Professional Documents
Culture Documents
Version 7
G210-2213-00
Note: Before using this information and the product it supports, read the information in "Notices" at the end of this document.
iii
Connecting a server to a hunt group . . . . 114 Creating the DB2 administrator and
Planning for modem use . . . . . . . . . 116 administration server account . . . . . . . 147
Installing modems . . . . . . . . . . . 116 Installing and setting up Domino and DB2 on
Modems and modem command files . . . . 116 Microsoft Windows - Local configuration . . . 148
Creating a Notes Direct Dialup connection . . 117 Installing and setting up Domino and DB2 and
Creating a Network Dialup connection . . . . 118 the DB2 Access server on Microsoft Windows -
Encrypting Network Dialup Connection Local configuration . . . . . . . . . . 149
documents . . . . . . . . . . . . . 120 Installing and setting up Domino and DB2 on
Coordinating dialup ISP connections between Microsoft Windows - Remote configuration . . 150
servers . . . . . . . . . . . . . . 121 Installing and setting up Domino and DB2 on
Coordinating Notes Direct Dialup connections IBM AIX - Local configuration . . . . . . . 150
between servers . . . . . . . . . . . 123 Installing and setting up Domino and DB2 and
Configuring a communication port . . . . . 125 the DB2 Access server on Microsoft Windows -
Modifying modem command files and acquire Remote configuration . . . . . . . . . . 152
scripts . . . . . . . . . . . . . . . 127 Installing and setting up Domino and DB2 on
Using acquire and login scripts . . . . . . 127 IBM AIX - Remote configuration . . . . . . 153
Writing and editing acquire and login scripts 128 Installing and setting up Domino and DB2 and
Commands for acquire and connect scripts . . 129 the DB2 Access server on IBM AIX -- Remote
Connecting Notes clients to servers . . . . . . 130 configuration . . . . . . . . . . . . 155
Requirements for connecting Notes clients to Setting up DB2 on Microsoft Windows . . . . 157
remote servers over various access media . . . 130 Installing and setting up Domino and DB2 and
the DB2 Access server on IBM AIX -- Local
Chapter 5. Setting up Domino and configuration . . . . . . . . . . . . 157
DB2 . . . . . . . . . . . . . . . 133 Installing DB2 on IBM AIX . . . . . . . . 159
IBM AIX post-installation procedure . . . . . 160
Understanding Domino and DB2 -- Limited
Creating a server ID for the DB2 Access server 161
Availability . . . . . . . . . . . . . . 133
Installing the DB2 Access server on the DB2
DB2 Access Views . . . . . . . . . . . 134
server . . . . . . . . . . . . . . . 162
Query views. . . . . . . . . . . . . 135
Enabling the Domino server to communicate with
DB2 and Domino authentication . . . . . . 136
the DB2 server procedures . . . . . . . . . 164
Benefits of using Domino with DB2 . . . . . 136
Enabling Domino access to a DB2 server . . . 164
Domino and DB2 user accounts that are needed for
Enabling a Domino server to communicate with
Domino and DB2 . . . . . . . . . . . . 137
a DB2 server . . . . . . . . . . . . 165
Accounts required with Microsoft Windows . . 137
NOTES.INI variables set by the DB2 Server
Accounts required with AIX/UNIX . . . . . 137
Enablement Tool . . . . . . . . . . . 168
Using the Domino Web Administrator client with
Configuration variables modified during DB2
Domino and DB2 . . . . . . . . . . . . 137
server enablement . . . . . . . . . . . 169
Databases created with Domino 7 . . . . . . 138
Manually creating the Domino server user and
Database storage . . . . . . . . . . . 138
other accounts on Microsoft Windows . . . . 170
Databases not supported as DB2 enabled Notes
Mapping the DB2 ID to a Notes ID in the Domino
databases . . . . . . . . . . . . . . 138
server’s Domino Directory . . . . . . . . . 171
Compact database options are enabled for
Allowing anonymous access to Notes data . . 171
Domino and DB2 . . . . . . . . . . . 140
Mapping DB2 user names to Notes user names 172
Domino and DB2 supported platforms and
Using formulas to create custom patterns in
configurations . . . . . . . . . . . . . 141
user names . . . . . . . . . . . . . 172
Supported platforms and hardware and
DB2 groups . . . . . . . . . . . . . . 173
software requirements . . . . . . . . . 141
DB2 group classes . . . . . . . . . . . 174
Supported configurations in Domino and DB2 142
Managing DB2 groups and classes . . . . . 174
Example of a local Domino and DB2
Locking a DB2 group . . . . . . . . . . 175
configuration . . . . . . . . . . . . 143
Unlocking a DB2 group . . . . . . . . . 175
Example of a remote Domino and DB2
Renaming a DB2 class . . . . . . . . . 175
configuration that uses separate servers . . . 143
Associating a DB2 group with a class . . . . 175
Example of a remote Domino and DB2
Moving a DB2 enabled Notes database to
configuration that uses partitions . . . . . . 144
another DB2 group . . . . . . . . . . 175
Installation and setup procedures. . . . . . . 146
Upgrading Domino 7 and DB2 . . . . . . . 176
Microsoft Windows . . . . . . . . . . 146
Prerequisites if you are running Domino 7, beta
IBM AIX . . . . . . . . . . . . . . 146
1, 2, or 3 . . . . . . . . . . . . . . 176
All platforms . . . . . . . . . . . . 146
Procedure - Upgrading when you have created
Installing the DB2 Access server . . . . . . 146
DB2 enabled Notes databases . . . . . . . 176
Domino server enablement and mapping Notes
Procedure - Upgrading when you have not
and DB2 user IDs . . . . . . . . . . . 147
created any DB2 enabled Notes databases . . . 177
Creating the DB2 installation account . . . . 147
Contents v
Collecting detailed information from user Increasing the server’s output timeout for DOLS
calendars . . . . . . . . . . . . . . 312 downloads . . . . . . . . . . . . . . 387
Setting up agents for the DOLS subscription . . . 387
Chapter 11. Using Policies . . . . . . 313 Optional tasks for DOLS administrators . . . . 388
Policies . . . . . . . . . . . . . . . 313 Adding a directory catalog to a DOLS
Organizational and explicit policies . . . . . 313 subscription . . . . . . . . . . . . . 388
Policy hierarchy and the effective policy . . . 314 Viewing DOLS download information . . . . 389
Client policy lock-down . . . . . . . . . 316 Reducing DOLS download time with the client
Planning and assigning policies . . . . . . 317 installation CD . . . . . . . . . . . . 389
Using policies to assign NOTES.INI or Location Reducing DOLS download time with selective
document settings to Notes client users . . . 317 replication . . . . . . . . . . . . . 390
Notes application plug-in and policies . . . . 318 Web Control instructions for DOLS users . . . 391
Creating policies . . . . . . . . . . . 318 DOLS troubleshooting and error messages . . . 391
Managing policies . . . . . . . . . . . 350 Error messages . . . . . . . . . . . . 391
Chapter 12. Setting Up Domain Search 357 Chapter 14. Planning the Service
Domain Search . . . . . . . . . . . . . 357 Provider Environment . . . . . . . . 393
Support for multiple languages . . . . . . 357 Planning the xSP server environment . . . . . 393
Domain Search and single-database full-text The Domino service provider administrator . . 393
search . . . . . . . . . . . . . . . 357 Ways to set up a service provider environment 393
Implementing Domain Search . . . . . . . 357 Securing the service provider environment . . 394
Server configurations for Domain Search . . . . 358 Using Domino features in a hosted server
Configuration for the Domain Catalog . . . . 358 environment . . . . . . . . . . . . . 394
Configurations for the Domain Index . . . . 358 Planning the IP Address configurations in a
Domain Search over a WAN . . . . . . . 358 hosted environment . . . . . . . . . . 395
Planning the Domain Index . . . . . . . . 359 Planning the distribution of hosted organization
The Domain Catalog . . . . . . . . . . 359 data . . . . . . . . . . . . . . . 397
Assigning database categories for the Domain Deciding which protocols and services to offer
Search form . . . . . . . . . . . . . 363 in the xSP environment . . . . . . . . . 400
Estimating the size of the Domain Index . . . 363 Deciding which applications to offer multiple
Excluding attachments from the Domain Index 364 hosted organizations . . . . . . . . . . 401
Domain Search security . . . . . . . . . 364 Using activity logging for billing at hosted
Creating and updating the Domain Index . . . . 365 organizations . . . . . . . . . . . . 401
To set the Domain Indexer task . . . . . . 365 Example of planning a hosted environment . . . 402
Tuning Domain Indexer performance . . . . 366
Changing the location of Domain Index files 367 Chapter 15. Setting Up the Service
Deleting databases from the Domain Index . . 367 Provider Environment . . . . . . . . 405
Backing up the Domain Index and Catalog . . 367 Setting up the service provider environment . . . 405
Customizing Domain Search forms . . . . . . 368 Installing the first server or additional servers
Results forms -- where do the document titles for hosted environments . . . . . . . . . 405
come from? . . . . . . . . . . . . . 368 Setting up a hosted organization . . . . . . 406
Setting up Notes users for Domain Search . . . . 368 Setting up the Domino certificate authority for
Using Policies . . . . . . . . . . . . 368 hosted organizations . . . . . . . . . . 406
Manual setup from a Notes workstation . . . 369 Using policies in a hosted environment . . . . 406
Setting up Web users for Domain Search . . . . 369 What happens when you register a hosted
Using content maps with Domain Search . . . . 369 organization? . . . . . . . . . . . . 407
To assign content categories . . . . . . . 370 Example of registering a hosted organization 414
To view content categories . . . . . . . . 370 Using Internet and Web Site documents in a
To change content categories . . . . . . . 370 hosted environment . . . . . . . . . . 415
Global Web Settings documents and the service
Chapter 13. Setting Up Domino provider environment . . . . . . . . . 417
Off-Line Services . . . . . . . . . . 373 Configuring activity logging for billing hosted
Domino Off-Line Services . . . . . . . . . 373 organizations . . . . . . . . . . . . 418
Configuring the DOLS subscription . . . . . . 373
To edit the configuration document . . . . . 373 Chapter 16. Managing a Hosted
Overview of DOLS administrator tasks . . . . . 379 Environment . . . . . . . . . . . . 421
How DOLS works . . . . . . . . . . . . 380 Maintaining hosted organizations . . . . . . 421
Creating a DOLS Offline Security Policy document 384 Using a browser to access a hosted
Increasing security for DOLS subscriptions . . . 386 organization’s Web site . . . . . . . . . 421
Contents vii
Starting and stopping the LDAP service . . . 523 Picking the server(s) to run the Dircat task . . 613
Customizing the LDAP service configuration 524 Specifying the Domino Directories for the Dircat
Setting up clients to use the LDAP service . . . 539 task to aggregate . . . . . . . . . . . 614
Using LDAP to search a Domain index . . . . 540 Controlling which information is aggregated
Monitoring the LDAP service . . . . . . . 541 into a directory catalog . . . . . . . . . 614
RFCs supported by the LDAP service . . . . 543 Full-text indexing directory catalogs . . . . . 619
Planning issues specific to Extended Directory
Chapter 23. Managing the LDAP Catalogs . . . . . . . . . . . . . . 620
Schema . . . . . . . . . . . . . . 545 Planning issues specific to condensed Directory
Catalogs . . . . . . . . . . . . . . 622
LDAP Schema . . . . . . . . . . . . . 545
Multiple directory catalogs . . . . . . . . 624
Attributes . . . . . . . . . . . . . 545
Overview of setting up a condensed Directory
Object classes . . . . . . . . . . . . 545
Catalog . . . . . . . . . . . . . . 625
Abstract object classes . . . . . . . . . 545
Overview of setting up an Extended Directory
Structural object classes . . . . . . . . . 545
Catalog . . . . . . . . . . . . . . 630
Auxiliary object classes . . . . . . . . . 546
The Dircat task . . . . . . . . . . . . 633
Syntaxes . . . . . . . . . . . . . . 546
Opening the configuration document for a
The Domino LDAP schema . . . . . . . . 546
directory catalog . . . . . . . . . . . 635
The schema daemon . . . . . . . . . . 548
Monitoring directory catalogs . . . . . . . 635
Domino LDAP Schema database . . . . . . 549
Methods for extending the schema . . . . . 551
Guidelines for extending the schema . . . . 552 Chapter 27. Setting Up Extended
Extending the schema using the Schema ACLs . . . . . . . . . . . . . . . 637
database . . . . . . . . . . . . . . 553 Extended ACL . . . . . . . . . . . . . 637
Deleting schema elements from the Schema How other database security features restrict
database . . . . . . . . . . . . . . 556 extended ACL access settings . . . . . . . 637
Schema-checking . . . . . . . . . . . 556 Elements of an extended ACL . . . . . . . 638
Searching the root DSE and schema entry . . . 557 Extended ACL access settings . . . . . . . 638
Extended ACL subject . . . . . . . . . 643
Chapter 24. Using the ldapsearch Extended ACL target . . . . . . . . . . 645
Utility . . . . . . . . . . . . . . . 559 Extended ACL examples. . . . . . . . . 650
Extended ACL guidelines . . . . . . . . 652
ldapsearch Utility . . . . . . . . . . . . 559
Setting up and managing an extended ACL . . 653
Table of ldapsearch parameters . . . . . . 559
Using search filters with ldapsearch . . . . . 561
Using ldapsearch to return operational Chapter 28. Overview of the Domino
attributes . . . . . . . . . . . . . . 562 Mail System . . . . . . . . . . . . 659
Examples of using ldapsearch . . . . . . . 562 Messaging overview . . . . . . . . . . . 659
Supported routing, format, and access protocols 660
Chapter 25. Setting Up Directory The Domino mail server and mail routing . . . 661
Assistance . . . . . . . . . . . . 565 How mail routes in a Domino system . . . . 663
Domino mail files . . . . . . . . . . . 664
Directory Assistance . . . . . . . . . . . 565
Mail clients . . . . . . . . . . . . . 665
How directory assistance works . . . . . . 565
Mail security . . . . . . . . . . . . 666
Directory assistance services . . . . . . . 566
Working with other mail systems in your
Directory assistance concepts . . . . . . . 572
organization . . . . . . . . . . . . . 667
Setting up directory assistance . . . . . . . 582
Mail performance and monitoring . . . . . 667
Directory assistance examples . . . . . . . 599
The Domino Directory and mail routing . . . 667
Monitoring directory assistance . . . . . . 603
Overview of routing mail using Notes routing 669
Overview of routing mail using SMTP . . . . 671
Chapter 26. Setting Up Directory The Domain Name System (DNS) and SMTP
Catalogs . . . . . . . . . . . . . 605 mail routing . . . . . . . . . . . . . 674
Directory Catalogs . . . . . . . . . . . . 605 Examples of using multiple MX records . . . 675
Condensed Directory Catalogs. . . . . . . 605
Directory catalogs on servers compared to Chapter 29. Setting Up Mail Routing 677
directory assistance for individual Domino Planning a mail routing topology . . . . . . . 677
Directories . . . . . . . . . . . . . 607 Connection topologies for mail routing . . . . 677
Extended Directory Catalogs . . . . . . . 607 The Domino mail router . . . . . . . . . 678
Overview of directory catalog setup . . . . . 609 Clients accessing the Domino server . . . . . 680
Planning directory catalogs . . . . . . . . 610 Sample mail routing configurations . . . . . 680
Directory catalogs and client authentication . . 610 Creating a Configuration Settings document . . 688
Directory catalogs and Notes mail encryption 613 Routing internal mail . . . . . . . . . . 689
Chapter 31. Setting Up Shared Mail 817 Chapter 35. Monitoring Mail . . . . . 891
Tools for mail monitoring . . . . . . . . . 891
Shared mail overview . . . . . . . . . . 817
Tracking mail messages . . . . . . . . . 891
Using multiple active shared mail databases . . 818
How mail tracking works . . . . . . . . 891
How using shared mail affects a user’s mail file
Generating mail usage reports . . . . . . . 892
quota . . . . . . . . . . . . . . . 818
Mail routing event generators . . . . . . . 892
How Domino maintains the security of a shared
Setting up mail monitoring . . . . . . . . 892
mail database . . . . . . . . . . . . 819
Setting up the Reports database . . . . . . 892
How shared mail works . . . . . . . . . 819
Controlling the Mail Tracking Collector . . . . 893
Setting up shared mail databases . . . . . . 819
Configuring the server for message tracking . . 895
Managing a shared mail database . . . . . 822
Tracking a mail message . . . . . . . . . 896
Disabling shared mail . . . . . . . . . 831
Generating a mail usage report . . . . . . 898
Viewing mail usage reports . . . . . . . . 900
Chapter 32. Setting Up the POP3
Service . . . . . . . . . . . . . . 833 Chapter 36. Setting Up the Domino
The POP3 service . . . . . . . . . . . . 833
Web Server . . . . . . . . . . . . 903
Supporting outbound mail service for POP3
The Domino Web server . . . . . . . . . . 903
clients . . . . . . . . . . . . . . . 833
Web server features . . . . . . . . . . 904
Authenticating with the server . . . . . . 833
Making Web site content changes. . . . . . 904
Accessing a mail file from the Notes client and
Setting up a Domino server as a Web server . . 905
a POP3 client . . . . . . . . . . . . 834
Hosting Web sites . . . . . . . . . . . 914
Setting up the POP3 service . . . . . . . 834
Custom Web server messages . . . . . . . 934
Setting up POP3 users . . . . . . . . . 836
Improving Web server performance . . . . . 937
Contents ix
Chapter 39. Planning Security . . . . 963 Roles in the ACL . . . . . . . . . . . 1038
Overview of Domino security . . . . . . . . 963 Managing database ACLs . . . . . . . . 1040
Know the business . . . . . . . . . . 963 Using the Administration Process to update
Identify assets and threats (risk analysis) . . . 963 ACLs . . . . . . . . . . . . . . . 1040
Develop strategies to protect your computing Setting up the Administration Process for
environment . . . . . . . . . . . . . 964 database ACLs . . . . . . . . . . . 1041
Develop incident handling procedures . . . . 964 Managing database ACLs with the Web
Plan and deliver employee training . . . . . 965 Administrator . . . . . . . . . . . . 1041
Keep processes current . . . . . . . . . 965 Editing entries in multiple ACLs . . . . . 1041
The Domino security model . . . . . . . 965 Viewing all database ACLs on a server . . . 1042
The Domino security team . . . . . . . . 967 Using the ACL log . . . . . . . . . . 1043
Security planning checklists . . . . . . . 969 Enforcing a consistent access control list . . . 1043
Security policies . . . . . . . . . . . 973 Updating Readers and Authors fields . . . . 1044
Setting up an Internet certificate authority . . . 973 Setting up database access for Internet users 1044
Preventing users from accessing forms and
Chapter 40. Controlling Access to views in a Web application . . . . . . . 1044
Maximum Internet name-and-password access 1045
Domino Servers . . . . . . . . . . 977 Requiring an SSL connection to a database 1046
Server access for Notes users, Internet users, and
Domino servers . . . . . . . . . . . . 977
Types of server access controls . . . . . . 977
Chapter 43. Protecting User
Server access list . . . . . . . . . . . 977 Workstations with Execution Control
Deny access list . . . . . . . . . . . 977 Lists . . . . . . . . . . . . . . . 1047
Notes ID lock out . . . . . . . . . . . 977 The execution control list . . . . . . . . . 1047
Anonymous access . . . . . . . . . . 978 The workstation ECL . . . . . . . . . 1047
Network port access . . . . . . . . . . 978 How the workstation ECL works . . . . . 1047
Setting up Notes user, Domino server, and Determining effective access . . . . . . . 1048
Internet user access to a Domino server . . . 978 ECL security access options . . . . . . . 1048
Customizing access to a Domino server . . . 979 The administration ECL . . . . . . . . 1050
Validation and authentication for Notes and Deploying and updating workstation ECLs 1055
Domino . . . . . . . . . . . . . . 993
Chapter 44. Setting Up
Chapter 41. Protecting and Managing Name-and-Password and
Notes IDs . . . . . . . . . . . . . 995 Anonymous Access to Domino
Domino server and Notes user IDs . . . . . . 995 Servers . . . . . . . . . . . . . 1057
Certificates . . . . . . . . . . . . . 995 Name-and-password authentication for
Password-protection for Notes and Domino IDs 997 Internet/intranet clients . . . . . . . . . 1057
The password quality scale . . . . . . . . 999 Name-and-password authentication over
Verifying user passwords during authentication 1000 non-SSL secured connections . . . . . . . 1058
Setting up password verification . . . . . 1002 Name-and-password authentication over SSL 1058
Using 128-bit ID file encryption . . . . . . 1003 Customizing name-and-password
Assigning multiple passwords to server and authentication . . . . . . . . . . . . 1058
certifier IDs . . . . . . . . . . . . 1003 Setting up basic name-and-password
ID recovery . . . . . . . . . . . . 1004 authentication . . . . . . . . . . . . 1058
Public key security . . . . . . . . . . 1010 Session-based name-and-password
User and server key rollover . . . . . . . 1014 authentication for Web clients . . . . . . 1060
Using cross-certificates to access servers and Controlling the level of authentication for
send secure S/MIME messages . . . . . . 1016 Internet clients . . . . . . . . . . . 1065
Adding cross-certificates to the Domino Managing Internet passwords . . . . . . 1068
Directory or Personal Address Book . . . . 1017 Multi-server session-based name-and-password
authentication for Web users (single sign-on) . 1069
Chapter 42. Controlling User Access Anonymous Internet/intranet access . . . . 1077
to Domino Databases . . . . . . . 1025 Validation and authentication for
The database access control list . . . . . . . 1025 Internet/intranet clients . . . . . . . . 1079
Default ACL entries . . . . . . . . . . 1025
Acceptable entries in the ACL . . . . . . 1026 Chapter 45. Encryption and
Configuring a database ACL . . . . . . . 1032 Electronic Signatures . . . . . . . 1081
Access levels in the ACL . . . . . . . . 1033 Encryption . . . . . . . . . . . . . . 1081
Access level privileges in the ACL . . . . . 1035 Public and private keys . . . . . . . . 1081
User types in the ACL . . . . . . . . . 1038 Encryption strength . . . . . . . . . . 1082
Contents xi
Chapter 53. Monitoring the Domino Configuring traps for Domino events . . . . 1205
Server . . . . . . . . . . . . . . 1159 Configuring traps for NetView for AIX . . . 1206
Monitoring the Domino system . . . . . . . 1159 Troubleshooting the Domino SNMP Agent . . . 1207
Monitoring Configuration database . . . . . 1159 Check Server Tasks . . . . . . . . . . 1207
Monitoring server shutdown . . . . . . . 1160 Check MIB Values using the SNMP
Monitoring processes running in the Domino Management Station . . . . . . . . . 1207
server environment . . . . . . . . . . 1160
Monitoring events on the Domino system . . 1161 Chapter 55. Using Server Health
Event generators . . . . . . . . . . . 1161 Monitoring . . . . . . . . . . . . 1209
Event handlers . . . . . . . . . . . 1169 Server Health Monitor . . . . . . . . . . 1209
Viewing an event report . . . . . . . . 1175 Table of Server Health Monitor statistics . . . 1210
Viewing event messages, causes, and solutions 1175 Table of Server Health Monitor ratings . . . 1211
Customizing the appearance of the Domino Using the Server Health Monitor . . . . . 1212
server console and Domino Administrator Server Health reports . . . . . . . . . 1214
console . . . . . . . . . . . . . . 1175 Working with Server Health Monitor statistics 1215
Statistics and the Domino system . . . . . 1177 Viewing server health with the Server Health
Platform statistics . . . . . . . . . . 1179 Monitor . . . . . . . . . . . . . . 1216
Using the Domino Administrator to monitor
statistics . . . . . . . . . . . . . . 1182 Chapter 56. Monitoring Domino
Using mail-in statistics . . . . . . . . . 1185
Domains . . . . . . . . . . . . . 1219
Charting statistics . . . . . . . . . . 1185
Domino Domain Monitoring (DDM) . . . . . 1219
Domino domain monitoring . . . . . . . 1219
Chapter 54. Using the Domino SNMP DDM probes . . . . . . . . . . . . 1220
agent . . . . . . . . . . . . . . 1189 Maintaining DDM Probes . . . . . . . . 1242
The Domino SNMP Agent . . . . . . . . . 1189 DDM server collection hierarchy . . . . . 1243
The Domino SNMP Agent’s main functions 1189 Managing the DDM server collection hierarchy 1245
Out-of-band server status through the MIB 1189 Domino Domain Monitor database (DDM.NSF) 1247
Control of a Domino server through SNMP 1189 Viewing events in the Domino Domain
Real-time alerts on server status . . . . . 1190 Monitor database . . . . . . . . . . . 1248
Forwarding of Domino events as SNMP traps 1190 Maintaining the Domino Domain Monitor
Domino statistics through the MIB . . . . 1192 database. . . . . . . . . . . . . . 1249
SNMP security . . . . . . . . . . . 1192 Using IBM Lotus instant messaging in the
Domino SNMP Agent architecture . . . . . . 1192 Domino domain monitor database . . . . . 1252
About the Domino MIB . . . . . . . . . 1193 Filtering events in DDM . . . . . . . . 1253
System requirements . . . . . . . . . . 1193
Microsoft Windows requirements . . . . . 1194 Chapter 57. Transaction Logging and
IBM AIX requirements . . . . . . . . . 1194
Recovery . . . . . . . . . . . . . 1255
Linux requirements . . . . . . . . . . 1194
Transaction logging . . . . . . . . . . . 1255
Solaris requirements . . . . . . . . . . 1194
Understanding the database instance ID
z/OS requirements . . . . . . . . . . 1194
(DBIID) . . . . . . . . . . . . . . 1256
Configuring the Domino SNMP Agent . . . . 1194
How transaction logging works . . . . . . 1256
Special considerations for partitioned servers 1194
Planning for transaction logging . . . . . . 1257
Configuring the Domino SNMP Agent for
Setting up a Domino server for transaction
Microsoft Windows . . . . . . . . . . 1196
logging . . . . . . . . . . . . . . 1257
Configuring the Domino SNMP Agent for AIX 1196
Changing transaction logging settings . . . . 1259
Configuring the Domino SNMP Agent for
Disabling transaction logging for a specific
Linux . . . . . . . . . . . . . . . 1197
database. . . . . . . . . . . . . . 1259
Configuring the Domino SNMP Agent for
View logging . . . . . . . . . . . . 1260
Solaris . . . . . . . . . . . . . . 1198
Using transaction logging for recovery . . . 1260
Configuring the Domino SNMP Agent for
Fault recovery . . . . . . . . . . . . . 1261
z/OS . . . . . . . . . . . . . . . 1199
Operating systems and fault recovery . . . . 1261
Completing the configuration of the Domino
Enabling fault recovery . . . . . . . . . 1261
SNMP Agent . . . . . . . . . . . . 1201
Specifying a cleanup script for fault recovery 1261
Manually starting and stopping the Domino
Setting up a Fault Reports database . . . . . 1262
SNMP Agent . . . . . . . . . . . . 1203
Creating a Fault Reports database . . . . . 1262
Using NET-SNMP with the Domino SNMP
Collecting diagnostic information after a server or
Agent . . . . . . . . . . . . . . 1203
client crash . . . . . . . . . . . . . . 1263
Using the Domino MIB with your SNMP
Writing status bar history to a log file . . . . 1264
management station . . . . . . . . . . . 1205
Setting up automatic diagnostic data collection
Configuring traps for HP OpenView . . . . 1205
on clients . . . . . . . . . . . . . 1264
Contents xiii
Chapter 64. Improving Database Show Configuration . . . . . . . . . . 1524
Performance . . . . . . . . . . . 1371 Show Directory . . . . . . . . . . . 1525
Setting advanced database properties . . . . . 1371 Show Diskspace . . . . . . . . . . . 1526
Database properties that optimize database Show Heartbeat . . . . . . . . . . . 1526
performance . . . . . . . . . . . . 1371 Show Memory . . . . . . . . . . . 1526
Soft deletions . . . . . . . . . . . . 1376 Show Monitors . . . . . . . . . . . 1527
The database cache . . . . . . . . . . 1376 Show Opendatabases . . . . . . . . . 1527
Tools for monitoring database size . . . . . 1379 Show Performance . . . . . . . . . . 1527
Monitoring database size . . . . . . . . 1379 Show Port . . . . . . . . . . . . . 1527
Compacting databases . . . . . . . . . 1379 Show Schedule . . . . . . . . . . . 1528
Determining the file format of a database . . 1381 Show SCOS . . . . . . . . . . . . 1528
Compact options . . . . . . . . . . . 1382 Show Server . . . . . . . . . . . . 1529
Database size quotas . . . . . . . . . 1386 Show Stat . . . . . . . . . . . . . 1530
Deleting inactive documents . . . . . . . 1387 Show Stat Platform . . . . . . . . . . 1530
Allowing more fields in a database . . . . . 1389 Show Tasks. . . . . . . . . . . . . 1531
Show Transactions . . . . . . . . . . 1531
Show Users . . . . . . . . . . . . 1532
Chapter 65. Using Server.Load . . . 1391 Show Xdir . . . . . . . . . . . . . 1533
Server.Load . . . . . . . . . . . . . 1391 Start Consolelog . . . . . . . . . . . 1534
Server.Load agents . . . . . . . . . . 1391 Start Port . . . . . . . . . . . . . 1535
Server.Load metrics and messaging statistics 1392 Stop Consolelog . . . . . . . . . . . 1535
Setting up clients and servers for Server.Load 1395 Stop Port . . . . . . . . . . . . . 1535
Built-in and custom Server.Load scripts . . . 1396 Sucache refresh . . . . . . . . . . . 1535
Running the built-in Server.Load workloads 1401 Sucache show . . . . . . . . . . . . 1536
Tell . . . . . . . . . . . . . . . 1536
Chapter 66. Troubleshooting . . . . 1431 Administration Process Tell Commands . . . 1537
Troubleshooting . . . . . . . . . . . . 1431 Agent Manager Tell commands . . . . . . 1538
Troubleshooting tools . . . . . . . . . 1431 Certificate Authority process tell commands 1539
Troubleshooting the Domino system . . . . 1433 Change Manager tell commands . . . . . 1540
Overview of server maintenance . . . . . 1508 Cluster Replicator Tell commands . . . . . 1540
DIIOP Tell commands . . . . . . . . . 1541
Appendix A Server Directory Cataloger Tell commands . . . . 1542
Commands . . . . . . . . . . . . 1511 LDAP Tell commands . . . . . . . . . 1542
Domino server commands . . . . . . . . . 1511 Router Tell commands . . . . . . . . . 1542
Broadcast . . . . . . . . . . . . . 1512 Schedule Manager Tell commands . . . . . 1543
Dbcache Disable . . . . . . . . . . . 1513 SMTP Server Tell commands . . . . . . . 1544
Dbcache Flush. . . . . . . . . . . . 1513 Statistic Collector Tell Commands . . . . . 1544
Dbcache Show . . . . . . . . . . . 1514 Web Navigator Tell commands . . . . . . 1544
Drop . . . . . . . . . . . . . . . 1514 Web Server Tell commands . . . . . . . 1544
Exit . . . . . . . . . . . . . . . 1514 Trace . . . . . . . . . . . . . . . 1545
Help . . . . . . . . . . . . . . . 1514 Domino and DB2 server commands . . . . . 1546
Load . . . . . . . . . . . . . . . 1515 DB2 Access . . . . . . . . . . . . . 1546
Platform . . . . . . . . . . . . . . 1515 DB2 Catalog . . . . . . . . . . . . 1547
Pull . . . . . . . . . . . . . . . 1516 DB2 Group . . . . . . . . . . . . . 1547
Push . . . . . . . . . . . . . . . 1517 DB2 Group Info . . . . . . . . . . . 1548
Quit . . . . . . . . . . . . . . . 1518 DB2 Info . . . . . . . . . . . . . 1549
Replicate . . . . . . . . . . . . . 1518 DB2 Purge . . . . . . . . . . . . . 1550
Restart Port . . . . . . . . . . . . 1519 DB2 Reconnect . . . . . . . . . . . 1551
Restart Server . . . . . . . . . . . . 1520 Using a console to send commands to a server 1551
Restart Task . . . . . . . . . . . . 1520 Capturing server command output in a file 1551
Route . . . . . . . . . . . . . . 1520 Entering commands at the console at the server 1551
Save . . . . . . . . . . . . . . . 1521 Sending Controller and shell commands from a
Set Configuration . . . . . . . . . . 1521 remote console . . . . . . . . . . . . 1552
Set Rules . . . . . . . . . . . . . 1521 Sending commands from the Domino
Set SCOS . . . . . . . . . . . . . 1522 Administrator console . . . . . . . . . . 1553
Set Secure . . . . . . . . . . . . . 1522 Adding commands to the Commands menu 1555
Set Statistics . . . . . . . . . . . . 1523 Adding a group of servers to the Send menu 1555
Show Agents . . . . . . . . . . . . 1523 Sending commands from a Web Administrator
Show AI. . . . . . . . . . . . . . 1523 console . . . . . . . . . . . . . . . 1555
Show Allports . . . . . . . . . . . . 1523 Using the Domino Character Console to access
Show Cluster . . . . . . . . . . . . 1524 the server console . . . . . . . . . . . 1556
Contents xv
EnableBiDiNotes . . . . . . . . . . . 1597 iNotes_WA_PrintUserStyleSheet . . . . . . 1616
Enforce_Personal_Agents . . . . . . . . 1597 iNotes_WA_QueryAgents . . . . . . . . 1617
ExtMgr_AddIns . . . . . . . . . . . 1598 iNotes_WA_SametimeNameFormat . . . . . 1617
Fault_Analyzer_Match_Percentage . . . . . 1598 iNotes_WA_SametimeProtocol . . . . . . 1618
FaultRecoveryFromINI . . . . . . . . . 1599 iNotes_wa_SecMailPreferNotes . . . . . . 1618
FileDlgDirectory . . . . . . . . . . . 1599 iNotes_WA_SkipEndIESession . . . . . . 1619
Fixup_Tasks . . . . . . . . . . . . 1599 iNotes_WA_UseInternetAddrForXsp . . . . 1619
FormulaTimeout . . . . . . . . . . . 1599 InstallType . . . . . . . . . . . . . 1620
FT_Domain_Directory_Name . . . . . . . 1600 JavaEnableJIT . . . . . . . . . . . . 1620
FT_Domain_IdXthdsS . . . . . . . . . 1600 JavaJITName . . . . . . . . . . . . 1620
FT_Index_Attachments . . . . . . . . . 1600 JavaMaxHeapSize . . . . . . . . . . 1620
FT_Intl_Setting . . . . . . . . . . . 1600 JavaMinHeapSize . . . . . . . . . . 1621
FT_Max_Search_Results . . . . . . . . 1601 JavaNoAsyncGC . . . . . . . . . . . 1621
FT_No_Compwintitle . . . . . . . . . 1601 JavaNoClassGC . . . . . . . . . . . 1621
FTG_No_Summary . . . . . . . . . . 1601 JavaStackSize . . . . . . . . . . . . 1621
FT_Summ_Default_Language . . . . . . 1602 JavaUserClasses . . . . . . . . . . . 1622
FTUpdate_Idle_Time . . . . . . . . . 1602 JavaVerbose . . . . . . . . . . . . 1622
FTUpdate_Idle_Time_MS . . . . . . . . 1602 JavaVerboseGC . . . . . . . . . . . 1622
GuessMIMEBodyLang . . . . . . . . . 1603 KeyFileName . . . . . . . . . . . . 1623
Health_Report_Purge_After_N_Days . . . . 1603 KitType . . . . . . . . . . . . . . 1623
HTTPEnableConnectorHeaders . . . . . . 1603 LANnumber . . . . . . . . . . . . 1623
HTTPLogUnauthorized. . . . . . . . . 1604 LDAPBatchAdds . . . . . . . . . . . 1624
HTTP_PWD_Change_Cache_Hours . . . . 1604 LDAPConfigUpdateInterval . . . . . . . 1624
ICMNotesPort . . . . . . . . . . . . 1604 LDAPGroupMembership . . . . . . . . 1624
ID_Recovery_Suppress_Recovery_Msg . . . 1604 LDAPIdleSessionExtendedTimeout . . . . . 1625
IM_Enable_SSO . . . . . . . . . . . 1605 LDAPIdleSessionExtendedTimeoutClients . . 1626
IMAILExactSize . . . . . . . . . . . 1605 LDAPIdleSessionTimeout . . . . . . . . 1626
IMAP_Config_Update_Interval . . . . . . 1605 LDAPNotesPort . . . . . . . . . . . 1626
IMAP_Convert_Nodisable_Folder_Refs . . . 1606 LDAPPre55Outlook . . . . . . . . . . 1626
IMAPDisableFTIImmedUpdate . . . . . . 1606 LDAPName_Update_Suppress_Time . . . . 1627
IMAPDisableMsgCache . . . . . . . . 1607 Location . . . . . . . . . . . . . . 1627
IMAPGreeting . . . . . . . . . . . . 1607 Log . . . . . . . . . . . . . . . 1627
IMAPNotesPort . . . . . . . . . . . 1607 Log_AgentManager . . . . . . . . . . 1628
IMAPRedirectSSLGreeting . . . . . . . . 1607 Log_Authentication . . . . . . . . . . 1628
IMAP_Session_Timeout . . . . . . . . 1608 Log_Connections . . . . . . . . . . . 1629
IMAPShowIdleStatus . . . . . . . . . 1608 Log_Console . . . . . . . . . . . . 1630
IMAPSSLGreeting . . . . . . . . . . 1608 Log_DirCat . . . . . . . . . . . . 1630
IM_No_Setup . . . . . . . . . . . . 1608 LogFile_Dir . . . . . . . . . . . . 1630
IM_USE_CANONICAL_NAME . . . . . . 1608 Log_Replication . . . . . . . . . . . 1631
Incoming Mail Sound . . . . . . . . . 1609 Log_Sessions . . . . . . . . . . . . 1631
INET_Authenticate_with_Secondary . . . . 1609 LogStatusBar . . . . . . . . . . . . 1631
iNotes_WA_AuthTokenName. . . . . . . 1609 Log_Tasks . . . . . . . . . . . . . 1632
iNotes_WA_AutoUseWebmail . . . . . . 1610 Log_Update . . . . . . . . . . . . 1632
iNotes_WA_DefaultFormatPlainText . . . . 1610 Log_View_Events . . . . . . . . . . 1632
iNotes_WA_DisableActCntSecurity . . . . . 1610 MailBoxDisableTDNLogging . . . . . . . 1633
iNotes_WA_DisableBothFormats . . . . . . 1611 MailCharSet . . . . . . . . . . . . 1633
iNotes_WA_DisableRecodeMIMECharset . . . 1611 MailCompactDisabled . . . . . . . . . 1634
inotes_WA_DisableReuseChildWindows . . . 1611 MailCompactHour . . . . . . . . . . 1634
iNotes_wa_GZIP_Content_Types_Excluded 1611 MailConvertMIMEonTransfer. . . . . . . 1635
iNotes_wa_GZIP_Content_Types_Included 1612 Mail_Disable_Implicit_Sender_Key . . . . 1635
iNotes_wa_GZIP_Disable . . . . . . . . 1612 MailLogToEventsOnly . . . . . . . . . 1635
iNotes_WA_LogoutRedirect . . . . . . . 1612 Mail_Log_To_MiscEvents . . . . . . . . 1635
iNotes_WA_LogoutScrubType . . . . . . 1613 MailServer . . . . . . . . . . . . . 1636
iNotes_WA_MaxRowsPerLine . . . . . . 1614 MailSetup . . . . . . . . . . . . . 1636
iNotes_WA_NameLookupMaxNumMatch . . 1614 Mail_Skip_NoKey_Dialog . . . . . . . . 1637
iNotes_WA_NamePickerSearchAccentInsensitive 1615 MailSystem . . . . . . . . . . . . . 1637
iNotes_WA_NoWebmail . . . . . . . . 1615 MailTimeout . . . . . . . . . . . . 1637
iNotes_WA_OpenElementNoStore . . . . . 1615 MailTimeoutMinutes . . . . . . . . . 1637
iNotes_WA_PortalLogout . . . . . . . . 1616 MailUpgradeFolder . . . . . . . . . . 1638
iNotes_WA_PortalOffline . . . . . . . . 1616 Map_Retry_Delay . . . . . . . . . . 1638
iNotes_WA_PortalSkipEndIESession . . . . 1616 Max_Config_Files . . . . . . . . . . 1638
Contents xvii
Temp_Index_Max_Doc . . . . . . . . . 1678 Time-based execution requests . . . . . . 1786
TimeSeparator . . . . . . . . . . . . 1678
TimeZone . . . . . . . . . . . . . 1678 Appendix G Accessibility
Topology_WorkInterval . . . . . . . . . 1679 and Keyboard Shortcuts in Domino
TransLog_MaxSize . . . . . . . . . . 1679
TransLog_Path . . . . . . . . . . . 1679
Administrator . . . . . . . . . . . 1789
TransLog_Performance . . . . . . . . . 1679 Accessibility and keyboard shortcuts . . . . . 1789
TransLog_Status . . . . . . . . . . . 1680 Enabling and using extended accelerator keys 1789
TransLog_Style . . . . . . . . . . . 1680 Keyboard shortcuts . . . . . . . . . . 1790
TransLog_UseAll . . . . . . . . . . . 1681 Keyboard shortcuts for the Domino
Update_Disable_Fulltext . . . . . . . . 1681 Administrator user interface . . . . . . . 1790
Update_Disable_Views . . . . . . . . . 1681 Keyboard shortcuts for databases . . . . . 1791
Update_Fulltext_Thread . . . . . . . . 1681 Keyboard shortcuts for dialog boxes . . . . 1791
Update_Idle_Time . . . . . . . . . . 1682 Keyboard shortcuts for properties boxes . . . 1791
Update_Idle_Time_MS . . . . . . . . . 1682 Keyboard shortcuts for documents . . . . . 1792
Update_No_BRP_Files . . . . . . . . . 1682 Keyboard shortcuts to select and move text in
Update_No_Fulltext . . . . . . . . . . 1682 a document . . . . . . . . . . . . 1793
Updaters . . . . . . . . . . . . . 1683 Keyboard shortcuts to move the cursor in a
Update_Suppression_Limit . . . . . . . 1683 document . . . . . . . . . . . . . 1793
Update_Suppression_Time . . . . . . . 1683 Keyboard shortcuts to change text and
UpgradeApps . . . . . . . . . . . . 1683 paragraph properties in a document . . . . 1794
UseFontMapper . . . . . . . . . . . 1684 Keyboard shortcuts when working in views 1794
$Use_ST_IM . . . . . . . . . . . . 1684
ViewExpnumber . . . . . . . . . . . 1684 Appendix H Server.Load
ViewImpnumber . . . . . . . . . . . 1685 Command Language . . . . . . . . 1797
View_Rebuild_Dir . . . . . . . . . . 1685 Server.Load script conventions . . . . . . . 1797
WCT_IM_Use_Lookup . . . . . . . . . 1685 Server.Load commands . . . . . . . . . . 1797
WebAuth_Verbose_Trace . . . . . . . . 1686 @Else command . . . . . . . . . . . 1797
WebSess_Verbose_Trace . . . . . . . . 1686 @EndIf command . . . . . . . . . . 1797
Window_Title . . . . . . . . . . . . 1687 @If command . . . . . . . . . . . . 1798
WinInfoboxPos . . . . . . . . . . . 1687 Add command . . . . . . . . . . . 1798
WinSysFontnumber . . . . . . . . . . 1687 BeginCrit command . . . . . . . . . . 1799
XPC_Console . . . . . . . . . . . . 1687 BeginLoop command . . . . . . . . . 1799
BeginLoop2 command . . . . . . . . . 1799
Appendix D System and Break command . . . . . . . . . . . 1799
Application Templates . . . . . . . 1689 Cal command . . . . . . . . . . . . 1799
System and application templates . . . . . . 1689 ChangeTo command . . . . . . . . . 1800
CheckForNewMail command . . . . . . . 1801
Close command . . . . . . . . . . . 1802
Appendix E Customizing Console command . . . . . . . . . . 1802
the Domino Directory . . . . . . . 1695 DBClose command . . . . . . . . . . 1802
The Domino Directory template . . . . . . . 1695 DbDelete command . . . . . . . . . . 1802
Rules for customizing the Domino Directory 1695 Delete command . . . . . . . . . . . 1802
Customizing the Domino Directory template 1697 Drop command . . . . . . . . . . . 1803
Creating a copy of the Domino Directory EndCrit command . . . . . . . . . . 1803
template . . . . . . . . . . . . . . 1697 Entries command. . . . . . . . . . . 1803
Customizing a visible view in the Domino ErrorDelay command . . . . . . . . . 1803
Directory . . . . . . . . . . . . . 1698 FindByKey command . . . . . . . . . 1804
Using the Domino Directory to extend the FindByName command . . . . . . . . 1804
LDAP schema . . . . . . . . . . . . 1698 GetAll command . . . . . . . . . . . 1804
Applying template customizations to the Help command . . . . . . . . . . . 1804
Domino Directory database . . . . . . . 1708 If command . . . . . . . . . . . . 1804
Upgrading to a new Domino Directory ImailCheckForNewMail command . . . . . 1805
template . . . . . . . . . . . . . . 1709 ImailCloseMailbox command . . . . . . . 1805
ImailFetchEntry command . . . . . . . 1805
Appendix F ImailFetchOld command . . . . . . . . 1805
Administration Process Requests . . 1711 ImailGetLastEntries command . . . . . . 1805
Administration process requests . . . . . . . 1711 ImailGetNewMail command . . . . . . . 1805
Administration Process Requests -- One ImailHelp command . . . . . . . . . 1805
Domain . . . . . . . . . . . . . . 1711 ImailListMailboxes command . . . . . . 1805
Cross Domain Administration Requests . . . 1771 ImailLogin command . . . . . . . . . 1806
Appendix J Setting Up a
Domino 5 Certificate Authority . . . 1831
Contents xix
xx Lotus Domino Administrator 7 Help
Chapter 1. Deploying Domino
This chapter outlines the steps required to deploy IBM® Lotus® Domino(TM) 7 successfully and
introduces important concepts that you need to know before you install Domino servers.
1
v Servers that manage messaging services
v Directory servers that provide users and servers with information about how to communicate with
other users and servers
v Passthru servers that provide users and servers with access to a single server that provides access to
other servers
v Domain Search servers that provide users with the ability to perform searches across all servers in a
Domino domain
v Clustered servers that provide users with constant access to data and provide load-balancing and
failover
v Partitioned servers that run multiple instances of the Domino server on a single computer
v Firewall servers that provide Notes users with access to internal Domino services and protect internal
servers from outside users
v xSP servers that provide users with Internet access to a specific set of Domino applications
Your decisions help determine which types of Domino servers your require. When you install each server,
you must select one of the following installation options:
v Domino Utility Server -- Installs a Domino server that provides application services only, with support
for Domino clusters. The Domino Utility Server is a new installation type for Lotus Domino 7 that
removes client access license requirements. Note that it does NOT include support for messaging
services. See full licensing text for details.
v Domino Messaging Server -- Installs a Domino server that provides messaging services. Note that it
does NOT include support for application services or Domino clusters.
v Domino Enterprise Server -- Installs a Domino server that provides both messaging and application
services, with support for Domino clusters.
Note: All three types of installations support Domino partitioned servers. Only the Domino Enterprise
Server supports a service provider (xSP) environment.
Before you install Domino servers, create a diagram of your company and use the diagram to plan a
meaningful name scheme. Then create certifier IDs to implement the name scheme and ensure a secure
system.
A hierarchical name scheme uses a tree structure that reflects the actual structure of a company. At the
top of the tree is the organization name, which is usually the company name. Below the organization
name are organizational units, which you create to suit the structure of the company; you can organize
the structure geographically, departmentally, or both.
For example, the Acme company created this diagram for their servers and users:
For more information on certifier IDs, see the topic ″Certifier IDs and certificates″ in this chapter.
Julia Herlihy/Sales/East/Acme/US
Typically a name is entered and displayed in this abbreviated format, but it is stored internally in
canonical format, which contains the name and its associated components, as shown below:
CN=Julia Herlihy/OU=Sales/OU=East/O=Acme/C=US.
Note: You can use hierarchical naming with wildcards as a way to isolate a group of servers that need to
connect to a given Domino server in order to route mail.
Domino domains
A Domino domain is a group of Domino servers that share the same Domino Directory. As the control
and administration center for Domino servers in a domain, the Domino Directory contains, among other
documents, a Server document for each server and a Person document for each Notes user.
For more information on administering multiple Domino directories, see the chapter ″Planning Directory
Services.″
A third scenario is common when multiple companies work closely together yet want to retain individual
corporate identities. Then one domain and multiple organizations may work best.
Finally, the fourth scenario involves maintaining multiple domains and multiple organizations. This
scenario often occurs when one company acquires another.
Sometimes the decision to create multiple Domino domains is not based on organizational structure at all.
For example, you may want to create multiple Domino domains if you have slow or unreliable network
connections that prohibit frequent replication of a single, large directory. Keep in mind that working with
multiple domains requires additional administrative work and requires you to set up a system for
managing them.
Domains can be used as a broad security measure. For example, you can grant or deny a user access to
servers and databases, based on the domain in which the user is registered. Using an extended ACL is an
alternative to creating multiple domains, because you can use the extended ACL to specify different
levels of access to a single Domino Directory, based on organization name hierarchy.
For more information on extended ACLs, see the chapter ″Setting Up Extended ACLs.″
Partitioned servers
Using Domino server partitioning, you can run multiple instances of the Domino server on a single
computer. By doing so, you reduce hardware expenses and minimize the number of computers to
administer because, instead of purchasing multiple small computers to run Domino servers that might
not take advantage of the resources available to them, you can purchase a single, more powerful
computer and run multiple instances of the Domino server on that single machine.
On a Domino partitioned server, all partitions share the same Domino program directory, and thus share
one set of Domino executable files. However, each partition has its own Domino data directory and
NOTES.INI file; thus each has its own copy of the Domino Directory and other administrative databases.
If one partition shuts down, the others continue to run. If a partition encounters a fatal error, Domino’s
fault recovery feature restarts only that partition, not the entire computer.
For information on setting up fault recovery, see the chapter ″Transaction Logging and Recovery.″
Partitioned servers can provide the scalability you need while also providing security. As your system
grows, you can migrate users from a partition to a separate server. A partitioned server can also be a
member of a cluster if you require high availability of databases. Security for a partitioned server is the
same as for a single server.
When you set up a partitioned server, you must run the same version of Domino on each partition.
However, if the server runs on UNIX®, there is an alternative means to run multiple instances of Domino
on the server: on UNIX, you can run different versions of Domino on a single computer, each version
with its own program directory. You can even run multiple instances of each version by installing it as a
Domino partitioned server.
When making the decision to use partitioned servers, remember that it is easier to administer a single
server than it is to administer multiple partitions. However, if your goal is to isolate certain server
functions on the network -- for example, to isolate the messaging hub from the replication hub or isolate
work groups for resource and activity logging -- you might be willing to take on the additional
administrative work. In addition, running a partitioned server on a multiprocessor computer may
improve performance, even when the partitions are in the same domain, because the computer
simultaneously runs certain processes.
To give Notes users access to a Domino server where they can create and run Domino applications, use a
partitioned server. However, to provide customers with Internet access to a specific set of Domino
applications, set up an xSP server environment.
For more information about using Domino in an xSP environment, see the chapter ″Planning the Service
Provider Environment.″
Note: You can register servers and users without stamping each server ID and user ID if you have
migrated the certifier to a Domino server-based certification authority (CA).
For more information about server-based CAs, see the chapter ″Setting Up a Domino Server-based
Certification Authority.″
Each time you create a certifier ID, Domino creates a certifier ID file and a Certifier document. The ID file
contains the ID that you use to register servers and users. The Certifier document serves as a record of
the certifier ID and stores, among other things, its hierarchical name, the name of the certifier ID that
issued it, and the names of certificates associated with it.
Note: During server setup, you can use an existing certifier ID instead of creating a new one. The
certifier ID that you specify cannot have multiple passwords assigned to it. Attempting to user a certifier
ID with multiple passwords generates an error message and causes server setup to halt.
There are two types of certifier IDs: organization and organizational unit.
If your company is large and decentralized, you might want to use the Domino Administrator after
server setup to create a second organization certifier ID to allow for further name differentiation -- for
example, to differentiate between company subsidiaries.
For more information on working with multiple organizations, see the topic ″Domino domains″ earlier in
this chapter.
For information on recertifying user IDs, see the chapter ″Setting Up and Managing Notes Users.″ For
information on recertifying server IDs, see the chapter ″Maintaining Domino Servers.″
You can create up to four levels of organizational unit certifiers. To create first-level organizational unit
certifier IDs, you use the organization certifier ID. To create second-level organizational unit certifier IDs,
you use the first-level organizational unit certifier IDs, and so on.
Using organizational unit certifier IDs, you can decentralize certification by distributing individual
certifier IDs to administrators who manage users and servers in specific branches of the company. For
example, the Acme company has two administrators. One administers servers and users in West/Acme
and has access to only the West/Acme certifier ID, and the other administers servers and users in
East/Acme and has access to only the East/Acme certifier ID.
Certifier security
By default, the Server Setup program stores the certifier ID file in the directory you specify as the
Domino data directory. When you use the Domino Administrator to create an additional organization
certifier ID or organizational unit certifier ID, you specify where you want the ID stored. To ensure
security, store certifiers in a secure location -- such as a disk locked in a secure area.
User ID recovery
To provide ID and password recovery for Notes users, you need to set up recovery information for each
certifier ID. Before you can recover user ID files, you need access to the certifier ID file to specify the
recovery information, and the user ID files themselves must be made recoverable. There are three ways to
do this:
v At user registration, create the ID file with a certifier ID that contains recovery information.
v Export recovery information from the certifier ID file and have the user accept it.
v (Only for servers using the server-based certification authority) Add recovery information to the
certifier. Then, when existing users authenticate to their home server, their IDs are automatically
updated.
For more information, see the chapter ″Protecting and Managing Notes IDs.″
Internet services
The Domino Server Setup program presents these selections for Internet services:
v Web Browsers (HTTP Web services)
v Internet Mail Clients (SMTP, POP3, and IMAP mail services)
These are optional advanced Domino server services that you can enable:
v DIIOP CORBA Services
v DECS (Domino Enterprise Connection Services)
v Billing
v HTTP Server
v IMAP Server
v ISpy
v LDAP Server
v POP3 Server
v Remote Debug Server
v SMTP Server
v Stats
v Statistic Collector
v Web Retriever
* This name may include alpha characters (A - Z), numbers (0 - 9), and the ampersand (&), dash (-),
period (.), space ( ) , and underscore (_).
For more information on network name requirements and the effect that server name format has on
network name-to-address resolution, see the chapter ″Setting Up the Domino Network.″
This overview lists the features that you may want to include in your Domino environment.
1. Create Connection documents for server communication.
2. If you have mobile users, set up modems, dialup support, and RAS.
3. Set up mail routing
4. Establish a replication schedule.
5. Configure incoming and outgoing Internet mail (SMTP).
Isolated LANs can be connected by WANs. A WAN is either a continuous connection -- such as a
frame-relay, leased telephone line, or digital subscriber line (DSL) -- or a dialup connection over a modem
or Integrated Services Digital Network (ISDN) line. Dialup connections are either to an individual server
or to a LAN (through a provider network or your company’s own communications server).
Buildings or sites that are geographically close to each other can use a MAN, which is a continuous,
high-speed connection that can connect corporate LANs or connect a LAN to the WAN. Like a WAN, a
MAN is usually shared by multiple organizations.
Wireless technology that works with Domino ranges from localized transmission systems (802.11a or
802.11b) to national or international satellite transmission systems that are geostationary, mid-orbit, or
tracked orbit.
If you are planning a network for geographically dispersed locations, consider how to achieve a
cost-effective infrastructure. Placing servers in one location requires that users in other locations access
the Domino server across WAN connections, which can be slow and expensive. Placing servers in every
location and replicating databases to make the same information available on several LANs requires
attention to administration at each location. One effective way to set up a network is to use a hub server
at each location to handle communication with hub servers in other locations. Then, only the hub servers,
not every server in the network, use WAN connections.
The functionality of Notes workstations and Domino servers depends on the effectiveness and capacity of
networks. To plan a Domino network with sufficient capacity, you must consider not only the traffic to
and from Domino servers but also any other traffic on the network.
NRPC communication
Domino servers offer many different services. The foundation for communication between Notes
workstations and Domino servers or between two Domino servers is the Notes remote procedure call
(NRPC) service.
11
addition, you can use any IETF-compliant PPP communications server to dial into the network on which
the Domino server resides or though which the server can be accessed.
For more information on dialup connections, see the chapter ″Setting Up Server-to-Server Connections.″
On LANs, Lotus Domino is compatible with the TCP/IP and NetBIOS over the lower transport IP For
NetBIOS connections to work, both Notes workstations and Domino servers must use the same lower
transport.
For detailed information on which protocols are compatible with Lotus Domino for each supported
operating system, see the Release Notes.
Because each network protocol consumes memory and processing resources, you might want to exclude
one or more ports and later remove the associated protocol software from the system.
In TCP/IP and NetBIOS, you can install multiple network interface cards (NICs) and enable additional
Notes network ports for each protocol, using the NOTES.INI file to bind each port to a separate IP
address or NetBIOS LANA number.
For more information, see the topic ″Adding a network port on a server″ later in this chapter.
When you set up Server documents, be sure to assign each server to the correct NNN. Lotus Domino
expects a continuous connection between servers that are in the same NNN, and serious delays in routing
can occur if a server must dial up a remote LAN because the remote server is inadvertently placed within
the NNN. Also bear in mind that the Notes Network field for each port can contain only one NNN
name, and no two NNN names can be the same.
NNNs affect Notes users when they use the Open Database dialog box. When a user selects Other to
display a list of servers, the servers displayed are those on the NNN of the user’s home server for the
port on which the Notes workstation communicates with the home server. Also, when users click on a
database link or document link, if a server in their home server’s NNN has a replica of that database,
they can connect to the replica.
Note: If a server is assigned to two NNNs in the same protocol, as in the case where the server has two
Notes network ports for TCP/IP, a Notes workstation or Domino server connecting to that server uses
the NNN for the port listed first in the Server document.
Note: When resolving names of Domino servers that offer Internet services, Lotus Notes uses the
protocol’s name-resolver service directly.
Note: If the Net Address field in the Server document contains a physical address -- a practice that is not
recommended in a production environment-- the Notes Name Service performs the resolve directly, thus
placing the burden of maintaining physical address changes on the Domino administrator.
1. If the workstation/server has a Connection document for the destination server that contains the
protocol-specific name, the workstation/server passes the protocol-specific name to the protocol’s
name-resolver service. If the Connection document contains a physical address, the Notes Name
Service performs the resolve directly. Normal-priority Connection documents are checked first, and
then low-priority Connection documents.
Note: Unlike in Server documents, adding physical addresses in Connection documents is not
discouraged, since only the local workstation/server uses the Connection document.
2. To determine if the destination server’s protocol-specific name is cached, the workstation checks the
Location document and the server checks its own Server document. If the name is cached, the
workstation/server uses the last-used Notes network port to determine the protocol and passes this
value to the protocol’s name-resolver service.
3. If the protocol-specific name is not cached, one of the following occurs, based on the list order of
enabled Notes network ports:
v For a Notes workstation connected to the home (messaging) server, Notes gives the common name
of the destination Domino server to the home server, which looks in the Domino Directory for the
Server document of the destination server. The home server locates the contents of the Net Address
field for the Notes named network that the Notes workstation has in common with the destination
server and passes this name to the protocol’s name-resolver service. If the workstation and the
destination server are in the same Domino domain but not in the same Notes named network, the
home server locates the names of each protocol that the workstation has in common with the
destination server and passes each to the appropriate protocol until a resolve is made. If the Notes
workstation can’t access its home server, it connects to its secondary Notes name server, which
carries out the same actions as the home server.
v For a Domino server, Domino checks the Server document for the destination server, locates the
contents of the Net Address field for the Notes named network that the Domino server has in
common with the destination server, and passes this name to the protocol’s name-resolver service.
If the destination server is in the same Domino domain as the Domino server, but not in the same
Notes named network, the Domino server locates the protocol name of each protocol that it has in
common with the destination server and passes each to the appropriate protocol until a resolve is
made.
4. If Steps 1 through 3 do not produce the server’s network address, the workstation/server offers the
Domino common name of the destination server to the name-resolver service of each protocol, based
on the order of the enabled network ports in the Server document.
Chapter 2. Setting Up the Domino Network 13
Network security
Physical network security is beyond the scope of this book, but you must set it up before you set up
connection security. Physical network security prevents unauthorized users from breaking through the
network and using one of the operating system’s native services -- for example, file sharing -- to access
the server. Physical network security also comes into play when any data is exposed, as the potential
exists for malicious or unauthorized users to eavesdrop both on the network where the Domino system
resides and on the system you are using to set up the server.
Network access is typically controlled using network hardware -- such as filtering routers, firewalls, and
proxy servers. Be sure to enable rules and connection pathways for the services that you and others will
access.
Newer firewall systems offer virtual-private-network (VPN) services, which encapsulate the TCP/IP
packet into another IP wrapper where the inner TCP/IP packet and its data are encrypted. This is a
popular way to create virtual tunnels through the Internet between remote sites. If you want to have the
Domino server access both a private VPN and the Internet for SMTP mail, make sure your solution is
able to handle full TCP data packets and that it allows dual connections. If not, the Domino server
system may require a second NIC to work around limitations of the VPN solution.
For more information, see the chapter ″Controlling Access to Domino Servers.″
In addition, you can encrypt all connections by service type. Encrypting connections protects data from
access by malicious or unauthorized users. To prevent data from being compromised, encrypt all Domino
and Notes services that connect to public networks or to networks over which you have no direct control.
Encrypting the connection channel prevents unauthorized users from using a network protocol analyzer
to read data.
To encrypt NRPC network traffic, use the Notes port encryption feature. For traffic over Internet
protocols, use SSL. For both NRPC and Internet protocols, you can enforce encryption at the server for all
inbound and outbound connections. In the case of the Notes client, you can also enforce encryption on all
outbound connections, even if the server to which you are connecting allows unencrypted connections.
Because encryption adds additional load to the server, you may want to limit the services for which the
server uses encryption. Other ways to minimize the load that encryption puts on the system include:
v Using an additional Domino server acting as a passthru server for NRPC connections
v Using a reverse proxy to manage authentication and encryption outside of Domino servers when using
SSL
v Removing unnecessary or unused protocols or services on the server system as well as Domino server
services
For more information, see the chapters ″Installing and Setting Up Domino Servers″ and ″Setting Up
SSL on a Domino Server.″
A proxy stops direct access from an untrusted network to services on a trusted network. If an application
proxy is in use, then application-specific heuristics can be applied to look at the connections from the
untrusted networks and determine if what is being requested is legal or safe.
An application proxy resides in the actual server application and acts as an intermediary that
communicates on behalf of the requester. An application proxy works the same as a packet filter, except
the application proxy delivers the packet to the destination. An application proxy can be used with any
protocol, but it is designed to work with one application. For example, an SMTP proxy understands only
SMTP.
A circuit-level proxy is similar to an application proxy, except that it does not need to understand the
type of information being transmitted. For example, a SOCKS server can act as a circuit-level proxy. You
can use a circuit-level proxy to communicate using Internet protocols with TCP/IP -- that is, IMAP,
LDAP, POP3, SMTP, IIOP, and HTTP, as well as Internet protocols secured with SSL.
HTTP is a special case. In Domino, when the HTTP Connect method is used by an HTTP proxy,
applications using other protocols can also use the HTTP proxy, but they use it as a circuit-level proxy,
not as an application proxy. SSL uses the HTTP Connect method to get through an application proxy
because the data is encrypted and the application proxy cannot read the data. HTTPS (HTTP and SSL)
use both the HTTP proxy and the Connect method, which implies that the HTTP proxy is a circuit-level
proxy for HTTPS. The same method is used to get NRPC, IMAP, and other protocols through the HTTP
proxy.
You can set up a Domino passthru server as an application proxy for NRPC. A passthru server provides
all levels of Notes and Domino security while allowing clients who use dissimilar protocols to
communicate through a single Domino server. The application proxy does not allow Internet protocols --
for example, HTTP, IMAP, and LDAP -- to use a Domino passthru server to communicate, however. For
Internet protocols, you can use an HTTP proxy with the HTTP Connect method to act as a circuit-level
proxy.
A Notes client or Domino server can also be a proxy client and interoperate with either passthru (NRPC
protocol only) or as a SOCKS or HTTP tunnel client (for NRPC, POP3, LDAP, IMAP, and SMTP
protocols). You set this up in the Proxy setting in the client Location document.
If you are using the Network Information Service (NIS), you must use the fully qualified domain name
and make sure NIS can coexist with DNS.
For information on configuring these settings, see the documentation for your network operating system.
You must first connect the server to the untrusted network -- for example, the Internet -- and then set up
Notes workstations and Domino servers to use the passthru server as a proxy when accessing services
outside the trusted network.
To set up a workstation or server to use the passthru server, you must specify the passthru server in the
Location document for a workstation and in the Server document for a server.
Chapter 2. Setting Up the Domino Network 15
For more information on connecting a server to the Internet and passthru servers, see the chapter ″Setting
Up Server-to-Server Connections.″
If you use the Network File System (NFS) without maintaining the password file, users can breach
security by accessing files through NFS instead of through the Domino server. If this ″back door″ access
method is needed, isolate the network pathway on a LAN NIC and segment, and make sure that the
ability to access files through NFS is exclusive to this isolated secure network.
Database corruption
If the network connection fails while the Domino server is writing to a database on the file server or
shared NAS server, the database can become corrupted. In addition, the interdependence of the file
sharing protocols -- Server Message Block (SMB), Common Internet File System (CIFS), and Network File
System (NFS) -- and the remote file system can affect the Domino server’s performance. Domino
sometimes needs to open large numbers of remote files, and low latency for read/write operations to
these files is desirable.
To avoid these problems on Domino servers, consider doing one or more of the following:
v Create an isolated network and use cut-through (non-buffering) layer-2 switches to interconnect the
Domino server to the NAS system.
v Limit access to the NAS system to the Domino server.
v Reduce the number of hops and the distance between hops in the connection pathways between the
Domino server and the storage system.
v Use a block protocol instead of a file protocol.
v Use a private storage area network (SAN) instead of a shared NAS system.
v Avoid creating any file-access contention between Domino and other applications.
Security problems
When ″Encrypt network data″ is enabled, all Domino server and Notes workstation traffic is encrypted.
However, the file I/O between the Domino server and the file server or shared NAS server is not
encrypted, leaving it vulnerable to access by unauthorized users.
Advanced configurations
Use these topics to plan how to integrate Lotus Domino with the TCP/IP network when the Domino
server has more than one IP address or is partitioned:
v Advanced Domino TCP/IP configurations
v Partitioned servers and IP addresses
v Ensuring DNS resolves in advanced TCP/IP configurations
Moving to IPv6
This topic provides the information you need if your company is migrating to the IPv6 standard:
v IPv6 and Lotus Domino
For background information on how the Notes Name Service works with name-resolver services such
DNS, see the topic ″Resolving server names to network addresses in NRPC″ earlier in this chapter.
Within DNS, ″domain″ refers to a name space at a given level of the hierarchy. For example, the .com or
.org in a Web URL represents a top-level domain. In a domain such as acme.com, a DNS server -- that is,
a server running DNS software -- in the Acme company stores the records for all Acme servers, and an
administrator at Acme maintains those records.
When you set up a Notes workstation on the TCP/IP network, you normally rely on DNS to resolve the
name of the workstation’s Domino home server the first time the workstation tries to connect to it. As
long as the Notes workstation and Domino home server are in the same DNS domain level, DNS can
accomplish the resolve.
If you do not want to enter the FQDN in the Net Address field, you can change it to the simple IP host
name -- for example, app01 -- either during server setup or later by editing the Server document. For
example, you might use the simple IP host name if you are setting up multiple TCP ports for NRPC, a
configuration in which using the FQDN for each network address can cause connection failures if the
Notes Name Service returns the FQDN for the wrong TCP port. In this case, using the simple IP host
name ensures that DNS does a lookup in all domain levels within the scope of the domains defined in
the requesting system’s TCP/IP stack settings.
CAUTION:
In a production environment, do not use IP addresses in Net Address fields. Doing so can result in
serious administrative complications if IP addresses change or if Network Address Translation (NAT)
connections are used, as the values returned by the Notes Name Service will not be correct.
Note: In companies using multiple DNS domains, a Domino secondary name server ensures that a Notes
workstation can connect with its home server even when the home server is in a different DNS domain.
You can use policies to automate the setup of secondary name servers.
For more information, see the topic ″Ensuring DNS resolves in NRPC -- Best practices″ later in this
chapter. For information on policies, see the chapter ″Using Policies.″
Master Browser cache (for NT domains or SAMBA servers) -- Collects broadcasted names and IP
addresses and publishes them across the NT domain to other Master Browser systems for Windows ®
systems to access in their name lookups.
v Windows Internet Name Service (WINS) -- Uses NetBIOS broadcasts. Unlike DNS, which is static in
nature, WINS is dynamic. Note that the TCP/IP stacks of Macintosh and UNIX client systems may not
be able to access the WINS server.
v LAN Manager Hosts (LMHosts) -- A static hosts file method.
CAUTION:
On a Windows system, the combination of the system’s native NetBIOS over IP name-resolver service
and DNS can cause name resolution failure for the Domino server name.
For information on avoiding this problem, see the topic ″Server name-to-address resolution over
NetBIOS″ later in this chapter.
Note: When you choose a common name for a Domino server that uses DNS, use only the characters 0
through 9, A through Z, and the dash (-). Do not use spaces or underscores.
Note: The DNS names held in Lotus Notes and Lotus Domino are not case sensitive; Notes workstations
and Domino servers always pass DNS names to DNS in lowercase.
You can avoid problems and extra work if you consider the DNS configuration, as well as the effect of
other protocol name-resolver services, when you choose the format for the common name of the Domino
server.
To avoid name-resolution problems that affect all TCP services on Windows systems, see the topic
″Ensuring DNS resolves on Windows systems -- All TCP protocols.″
For procedures to help you avoid DNS problems in NRPC, see these topics:
v Ensuring DNS resolves in NRPC -- Best Practices
v Ensuring DNS resolves in NRPC -- Alternative practices
v Ensuring DNS resolves in NRPC -- A practice to use with caution
For naming requirements when using Domino Off-Line Services (DOLs) or Domino Web Access, see the
chapter ″Installing and Setting Up Domino Servers.″
Note: For a Domino server on Windows 2000, problems occur only if you enable name services for
NetBIOS over IP in order to join an NT domain using Server Message Blocks (SMB).
For example, for the Domino server BosMail02/Acme, the common name is BosMail02. You name the
system NT-BosMail02. You create an A record in DNS for NT-BosMail02.acme.com and a CNAME record
for BosMail02.acme.com, linking it with NT-BosMail02.acme.com.
When you have one DNS domain: If your company uses only one DNS domain, doing the following
eliminates the need for CNAME records in DNS:
1. Assign the same name as both the Domino server common name and the simple IP host name
registered with DNS.
2. Make sure the Net Address field on the Server document contains the server’s FQDN.
3. Create an A record (or, for IPv6, AAAA record) in DNS.
For example, you set up the Domino server App01/Engr/Acme. Thus, you register the server with DNS
as app01, the server’s common name. The Net Address field in the Server document contains
app01.acme.com (the server’s FQDN), and the A record is: app01.acme.com IN A 192.168.10.17.
When you have multiple DNS domain levels: If your company uses multiple DNS domain levels -- for
example, when each country in which a multinational company has offices is a subdomain in DNS --
doing the following eliminates the need for multiple CNAME records in DNS and ensures that DNS
lookups always work, regardless of the DNS domain level of the user’s system:
1. Assign the same name as both the Domino server common name and the simple IP host name.
2. Make sure the Net Address field on the Server document contains the server’s FQDN.
20 Lotus Domino Administrator 7 Help
3. Create an A record (or, for IPv6, AAAA record) in DNS.
4. If users’ systems are in a different DNS domain than that of their home server or in a DNS
subdomain of their home server’s domain, set up a secondary name server. Place this secondary name
server on the same physical network as the users’ systems or on a network that the users can access.
Note: Register the secondary name server in the root of the company’s DNS domain.
5. Set up all Notes users or a subset of users affected by Step 4, or set up an individual Notes user.
For more information on setting up groups of users, see the chapter ″Using Policies.″ For more
information on setting up an individual Notes user, see the topic ″Setting up a secondary name
server″ later in this chapter.
For example, you register the Domino server ParisMail01/Sales/Acme with DNS as
parismail01.france.acme.com. Parismail01 is the home server for some users in the DNS subdomain
spain.acme.com. You set up a secondary name server, Nameserver/Acme, register it with DNS as
nameserver.acme.com, and ensure that the Location documents of users who need a secondary name
server point to this server.
When a user in spain.acme.com attempts a first connection with the home server
(parismail01.france.acme.com), the connection fails because the DNS subdomain for spain.acme.com has
no records for the subdomain france.acme.com. Notes then connects successfully with the secondary
name server (nameserver.acme.com), since the DNS subdomain for spain.acme.com does include the
records for acme.com. When the secondary name server supplies the Notes workstation with the FQDN
from the Net Address field in the Server document for ParisMail01, DNS resolves the FQDN to an IP
address, and the user can access mail.
As long as all Server documents in the Domino domain have the TCP/IP network address in FQDN
format, this approach allows any Notes workstation or Domino server to locate any Domino server,
regardless of its DNS domain level.
Domino server names that differ from their DNS names: When your name scheme for Domino servers
is different than that for DNS, use one of the following methods to translate the Domino server’s name to
the host name:
v Create a local Connection document on each Notes client and Domino server that needs to connect to
the Domino server, and enter the FQDN for the system that hosts the Domino server in the Net
Address field. For example, for the Domino server named App01/Sales/Acme on the system registered
with DNS as redflier, enter redflier.acme.com in the Net Address fields of the Connection documents.
v Use an alias (CNAME) record in DNS to link the Domino server common name to the simple IP host
name. For example, for the Domino server App01/Sales/Acme on the system registered with DNS as
redflier, use a CNAME record to link the name App01 to the name redflier. When a Notes workstation
first accesses this server, it obtains the host name from the Net Address field of the Server document
and caches it, thereby making future connections faster.
IP addresses in Connection documents: In situations in which you don’t want to use any name-resolver
service -- such as bringing up a new server system that you don’t want known yet, or having a server on
the Internet that you want accessible but for which you can’t use DNS -- create Connection documents
that directly tell Notes workstations or Domino servers how to access this Domino server by using the
server’s IP address in the documents’ Net Address fields.
Network Address Translation (NAT): NAT is a method of translating an IP address between two
address spaces: a public space and a private space.
Private addresses are IP address spaces that have been reserved for internal use. These addresses are not
accessible over the Internet (non-routable) because network routers within the Internet will not allow
access to them.
The following address spaces have been reserved for internal use. It is best to use these IP addresses and
not make up your own.
v Class A: 10.0.0.0 to 10.255.255.255
v Class B: 127.16.0.0 to 172.31.255.255
v Class C: 192.168.0.0 to 192.168.255.255
For example, users inside a company access the Domino server based on its assigned IP address, which is
a private address (192.168.1.1). Internet users must access the Domino server through a NAT router,
which converts the private address to one of its static public addresses (130.20.2.2). Therefore, a Notes
client accessing the server from the Internet uses the public address.
When you have multiple DNS domain levels: If your company uses multiple DNS domain levels -- for
example, when each country in which a multinational company has offices is a subdomain in DNS -- do
the following:
1. Use the server’s FQDN as the Domino server common name.
2. Create an A record (or, for IPv6, AAAA record) in DNS.
For example, if you register a server with DNS as app01.germany.acme.com, you can also assign the
Domino server’s common name as app01.germany.acme.com. In this case, the server’s Domino
hierarchical name might be app01.germany.acme.com/Sales/Acme.
Domino supports both IPv6 and IPv4. Thus, if an IPv6-enabled Domino server encounters an IP address
in IPv4 format, the Domino server can still make the connection to that address. When attempting to
connect to a server, Domino tries to resolve all IP addresses for a server until one works. This allows a
server to have both an IPv4 address and an IPv6 address. Domino caches the last successful address for a
server and uses only the cached address to quickly search for a server. If you do not want to use only the
cached address, enter the NOTES.INI setting DONT_USE_REMEMBERED_ADDRESSES=1.
In DNS, records that store IPv6 addresses are called AAAA records. After you enable IPv6 on a Domino
server and add the server’s AAAA record to DNS, another IPv6-enabled Domino server can connect to it
only over IPv6. Servers that don’t support IPv6 can run Domino with IPv6 support disabled, which is the
default. These servers can successfully connect to IPv6-enabled Domino servers only if the DNS for the
IPv6 servers contain A records.
IPv6 addresses contain a varying number of colons; therefore, the syntax shown above can not be used
with IPv6 addresses. To be consistent with a proposed format for Web servers, if the port number is
included with an IPv6 address, the address must be enclosed in square brackets.
The following address formats can be used wherever address strings are supported, for example, in
Server documents, in the Open Database dialog box, or in the Port Trace dialog box.
9.95.77.78
9.95.77.78:1352
[9.95.77.78]
[9.95.77.78]:1352
fe80::290:27ff:fe43:16ac
[fe80::290:27ff:fe43:16ac]
[fe80::290:27ff:fe43:16ac]:1352
Prior to installing the IPv6 stack, check to see if IPv6 is configured on your system by using the following
commands according to platform:
Platform Commands
Microsoft Windows platforms ipconfig /all
All other platforms ifconfig -a
After installing IPv6, use that same command to verify that IPv6 is available.
Microsoft Windows 2003 server platform: To enable IPv6 on the Microsoft Windows 2003 server
platform, use
netsh interface ipv6 install
Microsoft Windows XP client: To enable IPv6 on the Microsoft Windows XP client, use
netsh interface ipv6 install
United Linux platform: IPv6 is enabled by default on the United Linux platform.
Zones: In the IPv6 standard, when link local address and site local address are used, an additional
parameter is required to specify the interface on which the address is valid. In the API, this additional
parameter is called the scope_id; in user documentation, the parameter is called the zone. In Notes and
Domino 7, use the format address string followed by the percent sign (%) followed by the zone.
On Microsoft Windows, the zone is an integer index into the interface list with the first interface being
zone one.
Domino 7 supports two Notes ports for Internet servers. The user interface specifies two Notes port
names in the NOTES.INI variable SMTPNotesPort. For example,
SMTPNotesPort=TCPIP,TCPIP6
There is one restriction. If either of the ports is shut down (stop port tcpip) the Internet servers
momentarily shut down both ports and restart listening on the one remaining port. Also, outbound
connections for any address will succeed on any TCP port. For outbound connections, Domino creates the
proper socket to handle the attempted target address.
Making outbound connections with a TCP port bound to an IP address: When a client or a server
making outbound connections has a TCP port bound to a specific IP address, using the NOTES.INI
setting SMTPNotesPorts= <TCPIPAddress>, the bound port can only make outbound connections of the
type of the bound IP Address. For example, if a server binds the Notes Port TCPIP to an IPV4 address
and the Notes Port TCPIP6 to an IPV6 address, then port TCPIP can only make outbound connections to
IPV4 addresses and port TCPIP6 can only make outbound connections to IPV6 addresses.
In a configuration that includes IPV4 and IPV6 Notes ports bound to IP addresses, the ports listed in the
Connection documents must include all TCP ports over which the connection can possibly be made. For
example, if you create a Server Connection document from serverA to serverB, and serverB’s DNS name
can resolve to both an IPV4 address and an IPV6 address, and you want the connection to work over
IPV4 or IPV6, you must include both ports in the Connection document.
When an IPv4 or an IPv6 socket is created and used: Use the following set of rules to determine
whether to use an IPv4 or IPv6 socket:
v When connecting or listening, if IPv6 is not enabled, always create an IPv4 socket.
Note: The address 0 indicates that a listener is willing to listen to any address. Applying the above set of
rules, note the following:
v To create an IPv6 socket that listens to any IPv6 address, do not bind to an address.
v To create an IPv4 socket that listens to any IPv4 address, bind it to address ::ffff:0.0.0.0
On UNIX servers, an IPv6 socket bound to any address accepts all incoming connections, but on
Windows the same socket only listens to incoming IPv6 connections.
On Linux, if one port binds to the ″any″ address and IPv6 is enabled, a second port cannot bind to a
specific IPv4 or IPv6 address. If this is attempted, an ″Address is already in use″ error is returned.
Example 1-- No IPv6 support (Applies to all platforms): No change required. IPv6 is off by default.
Example 2 -- UNIX platform supporting all valid IPv4 and IPv6 addresses: TCP_EnableIPv6=1
Example 2 assumes that no ports are bound to any addresses. By default, on UNIX, the single unbound
listening socket is IPv6. The IPv6 socket can receive connections from any IPv4 or IPv6 address.
Example 3 -- Microsoft Windows platform supporting all valid IPv4 and IPv6 addresses:
TCP_EnableIPv6=1
TCPIP=TCP, 0, 15, 0
TCPIP6=TCP, 0, 15, 0
PORTS=TCPIP,TCPIP6
TCPIP_TCPIPADDRESS=0,[::ffff:0.0.0.0]:1352
SMTPNotesPort=TCPIP,TCPIP6
Example 3 assumes that no ports are bound to any addresses. On Microsoft Windows, by default, the
TCPIP6 port is an IPv6 socket because IPv6 is enabled. The TCPIP port is an IPv4 socket, because its
bound address has the IPv4 format. Both listen to all addresses because the bound address is 0. The
SMTPNotesPort variable is required to force the SMTP listener to listen on two sockets -- one for IPv4
and one for IPv6.
Example 4 -- UNIX (but not Linux 2.4) partitioned servers. Each server listens to its assigned IPv4 and
IPv6 addresses only: Each Server:
TCP_EnableIPv6=1
TCPIP=TCP, 0, 15, 0
TCPIP6=TCP, 0, 15, 0
TCPIP_TCPIPADDRESS=0,9.33.162.84:1352
TCPIP6_TCPIPADDRESS=0,[fe80::209:6bff:fecd:5b93]:1352
SMTPNotesPort=TCPIP,TCPIP6
Example 5 -- Microsoft Windows (and Linux 2.4) partitioned servers. Each server listens to its assigned
IPv4 and IPv6 addresses only: Each Server:
TCP_EnableIPv6=1
TCPIP=TCP, 0, 15, 0
TCPIP6=TCP, 0, 15, 0
PORTS=TCPIP,TCPIP6
TCPIP_TCPIPADDRESS=0,9.33.162.84:1352
TCPIP6_TCPIPADDRESS=0,[fe80::209:6bff:fecd:5b93%4]:1352
SMTPNotesPort=TCPIP,TCPIP6
The difference here is that Microsoft Windows and Linux 2.4 require the use of the zone in the address
even for addresses bound to listeners if the address is a link local address. The same effect can also be
achieved as shown in Example 5A.
Examle 5A -- Microsoft Windows and Linux 2.4 partitioned servers. Each server listens to its assigned
IPv4 and IPv6 addresses only: For each server:
TCP_EnableIPv6=1
TCP_DefaultZone=4
TCPIP=TCP, 0, 15, 0
TCPIP6=TCP, 0, 15, 0
PORTS=TCPIP,TCPIP6
TCPIP_TCPIPADDRESS=0,9.33.162.84:1352
TCPIP6_TCPIPADDRESS=0,[fe80::209:6bff:fecd:5b93]:1352
SMTPNotesPort=TCPIP,TCPIP6
Example 6 -- Any client wants to make outbound IPv4 connections: No change required
Example 6A -- A UNIX client (not Linux 2.4) wants to make an outbound IPv6 connection:
TCP_EnableIPv6=1
Connect to an IPv6 address, or to a DNS or hosts file resident name that resolves to an IPv6 address.
Connect to an IPv6 address, or to a DNS or hosts file resident name that resolves to an IPv6 address. If
the address is a link local address, it must include the zone, such as fe80::209:6bff:fecd:5b93%4, or the
local NOTES.INI file must contain a default zone, or the zone must be included in the local bound
address. Such addresses must NEVER be stored in DNS, in Server documents, or Connection documents.
If an IPv6-capable computer running Windows XP enables IPv6 and it is DHCP, it will automatically
have its QUAD A record stored in DNS and it is stored without a zone, because the zone is a local
construct. Therefore, the ONLY way to use such a DNS entry is to have a default zone in NOTES.INI.
Example 7A -- Microsoft Windows / Linux 2.4 client wants to make outbound connection via IPv6:
TCP_EnableIPv6=1
TCP_DefaultZone=4
Connect to an IPv6 address, or to a DNS or hosts file resident name that resolves to an IPv6 address. If
the address is a link local address, it need not include the zone, such as fe80::209:6bff:fecd:5b93 because
the zone is defaulted by the NOTES.INI variable.
Example 7B -- Microsoft Windows / Linux 2.4 client wants to make outbound connection via IPv6:
TCP_EnableIPV6=1
TCPIP=TCP, 0, 15, 0
PORTS=TCPIP
TCPIP_TCPIPADDRESS=0,[fe80::209:6bff:fecd:5b93%4]:1352
Connect to an IPv6 address, or to a DNS or hosts file resident name that resolves to an IPv6 address. If
the address is a link local address, it need not include the zone, such as fe80::209:6bff:fecd:5b93 because it
is defaulted by the bound address’s zone.
Enabling Internet protocols on both TCP/IP and TCP/IPV6 ports: Add the following settings to the file,
NOTES.INI:
v ldapnotesport=tcpip,tcpipv6
v imapnotesport=tcpip,tcpipv6
v smtpnotesport=tcpip,tcpipv6
v pop3notesport=tcpip,tcpipv6
For a configuration with multiple IP addresses, you must bind each listening port to the appropriate IP
address to ensure that each TCP service receives the network connections intended for it.
For more information, see the topics ″Binding an NRPC port to an IP address″ and ″Binding an Internet
service to an IP address″ later in this chapter.
Note: A configuration with multiple NICs does not increase the number of Domino sessions you can
have on a server. In TCP/IP, machine capacity depends on processors and memory.
For a configuration with multiple addresses and one NIC, you must configure the TCP/IP stack and bind
each listening port to an IP address.
Lotus Domino is designed to listen for TCP/IP connections on all NICs in a computer system. If more
than one partition is hosting the same service (NRPC, SMTP, POP3, IMAP, LDAP, or HTTP), fine-tune
which partitions listen for which connections by associating each service’s TCP port with a specific IP
address.
For more information on associating services with IP addresses, see the topics ″Binding an NRPC port to
an IP address″ and ″Binding an Internet service to an IP address″ later in this chapter.
As an alternative to using a separate NIC for each IP address, you can use a single NIC and still assign a
separate IP address to each partition.
For more information, see the topic ″Assigning separate IP addresses to partitions on a system with a
single NIC″ later in this chapter.
If you are unable to assign a separate IP address to each partition, you can use port mapping.
For more information on port mapping, see the topic ″Configuring a partitioned server for one IP address
and port mapping″ later in this chapter.
Note: As an alternative to port mapping, you can use port address translation (PAT), in which a firewall
redirects the TCP port connection to a different TCP port. Both port mapping and PAT require advanced
skills to implement correctly.
For information on servers accessing a private LAN in a Domino cluster, see the book Administering
Domino Clusters.
Users in different DNS subdomains accessing one Domino server: If users are on two isolated
networks and the Domino server has a NIC for each network, use DNS to direct the users to the NIC the
server shares with them.
1. Assign an IP address to each NIC by creating A records (or, for IPv6, AAAA records) in DNS. Use the
ping command and the IP address to test the responsiveness of the NIC.
Note: If the Domino server is running Windows and there is a route between the two networks,
prevent the NetBIOS broadcasts from exiting from both adapters by using the Windows Control Panel
to disable one instance of the WINS client. Use the Bindings tab of the Network dialog box, select All
Adapters, and select the name of the NIC for which you want to disable WINS.
2. Create two CNAME records in DNS for the Domino server, linking the server’s common name to each
NIC name in the A records. (Using CNAME records for the Domino server provides diagnostic
fidelity to test the network pathway independently of the server’s name resolve.)
3. Add a second Notes network port for TCP/IP in Domino.
For more information, see the topic ″Adding a network port on a server″ later in this chapter.
4. Bind each TCP/IP port to the IP address of the appropriate NIC. On the server console, verify that
both TCP/IP ports are active and linked to the correct IP address.
Example: At the Acme company, some users connect to the Domino server Chicago/Sales/Acme over
an Ethernet network, others over a Token Ring network. Register the Domino server with DNS as
chicago.east.acme.com for the users on the Ethernet network and as chicago.west.acme.com for users on
the Token Ring network.
1. Create start of authority (SOA) table entries in DNS for the subdomain east.acme.com, as follows:
chi-ethernet A 10.20.20.2
chicago CNAME chi-ethernet
2. Create SOA table entries in DNS for the subdomain west.acme.com, as follows:
chi-tokenring A 10.10.10.1
chicago CNAME chi-tokenring
3. Change the name of the original Notes network port for TCP/IP to TCPIP1, and name the second
port TCPIP2.
4. Use the NOTES.INI file to bind TCPIP1 to the IP address for the Ethernet network and to bind
TCPIP2 to the IP address for the Token Ring network.
5. In the Server document’s Net Address field for each TCP/IP port, enter chicago.
6. On the Ethernet users’ workstations, set the DNS name lookup scope to east.acme.com, and on the
Token Ring users’ workstations, set it to west.acme.com.
User-to-server access and server-to-server access via different DNS subdomains: If users need to access
a Domino server over the LAN and other Domino servers need to access the same server over the WAN,
add a second NIC to the server. Then use DNS to direct the users to the NIC for the LAN and to direct
other servers to the NIC for the WAN.
1. Assign an IP address to each NIC by creating an A record (or, for IPv6, AAAA record) in DNS. Use
the ping command and the IP address to test the responsiveness of the NIC.
Note: If the Domino server is running Windows and there is a route between the two networks,
prevent the NetBIOS broadcasts from exiting from both adapters by using the Windows Control Panel
to disable one instance of the WINS client. Use the Bindings tab of the Network dialog box, select All
Adapters, and select the name of the NIC for which you want to disable WINS.
2. Create two CNAME records in DNS for the Domino server, linking the server’s common name to each
NIC name in the A records. (Using CNAME records for the Domino server provides diagnostic
fidelity to test the network pathway independently of the server’s name resolve.)
3. Add a second Notes network port for TCP/IP in Domino.
For more information, see the topic ″Adding a network port on a server″ later in this chapter.
4. Bind each TCP/IP port to the IP address of the appropriate NIC. On the server console, verify that
both TCP/IP ports are active and linked to the correct IP address.
For more information on binding ports to IP addresses, see the topic ″Binding an NRPC port to an IP
address″ later in this chapter.
5. To direct the Domino server’s first outbound connection to the server-to-server network, edit the
PORT setting in the NOTES.INI file to read as follows:
PORT=serverportname, userportname
Note: Listing the port that users will use first is important, as the Notes Name Service cannot
distinguish which NIC a user is accessing and makes the connection based on the content of the Net
Address field for the first TCP/IP port listed in the Server document.
7. In the Server document’s Net Address field for the second TCP/IP port (the port that servers will
use), enter the FQDN, using the server’s common name and the servers’ DNS subdomain.
An initiating server uses its local Domino Directory to detect the Notes named network it has in
common with this server.
8. Set each user’s DNS name lookup scope to the correct DNS subdomain.
9. In each server’s TCP/IP stack, set the DNS name lookup scope to the correct DNS subdomain.
Example: At the Acme company, users connect to the Domino server BostonApp04/Sales/Acme over
the LAN, and other Domino servers access it privately over the WAN. You register the server with DNS
as bostonapp04.boston.acme.com for the LAN users and as bostonapp04.domino.acme.com for the
server-to-server network over the WAN.
1. Create the following SOA table entries in DNS for the subdomain boston.acme.com, as follows:
usr-bostonapp04 A 103.210.20.2
bostonapp04 CNAME usr-bostonapp04
2. Create the following SOA table entries in DNS for the subdomain domino.acme.com, as follows:
srv-bostonapp04 A 103.210.41.1
bostonapp04 CNAME srv-bostonapp04
3. Change the name of the original Notes network port for TCP/IP to TCPIP1, and name the second
port TCPIP2.
4. Use the NOTES.INI file to bind TCPIP1 to the IP address for the user network, to bind TCPIP2 to the
IP address for the server-to-server network, and to add the setting PORT=TCPIP2, TCPIP1.
5. In the Server document’s Net Address field for port TCPIP1, enter bostonapp04.boston.acme.com. For
port TCPIP2, enter bostonapp04.domino.acme.com.
6. On each user’s workstation, set the DNS name lookup scope to boston.acme.com. In the TCP/IP
stacks of the servers that need to connect to this server, set the name lookup scope to
domino.acme.com.
Note: Although you can add some NetBIOS services to Linux and UNIX systems, NRPC communication
does not use them.
For detailed system requirements for using NetBIOS with Lotus Domino, see the Release Notes.
The risks of using NetBIOS involve the security of the file system on Domino servers. Depending on the
access permissions of the operating system and on the transport protocol being used, NetBIOS name and
file services might allow users to see or access the server’s file system. When a server provides NRPC
services, mitigate this risk by disabling the NetBIOS name and file services (SMB/CIFS) on the system so
that the system’s name cannot be seen over the network. Other Notes/Domino systems can still find the
Domino server because Lotus Domino has its own NetBIOS name service to propagate and register the
Domino server’s NetBIOS name, but access is secure because it is controlled by the authentication and
certification features in NRPC.
If the system on which you run Domino requires NetBIOS name or authentication services, mitigate the
security risk by isolating the NetBIOS services. Install an additional NIC on the system for NetBIOS over
a private administration network, and disable NetBIOS on the NIC that the Domino server uses.
Note: On Linux and UNIX systems, the SAMBA server service (Windows file server) can offer Server
Message Block/NetBIOS or Common Internet File System/IP access, or both.
For background information on how the Notes Name Service works with name-resolver services such as
the NetBIOS name service, see the topic ″Resolving server names to network addresses in NRPC″ earlier
in this chapter.
When you use the Notes Name Service with the NetBIOS name service, only a Notes or Domino system
using the same NetBIOS transport protocol as the destination Domino server can see the destination
server’s NetBIOS name. If the Notes or Domino system has more than one NIC for which the NetBIOS
transport protocol is enabled, only the NetBIOS port with the same LANA binding as that of the
destination server can see the destination server’s name.
Which physical address is registered for a Domino server depends on the transport protocol:
v For NetBIOS over NetBEUI, the NIC’s 32-bit MAC address is used.
For NetBIOS over TCP/IP, you can also do one of the following:
v Use a WINS server with a static entry.
v In the initiating system’s TCP/IP stack settings, enable NetBIOS name lookup by DNS. This works
even if you are not using any NRPC services; however, the destination server must be registered with
DNS.
Note: NetBIOS name space is flat, even with TCP/IP. If the client is not within the same DNS domain
level, access by name may not be possible.
CAUTION:
The resolution of a Domino server name can be adversely affected if the server name is the same as
the NetBIOS name for a Windows system.
To prevent this problem without making it difficult to manage system files remotely, do the following:
v On Windows 2000, add a preface such as W2K- to the system name, using the Network Identification
tab on the System Properties dialog box.
For more information on the NetBIOS name service, see Microsoft’s resource kit documentation for the
Windows 2000 operating systems.
After you install the server, you use the Domino Server Setup program to accept network defaults or
customize network settings.
For more information, see the chapter ″Installing and Setting Up Domino Servers.″
After you run the setup program, you may need to complete one or more of these tasks to finish setting
up Lotus Domino on the network:
v Change the default names assigned to Notes named networks to make them consistent with actual
network topography.
v Fine-tune network port setup by adding, enabling, renaming, reordering, disabling, or deleting ports or
by enabling network encryption or compression on a port.
v Complete tasks specific to the TCP/IP, or NetBIOS, protocol.
For information on connecting Notes workstations to the network, see Lotus Notes 7 Help.
After you complete the Server Setup program, rename the NNN for each network port in the Server
document. It is useful if the name reflects both the location of the network and its protocol. For example,
if your company has a TCP/IP network and has LANs in Boston and San Francisco, change the name of
the NNN in Boston to ″TCPIP Boston network,″ and change the name of the NNN in San Francisco to
″TCPIP SF network.″
CAUTION:
Domino assumes that all servers in a NNN have a continuous LAN or WAN connection. If this is not
the case, serious delays in mail routing between servers can occur. Be careful not to include servers
with only dialup connections in an NNN.
For information on configuring a communication port for a dialup modem, see the chapter ″Setting Up
Server-to-Server Connections.″
Use Domino Administrator to make these changes to a server’s network port setup:
v Disable a network port
v Enable a network port
v Add a network port
v Rename a network port
v Reorder network ports
v Delete a network port
v Encrypt network data on a port
v Compress network data on a port
Note: On a Notes workstation, you use the User Preferences dialog box to change port setup.
For more information on changing port preferences on a workstation, see Lotus Notes 7 Help.
For information on creating a Connection document on a Notes workstation, see Lotus Notes 7 Help.
For information on creating a Connection document on a Notes workstation, see Lotus Notes 7 Help.
Field Action
Port Enter the port name. Lotus Domino assigns a default port name to each network protocol
detected on the system.
If the Domino server has multiple TCP/IP ports, see the topic ″Reordering multiple server ports for
TCP/IP″ later in this chapter.
Note: When you create a Connection document on a server, the Connection document takes the port
order from the order in the Setup Ports dialog box. Then, whenever the server connects with the
Network data encryption occurs if you enable network data encryption on either side of a network
connection. For example, if you enable encryption on a server’s Notes network port for TCP/IP, you
don’t need to enable encryption on the TCP/IP ports of workstations or servers that connect to the
server.
If you want the server to have one TCP/IP port for Notes traffic over the Internet and another TCP/IP
port for internal traffic over NRPC, you can encrypt the port for Internet traffic and leave the port for
internal traffic unencrypted.
Be aware that multiple high-speed encrypted connections to a server can affect server performance
adversely. Encrypting network data has little effect on client performance. For protocols other than NRPC,
you use SSL for encryption.
For more information, see the chapter ″Setting Up SSL on a Domino Server.″
For compression to work, enable it on both sides of a network connection. To enable compression for a
network port on a server, use the Server tab in the Domino Administrator. To enable compression on
network ports on Notes workstations, from the Domino Administrator, use a setup or desktop policy
settings document or from a workstation, use the User Preferences dialog box.
WAN connections: Enabling network compression on X.PC ports can significantly reduce the time it
takes to send and receive data over a remote connection between a Notes workstation and a Domino
server or between two Domino servers.
You benefit from using network compression only if the data being transmitted is not already
compressed. In the case of a network dialup service such as Microsoft’s Remote Access Service (RAS)
which includes built-in compression, enabling compression on Notes network ports does not provide any
additional benefit. The same is true of tasks involving data that was compressed using the Lempel-Ziv
algorithm (LZ1 compression) -- such as replicating a mail file with a large number of compressed
attachments.
LAN connections: While compression decreases bandwidth use on a LAN, you must weigh this gain
against increased memory and processor use, since network compression works by buffering data before
compressing it. The cost of compression might be worth it only for a heavily loaded network.
Note: You can use setup or desktop policy settings to assign secondary name servers to groups of users.
Note: Unless the connection is over a dial-on-demand ISDN modem, remote bridge, or router, it is
best to enter a number no greater than 10, as the Notes client or Domino server won’t retry the
connection until the timer has expired.
6. Click OK.
To enable IPv6, add this NOTES.INI setting to the server’s NOTES.INI file:
TCP_EnableIPV6=1
Server-to-server communication: If you add a second Notes network port for TCP/IP in order to isolate
server-to-server communication -- for example, a private network for cluster replication -- list this port
first in the NOTES.INI file so that server-to-server traffic will tend to occur over this connection, thus
decreasing the data flow on the port for the user network. To change the port order in the NOTES.INI
file, use the Port Setup dialog box.
For more information, see the topic ″Reordering network ports on a server″ earlier in this chapter.
Note: If you are setting up a private cluster network and do not list the server port first, you must add
the setting Server_Cluster_Default_Port to the NOTES.INI file. The disadvantage of adding this setting is
that if the server encounters a problem connecting over this port, it will not try another port, and
replication will not occur.
For more information on the Server_Cluster_Default_Port setting, see the appendix ″NOTES.INI File.″
To reorder the ports in the Server document, click the Ports - Notes Network Ports tab, and edit the fields
in the table.
For background information on Domino server setups with multiple IP addresses, see the topic
″Advanced Domino TCP/IP configurations″ earlier in this chapter.
To bind an NRPC port to an IP address: When setting the NOTES.INI variables for port mapping, do
not include a zone in a port mapped address. The zone is only valid locally.
1. For each IP address, make sure you have added a Notes port for TCP/IP. Also make sure that each
port has a unique name.
For information on adding a Notes port, see the topic ″Adding a network port on a server″ earlier in
this chapter.
2. In the NOTES.INI file, confirm that these lines appear for each port that you added:
Ports=TCPIPportname
TCPIPportname=TCP, 0, 15, 0
Note: For IPv6, enclose the address in square brackets, as it contains colons. For example:
TCPIP_TCPIPAddress=0,[fe80::290:27ff:fe43:16ac]
4. (Optional) To help you later remember the function of each port, add the default TCP port number for
NRPC to the end of the line you entered in Step 3, as follows:
:1352
CAUTION:
Do not change the assigned TCP port number unless you have a way to redirect the inbound
connection with Domino port mapping or a firewall that has port address translation (PAT).
In a situation where you must change the default NRPC port number, see the topic ″Changing a TCP
or SSL port number″ later in this chapter.
For the Domino Web server (HTTP service), you use the Server document to bind HTTP to a host name
IP address.
Note: If you don’t know the port name to enter for an NRPC port, open the Server document, click
the Ports - Notes Network Ports tab, and look at the ports associated with the TCP protocol.
Service Action
POP3 Enter POP3NotesPort=port namewhere port name is the name of the NRPC port that you want
to link the service to.
IMAP Enter IMAPNotesPort=port namewhere port name is the name of the NRPC port that you want
to link the service to.
SMTP Enter SMTPNotesPort=port namewhere port name is the name of the NRPC port that you want
to link the service to.
LDAP Enter LDAPNotesPort=port namewhere port name is the name of the NRPC port that you want
to link the service to.
ICM Enter ICMNotesPort=port namewhere port name is the name of the NRPC port that you want
to link the service to.
Example: The following example shows the lines (in bold) to add to the Ports section of the NOTES.INI
file to bind two NRPC ports to their IP addresses and to specify the second NRPC port for the SMTP
service.
Ports=TCPIP, TCP1P2
Note: Domino adds the lines that are not bold when you use either the Domino Server Setup program or
the Domino Administrator’s Setup Ports dialog box to enable a port.
Note: If the server is a partitioned server and has Web sites configured with separate IP addresses, or has
virtual servers (Domino 5) configured for one or more partitions, enter the partition’s IP address, and
each Web site or virtual server’s IP address in the ″Host name(s)″ field, separated by semicolons.
Alternatively, you can use FQDNs in this field. Do not list additional Web sites and virtual hosts that
have IP addresses that are already listed in this field.
Example 1 -- Server partition with Web sites: The partition’s host name is app01 and there are two Web
sites configured for it: sales.acme.com and accounting.acme.com. The Web site sales.acme.com uses the
same IP address as the partition, and the Web site accounting.acme.com has its own IP address. Enter the
following in the ″Host name(s)″ field:
9.88.43.113;9.88.46.110
where 9.88.43.113 is the IP address for both the partition and the Web site sales.acme.com and 9.88.46.110
is the IP address for the Web site accounting.acme.com.
Example 2 -- Server partition with virtual servers: The partition’s host name is app01 and there are two
virtual servers (9.88.46.114 and 9.88.46.115) and one virtual host configured for it. Enter the following in
the ″Host name(s)″ field:
9.88.43.113;9.88.46.114;9.88.46.115
where 9.88.43.113 is the IP address for both the partition and the virtual host sales.acme.com, 9.88.46.114
is the IP address for virtual server 1 (accounting.acme.com), and 9.88.46.115 is the IP address for virtual
server 2 (northeastsales.acme.com).
For information on Web sites and Internet Site documents, see the chapter ″Installing and Setting Up
Domino Servers.″
Note: Using separate IP addresses with a single NIC can have a negative impact on the computer’s I/O
performance.
For background information on partitioned servers and the TCP/IP network, see the topic ″Partitioned
servers and IP addresses″ earlier in this chapter.
To disable an IP address in IBM AIX or Linux: Do not remove the IP address of a server partition that
uses the computer host name as its server name.
1. Enter this command at the console:
/usr/sbin/ifconfig interface delete server_name
where interface is the name of the network interface, and server_name is the name of the partitioned
server.
2. Remove the partition’s name entry from the local host names /etc/hosts file.
3. Remove the corresponding ifconfig command from the system startup /etc/rc.net file.
Sun Solaris: This procedure is for Sun Solaris 2.6. You must have superuser privileges to configure the
NIC.
To disable an IP address in Sun Solaris: Do not remove the IP address of the server partition that uses
the computer host name as its server name.
1. To disable the IP address, type:
/sbin/ifconfig hme0:n down
where n is the number assigned to the file that contains the server name. For example:
/sbin/ifconfig hme0:1 down
2. Remove the corresponding /etc/hostname.hme0:n file. For example, to remove Server2, remove the
/etc/hostname.hme0:1 file, which contains the name Server2.
3. Remove the partition’s server name entry from the local host names /etc/hosts file.
Windows: To configure a single NIC for multiple IP addresses on Windows systems, do the following:
v For Windows 2000, use the Network and Dial-up Connections icon on the Control Panel , and then the
Local Area Connection icon. Click the Properties button. For more information, see the Windows 2000
documentation.
If the port-mapping partition fails, existing sessions on the other partitions remain connected. In most
cases, Notes clients will not be able to open new sessions on any of the partitions. However, because each
Notes client maintains information in memory about recent connections, including those redirected by the
port-mapping partition, a client may be able to connect to a partition even when the port-mapping
partition is not running. A client or remote server that has a Connection document containing both the IP
address and the assigned port can always access the port-mapping partition.
Because the port-mapping partition requires extra system resources, consider dedicating the partition to
this task only. To do this, remove all other server tasks, such as mail routing and replication, from the
partition’s NOTES.INI file.
Port mapping works for NRPC communication only. However, you can use the Server document in the
Domino Directory to configure IMAP, LDAP, and POP3 services and Domino Web servers to use unique
ports for communication. When you do, you must make the port number available to users when they
try to connect to the servers.
To configure for one IP address and port mapping: When you set up port mapping, the port-mapping
partition automatically routes NRPC communication requests to the other server partitions.
Note: When setting the NOTES.INI variables for port mapping, do not include a zone in a port mapped
address. The zone is only valid locally.
1. Decide which server partition will perform port mapping.
2. Choose a unique TCP/IP port number for each server partition on the computer. The port-mapping
partition uses the assigned port, 1352. It is best to use port numbers 13520, 13521, 13522, 13523, or
13524 for the additional server partitions.
3. In the NOTES.INI file of the port-mapping partition, include one line for the port-mapping partition
and one line for each of the other partitions. For the port-mapping partition, enter:
TCPIP_TcpIpAddress=0,IPAddress:1352
where TCPIP is the port name, and IPAddress is the IP address of the port-mapping partition.
For each of the other partitions, enter:
TCPIP_PortMappingNN=CN=server_name/O=org,IPaddress:TCP/IP port number
where TCPIP is the port name, NN is a number between 00 and 04 assigned in ascending sequence,
server_name is the server name of the partition, org is the organization name, IPAddress is the shared IP
address, and TCP/IP port number is the unique port number you chose for the partition.
Note: You must assign the numbers for NN in ascending order beginning with 00 and ending with a
maximum of 04. If there is a break in the sequence, Domino ignores the subsequent entries.
4. In the NOTES.INI file of each of the other partitions, include this line:
TCPIP_TcpIpAddress=0, IPAddress:IPport_number
where TCPIP is the port name, IPAddress is the shared IP address, and IPport_number is the unique
port number you chose for the partitioned server.
5. In the Net Address field on the Ports - Notes Network Ports tab in the Server document for each
partition, enter the fully qualified domain name -- for example, sales.acme.com -- or enter the
common server name -- for example, Sales.
6. Create an IP address entry for the port-mapping partition in the DNS, NIS, or the local hosts file.
7. Include each partition name as a separate CNAME entry in the DNS, NIS, or the local hosts file.
8. If you also plan to set up the partitions for IMAP, LDAP, and POP3 services and Web server
communication, assign to each protocol a unique port number in the ″TCP/IP port number″ field on
the appropriate subtabs (Web, Directory, and Mail) on the Ports - Internet Ports tab of the Server
document.
Note: You must make these port numbers available to users when they try to connect to these
servers. For example, if you assign port 12080 to the Web server acme.com, users must include
acme.com:12080 in the URL in order to connect to the server, unless they have a means to redirect the
connection to this port assignment.
Example: This example shows the lines you add to the NOTES.INI files of the server partitions to set up
port mapping for six partitions.
Partition 2:
TCPIP_TcpIpAddress=0,192.94.222.169:13520
Partition 3:
TCPIP_TcpIpAddress=0,192.94.222.169:13521
Partition 4:
TCPIP_TcpIpAddress=0,192.94.222.169:13522
Partition 5:
TCPIP_TcpIpAddress=0,192.94.222.169:13523
Partition 6:
TCPIP_TcpIpAddress=0,192.94.222.169:13524
Default port for NRPC: By default, all NRPC connections use TCP port 1352. Because the Internet
Assigned Number Authority (IANA) assigned Lotus Domino this port number, non-Domino applications
do not usually compete for this port.
To change the default NRPC port number, use the NOTES.INI setting TCPIPportname_TCPIPAddress and
enter a value available on the system that runs the Domino server. TCP ports with numbers less than
5000 are reserved for application vendors. You may use any number from 1024 through 5000, as long as
you don’t install a new application that requires that number.
Note: When setting the NOTES.INI variables for port mapping, do not include a zone in a port mapped
address. The zone is only valid locally.
Default ports for Internet services: You may occasionally need to change the number of the TCP or SSL
port assigned to an Internet service. Lotus Domino uses these default ports for Internet services:
Note: Make sure that your IP host names do not contain illegal characters such as spaces,
underscores, or ampersands.
5. If you use the Network Information Service (NIS), make sure that you have properly configured the
UNIX system for NIS. Make sure that the NIS hosts map contains the server name and IP address of
every Domino server with which you want to communicate.
6. Depending on your name-resolution practices, do one of the following:
v If your Domino server names are the same as the DNS host names, make sure you have followed
the instructions in the topics Ensuring DNS resolves on Windows systems -- All TCP protocols,
Ensuring DNS resolves in NRPC -- Best practices, and Ensuring DNS resolves in advanced TCP/IP
configurations.
v If your Domino server names are different from the DNS host names, use the ping command to
verify that all of the DNS names which represent the Domino server are responding from the
correct network areas, as well as the Domino server name, if needed.
v If you are using IP addresses in Connection documents, use the ping command to verify the IP
address itself.
v If you are using network address translation (NAT), verify that access is possible from both the
internal network and external Internet using the appropriate IP addresses. If you are using
name-resolver services, make sure that the external DNS offers out the public address and the
internal DNS offers out the private address.
For more information on the last three practices in Step 6, see the topic ″Ensuring DNS resolves in
NRPC -- Alternative practices″ earlier in this chapter.
NetBIOS systems using the same transport protocol should be in the same Notes named network. If you
create Connection documents on the server, the LAN port you select must also be for the same transport
protocol.
To find the LANA number for a NetBIOS protocol on a Windows XP or 2000 system: A Windows XP
or 2000 system does not have a direct means to see the LANA associations. For Windows XP or 2000
systems you can either review the system’s registry bindings or use a Microsoft tool called LANACFG to
see and change the LANA number assignments.
The following is an example of the tool’s output from a Windows 2000 server.
lanacfg [options]
showlanapaths - Show bind paths and component descriptions for each exported lana
setlananumber - Change the lana number of a bind path
rewritelanainfo - Verify and write out lana info to the registry
showlanadiag - Show lana diagnostic info
Server installation
The first step in deploying a Domino server is installation, or copying the program files to the system’s
hard drive.
For information on installing servers for hosted environments, see the chapter ″Setting Up the Service
Provider Environment.″
For information about installing the xSP server, see the topic Installing the first server or additional
servers for hosted environments.
For information about silent server installation, see ″Using silent server installation to install Domino on
Windows systems″ in this chapter.
1. Before you install the Domino server program files on a Windows system, do the following:
v Make sure that the required hardware and software components are in place and working.
v Read the Release Notes for operating system and network protocol requirements and for any
last-minute changes or additions to the documentation.
v Temporarily disable any screen savers and turn off any virus-detection software.
v Before running any Domino setup command, be sure to complete any pending reboot actions you
may have from installing other applications.
v Make sure that all other applications are closed. Otherwise, you may corrupt any shared files, and
the Install program may not run properly.
v If you are upgrading to Domino from a previous release, see the book Upgrade Guide.
2. Run the install program (SETUP.EXE), which is on the installation CD.
3. Read the Welcome screen, and click Next. Then read the License Agreement and click I accept the
terms in the license agreement, and then click Next.
4. Choose the program directory, and choose whether you are installing partitioned servers. Click Next.
5. Specify the data directory in which to copy the software. If you are installing a partitioned server, If
you are installing partitioned servers, specify a data directory for each partition.
Note: For partitions, use the Add button to add each of the data directories to the list. If they are not
added to the list they will not be installed.
6. Select the server type you acquired:
55
v Domino Utility Server -- Installs a Domino server that provides application services only, with
support for Domino clusters. The Domino Utility Server removes client access license
requirements. Note that it does NOT include support for messaging services. See full licensing text
for details.
v Domino Messaging Server -- Installs a Domino server that provides messaging services. Note that
it does NOT include support for application services or Domino clusters.
v Domino Enterprise Server -- Installs a Domino server that provides both messaging and
application services, with support for Domino clusters.
v Customize - Allows you to select the features you want to install.
Note: All installation types support Domino partitioned servers. Only the Domino Enterprise
Server supports a service provider (xSP) environment.
7. If you are installing partitioned servers, specify a data directory for each partition.
8. Review the summary information, and then select Next to begin installing files.
9. Click Finish to complete the install program.
10. Choose Start - Programs - Lotus Applications - Lotus Domino Server, or use the icons on your
Desktop to start the Server Setup program.
The ″server’″ portion of the path is a script that initializes a UNIX shell so that Domino programs can run
on UNIX.
While by default the actual location of the lotus directory is /opt/ibm/lotus, you can change it to any
location, for example, /local/lotus or /usr/lotus.
Before running Domino’s silent server install on a Windows system, do the following:
v Make sure that the required hardware and software components are in place and working.
v Read the Lotus Domino Release Notes for operating system and network protocol requirements. Check
the Release Notes for last-minute changes or additions that may impact the silent server install.
v Temporarily disable screen savers and turn off virus-detection software.
A response file created using the template method contains the literal values that are used during the
install process. It is generated prior to the execution of the installation and contains all of the default
installation options and paths. You can manually customize this file by editing options. The benefit of
using a template file is that you do not need to install a server in order to create the file.
A response file created using the record method is generated after the server install completes, at the time
the wizard exits and stores the values of the applicable wizard properties in the file. The recorded
response file is useful for saving a record of a specific wizard execution session which can later be reused
in a silent or modified installation. When you install a server, your customizations are saved to the
resulting response file, eliminating the need to edit the response file. This is the ″safer″ method because
you do not create issues caused by typos or incorrect entries and values.
Note: It takes several minutes for the response file to be created. When the SETUP.EXE file and the
JAVA.EXE file have finished running, the new response file is ready for use. To determine whether
SETUP.EXE and JAVA.EXE have finished running, check the Task Manager.
1. To create the response file, do one of these:
v Open the template file, modify the file as necessary, and then save the file to a new name.
v Save the file to a new file name, modify the file, and then save the file again.
2. Run the silent install referencing the response file.
When the response file has been created, perform the silent install of the Domino server.
1. Launch the server install with any of the command line parameters shown in the table below.
Express install is similar to a regular server install except that you have the additional option of
launching the server from the last window displayed during express install. During the express install,
you are presented with various dialog boxes and informational messages, as you would be during the
standard Domino server install; however, during express install, many of the options presented on the
dialog boxes are selected for you, resulting in a faster install process.
To run Domino’s Express Install, from the Installer command line, enter the following command:
setup -express
Note: Run Domino express server install from the full installation kit. It is not available for installation
from a Web kit.
Note: The command shown above uses the directory name ″tmp″ but you may name this directory
according to your own naming conventions.
Because the CIO feature is not supported for use with Domino servers, do not enable this option on file
systems that Domino accesses. If this option is enabled, Domino data may be corrupted which can causes
server crashes or performance issues.
Certain core file system items, such as file buffer cache, per-file lock or inode lock, and sync daemon, are
managed differently by the operating system with the CIO option enabled. Domino is not coded to
address these changes in behavior.
The CIO option is typically enabled as a flag when a file system is mounted. Use these steps to disable
the mount option:
1. Run this command for each file system mounted with CIO:
chfs -a options=rw /FS_NAME
Where /FS_NAME is the name of the mount point.
2. Unmount and remount each file system, or reboot, which has the same effect when done after
running the chfs commands.
3. To verify that the change was applied, run ’mount’ and verify that you do not see ″cio″ in the mount
options column, as shown in the examples.
For more information on the CIO feature, see the AIX whitepaper ″Improving Database Performance With
AIX Concurrent I/O″ at http://www-1.ibm.com/servers/aix/whitepapers/db_perf_aix.pdf
Note: Domino first server setup creates IDs with a default public key width of 1024 bits. If a different
key width is required, run SETUP.EXE to install the Domino files but before starting the server, open the
server’s NOTES.INI file, and then set SETUP_FIRST_SERVER_PUBLIC_KEY_WIDTH to the desired key
width. For example, for Domino R5-compatible keys, install the files for the Domino server by running
SETUP.EXE, but before starting the server, open the NOTES.INI file and then set
SETUP_FIRST_SERVER_PUBLIC_KEY_WIDTH=630. The public key width can be set to either 630 or 1024
when using the NOTES.INI variable.
Users require a Notes ID so that DOLS can synchronize the offline mail file with the server. The default
DOLS configuration will prompt the user for a Notes ID the first time they go offline with Domino Web
Access.
If you rename a user, the user must reinstall the DOLS offline subscription in order for the offline mail
file to synchronize with the server. After a name change, the user must wait for the old Notes ID and
password to stop working, accept the name change using a Notes client, then log on to Domino Web
Access with the new Notes ID and password.
Note: DOLS runs on Domino servers configured to work through a Microsoft IIS server.
Note: On the iSeries platform, the Server document is updated when a new server is configured or
an existing server is modified using the CFGDOMSVR or CHGDOMSVR CL command with
DOLS(*YES) specified.
For more information on configuring an iSeries server with DOLS, see the Lotus Domino 7 for iSeries
Release Notes.
4. Create a DOLADMIN.NSF database from the template DOLADMIN.NTF.
5. After the database is created, restart the Domino administrator and click the Configuration tab. The
name of the DOLADMIN.NSF is an option in the Navigation pane.
To set up Domino Web Access, choose ″Web Browsers (HTTP Web services)″ during Server Setup. If you
want to give users the ability to work off line, also choose Domino Off-Line Services (DOLS). DOLS is
not required to run Domino Web Access.
Note: When providing a Domino domain name, do not use a period. For example, use AcmeProduction
as a domain name instead of Acme.Production.
In the Domino Administrator, make sure that the Fully Qualified Domain name (FQDN) (such as
acme.lotus.com) is specified on the Basics tab of the Server document.
There are two versions of Sametime available for Domino 7.0, however these instruction apply to both
version. References to the Sametime server also apply to installing the limited use version. The two
versions are:
v IBM Lotus Instant Messaging Limited Use -- the default instant messaging capability that is included in
Domino 7.0.
v IBM Lotus Sametime® -- the full instant messaging product that includes Web conferencing capabilities.
It is available only if your organization purchased it.
For complete information on installing IBM Lotus Sametime, see the IBM Lotus Sametime 7.0 Installation
Guide for your operating system, and the IBM Lotus Sametime 7.0 Administrator’s Guide. To view or
download the Sametime documentation, go to http://www.lotus.com/LDD/doc.
Configuration Notes:
v For Mozilla, you must have at least Sametime 3.1 to run instant messaging integration. Previous
versions of Lotus Sametime are not supported in Domino Web Access on Mozilla.
v When you install Domino 7.0, the stlinks files that are installed in the stlinks directory (for example,
C:\st\domino\Data\domino\html\sametime\stlinks), are overwritten. If you have modified stlinks
files (for example, if the Sametime server is configured for tunneling) these files will be replaced. When
you are upgrade to 7.0, these files are backed up in a file called stlinks.sav. For additional information,
see the topic Customizing STLinks files for tunneling or reverse proxy servers.
v To access the Sametime server using a protocol that is different from the current Web page’s protocol,
use the NOTES.INI configuration setting iNotes_WA_SametimeProtocol.
v Sametime integration with Domino Web Access is not supported with JRE 1.4.1.
If the Sametime server is in a different domain than your Domino Web Access server, follow the
instructions in Setting up Sametime and Domino Web Access in different domains.
Make sure the Sametime server is functioning properly before proceeding. If you have multiple Sametime
servers in a single community, also make sure that Domino single sign-on (SSO) is functioning properly
between the servers. For complete information on working with multiple Sametime servers, see the IBM
Lotus Sametime 7.0 Administrator’s Guide, available on http:\\www.lotus.com/ldd/doc.
Part 3 - Create Connection documents: You need Connection documents for the Domino Web Access
and the Sametime server if the Sametime server is not in the same domain as the Domino Web Access
server. Also, if the Sametime server is in the same domain as the Domino Web Access server, but is not
clustered with the registration server, you need a Connection document in order to replicate the Domino
Directory.
Create Connection documents using the standard procedure, and include the information below:
Part 4 - Specify the Sametime server for Domino Web Access users: There are two ways to specify a
Sametime server for Domino Web Access users. You can edit the Configuration Settings document for the
Domino Web Access server, or you can edit the person document for each user who uses instant
messaging.
Method 1
To enable instant messaging and set the Sametime server for all Domino Web Access users at one time,
use the Instant Messaging settings in the Configuration Settings document, Domino Web Access tab. After
you have done this, individual users can enable or disable instant messaging on their local Domino Web
Access clients by setting a User Preference.
Method 2
If you choose not to enable instant messaging for all users, then you must edit the person document for
each user who will use instant messaging:
1. From the Domino Administrator, click the People & Groups tab.
2. Select the Domino Web Access Domino directory, then click People.
3. Double-click a name to open the user’s Person document.
4. Click Edit.
5. Enter the name of the Sametime server in the ″Sametime server″ field. For example,
Sametime/Sales/Acme/UK.
Part 5 - Set up Domino Web SSO authentication between the DWA server and IM server: Domino
single sign-on (SSO) authentication allows Web users to log in once to a Domino or WebSphere server,
and then access any other Domino or WebSphere server in the same DNS domain that is enabled for
single sign-on (SSO) without having to log in again. In a multiple server environment, it is possible that
one or more servers in your Domino domain are already configured for Domino SSO, and the Domino
Directory already contains a Domino Web SSO configuration document. When you install Sametime, it
creates a Web SSO configuration document called LtpaToken unless one already exists in the Domino
directory. If an LtpaToken configuration document already exists, Sametime does not attempt to alter it.
For more information about Domino Web SSO authentication, see the topic Multi-server session-based
name-and-password authentication for Web users (single sign-on).
Complete the steps in this section if your DWA server is not configured for Web SSO, and you want to
use the Web SSO document that Sametime created to configure it.
1. Ensure that the Domino Directory has replicated throughout the Domino domain since you installed
Sametime.
2. Update the Web SSO Configuration document that was created when you installed Sametime
(LtpaToken):
a. Open the Domino Directory and select the Configurations - Web - Web Configurations view.
b. From within this view, expand the list of Web SSO Configurations.
c. Open the ″Web SSO Configuration for LtpaToken″ document in edit mode. (If you are unable to
edit the document, record the settings in the document, and then delete it and create a new one.)
d. Update these fields if necessary:
Domino Server Names -- make sure this field contains the name of all of the DWA servers and
Sametime servers that should participate in Single Sign-on.
DNS Domain -- make sure this is the fully-qualified domain name of the DWA and Sametime
server.
e. Click Save & Close.
3. Enable single sign-on and basic authentication in the Server document for the DWA server as
described in Enabling single sign-on and basic authentication. When you update the Web SSO
Configuration field, select LtpaToken from the list.
4. Ensure that the updates replicate to all of the servers in the domain.
Complete the steps in this section if your DWA server is already configured for Domino Web SSO. You
must add the Sametime server to your configuration:
1. Update your existing Domino Web SSO Configuration document.
a. Open the Domino Directory and select the Configurations - Web - Web Configurations view.
b. From within this view, expand the list of Web SSO Configurations.
c. Open the Domino Web SSO document that you are using for your DWA server in edit mode.
d. Update these fields if necessary:
Domino Server Names -- make sure this field contains the name of all of the DWA servers and
Sametime servers that should participate in Single Sign-on.
DNS Domain -- make sure this is the fully-qualified domain name of the Sametime server.
e. Click save & Close.
Although Domino SSO is the preferred authentication method, you can continue to use secrets and
tokens authentication databases, if you are already using them. For example, if any of the servers in your
domain is configured for something other than multiple server SSO, (single server SSO for example) you
must use secrets and tokens authentication. For information on setting up Secrets and Tokens
authentication, see the topic Setting up Secrets and Tokens authentication for instant messaging in
Domino Web Access.
Part 6 - (for mixed environments only) Copy the SametimeApplet folder on the Domino Web Access
server to the Sametime server: For a mixed environment, in which the users’ mail files are based on the
INOTES5.NTF mail template, and they are using Domino Web Access Chat, you must copy the
SametimeApplet folder from the Domino Web Access server to the same location on the Sametime server.
On the Domino Web Access server, the applets are located in the <data directory>\domino\html
directory.
Note: Chat is the Domino Web Access feature that provided awareness and allowed people to chat with
co-workers in Domino Web Access prior to 6.5.2. To use Chat, you must also lower the value of the
instant messaging security setting in the SAMETIME.INI file to allow a connection from an older client.
For iNotes5 and iNotes6 mail templates, use VP_SECURITY_LEVEL=20. For more information on
specifying the minimum security level, see the IBM Lotus Sametime 7.0 Installation Guide (available on
http://www.lotus.com/LDD/doc), which details this setting.
Part 7 - Verify that instant messaging works with Domino Web Access:
1. Make sure that replication is complete, the Person documents exist on the Sametime server, and that
the updated Web SSO document exists on all of the servers that will participate in single sign-on..
2. If you have not already done so, follow the instructions in the IBM Lotus Sametime 7.0 Installation
Guide to verify that instant messaging is working properly before you test whether it is working with
Domino Web Access clients.
3. Launch Domino Web Access in a browser. In any view or document in which online awareness
appears, click the Active status icon of the person you want to chat with to test the instant messaging
connection.
Note: If the instant messaging status does not appear next to the Welcome username text in Domino Web
Access, check the user’s Person document in the Domino directory. If you configured the Sametime server
by populating this document, make sure the ″Sametime server″ field is correct (Basics tab, under
Real-Time Collaboration).
To replicate STAuthS.nsf from the Sametime server to the Domino server directory:
1. Using a Notes client, choose File - Database - Open.
2. Enter the name of the Sametime server (for example, Sametime/Acme).
Note: After you have replicated stauths.nsf from your Sametime server to your Domino server, open the
Replication Settings dialog box for the database, click Other, and check the ″Temporarily disable
replication for this replica″ box. This will prevent another version of the database from a Windows
system from overwriting your name change (using uppercase and lowercase letters) for the UNIX server.
Using a custom port for tunneling: If the Sametime server is configured for tunneling on port other
than 8082, you must modify the stlinks.js file on both the Sametime server and the DWA server.
1. Locate the following directory on your Sametime server. This directory contains both the stlinks.js file
and the hostinfo.js file.
<sametime_data_directory>\domino\html\sametime\stlinks
2. Copy the following two lines from the Hostinfo.js file to the beginning of the stlinks.js file (by default,
there are only 2 lines in the Hostinfo.js file):
var HTTP_TUNNELING_PORT=xx;
var TUNNELING_ADDRESS="";
The values you see for these variables in the hostinfo.js file should match your Sametime server
tunneling configuration. For releases after 2.5, Sametime normally creates and automatically updates
the content of these files on the Sametime server.
3. Save the updated stlinks.js file on the Sametime server.
Note: When you upgrade your Sametime server to a later release, the stlinks.js file is replaced with
the default version and you must perform steps 1-3 again to update the file. It is also possible that
installing a Sametime fix pack may make it necessary to restore the updates.
4. Copy the updated stlinks.js file from the Sametime server to the DWA server, replacing the existing
stlinks.js file in <domino_data_directory>\domino\html\sametime\stlinks.
Note: If the DWA server is running on i5/OS, make sure that the owner of the stlinks.js file is set to
QNOTES.
Using reverse proxy servers: If your network environment uses reverse proxy servers to protect the
identities of servers behind a firewall, you may need to modify the stlinks.js file on both the DWA server
and the Sametime server.
You must modify the stlinks.js file if you want DWA users to be able to connect to the Sametime
community inside the intranet even if they are outside the firewall. Stlinks.js is located in the following
directory on each server: <domino_data_directory>\domino\html\sametime\stlinks
Two variables that provide reverse proxy support are included in stlinks.js:
ll_RProxyName - the reverse proxy name
ll_AffinityId - the Sametime server affinity ID
Make sure you update the stlinks.js file on both the DWA server and the Sametime server.
For more information about reverse proxy support, see the IBM Lotus Sametime 7.0 Installation Guide
(available on http://www.lotus.com/LDD/doc).
Once you have customized the contents of the stlinks.js files, there are some issues related to future
server upgrades that you need to be aware of:
v When you upgrade Domino to a new release, the customized STLinks files may be replaced, and
DWA-Sametime integration to stop working. This can occur when you upgrade Domino on either the
DWA server or the Sametime server.
In recent Domino releases, the original contents of the STlinks directory are backed up to the following
directory before the files are replaced:
Windows: <domino_data_directory>\domino\html\sametime\stlinks.save
AIX and Solaris: <domino_data_directory>/domino/html/sametime/stlinks.save
i5/OS: <domino_data_directory>/domino/html/sametime/stlinks/stlinks.sav
After you upgrade Domino on either the DWA server or the Sametime server, restore any stlinks.js
customizations from the file in the backup directory to the file in the stlinks directory.
v When you update the level of Sametime by installing a newer release of Sametime or applying a fix
pack, it is possible that you will also need to copy the newer version of the stlinks directory to your
DWA server. Make sure you check the documentation that accompanies the Sametime update to
determine if this is necessary. If this occurs, you will need to reapply your stlinks.js customizations on
each of the servers.
To set up a cross-domain configuration when the Sametime server and the Domino Web Access server are
located in different domains:
1. Cross certify both domains with each other.
2. Configure Directory Assistance on the Sametime server.
3. If you have set up single sign on (SSO), go to Step 4. If you do not have SSO set up, replicate
STAuthS.nsf to the Domino Web Access Server (file name is case sensitive on UNIX servers).
4. Create a server document for the Sametime server in the Domino Directory of the Domino Web
Access server, completing the fields below. Another way to do this is to edit Configuration Settings
document, Domino Web Access tab, and enter the Sametime server name in the in the field ″Set an
instant messaging server hostname for all DWA users.″ If you use this setting, you do not need to
complete Step 5.
v Server name
v Domain name
v Fully qualified Internet host name
v Is this a Sametime server?
5. Enter the Sametime server name in the Sametime Server field of each Domino Web Access user’s
Person document.
Note: If the Sametime server is configured using a port other than the default port, then the ″Fully
Qualified Hostname″ field must contain hostname:port.
Browser Address: The instant messaging integration features rely on the ability of the browser to
directly communicate with the Sametime server. This means that the fully-qualified Internet hostname of
the Sametime server must be resolvable from the browser (for example, the fully qualified Internet
hostname for a Domino server named IM/Acme might be im.acme.com).
Therefore, either DNS must be able to resolve this address or it must be resolved to the proper IP address
by some other mechanism (such as editing of the local operating system’s hosts file).
Bengali
Devanagari
Gujarati
Gurmukhi
Kannada
Malayalam
Oriya
Tamil
Telugu
Note: Clicking Next to go to the next screen restores the alphabet to that of the default language. Repeat
the preceding procedure for each screen on which you want to use a different alphabet.
Automatic server setup does not apply to partitioned servers or to remote servers.
You can enable this feature from the script file containing all of the user configuration parameters for
UNIX script installation. In the UNIX kit directory, the sample script file is SCRIPT.DAT.
Note: Before running any Domino setup command, be sure to complete any pending reboot actions you
may have from installing other applications.
Note: The default is start_server_setup = 0, which is the manual setting. When the manual setting (0)
is active, you must manually initiate the server setup or server restart.
3. Enter one of these values according to when you want automatic setup to run:
v 0 -- To disable automatic server setup and enable manual setup. You have to manually start the
server after a new server installation or restart the server after an upgrade when you use this
setting.
v 1 -- To automatically launch server setup after installation or to automatically restart the server after
a server upgrade.
Note: For Linux on zSeries and z/OS, set the DISPLAY environment variable so that the setup
program is directed to a workstation supporting X-Window.
When the Install program starts, it asks for the password of the ID that owns the Notes data directory.
v 2 -- To automatically launch server setup in listen mode after installing a new server. You can then
connect to the server using the Remote Server Setup tool. To automatically restart the server after
installing a server upgrade.
Note: When the Install program starts on a Linux on zSeries system, the program asks for the
password of the ID that owns the Notes data directory.
Note: The default is Manual Server Setup. When the manual setting (0) is active, you must manually
initiate the server setup or server restart.
2. Press the Spacebar until you see the setting you want to use. You can use one of the following
settings:
v Local Server Setup -- To automatically launch server setup after installation or to automatically
restart the server after a server upgrade.
Note: For Linux on zSeries and z/OS, set the DISPLAY environment variable so that the setup
program is directed to a workstation supporting X-Window.
When the Install program starts, it asks for the password of the ID that owns the Notes data directory.
v Remote Server Setup -- To automatically launch server setup in listen mode after installing a new
server. You can then connect to the server using the Remote Server Setup tool. To automatically
restart the server after a server upgrade.
Note: During server setup, you can use an existing certifier ID instead of creating a new one. The
certifier ID that you specify cannot have multiple passwords assigned to it. Attempting to use a certifier
ID with multiple passwords generates an error message and causes server setup to halt.
If you are using Linux on zSeries, you cannot use the Domino Server Setup program locally. You must
use the Domino Server Setup program remotely, as described in the next section.
Note: Before running any Domino setup command, be sure to complete any pending reboot actions you
may have from installing other applications.
Note: During server setup, you can use an existing certifier ID instead of creating a new one. The
certifier ID that you specify cannot have multiple passwords assigned to it. Attempting to user a certifier
ID with multiple passwords generates an error message and causes server setup to halt.
For more information, see the topic ″Entering system commands correctly″ earlier in this chapter.
To run the Server Setup program from a Windows client with Domino
Administrator
Note: Before running any Domino setup command, be sure to complete any pending reboot actions you
may have from installing other applications.
1. Make sure that you:
v Selected ″Remote Server Setup″ when you installed Domino Administrator on the client system (on
the Windows desktop, choose Start - Programs - Lotus Applications and see if Remote Server Setup
appears in the list)
v Know the host name or network address of the remote system
2. Install the Domino server program files on a server system, but do not run the Domino Server Setup
program.
3. At the command prompt on the server system, from the Domino program directory, do one of the
following:
v On a Windows server, enter
nserver -listen
v On a UNIX server, enter
server -listen
To run the Server Setup program from a Windows client without Domino
Administrator, or from a UNIX workstation
Note: Before running any Domino setup command, be sure to complete any pending reboot actions you
may have from installing other applications.
1. Make sure that you know the host name or network address of the remote system.
2. Install the Domino server program files on a server system, but do not run the Domino Server Setup
program.
3. At the command prompt on the server, from the Domino program directory, do one of the following:
v On a UNIX server, enter
/lotus/bin/server -listen
v On a Windows server, enter
nserver -listen
4. On the client system, install the Java runtime environment.
5. Create a temporary directory on the client system. For example, enter the following at the command
prompt:
v On a Windows client:
mkdir c:\temp
v On a UNIX workstation:
mkdir /temp
6. Do one of the following:
v From a Windows client, copy the remote setup files CFGDOMSERVER.JAR, JHALL.JAR, and
REMOTESETUP.CMD from the server to the directory you created on the client system. These files
are in C:\Domino program directory on the server.
v From a UNIX workstation, copy the remote setup files CFGDOMSERVER.JAR, JHALL.JAR, and
REMOTESETUP from the server to the directory you created on the workstation. These files are in
/Domino program directory/lotus/notes/latest/ibmpow/ on an AIX server, /Domino program
directory/lotus/notes/latest/zlinux/ on a Linux on zSeries server, /Domino program
directory/lotus/notes/latest/linux/ on a Linux server, and /Domino program
directory/lotus/notes/latest/sunspa/ on a Solaris server.
Note: Linux on zSeries and z/OS ship tar files on the cd which contain all the files needed for
remote server setup.
v On Linux on zSeries -- ZLINUX_CLIENT.TAR
v On z/OS -- ZOS_CLIENT.TAR
7. At the command prompt on the client system, from the directory you created, do one of the
following:
v On a Windows client, enter remotesetup.cmd
v On a UNIX workstation, enter remotesetup
8. In the Connect to Remote Domino Server dialog box, click Ping to ensure that you can connect to the
remote server.
9. Enter the host name or network address of the remote server.
10. Click OK to start the Domino Server Setup program.
Note: For Linux on zSeries and z/OS, set the DISPLAY environment variable so that the setup
program is directed to a workstation supporting X-Window.
Tip: Entering nserver -help or server -help displays all parameters available for working with
remote server setups.
5. In the Connect to Remote Domino Server dialog box, click Ping to ensure that you can connect to the
remote server.
6. Enter the host name or network address of the remote server.
7. Click OK to start the Domino Server Setup program.
For more information, see the topic ″Entering system commands correctly″ earlier in this chapter.
Note: For Linux on zSeries and z/OS, set the DISPLAY environment variable so that the setup
program is directed to a workstation supporting X-Window.
Tip: Entering nserver -help or server -help displays the parameters available for working with
server setup profiles.
3. Enter a name and description for the profile.
Note: Linux on zSeries and z/OS ship tar files on the CD that contains the files needed for remote
server setup.
v On Linux on zSeries -- ZLINUX_CLIENT.TAR
v On z/OS -- ZOS_CLIENT.TAR
5. At the command prompt on the client system, from the directory you created, enter:
remotesetup -record
Note: For Linux on zSeries and z/OS, Set the DISPLAY environment variable so that the setup
program is directed to a workstation supporting X-Window.
6. Enter a name and description for the profile.
7. Continue through the setup program.
Domino saves your selections in a file with the name you specified in Step 6 and stores the file in the
client-system directory that you created in Step 3.
Chapter 3. Installing and Setting Up Domino Servers 75
Using a server setup profile
You can use a server setup profile at the server you are setting up or from a client system. Using a server
setup profile from a Windows client is easier if the client has Domino Administrator installed -- to use a
profile from a Windows or UNIX client without Domino Administrator, you need the Java runtime
environment plus some files from the program directory of an installed Domino server.
When you use a setup profile, you choose whether or not to view the setup screens as you run the
profile. Running a profile without viewing the screens is sometimes referred to as a ″silent″ setup.
For more information, see the topic ″Entering system commands correctly″ earlier in this chapter.
Tip: Entering nserver -help or server -help displays the parameters available for working with
server setup profiles.
3. Choose the profile to use. If you don’t see the profile you want in the list, click Browse to locate the
directory that contains the profile.
4. To change the existing profile, select ″Modify selected profile.″ Click OK to start the server setup.
Note: Linux on zSeries and z/OS ship tar files on the CD that contains the files needed for remote
server setup.
v On Linux on zSeries -- ZLINUX_CLIENT.TAR
v On z/OS -- ZOS_CLIENT.TAR
6. At the command prompt on the client system, from the directory you created, enter:
remotesetup -playback
Note: For Linux on zSeries and z/OS, set the DISPLAY environment variable so that the setup
program is directed to a workstation supporting X-Window.
7. In the Connect to Remote Domino Server dialog box, click Ping to ensure that you can connect to the
server.
8. Enter the host name or network address of the server.
9. Click OK.
10. Choose the profile to use. If you don’t see the profile you want in the list, click Browse to locate the
directory that contains the profile. To change the existing profile, select ″Modify selected profile.″
11. Click OK to start the server setup.
Tip: When doing a silent setup, display a progress bar (Windows) or have percent-complete written to
the command line (UNIX) by adding the -pb parameter to the end of the command.
For more information, see the topic ″Entering system commands correctly″ earlier in this chapter.
Note: If the profile file is not in the root directory, use the profile’s full path in the command.
Tip: Entering nserver -help or server -help displays the parameters available for working with
server setup profiles.
3. If the profile uses existing server, certifier, or administrator IDs that require passwords, do the
following:
a. Create a text file that contains the passwords for the existing IDs. The keywords in this are:
Server=
AddServer=
Certifier=
OUCertifier=
Administrator=
b. Add a parameter in the command line for the name of the password file. For example, on
Windows enter:
nserver -silent c:\myprofile.pds c:\passwd.txt
4. If this is a partitioned server setup, add the = parameter to the command line to specify the
NOTES.INI file in this partition’s Domino data directory. For example, on Windows enter:
nserver -silent c:\myprofile.pds =c:\lotus\domino\data2\notes.ini
5. Check the ERRORLOG.TXT file in the Domino data directory to confirm that the setup is complete, or
to view any error messages that were generated during setup.
Note: If the profile file is not in the root directory, use the profile’s full path in the command.
5. If the profile uses existing server, certifier, or administrator IDs that require passwords, do the
following:
a. Create a text file that contains the passwords for the existing IDs. The keywords in this are:
Server=
AddServer=
Certifier=
OUCertifier=
Administrator=
b. Add a parameter in the command line for the name of the password file. For example, on
Windows enter:
serversetup -silent c:\myprofile.pds c:\passwd.txt -remote serveraddress
6. If this is a partitioned server setup, add the = parameter to the command line to specify the
NOTES.INI file in this partition’s Domino data directory. For example, on Windows enter:
serversetup -silent c:\myprofile.pds -remote serveraddress =c:\lotus\domino\data2\notes.ini
7. Check the ERRORLOG.TXT file in the Notes data directory to confirm that the setup is complete, or
to view any error messages that were generated during setup.
Note: For Linux on zSeries and z/OS, set the DISPLAY environment variable so that the setup
program is directed to a workstation supporting X-Window.
3. On the client system, install the Java runtime environment.
4. Create a temporary directory on the client system. For example, enter the following at the command
prompt:
v On a Windows client:
mkdir c:\temp
v On a UNIX workstation:
mkdir /temp
5. Do one of the following:
v From a Windows client, copy the remote setup files CFGDOMSERVER.JAR, JHALL.JAR, and
REMOTESETUP.CMD from the server to the directory you created on the client system. These files
are in C:\Domino program directory on the server.
Note: Linux on zSeries and z/OS ship tar files on the CD that contains the files needed for remote
server setup.
v On Linux on zSeries -- ZLINUX_CLIENT.TAR
v On z/OS -- ZOS_CLIENT.TAR
6. At the command prompt on the client system, from the Notes program directory, enter:
remotesetup -silent c:\myprofile.pds -remote serveraddress
Note: For Linux on zSeries and z/OS, set the DISPLAY environment variable so that the setup
program is directed to a workstation supporting X-Window.
Where myprofile is the name you gave the setup profile and serveraddress is the host name or network
address of the server you are setting up.
Note: If the profile file is not in the root directory, use the profile’s full path in the command.
7. If the profile uses existing server, certifier, or administrator IDs that require passwords, do the
following:
a. Create a text file that contains the passwords for the existing IDs. The keywords in this are:
Server=
AddServer=
Certifier=
OUCertifier=
Administrator=
b. Add a parameter in the command line for the name of the password file. For example, on
Windows enter:
remotesetup -silent c:\myprofile.pds c:\passwd.txt -remote serveraddress
8. If this is a partitioned server setup, add the = parameter to the command line to specify the
NOTES.INI file in this partition’s Domino data directory. For example, on Windows enter:
remotesetup -silent c:\myprofile.pds -remote serveraddress =c:\lotus\domino\data2\notes.ini
9. Check the ERRORLOG.TXT file to confirm that the setup is complete, or to view any error messages
that were generated during setup.
The Certification log records information related to recertification and name changes. When you add
servers and users to Domino, the Certification Log maintains a record of how you registered them. For
each registered server and user, the Certification Log stores a document containing the following
information:
v Name and license type
v Date of certification and expiration
v Name, license type, and ID number of the certifier ID used to create or recertify the ID
Server registration
Before you install and set up additional servers, you must register them. In effect, registering a server
adds the server to the system. The server registration process creates a Server document for the server in
the Domino Directory and creates a server ID. After registering and installing a server, you use the Server
Setup program to obtain a copy of the Domino Directory for the new server and to set up the server to
run particular services and tasks -- for example, the HTTP service, the Mail Router, and so on.
The server registration user interface automatically removes leading spaces and trailing spaces from
passwords. Passwords cannot begin or end with a space. This also applies to certifier registration and
user registration.
Note: When setting up an additional server, obtaining the Domino Directory from the registration server
via dialup over a modem is possible for Windows systems only. For other operating systems, the
additional server must be on the network in order to communicate with the registration server.
Before you register servers, plan and understand your company’s hierarchical name scheme. The name
scheme defines which certifier ID to use when you register each new server. In addition, make sure that
you have access to each certifier ID, know its password, and have created ID recovery information for it.
If you have decided to use the Domino server-based certification authority (CA), you can register servers
without access to the certifier ID file and its password.
For more information on the hierarchical name scheme, see the chapter ″Deploying Domino.″ For
information on ID recovery, see the chapter ″Protecting and Managing Notes IDs.″ For more information
on using the Domino server-based CA, see the chapter ″Setting Up a Domino Server-based Certification
Authority.″
The registration server, which is the server that initially stores changes to documents in the Domino
Directory until the Domino Directory replicates with other servers, must be up and running on the
network. To register servers from your workstation, you must have access to the registration server and
have at least Author access with the Server Creator and Group Modifier roles in the ACL of the Domino
Directory.
If you have a Domino server-based CA for issuing Internet certificates, you can choose to configure the
new server to support SSL connections by providing a server key ring password and the server’s host
name. Then, Domino does the following:
v The registration process creates a certificate request in the Administration Requests database
(ADMIN4.NSF) to be processed by the server’s Internet CA
v The registration process creates a ″create SSL key ring″ request in ADMIN4.NSF
Note: You must use the Domino Administrator if you want to use this server registration process to
configure a new server for SSL.
For more information on these requests, see the appendix ″Administration Process Requests.″
Registering a server
Note: If you have not specified a registration server in Administration Preferences, this server is by
default:
v The server specified in the NewUserServer setting in the NOTES.INI file
v The Administration server
1. If you are supplying the certifier ID, make sure that you have access to it and that you know its
password.
2. If you are using the Domino Administrator and would like the new server to support SSL, make
sure that you have an Internet CA configured.
3. From the Domino Administrator or Web Administrator, click the Configuration tab.
4. From the Tools pane, click Registration - Server.
5. If you are using the Domino Administrator, do the following:
a. If you are using the CA process, click Server and select a server that includes the Domino
Directory that contains the Certificate Authority records, and the copy of the Administration
Requests database (ADMIN4.NSF) that will be updated with the request for the new certificate.
Then click ″Use the CA Process,″ select a CA-configured certifier from the list, and click OK.
b. If you are supplying the certifier ID, select the registration server. Then click ″Certifier ID″ and
locate the certifier ID file. Click OK, enter the password for the certifier ID, and click OK.
c. In the Register Servers dialog box, click Continue if you want to apply the current settings to all
servers registered in this registration session; otherwise, complete these fields:
Field Action
Registration Server Click Registration to specify the registration server.
Certifier If the certifier ID displayed is NOT the one you want to use for all servers registered in
this session, or if you want to use the Domino server-based CA instead of a certifier ID,
click Certifier and you return to Step 4.
Public key specification The public key specification that you use impacts when key rollover is triggered. Key
rollover is the process used to update the set of Notes public and private keys that is
stored in user and server ID files.
Choose one:
v Compatible with all releases (630 bits)
v Compatible with Release 6 and later (1024 bits)
Note: For information about the significance of the public key specification and key
rollover, see the topic User and server key rollover.
License type Choose either North American (default) or International. In practice, there is no
difference between a North American and an International ID type.
d. Click Continue.
6. If you are using the Web Administrator, do the following:
a. Select a registration server that includes the Domino Directory that contains the Certificate
Authority records, and the copy of the Administration Requests database (ADMIN4.NSF) that
will be updated with the request for the new certificate.
b. Select a CA-configured certifier from the list, and click OK.
7. In the Register New Server(s) dialog box, complete these fields for each server that you want to
register:
Field Action
Server name Enter the name of the new server.
Server title Enter the server title, which appears on the Configuration tab in the All Server
Documents view and in the Server Title field of the Server document.
Domino domain name The default domain name is usually the same as the name of the organization certifier
ID.
Server administrator Enter the name of the person who administers the server.
name
ID file password Required if you are going to store the server ID in the Domino Directory.
The password is case-sensitive and characters you use will depend on the level you set
in the Password quality scale.
Password Options Click Password Options. Specify a password quality scale by choosing the level of
complexity for the password. By default, the level is 0, where 16 is the highest. Click
OK.
Location for storing server v Select ″In Domino Directory″ to store the server ID in the Domino Directory.
ID
v Select ″In File″ to store the server ID file in a file. Then click ″Set ID File,″ select the
name and path for the file, and click Save.
Note: You don’t see this field from the Web Administrator, as the server ID is stored in
the Domino Directory.
8. (Domino Administrator only) If you chose an Internet CA in the Register Servers dialog box and you
want the server to support SSL connections, click Advanced, select ″Enable SSL ports,″ and complete
the following fields:
v Server key ring password -- Enter a password for the server key ring
v Server host name -- Enter the fully qualified domain name of the server, for example,
app01.acme.com
9. Do one:
v Click the green check box to add the server to the registration queue.
v Click the red X to clear the fields.
10. The server registration queue displays the servers ready to be registered. To display the settings for a
server, select the server name in the queue.
11. Click one:
For more information on organization certifier IDs, see the chapter ″Deploying Domino.″
1. From the Domino Administrator, click the Configuration tab.
2. From the Tools pane, choose Registration - Organization.
3. (Optional) To change the registration server, which is the server that initially stores the Certifier
document until the Domino Directory replicates, click Registration Server, select the correct server, and
then click OK. If you have not specified a registration server in Administration Preferences, the
registration server is by default:
v The local server, if there is one and it contains a Domino Directory
v The server specified in the NewUserServer setting in the NOTES.INI file
v The Administration server
4. (Optional) Click Set ID file to change the location where Domino stores the certifier ID. Be sure to
keep the certifier ID file in a secure place so that it is readily accessible to register new servers and
users, but safe from misuse. By default, the certifier ID is stored in C:\.
5. Complete these fields:
Field Action
Organization name Enter the name of the organization. Enter a name different from the one used on the
organization certifier ID created when you set up the first Domino server.
Country code (Optional) Adding an organizational country or region code for the country or region
where the organization’s corporate headquarters are located minimizes the chance that
another organization has the same organization name as yours. Enter the country or
region code only if you have registered your organization name with a national or
international standards body. For multinational companies, you can enter a country or
region in which the company has offices, as long as the organization name is registered
there.
6. Click Register.
For background information on OU certifier IDs, see the chapter ″Deploying Domino.″
For background information on OU certifier IDs, see the topic ″Certifier IDs and certificates.″
Note: The registration server is the server that initially stores the Certifier document until the Domino
Directory replicates. If you have not specified a registration server in Administration Preferences, the
registration server is by default:
v The local server if there is one and it contains a Domino Directory
v The server specified in NewUserServer setting of NOTES.INI
v The Administration server
Field Action
Organizational Unit Enter a name for the new organizational unit.
Certifier password Enter a case-sensitive password for the certifier. The characters you use for this
password depend on the level set in the ″Password quality scale″ field.
Password quality scale Choose the level of complexity for the password. By default, the level is 8, where 16 is
the highest.
Security type Choose either North American (default) or International. In practice, there is no
difference between a North American and an International ID type.
Mail certification requests Enter the name of the administrator who handles recertification requests. The name
to (Administrator) specified here appears in the Certifier document in the Domino Directory. If you are
creating a certifier ID for an off-site administrator, enter that administrator’s name in
this field.
Location (Optional) Enter text that appears in the Location field of the Certifier document.
Comment (Optional) Enter text that appears in the Comment field of the Certifier document.
Internet Site documents make it easier for administrators to configure and manage Internet protocols in
their organizations. For example, prior to Domino 6, if you wanted to set up a Web site in your
organization, it was necessary to configure each Domino server in the domain with Mapping documents,
Web realms, and File Protection documents. If you had virtual servers and virtual hosts, you had to do
the same thing for them. In Domino 6, you can configure a Web Site document so that all servers and
hosts use it to get configuration information for a Web site, including mapping information, file
protection information, and Web realm authentication information.
When you enter a Host name or IP address in an Internet Site document, you do not gain control over
which authentication controls are applied according to the IP address the user connects to. Instead, the
first Internet Site document located for the server and the organization is used. As a result, except for
Web Site documents, you should have only one Internet Site document for each organization, protocol,
and server combination.
Server A has two IP addresses and you create the following two Internet Site documents for POP3:
v One Internet Site document for one IP address with no SSL allowed
v One Internet Site document for another IP address, with SSL allowed.
The IP address is used to determine the organization and both Internet Site documents apply to the same
organization. The first Internet Site document that matches the server and the organization is used, in this
case, the Internet Site document that does not allow SSL.
Modifications to Internet Site documents (including the creation of new Site documents) are dynamic. The
server or protocol does not need to be restarted after you create a new Site document, or after you
modify or delete an existing one. Changes generally take effect minutes after the change is made. The
ability to dynamically create, modify, or delete Internet Site documents is especially valuable in service
provider environments, so that existing hosted organizations are not interrupted when a new hosted
organization is configured.
Internet Site documents are created in the Internet Sites view, which is used to help manage Internet
protocol configuration information by listing the configured Internet Site documents for each organization
in the domain.
CAUTION:
If you use an Internet site document to configure one Internet protocol on a server, you must also use
Internet site documents for all Internet protocols on that server. For example, you cannot set up an
LDAP Internet Site document and, on the same server, use the Server document to configure HTTP.
While most protocol settings are configured in Internet Site documents, there are some settings that need
to be configured in the Server document to support Internet protocol configurations. These include
settings for:
v Enabling and configuring the TCP/IP port.
v Enabling and configuring the SSL port (including redirecting TCP to SSL).
v Accessing the server -- such as who can access the server and how.
For more information on server access settings, see the chapter ″Controlling Access to Domino Servers.″
When registering hosted organizations, you have the option to create Internet Site documents during
hosted organization registration, or you can choose to create them later.
Service providers need to consider the following when using Internet Site documents:
v Each hosted organization has one Web Site document that can be created during hosted organization
registration. You must create this initial Web Site document to activate the HTTP protocol. If you have
multiple Web sites, you need one individual Web Site document for each additional Web site for each
organization. If the hosted organization supports DOLS, the Web Site document must contain the name
of the DSAPI filter file name. For more information, see the topic To configure DOLS on a server that
uses Web Site documents in this chapter.
v You must create one mail protocol Site document (IMAP, POP3, or SMTP) for each protocol used by
each organization.
v In a hosted environment, Domino IIOP (DIIOP) can use the information in the IIOP Internet site
document to define the scope of the Domino Directory used to validate users. With DIIOP, you can use
any Java® code running on any server on the network.
v If your configuration has one IP address that is shared by multiple hosted organizations, HTTP, IMAP,
LDAP, POP3, and SMTP are the available protocols. For IMAP, LDAP, POP3, and SMTP users, the
name provided during authentication must be the user’s Internet e-mail address, so that the server
knows the organization of which each user is a member. Anonymous access to LDAP is not supported
in this configuration.
v To enable SSL for a hosted organization, you must enter the server IP address in the field ″Host names
or addresses mapped to this site″ on the Basics tab of the Internet Site document.
Field Action
Descriptive name for this site (Optional) Enter a name that differentiates this site from all others that you
create. This name appears in the Internet Sites view in this format: the type
of Internet Site, the descriptive name, and the host name or address. For
example:
If you do not enter a name, the default name is the type of Internet Site
document with the host name or address appended. For example:
For hosted environments -- When creating Domino IIOP Site documents, the
first host name IP address that is on this list will be used to advertise
DIIOP’s service creating diiop_ior.txt. Therefore, it is recommended that each
Domino server have its own Internet Site document.
Domino servers that host this site (Required for all Internet Site documents) Enter the name of one or more
Domino servers that host this site. You can use any variation of
distinguished name (for example, Server1/Sales/Acme) as well as wildcards
(for example, */Acme).
The default is (*), which means that all servers in the domain can host this
site.
If you leave the field blank, the Internet Site will not be loaded on any
Domino server.
4. For all Internet Site documents, complete the settings on the Security tab.
5. Some Internet Sites require additional configuration. The table below indicates the Internet Site
documents that require additional configuration, and the locations for settings in those documents for
enabling additional configuration information unique to those protocols.
In order to enable SSL for Internet Sites, you must configure the SSL port on the Server document and set
up SSL on the server by obtaining a server certificate and key ring from an Internet certificate authority.
To set up SSL authentication, you must create a server key ring file for each Internet Site document.
However, if the Internet site documents are for the same organization, but are created for different
protocols, a single server key ring file can be used. Be sure to enter the server key ring file name in the
appropriate field on the Security tab of each site document.
If you want to use Certificate Revocation Lists (CRL) for Internet certificate authentication, the server
must be using a Domino server-based certification authority for issuing Internet certificates.
To enable SSL for a hosted organization, you must use the server IP address in the field ″Host names or
addresses mapped to this site″ on the Basics tab of the Internet Site document.
Note: For Web sites, the common name on the server key ring must match the DNS name to which the
IP address in the Web Site document is mapped. The IP address must be stored in the field ″Host name
or addresses to map to this site,″ which is located on the Web Site document. If you enable Redirect TCP
to SSL in a Web Site document, both the host name and the IP address must be stored in this field.
You should be familiar with SSL authentication, name and password authentication, and anonymous
access before completing these steps.
For more information about SSL authentication, see the chapter ″Setting Up SSL on a Domino Server.″
For more information about name-and-password authentication and anonymous access, see the chapter
″Setting Up Name-and-Password Authentication and Anonymous Access on a Domino Server.″
Note: In Domino, it is possible to effectively prohibit access to an Internet Site by selecting ″no″ for all
authentication options in an Internet Site Document. These options include TCP authentication, SSL
authentication, and TCP anonymous access.
1. From the Domino Administrator, click Configuration - Web - Internet Sites.
2. Choose the Internet Site document to modify, and click Edit Document.
3. Click Security, and complete these fields:
Field Enter
TCP Authentication
Choose one:
v Yes -- To allow anonymous access to this site
v No -- To prohibit anonymous access
Name & password Choose one:
v Yes -- To require a user to authenticate with the user’s name and Internet
password to access the site
v No -- To not require name and password authentication
Redirect TCP to SSL (Applies to Web Site only) Choose one:
v Yes -- To require clients and servers to use the SSL protocol to access the Web
site
v No -- To allow clients and servers to use SSL or TCP/IP to access the Web site
SSL Authentication
Anonymous (Applies to all Internet sites, except IMAP and POP3)
Choose one:
v Yes -- To allow users access over the SSL port without authenticating with a
name and password
v No -- To deny users anonymous access
Name & password Choose one:
v Yes -- To require a user to authenticate with user name and Internet password
in order to access this site using SSL
v No --To not require a name and password
Client certificate (Applies to Web Site, IMAP, POP3, and LDAP)
Choose one:
v Yes -- To require a client certificate for access to this site
v No -- To not require a client certificate
SSL Options
Key file name Enter the name of the server key ring file.
Protocol version Choose one:
v V2.0 only -- Allows only SSL 2.0 connections.
v V3.0 handshake -- Attempts an SSL 3.0 connection. If this fails and the requester
detects SSL 2.0, attempts to connect using SSL 2.0.
v V3.0 only -- Allows only SSL 3.0 connections.
v V3.0 with V2.0 handshake -- Attempts an SSL handshake, which displays
relevant error messages. Makes an SSL 3.0 connection if possible.
v Negotiated (default) -- Attempts an SSL 3.0 connection. If this fails, attempts to
use SSL 2.0. Use this setting unless you are having connection problems caused
by incompatible protocol versions.
Accept SSL site certificates Choose one:
v Yes -- To accept the certificate and use SSL , even if the server does not have a
certificate in common with the protocol server
v No (default) -- To prohibit the acceptance of SSL site certificates for access
Accept expired SSL certificates Choose one:
v Yes -- To allow clients access, even if the client certificate is expired
v No -- To prohibit client access using expired SSL certificates
If the use of Internet Sites is not enabled, comparable Server document settings are used to obtain
protocol configuration information.
You can only use the Internet Sites view for Domino servers. Servers running Domino 5.0x or earlier do
not have the option for enabling the Internet Sites view.
Note: Each time you start or restart HTTP, a console message indicates whether the HTTP task is using
Internet Sites or the Server document (Web Server Configurations view) to obtain Internet protocol
configuration information.
Note: The HTTP task is backward-compatible with the Web Server Configurations view.
/opt/ibm/lotus/bin/server
When run as a Windows service, Domino runs as any other Windows services runs. Some of the benefits
associated with running Domino as a Windows service are listed below.
v If you select ″Automatic″ for starting services, Windows services are started when the system starts.
From the People document, Group document, and from the Domino Directory itself there is a Chat
option in the menu bar. You can perform these instant messaging activities:
v Click Chat and you can choose from the following options:
v Chat with -- Open a chat with the person whose name is currently selected in the open document or
directory.
v Add to Instant Contact List -- Add the selected person’s name to an instant messaging contact list that
you choose.
v Show/Hide Contact List -- Toggles between displaying the names in the contact list and hiding the list.
For a calling server to connect to a given destination server, it requires information about how and when
to contact the destination server. The information about how to contact the destination server includes the
network to use to reach the target server, and, depending on the type of network, the network addresses,
phone number, and other information needed to make the connection.
When a server needs to connect to a destination server on the same Notes Named Network, the
information needed to make the connection is readily available and the connection occurs automatically,
without any administrative intervention. However, when two servers don’t share a common network, the
calling server must be able to obtain this information by some other method. In a Domino network,
administrators create Connections documents in the Domino Directory to store information about how to
connect to a destination server.
In addition to providing the network information required to contact a destination server, Connection
documents can also specify when to contact the destination server. Depending on the type of
communications required, a calling server may attempt to establish contact with the remote server
immediately, or only at scheduled intervals. For example, a server looking up a name on, or performing
cluster replication with a given destination server requires immediate access to a remote server.
On the other hand, to perform tasks such as routing mail or replicating databases, a calling server may
require only periodic access to the destination server. When setting up a Connection document for a task
that doesn’t require immediate access, you can specify when the calling server attempts to make the
connection. Network information in a Connection document is used to create the connection to the
specified destination server, whether or not the connection is related to a task defined in the schedule
part. In other words, a calling server can use the network information in a Connection document to
contact a specified destination server when contacting that server for reasons other than mail routing or
replication.
Connections between servers -- that is, your connection topology -- should enable servers to exchange
information reliably and efficiently, maximizing the capacity of the physical network, while minimizing
connection-related costs.
When creating Connection documents for scheduled operations or to enable contact with a destination
server, keep the following factors in mind:
v The physical network to which the servers belong -- Are servers in the same, or different Notes named
networks?
v Function of the server -- What is the primary role of the server? For example, is it an application
server, Web server, or Directory server? Does the server provide passthru or dialup access to connect
remote or disparate networks?
v Tasks running on the server -- Does the server require Connection documents for both replication and
mail routing?
95
v Access requirements -- Does the server need to be reached over a modem connection or as a passthru
destination?
v Does the planned connection topology make the best use of the available network infrastructure? It the
server hardware adequate to support its role in replication or routing? For example, if a server is to be
used as a replication hub, does it have a fast processor, sufficient memory, and enough disk space?
Does the server require multiple NICs? Is there enough bandwidth between servers to support the
anticipated traffic?
v Keep the number of Connection documents and the number of ″hops″ -- that is, the number of
between the connecting and destination servers -- to a minimum.
v The Domino domain location of the servers -- Are servers in the same domain, adjacent domains,
non-adjacent domains?
The number of Connection documents that you create for a server depends on whether the server is
running the replication task and/or the mail task. When you configure a server, the Server document, by
default, enables mail routing. When you create a Connection document, replication is enabled. Depending
on how you use the server -- that is, whether you store mail files and/or application databases on it --
you must create a minimum of one or two Connection documents.
For more information on configuring replication, see the chapter "Creating Replicas and Scheduling Replication.″
Cre
For more information on mail routing, see the chapter ″Overview of the Domino Mail System.″
Servers can also use information gathered from an External Domain Network Information (EDNI)
document to make a connection. As an administrator, you configure this document to retrieve names and
addresses of servers in another domain so that users and servers do not require Connection documents to
connect to servers in that domain.
For more information on EDNI documents, see the topic ″Setting up external domain lookups″ later in
this chapter.
To create a topology for remote servers, first determine which databases the workstations and servers
access frequently. In particular, think about how you want to route mail and replicate databases.
Determine if users and servers in remote locations need access to certain mail and other databases. If so,
consider these methods to make the databases available:
v Create replicas of the databases on a remote server
For information about using database replicas, see the chapter ″Scheduling Replication.″
v Place modems on local servers that remote users need to access.
96 Lotus Domino Administrator 7 Help
For information about connecting servers by modem, see the topic ″Planning for modem use″ later in
this chapter.
v Set up a passthru server for use by remote servers or users.
For information about setting up passthru servers, see the topic ″Setting up a server as a passthru
server″ later in this chapter.
Because users who connect to a remote server over a Notes Direct Dialup connection typically have only
one modem on their workstations, by default, they can connect to that one server only. Creating replicas
of frequently used databases on that server enables remote users to access multiple databases over a
single dialup connection.
Setting up a passthru server enables remote workstations or servers that connect to one Domino server to
access additional Domino servers also. Using a passthru server consolidates modem resources on a few
Domino servers and centralizes administration and troubleshooting.
Note: A server that uses a passthru connection to reach the destination server must first be able to
connect to the passthru server. To provide information on how to connect to the passthru server,
you may have to create an additional Connection document.
4. The connecting server checks information stored in memory about other servers in the server’s Notes
named network. It uses this information to define a path to the destination server. The server reads
this information from Server documents in its local Domino Directory.
5. If the connecting server’s local Domino Directory does not contain information about the destination
server, it tries to connect directly to the destination server on the LAN by using the server common
name as its address.
6. The connecting server checks the low-priority Connection documents. A low-priority Connection
document is one that has Low selected in the ″Usage priority″ field.
7. If the connecting server still cannot find a path to the destination server, it issues a message that a
connection is not possible.
To display information about how a server makes a connection, open the Miscellaneous Events view in
the log file (LOG.NSF). To change the amount of information Domino records about connections in the
log file, change the log level.
For more information on log files, see the chapter ″Using Log Files.″
To provide for efficient replication, consider setting up some servers as dedicated replication servers.
Using dedicated servers to handle replication greatly reduces the amount of work that database servers
have to devote to replication, because the database servers have to replicate with the replication servers
only, instead of having to replicate with every server that maintains a copy of a given database. To
control replication, you create Connection documents that specify which servers to replicate with and
when.
How you connect servers for replication depends on many factors, including the layout of physical
network and the size of your organization, as well as the extent to which you want to re-use existing
Connection documents created for mail routing. There are several different configurations, or topologies,
you can use to control how replication occurs between servers:
v Hub-and-spoke
v Peer-to-peer
v Ring
Choose the replication strategy that provides the most efficient replication performance. In many cases,
you’ll use different topologies in different parts of the network.
To set up replication in a hub-and-spoke system, you create one Connection document for each
hub-and-spoke connection. To ensure that the replication task on the hub, rather than the spokes, assumes
most of the work always, in each Connection document specify the hub server as the source server, the
spoke server as the destination server, and pull-push as the replication method.
A hub-and-spoke topology can be especially useful at large, multiple-server sites or in a centralized office
that needs to connect via phone or leased lines to smaller, regional offices. If you have a large site, you
The major drawback of hub-and-spoke topology is that it is vulnerable to single point of failure if the
hub is not working. Deploying a backup server that replicates the hub and can quickly be reconfigured
into a hub server if the primary hub goes down can alleviate this shortcoming.
Note: Do not use hub-and-spoke replication for databases larger than 100MB that have replicas on less
than four servers. Instead, schedule replication for these databases to occur separately from other
replications.
In a peer-to-peer topology, the potential for replication problems decreases, because only two servers
communicate for each replication and no hub or intermediary servers are involved. However,
peer-to-peer replication requires many Connection documents, increases administration since you must
avoid overlap in replication schedules, and prevents you from standardizing ACL requirements.
For more information on using clusters, see the book Administering Domino Clusters.
Unlike mail routing, which works in one direction and requires a pair of Connection documents to enable
two-way routing, replication between servers works in both directions, and requires only one Connection
document between each pair of servers. Because the server that initiates replication takes on the larger
share of the replication workload, if decide to add replication to one of the Connection documents
already used for mail routing between two servers, add the replication task to the document on the more
powerful server in the pair.
The hub servers at Acme Corporation handle server communication between servers located on the East
and West Coasts. These servers are geographically distant and connect over the Internet using a modem
or ISDN line. Controlling communication through hub servers is beneficial because it centralizes
administration for connections that may be costly or time consuming.
By using hub servers, only two servers, not every server in the organization, need to make the remote
connection.
The firewall server is a Domino server that protects Hub-E/East/Acme and Hub-W/West/Acme from
outside users. Because the firewall server uses Domino instead of some other type of firewall software,
the hub servers can use Domino features, such as mail and replication, to send and receive information.
In this example, the Acme Corporation has one hub server, Hub-E/East/Acme, and three spoke servers.
The spoke servers -- HR-E/East/Acme, HR-S/South/Acme, and HR-W/West/Acme -- contain an
Employee Benefits application. Employees on the East Coast access the application on HR-E/East/Acme;
employees on the West Coast access a replica of the application on HR-W/West/Acme; and employees in
the South access a replica of the application on HR-S/South/Acme. Any changes to the application
replicate through Hub-E/East/Acme to the HR servers. The HR servers send changes to the hub, which
then sends changes back to the HR servers. With the three Connection documents that Acme created, the
hub server performs the replication, reducing the load on the spokes. Making the application available to
East, West, and South users prevents them from making costly WAN connections to the application.
In this example, the Acme Corporation has two hub servers -- Hub-W/West/Acme and
Hub-E/East/Acme -- connected peer-to-peer. Each hub server replicates with several spoke servers. Any
Depending on where you locate applications, they can be accessible to Notes users, to browser users, or
to both Notes and browser users. To be available to browser users, an application must be on a Domino
Web server.
In this example, Web/East/Acme stores a Web application for the organization’s Web site. The
application is accessible to browser users who are outside the Acme Corporation. Webstage-E/East/Acme
and Webstage-W/West/Acme have replicas of the Web application. Users can make changes to the Web
application on Webstage-E/East/Acme and Webstage-W/West/Acme. Webstage-W/West/Acme uses a
schedule that sets up replication through the hub servers to Webstage-E/East/Acme.
Webstage-E/East/Acme does not have a replication schedule, so once changes to the Web application are
complete, users manually replicate changes from Webstage-E/East/Acme to Web/East/Acme. This
replication makes the changes available to users outside the Acme Corporation.
The Acme Corporation also has two servers that do not host Web applications -- HR-E/East/Acme and
HR-W/West/Acme. These servers contain an Employee Benefits application that only internal employees
who use a Notes workstation can access. Employees on the East Coast access the application on
HR-E/East/Acme, and employees on the West Coast access a replica of the application on
HR-W/West/Acme. Any changes to the application replicate through the hub servers to the HR servers.
Making the application available to East and West Coast users prevents them from making costly WAN
connections to the application.
In this example, three firewalls on Domino servers are used to protect the Acme network from external
intruders: one firewall exists between the hub server in Acme’s West Coast office and the public network
over which it communicates with the East Coast Office; a second firewall protects the hub server at the
East Coast office; a third firewall protects Webstage-E/East/Acme from attacks that might come from the
Internet through Web/East/Acme.
The Acme Corporation uses two mail servers -- one for each geographic location. All users send mail
using a mail database located on either Mail-E/East/Acme or Mail-W/West/Acme. The mail databases
are accessible to all mail client software -- Notes workstations, IMAP, POP3, and browsers.
Routing mail messages is similar to replicating changes made in databases. In this example, the mail
servers route messages through the hub servers to the mail server in the other location. For example,
when Alan Jones/Sales/East/Acme sends a message to Susan Salani/HR/West/Acme, the message
routes from Mail-E/East/Acme to Hub-E/East/Acme, from Hub-E/East/Acme to Hub-W/West/Acme,
and then from Hub-W/West/Acme to its final destination Mail-W/West/Acme. Susan
Salani/HR/West/Acme reads the message on her mail server, Mail-W/West/Acme.
Directory servers provide users and servers with information about other users and servers -- for
example, information needed to address or send mail. Directories contain information about how to
communicate with all Notes and Internet users and Domino servers. In many cases, you can set up a
mail server as a directory server.
In this example, a condensed directory catalog is on each Notes client and a Domino Directory is on each
server -- Mail-E/East/Acme, Hub-E/East/Acme, Hub-W/West/Acme, and Mail-W/West/Acme. To
resolve names, clients check the local directory catalog first; if the name is not there, Domino checks the
Domino Directory.
Domino uses replication, which is the process by which Domino updates one directory database with
changes from a directory database on another server. For example, if a change is made on
Mail-E/East/Acme, the change is sent to the replicas on Hub-E/East/Acme, Hub-W/West/Acme, and
Mail-W/West/Acme. Users cannot access the directories on the hub servers; users access directories only
on the mail servers.
At Acme Corporation, replication occurs automatically at a scheduled time. The replication schedule
determines how long it takes for changes to appear on the directory servers.
Again, a firewall using a Domino server lets you use Domino features to send information across the
WAN -- in this case, you use the mail routing and replication features.
The Acme company chose this remote server topology so that remote users and servers have access to the
entire system by connecting to one server (the passthru server). Acme uses the passthru to function only
as a bridge between the remote user or server and the rest of the system. To keep the load on the
passthru to a minimum, the server does not contain application or mail databases.
Users who work remotely dial in through the passthru server and can access any server in the system. As
most of Acme’s users who dial in remotely have only one modem on their system, using the passthru
server allows them to access multiple servers with one connection. To reduce traffic on the passthru
server, Acme recommends that its remote users replicate databases and then work on the local replicas.
Then users can work in their local replicas and dial in and replicate occasionally with the server replicas.
Acme dedicated five modems to the passthru server. The remote server also dials into one of these
modems for replication. Because this server makes its connection in the early morning hours, the
connection does not conflict with users trying to access the system.
Acme uses a hunt group configuration for its modems so that users have only one phone number to dial
when connecting. Acme’s phone infrastructure is set up so that multiple modems can have one phone
number. For this type of hunt group (all modems are on one server), Acme does not need to create a
Connection document to set up the hunt group.
The remote server is in Acme’s satellite office in Ohio. Employees who work in this office focus on
marketing and use this server to access various marketing related databases. The remote server contains
replicas of relevant databases, and it replicates once a day to update the databases. By using the remote
server, users in the Ohio office save time and resources because they don’t have to dial into Acme’s
system as often.
Field Description
Connection Type Select Local Area Network.
Source server The name of the connecting server.
Source domain The name of the connecting server’s domain. This field is required only for mail routing.
Use the port(s) The name of the network ports (or protocols) that the connecting or source server uses to
connect to the destination server.
Usage priority Choose one:
v Normal (default) - Select this option if this document defines the primary path to a
server.
v Low - Select this option to define a backup path to a server.
For more information about the effect of specifying the usage priority for a connection, see
the topic ″Forcing a server connection to use a specific protocol″ later in this chapter.
Destination server The name of the answering server.
Destination domain The name of the answering server’s domain. This field is required only for mail routing.
Optional network Provide an optional network address to facilitate attempts to locate the destination server
address over a TCP/IP connection. If the field contains no entry, Domino attempts to determine
the address of the destination server from the following sources: the server’s memory
cache, an External Domain Network Address document, or system services that search the
local hosts file or DNS to resolve the name.
7. Click the Replication/Routing and Schedule tabs to define the tasks you want to run, and select the
times you want the server to contact its destination.
8. Click Save & Close.
For example, suppose that both SPX and TCP/IP are enabled on Server A, the source server, and Server
B, the destination server. You create a Connection document from Server A to Server B specifying that
Server A uses the port TCP/IP to contact Server B and set the usage priority in this document to Normal.
When determining how to connect to Server B, Server A first checks the Domino Directory for a
normal-priority Connection document governing the connection. After locating the document, Server A
If multiple normal-priority Connection documents exist for the same destination server, the connecting
server chooses one based on the type of connection in the following order of preference:
1. Local Area Network
2. Network Dialup
3. Notes Direct Dialup
4. Passthru server
5. Hunt group of passthru servers
You can also use the usage priority setting to configure a backup path to a destination server. When you
set the usage priority for a Connection document to Low, the connecting server only uses the information
in the document to connect to the destination server as a last resort, after it has exhausted all other
possible means of locating connection information.
For more information on how a server determines the route to a destination, see the topic ″How a server
connects to another server″ earlier in this chapter.
Field Enter
Usage priority Choose one:
Normal - This Connection document defines a primary path to the destination server. The
connecting server attempts to use this Connection document to make the connection to the
destination server.
Low - This Connection document defines a backup path to the destination server. The
connecting server uses this Connection document only as a last resort when trying to
connect to the destination server.
The EDNI document works in conjunction with a server task called GETADRS to import address
information from another Domino domain so that Notes users can connect to servers in the external
domain. In the EDNI document, you specify the external Domino domain containing the servers you
want users to connect to and the protocols for which you want connection information. In many cases,
TCP/IP is the only protocol for which you may need a document. You also specify a server in your local
domain that requests the information (Requesting Server) and a server in the external domain that
supplies the information (Information Server).
After AdminP adds the server address information to the local Domino Directory users attempting to
open databases on servers in the external domain can use the information from this document to make
the connection without requiring a connection document.
Using EDNI documents, you can reduce the number of Connection documents in the Domino Directory,
eliminating those that are not required for replication or routing.
Before creating an EDNI document, determine if the connection information is useful for the domain. For
example, if you are using the NetBIOS protocol, which isn’t a routable protocol, a direct connection to the
external domain may not be possible even if you have the network address of the server in an EDNI
document. Also, if an external domain server has multiple TCP/IP ports, the host name or address
returned to the EDNI document may not be the address of the appropriate port to use. Because each
protocol has its own restraints, you should thoroughly research and test the external domain lookup
capability using the network system configuration at your organization before using it.
To share information across domains, the Domino domain requesting the information must be
cross-certified with the external domain.
Because the Requesting Server gathers information from Server documents in an external domain, these
documents need to be configured properly to enable successful server name lookups. For example, a
document with a fully qualified host name or IP address would enable a successful lookup, but a
document with only the server common name may not (unless that common name were a full host
name).
The data from an external domain server lookup resolves client requests for a server address only; it does
not add additional server names to a client’s request for a list of servers.
Field Description
Requesting server The name of the local domain server that performs the request for external domain
information. This server runs the GETADRS task to obtain information from the
information server in the external domain.
Information server The name of the server in the external domain from which the requesting server obtains
information.
Domain to query The name of the external domain.
Protocols to query The name of one or more protocols in the external domain to query. Specify only protocols
that are used in both domains.
6. Run the GETADRS program on the Requesting server. You run GETADRS using any of these
methods:
v Run the program manually from the server console by entering:
LOAD GETADRS
Internet connections
To enable a Domino server to connect to another server across the Internet, you must establish Internet
access with an Internet Service Provider (ISP) and register an Internet domain name with the ISP -- for
example, acme.com. After you contract Internet service, create Connection documents to instruct the local
Domino servers how to contact the target server.
Servers can connect to the ISP using a direct connection or by way of a Domino or non-Domino proxy
server. If the local network uses a proxy server to connect to the Internet, the calling Domino server does
not need to connect to the ISP directly, because the proxy server establishes this connection to the ISP.
Servers connecting to the Internet require networking software that is compatible with the Internet. If
TCP/IP is not already installed on the Domino server, install the protocol using the installation
instructions included with the operating system. If you do not have a Domino TCP/IP port enabled for
the server, add and enable the port.
For information about adding a network port to a Domino server, see the chapter ″Setting Up the
Domino Network.″
A firewall filters traffic passing between the internal network and the Internet and is usually part of a
TCP/IP router. Most firewalls work by hiding the IP addresses of computers on your internal network
from the Internet, thus breaking the connection between the internal and external networks, so that while
there is a connection between the internal LAN and the firewall, and from the firewall to the Internet,
there’s no direct connection between the Internet and the local network.
For more on how to create a LAN Connection document, see the topic ″Creating a LAN connection″
earlier in this chapter.
Proxy connections
A proxy is a server that provides indirect access to the Internet. A proxy server usually runs in
conjunction with firewall software to pass incoming and outgoing requests between servers on either side
of a firewall. If your organization uses a proxy server for its Internet connection, a Domino server on the
internal LAN connects to the Internet through the proxy and firewall servers, which, in turn, connect to
your ISP. Because the proxy server establishes the connection with the ISP, the Domino server does not
connect to the Internet directly.
A Domino proxy server is one type of proxy server. You set up a Domino passthru server as a proxy for
the Internet the same way that you set up a passthru server for internal Domino communication. You do
not need to configure the server differently for Internet connections. The proxy server does not have to be
a Domino server.
However, when a server is connected through a proxy server, rather than having a direct connection,
after you create a LAN Connection document to define the connection, you must complete the proxy
information in the Server document of the calling server as described in the following procedure:
1. From the Domino Administrator, click the Configurations tab and expand the Server view.
2. Select the Server document of the server to connect to the Internet through the proxy, and click Edit
Server.
3. Click the Ports - Proxies tab, and then do one of the following:
v To connect through an HTTP proxy, in the HTTP Tunnel proxy field, enter the proxy’s
fully-qualified domain name or IP address and specify the port to use for the connection. For
example, enter httpproxy.company.com:8080 or 192.168.77.34:8080.
v To connect through a SOCKS proxy, in the SOCKS proxy field, enter the proxy’s fully-qualified
domain name or IP address of the SOCKS proxy and specify the port to use for the connection. For
example, enter socks.company.com:1080 or 192.168.77.34:1080.
Note: If you enter values for both fields, Domino uses the HTTP Tunnel proxy.
4. Click Save & Close.
Note: By default, if the server is configured to use a proxy, it uses the proxy for all connections. To
prevent use of the proxy for connections to certain servers, enter the server names in the ″No Proxy for
these hosts or domains″ field on the Ports - Proxies tab on the Server document.
You can set up a passthru server so that it leads to additional passthru servers as well as directly to a
passthru destination server. Thus, you can chain together multiple passthru connections to enable a client
to pass through several servers until it connects to a given target server.
Passthru access is valuable to Notes client users as well. When you provide a Notes client with access a
to a passthru server, the client user can connect to a single server to access other network servers. For
mobile users, this enables access to multiple destination servers on the same LAN over a single phone
connection. Using a passthru server this way saves the time and expense of configuring many individual
servers to support modem connections and of requiring Notes client users to use multiple phone calls to
access multiple servers.
Passthru Logging
To enable to monitoring of passthru traffic for security reasons, after you configure a server as a passthru
server, the server log (LOG.NSF) records information about passthru sessions established through that
server. For example, the log records information about users who access this server for to make passthru
connections to other servers.
For more information about server log files, see the chapter ″Using Log Files.″
Hunt groups
If your telecommunications infrastructure supports a hunt group -- that is, a pool of modems that are
connected to different phone lines but that use a single phone number -- you can configure Domino
servers and Notes client users to connect to a hunt group on a passthru server. Whenever a call is made
to the hunt group number, the incoming call is routed to the first available modem in the group.
You can use a hunt group with one or more passthru servers. If more than one passthru server is used in
the hunt group, to allow any passthru server in the hunt group to receive a call and route it to the
destination server, the calling server or user must use a Hunt Group Connection document.
For more information about configuring Lotus Notes clients to use a passthru server, see Lotus Notes 7
Help.
Note that passthru can benefit users and servers on the same network as the passthru server as well as
remote users and servers. For example, some of the Notes clients in the above diagram are on the same
LAN as Webstage-E and HR-E, but because they do not share any protocols, they cannot access these
servers without using passthru.
Field Description
Access this server If this server is not a passthru destination, leave this field blank.
For information about setting up a server as a passthru destination, see the topic ″Setting
up a server as a passthru destination″ later in this chapter.
Route through Specifies the names of the users, groups, and servers allowed to connect to a destination
server through this server. When this field is blank (the default), the server does not allow
passthru connections.
Enter an asterisk (*) to provide passthru access for all users and servers, even those not
listed in the Domino Directory. Enter a hierarchical name with an asterisk as the common
name to provide access for all users and servers certified by a particular organization or
organizational unit. For example, the entry */Acme allows access to all users in the Acme
organization.
Entries in this field are granted passthru access, even if denied general access to the server
in the Server Access section of the Server document Security tab.
By default, this field is blank and the server allows routing to all servers configured as
passthru destinations. Adding entries to this field restricts passthru access from this server
to the specified destination servers only.
Field Description
Access this server Specifies the names of the users, groups, and servers allowed to access the server as a
passthru destination. When this field is blank (the default), the server is not available as a
passthru destination.
Enter an asterisk (*) to provide access for all users and servers, even those not listed in the
Domino Directory. An asterisk followed by a certifier name provides access for all users and
servers certified by a particular organization or organizational unit. For example, the entry
*/Acme allows access to all users in the Acme organization.
Note: Access to a passthru destination is subject to restrictions set in the Server Access section of the
Server document’s Security tab. These fields define general access to the server.
You can grant a user or server general access to a server and prohibit access to the same server as a
passthru destination. However, if you deny a user or server general access to a server, those users and
servers cannot access the server as a passthru destination.
Before creating a passthru connection, verify that the current server is not configured to use a default
passthru server. When a server is configured to use a default passthru server and it receives a request to
connect to a destination server for which no other connection is defined, it attempts to route through the
named server to the requested destination. If the named server is not set up to allow passthru
connections to the requested destination server, the passthru attempt places an unnecessary load on both
servers.
Field Description
Connection type Select Passthru server
Source server The name of the server connecting to the passthru server
Source domain The name of the connecting server’s domain
Use passthru server or hunt The name of the passthru server or hunt group that this connection uses to reach the
group destination server
Usage priority Choose one:
v Normal (default) - Select this option if this document defines the primary path to
a server.
v Low - Select this option to define a backup path to a server.
For more information about the effect of specifying the usage priority for a
connection, see the topic ″Forcing a server connection to use a specific protocol″
earlier in this chapter.
Destination server The name of the destination server to connect to through the passthru server.
Destination domain The name of the destination server’s domain
6. Click the Replication/Routing and Schedule tabs to define the tasks you want to run, and select the
times you want the server to call its destination.
7. Click Save & Close.
A Hunt group connection document is required whenever a hunt group has multiple passthru servers. If
a hunt group has a single passthru server, create a Network dialup Connection document to define the
connection, rather than a hunt group Connection document.
Field Description
Connection type Hunt group
Source server The name of the server connecting to the hunt group
Source domain The name of the connecting server’s domain. Required only if the source server and
destination server are in different Domino domains.
Use the port The modem port
Always use area code Specifies when the modem on the source server includes the area code to dial a number.
Choose one:
v Yes - The server always includes the area code to dial, even when dialing numbers in
the local exchange.
v No - (default) The server includes the area code only when dialing numbers outside the
local area code.
Usage priority Choose one:
v Normal (default) - Select this option if this document defines the primary path to a
server.
v Low - Select this option to define a backup path to a server.
For more information about the effect of specifying the usage priority for a connection, see
the topic ″Forcing a server connection to use a specific protocol″ earlier in this chapter.
Hunt group Enter a unique name to identify the hunt group, for example, AcmeEastHuntGroup. If you
create passthru Connection documents that use this connection, the hunt group name you
enter in them must match the name entered here.
The name you enter name here is also used to apply commands to the hunt group servers.
For example, to replicate a database that is located on a hunt group server, enter:
rep hunt_group_name database
In this case, the calling server initiates the modem connection to the designated hunt
group and then replicates the specified database on each server where it resides.
Destination domain The name of the domain to connect to through the hunt group. Required only if the source
server and destination server are in different Domino domains. Enter a domain name to
ensure that the hunt group connects to a server in the specified domain.
Destination country The country code to use when dialing the number of the hunt group modem.
code
Destination area code The area code to use when dialing the number of the hunt group modem.
Destination phone The phone number of the hunt group modem.
number
Login script name The name of the login script file to use when connecting to the hunt group.
Installing modems
The number of modems that you can use on a server is dependent on the operating system and system
resources -- for example, the number of available communication ports. Each modem needs its own
communication port.
If you expect heavy dialup use, install additional modems or install a multiple-port communication board
to connect multiple modems to multiple communication ports on a single board.
Specifying a modem type automatically associates a modem with a modem command file. A modem
command file is a text file containing commands that Domino issues to the modem. If none of the
available modem types matches your modem, you can modify a generic modem command file or contact
IBM support to obtain the appropriate modem file.
Domino installs modem files in the Domino Data\Modems subdirectory. Commands in the modem
command file are arranged as required by the X.PC protocol provided with Domino.
Domino provides a generic all-speed modem file, GEN_ALL.MDM, which you can modify. For
information on modem command files and instructions on modifying them, use a text editor to read the
file TEMPLATE.MDM. Use this file in conjunction with the documentation that came with the modem to
modify modem command files.
When using Notes Direct Dialup connections, Domino uses the X.PC protocol driver. The X.PC protocol
driver is installed automatically when you install a Domino server. It links Domino to a computer’s
operating system and the hardware devices that handle the communication.
Notes Direct Dialup connections use Domino security and thus offer tighter security than Network
Dialup connections to a remote access server.
1. Make sure that you already installed a modem and that one exists on the destination server.
2. From the Domino Administrator, click the Configuration tab.
3. Click Server, and then click Connections.
4. Click Add Connection.
5. Select Notes Direct Dialup in the ″Connection type″ field.
6. Complete these fields:
Field Description
Source server The name of the calling server.
Source domain The name of the calling server’s domain.
Use the port(s) The name of the communications port that the calling or source server uses.
Always use area code Specifies whether the source server always uses the area code when dialing. Choose one:
v Yes - The server always includes the area code to dial, even when dialing numbers in
the area code defined in the source server’s Server document. Use this option if your
phone system requires an area code for local calls.
v No - (default) The server includes the area code only when dialing numbers outside the
local area code.
For more information about the effect of specifying the usage priority for a connection, see
the topic ″Forcing a server connection to use a specific protocol″ earlier in this chapter.
Destination server The name of the remote server.
Destination domain The name of the remote server’s domain.
Destination country The country code for the remote server. Enter this number only if it’s required to complete
code the call.
Destination area code The remote server’s area/city code. Enter this number only if it’s required to complete the
call.
Destination phone The phone number of the remote server.
number
Login script file name The name of the connect script to use when connecting to the remote server. Supply this
file name only if additional information is required to authenticate with the destination
server after dialing completes.
Login script arguments Between 1 and 4 values used by the login script when authenticating with the destination
server. For example, enter a login name and password if the login scripts must provide
these elements when connecting to the destination server. The script uses the values in the
order in which they are entered. Values entered in this field are not encrypted and are
displayed in the clear.
7. Click the Replication/Routing and Schedule tabs to define the tasks you want to run, and select the
times you want the server to call its destination.
8. Click Save & Close.
Note: To ensure the best performance for connections that use data-compressing modems, don’t apply
Domino network data encryption to ports using these modems. Rather than reducing the size of the
transmitted data, the modem’s hardware compression techniques can increase it, negating the benefits of
the modem compression.
For more information about encrypting data on an NRPC port, see the chapter ″Setting Up the Domino
Network.″
Because RAS uses its own compression, Domino compression should not be used with RAS.
Notes clients and Domino servers who establish a Network Dialup connection to a Remote Access Server
can access the entire remote Domino network over the remote LAN. After establishing a connection, the
calling client or server can communicate with servers on the remote LAN using the network protocols
defined in RAS only, that is, TCP/IP and Netbios.
Field Description
Connection type Network Dialup
Source server The fully-distinguished Notes name of the connecting server. For example,
Server1/Sales/ACME.
Source domain The name of the connecting server’s Domino domain. Required only if the source server
and destination server are in different Domino domains
Use LAN port(s) Specifies the port that the server uses to establish the network dialup connection using the
remote access service.
Usage priority Choose one:
v Normal (default) - Select this option if this document defines the primary path to a
server.
v Low - Select this option to define a backup path to a server.
For more information about the effect of specifying the usage priority for a connection, see
the topic ″Forcing a server connection to use a specific protocol″ earlier in this chapter.
Destination server The fully-distinguished Notes name of the Domino server you want to access.
For SMTP routing connections, enter the host name of the destination server, for example,
internet.isp.com.
Destination domain The name of the destination server’s Domino domain. Required only if the source server
and destination server are in different Domino domains.
Leave this field blank when configuring SMTP routing to an ISP server.
Optional network Provide an optional network address to facilitate attempts to locate the destination server
address over a TCP/IP connection. If the field contains no entry, Domino attempts to obtain the
destination server’s IP address from the IP protocol stack.
7. Click the Network Dialup tab and complete the following fields:
Field Description
Choose a service type Select Microsoft Dial-up Networking
Optionally, you can complete the following additional fields in the dialog box. If you
complete these fields, the settings override those configured in the specified Dial-up
Networking entry on the server. These settings are used by the remote access service,
not by Domino. Complete the fields and then click OK
v Login name - The name that the server uses to log in to the remote access server.
v Password - The password the server uses to log in to the remote access server. For
security reasons, when you enter the password, it appears as a series of asterisks.
After you save the Connection document, before storing the document Domino
encrypts the password with the public keys of the source server and the users and
servers listed in the Owners and Administrators fields of the document.
v Phone number - The phone number of the remote access server. If the server uses
pulse dialing, do not enter a phone number in this field. Also, be sure to select Pulse
in the server’s modem configuration options and in the Microsoft Dial-up Networking
dialog, provide a phone number and check the Use Telephony dialog properties box.
v Area code - Area code of the remote access server.
v Country code - Country code of the remote access server.
v Dial-back phone number - The phone number of the source server. If the remote
access server has call-back enabled, it calls this number after authentication
completes.
v Domain - The Windows logon domain of the remote access service
The remaining fields on this tab are read-only and display information only if you completed the
corresponding field in the previous step.
8. Click the Replication/Routing and Schedule tabs to define the tasks you want to run, and select the
times you want the server to call its destination.
9. Click Save & Close.
Note: To ensure the best performance for connections that use data-compressing modems, don’t apply
Domino network data encryption to ports using these modems. Rather than reducing the size of the
transmitted data, the modem’s hardware compression techniques can increase it, negating the benefits of
the modem compression.
For more information about encrypting data on an NRPC port, see the chapter ″Setting Up the Domino
Network.″
Use these steps to encrypt a Connection document created prior to Release 5 so that only the users and
servers you specify can use the document to make a connection and view the settings in the document.
1. From the Domino Administrator, click the Configuration tab.
2. Select the connecting server’s Domino Directory in the ″Use Directory on″ field.
3. Click Server, and then click Connections.
4. Open the Network Dialup Connection document.
120 Lotus Domino Administrator 7 Help
5. Choose File - Document Properties.
6. Click the Security tab (the key icon), and deselect ″All readers and above.″
7. In the ″Public Encryption keys″ field, enter the names of users and servers who need access to the
document, and then save the document.
To automate the coordination of dialup schedules, Domino lets you create an AutoDialer connection. An
AutoDialer connection provides a link between two Connection documents: one document that controls
when a source server initiates the given replication or mail routing task; and one document that controls
when the destination server dials up an ISP to establish an Internet connection. An AutoDialer task on
both servers tracks the task schedule set in the source server’s Connection document and prompts the
destination server to come online in time to receive requests from the calling server.
The source server uses the destination server’s IP address to establish the connection. Because this
requires a stable IP address, the destination server’s ISP must provide static IP addresses; that is, it must
assign the server the same IP address every time the server connects to the ISP.
AutoDialer connections honor the timeout settings specified for the modem communication port. If a
connection is idle for the amount of time specified, Domino closes the connection.
To enable replication, the administrator creates an AutoDialer connection for the two server by doing the
following:
1. Creates a Pluto-to-ISP Network Dialup connection document that provides information on how to
connect the destination server, Pluto, to the ISP, using a local phone number. In the Pluto-to-ISP
connection document, the administrator then does the following:
v Enables AutoDialer and specifies that Pluto will begin to dial up the ISP three minutes before the
scheduled replication with Jupiter.
v Assigns the AutoDialer connection the name ″PlanetReplication.″
2. Creates a Jupiter-to-Pluto LAN connection document that provides information on how the source
server, Jupiter, connects to Pluto. In the Jupiter-to-Pluto LAN connection document, the administrator
then does the following:
v To enable Jupiter to locate Pluto on the Internet, specifies Pluto’s IP address in the Optional
Network Address field.
v Enables AutoDialer and assigns the AutoDialer connection in this document the same name as the
AutoDialer connection in the Pluto-to-ISP Connection document: ″PlanetReplication″ This name
provides the link between the two documents.
v Sets the schedule on the Jupiter-to-Pluto connection document to begin replication at 10:00 AM.
Domino then searches the available Connection documents to locate any that have the AutoDialer
connection name ″PlanetReplication.″ After it finds the matching documents, Domino calculates when
Pluto must dial up its ISP to answer the replication request from Jupiter, and sets this schedule in the
Pluto-to-ISP connection document. In this example, because Pluto is in the time zone GMT -08:00, it must
dial up the ISP at 6:57 AM local time to come online three minutes before Jupiter, in the time zone GMT
-05:00, initiates replication at 10:00 AM local time.
At 6:57 AM the AutoDialer on Pluto requests the dialup information from the Pluto-to-ISP connection
document and dials the ISP. Three minutes later, Jupiter sends a replication request over the Internet to
Pluto.
For more information, see the topic ″Coordinating Notes Direct Dialup connections between servers″ later
in this chapter.
Field Description
AutoDialer Task Select Enabled
AutoDialer connection Specifies a name for this AutoDialer connection. Enter any unique name, for example,
name InternetReplication. It’s best to use a name that’s short and descriptive.
The name you enter in this field must also appear in the AutoDialer connection name field
in the Connection document that provides the schedule for this task (see Step 5).
Connect remote server Specifies how many minutes before a scheduled action that this server will dial up to
to network connect to the Internet. To ensure availability, specify a time value that enables the server
to be online several minutes before the start of the scheduled action.
6. Connect the destination server (the dialing server) to the Internet by having it dial up the ISP.
7. From the server console of the destination server, enter the command:
Replicate servername directoryfile
Where servername is the name of the source, or replication, server, and directoryfile is the filename of
the Domino Directory database. For example, enter:
Replicate Jupiter NAMES.NSF
8. Add the AutoDialer task to the ServerTasks item in the NOTES.INI file to start the AutoDialer task on
Pluto.
The process for creating an AutoDialer connection for use with a Notes Direct Dialup connection is
similar to the one used to create an AutoDialer connection for a Network Dialup connection. For
replication tasks, set up the more powerful server to be the source server, and the less powerful server,
generally the server with the dialup connection, to be the destination server.
If the dialing server connects into a passthru server rather than connecting directly to the replication
server, all communications between the dialing server and the replication server occur through the
passthru server. The replication server cannot locate the dialing server on the network except with the
To set up an AutoDialer connection for use with Notes Direct Dialup connections
1. Create a Notes Direct Dialup connection document that defines how the dialing, or destination, server
connects to the Domino server initiating replication (the source server).
For information on creating a Notes Direct Dialup connection, see the topic ″Creating a Notes Direct
Dialup connection″ earlier in this chapter.
If the dialing server dials into a passthru server, rather than directly into the source server, in addition
to this Notes Direct Dialup connection document, you must also create a Passthru connection
document if one doesn’t already exist. You must also set up the source server as a passthru
destination.
Note: The AutoDialer section on this Passthru connection document is not used.
For information on creating a Passthru connection document, see the topic ″Creating a passthru
connection″ earlier in this chapter.
2. On the Replication/Routing tab of the Connection document you created in Step 1, complete the
following fields in the AutoDialer section:
Field Description
AutoDialer Task Select Enabled
AutoDialer connection Specifies a name for this AutoDialer connection. Enter any unique name, for example,
name AutoDialReplication. It’s best to use a name that’s short and descriptive.
The name you enter in this field must also appear in the AutoDialer connection name field
in the Connection document that provides the schedule for this task (see Step 5).
Connect remote server Specifies how many minutes before a scheduled action that this server will dial up to
to network connect to the Internet. To ensure availability, specify a time value that enables the server
to be online several minutes before the start of the scheduled action.
Note: Enabling network encryption can slow performance, especially for connections that use
data-compressing modems. Never apply Domino network data encryption to ports that use
data-compressing modems. Rather than reducing the size of the transmitted data, the modem’s
hardware compression techniques can increase it, negating the benefits of the modem compression.
For more information about setting up network data encryption for a port, see the topic Encrypting
network data on a server port.
8. Select ″Compress network data″ to enable Domino network data compression. Network compression
occurs only if it is enabled on both sides of the connection. If compression is not enabled on the
server being connected to, data will not be compressed.
9. Click portname Options, where portname is the name of the port whose settings you want to change.
10. Modify default port settings, as needed and then click OK.
Note: These settings apply to digital-analog modems only, not cable or DSL modems.
The default port settings work in most situations. However, if you are performing troubleshooting,
you may wish to adjust some of the settings. The following settings are available:
If there’s no match and your modem is not 100% Hayes-compatible, you may need to edit
an existing modem command file or create a new one. For information about your
modem, see your modem documentation.
For information about editing modem command files, see the topic ″Modifying a modem
command file″ later in this chapter.
Maximum port speed Specifies the maximum speed at which the communication port on the computer sends
data to the modem and receives data from the modem. Domino selects a maximum data
transmission speed based on the modem type you select. The maximum speed is limited
by the maximum speed specified in the modem’s command file and may also be limited
by the server’s operating system. Default value is 19200. Specify the highest value
supported by your modem hardware. Select a lower port speed if you are having trouble
with a noisy phone line or cannot establish the carrier.
Note: When using a null modem, the maximum port speed on both computers must
match.
Speaker volume Specifies how loudly to amplify modem tones during connection attempts. Choose the
volume that best allows you to monitor call progress: Low Medium, or High; or choose
Off to mute the modem.
Dial mode Choose one:
v Tone - For touch-tone phone lines.
v Pulse - For rotary phone lines or modems that do not support touch-tone dialing.
Log modem I/O Select this option to help troubleshoot modem connection problems by recording modem
control strings and responses in the Miscellaneous Events view of the server’s Notes Log
(LOG.NSF).
To conserve disk space, after the problem is fixed, deselect this option to prevent the extra
information from being recorded.
Log script I/O Select this option to help troubleshoot communication problems between servers that
occur after the modem establishes a connection. The server records script file responses
and replies in the Miscellaneous Events view of the server’s Notes Log (LOG.NSF).
To conserve disk space, after the problem is fixed, deselect this option to prevent the extra
information from being recorded.
Hardware flow control Specifies how data is sent between the computer and the modem. Select this option (the
default on operating systems other than UNIX) to enable data flow control. Deselect this
option only if you’re using a modem or external serial port that doesn’t support flow
control. When deselected, messages about errors and retransmissions can appear in the
Phone Calls view of the log file (LOG.NSF).
Wait for dialtone before Select this option (the default) to require the modem to detect a dialtone before dialing.
dialing Deselect this option on phone systems where dial tone detection is a problem.
Dial timeout Specifies the time, in seconds, that the source server continues attempting to connect to
the destination server before it cancels the attempt. Increase the dial time-out period when
using pulse dialing or when calling overseas. The default value is 60.
Hangup if idle Specifies the time, in minutes, that the modem on the source server waits before hanging
up if there is no data passing through the connection. The default value is 15. For ports
that workstation users dial into, specify a longer idle time so users have time to read or
compose long documents.
11. To specify an acquire script for this port, click Acquire Script, select the script in the Acquire Script
dialog box, and then click OK.
For more information on acquire scripts, see the topic ″Writing and editing acquire and login scripts″
later in this chapter.
12. If necessary, you can edit acquire scripts and modem command files.
For information about editing modem command files and acquire scripts, see the topic ″Modifying
modem command files and acquire scripts″ later in this chapter.
Note: To ensure the best performance for connections that use data-compressing modems, don’t apply
Domino network data encryption to ports using these modems. Rather than reducing the size of the
transmitted data, the modem’s hardware compression techniques can increase it, negating the benefits of
the modem compression. For more information about setting up network data encryption for a port, see
the chapter ″Setting up the Domino Network.″.
Login scripts provide information required to access a destination server and are required by some Direct
dialup connections. The server runs the commands in the login script after running the modem command
file.
You can edit an existing acquire or login script or create new ones from scratch using any text editor.
When editing or writing scripts, use the appropriate script commands, keywords, and comments. The
keywords identify and classify the script file. The script commands execute sequentially. The keywords
you use depend on the device that the script sets up.
Any time you change a script, make sure you save the file with an SCR extension and copy it to the
Notes Data/Modems subdirectory of every workstation and the Domino Data/Modems subdirectory of
every server that uses the script.
For information about how to edit an script from the Port Setup dialog box, see the topic ″Configuring a
communication port″ earlier in this chapter.
Script keywords
Use these keywords when you write a script file.
Similarly, mobile users who use login scripts when configuring dialup communications from a Notes
client, see the value of the DESC keyword in the login script.
TYPE
Tells whether the script is an acquire or connect script. For example:
TYPE CONNECT
ARG...ARG4
For connect scripts only, these optional keywords precede a description of each of the four script
arguments. You may write scripts using from 0 through 4 arguments. For example, you might use the
following script arguments and descriptors in a connect script file:
ARG1 1. REMOTE DTE ADDRESS:
ARG2 2. None entered:
ARG3 3. None entered:
ARG4 4. None entered:
ARG1 is a keyword and ″1. REMOTE DTE ADDRESS:″ is the description that appears in the Call Setup
dialog box. ARG2, ARG3, and ARG4 are keywords. ″X. None entered:″ lets users enter arguments when
making the call. Users can enter arguments when they choose File - Mobile - Call Server, select More
Options, and then select Call Setup; or they can enter arguments in the Notes Direct Dialup Connection
document in the Domino Directory or Personal Address Book.
To connect to Domino through a passthru server, users must specify the name of the passthru server in
the current Location document and set up Passthru Connection documents.
For more information about the Limited Availability program and other important information on this
topic, see the URL http://www.ibm.com/lotus/nsfdb2.
An understanding of DB2 concepts is assumed before you attempt to configure Domino and DB2.
You can configure IBM Lotus Domino to run with DB2 databases and Notes databases. You can also
access and view data stored in Notes databases as well as data stored in DB2 databases. When working
with your data, there is no visible difference between the data stored in a Notes database and data stored
in a DB2 database.
When you run Domino with DB2, there are three distinct interactions that occur between Domino and
DB2. They are:
v Domino uses DB2 as an alternate data store for Notes data.
v Specific sets of data are pushed from an NSF to DB2 in the form of DB2 Access Views (DAVs).
v A Notes view can be built based on an SQL query in the form of Query Views.
Note: DAVs and Query Views are explained later in this topic.
When working with data, you interact only with the Domino server as a Notes user. In a Domino and
DB2 configuration, all of the data stored in DB2 is owned by Domino; therefore, you do not need a DB2
ID. The client is unaware that the storage is in DB2 and not in an NSF file. There is no need for users to
have DB2 connectivity because DB2 connectivity is handled by the Domino server.
Domino connects to DB2 using the Domino server user account assigned to it when you run the DB2
Server Enablement tool from the Domino Administrator. The DB2 Server Enablement tool enables a
Domino server to communicate with a DB2 server.
133
For more information, see the topic ″Enabling Domino access to a DB2 server.″
A Notes NSF can contain many notes that differ from each other, whereas DB2’s relational database is
organized in structured tables and columns that are similar to each other. To help resolve the issue of
using two very different database structures, a DAV identifies a common set of notes in an NSF. This
common set of notes can then be used by DB2.
For example, you can organize notes in DB2 based on the Notes form that is used to create the note. In
this example, the form ″Employee″ contains the text fields FirstName, LastName, Street1, Street2, State,
and Zip Code.″ Therefore, you can create a DAV in Domino Designer that instructs Domino to create a
DB2 view that provides access to a specific set of notes that contain a specific set of fields.
CAUTION:
When creating a DAV, the designer must be sure that field names are entered exactly as they appear in
the database. If a field name is invalid, no data displays.
Access to the DAV is managed by a the DB2 Access server installed on the DB2 server.
Domino stores NSFs as a set of tables in DB2. You cannot view this data, it is private to Domino. You can
only view NSF data in DB2 by creating a DAV to expose that data.
For more information about DB2 Access Views, see the topic ″DB2 Access Views″ in the Domino Designer
7 documentation.
Query views
A Query view is another type of Notes view. Like other types of Notes views, query views are design
elements that are part of Notes applications. A query view uses an SQL query to populate its data instead
of using a view formula that selects notes from a Notes database. If you want to create a query view
based on data in a Notes database that resides in DB2, you must first have defined and populated a DAV.
Data in DB2 databases is accessed and manipulated through System Query Language (SQL) statements.
Chapter 5. Setting up Domino and DB2 135
When you create a Notes view that is based on an SQL query, keep the following tips in mind:
v If the query view references only non-Domino data, you cannot ″open″ the notes in the Notes view. It
will literally be a Notes view of DB2 data.
v If the query view references Domino data via a DAV and selects the #NOTEID from the DAV, you can
open the note.
v A Query can be composed dynamically in the Notes client application, for example, by using the
@prompt function. For example, the application can prompt the user for STATE and then query only
the people who live in the selected state.
v A Query View can join data from multiple DB2 tables and views; therefore, you can join data from two
NSFs by joining two separate DB2 Access Views.
A benefit of using DB2 to access data is that Query Views are dynamic; you can re-execute them with
different SQL statements to quickly access specific notes. Regular Notes views need to be rebuilt using
the Update and Updall tasks, but Query Views do not; therefore, they do not take up space in the NSF.
Query Views can do things that regular Notes views cannot do, for example, they can join data from
multiple NSFs and they can access non-Domino data. Non-Domino data is any data visible to DB2.
For more information about Query Views, see the topic ″Query Views″ in the Domino Designer 7
documentation.
Domino and DB2 user accounts that are needed for Domino and DB2
To install the DB2 software on Microsoft Windows or on IBM AIX or UNIX, you need an installation
account.
v An installation account is an OS user account created in Microsoft Windows or AIX/UNIX. You use
this account to install the DB2 software.
Note: The DB2 server enablement tool enables a Domino server to communicate with a DB2 server.
3. A Notes user account with Domino server access rights.
4. A DB2 account name which is an OS user account that you will map to the Notes user account. This
mapped account is needed for accessing the DB2 Access Views and Query Views.
Using the Domino Web Administrator client with Domino and DB2
The Domino Web Administrator client can be used with Domino and DB2. The Domino and DB2 features
that are available from the Domino Web Administrator function exactly as they do when using those
same features from the Domino Administrator client.
These Domino and DB2 features are also available using the Domino Web Administrator client:
v DB2 Server Enablement Tool
v Edit DB2 Access server Connection document
v Test DB2 Access
For information about creating databases in DB2, go to the DB2 Information Center at
http://publib.boulder.ibm.com/infocenter/db2help/index.jsp
Database storage
When you run the DB2 Server Enablement Tool from the Domino Administrator or the Domino Web
Administrator, you specify a number of parameters. One of these is the default database storage type of
either DB2 or NSF that is assigned to all databases that you create. By default, the database storage type
is DB2, but you can change that to NSF on the DB2 tab of the Server document. When NSF is the default
database storage type, new databases are created as files in the Domino server’s disk space. When DB2 is
the default database storage type, the databases are stored in a DB2 database managed by the DB2 server.
″Classic″ Domino databases are referred to as NSF databases, and NSFs stored in a DB2 database and
managed by a DB2 server are referred to as DB2 enabled Notes databases.
Only databases stored in DB2 can be accessed in DB2 using SQL. Databases created with an NSF are not
visible to DB2. NSFs and DB2 enabled Notes databases are visible to the Domino server.
Each DB2 enabled Notes database can be identified by the following icon in the Files panel of the
Domino Administrator:
Note: Do not create replicas for these .NSF files on a DB2 enabled Domino server:
Command to
Task run task Description Database
Activity Trends Collector trends Runs the Activity Trends Collector which activity.nsf
performs historical and trended analysis on
Domino Activity data.
Administration Process AdminP Automates a variety of administrative tasks. admin4.nsf
Billing Billing Collects all generated billing information. billing.nsf
Cataloger Catalog Updates the database catalog. catalog.nsf
Cluster Database Directory Cldbdir Updates the cluster database directory and cldbdir.nsf
Manager manages databases with cluster-specific
attributes.
Event Monitor Event Monitors events on a server. events4.nsf
HTTP Server HTTP Enables a Domino server to act as a Web webadmin.nsf
server so browser clients can access
databases on the server.
IMAP Server IMAP Enables a Domino server to act as a mail files for IMAP
maildrop for IMAP clients. users/mail7.ntf
The databases in the following table are not supported as DB2 enabled Notes databases in Domino 7 and
DB2.
Note: Do not create replicas for these .NSF files on a DB2 enabled Domino server:
Running compact -B on a directory results in a single set of table and index reorganizations because
several DB2 enabled Notes databases can exist in a set of tables within a tablespace. The table and index
reorganizations for data in a DB2 enabled Notes database are deferred until compact is finished with
regular NSF processing.
Note: The Compact -b option does not have any impact on a DB2 enabled Notes database.
The Domino administrator should be familiar with the DB2 Database Analysis and Reporting Tool
(db2dart.) Db2dart is a DB2 utility that displays tablespace usage information, including what needs to be
done to best lower the HWM of a tablespace so that the tablespace can be reduced in size.
For more information about the Limited Availability program and other important information on this
topic, see the URL http://www.ibm.com/lotus/nsfdb2.
To enable Domino 7 with DB2, use the ″DB2 key″ that allows access to Domino 7 with DB2. For Microsoft
Windows platforms, use NDB2KEY.DLL; for IBM AIX platforms, use libdb2key_r.a.
Add the DB2 key to the Domino Program directory. The default Domino Program directory on Microsoft
Windows is C:\Program Files\Lotus\Domino; the default Domino Program directory on IBM AIX is
/opt/lotus/ibm.
For more information about the DB2 key, see the URL http://www.ibm.com/lotus/nsfdb2.
Supported platforms
Domino 7 and DB2 are supported on these platforms:
v Microsoft Windows ®
v IBM AIX® 5.2 and 5.3
Note: Shared mail is not supported for a DB2 server. The recommended method of installation is to
create a new DB2-enabled Domino server and replicate to DB2. If an existing server is upgraded to a
DB2-enabled Domino server, the shared mail linked mail files need be unlinked prior to the upgrade.
Software requirements
v IBM Lotus Domino server 7
v IBM Lotus Domino Administrator 7.0
v DB2 UDB Enterprise Server Edition version 8.2.2 (FixPak 9).
v DB2(R) Run-Time Client is required for remote configurations
CAUTION:
Do not confuse the DB2 Run-Time Client with the DB2 Run Time Client Lite (RTCL). We do NOT
support the DB2 Run Time Client Lite.
v IBM DB2 Access for Lotus Domino 7.0
v IBM Lotus Notes Client 7.0 is required to be able to open Query Views
Other requirements
v Transaction logging must be enabled to run the DB2 Domino server. When you enable transaction
logging on the Server document, set the log file size to at least 192 MB.
v UTF-8 is supported for Domino 7 and DB2. New databases are created as UTF-8 databases. No other
database encoding is supported.
To use a DB2 server remotely, the computer on which the Domino server resides must also have one of
the following DB2 components installed:
v DB2 Run-Time Client -- Must be installed on the Domino server in all configurations where DB2 is
installed on one computer and Domino is installed on another computer.
142 Lotus Domino Administrator 7 Help
v DB2 UDB Enterprise Server Edition -- Includes all components of a DB2 server and connects to a
remote DB2 server.
v DB2 Workgroup Edition -- We do not provide this but if a customer has purchased and is using this,
we will support it.
Each Domino server manages its own database on the DB2 server.
A DB2 server can support multiple Domino servers, each connected to its own database. These can be
separate databases in the same DB2 instance or separate DB2 instances -- each supporting a single
database / Domino server (recommended).
In this configuration, the DB2 Run-Time Client is installed on the Domino servers.
CAUTION:
Do not confuse the DB2 Run-Time Client with the DB2 Run Time Client Lite (RTCL). We do not
support the DB2 Run Time Client Lite.
Microsoft Windows
If you are setting up a local configuration on Microsoft Windows, complete one of these two procedures:
v Installing and setting up Domino and DB2 on Microsoft Windows - Local configuration
v Installing and setting up Domino and DB2 and the DB2 Access server on Microsoft Windows - Local
configuration
If you are setting up a remote configuration on Microsoft Windows, complete one of these two
procedures:
v Installing and setting up Domino and DB2 on Microsoft Windows - Remote configuration
v Installing and setting up Domino and DB2 and the DB2 Access server on Microsoft Windows - Remote
configuration
Anyone installing their Domino and DB2 configuration on a Microsoft Windows platform must also
complete this procedure:
v Installing DB2 on Microsoft Windows
IBM AIX
If you are setting up a local configuration on IBM AIX, complete one of these two procedures:
v Installing and setting up Domino and DB2 on IBM AIX - Local configuration
v Installing and setting up Domino and DB2 and the DB2 Access server on IBM AIX - Local
configuration
If you are setting up a remote configuration on IBM AIX, complete one of these two procedures:
v Installing and setting up Domino and DB2 on IBM AIX - Remote configuration
v Installing and setting up Domino and DB2 and the DB2 Access server on IBM AIX - Remote
configuration
Anyone installing a Domino and DB2 configuration on an IBM AIX platform must complete these two
procedures:
v Installing DB2 on IBM AIX
v IBM AIX post-installation procedure
All platforms
Complete these procedures only if you will be using the DB2 Access server and you did not install it as
part of one of the installation procedures you have already completed.
The DB2 installation account can be a local or domain user account that you create at the OS level in
Windows/AIX and it must belong to the Administrators group on the computer on which you are
performing the DB2 installation.
For details about creating user or domain accounts and assigning Administrator rights, see your
Microsoft Windows or IBM AIX documentation. For example, in Microsoft Windows, create the account
from the Control Panel - Administrative Tools, and then assign the Administrator rights listed below to
the account from Control Panel - Local Security Policy.
If the Administrators group already has the administrator rights, there is no need to specifically add the
DB2 installation account because these rights will be inherited.
Note: If you want the DB2 Setup wizard to create a new DB2 administration server user account, which
is a domain user account, the installation account that you use to perform the DB2 installation must also
be assigned the right to create domain user accounts and it must belong to the Administrators group on
the computer on which you are performing the DB2 installation.
For more information about the DB2 installation account, go to the DB2 Information Center
http://publib.boulder.ibm.com/infocenter/db2help/index.jsp.
After you create the DB2 installation account and assign the necessary rights, log in using the DB2
installation account to begin installing DB2.
Note: By default, any user that is part of the Administrator group has SYSADM authority.
The DB2 administrator account starts the DB2 services, such as DB2 DAS, DB2 Remote Command server,
DB2 Governor, and other DB2 services.
The DB2 administrator account must belong to the Administrator’s group on the machine on which you
perform the DB2 installation.
For more information about the DB2 key, contact your IBM representative.
Complete this procedure to set up a new Domino and DB2 environment on Microsoft Windows. This is
not a procedure for upgrading an existing Domino and DB2 configuration.
Procedure
1. Install and set up the Domino server and the Domino Administrator. For instructions, see Chapters 1
- 3 of Administering the Domino System, or see the Domino Administrator 7 Help.
2. When you start the Domino server, you are prompted to specify whether to run Domino as an
application or a Windows service. Choose application.
3. Create an installation user account.
4. Install DB2 on Microsoft Windows.
5. Create a DB2 administrator account.
6. On the Domino server, permanently enable transaction logging.
Note: To use a DB2 enabled Notes database, transaction logging must be turned on in Domino.
Linear, circular or archival transaction logging may be used. DB2 enabled Notes databases do not
work if transaction logging is not enabled.
7. Enable the Domino server to communicate with the DB2 server.
8. After Domino creates the initial DB2 database, stop the Domino server.
9. Determine whether your DB2 configuration has a SYSCTRL group by entering this command from
the DB2 Command Line Processor (CLP):
GET DBM CFG
10. If your DB2 configuration has a SYSCTRL_GROUP, you can omit this step. If your DB2 configuration
does not have a SYSCTRL_GROUP, set up DB2DOM as the SYSCTRL_GROUP in DB2 by entering
this command from the DB2 CLP:
Update dbm cfg using SYSCTRL_GROUP DB2DOM
11. Update the DB2 configuration by entering these commands from the CLP window:
DB2STOP
DB2START
12. Restart the Domino server and the Domino Administrator.
13. Map the DB2 user name to a Notes user name.
Installing and setting up Domino and DB2 and the DB2 Access server
on Microsoft Windows - Local configuration
To enable Domino 7 with DB2, use the ″DB2 key″ that allows access to Domino 7 with DB2. For Microsoft
Windows platforms, use NDB2KEY.DLL. Add the DB2 key to the default Domino Program directory
C:\Program Files\Lotus\Domino.
For more information about the DB2 key, contact your IBM representative.
Complete this procedure to set up a new Domino and DB2 environment on Microsoft Windows. This is
not a procedure for upgrading an existing Domino and DB2 configuration.
Procedure
1. Install and set up the Domino server and the Domino Administrator. For instructions, see Chapters 1
- 3 of Administering the Domino System, or see the Domino Administrator 7 Help.
2. When you start the Domino server, you are prompted to specify whether to run Domino as an
application or a Windows service. Choose application.
3. Create an installation user account.
4. Install DB2 on Microsoft Windows.
5. Create a DB2 administrator account.
6. On the Domino server, permanently enable transaction logging.
Note: To use a DB2 enabled Notes database, transaction logging must be turned on in Domino.
Linear, circular or archival transaction logging may be used. DB2 enabled Notes databases do not
work if transaction logging is not enabled.
7. Create a server ID for the DB2 Access server.
8. Install the DB2 Access server on the server running DB2.
9. Enable the Domino server to communicate with the DB2 server.
10. After Domino has created the initial DB2 database, stop the Domino server.
11. Determine whether your DB2 configuration already has a SYSCTRL group by entering this command
from the DB2 Command Line Processor (CLP):
GET DBM CFG
12. If your DB2 configuration has a SYSCTRL_GROUP, you can omit this step. If your DB2 configuration
does not have a SYSCTRL_GROUP, set up DB2DOM as the SYSCTRL_GROUP in DB2 by entering
this command from the DB2 CLP:
Update dbm cfg using SYSCTRL_GROUP DB2DOM
13. Update the DB2 configuration by entering these commands from the CLP:
DB2STOP
DB2START
14. Restart the Domino server and the Domino Administrator.
15. From the Domino server console, enter
DB2 ACCESS SET
16. To verify that the DB2 Access server is installed and configured properly, use the Test DB2 Access
feature from the Domino Administrator client.
17. Map the DB2 user name to a Notes user name.
Complete this procedure to set up a new Domino and DB2 environment on Microsoft Windows. This is
not a procedure for upgrading an existing Domino and DB2 configuration.
Procedure
1. Install and set up the Domino server and the Domino Administrator. For instructions, see Chapters 1
- 3 of Administering the Domino System, or see the Domino Administrator 7 Help.
2. When you start the Domino server, you are prompted to specify whether to run Domino as an
application or a Windows service. Choose application.
3. Create an installation user account.
4. Install DB2 on Microsoft Windows.
5. Create a DB2 administrator account.
6. On the Domino server, permanently enable transaction logging.
Note: To use a DB2 enabled Notes database, transaction logging must be turned on in Domino.
Linear, circular or archival transaction logging may be used. DB2 enabled Notes databases do not
work if transaction logging is not enabled.
7. Install the DB2 Run Time Client on the same system as the Domino server.
8. Enable the Domino server to communicate with the DB2 server.
9. After Domino creates the initial DB2 database, stop the Domino server.
10. Determine whether your DB2 configuration already has a SYSCTRL group by entering this command
from the DB2 Command Line Processor (CLP):
GET DBM CFG
11. If your DB2 configuration has a SYSCTRL_GROUP, you can omit this step. If your DB2 configuration
does not have a SYSCTRL_GROUP, set up DB2DOM as the SYSCTRL_GROUP in DB2 by entering
this command from the DB2 CLP:
Update dbm cfg using SYSCTRL_GROUP DB2DOM
12. Update the DB2 configuration by entering these commands from the CLP window:
DB2STOP
DB2START
13. Restart the Domino server and the Domino Administrator.
14. Map the DB2 user names to Notes user names.
Complete this procedure to set up a new Domino and DB2 environment on IBM AIX. This is not a
procedure for upgrading an existing Domino and DB2 configuration.
Prerequisite
v The SYSADMIN_GROUP must contain the user ″root.″
v Swap space should equal or exceed physical RAM. For example, if you have 8 GB RAM, you must
have at least 8 GB of swap space.
Procedure
1. Install and set up the Domino server. For instructions, see Chapters 1 - 3 of Administering the Domino
System, or see the Domino Administrator 7 Help.
2. Start the Domino server.
3. On the Domino server, permanently enable transaction logging.
Note: To use a DB2 enabled Notes database, transaction logging must be turned on in Domino.
Linear, circular or archival transaction logging may be used. DB2 enabled Notes databases do not
work if transaction logging is not enabled.
4. Stop the Domino server.
5. Install DB2 on IBM AIX.
6. From the AIX OS or from the AIX administrator tool, create these three primary groups:
Note: You are creating a group for each of the three users listed in Step 10.
v DAS user group. For example, use group name db2asgrp.
v Fenced user group for the user who owns the DB2 Access server. For example, use the group
name db2fadm1.
v Instance owner account group. For example, use the group name db2iadm1.
7. Determine whether your DB2 configuration already has a SYSCTRL_GROUP. From the DB2
Command Line Processor (CLP) enter the command:
GET DBM CFG
8. If your DB2 configuration has a SYSCTRL_GROUP, you can omit this step. If you do not have a
group with SYSCTRL_GROUP access, create a group named DB2DOM. You will be designating
DB2DOM as a DB2 SYSCTRL_GROUP later during this procedure.
9. Add the Domino user account to the DB2DOM group or to whatever group you have designated as
a SYSCTRL_GROUP.
10. From the AIX OS or from the AIX administrator tool, create these three user accounts and then add
the user to the corresponding group you created in Step 6.
v DB2 instance owner -- When you create this account, it is automatically created in the home
directory.
v Fenced -- DB2 Fenced User runs user-defined functions (DB2 Access) and stores procedures
outside of the address space used by the DB2 database.
v DAS account -- DAS account runs the DB2 server on your system.
11. You now have the following users and groups set up:
13. Restart the Domino server and the Domino Administrator client.
14. On the DB2 server, log in using the instance owner user account name and password.
15. If your DB2 configuration has a SYSCTRL_GROUP, you can omit this step. If your DB2 configuration
does not have a SYSCTRL_GROUP, set up DB2DOM as the SYSCTRL_GROUP in DB2 by entering
this command from the DB2 CLP:
Update dbm cfg using SYSCTRL_GROUP DB2DOM
16. Update the DB2 configuration by entering these commands from the CLP window:
DB2STOP
DB2START
17. From the Domino Administrator, run the DB2 Server Enablement Tool to enable the Domino server
to communicate with DB2.
18. Complete the AIX post-installation procedure.
Installing and setting up Domino and DB2 and the DB2 Access server
on Microsoft Windows - Remote configuration
To enable Domino 7 with DB2, use the ″DB2 key″ that allows access to Domino 7 with DB2. For Microsoft
Windows platforms, use NDB2KEY.DLL. Add the DB2 key to the default Domino Program directory,
C:\Program Files\Lotus\Domino. For more information about the DB2 key, contact your IBM
representative.
Complete this procedure to set up a new Domino and DB2 environment on Microsoft Windows. This is
not a procedure for upgrading an existing Domino and DB2 configuration.
Procedure
1. Install and set up the Domino server and the Domino Administrator. For instructions, see Chapters 1
- 3 of Administering the Domino System, or see the Domino Administrator 7 Help.
2. When you start the Domino server, you are prompted to specify whether to run Domino as an
application or a Windows service. Choose application.
3. Create an installation user account.
4. Install the DB2 server on Microsoft Windows.
5. Create the DB2 administrator account.
6. On the Domino server, permanently enable transaction logging.
Note: To use a DB2 enabled Notes database, transaction logging must be turned on in Domino.
Linear, circular or archival transaction logging may be used. DB2 enabled Notes databases do not
work if transaction logging is not enabled.
7. Install the DB2 Run-Time Client on the same system as the Domino server.
8. Create a server ID for the DB2 Access server.
9. Install the DB2 Access server on the server running DB2.
10. Enable the Domino server to communicate with the DB2 server available in the Domino
Administrator.
11. After Domino has created the initial DB2 database, stop the Domino server.
Complete this procedure to set up a new Domino and DB2 environment on IBM AIX. This is not a
procedure for upgrading an existing Domino and DB2 configuration.
When you create file systems on IBM AIX, enable the large file option. For more information, see the
subtopic ″Enabling large files″ in the topic ″AIX operating system tuning″ in the Tivoli Software
Information Center.
Prerequisite
v The SYSADMIN_GROUP must contain the user ″root.″
v Swap space should equal or exceed physical RAM. For example, if you have 8 GB RAM, you must
have at least 8 GB of swap space.
Procedure
1. Install and set up the Domino server. For instructions, see Chapters 1 - 3 of Administering the Domino
System, or see the Domino Administrator 7 Help.
2. Start the Domino server.
3. On the Domino server, permanently enable transaction logging.
Note: To use a DB2 enabled Notes database, transaction logging must be enabled in Domino. Linear,
circular or archival transaction logging may be used. DB2 enabled Notes databases do not work if
transaction logging is not enabled.
4. Stop the Domino server.
5. Install DB2 on IBM AIX.
6. From the AIX OS or from the AIX administrator tool, create these three primary groups:
Note: In a remote configuration, the Domino user account can be the same ID as the Instance
owner’s user ID.
10. From the AIX OS or from the AIX administrator tool, create these three user accounts and then add
the user to the corresponding group you created in Step 6.
v DB2 instance owner -- When you create this account, it is automatically created in the home
directory.
v Fenced -- DB2 Fenced User runs user-defined functions (DB2 Access) and stores procedures
outside of the address space used by the DB2 database.
v DAS account -- DAS account runs the DB2 server on your system.
11. You now have the following users and groups set up:
12. From the AIX OS or from the AIX administrator tool, assign secondary groups to the users you
created as follows:
13. Install the DB2 Run-Time Client on the same system as the Domino server.
14. Restart the Domino server and the Domino Administrator client.
15. On the DB2 server, log in using the instance owner user account name and password.
16. If your DB2 configuration has a SYSCTRL_GROUP, you can omit this step. If your DB2 configuration
does not already have a SYSCTRL_GROUP, set up DB2DOM as the SYSCTRL_GROUP in DB2 by
entering this command from the DB2 CLP:
Update dbm cfg using SYSCTRL_GROUP DB2DOM
17. Update the DB2 configuration by entering these commands from the CLP window:
DB2STOP
DB2START
Installing and setting up Domino and DB2 and the DB2 Access server
on IBM AIX -- Remote configuration
To enable Domino 7 with DB2, use the ″DB2 key″ that allows access to Domino 7 with DB2. For IBM AIX
platforms, use libdb2key_r.a. Add the DB2 key to the default Domino Program directory, /opt/lotus/ibm.
For more information about the DB2 key, contact your IBM representative.
Complete this procedure to set up a new Domino and DB2 environment on IBM AIX. This is not a
procedure for upgrading an existing Domino and DB2 configuration.
On IBM AIX, the Domino server’s installation process checks for the proper configuration of the Input
Output Completion Protocol (IOCP). IOCP must be installed on AIX systems on which the DB2 Access
server is installed. If Domino has not been installed on the computer where the DB2 Access server is to
be installed, you must manually verify that IOCP is installed and enabled prior to installing the DB2
Access server.
When you create file systems on IBM AIX, enable the large file option. For more information, see the
subtopic ″Enabling large files″ in the topic ″AIX operating system tuning″ in the Tivoli Software
Information Center.
Prerequisite
v The SYSADMIN_GROUP must contain the user ″root.″
v Swap space should equal or exceed physical RAM. For example, if you have 8 GB RAM, you must
have at least 8 GB of swap space.
Procedure
1. Install and set up the Domino server. For instructions, see Chapters 1 - 3 of Administering the Domino
System, or see the Domino Administrator 7 Help.
2. Start the Domino server.
3. On the Domino server, permanently enable transaction logging.
Note: To use a DB2 enabled Notes database, transaction logging must be enabled in Domino. Linear,
circular or archival transaction logging may be used. DB2 enabled Notes databases do not work if
transaction logging is not enabled.
4. Stop the Domino server.
5. Install DB2 on IBM AIX.
6. From the AIX OS or from the AIX administrator tool, create these three primary groups:
Note: You are creating a group for each of the three users listed in Step 10.
v DAS user group. For example, use group name db2asgrp.
v Fenced user group for the user who owns the DB2 Access server. For example, use the group
name db2fadm1.
v Instance owner account group. For example, use the group name db2iadm1.
7. Determine whether your DB2 configuration already has a SYSCTRL_GROUP. From the DB2
Command Line Processor (CLP) enter the command:
GET DBM CFG
Note: In a remote configuration, the Domino user account can be the same ID as the Instance
owner’s user ID.
10. From the AIX OS or from the AIX administrator tool, create these three user accounts and then add
the user to the corresponding group you created in Step 6.
v DB2 instance owner -- When you create this account, it is automatically created in the home
directory.
v Fenced -- DB2 Fenced User runs user-defined functions (DB2 Access server) and stores procedures
outside of the address space used by the DB2 database.
v DAS account -- DAS account runs the DB2 server on your system.
11. You now have the following users and groups set up:
12. From the AIX OS or from the AIX administrator tool, assign secondary groups to the users you
created as follows:
13. Install the DB2 Run-Time Client on the same system as the Domino server.
14. Restart the Domino server and the Domino Administrator client.
15. Install IOCP on the same server on which you will install the DB2 Access server.
16. Create a server ID for the DB2 Access server
17. Install the DB2 Access server on the server running DB2.
18. On the DB2 server, log in using the Instance owner user account name and password.
19. If your DB2 configuration has a SYSCTRL_GROUP, you can omit this step. If your DB2 configuration
does not have a SYSCTRL_GROUP, set up DB2DOM as the SYSCTRL_GROUP in DB2 by entering
this command from the DB2 CLP:
Update dbm cfg using SYSCTRL_GROUP DB2DOM
20. Update the DB2 configuration by entering these commands from the CLP window:
DB2STOP
DB2START
21. From the Domino Administrator, run the DB2 Server Enablement Tool to enable the Domino server
to communicate with DB2.
22. Complete the AIX post-installation procedure.
Before you run the DB2 Setup wizard, set up one user account at the operating system level that you will
use to install DB2. This DB2 installation user account must have Administrator rights and must adhere to
the DB2 naming rules.
For information about the DB2 installation account, see Creating the DB2 installation account.
Transaction Logging
As previously mentioned, transaction logging must be enabled on the Domino server before you install
DB2. Ensure that you have enabled transaction logging. On the Server document on which you enable
transaction logging, set the Log file size to at least 192 MB.
Installing and setting up Domino and DB2 and the DB2 Access server
on IBM AIX -- Local configuration
To enable Domino 7 with DB2, use the ″DB2 key″ that allows access to Domino 7 with DB2. For IBM AIX
platforms, use libdb2key_r.a. Add the DB2 key to the default Domino Program directory, /opt/lotus/ibm.
For more information about the DB2 key, contact your IBM representative.
Complete this procedure to set up a new Domino and DB2 environment on IBM AIX. This is not a
procedure for upgrading an existing Domino and DB2 configuration.
On IBM AIX, the Domino server’s installation process checks for the proper configuration of the Input
Output Completion Protocol (IOCP). IOCP must be installed on AIX systems on which the DB2 Access
server is installed. If Domino has not been installed on the computer where the DB2 Access server is to
be installed, you must manually verify that IOCP is installed and enabled prior to installing the DB2
Access server.
Prerequisite
v The SYSADMIN_GROUP must contain the user ″root.″
v Swap space should equal or exceed physical RAM. For example, if you have 8 GB RAM, you must
have at least 8 GB of swap space.
Procedure
1. Install and set up the Domino server. For instructions, see Chapters 1 - 3 of Administering the Domino
System, or see the Domino Administrator 7 Help.
2. Start the Domino server.
3. On the Domino server, permanently enable transaction logging.
Note: To use a DB2 enabled Notes database, transaction logging must be turned on in Domino.
Linear, circular or archival transaction logging may be used. DB2 enabled Notes databases do not
work if transaction logging is not enabled.
4. Stop the Domino server.
5. Install DB2 on IBM AIX.
6. From the AIX OS or from the AIX administrator tool, create these three primary groups:
Note: You are creating a group for each of the three users listed in Step 10.
v DAS user group. For example, use group name db2asgrp.
v Fenced user group for the user who owns the DB2 Access server. For example, use the group
name db2fadm1.
v Instance owner account group. For example, use the group name db2iadm1.
7. Determine whether your DB2 configuration already has a SYSCTRL_GROUP. From the DB2
Command Line Processor (CLP) enter the command:
GET DBM CFG
8. If your DB2 configuration has a SYSCTRL_GROUP, you can omit this step. If you do not already
have a group with SYSCTRL_GROUP access, create a group named DB2DOM. You will be
designating DB2DOM as a DB2 SYSCTRL_GROUP later during this procedure.
9. Add the Domino user account to the DB2DOM group or to whatever group you have designated as
a SYSCTRL_GROUP.
10. From the AIX OS or from the AIX administrator tool, create these three user accounts and then add
the user to the corresponding group you created in Step 6.
v DB2 instance owner -- When you create this account, it is automatically created in the home
directory.
v Fenced -- DB2 Fenced User runs user-defined functions (DB2 Access) and stores procedures
outside of the address space used by the DB2 database.
v DAS account -- DAS account runs the DB2 server on your system.
11. You now have the following users and groups set up:
13. Log on as Domino server administrator, in the UNIX shell used to start the Domino server, set the
DB2INSTANCE parameter as shown in these examples below for ksh and csh.
ksh csh
export DB2INSTANCE=<db2instancename> setting DB2INSTANCE <db2instancename>
14. Restart the Domino server and the Domino Administrator client.
15. Create a server ID for the DB2 Access server .
16. Install the DB2 Access server on the server running DB2.
17. On the DB2 server, log in using the instance owner user account name and password.
18. If your DB2 configuration has a SYSCTRL_GROUP, you can omit this step. If your DB2 configuration
does not have a SYSCTRL_GROUP, set up DB2DOM as the SYSCTRL_GROUP in DB2 by entering
this command from the DB2 CLP:
Update dbm cfg using SYSCTRL_GROUP DB2DOM
19. Update the DB2 configuration by entering these commands from the CLP window:
DB2STOP
DB2START
20. From the Domino Administrator, run the DB2 Server Enablement Tool to enable the Domino server
to communicate with DB2.
21. Complete the AIX post-installation procedure.
Resetting the environment variable using the command line window ksh
1. On the Domino server, log in as the Domino user who will start the Domino server, and then type
this command to identify the DB2 instance you are using:
export DB2INSTANCE=db2instancename
2. Log in as the Domino user, and then change to the data directory. Start the Domino server by typing:
server
At server startup, this message displays indicating that a number of connections are pre-allocated. The
lowest possible number of connections is four, but the value may be greater depending on what is
necessary.
DB2 Connection pre-allocation complete, Available Count =<number>
3. Logged in as the Domino user, stop the Domino server by entering this command from the Domino
server console:
exit
4. As the instance owner, stop and restart the DB2 instance, by entering these commands:
db2stop
db2start
5. Logged in as the Domino user, start the Domino server.
Resetting the environment variable using the command line window csh
1. On the Domino server, log in as the Domino user who will start the Domino server, and then type
this command to identify the DB2 instance you are using:
setenv DB2INSTANCE=db2instancename
2. Log in as the Domino user, and then change to the data directory. Start the Domino server by typing:
server
At server startup, this message displays indicating that a number of connections are pre-allocated. The
lowest possible number of connections is four, but the value may be greater depending on what is
necessary.
DB2 Connection pre-allocation complete, Available Count =<number>
3. Logged in as the Domino user, stop the Domino server by entering this command from the Domino
server console:
exit
4. As the instance owner, stop and restart the DB2 instance, by entering these commands:
db2stop
db2start
Before installing a DB2 Access server on the DB2 server, you need a server ID saved to a file. Use this
server ID when you install the DB2 Access server. When you are registering a new server, be sure to
select the DB2 Server access check box to create a server ID specifically for the DB2 Access server. When
you use the DB2 Access Server option, the server ID is automatically saved to a file. When you create the
server ID, do not assign a password to the ID. Be sure to make note of the server ID path and file name,
because you are required to enter this information when installing the DB2 Access server.
1. From the Domino Administrator, click the Configuration tab.
2. From the Tools pane, click Registration - Server.
3. From the Domino Administrator, do one of the following:
a. To use the CA process, click Server, and then select a server that has the Domino Directory that
contains the Certificate Authority records and the copy of the Administration Requests database
(ADMIN4.NSF) that will be updated with the request for the new certificate. Then click ″Use the
CA Process,″ select a CA-configured certifier from the list, and click OK.
b. To provide the certifier ID, select the registration server. Then click ″Certifier ID″ and locate the
certifier ID file. Click OK, enter the password for the certifier ID, and click OK.
4. In the Register Servers dialog box, complete these fields and then click Continue:
Field Action
Registration Server Click Registration to specify the registration server, and then click OK.
Certifier If the certifier ID displayed is NOT the one you want to use for all servers registered in
this session, or if you want to use the Domino server-based CA instead of a certifier ID,
click Certifier and return to Step 4.
Certificate Authority Not applicable for DB2 Access server.
Public key specification Choose one:
v Compatible with all releases (630 bits)
v Compatible with Release 6 and later (1024 bits)
License type Choose North American (default) or International. In practice, there is no difference
between a North American and an International ID type.
Expiration date (Optional) Enter a date in mm-dd-yyyy format in the Certificate Expiration Date box. The
default expiration date is 100 years after the current date, minus allowances for leap
years.
Certificate Authority Accept the default of None Available.
5. On the Basics tab of the Register New Server(s) dialog box, complete these fields:
Field Action
Server name Enter the name of the new server.
Server title Enter the server title. The Configuration tab in the All Server Documents view and the
Server Title field of the Server document display this title.
Domino domain name The default domain name is usually the same as the name of the organization certifier
ID.
6. Click Advanced, and select the check box for ″This server is a DB2 Access server only.″
7. Click the green check box to add the server to the registration queue.
Note: The server registration queue displays the names of the servers that are ready to be registered.
To display the settings for a specific server, select the server’s name.
8. Click Register All.
Install the DB2 Access server on the DB2 server that hosts Notes data. This can be the same computer on
which Domino is installed for a local configuration, or it may be a different computer in a remote
configuration. The DB2 Access server enforces Domino database security, such as ACLs and reader lists,
for DB2-enabled data. If the DB2 Access server is not installed properly, the DB2 Designer functions will
not be available and you will not be able to access DB2 data.
Install and enable the DB2 Access server to allow DB2 to access Domino data. The DB2 Access server
requires a server ID. Copy the server ID file that you are using for the DB2 Access server to the server on
which you are installing the DB2 Access server. If you have not completed the procedure ″Creating a
server ID for the DB2 Access server,″ do so before installing the DB2 Access server on the DB2 server.
Note: The DB2 Access server cannot cross-certify Domino servers from domains other than its own
domain.
When you install the DB2 Access server, a DB2 Access Server Connection document is created when the
Domino server is started. This DB2 Access Server Connection document connects the DB2 Access server
and a Domino server that you designate using the Domino Administrator. The DB2 Access Server
Connection document contains a configuration-only Domino Directory.
We recommend that you perform the DB2 Access server installation prior to running the DB2 Server
Enablement Tool from the Domino Administrator. If you perform the DB2 Access server installation after
running the DB2 Server Enablement Tool, you must complete Steps 3a and 3b of the procedure Installing
and setting up Domino and DB2 and the DB2 Access server on Microsoft Windows - Local configuration.
After you install the DB2 Access server, Domino changes the name of the server ID file to USER.ID and
stores the file in the data directory for the DB2 Access server.
Note: If your configuration includes the DB2 Access Server, TCPIP is the only supported port setting.
Any other configured port settings are disabled.
Prerequisites
1. Gather the following information before running the setup program. While the InstallShield Wizard is
running, you will be prompted to enter:
v The name of the DB2 Access Domino server ID file and the location where the server ID file is
stored. Enter the complete server ID path with filename.
v The location where the local DB2 server is installed. The subdirectory is always SQLLIB, but you
need the complete path.
v For AIX configurations, you must be logged on as the root user to perform the installation. The root
user must be a member of the group SYSADMIN_GROUP.
v For AIX configuration, you need to know the DB2 Instance name.
v For AIX configurations, you need a temporary directory of approximately 150 megabytes.
2. Before beginning the installation process, you must have already created (registered) a new server and
retained the server ID.
Procedure
1. Run the Domino DB2 Access setup file. The InstallShield Wizard for IBM DB2 Access for Lotus
Domino runs.
2. If you are using Microsoft Windows, skip this step. On AIX only, review the log file,
DB2SETSTDOUT.LOG, to determine whether the install was successful. The log file is in the directory
that contains the DB2 Access server files. For example, in AIX the log file is in this directory:
/local/domudf/db2setstdout.log.
3. When the InstallShield Wizard completes the installation, do one of these:
v If you installed the DB2 Access server prior to running the DB2 Server Enablement tool, you are
done installing the DB2 Access server. You may now proceed to run the DB2 Server Enablement
Tool. OR
v If you installed the DB2 Access server after running the DB2 Server Enablement tool, complete
Steps a and b.
a. Ensure that the DB2 tab on the Server document contains the correct information in these fields,
and then add or modify information in those fields as necessary:
v DB2 Access server name -- Fully-qualified user name of the USER.ID file that the DB2 Access
server is using. For example, DB2AccServ/DomainName
v DB2 Access path -- On AIX configuration, the directory containing libdomudf. On Microsoft
Windows configurations, this entry is not used.
b. From the Domino server console, enter
DB2 ACCESS SET
User-defined functions are created in the DB2 database and a DB2 Access Server Connection
document is created.
4. From the Domino server console, enter this command to review the DB2 install information:
db2 info
For information about the information that is returned by the DB2 INFO command, see the topic DB2
INFO.
When you have completed the Domino server enablement procedures, proceed to Mapping the DB2 ID to
the Domino server’s Domino Directory.
This section of the documentation also includes these topics that are related to server enablement:
v NOTES.INI variables set by the DB2 Server Enablement Tool
v Configuration variables modified during DB2 server enablement
The DB2 Server Enablement Tool is the recommended method of enabling Domino access to a DB2
server. The DB2 Server Enablement Tool does the following:
v Checks for a valid DB2 library path and does one of these:
– On Microsoft Windows -- If a valid DB2 library path is located, the Enable Server for DB2 Based
Data dialog box displays with the focus in the field, DB2 Library Path. If a valid DB2 library path is
not located, Domino posts a message stating you must install DB2 prior to enabling the Domino
server.
– On IBM AIX -- A dialog box displays in which you can enter the default DB2 install path. If you
have not installed DB2, you must do so before proceeding.
v Inserts the DB2 user name and password in the Domino server ID.
v Checks the accuracy of the DB2 information that you entered. (If any DB2 information is incorrect, the
Enable Server for DB2-Based Data dialog box displays with the focus in the field containing the
incorrect information.) If the DB2 information is accurate, Domino does the following:
– Writes the configuration information to the NOTES.INI file.
– Populates the fields on the DB2 tab of the Server document on the administration server and
replicates the Server document back to the originating server. To allow the Server document to be
updated, the administration process must by running on all of your servers and a replication
schedule must be enabled between the administration server and the server you are enabling.
The administration process posts an administration request in the local copy of the Administration
Requests database (ADMIN4.NSF). The replicator then replicates ADMIN4.NSF to the administration
server. The administration process on the administration server processes the administration request and
updates the Server document with the new information. The replicator then replicates the changes to the
Server document on the originating server.
The Domino server user name and password are stored in the Domino server’s ID file. The Domino
server user account enables Domino to access a DB2 server. Create one Domino server user account for
each Domino server.
After creating the Domino server user account, create a Domino server user group named DB2DOM and
add the Domino server user to that group. You must then manually define DB2DOM as a system control
group in DB2. The system control group parameter assigns system control (SYSCTRL) authority to the
group name. The Domino server user account is a member of the DB2DOM group that has SYSCTRL
authority; and as such, the Domino server user account has the right to allow Domino to access the DB2
server. The Domino server user has complete authorization over the DB2 database and its contents. This
server user acts on behalf of all Notes users.
Note: If you have a Windows user account that you want to use as the Domino server user, begin this
process with Step 3 of the procedure in the topic Manually creating the Domino server user account and
the DB2DOM group.
During the DB2 server enablement process, the DB2 database is created. Domino uses the administration
process to create that database, and the administration process requires that the administration server is
running. After the database is created, the default schemas, domino.catalog, and other objects are created.
Several NOTES.INI variables are automatically set by the DB2 Server Enablement Tool, using information
that you provide.
CAUTION:
The DB2 database name that you enter in this procedure is automatically stored in the NOTES.INI
variable DB2DATABASE. If you later delete or modify this value, Domino’s DB2 capabilities are
effectively disabled. The name stored in DB2DATABASE is used as the basis for the names of the
database, buffer pool, tablespaces, and schema.
In this procedure, all of the steps apply to all supported platforms unless there is a notation at the
beginning of the step that indicates it is for IBM AIX only or Microsoft Windows only. If a step does not
apply to your configuration, just omit that step and proceed to the next step.
Prerequisites
1. From the Domino Administrator, point to the server you are enabling.
2. Have this information available before you begin the procedure:
v The name of the DB2 instance that you created when you installed DB2. If you are using Microsoft
Windows, the default instance name is DB2; on AIX, it is whatever you named it.
v The Domino server account name and password. This is a user name created at the OS level that
will be used by the Domino server to access the DB2 server. This user account must have at least
SYSCTRL_GROUP access in DB2 or it must be a member of the group, DB2DOM.
v The server ID that you created for the DB2 Access server.
Procedure
1. From the Domino Administrator, click Configuration.
2. Click DB2 Server -- Enable Server for DB2.
Note: If the feature Enable Server for DB2 is not active, the Domino server is already enabled for
DB2, or you are using a pre-Domino 7 version of the Lotus Domino and Notes software, or you are
using a platform other than Microsoft Windows or IBM AIX.
3. Complete the fields on the DB2 Server tab and DB2 Access tab as follows:
Field Action
DB2 and Domino are on different systems or DB2 is If any of these conditions are true, click this check box:
64-bit on AIX server v DB2 and Domino are installed on different computers.
v 64-bit DB2 instance is used on the DB2 AIX server.
v You are using the DB2 Run-Time Client on the
Domino server.
DB2 Instance Name Enter the DB2 instance name that you created when you
installed the DB2 server.
Note: This field only applies to local configurations
using a 32-bit DB2 instance.
DB2 Datastore Directory (Optional) Enter the full path and name of the directory
where the DB2 enabled Notes databases will be stored
on the DB2 server. For example,
v In Microsoft Windows, a sample path is:
c:\db2db\srvr\
v In IBM AIX, a sample path is:
/local1/db2inst1/db2dir/
Field Action
OS account name to be used by Domino to access DB2 This user name is an operating system user account name
that Domino uses to access the DB2 server. This is a
Microsoft Windows or IBM AIX account. If you are using
IBM AIX, you can only enter an existing user account
name; you cannot create one from this dialog box.
Do one:
v Enter a new name to create the new user account. This
option applies only to Microsoft Windows.
v Enter an existing user account name if you have created
one that you want to use. It must be an OS user
account name.
DB2 Password Enter the password for the new or existing user account
name that you entered in the field ″OS account name to
be used by Domino to access DB2.″ that The Domino
server uses this password to access the DB2 server.
Verify DB2 password Reenter the password.
DB2 Access server name Enter the name of the DB2 Access server that you
registered using the Domino Administrator and that you
used for the DB2 Access server install. This server name is
used for DB2 Access Views. Domino adds the DB2 Access
name to the field, Trusted Servers, in the Server Access
section of the Security tab on the Server document for the
Domino server.
4. Click Enable.
5. One of these occurs, according to platform:
v Microsoft Windows -- A status box displays. If there are no errors, click OK. Click Store or Continue
according to whether you want to stop the server-enablement process or continue the process.
v IBM AIX -- A series of messages appears. Review the messages, and then click Stop or Continue
according to what you want to do.
6. If you installed the DB2 Access server prior to running the DB2 Server Enablement tool, enter this
command from the Domino server console:
You can open the NOTES.INI file to view the settings established when you enabled a Domino server to
communicate with a DB2 server.
For information about the updates to the Server document, see the topic Setting and modifying DB2
values in the Server document.
When you enable a Domino server to communicate with an existing DB2 database, Domino modifies the
following DB2 database management configuration parameters:
Manually creating the Domino server user account and the DB2DOM group
1. Using the DB2 naming conventions to create a Microsoft Windows user account.
2. Specify a password for the new user account, and then click Create to save the user name and
password. Exit that dialog box.
3. Create a new Windows group and name it DB2DOM.
4. Add the new user to the DB2DOM group. When you click Create, the DB2DOM group is added to
the group list.
Note: If you already have a SYSCTRL group that you want to use, you can add the Domino server user
to the existing group instead of creating a new group.
1. From the Windows desktop, choose Start - Programs - IBM DB2 - Command Line Tools - Command
Line Processor.
2. From the command line processor (CLP), enter this command to define DB2DOM as a system control
group:
Update dbm cfg using SYSCTRL_GROUP DB2DOM
This message appears: ″Completed Successfully.″
3. From the CLP, enter this command to stop the DB2 server:
db2stop
4. From the CLP, enter this command to restart the DB2 server:
db2start
5. Enter this command to exit the CLP:
Quit
6. Enter this command to close the command window:
Exit
Users must have a DB2 identity to access DB2 databases from the DB2 server. This DB2 user name (an
OS user name) must be mapped to a Notes user name. After the DB2 user name is mapped to a Notes
user name, the user’s Domino privileges are enforced, that is, the ACLs assigned to the NSF apply. If the
user’s DB2 user name is not mapped to the Domino server’s Domino Directory, the user is assigned
″Anonymous″ access to the DAV. They are then only able to view information that the Domino NSF’s
ACL allows. Although the user connects directly to DB2, access to Domino data is still managed by
Domino (in addition to DB2 GRANT privilege control). DB2 user names are used to access DB2 data.
Although a DAV makes Notes data available in DB2, Domino still enforces security on this data. To
access Notes data using SQL (for example, CLP, ODBC, and Notes Query Views), a user must have both
a DB2 user identity and a Lotus Notes identity, and the DB2 user name must be mapped to the Lotus
Notes user name in the Domino Directory of the Domino server that ″owns″ the DB2 enabled Notes
database.
The DB2 to Notes user mapping must be unique. If you map more that one Notes user to a single DB2
user name, an error is generated when you try to access the DAV using either a query view or SQL.
Use ″Set DB2 user name″ from the Tools panel in the Domino Administrator to map a DB2 (OS) user
name and a Notes user name. For instructions on using Set DB2 user name, see the topic ″Mapping DB2
user names to Notes user names.
When a DB2 user attempts to access data in a DAV, the DB2 Access server verifies with the Domino
server that the DB2 user is a known Notes user and that the Notes user has access to the NSF on which
the DAV is based. For SQL access, the DB2 user is mapped to a Notes user to check Notes ACL
privileges. It is the mapping of the DB2 user name and Notes user name that verifies that the DB2 user is
a known Notes user.
When a Notes application uses an SQL Query View to access Notes and non-Notes data stored in DB2, to
make the connection to DB2 it uses the DB2 user name that is mapped to the Notes ID of the Notes user
executing the query. In this case, the Notes user is mapped to a DB2 user to verify that the user has the
necessary GRANTS in DB2 to see the data.
If a user is only cross certified to access a DB2-enabled Domino server and that user does not have a
Person document in that server’s Domino Directory, you can use the Set DB2 User Name tool in the
Domino Administrator to set the DB2 Account name for that user.
When this NOTES.INI setting is enabled, anonymous access to Notes is used whenever a DB2 user name
is not mapped to a Notes user name.
Note: Anonymous access allows you to use SQL to access Notes data without mapping users; however;
DB2 Access Views provide Notes access to DB2 data and always require a valid mapping. You cannot use
anonymous access in a Query View.
Field Action
Use name from network account name field, if available Click this check box if there is an existing network
account name in the Person document and you want to
use that name.
Enter the user’s discrete name, that is, a name you enter
individually -- not a name generated by specifying a
pattern.
Make resulting name uppercase Choose this option if you want to display the DB2 user
name in uppercase characters.
For example, you can create a formula for the custom pattern of LastName followed by the underscore
character followed by the OrganizationName:
L_O
DB2 groups
Domino uses a concept called groups to manage storage in DB2. Grouping allows multiple DB2 enabled
Notes databases to share a single schema, tablespace, and table set.
When you create a DB2 enabled Notes database, it is automatically assigned to the next available DB2
group. In most cases, Domino’s management of groups is sufficient and you will not need to manage
groups in any way. But there are some circumstances in which you may want or need to manage groups.
v As used by Domino, DB2 tablespaces are limited to a maximum size of 256 GB. The default is to store
ten DB2 enabled Notes databases per group; therefore, this creates a maximum DB2 enabled Notes
database size of 25.6 GB. You may want to isolate large databases in their own groups to avoid this
limit.
v In DB2, the tablespace is the smallest unit of backup and restore; therefore, you may want to store DB2
enabled Notes databases with the same backup policy in the same group.
v Grouping similar DB2 enabled Notes databases in one group enables you to better reuse the existing
DB2 indices which can impact the length of time needed to reorganize the tablespace using Compact.
By default, ten DB2 enabled Notes databases can be associated with a DB2 group, but you can use the
″Maximum number of NSFs in group″ field on the DB2 tab of the Server document to change that value.
The maximum number of DB2 enabled Notes databases is set to ten by default, in the Maximum number
of NSFs in Group field on the DB2 tab of the Server document. This value is set to ten for performance
purposes. If you change the entry to a value greater than ten, the next time a database is created, the DB2
groups will backfill until the new maximum number of DB2 enabled Notes databases per group is
reached. For example, the next DB2 enabled Notes database will be associated with GRP1 unless it is
explicitly locked. You cannot reset the maximum number of databases allowed in a DB2 group that is
locked.
The DB2 Group administration tools are enabled for DB2-enabled Domino servers only.
You can also view and sort DB2 enabled Notes databases and DB2 group information.
Note: The Group Administration user interface is not available from the Domino Web Administrator
client.
You must have Administrator rights to move a DB2 enabled Notes database to another DB2 group.
1. From the Domino Administrator, click the Files tab.
2. In the left panel, choose DB2 Group Name.
3. Select the database that you want to move.
4. Choose Tools - DB2 Groups - Move to Group.
5. Do one of these:
v To move a database to an existing DB2 group, type the DB2 group name, and then click Move.
v To move a database to a new DB2 group, click the check box ″Move databasename to new group,″
and then click Move. The new group name displays in the left panel.
Note: If you attempt to move a database and all DB2 groups are full or locked, the check box ″Move
databasename″ is selected by default and the Group Name field is not active. Click Move and a new DB2
group is created for you. The selected database is then moved to the new DB2 group. The new DB2
group is automatically added to the class named DEFAULT.
6. Press F9 to display the results of the move.
Complete the prerequisites, and then complete one of the procedures according to whether or not you
have created a DB2 database and whether it contains one or more DB2 enabled Notes databases.
If you or any users are using Domino 7 beta release 1, 2 or 3 and you do not have UTF-8 encoding,
complete all of the steps in this procedure. If you are using a post beta 3 version of Domino and DB2, or
if you are sure that you are using UTF-8 encoding, omit Step 3.
1. Stop the Domino server if it is running.
2. Upgrade to Domino 7 and DB2.
3. To create a new DB2 database with the same name as the DB2 database used in the beta release,
ensure that the NOTES.INI entry, DB2INIT=, is set to DB2INIT=CREATE in the server’s NOTES.INI
file.
4. Start the Domino server. Your upgrade process is complete.
Complete this procedure to upgrade a beta release of Domino and DB2 to Domino 7 and DB2.
Note: It is imperative that when you upgrade to Domino 7, you also upgrade the DB2 Access server. The
DB2 Access server upgrade should be done at the same time as the update to the Domino server(s)
supported by those DB2 Access servers.
Note: The command, DB2 Stop, is not available for post beta 3 releases of Domino and DB2.
4. Shut down the Domino server, and then verify that all server tasks have completed.
5. Drop the existing DB2 database by entering this command from the DB2 CLP:
drop database <DBname>
6. Upgrade your DB2 server to DB2 8.2.2 version by installing the newer DB2 release over your older,
existing version.
7. Install the new Domino server and Domino Administrator over your existing beta install.
Note: You cannot revert to a Version 7, 32-bit instance after you have migrated to a Version 8, 64-bit
instance.
Prerequisites
1. Complete these tasks before installing DB2 8.2.2:
v Read the Known Problems and Workaround section of the Readme file.
v Ensure that all DB2 processes are stopped.
2. To switch to the root authority, type this command:
su - root
Procedures
1. For each DB2 instance, type these commands:
Note: If you are using hacmp, use the ha_db2stop command instead of db2stop, because db2stop will
trigger a failure event.
su - instancename # instancename represents the name of the instance you created
. $HOME/sqllib/db2profile
db2 force applications all
db2 terminate
db2stop
db2licd -end # run at each physical node
Exit
2. Type these commands:
su - dasownername
. $HOME/das/dasprofile
db2admin stop
Exit
3. Run slibclean to unload unused shared libraries from memory:
/usr/sbin/slibclean
4. Stop all instances, including the Fault Monitor, that are using DB2 version 8.
5. Locate the file fixpak ###.tar.Z. (Where ### refers to the number for DB2 8.2.2, FixPak 9)
6. Uncompress fixpak. ###.tar.Z, and then tar -xvf .fixpak ###tar.
7. Change directory to fixpak ### .
8. Log in as root, and then run installFixPak.
9. Log in as root, and then type this command to update all instances:
INSTHOME/instance/db2iupdt iname
v Where INSTHOME is the installation directory appropriate to your operating system
v Where INAME represents the instance name
Note: If the database administrator server instance exists and is a DB2 8 DAS instance, run this
command to update the DAS instance:
INSTHOME/instance/dasupdt dasname
v Where DASNAME is the DAS owner name
v Where INSTHOME is the installation directory
1010. 10. For each instance, log in as the instance owner and then enter the db2start command to restart each
instance.
Use the NOTES.INI setting, NSF_BUFFER_POOL_SIZE_MB= to adjust buffer pool size. For example,
NSF_BUFFER_POOL_SIZE_MB=128
When using a DB2-enabled Domino server, most data is in DB2; therefore, less memory is required for
Domino’s buffer pool and more memory is required for DB2’s several buffer pools.
Adjust buffer pool size according to the amount of memory on your computer.
v The minimum amount of memory is 512KB -- nothing smaller. A machine with less than 1GB memory
may not work well.
v Reduce buffer pool settings by half for large buffer pools, but leave small buffer pool settings as they
are.
v Double the size of the large buffer pools if you have 2GB - 4GB memory.
If you are using the algorithm for R5, and Domino 7 and DB2 reside on the same computer, set
NSF_BUFFER_POOL_SIZE_MB to a value less than the value suggested by the R5 algorithm. For
example, if the algorithm suggests 200MB, try using 128MB. The exact adjustment depends on the exact
mix of NSF and DB2 enabled Notes databases. If you use very few NSFs, try further reducing the buffer
pool.
When a process starts using XA with DB2, all subsequent new connections are usually created using the
assumption that the new connections will be participating in XA operations unless the
SQL_ATTR_HANDLE_XA_ASSOCIATED connection attribute is explicitly set to FALSE to opt-out of XA.
Setting the attribute SQL_ATTR_HANDLE_XA_ASSOCIATED to FALSE breaks any legacy DB2 calls that
the process makes that did not know about XA, such as DECS and other Domino add-ins that access
DB2.
SQLSetConnectAttr(hdbc, SQL_ATTR_HANDLE_XA_ASSOCIATED,
(SQLPOINTER*)SQL_CONNECT_WITH_XA_ON, SQL_IS_INTEGER);
When you create a DB2 enabled Notes database from an NSF database, the DB2 enabled Notes database
can require twice as much disk space as the NSF required. With ongoing use, the DB2 enabled Notes
database version can grow much larger. Allot twice as much space for the DB2 enabled Notes database as
you allotted for the NSF.
As databases are maintained, that is, documents are added and deleted, views are built, and DAVs are
created, allow an additional two times as much space for DB2 enabled Notes databases as allowed for
NSF databases. In total, allow four times as much space for each DB2 enabled Notes database as is
allotted for each NSF.
Examples
Example 1 -- One mail database uses 512 MB as an NSF; therefore, you need to allow 1 GB for initial
creation of the DB2 enabled Notes database. Mail files tend to be active with many inserts and deletes.
The DB2 enabled Notes database is an active database; therefore, allow 2 GB for ongoing use.
Example 2 -- A reference database uses 512 MB as an NSF; therefore, allow 1 GB when you create the
DB2 enabled Notes database.
Example 3 -- DB2 enabled Notes databases are stored in groups by default. Ten DB2 enabled Notes
databases use the same group, DB2 tablespace, and DB2 container file. Assume there are ten mail
databases, 512 MB each, and all ten are in the same DB2 group. The NSFs use 5 GB total. When you
create the DB2 enabled Notes databases from the NSFs, allow 10 GB. For ongoing use, allow 20 GB.
Note: Currently there are issues that make it very difficult to free up the unused space, so allow a lot of
space.
Field Description
DB2 User name Enter the user name for accessing the DB2 server.
DB2 password Enter the password for accessing the DB2 server.
Note: If you are modifying one of the DB2 parameters, restart the server after saving your modifications
in order to allow those modifications to take effect.
Field Description
Host Name Host name of the DB2 server. The host is the name of the
remote server on which you are storing data. Remote
configuration only.
Port Number Specify the port number used to access the DB2 server.
Remote configuration only.
Instance The DB2 instance name. The default instance is DB2.
Database Enter the DB2 database name. The default is Domino.
Directory A valid path where DB2-based NSF tablespace containers
will reside. This field defaults to the DB2 server’s default
directory set up by the DB2 administrator.
For example, from the DB2 CLP, enter a command similar to the following:
db2 update db cfg for <yourdb> using logprimary X
Where the value of <yourdb> is the value you specified for DB2Database in the Server Enablement Tool.
The default value is DOMINO.
Use this procedure to modify or delete the Domino server’s DB2 ID properties for the Domino server.
The user name and password are stored in the server’s ID file.
1. From the Domino Administrator, click Configuration - Server.
Field Action
DB2 User name Enter the user name for accessing the DB2 server.
DB2 password Enter the password for accessing the DB2 server.
5. Do one of these:
v To set or modify the DB2 user name or password for the Domino server user, click Set and then
proceed to step 6.
v To delete a DB2 user name and password for the Domino server user, click Clear and then proceed
to step 6.
6. Complete these fields and then click OK.
Field Action
Password verify Do one:
v If you are setting or modifying the DB2 password,
re-enter the new password to verify the password you
entered in the DB2 password field.
v If you are deleting a user account name, re-enter the
existing DB2 password to allow the delete to take
effect.
Update system account Select this check box to update the user name and
password stored in the system account. For this beta
release, this field only applies to systems running
Microsoft Windows.
Check the log file, LOG.NSF, for more information on any failures reported by the Validate DB2 User
Name tool.
1. From the Domino Administrator, click People and Groups.
2. In the left pane, click People. Select the person whose DB2 user name you are validating.
3. From the Tools panel, click People - Validate DB2 User Names.
4. Specify which Domino Directories you want to validate by choosing one of these:
v The currently selected Domino Directory
v All configured Domino Directories
5. Click OK.
Field Action
Source Server Non-modifiable field containing the name of the DB2
Access server.
Source Domain Non-modifiable field containing the name of the domain
in which the DB2 Access server resides.
Destination Server Non-modifiable field that displays the name of the server
to which the Domino Administrator is connected.
Destination Domain Non-modifiable field that displays the name of the
domain to which the Domino Administrator client is
connected.
Use Port(s) Non-modifiable field that is set to TCPIP.
Optional Network Address Enter the TCP network address of the server to which
the Domino Administrator client is connected.
DAVs and SQL views are set up using Domino Designer 7, but you use the Domino Administrator for
these activities regarding views:
v Using federated data with query views
v Setting the maximum number of rows in SQL queries
v Building views of large databases
v Views categorized by numeric datatypes
Procedure
1. Set the environment variable, DB2_ALLOW_SETAUTH_WITH_REMOTECONNECT=, in order for
query views to work. Use the following path and command:
C:\Program Files\IBM\SQLLIB\BIN>db2set -i DB2 DB2_ALLOW_SETAUTH_WITH_REMOTECONNECT=1
where -i is the name of your DB2 instance (typically DB2).
2. Restart DB2 to allow the environment variable to take effect.
3. Ensure that your DOMINO database has federated support enabled.
4. Create a federation wrapper in DB2 for the remote server.
5. Add a user mapping to this federation wrapper mapping the DOMINO server user to the remote
connection user name and password. From the DB2 Control Center, choose Server Definitions - DAVS
- User Mapping.
The Domino server user is the account you created for DB2 server enablement.
6. From the DB2 Control Center, create a nickname mapping a local object to the foreign object.
7. Grant privileges to the NICKNAME object as required for those mapped DB2 users to whom you
want to give access to the federated table. Complete these steps from the command prompt or from
the command center:
v Log on to your database as your Domino server user, or as another administrator.
v Use this command to grant privileges:
db2 => grant select on domino.forpeter to <user’s short name>
ALL users granted access to the federated table have equal access to it, based on the mapped credential
in the federation definition.
To set the maximum number of rows returned in SQL queries to a value other than 500, add this
NOTES.INI variable to server’s NOTES.INI file:
DB2QUERYVIEWROWLIMIT=value
Note: On DB2-enabled Domino servers, designers can set ″Maximum rows returned by an SQL query″ in
the View Properties - Option tab. If the DB2QueryViewRowLimit variable is set at the server level,
designers can still limit the number of rows to a smaller value, and the smaller value will take
precedence.
When building subsequent views of the same database, use the updall command with -R. For example,
enter the following:
Load updall <databasename> -R
For more information about the updall task, see the topic Updating database indexes and views.
When a process starts using XA with DB2, all subsequent new connections are usually created using the
assumption that the new connections will be participating in XA operations unless the
SQL_ATTR_HANDLE_XA_ASSOCIATED connection attribute is explicitly set to FALSE to opt-out of XA.
Setting the attribute SQL_ATTR_HANDLE_XA_ASSOCIATED to FALSE breaks any legacy DB2 calls that
the process makes that did not know about XA, such as DECS and other Domino add-ins that access
DB2.
SQLSetConnectAttr(hdbc, SQL_ATTR_HANDLE_XA_ASSOCIATED,
(SQLPOINTER*)SQL_CONNECT_WITH_XA_ON, SQL_IS_INTEGER);
Before you register new Lotus Notes users, you may want to specify default settings that apply to all
users you register. Default settings make user registration easy and fast and ensure that user settings are
consistent.
You can define many default settings, such as what mail server users have or what certifier ID to use for
user registration. You can also specify a default workstation execution control list (ECL) to protect data
from unauthorized workstation access.
To set up Notes users, you can register them in Notes or migrate them from an external mail system or
directory. Before you begin to add users, it is best to specify default settings that Notes applies during
registration.
To add users, you register them and use the Lotus Domino server-based certification authority which
issues the appropriate certificate or use the appropriate certifier ID and password, which generates a user
ID and certificates that allow users appropriate system access. After registering Notes users, you need to
prepare the installation files so users can install Notes on their workstations.
User registration
You need to register users before they can install Notes on their workstations. For each user, the
registration process creates:
v A Person document in the Domino Directory.
v A user ID that is stamped with appropriate certificates (does not apply to non-Notes users).
v A mail file (Optional).
Notes offers different options for registering users. For example, using Basic user registration is fast and
easy because it automatically assigns many default settings to users. If you use Advanced user
registration, you can assign more advanced settings, such as adding a user to an Active Directory group.
You can also register users by importing them from a text file or migrating them from a foreign directory.
189
If you use the Register Person dialog box to register users, you can sort, view, and modify user settings
in the view of the User Registration Queue (USERREG.NSF) that appears in the dialog box. This database
contains information on users pending registration. When you exit the Register Person dialog box, you
can save all users pending registration and register them later. When you access the dialog box again, the
User Registration Queue automatically opens to display all users pending registration.
Before you register users, review your organization’s hierarchical name scheme and decide where each
user fits into that scheme. Based on the name scheme, you know which certifier ID to use to register
users, which server to use as the registration server, and on which server to store the user’s mail files.
When you register users, you must have the appropriate access to each server that you use, and you
must know the password for each certifier ID that you use. If you intend to implement policies in your
organization, create policies and settings documents before you register users so that you can assign
policies during registration.
Note: The registration user interface automatically removes leading spaces and trailing spaces from
passwords. Passwords cannot begin or end with a space. This also applies to certifier registration and
server registration.
For more information on creating non-Notes users, see the topic ″Creating non-Notes, Internet Users″ in
this chapter.
For more information on the Domino server-based certification authority, see the chapter ″Setting Up a
Domino Server-Based Certification Authority.″
The administrator specifies Mail-E, which is located on the East Coast Acme LAN, as Alan’s mail server.
Then Alan’s mail server is on the same LAN as his workstation, so that when he receives and sends mail,
he can connect directly to the server that stores his mail file.
Robin Rutherford works in the Accounting department in Acme’s West Coast division. The administrator
uses the Accounting/West/Acme certifier ID to register Robin. Mail-W is Robin’s mail server, and her full
hierarchical name is Robin Rutherford/Accounting/West/Acme.
Note: Do note modify the ACL for USERREG.NSF using the File - Database - Access Control menu
commands. Use the User Registration Database Access button on the Advanced Person Registration
Options dialog box.
2. From the Domino Administrator, click the People & Groups tab.
3. From the Servers pane, choose the server to work from.
4. Select Domino Directories, and then click People.
5. From the Tools pane, click People - Register. Enter the password for the certifier that you are currently
using.
Note: While registering a user, you can specify whether you want to register the user with the
server-based CA, or with a certifier ID and password. This selection is made on the ID Info panel in
advanced user registration.
6. Click the Options button, and then choose any of these options:
Option Purpose
Do not continue on registration Stops registration if you have multiple users selected and the registration
errors encounters an error. The default is to continue on registration errors.
Keep successfully registered users Keeps successfully registered users in the queue. The default is to remove
in the queue successfully registered users from the queue.
Try to register queued people with Tries to register queued users, even if their registration status contains errors.
error status For example, if you choose this option, a user whose password is insufficiently
complex will be registered. The default is not to register queued users who
have error status.
7. Click OK.
Registering users
You can use any of these methods to register Notes users:
v Basic user registration
v Advanced user registration
v Text file registration
v Registration settings
v Migration tools (for people using an external mail system or directory) registration
v Basic user registration from the Web Administrator
v Advanced user registration from the Web Administrator
Note: When registering users with non-ASCII characters in their user names, Notes attempts to convert
non-ASCII characters to ASCII. If one or more characters cannot be converted to ASCII, the Internet
address is not generated. You need to be aware of this when registering users whose names cannot be
converted to ASCII characters because you will need to create those Internet addresses manually.
Basic registration: For fast and easy registration, use the Basic user registration options. Basic
registration requires you to define user-specific settings, such as user name and password, but also offers
you the convenience of applying some default settings to users. You can define default settings in the
Registration preferences (found in the Administration Preferences dialog); you can define settings in the
Register Person dialog; or you can use Notes default settings. Some of the non-default settings you define
in Basic registration include the user name and password. You can also assign users to specific groups.
All settings available in Basic registration are also available in Advanced registration. You can choose to
view and perform Advanced registration at any time by clicking the Advanced check box in the Register
Person dialog.
Advanced registration: Advanced registration offers all the settings included in Basic registration and
also allows you to change default settings and define advanced or specific settings -- for example, assign
an alternate name to a user or add the user to an Active Directory group.
Text file registration: To register users from a text file -- that is, a file that contains information on one
or more users -- import them into the registration queue from the Register Person dialog box. This action
creates an entry for each user in the User Registration Queue and allows you to modify user settings
individually.
Web registration: User registration can now be done using the Domino Web Administrator. You register
users via the Web in a manner that is very similar to user registration done with the Domino
Administrator.
For more information on registering users with the Web Administrator, see the topic ″Using the Domino
Web Administrator to register users″ in this chapter.
If you are a service provider, for more information on registering users from the hosted organization site,
see the chapter ″Managing a Hosted Environment.″
Registration Settings: To simplify the process of registering users, you can create policies and
Registration Settings documents to preset registration settings for different types of users. For example,
users who work in Human Resources may have different registration settings than users who work in
Sales. You can create Registration settings for Sales, and another set of Registration settings for Human
Resources, and use them to register everyone with the proper settings. In addition, when you add new
users to Human Resources or Sales, the defined Registration settings apply.
Note: Administration preferences (File - Preferences - Administration Preferences) do not apply to user
registration performed with the Web Administrator.
Migration from external mail system or directory: You can migrate users who use an external mail
system or directory into Notes. You register them using migration tools accessed through the Migrate
People button in the Register Person dialog box. After migrating them, you can modify their settings.
The following list details the types of users you can migrate into Notes:
v Microsoft Exchange
Only settings you define as registration preferences remain from session to session. All other default
settings return to Notes defaults each time you begin a new registration session.
Default Notes user registration settings: This table lists all the default user registration settings that
Notes provides. The values in this table appear only under these conditions:
v Previous values have not been set in Registration preferences
v Previous values have not been set in the Register Person dialog box
User registration fields that do not appear in this table do not have default values.
Field Default
Registration Server Local server if it contains a Domino Directory. Otherwise, server specified in
NewUserServer setting of the NOTES.INI file, or the Administration server.
Password Quality Scale 8
Set Internet password Off
Encryption Strength Base strength on RSA key size
Internet address FirstnameLastname@Internet domain -- for example, RobinRutherford@Acme.com.
Internet Domain Current TCP/IP host domain
Address name format Firstname Lastname
Mail server Local server if it contains a Domino Directory or Administration server
Mail file template Mail(7)
Create file now On
Mail system Lotus Notes
Mail file name mail\<firstinitial><first7charactersoflastname>.nsf
Mail file owner access Editor with Delete documents rights
Create full text index Off
Set database quota Off
Roaming users
Users who access Notes from more than one Notes client can access their customized settings and
personal information automatically from any Notes client in the domain. Data for these users, known as
roaming users, replicates between the user’s machine and a roaming user server, where these files are
stored. When a roaming user logs on from a different Notes client, it automatically retrieves the user’s ID
file, Personal Address Book, bookmarks, and journal from the roaming user server. Any changes the user
makes in these files replicate to the roaming user server. This enables the roaming user to have a
consistent experience from any Notes client.
The roaming user feature is supported for the Notes client, Domino Administrator client, and Domino
Designer.
Registering roaming users on DB2-enabled Domino servers: When registering a roaming user, you
have the option of choosing the preferred data store for that user’s roaming files. If DB2 is not enabled
for the roaming server, the database(s) are created as NSF files. If you are registering a roaming user on a
DB2-enabled Domino server, you can choose NSF or DB2 as the data store but be aware that the user’s
local copy of the Domino Directory, NAMES.NSF, is created and stored as an NSF file. NAMES.NSF
cannot be created or stored as a DB2 file.
Creating a roaming user: To create a roaming user, complete the steps in the procedure ″Using
Advanced Notes user registration with the Domino Administrator″ but in addition to the standard
registration selections, be sure to make the roaming user-specific selections listed here.
v From the Basics tab, choose ″Enable roaming for this person″, to enable roaming capabilities for a user.
v Select the Advanced check box.
v Select the Roaming User tab. Complete any of the following Roaming User fields.
Using replication on a roaming server: After you set up a roaming user, when the Roaming User starts
Notes on any computer, Notes replicates three databases: the Personal Address Book, Bookmarks, and the
Personal Journal. If a user has upgraded from non-roaming to roaming, the Personal Journal only
replicates if a personal journal already exists with the default filename, JOURNAL.NSF. Notes also copies
some information from other databases and from the configuration file, NOTES.INI, and stores it in one
of those three databases.
Note: For Macintosh users, it copies the information from the Notes Preferences file.
When a roaming user logs on to a machine for the first time, any databases that exist in the roaming
user’s subdirectory on the roaming server are included with the three databases that Notes replicates by
default. To add other databases, create a replica of those databases in the Roaming User’s directory on the
roaming server.
If you selected the option to allow the user’s personal address book to be replicated by the user, the
user’s Personal Address Book may also contain a Roaming User’s ID and the user’s dictionary as file
attachments. The user ID is double-encrypted for added security before being attached. Because the user
ID replicates, users no longer need to copy their IDs to different computers when it is modified (for
example, by changing the password). Changes may not take effect; however, until replication occurs. In
this case, the roaming user can use the old user ID.
Most of the settings in the User Preferences dialog box, except for those that are specific to the operating
system’s configuration, are replicated. Examples of preferences that do not roam include fonts,
communication ports, background printing, bi-directional language settings, and file paths.
Bookmarks are replicated. Bookmarks include personal Welcome pages, toolbar preferences, all
bookmarked databases, folders, icons, and other bookmark preferences, and settings for framesets.
The personal journal database is replicated if it is named JOURNAL.NSF, or if it has been set via the
Welcome Page.
For more information on Advanced user registration, see the topic ″Using Advanced user registration″ in
this chapter.
If you want to assign advanced and/or specific settings to a user -- such as giving users alternate names
-- use Advanced user registration.
Note: To modify user settings after you add the user to the User Registration Queue, select the user from
the queue and then make your changes. To modify certain settings for multiple users at once, select the
names in the queue and then make changes.
Naming conventions: When adding users, user names can consist of uppercase and lowercase alpha
characters (A - Z), numbers (0 - 9), and the ampersand (&), dash (-), dot (.), space ( ) , and underscore (_).
Hosted Environments: If you are working in a hosted environment, when registering users, ensure that
you are using a certifier that was created for the hosted organization into which you are registering the
users. This applies regardless of whether you are using a certifier and password or the server-based CA.
To add the user to a group during user registration: You can add a user to a group during user
registration.
1. Click Advanced, and then click Groups.
2. Choose the group to which you are adding the user, and click Add.
3. Continue the registration process as usual.
Note: You can modify user settings at any time once you add the user to the User Registration Queue by
selecting the user from the queue and then making changes. You can also modify certain settings for
multiple users at once by selecting the users in the queue and making changes. You can cancel user
registration and clear all fields at any time by clicking the red X.
Hosted Environments: If you are working in a hosted environment, when registering users, ensure that
you are using a certifier that was created for the hosted organization into which you are registering the
users. This applies regardless of whether you are using a certifier and password or the server-based CA.
Roaming users: If you are registering roaming users, on the ID Info tab of the Register Person - New
Entry dialog box, choose ″In Domino Directory″ as the location for storing user IDs if you want roaming
users to access their Notes IDs from their personal Name and Address Book. If you do not choose the ″In
Domino Directory″ option, roaming users must either store their Notes ID on a file server or physically
carry their Notes ID with them on a diskette or other storage media. If you elect to store the user ID in
file and in the Domino Directory, the user IDs are stored in the user’s personal Name and Address Book.
Note: The Certifier Information Recovery Warning dialog box appears. Review the information in the
dialog box, select the check box and click OK.
1. Click Advanced.
2. From the Basic tab, complete these fields:
Field Enter
Registration Server Click Registration Server to change the registration server (which is the server that
initially stores the Person document until the Domino Directory replicates), select
the server that registers all new users, and then click OK. If you have not defined a
registration server in Administration Preferences, this server is by default one of
these:
v The local server if it contains a Domino Directory
v The server specified in NewUserServer setting of the NOTES.INI file
v The administration server
First name, Middle name, Last The user’s first and last names and (if necessary) middle name. The user’s Short
name name and Internet address are automatically generated. To change the Short name
or Internet address, click the appropriate space and enter the new text.
Short name A short name in the format FirstInitialLastName is automatically created as you
enter the user’s name. For example, JSmith is the short name for John Smith. You
can modify this field.
Password A password for the user ID.
Choose the password encryption strength (or password key width). The encryption
key that protects the Notes keys that are stored in the user ID file is derived from
the password. The stronger the encryption strength of the password, the stronger
the encryption key that protects the Notes keys.
v Base strength on RSA key size - encryption strength is determined by the size of
the RSA key stored in the ID file. If the RSA key size is less than 1024 bits, the
password encryption strength is 64 bits; if RSA key size is 1024 or greater, the
password key size is 128 bits.
v Compatible with all releases (64 bits)
v Compatible with 6.0 and later (128 bits)
Click the check box ″Set Internet password″ to give Internet users name and
password access to a Domino server and to set an Internet password in the Person
document. This field is automatically selected if you select the Other Internet, POP,
Domino Web Access, or IMAP mail types.
Mail system Click to change the user’s mail system from the default of Lotus Notes to an
Internet-based system or Domino Web Access.
Explicit policy Select the explicit policy to apply to this user. For more information on policies, see
″Policies.″
Policy synopsis Click to see a summary of this user’s effective policies.
Enable roaming for this person Click to enable roaming capabilities for this user. Doing so enables the Roaming
tab.
Create a Notes ID for this Click to create a Notes ID for this person during the registration process.
person
3. Click the Mail tab and complete any of these fields. Domino uses default values (if available) for any
fields you do not modify.
If you select Lotus Notes, POP, or IMAP, the Internet address is automatically
generated.
If you select Other Internet, POP, or IMAP, the Internet password is set by default.
If you select Domino Web Access, you can change other user registration
selections to Domino Web Access defaults by clicking Yes when prompted.
If you select Other or Other Internet, enter a forwarding address. This address is
the user’s current address, where the user wants mail to be sent. For example, if a
user temporarily works at a different location and/or uses a different mail system,
the user can have her mail forwarded to that new address. Or, a user may resign
from the company but leave a forwarding address so that mail addressed to the
old address is forwarded to the new location.
Mail server The user’s mail server. If you have not defined a mail server in Administration
Preferences, this server is (by default) the local server if it contains a Domino
Directory; otherwise, it is the Administration server.
Mail file name The file name of the mail file. By default, the path and file name are
mail\<firstinitial><first7charactersoflastname>.nsf.
Create file in background (Optional) Click Create file in background to force the Administration Process to
create the files in the background. Use this option to save time during the user
registration process. If you do not choose to create the file in the background, mail
files are created during the user registration process.
Mail file template A mail template from the list of available mail templates. For a description of the
template, select the template and click About. The default is Mail(R7)
(MAIL7.NTF).
Create full text index Click to generate a full-text index of the mail database.
Mail file replicas Click to open the Mail Replica Creation Options dialog box on which you can
select the servers to which the mail file will replicate. This option only applies to
clustered servers.
Mail file owner access Select the level of access in the access control list to assign to the user of the mail
database from the Mail file owner access list. By default, mail users have Editor
with Delete documents access to their own mail files; all other users have no
access. This option can be used to prevent mail users and/or owners from
deleting their own mail file. If the mail owner access is Designer or Editor, the
administrator ID currently being used is added to the mail file ACL as Manager.
Set database quota Click to enable, and then specify a size limit (maximum of 10GB) for a user’s mail
database.
Set warning threshold Click to generate a warning when the user’s mail database reaches a certain size,
and then enter the warning size (maximum of 10GB).
4. Click the Address tab, and enter values in any of these fields. Domino uses default values (if
available) for any fields you do not modify.
5. Click the ID Info tab, and enter values in any of these fields. Domino uses default values (if
available) for any fields you do not modify.
Field Enter
Create a Notes ID for this Click to create a Notes ID for this user.
person
Certifier Name list Choose a certifier ID to use when creating the user name during user registration
when a Notes user ID is not being created for the user.
This field appears if the check box ″Create a Notes ID for this person″ is not selected.
If you are working in a hosted environment and are registering a user to a hosted
organization, be sure to register that user with a certifier created for that hosted
organization.
Use CA process Click to use the Lotus Domino server-based certification authority (CA) to register this
user. The certifier ID and password will not be needed to complete the user
registration process if you use the Lotus Domino CA.
If you are working in a hosted environment and are registering a user to a hosted
organization, be sure to register that user with a certifier created for that hosted
organization.
This field appears if the check box ″Create a Notes ID for this person″ is selected.
Certifier ID Click if you want to use a certifier ID and password instead of the server-based CA. To
change to a different certifier ID, click Certifier ID, select the new ID, enter the
password, and then click OK.
If you are working in a hosted environment and are registering a user to a hosted
organization, be sure to register that user with a certifier created for that hosted
organization.
This field appears if the check box ″Create a Notes ID for this person″ is selected.
License type Choose either North American or International. The license type determines the type of
ID file created and affects encryption when sending and receiving mail and encrypting
data. North American is the stronger of the two types.
This field appears if the check box ″Create a Notes ID for this person″ is selected.
Certification expiration The expiration date of the user ID in mm-dd-yy format. The default is two years from
date the current date.
This field appears if the check box ″Create a Notes ID for this person″ is selected.
This field appears if the check box ″Create a Notes ID for this person″ is selected.
Public key specification The public key specification that you use impacts when key rollover is triggered. Key
rollover is the process used to update the set of Notes public and private keys that is
stored in user and server ID files.
Choose one:
v Campatible with all releases (630 Bits)
v Compatible with 6.0 and later (1024 Bits)
Note: For information about the significance of the public key specification and key
rollover, see the topic User and server key rollover.
Field Enter
Put roaming user files Click to store the user’s roaming information on the same server used for mail.
on mail server
Roaming Server Click Roaming Server to open the Choose Roaming User Files Server dialog box on which
you specify the server that stores the user’s roaming information. If you select Put
roaming user files on mail server, the Roaming Server defaults to the user’s mail server.
Personal roaming folder The subdirectory that contains the user’s roaming information. By default, this is based on
the sub-folder format you specify, but you can customize it.
Sub-folder format The method used to name roaming subdirectories on the roaming server. This determines
the default Personal roaming folder for each user.
Create roaming files in (Optional) Click ″Create roaming files in background″ to create the user’s roaming files the
background next time the Administration Process runs. Creating roaming files in the background forces
the Administration Process to create the files and saves time during the user registration
process.
8. Click the Other tab, and complete any of these fields. Domino uses default values (if available) for
fields you do not modify.
Field Enter
Setup profile Name of an R5 User Setup profile to assign.
Note: If you are using policies, you cannot use a user setup profile.
Unique org unit A word that distinguishes two users who have the same name and are certified by
the same certifier ID.
Location Departmental or geographical location of the user.
Local administrator The name of a user who has Author access to the Domino Directory but who does
not have the UserModifier role. This setting allows the local administrator to edit
Person documents.
Comment A comment about the user, regarding the user’s registration.
Alternate name language Choice of alternate name language. The certifier ID used to register this user must
contain the alternate name language for it to appear here.
Alternate name The alternate name of the user. The certifier ID used to register this user must
contain the alternate name language for it to appear here.
Alternate org unit A word that distinguishes two users who have the same name and are certified by
the same certifier ID. The certifier ID used to register this user must contain the
alternate name language.
Preferred language Choose a preferred language for the user, that is, the language that the user prefers
to use.
Windows User Options Click to set user options for Windows 2000. Opens the ″Add Person to Windows
NT/2000″ dialog box on which you can specify whether to add the user to the
Windows 2000 Active Directory. Enter the Windows account name for the user, and
select the name of the Windows 2000 group to which you are adding the user.
9. Click the green check mark. The user name appears in the Registration status view (the user
registration queue).
10. Click Register and then click Done.
Note: The Registration Preferences (from File - Preferences - Administration Preferences) that can be set
for user registration with the Domino Administrator do not apply to user registration with the Web
Administrator. During user registration on the Web, only registration settings set through policies or
through the server-based CA apply. Other settings are entered manually or are defaults.
For more information on using the Web Administrator, see the chapter ″Setting Up and Using Domino
Administration Tools.″
Web registration and the server-based certification authority: Web registration for Notes users requires
the use of the Domino server-based certification authority (CA). You need to understand what the
Domino CA is, as well as how to set it up and use it.
To register users with the Web Administrator, the Web administrator must be listed as an RA for that
certifier. The server that is running the Web Administrator should also be listed as an RA but that role is
not required for the server. It is required for the administrator. If the server is not listed as an RA, the
administrator that is an RA will need to open the Administration Requests database and approve the
administration request to register the user. You must assign the RA role in the Domino Administrator
client, not in the Web Administrator. To assign the RA role, use the Modify Certifier tool on the
Configuration panel.
For more information on the server-based certification authority, see the chapter ″Setting Up a Domino
Server-Based Certification Authority.″
Web registration and policies: Web user registration, like user registration done from the Domino
Administrator, can be simplified by assigning policies during the registration process. Create the policies
and related policy settings documents, prior to initiating Web user registration. Before registering users,
familiarize yourself with polices in Lotus Domino as well as with using policies with the Web
Administrator.
The use of policies for user registration with the Domino Web Administrator is optional.
For more information on using policies with the Web Administrator, see the chapter ″Setting Up and
Using Domino Administration Tools.″
To register users with the Web Administrator: Follow the instructions to register a user, with basic or
advanced registration, in these procedures:
v Using Basic user registration with the Web Administrator
v Using Advanced user registration with the Web Administrator
When using the Web Administrator client, you need to have set up a server-based certification authority
(CA) to register Notes users. The Web administrator, as well as the server on which the Web
Administrator database resides, must be listed as a registration authority (RA) for that certifier. You must
For more information on the server-based CA and the RA, see the chapter ″Setting Up a Domino
Server-Based Certification Authority.″
Note: The Registration Preferences (from File - Preferences - Administration Preferences) that can be set
in user registration with the Domino Administrator do not apply to user registration with the Web
Administrator. During user registration on the Web, only registration settings set through policies or
through the server-based CA apply. Other settings are entered manually or are defaults.
Field Action
First name, Middle name, Last name Enter a first name, middle name (if necessary), and last
name.
Short name The user’s Short name is automatically generated. To
change the Short name, enter the new text.
Password Enter the password for the user ID. Criteria for this
password is based on the level set in the Password
Quality Scale in the Password Options dialog box.
Password quality Choose a password quality. The default level is 8. The
password you specify must correspond with the
password quality that you select in ″Password Options.″
For more information on password quality scale, see the chapter ″Protecting and Managing Notes
IDs.″
9. Click the green check mark. The user name appears in the Registration status view (the user
registration queue). Or, click the red X to clear all fields and start over.
10. Click Register, and then click OK.
When using the Web Administrator client, you need to have set up a server-based certification authority
(CA) to register Notes users. The Web administrator, as well as the server on which the Web
Administrator database resides, must be listed as a registration authority (RA) for that certifier. You must
assign the RA role in the Domino Administrator client, not in the Web Administrator. To assign the RA
role, use the Modify Certifier tool on the Configuration panel.
Field Action
First name, Middle name, Last name Enter a first name, middle name (if necessary), and last
name.
Short name The user’s Short name is automatically generated. To
change the Short name, enter the new text.
Password Enter the password for the user ID. Criteria for this
password is based on the level set in the Password
Quality Scale in the Password Options dialog box.
Password quality Choose a password quality. The default level is 8. The
password you specify must correspond to the password
quality that you select in ″Password Options.″
For more information on password quality scale, see the chapter ″Protecting and Managing Notes
IDs.″
9. Click the Advanced check box to enable advanced settings.
Fields Action
Mail System Choose one of the available mail types and complete
the necessary associated fields:
v Lotus Notes (default)
v POP
v IMAP
v Domino Web Access
v Other Internet
v Other
v None
v If you select Lotus Notes, POP, or IMAP the Internet
address is automatically generated.
v If you select Other Internet, POP, or IMAP, the
Internet password is set by default.
v If you select Domino Web Access, you can change
other user registration selections to Domino Web
Access defaults by clicking Yes when prompted.
Field Action
Internet address The Internet e-mail address assigned to this user.
Internet Domain The domain to be used in the Internet address -- for
example, Acme.com.
Address name format The format of the Internet address. The default format
is FirstNameLastName@Internet domain without a
separator -- for example, RobinRutherford@Acme.com.
Separator The character inserted between names and initials in
the Internet address. The default is None.
12. Click the ID Info tab, and enter values in any of these fields.
Field Action
Create a Notes ID for this person Click to create a Notes ID for this user.
Certifier name list Choose a certifier from the list if you are not creating a
Notes ID for this user.
13. (Optional) Click the Groups tab, and complete these options as desired:
v Enter a group name, or click Search to locate the group name, to which you want to add this user
as a member.
v Select the group or groups to which you want to add the user and click Add.
For more information on adding users to groups, see the chapter ″Setting Up and Managing
Groups.″
Field Actions
Create replica(s) of mail database. Click this check box to create replicas of the mail files on
additional servers that you specify.
Select options for creation of mail database replicas Use these options as necessary:
v Add -- Click to open the Server for Mail File Replica
Creation dialog box. Use this dialog box to choose the
server(s) on which to create mail file replicas.
v Remove -- Choose one or more servers to remove from
the list of servers on which to create mail file replicas,
and then click Remove.
v Remove All -- Click to remove all servers from this
list.
15. Click the Roaming tab and enter values in any of these fields.
Field Action
Roaming user Click to activate the roaming user registration options to
register this user as a roaming user.
Put on mail server/ Choose one of these:
v Put on mail server -- Click to place the user’s roaming
Choose a server
files on the user’s mail server.
v Server name -- Click to store the user’s roaming file on
the ″Current Server″ or select another server of your
choice.
Personal roaming folder The subdirectory that contains the user’s roaming
information. By default, this is based on the sub-folder
format you specify, but you can customize it.
Sub-folder format The method used to name roaming subdirectories on the
roaming server. This determines the default Personal
roaming folder for each user.
If you want to add the text file to the NOTES.INI file so that Notes does not prompt you to browse for
the text file, enter BatchRegFile= filename to the NOTES.INI file.
You can also define a separator for the text file by adding BatchRegSeparator = character to the
NOTES.INI file. The separator character cannot be a character used in any of the user parameter settings
in the text file. If you do not specify a BatchRegSeparator, a semicolon (;) separator is used.
For more information on this NOTES.INI variable, see the appendix ″NOTES.INI File.″
Settings applied to a group of users: These user settings are available for you to modify before using
the menu (choose People - People - Register) to import and register users. Notes applies these settings to
all users in the group.
v Registration Server
v Password Quality Scale
v Set Internet password
v Internet address
v Internet Domain
v Format
v Mail server
v Mail file template
v Mail system
v Mail file name
Setting up the text file: To set up a text file, create a line in the text file for each user. Enter the
parameters for each user in exactly the order shown in the table below. Use one semicolon to separate
parameters, and use one semicolon to take the place of each contiguous parameter that you decide not to
specify.
For example, this line in a text file specifies only a last name and password:
Alexis;;;;password1
This line in a text file specifies a complete name, home server, and User Setup policies:
Alexis;Catherine;R.;;password1;;;Marketing / Acme;;;;;;Marketing Profile
Note that only the last name and password parameters are required.
You must create the directory before registration. For this parameter to take
effect, select the In File option on the ID Info panel for storing the user ID.
This parameter overrides the default ID directory shown in the Register
Person - New Entry dialog box.
7 ID file name The name you want to assign to the ID file. This file name applies only if
you store an ID in an ID file directory. If you do not specify a user ID file
name, the name on the ID is based on the person’s name.
8 Mail server name The name of the user’s mail server. This parameter overrides the one you
select during registration.
9 Mail file directory The mail file directory for the user.
10 Mail file name The name for the user’s mail file. If you do not use this parameter, the name
is based on the person’s name if the person uses Notes mail.
To register users from a text file: Notes uses the certifier ID specified in Administration Preferences; or
if there is none, it uses the ID specified in the CertifierIDFile setting of the NOTES.INI file.
1. Make sure that you have the following before you begin registration:
v Access to the certifier ID and its password if you are not using the Lotus Domino server-based
certification authority (CA)
v Editor access or the UserCreator role in the Domino Directory on the registration server
v Create new databases access on the mail server if you plan on creating mail files
2. Use a text editor to create a text file that contains ID information for each user.
3. From the Domino Administrator, click the People & Groups tab.
4. From the Servers pane, choose the server to work from.
5. Select Domino Directories and then click People.
6. Complete Step 7 or Step 8, depending on how you want to import and register users.
7. To register users and apply individual settings:
a. From the Tools pane, click People - Register. Enter the certifier password and click OK. The
Certifier Information Warning dialog box may appear. Click OK.
b. Click Import Text File, select the text file, and click Open.
c. To modify user registration settings, select a user from the User Registration Queue and make
your changes on the Register Person user interface.
d. Click Register to register the highlighted user or select multiple users in the registration queue and
click Register All. Click OK.
For more information on specifying registration settings, see the topic ″Using Advanced Notes user
registration″ earlier in this chapter.
8. To register users and apply settings to them as a group:
Alternate names are helpful because they let users use their native language and character set for display
and name lookup purposes. For example, a user can type in a name in a native language and character
set when sending mail or choose to display all documents in a database in a native language and
character set.
Each alternate name is associated with a language specifier that identifies the native language of the
name. Typically, the alternate name is specified in a character set consistent with the specified language;
whereas the primary name is specified in an internationally recognizable character set. Both types of
names provide the same security within the Domino system. Alternate names should not be used in
ACLs, Group documents, and Server documents.
You can add multiple alternate names to an organization certifier (as many alternate names as there are
language specifiers recognized by Notes). An organizational unit certifier may also contain multiple
alternate names, but each name must correspond to one of the language specifiers assigned to its parent
certifier. The organizational unit certifier does not need to contain all the language specifiers that its
parent contains. For example, /Acme may contain five language specifiers, while its child certifier
Sales/Acme contains a subset of those.
A user ID may contain only one alternate name. The language specifier associated with the alternate
name must correspond to a language specifier in the parent certifier ID. When you assign an alternate
name to a user, the alternate name and language specifiers are added to the user ID, to the Notes
certificates issued to the user, and to the user’s Person document.
Note: When assigning an alternate name, do not exceed 79 characters. When alternate names are
renamed, they are automatically truncated at 79 characters. Limiting the alternate name to 79 characters
prevents the name from being truncated because it does not exceed the 79 character limit.
To add an alternate name to a certifier ID: In this procedure, you assign an alternate name and its
associated language to the organization certifier ID and its organizational unit (child) certifiers through
the certification process. You first recertify the organization certifier, and then use the certifier to recertify
its organizational unit certifiers.
1. Have the certifier ID to which you want to add the alternate name accessible, if you are not using
the Lotus Domino server-based certification authority (CA).
2. From the Domino Administrator, click the Configuration tab.
3. Choose Certification, and then click Certify.
To add an alternate name to an existing user ID: Use the Lotus Domino server-enabled certification
authority (CA) or the certifier ID to recertify the user.
1. Make sure that the certifier contains an alternate name with the language specifier you want to use.
2. From the Domino Administrator, click the People & Groups tab.
3. From the Servers pane, choose the server to work from.
4. Click the Configuration tab.
5. Choose Tools - Certification - Certify.
6. If you are not using the Lotus Domino server-based certification authority (CA), select the certifier
ID that certified the user ID to which you are assigning an alternate name and enter the password.
Click OK.
7. Select the user ID to which you are assigning an alternate name and enter the password. Click OK.
8. Click Add. Select a language from the list and enter a new Common Name for that language, and
click OK.
9. (Optional) Specify a new certifier expiration date and a new password quality.
10. Click Certify.
11. You are prompted as to whether you want certify another, click Yes or No, accordingly.
To add an alternate name while registering a new user: Before you add an alternate name to a new
person, make sure you have a certifier that contains the alternate name and language specifier you want
to use. You assign the name and language in the Other pane of the Register Person dialog box during
advanced user registration.
For more information on advanced user registration, see the topic ″Using Advanced Notes user
registration″ earlier in this chapter.
As an administrator, you can customize the installation process for your users so that they install the
features that they need. The installation information in this section ranges from installing the Domino
clients using the installation CD to creating transform files to customize the installation process.
Installation methods
Domino offers several methods or types of installation that you can make available to the Domino Notes
users in your enterprise.
v Single-user client installation -- This installation is usually done from the CD or from files placed on
the network.
For more information on installing the Domino administration client, see the chapter ″Setting Up and
Using Domino Administration Tools.″
v Multi-user installation -- This option is available only for Notes client installation. Multi-user
installation is not available for installing the Domino Administrator client or Domino Designer.
For more information on multi-user installation, see the topic ″Multi-user installation″ in this chapter.
v Shared installation -- This option installs all program files to a file server while the users’ data files
reside on their local workstations.
For more information on shared installation, see the topic ″Installing the Domino clients in a shared
network directory″ in this chapter.
v Automated client installations (silent installation) -- This option can be used with or without a
transform file depending on whether you want to customize the silent installation.
v Customized installations -- This option uses the transform file to customize the installation process.
v Batch file installation -- This option enables users to install the clients by running a batch file that you
create for them.
v Installation with command line utilities -- This option allows users to install the clients using a
command line utility that you provide for them.
v Scriptable setup -- This option uses a setting in the NOTES.INI file to provide information to the client
setup wizard.
During the installation of the network image, all program files for Lotus Notes, Domino Administrator,
and Domino Designer are installed. To run Lotus Notes, Domino Administrator and Domino Designer
client installs from one set of program files on a file server, you create multiple transform files.
Note: To perform a shared installation and run the transform file, end-users must have the Windows
Installer service on their workstations.
After you install the program files to a directory on a server, users can run a shared version of the
software, thereby saving on disk space usage. However, if the server is unavailable, users cannot run
Notes. When users install Notes from this directory, only the data files (DESKTOP.DSK,
BOOKMARK.NTF, and all local databases) are copied to their workstations. The program files remain on
the server, where they are shared among all users. As users run Notes, the program files are read into
memory on their workstations.
Assign to those users who install Notes client software from the file server ″Read″ access to the directory
containing the files.
Note: Set the access to the administrator image on the network to ″Read Access″ -- that is the only
supported access.
Upgrading shared installations: Do not attempt to upgrade over existing network image files. To
upgrade an existing network image, delete all files in the existing network image and install the new
network image files to the same location.
Providing an installation tool (method) for the users: After successfully installing all client files to a
shared directory on the network, you can instruct users to use the transform file to install the client on
their own workstations.
To use silent installation: Use one of the three setup commands shown below.
v Use this format to run the install in silent mode without a progress bar:
Setup.exe /s /v"/qn"
When the installation is complete, the shortcut icons appear on the desktop.
v Use this format to display a message when the installation is complete or it has failed. Use the +
parameter as follows:
Setup.exe /s /v"/qn+"
v Use this format to display a progress bar during the installation, in addition to displaying the message
indicating that the installation is complete or it has failed. Use the b parameter as follows:
Setup.exe /s /v"/qb+"
For more information on how to use a transform file during silent client installs, see the topic ″Using
transform files for end-user installations.″
Multi-user installations
Multi-user installation applies to Microsoft Windows (Win 32) users only. The multi-user installation is
only supported for the Notes client installations; it is not supported for installing the Domino
Administrator client or the Domino Designer. Therefore, the multi-user option is only available in the
Notes installation kit.
Use the multi-user installation if your enterprise has multiple users who share a single workstation. Then
when users log onto the system, they run the Lotus Notes 7 client setup and their own personal data files
-- that is, BOOKMARK.NSF, NAMES.NSF, and other files are created.
The multi-user installation differs from a shared installation in that Program files are located on the local
system in a multi-user install, which can be an advantage. This allows for access to the Notes client
regardless of which network drives are available. In a shared installation, users are dependent on the
availability of shared network drives.
In a multi-user installation, install the Domino Program files to a central location on the local system.
Each user has their own data directory located in the system’s application data directory for the current
user. The actual location varies as follows according to operating system:
v Example 1 -- c:\Documents and Settings\user\Local Settings\Application Data\Lotus\Notes Data
v Example 2 -- c:\winNT\Profiles\user\Local Settings\Application Data\Lotus\Notes Data
v Example 3 -- c:\Bin\Win95\Profiles\user\Local Settings\Application Data\Lotus\Notes Data
Each user’s individual data files are created when the user logs on to the workstation, launches the Lotus
Notes 7 client, and completes the client setup. The multi-user option is only visible to those users with
administrative privileges on the local system. This installation option is not enabled for other users.
Note: Individual Location documents are no longer needed for each user that utilizes the Notes client on
the same workstation, as compared to previous releases where individual Location documents had to be
created for each user when multiple users attempted to use the same Notes client installation on a
workstation.
Multi-user install with multiple language Notes clients: You can install multiple copies of the Notes
client in multiple languages on one operating system. The language files are installed in each
MUI\language directory. For example, in a multi-user installation, if you first install a French Notes client
and then install a Japanese Notes client the user interface (UI) files are installed in individual directories
such as these:
\Program Files\Lotus\Notes\MUI\fr
\Program Files\Lotus\Notes\MUI\ja
The templates, modem, and help files are installed in the next directory, as shown
\Document Setting\All Users\Application Data\Lotus\Data\Shared\mui\fr
\Document Setting\All Users\Application Data\Lotus\Data\Shared\mui\ja
When a user starts the Notes client for the first time, the UI and database language are determined by the
user’s locale setting. If the locale language is not found in the directory \mui, the English user interface is
used and English databases are created to set up the Notes client.
For more information on what you can customize, see the topic ″Installation options available using the
transform file″ in this chapter.
If you prefer, you can allow the user to see and complete most of the fields on numerous windows that
can be displayed during the installation process.
For more information on transform files, see the topics ″Creating a transform file″ and ″Using transform
files for end-user installations″ in this chapter.
Creating a transform file: Creating a transform file requires a third-party tool such as InstallShield
Tuner OEM Edition. Lotus Domino 7 contains a version called InstallShield Tuner for Lotus Notes, that
you can use with Domino to create a transform file to customize the installation process, that is, to add
resources, change defaults, or hide features present in the standard Lotus Notes kit.
Note: The version of InstallShield Tuner for Lotus Notes that is included with Domino works only with
Lotus Domino, not with other products. You can use transform files to set up shared and customized
installations. Access their Web site at http://www.installshield.com for further information.
How to install the InstallShield Tuner for Lotus Notes: From the Lotus Domino 7 installation CD, in the
Apps/InstallShield Tuner for Lotus Notes directory, run the setup file, SETUP.EXE.
How to create a transform file: Use this procedure to create a transform file with InstallShield Tuner for
Lotus Notes. Users can then apply the transform file when installing clients.
For more information on shared installations, see the topic ″Installing the Domino clients in a shared
network directory″ in this chapter.
After creating the transform file, you apply the transform file to the installation process. The installation
process then uses the values that you set in the transform file in place of default values.
Installation options available using the transform file: Using a transform file, you can customize
installation for the users in your enterprise.
Customizing the location of the Install directories: Use this procedure to specify a location other than the
default location in which to store the installation directories. When specifying directory names, use names
that contain eight or fewer characters.
1. From Application Configuration, select Setup Properties.
2. Click Add/Remove Program Settings.
3. Change the PROGDIR property to the location in which you are storing the program files.
4. Change the DATADIR property to the location in which you are storing the data files. This is the new
default data directory.
Setting the installation to Multi-User by default: In a multi-user installation, the administrator installs the
Domino Program files to a central location on the local system. Each user has their own data directory
located in the system’s application data directory for the current user.
Note: End-users must have Administrator rights to choose a multi-user installation and must only install
the Notes Client. End-users must also have Administrator rights to upgrade an existing multi-user
installation.
1. From Application Configuration, select Setup Properties.
2. Change the value in the ApplicationUsers property to AllUsers. By default the installation is now a
multi-user installation.
For more information on multi-user installation, see the topic ″Multi-user installations″ in this chapter.
Adding custom files to a client installation: To add custom files to a client installation, create a transform
file.
Note: This customization option replaces the COPYFILE.TXT feature that was available in previous
releases of Lotus Domino.
1. Copy the custom files to the install directory or place them in a directory within the install directory
-- for example, PathToInstallKit\AllClient\CopyFiles\custom.mdm.
2. Click Target System Configuration - Files.
3. In the top pane, click Browse and locate the source directory, which is the directory from which you
are copying the custom files.
Examples -- Applying scriptable setup using a transform file during Notes client installation: You can
apply NOTES.INI settings during a client install by using a transform file. You can use this example
when setting up a transform file that applies NOTES.INI settings during Notes client installations.
Example 1 -- Including instant messaging parameters in a scriptable setup: You can include instant messaging
information during a scriptable setup of Notes client. The scriptable setup includes a setting that provides
information to the Notes client setup wizard. In this example, add the NOTES.INI setting, CONFIGFILE=,
to point to a text (.txt) file that contains the parameters for the Notes client setup wizard.
The SETUP.TXT file can be placed on shared network resource or distributed to individual workstations.
Note: If you decide that you want to distribute new or modified NOTES.INI settings using a transform
file, use the same method and steps that are explained in this example.
Creating the SETUP.TXT file: Create a SETUP.TXT file using the parameters shown below. Save your file
using the filename SETUP.TXT.
v IM.server=ServerName1.domain.com
v IM.port=1533
v IM.ConnectWhen=0
v IM.Protocol=0
For information about the scriptable setup parameters that you can use in a SETUP.TXT file, see the
topic ″Setting up Notes with a scriptable setup″ in this chapter.
To distribute the CONFIGFILE= parameter to the NOTES.INI file, use the InstallShield Tuner for Lotus
Notes application to create a transform file (.MST). The Tuner is located in the \Apps directory on the
Lotus Notes installation CD.
Setting up the transform file to apply the modified NOTES.INI file: To set up the transform file to distribute
the NOTES.INI settings, use the procedure in the topic ″Installation options available using the transform
file.″
Example 2 -- Disabling instant messaging using a scriptable setup: You can disable instant messaging during
a scriptable install of the Notes client. To do so, you need to complete these steps
1. Create a file, SETUP.TXT, that contains the following parameters and values:
v IM.Server=fakeservername
v IM.Port=80
v IM.Protocol=1
2. Store the file SETUP.TXT, on a shared network resource or distribute the file to individual
workstations
3. Add this setting to NOTES.INI file, ConfigFile=\\PathtoFile\SETUP.TXT, indicating the file is on a
shared network drive.
4. To protect against a user clicking the instant messaging buttons in the Notes client, implement a
desktop policy that sets the Sametime Server field to empty (no server name entered). In the desktop
policy settings document, be sure the Sametime Server field on the Basics tab is empty. This policy
will overwrite the fake server name in the SETUP.TXT file; therefore, Notes does not attempt to
connect to a Sametime server.
5. To ease distribution of this new setting in the NOTES.INI file, use the IS Tuner for Lotus Notes
application to create a transform file. The application is in the directory \apps on the Notes/Domino
install CD.
For more information about using the IS Tuner for Lotus Notes application to create transform files, see
the topic ″Customizing client installations″ in this chapter.
Using transform files for end-user installations: After creating a transform file, you can use that file for
end-user client installations.
To apply a transform: This section contains two sets of instructions. The first set explains how to apply a
transform file for a user interface (UI) installation -- that is, an installation that presents a user interface.
The second set explains how to apply a transform file for a silent install -- that is, an installation that
does not present a user interface and therefore does not require any user interaction. There is also a
section on using a batch file to launch the command.
For installations using the transform file (and for silent installations) using the msiexec commands, the
network installation should not be the first installation of Notes that you perform unless you are certain
that all of the client workstations contain the Windows Installer Service.
Note: The command line path is the default installation path or the path for the transform file.
In this example, the ″progdir″ parameter and the ″datadir″ parameter are used to overwrite the default
settings designated by the transform file.
1. Change to the install directory that contains both the Lotus Notes 7.msi and the transform, *.mst, files.
2. Do one of these:
v To install to the default Program and Data directories, enter this command from the command line:
msiexec /i "Lotus Notes 7.msi" TRANSFORMS="custom.mst"
v To overwrite the default Program and Data directories with the ones you specify, enter this
command from the command line:
msiexec /i "Lotus Notes 7.msi" PROGDIR=C:\Test DATADIR=C:\Test\Data TRANSFORMS="custom.mst"
Using a batch file to deploy command line options when applying a transform file
You can also create a batch file that the user launches to start the command. A sample batch file is shown
below:
The settings and parameters that you can use in the text file are listed in this table:
Setting Description
Username User’s hierarchical name -- for example, John
Smith/Acme
KeyfileName Directory path to the user’s ID file name --for example,
c:\program files\lotus\notes\data\jsmith.id
Domino.Name Domino server in the same domain as the user name.
You do not need to enter a hierarchical name.
Domino.Address An address for the Domino server, such as the IP address
of the server, if needed, to connect to the server. For
example, server.acme.com or 123.124.xxx.xxx
Domino.Port Port type, such as TCPIP
Domino.Server 1 to connect to the Domino server, 0 for no connection
AdditionalServices 1 forces display of the ″Additional Services″ panel even
if sufficient information is provided for these services;
the Additional Services panel lists Internet, proxy, and
replication settings.
AdditionalServices.NetworkDial To configure a network dialup connection to Internet
accounts created via Additional Services dialog box
Mail.Incoming.Name Incoming mail account name, a friendly name used to
refer to these settings
Mail.Incoming.Server Incoming mail (POP or IMAP) server name
Mail.Incoming.Protocol 1 for POP; 2 for IMAP
Mail.Incoming.Username Mail account user name or login name
Mail.Incoming.Password Mail account password
Mail.Incoming.SSL 0 to disable; 1 to enable the SSL protocol for incoming
Internet mail
Mail.Outgoing.Name Outgoing mail account name, a friendly name used to
refer to these settings
Mail.Outgoing.Server Outgoing mail (SMTP) server name
Mail.Outgoing.Address User’s Internet mail address, such as user@isp.com
Mail.InternetDomain Internet Mail domain name such as isp.com
Sample Scriptable Setup file: This is a sample scriptable setup file for a LAN connection. All options
are used in this sample file. Username = Joe Employee
KeyFileName=G:\shareddrive\userid\jemployee.id
Domino.Server=1
Domino.Name=servername/domain (For example, server1/sales/enterprise)
Domino.Port=TCP/IP
IM.Server=servername.misc.domain.com
IM.Port=12345
IM.ConnectWhen=2
IM.Protocol=3
IM.ProxyType=2
IM.ProxyServer=sametimeproxy.domain.com
IM.ProxyPort=789
IM.ServerNameResolve=0
IM.ProxyUsername=joeemployee
AdditionalServices=0
Mail.Incoming.Protocol=2
Mail.Incoming.Name=INCOMING INET MAIL
Instant messaging is included in the Notes client installation, and is installed when you install the Notes
client. During the Notes client configuration, the Lotus Notes Client Configuration dialog box displays
the check box ″Setup Instant Messaging″ that allows you to specify whether to set up IM during Notes
client setup. By default, the check box is selected to enable the setup of IM. You can deselect that check
box to prevent IM from being set up for users.
Enabling Single Sign-On for instant messaging: As an administrator, you can include IM in single
sign-on with Lotus Notes and push this feature down to users through dynamic configuration. To enable
IM with single sign-on for users, use the NOTES.INI variable, IM_ENABLE_SSO=1. If this variable is set
to 1, IM with single sign-on is enabled; if this variable is set to 0 (zero), IM with single sign-on is disabled
and the user must enter their instant messaging password. There is also a setting on the User Preferences
dialog box that users can set to designate whether they want to use the single sign-on feature, allowing
then to log on once and still connect to multiple applications and servers.
For more information on the NOTES.IN variable, see the appendix ″NOTES.INI File.″
Scriptable setup and instant messaging: If you are using scriptable setup to configure newly installed
clients, IM can be included in the scriptable setup. There are several variables that you use to define the
IM settings for users.
Name awareness in view columns and names fields: When Notes displays the online status for a
name, it passes that name as displayed, to the Sametime server for lookup in the Sametime server’s
directory. Usually this is the Notes abbreviated format (for example, John Smith/Austin/Acme), although
exceptions can be found in email because email names can be received from the Internet. In order for the
name to be found in the directory that the Sametime server uses, the directory needs to support a lookup
of a Notes abbreviated name. If the directory that the Sametime server uses is a Domino directory, this
occurs by default. However, if the directory that the Sametime server uses is an LDAP directory, you may
need to configure how the Sametime server performs a name lookup with the LDAP server. You may also
need to ensure that the LDAP directory has a Notes abbreviated name attribute for each of its entries.
For more information about using LDAP with a Sametime server, see the topic ″Configuring the LDAP
Searching Setting″ in the Lotus Sametime Administrator’s Guide. You can download or view the Lotus
Sametime Administrator’s Guide from the Documentation Library of the Lotus Developer Domain at
http://www.lotus.com/ldd/doc.
Instant messaging and policies: Use the desktop policy settings document or the setup policy settings
document to specify a Sametime server for users. Enter the server name in the Sametime server field.
When pushed down to the users, this setting populates the field ″Sametime server″ in the users’ Location
documents. The user can, however, enter a different server name in that field on the Location document
to override the setting from the policy document. The server specified in the Sametime server field is the
server that the user will access for instant messaging. If no server name is entered in this field, the user is
unable to log on to IM. The user would then have to review the settings on the Instant Messaging tab of
their Location document, and make the necessary corrections.
For more information about using policies, the desktop policy settings document and the setup policy
settings document, see the chapter ″Using Policies.″
Note: If the feature is not installed, you don’t have to uninstall Notes -- you can use Add/Remove
Programs in Windows to change the current installation. See the topic ″To install and enable single logon″
in the Notes client documentation.
The user’s computer’s name cannot be the same as the operating system (OS) login name when using
Client single logon. The Domino/Notes Client Single Logon feature does not work when the OS login
name is identical to the computer name, and the user logs in with the OS name. If Client Single Logon is
not working properly on a user’s system, change the OS login user name or the user’s computer’s name.
For information on how to change either name, refer to your Microsoft Windows documentation, or see
your Network Administrator.
OS and Domino password policies must be aligned as closely as possible to allow password
synchronization to work. During OS password changes, the Notes Network Provider must be able to
change the Notes ID to the new password provided by the OS. Notes is notified of the new OS password
only after the OS password has been changed. If the new OS password does not meet the Notes
password quality and history requirements, the Notes password change will fail.
During Notes password changes, the Notes Client must be able to change the OS password to the new
Notes password. If the new Notes password does not meet the OS password quality and history
requirements, the OS password change will fail.
Operating system (OS) password changes, that is, password changes that are initiated outside of IBM
Lotus Notes, occur in the system access control environment; therefore, the NOTES.INI file and the Notes
ID file must reside on a local drive.
To check whether the single logon feature is already installed, choose File - Security - User Security -
Security Basics. If the client single logon feature is installed, the option ″Login to Notes using your
operating system login″ is enabled.
To present a non-English language email interface to Domino users, the standard Domino environment is
required, as well as the following:
v The appropriate non-English version of Microsoft Windows for the end user so that users can open file
attachments that contain non-English (multiple-byte) characters in the file name. Providing the
non-English version of Microsoft Windows, also ensures that non-English fonts are present on the
system. Users can then read email subject lines and body text that are comprised of non-English
characters.
v The appropriate non-English mail template that enables folder names, button labels, field labels and
column headers to display in the non-English language. This is not required for users running a POP
or IMAP client.
v A non-English Lotus Notes client to enable menu options and dialog boxes to display in the
non-English language. This is not required for users running a POP, IMAP, or browser client.
v Non-English fonts for Lotus Notes to allow a user’s workstation to display text encoded in the
non-English character set in case the user does not have the non-English version of Microsoft
Windows.
To allow users to work in some languages other than English, you need to enable the setting ″Enable
Unicode display″ in Lotus Notes. Complete these steps:
1. From the user’s Notes client, click File - Preferences - User Preferences.
2. On the Basics panel, in the Additional Options list, check the option, Enable Unicode display.
3. Click OK.
Install the non-English Lotus Notes client and the non-English fonts for Lotus Notes on each workstation.
You can download both from the Passport Advantage site or the Business Partner Zone.
Note: The non-English mail template is installed when you the install the Language Pack Installer. You
can also obtain the non-English mail template from Passport Advantage site or the Business Partner Zone.
Prior to installing and setting up LPI in your Domino environment, review the following information:
v Review the LPI file, README.TXT, to be aware of limitations and restrictions.
You can create as many welcome pages as you want. However, there is a limit to the number of welcome
pages that will display in the Default Welcome Page menu in the desktop settings. This limit is
approximately ten pages, depending on the character length of the welcome page titles. The limit only
affects how many welcome pages appear in the desktop settings menu. All welcome pages will be
deployed to the user’s bookmarks, no matter how many there are.
Create and work on your corporate welcome page database locally, and then copy it to the server when
you are finished. This keeps users from seeing your changes in progress, ensuring that they only see
finished pages.
Designate a default welcome page for individual users by deploying it in an explicit policy, or for entire
organizations by using organizational policies.
Note: Images that are added to an Image Resource are not added to a Corporate Welcome Page if the
image is added to the Image Resource after the Welcome Page is created, and the Corporate Welcome
Page is then pushed to users.
Tip: To ensure that a custom welcome page is available to set as the default for users, create that page
first to make sure it will be available for selection on the desktop settings menu.
When you finish working on welcome pages locally, copy the welcome page database to a server to make
it available to users.
Enabling the Default Welcome Page field in the Desktop policy settings document
You need to enable the Default Welcome Page field in the Desktop policy settings document in order to
select a welcome page. The drop down list that displays the selection of welcome page titles is populated
by the NOTES.INI variable $CurrentLayout. The welcome page titles that exist for this variable are listed
in the drop down list of the Default Welcome Page field.
There are two ways to add the necessary welcome page information to the $CurrentLayout variable; use
one of them.
Implement these desktop settings in one or more policies, and then assign them to users to finish
deploying your custom welcome pages. The changes will deploy to users the next time they log in.
You will then need to go back into each of the desktop settings documents that point to the welcome
page database and create new database links to the new version. Once this is complete, the changes will
deploy to users the next time they log in.
Some modifications to welcome pages are deployed to users, while other changes are not:
v When deploying welcome pages, changes to the design are not deployed to users.
v Only welcome pages created and updated by the administrator (and those whose titles begin with a
″$″) are deployed to users.
v Adding a link to the Launcher can only be done locally. Changes to the Launcher are not deployed to
users.
v Design changes can only be made locally.
Managing users
The Administration Process helps you manage users by automating many of the associated
administrative tasks. For example, if you rename a user, the Administration Process automates changing
the name throughout databases in the Notes domain by generating and carrying out a series of requests,
which are posted in the Administration Requests database (ADMIN4.NSF). Changes are made, for
example, in the Person document, in databases, in ACLs and extended ACLs. However, the
Administration Process can be used only if the database is assigned an administration server.
Rename a user
There are several ways in which you ″rename″ a user. Usually they involve changing a user’s common or
alternate name. However, in Domino Notes, the name hierarchy becomes part of the user’s name. So if a
user is moved and certified by a new hierarchy, then that too is considered renaming. The rename tasks
are:
v Change a Notes user’s common name
v Notify a user of a change to private design elements during a name change
v Rename a Web user
v Move a user name in the name hierarchy
v Upgrade a user name from flat to hierarchical
237
Synchronizing Windows 2000 Active Directory and Notes users
You can synchronize Notes users with users in Windows 2000 Active Directory. You can also manage
Notes users from the Windows 2000 Microsoft Management Console.
In addition, the certifier ID you use and any ancestor of the certifier must have a Certifier document in
the Certificates view of the Domino Directory. For example, if you use the certifier ID for
/Sales/NYC/ACME, the Domino Directory must contain Certifier documents for /ACME,
/NYC/ACME, and /Sales/NYC/ACME.
For more information on assigning an administration server, see the chapter ″Setting Up the
Administration Process.″
For more information on processing renaming requests in the Administration Requests database, see the
topic ″Changing Notes user names with the Administration Process″ in this chapter.
Note: The AdminP Mail Notification agent runs only on Domino Release 5.05 or more recent servers and
sends e-mail to Notes Release 5.05 or more recent clients.
1. From the Domino Administrator, click Server - Analyses.
2. Click Administration Requests (7).
3. Locate the administration request to rename the user and then open the request.
4. Choose Actions - Enable/Disable User Notification. The agent is enabled and automatically sends to
the user an e-mail message containing links to databases in which the user created or modified design
elements such as a folder or view.
5. Click OK.
For more information on correcting this problem, see the chapter ″Setting Up the Administration Process.″
When a user is renamed, the user’s Internet address often needs to be changed accordingly. You can
change a user’s Internet address as part of a change to the user’s common or alternate name, but you
cannot use this rename procedure to change only the Internet address. If you attempt to use this
procedure to change only a user’s Internet address, you will generate an error.
When you initiate a user’s name change, the user may be prompted to accept or reject the name change.
If the user rejects the name change, an administration request is generated that requires you to either
accept the user name reverting to the original name or reject the name reverting to the original user
name. The user is prompted if the user has selected the ″Ask your approval before name changes″ option
on the Notes Name Changes dialog box.
Note: The Notes Name Changes dialog box is access from the File -- Security -- User Security -- Your
Identity -- Your Names -- Name Changes menu item in the Notes user interface.
If the expiration date for the name change is reached and the user has not responded, an administration
request is issued asking you to accept a request to retract the name change. You can then either accept
the request to retract the name change, or you can reject that request. If you accept the name change
retraction, the administration request for rejecting a name change are generated.
For more information on changing only a user’s Internet address, see the topic ″Changing a user’s
Internet address″ in this chapter.
For more information on approving or rejecting the administration requests that are generated when a
user rejects a name change, or when a name change is retracted, see the topics Accepting or rejecting
name change requests and Administration Process requests that require the administrator’s approval.
For information on using an agent to notify a user of changes to private design elements during a name
change, see the topic ″Changing Notes user names with the Administration Process″ in this chapter.
Note: To use the Domino alternate name functionality, Domino R5.0.2 or later must be running on all
servers involved with the name change, the user’s workstation, and the administrator’s workstation.
Field Action
Server Do one of these:
v If you are using the Lotus Domino server-based CA, choose the server
that is used to access the Domino Directory to look up the list of
certifiers.
v If you are supplying a certifier ID, select the server that is used to locate
the list of certifiers so that the Certifier ID file can be updated with the
latest set of certificates for itself and all of its ancestors. This is also the
server on which CERTLOG.NSF is updated.
Use the CA process Choose this option if you have configured the Lotus Domino server-based
CA.
v Select a CA configured certifier from the list and click OK.
Supply certifier ID and password Choose this option if you are using a certifier ID and password.
v Choose the certifier ID that certified the user’s ID and click Open. For
example, to rename Joe Smith/Sales/NYC/ACME, use the certifier ID
named SALES.ID.
v Click ″Certifier ID″ to select an ID other than the one displayed.
v Enter the password for the certifier ID and click OK.
8. In the ″Certificate Expiration Date″ dialog box, enter a new certification expiration date if desired.
The default certificate expiration date is two years from the current date. The ″Edit or inspect each
entry before submitting request″ check box is selected and cannot be modified.
9. In the Rename Person dialog box, complete the following fields as appropriate. In this dialog box
you have the option of synchronizing Active Directory user names, and changing primary and
alternate name information where appropriate.
Field Action
New Primary Name Information
First , Middle, and Last Name This is the name with which the user was registered. Make changes to
the user’s name as appropriate.
Qualifying Org. Unit (Optional) A name to differentiate this user from another user with the
same user name, certified by the same certifier. This adds a
differentiating component that appears between the common name and
the certifier name.
Short Name (Optional) Created at registration, the default is first initial, last name.
You can change this name. It does not change automatically based on
changes to the primary name fields. You must make this change
manually.
Internet Address (Optional) Created at registration, the default is first initial, last name.
You can change this name. It does not change automatically based on
changes to the primary name fields. You must make this change
manually.
To delete an alternate name, simply delete the name and do not enter a
new one.
Qualifying Org. Unit (Optional) A name to differentiate this user from another user with the
same user name, certified by the same certifier. This adds a
differentiating component that appears between the common name and
the certifier name.
Original Language The alternate language currently assigned to the user. (Non modifiable)
New Language Select from the list to assign a new alternate language.
You can also use this procedure to delete a roaming user name.
For more information on the administration requests that are generated when you delete a roaming user,
see the appendix ″Administration Process Requests.″
If the server is running Active Directory, you can delete the user’s Active Directory account as well.
There may be times when you want to maintain a user’s mail file even though you have deleted the user
from the Domino Directory. That option is available to you when you delete a user name. However, if
you choose to delete the user’s mail file, you must approve the mail file deletion in the Administration
Request database (ADMIN4.NSF). If you delete a roaming user name, you must approve replica
deletions.
For more information on Domino and Active Directory directory synchronization, see the chapter ″Using
Domino with Windows Synchronization Tools.″
For more information on the Web Administrator, see the chapter ″Setting Up and Using Domino
Administration Tools.″
To delete a user
1. To delete a user, you must have:
Field Enter
What should happen with the Choose the appropriate option(s):
user’s mail database(s)? v Do not delete the mail database -- to delete the Person document but leave the
user’s mail files intact.
v Delete the mail database on the user’s home server -- to delete mail files on the
user’s home server only.
v Delete mail replicas on all other servers -- this option is active only if Delete the
mail database on the users home server was chosen. This option deletes all mail
database replicas on other servers.
Add deleted user to Deny To deny a user access to servers immediately:
Access Group (This option is 1. Click Groups.
active only if one or more
2. Select a Deny Access Group from the list.
groups of type Deny Access
exists.) 3. Click OK.
Delete user’s Windows Select this option to delete the corresponding user account in Windows NT or
NT/2000 account, if existing Windows 2000 Active Directory account.
Delete user from this Domino Select this option to remove the account from the Domino Directory immediately,
Directory immediately while initiating Administration Process requests to remove the user’s name from
ACLs, Names fields, etc.
Note: If you choose to delete a user’s mail file, you must have at least Editor with delete documents
access to the Administration Requests database and delete documents access to the Domino Directory.
6. Click OK.
For more information on shared mail databases, see the chapter ″Setting Up Shared Mail.″
Field Enter
What should happen with the Choose the appropriate option(s):
user’s mail database(s)? v Do not delete the mail database -- to delete the Person document but leave the
user’s mail files intact.
v Delete the mail database on the user’s home server -- to delete mail files on the
user’s home server only.
v Delete mail replicas on all other servers -- this option is active only if ″Delete the
mail database on the users home server″ was chosen. This option deletes all mail
database replicas on other servers.
Add user to Deny Access To deny a user access to servers immediately:
Group (This option is active 1. Click Groups.
only if one or more groups of
2. Select a Deny Access Group from the list.
type Deny Access exists.)
3. Click OK.
Delete user’s Windows Select this option to delete the user’s corresponding Windows domain account.
domain account
Delete user from this Domino Select this option to remove the account from the Domino Directory immediately,
Directory immediately while initiating Administration Process requests to remove the user’s name from
ACLs, Names fields, etc.
Note: If you selected a mixed group of roaming and nonroaming users, the Mixed Roaming Profile
dialog box appears and prompts you to select either roaming or non-roaming. Click the check box
″Remove roaming profiles from <n> selected users. ″ In this case, <n> is the number of roaming users
selected.
5. Click the check box ″Perform updates in background″ to process each user in the background.
Tip: Run the process in the background so that you can use the Administrator client while requests
are processed.
Note: Only those users who have a hierarchical ID (for example, CN=Jane Doe/OU=East/O=Acme) can
be upgraded to roaming users. To upgrade a flat user ID, recertify that user ID to a hierarchical format,
and then upgrade the user. For information about recertifying an ID from flat to hierarchical, see the topic
Upgrading a user name from flat to hierarchical.
The roaming user feature requires the use of Dynamic Client Configuration (DCC). If you have used the
NOTES.INI setting, DisableDynConfigClient=1 to disable DCC, remove that NOTES.INI entry or
comment out the entry in the NOTES.INI file and then restart the client. If DCC is disabled, the end-user
Before changing a nonroaming user to roaming, read the roaming user information in the topic Using
Advanced user registration.
Note: If you selected a mixed group of roaming and nonroaming users, the Mixed Roaming Profile
dialog box appears and prompts you to select either roaming or non-roaming. Click the check box
″Assign roaming profiles to <n> selected users.″ In this case, <n> is the number of nonroaming users
selected.
5. Complete these fields:
Field Action
Where should the user’s roaming files be stored? Choose one:
v Store on user’s mail server -- Places the user’s roaming
files on the user’s mail server. (The user’s mail server
was designated during user registration.)
v Roaming Server -- Click the button to specify the
server on which you want to store the user’s roaming
files.
v Store user ID in personal address book -- (Optional)
Places the user’s ID in their own local personal
address book.
User’s personal roaming folder Choose one:
v Base folder -- Name of the folder in which to store the
user’s roaming files. By default the user’s base folder
is located in the Domino\data directory. For example,
if you want the base folder to be called Roaming for
all your roaming users, enter Roaming to create the
Domino\data\Roaming directory.
v Sub-folder format -- The format to use when naming
the roaming user’s personal subfolder. By default this
is the user’s short name format. You can change this
format if desired and you can optionally choose a
separator character. A personal folder (subfolder) is
created in the Base folder for each user you upgrade to
roaming user.
6. Click OK.
A message displays indicating the number of users successfully upgraded from nonroaming to
roaming.
You can also modify a user’s Internet name when performing a user rename, such as changing a user’s
common name. To modify the user’s Internet address using the Tools -> People -> Rename feature, you
must also modify another component of the user’s name, such as the short name, at the same time that
you are modifying the Internet address.
For more information on renaming a user with the options on the Tools pane, see the topic ″Renaming a
Notes user’s common or alternate name″ in this chapter.
Upgrading a user name from flat to hierarchical affects both the primary and alternate name information.
To use the Domino alternate name functionality, Domino 5.0.2 or later must be running on all servers
involved with the name change, the user’s workstation, and the administrator’s workstation.
Field Action
Server Do one of these:
v If you are using the Lotus Domino server-based CA,
choose the server that is used to access the Domino
Directory to look up the list of certifiers.
v If you are supplying a certifier ID, select the server
that is used to locate the list of certifiers so that the
Certifier ID file can be updated with the latest set of
certificates for itself and all of its ancestors. This is also
the server on which CERTLOG.NSF is updated.
Use the CA process Choose this option if you have configured the Lotus
Domino server-based CA.
v Select a CA-configured certifier from the list and click
OK.
Supply certifier ID and password Choose this option if you are using a certifier ID and
password.
v Choose the certifier ID that certified the user’s ID and
click Open. For example, to rename Joe
Smith/Sales/NYC/ACME, use the certifier ID named
SALES.ID.
v Click ″Certifier ID″ to select an ID other than the one
displayed.
v Enter the password for the certifier ID and click OK.
7. In the ″Certificate Expiration Date″ dialog box, accept or change the new certification expiration date.
The default certificate expiration date is two years from the current date.
Tip: The ″Edit or inspect each entry before submitting request″ check box is selected and cannot be
modified.
8. In the Rename Person dialog box, you have the option of changing the primary or alternate name
information. Then choose one of the following:
v OK - to submit the name change approval.
v Skip - if you are upgrading more than one user name and you want to continue to the next name
without submitting a name change for the current name.
v Cancel Remaining Entries - to cancel this name change and name changes for any other names you
selected and have not yet submitted.
9. When the Processing Statistics dialog box appears, review the information to verify that all name
changes have succeeded. If any fail, check the Certifier Log (certlog.nsf) to determine the reason for
the failure. Click OK.
For example, if Alice Brown/Marketing/Acme leaves a job in the Marketing department for a job in
Sales, you can certify her user ID with the /Sales/Acme certifier, which, in effect, moves her to that
Organizational Unit. Her full hierarchical name then becomes Alice Brown/Sales/Acme.
Field Action
Server Do one of these:
v If you are using the Lotus Domino server-based CA, choose the
server that is used to access the Domino Directory to look up the
list of certifiers.
v If you are supplying a certifier ID, select the server that is used
to locate the list of certifiers so that the Certifier ID file can be
updated with the latest set of certificates for itself and all of its
ancestors. This is also the server on which CERTLOG.NSF is
updated.
8. In the Request Move For Selected People dialog box, do the following:
Field Action
Old Certifier Verify the information. If it is incorrect, cancel the procedure and
begin again.
New Certifier Enter or select the new certifier. This is the name hierarchy that
issues a certificate for the user in the new hierarchy.
9. (Optional) Click the ″Allow the primary name to be changed when the name is moved″ check box if
you want the opportunity to change the user’s name when you approve the move.
10. For each name selected, choose one of the following:
v OK - to submit the name change.
v Skip - if you are renaming more than one user name and you want to continue to the next name
without submitting a name change for the current name.
v Cancel Remaining Entries - to cancel this name change and name changes for any other names
you selected and have not yet submitted.
Field Action
Server Do one of these:
v If you are using the Lotus Domino server-based CA, choose
the server that is used to access the Domino Directory to look
up the list of certifiers.
v If you are supplying a certifier ID, select the server that is
used to locate the list of certifiers so that the Certifier ID file
can be updated with the latest set of certificates for itself and
all of its ancestors. This is also the server on which
CERTLOG.NSF is updated.
Use the CA process Choose this option if you have configured the Lotus Domino
server-based CA.
v Select a CA-configured certifier from the list and click OK.
Supply certifier ID and password Choose this option if you are using a certifier ID and password.
v Choose the certifier ID that certified the user’s ID and click
Open. For example, to rename Joe Smith/Sales/NYC/ACME,
use the certifier ID named SALES.ID.
v Click ″Certifier ID″ to select an ID other than the one
displayed.
v Enter the password for the certifier ID and click OK.
5. If you are moving a user name from one hierarchy to another hierarchy, a cross certificate is
required. If your local Domino Directory does not contain a cross certificate for the certifier, you are
prompted to create one. Click Yes.
6. In the ″Certificate Expiration Date″ dialog box, do the following and then click OK:
Field Action
Certifier The name hierarchy of the certifier that will issue the new
certificate (non-modifiable).
New certificate expiration date (Optional) Specify a certifier ID expiration date other than the
default two years from the current date.
Edit or inspect each entry before submitting Selected by default. You can remove the check mark if you do
request not want to verify the entries.
7. In the Rename Person dialog box, make changes to the primary name as needed.
Field Action
New Primary Name Information
First, Middle, and Last Name This is the name with which the user was registered. Make
changes to the user’s name as appropriate.
Qualifying Org. Unit (Optional) A name to differentiate this user from another user
with the same user name, certified by the same certifier. This
adds a differentiating component that appears between the
common name and the certifier name.
Short Name (Optional) Created at registration, the default is first initial, last
name. You can change this name optionally. It does not change
automatically based on changes to the primary name fields. You
must make this change manually.
8. Complete the following fields as desired. These modifiable fields display only if the user ID has an
alternate name assigned to it.
The user name change in hierarchy continues just as a change to a Notes user’s common or alternate
name is completed.
Moving a user’s mail file and roaming files from the Domino
Administrator or the Web Administrator
You may need to move mail files when you need more space on a server or when users change jobs.
When a mail file is moved, the Administration Process first moves it to a new server, then issues a
request to delete the old mail file from its original mail server. You must approve this mail file deletion.
The Administration Process also changes the information in the ″Mail file name″ and ″Mail server″ fields
in the user’s Location document.
Moving a user’s mail file to a Lotus Domino Release 7 clustered server allows you to choose additional
servers on which to create replicas. The user interface provides a list of all the servers (cluster mates) you
can choose from. You can also click the server name to specify paths for each server.
You can use this procedure to move any user’s mail files, whether they are roaming users or not.
The files are moved by the Administration Process in the background so that you can continue to
perform administration activities while the files are being moved.
1. To move a user’s mail and/or roaming files, you must have:
v Editor with Create documents access, or Author access with the UserModifier role to the Domino
Directory
v At least Author with Create documents access to the Certification Log (for roaming files move)
v CreateReplica access to the destination server
2. From the Domino Administrator or the Web Administrator, click the People & Groups tab.
3. Click People and select a user name.
4. From the tools pane, click People - Move to Another Server.
5. Complete these fields:
Field Action
Destination Enter the name of the server to which you are moving the
user’s mail and/or roaming files. If the destination server
you choose is a clustered server, it appears ″checked″ in
the Additional mail server field on this dialog box.
Move roaming files into this folder Select this check box if you are moving a user’s roaming
files. This check box is not active if you are moving a
nonroaming user.
Field Action
Broadcast a message to Choose one of these:
v admin/ibm -- Sends a message to the user whose name
you selected prior to opening this dialog box. In the
example shown on the dialog box, it will be sent to
admin/ibm.
v All connected users -- Broadcasts the message to all
connected users.
v All users of a database -- Broadcasts this message to
anyone that has this database open. When you choose this
option, the database name field is enabled. Enter the name
of the database.
Broadcast this message Enter the message that is to be broadcast.
Show as dialog box on user’s workstation Choose this option to present the message to users in a dialog
box. If you do not choose the option, the message displays in
the status bar on the user workstation(s).
6. Click Broadcast.
Recertifying a user ID
Before a user ID reaches its expiration date, recertify the user ID using the original certifier ID. The user
ID is recertified without renaming the user.
Use the Certificate expiration view to determine which certifiers need to be recertified. Access this view
from Files - Certlog.nsf - By Expiration date. All certifiers are listed by expiration date.
For more information on certifiers and certification, see the chapter ″Deploying Domino.″
Note: To recertify a user ID using a certifier other than the certifier used to create the user ID, see
″Moving a user name in the name hierarchy″ in this chapter.
Field Action
Server Do one of these:
v If you are using the Lotus Domino server-based CA,
choose the server that is used to access the Domino
Directory to look up the list of certifiers.
v If you are supplying a certifier ID, select the server
that is used to locate the list of certifiers so that the
Certifier ID file can be updated with the latest set of
certificates for itself and all of its ancestors. This is also
the server on which CERTLOG.NSF is updated.
Use the CA process Choose this option if you have configured the Lotus
Domino server-based CA.
v Select a CA configured certifier from the list and click
OK.
Supply certifier ID and password Choose this option if you are using a certifier ID and
password.
v Choose the certifier ID that certified the user’s ID and
click Open. For example, to rename Joe
Smith/Sales/NYC/ACME, use the certifier ID named
SALES.ID.
v Click ″Certifier ID″ to select an ID other than the one
displayed.
v Enter the password for the certifier ID and click OK.
Field Action
New certificate expiration date (Optional) Specify a certifier ID expiration date other than
the default two years from the current date.
Only renew certificates that will expire before (Optional) Enter a date to recertify only a subset of
selected user IDs, according to their current expiration
dates.
Edit or inspect each entry before submitting request (Optional) Select the option to edit or inspect each entry
before submitting the request if you want to view each
certificate before it is renewed.
7. If you selected the option to view each entry prior to its being submitted, the Recertify Person dialog
box appears with non-modifiable information in the primary and common name fields. Review the
information that displays, then select one of the following:
v OK - to submit the name change.
You can also recertify a user ID with a different certifier ID, that is, a certifier ID other than the one used
to previously certify the user ID. Although recertifying a user ID with a different certifier is allowed, it is
not recommended that you do so using this procedure. In this case, you are renaming the user, which is a
very complex process involving changes to ACLs for various databases, changes to lists of group
members, and other related entries. Recertifying a user ID with a different certifier does not invoke the
Administration Process, so all changes need to be made manually. To recertify a user with a different
certifier ID, we recommend using the Rename tool, and requesting a move to a new certifier.
For more information, see the topic ″moving a user name in the name hierarchy″ in this chapter.
Field Action
Server Do one of these:
v If you are using the Lotus Domino server-based CA, choose the server
that is used to access the Domino Directory to look up the list of
certifiers.
v If you are supplying a certifier ID, select the server that is used to locate
the list of certifiers so that the Certifier ID file can be updated with the
latest set of certificates for itself and all of its ancestors. This is also the
server on which CERTLOG.NSF is updated.
Supply certifier ID and password Choose the certifier ID that issued the original certificate. For example, to
recertify the certifier ID for /Sales/NYC/ACME, choose the /NYC/ACME
certifier ID, which is NYC.ID.
v Click ″Certifier ID″ to select an ID other than the one displayed.
v Enter the password for the certifier ID and click OK.
Note: Although not recommended, you can choose a different certifier ID
to recertify a user ID, instead of using the original certifying ID.
Use the CA process Choose this option to use the server-based certification authority (CA).
v Select a CA-configured certifier from the list and click OK.
4. In the ″Choose ID to Certify″ box, select the certifier ID or user ID that you want to recertify. For
example, to recertify Sales/NYC/ACME, choose SALES.ID.
5. Enter the password and click OK.
6. In the Certify ID dialog box, complete the following fields as necessary:
Field Enter
Current Server The registration server for the current certifier ID. (nonmodifiable)
Current certifier The name hierarchy of the certifier that issued the certificate.
(nonmodifiable)
Expiration date (Optional) Specify a certifier ID expiration date other than the default
two years from the current date.
Primary key Public half of the primary RSA key pair stored in the Notes ID file. This
RSA key pair is used for electronic signatures on documents and
certificates, and on mail encryption when both the sender and the
recipient have a North American Notes license. This key pair is also used
for network authentication. (nonmodifiable)
International key The public half of the international RSA key pair. This key pair is used
for mail encryption when either the sender or recipient are running with
an International Notes license. (nonmodifiable)
Subject name list Certifier ID(s) you are working with.
Add Click to add and certify an alternate name. Select the alternate language,
country code (optional), and the organization identifier for the language.
Rename Rename the alternate name selected in the Subject name list. This button
is not available when recertifying user Ids. This button is enabled only
when alternate languages have been assigned.
Remove Removes the alternate name selected in the Subject name list.
Password quality Move the slider to change the level of complexity and variety of
characters entered for the password.
7. Click Certify.
Domino then makes a new entry for that user in the NOTES.INI file. For example, the new entry for this
user could be:
AUTO_SAVE_USER,Eric Thiel/Westford/IBM=as_ethiel.nsf
If an autosave database with the name as_ethiel.nsf already exists, the number 1 would be appended to
the user name portion of the new database name. For example,
as_ethiel1.nsf
When a user logs in to NOTES with their USER.ID, Domino checks the NOTES.INI file for an entry with
that user’s name. One of these situations occurs:
v The entry exists, and the database name in that entry is used.
v The entry exists but the database cannot be located. Domino creates a new database.
v The user does not have access to the database and an error message is generated.
v The entry cannot be located. A new NOTES.INI entry and database are created using the naming
convention described above.
License Tracking
License Tracking allows you to monitor the number of active Notes users within a Domino domain. You
can use License Tracking to determine how many client licenses you have, whether you need to purchase
additional licenses, and when you need to purchase them.
The Domino User License Tracking database is created and resides on the administration server, not on
all servers. The database is not created as soon as the License Tracking feature is enabled; instead, it is
created when the administration process processes the first administration request to update the database.
The administration process creates a new User License document in the Domino User License Tracking
database (USERLICENSES.NSF) for each new user reported in the administration request. Documents are
updated with the new time and date for those users who already have a document in the Domino User
License Tracking database. If a user does not access any servers in the Domino domain for one full year,
the corresponding User License document is deleted from the Domino User License Tracking database.
Daily updates to the database enable you to review this information at any time to obtain an up-to-date
report on the number of client licenses that you have available for use.
Note: If a user is deleted from the Domino Directory, the corresponding document in the Domino User
License Tracking database is deleted. If a user is renamed, the corresponding document is also renamed
accordingly. Existing administration requests are used to maintain this user information.
260 Lotus Domino Administrator 7 Help
By default, administrators have Manager access to the Domino User License Tracking database and users
have no access.
Note: The Miscellaneous/Licenses view that displayed in Domino R5 is not part of the License Tracking
feature.
You can deploy a ″My Work″ Welcome page for users by creating the My Work page using the desktop
policy settings document. If you are deploying a My Work page for your users, as well as a custom
Welcome page for users who choose to use that, use the advanced configuration. The advanced
configuration adds an additional page to the Welcome Page wizard which contains the advanced options.
Use advanced configuration if you want to lock specific items on the My Work page, lock the entire My
Work page, or prevent users from adding Team tabs to the My Work page. If you are deploying only a
″My Work″ Welcome page, and you are not locking it to prevent users from editing the My Work page,
you do not need to use the advanced configuration.
For more information about using the advanced configuration with Welcome pages, see the topic
″Enabling the Default Welcome Page field in the Desktop policy settings document″ in this chapter.
The My Work page option is available to users directly from the Welcome page, as well as from the
Welcome Page wizard. They can set up their My Work page in a manner that best suits their individual
work responsibilities. You cannot disable the My Work page, but you can deploy a My Work page and
lock it so that users do not modify it. If the My Work page is not locked, users are able to modify it from
their desktops. The ″My Work″ Welcome page is created with the template, BOOKMARK.NTF.
For more information about policies, see the chapter ″Using Policies.″
Using groups
Groups are lists of users, groups, and servers that have common traits. They are useful for mailing lists
and access control lists. Using groups can simplify administration tasks. For example, if you create a
group called ″Terminations″ that lists all former employees, you can enter the Terminations group name
in the ″Not access″ field in the Server Access section of the Security tab on each Server document. When
an employee leaves the company, you add the employee’s name to the Terminations group and then force
replication of the Domino Directory to prevent the employee from having access to all servers in the
domain. Using a Terminations group saves you the time and effort of manually adding individual
employee names to each Server document when employees leave the company.
To create a group, you create a Group document in the Domino Directory. You can add registered users
to the group as you create the Group document and you can add new users to a group as you register
them. There is no limit to the number of names that you can add to a group. However, the total number
of characters used for names in the group cannot exceed 32KB. To keep groups manageable, split a large
list of users into two or more groups.
By default, the Domino Directory contains two groups: LocalDomainServers and OtherDomainServers.
LocalDomainServers includes all servers in the current domain. Domino automatically adds servers that
you register in the current domain to the LocalDomainServers group. OtherDomainServers includes all
servers that are not in the current domain. For example, OtherDomainServers might include the names of
servers in other companies with which your company communicates. If you set up a connection to a
server in another company or domain, add the server name to the OtherDomainServers group.
A third group, LocalDomainAdmins, may reside in the Domino Directory if the ″Add
LocalDomainAdmins group to all databases and templates″ check box was selected during first server
setup for a domain. The LocalDomainAdmins group contains names of the domain administrators.
263
Creating a group with the Domino Administrator
1. Make sure that you have Editor access or Author access with the GroupCreator role in the Domino
Directory.
2. From the Domino Administrator, click the People & Groups tab.
3. From the Servers pane, select the server to work from.
4. Select Domino Directories, and then select Groups - Add Group.
5. Complete these fields on the Basics tab:
Field Action
Group name Enter a name for the group. It is recommended that you
use only these characters: A - Z, 0 - 9, & - . _ ’
(ampersand, dash, period, space, underscore, and
apostrophe) for the name. It is recommended that you do
not use special characters other than those listed because
some special characters may cause unexpected conflicts
or problems. A group name can be a maximum of 62
characters in length. For easier administration, use a
name without spaces. The only characters that are
expressly prohibited are @ and //.
6. Click the Administration tab and make changes to these fields as necessary:
Field Action
Owners Add an owner name or modify the list of group owners.
Administrators Add an administrator name or modify the list of group
administrators.
Allow foreign directory synchronization Choose one:
v Yes -- To allow synchronization between a post office
directory, such as the cc:Mail post office directory or a
Microsoft Exchange Address Book, and the Domino
Directory
v No -- To prevent synchronization between a post office
directory, such as the cc:Mail post office directory or a
Microsoft Exchange Address Book, and the Domino
Directory
Last modified v Non-modifiable field. Provides the hierarchical name
of the last administrator that made changes to the
Group document.
Field Action
Group name Enter a name for the group. It is recommended that you
use only these characters: A - Z, 0 - 9, & - . _ ’
(ampersand, dash, period, space, underscore, and
apostrophe) for the name. It is recommended that you do
not use special characters other than those listed because
some special characters may cause unexpected conflicts
or problems. A group name can be a maximum of 62
characters in length. For easier administration, use a
name without spaces. The only characters that are
expressly prohibited are @ and //.
Field Action
Owners Add an owner name or modify the list of group owners.
Administrators Add an administrator name or modify the list of group
administrators.
Allow foreign directory synchronization Choose one:
v Yes -- To allow synchronization between a post office
directory, such as the cc:Mail post office directory or a
Microsoft Exchange Address Book, and the Domino
Directory
v No -- To prevent synchronization between a post office
directory, such as the cc:Mail post office directory or a
Microsoft Exchange Address Book, and the Domino
Directory
Last modified v Non-modifiable field. Provides the hierarchical name
of the last administrator that made changes to the
Group document.
Deleting members from a group with the Domino Administrator or Web Administrator:
1. Make sure that you have Editor access or Author access with GroupModifier privilege in the Domino
Directory.
2. From the Domino Administrator or Web Administrator, click the People & Groups tab.
3. From the Domino Administrator, from the Servers pane, choose the server to work from. Omit this
step if you are working with the Web Administrator.
4. Select Domino Directories, and then select Groups.
5. Select the group from which you are deleting one or more members, and click Edit Group.
6. Do one of these:
v From the Domino Administrator, click Members and then select users, servers, or groups to delete.
v From the Web Administrator, select the users, servers, or groups to delete.
Note: From the Domino Administrator, to remove all members from the group, do not select any
members; just click Remove All, and then click OK.
8. Click Save and Close.
Creating a Terminations group with the Domino Administrator or Web Administrator: You may want
to create a group for employees who no longer have access to specific servers in your organization. When
you are deleting a person from the Domino Directory, you can then add that person’s name to a
Terminations group that is assigned a group type of Deny List Only. This is particularly useful for
preventing terminated employees from accessing servers.
1. Create a group named Terminations and assign it a group type of Deny List Only. For more
information on creating groups, see Creating a group with the Domino Administrator or Creating a
group with the Web Administrator.
Note: Groups of the type ″Deny List Only″ do not have to be named Terminations; assign any name that
you choose. We only suggest the name ″Terminations″ for clarity.
2. From the Domino Administrator or Web Administrator, follow instructions for deleting a user name,
but on the Delete Person dialog box, locate the ″Add deleted user to Deny Access Group″ field and
then click Groups.
For more information about deleting a user name, see the chapter ″Setting Up and Managing Notes
Users.″
3. Continue the delete process as usual, and then click OK.
Managing groups
To manage groups, you can do the following tasks:
v Assign a policy to a group
v Edit a group
v Deleting a group with the Domino Administrator or the Web Administrator
v Finding a group member
v Finding a group name in the domain with the Domino Administrator or Web Administrator
v Use the Manage Groups tool to add and remove group members
While managing groups, you may also need to recertify a certifier ID. To do so, see Recertifying a certifier
ID or a user ID.
Prior to assigning policies to groups, familiarize yourself with all aspects of policies and how they are
applied.
For more information on policies and policy settings, see the chapter ″Using Policies.″
Field Action
Selected Non-modifiable field. Displays the name of the selected
directory and the server on which the directory resides.
For: Non-modifiable field. Displays the number of groups
you have selected. This field is blank prior to finalizing
the assignment of a policy.
Users with an existing policy Non-modifiable field. Displays the number of users in
the selected groups who already have policies applied to
them. Prior to finalizing the assignment of the policy, this
field displays ″Unknown.″ After the policy is applied,
this field displays a value.
Policy Choose an explicit policy from the list. If this field
displays ″None Available,″ you have not created any
explicit policies that can be applied to a group.
Allow replacement of policies Click this check box to allow policies that have already
been applied to users in the selected groups to be
replaced by the policy you are now assigning.
View Policy Synopsis Click this check box only if you also assigning an
organizational policy to the selected groups. A policy
synopsis is composed of an explicit policy and an
organizational policy. The synopsis shows the net effect
of the two policies.
5. Click OK.
Editing a group
Use this procedure to edit any of the group attributes that are listed on the Group document in the
Domino Directory. You can modify the group name, group type, description, group membership, group
owner, administrator, and specify whether foreign directory synchronization is allowed. Foreign directory
synchronization allows synchronization between a post office directory, such as the cc:Mail post office
directory or a Microsoft Exchange Address Book, and the Domino Directory.
With group renaming, there isn’t any tolerance for simultaneous occurrences of the new and old names
while the name change makes its way across databases in the domain. For example, if a group name
changes in the Domino Directory before it has a chance to change in a database ACL, the old group name
in the database ACL is invalid. (This limitation doesn’t occur with user and server renaming.) As a
workaround, you can initiate the group rename action during non-peak work hours -- for example,
during the weekend -- or you can immediately process the requests, rather than waiting for the changes
to occur according to Administration Process schedules.
To edit a group:
1. To edit a group, you must have:
Field Action
Group name Enter a name for the group. It is recommended that you use only these characters: A - Z,
0 - 9, & - . _ ’ (ampersand, dash, period, space, underscore, and apostrophe) for the
name. It is recommended that you do not use special characters other than those listed
because some special characters may cause unexpected conflicts or problems. A group
name can be a maximum of 62 characters in length. For easier administration, use a
name without spaces. The only characters that are expressly prohibited are @ and //.
Do not use a name that is in use as the name of an organization in the hierarchical name
scheme.
Note: Do not create group names containing a / (slash) unless you are working in a
hosted environment. Using the / in group names in a non-hosted environment causes
confusion with hierarchical naming schemes. Hierarchical names are required in a hosted
environment.
Group type Select one of these:
v Multi-purpose -- Use for a group that has multiple purposes -- for example, mail,
ACLs, and so on. This is the default.
v Access Control List only -- Use for server and database access authentication only.
v Mail only -- Use for mailing list groups.
v Servers Only -- Use in Connection documents and in the Domino Administration
client’s domain bookmarks for grouping.
v Deny List only -- Use to control access to servers. Typically used to prevent terminated
employees from accessing servers, but can be used to prevent any user from accessing
particular servers. The Administration Process cannot delete any member of the group.
Category (Optional) Select a category to which you are adding the group and click OK. The
Category field can be used to categorize your groups in any manner that you want. If the
category that you want to use is not listed in the dialog box, add the category name in
the New Keyword field and click OK.
Description Enter a description of the group.
Mail Domain Enter the name of the mail domain for the group. This is especially useful for enterprises
that have more than one mail domain.
Internet Address Enter the Internet address that applies to the group.
6. Click the Administration tab and make changes to any of these fields:
Field Action
Owners Add an owner name or modify the list of group owners.
Administrators Add an administrator name or modify the list of group administrators.
Foreign directory Choose one:
synchronization v Yes -- To allow synchronization between a post office directory, such as the cc:Mail post
allowed office directory or a Microsoft Exchange Address Book, and the Domino Directory
v No -- To prevent synchronization between a post office directory, such as the cc:Mail
post office directory or a Microsoft Exchange Address Book, and the Domino Directory
Last modified Non-modifiable field. Provides the hierarchical name of the last administrator that made
changes to the Group document.
7. (Optional) To sort the list of group members before saving the Group document, click Sort Member
List.
8. Click Save and Close.
For more information about synchronizing Domino and Active Directory, see the chapter ″Using Domino
with Windows Synchronization Tools.″
Tip: You can also delete a group from the Tools panel using Groups - Delete.
Field Action
Delete group from this Directory immediately. Click this check box to immediately delete all references
to this group in this replica of the Domino Directory.
6. Click OK.
7. Click Close.
Finding a group name in the domain with the Domino Administrator or Web
Administrator
Use this procedure to locate every occurrence of one or more specific group names within a domain. This
is especially useful when moving groups to other servers or domains or when verifying that you have
completely deleted a group name from your domain.
To view the log of locations: To view the log of locations where the group name(s) are located:
1. From the Domino Administrator, click Server - Analyses - Administration Requests (7).
2. Select the view All Requests by Action and access the ″Find Name in Domain″ request.
3. Double-click the request to access the Administration Process - Log document. Locate the ″Links to
items found within Domino Directory documents:″ field. This field contains the links to the Group
documents located using the Find Groups action.
Note: You may have to scroll to the right to reveal the button.
3. Enter the common name (for example, Jane Doe) and click OK. If the group member is found, a check
mark appears next to the group or groups in which the member name is located.
Tip: You can also find a group member from the Domino Directory, Groups view.
Field Enter
People and Groups The directory that you want to open. A list of all users and groups in the
directory is displayed.
Look In
Group Hierarchies The directory containing the group you are managing.
Look in
Replicas
To make a database available to users in different locations, on different networks, or in different time
zones, you create replicas. All replicas share a replica ID which is assigned when the database is first
created. The file names of two replicas can be different, and each replica can contain different documents
or have a different database design; however, if their replica IDs are identical, replication can occur
between them.
As users add, edit, and delete documents in different replicas of a database, the content in the replicas is
no longer identical. To ensure that the content in all replicas remains synchronized, you use Connection
documents to schedule replication between the servers that store the replicas. Then multiple sites, teams,
and users can make changes to a database and share those changes with everyone else who has access to
that database. In addition, using replicas and scheduling replication reduces network traffic. Users never
need to connect to a single central server that stores the only replica of a particular database. Instead,
they can access a replica of that database on one or more local servers.
These distributed replicas can also be Web sites that are hosted on different Lotus Domino 7 servers.
Then users aren’t dependent on one server when they attempt to access critical applications over the
Internet. If one server is unavailable, users can access another replica of the database on another server.
You can also use replicas to help manage ongoing Web site design. On one server, you can set up a Web
staging area where you design and test new pages. When the design changes are tested and ready to be
released, you can replicate this server with the server storing the replica of the Web site that is available
to users. By using replicas and replication this way, you prevent Web users from seeing your
″work-in-progress.″
A replica of a database isn’t the same as a copy of a database that you make by choosing File - Database -
Copy. Although a copy of a database may look the same as the original database, a copy doesn’t share a
replica ID with the original database and so it can’t replicate with it.
275
v Place a replica of a master template on each server that stores a database that inherits from the master
template.
v Create a backup database from which you can restore information if data becomes corrupted; since
corrupted data often replicates, use this only as a secondary backup method.
Keep in mind that two replicas will contain slightly different content between replications. If users need
access to the most up-to-date information in a database, you can create replicas on clustered servers and
then set up replication in clusters. In a cluster, all replicas are always identical because each change
immediately replicates to other servers in the cluster.
For more information on setting up individual databases for replication, see the topic ″Creating replicas
using the Administration Process″ in this chapter.
To schedule replication between servers, the servers must be able to connect to each other in order to
update replicas. You may need to create Connection documents to enable server connections, depending
on your server topology. As users add, edit, and delete documents in a database, the replicas contain
slightly different information until the next time the servers replicate. Because replication transfers only
changes to a database, the network traffic, server time, and connection costs are kept to a minimum.
During scheduled replication, by default, the initiating server first pulls changes from the destination
server and then pushes changes to the destination server. As an alternative, you can schedule replication
so that the initiating server and destination server each pull changes or so that the initiating server pulls
changes only or pushes changes only.
You can also use the server commands Pull, Push, and Replicate to initiate replication between servers.
For more information on server connections and Connection documents, see the chapter ″Setting up
Server-to-Server Connections.″
Replication, step-by-step
To fully-understand replication, you need to be familiar with the information in the topics ″Guidelines for
setting server access to databases″ and with ″Setting up a database ACL for server-to-server replication″
in this chapter. You also need to fully familiarize yourself with the information on replication in the
appendix ″Server Commands.″
1. Replication is initiated by a server or a workstation in one of the following ways:
v Replication schedule settings in a Connection document take effect.
v A replication command to replicate immediately is issued at the server console. The server console
commands include replicate, pull, push, and load replica.
v Settings in a Program document. The Program document starts a new task on the server rather than
sending work to an existing task.
v A replication command to replicate immediately is issued by an end-user working in the Notes
client user interface. This is done from a workstation only, not from a server.
v Scheduled replication from a Notes client. This is done from a workstation only.
The servers authenticate each other by finding a certificate in common and testing to be sure that
certificates are authentic.
2. The Replicator constructs a list of local files to replicate and asks the remote server to find those that
have a match with the list of local files.
Assign an access level that is at least as high as the highest user access level
For example, design changes made to the replica on Server A replicate to Server B only if the replica on
Server B gives Server A at least Designer access.
For more information on setting up a database ACL, see the chapter ″Controlling User Access to Domino
Databases.″
LocalDomainServers
This group represents servers that are in the same Domino domain as the server that stores the replica.
Typically you assign this group a higher access level in the database ACL than the OtherDomainServers
group.
OtherDomainServers
This group represents servers that are not included in the Domino domain of the server that stores the
replica. Typically you assign this group a lower access level in the database ACL than
LocalDomainServers. For example, assigning this group Reader access in the ACL ensures that the local
Domino domain retains control over the database.
Note: Do not add the names of servers from outside companies to LocalDomainServers or to
OtherDomainServers. Both these groups are included in all databases by default and may have a high
access level in some cases. Instead, create a group specifically for the external servers with which your
company communicates; for example, create a group called ″External Servers.″ Then add this group to
database ACLs as needed.
For more information on setting up groups, see the chapter ″Setting Up and Managing Groups.″
In general, for servers, enable all the privileges that the selected access level allows. This ensures that the
server has access that is as high as users might have and can replicate all user changes. However, to
prevent certain changes from replicating without deselecting privileges for each user, you can deselect a
For more information on setting up database ACLs, see the chapter ″Controlling User Access to Domino
Databases.″
Note: A database that doesn’t replicate should have at least one server in its ACL to serve as the
administration server for the database. This allows the Administration Process on a server to update
names in the ACL when names in the organization change.
For more information on administration servers, see the chapter ″Setting Up the Administration Process.″
For more information on the administration requests that processed while creating a replica see the
appendix ″Administration Process Requests.″
1. If you are creating a replica on a destination server in another domain, make sure that:
Note: Do not use the wild card character (*) in the ″Create Replica″ field of the destination
server’s Server document because this character causes the request to fail.
4. Make sure each destination server:
v Is running the Administration Process.
v Has at least Reader access in the ACL of the source replica.
5. From the Domino Administrator, select the source server in the server pane on the left. To expand
the server pane, click the servers icon in the server pane.
6. Click the Files tab.
7. In the files window, select one or more databases for which you want to create replicas.
8. From the Tools pane, choose Database - Create Replica. Or, drag the selected database(s) to the
Create Replica tool.
9. (Optional) If the current domain includes a cluster, click ″Show only cluster members″ to display
only destination servers that are members of the cluster.
10. Select one or more destination servers. To select a server if it doesn’t appear in the list, select Other,
specify the hierarchical server name, then click OK.
11. (Optional) Select a destination server, click ″File Names″ to choose a custom file path on the
destination server for any database you’re replicating, and then click OK. You can repeat this
procedure for each destination server. If you don’t choose this option, the database is stored on the
destination server in the same location as on the source server.
To put the replica in a directory below the data directory, type the directory name, backslash, and
then the file name -- for example, JOBS\POSTINGS. If the specified directory does not exist, Domino
creates it for you.
12. Click OK. A dialog box shows the number of databases processed and indicates if any errors
occurred.
You can specify replication settings on a new replica as you create it or on an existing replica. You can
specify some replication settings for multiple replicas at once from a central source replica. You must
have Manager access to a replica to set replication settings for it.
CAUTION:
Replication settings are not intended to be used as a security measure.
Advanced
Replicate Which non-document elements this Advanced
replica receives
Do not send deletions made in this replica Whether a replica can send Send
to other replicas document deletions to other replicas
Do not send changes in database title & Whether a replica can send changes Send
catalog info to other replicas to the database title and Database
Catalog categories to other replicas
Do not send changes in local security Whether a replica can send changes Send
property to other replicas to the Encryption database property
(in the Basics tab of the Database
Properties box) to other replicas
Temporarily disable replication Whether a replica can replicate Other
Scheduled replication priority The replication priority of a Other
database used in Connection
documents for scheduling
replication
CD-ROM publishing date The publishing date for a database Other
on a CD-ROM
You can manage these settings for multiple replicas from a central source replica.
For more information, see the topic ″Specifying replications settings for multiple replicas from one source
replica″ in this chapter.
Remove documents not modified in the last x days: The number of days specified here, known as the
purge interval, controls when Domino purges deletion stubs from a database. Deletion stubs are markers
that remain from deleted documents so that Domino knows to delete documents in other replicas of the
database. Because deletion stubs take up disk space, Domino regularly removes deletion stubs that are at
least as old as the value specified. It checks for deletion stubs that require removal at 1/3 of the purge
interval. For example, assuming the default value, 90 days, when a user opens a database, Domino
checks if it has been at least 30 days since it removed deletion stubs, and if so it removes any deletion
stubs that are at least 90 days old. The Updall task, which runs by default at 2:00 AM, also removes
deletion stubs.
You can shorten the purge interval, if you want, but be sure to replicate more frequently than the purge
interval; otherwise, deleted documents can be replicated back to the replica.
Optionally, you can select the check box to remove documents in the replica that haven’t changed within
the purge interval. If you select the check box, when Domino removes deletion stubs it also removes
documents that haven’t changed within the specified number of days. These documents are purged,
meaning no deletion stubs remain for the documents, so the documents aren’t deleted in other replicas.
The ″Only Replicate Incoming Documents Saved or Modified After: date″ setting prevents the purged
documents from reappearing through replication. If the other replicas have this check box selected,
similar document purging occurs in them.
CAUTION:
If you select the check box on a non-replicated database, documents are lost and you can only recover
them from a system backup.
Note: Domino regularly removes deletion stubs according to the purge interval even if you don’t select
the check box.
Only Replicate Incoming Documents Saved or Modified After: date: A replica can only receive
documents created or modified since the date specified. If you clear the database replication history,
during the next replication, Domino scans only documents created or modified since the date specified
here. If you clear the date before clearing the replication history, Domino scans all documents in the
database.
Use this option in conjunction with clearing the replication history to solve replication problems. If you
clear or change this date, when Domino next purges deletion stubs, it resets the date to correspond to the
number of days specified in ″Remove documents not modified in the last x days″ setting. For example, if
Domino purges deletion stubs on 1/1/99 and the ″Remove documents not modified in the last x days″
setting is 90, on 1/1/99 Domino resets the date to 10/1/98. If the check box is selected in the ″Remove
documents not modified in the last x days″ setting -- meaning documents that meet the purge interval
criteria are purged as well as deletion stubs -- this automatic date reset insures that the purged
documents aren’t replicated back into the replica.
Receive summary and 40KB of rich text only: If you select this setting, Domino prevents large
attachments from replicating and shortens the documents that this replica receives. The shortened
documents contain only a document summary that includes basic information, such as the author and
subject, and the first 40K of rich text.
When users open a shortened document, they see ″(TRUNCATED)″ in the document title. To view the
entire document, users open it and choose Actions - Retrieve Entire Document.
Replicate a subset of documents: Use this setting to specify that a replica receives only the documents
in a specific directory or view or only documents that meet selection criteria specified in a formula.
Replication formulas are similar to view selection formulas.
Keep in mind the following points when you use replication formulas:
v You cannot use @DbLookup, @UserName, @Environment, or @Now in a replication formula.
v Using @IsResponseDoc in a replication formula causes all response documents in a database to
replicate, not just those that meet the selection criteria. To avoid this, use @AllChildren or
@AllDescendants instead. If you use @AllChildren or @AllDescendants, make sure the database
performance property ″Don’t support specialized response hierarchy″ is not selected.
Replicate: Use this setting to control which non-document elements a replica receives. This table
describes the options:
Don’t select this option when you first create the replica because
the new replica won’t contain any design elements for displaying
information.
Agents Selected If selected, allows a replica to receive agents. If deselected,
prevents the replica from receiving agents, although the replica
still receives changes made by the agents.
Replication formula Not selected If selected, ensures that replication settings specified for multiple
destination replicas from one source replica can replicate. This
option is required if you’re using a central source replica to
manage replication settings for multiple replicas.
Access control list Selected If selected, allows the replica to receive ACL changes from any
server that has Manager access in the replica’s ACL.
Deletions Selected If selected, allows the replica to receive document deletions. If
deselected, the replica won’t receive deletions through replication,
but users assigned ″Delete documents″ access in the replica ACL
can still delete documents from the replica.
Note: If ″Do not send deletions made in this replica to other
replicas″ (on the Send panel of the Replication Settings dialog
box) is selected for the source replica, this replica won’t receive
deletions from the source replica, regardless of this setting.
Fields Not selected If deselected, the replica receives all fields in each document
received. If selected, you select a subset of fields to receive, but
you should only do this if you have a thorough knowledge of
application design.
Do not send changes in database title & catalog info to other replicas: This setting prevents changes
made to this replica’s database title or Database Catalog categories from replicating.
Do not send changes in local security property to other replicas: This setting prevents changes to the
database Encryption property (set by choosing Encryption on the Basics tab of the Database Properties
box). Use this primarily to prevent changes made to this property on a local replica from replicating to a
server. For example, if this setting is selected and you disable the Encryption property on a local replica,
the property remains selected on a server replica.
Temporarily disable replication: Select this to temporarily suspend replication while you troubleshoot a
problem. You can select this for one database, or if you use the Domino Administrator, you can disable
replication of multiple databases. If a database is on a cluster server, disabling replication suspends both
cluster replication and scheduled replication.
Scheduled replication priority: You can assign a priority of High, Medium, or Low to a database. Then
in a Connection document, you can schedule replication so that databases of a particular priority replicate
at specific times. For example, you can schedule low-priority databases to replicate less frequently and
schedule high-priority databases to replicate more frequently. If you assign a different priority to two
replicas, the priority of the replica on the server that initiates the scheduled replication takes precedence.
Replication priority doesn’t apply to replicas on a cluster of servers. Cluster replication occurs whenever
a change occurs, not according to schedules in Connection documents.
CD-ROM publishing date: Some organizations -- for example, publishing companies -- distribute
databases on CD-ROM rather than replicate them. To receive updates, users replicate with a replica on
the organization’s server. The users specify the date the information was published on the CD-ROM so
that the first replication with the organization’s replica scans only documents created or modified since
the publishing date. If users do not specify the date, the initial replication unnecessarily scans the entire
database, which can be a slow process, especially if it occurs over a dial-up connection.
The only replication settings you can specify using centralized management are ″Replicate a subset of
documents,″ to control which documents a replica receives, and ″Replicate,″ to control which
non-document elements a replica receives.
Note that changing centrally-administered replication settings requires two replications for the changes to
take effect: the first replication to replicate the new settings from the source server to the destination
servers and a second replication to replicate based on the new settings. The second replication doesn’t
occur until the source database is updated in some other way; to force the new settings to take effect if
the source database isn’t updated, clear the replication history.
1. Make sure you understand replication settings.
2. Make sure you have Manager access in the ACL of the central source replica. Make sure that the
central source replica has Manager access in the ACL of all destination replicas.
3. Do one of the following:
v Click Replication Settings in the New Replica dialog box to specify replication settings for a new
replica.
v Open the central source replica, and then choose File - Replication - Settings to modify existing
replication settings.
4. Click the Advanced panel.
5. To specify a destination server, click the computer icon next to ″When computer,″ specify the name
of the destination server, select Add Server, then click OK. Or accept the default entry. To specify a
Notes client as a destination server, enter the Notes user’s hierarchical name.
6. To specify a source server, click the computer icon next to ″Receives from,″ specify the name of a
source server, select Add Server, then click OK. Or accept the default entry. To specify the name of a
Notes client as a source server, enter the Notes user’s hierarchical name.
7. To delete a server, click either computer icon, select a server, select Delete Server, then click OK.
8. To have the specified destination replica receive a subset of documents, click ″Replicate a subset of
documents″ and then specify the views/folders to replicate or specify a replication formula.
9. To specify which non-document elements the replica should receive, select appropriate options under
″Replicate.″ You must select ″Replication formula.″
10. Repeat Steps 5 through 9 for each additional destination/source server combination.
11. Click OK.
Using the same replication settings for all destination servers: The Acme Corporation has a database
called Technical Support on the server Support-E/East/Acme, which it uses to post information about
customer problems and problem resolutions. The database displays customer suggestions made during
the support calls in a view called Customer Suggestions. Acme has three servers at satellite sales offices:
Sales-Bos-E/East/Acme, Sales-Phil-E/East/Acme, and Sales-Hart-E/East/Acme. The satellite sales offices
are only interested in customer suggestions and not in other details of technical support calls. Therefore,
Acme replicates only the contents of the Customer Suggestions view to these servers. To accomplish this,
it completes the replication settings dialog box on the Technical Support database on
Using separate replication settings for each destination server: The Acme Corporation has a database
called Sales Leads on the server Sales-E/East/Acme. Acme has three servers at satellite sales offices:
Sales-Bos-E/East/Acme, Sales-Phil-E/East/Acme, and Sales-Hart-E/East/Acme. Each satellite sales office
is only interested in leads pertaining to its area. Each document in the Sales Leads database includes the
field ″Office″ with one of these keywords selected: Boston, Philadelphia, Hartford. To replicate only sales
leads pertaining to Boston to Sales-Bos-E/East/Acme, Acme completes the replication settings dialog box
on the Sales Leads database on Sales-E/East/Acme.
Although these examples describe server-to-server replication, you could use similar settings to configure
replication between a central source replica and replicas on Notes clients. For example, salespeople could
replicate directly with the source replica and receive only leads pertinent to their areas. To accomplish
this, specify Notes users’ hierarchical names as destination servers.
You can schedule server-to-server replication to happen at specific times, or you can specify a time range
with a repeat interval. By scheduling replication for a time range, you ensure that the servers exchange
information several times a day. After the server makes a successful connection, it waits the amount of
time specified in the ″Repeat interval of″ field on the Connection document before calling the other server
again.
Be sure to consider time zones when you schedule replication between servers in different countries. You
want to replicate the documents created during each time zone’s peak business hours and schedule
replication for an off-peak time. For example, to schedule replication between a server in New York and a
server in Germany, schedule replication between 3 AM and 1 PM Eastern Standard Time (EST) to
correspond to Germany’s business hours, which are six hours later than EST.
The default replication time setting is 8 AM to 10 PM, with a repeat interval of 360 minutes.
The server calls and attempts to connect at the exact time you specified. If unsuccessful, the server tries
to connect for an hour. Whether or not the connection succeeds, the next call does not occur until 8 AM
the next morning.
The server calls at the first time specified, 8 AM. If unsuccessful, the server retries for up to an hour, until
9 AM. Whether or not the call succeeds, the next call occurs at the next scheduled time, 1 PM. If
unsuccessful, the server retries for up to an hour, until 2 PM. This process continues for each specific time
you specify.
If the first call is unsuccessful, the server retries periodically until it successfully establishes a connection
and replicates. If the server cannot connect, it keeps trying until the end of the time range. If the server
successfully replicates, it calls again at the specified repeat interval after the previous call ended.
The server attempts the first call at the start of the time range. If unsuccessful, the server tries again and
again. The time between call attempts increases with each unsuccessful attempt. The server retries the call
for the entire range or until a connection is made. After a failed call, the server retries periodically for the
entire call range. However, it does not call again after a successful exchange of information.
For example, you could create two Connection documents -- one that schedules replication for Monday to
Friday, and another that schedules replication for Saturday and Sunday.
Staggering schedules
You can use staggered schedules on hub-and-spoke topology. For example, you could schedule the first
server to replicate from 8 AM to 10 AM, the second server from 8:05 AM to 10:05 AM, and so on. You can
create a simple round-robin schedule for a hub server and its spokes, repeating as often as is practical.
This process spreads all data within a hub’s sphere of influence quickly.
Both mail routing and replication are enabled by default, but you can change this setting and use
separate Connection documents to schedule each task. This way, you can control the specific time(s), time
range(s), or the repeat interval for replication and mail routing separately, and increase or decrease these
settings, as needed.
How you connect servers for replication depends on the location of the servers. You can connect servers
for replication over a Local Area Network (LAN) or over an intermittently connected serial line, such as a
dial-up modem or Remote access service connection. In addition, you can use passthru servers for
replication.
Replicating over the Internet is performed identically as with a LAN using TCP/IP. The Domino server
must be in the same Notes domain as the Domino server with which you want it to replicate. If it’s not,
your server needs a certificate in common with the other server.
Note: Do not use the server’s common name when replicating servers. Only the server’s full hierarchical
name should be used during server-to-server replication. This applies to all instances of server-to-server
replication.
Field Enter
Usage priority Choose ″Normal″ to force the server to use the network information in the current
Connection document to make the connection.
Source server The name of the calling server.
Source domain The name of the calling server’s domain.
Use the Port(s) The name of the network port (or protocol) that the calling server uses.
If you don’t want to specify the actual port for making a local area network connection, but
would prefer to have Domino determine the port used, don’t list any ports in the Use the
Port(s) field in the LAN Connection document. Domino uses all the information it has,
including all enabled LAN ports and all enabled or disabled Connection documents, to
determine the best path to use to connect with the other server.
Destination server The name of the answering server. You can also specify a Group name that contains server
names so that the Source server replicates with each server listed in the group you specify.
To do this, you create a group that contains servers only, and specify ″Servers only″ as the
group type. The group cannot contain the names of other groups of servers.
Destination domain The name of the answering server’s domain.
Field Enter
Replication task Choose Enabled.
Replicate databases of Choose one:
Priority v High
v Medium & High
v Low & Medium & High (default)
Replication type Choose one:
v Pull Pull
v Pull Push (default)
v Pull Only
v Push Only
Files/Directories to The names of specific databases or directories of databases that you want to replicate.
Replicate
Separate entries with semicolons (;) and specify the names as they exist on the calling
server. If the database is in a subdirectory to the data directory, include the path relative
to the data directory -- for example, EAST\SALES.NSF.
To specify all files within a directory and any of its subdirectories, enter the directory
name relative to the data directory with the directory slash, for example EAST\. You
can’t use wild cards (*).
Field Enter
Schedule Choose Enabled.
Call at times The times between which you want replication to occur each day; the default is 8 AM -
10 PM.
Repeat interval of The number of minutes between replication attempts; the default is 360 minutes.
Days of week The days of the week to use this replication schedule; the default is Sun, Mon, Tue,
Wed, Thu, Fri, Sat.
By default, Domino uses Pull-Push as the replication direction. However, you can specify a different
replication direction.
v Pull-Push, the default replication direction, is a two-way process in which the calling server pulls
updates from the answering server and then pushes its own updates to the answering server. Using
Pull-Push, the replicator task on the calling server performs all the work.
v Pull-Pull is a two-way process in which two servers exchange updates. Using Pull-Pull, two replicators
-- one on the calling server and one on the answering server -- share the work of replication.
v Push-only is a one-way process in which the calling server pushes updates to the answering server.
One-way replication always takes less time than two-way replication.
v Pull-only is a one-way process in which the calling server pulls updates from the answering server.
One-way replication always takes less time than two-way replication.
For information on forcing immediate replication, see the topic ″Forcing immediate replication″ later in
this chapter.
To specify an individual database, enter the file name of the database, including the NSF extension. If the
database is in a subdirectory of the data directory, include the path relative to the data directory -- for
example, EAST\SALES.NSF.
To specify all files within a directory and any of its subdirectories, enter the directory name relative to the
data directory with the directory slash, for example EAST\. You can’t use wild cards (*).
If the replication type is Pull-Pull, only the connecting server receives the specified databases during
replication. The other server still receives all databases in common with the calling server.
The default setting is Low & Medium & High. Domino automatically replicates all databases that two
servers have in common.
If two replicas are assigned different priorities, Domino uses the priority assigned to the replica on the
server that initiates the replication. If you schedule databases to replicate by priority and a particular
database isn’t replicating often enough, ask the database manager to increase the priority level of that
database.
If the ″Replication Time Limit″ field has a value in it and the replication isn’t complete at the end of the
specified time or if the server crashes, then replication will begin where it left off once it restarts. When
the field is blank, Domino uses as much time as it needs to complete the replication session.
CAUTION:
If you specify an inappropriately low value and the databases do not have time to replicate
completely, replication terminates upon reaching the time limit, regardless of how little progress, if
any, occurred. The log file (LOG.NSF) records a message indicating that termination has occurred but
that the replication was successful. The replication history isn’t updated so that the next replication
takes place after the last complete replication event.
To limit replication time for all servers, edit the NOTES.INI file to include the ReplicationTimeLimit
setting.
When you use multiple replicators, each replicator handles only one replication session at a time. For
example, if Hub-E/East/Acme is scheduled to replicate with HR-E/East/Acme and with
Hub-W/West/Acme simultaneously, one replicator handles replication between Hub-E/East/Acme and
HR-E/East/Acme, while a second replicator handles replication between Hub-E/East/Acme and
Hub-W/West/Acme.
Multiple replicators handle multiple replications between one source server and multiple destination
servers simultaneously. Multiple replicators do not handle replications of multiple individual databases
on a source server with a single destination server. For example, if both Database 1 and Database 2 on
Hub-E/East/Acme need to replicate with Hub-W/West/Acme, only one replicator handles each
replication session, one at a time.
Examine the Connection documents that schedule replication on each server. By adjusting the schedules
and enabling multiple replicators, you can shorten the time it takes to complete a replication cycle. With
this shortened cycle, you can schedule one or more additional cycles per day, which means fewer
database updates and speedier replications per cycle. After you start multiple replicators, you can use the
Tell command to stop all replicators; however, you can’t use the Tell command to stop a specific
replicator.
Method Steps
From the NOTES.INI file Edit the Replicators or ServerTasks setting in the NOTES.INI file.
From the console Enter the Load Replica command at the console. Use this method if you need more
replicators and you don’t want to shut down the server to change the NOTES.INI
file. Each time you enter this command, the server loads another replicator.
For more information on settings in the NOTES.INI file, see the appendix ″NOTES.INI File.″ For more
information on entering server commands, see the appendix ″Server Commands.″
You can use this feature to reduce the replication workload on a particular server or to isolate a server for
troubleshooting. Or you may want to force the calling server to cover the time and cost of the entire
replication process.
There are many situations when forcing replication is necessary. For example, you may want to update a
database immediately, without waiting for scheduled replication to occur, or you might need to replicate
with a different server because the usual server is unavailable. You can force immediate replication to
trace replication and mail routing problems or to force changes to critical system databases -- such as in
the Domino Directory -- to spread quickly through the domain. When you force immediate
server-to-server replication, you can initiate replication in one or in both directions.
Command Result
Replicate Replicates changes to databases in both directions; Domino performs
Pull-Push replication.
Pull Replicates changes to databases in one direction where the initiating server
pulls changes from the other server.
Push Replicates changes to databases in one direction where the initiating server
pushes database changes to the other server.
To enable replication again, repeat Steps 1 and 2, and in Step 3 deselect ″Temporarily disable replication.″
To enable replication again, repeat Steps 1 - 4, and in Step 5 select ″Enable replication.″
Replicating from the server console: You can use a database option with the Replicate, Pull, or Push
server commands to force replication of a specific database that two servers have in common.
v Use the Replicate command to send changes to and receive changes from a specified server
v Use the Pull command to receive changes from a specified server
v Use the Push command to send changes to a specified server
For example, to send changes to the database PRODUCTS.NSF from the server Webstage-E/East/Acme
to the server Web/East/Acme, enter the following command from Webstage-E/East/Acme:
Push Web/East/Acme Products.nsf
You can also see a graphical representation of your replication topology. Replication topology maps are
most useful for quickly displaying the replication topology and for letting you easily follow connections
between servers.
This task is not enabled by default. To see replication topology information, enable the Maps task
manually.
1. From the Domino Administrator, click the Servers - Status tab.
2. Click Tools - Start.
3. Select Maps Extractor from the menu and then click Start Task.
4. Click Done.
To focus on a specific area of the topology map, use the plus (+) and minus (-) keys to zoom in and out.
Database.nsf.replicate statistics
Domino maintains statistics about replication status. The database.nsf.replicate statistics are:
v NotesMergedBack = The destination note sequence is actually higher than the source note sequence.
Domino will assume a replication merge occurred and will update the source as well
v NotesReceived = If the NSF Database is the source database
v NotesReopened = There is a possible replication conflict; rr Domino could not find a corresponding
item for an incremental note; therefore, Domino cannot perform an incremental update and will try
again with a full note open.
v NotesSent = If the NSF Database is the destination database
The calendar and scheduling features use the Schedule Manager (Sched task), the Calendar Connector
(Calconn task), and the Free Time system (a combination of Sched, Calconn, and nnotes tasks) to operate.
When you install Domino on a server (any server except a directory server), the Sched and Calconn tasks
are automatically added to the server’s NOTES.INI file. When you start the server for the first time, the
Schedule Manager creates a Free Time database (BUSYTIME.NSF for non-clustered mail servers and
CLUBUSY.NSF for clustered mail servers) and creates an entry in the database for each user who has
filled out a Calendar Profile and whose mail file is on that server or on one of the clustered servers.
Each user can keep a personal calendar and create a Calendar Profile that identifies who may access the
user’s free time information and specifies when the user is available for meetings. When users invite
other users to meetings, the Free Time system performs the free-time lookups. The Free Time system also
searches for and returns information on the availability of resources. If the lookup involves searching in
Free Time systems on different servers or scheduling applications, the Calendar Connector sends out the
queries. When users schedule appointments in their calendars and reserve resources, the Schedule
Manager task collects and updates that information in the Free Time database.
By default, the Schedule Manager has access to the Free Time database, so you do not have to define the
ACL for this database.
If you add a previously non-clustered server to a cluster, the Schedule Manager deletes the
BUSYTIME.NSF database on that server and creates CLUBUSY.NSF, which then replicates to all cluster
members. If you remove a server from a cluster, the opposite occurs: Schedule Manager deletes
CLUBUSY.NSF and creates BUSYTIME.NSF. Until the Schedule Manager validates the database by
checking to see if the location of users’ mail files has changed, the clustered Free Time database contains
information about users whose mail server you removed from the cluster. This validation also occurs
once each day (at 2 AM) to update free-time information for users whose mail files have been added to
or removed from a mail server. You can update the information at any time by entering the Tell Sched
Validate command at the console.
A benefit of clustered scheduling is that schedule information is always available, even when users’ home
servers are down. With non-clustered scheduling, if users’ home servers are not available, the Free Time
database is not available for searching.
297
Other advantages of using clustered scheduling include improved performance and reduced server
traffic. Because the Free Time database is available from other members in a cluster, the server that
receives a user’s query does not have to search another server’s Free Time database for schedule
information about a user whose mail server is in the cluster.
In the following examples, Kathy wants to check the free time of and schedule a meeting with three users
-- Bob, who is in the same domain as Kathy; Robin, who is in a different domain; and Susan, who uses a
different scheduling application (Lotus Organizer®).
If the Free Time system doesn’t find a Foreign Domain document, the query fails; and the Find Time
dialog box indicates that Susan’s information is unavailable.
Setting up scheduling
How you set up scheduling depends on where users are located -- that is, in the same Domino domain or
in different Domino domains -- and whether users use alternate scheduling applications, such as IBM
OfficeVision.
Field Enter
Calendar server name The name of the server in the adjacent domain that accepts and processes all
scheduling queries for that domain.
6. Set up the Resource Reservations database if you want to allow users to search for and reserve
resources.
Note: Free-time lookups require reasonable network response time and direct LAN connections from the
intermediate domain to the two separate non-adjacent domains.
1. Make sure that you have set up Non-adjacent Domain documents in the Domino Directory to
establish communication between the domains.
For more information on Non-adjacent Domain documents, see the chapter ″Setting Up Mail
Routing.″
2. From the Domino Administrator, click the Configuration tab.
3. Choose the Domino Directory in the ″Use Directory on″ box.
4. Click Messaging - Domains, and then open each appropriate Non-adjacent Domain document.
5. Click the Calendar Information tab, complete this field, and save the document:
Field Enter
Route requests through The name of a calendar server that is in a domain adjacent to both the querying
calendar server and the target domains. This server accepts and forwards free time queries from the
source to the target non-adjacent domain.
6. Set up the Resource Reservations database if you want to allow users to search for and reserve
resources.
Field Enter
Calendar server name The name of the server that is running the alternative scheduling program.
Calendar system Choose OfficeVision from the list.
6. For Notes mail users who use a different scheduling application, enter the name of the foreign
domain in the Calendar Domain field of each user’s Person document.
7. Set up the Resource Reservations database if you want to allow users to search for and reserve
resources.
Field Action
Server Enter the name of the server on which you are creating
the database.
Title Enter the name of the database.
File Name Enter a file name for the database. Use the file name
extension nsf.
Template server Choose the template server from which you will be
copying the template.
Show advanced templates Click this check box to display additional templates
including the Resource Reservations (RESRC7.NTF)
template.
Inherit future design changes Click the check box if you want the database to inherit
design changes that will be made to the template in the
future.
Note: The Schedule Manager task no longer maintains busytime for rooms or resources.
See the Lotus Notes 7 release notes for information about using the Rooms and Resources Manager.
There can be a maximum of two replicas of any Rooms and Resources databases on cluster mates on
which the Rooms and Resources Manager is run. You can have more than two replicas in a cluster if only
two of those replicas are on systems that run Rooms and Resources Manager. For example, if you have
four servers in a cluster but Rooms and Resources Manager only runs on two of them, all Domino 7
servers are permitted to have replicas of the same Rooms and Resources database. Replicas of the Rooms
and Resources database can be created on pre-Domino 7 servers only if the following criteria is met:
v The Router task is not running on the pre-Domino 7 server
v The pre-Domino 7 server is using the Domino 7 Rooms and Resources template
v The Rooms and Resources database resides on a Domino 7 server
v When the list of cluster mates is sorted alphabetically, the pre-Domino 7 server is not one of the first
two servers listed.
The Rooms and Resources Manager task provides automatic failover of request processing when the
current processing server fails. The Rooms and Resources Manager typically processes requests on the
database’s home server, that is, the server on which the database resides. If the Domino server on which
the Rooms and Resources Manager is running fails, the Rooms and Resources Manager on the Domino 7
cluster mate detects the server failure and begins processing reservation requests where the failed server
left off. The Room and Resources Manager on the failover server continues processing reservations until
that server fails. The original server then fails over for the failed server and begins processing requests
again. This failover ability provides sustained availability for the Rooms and Resources Manager.
When you create a site, you have the option of enabling the Resource Reservations autoreminder feature.
When the autoreminder feature is enabled, automatic reminder notices are sent to the chairperson who
booked the room or resource. You designate how many autoreminders are sent for a particular room or
resource, as well as how many days prior to the reservation date they are sent.
When you create a Resource document, you define the resource name, type, and availability; and you
specify who can reserve the resource. There are three types of resources:
After you set up resources, users can search for the free time of a resource and schedule the resource for
a meeting while searching for free time and inviting users to the meeting. For each Resource document
you create, the Administration Process creates a corresponding Resource document in the Domino
Directory. During a free-time query, the Free Time system searches the Free Time database to find the
location of these resources and returns information on the availability of both the resource and the
invitees.
When setting up rooms as resources, enter the room information in a consistent format, either by name or
by number. Doing so will limit the number of errors caused when a room cannot be located in the
database.
When a user reserves a conference room with type-ahead enabled, Lotus Domino searches for the
conference room by room number or by room name, but not by both. Lotus Domino looks up rooms
according to how they have been added to the Resource Reservations database -- either by name or by
number. If a user enters a room name and the room resource is set up by room number, an error is
generated and the room is not located. Setting up all room resources by room name or by room number
helps eliminate this type of error.
When you create a Site Profile or Resource document, the new resource is not available for users to
schedule until the Administration Process adds the resource to the Domino Directory and the addition
replicates to all replicas that are on servers used for scheduling resources of the Domino Directory.
When you create a resource of type Room or Other, you can specify how far in advance reservations can
be created for single meetings and for repeating meetings. Use this feature to prevent users from
scheduling meetings several years in advance, as they are unlikely to need to create reservations years in
advance of the actual date. You can limit advance reservations for a specific number of days or until a
specific date is reached.
Field Enter
Site name The name of the site where the resource exists -- for example, 50 West Lincoln
Building.
Domain name The name of the domain where the Resource Reservations database resides. By
default, your current Domino domain is entered in this field.
7. If you chose Enabled in the field, Resource reservation autoreminder, complete these fields:
Field Action
Send autoreminder for Choose one:
v All rooms/resources -- Autoreminders are enabled for all rooms and resources in
the specified site. All rooms/resources is the default setting.
v Particular rooms/resources -- The Select rooms/resources field displays. Specify
the rooms/resources to which autoreminders will apply. You can select multiple
entries.
Field Enter
Resource Type Choose one:
v Room -- if the resource is a room
v Other -- if the resource is not a room
v Online Meeting Place -- if you will be meeting via IBM Lotus Instant Messaging
server.
Name A unique name that identifies the resource -- for example, a room number.
Site Click to display a list of available sites, and then choose one.
Category Name for category of Resource -- for example, Electronic or AV. This field also
displays names of all previously entered Category values, from which you can
(Appears when you select choose.
Other as Resource Type)
Capacity The capacity of the resource, for example, the seating capacity of a room.
The Internet Address field is not visible for Online Meeting Place.
7. Enter the following Owner Options for resources of type Room or Other. If you chose a resource type
of Online Meeting Place, go to Step 9.
Field Enter
Owner restrictions Choose one:
v None -- Click if no owner is assigned to the resource and anyone can reserve the
resource.
v Owner only -- Click to assign a Resource owner. Only the Resource owner can
process Resource requests without special approval. Enter the name of the
resource owner in the Owner’s name field. The owner is the person or group to
whom requests from other users (those not listed in the List of names field) are
forwarded for approval and processing.
v Specific people -- Click to allow only specified users access to the resource. Enter
the names of users allowed to reserve this resource in the List of names field.
v Autoprocessing -- Click to allow only specified users and groups access to the
resource and to assign a resource owner. Enter the name of the resource owner in
the Owner’s name field. The owner is the person or group to whom requests
from other users (those not listed in List of names field) are forwarded for
approval and processing. Enter the names of users allowed to reserve this
resource in the List of names field.
v Disable reservations -- Click to prevent users from reserving a resource from a
meeting notice and directly from the Resource Reservations database.
Availability settings Choose one of these:
v 24 hours everyday -- The resource is available 24 hours each day. When you
select this availability setting, other availability settings are disabled.
v Time zone -- Specify the time zone for the resource. The default is Local Time,
but you can specify others as applicable, such as Eastern Time.
v Days of week and hours of days -- Select the days of the week that the resource
is available. Specify availability start time and end time for each available day
selected.
8. Enter the following Online Resource data for resources of type Online Meeting Place.
.
Field Enter
Online meeting database The default Sametime Conference database, STCONF.NSF, is entered by default. If
the IBM Lotus Instant Messaging server is a UNIX server, the IBM Lotus Instant
Messaging setup may be customized and a name other than STCONF.NSF may be
used for the Sametime Conference database. If the database name has been
changed, enter the name of that database.
External address Name of the Sametime mail-in database on the IBM Lotus Instant Messaging server.
This database, STCS.NSF, is created during IBM Lotus Instant Messaging
installation. The default name is Sametime Reservations. It must be manually
added to the Domino Directory as a mail-in database. The name that you specify
for the mail-in database, is the name that is added to this External address field.
For information on how to manually add a mail in database to the Domino
Directory, see the topic ″Creating a Mail-in Database document for a new database″
in the Domino Administrator online documentation.
IBM Lotus Instant Messaging The name of the Domino server on which IBM Lotus Instant Messaging is running.
server The mail server must have mail connectivity to the IBM Lotus Instant Messaging
server to deliver the invitations that cause the meetings to be scheduled.
Audio Video Support Choose one:
v Audio -- Voice only
v Audio and Video support -- Voice and video display
Note: Users with manager access and the [CreateResource] role in the Resource Reservations ACL can
rename a room/resource.
New resource information is not available until the Administration Process updates the Resource
document in the Domino Directory and the change replicates to all relevant replicas of the Domino
Directory that are on servers used for scheduling resources. The Rename agent must run to rename
reservations and to send notices to the chairperson. The Rooms and Resources Manager (RnRMgr) task
must also run to rename the Busytime database. The Agent Manager (AMgr) task and the RnRMgr task
must be running in order to allow the Resource Reservations database to function without an
administrator’s intervention.
Renaming a resource
After a resource has been renamed (which includes having the site or category changed), all reservation
owners receive email notices stating that the resource has been renamed and lists the former resource
name, new resource name, and a list of dates, times, and chairs for each reservation.
If a reservation owner or chair made the reservation through the Calendar, the resource rename
notification contains an ″Update My Meetings″ button in the body of the message. Clicking this button
then updates all instances all meetings in the chair’s Calendar that employ this resource.
If a reservation owner or chair made the reservation through the Resource Reservations database, the
reservations are updated automatically with the new information, and resource rename notification
indicates this.
If the chair has an assistant who is authorized to receive notices on the chair’s behalf, then the Resource
Rename Notice is forwarded to the assistant as well. This notice is a full copy of the note that is sent to
the chair, including an ″Update My Meetings″ button in the body of the message. The assistant must be
sure to use the ″Update My Meetings″ button in the chair’s message to update the chair’s calendar.
Note: It is important that the chair or calendar manager update their meetings with the new name of the
room or resource. Failure to do so will cause problems if there are subsequent changes to the meeting
(such as rescheduling).
Field Edit
Description Description of the resource.
Capacity (for Rooms only) The capacity of the resource, if it has one -- for example, the seating capacity of a
room.
Internet address An Internet address that iCalendar users can use to reserve the resource.
7. Edit any of the following fields for resources of type of Online Meeting Place. If you are editing a
resource of type Other or Room go to step 8. Do not complete step 7.
Field Enter
Description Description of the resource.
Online Meeting Database The default database, STCONF.NSF, is entered by default. This field cannot be
modified.
External address Name of the mail-in database on the IBM Lotus Instant Messaging server. The name
you enter here must be identical to the name of the Sametime Mail-in database.
IBM Lotus Instant Messaging Name of the IBM Lotus Instant Messaging server hosting the meeting.
server
Audio Video Support Choose one:
v Audio -- voice only
v Audio and Video -- Voice and video display
Other comments Modify or enter comments regarding the resource as desired.
8. To rename the resource, or change its site and/or category, click Rename.
Field Action
New Name Enter the new name of the resource. This name must be unique.
Site Choose a new Site for this Resource from the drop-down list.
Category (for Other only) Choose a new category for this Resource from the drop-down list.
11. Click Save and Close. A confirmation message appears when the change request is generated
successfully.
To delete a resource
When you delete a resource, an administration request that requires the administrator’s approval is also
generated. After deleting the resource in the user interface, open the Administration Requests database
and approve the deletion there. Instructions for both procedures are included here.
1. Make sure that you have the [CreateResource] role in the ACL of the Resource Reservations database.
2. From the Domino Administrator, click the Files tab.
3. From the Servers pane, select the server from which you want to work.
4. Open the Resource Reservations database, and then click Resources.
5. Open the Resource document that you are deleting, and click Delete Resource.
6. Click Yes and click OK.
To allow a Web user to delete a reservation in the Resource Reservations database, via a Web browser,
assign Editor access to that user in the database ACL of the Resource Reservations database. In a Web
view, the Move to Trash and the Empty Trash buttons are then enabled.
Reservations that are created manually or with Calendaring and Scheduling, can be deleted by a
requester with Editor access to the Resource Reservations database, a resource owner with Editor access
to the Resource Reservations database, or by a database manager with Editor access to the Resource
Reservations database and the CreateResource role.
Single-room, non-repeating reservations that are created manually in the Resource Reservations database
can be edited by the requester of the reservation, with Editor access to the Resource Reservations
database, if the reservation has a status of ″waiting for approval″ or if the reservation has been accepted.
Repeating room or resource reservations that are created manually cannot be edited.
You categorize Holiday documents according to a group name. For example, you may have a group
named ″Full-time″ that contains all the company holidays for full-time employees. The default Holiday
documents included with Lotus Domino have group names associated with countries or religions -- for
example, United States or Italy -- and the groups contain documents specific to holidays in each country.
As an administrator, you may want to modify or delete these documents to reflect your organization’s
needs. Then you can advise all users to import a specific group of Holiday documents.
To add a document to an existing group, select the group when you create a new Holiday document. To
create new groups, enter a new group name in the Holiday document. Remember that your users import
Holiday documents according to group name, not document name, so be sure to plan the organization of
documents in groups.
Title Action
Group Do one of these:
v Select a group from the list.
v Add a new group in the New keyword field and then click OK.
Title Enter the name of the holiday -- for example, Christmas
Repeat Specify how often the holiday repeats
v Monthly by Date
v Monthly by Day
v Yearly
v Custom -- If you choose Custom, enter one or more dates on
which the holiday repeats.
6. If you chose Custom in the Repeat field in Step 5, do not complete Step 6. Instead, go to Step 7.
Field Action
Start date Enter the date when the holiday first occurs. This date may be the
actual date of the holiday (such as New Year’s day) or it may be
the date from which to start the holiday. For example, if your
organization gives employees every other Friday off from June
through August, enter June 1 as the Start Date and select ″For″
from the Continuing field to specify an end date of August 31.
Continuing Choose one:
v Until -- Click Until and then enter a specific date in the ″Repeat
Until″ field.
v For -- Click For and then specify the number of months or years
during which the holiday repeats in the ″Repeat For″ field.
7. Complete this step only if you chose Custom in the Repeat field in Step 5.
Field Enter
Repeat Dates Enter the date or dates when the holiday occurs -- for example,
01/01/02, 01/02/2003.
(Applies only to Custom.)
Policies
Using a policy, you control how users work with Notes. A policy is a document that identifies a collection
of individual policy settings documents. Each of these policy settings documents defines a set of defaults
that apply to the users and groups to which the policy is assigned. Once a policy is in place, you can
easily change a setting, and it will automatically apply to those users to whom the policy is assigned.
Organizational policies
An organizational policy automatically applies to all users registered in a particular organizational unit.
For example, to distribute default settings to all users registered in Sales/Acme, create an organizational
policy named */Sales/Acme. Then when you use the Sales/Acme certifier ID to register a user, that user
automatically receives the settings in the corresponding organizational policy.
If you move a user within the hierarchical structure -- for example, because the user transfers from the
Sales department to the Marketing department -- the organizational policy for the corresponding certifier
ID is automatically assigned to the user. For example, if you move the user from Sales/Acme to
Marketing/Acme, all settings defined in the desktop, archiving, and security policy settings documents
associated with the */Marketing/Acme organizational policy are assigned to the user. The new policy
settings become effective the first time users authenticate with their home server.
313
Explicit policies
An explicit policy assigns default settings to individual users or groups. For example, to set a six-month
certification period for contract workers in all departments, create an explicit policy and then assign it to
each contract employee or to the group that includes all contract employees.
There are three ways to assign an explicit policy: during user registration, by editing the user’s Person
document, or by using the Assign Policy tool.
For information on assigning an explicit policy, see the topic ″Assigning an explicit policy,″ later in this
chapter.
Using Exceptions
You can assign an exception attribute to either an organizational or explicit policy. You use an exception
to allow the user to override a policy setting that is otherwise enforced throughout an organization.
When you create an exception policy, you specify only the settings that will not be enforced. Then when
you assign the exception policy, it exempts users from enforcement of those settings only.
Exception policies are a way to give someone in an organization special treatment, possibly because of
their position or job requirements. For example, the */Acme policy includes a Registration policy setting
that enforces a mail database quota of 60 MB. However, a small group of employees in Acme need to
exceed this quota. The solution is to create an ″exception″ policy that includes only a Registration policy
settings document, that does not set a quota limitation on the mail database. When this exception policy
is assigned to users, they can override the database quota setting. Because exception policies defeat the
enforcement of policy settings, use them sparingly.
In addition to organizational policies, users may also have explicit policies assigned to them. In that case,
the order of resolution is that all organization policy settings are resolved first, then any explicit policy
settings are resolved.
For example, if you want all users to use the same Internet mail name format, set that value in the
Registration policy settings document for the top-level policy. Once you have set this value, you do not
have to change it or reenter it in subsequent child policies. You simply ″inherit″ this value from the
parent by selecting the inherit option. However, if you have a select group of international users for
whom this setting is a problem, you can create an explicit policy that applies to the select group only. The
combination of the explicit and organizational policies together provide the control and the flexibility you
need.
There are two tools that help you determine the effective policy governing each user. The Policy Viewer
shows the policy hierarchy and associated settings documents, and a Policy Synopsis report shows the
policy from which each of the effective settings was derived.
The following figure shows a policy hierarchy. In this hierarchy, the policy at each organizational level
has set its own password quality setting.
In the following figure, Joe User inherits a password quality setting from a parent policy. Inheriting a
setting occurs in the child policy at the field level in a policy settings document.
Another way that a user ″inherits″ field-level settings is through enforcement. In the illustration below,
the password quality setting is enforced in the parent policy at the field level in the Registration policy
settings document. If settings are enforced in a parent policy, the settings at the child policy level do not
apply.
Domino uses dynamic configuration to deploy policy settings. When end-users authenticate with their
home servers, information stored in the policy settings documents is deployed (pushed down) to the
end-users. If one or more fields or tabs is set to allow end-user modifications, dynamic configuration does
not overwrite those policy settings. If a field or tab does not allow end users to modify the settings,
dynamic configuration deploys policies using the settings designated by the administrator who set up the
policy settings document.
To use a policy to assign a NOTES.INI value to Notes client users, use the Domino Designer to add a
new field to the desktop policy settings document. The new field must be named $PrefVariableName,
where VariableName is the name of the NOTES.INI variable you want to set. In the new field on the
desktop policy settings document, enter the value you want assigned to that NOTES.INI variable. That is
the value that is set in the NOTES.INI for the assigned Notes users.
For example, assume that you want to use a policy settings document to add a font size setting of 5 to
your NOTES.INI file. To change the font setting, do the following:
1. From the Domino Designer, open the desktop policy settings document form.
2. Create a new field named $PrefDisplay_font_adjustment.
3. Assign a value of 5 to the field $PrefDisplay_font_adjustment.
4. Save and exit.
To set a Location document setting using a policy document, add a new field to the desktop policy
settings document. The new field must be named LocAllVariableName, where VariableName is the name
of the fields you are setting in the Location documents. In the new field on the policy settings document,
enter the value you want assigned to that Location document field. That is the value that is then assigned
to all of the users’ Location documents.
Note: Some settings require that the Notes client be restarted in order for the settings to take affect.
For more information about adding the new field to desktop policy settings document, see the Domino
Designer documentation.
The Basics tab of the desktop policies settings document contains a Notes application plug-In section. Use
those settings to define whether IBM Workplace (TM) Collaboration Services or IBM Lotus Sametime will
provide instant messaging services. When you use a policy to define how these services are provided,
users cannot change them using the File - Preferences - User Preferences - Instant Messaging menu
choices. Those menu choices are inactive when the policy settings are invoked.
Note: The Notes application plug-in works only with the IBM Workplace Managed Client. You cannot
use it with other Eclipse applications.
For more information about the Notes application plug-in and the desktop policy settings document, see
the topic ″Creating a desktop policy settings document″ in this chapter.
Creating policies
Creating a policy is a two-step process. If you create an organizational policy, it automatically applies
when you register users. If you create an explicit policy, you assign it manually during user registration,
in the Person document or by using the Policy Assignment tool.
For more information on assigning explicit policies, see the topic ″Assigning an explicit policy,″ later in
this chapter.
1. Create one or more of the following policy settings documents to define default settings that you
want to assign to users:
v Registration policy settings
v Setup policy settings
v Desktop policy settings
v Security policy settings
v Archive policy settings
v Mail policy settings
2. Create a Policy document, which identifies specific policy settings.
For more information on user registration settings, see the chapter ″Setting Up and Managing Notes
Users.″ For more information about the password quality scale, see the chapter ″Protecting and Managing
Notes IDs.″
Field Action
Name Enter a name that identifies the users that use these settings.
If you are a server provider, enter the name of the hosted organization.
Description Enter a description of the settings.
Choose a registration server Select the registration server from the list.
Choose a password quality Select a password quality level.
5. If you are setting up roaming users, choose ″Roaming User,″ and then complete these fields. If you
are a service provider, note that ″Roaming User″ is not supported for hosted organizations.
Field Action
Use mail server for roaming server Do one:
v Select to store the user’s roaming information on the same server used
for mail.
v Deselect and enter the name of the server to store the user’s roaming
information.
Create roaming files options Choose one:
v Create roaming files now -- to create the user’s roaming files during
user registration.
v Create roaming files in background -- to use the Administration
Process to create the user’s roaming files after user registration.
Cleanup options Choose one:
v Do not clean up -- No cleanup is performed on roaming user files.
v Clean up every N days -- Specify a number between 0 an 365.
v Clean up periodically -- Cleans up files when Notes is shut down.
v Prompt for user clean up -- The user is prompted on exiting the client
as to whether they want to clean up their personal files. If the user
chooses Yes, the data directory on that client workstation is deleted. If
the user chooses No, the user is prompted as to whether they want to
be asked again on that client. If the user chooses No, the user is not
prompted again. If the user chooses Yes, the user is prompted again
the next time the user exits the client on that workstation.
Field Action
Choose the mail system Choose a mail system.
v If you are a service provider, choose Lotus Notes only if you run
Domino Off-Line Services (DOLS) in the hosted organization.
v If you choose Other, Other Internet, or None, continue with Step 8.
Mail server Choose the server that stores the user’s mail file.
v If your organization supports DOLS, choose a DOLS-enabled server.
Mail template Choose one:
v MAIL7.NTF -- if the organization uses Lotus Notes, POP3, or IMAP.
v DWA7.NTF -- if the organization uses Domino Web Access.
v Your organization’s custom mail template
Create mail file Choose one:
v Create mail file now -- to create the mail file immediately.
v Create mail file in the background -- to use the Administration Process
to create the mail file. Choose this option if you are creating many
mail files at once.
Field Action
Internet Domain Enter the Internet domain (or, if you are a service provider, the Internet
domain for the hosted organization). This domain becomes part of the
Internet address that is added to the Person document for each user who
receives Internet mail.
Choose an Internet address format Choose the address format for Internet mail.
Choose an Internet address separator Choose the separator character to use in the user’s name portion of the
Internet address.
Field Action
Mail file owner access Choose the access level. The default is Editor with delete rights.
Note: This is a change from previous versions of Domino in which the
default mail owner access was Manager. The change was made to
prevent users from accidentally deleting mail files.
Create full text index (Optional) Check this option to allow users to perform a full-text search
on their mail files. The default is unchecked.
9. Click the ID/Certifier tab. In the ″Create a Notes ID″ field, do one:
v Uncheck the field if you do not want to create Notes IDs for users, and then continue with Step 9.
Field Action
Security Type Choose North American or International
Public Key Specification Choose one:
v Compatible with all releases (630 bits)
v Compatible with 6.0 and later (1024 bits)
Password Key Width Choose the password key width (password encryption strength). The
encryption key that protects the Notes keys that are stored in the user ID
file is derived from the password. The stronger the encryption strength of
the password, the stronger the encryption key that protects the Notes keys.
v Base strength on RSA key size -- encryption strength is determined by
the size of the RSA key stored in the ID file. If the RSA key size is less
than 1024 bits, the password encryption strength is 64 bits; if RSA key
size is 1024 or greater, the password key size is 128 bits.
v Compatible with all releases (64 bits)
v Compatible with 6.0 and later (128 bits)
Certificate Expiration Date Choose one:
v Static date -- and then enter an expiration date. The default static date is
24 months from the creation.
v Months from user creation -- and then enter the number of months. The
default is 24 months.
Location for storing user ID Choose one or more:
v In Domino Directory -- to store the ID in the user’s Person document.
v In File -- and then click ″Set ID File″ to select the path and specify the
location to store the ID.
v In Mail File -- to store the ID in the user’s mail file.
For more information on security types, see the chapter ″Encryption and Electronic Signatures″ For
more information on the password quality scale, see the chapter ″Protecting and Managing Notes
IDs.″
10. Click the Miscellaneous tab, and complete any of these fields:
Field Action
Group assignments Choose the group to which you will add all users you register using these
registration settings. Leave this field blank if you are not registering all
users into one group.
Local administrator Enter the name of the administrator.
If you are a service provider, enter the name of the administrator at the
hosted organization in this format:
Before you create a setup policy settings document, set up the Domino system for any or all of the
following:
v Domain search server
v Web Navigator and InterNotes server
v Databases you want to add to the user’s bookmarks in the Favorites folder
v Mobile directory (or client directory) catalogs
v Passthru servers, LAN servers, Internet servers, and remote servers
v TCP/IP and NDS Notes name servers
v Host domains where Java applets are assumed to be safe
v Proxy servers
Field Action
Name Enter a name that identifies the users (and, if you are a service provider, the
hosted organization) that use these settings.
Description Enter a description of the settings.
Catalog/Domain Search server Choose the name of the server used for domain searches.
Directory server Enter the name of the server whose Domino Directory you want users to use.
IBM Lotus Instant Messaging Enter the name of the server used to connect to IBM Lotus Instant Messaging.
server
Local mailfile Choose this option to create a local copy of the user’s mail file.
Internet browser Choose the Internet browser used from this location.
5. On the Databases tab, complete one or more of these fields to add databases to the user’s workspace:
Field Action
Default databases added to Create a link for each database to add to the user workspace.
bookmarks Note: If the server that stores a database is down during setup, a bookmark
will not be created.
Create As new replicas on user’s Create a link for each database to add as a new replica to the user workspace.
machine
Mobile directory catalogs Create a link for each mobile directory catalog to add automatically to the user
workspace.
Field Action
Trusted hosts Enter the name of trusted hosts.
Network access for trusted hosts Choose one:
v Disable Java
v No access allowed
v Allow access only to originating host
v Allow access to any trusted host
v Allow access to any host
Network access for untrusted hosts Choose one:
v Disable Java
v No access allowed
v Allow access only to originating host
Trust HTTP proxy Choose one:
v Yes
v No
To use a desktop policy settings document to enforce the settings specified in the setup policy settings
document, specify the same settings in a desktop policy settings document. For example, to ensure that
the IBM Lotus Sametime server specified in the setup policy settings document remains the same each
time the user logs in, enter the IBM Lotus Sametime server name in both the setup and desktop policy
settings documents.
You can use a desktop policy settings document to add or set NOTES.INI variables for Notes client users.
This is an easy way to assign NOTES.INI variables to all Notes client users, or to a specific subset of
Notes client users, at one time.
For more information about using policies to assign NOTES.INI variables to Notes client users, see the
topic Using policies to assign NOTES.INI settings to Notes client users.
To use a desktop policy settings document to add to or update the user’s desktop workspace, change the
setting in the desktop policy settings document. For example, to change the IBM Lotus Sametime server
For information about the Smart Upgrade Tracking Reports database, see the topic ″Smart Upgrade
Tracking Reports database″ in the Setting up Notes Users chapter.
Use a desktop policy setting document to modify user Location documents, and to create Connection
documents for dial-up connections that simplify server connections.
You also use a desktop policy settings document to manage and update bookmarks. You can, for
example, set up a bookmark hierarchy for Notes users by creating an outline of bookmarks that includes
folders and links such as database links, document links, and URL links. You can create folders that have
links within the folders. All of the folders and bookmarks in the outline are then placed on the Bookmark
Bar of the Notes client. To add bookmarks to an existing folder on the user’s desktop, such as More
Bookmarks, include the folder in the bookmark outline. Any links included in that folder are merged
with the corresponding folder in the Notes client. You can also create a folder called ″Startup″ that
includes links that open automatically every time the user logs in to Notes.
You can also set user preferences, usually set by Notes users. If you set user preferences, Notes users will
still be able to change their preferences, but the changes will be only temporary. The next time the
desktop policy is enforced, their preferences will be reset to the original policy settings.
The desktop policy settings document includes a Notes Application Plug In section on the Basics tab. Use
these settings to specify whether instant messaging services are provided by IBM Workplace
Collaboration Services, or by IBM Lotus Sametime. You also specify whether instant messaging name
resolution (converting Notes names to Internet names) is performed by IBM Workplace Managed Client
or the Domino Directory. To use the IBM Workplace Managed Client for name resolution, you must have
specified IBM Workplace Collaboration Services as the infrastructure to use to connect to instant
messaging. These settings can also be specified using NOTES.INI settings $USE_ST_IM and
WCT_IM_USE_LOOKUP instead of policies.
Note: If the desktop policy settings document is saved with the default settings selected for the fields in
the Notes Application Plug In section, the ″Use IBM Lotus Sametime instant messaging″ user preference
is de-selected each time the user exits the Notes client. To avoid this, choose IBM Lotus Sametime in the
Instant Messaging Provider field (to always use Sametime) or choose Don’t Change so that the policy
does not affect the current instant messaging selection. The user preferences are in Workplace Managed
Client, File - Preferences - User Preferences.
For more information about the NOTES.INI settings, see the appendix, ″NOTES.INI File.″
Note: An important user preference about which administrators should be aware is the option to ″use
canonical name for instant messaging status lookup.″ Enabling this setting for users lets them display
online awareness for names when your IBM Lotus Sametime server is configured to lookup Notes
canonical hierarchical names (for example CN=John Smith/OU=Sales/O=Acme) instead of Note
abbreviated hierarchical names (for example John Smith/Sales/Acme). (The feature described here is
available only if your company has an IBM Lotus Sametime server, and only for Windows versions of
IBM Lotus Notes.) Enable this setting in Preferences - Instant Messaging.
Field Action
Corporate Welcome Pages Add the database link to the database containing custom welcome pages
database and/or custom My Work pages.
Note: You cannot use the Web Administrator to create links.
Default Welcome page Do one:
v Select the welcome page that users see when they start Notes.
v Select Workplace if you want users to see and use the My Work Welcome
page for Notes instead of a default or custom Welcome page.
v Select ″No default Welcome Page″ if there is no default welcome page.
(default)
Homepage selection For the field ″Do not allow users to change their home page″ do one:
v Check to prohibit users from choosing their own home page. If you check this
check box, users cannot change the welcome page or the My Work page to
anything other than what is defined in the policy. The drop-down list is
greyed out.
v Uncheck (default) to allow users to change their home page.
For more information about welcome pages, see the chapter ″Setting Up and Managing Notes
Users.″
6. Enable or disable the option to allow users to create private location documents.
7. If you are using the Notes Application Plug-in, complete these fields to set up instant messaging:
Field Action
Allow users to change the settings in this section Use this field to designate whether end users can modify
the settings in this section of the document. This is part
of the client policy lock-down feature.
8. Specify whether to allow Private Location documents. A private location document is created by a
user, who designates who can use that document in the Only for user field on the Advanced - Basics
tab of the the Location document.
9. In the Server Options section, complete these fields:
Field Action
Catalog/Domain Search server Choose the name of the server used for domain searches.
Directory server Enter the name of the server whose Domino Directory you want users to use.
IBM Lotus Instant Messaging Enter the name of the server used to connect to IBM Lotus Instant Messaging.
server
Local mailfile Choose this option to create a local copy of the user’s mail file.
Internet browser Choose the Internet browser used from this location.
Retrieve/open pages If you chose Notes or Notes with Internet Explorer as the Internet browser,
choose the location from which to run the Web Retriever process.
10. Under Mail Template Information, complete these fields if you are converting from a previous
Domino mail template:
Field Action
Prompt user before upgrading mail file Do one:
v Check yes to inform users before upgrading their mail
files. Allows users to defer upgrade.
v Uncheck (default) to upgrade without notification.
Old design template name for your mail files The default asterisk (*) uses any mail template.
11. Under Internet Browser, choose the Internet browser used from this location. If you chose Notes or
Notes with Internet Explorer as the Internet browser, choose the location from which to run the Web
Retriever process.
12. Under Calendaring and Scheduling, complete this field:
Field Action
Reschedule repeating meetings using resettles feature Enable to allow users to reset repeating meetings that
have been rescheduled with different start and end times
to the same start and end time. This is disabled by
default.
13. On the Smart Upgrade tab, complete these fields according to whether you use the Smart Upgrade
feature, and if you are using it, according to how you use it.
Field Action
Upgrade deadline If you use Smart Upgrade, use mm/dd/yyyy format to enter the date by which
users must upgrade. If users to do not upgrade by this date, the upgrade
happens automatically.
Remind me every hour after Check this field if you want to send an hourly reminder to users who have not
″upgrade deadline″ has passed updated their clients by the deadline set in the field ″Upgrade deadline.″
Mail-in Database for Smart Enable Smart Upgrade Tracking for the user by selecting the mail-in database
Upgrade reports: name.
14. On the Databases tab, complete one or more of these fields to add databases to the user’s workspace:
Field Enter
Create As new replicas on user’s Create a link for each database to add as a new replica to the user workspace.
machine
Mobile directory catalogs Create a link for each mobile directory catalog to add automatically to the user
workspace.
Bookmarks to merge with users’ Drag and drop or copy links to add to the user’s bookmarks. Arrange links in
bookmarks the order you want them to display. However, do not add any links above the
Favorites folder, because they will be added to the bottom of the user’s
bookmarks list.
15. On the Dial-up Connections tab, enter information about the default passthru and other remote
servers.
16. On the Accounts tab, enter the default account information for Internet servers.
17. On the Name Servers tab, enter the names and addresses of secondary TCP/IP, NDS and NetBIOS
Notes name servers. If you want users to be able to change the settings you specify on this tab, click
the check box ″Allow users to change the settings on this tab.″
18. On the SSL tab, complete these fields:
Field Enter
Accepts SSL Site certificates Choose one:
v Yes to allow the server to accept the site certificate and
use SSL to access an Internet server, even if the
Domino server does not have a certificate in common
with the Internet server.
v No to not allow this server to accept site certificates.
Accept expired SSL certificates Choose one:
v Yes to allow clients to access the server, even if the
client certificate is expired.
v No to not allow clients to access the server with
expired client certificates.
Field Action
Trusted hosts Enter the name of trusted hosts.
Network access for trusted hosts Choose one:
v Disable Java
v No access allowed
v Allow access only to originating host
v Allow access to any trusted host
v Allow access to any host
Network access for untrusted hosts Choose one:
v Disable Java
v No access allowed
v Allow access only to originating host
Trust HTTP proxy Choose one:
v Yes
v No
20. On the Proxies tab, enter the default proxies to assign to users.
21. On the Mail tab, choose the format to use for messages to Internet addresses.
22. On the Preferences tab, choose user preferences.
23. On the Diagnostics tab, if you want to enable automatic diagnostic collection on clients, complete
these fields:
Field Action
Mail-in database for diagnostic reports Click the arrow in the field and then select the database
to which the diagnostic reports from client crashes are
to be mailed and then click OK.
For more information about automatic diagnostic data collection on clients, see the chapter
″Transaction Logging and Recovery.″
24. Save the document.
For information about user preferences, see Lotus Notes 7 Help.
Field Action
Name Enter a name that identifies the users (and, if you are a service provider, the
hosted organization) that use these settings.
Description Enter a description of the settings.
Field Action
Password management options
Use custom password policy for Choose one:
Notes clients v No (default)
v Yes - to implement a custom password policy. Custom password policies enable
you to configure specific password parameters so that passwords are not trivial
or predictable. Use settings on the ″Custom Password Policy″ tab to set up the
policy.
Check password on Notes ID Choose one:
file v No (default)
v Yes - to require that all copies of the user ID have the same password
Allow users to change Internet Choose one:
password over HTTP v Yes (default) -- to allow users to use a Web browser to change their Internet
passwords.
v No
Update Internet password when Choose one:
Notes client password changes v No (default)
v Yes -- to synchronize the user Internet password with the Notes client
password.
Enable Notes single logon with Choose one:
Workplace Rich Client v No (default)
v Yes - to allow users to enable single logon with the Notes plug-in for the IBM
Workplace rich client
Password expiration settings
CAUTION:
Do not enable password expiration if users use Smartcards to log in to Domino
servers.
Required change interval Specify the number of days for which a password is valid before it must be
changed. Default is 0.
Note: If you set this value to less than 30, the value for the ″Warning period″ field
is calculated automatically. The calculated value is 80% of the value entered for
this field.
Allowed grace period Specify the number of days that users have to change an expired password before
being locked out. Default is 0.
Password history (Notes only) Specify the number of expired passwords to store. Storing passwords prevents
users from reusing old passwords. Default is 0.
Warning period Specify the number of days prior to password expiration at which the user
receives an expiration warning message. Default is 0.
Note: The value of this field is calculated if the ″Required change interval″ setting
is set at less than 30 days. Password expiration must be enabled in order for the
value of this field to be calculated. If this value is calculated, it cannot be
overwritten.
Custom warning message Enter a custom warning message that will be sent to users whose password has
passed the expiration threshold specified in the Warning Period field.
Note: The custom warning message is for Notes clients only, regardless of how
you enabled password expiration. Internet users do not see the warning message.
Password quality settings
Required password quality If you require users to choose passwords based on password quality, specify that
quality by choosing a value from the drop-down list.
For more information on password quality, see the chapter ″Protecting and
Managing Notes IDs.″
Use length instead If you require users to choose passwords based on length, click Yes. When you do,
the ″Required Password Quality″ field changes to ″Required password length.″
Specify the minimum password length here.
6. If you have chosen to implement a custom password policy, complete these fields on the Custom
Password Policy tab.
Field Action
Change password on first Notes client use Require users to change their passwords the first time they
log in using Notes.
Note: This only works if the policy is applied during user
registration.
Allow common name in password Allow combination of common name of user to be used in
passwords. For example: John232 is the password for user
CN=John Doe/O=Mutt, where the common name is John
Doe.
Password length minimum Specify the minimum number of characters that users can
have in their passwords
Password length maximum Specify the maximum number of characters that users can
have in their passwords
Password quality minimum Specify the minimum password quality value that users
can have for their passwords
Minimum number of alphabetic characters required Specify the minimum number of alphabetic characters that
users are allowed to have in their passwords
Minimum number of upper case characters required Specify the minimum number of uppercase characters that
users are allowed to have in their passwords
Minimum number of lower case characters required Specify the minimum number of lowercase characters that
users are allowed to have in their passwords
Minimum number of numeric characters required Specify the minimum number of special characters, namely
punctuation, that users are allowed to have in their
passwords
Minimum number of special characters required Specify the minimum number of special characters, namely
punctuation, that users are allowed to have in their
passwords
Maximum number of repeated characters required Specify the maximum number of repeated characters, of
any kind, that are allowed in user passwords.
Minimum number of unique characters required Specify the minimum number of characters that appear
only once in a password
Minimum number of non-lower case characters Specify the minimum number of special characters,
required numbers, and upper case characters that you require in
user passwords. A higher value here makes passwords
more difficult to guess.
7. Complete the fields on the Execution Control List tab to configure the Administration ECL.
Field Action
Admin ECL The default administration ECL is the default value for this field.
Choose one:
v Edit -- to edit the default administration ECL.
v New -- to create a new administration ECL. Enter the name of the new ECL and
choose options in the Workstation Security: Execution Control List dialog box.
The name of the new ECL appears in this field.
Update Mode Choose one:
v Refresh -- to update workstation ECLs with changes made to the
Administration ECL. If a setting appears in both the administration and
workstation ECL, the administration ECL setting overrides the workstation ECL
setting.
v Replace -- to overwrite the workstation ECL with the Administration ECL. This
option overwrites all workstation ECL settings.
Update Frequency Choose one:
v Once Daily -- to update the workstation ECL when the client authenticates with
the home server and either it has been a day since the last ECL update or the
administration ECL has changed.
v When Admin ECL Changes -- to update the workstation ECL when the client
authenticates with the home server and the administration ECL has changed
since the last update.
v Never -- to prevent the update of the workstation ECL during authentication.
8. Complete the fields on the Keys and Certificates tab to configure key rollover for groups of users. You
specify triggers that initiate key rollover for a group of users. You have the option of spacing out the
rollover process over a specified period of time for the group of users to which this policy applies.
For more information on key rollover, see the chapter ″Protecting and Managing Notes IDs.″
Field Action
Default Public Key v Inherit public key requirement settings from parent policy
Requirements
v Enforce public key requirement settings in child policies
User Public Key Requirements
Minimum Allowable Key Choose one. Keys weaker than the one specified will be rolled over:
Strength v No minimum.
v Maximum compatible with all releases (630 bits).
v Compatible with Release 6 and later (1024 bits).
Maximum Allowable Key Choose one. Keys stronger than the one specified will be rolled over.
Strength v Minimum (512 bits)
v Maximum compatible with all releases (630 bits).
v Compatible with Release 6 and later (1024 bits).
Preferred Key Strength Choose the preferred key strength to use when creating new keys:
v Minimum (512 bits).
v Maximum compatible with all releases (630 bits).
v Compatible with Release 6 and later (1024 bits).
Maximum Allowable Age for Specify the maximum age a key can reach before needing to be rolled over.
Key (in days) Default is 36500 days (100 years).
Assigning an existing Admin ECL to a security settings document: It is possible to assign an existing
Admin ECL to a security settings document by doing the following:
1. In the Security Settings document, click Execution Control List.
2. Click Edit Settings.
3. Click New, and enter the name of the Admin ECL you want to assign to the Security Settings
document. The Admin ECL appears.
4. Click OK.
For more information about Notes and Internet passwords, see the chapters ″Protecting and Managing
IDs″ and ″Setting Up Name-and-Password and Anonymous Access to Domino Servers.″
For more information about administration and workstation ECLs, see the chapter ″Protecting User
Workstations With Execution Control Lists.″
The mail policy settings document contains fields that allow you to specify when a setting is to be
applied and whether end-users can modify the setting.
v Allow user to change -- Click the Allow check box to permit the user to change the setting that you
specified for the field. If you do not check the Allow check box, the user must use the setting that you
specify and is not allowed to make changes to the setting. This setting is part of the client policy
lock-down feature.
v When to Apply this setting -- Use this field to specify when the setting should be applied: Don’t
change, Always, or Initially.
The effective mail policy for a user is stored in that user’s mail database in the calendar profile. The
administration process writes the mail policy to the calendar profile. The administration process checks
for mail policy updates every 12 hours, and when necessary updates the user mail files according to the
changes in the mail policy settings document.
Message disclaimers and character sets: As previously mentioned, message disclaimers can be added
by the server or by the client.
The client adds message disclaimers prior to converting the character set; therefore, the client process for
determining Internet character sets for MIME messages has not changed.
v If the client is configured to disclaim and send Notes RTF messages to the Internet, the client adds the
disclaimer to the message and sends it. When the client adds the message disclaimer, it marks the
message as ″disclaimed.″ The Domino server converts the message from Notes RTF to MIME format
and determines the Internet character set for the message. The Domino server does not disclaim the
message because the client has already marked the message as disclaimed.
v If the client is not configured to disclaim messages, the Domino server disclaims the message as
described. If necessary, the server converts the RTF message to a MIME format message.
When message disclaimers are added by the server, Domino determines the Internet character sets for the
message text and the message disclaimer. If the character sets are the same, Domino adds the message
disclaimer and the message is sent. If the two character sets differ, Domino determines which character
set to use as follows:
v If the ″Multilingual Internet mail″ setting is Use Best Match, Domino uses either the message text’s
character set or the disclaimer’s character set according to which character set best represents the
characters. Any characters that cannot be represented by the correct character are represented by a
substitute character -- typically a question mark (?). Domino then sends the message.
v If the ″Multilingual Internet mail″ setting is Use Unicode (UTF-8), Domino re-codes the message text
and disclaimer text as UTF-8 and sends the message.
Field Action
Name Enter a name that identifies the users that use these
settings or that describes the purpose of these settings.
Description Enter a description of the settings.
5. Complete these fields on the Mail File Preferences - Mail - Basics tab:
Field Action
Allow users to change mail file ownership Click the Allow check-box to allow users to change their
mail file ownership setting. Users will be able to modify
the assigned ownership of their mail files.
Automatically check mail messages for misspellings Click Yes to enable the checking of email messages for
before sending misspellings prior to sending the message.
6. On the Mail File Preferences - Mail - Letterhead tab, click Yes to set a default letterhead for users
mail messages. Select the default letterhead from the list of available letterheads. If you do not want
to set a default letterhead for users, do not check the Yes check box.
7. Complete these fields on the Mail File Preferences - Calendar & To Do - Basics tab:
Field action
Double-clicking on a time slot in calendar creates a Select the default form (meeting, appointment,
anniversary, reminder, or all day event) to open when you
double-click a time slot to create a new Calendar entry.
Duration of a new appointment or meeting (in minutes) Enter a new default duration for new appointment entries
and meeting invitations.
Default is 60 minutes.
Anniversaries repeat for (in years) Enter a new default period for new anniversary entries to
repeat.
Default is 10 years.
8. Complete these fields on the Mail File Preferences - Calendar & To Do - Display tab:
Field Action
How the Calendar view is displayed
Beginning of the work day Beginning of the work day - Specifies the start time for
the first time slot that displays in the calendar. For
example, if you choose 8:00 AM, the calendar displays 8
00 AM as the start time for the first time slot for each day.
End of the work day End of the work day -- Specifies the end time for the last
time slot that displays in the calendar. For example, if you
choose 6:30 PM, the calendar displays 6:30 PM as the end
time for the last time slot each day.
Each time slot lasts Each time slot lasts -- Choose either 60, 30, or 15 minutes
according to the degree of detail you want users to be
able to specify when designating the duration and time of
a meeting. For example, if you choose 15 minutes,
meetings can be set in as few as 15 minute increments.
9. Complete these fields on the Mail File Preferences - Calendar & To Do - Scheduling tab:
Field Action
Your Availability Use this setting to establish the user’s free-time schedule.
Select the days of the week the user is available, then
specify the hours the user is available for each selected
day.
When adding an entry to your calendar
Check for conflicts when adding appointments, Click Yes if you want Notes to check for conflicts when
accepting meetings, scheduling a new meeting users are adding appointments, accepting meetings, and
scheduling a new meeting.
Note a conflict if entry occurs outside available hours Click Yes to show a conflict if someone attempts to
described above schedule a meeting for a time that is not available
according to the user’s preferences.
10. Complete these fields on the Mail File Preferences - Calendar & To Do - Alarms tab:
Field Action
Enable/Disable Alarms
Enable the display of alarm notifications Click Yes to allow alarm notification to display. Alarms
generate mail or audio reminders.
Default alarm settings when creating a new entry Select the default alarm settings for events
(appointments/meetings, anniversaries, reminders, or all
day events or todos) to apply when creating a new entry.
These display only when ″Enable the display of alarm
notifications″ has been set to ″Yes″.
How far in advance For meetings, appointments, and reminders enter the
number of minutes in advance that the alarm can be set.
For events, anniversaries, and to do items, enter the
number of days in advance that the alarm can be set.
These display only when ″Enable the display of alarm
notifications″ has been set to ″Yes″.
11. Complete these fields on the Mail File Preferences - Calendar & To Do - To Do tab:
Field Action
Hide To Do entries in the calendar Click Yes to prevent To Do entries from displaying in the
Calendar.
Allow Notes to update To Do status and dates for Click Yes to allow Notes to display incomplete To Do’s
incomplete entries on the current day in the Calendar.
12. Complete these fields on the Mail File Preferences - Calendar & To Do - Auto Process tab:
Field Action
Enable automatic responses to meeting invitations Click Yes to allow Notes to automatically process
meeting invitations from all or some users.
13. Complete these fields on the Mail File Preferences - Calendar & To Do - Rooms & Resources tab:
Field Action
Default Reservation settings for choosing site
Preferred site Enter the name of the preferred meeting site.
Use the preferred site as the default in the Find Room Click Yes to set the preferred site as the default entry in
and Find Resource dialogs the Find Room and Find Resources dialog boxes.
Prompts to reset your preferred site when scheduling Click Yes to prompt users to reset their default preferred
within a site that is not your current preferred site site when scheduling within a site that is not the
preferred site.
Default Meeting Settings For Rooms Choose one:
v Prompt me to add rooms to my list when scheduling
meetings -- To prompt the user to specify whether
they want to add additional rooms to their preferred
list of rooms. If they answer Yes, they can select the
rooms to add.
v Always add rooms to my list when scheduling
meetings -- To allow Notes to automatically update the
user’s preferred list of rooms whenever additional
rooms are available.
v Never add rooms to my list when scheduling meetings
-- Never permit Notes to update the user’s preferred
list of rooms.
Default Meeting Settings for Resources Choose one:
v Prompt me to add resources to my list when
scheduling meetings -- To prompt the user to specify
whether they want to add additional resources to the
preferred list of resources. If they answer Yes, they can
select the resources to add.
v Always add resources to my list when scheduling
meetings -- To allow Notes to automatically update the
user’s preferred list of resources whenever additional
resources are available.
v Never add resources to my list when scheduling
meetings -- Never permit Notes to update the user’s
preferred list of resources
14. Complete these fields on the Mail File Preferences - Access & Delegation - Access to Your Mail &
Calendar tab:
15. Complete these fields on the Mail File Preferences - Access & Delegation - Access to Your Schedule
tab:
Field Action
Who is allowed to see it? You can designate how much of, or whether, a user’s
schedule information appears when other people
schedule meetings and click Scheduler to check for your
busy and free times.
Choose one:
v Everyone may see your schedule information --
Everyone can view this user’s schedule.
v No one may see your schedule information -- No one
can view this user’s schedule.
What schedule information they can see Choose one:
v Only information about when you are busy and
available -- Default setting. Designated individuals just
see time periods designated as busy time or available
time.
v Detailed information about your calendar entries. --
Designated individuals can view detail information in
your schedule. The field ″Do not include the subject of
a calendar entry when detailed information is made
available″ displays.
Field Action
Notes client can add disclaimers Choose one:
v Enabled -- To allow message disclaimers to be added
by the Notes client.
v Disabled -- To prevent message disclaimers from being
added by the Notes client. (Message disclaimers can
still be added by the server if the Message Disclaimers
setting is Enabled on the server’s Configuration
Settings document.)
Choose one:
v Plain text -- When adding the disclaimer text in plain
text format.
v HTML -- When adding the disclaimer text in HTML
format.
Note: Enter the HTML tags when you are entering the
text of the message disclaimer. Image files are not
supported in HTML message disclaimers.
Disclaimer position Choose one:
v Append -- To add the message disclaimer at the end of
the mail message.
v Prepend -- To add the message disclaimer at the
beginning of the mail message.
Multilingual Internet mail The character set for Internet mail must be correct for the
message that is created from both the mail message text
and the message disclaimer text. This setting applies to
message disclaimers added by the server.
Choose one:
v Use Best Match --Use this option if you think the mail
recipients’ mail programs can not read Unicode
character sets.
v Use Unicode (UTF-8) -- Unicode is the preferred
method of sending messages in multiple languages.
Use this option if you think the mail recipients’ mail
programs can read Unicode character sets.
17. On the Comments tab, enter or modify comments regarding this policy settings document.
18. On the Administrator tab, enter or select the Owners and Administrators of this document.
19. Click Save & Close.
The mail archive database is a Notes database, and can be accessed like any other Notes database. The
views in a user’s mail archive mirror the views in the mail file and includes all the folders that exist
when mail is archived. So users can find and retrieve archived messages easily from within their archive
database. When a document has one or more responses, the entire document hierarchy is archived.
You can also use archiving policy settings to define a document retention policy for your mail files. With
document retention, you define the criteria for old documents, and then simply delete them from the
mail database without archiving them.
How mail file archiving works: Mail file archiving is a three-step process that includes document
selection, copying files to an archive database, and mail file cleanup.
v Document selection -- choosing which documents to archive based on activity and on folder selection.
For example, you can define an old document as a one that has not been modified for 365 days. You
can then archive all documents that match that criteria, or you can archive only documents in specific
folders that match that criteria.
v Copying -- copying selected documents from the source mail file to an archive database destination.
v Mail file clean up -- reducing the size of the source mail file by deleting archived documents or
reducing them in size. You can reduce the size of the document by first removing attachments, and
then leaving only the header information or leaving the header information and a portion of the mail
document.
Client-based and server-based archiving: When you use policies to manage archiving, you use either
server-based archiving or client-based archiving. In either case you can archive to a server. The terms
server-based or client-based refer to where the archiving process occurs, either on a server or on the
client’s workstation. If you choose to archive on a server, you must create a program document to run the
Compact server task. If you choose client-based archiving, however, the workstation must be running in
order to archive documents. If archiving is scheduled at a time during which the workstation is not
running, archiving will not occur. You can archive mail files to the following:
v Server-based archiving -- Using this option, the mail server archives to the mail server itself, or to
another server that you designate as the archive server.
v Client-based archiving -- Using this option the individual workstations process mail file archiving.
Depending on where the mail file resides, either on a mail server or on their individual workstations,
mail is archived to the mail server, a designated server, or to their local workstations.
For more information on using a program document to run the Compact server task, see the chapter
″Improving Database Performance.″
An example of using policies to manage mail file archiving: Acme’s administrator is happy to learn of
policy-based archiving because of these issues with archiving mail files:
v Space is tight on the mail server.
v Acme needs a centralized archive server.
v Archiving cannot occur during peak work hours.
v End users must not be allowed to control their archive settings.
v Lotus Notes 7 clients will not be rolled out immediately.
To resolve the problems to Acme’s archiving issues, the administrator uses these Archive policy settings,
and applies them to all users, via organizational policies.
v Archive settings are centrally managed and enforced by the administrator; users are prohibited from
changing or creating archive settings.
v Server-based archiving is enabled from a mail server to a designated archive server.
v The designated archive server is a Domino 7 server so that policies can be enforced in a mixed
environment.
v Archiving is scheduled to occur during off hours.
v Optionally, pruning (removing attachments and body of mail, but leaving header information intact)
might be helpful, depending on how tight space is on the mail server.
Using the mail archive log: To monitor mail document archiving, you can log archiving activity to an
archive log database. Information stored in a user’s Archive Log include the log date, the number of
You can use the mail archive log, for example, to track a document you thought was deleted. You can
easily scan the Archive Log to see if the document was archived. And since the archive log provides links
to archived documents, you can access the archived document from within the archive log.
Specifying the name and location for the Archive Log database: By default, the archive log database is stored
in c:\notes\data\archive, where archive is the default name for the archive directory. The default name
format for a user’s archive log database file is l_xxxx.nsf, where l_ is the prefix and xxxx is the name of
the user’s mail database. The name of the log database is based on a specified number of characters (the
default is 6) from the user’s ID. For example, for the end user John Smith, whose ID is jsmith, the archive
log database name is l_jsmith.nsf.
For more information about the type of information stored in an Archiving Log, see the chapter
″Improving Database Performance.″
Archive log file title: When a user archives a mail database to an archive log file, the log file title reflects
the name of the user’s mail file. The user can then manually change that log file name if desired. If
logging is turned off for mail archiving, this does not apply.
Creating an archive policy settings document: To set up mail file archiving, you use both archive and
archive criteria policy settings documents. The archive policy settings document enables you to specify
archive policy parameters -- or not specify parameters -- as well as to specify whether Notes users can
archive mail databases, and whether they can set or modify archive settings.
To prohibit all archiving, select the ″Prohibit Archiving″ setting and apply the policy to a set of users. If
you choose to prevent private archiving, users cannot change these settings or create private archive
settings.
If you allow archiving, use the archive policy settings document to define whether archiving is performed
by a server or by a user’s client, and to specify source and destination archive systems. If archiving is
client-based, you can also set the archive schedule. If you choose to, you can change the name and
location of the default archive log file. You can also set a policy designating that archiving is done by the
user’s client, and allow the user to define the schedule and archiving criteria.
Note: If you choose ″Archiving will be performed on a server,″ you must create a program
document to run the compact task.
For more information on using a program document to run the Compact server task, see the chapter
″Improving Server Performance.″
7. Under ″Archive source database is on,″ specify the server or workstation on which the mail file that
will be archived is located. Choose one:
v Local -- if the mail file is on the user’s workstation, of if the user has opened a replica of their
mail file. The replica may reside on a client or a server. Local applies to the mail file the user has
open and from which they issue any archiving commands.
v Specific server -- if the mail file is on a server other than the user’s designated mail server. Specify
the name of the server.
v Mail server -- if the mail file is on the mail server specified in the user’s Location document
(default).
8. Under ″Destination database is on,″ specify the server or workstation on which the archive database
will reside. If you allow private archiving, you must give the user Create access on the destination
server to create an archive database. Choose one:
v Local -- to create the mail archive database on the user’s workstation (available for client-based
archiving only).
v Specific server -- to create the mail archive database on a server other than the mail server. Then
specify the name of the server.
v Mail server -- to create the mail archive database on the user’s designated mail server.
9. On the Selection Criteria tab, do one or more of the following:
v Click New Criteria to create a new Archive Criteria Settings document. Then, click Add Criteria
and select your newly-defined criteria document.
v Click Add Criteria, and then choose one or more archive criteria settings documents to add to
your archiving settings.
v Click Remove Criteria, and then choose one or more archive criteria settings document to remove
from your archiving settings.
For information on creating an archive criteria settings document, see the topic ″Creating Criteria for
mail archiving,″ later in this chapter.
10. Click the Logging tab. Under Archive Logging, check the field ″Log all archiving into a log database″
to log archiving activity to a log database (the default).
11. (Optional) Change any of these fields if you want to change the location of the log directory and log
file name.
Field Action
Log Directory The default is archive. Enter a new name if you want to change it.
Log Prefix The default is the letter l, followed by an underscore (_). Enter a new prefix if
you want to change it.
Log Suffix The default is .NSF. Enter the file name that will precede the file name extension
(suffix).
Number of characters from The default is 6. To change this, enter the number of characters you want to use
original filename from the user’s ID to create the archive log name.
Field Action
Frequency Choose one:
v Daily and then select the days of the week on which to archive.
v Weekly (default), and then choose the day of the week on which to
archive.
Run at Specify the time. The default is 12:00 PM.
Note: The Notes client must be running for scheduled archiving to occur.
15. Under Location, specify the locations from which to archive. For example, if you are using
client-based archiving, you may want to archive only from a user’s office workstation, not from an
island or if the user has dialed in. Choose one:
v Any location -- to archive from any location.
v Specific location -- and then specify one or more locations.
16. On the Advanced tab, complete these fields:
Field Action
Delete a document only when the criteria can delete all Do one of these:
responses as well v Check (default) to ensure that documents that have
response documents that do not meet archiving criteria
are not deleted from the database. Use this option to
prevent orphaning of documents in hierarchical views.
v Uncheck to delete documents without prior checking
of response documents.
Maximum document retention selection is: Specify for all users to whom the policy applies, the
number of days, months, or years that comprise the
maximum retention period for deleting and archiving
documents. If private archiving is enabled, and a
maximum retention setting is in effect, users cannot
define criteria with a scope that is larger than the
maximum retention setting.
Creating criteria for mail archiving: You use an Archive Criteria policy settings document to define sets
of criteria to use when archiving a Notes user’s mail documents. You create an Archive Criteria policy
settings document from within an Archive policy settings document. After you create archive criteria, you
can use it in one or more archive policy settings documents.
When you specify archive criteria, you determine what to do with old documents in a user’s mail file. Do
you archive them (copy them to an archive database) or just delete them? If you archive them, you
determine how to ″clean up″ the copies of the archived mail documents that remain the user’s mail file.
And finally, you define what an old document is.
Specifying the name and location for the Archive database: By default, the archive mail database is stored in
the directory archive, located in the data directory. Archive is the default name for the archive directory.
The default name format for a user’s archive database file is a_xxxx.nsf, where a_ is the prefix and xxxx
is the name of the mail database. The name of the archive database is based on a specified number of
characters (the default is 6) from the user’s mail file. For example, for the end user John Smith, whose
mail file is jsmith, the archive database name is a_jsmith.nsf.
Field Action
Name Enter a name that identifies the archive criteria. When you add criteria
to a criteria policy settings document, this is the name that appears in
the selection box. This name also appears in the user’s mail folder
outline under tools - archive.
Description Enter a description of the criteria.
Archiving is enabled Do one:
v Check to enable this archive criteria.
v Uncheck if you are creating archive criteria to use later.
Field Action
Archive Directory The default is archive. Enter a new name if you want to change it.
Archive Prefix The default is the letter a, followed by an underscore (_). Enter a new
prefix if you want to change it.
Archive suffix The default is no suffix. Enter a suffix for the archive database name if
you want to add one.
Number of characters from original The default is 6. To change this, enter the number of characters to use
filename from the user’s mail file to create the archive database name.
If you are creating an exception policy, include only the policy settings documents that have settings
whose values you do not want to enforce. For each setting you do not want to enforce, change the value
as required. Exceptions are made at the policy setting level. When the effective policy settings are
resolved, any settings you specify in the exception policy apply.
Policy document names: The names of Policy documents must be in one of the formats below.
However, when you create a Policy document, you do not have to include the asterisk (*) or slash (/)
when you enter a policy name. Domino adds them for you depending on the type of policy you specify.
/policyname -- an explicit policy that must be assigned manually, but can be assigned at any organizational
level
Field Action
Policy name Enter one:
v A unique name, for an explicit policy.
v The name of the organization or organizational unit, such as Acme or
Sales/Acme
v The name of the hosted organization
Note: To create a policy for all hosted organizations in the Domino Directory, do
not enter a policy name. By default Domino will enter the asterisk for you.
Policy type Choose one:
v Explicit -- to create a policy to assign to specific users and groups.
v Organizational -- to create a policy that is automatically assigned to all users in
the part of the organization specified in the Policy name field.
Description Enter a description of the policy.
5. (Optional) Click Create Child to create a child policy document that includes the name of the parent
policy. You can save the child policy document and return to it at a later time. When you close this
document you return to the parent policy document.
6. To specify the policy settings documents to include in this policy, for each type of settings do one:
Note: If the name of the new policy settings document does not appear as a selection, you may
need to refresh. Press F9)
7. (Optional) To create an exception policy, click the Administration tab and enable ″Exception Policy.″
CAUTION:
Be cautious when creating an exception policy. An exception policy allows a user to override
enforced policy settings.
8. Save the document.
For more information on exception policies, see the topic ″Organizational and explicit policies,″ earlier
in this chapter.
In explicit policies, you create a child policy by setting up the child/parent name structure. For example,
the policy /Contractors may have a child policy called /Short term/Contractors.
In organization policies, child policies follow the hierarchy of the organization. So the child of */Acme is
*/Sales/Acme.
Managing policies
To manage policies, you can do any of the following:
v Edit policies
v Delete policies
v Create a report of the effective policy
v View policy relationships
v Assign an explicit policy or change a policy assignment
v Preventing replication of policies to pre-Domino release 4.67a servers
Deleting policies
Use this procedure to delete policy and policy settings documents. This table describes the result of each
type of deletion:
Deletion Result
Explicit policy An Administration Process request searches the Person documents of all users in
the domain and deletes all references to the deleted policy.
Organizational policy Deletes the policy document from the Domino Directory. All settings documents
named in the deleted policy remain intact.
Settings document Deletes the settings document from the Domino Directory. Deletes references to
the policy settings document from all policy documents.
To delete a policy:
1. From the Domino Administrator, click the Configuration tab, and then open the Policies - Hierarchy
view.
2. Select the policy or settings document you want to delete.
3. Click Tools - Policies - Delete.
The policy tools are not available in the Web Administrator client. For more information on deleting
policies in the Web Administrator, see the chapter ″Setting up and Using Domino Administration
Tools.″
Note: The policy tools are not available in the Web Administrator client.
How to use the policy viewer: The policy viewer has three panes. Depending on your selection in the
top left pane, the results in the right top pane differ. The bottom pane always shows either an actual
policy settings document or an effective policy settings document, based on your selections in the top
two panes. You can edit a policy settings document in the policy viewer. You cannot edit an effective
policy because the settings are derived settings.
Example of using the By Settings view: The administrator at the Acme company wants to use the
policy viewer to:
v View all policy settings documents in a domain
v View all policies that use a selected policy settings document
v View and edit a policy settings document
v View the effective policy settings
Example of using the By Hierarchy view: The administrator at the Acme company wants to use the
policy viewer to:
v View the policy hierarchy for the Acme domain
v View the policy hierarchy for a Notes user in the Acme domain
v View the settings documents used by each policy
v View the differences between the effective policy and the policy settings for a policy settings document
Using the policy viewer: You use the policy viewer to view the relationships of policies and policy
settings documents in a policy hierarchy.
By Settings view:
1. From the Domino Administrator, click the Configuration tab.
2. Open the Policies view, and then select the By Settings view.
3. Choose any of the following tasks:
Task Action
View a list of all policy settings documents in your Expand the functional areas in the left pane.
domain
View a list of all policies that use a policy settings 1. In the left pane, select a policy settings document.
document (display in the right pane)
2. View the policies that use that policy settings
document display in the right pane.
View and edit a policy settings document 1. Select a policy settings document in the left pane.
2. The selected policy settings document displays in
bottom pane. Double-click the document to edit it.
View the effective policy settings for a functional area 1. Select a policy settings document in the left pane.
(displays in the bottom pane)
2. Select a policy document that uses those settings in
the right pane.
3. View the effective policy in the bottom pane.
By hierarchy view:
1. From the Domino Administrator, click the Configuration tab.
2. Open the Policies view, and then select the By Hierarchy view.
3. Choose any of the following tasks:
Task Action
View the policy hierarchy for the a domain 1. In the field ″Show policy hierarchy for,″ select a
domain.
2. View the domain’s policy hierarchy in the upper left
pane.
View the policy hierarchy for a Notes user 1. In the field ″Show policy hierarchy for,″ select
Specific User, and then select the name of a Notes
user.
2. View the policy hierarchy for the user in the upper
left pane
View the settings documents used by each policy 1. Select a policy in the left pane.
2. View the policy settings documents used by the
selected policy in the upper right pane.
Use the Assign Policy tool to apply explicit policies to existing Notes users or to groups, or to change the
assignment from one explicit policy to another.
Note: The Assign Policy tool is not available in the Web Administrator.
You can also add, change, or remove an explicit policy assignment to an individual Notes user in the
Person document. All changes to policy assignments are recorded in the log file (LOG.NSF).
Assigning explicit policies in the Person document: You can assign or change a user’s explicit policies
in the Person document. Changes to the Desktop, Security, or Archive policy settings that are associated
with an explicit policy can be distributed this way. Changes to a user’s settings that were previously
defined using Registration and Setup policy settings are not made retroactively, so you would need to
make any changes to those settings manually in the Person document. For example, roaming user
settings can be defined in a Registration policy setting document. But you cannot change a user’s
roaming user status by changing the Registration policy setting document for that user.
Assigning explicit policies using the Assign Policy tool: You can assign an explicit policy to a user or
group, or you can change the explicit policy assignment using the Assign Policy tool. Use this tool when
you want to make changes to multiple users or groups. You can distribute changes to the Desktop,
Security, or Archive policy settings that are defined in explicit policies using this tool. When you change
the explicit policy for a user or group using this tool, you have the option of viewing the way the policy
assignment change impacts the effective policy for that user or group.
A readers field ($PolRdrs) has been added to each of the policy forms in the Domino Directory. This field
is blank by default, allowing all entities within a domain to have read access to the documents.
Additionally, a new role, [PolicyReader], has been added to the ACL of the Domino Directory. To
effectively stop the flow of policy documents to servers at levels earlier than 4.67a, complete these two
steps:
1. Using Designer, open the Policy forms, set the default value of the $PolRdrs fields to [PolicyReader]
role.
2. Assign the [PolicyReader] role to all entities (Servers, Administrators, etc.) within a domain that need
to keep reader access to policy documents. Pre-Domino release 4.67a entities do not need reader
access to policy documents.
For information on using Domino Designer, see the Lotus Domino Designer 7 printed documentation or
the Lotus Domino Designer 7 Help Database.
Domain Search
Notes and Web users can use Domain Search to search an entire Domino domain for database
documents, files, and attachments that match a search query.
To support Domain Search, you need to designate a Domino server as the indexing server, which builds a
domain wide index that all Domain Search queries run against. In order for the indexing server to build
the index, you must first create a Domain Catalog on the server -- a database that controls which
databases and file systems get indexed. The indexing server then spiders, or crawls, the servers that
contain the content to be indexed.
When a user submits a query, the results that the indexing server returns contain only database
documents to which that user has appropriate access.
If the indexing server is set up as a Domino Web server, it can support searches from both Lotus Notes
and Web browsers.
If users choose to display document summaries in their search results, Domain Search cannot create these
summaries in all languages. You can use the NOTES.INI setting FT_Summ_Default_Language to specify
which language the summary should default to in these cases.
Use Domain Search for less active databases such as archives and product specifications. Use full-text
indexes for single databases for active databases such as mail files, discussion databases,
problem-tracking databases, or any database used for generating reports. You might also want to have
single-database full-text indexes on servers with restricted user access, or in cases where users already
know what database they want to search in.
For information on setting up full-text indexes for single databases, see the chapter ″Setting Up and
Managing Full-text Indexes.″
357
v Setting up Notes users for Domain Search
v Setting up Web users for Domain Search
You can shorten the time it takes to run the Catalog task by splitting it among several servers: Server A
catalogs servers 1 to 25, Server B catalogs servers 26 to 50, Server C catalogs servers 51 to 75, and so on.
You can also limit the scope of the Domain Catalog by using the ″Limit domain cataloging to the
following servers″ field.
For indexing servers running Windows 2000/2003, the following minimum configuration is required:
v An Intel Pentium II 350MHz processor
v 256MB RAM
v Free disk space equal to approximately 30 percent of the size of the data being indexed
For information on estimating the size of the data to be indexed, see the topic ″Estimating the size of
the Domain Index″ later in this chapter.
If your organization has more than six Domino servers, dedicating one server as the indexing server
provides optimal performance.
Consider clustering indexing servers to ensure greater reliability and fault-tolerance and to balance the
load from user queries. If you use clustered indexing servers, create a replica of the Domain Catalog on
each of those clustered servers.
To index data in different locations, you can choose to replicate all databases to be indexed to servers in
the same location as the indexing server, thus eliminating the need for the indexing server to spider over
the WAN. The servers containing the databases to be indexed should be ones with fast LAN connections.
Even within the same location, databases on servers with slow LAN connections should be replicated to
ones with fast connections.
Reset the ″Include in multi database index″ database property for each replica on the servers to be
indexed, because this setting does not always replicate.
When you create the Domain Index, use the ″Limit domain wide indexing to the following servers″ field
to limit indexing to these servers.
Note: Indexing unnecessary databases causes users’ search results to be less meaningful, takes up space
on the server, and adds time to the indexing process, which indexes about 700MB to 1GB of information
per hour, depending on hardware and the content being indexed. At a minimum, avoid indexing the
following types of databases: Administration Requests databases, database catalogs, database libraries,
Event message databases, log databases, mail databases, portfolio databases, and server statistics
databases.
You create the Domain Catalog by enabling the Catalog task on the server that will index the Domino
domain.
The portions of the Domain Catalog of interest to the Domain Search administrator are those that indicate
which databases and file systems the indexing server will include in the Domain Index, as well as the
forms used to search the index. Database designers and managers select a database for indexing by
enabling the database property ″Include in multi database indexing.″ (Administrators can configure this
setting for multiple databases using the Domino Administrator.) These settings are saved to the Domain
Catalog when the Catalog tasks runs. Administrators can also control which databases are included in the
Domain Index by customizing the selection formula for a hidden view ($MultiDbIndex) in the Domain
Catalog.
Administrators specify which file systems to index by adding a File System document to the Domain
Catalog for each file system on a server.
For more information on creating database catalogs, see the chapter ″Setting Up Database Libraries and
Catalogs.″ For more information on rebuilding views, see the chapter ″Maintaining Databases.″
View Displays
Access control lists ACL information by Database, Level, and Name. Use this view to see who has what
level of access to the different databases in the domain.
Content Documents in the domain by Author, Category, and Date (if your organization has
implemented document content categories).
Databases Databases in the domain by Category, Hierarchy, Replica ID, Server, and Title.
Domain Indexer Status Last-time indexed for databases included in the Domain Index, by both Server and
Indexing Server.
File Systems File systems and servers included in the Domain Catalog.
Hidden views
You can display hidden views in the Domain Catalog by holding down CTRL-SHIFT as you open the
Catalog. Server tasks use hidden views to access information quickly. The hidden views $MultiDbIndex
and $FileSystem are the work queues for the Domain Indexer task. These views show which databases
and file systems will be spidered to create the Domain Index. The $MultiDbIndex view is sorted by
replica ID, number of documents in the replica, and server to ensure that the most recent replica (the one
containing the greatest number of documents) is the one included in the Domain Index.
Tip: Use this field to limit the scope of the Domain Catalog to regional locations or to expand its
scope to multiple Domino domains by cataloging multiple Domain Catalog servers.
9. Click ″Save and Close.″
When the Catalog task starts for the first time, Domino creates the Domain Catalog database based on the
CATALOG.NTF template and adds entries to the ACL so the database replicates properly within the
domain. The Administration Process creates the group LocalDomainCatalogServers in the Domino
Directory and adds the server that contains the Domain Catalog to that group.
Begin by using the hidden view $MultiDbIndex in the Domain Catalog to see which databases have
already been selected to be included in the Index by database managers. If you see databases in the view
that should not be in your Domain Index, such as personal mail databases or databases of limited
interest, or if important databases are missing from the view, either customize the $MultiDbIndex view’s
selection formula or use the Domino Administrator to include or exclude databases.
Note: If multiple replicas of a database were selected for indexing, Domain Search selects the replica
containing the greatest number of documents.
Using $MultiDbIndex to change which databases will be indexed: Customizing the selection formula
for the $MultiDbIndex view is the simplest and best way to control which databases are included in the
Domain Index.
The following is an example of a custom selection formula. In this example, the indexing server will
ignore ″Include in multi database indexing″ settings and index only databases in the smoketestdata
directory on servers that contain ″hub″ in the server name.
SELECT @IsAvailable(ReplicaID) & @IsUnavailable(RepositoryType) & @Contains((pathname); "smoketestdata") & @Contains((ser
Using Domino Administrator to change which databases will be indexed: You can use the Domino
Administrator to select or deselect the ″Include in multi database indexing″ option on multiple databases
at the same time.
1. From the Domino Administrator, select the server that contains the databases you want to include in
or exclude from the Domain Index.
2. Click the Files tab.
3. Make sure you have Manager access in the ACL for each database you want to include or exclude.
Tip: On the Files tab, you can right-click a database and choose Access Control - Manage to display
its ACL.
Note: If you want to include databases whose ACLs restrict default access, make sure that the
LocalDomainServers or LocalDomainCatalogServers group has at least Reader access to each database
you want to include.
Note: If you plan to limit the servers to be indexed and have placed replicas on those servers, you
might need to select those replicas now, even if the ″Include in multi database index″ database
property was set in the original databases, because this setting does not always replicate.
5. In the Tools pane on the right, select Database - Multi-Database Index.
6. Select Enable or Disable.
7. Click OK.
8. Assign categories for each database that you included.
For information on assigning categories, see the topic ″Assigning database categories for the Domain
Search form″ later in this chapter.
For file system searches, the indexing server must also be set up as a Domino Web server. This allows the
server to return links to documents in the file system and to return those documents in response to
queries from both Notes and Web clients.
For information on setting up a Web server, see the chapter ″Setting Up the Domino Web Server.″
CAUTION:
Domain Search filtering of results to users based on access works only with Domino databases.
For more information on file system security and Domain Search, see the topic ″Domain Search security″
later in this chapter.
To select which file systems to include: Add a reference to each file system in the File System
document, and then map the URL path to the file system directory so that the Domino Web server can
retrieve the found documents for users. Complete the following steps for each server that has file systems
you want to index.
1. Start the Domino Administrator or Notes client.
2. Choose File - Database - Open.
3. In the Server field, select the server that contains the Domain Catalog.
4. Select the Domain Catalog and click Open.
5. In the view pane, click File Systems.
6. Click ″Add File System.″
7. Select the server that contains the file system you want to index.
8. Beside the ″Current file system list″ box, click Add.
9. In the Add File System dialog box, enter the location of a file system to include, for example
c:\lotus\domino\data\files.
10. Enter a keyword, such as ″files,″ to associate with the file system. You need to use this keyword in
Step 14, as the portion of the incoming URL pattern that follows the forward slash (/).
11. Click OK to add the file system to the list.
12. Repeat Steps 8 through 11 to add more file systems to the list.
13. When you have completed the list, click ″Save and Close.″
14. Create a Web Site Rule document for the Web site for this file system. This step is needed to map the
incoming URL pattern to the file system directory on the target server.
Note: Searching within categories is supported only for Domino databases. Whenever a user specifies a
category on the search form, search results will not include any documents from file systems.
Use the Categories view in the Domain Catalog to see whether database managers have assigned
databases to appropriate categories. To edit or add categories, use Database Properties for each database.
Tip: On the Files tab, you can right-click a database and choose Access Control - Manage to display
its ACL.
4. Select the database that you want to categorize.
5. Choose File - Database - Properties.
6. Click the Design tab.
7. Make sure ″List in Database Catalog″ is selected.
8. In the Categories box, enter one or more categories for the database.
Separate category names with a comma.
You can use the hidden view $MultiDbIndex in the Domain Catalog to find the sizes of all databases
selected for indexing. You can also use this view to find out which of these databases have already been
indexed individually by their database managers -- and use full-text index size as a more accurate
indicator of the space a database will take up in the Domain Index.
1. From the Domino Administrator, choose File - Database - Open.
2. Select the cataloging server for the domain, and then select Domain Catalog.
Note: If more than one replica of a database is listed, the indexing server indexes the replica on the
server you include in the ″Limit domain wide indexing to the following servers″ field when you
create the index. If this field is blank, the indexing server indexes the replica with the greatest number
of documents.
6. Do one of the following for each database set to be part of the Domain Index:
v If there is a value in the ″Number of bytes indexed″ field on the Full Text tab, record it.
v If there is no value in the ″Number of bytes indexed″ field, record a number between 20 and 40
percent of the value in the Database size field on the Database tab. Record 20 percent if the
database is heavy on design, 40 percent if it is heavy on text.
7. Add the values from Step 6 to obtain an estimate of the Domain Index in bytes.
To exclude all other types of document attachments, set the following NOTES.INI variable for the
indexing server: FT_Index_Attachments=2
Tip: If you want to index file systems for which security is a high priority, you can attach the files to
Notes documents in a database selected for indexing.
For example, the Acme corporation has two application servers, App-E/East/Acme and
App-W/West/Acme. Acme users are certified with one of two organizational unit certifiers: /East/Acme
or /West/Acme. App-E/East/Acme does not allow access to any user with a /West/Acme certificate.
Databases on the server have the -Default- setting in their ACLs set to Reader to ensure that /West/Acme
users cannot access those databases.
When Acme implements Domain Search, /West/Acme users who query Domain Search might receive
search results that include links to and summaries of documents in databases on App-E/East/Acme,
because the ACLs of those databases do not prohibit /West/Acme users from seeing those results. (On
Windows systems, document summaries are included in the search results if users select the Detailed
Results option.) The server access lists continue to maintain database security in this environment,
because /West/Acme users cannot access documents from those links, but the mere existence of links
and summaries could reveal confidential information to the /West/Acme users.
To avoid this issue, check the ACLs for databases that are protected by server access lists to ensure that
they are set to filter correctly. To do this, assume that the server access list does not exist. Change the
ACL so that, in the absence of a server access list, the database would be secured appropriately. This
ensures that when Domain Search checks the database ACL, it filters out results that users cannot access.
If you are running Domino on Windows and are not sure that you can properly maintain database ACLs,
you might want to prevent anyone from seeing document summaries by setting the indexing server’s
NOTES.INI variable to FTG_No_Summary=1.
Note: This example assumes that the indexing server has a certificate that allows access to both
App-E/East/Acme and App-W/West/Acme.
Note: The indexing server must complete the initial indexing pass before users can perform searches.
Check the Domain Indexer Status view in the Domain Catalog to be sure the initial pass is complete.
To meet the specific needs of your organization, adjust the frequency with which the Domain Indexer
runs. Greater frequency results in more up-to-date indexes, but consumes greater CPU resources. By
default, the Domain Indexer task runs every 60 minutes. Experiment with different indexing frequencies
to yield the best results for your organization.
You can also enhance search performance by tuning the number of indexing threads used by Domain
Search. Each indexing thread indexes one repository at a time. With a greater number of threads, the
indexing server can index more databases simultaneously, but this requires more CPU utilization, and
response to search queries may be slow. With fewer indexing threads, response to queries is faster
because of greater CPU availability, but changes are not reflected in the index as quickly.
Note: Do not exceed eight threads per server or you may degrade the performance of the server, even on
servers with more than four CPUs.
FT_Domain_Directory_Name=directory
The database will be deleted from the index after the next update has been performed by both the
Catalog task and the Domain Indexer task.
1. From the Domino Administrator, select the server that contains the databases that you want to delete
from the Domain Index.
2. Click the Files tab.
3. Make sure you have Manager access in the ACL for each database you want to delete.
Tip: On the Files tab, you can right-click a database and choose Access Control - Manage to display
its ACL.
4. Select the databases you want to delete.
5. In the Tools pane on the right, click Database and then select Multi-Database Index.
6. Select Disable.
7. Click OK.
Note: Removing a database from the Domain Catalog or deleting every copy of a database also has the
effect of deleting the database from the Domain Index.
CAUTION:
Before you back up the Domain Index, check the Domain Indexer Status view in the Domain Catalog
to make sure that the Domain Indexer task has finished -- if you attempt to back up the Domain
Index while the Domain Indexer task is running, catastrophic data loss can result.
Both the search and results forms can be customized to suit organization-specific needs. An application
developer can, for example, add a corporate logo to either form, or rearrange the fields.
For more information on customizing search forms, see the book Application Development with Domino
Designer.
The developer can create additional search forms, and you can use setup policy settings (for new users)
or desktop policy settings (for existing users) to provide bookmarks to the new forms to users. For
example, users might use one form to search only Human Resources databases, or use another form to
store searches for future use. The bookmarks for search forms appear in the user’s More Bookmarks
folder.
For more information on using policy settings, see the chapter ″Using Policies.″
Note: Computing the window title for large numbers of documents requires CPU utilization. You can
omit this computation by adding the following setting in the indexing server’s NOTES.INI file:
FT_No_Compwintitle=1
In file systems such as IBM Lotus SmartSuite® or Microsoft® Office, the title and author are extracted
from the document properties fields. For HTML files, TITLE and AUTHOR tags are used.
For information on how users perform domain searches, see Lotus Notes 7 Help.
Using Policies
After you set up a Domain Search server for a Domino domain, you can use policies to automate the
process of setting up Domain Search for new or existing Notes users in that domain. For new users,
record the name of the Domain Search server in setup policy settings; for existing users, record the
server’s name in desktop policy settings. Setup policy settings populate the new user’s Location
document at registration. Whenever existing users authenticate with their home server, Lotus Notes
checks desktop policy settings and updates the current Location document with the name of the Domain
Search server.
For more information on policy settings, see the chapter ″Using Policies.″
Note: If the user enters the name of the indexing server incorrectly or specifies a server that is not an
indexing server, Notes returns an error.
Tip: If users enter the name of an indexing server in a Domino domain other than their own but you
have included the name of their indexing server in the desktop policy settings applied to them, the
″Catalog/domain search server″ field reverts to the policy setting the next time the users authenticate
with their home server. To preserve links to an indexing server in another Domino domain, users can
bookmark the search form from that server while they are performing a search.
For information on setting up a Domino Web server, see the chapter ″Setting Up the Domino Web
Server.″
When you are ready to roll out Domain Search to Web users, the Web application developer must add to
the site’s home page a link to the search form, which is contained in the Domain Catalog on the indexing
server.
To see for yourself what performing a domain search is like for a browser user, you can use a URL
command in your browser to simulate such a link. Enter the following command in your browser,
substituting the common name of your indexing server for servername:
http://servername/catalog.nsf/domainquery
When the search form displays, you can define your search. If you have properly configured the indexing
server and the servers holding the data, your search results display links that can be successfully
followed to each document found.
Note: If the ″Post to Catalog″ button is dimmed, try clicking another field on the Meta tab, or click
another tab and then return to the Meta tab, to enable it.
For a Lotus Notes document, click the ″Post to Catalog″ button to add content category information to
hidden meta fields in the document header and to add a content categories document for the
document to the Content by Category view in the Domain Catalog. For a Web URL, click this button
to add a content categories document for the URL to the Content by Category view in the Domain
Catalog.
You can customize the Content by Category view to suit organization-specific needs.
For more information on customizing views, see the book Application Development with Domino Designer.
Note: This procedure updates the category information for this entry in the Domain Catalog but does not
change the category information saved in the meta fields of the document itself.
Nearly all Notes functionality is retained when a DOLS-enabled application (called a subscription) is
taken offline. Users can compose, edit, delete, sort, and categorize Notes documents, and perform full-text
searches. DOLS subscriptions can make full use of Java applets, agent execution, and workflow. DOLS
also supports full data replication, retains application logic, and supports the full Notes security model.
The developer and administrator must set up and configure a DOLS subscription for offline use.
The developer copies a number of elements into the subscription, makes design changes if necessary, and
configures the subscription in the Offline Subscription Configuration Profile document.
The administrator makes sure DOLS is installed properly on the server, sets security for the subscription,
sets up agents, makes changes to the Offline Subscription Configuration Profile document if necessary,
and helps users install the subscription.
Once the subscription is enabled, users can access it on the server using a browser. The user clicks ″Go
Offline″ or ″Install Subscription″ from the Online menu on the subscription’s main page and the
subscription is installed on their computer.
Also installed on their computer is the Lotus Domino Sync Manager (previously the iNotes(TM) Sync
Manager), a utility for managing DOLS subscriptions. Users can open subscriptions online or offline,
synchronize, and set subscription properties with the Sync Manager.
You can change configuration settings even after users have downloaded the subscription.
373
3. Choose Actions - Edit Offline Configuration to open the document. Note that some of the fields have
default values, which you can change. You can use wild card characters in any field.
4. Click the Basics tab. The name of the main database should be in the ″Subscription title″ field. If it is
not, enter it.
5. Click the Services tab and fill in the following fields.
mycustomname mysetupfile.exe -z -r -u
If you specify more than custom service, separate the services with
commas. For example:
For more information on custom file sets, see the topic ″Creating
custom file sets for a DOLS subscription.″
6. Click the Schedule tab and complete the following fields. Note that the user can override most of
these fields from within the Subscription Properties box of the Domino Sync Manager.
7. Click the Sync Options tab and complete the following fields:
For tips on using directory names and wildcards when you specify
more than one Required file or Optional file, see the topic ″Creating
multiple database DOLS subscriptions.″
Optional files to replicate Enter the subscription’s optional files. Optional files are databases,
templates or directories that can be enabled or disabled in the sync
manager for offline installation and replication. For example, in
addition to the required file(s), you may want to download a related
Help database or an archived discussion database as an optional file.
Select this box to install a directory catalog with the subscription. Then
enter the file name, including directory path, of the catalog database
on the server (for example, dircats\mydircat.nsf). If the server
administrator has specified a default offline directory catalog for the
server by adding $DOLSDirectoryCatalog = nameofcatalog.nsf to the
NOTES.INI on the server, you can leave this field blank and the
server’s default offline catalog is replicated with the subscription. A
catalog filename specified here will override the server’s default offline
directory catalog.
In order for Domino Web Access for Web Mail users, to take a
directory catalog offline, you must add the name of a directory catalog,
including the NSF extension, to the $DOLSDirectoryCatalog setting in
the server’s NOTES.INI file.
For more information on using directory catalogs with DOLS, see the
topic ″Adding a directory catalog to the application″ before adding one
to your subscription.
Encryption Encrypt this subscription:
Select the box to enable encryption. Then select the level of encryption.
Encryption prevents an unauthorized user from accessing the offline
subscription’s data using another software product.
v If the subscription has multiple databases, all of these databases are
encrypted.
v If the subscription has a shared file, you must encrypt all
susbcriptions sharing the file. An unencrypted subscription may not
be able to open an encrypted file.
v Using strong encryption causes a database to open more slowly than
it would using a weaker encryption or no encryption.
Note: Do not encrypt the database from the Database Properties box.
Use the Offline Subscription Configuration document to prevent
unauthorized users from reading subscription data using other
applications.
Syc Options
Date Filtering Only sync documents modified within the last [number] days:
For example, a user installs this subscription with the directory catalog
dircat1.nsf. If the user then installs another subscription that uses
dircat1.nsf., and also selects this option, the two subscriptions share
dircat1.nsf.
All subscriptions that share the same file must be either encrypted or
not encrypted. Non-encrypted subscriptions may not be able to share a
file that is encrypted.
Select this box to push changes made to the active Off-Line Subscription
Configuration Profile Document (on the server), down to the Domino
Sync Manager (on the client), without requiring a reinstallation of the
subscription.
The following are the only settings and actions that cannot be changed
on the user’s computer unless the user deletes and reinstalls the
subscription.
Encryption
Force user to accept subscription changes. This box is only visible when
″Push subscription settings to Domino Sync Manager″ is selected. Select
this box to force the user to accept changes in the Offline Subscription
Configuration Profile document. Not selecting this box allows users to
prevent the changes from occurring on their subscriptions.
Read only subscription settings: Make schedule read-only. Select this box to dim the scheduled
replication settings in the Properties dialog - Schedule tab of the
subscription on the user’s computer. You can push this to users by
selecting it before they install the subscription, or by using the ″Push
subscription settings″ feature.
Make sync options read-only. Select this box to dim the Sync Options
settings in the Properties dialog - Sync Options tab of the subscription
on the user’s computer. You can push this to users by selecting it before
they install the subscription, or by using the ″Push subscription
settings″ feature.
Passthru server settings: Use passthru server to connect to destination server. Select this box to
use a passthru server to connect to the Domino server that hosts the
subscription. You must enter the name of the passthru server.
Then enter the name of the primary and secondary addresses. If users
connect to the host server through a passthru server, the addresses must
be for the passthru server.
9. (Optional) At the bottom of the configuration document, select whether to display the default
download page or create your own download page. The download page is what users see while
they’re installing a subscription. It’s useful for showing instructions, company graphics, warnings, or
tips. Do one of the following:
v Leave ″Display default download page contents″ selected to have the download page contain the
default text and graphics. You can add text, HTML, or images in the rich-text field below the
default text and graphics.
v Select ″Display only the custom contents below″ to create a download page. A rich-text field
appears in which you can add text, HTML, or images.
10. Save and close the configuration document.
11. Save and close the subscription.
12. (Optional) Customize the subscription. For more information on customizing the subscription, see
the topic ″Optional tasks for DOLS developers.″
Typically, the first step is for a user to enter the URL of a Domino server, along with the path and name
of a DOLS-enabled Web application on that server, into their browser. The browser contacts the server
through the Web Server task, also called the nHTTP task (1a)., and the Web Server then communicates
with the Web application (1b).
If the Web application has appropriate security levels set in the ACL, the user is prompted to log-in to
the Web application using their name and Internet password. This authentication is also handled by the
Web Server.
When the user selects ″Install Subscription...,″ the application requests the OCD (2a). A special DSAPI
filter file on the server, listening for URL Web server requests, notices the OCD request. The filter queries
the client to determine if the Domino Sync Manager (iNSM) client software is already installed. If not, the
filter tells the browser to begin downloading a set of DOLS File Sets to the client over the HTTP
connection (2b). These file sets are used to install the Domino Sync Manager software.
Field Description
Security domain Enter the domain that this policy affects. For example,
/US/Company, or /Company (include the leading
slash). All users in this domain are subject to the
deployment policy you set in this document.
Field Description
Certifier ID to use Attach a certifier ID to this rich text field. The certifier ID
must support the Security domain field specified in the
″Security domain″ field.
8. If you selected ″Use NAB for ID lookup,″ fill out the following fields in the Lookup tab:
Field Description
Address book to look up ID files from Enter the database filename, with relative path, of the
directory where your server’s user IDs reside. The target
database must have standard NAB views & documents,
with ID files attached to each person document.
Option Description
Tighten access to the database Open the ACL for the subscription and add the users
and groups to whom you want to grant access.
Anonymous must have ″No Access.″
Tighten security on the configuration document To limit who can open and edit the Offline Subscription
Configuration Profile document for a particular
subscription, open the subscription’s ″DOLS Offline
Configuration″ form in Lotus Domino Designer 7 and
change security settings in the Form properties.
Tighten security on offline data To ensure that unsanctioned users cannot access the
subscription data offline using another software product,
encrypt the subscription in the Offline Subscription
Configuration Profile document.
For an agent to perform actions on a server an administrator must add its signer, or a group the signer is
in, to the Server document (Security - Agent Restrictions).
Agents can perform both unrestricted actions and restricted actions. Restricted actions can potentially
cause serious damage to the server, so administrators must be careful about the permissions of agents
that perform restricted actions.
Note: There are also two kinds of agents: triggered and scheduled. Triggered agents are activated by a
user action, like clicking a button or selecting a menu item. Scheduled agents run automatically, on a
schedule, or when events happen inside a database, such as a new mail document arriving. Only
triggered agents work offline.
If a subscription contains triggered agents, do the following to make them work offline.
1. If the subscription contains restricted agents, create a group called ″DOLS_Restricted_Agents″ in the
Domino Directory.
2. Add the full names of the signers of the restricted agents to the ″DOLS_Restricted_Agents″ group.
If an agent has been configured to run as a Web user (Agent Properties - Design tab - Run as Web
user), use the full name of its signer. Otherwise, use the full name of the signer who modified it last
(for example, NewDevelopment/IBM).
3. If the subscription uses unrestricted agents, create a group called ″DOLS_Unrestricted_Agents″ in the
Domino Directory.
4. Add the full names of the signers of the unrestricted agents to the ″DOLS_Unrestricted_Agents″
group.
Note: If a database uses agents, make sure they’re all signed and that the server’s CERT.ID is
cross-certified with the DOLCERT.ID.
Click a column header to change the order of the data in the view. Open a document to see all the
information on a particular download.
To obtain a CD, contact your IBM Software Services for Lotus representative. Or you can download the
CD code from www.lotus.com/dols and create your own CD.
Perform the following steps to add subscriptions, custom file sets, and custom programs:
To add a subscription
1. Create new replicas of all databases belonging to the subscription. Any database you add to the CD
must have the same replica ID as the original. For example, you cannot make a new ″copy″ of a
database with the Notes client, because copies have new IDs.
2. In the directory \Content\Subscriptions on the CD, create one folder for each subscription. Name
each folder with the replica ID of the main database of the subscription. For example:
\Content\Subscriptions\72638271927F46D8
The hidden field ″ReplicaID″ in the Offline Configuration Profile Document contains the database’s
replica ID. If you open the Offline Configuration Profile Document in Notes, open document
properties, click the Fields tab, and select this field, you can copy and paste the ID to create the folder
name.
3. In each subscription folder, add the subscription itself in a directory structure exactly matching the
directory structure under the Data directory on the Lotus Domino 7 server. For example, if the
DOLS-enabled mail database joe.nsf was located in \Data\Mail on the server, you would add the
following:
\Content\Subscriptions\72638271927F46D8\Mail\joe.nsf
4. If the subscription has a directory catalog, create a DirectoryCatalog folder under
\Content\Subscriptions\<ID> and add a replica of the catalog. For example, if you wanted to add a
directory catalog to the joe.nsf subscription, you would add the following:
\Content\Subscriptions\72638271927F46D8\DirectoryCatalog\nameofcatalog.nsf
5. Open the Offline Configuration Profile Document of the original subscription on the server. Click the
Rules tab and add the names of the subscription’s Required and Optional databases to the Required
and Optional fields.
If users delete a subscription from the Domino Sync Manager, they must run the CD installer again, then
re-install the subscription to restore it. If they install the subscription from the server, they’ll only get the
online version of it, with none of your customizations.
Note: See the readme file on the CD for system and browser requirements, tasks for administrators and
users, and more reference information.
Note: DOLS requires that you add the following text to any selective replication formula that you
create. If you forget to add this text, offline users will not be able to open their offline applications:
|Form="DOLSOfflineConfiguration"
The following example shows a selective replication formula with the required text:
For more information on customizing how users install the subscription, see ″Customizing how users
install the DOLS subscription″ in the Lotus Domino Designer 7 Help.
Error messages
The following table lists client and server error messages you may see as you use DOLS. These error
messages are logged in LOG.NSF under Miscellaneous Events. You can locate LOG.NSF in the \Program
Files\Lotus iNotes\Data directory on the client machine. To open this file from a browser while offline,
enter http://127.0.0.1:89/LOG.NSF.
A Domino service provider delivers services to small-and medium-sized businesses, or multiple hosted
organizations from a single Domino domain. To those hosted organization, the service provider offers
Internet protocol-based access to a specific set of applications running on Domino servers. By using a
service provider, a company can outsource the administration of applications and services that were
formerly run on the company’s computer infrastructure.
This portion of the documentation focuses on the decisions you will be making when planning and
setting up your xSP server environment. You can then use your xSP server to host small and medium
businesses.
First and foremost, the service provider administrator is responsible for setting up and maintaining xSP
servers -- that is, protocol and database servers -- as well as any Domino clusters and network routers.
Although the hosted organization administrator can perform some of the user and group maintenance,
the service provider administrator performs a significant amount of the administrative tasks required to
maintain a hosted organization. At a minimum, the service provider administrator is responsible for
registering and maintaining hosted organizations and controlling which applications the hosted
organization uses. In addition, the service provider administrator must create and maintain a mechanism
that the hosted organization’s administrators use to communicate problems and issues that require the
intervention of the service provider administrator.
Set up an xSP server to offer pure Internet protocol-based access to a specific set of applications on
Domino servers. For example, Domino Web Access is such an application. Using an xSP server reduces
the total cost of ownership for a designated set of services, offered to several customers accessing the
server through standard Internet protocols. In a service provider environment, you are hosting multiple
companies in one Domino domain.
Use Domino partitioning to offer a Domino server where the customer can have Notes Client access and
can create and run their own Domino applications. Setting up a partitioned server is particularly effective
393
when the partitions are in different Domino domains. Partitioning provides a completely separate server
for each customer, as well as a completely separate Domino Directory.
For more information on partitioned servers, see the chapter ″Setting Up the Domino Network.″
In addition, the service provider configuration uses extended ACLs in the Domino Directory to protect
the data of each hosted organization from access by users in other hosted organizations. The extended
ACLs required to support the xSP security model are automatically established when new hosted
organizations are created. Plan and test carefully if you want to modify ACLs and extended ACLs in an
xSP environment -- security is extremely important.
The authentication controls in Site documents control only who can authenticate and use the Internet
protocols. After authentication, ACLs and extended ACLs control the data that can be read from and
written to the Domino Directory.
For more information on extended ACLs, see the chapter ″Setting Up Extended ACLs″ and for more
information on ACLs, see the chapter ″Controlling User Access to Domino Databases.″
A user in a hosted organization cannot directly access databases in any subdirectories other than the
hosted organization’s directory. Exceptions are the ″help″ and ″common″ subdirectories of the Domino
data directory which contains databases accessible to users in all hosted organizations.
To provide users with access to databases outside that of the hosted organization’s subdirectory, create a
directory link within the hosted organization’s directory.
For more information on how directory links work and how to create them, see the chapter ″Organizing
Databases on a Server.″
If a hosted organization’s users are registered at the service provider site, they can be registered with
certifier IDs and passwords or with the Domino server-based CA.
Directory Assistance
Directory assistance is not supported in a hosted environment. You cannot use Domino’s directory
assistance feature with Domino’s xSP configuration. The Directory assistance database name field on the
xSP Server document should be blank.
Policies
Policies are required when using the Domino service provider software. Before registering a hosted
organization, the service provider administrator must decide which policy settings to implement. Before
registering a hosted organization, the service provider administrator can create policy documents and
policy settings documents and then assign those documents during registration, or the service provider
administrator can create the documents during the hosted organization registration process.
For more information on policies, see the chapter ″Using Policies″ and see the topic ″Using Policy
Documents in a hosted environment″ later in this chapter.
For more information on Domino Off-Line Services (DOLS), see the chapter ″Setting Up Domino Off-Line
Services.″
For more information, see the C API User’s Guide and the C API Reference Guide on the IBM Web site,
www.ibm.com.
The IP address configuration that you choose will have an impact on your entire xSP configuration.
If the configuration features one IP address shared by multiple hosted organizations, POP3, IMAP, HTTP,
SMTP, LDAP and Domino IIOP are the available protocols. In this configuration, each IP address entered
on the Internet Site documents must be the same for each protocol. The POP3, IMAP, and LDAP users
must use their Internet e-mail addresses to authenticate. This configuration does not support anonymous
access to LDAP.
For more information on binding an IP address to a hosting server, see the chapter ″Setting Up the
Service Provider Environment.″
The following figure shows xSPserver2 supporting three hosted organizations, each with its own unique
IP address.
When you configure a hosted environment, databases must reside on the xSP server -- that is, the server
to which the hosted organizations are connecting.
Chapter 14. Planning the Service Provider Environment 397
Hosted organization data on one server
All of a hosted organization’s data can reside on one server. As the number of hosted organizations
increases, you can easily add additional servers.
If you are offering mail services, you must provide the protocols to support them. If you do not offer
mail services, you do not need the POP3, IMAP, or SMTP protocols.
Protocol/Service Requirement
HTTP with Domino Web Access When sending mail via Domino Web Access, enable
HTTP on the server that stores the mail file.
IIOP Domino IIOP is required to run Java code.
LDAP If you use POP3 or IMAP and the client mail application
supports LDAP, you can also use LDAP to provide the
mail clients with addressing services.
For ease-of-access and ease-of-administration, you can use host names and Web site names to resolve
mail addresses and to process transactions. The following table indicates which names are used by each
protocol.
Name Protocol
Server host name POP3 and IMAP clients use server host names to locate
host servers when retrieving mail.
For example, serverA.corporation.com
Inbound HTTP transactions can use server host names
when resolving transactions.
For information on the Domain Name Service (DNS) and MX records, see the chapter ″Overview of the
Domino Mail System.″
For more information on the Domain Name System (DNS) and MX records, see the topics The Domain
Name System (DNS) and SMTP mail routing and Examples of using multiple MX records.
Suggested criteria
Prior to choosing and installing applications for hosted organizations, do the following:
1. Decide how to track the applications available to each hosted organization. Lotus Notes/Domino 7
does not include an application to track installed applications.
2. Evaluate applications. For example, if an application is Notes-based, it may need to access external
files, or, it may be a Java application.
3. Evaluate the reliability of the application. Is the application reliable or does it cause the server to stop
or crash? Determine the impact, if any, that each application has on server performance.
4. Determine if the application presents any security risks. Ensure that the application does not allow
users to navigate the file system or add or run their own executable programs.
5. Evaluate how well the new application integrates with the existing configuration.
6. Test each application on a non-production server before installing it on an xSP server. Make sure that
each application is easy to install for each hosted organization.
Note: Domino does not support the use of servlets for xSP servers.
Note: The activity logging C API is included in the Lotus C API Toolkit for Domino and Notes 7. This
public C API can be used to read activity data.
For more information on activity logging, see the chapter ″Setting Up Activity Logging.″
Activity records
Many sessions that the Domino server hosts last for an extended period of time. To avoid losing activity
information, many activity types generate regular checkpoint records. For example, a two-hour Notes
session creates eight records: one open record, six checkpoint records and one close record, assuming that
the default checkpoint interval of 15 minutes is used. You need only review the most recent checkpoint
record for any activity because each checkpoint record shows all logged activity data.
xSP International plans to support SSL; therefore, they will use unique IP addresses. They begin by
installing two servers in their Domino domain: Server1 and Server2. Although each server will contain
data for multiple hosted organizations, the data for each individual hosted organization will reside on
only one server. The data for a hosted organization will not be distributed across multiple servers.
Identical applications will run on each server. If needed, xSP International can add additional servers to
this configuration.
xSP International will initially register four hosted organizations in this domain. To set up the first hosted
organization, CompanyA, the service provider administrator does the following:
Configuring the first or an additional server for a hosted environment does the following:
v Creates an All Servers Configuration Settings document if there is no Configuration Settings document.
v Modifies the All Servers Configuration Settings document to set proper defaults for service providers.
CAUTION:
Do not delete the All Servers Configuration Settings document for your hosted environment. If you
do so, you will be unable to delete or create hosted organizations. Instead, just modify the All Servers
Configuration Settings document and then save the revised document.
v Sets up an extended ACL for the Domino Directory (NAMES.NSF) and the Administration Requests
database (ADMIN4.NSF) to limit access to only users and/or administrators in the same hosted
organization.
v Modifies the Server document to set proper defaults for service providers.
v Sets the ACL on databases in the data directory.
v Modifies a server-specific Configuration Settings document (if one exists) to set defaults for service
providers.
v Modifies the database ACL for Anonymous from ″NoAccess″ to ″Reader.″
The service provider configuration provides services to multiple hosted organizations from a single
Domino Directory.
Before performing this procedure, see the chapter ″Installing and Setting Up Domino Servers.″
1. To install the first xSP server, do one:
405
v For Win32 systems, run this command from the directory in which the SETUP.EXE file is located:
setup -xsp
v For UNIX, run this command:
install
v At the prompt ″Do you want to configure this server with ASP functionality?, enter
Yes
For more information on installing Domino on UNIX, see the chapter ″Installing and Setting Up
Domino Servers.″
2. Start the server.
3. Choose the Domino Enterprise server setup.
4. As the Setup wizard runs, enter the information appropriate to your configuration.
A CA vouches for the identity of both server and client by issuing Internet certificates that are stamped
with the CA’s digital signature. The digital signature ensures the client and server that both the client
certificate and the server certificate can be trusted. The CA also issues trusted root certificates, which
allow clients and servers with certificates created by different CAs to communicate with each another.
Each hosted organization must have its own Domino CA. If the hosted organization uses DOLS or if they
require Notes IDs, the hosted organization must use the Domino server-based CA. If the hosted
organization administrator plans to use the Web Administrator, that hosted organization must use the
Domino server-based CA to register users.
As part of setting up a CA, create a Certificate Requests database. Then, using the Certificate Requests
database, you can submit Internet certificate requests through a browser, pick up new or renewed
certificates, and receive notification regarding request status.
For more information on the Domino CA and the Certificate Requests database, see the chapter ″Setting
Up a Domino Server-Based Certification Authority.″
Each hosted organization must have its own, unique registration policy settings document. Multiple
hosted organizations cannot share a registration policy settings document.
For more information on extended ACLs, see the chapter ″Setting up Extended ACLs″ and for more
information on modifying the default extended ACL settings established during hosted organization
registration, see the topic ″Modifying the extended ACL settings established during hosted organization
registration″ in this chapter.
v An Internet Site document is created for each Internet service for which you provide an IP address or
host name on the Internet panel of the Register Hosted Organization interface. The documents that are
created contain default information for the protocol. You provide additional, detailed information for
these documents during hosted organization registration. If you provide an address or host name for
multiple protocols, you are prompted to create the Internet Site document for each Internet protocol.
You must create the Internet Site document in order to use the corresponding Internet protocol. You are
also prompted to create one Web Site document for each hosted organization. The Web Site document
is the Internet Site document for the HTTP protocol. If a hosted organization has multiple Web sites,
create one additional Web Site document for each additional Web site.
Note: The Basics tab on the Server document contains the field ″Loads Internet configurations from
Server/Internet Sites documents,″ which is enabled by default and cannot be changed in a hosted
environment. When this field is enabled, settings on the Internet Site document take precedence over
settings on the Server document. This field is set when the servers are installed.
For more information on Web Site documents, see the chapter ″Setting up the Domino Web Server.″ For
more information on Internet Site documents, see the chapter ″Installing and Setting Up Domino
Servers.″
v If you are using clustered servers, you can use the Storage panel on the Register Hosted Organization
interface to create additional storage for the hosted organization on one or more servers in the cluster.
Note: The HostedOrganizationAdmin group is created by default (when you set up the hosted
environment) and administrators are automatically added to that group. Administrator groups enable
you to administer groups of people with administrator rights at one time instead of individually
establishing rights and settings for each hosted organization administrator.
For more information on the Web Site document, see the chapter ″Setting Up the Domino Web Server″
and for more information on Internet Site documents, see the chapter ″Installing and Setting Up Domino
Servers.″
1. Ensure that you are working with the xSP server you just installed. If you need to change to another
server, choose File - Open Server, or File - Preferences - Administration Preferences to select the
server.
2. From the Domino Administrator, click the Configuration tab.
3. From the Tools pane, click Hosted Org - Create.
4. Enter the certifier’s password, and click OK.
5. Complete these fields on the Basics panel of the Register Hosted Organization interface:
Field Action
Registration Server Enter the name of the server to use during the
registration process. The Domino Administrator contacts
the registration server while performing registration
tasks.
6. Complete as many of these fields as needed to enable the corresponding protocols for the hosted
organization. When you enter the host name or IP address for a protocol, that protocol is enabled
when the corresponding Site document is created. You are prompted to complete the corresponding
Site document later during this registration process.
Field Action
Internet Domain Enter the name of the Internet domain. By default, the
exact Internet domain name that you specified for this
hosted organization on the Mail tab of the registration
policy settings document is entered. For example,
enterprise.com.
HTTP Host/Address Enter the host name or IP address of the HTTP server for
the hosted organization.
SMTP Host/Address Enter the host name or IP address of the server that
receives SMTP transactions for the hosted organization.
POP3 Host/Address Enter the host name or IP address of the POP3 server for
the hosted organization.
IMAP Host/Address Enter the host name or IP address of the IMAP server for
the hosted organization.
Directory Host/Address Enter the host name or IP address of the LDAP server
for the hosted organization.
IIOP Host/Address Enter the host name or IP address of the Domino IIOP
server for the hosted organization.
Field Action
CA Enabled Choose this option if the hosted organization supports
DOLS or uses Notes IDs.
CA Server Enter the name of the server on which you created the
Domino CA. This is the server on which the CA process
will create Internet Certificates. This button is active only
if you have created a Domino CA.
Set ID file Specify the drive and directory in which the ID file is to
be stored. By default, the certifier ID name matches the
hosted organization name. The certifier ID must be
unique to the hosted organization.
Field Action
Mail Server By default, this field contains the name of the mail server
for the hosted organization exactly as you entered it in
registration policy settings document for the hosted
organization. The hosted organization and the
administrator’s mail file will be stored on this server.
This field cannot be modified.
Directory By default, this field contains the name of the directory
in which the hosted organization’s data resides. For
ease-of-administration, the directory name is created for
you and is identical to the hosted organization name.
This field cannot be modified.
Host Indicates whether the corresponding server hosts the
hosted organization. This field cannot be modified for
the first entry in this list. The first server entry in this list
has a check mark because that server is identified in the
registration policy settings document as the mail server
for the hosted organization.
To add a directory link, enter the full path for the storage
location and then click the check box so that the
directory link displays in the Physical Storage Location
field.
Field Action
Location Enter text to define the location of the hosted
organization.
Comment Enter text to define the hosted organization’s name and
other information.
10. If you have not selected an explicit policy for this hosted organization, this message appears:
"You must configure the organizational registration policy
for the hosted organization. This policy must contain the
necessary hosted organization settings. Do you want to
configure that policy now?"
11. Click Yes. If you click No, the hosted organization is not created.
12. Click Register. The Internet Site document for the first protocol you specified appears. Modify the
defaults, and add new information as necessary.
Note: If the hosted organization supports DOLS, on the Web Site document, specify a DSAPI filter file
name according to the operating system of the xSP server that hosts that hosted organization. Win32
requires the file ndolextn; and Linux, AIX, Solaris/Sparc, S390, and iSeries require libdolextn.
For more information on Internet Site documents, see the chapter ″Installing and Setting Up Domino
Servers″ and for more information on the Web Site document, see the chapter ″Setting Up the Domino
Web Server.″
Modifying the extended ACL settings established during hosted organization registration: Plan and
test carefully before you modify ACLs and extended ACLs in an xSP environment -- security is extremely
important.
When hosted organization registration is complete, all actions that are identified in the topic ″What
happens when you register a hosted organization?″ are complete. You may want to enable Read access on
some fields for a hosted organization. To allow Read access to fields for the anonymous entry in a hosted
organization, in the extended ACL settings, change Browse from Deny to Allow. In the Forms and Fields
Access section, select Show Modified, and change the fields from Read Deny to Read Allow.
Note: The individual fields are listed in the topic ″What happens when you register a hosted
organization?″ in this chapter.
For more information on the IP configurations that you can use in a hosted environment, see the chapter
″Planning the Service Provider Environment.″
SUNSolaris: Enter these commands as the root user, where <hme0> is the network interface card.
IBM AIX: Enter the following command as the root user, where <en0> is the network interface card.
To register Acme Printing as a hosted organization, the service provider administrator at xSP
International answers these questions:
v Does Acme Printing support DOLS users? Do they need Notes IDs? If Acme Printing supports DOLS
or needs Notes IDs for any purpose, a Domino CA needs to be created for the hosted organization. If
not, they can use certifier IDs and passwords. Acme Printing does support DOLS users.
v Which mail protocol does Acme Printing use? If they use POP3 or IMAP, they need SMTP on the same
server. Acme uses POP3, so they need SMTP.
v Which registration settings are needed for the registration policy settings document for Acme Printing?
The service provider administrator determines that Acme Printing needs the CA-related settings and
POP3-related mail settings. Other default settings can also be used.
v Does Acme Printing require storage locations in addition to the default storage locations? If the service
provider administrator set up Acme Printing on a clustered server, they’ll be able to use additional
storage on servers in the cluster. On what server and directory will that storage be located?
v Later, when an administrator is ready to register users for the hosted organization, they can determine
whether they can simplify user registration by creating additional policy settings documents, such as
desktop policy settings documents and security policy settings documents. An administrator can create
these policy settings documents as he would for any Lotus Domino enterprise. User registration for
Acme Printing employees is done by the service provider administrator instead of by an Acme Printing
administrator using the Web Administrator.
The service provider administrator at the service provider site, does the following from the Domino
Administrator:
1. Creates a Domino server-based CA for Acme Printing because they support DOLS. Each hosted
organization that needs a server-based CA requires its own Domino CA because the CA cannot be
shared across multiple hosted organizations.
2. Creates an explicit policy named AcmePolicy and an associated registration policy settings document.
Viewing Web Site and Internet Site documents for a hosted organization
1. From the Domino Administrator, click Files and open the Domino Directory (NAMES.NSF).
2. Choose Server - Internet Sites.
3. Select the name of the hosted organization whose Internet Site documents you want to view.
4. Double-click a document name to open it.
For more information on creating an Internet Site document, see the chapter ″Installing and Setting
Up Domino Servers″ and for information on creating a Web Site document, see the chapter ″Setting
Up the Domino Web Server.″
Configuring Internet sites with Web Site and Internet Site documents
In a hosted environment, each Internet Site document defines the configuration settings for an Internet
protocol for a hosted organization. When you register a hosted organization, you are prompted to create
one or more Internet Site documents as part of the hosted organization registration process.
Note: You have the option of not creating the Internet Site document during hosted organization
registration. You must then create the Internet Site document in order to use the protocol.
A Web Site document is required for the HTTP protocol. You are prompted to create one during the
hosted organization registration process. If multiple Web sites are assigned to one IP address -- that is,
multiple DNS names are registered to one IP address -- create a Web site document for each Web site.
Note: If the hosted organization supports DOLS, on the Web Site document, specify a DSAPI filter file
name according to the operating system of the xSP server that hosts that hosted organization. Win32
requires the file ndolextn; and Linux, AIX, Solaris/Sparc, S390, and iSeries require libdolextn.
For more information on specifying the DSAPI filter file name in the Web Site document, see the chapter
″Installing and Setting Up Domino Servers.
For security purposes, you can create a File Protection document for each server. A File Protection
document controls the access that Web browser clients have to the files on a server’s hard drive. Create
the File Protection document after creating any Web Site document(s) and/or Internet Site documents
that you need.
For more information on File Protection documents, see the chapter ″Controlling Access to Domino
Servers.″
By default, the Global Web Settings document applies to all servers in a Domino domain. If you do not
want the Global Web Settings to apply to all servers in a Domino domain, edit the document and specify
the servers to which the document applies.
The directories that are created via the Global Web Settings document reside in the hosted
organization\domino\ directory path.
Three associated Web Site Rule documents that contain the following settings are created when the
Global Web Setting document is created in a hosted environment:
Web Site Rule document Type of rule Incoming rule pattern Target server directory
DOLS Directory /download/* domino\html\download
iNotes help files Directory /inotes5/help/* domino\html\inotes5\help
iNotes.cab Redirection /iNotes.cab domino\html\iNotes.cab
The Web Site Rule document for DOLS-enabled hosted organizations downloads to a central location files
that are required when the hosted organization tries to access a DOLS-enabled database.
The iNotes.cab file is an archive file that contains controls that are installed into a browser and make
iNotes features available to browsers.
The iNotes help files are downloaded to a central location on the server so that they do not have to be
individually downloaded for each hosted organization.
Field Action
Descriptive name for this site Enter a name that describes the Web Site Rules that will be associated
with this document.
Domino servers that host this site Enter one:
v An asterisk (*) if the document is to apply to all servers in the
Domino domain.
v One or more names of servers to which this document applies.
Field Action
Activity logging is enabled Select this check box to enable activity logging on each
server that you designate.
Enabled Logging Types Select all logging types for which you want to collect
billing information.
Checkpoint interval Enter the number of minutes that transpire between
activity logging updates to LOG.NSF. The checkpoint
interval applies to the logging types that you selected
and that have open, active sessions.
Field Action
Select server activity types to search for Click the check box to and then do one of these:
v Select an activity type to view, and then click Add. Repeat to
continue adding types.
v Click Select All to view all activity types.
Start Date Select the start date and end date of the time period for which you
want to analyze logged activity data. Activity data for the time
End Date period you specify is stored in the Results database.
Start Time Select the start time and end time of the logged activity data you
want to analyze. Activity data for the specified time period is
End Time stored in the Results database.
Results Database Do the following:
1. Click this button to open the Results Database dialog box.
2. Specify the server on which the Results database will reside, the
title (name) of the database, and the file name.
3. Click OK.
4. Choose one:
v Append to this database -- To append the data to the existing Results database.
v Overwrite this database -- To overwrite the data in the existing Results database with new data.
5. Click OK. When the message box displays ″Analysis Completed,″ click OK. The Log Analysis - Log
Events view opens.
The majority of the administration activities that are performed in a hosted environment are exactly the
same as the same activities in a non-hosted environment. The following topics explain how to complete
activities that are unique to or different in a hosted environment. Where necessary, there is also
explanatory information.
v Adding a hosted organization to an additional server to provide new Web applications
v Deleting a hosted organization
v Disabling services temporarily for a hosted organization
v Enabling anonymous access to a hosted organization’s database
v Managing Users at a hosted organization
v Moving a hosted organization from one server to another server
v Removing a hosted organization from a backup or load-balancing server
v Restoring a hosted environment after a server crash
v Temporarily disabling services for a hosted organization
v Using a browser to access a hosted organization’s Web site
v Using the Resource Reservations database in a hosted environment
v Viewing a hosted organization
v Web Administration from the hosted organization site
For example, to access the home page for the hosted organization Acme Printing, enter:
www.acmeprinting.com/acme_printing/homepage.nsf
For example, to access your own mail file named JSMITH.NSF, at the hosted organization named Acme
Printing, enter:
www.acmeprinting.com/acme_printing/mail/jsmith.nsf
Note: You can use a Web Site document to redirect users to other Web sites.
For more information on redirecting users to other Web sites, see the chapters ″Setting Up the Domino
Web Server″ and ″Installing and Setting Up Domino Servers.″
421
Adding a hosted organization to an additional server to provide new
Web applications
A hosted server environment can be configured to allow multiple servers to provide Web applications to
one or more hosted organizations. Part of managing a hosted environment is enabling additional servers
to serve Web applications to a hosted organization. Web applications can be distributed across multiple
servers, while serving as many hosted organizations as you designate.
You can enable a hosted organization that is currently being served applications by one or more servers
to be served a Web application by an additional server.
If you are not using transaction logging, restore the Domino Directory from the most recent daily backup.
For more information on transaction logging, see the topics Transaction logging and How transaction
logging works.
For more information on transaction logging, see the chapter ″Transaction Logging.″
For example, a cache deletion results when you remove an IP address or host name from an Internet Site
document or remove a server from the list of Domino servers that host the site.
The following console message is logged if there are invalid host names in the Internet Site documents
(excluding the Web Site document):
Lookup of IP address for host hostname.com failed
Note: Both processing types generate administration requests and both require that you open the
Administration Requests (ADMIN4.NSF) database and approve the deletion of hosted organization
storage.
5. Click OK. You are prompted to confirm the deletion. Click Yes, and then click OK.
Do not confuse an ACL file, which provides security for the hosted organization itself, with a database
ACL, which controls the access that server, users, and groups have to a database.
In addition to modifying the ACL file, modify the hosted organization’s database ACL to allow
anonymous access to the database.
For more information on modifying a database ACL, see the chapter ″Controlling User Access to Domino
Databases″ and for more information on modifying the Web Site document security settings, see the
chapter ″Installing and Setting Up Domino Servers.″
To prevent users at a hosted organization site from accessing ADMIN4.NSF, do the following:
1. As the service provider administrator, open ADMIN4.NSF and select File - Database - Properties.
2. Select the i Tab and click User Detail.
3. In the User Activity interface, select the check box ″Activity is confidential.″
4. Click OK. Click X to close out of Properties.
To move non-database files from the source server to the destination server
1. Copy all database files from the source server to the destination server.
2. From the source server, recursively delete the non-database files that you copied to the destination
server.
3. Copy all non-database files in directories that are not within the hosted organization’s data directory.
Copy the files from the source server to the destination server.
4. Determine whether any Web application requires per-hosted-organization data that has not already
been copied. Copy that data to the destination server, and then delete it from the source server.
5. (Optional) Replicate the data from the source server to the destination server to ensure that all
changes made to the source server appear on the destination server.
6. Change the IP addresses hosted by the destination server to include the new addresses -- that is, those
formerly hosted by the source server. Modify all Internet Site documents as necessary.
7. Restart the Domino server on the destination server.
If you will be performing all user management actions from the service provider site, see specific areas of
the documentation that explain the actions you want to perform. For example, you would most likely
want to access these areas of the documentation:
v Registering users
v Managing users
v Creating and modifying groups
v Managing groups
v Deleting a group with the Domino Administrator or the Web Administrator
For more information on the Web Administrator, see the chapter ″Setting Up and Using Domino
Administration Tools.″
To use the Web Administrator, you must also use the server-based certification authority (CA). Set up and
load the CA before attempting to access and use the Web Administrator.
For more information on the server-based CA, see the chapter ″Setting Up a Domino Server-Based
Certification Authority.″
Note: If a hosted organization’s users are registered at the service provider site, they can be registered
with certifier IDs and passwords or with the Domino server-based CA. To register a user for a particular
hosted organization, ensure that the service provider administrator is using a certifier created for that
hosted organization. Users registered by the hosted organization administrator at the hosted organization
site must be registered using the Domino server-based CA.
To set up access to the Web Administrator at a hosted organization site: Before using the Web
Administrator, the hosted organization administrator must have rights in the ACL for WEBADMIN.NSF,
NAMES.NSF, and ADMIN4.NSF. The service provider administrator must assign these rights to the
hosted organization administrators who are responsible for managing users and groups with the Web
Administrator.
v Add the hosted organization administrator to the HostedOrganizationAdmins group and assign Author
access with the People&Groups role in the ACL.
v Add the hosted organization administrator to the LocalDomainAdmins group and assign Manager
access and All roles in the ACL.
The hosted organization administrator needs special access in NAMES.NSF. The service provider
administrator assigns these rights to the hosted organization administrators:
Give the hosted organization administrator the following access to the Administration Request Database
(ADMIN4.NSF):
v Author access with the Create documents and Read public documents roles.
To use the Web Administrator to manage users and groups: To maintain users and groups with the
Web Administrator, the hosted organization administrator performs these tasks:
v Registering users with the Web Administrator
v Deleting a user name with the Web Administrator
v Creating a group with the Web Administrator
v Deleting a group with the Web Administrator
For information on creating a database, see the topic Creating a Database if you have installed Lotus
Notes 7 Help. Or, go to http://www.notes.net/doc to download or view Lotus Notes 7 Help.
CAUTION:
Do not assign access rights and roles directly to a hosted organization. Because the Resource
Reservations database is not automatically protected by an extended ACL, if you assign access rights
and roles to a hosted organization, users in the hosted organization will be able to open the Resource
Reservations database for other hosted organizations.
Note: You can view a list of the hosted organizations and corresponding Site documents in the Domino
Directory.
For more information on viewing Web Site and Internet Site documents, see the chapter ″Setting Up the
Service Provider Environment″
Administration servers
Administration servers control how the Administration Process does its work. You specify an
administration server for the Domino Directory and for specific databases. By default, the first Lotus
Domino server you set up in a domain is the administration server for the Domino Directory. The
administration server for the Domino Directory maintains the Domino Directory’s ACL, performs deletion
and name change operations in that Domino Directory, and these changes are replicated to other servers
in the domain. If you have multiple directories in your domain -- not replicas of other domain’s
directories, but more than one of your own -- you can specify an administration server for each of the
directories in your domain. Do not specify an administration server in your domain for a replica of
another domain’s Domino Directory.
All databases need an administration server to manage name changes and deletions that apply to the
database -- for example, changes to the ACL, Readers and Authors fields, or Names fields. If a database
has replicas, you assign an administration server to only one replica. Then the Administration Process
makes all changes to that replica, and replication for that database carries out the changes in all other
replicas.
You can also set up one or more extended administration servers to distribute across multiple servers the
processing of administration requests that modify the Domino Directory.
For more information on extended administration servers, see the topic ″Using an extended
administration server″ later in this chapter.
431
The Administration Requests database
The Administration Requests database (ADMIN4.NSF) is created on the administration server for the
Domino Directory when that server starts for the first time. Requests for work to be done by the
Administration Process are stored in the Administration Requests database. The status of work done by
the Administration Process is also stored there as response Log documents to the requests, in the form of
Administration Request documents. To complete tasks, the Administration Process posts and responds to
requests in the Administration Requests database. Domino servers use replicas of this database to
distribute requests made on one server to other servers in the domain.
When other servers start, if the Administration Requests database does not exist, the server creates a
replica stub of the Administration Requests database and waits for it to be initialized from another server
in the domain. Every server in the domain stores a replica of the Administration Requests database and
the Domino Directory.
The Administration Requests database also acts as the interface to the Domino Certificate Authority
requests. It is the responsibility of the Registration Authority to monitor the status of the Certification
Authority (CA) Requests. The CA requests can be removed from the view or resubmitted for processing
in the same manner as the Administration Process Requests.
For more information on working with requests see the topics ″The Administration Requests database″
and ″Managing Administration Process requests″ in this chapter.
For more information on the Registration Authority (RA), see the chapter ″Setting Up a Domino
Server-Based Certification Authority.″
For more information on the Certification Log, see the chapter ″Installing and Setting Up Domino
Servers.″
If the domain has only a few servers, consider using one administration server for both the Domino
Directory and for other databases. The majority of the administration server resources are used for
updating the Domino Directory and replicating to keep the Domino Directory consistent across the
domain. The responsibility of the administration server of other databases is to maintain ACLs, Reader,
Authors, and Names fields; and unread lists during name management operations. While this option
centralizes administration, it may result in slower server performance as the domain grows and the use
of the Administration Process to update the Domino Directory and maintain databases increases.
A second option involves using a dedicated registration server as the administration server for the
Domino Directory. You limit this server’s responsibility to the processing of Domino Directory changes.
You can then use other servers, such as database hubs, for processing ACL changes to other databases. To
do so, specify the database hub as the administration server for those databases. You can divide the
responsibility for database ACL changes among several administration servers; but, you must make sure
that when there are multiple replicas of a database in the domain, you assign an administration server for
only one replica.
A third option involves using multiple servers to maintain the Domino Directory. If your domain is
geographically dispersed, having a single administration server for the Domino Directory means all
administration requests for Domino Directory changes have to replicate to this one server and the
resultant changes have to replicate back. If your company is organized hierarchically, that is, it is
composed of multiple organizations and organizational units, extended administration servers can be
assigned to maintain the directory documents associated with people, groups, and servers whose names
have that organization or organizational unit component.
Using a server that contains mail and other databases as the administration server for the Domino
Directory is possible, but is not recommended for performance reasons.
Always run the most recent version of Lotus Domino 7 on the administration server of the Domino
Directory and the extended administration servers, so that you can use all of the newest Administration
Process features.
Note: If you use an LDAP client to administer the Domino Directory, the Administration Process is not
aware of these changes and does not extend the changes to other databases. For example, if you delete a
Person document, you must manually remove references to that person’s name in other places that it
occurs because the Administration Process does not do this for you.
For more information on extended administration servers, see the topic ″Using an extended
administration server″ later in this chapter.
Note: To change the administration server for a database, you must have Manager access to the database
or be designated as a Full access administrator on the Security tab of the Server document.
1. From the Domino Administrator, open the domain containing the server with the database for which
you are setting an administration server.
2. From the Servers pane, select the server containing the database you are setting as an administration
server.
3. Click the Files tab and then select the database to which you are assigning an administration server.
4. From the Tools pane, click Tools - Database - Manage ACL.
5. Click Advanced.
6. Complete these fields and then click OK:
Field Enter
Administration Server Choose one of these:
v None -- If you do not want an administration server assigned for the
database.
v Server -- Select a server from the list.
Choose one of these according to whether you want modifications to the
indicated fields to occur during a rename group, rename user, or rename
server action; or during a delete server, delete group, or delete user action:
v Do not modify Names fields -- Names fields are not updated during any of
the above rename and delete actions.
v Modify all Readers and Authors fields -- Reader and Author fields are
updated during the rename and delete actions listed above.
v Modify all Names fields -- All names fields are updated during any of the
rename or delete actions listed above.
7. If you will be processing administration requests across domains, complete the procedure ″Creating a
Cross-domain Configuration document.″
Note: Log documents are listed directly beneath the request that the document pertains to. The
heading Administration Request - Log appears at the top of each Log document.
5. Review the information in the response Log document to ensure that the request has run.
6. Complete the procedure, ″Setting up ACLs for the Administration Process.″
A secondary Domino Directory can use the same administration server as your primary Domino
Directory, NAMES.NSF, or you can designate another server as the administration server for the
secondary directory.
If a replica ID is located, the server attempts to open the database. If it is successful, the server checks the
ACL to determine whether it is the administration server for that directory. If so, the server processes the
request. If it is not the administration server for that directory, the server leaves the request to be
processed by the appropriate administration server. If the server is unable to open the database, it ignores
the request.
For more information on secondary Domino Directories, see the chapter ″Setting up Directory
Assistance.″
For more information on designating a server as an administration server, see the topic ″Specifying an
administration server for databases″ earlier in this chapter.
Note: During cross-domain processing, any requests imported from another domain and any subsequent
requests created by the imported requests are processed by Lotus Domino Release 5 and more recent
servers only.
Edit the Directory Profile document for the Domino Directory to include the names of anyone allowed to
create a Cross-domain Configuration document. On the Directory Profile document, add the
administrators names to the ″List of administrators who are allowed to create Cross-domain
Configuration documents in the administration requests database″ field. If a Cross-domain configuration
document is created by someone whose name is not in that field or who is not a manager of the Domino
Directory, that configuration will be ignored.
The Administration Requests database contains Cross-domain Configuration documents that specify how
domains exchange and process administration requests. When you configure a Cross-domain
Configuration document, you designate the trusted entities, which are persons, servers, or certifiers. All
requests received from the domain must be signed by one of its trusted entities. Rename requests are the
exception; they are signed by certifiers so their validity is determined by the certificates and the
cross-certificate in the destination domain’s Domino Directory. For Rename requests going to another
domain, there must be appropriate cross-certificates between the two domains. Additionally, the Domino
Directory of the destination domain must either have all Certifier documents, with the certifier’s public
key, for the organizational structure represented in the name change request, or it must be able to access
those Certifier documents from a trusted Directory specified via Directory Assistance.
Note: Check the Connection documents for the servers involved in the cross-domain request processing.
The fields on the Connection document that have particular impact on the processing of administration
requests across domains are on the Basics tab: Source server, Source domain, Destination server, and
Destination domain fields.
Other fields on the Connection should be set up to allow for replication and communication between
source and destination servers as usual.
For more information on setting up trusted directories via Directory Assistance, see the chapter ″Setting
Up Directory Assistance.″
For more information on Certifier documents, see the chapter ″Installing and Setting Up Domino
Servers.″ For more information on cross-certificates, see the chapter ″Protecting and Managing Notes
IDs.″
Field Enter
Receive AdminP requests from domains The name of one or more domains from which this server will
receive requests.
List of AdminP requests allowed from other Select any of these requests that this server will accept from other
domains domains and then click OK.
v Create Replica
v Delete Person in Address Book
v Delete Server in Address Book
v Get Replica Information for Deletion
v Rename Person in Address Book
v Rename Server in Address Book
Only allow Create Replica requests if Server names in your current domain that will accept Create Replica
intended for one of the following servers requests from other domains.
If you selected Create Replica requests from the list above, the
request’s author is required to have Create Replica access to the
destination server. Create Replica requests must be signed by the
source server.
6. If you chose Outbound in Step 4, click Outbound Request Configuration and then complete these
fields:
Field Enter
Domains to submit AdminP requests to The name of one domain to which the server will send requests. If
you need to send AdminP requests to multiple domains, create a
separate Cross-Domain Configuration document for each domain to
which you will send requests.
List of AdminP requests to submit Select the type of requests that this server will send and then click
OK.
v Create Replica
v Delete Person in Address Book
v Delete Server in Address Book
v Get Replica Information for Deletion
v Rename Person in Address Book
v Rename Server in Address Book
If you selected the Create Replica request from the list above, the
request’s author is required to have Create Replica access to the
destination server. Create Replica requests must be signed by the
source server.
The quickest way to provide administrators with the access they need is to give them the minimum
levels of access:
v For the Domino Directory, create an administrator group of type Person Group with Editor access, and
list the administrators in the group.
v For the Administration Requests database, give administrators Author access. If an administrator will
be approving requests, give Editor access.
v For the Certification Log database, give administrators Author with Create documents access.
To assign access to administrators so they can perform only specific tasks, see the table below which
specifies the access that administrators need in the ACLs of the Domino Directory, secondary directories
-- if applicable, Administration Requests database, and Certification Log database. If an error occurs
during any administrative task, the administrator must have Editor access in the ACL of the
Administration Requests database to perform the task again.
For more information on setting up and modifying an ACL, see the chapter ″Controlling User Access to
Domino Databases.″
Note: If extended ACLs are enabled and you have specified who can modify documents for an
organization, administration requests will fail if they are initiated by anyone not specified in the extended
ACL.
For more information on Active Directory procedures, see the chapter, ″Using Domino With Windows
Synchronization Tools.″
For more information on how the Administration Process completes specific administrative tasks, see the
appendix ″Administration Process Requests.″
View Displays
Administrative Attention Required Requests that warrant attention and may require action on the part of the
administrator.
All Activity by Server Responses to requests, sorted by server.
All Errors by Date Responses with errors encountered, sorted by date.
All Errors by Server Responses with errors encountered, sorted by server.
All Requests by Action Requests and responses, sorted by action.
All Requests by Name Requests and responses, sorted by name.
All Requests by Originating Author Requests sorted by server name, administrator name, or user name,
according to how the request was initiated. This view allows one
administrator to monitor the activity of other administrators in the
Administration Requests database.
All Requests by Server Requests and responses, sorted by server.
All Requests by Time Initiated The ″All Requests by Time Initiated″ view sorts all administration requests
by the date and the time that the request was initiated.
For more information on ID recovery, see the topics ″ID recovery″ and
″Recovering an ID″ in the chapter ″Protecting and Managing Notes IDs.″
Note: When you open ADMIN4.NSF from the Domino Directory, this view
is called ″Recovery Information Updates.″
Certificate Requests Requests to create an Internet certificate and requests to create a Notes
certificate. This view is typically monitored by the administrator who has
been designated Certification Authority and Registration Authority.
Cross Domain - Configuration Cross-domain configurations sorted by domain and then by inbound
requests that are accepted and outbound requests that are accepted
Cross Domain - Delivery Failures Requests that cannot be delivered to the inbound domain
Enrollment Requests This view is not yet implemented.
Individual Approval Required The ″Individual Approval Required″ view shows the requests that must be
individually approved, that is, they cannot be approved by selecting
multiple requests in ADMIN4.NSF and clicking ″Approve Selected
Requests.″
Name Move Requests Requests to move a user’s name in the name hierarchy
Pending Administrator Approval Requests that are pending the approval by the administrator. There are
additional views associated with this view. They are:
v Pending by Age -- Shows all requests that are pending administrator
approval, sorted by the number of days that the request has been in
ADMIN4.NSF awaiting approval. Requests are sorted in increments such
as 7 days, 14 days, and so forth, up to requests older than 90 days.
v Pending by Server -- Shows all requests that are pending administrator
approval, sorted by the name of the server on which the request will be
processed.
Note: When you open ADMIN4.NSF from the Domino Directory, the
″Individual Administrator Approval″ view is listed here instead of as a
separate view.
The Administration Requests database (ADMIN4.NSF) also contains these processing options that are
available as buttons on the administration requests, according to whether to processing option applies to
a particular request.
To view documents in the Administration Requests database, you can use either the Domino
Administrator or the Web Administrator.
For information about messages that appear in the Administration Requests database, see the chapter
″Troubleshooting.″
For more information on the administration requests and how they are processed, see the appendix
″Administration Process Requests.″
To prevent these types of documents from being saved, the field ″Store Admin Process log entries when
status of no change is recorded″ on the Server Tasks tab of the Server document is set to No by default.
Response log documents that report that no action was performed by the server are not posted to the
Administration Requests database.
For more information on the Administration Process and the settings in the All Servers document, see the
topic ″Scheduling administration request processing″ later in this chapter.
Using Space Saver settings: Check the ″Space Saver″ settings of ADMIN4.NSF on all servers because
these settings do not replicate in the domain and ensure that the ″Remove documents not modified in the
last # days″ is checked. Be sure the value entered for this setting is a reasonable number -- depending on
how long you want to keep the history of the activity of the administration requests -- for example, less
than 90 days. This information is stored in Catalog documents. If you run the catalog, you can create a
view that displays this information.
1. From the Domino Administrator, choose Files and then right-click Administration Requests database.
2. Choose Properties and click Replication Settings - Space Savers.
3. Click ″Remove documents not modified in the last # days″ and choose a number of days from the list.
Click OK.
Using a Program document to compact the Administration Requests database: Create a Program
document that will compact ADMIN4.NSF on the servers in your domain on a regular basis.
For more information on using Program documents to compact a database, see the chapter ″Improving
Database Performance″.
For more information on setting up and using replication formulas, see Limiting the contents of a replica
if you have installed Lotus Domino Designer 7 Help. Or, go to http://www.notes.net/doc to download
or view Lotus Domino Designer 7 Help.
Field Action
Suspend Admin Process at Enter the time at which administration processing of
administration requests stops.
Restart Admin Process at Enter the time at which administration processing of
administration requests resumes.
When you initiate a user’s name change, the user is prompted to accept or reject the name change. If the
user rejects the name change, an administration request is generated that requires you to either accept the
user name reverting back to the original name or reject the user name reverting back to the original user
name. For example, if a user refuses a name change, the administration request ″Approve refused name
change″ is posted to ADMIN4.NSF.
If the expiration date for the name change is reached and the user has not responded, an administration
request is issued asking you to accept a request to retract the name change. You can then either accept
the request to retract the name change, or you can reject that request. If you accept the name change
retraction, the administration requests for rejecting a name change are generated.
1. From the Domino Administrator, choose Server - Analyses - Administration Requests.
2. Select the server and then open the Administration Requests (ADMIN4.NSF) database.
3. Open the Pending Administrator Approval view.
4. Open one of these views according to how you want to accept or reject requests that have been
generated by users accepting, rejecting, or ignoring name changes.
v Individual Approval Required -- Use this view to individually approve or reject each request. Select
and open the request and then click Approve or Delete.
v Pending by Age or Pending by Server -- Use one of these views to approve or reject multiple
requests at one time. Select the requests that you are accepting or rejecting, and then click Approve
Selected Requests or Delete Selected Requests.
5. Close the Administration Requests database.
Follow this procedure to force a request to occur immediately instead of waiting for the Administration
Process to initiate the request based on the timing schedule.
1. From the Domino Administrator, select the remote server.
2. Choose Server - Status - Server Console.
3. In the Domino Command field, enter a command from table above and click Send.
These commands check ADMIN4.NSF for new unprocessed requests that match the criteria specified in
the command. For example, the command ″tell adminp process interval″ checks ADMIN4.NSF for new
interval requests and queues those requests as if the interval time has expired.
Do not use the command ″tell adminp process all″ due to performance issues that are created when you
run that command. The ″tell adminp process all″ command simulates a restart of the administration
process; therefore, this command waits until all previous requests are processed before starting the next
request process. This ″wait″ is in the main thread of the administration process; therefore, new requests
that are received after the console command is issued will wait as well, regardless of request schedule.
This command slows the rate at which the administration process requests are run. This is especially true
for requests that require a lengthy processing time, such as changing a name in an ACL.
To adjust the default timing of when administration requests are carried out, edit the Server document.
You may want to force a request to occur immediately if the administration request is critical.
For more information on using server console commands to force administration request processing, see
the topic ″Managing Administration Process requests″ earlier in this chapter.
Field Enter
Interval The number of minutes that pass between the processing of
name-management requests -- rename, delete, and recertify. The default is 60
minutes.
Execute once a day requests at The time when updates to Person documents occur and ″Rename person in
unread lists″ requests run. The default is 12 AM.
Interval between purging mail file The number of days that pass between running the Object Collect task
and deleting when using object store against a mail file that uses shared mail and deleting the mail file. The
default is 14 days.
Start executing on The day on which Updates to Authors and Readers fields in a database and
discovery of shared and private design elements for a deleted person occur.
The default is Sunday.
Start executing at The time when the updates to Authors and Readers fields in a database and
discovery of shared and private design elements for a deleted person occur.
The default is 12 AM.
Mail file moves expire after The number of days during which the Notes client will update mail-related
changes. The default is 21 days. Valid values are 7 to 60, inclusive.
Note: If you want to edit a Server document for another server, click Configuration - Server - All Server
Documents and then select the document you want to edit.
2. Click Edit Document and then click Server Tasks.
3. Enter a value greater than 3 in the ″Maximum number of threads″ field in the Basics section of the
tab.
4. Click Save and Close.
5. To allow the change to take effect, stop the Administration Process and then restart it. Enter these
commands from the server console:
tell adminp q
load adminp
For information on creating a view, see Application Development with Domino Designer.
Creating a third-party Administration Request: You can extend the Administration Process by creating
an administration request directed to a third-party server add-in task that interprets the request and acts
on it. When creating a third-party administration request, specify:
v The Message Queue name in the ProxyProcess field of the request. The Administration Process uses
this data to pass the request’s and response’s note IDs.
v The Server name in the ProxyServer field of the request to identify the Domino server on which the
server add-in task is running.
v A Text version of an identifier, greater than ″5000,″ in the ProxyAction field.
The Administration Process acts on third-party requests by opening the message queue and placing a
message with the IDs of the administration request and log notes in it. The add-in task monitors the
message queue and then performs the required processing.
For information on creating a server add-in task that processes third-party administration requests, see
the Lotus C API User Guide.
To verify which task is processing a request: To verify whether AdminP or another task is processing
an administration request:
1. From the Domino Administrator, choose Server - Analyses - Administration Requests(7).
2. Open the ″All Requests by Action″ view.
3. Select the request, right-click the mouse button and choose Document Properties.
4. Click the Field tab, and then locate the ProxyProcess field which contains the name of the task that is
processing the administration request.
The ProxyProcess field is set by the program that created the request.
You can designate extended administration servers for one Domino Directory by selecting a namespace in
the Domino Directory’s extended access interface and designating a particular server as an administrator
for that namespace. The new interface allows you to specify the exact namespace that an individual
administration server is responsible for.
The extended administration server distributes the administration responsibilities across multiple servers
which is especially useful for remote administration of servers that are geographically dispersed. The
concept of the extended administration server was developed in order to make remote administration
available to administrators.
All of the Domino servers in the domain must Lotus Domino 7 servers or newer to use the extended
administration server feature.
Administration Process statistics and their descriptions are listed in this table.
For more information on Event Handlers, see the chapter ″Monitoring the Domino Server.″
For details on what the particular messages mean and for information on the corrective actions that can
be taken, see the documentation in EVENTS4.NSF for that message.
This table describes the messages and, in some cases, the causes of messages that appear in the
Administration Requests database. In addition, the table indicates the corrective action to take, where
appropriate.
Cause of error - This can indicate a failed Give the person making the request the
attempt by an unauthorized person to appropriate access to the Domino Directory.
delete documents from the Domino
Directory.
The Administration Process cannot set the Delete Mail file Restart the server and then click ″Perform
execution time for a spawned request. request again″ in the response Log document.
This server is not currently a member of a Remove Server from Manually delete the database.
cluster. This database cannot be marked for Cluster
deletion.
The Author of the Administration Request Create Replica Give the person making the request Create
is not allowed to create databases on this Database access to the destination server.
server. Move Replica Then click ″Perform request again″ in the
response Log document.
Note: The Domino Administrator client also offers Domino domain monitoring (DDM) which you can
use to view the overall status of multiple servers across one or more domains, and then use the
information provided by DDM to quickly resolve problems.
For more information about Domino domain monitoring, see the chapter ″Domino Domain Monitoring.″
Do not install the Domino Administrator on the same system on which you installed the Domino server.
Doing so compromises Domino’s security and impairs server performance.
For more information on installing the Domino clients, including the Domino Administrator, see the
chapter, ″Setting Up and Managing Notes Users.″
459
2. Do one:
v From the Windows® control panel, click Start - Programs - Lotus Applications - Lotus Domino
Administrator.
v Click the Domino Administrator icon on the desktop.
v From the Notes client, click the Domino Administrator bookmark button or choose File - Tools -
Server Administration.
Server pane
The server pane displays the servers in the domain, grouped in different views. For example, you can
view all servers in the domain or view them by clusters or networks. To ″pin″ the server pane open, click
the pin icon at the top of the server pane.
Task pane
The tasks pane provides a logical grouping of administration tasks organized by tabs. Each tab includes
all the tasks associated with a specific area of administration. For example, to manage the files located on
a particular server, select a server and click the Files tab.
Results pane
The appearance of the results pane changes, based on the task you are performing. For example, the
results pane may display a list of files, as on the Files tab, or an active display of real-time processes and
statistics, as on the Server - Monitoring tab.
Tools pane
The tools pane provides additional functions associated with a selected tab. For example, from the Files
tab you can check disk space and perform tasks associated with files.
Window tabs
Use window tabs to switch from one open window to another in the Domino Administrator. Every time
you open a database or a document, a new window tab appears beneath the main menu bar.
Domains
You can access the servers in each domain that you administer. Click a domain to open the server pane.
Bookmark bar
The Bookmark bar organizes bookmarks. Each icon on the Bookmark bar (running down the left edge of
the Domino Administrator window) opens a bookmark or a list of bookmarks, which can include Web
browser bookmarks.
Button Description
Favorites Lists your ″favorite″ servers -- that is, those you administer most frequently. To add a
server to Favorites, choose Administration - Add Server to Favorites, and then specify the
name of the server to add.
Domain Lists all servers in a domain. You can also view servers by hierarchy or by network.
For more information on adding domains, see the topic ″Setting Basics Preferences,″ later in this chapter.
Preference Description
Basics v Select domains to administer
v Add, edit, or delete domains
v Set domain location setting
v Select domain directory server
v Specify Domino Administrator startup settings
v Show Administrator Welcome Page
v Refresh Server Bookmarks on Startup
Files v Customize which columns appear on the Files tab
v Change the order in which columns appear
v Limit the types of files that the Domino Administrator retrieves
Monitoring v Configure global settings used to monitor the server
v Enable server health statistics and reports
Registration v Select global settings to use to register users, servers, and certifiers
Statistics v Select global settings for statistic reporting and charting
v Enable statistic alarms while monitoring statistics
Field Action
Domain name Enter the name of the domain to add, or edit an existing
name.
Domino directory servers for this domain Enter one or more directory servers, separated by
commas, or edit the list. For example:
Mail-E/East/Acme Mail-W/West/Acme
What location settings do you want to use for this Choose one:
domain? v Do not change location
v Change to this location. Specify the location from
which you want to manage this domain.
Field Action
On startup Do one:
v Choose ″Don’t connect to any server″
v Choose ″Connect to last used server″
v Choose ″Connect to specific server″ and then specify
the startup domain and startup server.
Show Administrator Welcome Page Do one:
v Check this box to see the Welcome page each time you
start the Domino Administrator.
v Uncheck this box if you do not want to see the
Welcome page.
Refresh Server Bookmarks on Startup Do one:
v Check this box to update the server’s bookmarks each
time you start the Domino Administrator. If you are
using Domino and DB2, you check this box because
server bookmarks must be up-to-date to allow all of the
Domino and DB2 features to work correctly.
v Uncheck this box if you do not want to refresh the
server’s bookmarks each time you start the Domino
Administrator.
Field Action
Do not keep more than <n> MB of monitoring data in Enter the maximum amount of virtual memory, in MB,
memory (4 - 99MB) used to store monitoring data. Default is 4.
Not responding status displayed after <n> minutes of Enter the amount of time after which the ″not
inactivity responding″ status displays. The default is 10 minutes.
Generate server health statistics and reporting Select this option to include health statistics in charts and
reports.
Note: You must enable this option to use the Server
Health Monitor.
Field Action
When using this location Choose the Location document.
Monitor servers Do one:
v Choose ″From this computer″ to monitor servers from
the local Domino administration client.
v Choose ″From server″ and then click Collection Server.
Select the Domino server running the Collector task
for the servers being monitored by the location you
selected.
Poll server every <n> minutes (1-60 minutes) Enter the server’s polling interval, in minutes.
v If ″From this computer″ is selected, the default is 1
minute.
v If ″From server″ is selected, the default is 5 minutes.
Automatically monitor servers at startup Select this option to start the Domino Server Monitor
when you start the Domino Administrator.
Field Action
Registration Domain Select a domain from the list. The registration domain is the domain into which users
and servers are registered.
This field appears if the check box ″Create a Notes ID for this person″ is not selected.
If you are working in a hosted environment and are registering a user to a hosted
organization, be sure to register that user with a certifier created for that hosted
organization.
Certifier ID Do one:
v Choose ″Certifier ID″ to use the certifier ID and password. Then click Certifier ID,
select the certifier ID file, and click OK to select the certifier ID used to register new
certifiers, servers, and users.
v Choose ″Use CA Process″ to use the Domino server-based certification authority.
Registration Server Click Registration Server to change the registration server, which is the server that
initially stores the Person document until the Domino Directory replicates. Select the
server that registers all new users, and then click OK. If you do not explicitly define a
registration server, it is, by default:
v The local server if it contains a Domino Directory
v The server specified in NewUserServer setting in the NOTES.INI file
v The administration server
Explicit policy If you already created explicit policies, select the policy from the list. If you have not
created explicit policies, this field displays ″None Available.″
User Setup Profile Select a profile. The default is none. You can assign either a policy or a user setup
profile, but you cannot assign both to the same users.
Mail Options Click Mail Options to display the Mail Registration Options dialog box.
Choose one of the following and complete any required associated fields:
v Lotus Notes (default) -- The Internet address is automatically generated.
v Other Internet -- The Internet password is set by default during registration. Enter a
forwarding e-mail address.
v POP -- The Internet address is automatically generated during registration, and the
Internet password is set by default during registration.
v IMAP -- The Internet address is automatically generated during registration, and the
Internet password is set by default during registration.
v Other -- Enter a forwarding e-mail address.
v None
Note: If you select Other or Other Internet, you will need to enter a forwarding address
for the user during user registration. The forwarding address is the e-mail address to
which the user wants their mail sent.
User ID/Password Click User ID/Password Options Settings to open the Person ID File Settings dialog
Options box. Do any of these:
v Person ID folder -- Choose a folder or enter a directory path in which to store the ID
files generated for this user during registration.
v Person password quality -- Set a new password quality for the ID files that are
generated for this user during registration. The default for a user ID is 8.
4. Click OK.
For more information on explicit policies, see the chapter ″Using Policies.″ For more information on
Advanced Options, see Domino Administrator 7 Help.
You also enable statistic alarms for use with statistic event generators. If you create statistics event
generators to report alarms, you must enable statistics alarms.
Field Action
Generate statistic reports while monitoring or charting Do one:
statistics v Enable the field and then specify, in minutes, how
often to create statistics reports in the Monitoring
Results database (STATREP.NSF). Default is 45
minutes. The value must be greater than the
monitoring poll interval specified in the Monitoring
preferences.
v Disable the field if you do not want to create statistics
reports or charts.
Check statistic alarms while monitoring or charting Do one:
statistics v Enable the field to report an alarm when a statistic
exceeds a threshold. You must enable this field to
generate a statistic events. Alarms are reported to the
Monitoring Results database (STATREP.NSF).
v Disable the field if you do not want to generate
alarms.
4. Click OK.
From the Domino Administrator, choose Files - Tools and then choose one of these:
v Debug LotusScript -- Enables LotusScript debugging. When a check mark appears to the left of the
Debug LotusScript option, LotusScript debugging is enabled. For more information about LotusScript
debugging, see the Domino Designer documentation, topic Using the LotusScript Debugger.
v Remote LotusScript Debugger -- Opens the Domino Debugger. The remote debugger allows debugging
of LotusScript agents running on remote servers. For more information about remote debugging, see
the Domino Designer documentation, topic Using the Remote Debugger.
v Show Java Debug Console -- Opens the Java Debug Console window. For information about the Java
Debug Console, see the Domino Designer documentation, topics Writing Java in an agent, Running a
Java program, and other related topics.
v Java Debugging Preferences -- Opens the Java Debugging Preferences dialog box. For information, see
the topic Enabling Java Debugging.
Java code from a script library runs in the context of the calling code.
Note: Specifying a port number may require several attempts before you locate a free port.
Statistics: From the Statistics tab, you can see the real-time statistics for the current status of the Domino
system.
Tracking Center: From the Tracking Center tab, you can issue tracking requests to track messages. You
must enable the Tracking Center tab in the Web Administrator.
For more information on enabling the Tracking Center for the Web Administration, see the topic
″Message-tracking in the Web Administrator″ later in this chapter.
To hide or show the Tools panel, click the triangle. To choose a specific tool, click the triangle to expand
or collapse the tools options. Hiding tools on one tab does not hide tools on other tabs.
The following table describes the tools that are on each tab.
Tab Tools
People & Groups v People
v Groups
Files v Disk Space
v Folder
v Database
Server - Status v Task
v User
v Ports
v Server
Server - Analysis v Analyze
Messaging v Messaging
Configuration v Certification
v Registration
v Policies
v Hosted Org
v Server
v Miscellaneous
Web Administrator
If you have a browser and want to manage and view settings for a Domino server, you can use the Web
Administrator to perform most of the tasks that are available through the Domino Administrator. This
section includes the following information about the Domino Web Administrator:
v Setting up the Web Administrator
v Setting up access to the Web Administrator database (WEBADMIN.NSF)
v Giving additional administrators access to the Web Administrator and assigning roles
v Starting the Web Administrator
v Using the Web Administrator
For the most current information about supported browsers, see the Release Notes.
For more information on how the HTTP server task synchronizes names in the Server document with
those on the Web Administrator database ACL, see ″Giving additional administrators access to the Web
Administrator,″ later in this chapter.
Default database security: The default ACL settings for the Web Administrator database are listed
below. You do not need to change these settings if the administrator’s name appears in the
Administrators field of the Server document.
Authenticating administrators: You can use either an Internet password or an SSL client certificate to
access the Web Administrator. The Web Administrator uses either name-and-password or SSL
authentication to verify your identity. The method the Web Administrator uses depends on whether you
set up the server or the Domino Web Administrator database (WEBADMIN.NSF), or both to require
name-and-password or SSL authentication.
To access the Web Administrator database, you must have name-and-password authentication or SSL
client authentication set up on the server. Name-and-password authentication is enabled for the HTTP
protocol by default.
To use name-and-password authentication, you must have an Internet password in your Person
document. To use SSL client authentication, you must have a client certificate, and SSL must be set up on
the server.
For more information, see the chapters ″Setting up Name-and-Password and Anonymous Access to
Domino Servers,″ ″Setting up Clients for S/MIME and SSL,″ and ″Setting up SSL on a Domino Server.″
You can also give administrators access to the Web Administrator manually by adding them directly to
the Domino Web Administrator database ACL. You can give an administrator full or partial access by
restricting the roles assigned. The role assigned to an administrator determines which commands are
available to the administrator, and which tabs appear in the Web Administrator client. You cannot restrict
roles when you add administrator access to the Web Administrator using the Server document. If you
add a name using the server document, you must manually restrict access to the web Administrator
through the Domino Web Administrator database ACL. To prevent an administrator from access, assign
No access in the ACL.
For more information on Web Administrator roles, see the topic ″Administrator Roles in the Web
Administrator″ later in this chapter.
To update the Web Administrator database ACL list manually: You can manually add an administrator
to the Web Administrator database ACL list.
1. From the browser using the Web Administrator, click the Files tab.
2. Select the Web Administrator database (WEBADMIN.NSF).
3. From the Tools menu, select Database - Manage ACL.
4. Click Add and add the administrator or group name to the ACL of the Web Administrator database.
5. In the Access field, select Manager.
6. Assign the roles. Assigned roles determine which commands and tabs appear in the Web
Administrator.
Tip: To select more than one role, hold down the Shift or Control key while selecting roles. Selected
roles appear highlighted.
7. Do one of the following:
v If the server requires name-and-password authentication, edit each administrator’s Person
document and enter an Internet password.
v If the server requires SSL client authentication, set up the browser for SSL.
For more information on Managing ACL roles, see the chapter ″Controlling User Access to Domino
Databases.″ For more information on SSL authentication, see the chapter ″Setting Up Clients for
S/MIME and SSL.
For example, if you assign only the People&Groups role to a Web Administrator, the People & Groups
tab is the only tab that appears when that administrator uses the Web Administrator. The following table
shows the roles that have been predefined for the Domino Web Administrator.
Role Tab
Files Files
People&Groups People & Groups
Replication Replication
Configuration Configuration
Mail Messaging - Mail
MsgTracking Messaging - Tracking Center
ServerStatus Server - Status
To restrict a Web administrator’s access, use the Manage ACL tool on the Files tab. For more information
on managing ACL roles, see the chapter ″Controlling User Access to Domino Databases.″
In addition, there is a new Task tool on the Replication and Mail - Messaging tabs. You can use this tool
to issue Tell commands, and to stop, start, and restart replication, router, and messaging tasks.
The Web Administrator includes most of the Domino Administrator functionality. However, the Domino
Server Monitor and performance charting are not available in the Web Administrator. And you can
restrict further which commands and tabs are available by restricting the roles assigned to an
administrator. Information on the availability of specific Web Administrator features and minor changes
to how you access a feature are documented throughout the Domino Administrator help documentation.
For the most recent information on using the new Domino Web Administrator, see the Release Notes that
shipped with this product or download the Domino Administrator online help from the Lotus Domino
Administrator Release 7 download page on the Lotus Developer Domain at http://www.lotus.com/ldd.
Additional buttons
The Domino Web Administrator includes these buttons that appear at to the right of the tabs. These do
not appear in the Domino Administrator:
v Sign out -- Use this to log out when you cannot or do not want to close the browser.
The mail bookmark displays in the bookmark area only if you have browsed to your home mail server.
Files preferences: By default, the Files tab in the Domino Administrator displays information about
database files in the following order; however, you can customize which columns display in the Web
Administrator. The fewer columns you display, the faster the Files panel performs.
v Title
v File Name
v Physical Path
v File Format
v Size
v Space Used
v Max Size
v Quota
v Warning
v Created
v Last Fixup
v Is Logged
v Template Name
v Inherit From
v Type
v Replica ID
To set Files preferences: By default, the Web Administrator displays all columns. You can add or delete
columns from the display. Select a column name from the ″Use these Columns″ list and then click Add or
Remove.
To use the Web Administrator to register users or servers, you must have Registration Authority (RA)
access in the server-based certification authority (CA). The server that is running the Web Administrator
should also be listed as an RA but that role is not required for the server. If, however, the server is not
listed as an RA, the administrator that is an RA must open the Administration Requests database and
approve the administration request to register the user. You must assign the RA role in the Domino
Administrator, not in the Web Administrator. To assign the RA role, use the Modify Certifier tool on the
Configuration panel.
You cannot set registration preferences in the Web Administrator. You must use the registration settings in
the CA and in the Registration policy settings document.
In the Web Administrator, you cannot configure a server for SSL during the server registration process.
For more information about modifying certifiers, see the chapter ″Setting up a Domino Server-Based
Certification Authority.″ For more information about user registration in the Web Administrator, and
If you create policies before you register users, you can assign them to users and groups during user
registration. You can also edit a Notes user’s Person document and manually assign an explicit policy by
specifying the name of the policy.
Working with policy documents: From the Web Administrator, you can use the Policies view in either
the People & Groups or the Configuration tab to add, edit, or delete policy documents. To add or delete
policy documents, use the buttons that display in the Results pane. In this view, the names of policy
documents are links. To edit one of these documents, click the link for the document you want to edit.
Using the Web Administrator to delete policy documents is not recommended because doing so does not
initiate the Administration Process requests required to remove all references to the deleted document
from other policy documents.
If you use the Web Administrator to create Setup or Desktop policy settings documents, you cannot add
the database links used to set up bookmarks or custom Welcome pages.
For more information about managing policies and policy documents, see the chapter ″Using Policies.″
Use the Live Console to send commands to a Web server running under a Server Controller. You can
send Controller and shell commands, as well as Domino server commands. To use the Live Console, you
must install Java Plug-in 1.4 or higher and enable it in your Web browser.
Use the Quick Console to send commands to a Web server that does not run under a Server Controller.
Or use it if you are unable to install or use the Java Plug-in in your browser.
For more information on using the console in the Web Administrator to send commands, see the topic
″The Server Controller and the Domino Console,″ later in this chapter and the appendix ″Server
Commands.″
For more information on service providers, see the chapter ″Managing a Hosted Environment.″
Field Action
Allowed to track messages Select both of these:
v Your name
v LocalDomainServers
Allowed to track subjects Select your name from the list
Editing the NOTES.INI file and cleanup script in the Web Administrator
You must be a Full Access Administrator to edit the NOTES.INI file. You must have Administrator access
or higher to view the NOTES.INI file, or to edit or view the cleanup script.
For more information on editing the NOTES.INI file, see the appendix ″NOTES.INI File.″
You can use the Domino Console, a Java-based console, to communicate with a Server Controller. You can
run the Domino Console on any platform except Apple Macintosh. Using the Domino Console, you can
send commands to multiple servers. The Domino Console doesn’t require a Notes ID, only a Domino
Internet name and password, so you can connect to servers certified by different certifiers without having
multiple Notes IDs or cross-certificates. You can customize output to the Domino Console -- for example,
use local event filters to specify the types of events the Console displays. You can also log server output
to log files and customize the appearance of the Console.
The Domino Console functions strictly as a server console. Consequently, the Domino Console doesn’t
include the full set of Domino administration features that are available through the Domino
Administrator and the Web Administrator, and you can’t use it to open and manage Notes databases.
The files needed to run the Server Controller and to run the Domino Console are provided with Domino
and Notes.
You can also use remote consoles in the Domino Administrator and Web Administrator to communicate
with a Server Controller.
For information on the available Controller commands and on using the Domino Administrator or Web
Administrator to communicate with a Controller, see the appendix ″Server Commands.″
The Server Controller runs in its own window. You can minimize a Server Controller window, but do not
close or kill the window to stop the Server Controller. Instead, use the Controller Quit command from a
console to stop a Server Controller and the server it controls.
When you run a Server Controller, you no longer have access to the traditional console at the server. You
can communicate only through the Domino Console or a console in the Domino Administrator or Web
Administrator.
Use -c to prevent the Domino Console from running when you start the Server Controller. You might
prevent the Console from running on a slow machine or a machine that is low on memory. If you use
this argument and the Domino server ID requires a password, the Domino server starts without running
its server tasks. To run the server tasks, you must connect to the Server Controller from a console and
specify the server password when prompted.
Use -s to prevent the server from running when you start the Server Controller. Use this argument along
with -c so that someone who is directly at the server can start only the Server Controller, and then a
remote administrator can start the server and specify a required server password remotely from a
console.
Example Result
nserver -jc Runs the Server Controller, the server, and the Domino Console
nserver -jc -c Runs the Server Controller and the server
nserver -jc -s Runs the Server Controller and the Domino Console
nserver -jc -c -s Runs only the Server Controller
Note: The Domino Console also starts by default when you start a Server Controller.
Lotus Domino includes a set of tools to make synchronization between Domino and Active Directory(R)
simple and easy. The Active Directory Domino Upgrade Service (AD DUS) is a tool that you can use with
Active Directory synchronization (ADSync) when you have data in your Active Directory and you have
just installed Domino. AD DUS can optionally be used to migrate all or a set of your Active Directory
users. After you’ve done that, you can start using ADSync to maintain those users in Active Directory
and in Domino.
User options are available to register Notes users in Active Directory. In the Domino Administrator’s user
registration interface, there is a ″Windows User Options″ button on the Other panel of the Register
Person - New Entry dialog box. You can select options to register a user in Active Directory at the same
time that the user is registered in Domino. This is essentially the opposite of what ADSync does.
Regardless of the tool with which you register a new user in both directories, you can use ADSync to
synchronize and delete users from both directories. You can also use ADSync to rename users in both
directories.
For more information on the user options available when registering Notes users, see the chapter ″Setting
Up and Managing Notes Users.″
You can synchronize Person and Group documents in the Domino Directory, and user and group
accounts in Active Directory. When you register or delete a Notes user or delete a Notes group, you can
automatically update the Active Directory. Use the Notes synchronization options to enable the
synchronization of all operations.
Conversely, special menu options and dialog boxes added to the Users and Computers snap-in of the
Microsoft Management Console (MMC) enable you to specify that additions, deletions, and name changes
made to Active Directory user or group accounts be reflected in the Domino Directory. You can also add
existing Active Directory user or group accounts to the Domino Directory, and synchronize Active
Directory and Domino Directory entries.
These directory synchronization features let you keep both the Domino Directory and Active Directory
current without having to update both when either changes. Also, you can manage user and group
information in the Domino Directory and the Active Directory through a single interface of your choice,
either Domino or Windows 2000.
You must have a properly certified Notes ID and appropriate access to make any changes to a Domino
Directory from Notes or Windows 2000, and have the appropriate rights if you are going to use the
Domino server-defined certification authority (CA) to certify users on Domino. Use a Lotus Notes 6 or
more recent client, and Lotus Domino 6 or more recent server as your registration server. You must create
479
policies that contain registration settings documents, either implicit or explicit, for all Domino certifiers
with which you are going to certify new users. Also, you must have appropriate rights in the Active
Directory allowing you to add user accounts and synchronize passwords.
Note: This file is not on the Windows 2000 Professional workstation CD. You must install the file
from the Windows 2000 Server CD. Microsoft licensing permits you to install this administrative
package on Windows 2000 Professional workstations.
3. From the Start menu, click Programs - Administrative Tools - Active Directory Users and Computers,
and verify that the workstation has connected to the domain controller.
4. Install, but do not run, the Domino Administrator.
5. Open a command prompt. From your Notes install directory, type:
regsvr32 nadsync.dll
A message box appears indicating that registration is complete. This can take up to one minute.
6. Run the Domino Administrator and complete the configuration process.
7. From the Domino Administrator, create an organizational policy or an explicit policy and a
Registration policy settings document. You must have at least one policy to use with ADSync.
For more information on policies, see the chapter ″Using Policies.″
8. From the Start menu, click Programs - Administrative Tools - Active Directory Users and Computers.
Click the Lotus Domino Options folder.
9. Right-click Domino Directory synchronization and then choose Options.
10. Enter your Notes password.
11. Click the Notes Settings tab.
12. Click the Notes Server for Registration button and specify a registration server. This is typically the
administration server of the Domino Directory.
13. Click OK.
14. Close and restart Active Directory Users and Computers to allow these changes to take effect.
Field Action
Enable all synchronization operations Click to enable all Notes synchronization operations. All
Windows 2000 and Domino Notes operations will be
synchronized.
Select synchronization operations to enable Click to activate all the fields on this dialog box. When this
check box is not selected, all of the other options on this
dialog box are not enabled.
When you click this check box, these fields are activated:
v Recertify users on rename
v Set common password on user synchronization
Recertify users on rename Click to use the Domino Administration Process to rename a
Notes user if the corresponding Windows 2000 user is
renamed.
Field Action
Administrator’s ID Click to open the Choose Notes Administrator ID dialog box
in which you can specify another Notes User ID as the
administrator ID. The initial user ID file name is taken from
current Notes client settings.
Registration Server Click to open the Choose Server dialog box from which you
can select a Registration server. The registration server must
be a Domino 6 or more recent server.
Use Registration server for all operations Click to use the server that you designated as the
Registration server for all synchronization operations and for
deletions.
You can modify any of the initial mappings, create mappings, or create Notes field names. When an
Active Directory object is created or is synchronized with Notes, all field values in the mapped Active
Directory object are copied to corresponding fields in the Person or Group document in the Domino
Directory. If necessary, fields are created in the Person or Group document and existing field values are
overwritten. This is one-way synchronization. No changes are made to the Active Directory object.
Field Mappings in ADSync, unlike other settings, are different for each Active Directory domain.
To allow the new fields to display in the dialog box, close and then restart the Microsoft Management
Console. The new fields appear.
When initializing, ADSync reads all Active Directory containers, Domino certifiers, and explicit policies
from the Domino Directory on the registration server. Because Active Directory allows you to create a
When you create or delete Active Directory containers or Notes certifiers and policies, they can be
mapped using the Container Mappings table by closing and reopening the Microsoft Management
Console.
To map containers
1. From the MMC, choose Domino Directory Synchronization.
2. Click Container Mappings.
3. Scroll through the AD Container list until you locate the Active Directory containers to which you are
mapping a particular Notes certifier and/or a Notes Policy. If you are mapping more than one
container to one policy or certifier, select multiple containers before choosing a policy or certifier.
4. Right-click the corresponding Notes Certifier field (it may appear blank). An editable field appears.
Enter the certifier name or select one from the list.
5. Right-click the corresponding Notes Policy field (it may appear blank). An editable field appears.
Enter the policy name or select one from the list.
6. Continue this process until you have mapped as many containers, certifiers, and policies as needed.
7. Click Apply and OK.
To allow the new policies and certifiers to display in the dialog box, close and then restart the Microsoft
Management Console. The new policies and certifiers appear.
Note: When you synchronize an Active Directory with the Domino Directory, ADSync copies the primary
names from the Active Directory to the Domino Directory. Primary names are copied exactly as they have
been entered in the Active Directory. Japanese (double-byte) characters are not supported in the Domino
Directory, but in some cases, they are supported in Active Directory. If you have registered any primary
names with Japanese characters in the Active Directory, before synchronizing the directories, rename
those primary names using single-byte characters that are supported by the Domino Directory.
For more information on Notes Settings, see the topic ″Specifying Notes Settings″ in this chapter.
The field mappings that are set in the Field Mappings table designate which fields are synchronized
during synchronization. System fields that cannot be safely synchronized in two directories are excluded
from the Field Mappings table.
For more information on Field Mappings, see the topic ″Mapping Active Directory fields with Domino
Directory fields″ in this chapter.
If the ″Set common password″ check box is checked on the Synchronization Options tab on the Lotus
ADSync Options dialog box, you are prompted to enter a new password during synchronization. This
changes the Windows password as well as the Notes Internet password for that user.
For more information on synchronization options, see the topic ″Enabling the Notes synchronization
options″ topic earlier in this chapter.
Note: Consult your Windows 2000 documentation for information about running and working with the
MMC and the Users and Computers snap-in.
You can register new users in Notes at the same time that you register them in the Active Directory, or
you can register existing Active Directory users in Notes. If any of the users or groups being registered
already exist in Notes, and the ″Synchronize if new user/group already exists in Notes″ option on the
Notes Synchronization Options tab is checked, a duplicate user or group is not created. Instead,
synchronization is performed.
Registration uses certifier IDs or the Domino server-based certification authority (CA). Only certifiers
listed in the registration server’s Domino Directory are used. If you are using certifier IDs, you are
prompted for the path and password, once per certifier per MMC session.
If you create users and groups without additional prompts, all defaults are used, and the entire
registration queue is processed. When users are created, random passwords are generated and placed in
the database, NTSYNC45.NSF, located in the root directory of the local Notes data directory.
For information on the fields that display while registering users, consult your Microsoft documentation.
Fields Action
Register in Domino Directory Click this check box to register this user in the Windows Active Directory and
in the Domino Directory. Other fields on this dialog box are enabled when you
click this check box.
Organizational units are useful for differentiating between users of the same
name. For example, John Smith/Eng/Acme and John Smith/Doc/Acme, where
one employee is a member of Engineering and the other is a member of
Documentation. Each is assigned a different organizational unit name.
Certifier context Choose the certifier to use to certify this user.
Organizational Policy Non-modifiable. Displays the name of the organizational policy that is
assigned if there is one. If there are no organizational policies, this field
displays None.
Explicit Policy Choose an explicit policy from the list. If you do not specify an explicit policy,
registration will not complete and you are prompted to specify one.
Use common password Click this check box if you want to use one password for Windows, Notes, and
Notes Internet. The existing Windows password is then replaced by the
password you enter here.
To preserve the existing Windows 2000 password, enter that password as the
common password.
If the Use common password check box is selected, the Notes password for the
user name field and the Confirm password field are enabled.
Password Enter the new password.
Confirm password Enter the same password again to confirm it.
Internet address The default Internet address as derived from the Windows user login name,
for example, KCarter@domain.com. When the user is registered in Notes, the
domain name from the user’s registration policy settings document is
appended.
Short name in Notes The short name by which the user will be known in Notes. By default, the
short name consists of the user’s first initial and last name.
4. Click Next.
Note: If you do not complete all required fields, a message indicates which fields need to be completed.
You must go back and complete the required fields.
5. Review the settings you specified for the user you are registering and click Finish.
When you are registering user and groups, all groups are registered first.
Registering existing users or groups quickly without prompts: Use this method to register many
existing users or groups at one time. Users and groups are registered using the existing information in
Field Action
If error happens during registration of Click this check box to register any users or groups whose registrations fail
some users and/or groups, try to on the first try. If not selected, users and groups are not registered if the
register them later first attempt fails.
If registration is canceled for some Click this check box to allow to attempt to register any users or groups
users and/or groups, try to register whose registrations are canceled on the first try. If not selected, users and
them later groups will not be registered if the first attempt is canceled.
This option is active only if ″Prompt for the name and password of each
user, and for the name and members of each group″ button is selected.
Note: You have the option of choosing one of the following if you decide not to register now:
v Click Register later to store the users or groups in the registration queue. You can then register
them later.
v Click Do not register to cancel user registration.
After successful registration in Notes, users and groups are synchronized with the Active Directory. A
progress bar displays during the registration process.
Registering existing users or groups individually with prompts: Use this method to register users and
groups individually. You are prompted to enter multiple fields of information on multiple dialog boxes
for each user and for each group that you register. This method is recommended when registering very
small numbers of users or groups, or when you need to modify information for users and groups during
the registration process. This option provides administrators with control over Notes registration
information for each user or group. When used to register numerous users or groups, this method is
time-consuming.
During group registration, for each group you can specify the members that are to be registered in Notes
by clicking the Members button on the dialog box on which it appears. You are also able to specify a new
group name, description, and group type if you want to modify any of those.
For more information on Active Directory, see the Microsoft Active Directory documentation or use the
Microsoft Active Directory online help for fields.
1. From the MMC, click Users.
2. On the Results pane, right-click the user or group you are registering and then click Register in
Domino.
3. Choose ″Prompt for the name and password of each user, and for the name and members of each
group.″ When this option is chosen, the ″If registration is canceled for some users and/or groups, try
to register them later″ check box is also active.
Field Action
If error happens during registration of Click this check box to attempt to register at a later time, any users or
some users and/or groups, try to groups whose registrations fail on the first try. If not selected, users and
register them later groups are not registered if the first attempt fails.
If registration is canceled for some Click this check box to attempt to register at a later time, any users or
users and/or groups, try to register groups whose registrations are canceled on the first try. If not selected,
them later users and groups will not be registered if the first attempt is canceled.
This option is active only if ″Prompt for the name and password of each
user, and for the name and members of each group″ button is selected.
Note: You have the option of choosing one of these if you decide not to register now:
v Click Register later to store the users or groups in the registration queue. You can then register
them later.
v Click Do not register to cancel user registration.
6. Complete the fields on all dialog boxes that display for each user or group.
7. Click Finish when you are done.
For more information on the Notes Registration dialog box that displays for users, see the topic
″Registering new users in Active Directory and in Domino Directory simultaneously″ in this chapter.
For more information on the Notes Registration dialog box that displays for groups, see the topic
″Registering new groups simultaneously in Active Directory and in Domino Directory″ later in this
chapter.
You can register new groups in Notes at the same time you register them in the Active Directory.
For information on the fields that display while registering groups, consult your Microsoft
documentation.
Complete this procedure to simultaneously register a group in Notes and in Active Directory:
1. From the MMC, right-click Users - New - Groups.
2. Complete the Active Directory group fields on the first window that displays, and then click Next.
3. Complete these Notes registration fields on the second window that displays:
Fields Action
Register in Domino Directory Click this check box to create a Notes group to
correspond to the Windows group. Deselect to create the
group only in the Active Directory. When this option is
selected, all other fields on this dialog box are active.
Group name Enter a group name.
4. Click Next.
5. Review the information that displays and click Finish. Click OK.
When you rename a Notes user or group, all occurrences of that user name are updated in the Domino
Directory and other databases by the Domino Administration Process on the Domino server.
When you delete a Notes user or group, all references to it are removed from the Domino Directory by
the Domino Administration Process running on a Domino server. After initiating the deletion, you must
approve the request in the Administration Requests (ADMIN4.NSF) database on the Domino server.
For more information on deleting users in Domino, see the chapter ″Setting Up and Managing Notes
Users.″
For more information on administration requests, see the appendix ″Administration Process Requests.″
Note: To use a Notes administrator ID other than the one most recently used, go to the Notes Settings
tab of the Lotus ADSync Options dialog box and specify another administrator’s ID.
Each Domino domain has at least one administration server for the Domino Directory. The administration
server is responsible for carrying out Administration Process requests that automate changes to the
Domino Directory. By default, the first server set up in a domain is the administration server for the
Domino Directory.
You can use directory servers in a Domino domain to dedicate specific servers to providing directory
services. Clients and specialized servers such as mail and application servers use the directory servers to
look up user, group and similar information.
You can set up Notes clients to use directory servers, rather than their mail servers, to look up names and
addresses.
For information on setting up Notes clients to use directory servers, see the chapter ″Setting Up the
Domino Directory.″
493
Using a central directory architecture in a Domino domain
Prior to this release, companies always used a distributed directory architecture in which every server in
a Domino domain had a full replica of the domain’s primary Domino Directory. A primary directory
contains all types of documents: documents used to provide directory services such as Person and Group
documents as well as documents used to configure Domino servers.
In this release, companies can implement a central directory architecture. In a central directory
architecture, a few directory servers in a domain have a replica of a the primary Domino Directory that
contains the entire contents of the Domino Directory. The other servers in the domain have a
Configuration Directory, a small, selective replica of the Domino Directory that contains only documents
used for Domino configuration. A server with a Configuration Directory uses a primary Domino
Directory on another server -- referred to as a remote primary Domino Directory -- to look up
information in Person, Group, Mail-In Database, and Resource documents, and in any new types of
custom documents a company has added to the directory.
Enterprise companies that use centralized architectures can benefit from this feature. A central directory
architecture allows for tighter administrative control over directory management because only a few
directory replicas contain user and group information. In addition, application and mail servers can run
on less powerful machines then the directory servers require, since the application and mail servers don’t
have to store a primary Domino Directory, which can be the largest database in a company. If the user
and group information in a directory changes frequently, the servers with Configuration Directories have
immediate access to the changes that critical business applications and processes require, because they
don’t have to wait for the changes to replicate locally.
To use a central directory architecture you must have adequate network bandwidth to support the remote
primary directory lookups. For failover, it is also important that at least two servers in a domain are
configured as a remote primary Domino Directory.
For additional information on implementing a central directory architecture, see the chapter ″Setting Up
the Domino Directory.″
Some of the questions to ask when planning for the LDAP service are:
v What levels of LDAP client authentication do you want to use? Anonymous access, enabled by default,
allows LDAP clients to connect without providing names and authentication credentials, such as
password or certificates. Typically you allow LDAP clients connecting anonymously only read access to
the directory.
Planning directory assistance for the LDAP service: You can set up directory assistance on a server that
runs the LDAP service so the LDAP service can extend client LDAP requests to a secondary Domino
Directory or to a remote LDAP directory.
Some of the issues to consider with respect to setting up the LDAP service to use directory assistance for
a secondary Domino Directory include:
v What access do I want LDAP clients to have to the secondary Domino Directory? You control LDAP
access separately for each Domino Directory or Extended Directory Catalog the LDAP service serves.
v If you use a custom LDAP application to administer the directory, the LDAP service allows the
application to modify the directory only if the directory is stored locally on the server running the
LDAP service. If the secondary Domino Directory is stored on a remote server, the LDAP service can
return a referral to that server instead or processing the LDAP operations itself.
Some of the issues to consider with respect to setting up the LDAP service to use directory assistance to
refer LDAP clients to a remote LDAP directory include:
v The LDAP service can never process an LDAP search, add, or modify request in a remote LDAP
directory. It can only refer LDAP clients to a remote LDAP directory.
v By default the LDAP service can return a given LDAP client a referral to only one remote LDAP
directory. If you want to enable the LDAP service to return an LDAP client more than one referral so
that an LDAP client can follow up with alternate referral if the directory server specified in the first
referral is unavailable, you must increase the ″Maximum number of referrals setting″ for the LDAP
service.
v You can specify alternate LDAP directories for referral in one Directory Assistance document for a
remote LDAP directory.
Note: The LDAP service, like any Domino Internet protocol server, can use directory assistance to
authenticate its clients using credentials in a secondary directory, and to use groups in a secondary
directory for database authorization.
For more information, see the topic ″Planning directory assistance″ later in this chapter.
Some of the issues to consider before setting up LDAP accounts on Notes clients are:
LDAP accounts for the Bigfoot and VeriSign directories are set up by default.
For additional information, see the chapter ″Using the ldapsearch Utility.″
Domino does not provide a comparable tool for modifying an LDAP directory.
Some of the questions to ask when planning directory access control include:
v Do you want to assign administrators to specific administration roles in the Domino Directory? If
administrators in your company have specialized administrative duties, consider assigning the
administrators only to the administration roles in the ACL that correspond to their duties. If your
company administrators do all administrative tasks, assign them to all of the roles.
v Do you want to use an extended ACL? One of the reasons to use an extended ACL is to limit
cross-organizational access to a directory that contains information for multiple organizations or
organizational units.
v Do you want to allow Anonymous access to the directory? By default, you use the domain
Configuration Settings document in the Domino Directory to control anonymous LDAP search access.
By default, anonymous LDAP users have Read access to a specific list of attributes.
The Anonymous entry in the directory database ACL by default is set to No Access and controls
anonymous access for all users other than LDAP users. If you use an extended ACL, then the
Anonymous entry in database ACL, and the extended ACL, then also control anonymous LDAP access.
Typically you give the Anonymous entry no more than Reader access.
For additional information, see the chapters ″Setting Up the Domino Directory″ and ″Setting Up
Extended ACLs.″
Note: In general an entry’s distinguished name is determined by the first value listed in the FullName
field. Domino Group and Server entries are the exceptions. The ListName field controls the distinguished
name of a Domino Group and the ServerName field controls the distinguished name of a Domino server.
If you add more than one value to a FullName, ListName, or ServerName field, keep the distinguished
name as the first value.
Before you register Notes users you should decide on a naming scheme for the users and create certifiers
that reflect that scheme. You should also use the Policies feature with a Registration policy settings
document to simplify the process of registration by filling in many of the registration settings
automatically.
For more information, see the chapters ″Setting Up Notes Users″ and ″Using Policies.″
For more information, see the chapter ″Using Domino with Windows Synchronization Tools.″
Migration tools
The Notes user registration program provides migration tools that convert third-party mail system users
or third-party LDAP directory users to Notes users. Be aware that if you migrate users from an LDAP
directory the migration tools convert the entries from the LDAP directory into Notes entries with new
names based on a certifier specified in the Notes user registration program.
Many of these tools invoke the Administration Process to automate these tasks.
For additional information, see the chapters ″Setting Up the Administration Process″ and ″Setting Up and
Using Domino Administration Tools.″
For more information, see the chapter ″Using Domino with Windows Synchronization Tools.″
Type-ahead addressing
Using type-ahead addressing a Notes user enters a few letters in a mail addressing field and Notes tries
too match those letters to a name in a directory. If Notes finds a match, it enters the completed name in
the addressing field automatically. If a Notes user has a local condensed Directory Catalog configured,
Administrators can use a setting in a Configuration Settings document to disable type-ahead addressing
on a server to reduce network traffic and improve server performance.
For more information on disabling type-ahead addressing on a server, see the chapter ″Customizing the
Domino Mail System.″
To search all local Address Books or an LDAP directory accessed using an LDAP Account document,
users can use an LDAP-style search query to locate entries. For example, users can search for all entries
with the last name ″Brown.″
In addition, a Notes client can set up LDAP accounts to connect directly to a remote LDAP directory.
For more information on LDAP account, see the earlier topic ″Planning LDAP accounts on Notes clients.″
Directory servers
Using the ″Domino directory server″ field on the Servers tab of a Location document in the Personal
Address Book, Notes clients can use directory servers, rather than mail servers, for directory lookups.
For more information, see the chapter ″Setting Up the Domino Directory.″
Directory catalogs are either client-based or server-based. Using a client-based condensed Directory
Catalog, often referred to as a Mobile Directory Catalog, Notes users can access directory information for
an enterprise off-line, when not connected to the network. Servers use server-based directory catalogs,
either a condensed Directory Catalog or an Extended Directory Catalog, to look up information
originating from a secondary Domino Directory.
In addition, if you are setting up directory assistance for a remote LDAP directory:
v Does the directory server require a search base? If so, enter the search base in the Directory Assistance
document.
v Do you plan to use the LDAP directory for client authentication or for ACL group authorization? If so,
for tighter security, in the Directory Assistance document, enable SSL and require the remote directory
server to present X.509 certificate.
v Is the remote LDAP directory Active Directory? If so, in the Directory Assistance document for the
directory select LDAP search filters that work specifically with Active Directory.
For additional information on planning directory assistance, see the chapter ″Setting Up Directory
Assistance.″
500 Lotus Domino Administrator 7 Help
Comparison of directory catalogs and directory assistance
The following table compares the features that directory catalogs and directory assistance support.
Directory assistance
for secondary Domino Directory assistance
Mobile Directory Condensed Directory Directory or Extended for remote LDAP
Feature Catalog Catalog on server Directory Catalog directory
Notes client mail Yes Yes Yes Yes
addressing
Notes client Yes Yes Yes No
LDAP-style
searches
Notes client Yes Yes Yes No
directory browsing
Notes client Yes Yes (if no Mobile Yes (if no Mobile No
type-ahead Directory Catalog) Directory Catalog)
addressing
Notes client F9 Yes Yes Yes No
address resolution
LDAP client search No Yes (search) Yes No
and write
operations No (write)
LDAP client No No No Yes
referrals
Internet client No Yes Yes Yes
authentication
Group No No Yes Yes
authorization
(enabled for one
secondary directory
only)
Directory search order for Internet client authentication: To authenticate an Internet client connecting
to a Domino server, the server searches directories for the user name and credentials in the following
order:
1. The server’s primary Domino Directory.
2. A condensed Directory Catalog on the server.
3. All directories defined in the server’s directory assistance database that:
v Have a naming rule that is trusted for authentication and that matches the logon name of the
Internet user
v Have the directory assistance option ″Make this domain available to: Notes clients and Internet
Authentication/Authorization″ enabled.
Directory search order for group names in database ACLs: When a Internet or Notes user attempts to
access a database on a server and the database ACL includes a group name, the server searches
directories in this order to locate the group to determine if the user is a member of it:
1. The server’s primary Domino Directory.
2. One directory -- LDAP or Notes -- configured in the server’s directory assistance database with the
″Group Authorization″ option selected.
Directory search order for LDAP searches: A server running the LDAP service searches directories in
the following order to process LDAP search requests:
1. A server’s primary Domino Directory, unless the primary Domino Directory is configured in a
directory assistance database used by the server and has the option ″Make this domain available to:
LDAP clients″ deselected.
2. A condensed Directory Catalog on the server.
3. A Domino Directory or Extended Directory Catalog that is configured in a server’s directory
assistance with the option ″Make this domain available to: LDAP clients″ selected.
If an LDAP user doesn’t specify a search base, which is a distinguished name used to indicate the
directory location at which to begin a search, the LDAP service searches the Domino Directories
and/or Extended Directory Catalog according to the search orders assigned to the directories. The
LDAP service searches directories with no assigned search orders alphabetically according to their
specified domain names.
If an LDAP user specifies a search base, only directories assigned naming rules that correspond to the
search base are searched. If there is more than one directory assigned a naming rule that matches, the
directory with the most specific matching rule is searched first. For example, if a user specifies the
search base ″ou=Sales,o=Acme,″ the server first searches a directory with the rule /Sales/Acme,
before searching a directory with the rule */Acme. If directories have identical naming rules that
match the search base specified by the user, search orders assigned to these directories determine the
order in which the directories are searched.
4. If the search is not successful in any Domino Directory or Extended Directory Catalog, the LDAP
service refers clients to an LDAP directory enabled for LDAP clients in the directory assistance
database.
If an LDAP user doesn’t specify a search base, the LDAP service does not return a referral.
If an LDAP user specifies a search base, the server picks an LDAP directory enabled for LDAP users
with a naming rule that matches the specified search base. If there is no such directory, the server
doesn’t return a referral. If there is more than one such directory, the server picks the one with the
most specific matching rule before picking one with a less-specific rule. If directories have identical
naming rules that match the search base specified by the user, search orders assigned to these
directories determine the order in which the LDAP service picks them for referrals.
Directory search order for a name in a Notes address field: When a Notes user enters a user or group
name in an address field of a Notes memo, the Notes client and mail server search directories in the
following order to retrieve the address for the name. If a name is found during any step, searches
continue only if the ″Recipient name lookup″ field in the Notes user’s current Location document is set to
″Exhaustively check all address books.″
1. The user’s Personal Address Book.
2. Any local Mobile Directory Catalogs on the client.
For searching to continue to a server, the ″Mail file location″ field in the active Location document
must be set to ″On server.″ Type-ahead searches never continue to a server if there is a local Mobile
Directory Catalog.
Additionally, name conversions between Notes and LDAP DN syntaxes may be necessary in multiple
directory environments. For instance, when entering the DN of an entry that resides in an LDAP
directory in the ACL of a Domino database (or an additional value of Fullname), you need to convert it
to its Notes DN equivalent. Or, when using the Notes DN mapping feature in Directory Assistance, you
should convert the Notes DN to its LDAP equivalent and use that value in the specified attribute of the
LDAP directory.
Note: Do not add an LDAP DN as the second value in a Domino Fullname field, as this value is the
Notes ″Common name″ value.
Alternate names
The alternate naming feature assigns a Notes user an alternate name recognizable in the user’s native
language, in addition to a primary name that is internationally recognizable. Users use alternate names to
use their native languages when displaying and working with names in the Domino Directory.
Corporate hierarchies
Companies can create corporate hierarchies to customize the way the Domino Directory categorizes user
entries. For example, companies might create a corporate hierarchy that categorizes by management level.
You can assign one user to a maximum of four corporate hierarchies. When Notes users address mail or
use the search tool to find people, they can choose to display the entries according to their corporate
hierarchy assignments, rather than simply by name or by Notes name hierarchy.
For additional information, see the chapter ″Setting Up the Domino Directory.″
For additional information, see the chapter ″Setting Up the LDAP Service.″
Configuration Directory
A directory in a central directory architecture that contains only documents related to Domino
configuration.
D
Directory server
A server whose purpose is providing directory services.
Directory assistance
A feature used by servers to extend client authentication, name lookups, and LDAP operations to
secondary directories.D
Directory catalog
An optional directory database that can aggregate entries from multiple Domino Directories into a single
database. There are two kinds of directory catalogs: condensed Directory Catalogs and Extended
Directory Catalogs.
Domino Directory
A directory created automatically from the PUBNAMES.NTF template during first server setup that
describes the users, servers, connections, and access control information for a Domino domain, or a
directory created manually from the PUBNAMES.NTF.
Domino domain
A network of clients and servers whose users, servers, connections, and access control information is
described in a Domino Directory.
Extended ACL
An optional directory access control feature available for a Domino Directory and Extended Directory
Catalog used to apply restrictions to users’ overall directory access.
LDAP schema
A set of rules that defines what can be stored as entries in an LDAP directory. The Domino LDAP
Schema database (SCHEMA.NSF), which is created from the SCHEMA.NTF template, publishes the
schema for a domain.
LDAP service
The LDAP server task running on a server to process LDAP client requests.
Secondary directory
Any directory a server uses that is not its primary Domino Directory. S
The Domino Directory is also a tool that administrators use to manage the Domino system. For example,
administrators create documents in the Domino Directory to connect servers for replication or mail
routing, to schedule server tasks, and so on.
When a server runs the LDAP service, the Domino Directory is accessible through the Lightweight
Directory Access Protocol (LDAP).
Typically, a Domino Directory is associated with a Domino domain. When you set up the first server in a
Domino domain, Domino automatically creates the Domino Directory database and gives it the file name
NAMES.NSF. When you add a new server to the domain, Domino automatically creates a replica of the
Domino Directory on the new server.
You can also create a Domino Directory manually from the PUBNAMES.NTF template and use it as a
secondary directory to store, for example, entries for your Internet users.
To optimize its performance, the Domino Directory has these database properties enabled by default:
v ″Document table bitmap optimization″ to improve the performance of small view updates -- for
example, updates of the Connections view.
v ″Don’t maintain unread marks″ to improve database performance and reduce the size of the database.
For more information on database performance properties, see the chapter ″Improving Database
Performance.″
507
Using a central directory architecture in a Domino domain
A central directory architecture is an optional directory architecture you can implement in a Domino
domain. This architecture differs from the traditional distributed directory architecture in which every
server in a domain has a full replica of the primary Domino Directory.
With a central directory architecture, some servers in the domain have selective replicas of a primary
Domino Directory. These replicas, which are known as Configuration Directories, contain only those
documents that are used to configure servers in a Domino domain, such as Server, Connection, and
Configuration Settings documents. A server with a Configuration Directory uses a remote primary
Domino Directory on another server to look up information about users and groups and other
information related to traditional directory services.
A server with a Configuration Directory connects to a remote server with a primary Domino Directory to
look up information in the following documents that it doesn’t store locally:
v Person
v Group
v Mail-in Database
v Resource
v Any custom documents you add
For example, to authenticate a user, a server with a Configuration Directory looks for the user credentials
in a Person document in a remote primary Domino Directory on another server in the domain.
Only an application that does a NAMELookup or similar directory call can use a Configuration Directory
to do a lookup in a remote primary Domino Directory.
Deciding which servers should use primary Domino Directories: The administration server for the
Domino Directory must store a primary Domino Directory. For failover, at least one other server in the
domain should store a primary Domino Directory. There may be additional servers that require primary
Domino Directories as well, depending on network bandwidth and stability, server usage patterns and
locations, and so forth. You may want servers that use primary Domino Directories that function as
remote primaries to be within a cluster to provide failover and workload balancing.
If there is a network congestion point in the domain, at least one server on each side of the congestion
point should have a primary Domino Directory that functions as a remote primary.
Using a combined central and distributed directory architecture: You can use a hybrid directory
architecture within one domain. For example, suppose at a company’s headquarters there are multiple
servers connected via fast network connections. There are also smaller remote offices that have limited
network bandwidth but are within the same domain. Servers at corporate headquarters can use the
central directory model that includes a combination of primary Domino Directories and Configuration
Directories, while the remote satellite offices can continue to use the distributed directory architecture in
which each server stores a primary Domino Directory.
Note: Do not mix servers with Configuration Directories and servers with primary Domino Directories in
the same cluster. This can cause users to encounter server authentication and database authorization
problems. All servers in a cluster should be configured to use the same type of directory.
Using a combined primary Domino Directory and Extended Directory Catalog: Although not a typical
configuration, you can integrate an Extended Directory Catalog with a primary Domino Directory to
collect users and groups from the primary domain and secondary domains into one directory database. A
server that stores a Configuration Directory can use this combination directory on a remote server as a
remote primary Domino Directory.
When you use this combination directory, all the users from the aggregated secondary directories are
automatically trusted for authentication, and all the groups can be used in database ACLs for database
authorization.
For more information on integrating an Extended Directory Catalog with a primary Domino Directory,
see the chapter ″Setting Up Directory Catalogs.″
Changing the directory type of a Domino Directory: The first server set up in a domain is always set
up with a primary Domino Directory. When you set up an additional server in the domain, you choose
whether to set up the replica of the Domino Directory on the server as a Configuration Directory or as a
primary Domino Directory. The default selection is a primary Domino Directory.
After server setup, you can change the directory type. After you change directory type, the
Administration Process generates a ″Store Directory Type in Server Record″ request to change the value
of the Directory Type field on the Basics tab of the Server document.
Note: Do not change the primary Domino Directory on the administration server to a Configuration
Directory.
1. From the Domino Administrator, connect to the server that stores the replica of the Domino Directory
you want to change.
2. Click the Files tab.
3. Select the Domino Directory, and then double-click.
4. Choose File - Replication - Settings, and change the replication settings for the directory as follows:
a. Click Space Savers in the Replication Settings dialog box.
b. Next to Include, select ″Configuration Documents only.″
c. Click OK.
5. Use the server command Replicate to replicate the Domino Directory that has the changed settings
with a primary Domino Directory on another server. Do a push-pull replication.
6. Restart the server that stores the Domino Directory replica you changed.
Controlling how a server finds a remote primary Domino Directory to use: To locate a remote primary
Domino Directory, a server with a Configuration Directory can use a default logic or can use a directory
replica specified through directory assistance.
The default logic to locate a remote primary Domino Directory: The Directory Servers view in a Domino
Directory list the replicas of the primary Domino Directories in the domain that are available for use as
remote primary directories by servers with Configuration Directories. The views sort these replicas
alphabetically by their server names.
Setting up directory assistance to locate a primary Domino Directory: You can use directory assistance rather
than the default logic to control which remote primary Domino Directory replicas in a domain servers
with Configuration Directories use. For example, if servers with primary Domino Directories are in a
cluster, you can use directory assistance to use cluster failover to locate the primary Domino Directory
replicas.
To create a Directory Assistance document in a directory assistance database that servers with
Configuration Directories use:
1. Make sure you have set up a directory assistance database on servers with configuration Domino
Directories.
2. From the Domino Administrator, connect to a server that is set up to use the directory assistance
database.
3. Click the Configuration tab.
4. Expand Directory and select Directory Assistance.
5. Click ″Add Directory Assistance.″
6. On the Basics tab, do the following:
a. Next to Domain Type, select Notes.
b. Next to Domain Name, enter the domain of the servers that store the remote primary Domino
Directories. This domain should be the same domain as that of the servers with configuration
Domino Directories.
c. Next to Search Order, select 1.
d. Next to Group Authorization, select No. A server can always use groups in a primary Domino
Directory replica to authorize database access, regardless of what you select for this option. Select
No to reserve the use of the Group Authorization option for a secondary directory.
7. On the Replicas tab do one of the following:
v If the servers that store the primary Domino Directories are clustered, to user cluster failover
specify one replica within the cluster. If that replica is unavailable, cluster failover takes effect
automatically. To use cluster failover, specify only one replica in the cluster.
v If the servers that store primary Domino Directories are not clustered, for failover specify at least
two replicas of the primary Domino Directories to use.
Note: A server always trusts the primary Domino Directory for client authentication, so it is not
necessary to enable a trusted rule in the Directory Assistance document.
For more information on directory assistance, see the chapter ″Setting Up Directory Assistance.″
Preventing the use of a Domino Directory replica as a remote primary: Do the following to prevent
servers with Configuration Directories from using a specific replica of the Domino Directory as a remote
primary. You can prevent a replica from being used only when servers with Configuration Directories use
Showing the Domino Directory replicas that can function as remote primaries: The Directory Servers
view in the Domino Directory lists the primary Domino Directories that are in the domain and that have
the option ″Allow this directory to be used as a remote primary directory for other servers″ selected on
the Basics tab of their Server documents. The Central Directories view sorts the primary Domino
Directory replicas by server name.
1. From the Domino Administrator, in the server pane on the left, select any server in the domain. If you
don’t see the server pane, click the servers icon.
2. Click the Files tab and open the Domino Directory.
3. Select the view Servers - Directory Servers.
Tip: Use the Show Xdir command on a server that uses a Configuration Directory to show the remote
primary Domino Directory replica the server last used.
Note: The default access for the -Default- entry allows users only to change some of the fields in their
Person documents.
The Domino Directory ACL includes Creator and Modifier roles that you assign to administrators so they
have the authority to create and edit specific types of documents. By assigning one or more roles along
with general access levels, you can limit an administrator’s access to some types of documents but allow
greater access to other types of documents.
Roles are useful when groups of administrators have specialized responsibilities. If all of the
administrators in your organization have identical administrative responsibilities, assign them to all roles.
The access defined in the ACL by a role never exceeds a general access level. For example, even if you
give the UserCreator role to an administrator who has Reader access in the ACL, the administrator
cannot use the Create menu to create Person documents.
For more general information on roles in an ACL, see the chapter ″Controlling User Access to Domino
Databases.″
Creator roles: Assign creator roles to control who can create documents in the Domino Directory. To
create documents in the Domino Directory, administrators must have:
v The ″Create documents″ privilege
v The Creator role that corresponds to the type of document being created
Role Allows
GroupCreator Administrators to create Group documents
NetCreator Administrators to create all documents except Person, Group, Policy, and
Server documents
PolicyCreator Administrators to create Policy documents
ServerCreator Administrators to create Server documents
UserCreator Administrators to create Person documents
CAUTION:
Assigning Creator roles does not provide true security because Domino sometimes ignores Creator
roles when administrators add documents to the directory programmatically.
Modifier roles: Rather than assigning Editor access which allows administrators to modify all
documents, assign administrators Author access along with one or more Modifier roles to control the
types of documents they can edit. For example, assign the UserModifier role to administrators who are
responsible for managing users. Unlike Creator roles, Modifier roles are a true security feature.
Role Allows
GroupModifier Administrators to edit Group documents
NetModifier Administrators to edit all documents except Person, Group, Policy, and
Server documents
Domino Directory
Most types of documents in the Domino Directory contain an Administration tab with an Administrators
field on it. To allow an administrator who has Author access to the directory to modify a single
document, enter the administrator’s name in the Administrators field.
1. From the Domino Administrator open the server that stores the Domino Directory you want to
change.
2. Click the Files tab and open the Domino Directory.
3. Open any document and click Edit.
4. Click the Administration tab.
5. In the Administrators field, enter the names of individual administrators or the name of a group of
administrators who can edit this document.
Note: The designated administrator(s) cannot modify the Owner or Administrator fields even though
they have access to edit the document. For a group document, the designated administrators can edit
only the Group Members field.
6. Click Save & Close.
Corporate hierarchies
You can categorize a Person document in the Domino Directory by a corporate hierarchy. When a Notes
user clicks the Address button to select the name in the Person document from a Domino Directory, or
uses the Find People search tool to find the name, the user can view the name by the assigned Corporate
Hierarchy.
You can categorize user names in any way you want in a corporate hierarchy. For example, you might
categorize users by company division:
Marketing
Kaplan, Judy
Spera, Phyllis
Burke, Kathy
Murphy, Bob
Marketing
Design
Spera, Phyllis
Planning
Kaplan, Judy
Hardware
Burke, Kathy
Software
Murphy, Bob
You can assign a user to up to four corporate hierarchies. For example, in addition to categorizing a user
by company division, you could also categorize the user by geographic location:
Boston
Spera, Phyllis
Marketing
Design
Spera, Phyllis
For example, to categorize the user Judy Kaplan this way, with no personal ranking:
Marketing
Kaplan, Judy
Philadelphia
Kaplan, Judy
fill out the Corporate Hierarchy Information tab in her Person document like this:
To use Desktop settings, Setup settings, or a User Setup Profile to automate the setup:
1. Create a Desktop settings, Setup settings, or User Setup Profile document in the Domino Directory.
For information, see the chapter ″Using Policies.″
2. Enter the name of the directory server in the Directory server field in the Basics tab of the document.
3. Click Save & Close.
Alternatively, a user can add the name of a directory server manually in the ″Domino directory server″
field which is on the Servers tab of a Location document in the Personal Address Book.
Field Enter
Domain defined by this Domino The name of the Domino domain for this directory. Domino completes this
Directory field automatically as part of first server setup.
Condensed server directory catalog The file name for a condensed Directory Catalog used by servers in the
for domain domain. As an alternative to using this field, you can specify the file names for
individual condensed Directory Catalogs in the ″Directory catalog database
name on this server″ field in the Basics section of Server documents. Setting up
a directory catalog is optional.
Sort all new groups by default Choose one:
v Yes to display the members of a new group in alphabetical order.
v No (default) to display members of a group in the order in which you add
them. If you select No, you can still override this option and alphabetize
members of a specific group.
Use more secure Internet Choose one:
Passwords v Yes (default) to use strong encryption for Internet passwords.
v No to use less secure encryption available with previous releases of Domino.
Allow the creation of Alternate Choose one:
Language Information documents v Yes (default) to allow you to create Alternate Language Information
documents that enable LDAP clients to search for user information in an
alternate language.
v No to prevent the creation of Alternate Language Information documents.
List of administrators who are Enter the names of users who can create Cross Domain Configuration
allowed to create Cross Domain documents to allow the Administration Process to submit requests between
Configuration documents in the Domino domains.
Administration Process Requests
database
Schedule the Administration Requests database (ADMIN4.NSF) to replicate as frequently as you replicate
the Domino Directory. The Administration Process, which simplifies some administration tasks, uses the
Administration Requests database and the Domino Directory to do its work. If the Domino Directory is
large, create a Connection document to schedule replication of only the Domino Directory and the
Administration Requests database.
For information on scheduling replication between servers, see the chapter ″Creating Replicas and
Scheduling Replication.″ For information on the Administration Process, see the chapter ″Setting Up the
Administration Process.″
For more information on the ldapsearch utility, see the chapter ″Using the ldapsearch Utility.″
Running the LDAP task on a server enables the LDAP service to process LDAP client requests.
In addition to the LDAP service, Domino and Notes offer these LDAP features:
v Notes client support for LDAP. For more information, see Notes 7 Help.
7
519
schema daemon spawned by the LDAP task on the administration server uses the Domino LDAP Schema
database to propagate schema changes to any other servers in the domain that run the LDAP service. The
LDAP task on the administration server for the LDAP service domain Domino Directory also verifies the
directory tree to ensure the LDAP service complies with the standard LDAP requirement that each part of
a distinguished name has an entry in the directory that represents the name part as an object class.
For information on the schema daemon, see the chapter ″Managing the LDAP Schema.″ For more
information on directory tree verification, see the next topic.
In addition to using its primary Domino Directory for processing LDAP requests, the LDAP service can
extend LDAP request processing to directory catalogs and secondary Domino Directories, and can refer
LDAP clients to remote LDAP directories, if processing is unsuccessful in any Domino Directory or
directory catalog.
By default the LDAP task listens for LDAP client requests over TCP/IP port 389, and accepts both
anonymous connections, and connections that bind using name-and-password security. The LDAP service
can also listen for requests over an SSL port, usually port 636. The LDAP service can accept requests over
the SSL port from anonymous LDAP clients, and from LDAP clients authenticated using
name-and-password security and/or X.509 certificates.
To search for an entry specified in an LDAP request, the LDAP service does either a view lookup or a
full-text search, depending on the search filter specified in the request. Views lookups are typically faster
than full-text index searches.
Note: The LDAP service always does a full-text search to locate information in a condensed Directory
Catalog set up on the server.
When an LDAP search filter specifies a name or mail attribute, the LDAP service uses views to quickly
locate entries. The PUBNAMES.NTF template design property for these hidden views has ″Universal″
with ″Unicode standard sorting″ selected for the sort order. Unicode provides a unique definition for
every character an LDAP client can specify regardless of the language configured on the client. Using
Unicode sorting, the LDAP service can accurately process LDAP requests specified in different languages
when using these views.
If an LDAP search filter searches for an attribute other than a name or mail attribute, the LDAP service
searches the full-text index, if one exists. If no full-text index exists, the LDAP service uses a view, but the
search will take longer than the full-text index search.
Note: The first value in the FullName field defines the distinguished name for any entry in the Domino
Directory except a Domino Group or Domino Server; the first value in the ListName field defines the
distinguished name for a Domino Group, and the first value in the ServerName field defines the
distinguished name for a Domino Server.
These messages indicate that the LDAP service is verifying that each part of a Notes-style distinguished
name in a document in the directory has a separate document to define the name part. If the LDAP
service detects that a part of a name is missing such a corresponding document, it creates one in a
hidden view. Creating an additional document in this way ensures that LDAP clients can always use
subtree searches to find the original document.
If the server running the LDAP service is the administration server for a Domino Directory or Extended
Directory Catalog, the LDAP service can verify the directory tree. The LDAP service does not verify the
directory tree for a Configuration Directory or for a condensed Directory Catalog.
The LDAP service can create three types of documents, depending on which part of a Notes
distinguished name is missing one: country, organizationalUnit, and organization documents. The LDAP
service adds such a document when:
v A Notes user name is registered with a unique organizational unit that is not controlled by a certifier.
In this case, the LDAP service creates an organizationalUnit document.
v A Notes user name is registered with a country part. In this case, the LDAP service creates a country
document.
v An administrator creates a document manually that contains a Notes-style distinguished name with an
organizational unit or organization that doesn’t correspond to a Notes certifier document. In this case,
the LDAP service creates an organizationalUnit or an organization document.
Directory tree verification applies only to the distinguished names of documents are added and visible
through Notes, since entries added through the LDAP protocol always have an object class defined for
each distinguished name part.
Running directory tree verification manually: You can run directory tree verification manually, for
example if you’ve added documents to a directory since you last started the LDAP service. To run
directory tree verification manually, enter this command from the Domino Directory administration
server:
Tell Ldap VerifyDIT
Finding the documents that directory tree verification creates: To find the documents created by
directory tree verification, use an LDAP client and specify the following search filter:
"creatorsname=servername"
where servername is the name of the name of the Domino that created the documents. Specify the name in
LDAP format, for example:
″creatorsname=cn=westserver,o=acme″
How the LDAP service forms a value for the mail attribute
To return to value for the mail attribute for a Person, Group, Mail-In Database, or Resource document, the
LDAP service searches for the following:
1. A fully formed Internet address in one of these fields, in the order indicated:
a. Internet Address (InternetAddress)
b. Short Name (ShortName) -- If the ″Internet Address Lookup″ field on Conversions tab of a Global
Domain document is disabled, the LDAP service doesn’t look for a short name.
c. Forwarding address (MailAddress) -- ″Forwarding address″ is the label for this field for Notes mail
users, but the label is different if another mail system is specified for a user.
2. Rules specified below the ″Internet address lookup″ field in the SMTP Address Conversion section on
the Conversions tab of a Global Domain document. If your organization uses more than one Global
Domain document, you must select ″Yes″ in the ″Use as default Global Domain″ field of the Global
Domain document you want to use.
Note: If an extended ACL denies an LDAP access to the LDAP mail attribute or the corresponding
Domino InternetAdress field, the LDAP service does not follow the above steps to derive an address for
the entry to return to the LDAP user.
For more information, see the chapter ″Setting Up the Domino Network.″
For information on the NOTES.INI file and on server commands, see the appendices.
Preventing the LDAP service on the administration server for the Domino
Directory from processing LDAP client requests
You can prevent the administration server for the Domino Directory from processing LDAP requests, and
leave this processing to another server or servers in the domain that run the LDAP service. Prevent the
administration server from LDAP request processing, for example, if the LDAP ports on the
administration server conflict with the operating system. When you disable the LDAP ports on the
Domino Directory administration server, the LDAP service on the server continues to run the schema
daemon and verify the directory tree for the domain, but does not accept LDAP client requests.
For more information, see the topic ″NOTES.INI settings for the LDAP service″ later in the chapter.
Except where noted in the table, restarting the LDAP task or the Domino server is unnecessary after
changing a setting because the task checks for setting changes automatically, by default at three-minute
intervals. You can use the NOTES.INI setting LDAPConfigUpdateInterval to change the interval at which
the LDAP service checks for changes to its settings.
Default: no limit
Default: 1
″Allow Alternate Controls whether LDAP users can do alternate See the topic ″Enabling LDAP alternate
Language Information language searches language searches.″
processing: 4
Default: not allowed
″Enforce schema?″ 4
Controls whether directory modifications See the topic ″Enabling or disabling
through LDAP must conform to the schema schema-checking.″
Default: 1
″Activity Logging Controls the size of the information Activity See the topic ″Limiting the amount of
truncation size″ 4 Logging can log for an LDAP Add or Modify attribute information logged for LDAP
operation Add and LDAP Modify activity.″
1
Set in the Server document of each server that runs the LDAP service. To configure authentication
options for the ports enabled in a Server document, you can instead use a Directory Site document. Using
the site document to configure authentication options is required in a hosted organization environment.
2
Alternatively, use the database ACL/extended ACL to specify anonymous LDAP search access.
3
Set in the domain Configuration Settings document of each Domino Directory and Extended Directory
Catalog the LDAP service serves. Each directory can have different settings.
4
Set in the domain Configuration Settings document of the primary Domino Directory of the servers that
run the LDAP service in a domain. Setting applies to the LDAP service running on any server in the
domain.
For information on the ″Activity Logging truncation size″ setting, see the chapter ″Setting Up Activity
Logging.″ For information on the ″Enforce schema?″ setting, see the chapter ″Managing the LDAP
Schema.″
Note: To authenticate using name-and-password security some LDAP clients -- for example Microsoft
Internet Explorer and Notes clients with LDAP accounts -- first do an anonymous search to retrieve the
distinguished names used for the authentication, so that users don’t have to specify the distinguished
names themselves. To enable such clients to authenticate using names and passwords, you must enable
anonymous access, as well as name and password authentication, for the LDAP service port the clients
use to connect. You must also allow anonymous read access to the attribute(s) the clients use to search
the directory anonymously to retrieve the distinguished names. Attributes typically searched for are cn,
uid, sn, givenname, or mail.
Follow these steps to change the LDAP service port and port security configuration on a specific server
that runs the LDAP service:
1. From the Domino Administrator, click the Configuration tab.
2. In the left pane, expand Server and open the Server document for the server that runs the LDAP
service.
3. Click Edit Server.
4. Click the Ports - Internet Ports - Directory tab.
Note: If you are administering a hosted organization environment, an asterisk (*) in the following
tables indicates options you must specify instead in a Internet Site document. In a non-hosted
organization environment, you can use the Internet Site document, but you aren’t required to.
For information on using Internet Site documents, see the chapter ″Installing and Setting Up Domino
Servers.″
5. To change the TCP/IP port configuration for the LDAP service, complete these fields:
Field Enter
TCP/IP port number Choose 389 (default) to use the industry standard port for LDAP connections
over TCP/IP. You can specify a different port, but 389 works in most situations.
TCP/IP port status Choose one:
v ″Enabled″ (default) to allow LDAP clients to connect to the server without
using SSL.
v ″Redirect to SSL″ to direct LDAP clients connecting without using SSL to use
SSL instead. The LDAP service returns a message to LDAP clients indicating
that they must connect over SSL.
v ″Disabled″ to prevent LDAP clients from connecting using the TCP/IP port.
Enforce server access settings Choose one:
v Yes to apply the ″Access server″ and ″Not access server″ settings set in the
Server Access section on the Security tab of this Server document to
authenticated LDAP clients connecting to the LDAP service over the TCP/IP
port.
v No (default) to specify that the LDAP service ignore the Server Access
settings.
Authentication options: Name & If the ″TCP/IP port status″ field is set to Enabled, choose one:
Password* v Yes (default) to allow LDAP clients to use name-and-password authentication
when connecting using the TCP/IP port.
v No to prevent LDAP clients from using name-and-password authentication
when connecting using the TCP/IP port.
For more information on server access settings, see the chapter ″Controlling Access to Domino
Servers.″ For more information on the authentication options, see the chapter ″Setting Up
Name-and-Password and Anonymous Access to Domino Servers.″
6. To change the SSL port configuration for the LDAP service, complete these fields:
Field Enter
SSL port number Choose 636 (default) to use the industry standard port for LDAP connections
over SSL. You can specify a different port, but 636 works in most situations.
SSL port status Choose one:
v ″Enabled″ to allow LDAP clients to connect to the LDAP service over SSL.
v ″Disabled″ (default) to prevent LDAP client connections over SSL.
Authentication options: Client If ″SSL port status″ is set to Enabled, choose one:
certificate* v Yes to allow LDAP clients to use client certificate authentication when
connecting.
v No (default) to prevent the LDAP service from using client certificate
authentication.
Authentication options: Name & If the ″SSL port status″ field is set to Enabled, choose one:
password* v Yes to allow LDAP clients to use name-and-password authentication when
connecting to the LDAP service over SSL.
v No (default) to prevent LDAP clients from using name-and-password
authentication over SSL.
Authentication options: If the ″SSL port status″ field is set to Enabled, choose one:
Anonymous* v Yes (default) to allow LDAP clients to connect to the LDAP service
anonymously over SSL.
v No to prevent anonymous SSL connections.
For more information on the authentication options, see the chapters ″Setting Up Clients for S/MIME
and SSL″ and ″Setting Up Name-and-Password and Anonymous Access to Domino Servers.″
7. Click Save & Close.
8. If you made the changes on a different server than the one for which you are configuring the LDAP
service, replicate the changes to the server that runs the LDAP service.
9. Enter the following command on the server that runs the LDAP service to put the changes into effect:
Restart Task LDAP
Note: The LDAP service always searches the full-text index to find information in a condensed Directory
Catalog set up on the server.
You specify anonymous search access separately for each directory the LDAP service serves.
Note: Always use the directory database ACL, optionally with an extended ACL, to control directory
access for authenticated LDAP users, and to prevent anonymous LDAP users from modifying the
directory.
Domain Configuration Settings document: The ″Choose fields that anonymous users can query via
LDAP″ setting on the LDAP tab of a domain Configuration Settings document in a Domino Directory or
Extended Directory Catalog is the default method used to determine search access for anonymous LDAP
users. The LDAP service uses the default settings in this document as the default anonymous search
access, even if you do not create the document.
You can modify the ″Choose fields that anonymous users can query via LDAP″ setting to customize
search access for anonymous LDAP users.
Database ACL/Extended ACL: You can use the database ACL along with an extended ACL to define
anonymous LDAP search access to a directory, rather than use the domain Configuration Settings
document.
For information on extended ACLs, see the chapter ″Setting Up Extended ACLs.″
Choosing which method to use: The database ACL/extended ACL is a more flexible method of
controlling anonymous LDAP search access than the domain Configuration Settings document. For
example, when you use the domain Configuration Settings document to allow or deny access to an
attribute, the access applies to all entries that contain the attribute. However, when you use the database
ACL/extended ACL, you can deny access to an attribute contained in entries at a particular branch of the
However, there are implications to using extended access that don’t apply to the use of the domain
Configuration Settings document. For example, after you enable extended access, you can make directory
changes only on a directory replica located on a Lotus Domino 6 or later server. You cannot make such
changes on releases earlier than Domino 6. ACL method also causes database security to be enforced for
Notes namelookups, such as type-ahead lookups. If the domain Configuration Settings document method
is adequate for your needs, it may make sense to use it instead.
Anonymous LDAP search access and upgrades from previous releases: If you upgrade a server from a
pre-Domino 6 release to Domino 6 or later, the LDAP service uses the LDAP anonymous access
configuration from the previous release. If you create or edit the domain Configuration Settings
document after updating the directory with the Lotus Domino 6 PUBNAMES.NTF design, the list of
attributes allowed for anonymous access include the following attributes not listed in previous releases:
These attributes were not listed in previous releases because you could not prevent anonymous LDAP
access to them -- in previous releases anonymous LDAP users always had search access to these
attributes. Starting with Lotus Domino 6, you can deny anonymous LDAP search access to the attributes
above, although they are allowed for anonymous search access by default to be consistent with the
anonymous search behavior of previous releases.
Using the domain Configuration Settings document to customize anonymous LDAP search access to a
directory: To use the domain Configuration Settings document to customize anonymous LDAP search
access to a specific Domino Directory or Extended Directory Catalog served by the LDAP service, first
open the document, then configure anonymous search access.
Step 1: Open the domain Configuration Settings document in the directory: To open the domain Configuration
Settings document for the primary Domino Directory:
1. From the Domino Administrator, open a server within the domain that runs the LDAP service.
2. Click the Configuration tab.
3. In the left pane, expand Directory, then LDAP, and then select Settings.
4. Do one of the following:
If you see the prompt ″Unable to locate a Server Configuration document for this domain. Would you
like to create one now?″ click Yes, then click the LDAP tab on the document.
If you do not see the prompt, click ″Edit LDAP Settings.″
To open the domain Configuration Settings document for a secondary Domino Directory or an Extended Directory
Catalog:: To open the domain Configuration Settings document in a Domino Directory that is not the
directory for a domain, or to open the document in an Extended Directory Catalog:
1. From the Domino Administrator, open the directory.
Step 2: Customize anonymous LDAP search access to the directory: After you have opened the domain
Configuration Settings document for the directory, follow these steps to customize anonymous LDAP
search access:
1. Next to ″Choose fields that anonymous users can query via LDAP″ select ″Select Attribute Types″ to
open the LDAP Attribute Type Selection dialog box.
The ″Queriable Attribute Types″ box at the right of the dialog box shows the attributes anonymous
LDAP users can access.
2. To add an attribute to the ″Queriable Attribute Types″ box to allow anonymous LDAP users to access
the attribute:
a. In the Object Classes box, select an object class that contains the attribute.
b. Click ″Display Attributes″ to display in the ″Selectable Attribute Types″ box all the attributes
defined for the selected object class(es).
c. Select the attribute in the ″Selectable Attribute Types″ box that you want to allow anonymous
LDAP users to access, and click Add to add the attribute to the ″Queriable Attribute Types″ box.
You can select more than one attribute.
Or, to add all the attributes listed in the ″Selectable Attribute Types″ box, click Add All.
When you allow anonymous access to an attribute, the access applies to all object classes for which
that attribute is defined.
3. To remove an attribute from the ″Queriable Attribute Types″ box to prevent anonymous LDAP users
from accessing the attribute, select the attribute and click Remove. Or, to remove all attributes, click
Remove All.
Tip: To revert the ″Queriable Attribute Types″ box to the attributes the LDAP service allows for
anonymous LDAP access by default, click ″Use Default Values.″
4. Click OK to close the LDAP Attribute Type Selection dialog box.
5. Click Save & Close to save the changes in the Configuration Settings document.
6. Do the following for each server in the domain that runs the LDAP service:
a. If you made the changes to a Domino Directory replica on a different server, replicate the changes
to the server.
b. Enter the following command on the server to put the changes into effect:
Restart Server
Converting the default anonymous access settings to database ACL and extended ACL settings: As
soon as you select the advanced ACL option ″Enable Extended Access″ for a directory served by the
LDAP service, the ″Choose fields that anonymous users can query via LDAP″ setting stops controlling
anonymous LDAP search access and is no longer visible in the domain Configuration Settings document.
Note: If you disable ″Enable Extended Access″ in a directory ACL, the default settings in the ″Choose
fields that anonymous users can query via LDAP″ setting in the domain Configuration Settings document
resume control of anonymous LDAP search access for the directory.
You control LDAP write access separately for each directory. For example, you could enable write access
for the primary Domino Directory, and leave write access disabled for an Extended Directory Catalog.
Note: You cannot enable LDAP write access to a condensed Directory Catalog served by the LDAP
service.
Keep the following points in mind if you enable LDAP write access for a directory:
1. Domino does not provide a tool for doing LDAP write operations, you must develop or obtain one.
2. If you allow LDAP write access, use the directory database ACL, and optionally, extended ACL, to
control the directory changes that LDAP users can make.
3. Enable schema checking for the LDAP service to require that directory changes made via LDAP
conform to the directory schema. By default schema checking is disabled, if you allow LDAP write
operations, enabling it is recommended to maintain consistent directory contents.
4. The Administration Process server task doesn’t respond to LDAP write operations. For example, if an
LDAP user deletes a Person document, the Administration Process can’t delete the associated user
name from database ACLs.
5. The LDAP service can carry out an LDAP write operation in a secondary Domino Directory or
Extended Directory Catalog only if that directory is stored locally on the server that runs the LDAP
service. If the LDAP service receives a write operation request for a Domino Directory on a remote
server, it sends an LDAP referral to the client. The LDAP service refers the client to the administration
server for the directory. If there is no administration server specified, it refers the client to the remote
server that stores the directory. The client must then follow the referral itself.
Note: If you enable LDAP write access to a secondary Domino Directory, do not use a condensed
Directory Catalog that aggregates that directory on a server that runs the LDAP service.
6. The distinguished names of directory entries are limited to 256 characters. Distinguished names do
not have to conform to the standard Notes naming model of organizational unit (ou), organization (o),
and country (c). For example, distinguished names such as these are acceptable:
v dn: cn=Jay Walker + uid=123456,u=Sales,o=Widget Inc.,c=GB
v dn: foo=Bar, o=Acme
v dn: cn=L. Eagle,o=Sue\, Grabbit and Runn,c=GB
Names such as these are recommended primarily for entries that are accessed through LDAP only,
since Notes users may find them confusing.
7. Prior to doing batch adds of 100 or more directory entries, you can use the NOTES.INI setting
LDAPBatchAdds to process the additions more quickly. Disable the setting when the batch adds are
complete.
8. You can’t modify the value of an entry’s structural object class attribute.
Enabling or disabling LDAP write access to a directory served by the LDAP service: By default, the
LDAP service does not allow LDAP clients to modify the directories the LDAP service serves. If you
To enable or disable LDAP write access to the primary Domino Directory of the LDAP service, or to a
secondary Domino Directory or Extended Directory Catalog the LDAP service serves:
1. From the Domino Administrator, open the directory for which you want to enable write access.
2. Select the Servers - Configurations view.
3. If you do not see a domain Configuration Settings document in the view, a document named * - [All
Servers], skip to step 4. If you see this document, do the following:
a. Open the document
b. Click the LDAP tab.
c. Click Edit Server Configuration.
4. If you do not see a domain Configuration Settings document in the view, create one by doing the
following:
a. Click Add Configuration.
b. On the Basics tab select Yes next to ″Use these settings as the default settings for all servers.″
c. Click the LDAP tab.
Tip: If you are enabling write access for the primary Domino Directory in the domain, a shortcut for
steps 2-4 is: from the Domino Administrator open the server that stores the directory; click the
Configuration tab; in the left pane expand Directory, then LDAP, and then select Settings; click Edit
LDAP Settings.
1. Next to ″Allow LDAP users write access″ choose one:
v Yes to allow directory changes via LDAP.
v No (default) to prevent directory changes via LDAP.
2. Click Save & Close.
3. For each server in the domain that runs the LDAP service, do the following:
a. If you made the changes to a Domino Directory replica on a different server, replicate the changes
to the server.
b. Enter the following command on the server to put the changes into effect:
Restart Server
4. If you enabled LDAP write access, set up the database ACL, and optionally extended ACL, to specify
the directory contents that LDAP users can modify.
For more information, see the chapters ″Setting Up the Domino Directory″ and ″Setting Up Extended
ACLs.″
Note: If you want to allow users to modify documents in the directory, you must have the
″Maximum Internet name-and-password access″ setting, found in the Advanced pane of the database
Access Control dialog box, set to Editor access or higher.
For more information on this ACL setting, see the chapter ″Controlling User Access to Domino
Databases.″
5. Configure how the LDAP service responds when it finds more than one occurrence of a name
specified in an LDAP write operation.
To specify the ″Rules to follow when this directory is the primary directory and there are multiple
matches on the distinguished name being compared/modified″ for all servers in the domain that run the
LDAP service:
1. From the Domino Administrator, open the server that runs the LDAP service, or a server in the same
domain as the one that runs the LDAP service.
2. Click the Configuration tab.
3. In the left pane, expand Directory, then LDAP, and then select Settings.
4. Do one of the following:
If you see the prompt ″Unable to locate a Server Configuration document for this domain. Would you
like to create one now?″ click Yes, then click the LDAP tab on the document.
If you do not see the prompt, click ″Edit LDAP Settings.″
5. In the ″Rules to follow when this directory is the primary directory and there are multiple matches on
the distinguished name being compared/modified″ field, choose one to specify how the LDAP service
responds in the two situations described above:
Note: If a directory is stored on a remote server, the LDAP service can send an LDAP referral to the
client but cannot process the add operation remotely itself.
The following table provides examples of how the LDAP service processes add operations as a result of
the above directory assistance configuration and different selections for the ″Rules to follow when this
directory is the primary directory and there are multiple matches on the distinguished name being
compared/modified″ LDAP service setting.
Directory or
directories to
″Rules to follow...″ which entry
Name of entry being added setting added Explanation
cn=Kate N/A Domain D Domain D directory is the only
Power,ou=DomainD,o=Acme directory with a rule that most
specifically matches a name added
cn=John Modify first match Domain B Rules for Domain B and C both
Ashby,ou=DomainC,o=Acme match the name being added;
entry added to Domain B because
it has lower search order than
Domain C.
cn=John Modify all matches Domains B & C Rules for Domain B and C both
Ashby,ou=DomainC,o=Acme match the name being added;
entry added to both directories.
cn=John Don’t modify any None Rules for Domain B and C both
Ashby,ou=DomainC,o=Acme match the name being added;
entry not added.
″Timeout″ and ″Maximum number of entries returned″: By default, LDAP service takes as long as
necessary to process searches, and returns all entries it finds that match the search criteria. If LDAP
service performance is slow, consider using the ″Timeout″ and ″Maximum number of entries returned″
fields on the LDAP tab of a domain Configuration Settings document to set limits on the length of
searches and the number of entries returned. If the LDAP client that sends a request also specifies limits,
whichever setting is lower takes precedence.
″Minimum characters for wildcard search″: Specify the minimum number of characters that users must
place before the first wildcard in a search filter when the wildcard is combined with a substring. The
default is 1 character. If you increase this value, users must provide more specific substring search filters,
If a filter begins with a wildcard followed by a substring, the LDAP service removes the initial wildcard
(unless ″Minimum characters for wildcard search″ is set to 0), then uses what remains as the search filter.
For example, if the option is set to 2 and a user specifies the filter sn=*br*, the LDAP service uses the
filter br* to process the search. However, if a user specifies the filter *b*, the LDAP service rejects the
search request because after the first wildcard is removed, b*, which is the remaining search filter,
contains only one character before the (now) first wildcard.
Note: The ″Minimum characters for wildcard search″ option doesn’t apply to search filters that use only
a wildcard as a value, for example, a search filter such as sn=* is always allowed. Because this kind of
filter searches only for the presence of an attribute, not for an attribute value, it does not have the search
performance implications associated with wildcards in substring searches. To control the number of
entries returned as the result of a presence search filter, use the ″Maximum number of entries returned″
option to set a maximum number of entries that the LDAP service can return.
Field Enter
Timeout The maximum time, in seconds, allowed for LDAP client searches;
default is 0. For example, specify 60.
Maximum number of entries returned The maximum number of directory entries the LDAP service
returns to LDAP clients as search results; default is 0, meaning that
there is no limit. For example, specify 100.
Minimum characters for wildcard search The minimum number of characters that must precede the first
wildcard in a search filter when the wildcard is combined with a
substring; default is 1.
Many LDAP clients do not support language tags in search queries. Such LDAP clients can specify, for
example, ″givenName=Etienne″ to find an entry with ″givenName;lang-fr=Etienne″ defined.
To enable LDAP alternate language searches, configure the LDAP service to allow them, and add the
language tags to entries. Use an Alternative Language Information document in the Domino Directory to
add language tags to a Person document. Use LDAP add and modify operations to add language tags to
any other type of entry.
Using an Alternative Language Information document to define language subattributes for a Person
document: To add LDAP language tags for a specific language to a Person document (dominoPerson
entry), create an Alternative Language Information document that is associated with the Person
document. The Alternative Language Information document contains a subset of the fields in the Person
document, for which you assign values in the alternate language. You can create multiple Alternative
Language Information documents for one Person document. You can create Alternative Language
Information documents in any Domino Directory that the LDAP service serves.
To add LDAP language tags for a specific language to a Domino Person document:
1. From the Domino Administrator, open the Domino Directory that contains the Person document.
2. Click the People & Groups tab.
3. Select People, and open the Person document to which you want to add the language tags.
4. Choose Actions - Add Alternate Language Information.
5. Click the Basics tab, and do the following:
a. In the Language field, select the language to use.
b. Enter values in the selected language for any of the other fields in the Basic tab.
Note: The User name (FullName) field is inherited from the Person document. LDAP uses this as
the distinguished name that identifies the person, and you can’t create an alternate language
version of it.
6. Click the Work/Home tab, and enter values in the selected language for any of the fields in the Work,
Home, and Corporate Hierarchy tabs.
For information on Corporate Hierarchies, see the chapter ″Setting Up the Domino Directory.″
7. Click Save & Close.
Viewing Alternative Language Information documents: To view the Alternative Language Information
documents associated with Person documents:
1. From the Domino Administrator, click the Files tab, and open the Domino Directory.
2. Expand the People view, and select the Alternate Languages view.
If you don’t require distinguished names as logon names for name-and-password security, the ″Internet
authentication″ field on the Security tab of a Server document for a server that runs the LDAP service
controls which client logon names are allowed for name-and-password security.
For more information on name-and-password security, see the chapter ″Setting Up Name-and-Password
and Anonymous Access to Domino Servers.″
To enable or disable the requirement that LDAP users use their distinguished names as log on names
when using name-and-password security when binding to the LDAP service:
1. From the Domino Administrator, open a server that runs the LDAP service, or a server in the same
domain as a server that runs the LDAP service.
2. Click the Configuration tab.
3. In the left pane, expand Directory, then LDAP, and then select Settings.
4. Do one of the following:
v If you see the prompt ″Unable to locate a Server Configuration document for this domain. Would
you like to create one now?″ click Yes, then click the LDAP tab on the document that is created.
v If you do not see this prompt, click ″Edit LDAP Settings.″
5. Next to ″DN Required on Bind?″ choose one:
v Yes to require distinguished names as LDAP client logon names for name-and-password security.
v No (default) to not require distinguished names for client logon names.
6. Click Save & Close.
To support LDAP V2 clients that don’t use UTF-8, you can change the default encoding to prevent the
LDAP service from using UTF-8 character encoding for V2 clients. If you prevent the use of UTF-8
character encoding for LDAP V2 clients, then the LDAP service may sometimes be unable to return
results containing international characters to V2 clients that use UTF-8.
Note: The LDAP service always uses UTF-8 character encoding when returning results with international
characters to LDAP V3 clients, for example, Microsoft Outlook Express clients and Notes clients.
To enable or disable the use of UTF-8 character encoding for LDAP V2 clients for the LDAP service
running on any server in a domain:
1. From the Domino Administrator, open the server that runs the LDAP service, or a server in the same
domain as the one that runs the LDAP service.
2. Click the Configuration tab.
3. In the left pane, expand Directory, then LDAP, and then select Settings.
4. Do one of the following:
For more information on LDAP service referrals, see the chapter ″Setting Up Directory Assistance.″
By default, the LDAP service can return one referral to a client. To configure the number of referrals the
LDAP service running on any server in a domain can return to LDAP clients:
1. From the Domino Administrator, open the server that runs the LDAP service, or a server in the same
domain as the one that runs the LDAP service.
2. Click the Configuration tab.
3. In the left pane, expand Directory, then LDAP, and then select Settings.
4. Do one of the following:
v If you see the prompt ″Unable to locate a Server Configuration document for this domain. Would
you like to create one now?″ click Yes, then click the LDAP tab on the document that is created.
v If you do not see this prompt, click ″Edit LDAP Settings.″
5. Next to ″Maximum number of referrals″ specify the maximum number of referrals the LDAP service
can return to a client.
6. Click Save & Close.
For more information, see the documentation provided with the client.
To use a Setup policy settings document and/or Desktop policy settings document to automate setup of
LDAP accounts for the LDAP service on Notes clients:
1. Make sure you understand policies and how to set them up.
For information, see the chapter ″Using Policies.″
2. If you haven’t already done so, create a Desktop policy settings document or a Setup policy settings
document to use to automate setup of the LDAP accounts.
3. Open the Desktop policy settings document or Setup policy settings document you want to use to
automate setup of the LDAP account.
4. Click the Accounts tab, then complete the following fields:
Field Enter
Inherit Default Accounts Settings from Parent Select to inherit default account settings from parent.
Enforce Default Accounts Settings in Children Select to enforce default account settings in children.
Account Names A descriptive name for the LDAP service account; users see this
name in the list of directories the client can search. If you specify
more than one account -- for example, an account for another
Internet service -- separate account names with commas (,).
Server Addresses The host name of the server running the LDAP service -- for
example, ldap.acme.com.
Protocols LDAP
Use SSL Connection Yes to use SSL; otherwise, No.
The primary Domino Directory of the server running the LDAP service is trusted for client authentication
automatically. You must explicitly trust other directories for client authentication.
For additional information, see the chapters ″Setting Up Directory Catalogs,″ ″Setting Up Directory
Assistance,″ ″Setting Up Name-and-Password and Anonymous Access to Domino Servers,″ and ″Setting
Up Clients for S/MIME and SSL.″
where:
For example, the following query searches for all documents that contain the text ″HR policies″ and then
returns the cn, url, doctitle, docauthor, and dbtitle values for those documents:
"(&(ObjectClass=Document)(Object=*HR policies*))" cn url doctitle docauthor dbtitle
You can use operators with the Object attribute search filter. For example, to find all documents that
contain both the text ″HR policies″ and the text ″1999″ and then return the same set of attributes as the
example above, use this query:
"(&(ObjectClass=Document)(&(Object=*HR policies*)(Object=*1999*)))" cn url doctitle docauthor dbtitle
To search the text of a database, you must have at least Reader access in the ACL of the source database.
enter this server command on a server that runs the LDAP service:
Tell Ldap Showconfig
To show the status of the above settings as well as the status of the LDAP service settings controlled
through the NOTES.INI file, enter this server command:
Tell Ldap showconfig debug
Note: Each statistic listed in the following tables begins with the prefix LDAP. but the tables omit the
prefix. For example, the statistic LDAP.Total LDAP Connections is shown as Total LDAP Connections.
Statistics related to LDAP operations: The following statistics relate to connections made using LDAP.
Statistics calculation begins at LDAP service startup.
Statistics for network activity on the LDAP service ports: The following statistics relate to network
activity over the LDAP service ports since Domino server startup. These statistics can reflect network
activity that does not involve the LDAP protocol, for example activity resulting from telnet requests.
Statistic Description
Sessions.Inbound.Accept.Queue Number of new connections waiting to be serviced by
threadpool
Sessions.Inbound.Active Number of currently running inbound TCP/SSL connections
Sessions.Inbound.Active.SSL Number of currently running inbound SSL connections
Sessions.Inbound.BytesReceived Number of bytes received by all inbound TCP/SSL
connections
Sessions.Inbound.BytesSent Number of bytes sent by all inbound TCP/SSL connections
Sessions.Inbound.Peak Maximum number of concurrent inbound TCP/SSL
connections
RFC Description
2079 Definition of an X.500 Attribute Type and an Object Class to Hold Uniform Resource
Identifiers
2222 Simple Authentication & Security Layer (SASL)
2251 Lightweight Directory Access Protocol (v3)
2252 Lightweight Directory Access Protocol (v3) Attribute Syntax Definitions
2253 Lightweight Directory Access Protocol (v3) UTF-8 String Representation of Distinguished
Names
2254 The String Representation of LDAP Search Filters
2255 The LDAP URL Format
2256 A Summary of the X.500 (96) User Schema for use with LDAPv3
2596 Use of Language Codes in LDAP
2798 Definition of the inetOrgPerson LDAP Object Class
LDAP Schema
A directory entry contains information about a particular entity, for example, a person or a group, and is
associated with a distinguished name. An LDAP schema is a set of rules that define what can be stored
as entries in an LDAP directory. Each LDAP directory has a default schema, which organizations can
customize, or ″extend,″ by adding elements to it. The elements of a schema are attributes, syntaxes, and
object classes. LDAP directory servers provide the ability to enforce the schema to ensure that directory
changes made using LDAP operations conform to it.
Attributes
An attribute defines a piece of information that directory entries contain. For example, some common
attributes for entries related to people are cn (common name), telephoneNumber, and userPassword.
An attribute is either mandatory or optional for a particular type of entry. When an attribute is
mandatory and directory administrators use schema-checking to enforce the schema, administrators must
provide a value for the attribute when they add or modify the entries using LDAP operations. An
attribute can be defined to allow multiple values.
Object classes
An object class defines a set of attributes for a type of directory entry. Two or more object classes in an
object class hierarchy define the attributes for a type of entry. An object class inherits attributes from all
object classes above it in the hierarchy and then adds attributes of its own; for example:
There are three types of object classes: abstract, structural, and auxiliary.
545
Auxiliary object classes
An auxiliary object class adds attributes to another object class, usually a structural object class. An
auxiliary object class is useful for defining a set of attributes used by multiple object classes. An auxiliary
object class usually inherits from the abstract object class top. Object classes can’t inherit attributes from
an auxiliary object class. Instead, you must add an auxiliary object class to each object class that uses it.
Syntaxes
A syntax defines the data format in which an attribute value is stored. Directory String, Integer, and JPEG
are examples of standard LDAP syntaxes.
You can extend the schema to add custom schema elements that your organization needs.
To see detailed information about the Domino LDAP schema, open the Domino LDAP Schema database
(SCHEMA.NSF) on any server that runs the LDAP service.
For information relating to upgrading the LDAP schema, see the Upgrade Guide.
An object class that is not specific to Domino, for example a standard LDAP object class defined in the
LSCHEMA.LDIF file, maps to a form only if you create such a form. For example, the object class
residentialPerson is part of the default Domino LDAP schema, but it has no corresponding form in the
Domino Directory. Therefore by default you can use only LDAP operations to add, search, and modify,
residentialPerson entries. To give Notes and Web users access to these entries, you must you create a
corresponding form following a specific procedure. If you create a corresponding form, residentialPerson
entries are created as documents that are visible to Notes and Web users.
For instructions on creating a form in the Domino Directory that corresponds to an object class, see the
appendix ″Customizing the Domino Directory.″
Domino forms that are not defined as object classes in the default Domino LDAP
schema
The following forms in the Domino Directory are not defined as object classes in the schema because
their designs do not include a field that defines a distinguished name:
v CrossCertificate
v Location
v Server\Configuration Settings
v Server\Connection
v Server\Holiday
v Server\Domain
v Server\User Setup Profile
By default, an attribute that is not Domino-specific does not map to a visible field in the Domino
Directory.
top
person
organizationalPerson
inetOrgPerson
dominoPerson
top
groupOfNames
dominoGroup
While this attribute is fully available to customers deploying a new Domino 7 Domino Directory, those
using existing Domino Directories will need to do the following to make dominoUNID fully available:
1. Reload the LDAP schema by using the tell ldap reloadschema command.
2. In the domain Configuration Settings document of the primary Domino Directory, click ″Select
Attribute Types″ next to the setting ″Choose fields that anonymous users can query via LDAP″. The
LDAP Attribute Type Selection dialog box appears. From here, you can either:
v add the dominoUNID attribute automatically by clicking Use Default Values. All default attributes
for Anonymous users will be selected.
or
v manually add dominoUNID by choosing the wildcard class (*) in the Object Classes drop-down list.
This option is recommended if you have customized your attribute list for Anonymous.
For information on the tell ldap reloadschema command, see the chapter ″Server Commands.″
For more information on customizing anonymous LDAP search access information, see the chapter
″Setting up the LDAP Service.″
The schema daemon ensures that each LDAP service running in the domain uses a schema that is
up-to-date and consistent across servers. The schema daemon runs when the LDAP service first starts,
and then after that at 15-minute intervals by default.
For information on NOTES.INI settings that are available to control the schema daemon, see the topic
″NOTES.INI settings related to the schema daemon″ later in this chapter.
The LDAP service runs by default on the administration server for the Domino Directory. The schema
daemon spawned by the LDAP service on the administration server does the following to maintain the
schema for the domain:
1. Creates the Domino LDAP Schema database (SCHEMA.NSF) from the SCHEMA.NTF template (the
first time the schema daemon runs in this release, and subsequently if the Schema database is ever
deleted).
Note: Be sure the administration server for the Domino Directory is the first server in the domain you
upgrade to Lotus Domino 6 so that it is the server that first creates the Schema database.
2. Builds the schema for the domain into memory by loading information from the following files:
v LDAP-standard schema elements from the local LSCHEMA.LDIF file -- these elements do not
change.
v Forms and fields from the primary Domino Directory, which supply the Domino-specific schema
elements, and optionally, extended schema elements added as forms and fields. For performance
reasons, this step is done only once every 24 hours by default. You can use the NOTES.INI setting
Schema_Daemon_Reloadtime to change the default interval.
v Schema elements from the Extended Documents view of its local Domino LDAP Schema database.
The schema daemon on each subordinate server in the domain that run the LDAP service does the
following:
1. Replicates information from the replica of the Schema database on the administration server for the
Domino Directory to its local Schema database if the two replicas are different.
If the subordinate server doesn’t yet have a local replica of the Schema database and the
administration server is running, it pulls a replica from the administration server. If the administration
server is unavailable, the subordinate server uses a local LSCHEMA.LDIF file and Domino Directory
forms to determine the schema until the administration server is available.
2. The first time it runs, loads the schema published on disk in the All Schema Documents view of its
local Schema database into memory. Subsequently, it compares its in-memory schema to the on-disk
schema published in its local Schema database. If the two are different, updates its in-memory schema
with the more recent schema published in the local Schema database.
Tip: Use the server command Tell LDAP ReloadSchema to manually initiate the steps described above.
Administrators use the Schema database to learn about the schema and to extend the schema.
Administrators can access the Schema database from a Lotus Notes 7, Lotus Notes 6, or Web browser
client, and can use the Schema database to extend the schema from a Lotus Notes 6 or Web browser
client.
Each of these views included sub-views for object classes, attributes, and syntaxes.
All Schema Documents view: The All Schema Documents view contains a document for each element
defined in the schema. It also contains documents for draft schema elements awaiting administrator
approval and pending schema elements awaiting processing by the schema daemon on the
administration server for the Domino Directory.
Extended Documents view: The Extended Documents view shows a document for each extended object
class, attribute, and syntax added using the Schema database and incorporated into the schema by the
schema daemon running on the administration server for the Domino Directory.
The Extended Documents view does not show schema extensions made by adding forms and fields to the
Domino Directory. Only the All Schema Documents view shows new schema elements defined by new
Domino Directory forms and fields.
Pending Documents view: The Pending Documents view shows a document for each object class,
attribute, and syntax that an administrator has added using the Schema database and approved that is
awaiting processing by the schema daemon on the administration server for the Domino Directory.
In the All Schema Documents view, a green check mark icon indicates a pending schema element.
Draft Documents view: The Draft Documents view shows a document for each new object class,
attribute, and syntax that an administrator has added using the Schema database, but has not yet
approved.
In the All Schema Documents view, an hourglass icon indicates a draft schema element.
Tip: To determine which object classes use a particular attribute, do a full text search for the attribute
from the All Schema Documents - LDAP Object Classes view.
For information about the fields in Object Class documents, see the topic ″Using the Schema database to
add an object class to the schema″ later in this chapter.
If the default schema does not contain the attributes you need, add custom elements.
There are two methods available for extending the schema: using the Domino LDAP Schema database
(SCHEMA.NSF) or using the Domino Directory to add forms and fields.
Note: Modifying the file LSCHEMA.LDIF that is provided with Domino is not supported as a method
for extending the schema. This file is used to define the LDAP-standard object classes in the default
Domino LDAP schema.
Schema database
You can use the Domino LDAP Schema database (SCHEMA.NSF) to extend the schema. The Schema
database:
v Provides an easy-to-use interface for extending the schema
v Has built-in error checking that ensures valid schema elements
v Supports the creation of draft schema elements, which you can consider and modify before approving
them as part of the schema
v Simplifies the creation of object class hierarchies
v Allows you to assign object identifiers (OIDs) associated with your organization to the elements you
add
v Allows you to define LDAP characteristics for attributes, such as matching rules, and to define any
standard LDAP syntax for an attribute.
Domino Directory
You can extend the schema by adding forms, subforms, and fields to the Domino Directory. This method
allows Notes and Web users to create and view entries that use the new schema elements as documents,
while also enabling LDAP user access to the entries. This method is more time consuming than using the
Schema database, and must be done carefully to avoid mistakes in schema definition.
For information on using the Domino Directory to extend the schema, see the appendix ″Customizing the
Domino Directory.″
If the attributes will apply to more than one structural object class, add them to a new auxiliary object
class and then add the auxiliary object class to each structural object class that will use the attributes.
For example, suppose you want to add the same attributes to object classes A and B, both part of the
default schema. Add the attributes to a new auxiliary object class C, then add C to A and B.
Note: To add a new type of entry to the directory, typically you create a new structural object class that
inherits from top.
2.16.840.1.113678.2.2.2.1.1.
This number is then followed by a series of numbers that uniquely identify an organization.
When you create a schema element, assign it the OID prefix registered for your organization, followed by
an additional number that uniquely identifies the element within the schema.
For more information on OID’s or to request a prefix for your organization, go to the IANA (Internet
Assigned Numbers Authority) Web site: http://www.iana.org.
When you use the Schema database to create a new schema element, you first create a draft document for
the element. You approve the draft document when you are ready, and the document then moves from
the Draft Documents view to the Pending Documents view, where it awaits processing by the Schema
daemon on the administration server for the Domino Directory. The Schema daemon on the
administration server incorporate the changes into the schema and publishes them in the Schema
database. The Schema database then replicates to subordinate servers in the domain that run the LDAP
service.
To use the Schema database to extend the schema, you must use one of the following clients:
v Lotus Notes 7
v Lotus Domino Adminstrator 7
v Netscape Navigator with Java applets and Java scripts enabled
v Microsoft Internet Explorer with Java applets and Java scripts enabled
Field Action
LDAP name Enter a name for the attribute. The name can contain only ASCII characters and
hyphens. Do not include a space in the name.
OID Enter the object identifier.
Syntax name Select a syntax defined in the schema for the new attribute, then click OK. The
Syntax type field automatically displays the OID for the selected syntax.
Description (Optional) Enter a description for the attribute.
Equality match (Optional) Select a matching rule to apply when the equality operator is used to
search for this attribute.
5. Click Save & Close. A draft document for the new attribute appears in the Draft Documents - Draft
Attribute Types view.
6. Complete the procedure ″Approving draft schema documents in the Schema database.″
Field Action
LDAP name Enter a name for the object class.
OID Enter the object identifier.
Object Class Type Select the type of object class.
Superior Object Class (Optional) Select the object class that is immediately superior to this one in the
object class structure.
Auxiliary Object Classes (Optional) If this is a structural object class, select each auxiliary object class to use
with this object class.
Description (Optional) Enter a description for the object class.
Mandatory attributes Select the attributes that are required to have values.
You can’t remove mandatory attributes displayed that are inherited from a
superior object class.
Optional Attributes Select any attributes that may, but are not required to, have values.
You can’t remove optional attributes displayed that are inherited from a superior
object class.
5. Click Save & Close. A draft document for the new object class appears in the Draft Documents - Draft
Object Classes view.
6. Compete the procedure ″Approving draft schema documents in the Schema database.″
Field Action
LDAP name Enter a name for the syntax type.
OID Enter the object identifier.
The documents you approve move to the Pending Documents views. If you used a replica of the Schema
database on a subordinate server to approve the schema documents, the documents in the Pending
Documents views must replicate to the administration server for the Domino Directory. When the schema
daemon next runs on the administration server it verifies the elements in the Pending Documents views
and then publishes them in the Schema database. The updated Schema database then replicates to
subordinate servers in the domain that run the LDAP service.
Tip: Use the Tell LDAP Reloadschema server command on the administration server for the Domino
Directory to manually initiate processing of the schema changes in the Pending Documents view rather
than wait for the schema daemon to run on schedule.
Note that deleting an object class does not delete the attributes defined for the object class. If you want to
delete the attributes, you must do so separately.
To delete an attribute, object class, or syntax shown in the Extended Documents, Draft Documents, or
Pending Documents view of the Schema database:
1. Make sure you have Manager access in the database ACL with the ″Delete documents″ privilege.
2. Open the Schema database on the administration server for the Domino Directory.
3. Open the Extended Documents, Draft Documents, or Pending Documents view that contains the
schema element to be deleted.
4. Delete the schema element.
5. If you deleted a document from the Extended Documents view, on the administration server for the
Domino Directory restart the LDAP task, so the schema daemon loads the schema changes into
memory:
Restart Task LDAP
6. If you deleted a document from the Extended Documents view and the LDAP service also runs on a
subordinate server in the domain, after the Schema database changes replicate to the subordinate
server, restart the LDAP task on the subordinate server:
Restart Task LDAP
Schema-checking
When schema-checking is enabled the LDAP service carries out LDAP and and modify operations only if
the operations conform to the schema. Schema checking is enabled by default and it’s best to keep this
default behavior if you allow write access to a directory so you have better control over the contents of a
directory. When schema-checking is enabled the LDAP service does the following to check that LDAP
add and modify operations comply with the schema:
v Verifies that each object class specified in an LDAP add operation is defined in the schema.
v Verifies that attributes specified in LDAP add and modify operations are associated with valid object
classes for the entry.
v Verifies that during an LDAP add operation all mandatory attribute(s) required by the object classes for
the entry are provided.
If any of these checks fail, the LDAP service aborts the operation and returns the message, ″Object Class
Violation.″
Schema-checking is done only for LDAP add and modify operations and not when Notes and Web users
add and change documents in a Domino Directory.
Note: Whether or not you enforce schema-checking, the LDAP service requires that each directory tree
component specified in a distinguished name during an add or modify DN operation corresponds to an
entry in the directory. For example, to add an entry with the distinguished name ″uid=JDoe, o=Acme,″
there must be an entry in the directory for o=Acme.
For information on using the ldapsearch utility to search an LDAP directory, see the chapter ″Using the
ldapsearch Utility.″
When you search the root DSE or the schema entry you can specify whether to return values for
operational attributes. An operational attribute is an attribute that is used for directory administration.
The easiest way to see the schema is to open the All Schema Documents views in the Domino LDAP
Schema database (SCHEMA.NSF).
ldapsearch Utility
Domino and Notes provide a command-line search utility, LDAPSEARCH.EXE, that you use to search
entries in any LDAP directory. ldapsearch connects to a directory server and returns results that match
search criteria you specify.
Note: To use this tool, the NOTES.INI file must be included in your system’s path statement.
To use ldapsearch, enter the following command from the Domino or Notes program directory:
ldapsearch parameters searchfilter attributes
Where:
v parameters are case-sensitive command-line parameters.
v searchfilter is a required search filter that specifies the attributes for which to search.
v attributes are the attributes to return. Separate attributes with spaces. If you don’t specify one or more
attributes to return, ldapsearch returns all attributes from entries that match the search filter.
You do not have to use ldapsearch from a machine that runs the Domino LDAP service.
Note: If you have a local condensed Directory Catalog that is encrypted, to run ldapsearch from the
Notes program directory, you must specify the password associated with the Notes ID used to do the
encryption.
Parameter Use to
-? Print help on using ldapsearch.
-a deref Specify alias de-referencing. Enter never, always, search, or find. Never is the default if
you don’t use this parameter.
-A Retrieve only attribute names, not the values for the attributes.
-b base dn Specify a distinguished name to use as the starting point for beginning the search. Use
quotation marks to specify the value -- for example: ″ou=West,o=Acme,c=US″
You must use this parameter if the server you’re searching requires you to specify a search
base. Otherwise, it is optional.
Optionally use -s along with -b to determine the scope of the search. Without -s, -b
searches the entry specified as the starting point and all descendants of the entry.
-B Allow printing of non-ASCII values
559
Parameter Use to
-D bind dn Specify a distinguished name that the server uses to authenticate you. The name must
correspond to an entry in the directory and must have the necessary access to search the
directory.
If you don’t use this parameter, the connection to the server occurs anonymously. You
must use -D if the server doesn’t allow anonymous connections.
Along with -D, you must use the -w parameter to specify a password associated with the
distinguished name.
-f file Specify a file that contains search filters to use -- for example, -f filters. Place each search
filter on a separate line. ldapsearch performs one search for each line. Optionally specify a
filter pattern. For example, specify -f filters ″cn=%s″ and enter a common name value on
each line in the file.
-F sep Print sep rather than equal sign (=) between attribute names and values. Use this
parameter, for example, if a tool that reads the ldapsearch output expects a different
separator.
-h host name Specify the host name of the server to which you’re connecting -- for example, -h
server.acme.com.
-l timelimit Specify a time limit (in seconds) for the search to complete. If you do not specify this
parameter or if you specify a limit of 0, searches can take an unlimited amount of time.
ldapsearch never waits longer than a search time limit set on the server, however.
-L Specify that the output is in LDIF format. LDIF format uses a colon (:) as the attribute
delineator rather than an equal sign (=). LDIF is useful for adding or modifying many
directory entries at once. For example, you can import the contents of the output into an
LDAP-compliant directory.
-M Manage referral objects as normal entries so that ldapsearch returns attributes for the
referral entries themselves, rather than for the entries referred to.
-n Show how a search would be performed, but do not actually perform the search.
-p port Specify the port that the server uses. If you don’t use this parameter, ldapsearch uses port
389.
-R Do not automatically follow search references returned by the server.
-s scope Specify the scope of the search when you use the -b parameter:
v base -- to search only the entry specified with the -b parameter
v onelevel -- to search only the immediate children of the entry specified with the -b
parameter but not the entry itself
v subtree -- to search the entry specified with the -b parameter and all of its descendants.
This is the default behavior when you use -b without -s.
For example, this search filter finds all entries containing Smith as the value for the sn (surname)
attribute:
"sn=Smith"
You can specify any attribute stored in a directory in a search filter. The following are common attributes
used to search for entries about people:
v cn -- a person’s common name
v sn -- a person’s last name
v telephonenumber -- a person’s telephone number
v l -- a person’s geographic location
You can specify search filters on the ldapsearch command line, or you can specify them in a file and use
the ldapsearch parameter -f to refer to the file. If you use a file, specify each search filter on a separate
line.
Note you can include language tags in a search filter if the LDAP directory, such as the Domino
Directory, supports them. For example:
"givenName;lang-fr=Etienne"
For example, use this search filter to find entries with the surname Browning and the location Dallas.
"(&(sn=Browning)(l=Dallas))"
You can nest Boolean operators. For example, use this search filter to find entries with the surname
caneel or givenname alfred in the mail domain MDN:
"(&(maildomain=MDN)(|(sn=caneel)(givenname=alfred)))"
For example, to return all operational attributes for entries with the common name John Brown specify:
ldapsearch -h host "cn=John Brown" +
You can use the + syntax only with the directory servers that support the syntax, such as the Domino
LDAP service.
Search Command
All entries on host ldap.acme.com using port 389, and ldapsearch -h ldap.acme.com ″objectClass=*″
return all attributes and values
Same as above, but return only attribute names ldapsearch -A -h ldap.acme.com″ objectClass=*″
All entries on host ldap.acme.com using port 389, return ldapsearch -a always -h ldap.acme.com ″objectClass=*″
all attributes, and de-reference any aliases found
All entries on host ldap.acme.com using port 389, and ldapsearch -h ldap.acme.com ″objectClass=*″ mail cn sn
return attributes=mail, cn, sn, givenname givenname
(cn=Mike*) under base ″ou=West,o=Acme, c=US″ on ldapsearch -b ″ou=West,o=Acme,c=US″ -h ldap.acme.com
host ldap.acme.com using port 389, and return all ″(cn=Mike*)″
attributes and values
One level on host ldap.acme.com using port 389, and ldapsearch -s onelevel -h ldap.acme.com ″objectClass=*″
return all attributes and values
Same as above, but limit scope to base ldapsearch -s base -h ldap.acme.com ″objectClass=*″
All entries on host ldap.acme.com using port 389; return ldapsearch -l 5 -h ldap.acme.com ″objectClass=*″
all attributes and values; do not exceed the time limit of
five seconds
All entries on host ldap.acme.com using port 389; return ldapsearch -z 5 -h ldap.acme.com ″objectClass=*″
all attributes and values; do not exceed the size limit of
five
All entries on host ldap.acme.com using port 389, ldapsearch -h ldap.acme.com -D ″cn=john doe,o=acme″ -w
binding as user ″cn=John Doe,o=Acme″ with a password -L ″objectClass=*″
password of ″password″, and return all attributes and
values in LDIF format
Directory Assistance
Directory assistance is a feature a server can use to look up information in a directory other than a local
primary Domino Directory (NAMES.NSF). You can configure directory assistance to use a particular
directory for any of these services:
v Client authentication
v Group lookups for database authorization
v Notes mail addressing
v LDAP service searches or referrals
You can set up directory assistance for a remote LDAP directory or a Domino directory. A remote LDAP
directory can be any remote LDAP-compliant directory, either one on a foreign LDAP directory server or
one on a Domino server that runs the LDAP service.
A Domino directory is a directory created from the PUBNAMES.NTF template and accessed via
NAMELookup calls. Servers can use directory assistance to do lookups in either local or remote replicas
of a Domino directory. A Domino directory configured for directory assistance can be a secondary
Domino Directory, an Extended Directory Catalog, or a primary Domino Directory.
A secondary Domino Directory is any Domino Directory that is not a server’s primary Domino Directory.
A secondary Domino Directory can be a directory associated with another Domino domain. A secondary
Domino Directory can also be a Domino Directory created manually from the PUBNAMES.NTF template
that is not associated with a Domino Domain, used, for example, to store and track Web user
information.
An Extended Directory Catalog contains documents aggregated from multiple secondary Domino
Directories. A server must use directory assistance to look up information in an Extended Directory
Catalog, unless you integrate the Extended Directory Catalog directly into the primary Domino Directory.
For more information, see the topic ″Directory assistance for an Extended Directory Catalog″ later in this
chapter.
The primary Domino Directory is the directory a server searches first that describes the Domino domain
of the server. You can set up directory assistance for a primary Domino Directory, usually to specify
which replicas of primary Domino Directories that servers with Configuration Directories can use.
For more information, see the topic ″Directory assistance for the primary Domino Directory″ later in this
chapter.
565
Note: Directory assistance is not supported in a hosted environment. When working in a hosted
environment, the Directory assistance database name field on the xSP Server document should be blank.
You create a Directory Assistance document in the directory assistance database to describe a particular
directory and how it will be used, and to define how to connect to the directory and to find alternate
replicas for failover. To set up directory assistance for a Domino Directory or an Extended Directory
Catalog , you select ″Notes″ in the ″Domain type″ field in the Directory Assistance document. To set up
directory assistance for a remote LDAP directory, you select ″LDAP″ in the ″Domain type″ field. You use
one Directory Assistance document to configure all the services for a directory and its replicas.
Each server process that provides directory services and detects a local directory assistance database
configuration loads directory information configured in the directory assistance database into an internal
memory table. During server startup and thereafter at five-minute intervals each server process checks for
changes to the directory assistance database configuration and if found, each process reloads its internal
memory table to reflect the changes.
To look up names in a Domino Directory or an Extended Directory Catalog, a server uses NAMELookup
calls. To look up names in a remote LDAP directory, a server uses a gateway feature that translates
NAMELookup calls to LDAP operations, and then translates LDAP operations back to NAMELookup
calls -- a Domino server doesn’t have to run the LDAP service to use a remote LDAP directory for
directory services.
To allow a server to use a directory for Internet client authentication that is configured in a directory
assistance database, do the following in the Directory Assistance document for the directory:
v On the Basics tab, next to ″Make this domain available to,″ select ″Notes clients and Internet
Authentication/Authorization.″
v On the ″Naming Contexts (Rules)″ tab, enable at least one rule that corresponds to the distinguished
names of the users in the directory to be authenticated, and next to ″Trusted for Credentials,″ select
Yes.
For example, if your organization registers Web users in a foreign LDAP directory, when a Web user
attempts to access a database on a Domino Web server, the server can connect to the remote foreign
LDAP directory server to look up the user name and password to do the authentication.
For more information on creating rules that are trusted for credentials, see the topic ″Trusted naming
rules″ later in the chapter.
For information on specifying a domain name for a directory in a Directory Assistance document, see the
topic ″Directory assistance and domain names″ later in the chapter.
Note: You use an Internet Site document or the Ports - Internet Ports tab of the Server document to
control the types of client authentication an Internet protocol server allows.
Though a server can accept a name other than a distinguished name from a client to search for a user’s
entry in a directory, it is always the user’s distinguished name in the directory entry that the server
compares to trusted rules in the Directory Assistance document to determine whether to authenticate the
client. For example, suppose a user is registered in a directory with the distinguished name cn=alice
browning,o=Acme, but the user configures the name alice browning on the client. During authentication,
the server searches for an entry that contains the name alice browning. When it finds the entry, it can
only authenticate the client if ″cn=alice browning,o=acme″ matches a trusted naming rule for the
directory.
A user’s distinguished name is also used as the basis for access control in Domino, so you should use
users’ distinguished names in database ACLs, in groups used in database ACLs, in access lists in Server
documents, and in Web server File Protection documents.
For more information on name-and-password security, see the chapter ″Setting Up Name-and-Password
and Anonymous Access to Domino Servers.″
Encountering duplicate names during client authentication: If a server finds more than one directory
entry containing the name presented by the client that corresponds to a valid distinguished name for
Chapter 25. Setting Up Directory Assistance 567
authentication, within one directory or across directories, the server authenticates the client using the
entry with the valid password or X.509 certificate. If more than one such entry has a valid password or
X.509 certificate and the same distinguished name, the server authenticates the user using the first
password or X.509 certificate it finds.
Consistent client names and passwords across protocols: If Domino servers authenticate a client over
more than one Internet protocol, for ease of directory administration, create one directory entry for the
client with one name and password that applies to all the protocols. Then set up the client to use the
same name and password for all protocols.
For example, if a client connects to Domino over HTTP for Web browsing and over LDAP for directory
services, create one directory entry for the cllient with a name and password, and set up the client to use
the name and password for both types of connections.
Features available for client authentication using a remote LDAP directory: The following features are
available specifically for client authentication using a remote LDAP directory:
v Configurable search filters to control the search filter used to look up names in the remote LDAP
directory
v LDAP-to-Domino name mapping to enable users to authenticate using Notes distinguished names
rather than LDAP distinguished names.
For more information, see the topics ″Configuring search filters in a Directory Assistance document for
a remote LDAP directory″ and ″Using Notes distinguished names in a remote LDAP directory″ later in
the chapter.
Notes client authentication: By default, when a server authenticates a Notes client it does not use
information in Domino Directory Person documents. However, if you enable the option ″Compare Notes
public keys against those stored in Directory″ on the Basics tab of the server’s Server document, the
server authenticates a Notes user only if the public key presented by the Notes client matches the public
key in the user’s Person document.
If a Notes user who connects to a server to authenticate is registered in a secondary Domino Directory
rather than the server’s primary Domino Directory, and the ″Compare Notes public keys against those
stored in Directory″ option is enabled for the server to which the user connects, you must select the
option ″Make this domain available to: Notes clients and Internet Authentication/Authorization″ on a
Directory Assistance document to allow a server to do the public key comparison. This Directory
Assistance document can be for:
v The secondary Domino Directory in which the Notes user is registered
v An Extended Directory Catalog that aggregates the secondary Domino Directory in which the Notes
user is registered.
To use one additional directory for group authorization, do the following in the Directory Assistance
document for the directory:
v On the Basics tab, next to ″Make this domain available to,″ select ″Notes clients and Internet
Authentication/Authorization.″
v On the Basics tab, next to ″Group Authorization,″ choose Yes.
Tip: Enable ″Group Authorization″ for an Extended Directory Catalog effectively enables you to store
groups used for database authorization in multiple secondary Domino Directories, as long as you
aggregate the directories into the directory catalog.
A server verifies a client’s access to a database after the client authentication process is complete. You can
use different directories for client authentication and group authorization. For example, you can use a
remote LDAP directory for client authentication, and an Extended Directory Catalog to look up groups
during database authorization.
Note: When you enable Group Authorization for a remote LDAP directory, you can select a custom
search filter for servers to use for searching the groups.
For more information, see the topic ″Configuring search filters in a Directory Assistance document for a
remote LDAP directory″ later in the chapter.
Nesting groups used for database authorization: When authorizing database access, a server can search
a group that is nested in a group listed in a database ACL, and search a group nested in the nested
group, and so on, as long as all of the groups are located in the same directory.
If you enable ″Group Authorization″ for a secondary Domino Directory or an Extended Directory
Catalog, a server always searches nested groups in the directory. If you enable ″Group Authorization″ for
a remote LDAP directory, use the ″Nested group expansion″ option to control whether a server searches
nested groups. Choose Yes (the default) to search nested groups, or No to prevent nested group searches.
If there are many nested groups, selecting No can improve search performance.
Note that Domino does not apply directory assistance name rules for searches of nested groups.
Sometimes the DN of a group will match the name rules established for a secondary directory, but the dn
of a member of that group - either a user or a nested group - does not. By not applying directory
assistance name rules, this circumvents the problem and enables the search to return a complete nameslist
for any search request.
The restrictions on the location for groups used for database authorization do not apply to groups used
for other purposes. For example, the Router can search groups in any directory configured for directory
assistance, and can search nested groups even when the nested groups are located in different directories
than their parents.
Notes mail addressing using a Domino Directory or Extended Directory Catalog: To enable Notes
users to address mail easily to Notes users registered in a secondary Domino Directory or to users that
have entries aggregated into an Extended Directory Catalog, you can set up directory assistance for the
directory on the users’ mail servers or directory servers. Then, a Notes user can:
v Use the ″Select Addresses″ dialog to browse and select names from the directory, if the ″Mail file
location″ field in the active Location document is set to ″On server.″
v Enter a name of a user or group from the directory and have type-ahead use directory assistance to
find a matching name if the ″Recipient name type-ahead″ field in the user’s active Location document
is set to ″Local then server.″
v Press F9 to resolve the address of a user name from the directory; if the Notes user doesn’t resolve the
address, either the Notes client uses directory assistance to resolve the address when the user sends the
mail or, if the client doesn’t resolve the address, the Router uses directory assistance to resolve the
address.
Note that if a Notes user uses a local Mobile Directory Catalog that aggregates secondary Domino
Directories, name and address lookups of users in a secondary Domino Directory can occur locally on the
client without the use of directory assistance. Note that type-ahead addressing never extends to a server
on a Notes client set up to use a Mobile Directory Catalog.
Note: A server can always use a Domino directory in the directory assistance database for Notes mail
addressing if the domain specified for the directory is the same domain as the primary domain for the
server; this is true regardless if you select ″Make this domain available to: Notes clients and Internet
Authentication/Authorization.″
Notes mail addressing using a remote LDAP directory: To enable Notes users to address mail easily to
users registered in a remote LDAP directory, you can set up directory assistance for the directory on the
users’ mail servers or directory servers. Then, a Notes user can press F9 to resolve an address for a name
from the LDAP directory entered in an addressing field of a Notes message. If the user doesn’t resolve
the address, either the Notes client uses directory assistance to resolve the address when the user sends
the mail or, if the client doesn’t resolve the address, the Router uses directory assistance to resolve the
address. A Notes client doesn’t use type-ahead addressing to find names in a remote LDAP directory, and
Notes users can’t use the ″Select Addresses″ dialog box to browse and select names from a remote LDAP
directory.
LDAP accounts compared to directory assistance for Notes mail addressing using a remote LDAP
directory: A Notes client can use an LDAP account in the Personal Address Book to connect directly to a
remote LDAP directory server, without using directory assistance. Using an LDAP account, a Notes user
can search for addresses in a remote LDAP directory using LDAP-style search queries.
Configure directory assistance to use a remote LDAP directory for Notes mail addressing, rather than use
LDAP accounts if there are users with Notes Release 4 clients, since these clients don’t support LDAP
Accounts. You might also use directory assistance rather than LDAP Accounts to avoid having to
maintain the LDAP Accounts, for example, if the remote LDAP directory configuration changes in some
way.
Choosing a preferred mail format for Notes mail addressing using a remote LDAP directory: If you
set up directory assistance so that Notes users can address mail to users in a remote LDAP directory, use
the ″Preferred mail format″ option on the LDAP tab of the Directory Assistance document for the LDAP
directory to select the format of the mail address for Notes clients to use:
v Keep the default selection, ″Internet Mail Address,″ to use the Internet mail format, for example,
jdoe@acme.com, which is the format used in previous Notes/Domino releases.
v Select ″Notes Mail Address″ to use Notes-style addressing, for example, John Doe/Acme@Acme.
If you select ″Notes Mail Address″ user entries in the remote LDAP directory must have values for the
mailDomain attribute. Typically the ″Notes Mail Address″ option is used only in some cases if the remote
LDAP directory is a Domino Directory.
Processing LDAP operations using a secondary Domino Directory or Extended Directory Catalog: The
LDAP service can use a secondary Domino Directory or an Extended Directory Catalog to process LDAP
client requests if there is a Directory Assistance document for the directory in a directory assistance
database that the LDAP service uses, and ″LDAP Clients″ is selected in the ″Make this domain available
to″ field on the Basics tab of the document. To prevent the LDAP service from using a Domino Directory
or Extended Directory Catalog when processing LDAP client requests, do not select ″LDAP Clients″ in
the Directory Assistance document for the directory. Naming rules configured for the directories affect
which of the directories the LDAP service uses.
You control LDAP client access separately for each directory that the LDAP services uses. For example,
you can allow anonymous LDAP users to access specific attributes in one directory, but not in another.
If the Domino Directory or Extended Directory Catalog is remote, the remote server does not have to run
the LDAP service. To process an LDAP search request using a remote directory, the directory ACL on the
remote server must give the server running the LDAP service Reader access through a ″Server group″ or
″Server″ user type entry if either of the following is true:
v The search request comes from an authenticated LDAP client
v Extended access is enabled on the directory.
Servers typically have this required access through the LocalDomainServers and OtherDomainServers
groups default access in the directory ACL.
The LDAP service does not process write operations to a remote Domino Directory or Extended Directory
Catalog. Instead, it returns the client an LDAP referral to the administration server for the directory, or if
there is no administration server, the server that stores the remote replica specified in the directory
assistance database. This referral occurs regardless if the remote server runs the LDAP service.
For more information on how naming rules for Domino Directories and Extended Directory Catalogs
configured in the directory assistance database affect the LDAP service, see the topic ″Naming rules and
the LDAP service″ later in the chapter. For information on controlling LDAP access to a directory, see the
chapter ″Setting Up the LDAP Service.″
For more information, see the topic ″Using directory assistance to prevent the LDAP service from
searching the primary Domino Directory″ later in the chapter.
LDAP service referrals to a remote LDAP directory: If the LDAP service can’t find information for
which an LDAP client is searching in the primary Domino Directory, a condensed Directory Catalog, or a
Domino Directory or Extended Directory Catalog configured in a directory assistance database, it can
refer the client to a remote LDAP directory. In the Directory Assistance document for the remote LDAP
directory on the Basics tab, next to ″Make this domain available to,″ select ″LDAP Clients″. To prevent the
LDAP service from referring clients to the directory, do not select ″LDAP Clients″.
To return a referral, the Domino LDAP service uses information in the Directory Assistance document for
the remote LDAP directory. The referral is compliant with LDAP v3 and includes:
v The URL hostname for the LDAP directory server
v The base distinguished name configured for the directory in the Directory Assistance document.
v The port the LDAP directory server uses
Note that when returning a referral, the Domino server running the LDAP service never connects to the
remote LDAP directory server.
Some LDAP clients can accept more than one referral so that if the host name specified in one referral is
unavailable, the client can attempt to use another. By default, for a given search, the LDAP service can
refer an LDAP client to only one remote LDAP directory host name. If there are LDAP clients that use the
LDAP service that can accept more than one referral, you can use the LDAP service configuration setting
″Maximum number of referrals″ to increase the number of referrals that the LDAP service can return.
For information on how naming rules affect which host names the LDAP service refers to clients, see the
topic ″Naming rules and the LDAP service″ later in the chapter.
Each directory assistance naming rule includes six parts, with each part containing one of the following:
v The name of a specific directory tree branch, for example, the organization Acme or the organizational
unit Sales.
v An asterisk (*) to represent all branches at a specific level in the directory tree name hierarchy
It’s common to assign an all-asterisk rule to a directory (*/ */ */ */ */ */ *) to represent all names in a
directory. However if directories configured in directory assistance use discrete name hierarchies, then it’s
useful to define rules for the directories that corresond to the hierarchies, so servers can target a specific
directory when searching for specific names.
For example, assume Directory A and Directory B are both configured in a directory assistance database.
Names in Directory A fall under o=acme, c=us so you specify the rule, */ */ */ */ acme/us for it, and
the names in Directory B fall under o=acme,c=fr so you specify the rule */ */ */ */ acme/fr for it. To
find the name cn=jack brown,o=acme,c=fr, a server searches only Directory B, and not Directory A, and to
find the name cn=joan brown,o=acme,c=us, a server searches only Directory A and not Directory B.
To find a flat name, a name without distinguishing parts, or to process an LDAP search request that
doesn’t specify a search base, a server ignores naming rules and searches directories according to search
orders specified for the directories in the Directory Assistance documents.
Note: Some LDAP directories do not use the country (c), organization (o), and organizational unit (ou)
naming model. If you set up directory assistance for an LDAP directory such as this, use an all-asterisk
naming rule for the directory.
Trusted naming rules: When an Internet client passes a logon name to a server to initiate authentication,
the server looks for the name in a directory configured in the directory assistance database only if the
directory has at least one configured naming rule that is ″Trusted for Credentials″ -- known as a trusted
rule. If the client logon name is hierarchical, the server looks for the name only in directories with a
trusted rule that matches the client logon name, in addition to the primary Domino Directory. If the client
logon name is flat, for example John Smith, then the server looks for the name in all directories with a
trusted rule.
When a server finds the client logon name in a user entry in a directory, the server compares the
distinguished name assigned to the user entry to the trusted rule(s) defined for the directory. The server
only authenticates the client if the distinguished name matches a trusted rule. If you use a remote LDAP
directory for client authentication and add Notes distinguished names to the directory, the Notes
distinguished names, not the original LDAP distinguished names, must match a trusted rule for the
directory.
For more information on using Notes names in a remote LDAP directory, see the topic ″Using Notes
distinguished names in a remote LDAP directory″ later in the chapter.
Examples of naming rules: The following table provides examples of naming rules, illustrating how
each rule includes or excludes names such as:
v Marilyn Jenkins/Omega
Randi Bowker/Marketing/East/Acme/US
Cheryl Lordan/IS/West/Acme/US
Derek Malone/Accounting/West/Acme/US
Deborah Jones/West/Acme/US
Karen Lessing/West/Acme/DE
/ / */West/Acme/* Cheryl Lordan/IS/West/Acme/US Marilyn Jenkins/Omega
Karen Lessing/West/Acme/DE
/ / /West/Acme/* Deborah Jones/West/Acme/US Marilyn Jenkins/Omega
Randi Bowker/Marketing/East/Acme/US
Cheryl Lordan/IS/West/Acme/US
Derek Malone/Accounting/West/Acme/US
// Karen Lessing/West/Acme/DE Marilyn Jenkins/Omega
*/West/Acme/DE
Alan Jones/Sales/East/Acme/US
Randi Bowker/Marketing/East/Acme/US
Cheryl Lordan/IS/West/Acme/US
Derek Malone/Accounting/West/Acme/US
Deborah Jones/West/Acme/US
/ /IS/West/Acme/* Cheryl Lordan/IS/West/Acme/US Marilyn Jenkins/Omega
Alan Jones/Sales/East/Acme/US
Randi Bowker/Marketing/East/Acme/US
Derek Malone/Accounting/West/Acme/US
Deborah Jones/West/Acme/US
Karen Lessing/West/Acme/DE
For example, if the Directory Assistance documents for directory A and directory B are assigned search
orders of 2 and 1, respectively, and both documents contain only an all-asterisk rule, then directory
assistance searches directory B before directory A.
The Directory Assistance view in the directory assistance database sorts Directory Assistance documents
by their specified search order.
If you don’t specify a search order, or if you assign the same search order to two directories, directory
assistance searches the directories in alphabetical order, according to the value specified in the ″Domain
name″ field of the Directory Assistance document.
For more information on how Notes and Domino search multiple directories, see the chapter ″Planning
Directory Services.″
Naming rules and the LDAP service: Naming rules affect how the LDAP service processes LDAP
search operations and LDAP write and compare operations. Naming rules also define naming contexts
for the LDAP service.
For information on directory assistance and the processing of LDAP service write and compare
operations, see the chapter ″Setting Up the LDAP Service.″ For more information on how the LDAP
service uses directory assistance, see the topic ″Directory assistance for the LDAP service″ earlier in the
chapter.
How naming rules affect LDAP search operations: An LDAP client can specify a search base when searching
a directory. A search base limits the scope of a search by specifying a point in the directory tree at which
to begin. You use naming rules to define a search base for a directory. If an LDAP client specifies a search
base, the LDAP service searches a Domino Directory or Extended Directory Catalog configured in
directory assistance only if the directory has a naming rule that matches the search base. For example, if
an LDAP client specifies the search base ou=sales,o=acme, the LDAP service searches only Notes
directories that have rules such as:
*/ */ */ */ */ *
*/ */ */ */ acme/ *
*/ */ */ sales/ acme/ *
*/ */ */ mktg/ acme/ *
*/ */ */ */ org2/ *
*/ */ */ */ acme/ us
Note: You can’t define a search base for the primary Domino Directory.
If the LDAP service can’t find the information for which an LDAP client is searching in its primary
Domino Directory, a condensed Directory Catalog, or a Domino Directory or Extended Directory Catalog
configured in a directory assistance database, it can refer the client to a remote LDAP directory.
If the client doesn’t specify a search base, the LDAP service refers the client to an LDAP directory that is
enabled for LDAP clients, and if there is more than one, it refers the client to the one assigned the lowest
search order.
If there is more than one host name specified in the Directory Assistance document for the LDAP
directory that the LDAP service picks for a referral, the LDAP service refers the client to the first host
name listed.
If you increase the number of referrals the LDAP service can return to a client, the LDAP service follows
the logic described above to pick the first directory referral. If there is more than one host name specified
in the Directory Assistance document for this directory, the LDAP service uses the additional host
name(s) as the additional referral(s), up to the maximum number of referrals the LDAP service
configuration allows. If there is no additional host name specified for the first directory picked for
referrals, then LDAP service can refer the client to an LDAP directory with a different Directory
Assistance document.
Naming rules as LDAP naming contexts: Some LDAP client applications, for example the IBM WebSphere®
Application Server, can discover naming contexts configured for an LDAP directory server by searching
the directory server’s root directory server entry (DSE). When an LDAP user doesn’t specify a search
base, these applications can use the naming contexts configured on the server to contruct one to apply to
the LDAP client searches.
The LDAP service uses naming rules configured in the directory assistance database to define naming
contexts in its root DSE.
If the directory is a remote LDAP directory, make up a unique domain name for the directory that is not
the name of any Domino domain.
If the directory is the Domino Directory for a Domino domain -- Domino server setup created it -- specify
the name of the directory’s Domino domain.
If you created the directory manually from the PUBNAMES.NTF template, and so it is not associated
with a Domino domain -- for example the directory is an Extended Directory Catalog, or a Domino
Directory used to track Web user information -- do one of the following to specify a domain name for the
directory:
v If you want servers with Configuration directories to use the directory as their remote primary Domino
Directory, specify the Domino domain of the servers with the Configuration directories.
v If servers won’t use the directory as a remote primary Domino Directory, make up a unique domain
name for the directory.
Note: If the domain name you specify for a Domino Directory or Extended Directory Catalog is the same
as the domain of the servers that use the directory assistance database, the servers can use the directory
automatically for client authentication, group lookups for database authorization, and Notes mail
addressing, regardless if you select ″Make this domain available to: Notes clients and Internet
Authentication/Authorization.″ In addition, servers search a directory in the same domain first,
regardless of the search order specified for the directory.
Directory assistance and failover for a Domino Directory or Extended Directory Catalog: When you
set up directory assistance for a Domino Directory or Extended Directory Catalog, on the Replicas tab of
the Directory Assistance document you specify the replicas of the directory for directory assistance to use.
When you specify replicas in a Directory Assistance document for a Domino Directory or Extended
Directory Catalog:
v Configure directory failover, so that if one replica is unavailable, directory assistance has at least one
alternate replica it can try to use. Directory assistance can use one of two methods to fail over to an
alternate replica of a Domino Directory or Extended Directory Catalog: directory assistance failover, the
failover method also available in previous releases, or cluster failover.
v Make sure servers that use the directory assistance database have fast network access to the directory
replicas you specify. Fast network access to replicas is particularly important if servers use a directory
to look up groups for database authorization.
v Make sure servers that do remote lookups to a replica have access to the server that stores the replica,
and have at least Reader access in the directory access control list (ACL).
v If a directory is used for Notes mail addressing, make sure the Notes users that use the feature have at
least Reader access in the directory ACL, so they can browse the directory. If Extended Access is
enabled for a directory, then the users must also have at least Reader access to use typeahead or F9
address resolution.
The directory assistance failover method: Servers can use the directory assistance failover method, rather
than cluster failover method, to find an available replica of a Domino Directory or Extended Directory
Catalog. To use the directory assistance failover method, on the Replicas tab of the Directory Assistance
document for the directory, specify up to five replicas of the directory that are potentially available for
use.
When a server starts up, directory assistance searches for an available replica among the replicas you
have specified. If directory assistance cannot find an available replica during server startup, in five
minutes it attempts to locate an available replica again, continuing this attempt at five-minute intervals
until successful.
Once directory assistance finds an available replica at server startup, it continues to use the replica unless
the replica becomes unavailable, at which point failover occurs and directory assistance looks for an
alternate replica. When a replica is unavailable for any reason, directory assistance continues to use the
alternate replica, even after the previously unavailable replica becomes available.
Directory assistance finds that a replica is unavailable if it attempts to access the replica during server
startup, or during normal server operation when it processes a client lookup request. A directory replica
is unavailable to directory assistance if:
v The server that stores the replica is unavailable, for example, the server is down or there is a network
connectivity problem.
v A view in the replica required for directory lookups is locked because the server that stores the replica
is rebuilding the view.
v A replica no longer exists because it has been deleted.
Note: Directory assistance run on servers running Domino Release 5.0.9 or earlier do not fail over when
locked out of a view. To have this failover capability in a mixed Lotus Domino 6 or higher/Lotus
Domino Release 5 environment, upgrade Domino Release 5 servers to at least Lotus Domino Release
5.0.10.
The cluster failover method for directory assistance: If replicas of a Domino Directory or Extended Directory
Catalog configured in the directory assistance database are on servers that are members of a cluster, you
can set up directory assistance to use cluster failover and workload balancing instead of the directory
assistance failover method. To use cluster failover and workload balancing, in the Replicas tab of the
Directory Assistance document for the directory specify only one of the directory replicas that is within
the cluster. Be sure to specify only one replica; if you specify more than one, directory assistance ignores
cluster failover, and instead uses the directory assistance failover method described above to find an
available replica.
Cluster failover is particularly useful in environments with centralized directory services. For example,
you can configure cluster failover in a Directory Assistance document for a remote primary Domino
Directory, so that servers with Configuration Directories use cluster failover to find an available replica of
the remote primary directory.
Directory assistance and failover for a remote LDAP directory: To provide failover in the event that a
remote LDAP directory configured in directory assistance is unavailable, on the LDAP tab of the
Directory Assistance document for the remote LDAP directory, enter more than one host name in the
Hostname field. Separate hostnames with commas. If the first LDAP directory server specified is
unavailable, a Domino server attempts to use the next one listed, and so on.
The configuration selections made in the Directory Assistance document apply to each host name
specified in the Hostname field except for the value specified in the Port field. You can specify a port for
a hostname that is different than the port specified in the Port field by adding a colon (:) followed by a
port number after the hostname. For example, you can enter the following in the Hostname field:
ldap1.acme.com:390, ldap2.acme.com:391
When you create a Directory Assistance document for an Extended Directory Catalog, the following
selections are the important ones to consider:
1. On the Basics tab, next to Domain type, select Notes.
2. On the Basics tab, next to Domain name, make up a unique domain name. Or, if the Extended
Directory Catalog functions as a remote primary Domino Directory used by servers with
Configuration Directories, specify the domain of the servers with the Configuration Directories.
3. If there are other Directory Assistance documents in the database, on the Basics tab, next to Search
order, typically you should specify a search order of 1.
4. On the Basics tab, next to ″Group Authorization,″ select Yes if you want servers to use groups
aggregated in the Extended Directory Catalog for authorizing database access. You can choose this
option for only one directory in the directory assistance database. Choose the option for an Extended
Directory Catalog if you want serves to be able to use groups from any of the aggregated directories
for database authorization.
Note: When servers use an Extended Directory Catalog, to optimize lookup performance, remove any
Directory Assistance documents that exist for the directories aggregated in the directory catalog. For
example, if you aggregate Directory A into an Extended Directory Catalog, if there is a Directory
Assistance document for Directory A, remove the document.
For more information on Extended Directory Catalogs, see the chapter ″Setting Up Directory Catalogs.″
For information on the advantages to servers’ using an Extended Directory Catalog rather than a
condensed Directory Catalog, see the chapter ″Setting Up Directory Catalogs.″
If you do set up servers to use a condensed Directory Catalog, you may also want to set up directory
assistance for the individual Domino Directories aggregated into the directory catalog, so that:
v A server can use directory assistance to look up information not aggregated in the condensed Directory
Catalog.
v A server can trust a particular aggregated directory, but not all aggregated directories, for client
authentication.
Note: Do not create a Directory Assistance document for a condensed Directory Catalog itself, only for
the directories aggregated into the directory catalog.
Using directory assistance to look up information not aggregated into a condensed Directory Catalog:
While you always aggregate fields containing mail addressing information into a condensed Directory
Catalog to support the common task of looking up users’ mail addresses, typically you would not
aggregate fields containing information such as the following, because this would make the directory
catalog too large:
v X.509 certificates used for client authentication
v Information LDAP clients only occasionally search for
v Notes users’ public keys used to send encrypted mail
Instead, set up directory assistance for a Domino Directory aggregated into the directory catalog, so
servers can use directory assistance to look up the missing information directly in the Domino Directory.
Each entry in a condensed Directory Catalog includes the replica ID of the Domino Directory from which
the entry was derived and the UNID for the entry, a unique ID associated with a replicated document. In
the cases where the condensed Directory Catalog doesn’t aggregate a field being searched for, a server
uses this directory catalog information and information available through directory assistance to access
If you aggregate a Domino Directory into a condensed Directory Catalog, and you don’t also set up
directory assistance for the directory itself, a server can’t use the directory to look up information omitted
from the Directory Catalog.
If you set up directory assistance for a Domino Directory but do not aggregate the directory into a
condensed Directory Catalog, a server can use directory assistance to search the Domino Directory after
searching the directory catalog.
Note: If a Domino Directory is aggregated into a condensed Directory Catalog, but particular entry from
the directory is not aggregated, for example a selection formula excludes the entry, servers cannot use
directory assistance to look up the missing entry directly in the Domino Directory.
Using directory assistance trust for client authentication one or some directories aggregated into a
condensed Directory Catalog: To indicate that a server should trust for client authentication all
directories aggregated into a condensed Directory Catalog, select the option ″Trust the server based
condensed directory catalog for authentication with internet protocols″ on the Basics tab of the server’s
Server document in the Domino Directory. In this case, directory assistance is not required to indicate
trust.
However to tell a server to trust for client authentication only one or some directories aggregated in a
condensed Directory Catalog, create a Directory Assistance document in a directory assistance database
for each of the aggregated Domino Directories to be trusted. In the Directory Assistance document for
each such directory, do the following:
v On the Basics tab, next to ″Make this domain available to,″ select ″Notes clients and Internet
Authentication/Authorization.″
v On the ″Naming Contexts (Rules)″ tab enable at least one rule that corresponds to the names to be
authenticated, and select ″Trusted for Credentials″ for the rule.
v On the ″Replicas″ tab include the replica of the Domino Directory that the Dircat task uses to aggregate
the directory into the condensed Directory Catalog. Note that you do not include the replica of the
directory catalog.
Note: You are not required to store user passwords, and you shouldn’t store X.509 certificates, in a
condensed Directory Catalog. Instead you can set up directory assistance for the secondary Domino
Directories that are aggregated to enable servers to find the passwords/X.509 certificates.
If multiple domains use replicas of one directory assistance database, you might also create a Directory
Assistance document for the primary Domino Directory so that servers in other domains that use the
directory assistance database can do lookups in the directory.
Note: You cannot prevent a server from using its primary Domino Directory for Notes mail addressing,
client authentication, or group lookups for database authorization. A server can always use a primary
Domino Directory for these purposes, regardless of the options you select for the directory in the
Directory Assistance document.
For more information on Configuration Directories and on the default logic used to find a remote
primary Domino Directory, see the chapter ″Setting Up the Domino Directory.″
If you set up directory assistance to control which remote replicas of the primary Domino Directory
servers with Configuration Directories can use, the key options to select in the Directory Assistance
document are the following ones.
On the Replicas tab, make sure to configure failover for the directory.
For more information, see the topic ″Directory assistance and failover for a Domino Directory or
Extended Directory Catalog″ later in this chapter.
For complete information on all the configuration fields in a Directory Assistance document for a Domino
Directory or Extended Directory Catalog, see the topic ″Creating a Directory Assistance document for a
Domino Directory or Extended Directory Catalog″ later in this chapter.
Using directory assistance to prevent the LDAP service from searching the primary Domino
Directory: You can set up directory assistance for the primary Domino Directory to prevent a server that
runs the LDAP service from using the primary Domino Directory when processing LDAP requests. For
example, you might want the LDAP service to use a secondary Domino Directory, but not the primary
Domino Directory.
The primary Domino Directory from which you exclude LDAP searches can be local, or can be remote if
the server running the LDAP service has a Configuration Directory.
If you set up directory assistance to prevent LDAP searches of the primary Domino Directory, the key
options to select in the Directory Assistance document are the following ones.
For complete information on all the configuration fields in a Directory Assistance document for a Domino
Directory, see the topic ″Creating a Directory Assistance document for a Domino Directory or Extended
Directory Catalog″ later in the chapter.
For example, suppose all servers use an Extended Directory Catalog, but one group of servers only use,
in addition, a remote LDAP directory for client authentication. You would set up a separate directory
assistance for that group of servers that contains Directory Assistance documents for both the directory
catalog and the LDAP directory. For the other servers, create a directory assistance database configured
for the directory catalog only.
Tip: Using the same file name and path for the replicas on each server makes it easy to use the
Administration Process to add the file name and path to Server documents.
For more information on replication, see the chapter ″Creating Replicas and Scheduling Replication.″
3. Create Connection documents to schedule replication of the database to all the servers that will use it.
4. Continue to the procedure ″Setting up servers to use a directory assistance database.″
Use the Administration Process to automate adding a directory assistance database file name to multiple
Server documents -- the Administration Process creates a ″Set Directory Assistance Field″ request to add
the file name. Or enter the file name of the directory assistance database to Server documents manually.
Using the Administration Process to add the directory assistance database file name to multiple Server
documents: To use the Administration Process to add a directory assistance database file name to
multiple Server documents:
1. Make sure that you:
v Created and replicated the directory assistance database
v Have either Author access and the ServerModifier role, or Editor access in the ACL of the Domino
Directory to which you will add the file names.
v Have set up the Administration Process
2. From the Domino Administrator, click the Configuration tab.
3. Next to ″Use Directory on,″ select the administration server for the Domino Directory.
4. In the left pane, expand Server - All Server Documents.
5. Select the Server documents for all servers that use the same file name for the directory assistance
database. A check mark appears next to each document.
6. Choose Actions - Set Directory Assistance Information.
7. Enter the file name that you gave to the directory assistance database on these servers -- for
example, DA.NSF. If the directory assistance database is in a subdirectory under the data directory,
include the path relative to the data directory -- for example, DIRECTORIES\DA.NSF.
8. Click OK.
9. When you see the dialog box stating ″Request has been submitted,″ click OK again.
10. Use the command ″tell adminp process interval″ to force processing of the ″Set Directory Assistance
Field″ request, or wait until the Administration Process processes the request when it next processes
interval requests.
For more information, see the appendix ″Server Commands.″
Entering the directory assistance database file name to a Server document manually:
1. Make sure that you:
v Created and replicated the directory assistance database
v Have either Author access and the ServerModifier role, or Editor access in the ACL of the Domino
Directory to which you will add the file names.
2. From the Domino Administrator, click the Configuration tab.
3. Next to ″Use Directory on,″ select the server whose Domino Directory you want to modify.
4. In the left pane, choose Server - All Server Document.
5. Select a specific Server document, and then click Edit Server.
6. In the ″Directory Assistance database name″ field in the ″Directory Info″ section on the Basics tab,
enter the file name that you gave to the replica of the directory assistance database on this server --
for example, DA.NSF. If the directory assistance database is in a subdirectory under the data
directory, include the path relative to the data directory -- for example, DIRECTORIES\DA.NSF.
7. Click Save & Close.
8. If the Domino Directory you changed is not the replica of the server whose directory assistance
database file name you specified, replicate the updated Domino Directory to the server.
9. Restart the server so it detects the directory assistance database file name now in its Server
document.
10. Continue to one or both of these procedures:
v Creating a Directory Assistance document for a Domino directory
v Creating a Directory Assistance document for a remote LDAP directory
Note: Do not create a Directory Assistance document for a condensed Directory Catalog.
1. Make sure you have read about directory assistance services and concepts.
2. Make sure that you have created and replicated a directory assistance database and have set up
servers to use it.
3. From the Domino Administrator, choose File - Open Server, and select a server that you have set up
to use the directory assistance database.
4. Click the Configuration tab.
5. In the left pane, expand Directory - Directory Assistance. If you see ″Server Error: File does not
exist,″ the server you selected in step 3 is not set up to use the directory assistance database.
6. Click Add Directory Assistance.
7. On the Basics tab, complete these fields:
Field Enter
Domain type Choose Notes.
If the domain specified in the ″Domain name″ field is the same Domino domain (the
primary domain) of the servers that use directory assistance, the servers use the
directory for these three services automatically, even if you do not choose this option. If
you are using a configuration directory server, you can then make this option equal to
the primary address book domain and have the secondary address book available
through directory assistance.
Choose ″LDAP Clients″ to enable the LDAP service running on servers to use the
directory for search and write operation when processing LDAP requests. To use the
directory for LDAP write operations, you must also enable the directory for write
operations in the ″All Servers″ Configuration Settings document. By default, the option
is enabled. To prevent the LDAP service from using the directory for search and write
operation, do not choose this option.
Fore more information, see the topics ″Directory assistance services″ and ″Directory
asssistance and domain names.″
Group Authorization Choose one:
v Yes to search the members of groups in the directory when authorizing database
access. You must also select ″Make this domain available to: Notes Clients and
Internet Authentication/Authorization.″
v No (default) to prevent searching the members of groups in the directory when
authorizing database access.
Enable this option in only one Directory Assistance document, Notes or LDAP, in the
directory assistance database.
If the domain specified in the ″Domain name″ field is the same Domino domain (the
primary domain) of the servers that use directory assistance, the servers use the
directory to look up groups for database authorization automatically, even if you choose
No for this option.
For more information, see the topic ″Directory assistance and group lookups for
database authorization.″
8. Click the Naming Contexts (Rules) tab, and for each rule you want to define, complete the following
fields. By default, an all-asterisk rule is enabled with ″Trusted for Credentials″ set to No.
Field Enter
N.C. # A naming context (rule) that describes names in the directory. For more information, see
the topic ″Directory assistance and naming rules.″
Enabled Choose one:
v Yes to enable a rule
v No to disable a rule
Trusted for Credentials Choose one:
v Yes to allow servers to use credentials in this directory to authenticate Internet clients
whose distinguished names in the directory correspond to the rule.
v No (default) to prevent servers from using this directory to authenticate Internet
clients whose distinguished names correspond to the rule.
If the domain specified in the ″Domain name″ field on the Basics tab is the same
Domino domain (the primary domain) of the servers that use directory assistance, the
servers trust all user names in the directory for client authentication, even if you do not
choose this option.
9. Click the Replicas tab. Use either the ″Database links″ field or the ″Replica#″ fields to specify replicas
of the directory for servers to use. If you make any entry in a Replica# field, then directory
assistance ignores all entries in the ″Database links″ field.
To set up directory assistance to use cluster failover to locate an available replica of the directory,
specify only one replica of the directory within the cluster.
For more information on failover, see the topic ″Directory assistance and failover for a Domino
Directory or Extended Directory Catalog.″
Field Enter
Database links For each replica you want to specify:
v Open the replica of the directory, and choose Edit - Copy As Link - Database Link.
v Select the ″Database links″ field, and choose Edit - Paste.
Using database links may delay server startup. When you restart a server that uses
directory assistance, server tasks retrieve database information from the remote servers
to which the links refer. Use database links only if the servers to which the links refer
are consistently available.
Shortcut for specifying local replicas of a Domino Directory or Extended Directory Catalog in a
Directory Assistance document: You can enter an asterisk (*) in the Server Name field on the Replicas
tab of a Directory Assistance document for a Domino Directory or Extended Directory Catalog to indicate
that directory assistance should first look on its local server for a replica of the directory. This feature is
useful in an environment where multiple servers use directory assistance to search local replicas of a
directory with the same file name. Use an asterisk to represent all the servers that have local replicas of
the directory with the same file name, rather than specifying each server individually in its own Server
Name field.
For example, if servers A, B, C, and D each store local replicas of the directory ACMEWEST.NSF
configured for directory assistance, use an asterisk to specify only one Server Name/Directory Filename
entry in the Directory Assistance document for ACMEWEST.NSF:
If you do not enter an asterisk, you muse make these four Server Name/Directory Filename entries:
If some servers use directory assistance but don’t have local replicas of the directory, add at least one
explicit Server Name/Directory Filename entry in the Directory Assistance document for these servers to
use. If you use the directory assistance failover method, specify at least one explicit Server
Name/Directory Filename entry for servers with local replicas to use as an alternate in the event the
replica is unavailable.
Note: Do not use * in the Server Name field in a Directory Assistance database that Lotus Domino
Release 4 servers use. Instead, create a separate Directory Assistance database that uses explicit server
names for Release 4 servers to use.
Field Enter
Domain type Choose LDAP.
Domain name A domain name of your choice that is different from the domain name specified for any
other Directory Assistance document - Notes or LDAP - in the directory assistance
database. For more information, see the topic ″Directory assistance and domain names.″
Company name (Optional) The name of the company associated with this directory. Multiple Directory
Assistance documents can use the same company name.
Search order (Optional) A number affecting the order in which servers search or refer LDAP clients to
this directory relative to other directories configured in the directory assistance database.
For more information, see the topic ″How naming rules relate to directory search
orders.″
Make this domain Choose one or both:
available to v ″Notes clients and Internet Authentication/Authorization″ to use this LDAP directory
for Notes mail addressing, Internet client authentication (including LDAP client
authentication), or to look up the members of groups for database authorization. For
group authorization, you must also enable ″Group Authorization″ (see below).
v ″LDAP Clients″ to enable a server running the LDAP service to refer LDAP clients to
this LDAP directory when an LDAP search is not succesful in any Domino Directory.
Choose Yes for only one directory, Notes or LDAP, configured in the directory assistance
database.
If you select Yes, in the ″Nested group expansion″ field that appears choose one:
v Yes (default) to search nested groups -- groups that are members of groups listed in
database ACLs.
v No to search only the members of groups listed in database ACLs, and not the
members of groups nested within those groups.
For more information on group authorization, see the topic ″Directory assistance and
group lookups for database authorization.″
Enabled Choose Yes to enable directory assistance for this LDAP directory.
Note: You can also enable and disable directory assistance for this directory from the
main view of the Directory Assistance database. Select the directory assistance record for
the directory and, on the toolbar, click Enable/Disable.
8. On the Naming Contexts (Rules) tab, for each rule you want to define for the directory, complete the
following fields. By default, an all-asterisk rule is enabled with ″Trusted for Credentials″ set to No.
Field Enter
N.C. # Enter a naming context (rule) that describes the user names in the LDAP directory. For
more information, see the topic ″Directory assistance and naming rules.″
Enabled Choose one:
v Yes to enable a rule
v No (default) to disable a rule
Trusted for Credentials Choose one:
v Yes to allow servers to use credentials in the LDAP directory to authenticate Internet
clients whose distinguished names in the directory correspond to the rule.
v No (default) to prevent servers from using this directory to authenticate Internet
clients whose distinguished names in the directory correspond to the rule.
Field Enter
Hostname The host name for the remote LDAP directory server -- for example, ldap.acme.com. A
Domino server uses this host name to connect to the remote LDAP directory server, or
to refer LDAP clients to the LDAP directory.
Enter an additional host name or host names so that a Domino server can use an
alternate LDAP directory server if the directory server represented by the first host
name specified is unavailable. Separate host names with commas, semicolons, or by
entering each host name on a new line.
If you specify more than one directory server and each listens on a different port,
specify the ports after the host names. For example:
ldap1.acme.com:390, ldap2.acme.com:391
Port values entered in this field override those specified in the Port field. If no port is
specified in this field, then the value specified in the Port field will be used.
Note: IPv6 addresses are also supported for use in this field. However, it is important
to note that ifan IPv6 address is specified in this field, than the Directory Assistance
database should not be used by a pre-7.0 servers, as they do not support IPv6.
For more information, see the topic ″Directory assistance and failover for a remote
LDAP directory.″
For more information, see the topic ″Specifying a name and password for Domino
servers in a Directory Assistance document for a remote LDAP directory.″
This setting may affect change detection for LDAP servers. For more information, see
the topic ″Special considerations for change detection.″
Base DN for search A search base, if the LDAP directory server requires one. For example:
o=Ace Industry
o=Ace Industry,c=US
This setting may affect change detection for LDAP servers. For more information, see
the topic ″Special considerations for change detection.″
Channel encryption Choose one:
v SSL (the default) to use SSL when a Domino server connects to the remote LDAP
directory server
v None to prevent SSL from being used.
Keep SSL selected in the ″Channel encryption″ field if you use the remote LDAP
directory for client authentication or to look up the members of groups for database
authorization.
For more information, see the next topic ″Configuring SSL in a Directory Assistance
document for a remote LDAP directory.″
Port The port number Domino servers use to connect to the remote LDAP directory server.
v If you choose SSL in the ″Channel encryption″ field, the default port is 636.
v If you choose None in the ″Channel encryption″ field, the default port is 389.
If the LDAP directory server doesn’t use one of these default ports, enter a different
port number manually.
Timeout The maximum number of seconds allowed for a search of the remote LDAP directory;
default is 60 seconds.
If the remote LDAP directory server also has a timeout setting, the lower setting takes
precedence.
Maximum number of The maximum number of entries the LDAP directory server can return for a name for
entries returned which a Domino server searches. If the LDAP directory server also has a maximum
setting, the lower setting takes precedence. If the LDAP directory server times out, it
returns the number of names found up to that point.
Default is 100.
If aliases aren’t used in the LDAP directory, selecting ″Never″ can improve search
performance.
For more information, see the topic ″Configuring alias dereferencing in a Directory
Assistance document for a remote LDAP directory.″
Preferred mail format If directory assistance is set up to allow Notes users to address mail to users in an
LDAP directory, use this option to specify the format of addresses from the directory to
be used in Notes mail. Choose one:
v ″Notes Mail Address″ - for example, John Doe/Acme@Acme. Typically, this option is
used only when the LDAP directory is a Domino Directory.
v ″Internet Mail Address″ (default) - for example, jdoe@acme.com.
For more information, see the earlier topic ″Notes mail addressing using a remote LDAP
directory.″
Attribute to be used as (Optional) If a Domino server uses the remote LDAP directory for client authentication
Notes Distinguished or for database authorization, optionally map users’ LDAP directory distinguished
Name names to corresponding Notes distinguished names. For information, see the topic
″Using Notes distinguished names in a remote LDAP directory.″
Type of search filter to Choose one to control which LDAP search filters are used to search the directory:
use v ″Standard LDAP″ (default)
v ″Active Directory″
v ″Custom″
For more information, see the topic ″Configuring search filters in a Directory Assistance
document for a remote LDAP directory.″
Configuring SSL in a Directory Assistance document for a remote LDAP directory: If a Domino server
uses a remote LDAP directory to look up credentials during Internet client authentication, or to look up
the members of groups during database authorization, specify that the server use SSL to connect to the
LDAP directory server. Specify SSL so there are secure communications between the Domino server and
the LDAP server, and so that the Domino server can use an X.509 certificate to verify the remote LDAP
directory server’s identity.
To use SSL, select SSL in the ″Channel encryption″ field on the LDAP tab of the Directory Assistance
document for the remote LDAP directory. When you select SSL, you must also make selections for three
associated fields:
v ″Accept expired SSL certificates″
″Accept expired SSL certificates″: In the ″Accept expired SSL certificates″ field choose one:
v Yes (the default) to accept a certificate from the LDAP directory server, even if the certificate has
expired.
v No, to reject an expired certificate, to provide tighter security.
″SSL protocol version″: In the ″SSL protocol version field,″ select the version number of the SSL protocol
to use, as follows:
″Verify server name with remote server’s certificate″: In the ″Verify server name with remote server’s
certificate″ field, choose one:
v Enabled (the default)
v Disabled
Choose Enabled to require that the subject line of the remote server’s certificate include the LDAP
directory server host name. For this option to work properly, the subject line in the remote server’s
certificate must include its DNS host name. Keep the option enabled if you are sure that the X.509
certificate of the remote LDAP directory server contains the remote server’s host name in the appropriate
format.
The Domino CA and some other CAs provide a dialog box into which users enter the subject line when
requesting a certificate. For example, the Domino CA prompts each user to enter the remote server’s
information -- such as, the common name, organizational unit name, organization name, state (or
province), and country name. The Domino CA places this information in the subject line and adds the
appropriate prefix (cn=, ou=, o=, and so on) to each field. If you used a Domino CA to create the remote
server’s certificate, enter the remote server’s host name in the common name field when using the ″Verify
server name with remote server’s certificate″ option. For example, the Domino CA allows users to enter
the following valid subject lines (mailserver.acme.com is the server’s DNS host name):
To ensure that users enter the DNS host name properly, recommend that they enter it as the common
name (cn=) when they request a certificate from the Domino CA. Other CAs may have different dialog
boxes for entering the subject line; users must follow these dialog boxes to enter the remote server’s DNS
host name.
If you don’t specify a name and password, a Domino server attempts to connect to a remote LDAP
directory server anonymously. You must specify a name and password if the remote LDAP directory
server does not allow anonymous access.
Enter a distinguished name in the Username field, and a password in the Password field. The name and
password must correspond to a valid name and password in the remote LDAP directory. Enter the
distinguished name in LDAP format, for example cn=domino server,o=acme.
The Username and Password fields are encryptable fields. Do the following to encrypt the fields to limit
which Domino administrators and servers can read their contents:
1. Create a secret encryption key.
2. Use the secret encryption key to encrypt the Directory Assistance document.
3. Distribute and merge the encryption key only into the ID files of administrators and Domino servers
who should read the user name and password.
Only administrators and servers with the secret encryption key can read the user name and password.
Any Domino server that connects to the remote LDAP directory server or that replicates changes to the
directory assistance database requires the encryption key.
For information on creating and using secret encryption keys, see the book Application Development with
Domino Designer.
Configuring search filters in a Directory Assistance document for a remote LDAP directory: If servers
use directory assistance to search a remote LDAP directory, you can use the field ″Type of search filter to
use″ in the Directory Assistance document for the directory to control which LDAP search filters are used
to search the directory. The following choices are available.
Note: The Active Directory search filter option replaces the Release 5 NOTES.INI setting
WebAuth_AD_Group, which allowed for searches of Active Directory groups.
Defining custom search filters: You might need to define custom search filters if searches are not returning
results or are returning results for the wrong entries. This situation can occur if the remote LDAP
directory server uses a non-standard schema. Typically, custom filters are targeted at a particular attribute
that can be used to produce unique, efficient matches - unique in that the attribute value is different for
each entry, efficient in that there is an index or some other fast mechanism to ensure quick searches.
Selecting ″Custom″ in the ″Type of search filter to use″ field displays the following three fields used to
define the custom search filters.
If a user specified ″Pat Smith″ in a mail recipient field, the resulting filter used on the LDAP
search request would be:
(|(cn=Pat Smith)(|(&(sn=Pat)(givenname=Smith))(&(sn=Smith)(givenname=Pat))))
You may want to customize the mail filter if users always type in their UID attribute in a mail
recipient field. The custom filter would look similar to the following:
(uid=%*)
With this filter, if a user specified ″BAK12345″ in a mail recipient field the resulting filter used
on the LDAP search request would be:
(uid=BAK12345)
Authentication Filter If directory assistance is configured to trust a remote LDAP directory for client authentication,
this filter is used to look up a name in the directory. Leave the field blank to use the
following default search filter:
(|(cn=%*)(|(&(sn=%a)(givenname=%z))(&(sn=%z)(givenname=%a))))
If a user specified ″Maryanne Brown″ in the HTTP login prompt, the resulting filter used on
the LDAP search request would be:
(|(cn=Maryanne Brown)(|(&(sn=Maryanne)(givenname=Brown))(&(sn=Brown)
(givenname=Maryanne))))
You may want to customize the authentication filter if users typically specify their employee
ID or mail attribute at the login prompt. In this case, the custom filter would look similar to:
(|(employeeID=%*)(mail=%*))
So, if a user specified ″MB12345″ at the login prompt, the resulting filter used on the LDAP
search request would be:
(|(employeeID=AS12345)(mail=AS12345))
Authorization Filter Specify a search filter to use to look up the members of groups for Notes database
authorization. Leave the field blank to use the following default search filter:
(|(&(objectclass=groupOfUniqueNames)(UniqueMember=%*))
(&(objectclass=groupOfNames)(Member=%*)))
If the LDAP server that is enabled for ACL group expansion stores the groups with an
objectClass of aclGroup, then you may want to specify the following custom filter:
(&(objectclass=aclGroup)(Member=%*))
Syntax for custom LDAP search filters: To define a custom search filter, insert parameters into standard
LDAP search filters to represent a part of the names being searched for.
Configuring alias dereferencing in a Directory Assistance document for a remote LDAP directory: An
alias entry in an LDAP directory is an entry that points to another entry. Searching the entry an alias
entry points to is known as dereferencing an alias. Dereferencing aliases can cause poor search
performance for some LDAP directories. Select one of the following options in the ″Dereference alias on
search″ field in a Directory Assistance document for an LDAP directory to control the extent to which
alias dereferencing occurs when searching the remote LDAP directory.
o=Acme1
cn=John Doe, o=Acme2 (alias entry that points to cn=John Doe, o=Acme1)
The following table describes which of these entries are returned for a subtree search of o=Acme 2
(o=Acme2 and subordinate entries) for each ″Dereference alias on search″ option.
Using Notes distinguished names in a remote LDAP directory: You can set up directory assistance for
a remote LDAP directory so that a Domino server:
v Uses a Notes distinguished name rather than an LDAP distinguished name for Internet client
authentication
v Accepts the Notes distinguished name in database ACLs, and in groups used in database ACLs, for
database access authorization.
This feature allows organizations that migrate users from a Domino Directory to a remote LDAP
directory to continue to use the original Notes distinguished names for users. This feature is also useful
as a way to hide complex LDAP distinguished names from users.
To set up this feature, you add an attribute for storing Notes name values to the user entries in the LDAP
directory, and then add the Notes distinguished names as values for the attributes. Then you specify the
attribute you use for the Notes names in a Directory Assistance document for the LDAP directory.
Note: If you enable this feature and some user entries in the LDAP directory do not have a value for the
Notes distinguished name attribute, then the users must specify their LDAP distinguished names to
authenticate, and Domino database ACLs and other access control lists must use the LDAP distinguished
names.
Example of using Notes distinguished names in a remote LDAP directory: Acme corporation uses the LDAP
distinguished name uid=675894,ou=boston,o=airius.com for a particular user in a remote LDAP directory.
For the same user Acme uses the name Jack Johnson/Boston/Acme in Notes database ACLs and in
groups used in database ACLs. The Domino server uses directory assistance to look up user credentials
for client authentication in the remote LDAP directory.
An Acme administrator does the following to configure the use of the Notes distinguished name for
client authentication and for database access control:
1. In the remote LDAP directory, the administrator adds an attribute called notesname to the user entry
for uid=675894, ou=boston, o=airius, and gives the attribute the value cn=Jack
Johnson, ou=Boston,o=Acme.
2. On the LDAP tab of the Directory Assistance document for the LDAP directory, the administrator
adds the attribute notesname to the field ″Attribute to be used as Notes distinguished name.″
3. On the ″Naming contexts (rules)″ tab of the Directory Assistance document, the administrator
specifies an all-asterisk trusted rule.
The user can then use any of the following names as the client logon name for authentication:
Chapter 25. Setting Up Directory Assistance 597
v cn=Jack Johnson/ou=Boston/o=Acme
v cn=Jack Johnson, ou=Boston,o=Acme
v Jack Johnson/Boston/Acme
v uid=675894, ou=boston, o=airius
v 675894
The Notes name Jack Johnson/Boston/Acme is used in database ACLs and groups.
Special considerations for change detection: Some subsystems in the Domino server perform searches
against LDAP servers. Directory Assistance, for instance, uses and retains LDAP search results for a
period of time, eliminating the need to obtain refreshed information from the LDAPservers. Domino 7
allows these subsystems to quickly detect if entries in certain LDAP directories have changed, allowing
Domino subsystems to flush stale search results and conduct another search for current LDAP
information.
Domino 7 takes advantage of LDAP servers that support the following change detection mechanisms.
While Domino automatically senses the LDAP server’s change detection mechanism, so configuration
user interfaces are not necessary to enable this feature, there may be requirements for the existing
Directory Assistance LDAP or (target) LDAP server settings.
Network connections between domains are slow, so the company creates replicas of the Domain B
directory on two Domain A servers for servers in Domain A to use, and creates replicas of the Domain A
directory on two Domain B servers for servers in Domain B to use.
The following table shows the settings for the Domain B Directory Assistance document in the directory
assistance database that servers in Domain A use. Domain B uses a similar document for the Domain A
directory in its directory assistance database.
The company creates replicas of the Extended Directory Catalog on two servers in Domain A that are
members of a cluster. Network connections between domains are fast, so servers in Domains B and C use
the replicas of the directory catalog on the Domain A servers.
Administrators from each domain want local control of the directory assistance database, so each domain
creates and uses its own directory assistance database.
The following table shows the settings for the Directory Assistance document for the Extended Directory
Catalog that is in each domain’s directory assistance database.
Domino servers in Domain A register Internet users in a remote Active Directory server which they use
to authenticate the users. Domain A creates its own directory assistance database because only Domain A
servers use the remote Active Directory.
The following tables show the settings in the Directory Assistance documents for the Extended Directory
Catalog and for the remote Active Directory server in the directory assistance database that Domain A
servers use.
Password: adminspass
Base DN for search cn=recipients, dc=east, --
dc=acme, dc=com
Channel encryption Yes Since DomainA servers use the Active Directory
for client authentication, Company Z selects the
″Channel Encryption″ so that Domino servers can
use a Secure Sockets Layer (SSL) certificate to
verify the Active Directory server’s identity.
Port 636 Necessary for SSL connections.
Accept expired SSL certificates Yes --
SSL protocol version Negotiated --
Verify server name with remote Yes --
server’s certificate
Timeout 60 --
Maximum number of entries 100 --
returned
Dereference alias on search Never The Active Directory server does not use alias
dereferencing so Company Z selects Never to
improve search performance.
Preferred mail format Internet Mail Address --
Attribute to be used as Notes notesname Company Z uses Notes-style distinguished
Distinguished Name names, rather than the original LDAP names of
the users in the Active Directory, for client
authentication and in Notes database ACLs. The
specified attribute, notesname, is defined in
Active Directory as the attribute to store the
Notes name. Company Z uses its own tool to add
Notes-style distinguished names as values for the
notesname attribute in user entries.
Type of search filter to use Active Directory Ensures that the Domain A servers use LDAP
search filters that are customized for Active
Directory searches.
Statisic Description
Database.DAReloadCount Number of times directory assistance reloaded because of changes to
the directory assistance database.
Database.DARefreshServerInfoCount Number of times directory assistance refreshed because of changes
to Server documents in the Domino Directory.
Database.DAFailoverCount Number of times directory assistance failed over to an available
replica.
Directory Catalogs
A directory catalog is an optional directory database that typically contains information aggregated from
multiple Domino Directories. Clients and servers can use a directory catalog to look up mail addresses
and other information about the people, groups, mail-in databases, and resources throughout an
organization, regardless of the number of Domino domains and Domino Directories the organization
uses. A directory catalog includes the type of information that is important for directory services, and
excludes other types of information that are part of a Domino Directory, for example Domino
configuration information, such as information in Connection documents.
You use a directory catalog in conjunction with, rather than instead of, the primary Domino Directory
and the Personal Address Book. A server searches its primary Domino Directory, and a Notes client
searches its Personal Address Book, before searching a directory catalog.
There are two types of directory catalogs: condensed Directory Catalogs and Extended Directory
Catalogs. Condensed Directory Catalogs use a unique design based on the DIRCAT5.NTF template that
enables them to be extremely small. Condensed Directory Catalogs are designed for use on Notes clients.
A condensed Directory Catalog on a Notes client is also known as a Mobile Directory Catalog.
Extended Directory Catalogs use the same design as the Domino Directory, which is based on the
PUBNAMES.NTF. They are larger than condensed Directory Catalogs, but are the recommended directory
catalog for server use because they allow faster and more flexible directory lookups.
Servers can use a directory catalog for mail addressing, for processing LDAP service operations, to look
up client authentication credentials, and to look up the members of groups in database ACLs when
authorizing users’ database access.
To achieve its small size, a condensed Directory Catalog uses a unique design that combines multiple
documents from the Domino Directories into single documents in the directory catalog, and that limits
the number of sorted views available for lookups.
Aggregate documents
One reason a condensed Directory Catalog is small is it combines many entries from the source Domino
Directories into single aggregate documents. A single Directory Catalog aggregate document can contain
up to 250 source directory entries, although on average the maximum is about 200. This means that a
condensed Directory Catalog needs to use only about 1000 aggregate documents to store information
from 200,000 documents in the source Domino Directories.
605
Limited number of views
A condensed Directory Catalog is also small because it contains only a few, small views. By contrast a
Domino Directory and an Extended Directory Catalog have multiple, typically large views.
$Users view This is the one view used in a condensed Directory Catalog for name lookups. When you
configure the directory catalog you choose how to sort this view, either by distinguished name, by last
name, or by alternate name. To find names that don’t correspond to the selected sort order, a full-text
search is done of the directory catalog rather than a view lookup.
You shouldn’t open the aggregate documents in the $Users view manually; these documents are not
intended for viewing, and it can take a considerable amount of time to format them for that purpose.
$Unid view This view contains information needed by the Dircat task to replicate the source directory
entries into the directory catalog. The $Unid view isn’t created on replicas of the directory catalog, which
further reduces the directory catalog size.
$PeopleGroupsFlat view This view displays directory names when Notes users click the Address button
to browse directories.
Configuration view This view shows the Configuration document that contains the directory catalog
configuration settings.
Users view This is a view that users can open and programs can access to see the names included in the
directory catalog. This view is not stored on disk but is instead built as needed.
Design changes
In general, you should not change the database design of a condensed Directory Catalog. One exception
is changing the name of the Users view; you can change the name of this view, as long as you keep the
original view name, Users, as an alias.
Application access
Notes applications can use these methods to access a condensed Directory Catalog programmatically:
v NAMELookup calls to the $Users view
v NAMEGetAddressBooks calls, if you use the NOTES.INI setting Name_Include_Ed=1.
v NIFFindByKey, NIFReadEntries, and NIFOpenNote calls.* You can’t use NSFNoteOpen to open notes
passed back from NIFReadEntries; you must call NIFOpenNote instead.
v LotusScript methods*
v @NameLookup function
*Can access the Users view but not the $Users view.
In addition, LDAP applications can search a condensed Directory Catalog used by a server that runs the
LDAP service.
The advantage to doing lookups in individual secondary Domino Directories is there is no need to build,
maintain, and replicate a directory catalog. Instead you create and replicate only a small directory
assistance database.
Setting up servers to use directory catalogs is useful for organizations that use multiple Domino
Directories, for example, organizations with multiple Domino domains.
Multiple views
The Extended Directory Catalog uses the same design as the Domino Directory, so it includes multiple
views that sort names in different ways. Regardless of the format of a name, there’s a view in the
Extended Directory Catalog that a server can use to quickly find the name. A condensed Directory
Catalog has one view used for lookups, which you choose how to sort when you configure it. To look up
a name in a condensed Directory Catalog that doesn’t correspond to the selected sort order, the server
uses the full-text index to search for the name, which takes longer than a view search.
Using an Extended Directory Catalog on servers that route mail is a particular advantage, because a mail
server can use views to quickly find an address regardless of the address format. When a mail server
uses a condensed Directory Catalog, mail routing can back up if the Router uses the full-text index to
look up addresses, for example, some Internet addresses, that don’t correspond to the selected sort order.
When a Notes user with a condensed Directory Catalog on the client sends mail to a group, if the client’s
directory catalog doesn’t contain the members of the group, there can be a delay while a server does a
full-text search of a condensed Directory Catalog to look up the members. Delays when sending mail to
groups are not an issue if mail servers use Extended Directory Catalogs.
Remote lookups
Servers use Directory Assistance to locate an Extended Directory Catalog, so you need to replicate the
Extended Directory Catalog only to two or a few strategic servers to which the Directory Assistance
database then points. You can configure failover so that if one replica of the directory catalog is
unavailable, servers can use an alternate.
Each server that uses a condensed Directory Catalog requires a local replica of the directory catalog,
which makes its smaller size less of an advantage overall.
You can also create a Configuration Settings document in an Extended Directory Catalog and use access
control settings on the LDAP tab of the document to control anonymous LDAP search access to the
directory catalog.
These access control features are not available for a condensed Directory Catalog.
Native documents
You can add documents manually to an Extended Directory Catalog, in addition to aggregating
documents through Dircat task processing. These ″native″ documents that originate in the database are
not affected by Dircat task processing. You cannot add native documents to a condensed Directory
Catalog.
If you choose to create a full-text index on an Extended Directory Catalog, users can do full-text searches
of it from the Notes client. Users can’t do full-text searches of a condensed Directory Catalog from the
Notes client.
Server documents
You can aggregate Server documents into an Extended Directory Catalog, but not a condensed Directory
Catalog.
When the Dircat task combines multiple documents from source Domino directories into single
documents in a condensed Directory Catalog, the intra-document ordering must match the view’s default
sort ordering. You set the CDC’s view sort ordering through File - Database - Properties - Design ″Default
sort order″
After you complete the configuration document, you run the Directory Cataloger task (Dircat task) to
build the directory catalog. A server that runs the Dircat task is referred to as a Dircat server, and
typically there is one Dircat server dedicated to aggregating directory catalogs. The Dircat task replicates
information from the Domino Directories indicated in the configuration document, and then combines --
aggregates -- the entries into the directory catalog. After the directory catalog is built, you then continue
to run the Dircat task at regular intervals to keep the information in the directory catalog current with the
information in the source Domino Directories. The Dircat task can build and maintain multiple directory
catalogs.
After the Dircat task has built a directory catalog, you set up clients and/or servers to use the directory
catalog. You can automate setting up a condensed Directory Catalog on clients by using a Setup policy
settings document or a Desktop policy settings document. This process replicates the directory catalog to
the client, and adds the directory catalog file name to ″Local address books″ field in the User Preferences
dialog for mail.
To set up a server to use an Extended Directory Catalog, you set up the server to use a directory
assistance database, and then create a Directory Assistance document in the database for the Extended
Directory Catalog. To set up a server to use a condensed Directory Catalog, you specify the file name of
the directory catalog in either the servers’ Server document, or in the Domino Directory Profile.
In addition, if you don’t aggregate all fields from documents as recommended, you must make sure to
aggregate the fields required for the authentication. For example, to use name-and-password security,
aggregate the HTTPPassword field from Person documents. Or to use X.509 certificate security, aggregate
the userCertificate field.
If you want servers to use some secondary Domino Directories for Internet client authentication but not
others, you can create one Extended Directory Catalog that aggregates the Domino Directories to use for
authentication, and another that aggregates the other Domino Directories. Then create a Directory
To allow a server to look up credentials for user names from only one or some of the source Domino
Directories aggregated into a condensed Directory Catalog, do not select the above option. Instead, create
a directory assistance database on the server. In the database, create a Directory Assistance document for
each aggregated Domino Directory you want to use for authentication. In each Directory Assistance
document, enable a rule that is trusted for credentials.
If you use name-and-password security for Internet client authentication, you can store the passwords in
the condensed Directory Catalog. To do this, aggregate the HTTPPassword field from Person documents.
In this case, a server looks up the passwords in the directory catalog, and doesn’t require directory
assistance to look them up in the source Domino Directories.
If you use X.509 certificates for client authentication, storing the certificates in a condensed Directory
Catalog isn’t recommended due to their size. Instead, set up directory assistance to look up the
certificates directly in the source Domino Directories. Similarly, servers can use directory assistance to
look up passwords in the source Domino Directories, rather than aggregating the passwords into the
directory catalog, as a way to keep the condensed Directory Catalog small.
When you don’t store passwords and X.509 certificates in a directory catalog, using the directory catalog
and directory assistance in conjunction is quicker than using directory assistance alone, because only one
database, the directory catalog, needs to be used to find a name.
For more information on using directory assistance in conjunction with a directory catalog for client
authentication, see the chapter ″Setting Up Directory Assistance.″
Aggregate C and D into EDC2. Create Aggregate C and D into CDC2 and set up
another DA database, DA2, and in it S3 and S4 to use CDC2. Enable the option
create a DA document for EDC2 with ″Trust the server based condensed
the */*/*/*/*/* naming rule enabled directory catalog for authentication with
and trusted for credentials. Set up S3 internet protocols″ in the S3 and S4 Server
and S4 to use DA2. documents.
Storing public keys in a condensed Directory Catalog isn’t recommended because it greatly increases its
size. Instead, set up directory assistance for the aggregated Domino Directories so servers can look up the
public keys in them.
Servers do not have to trust a directory catalog or a Domino Directory for credentials to use the directory
to look up public keys for mail encryption.
Typically it’s best to run the Dircat task to build and maintain a directory catalog on a server in one
domain, and then replicate the directory catalog to servers throughout an organization that need to use
the directory catalog. Using this approach, rather than having each domain build an maintain its own
version of the directory catalog, is beneficial because only one server then does the CPU-intensive Dircat
processing of the directory catalog. Aggregate the primary Domino Directory of the domain in which you
build the directory catalog so that servers in other domains can use the directory catalog to look up
information from the directory.
The Dircat task on one server can process more than one directory catalog. The Dircat task is
single-threaded so it processes directory catalogs sequentially rather than simultaneously. Because Dircat
is a CPU-intensive task, it’s often beneficial to dedicate one server solely to Dircat processing.
If you enable the option ″Remove duplicate users,″ if a user’s distinguished name is found in more than
one Person document, the Dircat task aggregates information from only the first Person document with
the name the Dircat task encounters, according to the order in which the source directories are listed in
the ″Directories to include″ field.
As the following table shows, you can store a source Domino Directory locally on a Dircat server, or on a
remote server that the Dircat server accesses over the network. It’s best to store the source directory
replicas locally for high availability and quick access. If you store replicas of the source directories locally,
make sure to keep them up-to-date by regularly replicating with the replicas on the remote servers.
If a Dircat server accesses the source Domino Directories over the network, it must have certifiers in
common with the servers that store the remote directories, or must be cross-certified with those servers.
portname!!!servername!!filename
where:
v portname is the name you gave to the port
v servername is the hierarchical name of the server that stores the
directory
v filename is the file name for the directory on the server
For example:
TCPIP!!!dirserv/east/acme!!names.nsf
If you don’t care which port is used, omit the port, for example:
DIRSERV/EAST/ACME!!NAMES.NSF
Note: The server running the Dircat task must have a certifier in
common with the remote server, or be cross-certified with that server.
*Users can’t use a condensed Directory Catalog to reserve resources, only to view them.
Note: The Dircat task does not aggregate documents that contain Readers lists by default. Use the
NOTES.INI setting Dircat_Include_Readerslist_Notes to aggregate documents that contain Readers lists.
If there are occurrences of more than one Person document with the same distinguished name, and the
multiple documents really represent one user, keep ″Remove duplicate users″ selected so that:
v Notes users aren’t required to choose between duplicate entries in the ″Ambiguous Name″ dialog box
when they resolve the mail address for the name.
v The Router doesn’t encounter duplicates names that prevents it from delivering mail.
The ″Remove duplicate users″ field does not apply to Group documents. To distinguish between different
groups with the same name in multiple directories, the Dircat task uses the ″Domain defined by this
Domino Directory″ field in the Directory Profile of the source Domino Directories to append the domain
to all group names.
Deleting Person documents from the source Domino Directories when ″Remove duplicate users″ is
selected: If you choose the ″Remove duplicate users″ option, and later remove a Person document from
a source Domino Directory that is the one aggregated into the directory catalog, the Dircat task removes
the corresponding user entry from the directory catalog the next time it runs, so the name is longer be
found in the directory catalog.
To cause the Dircat task to add the user entry back into the directory catalog, make a minor change to a
remaining Person document in one of the source Domino Directories for the user. The next time Dircat
runs, it then aggregates information from the remaining Person document into to the directory catalog.
You can also correct the problem by clicking the ″Clear History″ button in the directory catalog
configuration document, although this approach isn’t recommended because it causes a rebuild the entire
directory catalog.
For example, if Source Directory A and Source Directory B both contain a Person document with the
name Phyllis Spera/Acme, if ″Remove duplicate users″ is enabled and Directory A is listed first in the
″Directories to include″ field, when the Dircat tasks runs, it includes only the entry from Directory A. If
someone then removes the Person document from Directory A, the name Phyllis Spera/Acme is removed
from the directory catalog the next time Dircat runs. To add the name back, make a small change to the
remaining Person document in Directory B, so the Dircat task adds the name back to the directory catalog
the next time it runs.
If your organization uses a Notes application to look up the members of ″Access Control List only,″
″Servers only,″ or ″Deny List Only″ groups in an Extended Directory Catalog or a condensed Directory
Catalog used by servers, choose ″All″ or ″All in first directory only″ to add these types of groups to the
directory catalog.
If the directory catalog you are configuring is an Extended Directory Catalog servers use to look up
groups to authorize users’ database access, and these groups in the source Domino Directories are
defined as ″ACL only″ groups, choose ″All″ or ″All in first directory only″ to ensure the groups are
aggregated.
LocalDomainServers and OtherDomainServers groups: The Dircat task doesn’t aggregate the
LocalDomainServers and OtherDomainServers groups into a directory catalog because the servers listed
in these groups can’t be used for mail addressing, and because excluding them improves performance of
the Dircat task.
For more information, see ″Choosing which fields to aggregate in a directory catalog.″
Or to aggregate only Person documents for people assigned to a specific mail server, use a selection
formula such as:
The ″Selection Formula″ field replaces the replication setting ″Receive only a subset of the documents″ -
″Documents that meet a selection formula″ used in other databases. Keep in mind that a selection
formula applies to all the aggregated directories, so the formula should be valid for all of them. Note that
you can’t use a selection formula to aggregate documents that are never aggregated into a directory
catalog. For example, you can’t use a selection formula to aggregate Server Configuration documents or
Server Connection documents.
How a selection formula interacts with the ″Group types″ option: The ″Group types″ field in a
directory catalog configuration document controls the types of groups that the Dircat task aggregates into
a directory catalog. If you use a selection formula and you want to aggregate groups, you must select the
groups as part of the selection formula as well as use the ″Group types″ field to indicate which types of
groups to aggregate. For example, to aggregate only Person documents with a Location of Atlanta, and
only Mail and Multipurpose groups:
v Use this selection formula: SELECT (Form = ″Person″ & Location = ″Atlanta″) | (Form = ″Group″)
v Select the ″Group Type″ option ″Mail and Multi-purpose.″
A selection formula can select only the types of groups indicated by the ″Group types″ option.
How a selection formula interacts with the ″Include Servers″ option: The ″Include Servers″ field in a
directory catalog configuration document for an Extended Directory Catalog controls whether the Dircat
task aggregate Server documents. If you use a selection formula that includes Server documents, you
must select the Server documents as part of the selection formula as well as select Yes in the ″Include
Servers″ field.
How a selection formula interacts with the ″Include Mail-In Databases″ option: The ″Include Mail-In
Databases″ option in a directory catalog configuration document controls whether to aggregate Mail-In
Database documents. If you use a selection formula that includes Mail-In Databases documents, you must
select the Mail-In Database documents as part of the selection formula, as well as select Yes for the
″Include Mail-In Databases″ option.
1
Required fields that ensure that each document aggregated in the directory catalog has a known name
and type
2
Aggregated by default only in an Extended Directory Catalog
Use the ″Additional fields to include″ field in a directory catalog configuration document to aggregate
additional fields into a directory catalog. To avoid making a mistake, use Domino Designer to copy and
paste the fields from forms in the Domino Directory template. Be sure to copy the field itself, not the
field label -- for example, copy the field OfficePhoneNumber, not the label Office phone.
If you use a directory catalog configuration option to exclude a particular type of document, that
document isn’t aggregated even if you specify a field from the document in the ″Additional fields to
include″ field. For example, if you choose ″None″ next to the ″Group types″ option, the Dircat task does
not aggregate group documents, even if the Members field is listed in the ″Additional fields to include″
field.
Guidelines for modifying the ″Additional fields to include″ field: Follow these general guidelines
when modifying the ″Additional fields to include″ configuration field:
v Do not remove the fields aggregated by default because these field selections are the optimum ones for
mail addressing.
v In an Extended Directory Catalog, aggregating all fields is recommended, since there is no way for
servers to use directory assistance to look up missing information directly in the full Domino
Directories themselves that are aggregated. To aggregate all fields from the aggregated documents,
including custom documents added to a Domino Directory, leave the ″Additional fields to include″
field blank. If you don’t aggregate all fields, then follow the guidelines described in the following table.
In addition to the above general guidelines, follow these more specific guidelines:
When you replicate a condensed Directory Catalog, the replica you create is full-text indexed
automatically. However, if you use the file system to make a copy of a condensed Directory Catalog, the
copy is not full-text indexed. If you delete a full-text index from a condensed Directory Catalog, you
must re-create the index manually.
If only clients use a condensed Directory Catalog, conserve disk space by deleting full-text indexes on
any server replicas.
After you create a Directory Assistance document for an Extended Directory Catalog in a directory
assistance database, to optimize look up performance, remove any Directory Assistance documents for
the individual Domino Directories aggregated into the directory catalog.
Make sure to aggregate all the fields that need to be searched because once servers search an Extended
Directory Catalog they cannot use directory assistance to access the source Domino Directories directly to
retrieve field values that are not aggregated, as can occur with a condensed Directory Catalog.
For more information on setting up directory assistance for an Extended Directory Catalog, see the
chapter ″Setting Up Directory Assistance.″
Select the option ″Group authorization″ in the Directory Assistance document for the Extended Directory
Catalog to enable this feature. If you enable group authorization for an Extended Directory Catalog, you
cannot enable it for any other directory, Notes or LDAP, configured in the directory assistance database.
If you enable ″Group authorization″ for an Extended Directory Catalog, and groups used for database
access control in the directory catalog contain groups as members -- nested groups -- a server only looks
up names in the nested groups if the nested groups are located in the Extended Directory Catalog.
Note: A server cannot use groups aggregated in a condensed Directory Catalog for database
authorization.
When you integrate an Extended Directory Catalog into a primary Domino Directory, a server within the
domain of the primary Domino Directory searches the aggregated information automatically as part of its
primary Domino Directory search, and so the use of directory assistance isn’t required. Person documents
that the Dircat task aggregates are trusted for client authentication, and Groups documents that are
aggregated can be used automatically for database authorization.
Servers outside the domain of the Domino Directory into which the Extended Directory Catalog is
aggregated can use directory assistance to access the integrated directory. From the perspective of these
servers, the integrated directory is a secondary directory that is searched after their primary Domino
Directory; these servers only trust the integrated directory for client authentication, and can only use
groups in the integrated directory for database authorization, if you set up the Directory Assistance
document for the directory to allow this.
Dircat task processing affects only the documents the Dircat task aggregates from other Domino
Directories, and not native documents that originate in NAMES.NSF. For example, rebuilding an
Extended Directory Catalog that is integrated into a primary Domino Directory does not have any effect
on the native documents.
You can remove an Extended Directory Catalog that is integrated into a primary Domino Directory by
deleting the directory catalog configuration document, and then rebuilding the Extended Directory
Catalog by running the dircat on it with the -r switch. Any native documents created outside of the
aggregation process remain.
You can set up a condensed Directory Catalog on a server to work in conjunction with directory
assistance. For example, you can set up directory assistance to look up information directly in a Domino
Directory when the information isn’t aggregated into a condensed Directory Catalog. For information, see
the chapter ″Setting Up Directory Assistance.″
The ″Sort by″ option is unnecessary and isn’t available for an Extended Directory Catalog because this
type of directory catalog retains the multiple sorted views available in a Domino Directory.
Note: Always keep the default ″Sort by″ selection, ″Distinguished name,″ if servers use the condensed
Directory Catalog.
How the ″Sort by″ selection affects type-ahead addressing on Notes clients: Type-ahead addressing is
a feature that assists Notes users with mail addressing. As a user begins typing a name when addressing
mail, type-ahead searches for the name in order to fill in the name automatically for the user.
The Notes client only uses type-ahead addressing to look up a name in a condensed Directory Catalog if
the user types the name in a way that corresponds to the ″Sort by″ selection. For example, if the selected
″Sort by″ format is ″Distinguished name,″ type-ahead looks up the name in a condensed Directory
Catalog only when a user types the first name before the last name. Or, if the ″Sort by″ format is set to
″Last name,″ type-ahead looks up the name only when a user types the last name before the first name.
Make sure your ″Sort by″ selection corresponds to the way in which type-ahead is typically used in your
organization. For example in large, enterprise organizations, users often address mail by entering the
recipients’ last names, in which case the Sort by selection should be set to Last name.
You can create more than one condensed Directory Catalog, each with a different ″Sort by″ selection to
accommodate different styles of type-ahead use.
Note: If there is a condensed Directory Catalog on a Notes client, type-ahead never searches a directory
on a server, even if the client Location document is set to ″Recipient name type-ahead - Local then Server.
How the ″Sort by″ selection affects browsing a directory catalog: The ″Sort by″ selection in a
condensed Directory Catalog also determines how names are sorted when users open the directory
catalog, for example when using the ″Select Addresses″ dialog box to browse the directory catalog.
To set both a CDC’s view sort order and the ordering of the multiple entries in a document, set the
desired sort order in the database’s File - Database - Properties - Design ″Default sort order″ tab and run
the Dircat task. End users must not change the default sort ordering of the CDC replicas themselves,
since doing so will not have the desired effect (CDC entry intra-document ordering is fixed at the time of
aggregation), and may return fewer than expected lookup results in response to a lookup.
If you have different sets of end users each wishing to have different sort orderings, you must create
separate copies (not replicas) of the CDC with the desired sort orders. For example, if you have English,
French, and Danish users who each want their CDC contents ordered according to their locale, you must
create three separate copies of the CDC. The files should have their default sort order set respectively to
Latin1, French, and Danish/Norwegian. It may be useful to establish a naming convention where the sort
order appears in the CDC file names: CDC-EN.NSF, CDC-FR.NSF, and CDC-DK.NSF.
Extended Directory Catalogs are created using the same design the Domino Directory, and therefore
contain views that have a Unicode sort ordering set by default so that directory searches yield consistent
search results across Domino servers, even if those servers have different sort orderings. However, if you
wish to use a CDC on a server, you must enable ″Unicode standard sorting″ on the design tab in the
CDC’s database properties.
When the Dircat task performs the initial build or full rebuild of a CDC, it stores the entries inside the
CDC documents in accordance with the default sort order. If the default sort order is blank, the Dircat
task will obtain a sort ordering from the Domino environment and explicitly set the CDC’s default sort
order with it. When the Dircat task updates a CDC, it first verifies the default sort order matches the
ordering of entries in CDC documents. If it discovers discrepancies between the two orderings, the Dircat
task will issue an event telling the administrator to use Dircat to perform a full rebuild.
Soundex allows Notes users to use phonetic spellings to search for names. Supporting Soundex lookups
increases the size of the directory catalog by about 4 bytes for every entry. Soundex is not effective for
finding names in non-Latin characters.
This field is not available in a configuration document for an Extended Directory Catalog, since
minimizing the size of an Extended Directory Catalog is not a typical goal.
Note: Change these settings only on a condensed Directory Catalog used only by servers, and not on a
condensed Directory Catalog used by clients.
These settings are irrelevant and unavailable for an Extended Directory Catalog which doesn’t combine
multiple source Domino Directory entries into aggregate documents.
Incremental fields: Because a single field in an aggregate document contains values for the field from
many of the source Domino directories, it’s likely that at any one time every field in the aggregate
document might require updating and, therefore, would need to replicate. To manage changes to fields in
a condensed Directory Catalog, the Dircat task, by default, uses an incremental merge process that stores
the changes in temporary fields in aggregate documents until, by default, 5 percent of the total entries
from the source Domino Directories change. Then the Dircat task merges the changes stored in the
temporary fields into the permanent fields in the aggregate documents and deletes the temporary fields.
This process occurs somewhat randomly over a period of time so that at any time, only a few aggregate
documents need to replicate. When the directory catalog on the server running the Dircat task replicates,
only the updated fields replicate. This incremental replication results in improved replication
performance, especially when replication occurs over a dial-up connection.
The alternative to incrementally merging fields is to make changes as they occur directly in the original
fields in aggregate documents. Disabling incremental merging provides some modest gains in search
performance. However, if replication with the source Directory Catalog occurs over dial-up connections,
keep incremental merging enabled.
Next to the Incremental fields option in a configuration document for a condensed Directory Catalog,
Choose Yes (the default) to use incremental merging and temporarily store field changes in duplicate
fields in aggregate documents to optimize replication performance. Or choose No to immediately makes
changes in the original fields in the aggregate documents.
Merge factor: The Merge factor option in a configuration document for a condensed Directory Catalog is
a value representing the percent of total field changes that must occur before Domino merges the changes
stored in duplicate fields into the original fields in aggregate documents; default is 5 percent.
Notes clients should replicate local condensed Directory Catalog with a replica on a server either daily or
weekly, depending on whether the clients have fast connections to the server. It’s best for clients that
connect on the road over dial-up connections to wait to replicate a directory catalog until a fast
connection is available.
Give all servers that are not Dircat servers, as well as all clients, only Reader access (the default) to a
condensed Directory Catalog, to prevent the clients/servers from being able to replicate changes to the
replica on a Dircat server.
For more information on type-ahead addressing and directory catalogs, see ″Deciding how to sort entries
in a condensed Directory Catalog.″
You can set up servers to use specific Extended Directory Catalogs or condensed Directory Catalogs in a
similar manner.
Used for an
Extended
Directory
Document/Database Field(s)/Tab(s) Purpose Catalog too?
Directory Profile of each ″Domain defined by Associates groups in the directory with a Yes
Domino Directory to be this Domino Directory″ domain to distinguish between different
aggregated in the directory on the Basics tab groups with the same name in more than
catalog one Domino Directory
Directory Catalog All fields Used for directory catalog configuration No
Configuration document in
database created from
DIRCAT5.NTF
File / Database / Default sort order Provides the Dircat task with the sort order No
Properties / Design in of entries in the condensed directory
database created from catalog
DIRCAT5.NTF
Domino Directory Server All fields in the Server Provides the Dircat task with the file Yes
document of Dircat server Tasks - Directory name(s) of the local directory catalog(s) to
that builds the directory Cataloger tab aggregate and a schedule for running
catalog
1
Can use directory assistance instead to trust for client authentication only some rather than all of the
aggregated directories
Step 1: Verify that each Domino Directory has a defined domain: Each Domino Directory aggregated
in a directory catalog should have a domain defined in its Directory Profile. The Dircat task appends the
domain name to the names of groups in the directory catalog, to distinguish between identically named
groups from different directories.
Do the following for each Domino Directory you will aggregate into the directory catalog:
1. Open a Domino Directory.
2. Choose Actions - Edit Directory Profile.
3. Make sure the field ″Domain defined by this Domino Directory″ contains a valid domain name. This
field is usually filled in automatically.
4. Click Save & Close.
Note: Keep the - Default - entry in the database access control list (ACL) set to Reader.
Step 3: Create the directory catalog configuration document and run the Dircat task::
1. In the database you created, choose Create - Configuration.
2. Complete the following fields in the Directory Catalog Configuration document:
Note: The ″Directories to include″ field is the only field you must complete. In many situations you
can accept the default values in the other fields. However, read the complete descriptions of the fields
before you run the Dircat task to build the directory catalog.
Step 4: Set up clients to use the condensed Directory Catalog: Use Desktop policy settings or Setup
policy settings to automate setup of a condensed Directory Catalog on Notes clients. The automated
setup creates a replica stub (an empty replica) of the directory catalog on the clients, with a replication
schedule enabled to a replica of the directory catalog on a server that you specify. When the client
replicates with a replica of the directory catalog on a server, a full-text index is created on the client
replica after replication is complete. The automated setup process also adds the file name of the
condensed Directory Catalog to the ″Local address books″ field in user preferences for mail, after the file
name of the Person Address Book.
If you don’t automate the directory catalog setup, you must create the replica and add the file name to
clients manually.
Note: User Setup Profiles used in Lotus Domino Release 5 for automated directory catalog setup
continue to work in Lotus Domino 7.
Note: Notes users should do pull replications regularly with up-to-date replicas of the directory catalog
on servers.
Note: It is strongly recommended that you use the Extended Directory Catalog on servers, as they
provide faster and more flexible directory lookups.
Note: Make sure the CDC has ″Unicode standard sorting″ enabled in the CDC’s database properties
design tab. See Step 3.
Note: To specify instead that the server trust for authentication names from only one or some of the
directories aggregated in the directory catalog, in a directory assistance database used by the server,
create a Directory Assistance document for each aggregated Domino Directory to trust that has a
trusted rule enabled.
For more information, see the topic ″Using a condensed Directory Catalog for client authentication″
earlier in the chapter, and also the chapter ″Setting Up Directory Assistance.″
8. Click Save & Close
9. If necessary, wait for the Domino Directory changes to replicate to the server. Or force the
replication.
10. Use the Restart Server command to Restart the server so it detects the changes to the Server
document.
Tip: If multiple servers use the same file name for their local replicas of the condensed Directory Catalog,
you can specify that file name once in the Directory Profile of the domain Domino Directory, rather than
multiple times in individual Server documents. To use the Directory Profile method, from the Domino
Directory for the servers that will use the directory catalog, choose Actions - Edit Directory Profile and
add the directory catalog file name to the ″Directory catalog database name for domain″ field. Then a
server that doesn’t have a directory catalog file name entered in its Server document uses the Directory
Profile to find its local replica of the condensed Directory Catalog.
Used for a
condensed
Directory
Document/Database Field(s)/Tab(s) Purpose Catalog too?
Directory Profile of each ″Domain defined by this Associates groups in the directory with Yes
Domino Directory to be Domino Directory″ field on a domain to distinguish between
aggregated in the the Basics tab different groups with the same name in
Directory Catalog more than one Domino Directory
Extended Directory All Used for directory catalog configuration No
Catalog document in
Database created from
PUBNAMES.NTF
Domino Directory Server All fields in Server Tasks - Provides the Dircat task with the file Yes
document of the Dircat Directory Catalog tab name(s) of the local directory catalog(s)
server that builds and to aggregate and a schedule for running
updates the directory
catalog
1
Unnecessary if the Extended Directory Catalog is built directly into the primary Domino Directory
Step 1: Verify that each Domino Directory has a defined domain: Each Domino Directory aggregated
in a directory catalog should have a domain defined in its Directory Profile. The Dircat task appends the
domain name to the names of groups in the directory catalog, to distinguish between different groups
with the same name in more than one Domino Directory.
Do the following for each Domino Directory you will aggregate into the directory catalog:
1. Open the Domino Directory.
2. Choose Actions - Edit Directory Profile.
3. Make sure the field ″Domain defined by this Domino Directory″ contains a valid domain name. This
field is usually filled in automatically.
4. Click Save & Close.
Note: If you will integrate an Extended Directory Catalog into a primary Domino Directory, skip this
step.
1. Choose File - Database - New.
2. Next to Server, select the Dircat server you picked to aggregate the directory catalog.
3. Next to Title, enter a title for the directory catalog, for example Extended Directory Catalog.
4. Next to Filename, enter a file name for the directory catalog, for example EDC.NSF. Do not use the
file name NAMES.NSF.
5. Select ″Show advanced templates.″
6. Below Template server, select a server that stores the Domino Directory template.
7. Select the Domino Directory template (PUBNAMES.NTF).
8. Keep ″Inherit future design changes″ selected.
9. Click OK.
Step 3: Create the Extended Directory Catalog configuration document and run the Dircat task::
1. Open the database you created in Step 2.
Note: To integrate the Extended Directory Catalog into a primary Domino Directory, open that
primary Domino Directory instead.
For more information, see the earlier topic ″Using a selection formula in a
directory catalog configuration document.″
Replication history Shows the date and time when the Dircat task last replicated the aggregated
directories
Click Clear History to do a full rebuild of the directory catalog. Do not click Clear
History unless you understand Dircat rebuilds. For more information, see the later
topic ″The Dircat task.″
Step 4: Create at least one replica of the Extended Directory Catalog: Create at least one replica of the
directory catalog on another server for performance and failover benefits. Make sure replication occurs
between the server(s) with the replica(s) and the Dircat server, so the replicas of the directory catalog are
kept up-to-date.
Step 5: Set up servers to use the Extended Directory Catalog: To set up a server to use an Extended
Directory Catalog, create a Directory Assistance document for the Extended Directory Catalog in a
directory assistance database the server uses.
Note: If you integrate the Extended Directory Catalog into a primary Domino Directory, steps 4 and 5 are
unnecessary.
Full rebuilds
If you change any of the following fields in a directory catalog configuration document, the Dircat task
must do a full rebuild of the directory catalog to incorporate the indicated changes into the directory
catalog:
v Directories to include
v Additional fields to include
v Sort by (condensed directory catalog)
v Use Soundex (condensed directory catalog)
v Remove duplicate users
v Group types
v Include Mail-in Databases
v Include Servers (Extended Directory Catalog)
v Selection Formula
When the Dircat task does a full rebuild, it completely re-aggregates of all the configured source Domino
Directories, similar to what occurs during the initial build of the directory catalog. For example, if you
add a field to the ″Additional fields to include″ field to aggregate an additional field, that field isn’t
aggregated until the Dircat task does a full rebuild of the directory catalog. A full rebuild is a much
longer process then an update. After a full rebuild, there must also be a full replication of the directory
catalog to the servers and clients that use it, which can be time consuming, especially for replication of
condensed Directory Catalogs.
When you change one of the above fields in a configuration document for a condensed Directory Catalog,
the next time the Dircat task runs, it automatically does a full rebuild. When you change one of these
fields in a configuration document for an Extended Directory Catalog, the Dircat task does not do a
rebuild automatically. Instead, you must initiate the rebuild by running the Dircat task with the -r switch
against the Extended Directory Catalog, or by clicking the Clear History button on the Advanced tab of
the directory catalog configuration document.
Note: Dircat processing of changes to the ″Directories to include″ field in a configuration document for
an Extended Directory Catalog causes a partial rebuild, rather than a full rebuild, that processes only
directories affected by the change.
Partial rebuilds
If the replica of a source Domino Directory the Dircat task uses is deleted, and then replaced with a file
operating system copy with the same replica ID, then the Dircat task does a partial rebuild, which
involves comparing all documents in the new file system copy of the Domino Directory to the
corresponding contents in the directory catalog to look for changes. The Dircat task also does a partial
Note: This is true of any replica of the Domino Directory that the DirCat task aggregates. If a replica of a
Domino Directory is replaced with a file operating system copy with the same replica ID, when the Fixup
task runs on that replica those changes are replicated back to the aggregation server’s Domino Directory.
This in turn flags the DirCat task to do a partial rebuild on the aggregation server.
Always run the Dircat task on one server to build and update a particular directory catalog. If you run
the Dircat task on more than one server against the same directory catalog, replication conflicts occur. Use
the field ″Restrict aggregation to server″ in a directory catalog configuration document to ensure that the
Dircat task on only one server can process a particular directory catalog.
Running the Dircat task on schedule: Schedule the Dircat task on a Dircat server to run at regular
intervals by doing the following:
1. Make sure there is a directory catalog database with a completed configuration document.
2. From the Domino Administrator, click the Configuration tab.
3. Expand Directories - Directory Cataloger, and choose Settings.
4. Click the Server Tasks tab, then the Directory Cataloger tab.
5. Complete these fields, and then click Save & Close:
Field Enter
Directory Catalog The file name(s) of the directory catalog(s) the Dircat task should process. Separate
filenames multiple file names with commas.
Schedule Select Enabled.
Run Directory Catalog A time range or one or more specific times to update the source directory catalog.
aggregator at Separate multiple time entries with commas (,).The default is the range 08:00 AM to
10:00 PM.
Repeat interval of A number representing the minutes between updates that are scheduled during a time
range. The default is 360 minutes (every 6 hours). Consider reducing this interval to
have the Dircat task run every 60 or 120 minutes.
Days of week The days of week to run the Dircat task. The default is daily.
Running the Dircat task manually: To run the Dircat task manually on a Dircat server, issue this server
command:
load dircat dc.nsf
where dc.nsf is the file name of a local directory catalog on the server.
You can do a full rebuild of a directory catalog. Keep in mind that a full rebuild removes and recreates all
the aggregated documents so that the first replication after the rebuild will require a full replication of the
database.
To do a full rebuild of a directory catalog, you can run the dircat task against the directory catalog using
the -r switch, for example:
load dircat dc.nsf -r
Pausing the Dircat task: Before you shut down a server that is in the middle of Dircat processing, pause
the Dircat task. When you pause the Dircat task, the Dircat task finishes aggregating the directory catalog
it is currently running on and then goes idle. if you don’t pause the Dircat task before server shutdown,
the Dircat task must reaggregate the directory catalog it was processing at the time of server shutdown
from the beginning.
You can then shut down the server. Or, to resume Dircat processing, enter this server command:
Tell Dircat Resume
Note: Change a directory catalog configuration document on the Dircat server that aggregates the
directory catalog.
Extended ACL
An extended access control list (ACL) is an optional directory access-control feature available for a
directory created from the PUBNAMES.NTF template -- a Domino Directory or an Extended Directory
Catalog. An extended ACL is tied to the database ACL, and you access it through the Access Control List
dialog box using a Notes 7 or Domino Administrator 7 client. You use an extended ACL to apply
restrictions to the overall access the database ACL allows a user -- you cannot use it to increase the access
the database ACL allows. Use an extended ACL to set access to:
v All documents with hierarchical names at a particular location in the directory name hierarchy, -- for
example all documents whose names end in OU=West/O=Acme.
v All documents of a specific type, -- for example all Person documents
v A specific field within a specific type of document
v A specific document
For information on using Extended ACLs in a multi-release environment, see the Upgrade Guide.
Note: Server processes such as the Router task do not enforce extended ACL restrictions. However, in the
case of the Router task specifically, you can prevent some users from sending mail to a group by editing
the Readers field for the group and including only the names of users you want to allow to send mail to
the group. When users omitted from the Readers field attempt to send mail to the group, the Router
won’t deliver the mail.
For more information, see the chapter ″Customizing the Domino Mail System.″
Access set through a security feature in the database design also restricts the access you can specify in an
extended ACL. For example, if a Readers field on a particular form prevents a user from reading fields in
documents created with that form, giving a user Browse access to the form in the extended ACL does not
override the access specified in the Readers field.
637
Elements of an extended ACL
To set up an extended ACL, you use the ″Extended Access at target″ dialog box, which you open from the
database Access Control List dialog box. The elements of an extended ACL are:
v Access settings -- the allowed access
v Subjects -- the users and groups whose access you control
v Targets -- categories of documents or specific documents to which access settings apply
Access settings apply to existing documents at a selected target. If the selected target is a category of
documents, access settings also apply to documents added to the category in the future.
An extended ACL cannot restrict the access of a user with Manager database access or an administrator
with ″Full Access administrators″ access to a server (controlled through the Server document in the
Domino Directory.) An extended ACL also cannot prevent a user with Designer or Manager database
access from modifying the directory design.
Note: For ease of reading, this topic uses the terms document, field, and form. If an extended ACL will
control LDAP access, apply the LDAP-equivalent terms instead: entry, attribute, and object class.
Access
setting Tasks allowed
Browse Allows a user to access a document.
Create Allows a user to create a document.
Delete Allows a user to delete a document.
Access
setting Tasks allowed
Read Allows a user to read a field. The user must also have Browse access to the document.
Write Allows a user to modify a field.
When more than one type of document uses a particular field, you control access to the field separately
for each type of document.
If you are controlling the access of Notes and Web users, be aware of the following issues. These issues
do not apply to access through other means, such as LDAP access or Notes application access, except
where indicated.
v If you deny a Notes or Web user access to a field in a document, when the user opens the document,
the document does not show the field and the text (TRUNCATED) shows in the tab of the document.
In addition, the user is unable to edit the document, even if the user has write access to the fields in it.
v If you deny a Notes or Web user access to a field in a document that a view uses to sort the document,
the name of the document is blank in the view. The user can still select the document to open it.
Administer access
Grant Administer access to allow someone with Designer or Editor access in the database ACL to modify
access settings at an extended ACL target. Someone with Manager access in the database ACL can modify
an extended ACL without having Administer access. Grant Administer access to allow someone to
manage access to documents under a target category without granting the person Manager access in the
database ACL. A user with Editor or Designer access in the database ACL does not have the Administer
access by default; you must grant the user that access explicitly. You grant someone Administer access to
a target category and not to a specific document.
Note: You can give a Domino 7 server Administer access to a selected target category. This access enables
the server to be an extended administration server whose Administration Process manages documents
below the selected target category.
For more information, see the chapter ″Setting Up the Administration Process.″
Default access: You use the ″Extended Access at target″ dialog box to set a subject’s default access to a
target. The following figure shows default access set to Deny all for the -Default- subject at / (root):
Displaying LDAP attributes and object classes when setting form-specific access
Use the Schema option in the ″Form and Field access at target″ dialog box to control whether the dialog
box shows the directory contents in terms of LDAP object classes and attributes or in terms of Domino
forms and fields. Domino is selected by default, meaning the dialog box shows Domino forms and fields.
To show LDAP object classes and attributes, select LDAP next to the Schema option.
When you set a subject’s access to a form or field, the access setting automatically applies to the
corresponding LDAP object class or attribute, if there is one. Similarly, if you set a subject’s access to an
object class or attribute, the access also applies to the corresponding form or field if there is one.
For example, if you deny a subject Read access to the InternetAddress field of a Person form when
Domino is selected as the Schema option, the subject is also denied LDAP Read access to the mail
attribute of the dominoPerson object class that shows when LDAP is selected as the Schema option. If the
Schema option is set to LDAP and you deny a subject Read access to the mail attribute of the
dominoPerson object class, the subject is also denied Read access to the InternetAddress field of a Person
form that shows when the Domino is selected as a Schema option.
Some object classes and attributes that the ″Form and Field access at target″ dialog box displays when
you select LDAP as the Schema option do not correspond to forms and fields and are useful only for
controlling LDAP access. For example, the object class residentialPerson does not correspond to a form.
Similarly, some forms and fields that the dialog box displays when you select Domino as the Schema
option do not correspond to LDAP object classes and attributes and are useful only for controlling Notes
or Web user access. For example, the form DirectoryProfile does not correspond to an object class.
For more information on the LDAP schema, see the chapter ″Managing the LDAP Schema.″
More than one subject that is shown at a selected target can apply to a particular user. For example, a
user might be a member of two groups, both of which have access set to the target O=Acme. The
following precedence rules are applied to determine the access a user has to a target when there are
multiple subjects that apply to the user at the target.
Note: Even after precedence rules are applied, a user’s access can never exceed the access the database
ACL allows the user.
1. Access set for a subject with the scope ″This container only″ take precedence over access set for a
subject with the scope ″This container and all descendants″ regardless of subject type. For example,
the access set for the subject */Acme and the scope ″This container only″ takes precedence over the
access set for the subject Kathy Brown/Acme and the scope ″This container and all descendants.″
2. Among subjects with the same scope, access for a more-specific type of subject take precedence over
access for a less-specific type of subject. The order of subject specificity, from most specific to least
specific, is:
a. Individual user or server
b. Self
c. Group
d. A wildcard, -- for example */Acme
e. -Default-
For example, the access set for Kathy Brown/Acme with the scope ″This container and all
descendants″ takes precedence over the access set for the group Admins/Acme with the scope ″This
container and all descendants″.
3. When evaluating more than one group subject or more than one wildcard subject, the access settings
of the subjects are combined, with Deny access taking precedence over Allow access. For example, if
the group Admins/Acme denies Write access and allows all other access, and the group
Managers/Acme denies Create access and allows all other access, users that are members of both
groups are denied Write and Create access and allowed all other access.
Tip: To determine a user’s effective access to an extended ACL target after extended access settings and
database access are evaluated, select the target in the ″Extended Access at target″ dialog box, then click
Effective Access.
For more information on using the Effective Access tool, see the topic ″Showing a subject’s effective
access to an extended ACL target″ later in the chapter.
Scope: ″This container and all Scope: ″This container only″ Deny: Read, Browse
descendants″
Allow: Create, Delete, Write
Allow: Read, Browse
Deny: Read, Browse
Deny: Create, Delete, Write
Subject: Admins/Acme group Subject: */Acme Allow: All Rule 2
Scope: ″This container and all Scope: ″This container and all
descendants.″ descendants″
The following figure shows an example of the -Default- subject selected at the / (root) target.
With the exception of Self, these are the same types of entries that are acceptable in a database ACL.
For more information on the database ACL, see the chapter ″Controlling User Access to Domino
Databases.″
You specify more than one subject at a target to give each subject its own access to the target. For
example the group Admins/West/Acme and the group Admins/East/Acme might each have access set
at the / (root) target. You can also add the same subject at multiple targets, to give the subject different
access to each target.
If the database ACL and an extended ACL both list a particular subject, Administration Process requests
can rename or delete the subject in the extended ACL, as well as in the database ACL.
Self as a subject
The subject Self is available only for an extended ACL and not the database ACL. At a target category
only, you can use Self to define the access that all users have to their own documents that fall under the
target category. A user’s own document is one with a distinguished name that matches a distinguished
name presented by the user. Use Self so that you can use one subject to control all users’ access to their
own documents at a target category.
-Default- as a subject
Adding and setting access for the -Default- subject at a target is optional. If you set access for -Default- at
a target, all users and servers whose access is not determined by another subject at the selected target get
the access set for -Default-. If you add the -Default- subject to a target and you want some users to have
different access to the target than the -Default- access, add a subject or subjects that represent those users
to the target with the desired access.
For more information, see the chapter ″Setting Up the Administration Process.″
The following figure shows the / (root) target selected in the ″Extended Access at target″ dialog box. By
default you can see only the document categories in the Target box and not individual documents.
Deselect ″Show only containers″ to see the documents below the categories.
/ (root)
O=Acme
Alan Jones/Acme
OU=East
Derek Malone/East/Acme
OU=West
Karen Lessing/West/Acme
For a document to be categorized by name hierarchy in a subcategory below / (root) its name must
contain more than just one part. For example a Person document whose name is defined by a certifier is
subcategorized in a category below / (root). In addition, the name of the document must be stored in a
A document with a flat name -- a name with only one part --, or a document with a name specified in a
field other than FullName, ListName, or Servername, is categorized directly under / (root). The Target
box does not show the documents under / (root) that are named through a field other than FullName,
ListName, or ServerName. You can set access to these types of documents through the / (root) target, but
cannot set access to an individual one. For example, the names of Holiday and Connection documents are
not controlled through a FullName, ListName, or ServerName field, so you cannot see or select these
documents under / (root). However, when you set access at / (root), the access applies to the documents.
Domino can verify a subject’s directory access more quickly when there are fewer occurrences of the
subject in an extended ACL than when there are many. In addition, when you use categories as targets
it’s easier to manage the extended ACL because there are fewer subjects to track.
To take full advantage of using categories as targets, you may want to specify hierarchical names for
documents that have flat names in a FullName, ListName, or ServerName field so the Target box can
subcategorize them under an appropriate location in the directory name hierarchy. For example, Group
documents often have flat names, and in this case the Target box categorizes them directly below / (root),
so you may want to change the names of such Group documents to hierarchical.
The following documents usually have hierarchical names defined in a FullName, ListName, or
ServerName field and are therefore subcategorized below / (root) under at the appropriate location in the
directory name hierarchy.
v Person documents
v Server documents
v Certifier documents
v Policy documents
Target scope
When you select a category as a target in the Target box, you use the Scope of Target box to specify
whether a subject’s access settings apply only to documents at that category or also to documents under
subcategories as well. Keep ″This container and all descendants″ (the default) selected to apply the
subject’s access settings to documents under the selected target category as well as to documents under
subcategories. Select ″This container only″ to apply the subject’s access settings to documents under the
selected target category only.
The following figure shows the target scope ″This container and all descendants″ selected for the subject
Admins/Acme at the / (root) target.
Example of using ″This container and all descendants″ as a target scope: Suppose you want users who
access the database through the -Default- entry to see any Person and Group document in the directory
but no other type of document. You could do the following:
v Give the -Default- subject Reader access in the database ACL.
v In the extended ACL, add the -Default- as the subject at / (root) and deny it all access by default, but
allow it Browse and Read access to the Person and Group forms.
v Keep ″This container and all descendants″ as the scope to apply the access settings to the entire
directory.
Adding a subject twice to a target category with different target scopes: Although not typically done,
you can add one subject two times to one target category with different access settings. Add the subject
to the target category and specify access for the scope ″This container only.″ Add the subject again to the
same target category and specify access for the scope ″This container and all descendants.″ Using this
approach, you can use one subject entry to set a subject’s access to multiple target subcategories, rather
than setting the subject’s access separately at each subcategory.
For example, suppose you want to allow members of the group Admins/Acme full access to documents
categorized directly under O=Acme. You also want to allow members of the group to browse and read
documents categorized under OU=East and OU=West, but want to prevent them from creating, deleting,
Assuming there are no other subjects in the extended ACL that control access for the members of the
Admins/Acme group, precedence rules determine that the access set for Admins/Acme at O=Acme with
the scope ″This container only″ controls Admins/Acme’s access to the documents directly under
O=Acme. The access set for Admins/Acme at O=Acme with the scope ″This container and all
descendants″ controls Admins/Acme’s access to the documents subcategorized under OU=East and
OU=West below O=Acme.
Security goals
How Acme achieve its goals: The following tables describe how Acme sets up the Domino Directory
database ACL and the extended ACL to accomplish its security goals.
Database ACL:
When you use a sparse access control model Domino can check extended ACL access settings quickly
and you can manage extended ACL access settings easily.
For more information on converting anonymous LDAP access settings in a domain Configuration Settings
document to database ACL and extended ACL settings, see the chapter ″Setting Up the LDAP Service.″
CAUTION:
Do not enable extended access if you have any uncertainty about doing so.
Tip: Below the Target box, deselect ″Show only containers″ to show the documents under each
target category. Select the option to show only the target categories. You can choose a single
document as a target, but doing so is discouraged.
8. Next to ″People, Servers, Groups″ below the Access List box, select one:
v Show Modified -- to show only subjects whose access to the selected target is set at the target.
v Show All -- (default) to show subjects whose access to the selected target is set at a higher target
using the ″This container and all descendants″ scope, as well as to show subjects whose access to
the selected target is set at the target.
9. To add the subject for which you are setting access to the selected target, do one:
v Click Add - Name and type or select a subject name, then click OK. If the subject is a user, server,
or group that is not in the directory for which you are controlling access, this prompt appears:
″Subject can not be found in the directory. To continue, please specify the subject’s type: Person,
Server, Group.″ Select one of the options presented, then click OK.
Note: If you selected a single document as a target in Step 7, the ″This container and all
descendants″ option is not available.
11. Below the Attributes section at the right of the ″Extended Access at target″ box, for each of the
following select Allow or Deny to set the selected subject’s default access to the selected target.
v Browse
v Create
v Delete
v Read
v Write
v Administer
For more information, see the topics ″Extended ACL access settings″ and ″Default access compared
to form-specific access″ earlier in the chapter.
12. (Optional) Set form-specific access to make exceptions to the default access.
13. Click OK to save the extended ACL changes and close the ″Extended Access at target″ box.
For each form for which you want to set different access than the subject’s default access set for the
selected target, do the following:
1. Select the subject for which you are setting access in the ″Extended Access at target″ dialog box and
click ″Form and Field Access″ to open the ″Form and Field access at target″ dialog box. The dialog
box shows the forms in the directory in the Forms box. When you select a form in the Forms box,
the Fields box shows only the fields in the selected form.
2. (Optional) To set the ″Form and Field Access at target″ dialog box to display LDAP object classes and
attributes rather than forms and fields, next to Schema select LDAP. This option works only if you
are setting access to a directory on a server running the LDAP service.
For more information, see the topic ″Displaying LDAP attributes and object classes when setting
form-specific access″ earlier in the chapter.
3. (Optional) To look at the subject’s default access to the selected target you previously specified in the
″Extended access at target″ dialog box.
Note: You cannot determine the effective access for the subject Self.
6. Click ″Calculate Access.″
7. The Default Access section shows the subject’s default access to the selected target.
To modify a subject’s access to an extended ACL target: To modify a subject’s set at an extended ACL
target, follow the steps described in the topic ″Setting a subject’s to an extended ACL target,″ except in
step 9 select the subject rather than add it.
Note that if you select a subject in the ″Extended access at target″ dialog box and the subject’s access
settings are grayed out, check that you have the access required to change the settings: Manager access in
the database ACL or Editor access in the database ACL with Administer access to the selected target.
If you have the required access to make the change and the subject’s access settings are grayed out, the
subject’s access to the selected target is set at a higher target with the scope ″This container and all
descendants.″ In this case you can do one of the following:
v At the selected target, click Add to add the subject to the selected target and set different access for the
subject at the target. The new access to the selected target overrides the access set at the higher target.
If you choose the scope ″This container and all descendants″ the new access applies to all documents
subcategorized below the selected target as well. If you choose the scope ″This container only,″
documents categorized immediately below the selected target get the new access settings, but
documents under subcategories of the selected target continue to have the access settings specified at
the higher target.
v Select the higher target, select the subject at the higher target, and change the access. The changes
apply to documents directly under the higher target and to documents below all subcategories of the
higher target, including the target for which the subject’s access is grayed out.
To remove a subject’s access settings from an extended ACL target: Remove a subject from an
extended ACL target to remove the access settings specified for the subject at the target.
1. Make sure you have one of the following levels of access:
v Manager access in the database ACL.
v Editor or Designer access in the database ACL and Administer extended ACL access to the target
from which you are removing the subject. A database manager or someone with the Administer
access to the target must give you this access.
2. Open the database with the extended ACL, and choose File - Database - Access Control.
3. With Basics selected, click Extended Access.
4. In the Target box at the left of the ″Extended Access at target″ box, select the target from which you
want to remove the subject.
For information, see the topic ″Extended ACL target″ earlier in the chapter.
Disabling extended access removes all evidence of extended ACL settings, information that cannot be
recovered unless you restore it from a recent backup or archive of the directory, or unless you write
down the settings prior to disabling them and then reapply them manually later.
CAUTION:
Do not disable extended access if you have any uncertainty about doing so.
Note: Disabling extended access may take a few minutes on a very large directory database. The Notes
client or Domino Administrator client is unavailable for other purposes during this process.
Messaging overview
The Domino mail system has three basic components: Domino mail servers, Domino mail files, and mail
clients. The Domino mail server is the backbone of an organization’s messaging infrastructure, acting
both as an Internet mail server and a Notes mail server. Domino provides standards-based Internet
messaging through its support of the Simple Mail Transfer Protocol (SMTP), Post Office Protocol version
3 (POP3), Internet Message Access Protocol (IMAP), and Multipurpose Internet Mail Extensions (MIME).
At the same time, Domino supports Lotus Notes mail through the use of Notes routing protocols -- Notes
remote procedure calls (NRPC) -- and the Notes rich text message format.
Domino mail servers provide services that directly and indirectly support messaging. These include
specialized databases for locating users and servers, for message storage and transit, and for collecting
statistics; and processes that initiate and receive connections between servers, route messages, and allow
users to retrieve mail.
Every mail user in a Domino system has a mail file on a Domino mail server. You can create a replica of
the mail file on other servers for failover in case the primary server is unavailable. Users create mail
messages using a mail client, such as Lotus Notes, or a POP3 or IMAP client, and send mail through the
Domino mail server, which routes the message to its recipient. The recipient then uses a mail client to
read the message. To protect confidential information in mail messages, Domino supports Notes public
key encryption and S/MIME encryption.
The Lotus Notes client and the Domino mail router (the Router) create and send messages in the format
(MIME or Notes rich text) appropriate for each recipient, as determined from the address format and
settings in the recipient’s Person document. If conversion between formats is necessary, Domino performs
the conversion automatically.
The Router uses information in the Domino Directory to determine where to send messages and what
transfer protocol to use. For messages sent over SMTP, the Router also uses information from the Domain
Name System (DNS).
Domino provides tools for monitoring mail, controlling unsolicited commercial e-mail (UCE), and
preventing unauthorized access to the mail system. To reduce the space needed to store users’ mail, you
can set quotas on users’ mail files, restrict users from creating full-text indexes, and implement Domino
shared mail on the server. Domino provides migration tools and message transfer agents to help you
move from a heterogeneous system to a Domino mail server, which combines support for Notes mail
alongside support for Internet mail standards.
659
v Mail performance and monitoring
Domino sends and stores messages in both MIME format and Notes rich text format, and the Notes client
creates and sends messages in either format.
Mail clients retrieve messages from the server using NRPC, IMAP and POP3. In addition, Web clients,
such as the Domino Web Access client, access mail through the Domino HTTP service. The Notes client
sends and retrieves mail using NRPC, or Internet protocols (SMTP, IMAP and POP3).
You can also configure Domino to use SMTP to route mail. SMTP routing can be used instead of, or in
addition to, Notes routing. You can configure a Domino server to use SMTP when transferring mail to
destinations within the local Domino domain only, to external Internet domains, or both.
The format used to store a message depends on the storage preference specified in the user’s Person
document. A mail file can store messages in MIME format only, Notes rich text format only, or in both
formats, accepting messages as is, regardless of format. Administrators should ensure that each user’s
Person document specifies the format preference appropriate to their mail client. For example, because
IMAP clients require messages in MIME format, the Person document of a user who always accesses mail
from an IMAP client should specify MIME as the format preference for incoming mail.
To ensure that users receive messages in the format best suited to their chosen mail clients, Domino
converts messages between formats as needed. The Router may convert a message during transfer
between servers or when delivering the message to a user’s mail file. Conversion during transfer occurs
when a message in Notes format must be sent over SMTP, or when routing a MIME message to a Notes
user that is set to Notes Rich Text in their Person document. For example, The Domino IMAP and POP3
services also convert messages, as when an IMAP or POP3 client needs to retrieve a message stored in
Notes format.
Because Notes routing can transport messages in MIME format, on networks that support both Notes
routing and SMTP, a MIME message may travel over both protocols enroute to its destination.
If a recipient is not listed in the Domino Directory, the client software sends the message in the format
that corresponds to the address type; sending recipients with Internet-style addresses, such as
jane_doe@acme.com, messages in MIME format; and recipients with Notes-style addresses (Jane
Doe/Sales/Acme@Acme), Notes rich text.
When sending messages to multiple recipients, the client software creates the message in both MIME and
Notes rich text formats if necessary. For example, the client software creates a Notes rich text format
message for a recipient who uses a Release 4 Notes client and creates a MIME message for a recipient
who uses a POP3 client.
By combining SMTP, Notes routing, and automatic message conversion, Domino provides flexibility in
setting up your mail infrastructure. For example, you can set up a mail system that is based completely
on Internet standards and use the Router to route MIME messages over SMTP. You can set up a mail
system that is based completely on Notes mail and use the Router to route Notes format messages over
Notes routing. Or you can set up a mail system that uses both SMTP and Notes routing, sends both
MIME and Notes format messages, and uses automatic message conversion to ensure that clients receive
mail in the proper format.
The following table lists some of the required and optional components Domino uses to route mail:
Component
type Name Description
Server tasks
Router task Monitors the MAIL.BOX database for new messages. Responsible for
transferring messages to other servers and delivering messages to local mail
files. Can transfer mail using Notes remote procedure calls (NRPC) as well as
SMTP. Converts message format between Notes rich text and MIME as needed.
Maintains a routing table comprised of information derived from the Domino
Directory and NOTES.INI file.
SMTP task (Optional) Enables the SMTP listener, which lets the server receive messages
sent over SMTP routing.
Server task Listens for incoming messages sent by clients and servers over Notes routing
and for Notes client requests.
Mail databases support full-text indexing, encryption, replication, soft deletions, and archiving.
Administrators can specify properties or policies to limit the use of these features on mail files.
For users who access mail primarily or exclusively from the Notes mail client, you must create User IDs
during registration. A User ID is not required if a user accesses mail only from a mail client other than
the Notes client. For example, although a user who accesses mail from a Domino Web Access, POP3, or
IMAP client must have a Person document and Internet passwords, a User ID is not required. However, a
User ID is required for iNotes Web Access users who wish to work offline or read encrypted mail.
The Router on a user’s home server delivers incoming messages for the user to the mail file. Messages in
a mail file may be stored in either Notes rich text format (also known as Compound Document, or CD
format) or MIME format. The format used depends on settings in the user’s Person document. If a user’s
mail client opens or downloads a message that is stored in a format it cannot read, Domino automatically
converts the message. For example, if an IMAP client opens a message stored in Notes rich text format,
the Domino IMAP service converts the message to MIME before passing it to the client.
In environments where all users access mail from Notes mail clients, you might specify rich text storage.
For users who always access mail from IMAP or POP3 clients, MIME storage eliminates the need to
convert messages before they can be read. If you set a user’s preferred storage format to ″Keep in
sender’s format,″ the Router does not change the format of messages before placing them in the mail file,
so the mail file is likely to contain a mix of rich text and MIME messages.
By default, each user is considered to be the owner of their personal mail file, and as such, is granted
Manager access in the mail file’s Access Control List (ACL). Users with Manager access can delegate
subsidiary access to their mail files to specified, trusted individuals from a Notes client, Domino Web
Access client, or Webmail client. For example, executives in an organization may allow their secretaries to
read and send mail on their behalf.
To allow for mail delivery, the default ACL also grants Manager access to a user’s mail server and other
servers in the local Domino Domain. The ACL provides no access to other users in the mail system.
During registration, the presiding administrator can assume Manager access of a user’s mail file by
resetting the mail file owner access from Manager to Designer. Users require a minimum of Editor access
to their mail files to perform routine mail operations -- creating, sending, replying to, and deleting
messages. Other mail file operations require greater access privileges. For example, users must have at
least Designer access to create a full-text index.
In addition to a user’s primary mail file, users and administrators can replicate mail files to other
locations. Administrators can create server replicas to provide failover. A user can create a local replica on
a workstation or laptop and use it to work off-line.
Notes client users can create mail filtering rules to manage inbound messages. Administrators can use the
Domino Administrator and other standard Notes database tools, such as Compact and Fixup, to perform
a variety of maintenance tasks.
Mail clients
Clients interact with mail files on the Domino server in different ways. All clients can create, send, and
receive mail. Some clients, such as Web browsers, can only interact with mail on the server and cannot
store mail locally. Some clients, such as POP3 clients, can only download mail from the server and work
with it locally. Some clients, such as Lotus Notes, Domino Web Access, and IMAP clients, can download
mail or work with it on the server and can store mail locally. You can use the following types of clients
with the Domino mail server:
v Lotus Notes clients
v IMAP clients, such as Microsoft Outlook Express
v POP3 clients
v Web browsers, such as Mozilla Browser and Microsoft Internet Explorer
v Domino Web Access clients
v Domino Access for Microsoft Outlook clients
Notes clients access the Domino Directory using either Notes protocols or Lightweight Directory Access
Protocol (LDAP). Users can create a local replica of their mail file while maintaining a complete mail file
on a Domino server. Notes users can work off-line and then connect to their server to replicate changes to
documents and send mail.
IMAP clients
Users with IMAP clients can download mail to a local mail file or interact with and manage mail directly
on a Domino server that runs the IMAP service. They use the IMAP protocol to read and manage mail,
use SMTP to send mail, and can use LDAP to access the Domino Directory.
Enable the IMAP service and enable the SMTP listener to let IMAP clients use the Domino server for
mail.
For more information, see the chapter ″Setting Up the IMAP Service.″
POP3 clients
Users with POP3 clients can download mail to a local mail file and interact with it there, as well as leave
a copy of the mail in their file on the Domino server. POP3 clients retrieve mail from a Domino server
that runs the POP3 service, use SMTP to send mail, and can use LDAP to access the Domino Directory.
Enable the POP3 service and enable the SMTP listener so that POP3 clients can use the Domino server for
mail.
From a Web browser, a user accesses mail using either the standard mail template or the Domino Web
Access template (DWA7.NTF). Users whose mail files are based on the standard mail template can
interact with mail on the server but cannot store mail locally.
Users whose mail files are based on the Domino Web Access template and who use Internet Explorer as
their Web browser can use the Domino Web Access mail client. On servers running Domino Off-Line
Services (DOLS), Domino Web Access users can create a local mail file replica and work offline. Changes
made to the offline mail file are replicated to the server the next time the user connects. Users whose mail
files are based on the standard mail template cannot access a local mail file replica from the browser.
Enable the HTTP service for Web clients to use the Domino server for mail.
For more information, on setting up the HTTP service, see the chapter ″Setting Up the Domino Web
Server.″ For more information on supporting Domino Web Access, see the chapter ″Setting Up Domino
Web Access.″
Domino Access for Microsoft Outlook communicates with the server using a Notes MAPI service
provider. Installing Domino Access for Outlook on the client automatically creates and configures a MAPI
profile associated with the user’s Domino server and mail file. Data exchanged between client and server
travels over Notes routing protocols. Users can send and receive Mail using Outlook, as well as create
and update entries in the mail file’s calendar view using calendaring and scheduling tools in the Outlook
client.
Using Domino Access for Microsoft Outlook, users store their Domino data in Outlook’s local .PST file,
which is synchronized with the Domino mail file on the server. Domino Access for Microsoft Outlook can
also be used offline. Any changes to the offline .PST file are replicated to the server and synchronized the
next time the user connects.
For more information about Domino Access for Microsoft Outlook, see the chapter ″Setting up Domino
Web Access.″
Mail security
To provide secure message transfer among clients and servers, the Domino mail server supports name
and password authentication and Secure Sockets Layer (SSL) for SMTP mail routing, IMAP, and POP3
access, and supports Notes encryption when routing mail over Notes routing.
To encrypt and sign messages, Notes clients can use Notes encryption with User ID files and
public-private keys or Internet mail security with X.509 certificates. Internet mail clients can use X.509
certificates.
For more information, see the chapters ″Planning Security,″ ″Setting Up SSL on a Domino Server,″
″Encryption and Electronic Signatures,″ and ″Setting up Clients for S/MIME and SSL.″
If you have some users who use Microsoft Exchange, you need at least one Exchange server running the
Exchange message transfer agent (MTA) to connect your Domino system to the Microsoft Exchange
system.
If you have users in the local Internet domain who are not listed in the Domino Directory, set up a smart
host so the Router can forward messages for users in other local mail systems.
Domino and the Domino Administrator have a number of monitoring features to help you plan, review,
and troubleshoot your Domino system. You can record server statistics, see which tasks are running on
servers, track mail messages, and make changes to multiple databases at once.
For more information, see the chapters ″Setting Up Shared Mail,″ ″Monitoring the Domino System,″ and
″Monitoring Mail.″
When you set up the first Domino server, the setup program creates your Domino domain’s Domino
Directory. Each server in the domain stores a replica of the Domain’s Domino Directory. Domino
replication synchronizes the Domino Directories on each server.
In addition to the Domino Directory, Domino retrieves information from the server’s NOTES.INI file and,
when routing mail over SMTP, from the Domain Name System (DNS), which is maintained separately.
The Domino Directory supports LDAP so that Internet mail clients can use LDAP to query and modify
the directory if they have access to do so.
For more information on LDAP, see the chapter ″Setting Up the LDAP Service.″
Note: Changing routing information in the NOTES.INI file or in the Domino Directory, does not force the
Router to immediately recalculate the routing table.
You can use a TELL command to refresh the routing table without having to restart the Router. The
ability to update the routing table on demand is especially useful when testing new configuration
settings. See the chapter ″Setting Up Mail Routing″ for more information about using the update
configuration TELL command.
How the Router uses the Domino Directory to look up mail recipients
When a user sends mail to a recipient in the local domain, the Router looks up the complete address in
the ($Users) view of the Domino Directory (if you set up Directory Assistance, the Router can also look
up the address in a secondary directory) for the recipient’s Person document, which lists the recipient’s
home server. If the recipient’s home server is the current server, the Router will deliver the message. If it
is a different server, the Router consults the routing table to determine the best route, or least-cost path,
for transferring the message to the destination home server and routes the message along that path..
If the Router cannot find a match for the recipient in the specified directories, it can forward the message
to a ″smart host,″ which is a server that has a directory of users who are in the local domain but who are
not listed in the Domino Directory. For example, if you are migrating users from a UNIX sendmail
system to a Domino mail system but you have not migrated all users yet, you set up a UNIX server as a
smart host that can locate the sendmail users and route mail to them. Enter the name of the smart host in
the Local Internet domain smart host field on the Router/SMTP-Basics tab of the Configuration Settings
document.
For more information setting up routing in the local Internet domain and setting up a smart host, see the
chapter ″Setting Up Mail Routing.″
Documents Description
Server documents Every Domino server requires a Server document. Server documents specify the
following for each server: Notes name; IP address; fully-qualified Internet
hostname; Domino domain; the Notes Named networks it is a member of;
Internet messaging ports and services available, such as the IMAP, POP, and
SMTP ports; the security options for each port.
Configuration Settings Configuration Settings documents provide additional information that determines
documents how servers process incoming and outgoing mail. They define Router settings for
SMTP and Notes routing; set inbound SMTP restrictions; provide MIME
conversion information; configure mail access for IMAP and Domino Web Access
clients.
Connection documents Connection documents define the routing path to servers outside the current
Domino domain or Notes Named Network.
Global Domain documents Global Domain documents identify the Internet domains considered to be
internal to a Domino domain and for which the local domain can accept mail.
Also provides instructions for converting the sender’s Notes mail address to an
SMTP address.
Note: Servers within the same domain may or may not be in the same Notes named network. Servers
that share a Notes named network are always in the same Domino domain.
If the two servers share a Notes named network, the Router immediately routes the message from the
MAIL.BOX file on the sender’s server to the MAIL.BOX file on the recipient’s server. The Router on the
recipient’s server then delivers the message to the recipient’s mail file. Because mail routes automatically
within a Notes named network, you do not need to create any additional connections or documents.
When a Connection document provides the information for routing mail between NNNs, the source and
destination networks can be in different Domino domains. The document contains all of the information
the Router needs to locate the destination network.
Using a ″bridge″ server to connect two networks in the same Domino domain
Two networks in the same domain can communicate with each other in the absence of a Connection
document if any one server is a member of both networks. Servers that reside in multiple networks can
act as a bridge between networks running diverse protocols. For example, if you have one Notes named
network running TCP/IP and another running SPX, you can set up a server that runs both protocols to
be a member of both Notes named networks. This server acts as a bridge between the networks.
When a user in the TCP/IP network sends a message to someone in the SPX network, the Router
transfers the message from MAIL.BOX on the sender’s server to MAIL.BOX on this ″bridge″ server. After
the message reaches a server in the destination Notes named network, the Router on that server transfers
the message to the MAIL.BOX on the recipient’s server. The Router on the recipient’s server delivers the
message to the recipient’s mail file.
If the path between servers involves multiple server ″hops,″ the Router transfers the message to
MAIL.BOX on the next server in the path. Each Router on the path transfers the message to the
MAIL.BOX on the next server in the path.
After the Router finds a connection between the two Notes named networks, it routes the mail to the
next server along the connection path.
For more information about connecting servers in different Notes named networks, see the chapter
″Setting Up Mail Routing.″
After finding the Connection document, the Router routes the message to the server in the sender’s
domain that connects to a server in the recipient’s domain. When the servers connect, the message is
transferred to the other domain, where it routes to the recipient’s server and mail file.
To make it easier to address mail to users in other domains, users can create an entry in their Personal
Address Book to specify the recipient’s complete address -- for example, jdoe@Acme. Alternatively, an
administrator can create an entry in the Domino Directory to specify the recipient’s address in the
Forwarding address field of the recipient’s Person document, or use Directory Assistance or a Directory
Catalog to share Domino Directories across domains.
For information about setting up Directory Assistance and Directory Catalogs, see the chapter, ″Planning
Directory Services″. For information on using LDAP directories, see the chapter, ″Setting up the LDAP
Service.″
Message transfer over SMTP routing is performed as a point-to-point exchange between two servers. The
sending SMTP server contacts the receiving SMTP server directly and establishes a two-way transmission
channel with it. To send a message over SMTP:
The Router task for SMTP is the same Router task that handles Notes routing. When a message in
MAIL.BOX requires transfer to another server, the Router determines where to send it and whether to
send it over Notes routing or SMTP.
By default, SMTP is disabled. To configure Domino to use SMTP to send mail, you must change settings
on the Router/SMTP-Basics tab of the Configuration Settings document. You can configure Domino to
use SMTP when sending mail to destinations:
v Outside the local Internet domain
v Within the local Internet domain
For more information, see the chapter ″Setting Up Mail Routing.″
When the Router picks up a message in MAIL.BOX, it reads the address to determine whether the
recipient is in the local domain. If the recipient is local, the Router looks in the ($Users) view of the
Domino Directory for a Person document containing that address. If SMTP is allowed within the domain
and the message format matches the format specified in this setting, the Router uses TCP/IP to connect
to the destination server, establishes an SMTP connection, and transfers the message.
By default, enabling SMTP within the local Domino domain allows the Router to use SMTP to transfer
mail to any other Domino SMTP host in the same Domino domain. You can restrict the use of SMTP
within the local domain so that SMTP is allowed only for message transfers that take place between
If the receiving server is running the SMTP listener, servers configured to send SMTP within the local
Domino domain always use SMTP to send MIME messages to destinations within the same Notes named
network. For messages in Notes format, the Router sends SMTP only if the server is configured to send
all messages over SMTP.
If a message in MAIL.BOX has a recipient address that contains an @ sign and a domain part (the part of
the address to the right of the @ sign) that does not resolve to the local Domino domain, the Router
identifies the message destination as non-local. A non-local address can be an RFC 821 Internet address
(where the domain part contains a period and is in the form localpart@org.domain) or an address in
another Domino domain (including Foreign domains such as a pager or fax gateway).
To determine whether an Internet address is local, the Router checks whether the domain part of the
address matches any of the local Internet domains defined in the Global Domain document in the
Domino Directory. Local Internet domains include any domains listed in the Local primary Internet
domain and Alternate Internet domain aliases fields in the Global Domain document. If there is no
Global Domain document, the Router compares the domain in the recipient’s address to the server’s host
name. For example, if the message is addressed to jdoe@mailhost3.acme.com and the Router is on the
server mailhub.acme.com, the Router knows that the recipient is in the local Internet domain.
For information on connecting Domino to the Internet, see the topics Preparing to send and receive mail
to the Internet and Routing mail to external Internet domains.
For information on connecting Domino to the Internet, see the chapter ″Setting Up Mail Routing.″
Mail servers also use other DNS records. For example, servers that receive Internet mail perform a
reverse lookup to a DNS PTR record to determine the host name for a given IP address. Reverse lookups
are useful in verifying the source of a message, an important tool for restricting relay access through your
server or preventing unsolicited commercial e-mail (UCE).
You must correctly configure DNS to support your use of SMTP. To determine the IP address of the mail
server for the destination domain, Domino does the following:
1. The server looks up the domain part of each recipient’s address in DNS.
2. If DNS finds an MX record, the server tries to connect to the server listed in that MX record. If there
is more than one MX record, the server tries to connect to the record that has the lowest cost. If more
than one MX record has the lowest cost, the server randomly selects one and tries to connect to the
server listed in that MX record.
Note: There may be more than one MX record for a specific domain name. The host name is looked
up in DNS to find an A record. An A record contains the IP address for the host.
3. If DNS finds only an A record, Domino routes the message to the IP address in that A record.
4. If DNS does not find a record, Domino cannot deliver the message and sends a nondelivery message
to the sender.
An MX record maps a domain name to one or more host names. An A record maps a host name to the IP
address of a server. You may want to use a host name in the MX record instead of just an A record for
the following reasons:
v Some third-party tools recognize only host names, not IP addresses.
v If you replace or relocate a machine, you can assign the existing host name and IP address to the new
or relocated machine. This change is transparent to users, and messages continue to route properly.
You can use DNS to provide failover and load-balancing for your mail servers by creating multiple MX
records for a domain name on the DNS server. When you set more than one MX record for a name, you
can set preference values to control how DNS selects those records. DNS selects lower value preferences
first -- for example, DNS selects 5 before 10. If more than one MX record has the same preference value,
DNS randomly selects from among those MX records. If one of those MX records fails -- for example,
because a server is unavailable -- DNS caches that failure and tries other MX records of equal weight,
followed by less-preferred MX records.
When a server tries to connect to acme.com, the DNS first uses MX records with preferences of 5. If there
are two MX records with preferences of 5, DNS randomly selects between the MX record for
For example, configure a backup SMTP server (mail2.acme.com) to deliver or forward mail when the
primary SMTP server (mail1.acme.com) is unavailable:
1. MX record: acme.com IN MX 5 mail1.acme.com
A record: mail1.acme.com IN A 192.168.10.17
2. MX record: acme.com IN MX 10 mail2.acme.com
A record: mail2.acme.com IN A 192.168.10.18
Messages addressed to acme.com route to mail1.acme.com first because the record’s preference (5) is
lower. If mail1.acme.com is unavailable, mail is routed to mail2.acme.com.
Note: Users can address mail to each domain name and each domain has a backup SMTP server.
1. MX record: acme.com IN MX 5 mail1.acme.com
2. MX record: acme.com IN MX 10 mail2.acme.com
3. MX record: qrs.com IN MX 5 mail1.acme.com
4. MX record: qrs.com IN MX 10 mail2.acme.com
5. MX record: qrs.com IN MX 5 mail1.acme.com
6. MX record: xyz.com IN MX 10 mail2.acme.com
For more information on connecting servers, see the chapter ″Setting Up Server-to-Server Connections.″
677
The Domino mail router
The Domino mail router (the Router) is a special server task responsible for the delivery and transfer of
the messages in MAIL.BOX. Delivery refers to moving messages from MAIL.BOX into a local mail file or
database; while transfer refers to sending messages from MAIL.BOX across the network to another server.
Mail routing on a Domino server begins when a mail server receives a message from a mail client, a
Router on another Domino server, or an application. The message is transferred to a special Notes
database, called MAIL.BOX, on the server. The server temporarily stores all incoming and outgoing mail
in the MAIL.BOX database.
The Router periodically checks MAIL.BOX for new or changed messages. When it finds a message that
requires processing, the Router reads the recipient list and for each recipient determines whether the
destination mail file is on the current server or a different server. The Router then moves the message,
delivering it to local mail files on the server or transferring it to MAIL.BOX databases on other servers as
necessary.
When a recipient’s mail file is not on the local server, but is in the Domino domain, Domino calculates
how to route the message to the recipient’s server and whether to use SMTP or Notes routing (NRPC).
The configuration of the local server and the message format determine how Domino moves the message
to the server. For messages in MIME format, if the local server can send SMTP within the local Internet
domain and the home mail server can receive SMTP, the Router uses SMTP to send the message.
Otherwise the message is routed using NRPC.
When necessary, the Router converts the format of the message. Conversion can occur during message
delivery and during message transfer. For example, if a recipient’s Person document specifies MIME
storage for incoming mail, but the original message was sent in Notes rich text format, the Router
converts the message to MIME before delivering it to the local recipient’s mail file. To determine whether
the receiving server can handle MIME messages, the sending server checks the Server document of the
receiving server to find out what version of Domino it’s running.
To minimize the number of conversions, Domino servers running Release 5 or later support the transfer
of MIME messages over Notes routing. As a result, MIME messages destined for Internet recipients can
route through internal servers ″as is,″ regardless of whether the intermediate servers use Notes routing or
SMTP.
To shut down the Router from the console: Enter this command at the console:
tell router quit
This shuts down the Router. Mail accumulates in MAIL.BOX, since other servers and clients continue to
deposit mail, but the Router does not deliver or transfer the messages.
The Router task starts and begins routing and delivering mail.
To prevent the Router from automatically starting when the server starts:
1. Shut down the server.
2. Edit the NOTES.INI file to remove Router from the ServerTasks setting.
3. Restart the server so that the change takes effect.
When you restart the server, it does not load the Router task.
To restore automatic loading, add Router back to the ServerTasks setting in the NOTES.INI file.
To shut down the Router from the console: Enter this command at the console:
tell router restart
The Router task restarts and begins routing and delivering mail.
By default, at intervals of approximately 5 minutes, or after you restart the task, the Router examines the
Domino Directory for changes that would warrant rebuilding the routing table. In cases where you want
new settings to take effect immediately, but do not want to interrupt the flow of mail by stopping and
restarting the Router, you can use a TELL command to force an update.
To update the server’s routing table: Enter the following command at the server console:
Tell router update config
The Router checks the Server, Server Configuration, Connection, Adjacent and Non-Adjacent domain
documents, and the NOTES.INI file for changes that might effect the routing topology. The Router then
builds a new routing table that incorporates the changes. The Router reprocesses any messages currently
in MAIL.BOX based on the new routing table.
When deciding how to route local mail, keep in mind what types of mail clients you support. For
example, if users have Internet mail clients, such as POP3 or IMAP, you’ll need servers that can receive
mail over SMTP. On the other hand, if most users send mail from the Lotus Notes mail client, you’ll want
to implement Notes routing to ensure support for Notes public key security and features such as Notes
Document links and workflow applications.
For more information about Domino mail clients, see the chapter ″Overview of the Domino Mail System.″
In this example, a single Domino server, Mail2, handles messages from the Acme organization destined
for other Internet domains (external addresses) and receives all mail addressed to the Acme Internet
domain (acme.com). Mail2 has the field ″SMTP used when sending messages outside of the local Internet
domain″ enabled on the Router/SMTP-Basics tab of the Configuration Settings document that applies to
the server, and has the SMTP listener task enabled on the Basics tab of its Server document.
If a user on either of the two Acme internal mail servers, Mail1 or Mail3, sends a message to an external
address -- one with a domain other than acme.com -- the server routes the message to Mail2, which can
route mail to external domains. Any mail from an external Internet domain -- one other than acme.com --
is routed to Mail2, which is listed in the DNS as the Mail Exchanger (MX) host for acme.com. After the
mail reaches Mail2, the server routes it to its destination.
The two internal mail servers, Mail1 and Mail3, can route Internet mail to the server with SMTP enabled
for external mail (Mail2) either via Notes routing, with a Foreign SMTP Domain document and SMTP
Connection document linking to Mail2, or via SMTP routing, with Mail2 configured as the relay host.
In this example, one Domino server, Mail2, routes messages from the Acme organization destined for
other Internet domains (external addresses) and a second Domino server, Mail3, receives mail addressed
to the Acme Internet domain (acme.com). Mail2 has the field ″SMTP used when sending messages
outside of the local Internet domain″ enabled on the Router/SMTP-Basics tab of the Configuration
Settings document that applies to the server. Mail3 has the SMTP listener task enabled on the Basics tab
of its Server document, and has an MX (mail exchanger) record in the external DNS.
If a user on the Acme internal mail server, Mail1, sends a message to an external address -- one with a
domain other than acme.com -- the server routes the message to Mail2, which can route mail to external
domains. Any mail from an external Internet domain -- one other than acme.com -- is routed to Mail3,
which is listed in the DNS as the MX host for acme.com. Once the mail reaches Mail3, the server routes it
to its destination.
The internal mail server, Mail1, can route Internet mail to the server with SMTP enabled for external mail
(Mail2) either via Notes routing, with a Foreign SMTP Domain document and SMTP Connection
document linking to Mail2, or via SMTP routing, with Mail2 configured as the relay host.
In this example, two Domino servers, Mail1 and Mail3, route messages from the Acme organization
destined for other Internet domains (external addresses) and receive mail addressed to the Acme Internet
domain (acme.com). Mail1 and Mail3 have the field ″SMTP used when sending messages outside of the
local Internet domain″ enabled on the Router/SMTP-Basics tab of the Configuration Settings document
that applies to the servers and have the SMTP listener task enabled on the Basics tab of their Server
documents.
If a user on the Acme internal mail server Mail2 sends a message to an external address -- one with a
domain other than acme.com -- the server routes the message to Mail1, which can route mail to external
domains. If a user on the Acme internal mail server Mail4 sends a message to an external address -- one
with a domain other than acme.com -- the server routes the message to Mail3, which can route mail to
external domains. This splits the load of outbound messages -- half route to Mail1 and half route to
Mail3.
Any mail from an external Internet domain -- one other than acme.com -- is routed to either Mail1 or
Mail3. The external DNS has two MX records for the acme.com domain, one for Mail1 and one for Mail3.
When an Internet mail server tries to connect to the acme.com domain to transfer a message, it looks up
acme.com in the DNS. The server finds the MX records for acme.com and, based on the record
preferences of the MX records, returns the IP address of either Mail1 or Mail3. If the MX records have
equal weight, the server randomly selects one of the records and returns the IP address of that record’s
server. Should that server be unavailable, the other MX record is selected and the IP address of the other
server is returned. This provides load balancing through the random selection of the MX records when
record preferences are equal and provides failover since the DNS shifts to another MX record when a
connection fails. Once the mail reaches Mail1 or Mail3, that server routes the message to its destination.
Example of using SMTP to route mail within the local Internet domain
In this example, Acme users send messages in the acme.com domain (internal messages) over SMTP.
Mail1, Mail2, and Mail3 are Domino mail servers with ″SMTP allowed within the local Internet domain″
enabled for ″MIME messages only″ on the Router/SMTP-Basic tab of the Configuration Settings
document that applies to the servers and have the SMTP listener task enabled on the Basics tab of their
Server documents. This allows the servers to send mail to each other over SMTP and to receive mail over
SMTP.
The servers must be in the same Notes named network, based on TCP/IP, to route mail unless each
server has the field ″Servers within the local Domino domain are reachable via SMTP over TCPIP″ set to
Always in the Configuration Settings document that applies to it.
Example of mail routing between a third-party server and Domino in the same
Internet domain
In this example, Acme has three Domino servers and a third-party SMTP host in the local Internet
domain that handles mail for some users. All users have entries in the Domino Directory. When a user
sends mail to another user in the acme.com domain, the Domino server looks up the recipient in the
Domino Directory. If the recipient has a mail file on one of the Domino mail servers -- Mail1, Mail2, or
Mail3 -- the server routes the message to its destination over Notes routing. Notes routing handles both
MIME and Notes format messages. If the recipient has a mail file on the third-party server,
non-Notesserver.acme.com, their Person document has a forwarding address with the domain
″non-Notesserver.acme.com.″ To route mail over SMTP, Mail1 and Mail3 find a Foreign SMTP Domain
document for ″*.non-Notesserver.acme.com″ that corresponds to an SMTP Connection document listing
Mail2 as the server to which to transfer messages. The server sends the message via Notes routing to
If a user on non-Notesserver.acme.com sends a message to a user on Mail1, Mail2, or Mail3, the server
transfers the message over SMTP to Mail2, which has the SMTP listener task enabled on the Basics tab of
its Server document, and Mail2 routes the message to its destination over Notes routing.
If the local Internet domain includes mail systems other than Domino, users who have Internet addresses
ending in yourdomain.com may not have mail files on a Domino server or Person documents in the
Domino Directory. When Domino receives a message for such a user, the Router cannot resolve the
address. To prevent Domino from generating delivery failures, set up the Domino server to forward mail
it receives for unknown local domain users to a local smart host. A smart host is typically a more central
computer that has an authoritative directory of all users in the local domain. When Domino receives mail
it doesn’t know how to deliver, it sends it to the smart host.
In this example, Acme has three Domino servers (Mail1, Mail2, and Mail3) and a third-party SMTP host,
smarthost.acme.com, that houses the directory for users who have non-Domino mail files within the
acme.com domain. Users in the non-Domino system do not have Person documents in the Domino
Directory. The Domino servers have the field ″SMTP allowed within the local Internet domain″ enabled
If a user on one of the Domino mail servers sends a message to a user in the acme.com Internet domain,
and the Router cannot find the recipient in the Domino Directory, the Router forwards that message to
smarthost.acme.com over SMTP.
Example of using all servers to route outbound mail and one to route inbound
mail
In this example, Acme has three mail servers, Mail1, Mail2, and Mail3, each of which can route messages
from the Acme organization destined for other Internet domains (external addresses). All three servers
have the field ″SMTP used when sending messages outside of the local Internet domain″ enabled on the
If a user on one of the mail servers sends a message to an external address -- one with a domain other
than acme.com -- the server looks up the destination domain in the DNS, connects to the destination
server over TCP/IP, establishes an SMTP connection, and transfers the message.
Any mail from an external Internet domain -- one other than acme.com -- is routed to Mail2. The DNS
lists Mail2 as the MX host for acme.com. Once the mail reaches Mail2, the server routes the message to its
destination.
Since each server can send messages directly to external domains, no relay host, Foreign SMTP Domain
documents, or SMTP Connection documents are needed.
You can designate a Configuration Settings document to serve as the default for all servers in the Domino
domain by selecting the field ″Use these settings as the default settings for all servers″ or by entering a
wildcard (*) in the Group or Server field. Using a default Configuration Settings document simplifies
administration and saves time because you can change the settings for the entire Domino domain by
editing a single document.
Each setting applies to every server included in the Configuration Settings document. Therefore, you
need multiple Configuration documents if you need different settings for specific servers. For example, if
your Domino domain includes three geographic locations, you may want a Configuration Settings
document for each location. You can create groups that include all the servers in the specific location and
use the location as the group name.
To specify additional restrictions for a server that is included in a group, create a separate Configuration
Settings document for the specific server. For example, assume you have a Configuration Settings
document for a group of servers or for all servers. The executives in your organization have their own
mail server and require different settings. You will need to create a Configuration Settings document for
the specific server. The document that is most specific (in terms of which servers it applies to) will take
precedence.
Each server checks the Configuration Settings documents in the following order -- a document specific to
the server, then a group document for any group the server is in, and then for the default document. If
there are multiple Configuration documents for groups containing the same server, the results are
undefined. For example, if ServerA has a Configuration Settings document and is also listed in a Group
For more information about creating groups, see the chapter ″Setting Up and Managing Notes Users.″
Note: Use fully qualified host names in fields on the Configuration Settings document instead of IP
addresses. While IP addresses will work and are fully supported, using host names ensures that you
won’t need to change a server entry in the event that a subnet change requires a change to the server’s IP
address. You can change the server’s record once in the Domain Name Service (DNS) rather than having
to search through the Domino Directory to find every instance where the server is referenced.
Field Enter
Use these settings as the default Select the Yes checkbox to have this document serve as the default
settings for all servers Configuration Settings document for all Domino servers in the Domino
domain. If you create additional Configuration Settings documents in the
Domino Directory for specific servers or groups of servers, settings in those
documents override equivalent settings in the default document.
Group or server name Enter the name of the individual server or server group to which this
Configuration Settings document applies.
For information about configuring Notes routing to support messaging across multiple Notes named
networks and domains, see the topic ″Setting up Notes routing″ later in this chapter.
To use SMTP routing to transfer local mail, you must enable the SMTP listener for receiving mail and
enable servers to send SMTP within the local Domino domain. In addition, the Server document for each
SMTP-enabled server must specify a valid, fully qualified Internet host name for the server. In most cases
the host name field is populated during server setup or by the Admin process (AdminP).
For information about setting up internal SMTP routing, see the topic ″Setting up SMTP routing within
the local Internet domain″ later in this chapter.
For information about setting up a smart host, see the topic ″Setting up a smart host″ later in this chapter.
A Domino SMTP server in your organization may receive Internet mail for recipients in Domino domains
that are within the local Internet domain, but outside the local Domino domain, and thus not listed in the
Domino Directory. To ensure that the server can access other Domino Directories and route messages to
servers in other Domino domains, configure Directory Assistance on the server.
To set up routing between servers that are not in the same Notes named network, you must create
documents in the Domino Directory to specify how to route mail within the Notes mail system, as
follows:
1. Create Connection documents to enable message transfer between servers in different Notes named
networks. A Connection document specifies how and when two servers connect to exchange mail and
update common databases through replication. To route mail between servers in different Notes
named networks requires a pair of Connection document, one from each server to the other.
2. Depending on your messaging system topology, create these documents, as necessary:
v Non-adjacent domain documents.
v Adjacent domain documents.
v Foreign domain documents.
v Foreign SMTP domain documents.
v SMTP Connection documents.
In addition, the number of Connection documents you need to create depends on how you want to route
mail -- that is, whether you want to route mail both to and from a server, only to a server, or only from a
server. Since, in most cases, you’ll want to route mail in both directions, you generally need to create two
Connection documents for each connection.
This table describes the typical types of connections and the documents required to set them up.
Two Non-adjacent domain documents, one in each Domino domain that are not
adjacent, to provide restrictions and simplify addressing across the intermediary
domain between the first and third domains.
To a gateway for a foreign One Foreign domain document to identify the foreign domain for non-mail
domain messaging systems, such as fax or pager systems.
To an SMTP-enabled server One Foreign SMTP domain document to identify the destination for messages being
(for example, a server that can sent to the Internet.
send mail to the Internet)
One SMTP connection document to specify the SMTP-enabled server.
Note: When you create a Connection document, Notes routing is enabled by default.
For complete information on creating Connection documents, see the chapter ″Setting up Server-to-Server
Connections.″
But suppose you want to allow mail from A, but deny mail from domain Z, which uses A and B as
intermediate domains to reach C. If the administrator in domain B removes domain A from the deny list
of the Adjacent domain document for domain C, and adds domain Z, domain Z is allowed to route mail
to C. This is because once the message arrives in domain B the domain of origin appears to be A, rather
than Z. In the absence of restrictions on transferring mail from A to C, Domino allows the message to
route.
You also use Adjacent domain documents to allow Free Time searches across domains. For more
information, see the chapter ″Setting up Calendars and Scheduling.″
Note: Restrictions set in an Adjacent domain document work in conjunction with those in the
Configuration Settings document. Domino always defaults to the most restrictive entry.
Using Adjacent domain documents to restrict mail: By default, a domain that can route mail to your
domain can also route mail through your domain to another adjacent domain. When mail routes from
one domain to another through your domain, it ties up your resources. To prevent your servers from
being used to transfer mail between other domains, you can selectively allow and deny mail routing
through your domain to the domain named in the Adjacent domain document.
The Allow and Deny fields on the Restrictions tab of the Adjacent domain document let you control the
flow of messages from other domains to the adjacent domain. Entries in these fields must be the names
of adjacent domains; the Router ignores entries for non-adjacent domains beyond the previous hop. If
you deny a domain from sending mail through your domain, the Router denies all mail received from
that domain, including messages the domain may have passed on from another, non-adjacent domain.
There is no way to restrict specific users from routing to a Notes domain. Restrictions apply to all users
in specified domain.
The settings in the Allow and Deny fields work in conjunction with the Allow and Deny fields on the
Router/SMTP - Restrictions and Controls - Restrictions tab of the Configuration Settings document. In the
event of any conflict between settings, Domino applies the most restrictive entry.
Messages may be further restricted by Adjacent Domain documents, Non-adjacent Domain documents,
and Configuration Settings documents set up between domains along the routing path.
Field Enter
Domain type Choose Adjacent domain
Adjacent domain name The name of the adjacent Domino domain. The current domain must have a Connection
document to this domain.
Domain description Optional description of the domain
5. To restrict other domains from routing mail through the current domain to the adjacent domain, click
the Restrictions tab, complete the following fields, and then click Save and Close:
Field Enter
Allow mail only from Enter the names of adjacent Domino domains that are allowed to route mail to this
domains adjacent domain.
To allow any domain to route mail through the local domain to this adjacent domain,
leave this field blank.
Deny mail from domains Enter the names of adjacent Domino domains that are not allowed to route mail to this
adjacent domain.
To allow any domain to route mail through the local domain to this adjacent domain
leave this field blank.
Note: You cannot use wildcards in the Restrictions fields. You must enter explicit domain names.
Because there is no direct connection between two non-adjacent domains, you cannot define the routing
path between them in a Connection document. Connection documents can only be used between two
directly-connected, adjacent domains. However, users in non-adjacent domains can send mail to each
other by routing it through the intermediary domain.
One way to do this is to use explicit addressing -- telling the Router how to reach the destination domain
through the intermediary domain by placing the entire routing path in the address field. For example, if
Kathy Burke in domain A wants to send a message to Robin Rutherford in the non-adjacent domain C,
she addresses the message by way of domain B, as follows:
Robin Rutherford@C@B
In processing the message, the Router on the domain A mail server looks only at the last part of the
address, and uses the Connection document to determine the route to domain B. The domain B server
then uses the Connection document in its Domino Directory to transfer the message to domain C.
Although the use of explicit addressing is an effective method for directing mail to non-adjacent domains,
because it relies on a complete knowledge of the inter-domain routing topology, it’s also not a very
practical solution. This information is not readily available to a typical user. To simplify routing and
addressing to non-adjacent domains, you can create a Non-adjacent domain document in the Domino
Directory to define the path between the non-adjacent domains.
Using a Non-adjacent domain document: Administrators can create a Non-adjacent domain document
to control message routing to a non-adjacent domain. A Non-adjacent Domain documents serves three
functions:
v Specifies a routing path to the non-adjacent domain by supplying next-hop domain information
694 Lotus Domino Administrator 7 Help
v Restricts mail from other domains from routing to the non-adjacent domain
v Defines the Calendar server used to enable free time lookups between two non-adjacent domains.
For more information on how to enable free time lookups between non-adjacent domains, see the
chapter ″Setting up Calendars and Scheduling.″
Non-adjacent domain documents are only required to specify routing restrictions to a non-adjacent
domain. However, to simplify addressing on messages destined for a non-adjacent domain, it’s useful to
have a Non-adjacent domain document for that domain. Without a Non-adjacent domain document in
the Directory, the Router has no defined routing path to the non-adjacent domain. The Router can
transfer a message to the non-adjacent domain if the recipient address uses explicit path routing
(User@AdjacentDomain@NonAdjacentDomain), but cannot transfer a message with a simple domain
address (User@NonAdjacentDomain). When explicit addressing is used the Router uses the Connection
documents between domains to calculate the path to the next-hop domain.
But when a Non-adjacent domain document is available, the Router obtains intermediary domain
information from that document. This eliminates the need for users sending mail to a non-adjacent
domain to use complex, explicit addressing. Thus, if domain A has a Non-adjacent domain document for
domain C, when Kathy Burke in domain A sends mail to Robin Rutherford in domain C, she uses the
address Robin Rutherford@C (rather than Robin Rutherford@C@B). Because the Router finds the
intermediate domain information in the Non-adjacent domain document, the message is transferred
successfully to domain C by way of domain B.
Using Non-Adjacent domain documents to restrict mail: Using Non-adjacent domain documents to
simplify addressing makes them valuable enough. But Non-adjacent domain documents play another
equally significant role. Although they are not strictly required to enable routing between non-adjacent
domains, they are needed if you want to restrict routing of messages from certain domains.
By default, any domains that can route mail to your domain can also route mail to the destination
domains named in a Non-adjacent domain document. Mail routed from one domain to another through
your domain consumes your network resources. To prevent your servers from being used to transfer mail
between other domains, you can selectively allow and deny mail routing through your domain.
The Allow and Deny fields on the Restrictions tab of the Non-adjacent domain document let you control
the flow of messages from other domains to the non-adjacent domain. Entries in these fields must be the
names of adjacent domains; the Router ignores entries for non-adjacent domains beyond the previous
hop. If you deny a domain from sending mail through your domain, the Router denies all mail received
from that domain, including messages the domain may have passed on from another, non-adjacent
domain.
The ″Deny mail from domains field″ in a Non-adjacent domain document does not block messages that
use explicit domain addressing, that is, addresses that explicitly name every domain on the routing path.
A Non-adjacent domain document can only block mail that relies on information in the Non-adjacent
domain document to supply the name of a a missing intermediate domain. If the entire routing path is
contained in the recipient address, the Router doesn’t need to check the document to determine where to
route the message, and thus cannot block it. For example, if in the previous example, the administrator in
domain B creates a a Non-adjacent domain document for domain D and adds domain A to the Deny mail
from domains field. Kathy Burke in domain A can still send mail to Judy Kaplan in domain D by
specifying the following explicit domain address: Judy Kaplan@D@C@B.
To prevent Kathy Burke from sending this message, the administrator in Domain B would have to create
an Adjacent domain document for domain C that names domain A in the Deny mail from domains field.
The settings in the Allow and Deny fields work in conjunction with the Allow and Deny fields on the
Router/SMTP - Restrictions and Controls - Restrictions tab of the Configuration Settings document. In the
event of any conflict between settings, Domino applies the most restrictive entry.
Field Enter
Domain type Choose Non-adjacent domain
Mail sent to domain The name of the non-adjacent Domino domain you want to route mail to.
Route through domain The name of the intermediary Domino domain through which you want to route mail
for the destination domain. The current domain must have a Connection document to
this domain.
Also, the Domino Directory in the intermediary domain must have a Connection
document to the destination domain.
Domain description An optional description of the domain
5. Click the Restrictions tab, complete one or both of these fields, and then save the document:
Field Enter
Allow mail only from Enter the names of Domino domains adjacent to the current domain that are allowed to
domains route mail to this non-adjacent domain.
Leave this field blank to allow any domain to route mail through the local domain to
the non-adjacent domain.
Deny mail from domains Enter the names of Domino domains adjacent to the current domain that are not
allowed to route mail to this non-adjacent domain.
Leave this field blank to allow any domain to route mail through the local domain to
the non-adjacent domain.
Note: You cannot use wildcards in the Restrictions fields. You must enter explicit domain names.
6. Create a Connection document to specify how servers in the current domain connect to the
intermediary adjacent domain.
Note: Since, by definition, all servers in a domain use the same Domino Directory, only one Non-adjacent
domain document is required for each non-adjacent domain. You do not have to create a separate
document for each server.
Creating a Foreign domain document: A Foreign domain document defines the path between a Domino
domain and an external application, such as a fax or pager gateway. A Foreign domain document
identifies the Domino server that acts as the gateway to the external application.
Although Foreign domains are mostly used for third party applications, you can also use them to transfer
messages between a Release 5.0 or later server and a Release 3.x SMTP server.
Field Enter
Domain type Choose Foreign domain.
Foreign Domain Name The domain name of the foreign mail system. This name was chosen when the
MTA or gateway was installed.
Domain description An optional description of the gateway or MTA.
Field Enter
Allow mail only from domains The names of Domino domains that are allowed to route messages to this foreign
domain. Leave this field blank to allow any domain to route mail through the
local domain to the foreign domain.
Deny mail from domains The names of Domino domains that are not allowed to route messages to this
foreign domain. Leave this field blank to allow any domain to route mail through
the local domain to the foreign domain.
6. Click the Mail Information tab and complete these fields, and then save the document:
Field Enter
Gateway server name The name of the Domino server running the gateway software.
Gateway mail filename The gateway’s mail file name. See the documentation that came with the gateway
for the proper file name.
7. Create a Connection document to specify how servers in the current domain connect to the foreign
domain.
The Domino SMTP servers you use for inbound and outbound Internet mail can connect to the Internet
either directly or through an SMTP relay host or firewall. Routing between the Domino Internet mail
server and internal mail servers can be over either SMTP or Notes routing. It’s not necessary to enable
SMTP routing on your internal servers.
Using a single server to route mail to external Internet domains: In this configuration, a single
designated mail server connects to the Internet. All other internal mail servers route messages addressed
to recipients in external Internet domains to this server. If you use SMTP for internal mail routing, you
can configure all of your internal servers to use the server that is connected to the Internet as a relay
host. In the Configuration Settings documents that apply to any mail servers that do not connect directly
To set this up using Notes protocols, create a Foreign SMTP Domain document and an SMTP Connection
document. When the Router on a server not connected directly to the Internet finds a message addressed
to a recipient in an external Internet domain, the Router forwards the message to the domain in the
Foreign SMTP Domain document, which is connected to the server with an Internet connection by the
SMTP Connection document. When that server receives the message, its Router connects to the external
Internet domain and routes the message.
Using multiple servers to route mail to external Internet domains: In this configuration, a few
designated mail servers connect to the Internet. Other mail servers route messages addressed to recipients
in external Internet domains to these servers. To set this up using SMTP, configure the servers that are
connected to the Internet as relay hosts -- for example, create a DNS name, such as outbound.acme.com,
that maps to multiple MX records. Each MX record lists one of the connected servers. Enter the DNS
name in the ″Relay host for messages leaving the local Internet domain″ field in the Configuration
Settings document that applies to all servers that do not connect directly to the Internet. When the Router on
those servers finds a message addressed to a recipient in an external Internet domain, it forwards the
message to one of the servers that are listed in DNS and correspond to that name.
To set this up using Notes protocols, create Foreign SMTP Domain and SMTP Connection documents.
When the Router on a server not connected directly to the Internet finds a message addressed to a
recipient in an external Internet domain, the Router forwards the message to the domain in the Foreign
SMTP Domain document, which is connected to one of the servers with an Internet connection by the
SMTP Connection document. When that server receives the message, its Router connects to the external
Internet domain and routes the message.
Enabling all mail servers to route mail to external Internet domains: In this configuration, every mail
server connects to the Internet and runs the TCP/IP network protocol. Each server has the setting ″SMTP
used when sending messages outside of the local Internet domain″ enabled in its Configuration Settings
Document. When a user sends a message to a recipient in an external Internet domain, the Router looks
up the domain in the Domain Name Service (DNS) and uses SMTP to connect to the receiving server in
that domain. The Router transfers the message and closes the connection.
Routing SMTP mail over dialup connections: Your organization may connect to the Internet and
external Internet domains through a dialup connection -- for example, to an Internet Service Provider
(ISP). To set up a dialup connection in your Domino mail system:
v For Notes routing, create a Notes Direct Dialup Connection document
v For SMTP routing, create a Network Dialup Connection document that specifies TCP/IP as the
network protocol
After you create the appropriate Connection document, specify how Domino exchanges messages over
that connection.
For more information on creating Connection documents for dialup connections, see the chapter ″Setting
up Server-to-Server Connections.″ For information on setting up mail routing over a dialup connection,
see the topic ″Routing mail over transient connections″ later in this chapter.
Routing Internet mail through a relay host: A relay host is an SMTP server that receives mail from
other servers and then transfers, or relays, it to the next SMTP server on the route to the recipient’s
domain. A relay host can be a Domino SMTP server, or a non-Domino SMTP host -- for example, you
might relay mail to an SMTP server hosted by your ISP, or through a firewall server. If only a small
number of servers on the network have direct connections to the Internet, set these servers up as relay
hosts to which other internal servers forward messages for recipients in external Internet domains. You
For more information on setting up relay hosts, see the topic ″Configuring Domino to send mail to a
relay host or firewall″ later in this chapter.
To define a route between your internal servers and the SMTP gateway server, create:
v One or more Foreign SMTP domain documents that define the next domain for sending SMTP mail
addressed to a given set of destination addresses
v SMTP Connection documents specifying the server that processes outbound SMTP mail for each
Foreign SMTP domain document
The gateway server receives outbound mail from internal servers over Notes routing and then transfers it
to the Internet over SMTP. The gateway server can connect to the Internet directly or through an SMTP
relay host or firewall that connects to the Internet.
The Foreign SMTP domain document: A Foreign SMTP domain document provides servers that don’t
use SMTP routing and which do not have access to DNS with the next hop information required to route
Internet mail. You can also use Foreign SMTP domain documents with servers that route mail over SMTP
to configure different routing paths for mail sent to different destinations.
A Foreign SMTP Domain document provides servers in a Domino domain with information on where to
transfer mail destined for external SMTP addresses. The Foreign SMTP domain document specifies the
name of the next hop domain to which messages addressed to a specific Internet domain or domain
pattern are sent. For example, a Foreign SMTP Domain document might specify that the next hop for
messages addressed to the domain company.com should be the domain TheInternet.
The next hop domain can either be an actual Domino domain -- that is, a group of servers sharing a
Domino Directory -- or a ″virtual″ domain. Use the name of an existing Domino domain if you can create
a Connection document to it and it already has SMTP servers connected to the Internet. If the network
does not currently have a Domino domain that routes outbound Internet mail, use a virtual, or logical,
domain name. The name must not correspond to the name of any servers or domains in the Domino
Directory. Domino uses the virtual domain name to link this SMTP domain document with an SMTP
Connection document, which, in turn, specifies the name of an SMTP-enabled server that can process
outbound mail, for example, a firewall server that can route outbound Internet mail.
Configuring different relay hosts for different destination domains: To explicitly control message
routing, you can set up multiple Foreign SMTP domain documents, splitting outbound mail traffic so that
messages destined for one Internet domain route through one Domino host and those destined for others
go to a different host.
For example, you can configure one Foreign SMTP Domain document to route all mail addressed to
domains ending in lotus.com; a second can route all mail addressed to domains ending in ibm.com; and
a third can process mail addressed to all other Internet domains (*.*). For each of the three configured
Foreign SMTP domains, you must create an SMTP Connection document that describes how to transfer
the messages routed to that domain.
Note: If you use a wildcard when specifying which messages to route to a domain, you can still restrict
messages destined for specific Internet domains using the SMTP Outbound Controls in the Configuration
Settings document.
After the Router determines which Foreign SMTP Domain document most closely matches the address of
the message, it forwards the message to the specified next domain. If the domain is a real Domino
domain, the Router looks in the Domino Directory for a connection to that domain and routes the
message. If the domain is a logical domain, the Router checks for an SMTP Connection document that
describes the next hop for mail routed to that domain.
Field Enter
Domain type Foreign SMTP Domain
5. Click the Routing tab, complete these fields, and then click Save & Close:
Field Enter
Messages Addressed to -- The name of the Internet domain to which this document applies, for example,
Internet Domain company.com, or a wildcard (*.*) to indicate all Internet domains.
Should be Routed to -- A fictitious, logical domain name -- for example, TheInternet -- to which messages that
Domain name match the pattern in the Internet Domain field will be routed. The name you specify
serves as a placeholder; Domino uses the name to pair the Foreign SMTP Domain
document with the connection document you create in the next step.
6. Create an SMTP Connection document to associate the Foreign SMTP Domain document with an
SMTP server that can send outbound mail to the Internet.
SMTP Connection documents link the virtual foreign SMTP domain specified in a Foreign SMTP Domain
document, to a Domino SMTP server. For example, an SMTP Connection document might link the virtual
domain TheInternet to the firewall server that routes mail to the Internet. In the SMTP Connection
document, you specify the source server (the server that can connect directly to the Internet and route
SMTP mail), the destination domain (which must match the Internet domain in the Foreign SMTP
Domain document), and the method to use when connecting to the source server (direct or dialup). An
SMTP Connection document lets Internet messages travel from a Domino domain to a server that is
enabled to use SMTP to route outbound Internet mail.
When the Router receives a message for a recipient outside the local Internet domain, it forwards the
message to the domain specified in the Foreign SMTP Domain document. After the message reaches a
Domino server that can connect to the Internet, that server establishes a connection with a server in the
destination domain and routes the message.
Field Enter
Connection type SMTP
Source server The name of the SMTP-enabled server where non-SMTP servers send mail destined for the
Internet domains specified in the Foreign SMTP domain document. This server must have
access to DNS and have SMTP enabled for sending messages outside the local Internet
domain.
Connect via Choose one:
v Direct connection - For servers that communicate over LAN connections
v Dial-up connection - For servers that communicate over transient connections, such as
phone lines. If you select this option, Domino displays the field ″Dial using connection
record.″
Dial using connection Specifies the Network Dialup Connection document containing the dialup settings for
record connecting to the SMTP server specified in the Source server field. This field appears only
if you selected ″Dial-up connection″ in the preceding field.
Click ″Choose record,″ to select a Network Dialup Connection document (remote LAN
service connection record) from the list of previously created Network Dialup Connection
documents.
Destination server A unique, fictitious, placeholder name -- such as, all_internal_hosts. Domino does not use
the value in this field, but the Connection document will not work if the field is empty.
The name you specify must not match the name of any server on the network.
Destination domain The fictitious, logical domain name specified in the Internet Domain name field of the
corresponding Foreign SMTP domain document. The name in this field links this SMTP
connection document with the Foreign SMTP Domain document.
SMTP MTA relay host Specifies the SMTP host to which the source server transfers outbound mail. This allows a
SMTP server to further split Internet destinations and configure multiple relays.
If this field is blank, the Router transfers outbound mail to the relay host specified in the
server’s Configuration Settings document.
If there is no relay host specified in either this field or in the Configuration Settings
document, the Router determines the next hop by looking up the destination domain in
the DNS or a local hosts file, depending on the value of ″Host name resolution″ field on
the Router/SMTP- Basics tab of the Configuration Settings document.
For information on configuring how the Router resolves host names, see the topic ″Specifying how
Domino looks up SMTP hosts when sending outbound mail″ later in this chapter.
4. On the Replication/Routing tab, complete these fields:
Field Enter
Replication task Disabled
Routing task Choose Mail Routing. Because the same routing task is responsible for transferring
messages over NRPC and SMTP, there’s no need to specify SMTP routing. The source
server must have SMTP routing enabled in its Server document; otherwise, the Router
discards the information in the SMTP Connection document.
Route at once if The number of pending messages that will force routing. Default is 5.
For example, to support POP3 and IMAP clients, which use SMTP to send mail, you must have at least
one internal server running the SMTP Listener task. However, the server does not have to use SMTP
when transferring messages it receives over SMTP to the next hop on the routing path. After the server
has accepted a message over SMTP, it can use Notes routing to transfer the message to other servers.
By default, Domino uses Notes routing only and is not configured for SMTP routing. To have Domino
use SMTP to send and receive mail, do the following:
v Prepare your system for sending messages to the Internet by testing your Internet connection and
verifying that DNS is set up properly.
v Enable the SMTP Listener task in the Server document of each server you want to receive mail over
SMTP
v Enable SMTP routing within the local Internet domain so that servers can send mail over SMTP within
the local Internet domain.
v Enable SMTP to be used to send messages outside the local Internet domain.
v Specify the relay host, if any, to be used when sending mail outside the local Internet domain.
Configure a relay host for SMTP servers that do not have direct access to the Internet.
v Set up inbound and outbound mail restrictions to protect against misuse of the mail infrastructure.
v To allow POP3 or IMAP users who connect to Domino from an external network to send mail to
external Internet domains, specify exceptions to inbound relay enforcement for authenticated users.
If you intend to allow users to access mail from POP3 or IMAP mail clients, you must install and enable
these access protocols on users’ mail servers. By default, Domino supports only Notes client access.
For information about using POP3 mail, refer to the chapter ″Setting Up the POP3 Service.″ For
information about using IMAP mail, see the chapter ″Setting Up the IMAP Service.″
Field Enter
SMTP used when sending messages Choose one:
outside the local Internet domain v Enabled to use SMTP to route mail to the Internet
v Disabled (default) to prevent the server from routing mail outside the
local Internet domain
7. The change takes effect after the next Router configuration update. To put the new setting into effect
immediately, reload the routing configuration.
You can enable SMTP routing on every server or only on servers that route to destinations outside of the
Notes named network. For example, you may not have a direct IP connection between all the servers in
one TCP/IP Notes named network and all the servers in another. You may still require that all messages
moving from one Notes named network to another be routed through hub servers.
Field Enter
SMTP allowed within the Choose one:
local Internet domain v MIME messages only -- The Router uses SMTP to transfer MIME messages to other
Domino servers that are within the same Domino domain and that run the SMTP
Listener.
v Disabled (default) -- The Router uses Notes routing to transfer mail to other servers
in the same Domino domain.
v All messages -- The Router uses SMTP to transfer both Notes format and MIME
format messages to other Domino servers that are within the same Domino domain
and that run the SMTP Listener. This will cause Notes format messages to be
converted to MIME format before being transferred. This may cause loss of fidelity
and performance. For example, Notes Doclinks will not work.
Note: You can limit the use of SMTP to transfer mail within the Domino domain by
setting the next field (″Servers within the local Domino domain are reachable via
SMTP over TCPIP″) to only allow SMTP within the same Notes named network.
7. The change takes effect after the next Router configuration update. To put the new setting into effect
immediately, reload the routing configuration.
Enabling the SMTP listener causes the server SMTP task to start up automatically every time the server
starts. Disabling the SMTP listener prevents the SMTP task from starting up when the server starts.
Note: Do not add SMTP as a task to the task list in the NOTES.INI file or this feature will not work.
Field Enter
Fully qualified Internet The server’s complete combined host name and domain name, including the top-level
host name domain. For example, smtp.acme.com; smtp is the host name; acme is the second-level
domain; and .com is the top level domain.
In the absence of a Global Domain document, the Router uses the entry in this field to
determine the local Internet domain. Typically, the fully qualified host name is added to
the Server document during server setup or by the Administration process (AdminP). A
routing loop can result if this field does not contain a valid entry.
SMTP listener task Choose one:
v Enabled to turn on the Listener so that the server can receive messages routed via
SMTP routing
v Disabled (default) to prevent the server from receiving messages routed via SMTP
routing
For more information about creating a Person document for a user, see the chapter ″Setting Up and
Managing Notes Users.″
By default, the Router supports use of the ″Send copy to″ rule action, which lets Notes users create mail
rules to automatically forward copies of messages delivered to their mail files to another address, such as
a forwarding address.
For information on disabling automatic message forwarding, see the chapter ″Customizing the Domino
Mail System.″
Typically, a smart host is used in organizations that employ multiple mail systems within a single
Internet domain. Users on these systems may not be in the Domino Directory. For example, if some users
are on a UNIX sendmail system but their inbound messages are routed through the Domino mail system,
you can set up a smart host to ensure proper address resolution.
After you set up a smart host, when Domino receives a message, if the domain part of the recipient’s
address matches the local Internet domain or one of the alternate Internet domain aliases defined in the
Global Domain document, the Router looks up the address against all configured directories. If the
address is not found, the Router then uses SMTP to forward the message to the configured smart host.
Domino sends all messages addressed to unknown recipients in the local Internet domain to the
configured smart host. You cannot configure Domino to send to the smart host only messages addressed
to recipients in some subset of the internal domains and domain aliases defined in the Global domain
document.
Note: Domino does not send messages addressed to unknown Notes addresses to the smart host.
You must have DNS set up correctly to use a smart host. For more information about DNS, see the
chapter ″Overview of the Domino Mail System.″
Field Enter
Local Internet domain The host name for the server that hosts the directory for SMTP recipients who are not in
smart host the local Domino Directory. To provide a level of failover and load-balancing, specify a
host name that maps to an existing MX record. You can also specify IP address.
Note: If this field contains a host name entry and the field ″Verify that local domain
recipients exist in the Domino Directory″ is enabled, messages addressed to local
recipients that can not be resolved are not accepted; therefore, there is no transfer of
messages to the smart host.
Smart host is used for all Choose one:
local Internet domain v Enabled to route all incoming SMTP messages to the smart host for lookup before
recipients routing elsewhere.
v Disabled (default) to route only messages whose recipients are not found in the
Domino Directory to the smart host for lookup.
Note: If this field is set to Enabled, and the field ″Verify that local domain recipients
exist in the Domino Directory″ is enabled, messages are received only for recipients
whose names can be resolved in the Domino Directory. If this field is set to Enabled, and
messages are accepted, all of these messages for local recipients are forwarded to the
smart host.
7. The change takes effect after the next Router configuration update. To put the new setting into effect
immediately, reload the routing configuration.
In addition to having a primary Internet domain, some organizations use alternate Internet domain
names. If your organization uses more than one Internet domain name, you’ll want Domino to consider
other domain suffixes as local. Using multiple Internet domain names typically results when:
v An organization changes names
v An organization acquires or merges with another company that already has an existing Internet
domain name, and users continue to use the other Internet domain in their addresses
v You set up a mail topology to route messages addressed to other subsidiaries through your firewall
before routing the messages to the Internet or another private network
v You set up a mail topology specifically to include more than one Internet domain name
If for any of the preceding reasons people in your organization have addresses in an Internet domain
other than the primary domain, create a Global Domain document. A Global Domain document identifies
the Internet domains that are considered to be internal to a Domino domain and for which the local
domain can accept mail. By default, the Domino Directory does not contain a Global domain document.
Within the Global Domain document, you specify one primary Internet domain name and multiple
secondary domains. Secondary domains are listed as alternate Internet domain aliases.
You must ensure that the DNS is set up to include all the Internet domain names that your company
uses.
Field Enter
Domain type Choose Global Domain
Global domain name (Optional) A word or phrase that describes the domain. Never use the
name of an existing domain for your Global Domain
Global domain role Choose one:
v R5 Internet Domain - For Domino Release 5 and greater SMTP servers.
v R4.x SMTP MTA - For Domino servers that use the SMTP MTA to send
Internet mail.
Field Enter
Domino domains and aliases The Domino domain name and aliases. Domino uses the
domain name and aliases when accepting mail from the
alternate domains listed in the Global Domain document.
5. Click the Conversions tab, complete these fields, and then save the document:
Field Enter
Local primary Internet The primary Internet domain name that your company uses to represent themselves to the
domain outside world -- for example, another.com.
Alternate Internet Additional Internet domain names that your company uses -- for example,
domain aliases still.another.com, yet.another.com, have.another.com, and so on.
Use the asterisk (*) as a wildcard to represent the names of subdomains. Wildcard use is
valid only if the wildcard character appears as the first character of a given entry and
represents an entire subdomain name, for example: the entry *.another.com indicates that
Domino treats any subdomain of ″another.com″ as a local domain.
Entries that use wildcards in any other way are considered invalid, including:
v Using a wildcard in any position other than as a leading character in the entry. For
example, the entries another.*, and still.*.com are not valid.
v Using a wildcard on its own to represent an entire domain suffix. For example, the
entry * is not valid.
v Using a wildcard to represent a portion of a name only. For example, the entries
*other.com and *ill.another.com are not valid.
These fields represent the only ones you must complete if you are using the Global Domain document
solely for the purpose of defining the internal Internet domains in an organization running Domino
Release 5 and greater.
6. Restart the server to put the changes into effect. The server reloads information in the Global Domain
document into memory only after a restart.
For more information about DNS, see the chapter ″Overview of the Domino Mail System.″
If a Domino server uses ETRN to pull mail for multiple Internet domains from another mail host, you
can set up the Connection document to that host to request mail for alternate Internet domains.
Note: To display the hidden $Users view: Open the directory, press CTRL-SHIFT and select View-Go To.
In the Go To dialog box, select the view ($Users) and click OK.
Inbound recipient lookups are controlled by the Address lookup setting on the Router/SMTP - Basics tab
of the Configuration Settings document. This setting determines the criteria that the Router uses when
attempting to match the SMTP address on an incoming message to an entry in the $Users view. The
Router matches addresses based on:
v The full SMTP address only -- for example, Genevieve_Martin@acme.com
v The local part of the SMTP address (that is, the part to the left of the @ sign) only -- for example,
Genevieve_Martin
v The full SMTP address, and then if no match is found, the local part address
When using full name matching, the Router searches the Domino Directory for an exact match of the
entire SMTP address (for example, First_Last@Acme.com). If an exact match is not found, the Router
performs a secondary search if the domain suffix of the incoming address is listed in the Global domain
document as an Internet domain alias. For this secondary search, the Router replaces the given domain
suffix with the domain suffix designated in the Global domain document as the Primary domain name.
To prevent the Router from using domain aliases when looking up addresses, do not include alternate
Internet domain aliases in a Global domain document. Instead, create multiple Global Domain
documents, each specifying a different primary Internet domain.
Restricting the Router to matching addresses on the full Internet address only ensures that each user’s
Internet address complies with a standard format. Users cannot receive inbound mail addressed to their
short names, soundex names, or other name variations that exist in the $Users view. When configuring
the Router to look up users’ full Internet addresses only, complete the Internet address field in all Person
documents, and Mail-in database documents for mail-in databases that receive mail over SMTP.
Field Enter
Address lookup Specifies how the Router searches the Domino Directory to determine the Notes
recipient of an inbound Internet message. Choose one:
v Fullname then Local Part - (default) The Router first searches the Domino Directory
for a match for the full Internet address (localpart@domain.com). If no match is
found, it searches the directory again, looking for a match for the local part of the
address only.
v Fullname only - The Router searches the Domino Directory for full Internet
addresses only. For example, it searches for ″user@domain.com″ but not for ″user.″ If
an exact match is not found and the domain suffix is equivalent to an Internet
domain alias defined in the Global domain document, a secondary search is
performed using the domain suffix of the primary Internet domain.
v Local Part only - The Router searches the Domino Directory for a match of the local
part of the Internet address, that is, the part before the @ symbol. Local part
matching matches periods and underscores in the address with spaces in the
directory.
Exhaustive lookup Choose one:
v Enabled - The Router searches all directories to ensure that there are no duplicate
recipient names that might prevent the message from getting to the right person.
Performing exhaustive lookups is time-consuming and places a heavy load on the
server.
v Disabled - (default) The Router limits its search to the first directory that contains
the address.
7. The change takes effect after the next Router configuration update. To put the new setting into effect
immediately, reload the routing configuration.
Specifying how Domino looks up SMTP hosts when sending outbound mail
You can specify how the Router determines the IP address(es) for destination SMTP systems (for
example, the Internet). Known as address resolution, the method you select determines how the Router
performs domain-name-to-IP-address translation.
If you configure TCP/IP to use the Domain Name System (DNS), select Dynamic mapping only or
Dynamic then local. For Dynamic mapping only, the Router queries a DNS server to map a fully
qualified host name to an IP address.
For Dynamic then local, the Router first queries the DNS and then checks a file on your local drive. This
file, known as a hosts file, maps destination host names to IP addresses. The Dynamic then local option
can be useful if you need to connect to internal hosts that are not listed in the DNS.
If you configure TCP/IP to use local hosts lookup, select ″Local lookup only.″ If you use this option, the
IP address and fully qualified host name for each destination must exist in the hosts file. This option
requires more administrative attention than the Dynamic mapping only option because you need to
maintain the file.
If the DNS does not list a destination host name, the Router designates the message as non-deliverable. If
the DNS is unavailable, the Router retries delivery up to the configured number of times as indicated in
the Initial transfer retry field on the Configuration Settings document.
Field Enter
Host name lookup Choose one:
v Dynamic lookup only (DNS only) - The Router determines the IP address for a host by
looking it up in DNS. SMTP transfer can occur only if the destination host is listed in
DNS.
v Local lookup only (host files only) - The Router determines the IP address for a host
by looking it up in a hosts file on the local machine.
v Dynamic then local - (default) The Router determines the IP address for a host by
looking it up in DNS first and then checking the local hosts file if no DNS entry exists.
7. The change takes effect after the next Router configuration update. To put the new setting into effect
immediately, reload the routing configuration.
Enabling the Router to look up the sender’s Internet address from the Person
document
When a Notes client is configured to send mail for Internet recipients in Notes rich text format, a Domino
server must convert outbound mail from the client to MIME format for Internet mail transport over
SMTP. The Domino server responsible for the conversion must ensure that all addresses in the message
headers, including both the recipient and sender addresses, are in Internet mail (RFC 821/822) format.
If the sending user’s Location document specifies an Internet address, Domino places this address in the
From field of the MIME message. However, if the Location document does not specify an Internet
address, Domino must obtain the address by other means. By default, Domino forms an Internet address
by converting spaces in the user’s Notes address into underscores, and prefixing the names of Domino
domains in the address with percent signs. For example, a Domino server in the acme.com Internet
domain converts the Notes address John Smith@Notes to the Internet address
John_Smith%Notes@acme.com. Domino determines the Internet domain from the Server document or the
Global Domain document.
If your organization prefers to standardize Internet addresses using a format that does not reveal internal
domain names, you can specify an Internet address in each user’s Person document and configure
Domino to look up the specified addresses during MIME conversion.
1. Make sure you already have a Configuration Settings document for the server(s) to be configured.
2. From the Domino Administrator, click the Configuration tab and expand the Messaging section.
3. Click Configurations.
4. Select the Configuration Settings document for the mail server or servers you want to administer, and
click Edit Configuration.
5. Click the MIME - Conversion Options - Outbound tab.
Field Description
Lookup Internet address for all Addresses on all messages sent to Internet recipients must be in Internet format
Notes addresses when Internet (RFC 821/822 format). A Notes user may send a message to both Notes addresses
address is not defined in and Internet addresses. To specify how Domino converts the addresses of Notes
document recipients on messages sent to the Internet, choose one:
v Enabled - On outbound Internet messages, if the address of the sender or any
recipient is in Notes format, Domino looks up the user’s Internet address from
the Person document and, if found, substitutes it for the Notes address before
sending.
v Disabled - (default) Domino forms Internet addresses based on rules in the
Global Domain document. If a Global domain document is not present, Domino
constructs addresses by converting spaces into underscores and encoding
Domino domains with percent signs. For example, Domino converts the Notes
address John Smith@Notes to the Internet address
John_Smith%Notes@acme.com
Note: When this option is disabled, Domino will continue to perform Internet
address lookups if configured to do so in the field ″Internet address lookup″ in the
SMTP Address Conversion section of the Conversion tab of the Global Domain
document.
To comply with Internet addressing standards, Domino uses RFC 821 or RFC 822 address formats for any
message sent over SMTP, as illustrated in the following table.
Internet
Address Style Address Format Example
RFC 821 Username@IPDomain.TopLevelDomain Tyler_Hamilton@acme.com
RFC 822 ″FriendlyName″ ″Tyler Hamilton″
<Username@IPDomain.TopLevelDomain> <Tyler_Hamilton@acme.com>
If a Domino SMTP server receives a message that is in Notes mail format -- as when a server in the local
network transfers a message to an SMTP server for routing to the Internet -- it must convert that message
to MIME before transferring it over SMTP. As part of the conversion process, the Router replaces
Notes-style addresses in the message, including the sender’s address, with an Internet-style address.
It’s easy for the Router to add the appropriate address when it’s been defined in the sender’s Person
document. In this case, the sender’s Notes client enters the Internet address in the INetFrom field of the
message. When converting the message for SMTP transfer, the Router uses the supplied Internet address.
For more information about Location documents, see the topic ″Creating or editing a Location document
manually″ in Lotus Notes 7 Help. You can download or view Notes 7 Help from the Documentation
Library of the Lotus Developer Domain at http://www.lotus.com/ldd/doc.
If the sender’s Internet address is not present in the Notes message, the Router can attempt to retrieve it
from the Person document. For address lookups to occur, you must enable them on the MIME -
For information about enabling outbound address lookup in the Configuration Settings document, see the
chapter ″Customizing the Domino Mail System.″
Finally, if the Router cannot obtain the sender’s Internet address from either the message itself or the
Person document, it will construct the address. You can specify the rules for constructing this address in
the Global domain document, but in the absence of a Global domain document, the Router constructs
Internet addresses using the following default format:
Full_Name/Org%DominoDomain@IPDomain.TopLevelDomain
For example, the Router on the host smtp.acme.com would construct the following default Internet
address for the Notes user Tyler Hamilton/Sales@Europe: Tyler_Hamilton/Sales%Europe@acme.com.
To ensure that messages always include the sender’s correct and reply-able Internet address, always add
the Internet address to a user’s Location document and Person document. To fill in the Internet Address
field for all Person documents in which the field is blank, use the Internet Address Tool.
For more information about the Internet Address tool, see the Upgrade Guide.
Changing the default format for constructing the sender’s Internet address on
outbound mail
When converting a Notes message for SMTP transfer, the Router replaces the Notes address of the sender
with an Internet address. If the Router cannot determine the sender’s Internet address, either from the
InetFrom field of the Notes message, or the Internet address field of the user’s Person document, it
constructs an Internet address by combining the user’s Notes name with Domino domain and Internet
domain information. The rules for constructing the sender’s Internet address are specified in the Global
domain document. By default, the Global domain document constructs addresses in the following format:
First_Last/ou/org%DominoDomain@Internetdomain.TopLevelDomain
For example:
Meredith_Richards/East/Acme%Acme@acme.com
The address conversion settings in the Global domain document apply to all mail sent over SMTP from
servers in this Global domain -- including messages for recipients in the local Internet domain as well as
messages for recipients in external Internet domains.
The Router uses the address conversion settings in the Global domain document for outbound mail only
in cases where the sender does not have an Internet address defined in the Location and Person
documents, or address lookup to the Domino Directory either fails or is disabled.
Generally speaking, if all users have Internet addresses in their Person documents and address lookups
are always successful, address construction on outbound SMTP messages never occurs. However, even if
you complete the Internet address field of every user’s Person document, configure address conversion in
at least one Global domain document to ensure that addresses are formed correctly in the event that
lookups fail and address conversion occurs. Only in the most limited of deployments can one expect
never to require address conversion.
For information about enabling Internet address lookup for outbound SMTP mail, see the topic ″Enabling
the Router to look up the sender’s Internet address from the Person document″ earlier in this chapter.
How Domino uses Global domain documents during inbound and outbound SMTP
routing
When Domino receives an inbound SMTP message, it attempts to determine whether the message is for a
local recipient. When the Domino Directory does not include a Global Domain document, Domino
accepts only messages addressed to users in the same Internet domain as the server, as indicated in the
Fully-qualified Internet host name that appears in the Server document.
But if the Domino Directory includes a Global domain document, Domino can receive mail for multiple
Internet domains. To determine whether to accept a message, Domino compares the domain part to the
local primary Internet domain listed in the Global domain document. If it does not find a match in this
field, it examines the secondary Internet domains -- the ″alternate Internet domain aliases″ -- listed in that
document.
The role of Global domain documents in determining whether to accept inbound SMTP mail: If the
Domino Directory contains multiple Global domain documents, Domino uses a similar process to
determine whether a recipient is local: it first checks the primary Internet domain in each Global Domain
document, and then, if it still hasn’t found a match, it continues by checking the alternate Internet
domains. If the domain in the address does not match any of the domain entries in any Global domain
document, the message is considered an attempt to relay, and Domino rejects the message.
Inbound address lookup when the Domino Directory contains multiple Global Domain documents:
After Domino accepts a message, the Router attempts to match the recipient’s Internet address to an
entry in the Domino Directory. When looking up the recipient in the Domino Directory, if the domain
suffix in the address matches an alternate Internet domain aliases defined in a Global Domain document,
and no Person document includes this address, the Router performs a secondary lookup. In this
secondary lookup, the Router pairs the local part of the address with the domain suffix of the primary
Internet domain specified in the Global domain document.
For example, a server receives a message for craig_bowker@acmewest.com. The Router searches all of the
Person documents in the Domino Directory for this Internet address, but cannot find a match. However,
in the Domino Directory, there is a Global domain document that includes the domain suffix
acmewest.com as an alternate Internet domain alias. In this same Global Domain document, the primary
Internet domain is acme.com. After the primary lookup fails, Domino performs a secondary lookup,
using the address craig_bowker@acme.com. Domino performs secondary lookups only if the Router is
configured to perform fullname, or fullname, then local part lookups.
In cases where the Domino Directory contains multiple Global domain documents, and a secondary
lookup is required, when replacing the domain suffix in the original address with the domain suffix of
the primary Internet domain, the Router only considers Global domain documents that list the alternate
To prevent the Router from using domain aliases when looking up addresses, do not include alternate
Internet domain aliases in a Global domain document. Instead, create multiple Global Domain
documents, each specifying a different primary Internet domain.
Controlling outbound addresses construction with multiple Global domain documents: When the
Domino Directory contains a single Global Domain document, the address construction rules in that
document determine how a server forms the sender’s address in an outbound SMTP message. However,
if the Domino Directory contains multiple Global Domain documents, when constructing the sender’s
address, Domino uses the Internet domain specified in the Server document and the address construction
rules defined in the Global Domain document listed last, alphabetically, in the directory. If you want
Domino to form the sender’s outbound address from the primary Internet domain and the address
construction rules contained in a particular Global domain document, designate that document as the
default Global Domain document.
Designating a default Global domain document: When there are multiple Global Domain documents in
the Domino Directory, designate one as the default so that when a servers construct a sender’s outbound
Internet address, the addresses created are based on the primary Internet domain and address
construction rules specified in the designated document.
1. From the Domino Administrator, click the Configuration tab and then expand the Messaging section.
2. Choose Domains, and click Global Domain
3. Select the Global Domain document you want to designate as the default and click Edit Domain.
4. On the Basics tab, complete following field, and then click Save & Close:
Field Enter
Use as default Global Domain (for use Select Yes to designate this Global Domain document as the default Global
with all Internet protocols except domain for this Domino Directory.
HTTP)
To configure internal SMTP servers to send mail to a relay host, you specify the IP address or host name
of the relay host in the Configuration Settings document. If connections from the internal mail server to
an ISP mail server pass through a firewall, specify the internal interface of the of the firewall in this field,
and configure the firewall to forward traffic received on port 25 to the ISP mail server.
Servers that do not route mail over SMTP require special configuration to transfer messages to a relay
host or firewall. For more information, see the topic ″Transferring outbound Internet mail to an SMTP
server over Notes routing″ earlier in this chapter.
For information about restricting relay access through an Internet domain, see the chapter ″Customizing
the Domino Mail System.″
Configuring multiple relay hosts: To enable greater control over outbound message routing, you can
configure multiple relay hosts. Using multiple relay hosts enables Domino to route mail addressed to
certain Internet domains to certain relay hosts, without first performing a DNS lookup. For example, you
To configure multiple relay hosts, create a Foreign SMTP Domain document for each set of destinations,
and then create SMTP connection documents to match these foreign SMTP domain documents. For
example, using the previous example, you would create one Foreign SMTP Domain document for *.* and
another for *acmepartner.com.
Foreign SMTP Domain documents are used by servers that route mail over SMTP as well as those using
NRPC. For servers that use SMTP routing, Foreign SMTP Domain document indicate the destinations that
need relay hosts and the relay hosts to use in each case.
For more information on creating Foreign SMTP Domain documents, see the topic ″Transferring
outbound Internet mail to an SMTP server over Notes routing″ earlier in this chapter.
Field Enter
Relay host for messages leaving the local Internet The host name, domain name, or IP address of the server being
domain used as a relay host.
7. The change takes effect after the next Router configuration update. To put the new setting into effect
immediately, reload the routing configuration.
8. After you set up a relay host, you can set up restrictions based on where the message originated or
the message destination.
For example, an organization that does not have a constant connection to the Internet might use a remote
mail server at its ISP to hold mail until a local mail server calls in to the ISP server to retrieve or ″pull″
pending messages from the ISP server. If the ISP mail server supports the SMTP ETRN command, you
can configure the Domino server to ″pull″ mail over SMTP. A local Domino server can also use Notes
routing protocols to pull messages from a remote Domino server over a Notes Direct Dialup connection.
Setting up Domino to pull mail from a remote server: By default, when a local server initiates a
connection to a remote server, it uses the connection to push messages to the remote server. The local
server does not ″pull″ pending messages from the remote server. Instead, the local server only receive
mail from the remote server when the remote server initiates a connection to route those pending
When the local server is configured to send a ″pull request,″ it sends a message to the remote server
requesting that the server deliver any messages it has pending for the local server. The remote server
receiving the pull request can be any SMTP host; it does not have to be a Domino server. When the
remote server receives the ″pull request,″ it checks its mail queues for any messages pending for the
initiating server and starts the processing necessary to transfer those messages.
If you are using SMTP routing, you must make sure that ETRN protocol extension has been enabled on
the other server (the one receiving the ″pull request″), or it will not be able to receive the pull request.
Also the remote server must be able to resolve the DNS host name of the initiating server to an IP
address to ensure that the messages can be sent. Generally, ETRN requires that the initiating server has a
static IP address, which is available in DNS to the server holding the pending messages.
Note: Some ISPs use DHCP to assign a host a new IP address whenever it connects. If the remote system
assigns a new IP address every time you connect, do not configure dialup systems to use pull routing.
When configuring dialup routing, you can indicate how long the initiating server keeps the line open to
allow the remote server to establish a connection. This is useful to prevent the initiating server from
hanging up the line before the remote server is able to attempt to transfer any pending mail. The
initiating server sends a pull request, then pushes any messages it has for the remote server, and then
waits for any messages pending from the remote server.
When sending a pull request, the initiating server can also request messages for other servers, domains,
hosts, or any queue name within your organization for which the initiating server is responsible.
The ETRN command: With ETRN support, a dialup SMTP host can notify an SMTP server holding
messages for it when to deliver those messages. ETRN enables servers to use bandwidth resources
efficiently, because the dialup host sends and receives mail during the course of a single session.
ETRN stands for Extended Turn and is an SMTP service extension command, defined in RFC 1985. that
provides improved security over the SMTP TURN command, originally defined in RFC 821. The TURN
command allows hosts involved in a SMTP session to reverse their respective roles, so that, for example,
if Server1 is sending an SMTP message to Server2, Server1 can issue the TURN command so that Server2
then becomes the sender and Server1, the receiver.
However, because the TURN command has no mechanism for verifying the identity of the calling host,
use of the command poses a security risk. A malicious user who spoofs the identify of a server can
falsely appear to belong to a someone else’s Internet domain and then use the TURN command to
retrieve messages intended for that domain.
The ETRN command plugs this security hole by redefining the sending and receiving roles during the
course of the SMTP session. For example, after Server1 issues the ETRN command to Server2, ETRN
instructs Server2 to open a new SMTP session with Server1. Because Server2 has to resolve the name of
Server1 to an IP number in the DNS, Server2 is more likely to open a new SMTP session with the correct
machine.
For Domino to use ETRN to retrieve new mail over a dialup connection, your ISP must support this
command. Check with your ISP to verify whether they support this command or not. You can also verify
support for the command by establishing a telnet connection to port 25 of the ISP’s SMTP server. After
the SMTP session starts, type EHLO and press Enter. The response from the ISP’s SMTP server indicates
whether the server supports ETRN.
Field Description
Connection type Choose one:
Network Dialup - Choose this option for servers that will route mail over SMTP using this
dialup connection. You can also use this option for NRPC routing.
Notes Direct Dialup - Choose this option only for servers that will use this connection to
route mail over NRPC to another Domino server.
Source server The Notes hierarchical name of the local Domino server initiating the routing request, for
example, SMTP/East/Acme.
Source domain The Domino domain of the source server, for example, AcmeEast
Use the LAN port(s) For Network dialup connections, enter the port name for the Domino TCP/IP port on the
local server.
Use the port(s) For Notes Direct Dialup connections, specifies the name of the communications port that
the source server uses.
Destination server The name of the Domino server, or SMTP server to which you want to route mail.
For SMTP routing connections to an ISP server, enter the host name of the ISP server, for
example, internet.isp.com. Depending on the requirements of your ISP, the specified host
can be used for outbound mail, inbound mail (using ETRN), or both. If the host is used
for outbound mail, enter the same host name on the Router/SMTP - Basics tab of the
Configuration Settings document, in the field ″Relay host for messages leaving the local
Internet domain.″
Destination domain For routing to Domino servers over Notes routing, enter the Domino domain of the
destination server.
Leave this field blank when configuring SMTP routing to an ISP server.
6. On the Routing and Replication tab, complete these fields, and then click Save & Close:
Field Description
Routing task Select Mail routing
You can use a server console command to manually trigger such a service update. Using the console
command allows you to immediately put into effect changes to the SMTP configuration without
disrupting normal service operation.
Customizing mail
After you set up basic mail routing, you can customize the Domino messaging system to improve
performance and meet the specific needs of your organization. For example, you can set inbound
messaging restrictions to prevent unwanted commercial e-mail (UCE) from entering your system;
implement restrictions on message size to conserve network bandwidth; enforce database quotas to
ensure that users promptly delete old messages; set system mail rules to automatically process messages
that meet certain criteria; and enforce security policies by encrypting messages delivered to user mail files
and restricting message transfer to the Internet.
For more detailed information on setting up mail routing, see the chapter ″Setting Up Mail Routing.″
Controlling messaging
After you set up basic mail routing, use Domino’s administrative controls to customize the messaging
system to your environment. Using the Domino Administrator and other tools you can change settings
that affect routing performance, protect the system from unauthorized use, schedule message transfer,
and ensure efficient use of network bandwidth and storage space.
Some of the settings you change apply to all of the messages that the server processes, regardless of
whether a message is sent or received using Notes routing or SMTP routing; other settings are specific to
a particular routing protocol.
721
As you customize your messaging system, you may need to troubleshoot problems that occur. To assist in
troubleshooting, Domino lets you:
v Change the log level to record additional messaging information
v Temporarily disable mail routing
Server processes -- including server threads and the Router -- that write to MAIL.BOX require exclusive
access to it. To ensure exclusive access, processes that write to or read from MAIL.BOX lock the database
to prevent simultaneous access by other processes. Other processes trying to access the database must
wait until the currently active process completes and unlocks the database before they can complete.
In most cases, a mail process locks MAIL.BOX for only an instant. However, longer wait times occur
when the Router or another process reads or writes a large message. When there is a large amount of
new mail -- for example, on a busy system with heavy mail traffic -- several server threads may try to
deposit mail into MAIL.BOX while the Router attempts to read and update mail. Under heavy loads,
such contention for a single MAIL.BOX database degrades performance.
On servers that run Domino Release 5 and higher, you can improve performance significantly by creating
multiple MAIL.BOX databases on a server. Using multiple MAIL.BOX databases removes contention for
MAIL.BOX, allows multiple concurrent processes to act on messages, and increases server throughput.
While reading one MAIL.BOX, the Router marks the database ″in use″ so other server threads trying to
deposit mail move to the next MAIL.BOX. As a further benefit, having multiple MAIL.BOX databases
provides failover in the event that one MAIL.BOX becomes corrupted.
When creating additional MAIL.BOX databases, consider placing each one on a separate disk. Because
disk contention is rarely an issue for MAIL.BOX, placing each additional MAIL.BOX database on a
different disk will not improve performance per se. However, distributing the databases across multiple
disks does ensure greater availability in the event of a disk failure.
Creating a second MAIL.BOX database offers a large performance improvement over using a single
MAIL.BOX. Depending on server mail traffic, adding a third and fourth MAIL.BOX database may further
improve performance. However, the improvement gained with each additional MAIL.BOX is increasingly
smaller.
You specify the number of MAIL.BOX databases on the Router/SMTP - Basics tab of the Configuration
Settings document. Changes to the mailbox count take effect only after the next server restart.
After you configure a second MAIL.BOX database, you can use mail statistics to determine whether
additional MAIL.BOX databases are needed.
After the new mailboxes are created, the old MAIL.BOX file is no longer used by the router. Any
messages in MAIL.BOX need to be copied into one of the newly created mailboxes on the server. The file
Field Description
Number of mailboxes Indicates the number of mailboxes (MAIL.BOX databases) on servers that uses this
Configuration Settings document. If this field is blank, one mailbox is used. Configure a
maximum of ten mailboxes.
For servers that support a small number of users, access conflicts are rare, and the default of a single
MAIL.BOX usually provides an acceptable level of service. However, on servers that support a higher
numbers of users, creating an additional MAIL.BOX database can eliminate most access conflicts.
For example, if there are three mailboxes configured, and there are four
concurrent accesses, the conflict count would be incremented.
Note: Mailbox statistics are available only on servers where two or more MAIL.BOX databases are
configured. You must restart the server to put into effect any changes to the number of mailboxes.
To save bandwidth and improve server performance, you can disable type-ahead addressing. If you
disable type-ahead addressing on a mail server, users can still use type-ahead addressing to find
addresses in their Personal Address Book or mobile Directory Catalog.
1. Make sure you already have a Configuration Settings document for the server(s) to be configured.
2. From the Domino Administrator, click the Configuration tab and expand the Messaging section.
3. Click Configurations.
4. Select the Configuration Settings document for the mail server or servers to administer, and click Edit
Configuration.
5. On the Basics tab, complete this field, and then click Save & Close:
Field Enter
Type-ahead Choose one:
v Enabled - (default) The server checks the Domino Directory for an address that matches
what a user enters in the To, cc, or bcc field of a message.
v Disabled - The server does not try to match addresses. Matches occur only in the user’s
Personal Address Book or local Directory Catalog.
Field Enter
Logging level Choose one:
v Minimal - Domino logs all mandatory status messages and fatal error messages.
v Normal (default) - Domino logs all minimal events, plus warning messages indicating
conditions that do not cause processing to stop.
v Informational - Domino logs all minimal and normal events, plus informational
messages involving intermediate storage, MAIL.BOX access, message handling,
message conversion, and transport status.
v Verbose - Domino logs all minimal, normal, and informational events, plus additional
messages that may help you troubleshoot system problems.
Note: To prevent the log file from becoming excessively large, use Verbose logging only
when troubleshooting specific problems.
The change takes affect after the next Router configuration update. To put the new setting into effect
immediately, reload the routing configuration.
You set delivery controls in the Configuration Settings document on the Router/SMTP - Restrictions and
Controls - Delivery Controls tab. You can also set quota controls to help control the size of user mail files.
Using client mail rules: Notes users can create mail file rules that automatically process new mail.
Servers that are delivering mail and running client mail rules must be running Domino 6.0.3, Domino 6.5,
or more recent versions. Client mail rules specify an action to take when a newly-delivered message
meets certain conditions. For example, one action that may be included in client mail rules is the stop
processing action. The stop processing action stops the processing of all rules that are preceded by the
rule containing the stop processing action. You can use the stop processing action alone, that is, as the
only action in a mail rule, or you can use it with another action in a rule. The stop processing action can
also be included in one rule that is in a series of rules. This is especially useful when more than one rule
applies to a message, but you want execution of client mail rules to stop after the first action is executed.
For information about client mail rules see the Notes client online help.
1. Make sure you already have a Configuration Settings document for the server(s) to be configured.
2. From the Domino Administrator, click the Configuration tab and expand the Messaging section.
3. Click Configurations.
4. Select the Configuration Settings document for the mail server or servers you want to administer, and
click Edit Configuration.
5. Click the Router/SMTP - Restrictions and Controls - Delivery Controls tab.
Field Description
Maximum delivery The maximum number of server threads Domino can create to deliver mail from
threads MAIL.BOX to local mail files. The Router automatically sets the default maximum
number of delivery threads based on server memory. Letting the Router select the
maximum number is usually best. To set the maximum number manually, enter a
maximum between 1 and 25, based on the server load.
Encrypt all delivered Choose one:
mail v Enabled - When delivering messages to local mail files, Domino encrypts the messages,
regardless of whether the sender encrypted the message or the recipient’s mail file
encrypts messages.
v Disabled (default) -- Domino encrypts messages only if the recipient’s mail file is set to
encrypt received messages.
Note: When encryption is enabled and an external user requests a return receipt for a
message sent to a user whose mail file is on the server, the return receipt message that
Domino generates contains a blank message body.
Pre-delivery agents Users who create LotusScript or Java agents for their mail files can set the agent to run
before new mail arrives. When delivering a new message, if the Router detects such a
pre-delivery agent, it runs the agent against the message before the message ever appear
in the recipient’s Inbox. Use this field to specify whether the server permits the use of
pre-delivery agents. Choose one:
v Enabled - (default) Allows the Router to run agents that process mail before delivering
it to user mail files on the server.
v Disabled - Prevents the Router from running pre-delivery agents.
Pre-delivery agent The maximum time (in seconds) that a pre-delivery agent, such as a mail filter, can run
timeout before the Router interrupts it. Because the Router waits for pre-delivery agents to
complete, failure to restrict agents can slow routing performance on the server. The
default time-out is 30 seconds.
User rules mail Notes users can create mail file rules that automatically process new mail. User mail
forwarding rules specify an action to take when a newly-delivered messages meets certain
conditions. Use this field to specify whether the Router on this server supports the rule
action to send copies of selected messages automatically to other recipients. Choose one:
v Enabled - The Router supports the ″Send copy to″ action for Notes client mail rules,
allowing users to send copies of messages automatically to other recipients.
v Disabled - Prevents Notes clients from using the ″Send copy to″ rule action.
The change takes affect after the next Router configuration update. To put the new setting into effect
immediately, reload the routing configuration.
You can configure the Router to respond in several ways when a mail file exceeds its quota, each
representing a higher level of enforcement. The least restrictive response is to have the Router issue
automatic notifications to users when their mail files exceed the quota. If users fail to respond to
notifications, you can hold pending messages in MAIL.BOX or return messages to the senders as
undeliverable until the users reduce the size of their mail files.
In addition to setting a quota, you can configure a warning threshold and use it as the basis for
providing users with advance notice that their mail files have grown too large. For example, you might
When used with the setting ″Hold mail and retry″ in the Over quota enforcement field of the
Configuration Settings document, the NOTES.INI setting, MailTimeout, designates the number of days
that mail is held for the user when the user’s mail file exceeds the mail file size quota. By default,
MailTimeout=1. If a user’s mail file exceeds the quota for mail file size, mail is held for that user for one
day. If the user does not reduce the size of the mail file within one day, mail is returned to the sender as
undeliverable. If the mail file size is reduced during that one day, mail that was being held is delivered.
You may want to use a value greater than one so that users are allowed a reasonable grace period before
their mail is returned to the sender. For example, if a user is on vacation and is notified that their mail
file exceeds the set mail file size quota, the user would not be able to reduce the size of the mail file.
After being held for one day, mail would be returned to the sender as undeliverable. You can set a value
greater than one (1) to allow mail to be held for several days before being returned to the sender.
Note: MailTimeout affects all message time-outs, including other delivery errors that can be retried and
transient transfer errors.
Along with the methods the Router uses to enforce quotas, the Notes client also displays a warning to
any user who has exceeded their designated warning threshold or quota whenever the user attempts to
send mail.
Setting mail file quotas: You can set two types of size limits on a user’s mail file: an absolute quota size
and a warning threshold. Set a quota if you intend to establish a policy of interrupting users’ mail usage
if their mail files exceed a specified size. Set a warning threshold to provide users with advance notice
when their mail files approach the designated mail file quota, so they can reduce the size of their mail
files before message flow is interrupted. You must set a quota before you can set a warning threshold.
Quotas and warning thresholds are associated with a particular mail file database only, not with a user
ID. If a user has access to an alternate mail file, the quota set on the primary mail file has no effect on the
alternate mail file.
Note: While this topic refers to behavior of the Router during delivery of new messages to a mail file, be
advised that the ″Check space used in file when adding a note″ setting is a server-wide setting that
applies to all updates to databases with quotas enabled on the server. For example, when a mail message
is sent for delivery and the message is saved in the Send folder, the Notes client initiates saving the sent
mail message on a server-based mail file, and the server then processes the note update.
If quota enforcement is enabled, whenever the Router delivers mail, it compares the current size of the
destination mail file against its configured database quota or threshold. If the size exceeds one of these,
the Router takes appropriate action.
When calculating mail file size, Domino does not take into account the space consumed by a file’s
full-text index. When setting a mail file quota, be sure to consider the additional space required for the
file’s full-text index. Over time, the full-text index of a typical mail database can reach a size between 5
and 15 percent of the database size.
To specify the method a server uses to calculate the size of a mail file:
1. From the Domino Administrator, click the Configuration tab, expand the Server section, and click ″All
Server Documents.″
2. Select the Server document to edit, and then click Edit Server.
3. Click the Transactional Logging tab, and in the Quota enforcement field, select one of these methods
and then click Save & Close:
The Router calculates the current size of a mail file from the amount of space that
messages occupy in the database and determines whether mail files are in compliance
with configured warning thresholds or quotas based on this calculation. White space in
the database is discounted. If the user is over quota and quota enforcement is enabled,
no new messages are delivered. If the mail file is close to its quota, the Router continues
to deliver messages only until their cumulative size exceeds the quota; thereafter,
messages are held or rejected, depending on the enforcement setting.
When a user deletes a message, the space occupied by that message is immediately
removed from the calculated size of the mail file. There is no need to run the Compact
task to recover space. Users who cannot receive mail because of a quota violation can
reduce the current size of the mail file immediately by archiving or deleting messages.
If transaction logging is enabled on the server, select this method of enforcement, because
it does not require administrative intervention to compact mail files.
Check file size when (Default) The Router calculates the current size of a mail file from its actual physical size.
extending the file The calculated physical size includes the unused ″white space″ in a file that results when
a user deletes or archives a message. Domino does not immediately recover this white
space. As a result, accumulated white space may account for a large portion of the file
size, so that the actual mail file size is considerably larger than the combined size of its
stored messages.
The size check occurs only if adding a message requires an increase in the size of the
mail file. When quota enforcement is enabled and this option is selected, if a message
delivered to the mail file requires an increase in the file size that would result in a quota
violation, delivery fails. However, a message is always delivered if there is sufficient
white space to accommodate it.
On servers that do not use transaction logging, users can run the Compact task to
remove white space and decrease the file size. However, when transaction logging is in
effect, users cannot compact their own mail files. An administrator must run Compact
with the -B option to reduce the size of the file.
This option is more restrictive than the preceding option, because the Router checks the
quota every time it adds a message to the mail file, regardless of whether this results in
an increase in file size.
On servers that do not use transaction logging, when quota enforcement is enabled,
select this option to eliminate inconsistent behavior during delivery to the mail files of
users who exceed their quotas. Because the Router always checks the current file size
when delivering a message, after a mail file reaches quota, no new messages are
delivered, even if a particular message is small enough to fit within the available white
space in the mail file.
Note: On servers where transaction logging is enabled, selecting this option can prevent
a user from recovering from a quota violation, since compacting the mail file does not
reduce its size, preventing the user from getting back under quota. An administrator
must run Compact with the -B option to reduce the size of the file.
How the configured size method effects over-quota enforcement: Unless you configure the Router to withhold
mail from or send warnings to users whose mail files exceed their quotas or warning thresholds, you
won’t notice any differences between the various methods for calculating file size. However, the method
you select for calculating file size becomes significant if you enable quota enforcement or warning
notifications on the server.
When servers are set to use file size to determine whether a user is over quota, a user who is over quota
might not be able to receive mail immediately after deleting messages. This is because white space
remains in the mail file until the Compact task removes it. As a result, a user whose mail is withheld due
to a quota error typically experiences some delay between removing messages and achieving the reduced
mail file size required to reinstate mail delivery.
On servers where quota enforcement is set to ″Hold mail and retry,″ you choose whether the Router
attempts delivery to mail files that exceed quota.
If database usage is enabled as the method for calculating size, message delivery always fails after a mail
file exceeds its quota. If a mail file is close to its quota but has not yet exceeded it, the Router may
succeed in delivering smaller messages. But eventually the file will exceed its quota, and subsequent
deliveries will fail.
Reclaiming space in mail files for which soft deletions are enabled: When soft deletions are enabled for a mail
file, deleting messages from a mail file doesn’t immediately reduce its size. Instead, the ″deleted″
messages are moved to the Trash view until they expire - after 48 hours, by default. Only then are the
messages permanently removed from the database.
To reclaim space immediately, a user must open the Trash view of the mail file and click Empty Trash or
select a message in the view and then click Delete Selected Item. By default, soft deletions are enabled for
mail files that use the Release 7 mail template (MAIL7.NTF) or more recent mail template.
For more information about soft deletions, see the chapter ″Improving Database Performance.″
Notifying users who exceed their mail file’s quota or warning threshold: You can configure the Router
to notify a user whose mail file exceeds a warning threshold or quota. The following table lists the
information contained in the notification message:
For information on adding custom text to over quota and quota warning reports, see the topic
″Customizing the text of mail failure messages″ later in this chapter.
Users who exceed the quota for their mail file receive over quota warnings. Over quota warning
threshold notifications are sent to mail files that are over the warning threshold but under the database
quota. Over quota notifications are sent to mail files that exceed database quota.
Message tracking is not enforced or supported for either type of warning notification.
If Domino rejects an inbound message as the result of a quota violation, it returns a failure message
stating the reason for the failure to the sender.
Specifying how often users receive notifications: You have three options for specifying how often the Router
delivers warning notifications to users who violate their mail file’s warning threshold or quota:
v None - (Default ) - Users receive no warning if their mail files exceed the size limit.
v Per Message - Users whose mail files exceed the size limit receive a warning notification every time
MAIL.BOX receives a new message for them.
v Per time interval - Users whose mail files exceed the size limit immediately receive a warning message;
the warning message is not sent according to the specified per time interval setting.
Withholding mail from users who exceed their quota: Quota controls enable the Router to selectively
hold or reject mail if the destination mail file has exceeded its quota. When the Router has new mail to
deliver to a user whose mail file is already full, it checks the Configuration Settings document to
determine the appropriate action. By default the Router continues to deliver mail, even after a mail file
exceeds its quota. To change the default behavior, you must configure the Router to refuse or hold mail.
When delivering mail to a user’s mail file, the Router checks the mail file’s size. If the file will remain
within the specified threshold after delivery of the message, no action is taken.
The Router recognizes certain exceptions to the specified quota setting. For example, users who are over
quota continue to receive over quota notifications from the Router, regardless of the current setting.
However, if the Router is configured to Hold and Retry, all messages are held, and the owner of the mail
file receives no further notifications until the size of the mail file is reduced or the administrator takes
action to allow messages to be delivered.
To prevent an excessive number of messages from accumulating in MAIL.BOX when you choose the
Hold and Retry method of enforcing quota violations, it’s best to have Domino calculate database size
Limiting the size and number of messages held for retry: If you set the Router to temporarily hold mail
intended for users whose mail files exceed the specified quota, the increased number of pending
messages can increase the size of MAIL.BOX and decrease Router performance. To help ensure service
quality, you can limit the number of pending messages.
You can also specify the maximum size of messages that the Router will hold. If a message is larger than
the configured size, it is returned to the sender as undeliverable, rather than held.
Restrictions do not apply to sent messages: Router enforcement of mail file quotas is limited to withholding
new mail from users who exceed their quotas. The Router continues to accept outgoing mail from whose
mail files are full. However, these users are not able to save any messages to mail files on the server.
When a user who exceeds the configured warning threshold or quota sends a message from a Notes
client, the client displays a warning, but the user can still send the message.
Field Enter
Over Warning Specifies how often the Router delivers notifications to users who exceed their warning
Threshold threshold.
Notifications
Choose one:
v None - The Router does not deliver notifications when mail files grow larger than the
specified warning threshold.
v Per Message - The Router delivers a notification for every message it delivers after the mail
file exceeds the specified warning threshold.
v Per Interval N - Send notifications at a specified interval until the user deletes or archives
enough messages to bring the size of the mail file below the specified Warning Threshold.
When this option is selected, an additional field, ″Warning Interval Minutes,″ appears.
Warning Interval Specifies, in minutes, how long the Router waits to send the next Over Warning Threshold
Notification
Over Quota Specifies how often the Router delivers notifications to users who exceed their quota.
Notification
Choose one:
v None - The Router does not deliver notifications when mail files grow larger than the
specified quota.
v Per Message - The Router delivers a notification for every message it delivers after the mail
file exceeds the specified quota.
v Per time interval - When a message delivery is attempted and no notifications were sent
during the previous time interval, the router sends an ″over quota″ notification to the user’s
mail file. Over quota notifications are triggered by normal mail delivery; therefore, over
quota notifications may not be sent at the exact time interval setting. The router limits the
number of notifications sent to one notification during each time interval.
Choose one:
v Deliver anyway (don’t obey quotas) - (Default) The Router continues to deliver mail to a
mail file that is over quota.
v Non Deliver to originator - The Router stops delivering new messages to the mail file and
returns a nondelivery message to the sender reporting that the message could not be
delivered because the intended recipient’s mail file was full.
v Hold mail and Retry - The Router stops delivering new messages to the mail file and
temporarily holds incoming messages in MAIL.BOX until space is available in the mail file.
After an interval, the Router tries to deliver the message. If the user has sufficiently reduced
the size of the mail database by the next scheduled delivery attempt, the mail is delivered.
Messages that cannot be delivered before the expiration time (default =1 day) are returned to
the sender as undeliverable. If you choose this option, the document displays additional
fields where you can specify how the server handles held messages.
Note: To prevent an excessive number of messages from accumulating in MAIL.BOX when
this option is selected, it’s best to have Domino calculate database size based on usage, rather
than file size.
7. If you selected ″Hold mail and Retry″ in the ″Over Quota Enforcement″ field, complete the following:
Field Description
Attempt delivery Pending messages may be of different sizes. A mail file that has reached its quota may have
of each message sufficient space available to fit some messages, but not others. Use this field to specify whether
the Router delivers messages small enough to fit the available space in a destination mail file.
Choose one:
v Enabled - The Router attempts delivery of each new message. Messages that fit the available
space are delivered. Other messages are held.
v Disabled - After a mail file reaches its quota, the Router holds all messages until the file size
is reduced.
Maximum number Specifies the maximum number of messages that the Router will hold in MAIL.BOX for a
of messages to given mail file. After the number of pending messages reaches the specified number, the
hold per user Router returns a delivery failure report to the sender of each additional message in first-in,
first-out order.
Maximum message Specifies the maximum size, in KB, of messages that the Router can hold in MAIL.BOX for
size to hold over quota users. If a message larger than the specified size is received for the user, the Router
returns a delivery failure report to the sender.
Overriding quotas: Administrators can provide users who are over quota with temporary access to their
new mail by:
v Modifying the quota currently in effect for the user’s database.
v Changing the Router setting, so that the Router ignores database quotas and delivers mail. If you set
the Router to ignore database quotas, all users who exceed their quotas are able to receive mail.
Mail rules automatically handle mail in a variety of situations. By configuring a set of conditions and
actions, you can customize rules to block spam mail or intercept messages with questionable content. For
example, you could create a rule that rejects mail with subjects like ″make money fast″ or that comes
from a known spam vendor. Similarly you can restrict users from receiving message attachments that do
not have a business purpose by setting up a rule to intercept messages that contain attachments of certain
file types (EXE, VBS, VBE, SCR, and so forth) and redirect them to a quarantine database where they
could be reviewed by an administrator and optionally sent on to the intended recipient.
Except where a rule action explicitly indicates, Domino does not notify the sender or recipient if a rule
prevents a message from reaching its destination. For example, if a rule results in a message being routed
to a graveyard database, Domino does not generate a delivery failure report or indicate to the intended
recipients that a message for them has been intercepted. By contrast, if a message triggers a rule with the
specified two-part action ″Don’t deliver message/ Send NDR,″ the sender receives a delivery failure
report stating that the message was rejected for policy reasons.
Note: Although Domino does not generate a notification to the sender when a rule condition triggers the
action ″don’t accept message,″ because rules execute as mail is deposited to MAIL.BOX, the sender may
still receive notification that the message was rejected. For example, when the Domino SMTP listener
refuses a message because of a mail rule, the sending SMTP server receives the error indicating that the
transaction was rejected for policy reasons. Typically, servers receiving this type of error generate a
delivery failure report to the sending user. Similarly, when a mail rule prevents the server from accepting
a message, a Notes client attempting to deposit the message in MAIL.BOX displays an error indicating
that the message cannot be sent.
Mail rules are not intended to serve as an anti-virus solution and should not be considered a replacement
for anti-virus software. Although you can configure rules to quarantine messages with known virus
attachments, the available rule actions do not include typical anti-virus features such as generating
warnings upon detecting a virus or automatically disinfecting files.
Domino stores the mail rules you create in the Configuration Settings document. On startup, each server
retrieves from the appropriate Configuration Settings document and registers them as monitors on each
MAIL.BOX database in use.
Whenever MAIL.BOX receives a new message from any source -- the SMTP process, the Router on
another server, or a client depositing a message -- the server evaluates the various message fields against
the registered mail rules. Each message is evaluated only once. Additional updates occurring after a
message is added to MAIL.BOX -- such as updates to reflect the number of recipients handled -- do not
cause reevaluation of the rules.
Note: The stop processing action requires new formula language that is available on Domino server
versions 6.0.3, 6.5, or more recent. The stop processing rule does not execute correctly on Domino servers
released prior to versions 6.0.3 and 6.5. If mail is delivered to a Domino 5.x server with this rule defined,
the rule does not execute as expected and processing of mail server rules does not stop. Action that is
indicated by subsequent mail server rules would occur.
When you add a new rule, it takes effect only after the server reloads the mail rules. A reload is
automatically triggered if the Server task detects a rule change when performing its routine check of the
Configuration Settings document. This check occurs approximately every five minutes.
You can force the server to reload rules, using a console command.
Note: If you create a rule that includes a backslash, semicolon, comma, asterisk, or quotation mark, an
error message appears indicating that these characters are not allowed. This message does not yet display
for forward slashes, but forward slashes should not be used when setting rules.
1. Make sure you already have a Configuration Settings document for the server(s) where the rules will
apply.
If you are creating a new Configuration Settings document, complete the Group or Server name field
on the Basics tab, and then click Save & Close. Then reopen the document to begin adding rules.
If you attempt to add a new rule before saving a new document, you are prompted to save the
configuration before proceeding.
2. From the Domino Administrator, click the Configuration tab and expand the Messaging section.
3. Click Configurations.
4. Select the Configuration Settings document for the mail server or servers you want to administer,
and click Edit Configuration.
5. Click the Router/SMTP - Restrictions and Controls - Rules tab.
6. Click New Rule.
7. In the Specify Conditions section of the New Rule dialog box, set the criteria the server uses to
determine whether to apply a rule to a given message. A rule condition can include the following
components:
For example, if you selected the message item Attachment Name, selecting the qualifier
″is″ defines a rule that acts on all messages having an attached file with a name that
exactly matches the name you specify.
Value to check in message Specifies the content to search for in the target message item.
item
For example, if the target message item is Attachment Name and the qualifier is
″contains,″ enter .VBS to create a rule that acts on all messages having an attached file
with a name containing the string .VBS, including, LOVE-LETTER.VBS,
CLICK-THIS.VBS.TXT, and MY.VBS.CARD.EXE.
Note: When defining a match against a user’s name, specify the canonical format, for
example, UserName/Sales/East
v Text fields do not support wildcard values, such as the asterisk character (*). To
specify a search string for a target field, use the ″contains″ operator and enter the
search string in the accompanying text field. For example, as in the preceding
example, to search for an attached file with a name that contains the string .VBS,
create the condition ″Attachment Name contains .VBS,″ not ″Attachment Name is
*.VBS.″
v Search string text is not case sensitive.
v When indicating numeric values, always enter a numeral, rather than its text
equivalent (that is, enter 2, not two).
8. Click Add.
9. (Optional) Modify the condition by doing the following:
v Add more conditions, by selecting Condition, selecting ″AND″ or ″OR,″ and repeat Steps 7 and 8
for each new condition.
v Add an exception by selecting Exception and repeating Steps 7 through 9 for each exception. You
can add only one exception to a condition statement.
10. In the Specify Actions section specify the action to perform when a message arrives that matches the
condition statement, and click Add Action. You can specify one action per rule.
The following actions are available:
For information on enabling mail journaling, see the topic ″Mail journaling″ later in this chapter.
11. To save the rule and put it into effect immediately, click OK.
To save the rule but wait before putting it into effect, click the Off radio button at the top of the
dialog box, and then click OK.
12. (Optional) After you create several rules, you can rearrange them to indicate their relative priority.
The server executes each rule in turn, beginning with the rule at the top of the list. To change the
position of a rule, select it and click Move Up or Move Down. Place rules with security implications
higher in the list to ensure that the server processes them before other rules.
13. Click Save & Close.
14. The change takes affect the server task registers it or after the ″set rules″ command is received.
Transfer settings apply to messages sent using either Notes routing or SMTP.
Domino uses the maximum message size you specify as the upper limit of the low-priority size range.
Before specifying a low-priority size range, you must set a maximum message size.
The size restrictions you set in the Configuration Settings document apply to every message the Router
handles, regardless of whether the message is inbound or outbound, routed over Notes routing or over
SMTP. To set a unique size limit on some part of your messaging traffic, you must set up distinct routing
paths for that traffic and then create separate Configuration Settings documents for servers on those
paths. For example, if you want to place a 500KB limit on inbound SMTP mail and a 1000KB size limit on
Field Enter
Maximum message size The maximum message size in KB (thousands of bytes) the server accepts. The
Router rejects any messages that exceed this size for both transfer and delivery. The
default is 0 KB, which does not limit message size.
Send all messages as Choose one:
low-priority if message size is v Enabled
between
v Disabled (default)
If you choose Enabled, specify the lower limit of the size range in KB. By default the
lower limit is 50KB. The upper limit of the size range is defined in the field
Maximum message size. When enabled, messages with a size between the value
entered in this field and the value in the Maximum message size field are sent as
low-priority messages.
The change takes effect after the next Router configuration update. To put the new setting into effect
immediately, reload the routing configuration.
v Total message size is equal to the sum of the message text and the size of all attachments.
v You can change the default hours for routing low-priority mail.
For more information, see the topic ″Setting transfer limits″ later in this chapter.
v You can customize the text of delivery failure messages.
For more information, see the topics ″Customizing the text of mail failure messages″ later in this
chapter and ″Routing mail by priority″ earlier in this chapter.
v On Domino SMTP servers you can use the ESMTP SIZE extension to prevent inbound transfer of
messages that exceed the specified maximum message size. You can also use the outbound ESMTP
SIZE extension to configure Domino to honor size restrictions on a target server when transferring
outbound SMTP mail.
For information on setting the inbound and outbound SIZE extensions, see the topics ″Supporting
inbound SMTP extensions″ and ″Supporting outbound SMTP extensions″ later in this chapter.
For information on changing the default time for routing low-priority mail, and setting the Router to
ignore message priority, see the topics ″Setting transfer limits″ and ″Setting advanced transfer and
delivery controls″ later in this chapter.
The Router typically processes delayed messages within 5 minutes of the start of the low-priority time
range.
Forcing low-priority mail to route: By default, the Router delays low-priority mail until the low-priority
time range, even for servers in the same Notes Named Network. If you do not want to delay low-priority
mail you can:
v Set Domino to ignore message priority.
For information on configuring Domino to ignore message priority, see the topic ″Setting advanced
transfer and delivery controls″ later in this chapter.
v Change the low-priority time range in the Configuration Settings document.
For information on changing the low-priority time range, see the topic ″Setting transfer limits″ later in
this chapter.
v Use the ″ROUTE servername″ command at the console to force all mail in the transfer queue of the
specified server to route immediately.
For information on using the ROUTE command, see the appendix ″Server Commands.″
You can configure the Router to notify senders when low-priority mail is delayed. Of course, you should
also educate users about your policy on routing low-priority mail. When delay notifications are enabled,
the Router delivers a message to the sender of the delayed message that explains that the message is
being held until the specified routing time.
When a message is delayed, users receive an informational Delay report, which identifies the number and
addresses of the intended recipients and indicates that transfer is delayed until the low-priority time
range. The notification includes the headers of the original message, but not the message body, and
explains that no additional user action is required to deliver the message. You can also customize the text
of the notification to include additional information.
For information on customizing the text of a delay notification, see the topic ″Customizing the text of
mail failure messages″ later in this chapter.
For information on configuring Domino to send delay notifications when it holds low-priority messages,
see the topic ″Setting transfer limits″ earlier in this chapter. For information on setting size limits on
messages, see the topic ″Restricting mail routing based on message size″ earlier in this chapter.
Normally, a server sends only one delay notification for each message. However, restarting a server or
Router can result in duplicate delay notifications. Also, a user may receive multiple delay reports for a
message that is delayed by servers at successive hops along the routing path. Servers at successive hops
can each send a delay report if delay notifications are enabled and they each receive the message before
their configured low-priority routing time and buffer time.
For example if a first hop server has a low-priority range of 12:00 AM to 3:00 AM and receives a
low-priority message at 11:30 PM, it generates a delay notification. At the start of the low-priority routing
time, the server routes the message to the next hop server. If this server also defers low-priority mail and
has a low-priority range of 4:00 AM to 6:00 AM, it generates an additional delay notification.
By default, the Router does not send delay notifications for low-priority messages that a user sends
within the low-priority time range or a buffer time of 30 minutes before the start of the time range. You
can alter the default behavior by adding the variable RouterLPDelayNotifyBufferTime to the NOTES.INI
file and setting its value to the length of the desired buffer time, in minutes. For example, if you would
like to prevent low-priority messages sent within an hour of the start of the time range from generating a
delay notification, enter the following line in the NOTES.INI file:
RouterLPDelayNotifyBufferTime=60
Exceptions to sending delay notifications: The Router does not send delay notifications in the following
cases:
v If you enabled the following setting in the Configuration Settings document: Router/SMTP -
Restrictions and Controls - Advanced - Controls- Advanced transfer controls - Ignore message priority.
v When inbound SMTP messages include a Delivery Status Notification (DSN) request that is set to
NOTIFY=NEVER. Only DSN requests with the value NOTIFY=DELAY result in delay notifications.
v If the delayed message is a delivery failure report. For example, if a message is demoted to low
priority and delayed because its size exceeds the threshold for normal priority mail, the resulting delay
notification (which includes the original message) is not delayed.
v If a Notes client user sets the Delivery Reports option to None in the Delivery Options dialog box.
Restricting users from sending mail to groups listed in the Domino Directory
By default, all users can send mail to groups defined in the Domino Directory. To reduce unnecessary
mail traffic, you can edit the reader fields for a Group document to restrict access to the group, specifying
the users who are allowed to send mail to the group. Only users to whom you grant reader access can
send mail addressed to the group. Users who do not have reader access to the group will not be able see
the group name listed in the Domino Directory.
The restrictions apply to messages sent to either a group’s Notes address or its Internet address and to
messages originating from a Notes client as well as messages sent and received over SMTP (as from an
IMAP or Notes client). From a Notes client, a user who does not have permission to use the group
receives an error when attempting to send mail to the restricted group. If the same user attempts to mail
from a POP3 or IMAP client, the Router generates a Nondelivery report indicating that the sender is not
authorized to send mail to the specified recipient.
Field Enter
Maximum transfer threads The maximum number of server threads Domino creates to transfer messages
to all other servers. The value applies to both Notes routing and SMTP. The
Router sets a default maximum number of transfer threads based on server
memory. Letting the Router select the maximum number is usually best. If
you set the maximum number manually, set the maximum to between 1 and
25 threads, depending on server load.
Maximum concurrent transfer The maximum number of server threads the Domino Router can use to
threads transfer messages to a single destination. The value applies to both Notes
routing and SMTP.
For low-priority mail to route at the specified time, the Router must be
configured to obey message priority. If you configure the Router to ignore
message priority, low-priority mail does not receive special handling.
Low-priority delay notifications If you configure the Router to hold low-priority messages until a given time
period, message originators may not be aware of the reason for the delay. To
inform senders when low-priority messages are delayed, have the Router
automatically generate delay notifications. The Router can either generate
delay notifications for every low-priority message it holds or when it holds
messages for a specific reason only. Choose one:
v Disabled - The Router does not notify senders when messages are delayed
for priority reasons.
v Only if priority changed for policy reasons - The Router notifies senders of
priority-related delays only for messages that were designated low-priority
as the result of a size restriction.
v Only if user requested low-priority - The Router notifies senders of
priority-related delays only for messages that the sender designated as
low-priority.
v All low-priority messages -- The Router notifies senders of priority-related
delays for all low-priority messages.
Note: Domino Release 5.0.x used the variable RouterLowPriorityDelayNotify
in the server’s NOTES.INI file to control the use of low-priority delay
notifications. If this setting is present, it takes precedence over the setting
specified in the Configuration Settings document.
Initial transfer retry interval The time (in minutes) that the Router waits after a message transfer failure
before retrying the transfer. If failure recurs, Domino doubles the interval
before a second retry. If additional retries are needed, they occur at three
times the initial retry value.
The default interval is 15 minutes. Lower values increase the retry attempts
per hour and could possibly increase the success rate of routing the messages.
Higher values decrease the retry attempts per hour, resulting in longer
routing times.
The Router continues attempts to transfer a pending message until the age of
the message reaches the configured time-out value (by default, 24 hours).
After a message times out, the Router generates a delivery failure report to
the sender.
Expired message purge interval Specifies, in minutes, how often the Router checks MAIL.BOX for expired
messages to purge. The default is 15 minutes.
Values specified in the NOTES.INI file override settings in the Configuration Settings document. If
you use the NOTES.INI file to configure message transfer settings, the Domino server console
displays informational messages indicating that the setting can be specified in the Configuration
Settings document.
The change takes effect after the next Router configuration update. To put the new setting into effect
immediately, reload the routing configuration.
For information on how to reload the routing configuration, see the chapter ″Setting Up Mail
Routing.″
Enabling multiple concurrent transfer threads between Domino domains: In a Domino network,
message transfer over SMTP is always multithreaded, allowing multiple transfer threads to a single
destination. However, by default, Notes routing is multithreaded only for transfers within the local Notes
To transfer a message, the Router assigns a transfer thread to a message in its transfer queue. When
Notes routing is used, the transfer thread moves the message across the network by copying it from the
queue and writing it to the MAIL.BOX database on the destination server by means of a Notes remote
procedure call. Each transfer thread processes a single message for a single destination only. If a message
has multiple recipients at that destination, the thread deposits a single message addressed to all of them.
To send additional messages or send the same message to additional destinations, the Router must
activate additional transfer threads.
When the transfer queue has many messages for a given destination, the messages may be able to be
transferred more efficiently if the server can create multiple transfer threads to that destination. However,
for multiple transfer threads to improve efficiency there must be ample bandwidth on the connection
between the servers. On a slow link, multiple active threads are forced to contend for bandwidth, with no
resulting increase in the total throughput, thus defeating the purpose of multiple threads. Furthermore, if
a high proportion of the total transfer threads are busy on a slow link, the server may be unable to
transfer messages to destinations over other, faster links because of a lack of available threads.
For Notes routing, connections that rely on Connection documents, including connections to remote
domain servers, are typically slower than local domain connections; so, by default, Domino does not
allow multiple concurrent transfer threads to destinations that require a Connection document. To ensure
that message transfer is not adversely affected, alter only the default behavior servers that have
high-bandwidth connections to other Domino domains.
Note: When this variable is set, the server does not attempt to determine the connection speed or
number of messages pending for a particular destination. The server allows multiple concurrent
transfer threads, regardless of whether the speed of a particular connection justifies the additional
threads. The number of transfer threads for each destination remains limited by the value you set for
the number of Maximum concurrent transfer threads.
Setting the message time-out value: When the Router is unable to transfer a message on the first
attempt, it continues to attempt delivery at intervals, as specified in the ″Initial transfer retry interval″
field of the Configuration Settings document. If a message cannot be delivered (or forwarded to the next
server on the path to the user’s mail server) within a specified time-out period, the Router returns a
delivery failure report to the sender. By default, the message time-out value is 24 hours.
On the Internet, the time-out value for message transfer is typically five days - that is, if the next hop
server is unreachable, the connecting server continues to retry transfer for five days before giving up and
generating a delivery failure report.
Increasing the time-out value to n days may result in senders receiving a delivery failure report for
undeliverable mail n days after the message was sent.
Because each successive retry consumes server resources, a high volume of undeliverable mail can place a
significant extra load on the server. If you notice an increase in the amount of pending mail in
MAIL.BOX, examine messages to determine the validity of their origins and destinations. If a large
portion of pending messages are addressed to nonexistent users or originate from known or possible
spam mailers, consider resetting the time-out interval to a lower value. Using a lower time-out value
reduces the time before the server marks a message as undeliverable, thereby decreasing the number of
retries.
For information about managing undeliverable mail, see the topic ″Managing undeliverable mail in
MAIL.BOX″ later in this chapter.
For information about methods for unwanted mail before servers accept it, see the topic ″Restricting
SMTP inbound routing″ later in this chapter.
For information about using mail rules to process mail automatically, see the topic ″Setting server mail
rules″ earlier in this chapter.
Note: To specify a time-out period shorter than one day, specify the variable MailTimeoutMinutes in
the Item field in Step 5, and specify a time-out period, in minutes, in Step 6.
7. Click Save & Close.
Field Enter
Ignore message priority Choose one:
v Enabled - The Router sends all messages as Normal priority.
v Disabled - (default) The Router honors message priority settings assigned by the
sender or another server process.
Note: Do not enable this setting if you restricted Domino to routing messages of a
specified size as low priority and want to confine routing of large messages to the
specified low priority routing time.
Dynamic cost reset The time, in minutes, after which the Router resets the costs for the various connections.
interval For example, if the cost reset interval is 15 minutes and a network failure caused the
Router to increase a connection cost from 1 to 2, the Router resets the connection cost to
1 after the 15-minute cost reset interval.
7. Complete these fields in the Additional Controls section, and then click Save & Close:
Field Enter
Restrict name lookups to Choose one:
primary directory only v Enabled - The router can only look up names and groups in the Domino Directory for
the server’s Domino domain. The router cannot look up names and groups in other
directories that are available through Directory Assistance or Directory Catalog.
v Disabled - (default) The router can look up names and groups in any directories
available from the server.
Cluster failover Choose one:
v Disabled - If a recipient’s server is unavailable, the Router does not automatically route
mail through a clustered server.
v Enabled for last hop only - (default) When the Router detects that a recipient’s mail
server (the last hop in the routing path) is unavailable, it attempts to locate a clustered
server and transfer the message to that server. For example, Server1 routes a message
addressed to Jane Doe, whose mail file is on Server3. Server1 fails to connect to
Server3, which is unavailable. Server1 checks the Domino Directory to see if there are
any servers clustered with Server3. Server2 is clustered with Server3, so the Router on
Server1 attempts to connect to Server2. If the connection is successful, the Router
transfers the message to Server2.
v Enabled for all transfers in this domain - When the Router detects that a server for any
hop in the routing path is unavailable, it attempts to locate a server clustered with that
hop server. If the Router can find another clustered server, it transfers the message to
that server. For example, if the Router on Server 1 attempts to transfer to HubA but
HubA is unavailable, the Router checks the Domino Directory to see if there are any
servers clustered with HubA. Because HubB is clustered with HubA, the Router
attempts to connect to HubB. If the connection is successful, the Router transfers the
message from Server1 to HubB, which continues routing the message.
Hold undeliverable mail v Enabled - When the Router cannot transfer or deliver a message, it leaves the message
in MAIL.BOX rather than generate a delivery failure report. Select this option if you
want to be able to examine messages with failures. You can then access these messages
and either release them, forward them, or delete them
v Disabled - (default) When the Router cannot deliver a message, it generates a delivery
failure report.
Note: If you configure MAIL.BOX to hold undeliverable messages, examine the database
frequently to check for accumulated messages.
For more information on directory assistance, see the chapter ″Setting Up Directory Assistance.″ For
more information on clusters, see Administering Domino Clusters.
Managing undeliverable mail in MAIL.BOX: MAIL.BOX databases on the server may contain two
types of undeliverable messages: dead messages, designated by a stop sign icon; and held messages,
designated by a red exclamation point.
By default, when Domino cannot transfer or deliver a message -- for example, when the address is typed
incorrectly -- the Router returns a delivery failure report to the sender. If the Router can neither deliver
the message to its intended recipient (To, CC, or BCC) nor deliver the failure report to the sender -- for
example, when the recipient’s address is typed incorrectly and the sender’s mail server is unavailable --
the Router changes the routing state of a message to Dead.
A message that is marked Dead lists the originator of the message in the Recipients field and the address
to whom the originator first sent the message in the Intended Recipient field. You can correct addressing
errors in these fields to resend a delivery failure report to the originator or the original message to its
intended destination.
Undeliverable messages result when a server receives mail addressed to nonexistent local recipients.
Some undeliverable messages might be legitimate, as in the case where a recipient’s name is misspelled
or the intended recipient has left the organization. But a high volume of undeliverable messages may
represent what’s known as a ″dictionary attack″ in which a spam mailer attempts to harvest e-mail
addresses in a domain by guessing every possible user name in the domain. The attacker directs a bogus
mass-mailing to the target domain, using a list of names automatically generated by a script. The attacker
then uses delivery failure reports returned from the target domain to determine which names are valid.
Held messages: In some cases, rather than letting Domino generate delivery failure reports automatically,
you may want to examine messages before returning them. To trap undeliverable messages, you can
configure the Router to mark them as Held. For example, if you suspect that spam sites are using
delivery failure responses to test addresses in your organization, you can hold undeliverable mail to
eliminate this source of feedback.
When you configure the Router to hold undeliverable messages, each held message remains in
MAIL.BOX indefinitely and is processed only if an administrator releases the message.
Note: If you configure MAIL.BOX to hold undeliverable messages, examine the database frequently to
check for accumulated messages.
You can prevent servers from accepting mail addressed to nonexistent users by requiring Domino to
check whether a recipient has a Person document in the Domino Directory before it can accept a message.
For more information on configuring Domino to validate recipients before accepting messages, see the
topic ″Restricting users from receiving Internet mail″ later in this chapter.
The Router also changes the routing state of a message to Held when directed to do so by a mail rule.
By default, when you configure the Router to hold undeliverable mail, it does not mark messages as
Dead. Only if the Router cannot deliver a held message or its delivery failure report after you release it
for a final delivery attempt does the Router mark any message Dead.
For each held or dead message, the views in MAIL.BOX display information about when the server
received the message, as well as the sender and recipient, message size, and the reason why the message
failed. In addition, Dead messages display a Dead failure reason explaining why the message could not
be returned to the sender.
To check MAIL.BOX for undelivered mail: Periodically examine MAIL.BOX for messages, especially if you
configure MAIL.BOX to hold undeliverable messages.
1. From the Domino Administrator, select the server on which you want to resolve undelivered mail.
2. Click the Messaging - Mail tab.
3. Select the MAIL.BOX database you want to examine by clicking Servername Mailbox (mail.box). On
servers with multiple mailboxes, a separate view is available for each mailbox.
4. Check Held and Dead messages. You can do one of three things with undeliverable messages:
v Correct the addresses of the message recipients
v Release the messages to their intended recipients
v Delete the messages
To edit and release held or dead messages: Edit messages in MAIL.BOX to specify the destination address for
resending the original message or resulting delivery failure report. You can also edit the Subject line to
insert additional information about the message, such as the reason it was held or the name of the
original recipient.
1. In the MAIL.BOX database, select the Held or Dead message for which you want to correct addresses
and click CTRL-E to edit the message.
2. Edit the address in the Recipients field or Intended Recipient field as follows:
To edit the address of a held message:
To correct the destination address to which the Router resends an original message, edit the Recipient
field. You can specify a Notes address or an Internet address.
When you release held messages, the Router ignores the entry in the Intended Recipient field.
To edit the address of a dead message:
To correct the destination address to which the Router resends the original message, edit the address
in the Intended Recipient field, and click Release - Resend dead message to originally intended
recipient. You can specify a Notes address or an Internet address. The Router ignores the entry in the
Recipients field. The received message displays the original recipient address.
To correct the destination address to which the Router resends the delivery failure report for a dead
message, change the address in the Recipients field, and click Release - Return Non Delivery Report
to sender. You can specify a Notes address or an Internet address.
To release held and dead messages from MAIL.BOX: Depending on what caused a message to be retained in
MAIL.BOX, you may be able to successfully resend it to its originally intended recipients or return a
delivery failure report to the sender. For example, if messages were marked held or dead as a result of a
temporary network failure, you may be able to release messages to their destinations after restoring
network connections. Or, if a message failed to reach its destination because of a misspelled address, you
can resend it by correcting the address and releasing the message.
When deciding what to do with dead messages, always examine them carefully before taking action.
Check the message origin and the list of intended recipients, and determine the failure reason. If the
From or Recipients fields of a dead message are blank or contain invalid addresses, or if the failure
reason indicates a null SMTP reverse path, consider deleting the message, rather than releasing it.
1. From the Domino Administrator, select the server on which you want to resolve undelivered mail.
2. Click the Messaging - Mail tab.
If the Router cannot transfer or deliver a released message, it again marks the message
Held.
Resend selected held The Router attempts to resend the selected held messages to the originally intended
messages for a final time recipient (To, CC, or BCC) listed in the Recipients field. The Router ignores the entry in
the Intended Recipient field.
If the Router cannot deliver the messages to the recipients, it sends a nondelivery
failure report to the message originator and removes the message from MAIL.BOX. If
the delivery failure report cannot be sent, the Router marks the message Dead.
When you finish processing undeliverable messages, close the MAIL.BOX database.
To delete messages from MAIL.BOX: The Router automatically deletes sent messages from MAIL.BOX. If
you cannot resend a message or delivery failure report, or choose not to resend it, delete the message.
1. Select the Held or Dead to delete.
2. Click Delete Message. The messages are marked for deletion.
3. Press F9, and click Yes when prompted to delete the document.
Customizing the text of mail failure messages: You can customize the text of messages that Domino
sends when various mail failures occur. The text you specify is added to the default text for the message.
Customize messages to provide text in multiple languages or supply users with additional information
about how to respond to a failure. For example, add text that provides the phone number to call in case a
mail message does not reach your server.
You can enter customized text directly on the Configuration Settings document or create text files for
each customized message and then use the Configuration Settings document to specify the location of
each file.
1. Make sure you already have a Configuration Settings document for the server(s) to be configured.
2. From the Domino Administrator, click the Configuration tab and expand the Messaging section.
Method Description
Text file The Router adds customized text to failure messages from external files. For each
condition listed, enter the complete path to a text file that contains customized text you
want to add to the default failure message.
Text The Router adds customized text to failure messages from text entered in the
Configuration Settings document. For each condition listed, enter the customized text you
want to add to the default failure message.
Field Enter
Transfer failure Transfer failures occur when there is a transient connection failure between the servers --
for example, a network problem.
If you specified Text in Step 6, enter text to add to the default transfer failure message;
otherwise specify the path to a file containing the text -- for example,
C:\DOMINO\DATA\TRANSFER.TXT.
Delivery failure Delivery failures occur when the server is unable to deliver the message to the recipient’s
mail file -- for example, if the recipient’s mail file has moved and the Domino Directory
has not been properly updated.
If you specified Text in Step 6, enter text to add to the default delivery failure message;
otherwise specify the path to a file containing the text -- for example,
C:\DOMINO\DATA\DELIVER.TXT.
Message expiration Message expiration failures occur when Domino cannot transfer the message to its
destination in a given period of time.
If you specified Text in Step 6, enter text to add to the default message expiration
notification; otherwise specify the path to a file containing the text -- for example,
C:\DOMINO\DATA\EXPIRE.TXT.
Domain failure Domain failures occur when Domino cannot identify the destination domain for a
recipient of a message. For example, if you send a message to jdoe@lotus.com and
Domino cannot locate lotus.com in either the Domino Directory or the DNS, the server
generates a domain failure message.
If you specified Text in Step 6, enter text to add to the default message for domain
failures, or specify the path to a file containing the text -- for example,
C:\DOMINO\DATA\DOMAIN.TXT.
Server failure Server failures occur when Domino cannot connect to the destination server. For
example, if you send a message to jdoe@lotus.com, and DNS instructs you to send mail
for the lotus.com domain to mail1.lotus.com but Domino cannot connect to
mail1.lotus.com, the sending Domino server generates a server failure message.
If you specified Text in Step 6, enter text to add to the default message for server failures;
otherwise, specify the path to a file containing the text -- for example,
C:\DOMINO\DATA\SERVER.TXT.
If you specified Text in Step 6, enter text to add to the default message for user name
failures; otherwise, specify the path to a file containing the text -- for example,
C:\DOMINO\DATA\USER.TXT.
Size failure Size failures occur when Domino rejects a message because its size is greater than the
maximum message size (which you can specify in the ″Maximum message size″ field on
the Restrictions and Controls - Restrictions tab of the Server Configuration document)
and generates a size failure message.
If you specified Text in Step 6, enter text to add to the default message for size failures;
otherwise, specify the path to a file containing the text -- for example,
C:\DOMINO\DATA\SIZE.TXT.
Restriction failure Restriction failures occur when Domino rejects a message based on outbound Router
restrictions. For example, if you send a message to jdoe@lotus.com, but lotus.com is listed
in the ″Deny messages from the following Internet addresses to be sent to the Internet″
field on the Router/SMTP - Restrictions and Controls - SMTP Outbound Controls tab of
the Server Configuration document, Domino rejects the message and generates a
restriction failure message.
If you specified Text in Step 6, enter text to add to the default message for restriction
failures; otherwise, specify the path to a file containing the text -- for example,
C:\DOMINO\DATA\RESTRICT.TXT.
Delay notification Low-priority routing delays occur when MAIL.BOX receives a message that is marked
low priority and the Router waits to process the message until the specified low-priority
routing time (12:00 AM to 6:00 AM by default). If low-priority delay notifications are
enabled for the message, the Router sends a delay notification to the originator’s address.
If you specified Text in Step 6, enter text to add to the default low-priority delay
notification; otherwise, specify the path to a file containing the text -- for example,
C:\DOMINO\DATA\DELAY.TXT
Note: Domino Release 5.0.x specified this file using the MailTextFileForTransferDelays
setting in the server’s NOTES.INI file. If this setting is present, it takes precedence over
the setting specified here.
Quota warning The Router sends Quota warning notifications to users whose mail files exceed their
notification configured quota warning threshold.
If you specified Text in Step 6, enter text to add to the default quota warning notification;
otherwise, specify the path to a file containing the text -- for example,
C:\DOMINO\DATA\WARNING.TXT.
Quota error notification The Router sends Quota error notifications to users whose mail files exceed their
configured quota.
If you specified Text in Step 6, enter text to add to the default quota error notification;
otherwise, specify the path to a file containing the text -- for example,
C:\DOMINO\DATA\QUOTA.TXT.
For information on setting inbound mail restrictions see the topics ″Restricting mail routing based on
message size″ earlier in this chapter and ″Restricting who can send Internet mail to your users″ later
in this chapter.
The change takes effect after the next Router configuration update. To put the new setting into effect
immediately, reload the routing configuration.
For information on how to reload the routing configuration, see the chapter ″Setting Up Mail
Routing.″
Default schedule: By default, Connection documents instruct the Router to connect to the destination
server to transfer mail every six hours between 8:00 AM and 10:00 PM, or whenever the number of
pending messages in MAIL.BOX reaches 5. You can customize the schedule to specify the number of
pending messages that trigger routing, as well as the day, time range, and repeat interval for a
connection.
Using Connection documents to control routing within a Notes Named Network (NNN): You can use
Connection documents to restrict routing within a NNN to a specified schedule. Connection documents
apply to both Notes routing and SMTP routing. In the absence of any Connection documents, the Router
transfers all mail within a NNN immediately, except for low-priority messages. If the Router is
configured to use both SMTP and Notes routing, it queues messages pending in MAIL.BOX for each
protocol separately. Regardless of the schedule, high-priority messages continue to route immediately.
Forcing mail to route to a specific server: To force the server to immediately route all pending mail to
another server, use the Route command at the server console.
Routing schedules and low-priority messages: Routing schedules in Connection documents do not
apply to low-priority messages. Low-priority messages route only during the configured low-priority
mail interval, even among servers in the same Notes named network.
You can configure Domino to designate messages over a certain size as low-priority and send them when
the server is less busy.
For more information on changing the priority of large messages and scheduling the low-priority mail
interval, see the topics ″Restricting mail routing based on message size″ and ″Setting transfer limits″
earlier in this chapter.
Field Enter
Schedule Choose one:
v Enabled to use this schedule to control connections between the specified servers.
v Disabled to cause the server to ignore the schedule.
Field Enter
Routing task Choose one or more:
v Mail Routing - (default) Enables Notes mail routing between the servers
v X400 Mail Routing - Enables routing of X.400 mail between servers in a system with an
X.400 Message Transfer Agent
v SMTP Mail Routing - Enables routing of Internet mail to a server that can connect to
the Internet
v ccMail Routing - Enables routing of cc:Mail mail between servers in a system with a
cc:Mail Message Transfer Agent
v None - The Connection document is not used to route mail between the servers
Route at once The number of normal-priority messages that accumulate before the server routes mail.
The default is 5.
Routing cost The relative cost of this server connection. Do not modify this cost unless you are an
experienced Domino administrator.
Router type How Domino routes mail between the servers.
The change takes effect after the next Router configuration update. To put the new setting into effect
immediately, reload the routing configuration.
For information on how to reload the routing configuration, see the chapter ″Setting Up Mail
Routing.″
For more information on Router types, see the chapter ″Setting Up Mail Routing.″
Example: Scheduling immediate 24 x 7 routing: To route mail immediately 24 hours a day, 7 days a
week, create a routing schedule for a 24-hour, 7-day period. Then set routing to begin as soon as
MAIL.BOX contains a single pending message.
1. Complete these fields in the Scheduled Connection section of the Connection document:
Field Enter
Schedule Enabled
Call at times 12:00 AM - 12:00 PM
Repeat interval Blank
Days of week Select Sun, Mon, Tue, Wed, Thu, Fri, Sat
Field Enter
Route at once if 1 message pending
3. Update the routing configuration to ensure that the new schedule takes effect.
The Router uses information in Server, Domain, and Connection documents to create the routing tables. A
LAN connection has low cost; a dialup modem connection has high cost. By default, each LAN
connection has a cost of 1, while each dialup modem connection has a cost of 5.
If server connections are disrupted or a network fails, the Router selects an alternate path and increases
the cost for the path that failed.
The routing tables reside in memory and are dynamic. When you restart the server or modify a
Connection, Server, Configuration Settings, or Domain document, the Router rebuilds the routing tables.
To override the default routing cost: You can override the default setting for the routing cost for a
connection. You can change this setting only for connections between servers in different Notes named
networks. Change the default routing cost for a connection only if you are an experienced Domino
administrator. Improperly changing routing costs can create routing loops and disable the Router’s
selection of an alternate route.
1. Make sure that you have already created the necessary Connection documents.
For more information on Connection documents, see the chapter ″Setting Up Server-to-Server
Connections.″
2. From the Domino Administrator, click the Configuration tab and expand the Messaging section.
3. Click Connections.
4. Select the Connection document for the server connection you want to configure, and click Edit
Connection.
5. Click the Replication/Routing tab.
Field Enter
Routing cost A number from 1 to 10. The default is 1. The Router chooses connections with lower cost
first; for example, the Router chooses a connection with a cost of 2 over a connection
with a cost of 3.
The change takes effect after the next Router configuration update. To put the new setting into effect
immediately, reload the routing configuration.
For information on how to reload the routing configuration, see the chapter ″Setting Up Mail
Routing.″
Note: SMTP can resolve names for group types of Mail-only or Multi-purpose. When you create or
modify the SMTP and Router settings in the Configuration Settings document, be sure to enter group
names that have a group type of Mail-only or Multi-purpose. This applies to settings on the Restrictions
tab, the SMTP Inbound Controls tab, and the SMTP Outbound Controls tab.
Field Enter
Allow mail only from Domino domains from which the server accepts mail. If you enter Domino domains in
domains this field, only messages from those domains can enter your domain over Notes routing.
Domino denies mail from all other Domino domains. For example, if you enter Lotus in
the field, Domino accepts only messages sent from the Lotus domain to your users.
Domino denies messages sent from all other Domino domains.
You can specify individual domain names or a group name. Group entries cannot contain
a domain part or dot (’.’). For example, the group with the name AllowMail is valid, but
the groups named Allow.iris.com or Allowmail@iris are not.
Note: This restriction does not affect mail in the local Domino domain.
You can specify individual domain names or a group name. Group entries cannot contain
a domain part or dot (’.’). For example, the group with the name DenyMail is valid, but
the groups named Deny.iris.com or Denymail@iris are not.
Note: This restriction does not affect mail in the local Domino domain.
Allow mail only from Organizations and/or organizational units from which the server accepts mail. If you
the following enter organizations and/or organizational units in this field, only messages from users in
organizations and those organizations and/or organizational units can enter your domain over Notes
organizational units routing. Domino denies mail from all other organizations and/or organizational units.
For example, if you enter */East/Lotus in the field, Domino accepts only messages from
the /East/Lotus organizational unit to your users. Domino denies messages from
organizations and/or organizational units other than */East/Lotus.
You can specify individual ogranization names, organizational unit names or a group
name.
Deny mail only from the Organizations and/or organizational units from which the server does not accept mail. If
following organizations you enter organizations or organizational units in this field, all messages except those
and organizational units from users in the organizations and/or organizational units in this field can enter your
domain over Notes routing. Domino denies mail only from organizations and/or
organizational units in this field. For example, if you enter */West/Lotus in the field,
Domino accepts messages from all organizations and organizational units except
/West/Lotus. Domino denies messages from the /West/Lotus organizational unit.
You can specify individual ogranization names, organizational unit names or a group
name.
Note: If you specify the same entry in an Allow field and a Deny field so there is a conflict between
the two fields, Domino denies messages for that entry. The Deny setting takes precedence for security
reasons. Avoid placing the same entry in both the Allow and Deny fields for the same setting.
The change takes effect after the next Router configuration update. To put the new setting into effect
immediately, reload the routing configuration.
For information on how to reload the routing configuration, see the chapter ″Setting Up Mail
Routing.″
If the SMTP listener task is enabled on the Basics tab of the Server document, the SMTP service starts
automatically when you start the server. You can stop and start the SMTP service manually from the
Domino Administrator client or the server console. The following table shows how to restart, stop, and
start the SMTP service using both methods.
Note: The SMTP Server task is represented in the server task list by three related subtasks. The status of
all three tasks changes when you change the status of any one of them.
As an alternative to restarting the SMTP service to incorporate configuration updates, you can use a
console command to refresh SMTP service parameters.
For information on using a console command to refresh the SMTP configuration, see the chapter ″Setting
Up Mail Routing.″
Configuring SMTP authentication options on servers that use Internet Site documents: On servers
that use Internet Site documents, the SMTP service obtains inbound port authentication settings from the
Security tab of the SMTP Site document, rather than from the Server document. As a result, when
Internet Site documents are used, the TCP/IP and SSL port authentication settings described in the
procedures that follow are not available in the Server document. Settings in the Server document
continue to provide the inbound SMTP port number and status and determine whether the Domino
server allows incoming connections from the authenticated user.
If the server uses Internet Site documents, and an Inbound SMTP Site document is not present in the
Domino Directory, or the authentication options in a configured Inbound SMTP Site document are set to
No, the SMTP service rejects incoming connections. In each case, connecting hosts receive the following
error when attempting to authenticate with the SMTP service:
This site is not enabled on the server.
For information on creating and using Internet Site documents, see the chapter ″Installing and Setting Up
Domino Servers.″
Ensuring that SMTP clients can connect to a nonstandard port: Because remote SMTP clients attempt
to connect to port 25 by default, if you specify a different port number, be sure to configure connecting
clients to use the new port, otherwise inbound SMTP connections will fail. This can cause routing
problems, especially if the server with the nonstandard SMTP port acts as a relay host for outbound
Internet mail.
To configure your other Domino servers to transfer outbound SMTP mail to a nonstandard SMTP port,
change the Outbound SMTP setting on the Port - Internet Ports - Mail tab of the Server document.
For example, if a server must initiate an SMTP session with a receiving server on which the SMTP task is
listening on port 26, set the SMTP Outbound port to 26 on the Server document of the initiating server.
Configuring SMTP port security: To prevent unauthorized access to the SMTP Listener and to protect
SMTP sessions from eavesdropping, you can require users and servers to provide name and password
credentials to authenticate with the server, and you can enable the use of SSL to encrypt both inbound
and outbound SMTP sessions.
On servers that support SSL, you can encrypt SMTP mail sessions by having the server send and receive
mail over the SSL port (port 465 by default). Domino also supports negotiated SSL for both inbound and
outbound sessions, which allows for encryption over the TCP/IP port between servers that support the
STARTTLS command.
For information on the STARTTLS command, see the topic ″Securing SMTP sessions using the STARTTLS
command″ later in this chapter.
You can restrict access to the SMTP listener so that only users who are allowed to access the server can
connect to the server’s inbound SMTP port. For more information on securing the SMTP port, refer to the
topic ″Changing the inbound SMTP port settings″ later in this chapter. For more information on
restricting server access, see the chapter ″Controlling Access to Domino Servers.″
Changing the inbound SMTP port settings: Inbound port settings affect how other SMTP hosts connect
to Domino. For inbound connections, you can specify TCP/IP port settings and SSL port settings. For
both ports you can define port numbers, port status, and the supported authentication methods.
Configuring SMTP authentication options on servers that use Internet Site documents: On servers that use
Internet Site documents, the SMTP service obtains port authentication settings from the Security tab of
the SMTP Inbound Site document, rather than from the Server document. As a result, when Internet Site
documents are used, you cannot use the Server document to configure TCP/IP and SSL authentication
settings for the SMTP port. Settings in the Server document still provide the port numbers and status for
the SMTP TCP/IP and SSL ports, and enable the SMTP ports to honor server access restrictions.
If the server uses Internet Site documents, then you must use Site documents to configure all Internet
protocols on the server. If an SMTP Site document is not present in the Domino Directory, or the
authentication options in a configured SMTP Site document are set to No, users cannot connect to the
SMTP service. In each case, SMTP clients receive the following error when attempting to connect to the
SMTP service:
This site is not enabled on the server.
For information on creating and using Internet Site documents, see the chapter ″Installing and Setting Up
Domino Servers.″
Changing the default port number: By default, after you enable the SMTP task, it ″listens″ for client
connections on TCP/IP port 25 on the Domino server. The default SMTP SSL port is port 465. In some
cases -- for example, on partitioned servers -- you might need to specify a port number other than the
default to avoid conflicts. You might also change the default port to a nonstandard port number to ″hide″
it from clients attempting to connect to the default port or if another application uses the default port on
the server.
Disabling the SMTP inbound TCP/IP port or SSL port prevents other servers from accessing the SMTP
Listener on that port.
Note: On servers with multiple TCP/IP ports, by default, the SMTP service uses the port listed first in
the NOTES.INI file as the preferred path. You can configure the service to use a different port.
For information on configuring the SMTP service on a server with multiple TCP/IP ports to use a specific
TCP/IP port, see the chapter ″Setting Up the Domino Network.″
Changing the default SMTP greeting: You can modify the default reply that the SMTP service sends in
response to a connecting host. By default, the Domino SMTP server reveals its host name and software
version to connecting clients. For security reasons, you can change the default greeting so that the server
does not disclose essential information. Use the variable SMTPGreeting in the NOTES.INI file to
customize the SMTP service greeting.
Field Enter
TCP/IP port number Choose 25 (default) to use the industry standard port for SMTP connections over
TCP/IP. You can specify a different port, but 25 works in most situations. When
specifying a nonstandard port, make sure the port is not reserved for another service.
Port numbers can be any number from 1 to 65535.
TCP/IP port status Choose one:
v Enabled (default) - SMTP clients can connect to the Domino SMTP service using the
designated TCP/IP port. Depending on the authentication options you choose, users
may have to supply a user name and Internet password to connect.
v Disabled - SMTP clients cannot connect to the Domino SMTP service using the
TCP/IP port.
Note: If you enable the TCP port, at least one authentication option must be set to Yes to save the
document.
Note: To support inbound SMTP connections, the server must have at least one SMTP port enabled
and be running the SMTP task.
4. Restart the SMTP task to put the new settings into effect.
As an alternative to restarting the SMTP service to incorporate configuration updates, you can use a
console command to refresh SMTP service parameters.
For information on using a console command to refresh the SMTP configuration, see the chapter
″Setting Up Mail Routing.″
If you change the default SMTP port, inbound SMTP connections fail if the connecting host is not
configured to use the new port. See the topic ″Ensuring that SMTP clients can connect to a
nonstandard port″ earlier in this chapter for information about configuring Domino servers to connect
to nonstandard SMTP ports.
Field Enter
SSL port number Choose 465 (default) to use the industry standard port for SMTP connections over SSL.
You can specify a different port, but 465 works in most situations. When specifying a
nonstandard port, make sure the port is not reserved for another service. Port numbers
can be any number from 1 to 65535.
SSL port status Choose one:
v Enabled - SMTP clients can connect to the Domino SMTP service using the designated
SSL port.
v Disabled (default) - SMTP clients cannot connect to the Domino SMTP service using
the designated SSL port.
Authentication options: Choose one:
Name & password v Yes - Enables the SSL port to support the SMTP AUTH command. POP3 and IMAP
clients, and remote SMTP servers that send AUTH, must supply a name and
password to connect to the SMTP service over the SSL port and transfer mail. To
allow remote SMTP servers that do not send the SMTP AUTH command to connect
to the SMTP service over this port, set Anonymous authentication to Yes.
v No - (default) Domino does not support name and password authentication for hosts
connecting to the SMTP service over the SSL port. If a connecting host sends AUTH,
Domino rejects the command and returns an error indicating that the command is not
implemented. If you choose No, you must set Anonymous authentication to Yes to
allow SMTP connections to this port.
Note: On servers supporting negotiated SSL on the inbound TCP/IP port (STARTTLS),
the setting in the SSL Name & password field -- not the setting in the TCP/IP Name &
password field -- determines whether the server accepts SMTP AUTH commands for
SSL-over-TCP/IP sessions.
Authentication options: If the ″SSL port status″ field is set to Enabled, choose one:
Anonymous v Yes - (default) The SMTP service allows clients and servers to connect to the SSL port
anonymously to transfer mail. If Anonymous is set to Yes and Name and password
authentication is also set to Yes, IMAP and POP3 clients are prompted to supply a
name and password when connecting to this port, but servers can connect
anonymously.
v No - The SMTP service does not allow anonymous connections over the SSL port.
IMAP and POP3 clients, and servers that send the SMTP AUTH command, may
connect to the SSL port if you set Name and password authentication for the port to
Yes.
6. Restart the SMTP task to put the new settings into effect.
As an alternative to restarting the SMTP service to incorporate configuration updates, you can use a
console command to refresh SMTP service parameters.
For information on using a console command to refresh the SMTP configuration, see the chapter
″Setting Up Mail Routing.″
If you change the default SSL port, inbound SMTP SSL connections fail unless the connecting host is
configured to use the new port.
For information about configuring Domino servers to connect to nonstandard SMTP ports, see the topic
″Ensuring that SMTP clients can connect to a nonstandard port″ earlier in this chapter.
Changing outbound SMTP port settings: Outbound SMTP port settings affect how Domino connects to
other SMTP servers. Change the default port numbers and the status of the TCP/IP and SSL ports to
match the settings on servers to which this server sends SMTP mail.
The outbound port settings apply to all outbound SMTP sessions. If you change an outbound port
number to a nonstandard value, the server cannot establish SMTP connections with servers that listen for
SMTP requests on the standard port. Similarly, if you set up the server to send SMTP over SSL only,
disabling the outbound SMTP TCP/IP port, the server cannot establish SMTP connections with a remote
server that accepts SMTP connections over the TCP/IP port only.
Field Enter
TCP/IP port number The number of the TCP/IP port on the remote server to which Domino attempts to connect
when initiating an SMTP session. The default and industry standard port for SMTP
connections over TCP/IP is 25. Specify a nonstandard port only if this Domino server
makes all of its outbound SMTP connections over TCP/IP to a server that uses the
nonstandard port.
TCP/IP port status Choose one:
v Enabled - The Domino SMTP Router connects to the designated TCP/IP port number on
a remote server to initiate an SMTP session. If the SSL port status is also set to Enabled,
the Router attempts to use the SSL port first and uses the TCP/IP port only if it cannot
connect to the SSL port.
v Disabled (default) - The Domino SMTP Router cannot initiate an SMTP session using the
TCP/IP port on a remote server.
v Negotiated SSL - The Domino SMTP Router connects to the designated TCP/IP port on a
remote server to initiate an SMTP session. If the remote server advertises STARTTLS
during the EHLO greeting, Domino issues a STARTTLS command to request that the
remainder of the session be encrypted using SSL. If the remote server does not support
STARTTLS, an unencrypted TCP/IP session ensues.
SSL port number The number of the SSL port on the remote server to which Domino attempts to connect
when initiating an SMTP session. The default and industry standard port for SMTP
connections over SSL is 465. Specify a nonstandard port only if this Domino server makes
all of its outbound SMTP connections over SSL to a server that uses the nonstandard port.
SSL port status Choose one:
v Enabled - The Domino SMTP Router connects to the designated SSL port number on a
remote server to initiate an SMTP session. If the Router cannot connect to the SSL port
and the TCP/IP port is also enabled on both the Domino server and the remote server,
Domino makes a second attempt to connect, using the designated TCP/IP port.
v Disabled (default) - The Domino SMTP Router cannot initiate SMTP sessions over the
SSL port of a remote server.
Securing SMTP sessions using the STARTTLS extension: SMTP sessions conducted over a standard
TCP/IP channel are vulnerable to eavesdropping because the unencoded transmission can be easily
intercepted. To protect SMTP communications, servers can use transport-layer security (TLS), more
commonly known as SSL encryption, to provide privacy and authentication.
To provide SSL security for SMTP transfers over TCP/IP, Domino supports the use of negotiated SSL. In
a negotiated SSL scheme, the sending and receiving hosts each use the SMTP STARTTLS extension,
defined in RFC 2487, to signal their readiness to negotiate an SSL connection. The receiving server
displays the STARTTLS keyword in response to the sending server’s EHLO command. The sending
server issues the STARTTLS command to request the creation of a secure connection. After the initial TLS
handshake completes successfully, the two parties proceed to set up an SSL channel between them. Both
the sending and receiving server must possess SSL certificates.
For more information on obtaining server certificates, see the chapter ″Setting Up SSL on a Domino
Server.″
Supporting STARTTLS for outbound SMTP sessions: A Domino server configured to use negotiated SSL for
outbound mail connects to the receiving server’s SMTP TCP/IP port (port 25 by default). If the initial
SMTP response from the receiving server indicates that it supports the STARTTLS extension, Domino
issues the STARTTLS command to request the use of SSL to encrypt the rest of the session.
If the receiving server did not advertise support for STARTTLS in response to the Domino server’s EHLO
command, the sending Domino server continues with an unencrypted SMTP TCP/IP session.
To enable outbound STARTTLS support, set the SMTP outbound TCP/IP port status to: Negotiated SSL.
Supporting STARTTLS for inbound SMTP sessions: You can configure Domino to support the STARTTLS
command for inbound SMTP transactions. When a Domino SMTP server is set to use negotiated SSL for
inbound sessions, the server advertises support for STARTTLS in response to EHLO commands the
TCP/IP port receives from connecting hosts. A connecting host can then issue the STARTTLS command
to request an encrypted session.
If Domino is configured to require STARTTLS for SMTP sessions over TCP/IP and a connecting host
cannot meet this demand, no mail is sent over the connection.
For information about enabling the ESMTP extension for inbound STARTTLS, see the topic ″Supporting
inbound SMTP extensions″ later in this chapter
Requiring name and password authentication for SMTP STARTTLS sessions: Enabling ESMTP support for
negotiated SSL allows a server to accept requests to use SSL over TCP/IP from remote servers that
connect anonymously. However, not all inbound connections are anonymous. A connecting SMTP server
may be configured to send Domino a name and password by means of the ESMTP AUTH command.
To support connections from SMTP clients that send a name and password during a negotiated SSL
session, set the value of the Name & password field for the SMTP inbound SSL port to Yes. You do not
Even though Domino receives the AUTH command over the TCP/IP port, Domino uses the SSL
name-and-password authentication settings to determine whether to accept the AUTH request because it
receives the command in the context of an SSL session. The Name & password authentication setting for
the TCP/IP port is ignored.
In addition, on servers that receive some of their inbound mail over Notes routing, you can restrict
routing based on Domino domains, organizations, and organizational units
Error handling of messages rejected by SMTP inbound controls: The inbound SMTP restrictions are
enforced by the SMTP Listener before a message is accepted, rather than by the Router after a message is
already in the system. This difference in where restrictions are enforced affects how errors are handled
when a message is rejected. When a Router restriction results in a message being rejected, Domino
returns a failure message stating the reason for the failure to the sender. Domino-generated nondelivery
reports contain default text, which you can customize. For example, when you configure a maximum
message size for a server, Domino checks the size of the message only after it is received in MAIL.BOX. If
the message exceeds the configured size, the Router generates a failure message to the sender.
However, if you set an SMTP restriction that causes Domino to reject an inbound message, the SMTP
listener returns a permanent error during the SMTP transfer; the message never enters the server. In this
case, it is the responsibility of the originating SMTP server to generate a failure message to the sender.
For example, if both the receiving Domino SMTP server and the sending SMTP server support the
ESMTP SIZE extension, and the Domino server is configured to honor a maximum message size, when
the Domino SMTP listener receives a message that exceeds the defined limit, it rejects the message before
it is ever received and returns a permanent error to the sending server. You cannot use Domino
administrative tools to customize the server’s SMTP response.
Using Extension Manager to customize the server’s SMTP response: You can control the content of
SMTP responses using SMTP logical function hooks available in the Extension Manager services of the
IBM Lotus C API Toolkit for Notes/Domino 7. For additional information, and to download the toolkit,
see the web site at http://www.lotus.com/capi .
Restricting inbound SMTP connections: To prevent your mail system from accepting unwanted mail,
Domino provides a set of controls that let you restrict incoming SMTP connections. The Inbound
Connection controls let you specify:
v Whether Domino checks the names of connecting hosts in DNS
v By host name or IP address, the remote hosts from which the server allows and denies connections
Chapter 30. Customizing the Domino Mail System 763
To determine whether a connection attempt is allowed or denied, the Domino SMTP task first checks the
remote host’s IP address, which the server’s TCP/IP stack reads from the incoming IP packet headers. If
the IP address does not match any entry in the Inbound Connection control fields, the SMTP task
performs a second check, querying DNS to obtain the host name for the given address. If the query is
successful, Domino compares the name obtained against the host names in Allow and Deny fields.
If you create a separate Configuration Settings document for your internal SMTP servers, you can use the
inbound connection controls to ensure that these internal servers accept SMTP connections from specific
SMTP hosts only. For example, configure servers to allow SMTP connections only from servers that
receive mail from the Internet. Restricting connections in this way prevents users with POP3 or IMAP
clients from sending mail through the server, helps you define valid outbound routing paths, and limits
the load on the server.
Note: SMTP can resolve names for group types of Mail-only or Multi-purpose. When you create or
modify the SMTP and Router settings in the Configuration Settings document, be sure to enter group
names that have a group type of Mail-only or Multi-purpose. These groups must be in the primary
directory. This applies to settings on the Restrictions tab, the SMTP Inbound Controls tab, and the SMTP
Outbound Controls tab.
In addition to these inbound connection controls, Domino provides two other means for blocking
connections: DNS blacklist filters and access to the SMTP Listener through Domino Extension Manager
(EM) services. DNS blacklist filters enable a server to check a host against one or more blacklists during
the SMTP conversation. If a connecting host matches an entry in a blacklist, you can configure the server
to reject the connection, tag any received messages, or record the transaction in the Notes Log.
For more information on DNS blacklist filters, see the topic ″Enabling DNS blacklist filters for SMTP
connections″ later in this chapter.
Extension Manager (EM) services allow developers to access some functions of the SMTP Listener task.
The Extension Manager (EM) allows an executable program library, such as a dynamic link library or
shared object library, to register a callback routine that will be called before, after, or before and after
Domino performs selected internal operations. Using EM hooks in the SMTP Listener can extend current
functionality by providing:
v Additional anti-spam controls
v Custom address translation
v Custom SMTP responses
v Interception of messages
The Domino C API header file EXTMGR.H, included in the Software Development Kit, defines symbols
for the supported Extension Manager notification events and types. For additional information on the
Extension Manager and registering callback routines, see the Lotus C API Toolkit for Notes/Domino 7.
The toolkit is available at http://www.lotus.com/capi .
Field Enter
Verify connecting host Choose one:
name in DNS v Enabled - Domino verifies the name of the connecting host by performing a reverse
DNS lookup. Domino checks DNS for a PTR record that matches the IP address of the
connecting host to a host name. If Domino cannot determine the name of the remote
host because DNS is not available or no PTR record exists, it does not allow the host to
transfer mail. Although Domino accepts the initial connection, later in the SMTP
transaction it returns an error to the connecting host in response to the MAIL FROM
command.
Note: Internet SMTP hosts are not required to have PTR entries in DNS. As a result,
when this field is enabled, the SMTP task may reject connections from valid SMTP hosts.
v Disabled - (default) Domino does not check DNS to verify the name of the connecting
host.
Allow connections only The host names, group names, and/or IP addresses allowed to connect to the SMTP
from the following service on this server. If you enter host names and/or IP addresses in this field, only
SMTP Internet host servers matching these entries can connect to the SMTP listener; connection requests from
names/IP addresses all other servers are denied.
Host name entries may be complete, as in the fully qualified host name of a particular
server, or partial and imply the existence of a wildcard. That is, if you enter:
abc.com
Domino extends accepts only connections from mail hosts in the domains represented by
*abc.com, that is, all host names ending in abc.com, including smtp.abc.com and
mailhost.abc.com. Domino rejects all other connection requests.
If you specify host name entries, each time a host connects, Domino checks DNS for a
PTR record for the connecting host. If Domino cannot resolve the IP address to a host
name because DNS is unavailable or no PTR record exists, no mail is accepted from the
connection.
Deny connections from The host names, group name, and/or IP addresses that are not allowed to connect to the
the following SMTP SMTP service on this server. If you enter host names and/or IP addresses in this field, all
Internet host names/IP servers except those matching entries in this field can connect to the SMTP listener;
addresses connection requests are denied only for servers matching the entries in this field.
Host name entries may be complete, as in the fully qualified host name of a particular
server, or partial and use an implied wildcard. That is, if you enter:
abc.com
Domino implicitly extends the restriction to all mail hosts within the denied domain,
denying connections from *abc.com, that is, all hosts in the abc.com domain, including
smtp.abc.com and mailhost.abc.com.
Do not use a leading dot (.) in an entry; for example, .abc.com. Because Domino does not
match the leading dot, the entry .abc.com does not prevent connections originating from
the domain abc.com.
7. Reload the SMTP task or update the SMTP configuration to put changes into effect.
Note: Be careful not to specify the same entry in an Allow field and a Deny field because Domino will
deny messages for that entry. The Deny setting takes precedence for security reasons.
How Domino uses reverse DNS lookups to control inbound SMTP sessions: Domino’s inbound relay
controls, DNS blacklist filters, and inbound connection controls allow or deny mail based on where
messages originate. For these controls to work, Domino must be able to identify the connecting host’s IP
address, host name, and Internet domain.
Domino obtains this information from two sources: the IP stack and the Domain Name Service (DNS).
When a host originates a connection to the Domino SMTP service, the connecting host passes its IP
address to the IP stack of the computer running the Domino server. The SMTP service reads the IP
address directly from this source.
For Domino to obtain host name and domain information, it must have access to the Domain Name
Service (DNS) and be able to locate a PTR record for the connecting host. A PTR record resolves an IP
address to a host name.
To request a PTR record, the Domino SMTP listener performs a reverse lookup to the DNS. From the host
name returned by this query, Domino parses out the domain name of the connecting host, comparing this
domain name to the list of local Internet domains in the Global domain document. Hosts from domains
listed in the Local primary Internet domain or Alternate Internet domain aliases fields of the Global
Domain document are considered to be part of the local Internet domain; all others are treated as external
hosts.
Preventing unauthorized SMTPhosts from using Domino as a relay: To protect SMTP servers from
unauthorized relaying, Domino provides inbound relay controls used to define the hosts to which and
from which a server can relay messages. The Domino SMTP listener denies requests to relay messages to
or from unauthorized hosts.
Setting and enforcing inbound relay controls: To prevent misuse of your system, configure Domino to
prevent open relaying, while allowing relays originating from and destined for known domains and
hosts. By default, a new Domino SMTP server prevents external hosts from relaying mail to any
destination. You can further customize Domino’s anti-relay controls to specify when relays are and are
not allowed.
The Router/SMTP - Restrictions and Controls - SMTP Inbound Controls tab of the Configuration Settings
document provides two sets of controls for managing relay access:
v Inbound relay controls
v Inbound relay enforcement
Use the Inbound relay controls to restrict relays by destination and origin. Use the relay enforcement
controls to selectively apply the relay restrictions based on the originator’s relation to the local Internet
domain, host name, or authentication status.
Open relays: An SMTP server that indiscriminately accepts mail from outside the local Internet domain
and attempts to dispatch it to another external destination is known variously as a spam relay,
third-party relay, or open relay host (open relay, for short). Leaving a mail server open to use by
anonymous third parties is generally considered irresponsible, largely because open relays are often the
target of Internet mass-mailers who use them to distribute unsolicited commercial e-mail (UCE),
When someone reads a spam message that has been relayed through one of your SMTP servers, the
message appears to originate in your Internet domain. In other words, your organization seems to be
linked with the spam source.
Not only does relaying spam reflect badly on your organization, but there are other more serious and
costly implications. Relayed mail consumes network bandwidth and server resources, reducing your
system’s ability to handle legitimate mail. As mail backs up, administrators and help desk personnel are
faced with service interruptions and the task of sorting out the backlog of undeliverable messages.
Failure to restrict access to an open relay could result in the server being reported on Internet blacklists.
Because SMTP hosts in many organizations will not accept mail from blacklisted servers, if your
outbound mail server is blacklisted, your organization may be unable to transfer mail to other Internet
domains.
Setting inbound relay controls: To block relays to a specific domain or from a specific host, set restrictions
in the inbound relay controls on the Router/SMTP - Restrictions and Controls - SMTP Inbound Controls
tab of the Configuration Settings document.
In determining whether to allow a relay, Domino checks the original sender, not just the last hop domain.
This prevents people from routing from a denied source through an accepted one to your domain.
Note: SMTP can resolve names for group types of Mail-only or Multi-purpose. When you create or
modify the SMTP and Router settings in the Configuration Settings document, be sure to enter group
names that have a group type of Mail-only or Multi-purpose. These groups must be in the primary
directory. This applies to settings on the Restrictions tab, the SMTP Inbound Controls tab, and the SMTP
Outbound Controls tab.
To name a domain explicitly, prefix an @ sign to the entry. For example, if you enter
@xyz.com the server relays messages only if the domain part of the address matches
xyz.com exactly, such as User@xyz.com. Messages to addresses in other domains that end
in xyz.com, such as User@uvwxyz.com or User@abc.xyz.com, are denied.
Prefix a percent sign (%) to specify the name of a Domino domain to which mail can be
sent; for example, enter %AcmeEast to specify that the server can send mail to the
Domino domain AcmeEast.
Group entries cannot contain a domain part or dot (’.’). For example, the group with the
name AllowMail is valid, but the groups named Allow.iris.com or Allowmail@iris are not.
Deny messages to be Internet domains to which Domino will not relay messages. An asterisk (*) in this field
sent to the following prevents Domino from relaying messages to any external Internet domain.
external Internet
domains Domino denies only messages destined for recipient addresses in the specified domains.
All other messages may relay.
For example, if you enter abc.com in the field, Domino relays messages to recipients in
all external Internet domains except abc.com. Domino denies messages for recipients in
the abc.com domain.
To name a domain explicitly, prefix an @ sign to the entry. For example, if you enter
@xyz.com, the server rejects messages addressed to users if the domain part of the
address matches xyz.com exactly, such as user@xyz.com, but allows messages to relay to
other domains that end in xyz.com, such as user@server.xyz.com.
Prefix a percent sign (%) to specify a Domino domain name; for example, entering
%AcmeEast specifies the Domino domain AcmeEast. This lets you prevent SMTP users
from sending mail to certain internal Domino domains or even foreign domain servers,
such as FAX systems.
Group entries cannot contain a domain part or dot (’.’). For example, the group with the
name DenyMail is valid, but the groups named Deny.iris.com or Denymail@iris are not.
Allow messages only Specifies the hosts or domains that the Domino SMTP service allows to relay outbound
from the following Internet mail. If this field contains valid entries, Domino allows only servers matching
Internet hosts to be sent these entries to relay. Message relays from other servers are denied. You can specify
to external Internet individual host names or a group name.
domains
Enter host names or IP addresses to designate the sites that are authorized to use
Domino to relay messages to recipients outside your local Internet domain. For example,
if you enter lotus.com or ibm.com in the field, Domino accepts messages for recipients in
external Internet domains only from servers with host names that end in lotus.com or
ibm.com. Domino rejects messages for external recipients from any server not listed in
this field.
Enter host names or IP addresses to designate the sites that cannot use Domino to relay
messages to recipients outside the local Internet domain.
For example, you enter lotus.com in the field. Domino accepts messages to recipients in
external Internet domains from all servers except those with host names ending in
lotus.com. Domino denies messages to recipients in external Internet domains from
servers in the lotus.com domain.
An asterisk (*) in this field prevents Domino from relaying messages from any host
subject to the relay controls.
7. Reload the SMTP task, or update the SMTP configuration to put the changes into effect.
v You can use an asterisk (*) to indicate ″all domains.″ For example, putting * in an Allow field
allows all hosts in all domains to perform that operation.
v Wildcards may be used in place of an entire subnet address; for example, [127.*.0.1]. Wildcards are
not valid for representing values in a range -- for example, the entry [123.234.45-*.0-255] is not valid
because the asterisk is used to represent the high-end value of the range that begins with 45.
v When entering multiple addresses, separate them with carriage returns; after the document is
saved, Domino automatically reformats the list, inserting semicolons between the entries.
v When entering an IP address, enclose it within square brackets; for example, [127.0.0.1].
How Domino resolves conflicts between settings in the inbound relay controls: When there is a conflict between
the allowed and denied relay destinations, and the allowed/denied relay sources, the entry in the
″Allow″ field takes precedence. Thus, a host that you explicitly allow to relay can always relay to any
destination, including denied destinations. Similarly, if you allow relays to a given domain, all hosts can
relay to that destination, including hosts to which you have explicitly denied relaying. Denied hosts
cannot relay to domains other than those that you specifically list in the Allow field. The following table
provides several examples of how Domino resolves conflicts between entries in the Allow and Deny
fields of the Inbound relay controls.
Example of conflict between an allowed relay destination and denied relay source:
Example of conflict between a denied relay destination and allowed relay source:
Example of conflict between allowed and denied relay destinations: If the same entry is placed in the list of
allowed and denied destinations, or the list of allowed and denied sources, Domino honors the entry in
the Deny list. For example, Domino rejects relays to xyz.com if you configure the relay controls as
follows:
Field Entry
Allow messages to be sent only to the xyz.com, abc.com, qrs.com
following external internet domains:
Deny messages to be sent to the xyz.com
following external internet domains: (*
means all)
Specifying enforcement of inbound relay controls: When you first create a Configuration Settings document
for a server, by default, the SMTP inbound relay controls, or anti-relay settings, apply to all external hosts
only, that is, to hosts that are not located in the local Internet domain. After you set inbound relay
controls, you can customize how Domino applies them by selecting inbound relay enforcement options.
The available options allow you to specify how strictly to enforce the relay controls by letting you exempt
certain hosts from enforcement. You can exempt hosts from relay enforcement based on:
v Domain location - By default, Domino enforces relay controls for hosts outside the local Internet
domain only. You can enforce stricter control by applying them to all connecting hosts or relax
enforcement entirely so Domino does not perform any relay checks (not recommended).
v Authentication status - By default, Domino applies relay controls to authenticated SMTP sessions. You
can relax enforcement by exempting all authenticated users from relay checks.
v Host name or IP address - By default, all external hosts are subject to relay controls. You can specify a
list of hosts (by IP address or host name) to exempt from relay checks.
Applying relay restrictions to internal hosts: By default, Domino enforces anti-relay settings for external
hosts only. Internal hosts are exempt from anti-relay checks so Domino does not consider an internal host
as a possible relay, even if it’s explicitly listed in the Inbound relay controls’ ″Deny messages from the
following Internet hosts to be sent to external Internet domains″ field.
Depending on your environment, you may want to extend the scope of enforcement by applying relay
restrictions to both internal and external hosts. This is equivalent to setting the variable
SMTPAllHostsExternal=1 in the NOTES.INI file.
Applying relay enforcement to internal hosts lets you achieve more secure and controlled routing. For
example, you can configure your Domino SMTP server so that only other Domino mail servers are
allowed to relay. By doing so you can prevent internal users who run other mail clients (for example,
POP or IMAP clients), as well as servers in other internal mail systems, from using the Domino SMTP
server to send mail to the Internet.
You might also enable relay enforcement for internal hosts if you have a Domino SMTP server that
receives mail from a dual-interface firewall server. For security purposes, some organizations may not
connect their Domino SMTP servers directly to the Internet, choosing instead to set up an internal SMTP
A host in the local Internet domain can always relay to external Internet domains unless it is explicitly
denied by an entry in the field ″Deny messages from the following internet hosts to be sent to external
internet domains.″
If the internal relay or the firewall does not implement its own relay controls, the Domino SMTP server
may then receive mail that is not destined for a local user. If the Domino server is set up to perform
anti-relay enforcement on external hosts only, then mail received from the internal relay or firewall is not
subject to the Inbound Relay Controls because the sending system, the relay or the firewall, belongs to
the same local Internet domain. Thus, when the Router determines that the Internet address listed in the
RCPT TO command has no match in the $Users view in the Domino Directory, it routes the message back
out to the Internet.
Note: SMTP can resolve names for group types of Mail-only or Multi-purpose. When you create or
modify the SMTP and Router settings in the Configuration Settings document, be sure to enter group
names that have a group type of Mail-only or Multi-purpose. These groups must be in the primary
directory. This applies to settings on the Restrictions tab, the SMTP Inbound Controls tab, and the SMTP
Outbound Controls tab.
Allowing relays from authenticated users connecting from outside the local domain: By default, if you deny
relaying for a domain or set of domains (for example, all external domains), all hosts in the denied
domains are subject to the relay controls. This level of restriction prevents remote IMAP or POP3 clients
that connect to Domino by way of Internet service providers (ISPs) in external domains from sending
outbound Internet mail because Domino does not recognize the source of the message as a valid relay
origin.
To ensure that Domino allows POP3 or IMAP users to send outbound Internet mail, you can customize
relay enforcement to allow all authenticated users to relay. After the Domino SMTP listener determines
that a connecting host has been authenticated, it treats the connection as though it originated from a local
user and exempts it from the Inbound relay controls.
Specifying enforcement exceptions based on host name or IP address: By default, after you deny relaying for a
domain, all hosts in that domain are subject to the relay controls. You can customize relay enforcement to
allow specific clients or servers in a domain to relay by entering host names or IP addresses in the field
″Exclude these connecting hosts from anti-relay checks.″ For each specified exception, Domino does not
enforce the inbound relay controls. Use exceptions to allow hosts outside the local Internet domain to use
the Domino SMTP server as a relay to send and receive their mail from the Internet, while still
preventing Domino from being used as an open relay by unauthorized Internet hosts.
Note: Because many ISPs use the dynamic host control protocol (DHCP) to assign IP addresses to each
connecting user, a user’s IP address may differ from session to session. As a result, specifying
enforcement exceptions based on host name or IP address is not effective for ensuring relay access for
IMAP and POP3 users who connect to Domino from an ISP. To ensure relay access for these users, enable
enforcement exceptions for authenticated users.
For more information on relay hosts and Global domain documents, see the chapter ″Setting Up Mail
Routing.″
Inbound Relay
Enforcement
Field Description
Perform Anti-relay Specifies the connections for which the server enforces the inbound relay controls.
enforcement for these Choose one:
connecting hosts v External hosts (default) - The server applies the inbound relay controls only to hosts
that connect to it from outside the local Internet domain. Hosts in the local Internet
domain are exempt from anti-relay restrictions. The local Internet domain is defined by
either a Global Domain document, if one exists, or as the Internet domain of the host
server.
v All connecting hosts - The server applies the Inbound relay controls to all hosts
attempting to relay mail to external Internet domains.
v None - The server ignores the settings in the Inbound relay controls. All hosts can
always relay.
Exceptions for Specifies whether users who supply login credentials when connecting to the server are
authenticated users exempt from enforcement of the inbound relay controls. Choose one:
v Perform anti-relay checks for authenticated users - The server does not allow
exceptions for authenticated users. Authenticated users are subject to the same
enforcement as non-authenticated users.
v Allow all authenticated users to relay - Users who log in with a valid name and
password are exempt from the applicable inbound relay controls. Use this to enable
relaying by POP3 or IMAP users who connect to the network from ISP accounts
outside the local Internet domain.
Exclude these connecting You create an exceptions list containing the IP addresses or host names of hosts that relay
hosts from anti-relay to any permitted domain. For each specified exception, the inbound relay controls will
checks not be enforced. Enter the IP addresses or host names of hosts to be exempted from the
restrictions specified in the Inbound relay controls section. You can also enter group
names in this field.
When entering an IP address, enclose it within square brackets; for example, [127.0.0.1].
You can use wildcards to represent an entire subnet address, but not to represent values
in a range. For example, [127.*.0.1] is valid; [123.123.12-*.123] is not.
7. Reload the SMTP task or update the SMTP configuration to put changes into effect.
How inbound anti-relay settings control message transfer to external Internet domains:
1. The SMTP listener receives a connection request.
2. The server performs a reverse DNS lookup, querying DNS to find the host name that matches the
connecting host’s IP address. If the address resolves to a name in one of the local Internet domains,
the host is considered internal. IP addresses that resolve to host names outside the local Internet
domains or that do not have DNS entries are considered external.
3. The server checks the setting in the field ″Perform Anti-Relay enforcement for these connecting hosts″
to determine whether anti-relay controls are enabled, and if so, whether they apply to all hosts or
external hosts only. If connections from the sending domain are not subject to inbound relay controls,
the server allows relays for this session.
4. If the relay controls apply, Domino next checks whether the host name appears in the field ″Exclude
these connecting hosts from anti-relay checks. ″If the host name is found, the server allows relays for
this session.
Note: A connecting host provides authentication credentials only when Domino requests them.
Because Domino closes the session if authentication is not successful, there is no case where Domino
needs to determine whether a host that could not authenticate might be allowed to relay.
6. The SMTP listener receives ″RCPT TO″ commands from the connecting host.
7. The server examines each recipient address to see if the message would be a relay to an external
domain. If so, the server checks the Inbound relay controls to determine:
v Whether the connecting host is allowed to relay
v Whether relays are allowed to the target domain
Matching for domain is performed by looking for the restricted domain name as a trailing substring
of the recipient’s domain. If you deny the domain spamme.com, you also deny the domain
you.spamme.com. Rejected recipients receive a failure status in response to the RCPT commands.
Enabling DNS blacklist filters for SMTP connections: To prevent unsolicited commercial e-mail (UCE),
or spam, from entering your system, you can set up Domino to check whether incoming SMTP
connections originate from servers listed in one or more DNS blacklists (DNSBLs). DNSBLs are databases
that keep a record of Internet SMTP hosts that are known sources of spam or permit third-party, open
relaying.
When DNS blacklist filters are enabled, for each incoming SMTP connection Domino performs a DNS
query against the blacklists at the specified sites. If a connecting host is found on the list, Domino reports
the event in a console message and in an entry to the Mail Routing Events view of the Notes Log. Both
the console message and log entry provide the host name and IP address of the server, and the name of
the site where the server was listed.
In addition to logging the event, you can configure Domino to reject messages from hosts on the blacklist
or to add a special Notes item to flag messages accepted from hosts on the list.
Specifying the DNS blacklist sites to check: After you enable the DNS blacklist filters, you can specify the
site or sites the SMTP task uses to determine if a connecting host is a ″known″ open relay or spam
source. Specify sites that support IP-based DNS blacklist queries.
If Domino finds a match for a connecting host in one of the blacklists, it does not continue checking the
lists for the other configured sites.
For performance reasons, it’s best to limit the number of sites because Domino performs a DNS lookup to
each site for each connection.
You can choose from a number of publicly available and private, paid subscription services that maintain
DNS blacklists. When using a public blacklist service, Domino performs DNS queries over the Internet. In
some cases, it may take a significant amount of time to resolve DNS queries submitted to an Internet site.
If the network latency of DNS queries made over the Internet results in slowed performance, consider
contracting with a private service that allows zone transfer, so that Domino can perform the required
DNS lookups to a local host. During a zone transfer, the contents of the DNS zone file at the service
provider are copied to a DNS server in the local network.
Each blacklist service uses its own criteria for adding servers to its list. Blacklist sites use automated tests
and other methods to confirm whether a suspected server is sending out spam or acting as an open relay.
The more restrictive blacklist sites add servers to their list as soon as they fail the automated tests and
By searching the Internet, you can find Internet sites that provide periodic reports on the number of
entries in various DNS blacklist services.
Hosts that are exempt from DNS blacklist checks: To avoid unnecessary DNS lookups, Domino performs
DNS blacklist checks only on hosts that are subject to relay checks, as specified in the SMTP inbound
relay restrictions. Any host that is authorized to relay is exempt from blacklist checks. For example, by
default, Domino enforces the inbound relay restrictions only for external hosts (Router/SMTP -
Restrictions and Controls - SMTP Inbound Controls - Perform Anti-Relay enforcement for these
connecting hosts). If the default setting is used, internal hosts are not subject to relay controls and thus
are also exempt from blacklist checks.
For more information on configuring relay enforcement, refer to the topic ″Setting inbound relay controls
to prevent unauthorized mail relaying″ earlier in this chapter.
Specifying how Domino handles connections from hosts found in a DNS blacklist: You can configure Domino to
take the following actions when it finds a connecting host on one of the blacklists:
v Log only
v Log and tag message
v Log and reject message
In each case, the server records the following information in the Notes log: the host’s IP address and host
name (if a reverse DNS lookup can determine this information) and the name of the site that listed the
host.
When tagging messages, Domino adds a special Note item to messages received from hosts found on a
blacklist. After Domino determines that a connecting host is on the blacklist, it adds the Note item,
$DNSBLSite, to each message it accepts from the host before depositing the message in MAIL.BOX. The
value of a $DNSBLSite item is the blacklist site in which the host was found. Administrators can use the
$DNSBLSite note item to provide custom handling of messages received from hosts listed in a blacklist.
For example, you can test for the presence of the item through the use of formula language in an agent
or view and provide conditional handling of messages that contain the item, such as moving the
messages to a special database.
When considering what action to take when Domino finds a host on the blacklist, choose an action that’s
consistent with the policies of the DNS blacklist site you use. For instance, if the service you use is very
restrictive, its blacklist may include ″false positives″; that is, it may blacklist hosts that are not known
sources of spam. As a result, if you take the action of rejecting mail from any host found on the blacklist,
it could prevent the receipt of important messages.
Use restraint when taking action, particularly if you use the blacklist of a more restrictive site. The action
you select applies to each of the specified blacklist sites. That is, you cannot configure Domino to deny
connections for hosts found on one site’s list and log the event only for hosts found on another site’s list.
DNS blacklist statistics: The SMTP task maintains statistics that track the total number of connecting hosts
that were found on the combined DNSBL of all sites combined, as well as how many were found on the
DNSBL of each configured site. Because the statistics are maintained by the SMTP task, they are
cumulative for the life of the task only and are lost when the task stops.
You can view the statistics from the Domino Administrator or by using the SHOW STAT SMTP command
from the server console. You can further expand the statistics to learn the number of times a given IP
address is found on one of the configured DNSBLs. To collect the expanded information, you set the
Note: Domino uses IP version 4 (IPv4) addresses when querying DNS blacklist sites to find out if a
connecting host is listed. If the connecting host has an IP version 6 (IPv6) address, Domino skips the
DNSBL check for that host.
Changing the default error message: When denying a blacklisted host, Domino returns to it a default SMTP
response, which includes the remote host’s IP address and the blacklist site that listed the host. You can
customize this response in the ″Custom error message for denied hosts″ field in the Configuration
Settings document. The text of a customized response can include the string format specifier ″%s″ to
represent a denied host’s IP address and the DNSBL site where the host was found. Refer to the table in
the following procedure for more information.
Field Enter
DNS Blacklist filters Choose one:
v Enabled - When Domino receives an SMTP connection request, it checks
whether the connecting host is listed in the blacklist at the specified sites.
v Disabled - Domino does not check whether a connecting host is on the
blacklist.
DNS Blacklist sites If DNS blacklist filters are enabled, specify the DNSBL sites to check when
Domino receives an SMTP connection request.
Desired action when connecting Choose one:
host is found in a DNS Blacklist v Log - When Domino finds that a connecting host is on the blacklist, it accepts
messages from the host and records the host name and IP address of the
connecting server and the name of the site where the server was listed.
v Log and tag message - When Domino finds that a connecting host is on the
blacklist, it accepts messages from the hosts, logs the host name and IP
address of the connecting server, and the name of the site where the server
was listed, and adds the Notes item $DNSBLSite to each accepted message.
v Log and reject message - When Domino finds that a connecting host is on the
blacklist, it rejects the connection and returns a configurable error message to
the host.
You can use the format specifier ″%s″ to specify the IP address of the denied
host and the DNS blacklist site where Domino found the host listed. For
example, if you enter the following:
Your host %s was found in the DNS Blacklist at %s
7. Reload the SMTP task, or update the SMTP configuration to put changes into effect.
Enabling DNS whitelist filters for SMTP connections: Use DNS whitelist filters as a means to help
identify legitimate email. When DNS whitelist filters are enabled, the SMTP listener task determines
whether a connecting host is a member of a DNS whitelist by relying on the results of a DNS query of a
DNS blacklist-style host name. If the query returns an IP address, the host is added to the whitelist and
the remaining DNS whitelists are not searched. If the host is not found in the DNS whitelist , processing
continues with DNS blacklist filters. If the query returns an error indicating that the host name is not
valid, the host is not added to the whitelist and may be subject to blacklist filtering if that is enabled.
Note: DNS whitelists can be used independently of blacklists but private blacklists override DNS
whitelists.
Enabling the use of DNS whitelist filters: This procedure assumes you have previously set up a
Configuration Settings document for the server on which you are enabling DNS whitelist filters.
1. From the Domino Administrator, click the Configuration tab and expand the Messaging section.
2. Click Configurations.
3. Select the Configuration Settings document for the server on which you are enabling DNS whitelist
filters.
4. Click Router / SMTP - Restrictions and Controls - SMTP Inbound Controls.
5. Complete these fields in the DNS Whitelist Filters section and then click Save and Close.
Field Action
DNS Whitelist Filters Note: DNS whitelist filtering applies only to hosts
subject to inbound relay enforcement.
DNS whitelist statistic: The SMTP listener task maintains a statistic to keep a cumulative count of the
number of connections accepted from DNS whitelisted hosts. The statistic, SMTP.DNSWL.TotalHits, can
be viewed using the Domino Administrator client, or by issuing this command from the server console:
show stat SMTP
To determine the number of times a particular IP address is listed in one of the configured DNS
whitelists, expand the statistic as shown:
SMTP.DNSWL.<WhitelistSite>.IP address.Hits
To collect the expanded information, set the NOTES.INI variable SMTPExpandDNSWLStats =1.
Enabling private blacklist filters for SMTP connections: Use private blacklists to specify hosts and/or
domains responsible for sending unnecessary, unwanted mail to your Internet domain. For consistency,
Domino’s private blacklists follow the model currently used by existing anit-spam functionality. Private
blacklists are stored in the Domino Directory to simplify the process of maintaining and distributing
blacklist information between servers.
When private blacklists are enabled, the SMTP listener task compares the names of hosts that may be
subject to relay enforcement against the private blacklist prior to performing DNS blacklist queries. This
prevents unnecessary DNS lookups. If the host is found in the private blacklist, the action specified in the
field ″Desired action when a connecting host is found in a private blacklist″ in the Private Blacklist Filters
section of the Configuration Settings document applies. If the host is not found in the private blacklists,
processing continues with DNS whitelist filters and then DNS blacklist filters.
Enabling the use of private blacklist filters: This procedure assumes you have previously set up a
Configuration Settings document for the server.
1. From the Domino Administrator, click the Configuration tab and expand the Messaging section.
2. Click Configurations.
3. Select the Configuration Settings document for the server on which you are enabling the private
blacklist filters.
4. Click Router / SMTP - Restrictions and Controls - SMTP Inbound Controls.
Field Action
Private Blacklist filter Note: Private blacklist filters apply only to hosts that are
subject to inbound relay enforcement.
Private blacklist statistic: The SMTP listener task maintains a cumulative count of the number of
connections accepted from blacklisted hosts, and stores that count in the SMTP.PrivateBL.TotalHits
statistic. The SMTP.PrivateBL.TotalHits statistic is part of the SMTP statistics package and can be viewed
using the Domino Administrator client or from the server console by entering the following command:
show stat SMTP
Enabling private whitelist filters for SMTP connections: Use Domino’s private whitelist filters to
specify exceptions to blacklist filters.
Prior to the introduction of private whitelist filters, to exclude a host from blacklist filter processing, you
had to either define the client’s mail server as a relay exception -- which creates a security risk, or disable
the DNS blacklists filters. Now you can use private whitelist filters to specify the hosts and/or domains
to exclude from blacklist processing. Hosts that are specified in private whitelists are exempt from
blacklist checks. Whitelisted hosts bypass blacklist filter checks but there are other controls which may
prevent the message from being accepted. Members of the private whitelist are still subjected to
connection, relay, sender, and recipient controls. Being whitelisted does not guarantee that the message
will be delivered to the recipient.
When private whitelists are enabled, the SMTP listener task compares hosts that may be subject to relay
enforcement against the defined private whitelist. If there is a match, the private blacklist, DNS whitelists,
and DNS blacklists are skipped. Otherwise, processing continues beginning with the private blacklist.
Setting up private whitelist filters: This procedure assumes you have previously set up a Configuration
Settings document for the server.
1. From the Domino Administrator, click the Configuration tab and expand the Messaging section.
2. Click Configurations.
3. Select the Configuration Settings document for the server on which you are enabling private whitelist
filters.
4. Click Router / SMTP - Restrictions and Controls - SMTP Inbound Controls.
5. Complete these fields in the Private Whitelist Filters section and then click Save and Close.
Field Action
Private Whitelist Filters Note: Private whitelist filtering applies only to hosts
subject to inbound relay enforcement.
Private whitelist statistic: The SMTP listener task maintains a statistic to keep a cumulative count of the
number of connections accepted from whitelisted hosts. The statistic, SMTP.PrivateWL.TotalHits, can be
viewed using the Domino Administrator client, or by issuing this command from the server console:
show stat SMTP
Restricting who can send Internet mail to your users: Unsolicited commercial e-mail (UCE) can flood
your server with numerous copies of the same message. Accepting UCE reduces performance and
consumes system resources. You can specify restrictions to prevent UCE from being routed to or relayed
through your server. Specifying restrictions prevents malicious users from using your system to spoof
addresses or send UCE.
To save system resources, before it accepts a message, the Domino SMTP listener checks the Mail From
address specified in the message envelope during the SMTP transaction. If you set the Domino server to
Note: SMTP can resolve names for group types of Mail-only or Multi-purpose. When you create or
modify the SMTP and Router settings in the Configuration Settings document, be sure to enter group
names that have a group type of Mail-only or Multi-purpose. These groups must be in the primary
directory. This applies to settings on the Restrictions tab, the SMTP Inbound Controls tab, and the SMTP
Outbound Controls tab.
During the SMTP conversation, the Domino SMTP listener compares the
address in the MAIL FROM command received from the connecting host with
the entries in this field.
For example, if you enter lotus.com in the field, Domino accepts incoming mail
only if the address in the MAIL FROM command ends in lotus.com. Domino
denies messages from all other Internet addresses.
You can create a Notes group containing a list of addresses from which to
allow messages and enter the group name in this field. A group entry is valid
only if it does not contain a domain part or dot (″.″). For example, the group
with the name group1 is valid, but the groups named iris.com or group2@iris
are not.
If you enter addresses in this field, all messages except those matching
addresses listed in this field can route to your users. Mail is denied only from
addresses matching the entries in this field.
For example, if you enter lotus.com in the field, Domino accepts messages
from all Internet addresses and domains except those ending in lotus.com.
Domino denies messages from senders whose addresses end in lotus.com.
You can create a Notes group containing a list of addresses from which to
deny messages and enter the group name in this field. A group entry is valid
only if it does not contain a domain part or dot (″.″). For example, the group
with the name group1 is valid, but the groups named iris.com or group2@iris
are not.
7. Reload the SMTP task, or update the SMTP configuration to put changes into effect.
Note: Be careful not to specify the same entry in an Allow field and a Deny field because Domino will
deny messages for that entry. The Deny setting takes precedence for security reasons.
Restricting users from receiving Internet mail: Domino provides SMTP intended recipient filters that
let you control the users for whom the server accepts mail sent over SMTP connections. One filter
triggers a directory lookup that enables the server to verify that an intended recipient exists before
accepting a message. The other two filters let you explicitly specify the Internet addresses that can and
cannot receive mail. To ensure that you don’t unintentionally block desirable mail, use discretion when
applying these settings.
During the SMTP conversation, the connecting host sends the Domino SMTP listener a RCPT TO
command, which specifies the recipient’s Internet address. Each of the Inbound Intended Recipient
Controls works by examining the addresses specified as arguments to the RCPT TO command. For
example, if you enable directory verification and the address specified in the RCPT TO command is in
the local Internet domain, the SMTP listener refers to the Domino Directory to determine whether the
address is valid. Messages for invalid addresses are rejected, preventing them from becoming ″dead″
messages in MAIL.BOX.
Note: Because enabling this setting results in messages for recipients not found in the directory being
rejected, do not use this setting in environments that require mail to be forwarded to a smart host for
further processing.
The ″Allow messages″ setting lets you list Internet addresses that are allowed to receive mail. If the RCPT
TO command contains one of the specified addresses, the SMTP listener accepts the message; messages
for all other recipients are rejected. The ″Deny messages″ setting lets you explicitly deny mail to certain
addresses. If the RCPT To command contains a denied address, the SMTP listener rejects the message, but
messages for all other recipients are accepted.
Note: If the server supports Local Part name lookups, users whose addresses are listed in the Deny field
may still receive mail addressed to any alternate Internet addresses configured for them. To ensure
greater control, specify the Internet address in each user’s Person document and allow users to receive
inbound mail destined for their fullname addresses only.
For information on restricting how Domino looks up recipient names, see the chapter ″Setting Up Mail
Routing.″
1. Make sure you already have a Configuration Settings document for the server(s) to be configured.
2. From the Domino Administrator, click the Configuration tab and expand the Messaging section.
3. Click Configurations.
4. Select the Configuration Settings document for the mail server or servers you want to administer, and
click Edit Configuration.
5. Click the Router/SMTP - Restrictions and Controls - SMTP Inbound Controls tab.
6. Complete these fields in the Inbound Intended Recipients Controls section, and then click Save &
Close:
Field Description
Verify that local domain Specifies whether the SMTP listener checks recipient names specified in RCPT TO
recipients exist in the Domino commands against entries in the Domino Directory
Directory
Choose one:
v Enabled - If the domain part of an address specified in an SMTP RCPT TO
command matches one of the configured local Internet domains, the SMTP listener
checks all configured directories to determine whether the specified recipient is a
valid user. If all lookups complete successfully and no matching user name is
found, the SMTP server returns a 550 permanent failure response indicating that
the user is unknown. For example:
Choosing this setting can help prevent messages sent to nonexistent users (for
example, spam messages and messages intended for users who have left the
organization) from accumulating in MAIL.BOX as dead mail.
To avoid unnecessary directory lookups, Domino applies this setting only after
performing all other configured SMTP inbound checks (inbound relay, sender, and
recipient controls).
Note: When this setting is enabled, and there is an entry in the field ″Local Internet
domain smart host″, messages that cannot be resolved are not accepted; therefore,
they will not be forwarded to the smart host. When this setting is enabled, and the
field ″Smart host is used for all local Internet domain recipients″ is enabled, only
those messages sent to recipients that can be resolved are accepted, and these will be
forwarded to the smart host.
v Disabled - (default) The SMTP listener does not check whether local domain
recipients specified in the RCPT TO command are listed in the Domino Directory.
You can create a Notes group containing a list of addresses allowed to receive mail
from the Internet and enter the group name in this field. A group entry is valid only
if it does not contain a domain part or dot (″.″). For example, the group with the
name group1 is valid, but the groups named yourdomain.com or
group2@yourdomain are not.
Deny messages intended for Internet addresses within the local Internet domain that are prohibited from
the following Internet receiving mail from the Internet. If you enter addresses in this field, all addresses
addresses except those listed in this field can receive Internet mail. Domino denies mail for
only the addresses in this field.
You can create a Notes group containing a list of addresses that cannot receive mail
from the Internet and enter the group name in this field. A group entry is valid only
if it does not contain a domain part or dot (″.″). For example, the group with the
name group1 is valid, but the groups named yourdomain.com or
group2@yourdomain are not.
Note: The SMTP listener accepts messages addressed to any variant of a user’s name that is not
explicitly denied and that is otherwise acceptable to Domino. For example, if you deny mail to
Kieran.Campion@acme.com, a message addressed to Kcampion@acme.com may be accepted and
delivered to the same user.
7. Reload the SMTP task, or update the SMTP configuration to put changes into effect.
Note: Be careful not to specify the same entry in an Allow field and a Deny field because Domino will
deny messages for that entry. The Deny setting takes precedence for security reasons.
Supporting inbound SMTP extensions: Domino supports a number of extended SMTP (ESMTP)
functions. These include the ability to combine (or ″pipeline″) commands, set the server to check message
size before accepting transfer, create a secure SSL connection with another server, and create delivery
status notifications in MIME format. You enable or disable each of these options in the Configuration
Settings document for the server or servers for which you want to use these extensions.
1. Make sure you already have a Configuration Settings document for the server(s) to be configured.
2. From the Domino Administrator, click the Configuration tab and expand the Messaging section.
3. Click Configurations.
4. Select the Configuration Settings document for the mail server or servers you want to administer, and
click Edit Configuration.
5. Click the Router/SMTP - Advanced - Commands and Extensions tab.
6. Complete these fields in the Inbound SMTP Commands and Extensions section, and then click Save &
Close:
For more information about the authentication settings required to support STARTTLS, see the topic
″Securing SMTP sessions using the STARTTLS command earlier in this chapter.″
7. Reload the SMTP task, or update the SMTP configuration to put changes into effect.
Note: Enabling VRFY and EXPN allows people outside your organization to expand group names and to
check for valid e-mail addresses in your organization. You may not want to enable these extensions for
security reasons.
To prevent an SMTP server from sending outbound messages that exceed the specified maximum size on
the destination server, set the outbound SMTP SIZE extension.
For information on enabling the outbound SMTP SIZE extension, see the topic ″Supporting outbound
SMTP extensions″ later in this chapter.
Restricting users from sending Internet mail: You can control the transfer of outbound mail from your
organization to the Internet. Domino provides two methods for restricting outbound Internet mail:
v Outbound sender controls - These controls specify which users in your organization are allowed to
send mail to the Internet.
v Outbound recipient controls - These controls specify the Internet destinations to which users can send
mail.
Setting outbound sender controls: The outbound sender controls let you specify who can and cannot send
mail to the Internet. The controls are implemented in two sets of Allow and Deny lists:
v Internet addresses of users who can/cannot send mail to the Internet
v Notes addresses of users who can/cannot send mail to the Internet
Domino sends a restriction failure message to restricted users who attempt to send outbound mail. You
can customize the text of mail failure messages.
For more information, see the topic ″Customizing the text of mail failure messages″ earlier in this chapter.
Note: SMTP can resolve names for group types of Mail-only or Multi-purpose. When you create or
modify the SMTP and Router settings in the Configuration Settings document, be sure to enter group
names that have a group type of Mail-only or Multi-purpose. These groups must be in the primary
directory. This applies to settings on the Restrictions tab, the SMTP Inbound Controls tab, and the SMTP
Outbound Controls tab.
For more information on setting the inbound relay controls, see the topic ″Setting inbound relay controls″
earlier in this chapter.
Note: Because you might unintentionally block desired mail, be careful when you use these fields.
1. Make sure you already have a Configuration Settings document for the server(s) to be configured.
2. From the Domino Administrator, click the Configuration tab and expand the Messaging section.
3. Click Configurations.
4. Select the Configuration Settings document for the mail server or servers you want to administer, and
click Edit Configuration.
5. Click the Router/SMTP - Restrictions and Controls - SMTP Outbound Controls tab.
6. Complete these fields in the Outbound Sender Controls section, and then click Save & Close:
Wildcards (for example, *acme.com) and isolated Internet domain suffixes (for
example, acme.com) are not acceptable values in this field.
Group entries cannot contain a domain part or dot (’.’). For example, the group
with the name DenyMail is valid, but the groups named Deny.iris.com or
Denymail@iris are not.
Wildcards (for example, *acme.com) and isolated Internet domain suffixes (for
example, acme.com) are not acceptable values in this field.
Group entries cannot contain a domain part or dot (’.’). For example, the group
with the name DenyMail is valid, but the groups named Deny.iris.com or
Denymail@iris are not.
Allow messages only from the Specifies the Notes user names from which Domino accepts mail destined for
following Notes addresses to be external Internet addresses. If this field contains entries, Domino accepts
sent to the Internet outbound Internet mail from the specified entries only and rejects outbound
Internet mail sent from all other Notes addresses. Rejected mail is returned to
the sender.
Note: Group entries cannot contain a domain qualifier (’@’ sign). For example, an entry for a group
with the name DenyMail is valid, but if you add the domain name to the entry, as in
Denymail@acme, Domino does not expand the entry to determine its members. This restriction
applies to nested groups also. That is, if the group DenyMail includes Sales@AcmeWest as a member,
Domino does not expand Sales@AcmeWest to determine its members.
7. The change takes effect after the next Router configuration update. To put the new setting into effect
immediately, reload the routing configuration.
For information on how to reload the routing configuration, see the chapter ″Setting Up Mail
Routing.″
The outbound sender controls are not intended to control relaying. For information on controlling
message relaying, see the topic ″Setting inbound relay controls″ earlier in this chapter.
Setting outbound recipient controls: The Outbound recipient controls let you specify the Internet domains,
and host names users are allowed to and denied from sending mail to. The controls consist of a set of
pair of lists, one specifying the Internet domains or host names to which users can send mail and another
listing the domains and host names to which users cannot send mail.
If you specify an Internet domain, users can send mail to any host or
sub-domain in that domain. Domino matches entries against the last part of
domain names or host names, so entering host.acme.com allows mail to
mail.host.acme.com as well inbound.host.acme.com.
Note: If you list a host name that matches an MX record for a domain,
Domino allows mail to all recipients in that domain. For example, if
mailhost.acme.com exactly matches the name of an MX host in the DNS for the
domain acme.com, entering it in this field allows all mail to that domain.
Deny messages to recipients in the Specifies the Internet domains, such as acme.com, and Internet host names,
following Internet domains or host such as mailhost.acme.com, to which Domino cannot send mail. Domino
names allows mail to all other domains or host names. Domino matches entries
against the last part of domain names or host names, so entering
host.acme.com denies mail to smtp.host.acme.com as well as
inbound.host.acme.com.
Note: If you enter a host name that matches an MX record for a domain, mail
to all host names / MX records for that domain is denied. Thus, specifying a
host name that matches an MX record for a domain denies all mail to that
domain.
The change takes effect after the next Router configuration update. To put the new setting into effect
immediately, reload the routing configuration.
For information on how to reload the routing configuration, see the chapter ″Setting Up Mail
Routing.″
Note: For security reasons, if there is a conflict between the two fields for a given setting, entries in the
Deny field take precedence. For example, if acme.com appears in both the ″Allow messages only to
recipients in the following Internet domains or host names″ field and the corresponding ″Deny messages″
field, Domino denies messages sent to acme.com. Be careful not to have the same entry in an Allow field
and a Deny field for the same setting.
Note: Domino checks each address to see if it is an Internet address or a Notes address. The Router then
applies the restrictions specified for that type of address.
Note: If you are entering multiple names in a field, consider creating a group and entering the group
name in the field. Domino expands the group into a list of members. If you update the group list in this
document or edit the group members in the Domino Directory, changes do not take effect immediately.
Supporting outbound SMTP extensions: Domino supports outbound extended SMTP (ESMTP) features
to interact with other messaging servers. These extensions are controlled in the Configuration Settings
document.
Field Enter
SIZE extension Choose one:
v Enabled - (default) If the destination SMTP host also supports the SIZE extension,
Domino declares the estimated size of messages before transfer.
v Disabled - Domino does not declare message size before transferring messages to
another SMTP server.
Pipelining extension Choose one:
v Enabled - (default) If the remote SMTP host also supports pipelining, Domino sends
multiple SMTP commands in the same network packet to improve performance.
v Disabled - Domino sends each SMTP command in a separate packet.
DSN extension Choose one:
v Enabled - When sending a message to a server that also supports the DSN extension,
Domino appends a NOTIFY parameter to the SMTP RCPT TO command to request a
particular type of delivery status notification for the message. For messages sent from
Notes clients, Domino uses the Delivery report options specified by the client (Confirm
delivery; Trace entire path; Delivered) to determine the type of DSN requested.
v Disabled - (default) Domino does not send DSN requests.
8-bit MIME extension Choose one:
v Enabled - When sending a message to a remote server that also supports 8-bit MIME,
Domino improves performance by sending messages containing multinational
characters as is, without first encoding them.
v Disabled - (default) Domino encodes messages containing 8-bit characters as 7-bit
ASCII before sending.
The change takes effect after the next Router configuration update. To put the new setting into effect
immediately, reload the routing configuration.
For information on how to reload the routing configuration, see the chapter ″Setting Up Mail
Routing.″
Message disclaimers are notices -- usually short text blocks -- that are added to email messages. They are
often used by organizations in an attempt to protect the organization’s legal interests. For example,
message disclaimers can be used to limit an organization’s exposure to vicarious liability, that is, to limit
the organization’s responsibility for the actions of its employees. This type of disclaimer informs the
message recipient that the organization Is not responsible for anything written by the author of the
message. Another commonly used type of message disclaimer consists of a warning stating that the
message may not be intended for the current recipient and that it may contain confidential information.
The disclaimer directs the ″unintended recipient″ to dispose of the message without sharing its contents
with others.
To set up and enable message disclaimers on the Notes client, you need to create a Policy document or
use an existing Policy document. You then create a mail policy settings document to define and enable
the message disclaimers. Complete the fields on the mail policy settings document, including those on the
Message Disclaimers tab. Message disclaimers are enabled on the Notes client when you choose Enabled
in the field ″Notes client can add disclaimers.″ The message disclaimer text that is added to electronic
mail messages is derived from the text that you enter in the field ″Disclaimer text.″ Message disclaimers
are written to the mail files of every user to whom the policy applies. The disclaimer is stored in the
Domino Directory.
To set up and enable message disclaimers on the server side, you need to create a Policy document or use
an existing Policy document. You then create a mail policy settings document to define the message
disclaimer text. The message disclaimer text that you enter in the field ″Disclaimer text″ on the mail
policy settings document is the disclaimer that is added to your email messages. You enable and disable
message disclaimers for the server using the server Configuration Settings document - Router/SMTP -
Message Disclaimers tab. When disclaimers are enabled on the server, all messages sent from that server
are disclaimed, regardless of the message source.
The mail policy settings document is applied to all users’ mail files on a given server by the
administration process, using the mail file owner’s hierarchical name to determine the corresponding
Policy document. By default, the administration process runs every twelve hours; therefore, changes do
not take effect until the next time the administration process runs. You can force the administration
process to process new information in the mail policy settings document, by using the server console
command:
tell adminp process mailpolicy
Message disclaimers are not added to incoming SMTP messages; they are only added to outgoing SMTP
messages.
Note: In some cases, all recipients, including local Notes users, receive the disclaimer, but only if all local
Notes users receive MIME messages. Any local Notes users who have the setting Prefers Notes Rich Text
selected in their Person document in the Domino Directory will not receive the disclaimer. This is the
only situation in which the Notes client splits messages: one message for Notes client rich text users, and
one message for all other users.
For information about the mail policy settings document, see the topic Creating a mail policies settings
document.
You need to be aware of the following information regarding enabling and disabling message disclaimers:
v If message disclaimers are enabled for the client and the server, message disclaimers can be added to
mail messages via the server or the client. The server is able to determine whether a disclaimer has
been added by the Notes client. For performance reasons, the client usually adds the disclaimer if
message disclaimers are enabled on both the client and the server.
v If message disclaimers are enabled for the server, but disabled for the client, message disclaimers can
only be added to mail messages from the server.
v If message disclaimers are disabled for the server but enabled for the client, message disclaimers can
only be added from the Notes client.
v If message disclaimers are disabled from both the server and the client, message disclaimers cannot be
added to any mail messages.
You can create one disclaimer and apply it to all messages sent from an organization or organizational
unit, or you can create multiple disclaimers for any combination of messages, or create individual
disclaimers for individual senders. To associate a disclaimer with an individual sender, use the Policy
document to define an Explicit policy that applies to specific individuals or groups. To associate multiple
If multiple disclaimers apply to a given sender, choose the correct disclaimers using a hierarchical
approach with a default disclaimer applying when no other disclaimer applies to the sender. Policies exist
in a hierarchy, ordered from the most specific policy to the least specific. For example, the most specific
policy for an individual is an Explicit policy that applies directly to that person. The next most specific
policy could be an organizational policy defined for all members of that individual’s entire organization.
In this case, using a hierarchical model, the Explicit policy would be used. To ensure that all Internet mail
is assigned a disclaimer, you can also create one general disclaimer to be used if no other disclaimer
applies to the sender’s mail message.
Use the Mail policy settings document to ensure that the correct disclaimer for a given sender is available
on the server for the mail router and is also deployed to the Notes mail client.
For information about the mail policy settings document, see the topic Creating a mail policies settings
document.
The Message Disclaimers feature is primarily designed for use with Internet-bound messages. While It is
possible to add disclaimers to S/MIME signed and encrypted messages at the mail router, S/MIME
signed and encrypted messages are not handled well by Notes. When an S/MIME signed message has a
disclaimer added and is received by a Notes user, the message body can be viewed, but the signature
cannot be verified. When an S/MIME encrypted message with a disclaimer added to it is received by a
Notes user, the message body can not be viewed and the message can not be decrypted.
Whenever possible, use the Notes client to add disclaimers instead of adding them from the server. Issues
with signed and encrypted messages do not apply to disclaimers added from the Notes client because the
disclaimer is added before the message is signed. Issues with character sets also do not apply to
disclaimers added from the Notes client because the Notes client determines the Internet character set
used for outgoing messaging. Adding disclaimers at the Notes client avoids any potential performance
problems or ″bottlenecks″ at the router.
Field Action
Message disclaimers Choose one:
v Enabled -- Allows message disclaimers to be added by the
server.
v Disabled -- Prevents message disclaimers from being
added from the server.
Mail journaling
By default, after the Router processes a message, it does not retain a copy of the message. That is, after
ServerA successfully sends a message to ServerB, the Router on ServerA deletes the message from its
MAIL.BOX database. Likewise, when ServerB successfully transfers or delivers the message to the next
server on the routing path, the Router on ServerB removes the message from its MAIL.BOX database.
To comply with laws or regulations that apply to your business, your organization may be required to
save a copy of every message processed by the local mail system and permanently store or otherwise
process the message copies. For example, government agencies such as the Securities and Exchange
Commission (SEC) require a business to retain all messages related to the transactions they undertake.
Mail journaling enables administrators to capture a copy of specified messages that the Router processes
by the Domino system. Journaling can capture all messages handled by the Router or only messages that
meet specific defined criteria. When mail journaling is enabled, Domino examines messages as they pass
through MAIL.BOX and saves copies of selected messages to a Domino Mail Journaling database
(MAILJRN.NSF) for later retrieval and review. Mail journaling works in conjunction with mail rules, so
that you create a journaling rule to specify the criteria for which messages to journal. For example, you
can journal messages sent to or from specific people, groups, or domains. Before depositing messages in
the Mail Journaling database, the Router encrypts them to ensure that only authorized persons can
examine them. Journaling does not disrupt the normal routing of a message. After the Router copies a
message to the Mail Journaling database, it continues to dispatch the message to its intended recipient.
Domino mail journaling differs from message archiving. Journaling works dynamically, making a copy of
each message as it passes through MAIL.BOX to its destination and placing the copy in the Mail
Journaling database. A copy of the message is retained, even if the recipient, or an agent acting on the
recipient’s mail file, deletes it immediately upon delivery. Archiving is used to reduce the size of an
active mail file database by deleting messages from one location and moving them to an offline database,
usually in another location, for long-term storage. Archiving acts on messages that have already been
delivered. Journaling is performed automatically by the server; while archiving is a manual operation,
performed by end users on their own mail files. End users can search for and retrieve messages from a
mail file archive, but only an authorized administrator can examine a Mail Journaling database.
To provide access to certain journaling routines, Domino implements several Extension Manager (EM)
hooks. EM hooks enable an executable program library, such as a dynamic link library or shared object
library, to register a callback routine that will be called before, after, or before and after Domino performs
selected internal operations. Using EM hooks, developers can customize mail processing. For example,
EM hooks to the Journaling task could be used in conjunction with a third-party archiving program to
route certain messages directly to an archive center. For more information about Extension Manager, see
the IBM Lotus C API Toolkit for Notes/Domino 7. The toolkit is available at http://www.lotus.com/capi.
After you enable journaling, Domino automatically creates the Mail Journaling database in the specified
location.
Field Description
Journaling Specifies whether the server supports mail journaling. Choose one:
v Enabled - Domino supports mail journaling on the servers governed by this document. To
journal mail, create a server mail rule with the action ″Journal this message.″
v Disabled - (default) Mail journaling is not supported on the servers governed by this
document.
Field encryption Specifies the names of Notes message fields that Domino does not encrypt when adding
exclusion list messages to the Mail Journaling database. Encrypted fields cannot be displayed in a view. List
any fields you want to display in a view. By default, the following fields are not encrypted:
Form, From, Principal, and PostedDate.
Note: When using a mail-in database for journaling, Domino does not automatically encrypt
messages added to the database. To encrypt messages in a mail-in database use the Mail-in
database document to specify encryption of incoming messages.
Click the down-arrow to select the name of the mail-in database from the Domino Directory.
Note: You must create the mail-in database beforehand; Domino does not automatically create
mail-in databases for journaling.
Encrypt on behalf If you specified ″Copy to local database″ as the journaling method, enter the fully qualified
of user Notes Name of the user whose certified public key Domino uses to encrypt messages added to
the database. To ensure privacy, consider creating a special user ID for reviewing journaled
messages, and protect the ID with multiple passwords.
To encrypt messages sent to a mail-in database, enable encryption on the Administration tab of
the Mail-in database document.
Database For local Mail Journaling databases, the entry in this field specifies how Domino controls the
Management - size of the Mail Journaling database. When the database management method in effect calls for
Method Domino to create a new Mail Journaling database, on the day that it creates the new database, it
does so at approximately 12:00 AM. Choose one of the following methods:
v Periodic Rollover - (default) When the current Mail journaling database reaches the age
specified in the Periodicity field, Domino renames the existing Mail Journaling database and
creates a new Mail Journaling database with the original name.
v None - Domino does not automatically control the size of the Mail Journaling database. If you
do not use one of the available methods for controlling database size automatically, be sure to
monitor the database size and use appropriate tools to archive the journal data.
v Purge/Compact - Domino deletes documents from the database after the number of days
specified in the Data Retention field and then compacts the database.
v Size Rollover - When the current database reaches the size specified in the Maximum size
field, Domino renames the database and creates a new Mail Journaling database with the
original name.
Periodicity If you specified Periodic Rollover in the preceding field, Domino displays this field for
specifying the length, in days, of the rollover interval. The default value is 1 day.
Data Retention If you specified Purge/Compact in the Database Management-Method field, Domino displays
this field for specifying the time, in days, that a message remains in the Mail Journaling
database before being deleted.
Maximum size If you specified Size Rollover in the Database Management-Method field, Domino displays this
field for specifying a size limit, in megabytes (MB), for the Mail journaling database. After the
database reaches the specified size, Domino renames it and creates a new one.
Specifying the journaling method: There are two methods available for journaling messages, copying
messages to a local database (local journaling) and forwarding messages to a mail-in database (remote
journaling). In local journaling the Router moves messages from MAIL.BOX to a Mail Journaling database
on the same server. If you enable local journaling on more than one server, each server maintains its own
unique Mail Journaling database. Since local journaling doesn’t require messages to be transferred
between servers to reach the Mail Journaling database, this is the preferred method for minimizing
network traffic.
Remote journaling lets you journal messages from multiple servers to a single location, sending them to
the mail-in database specified in the ″Mail Destination″ field. Domino does not automatically create
mail-in databases for journaling; you must manually create both the destination database and the
necessary Mail-in database document.
Using a mail-in database to journal messages greatly increases mail traffic, since messages must travel
over the network to be deposited in the Mail Journaling database.
For information about using Mail-in databases, see the chapter ″Rolling Out Databases.″
Managing security of the Mail Journaling database: The Mail Journaling database contains private
information about many people. Domino employs two methods to restrict access to the Mail Journaling
database. First, it conceals the database from users. By default, Domino makes the Mail Journaling
database ″invisible″ to users; that is, the database does not appear in the Open database dialog box when
a user opens a new database. To display the database, check ″Show in ’Open Database’ dialog″ on the
Design tab of the Database properties dialog box.
Second, when local journaling is enabled, Domino encrypts the information in the Mail Journaling
database, using the Certified public key of a specified Notes user. To specify the ID to use when
encrypting messages, enter a user name in the field ″Encrypt on behalf of user.″ By default, Domino
exempts certain summary information fields from encryption so that the information they contain can be
used in database views. You can specify other fields to exempt in the field, ″Field encryption exclusion
list.″
Setting up a Mail Journaling user: To maximize security, create and register a special user ID for the
Mail Journaling database and assign multiple passwords to the ID. Distribute passwords in such a way
that no one person knows them all, so that the consent of multiple parties is required to view the
contents of the database.
For information on assigning multiple passwords to an ID, see the chapter ″Protecting and Managing
Notes IDs.″
The user’s name is preserved in the ACL during daily rollovers and size rollovers, but if you remove the
Mail Journaling database, the next time the server starts, it automatically creates a new database using
the original ACL. Add the ID used for encryption in square brackets [User.ID] to the ACL of the template,
JOURNAL.NTF, to automatically add the user’s name to the ACL of JOURNAL.NSF.
Enabling encryption for remotely journaled messages: By default, mail-in databases do not encrypt
incoming mail. To ensure privacy when sending journaled messages to a mail-in database, enable the
mail-in database to encrypt incoming mail. When enabling encryption for a mail-in database, you select a
user whose Notes certified public key Domino uses to encrypt messages stored in the database.
For more information on setting up a mail-in database, see the chapter ″Rolling Out Databases.″
No encryption of previously encrypted messages: A message that Notes has previously encrypted for
its recipients is not re-encrypted with the certified public key of the specified Journal user. As a result,
when depositing encrypted messages in the Mail Journaling database, Domino preserves the original
encryption, so that the message content cannot be decrypted with the ID of the designated Mail
Journaling user, unless, of course, that user was included in the original recipient list. A Mail Journaling
user who was not on the recipient list can view header information only.
Managing the size of the Mail Journaling database: Depending on how you set up journaling rules, the
size of the Mail Journaling database may increase rapidly. Domino provides several methods for
automatically controlling the database size:
MJ<date>.NSF
where <date> is an 8-digit number representing the current date in a format that
standardizes the database name. The name is created using this format:
MJMMDDYYYY.NSF.
Purge/Compact Domino deletes documents from the database after a specified number of days and
then compacts the database to eliminate deletion stubs and white space.
MJXXXXXX.NSF
These methods for controlling database size are not available if you use a mail-in database for journaling
messages. If you select this method of journaling, be sure to monitor the database size and use
appropriate tools to archive data to another location.
For information about setting mail rules, see the topic ″Setting server mail rules″ earlier in this chapter.
If you specify All documents and a message is returned as undeliverable, Domino journals the delivery
failure report as well as the original message.
When Domino journals a message, it sets a journal flag on the message before transferring it to the next
server on the route. This ensures that servers later in the routing path do not journal the message again.
When the Router on the destination mail server delivers the message to the user’s mail file it removes the
journal flag so to that the user remains unaware that the message was been journaled.
On servers running the ISpy task, this task sends mail probes in the form of trace messages to test mail
connectivity approximately every five minutes. Under normal use, the ISpy task automatically deletes
these probes from the ISpy mail-in database and the only trace of them are entries in the Routing events
view of the server log file and on the server console. However, if you enable a journaling rule on these
servers and specify the condition ″All documents,″ the Mail Journaling database will capture each trace
message that the ISpy task sends. To prevent the Mail Journaling database from filling up with these
entries, configure a rule exception for messages where the sender includes ″ISpy.″
By default, the Mail Journaling database does not appear in the Open database dialog box. You can open
the database by specifying its file name -- for example MAILJRN.NSF -- in the Filename field in the Open
Database dialog box. To list the database in the Open Database dialog box, check ″Show in ’Open
Database’ dialog″ on the Design tab of the Database properties dialog box.
Note: Notes database views do not display encrypted fields. By default, Domino encrypts the subject
field of messages added to the Mail Journaling database, when you open a view of the database, the
Subject column may be blank. To display message subjects, add ″Subject″ to the ″Field encryption
exclusion list.″
For information on how to specify the fields to encrypt when journaling mail, see the topic ″Setting up
the Mail Journaling database″ earlier in this chapter.
Viewing messages that use forms not included in the Mail Journaling database: The Mail Journaling
database does not include all of the form types that can be used to send messages. If a message copied to
the database was sent using a form that is not part of the Mail Journaling database design, the database
substitutes the memo form to display the message. To view the document using the original form type,
copy the form design element into the design of this database.
By default, Notes return receipts are not compatible with SMTP messages, which use MIME headers to
identify return receipt requests. For return receipts to work seamlessly when a Notes message is
converted to MIME and vice versa, you must set up Domino to translate between the two formats.
Enabling return receipts lets Domino honor return-receipt requests on inbound SMTP mail and add
return-receipt requests to outbound SMTP mail. On inbound messages, Domino converts MIME
return-receipt headers to Notes ″ReadReceipt″ requests before delivering the message. On outbound
Internet mail, Domino maps a Notes return receipt request to the MIME header specified in the Return
Receipt Mapping field.
There are two MIME headers that can be used to request a read receipt. You can specify which header
Domino uses for outbound mail when converting a Notes return-receipt request into a MIME
return-receipt request. The Return-Receipt-To header is the older method; the Disposition-Notification-To
header is the newer, preferred method. Choose the method supported by the majority of the systems to
which your organization sends mail. For return receipts to work, the receiving server and client must
both support the header used. Newer mail clients may not support the older header.
When you disable return receipts, Domino ignores the Return-Receipt-To or Disposition-Notification-To
headers on inbound SMTP mail and does not return the return receipt to the sender. It also does not
convert Notes client requests for return receipts into a corresponding MIME header field.
Note: Disabling return-receipt support affects SMTP messages only. Internal messages sent over Notes
routing continue to process return receipts.
Enabling return receipts in your system does not guarantee that your users will receive return receipts
every time they are requested. The Internet mail specifications do not require servers or clients to honor
return-receipt requests. If the recipient’s server does not honor the request, it is ignored. Generally, large
organizations with LAN-based mail systems that provide their own internal return-receipt features
implement return-receipts over SMTP, while commercial Internet mail systems, such as Web-based mail
systems tend not to.
Requesting Return Receipts from an IMAP or POP client: Disabling return receipts on a server does
not affect non-Notes clients. If users request return receipts for messages sent from an IMAP or POP
client, such as Microsoft Outlook, the client generates the proper MIME header (that is, either a
Return-Receipt-To or Disposition-Notification-To field in the header). Domino does not strip the messages
of the return receipt request. Domino leaves existing MIME headers intact on outbound messages and
sends a MIME message that asks the receiving server to send a receipt when it delivers the message.
Field Description
Return Receipts Choose one:
v Enabled to allow the sender of a message to receive a return receipt.
v Disabled to prevent the sender of a message from receiving a return receipt.
Return Receipt Choose one:
Mapping v Use Disposition-Notification-To - (default) When converting an outbound Notes message
that includes a return receipt request into MIME format, the server converts the Notes
ReturnReceipt item into the MIME header item Disposition-Notification-To.
v Use Return-Receipt-To - When converting an outbound Notes message that includes a return
receipt request into MIME format, the server converts the Notes ReturnReceipt item into the
MIME header item Return-Receipt-To.
Note: This field appears only if you enable Return Receipts.
Note: Domino does not map the Return Receipt request to one of the MIME headers if the address
specified in the Disposition-Notification-To or Return-Receipt-To header does not match the sender’s
address. Domino sends return receipts only to the sender.
The change takes effect after the next Router configuration update. To put the new setting into effect
immediately, reload the routing configuration.
For information on how to reload the routing configuration, see the chapter ″Setting Up Mail
Routing.″
When converting a MIME message into Notes rich-text, Domino uses the information in the character set
tags to determine the appropriate characters for representing the message text. Similarly, when Domino
converts a Notes rich-text message into MIME, it must determine which MIME character set tag to apply.
On the MIME - Basics tab of the Configuration Settings document, you can define a primary character set
group and one or more secondary character set groups. These primary and secondary choices control,
among other things, how Domino detects character sets to correctly identify ambiguous text data in a
message when converting inbound MIME messages to Notes rich-text and outbound Notes rich-text
message to MIME.
Note: If your organization sends and receives messages that use US-ASCII characters only, there’s no
need to change the default settings.
Domino can interpret text represented in 16 different character set groups (also known as language
groups) including the Unicode standard for encoding character systems (www.unicode.org/ ). A language
group can correspond to a single language (for example, Japanese) or to a region where multiple
languages use more or less the same characters (for example, Central Europe). A language group can also
support multiple character sets.
If the MIME messages your organization receives always contained the correct character set information,
there would be no need to change the default settings. However, some mail systems do not provide
character set information when sending mail. For example, older mail systems may not support MIME at
all, and some Web-based systems enable users to create messages in a given language but don’t correctly
generate MIME character set information when sending the message. Thus a user sending mail from a
Web-based mail system might be able to compose and send messages written in Chinese, but in the sent
message, the character set tag US-ASCII is incorrectly applied to the message text. If your SMTP server is
configured to use the default character set group, it would be unable to correctly convert this message.
In such cases, Domino examines incoming messages to determine the byte range used and identify
unique control codes. It then attempts to match patterns in the incoming message to a probable character
set. This process is effective in distinguishing among certain character sets only. For example, it can
correctly distinguish messages in the CJKT languages (Simplified Chinese, Japanese, Korean, and
Traditional Chinese ) from each other and from an English message), but it cannot distinguish between
messages in English or any other Western languages, which tend to use the identical bytes and byte
ranges.
To ensure accurate character set detection for the CJKT languages, configure a priority order among the
languages by specifying a primary and secondary character. For example, if Domino cannot distinguish
whether a MIME message uses EUC-KR (a Korean character set) or GB2312 (a Simplified Chinese
character set), it uses the priority order assigned to the primary and secondary character set groups to
determine which character set to use in converting the message to Notes rich-text. Domino chooses the
primary character set first, then the secondary character set (in an undefined order -- the order of
multiple secondary choices doesn’t matter), then the operating system group (for operating systems
where the locale can be queried).
When converting outbound messages to MIME format, Domino chooses a MIME character set based on
the text of the message. Outbound messages are examined by the Router and the appropriate character
set is selected for the message. For example, messages in Japanese are converted using the ISO-2022-JP
character set; messages in Simplified Chinese, using the GB character set; messages in Traditional
Chinese, using the Big5 character set; and messages in French, using the ISO-8859-1 character set. When
Domino cannot automatically detect which character set to use, as with some European languages, it
refers to the primary, secondary, and operating system groups, in that order, to determine which character
set to use. For example, if all of the characters in a message could be French or Turkish, Domino uses the
information about the primary and secondary character set groups to determine which character set to
use.
Field Enter
Primary character set group The character set group for this domain’s primary language. English is the
default value. Choose the language or region appropriate for your organization,
for example, Simplified Chinese.
The change takes effect after the next Router configuration update. To put the new setting into effect
immediately, reload the routing configuration.
For information on how to reload the routing configuration, see the chapter ″Setting Up Mail
Routing.″
Characters set group Character set language code Header and body encoding
Arabic Windows-1256, ISO-8859-6 Base64, Quoted Printable, None
Baltic Rim Windows-1257 Quoted Printable, Base64, None
Central Europe ISO-8859-2, Windows-1250 Quoted Printable, Base64, None
Cyrillic KO18-R, ISO-8859-5, Windows-1251 Base64, Quoted Printable, None
English US-ASCII None, Base64, Quoted Printable , None
Greek Windows-1253, ISO-8859-7 Base64, Quoted Printable, None
Hebrew Windows-1255, ISO-8859-8, ISO-8859-8-I Base64, Quoted Printable, None
Japanese ISO-2022-JP Header - Base64, Quoted Printable, None
Settings in this section do not apply to messages delivered to mail files on the server or messages
transferred over Notes routing. Nor do they apply to messages sent in MIME format from the client --
either messages sent by POP3 or IMAP clients or messages from a Notes client where the Location
document specifies the use of MIME format for messages sent to Internet addresses.
Note: If the Internet mail format specified in the client’s current Location document is set to Notes
rich-text (Mail tab - Format for messages addressed to Internet addresses), the client sends all messages in
Notes rich-text, even if the Internet mail format in the User Preferences dialog box (File - Preferences -
User Preferences - Mail - Internet - Internet Mail Format) is set to send HTML.
Providing the richest content when converting messages on internal servers: By default, when
converting messages in Notes rich-text format to MIME format, Domino generates MIME messages in
plain text format only, resulting in a loss of formatting. This default setting, which is required to ensure
that recipients can read messages that are received by SMTP servers that do not correctly process
multipart MIME messages, is not necessary for internal servers. To enable conversion on internal servers
to generate the richest possible MIME from messages in Notes format, change the default Message
Content setting to ″Convert from Notes to Plain Text and HTML.″
Field Description
Attachment encoding When a Notes client sends a rich-text message with a file attachment that contains 8-bit
method data -- for example, program, image, sound, video, and application files -- Domino
encodes the attachment data as ASCII text for SMTP transport. Choose the encoding
method best suited to the file types sent and supported by the majority of likely message
recipients.
If there is a table or forwarded mail headers, then the line length default is doubled so no
line break occurs until 150.
Lookup Internet All addresses on messages sent to Internet recipients must be in Internet format (RFC
address for all Notes 821/822 format). A Notes user may send a message to both Notes addresses and Internet
addresses when addresses. To specify how Domino converts the addresses of Notes recipients on messages
Internet address is not sent to the Internet, choose one:
defined in document v Enabled - On outbound Internet messages, if the address of any recipient is in Notes
format, Domino reads the user’s Internet address from the Person document and adds it
to the message before sending.
v Disabled - (default) Domino forms Internet addresses by converting spaces into
underscores and encoding Domino domains with percent signs. For example:
John_Smith%Notes@acme.com
The change takes effect after the next Router configuration update. To put the new setting into effect
immediately, reload the routing configuration.
For information on how to reload the routing configuration, see the chapter ″Setting Up Mail
Routing.″
Field Enter
Use character set Choose one of the following:
auto-detection if message has v Yes - Domino examines the text of inbound messages to determine the character
no character set information set if it is not specified in the message. Select this option if your site routinely
receives non-MIME messages that are encoded in character sets other than ASCII.
Provides the most accurate rendering of the original character information, but
slows performance.
v No - (default) Character set auto-detection is disabled.
The change takes effect after the next Router configuration update. To put the new setting into effect
immediately, reload the routing configuration.
For information on how to reload the routing configuration, see the chapter ″Setting Up Mail
Routing.″
Inbound settings specify font options that control how the text of a MIME message using a given
character set tag displays in Notes. Outbound settings determine the character set tag and encoding to
apply when converting Notes rich-text messages to MIME.
1. Make sure you already have a Configuration Settings document for the server(s) to be configured.
2. From the Domino Administrator, click the Configuration tab and expand the Messaging section.
3. Click Configurations.
4. Select the Configuration Settings document for the mail server or servers you want to administer, and
click Edit Configuration.
5. Click the Basics tab. If it is not already selected, select the field ″International MIME Settings for this
document.″
6. Click the MIME - Settings by Character Set Groups tab.
Field Enter
For outbound message options below When unchecked (default), Domino’s Outbound Message Options are set to
use all possible choices (Advanced use the standard character set and encoding method for the language group
users) specified in the field ″MIME settings by character set.″ The options in the
Character Set field are limited to the standard character sets for the
language group.
Check this box to enable use of nonstandard character set choices in the
header and body of messages in any language group.
MIME settings by character set group Click the drop-down list to choose the language group to configure. You
can accept the default settings or configure specific settings for one or more
language groups.
The language group displayed at the time you save and close the document
is not the only one for which Domino saves settings. After you save the
Configuration Settings document, Domino retains the settings for each
language group that you modified.
These fields allow you to override default values for character sets, fonts, and so on, for individual
character set groups.
Note: If no Server Configuration document exists, Domino uses the default typeface and point size
settings. The default typeface used for HTML text is Default Sans Serif, and the point size is
determined by the sender of the message. The default typeface for Plain Text (US-ASCII) is Default
Monospace with point size of 10.
Field Enter
HTML Proportional The typeface style to be used for proportional type in inbound SMTP messages.
(default = 12)
Plain text The typeface to be used for plain text in inbound SMTP messages.
(default = 10)
To set character set options for outbound messages: You can specify the character set and encoding
type for the header and body text of outbound messages. The settings you select do not affect
attachments. For each language (or region) there is a default character set. For example, for Western
Europe the default character set is ISO-8859-1, but other Latin character sets can also be used. You can
indicate the specific character set and encoding to be used for outbound SMTP message headers and
body content. In general, use the same character set for both the headers and the body of outbound
messages. However, because some characters set groups, such as Korean, typically use different character
sets for the headers and body, by default, for these languages, the character set specified for header text
differs from the character set for body text.
For a complete list of character set groups and the default characters sets used in the headers and body
of messages in those groups, see the topic ″Language codes supported in Notes and Domino″ earlier in
this chapter.
1. From the Domino Administrator, click the Configuration tab and expand the Messaging section.
2. Click Configurations.
3. Select the Configuration Settings document for the mail server or servers you want to administer, and
click Edit Configuration.
4. Click the Basics tab and select ″International MIME settings for this document.″
5. Click the MIME - Settings by Character Set Groups tab.
6. In the Outbound Message Options section, complete the following fields, and then click Save & Close:
Field Choose
Header - Character Set The character set Domino uses to display message headers. The default entry depends
on the character set language group currently selected in the field ″MIME settings by
character set group.″ In most cases, the default entry is the best choice for representing
header text for this language group.
Body - Character Set The character set used to display message body. The default entry depends on the
character set language group currently selected in the field ″MIME settings by
character set group.″ In most cases, the default entry is the best choice for representing
body text for this language group.
Header - Encoding The encoding method for outbound headers. The default entry depends on the
character set language group currently selected in the field ″MIME settings by
character set group.″In most cases, the default entry is the best choice for encoding
header text for this language group.
Choose one:
v Base64
v Quoted Printable
v None
Choose one:
v Base64
v Quoted Printable
v None
7. The change takes effect after the next Router configuration update. To put the new setting into effect
immediately, reload the routing configuration.
For information on how to reload the routing configuration, see the chapter, ″Setting Up Mail
Routing.″
Field Description
Resent headers take Specifies whether Domino uses resent- headers on inbound messages. When
precedence over original forwarding a message, some mail programs add header lines that describe the
headers forwarding sender. These headers begin with the resent- prefix, such as
″Resent-From:″ The received message contains both the resent- headers and headers
describing the original sender, for example:
From: original-sender
Resent-From: forwarding-sender
When generating a reply to a forwarded message, some older mail programs address
the reply to address specified in the resent-from header. However, most modern mail
programs consider resent- headers to be for informational purposes only and do not
normally use them to generate replies. Instead, when forwarding a message, a
MIME-compliant mail program creates a new message and encapsulates the original
message within this message as a MIME body part of content type message.
Choose one:
v Enabled - When receiving a forwarded message over SMTP, Domino places the
value of the Resent-From header in the From header. Select this option only if a
large number of users in your organization find that when replying to Internet
messages that use resent- headers, their replies are incorrectly addressed to the
original sender, rather than the forwarding sender.
v Disabled - (default) Domino ignores resent- headers in inbound messages.
Choose one:
v Yes - Domino strips RFC 822 group names from address headers on incoming
SMTP messages.
v No - (default) Domino preserves RFC 822 group names in the address headers of
incoming SMTP messages.
If each recipient’s address Choose one:
does not appear in any v Yes - Enables Domino to resolve differences between addresses in the SMTP RCPT
address header, then add TO commands and the RFC 822 message header. If an address is referenced in the
their address to the BCC list SMTP RCPT TO command, but not in the message header, Domino creates a new
copy of the message and places the address in the BCC: field of the new message.
v No - (default) Domino ignores differences between the recipients listed in the RCPT
TO command and the message header.
For non-MIME messages or Specifies the default character set that Domino uses to render messages with 8-bit
MIME messages with an characters if the message does not contain character set information, and automatic
unknown character set, 8-bit character set detection is disabled (on the MIME - Conversion Options - Inbound tab).
character set is assumed to
be
Character set name aliases Enter the substitute name for the equivalent character set to allow MIME to be
converted to native MIME. An alias allows a character set name tag in an inbound
message to be treated as though it were a different character set.
The change takes effect after the next Router configuration update. To put the new setting into effect
immediately, reload the routing configuration.
For information on how to reload the routing configuration, see the chapter ″Setting Up Mail
Routing.″
Use the advanced outbound MIME options to specify how servers determine the following message
items:
v Encoding for attachments sent from Macintosh clients
v Use of phrases specifying the sender’s user name in the sender’s Reply address
v Sending of Notes mail items that do not have standard MIME equivalents
v Removal of Notes fields from message headers
v Character set to use when converting multilingual messages
v Character set alias to use in place of one that is typically mislabeled in outgoing messages
Field Enter
Macintosh attachment The format for Macintosh attachments. Choose one:
conversion v AppleDouble [base64 only] - (default) Provides standard MIME encoding for sending
Macintosh files to recipients using newer Macintosh and PC mail programs.
AppleDouble splits the data fork and the resource fork of the file and encodes the
resulting data in Base 64 for transport. PC clients receiving the attachment discard the
resource fork and use the data fork only.
The AppleDouble header is effectively the resource fork and includes the original Mac file
name of the file. If the AppleDouble data part has a recognizable MIME type, Domino
uses it to label the MIME part of the converted message; for example, the data part of a
Microsoft Word attachment is described as application/msword. If the MIME type cannot
be determined, Domino labels the MIME part as application/octet-stream.
v BinHex4.0 - Sends Macintosh attachments with the MIME type application/mac-
binhex40. Use this method for sending Macintosh files to other Macintosh users who do
not use MIME-compliant mail programs. Because few Windows mail programs can
decode BinHex, this method should not be used when sending files to recipients who
use Windows.
RFC822 phrase Specifies how the server handles phrases in an address header. Choose one:
handling v Do not add phrase (default) - Outbound mail displays the sending user’s RFC 821
address. The Router permits user-defined phrases in recipient addresses.
v Use DN as phrase (Use domain name for the phrase) - The Router constructs an RFC
822-style address using a phrase part derived from the person’s hierarchical,
distinguished name; for example, ″John Jones/Sales/ACME″ <JJones@acme.com>. The
Router permits user-defined phrases in recipient addresses.
v Use alt. name if available - otherwise DN (Use the alternative name or domain name) -
If an Alternate name is specified in the user’s Person document, constructs an RFC
822-style address using it as the phrase part; otherwise uses the hierarchical,
distinguished name; for example, ″John Jones/Sales/ACME″ <JJones@acme.com>. The
Router permits user-defined phrases in recipient addresses.
v Remove phrase - Only RFC 821-style addresses allowed. The Router strips user-defined
phrases in recipient addresses.
v Use CN as phrase - Constructs an RFC 822-style address using a phrase part derived
from the person’s common name; for example, ″John Jones″ <JJones@acme.com>. The
Router permits user-defined phrases in recipient addresses.
Choose one:
v Enabled - When converting Notes rich-text messages for SMTP transport or download
by a POP3 or IMAP client, Domino converts all Notes private items in the message to
custom ″x-notes-item″ headers. The resulting ″x-notes-item″ is a structured header with
parameters that reflect the attributes of the original notes item, for example, data type,
value, summary flags, item name, and so on. Because Notes private items are not
generally used in Internet mail, do not select this option unless you have a specific
reason for sending private items.
Note: Items specified in the field ″Notes items to be removed from headers″ are excluded
from the headers of the converted message.
v Disabled - (default) When converting Notes rich-text messages for SMTP transport,
Domino removes nonstandard Notes header items.
Always send the List the Notes header items to always include as RFC 2822 headers in outbound SMTP
following Notes items messages, mapping each specified Notes item to a valid nonstandard RFC 2822 header
in headers item. For example, the Notes item, header-1 would be mapped to the RFC 2822 header,
x-header-1. The header body is the first 255 bytes of the item value, converted to text if
necessary.
Domino sends the items specified in this field even if sending of Notes private items is
disabled. Use this field to send specific items only, while preventing export of all
unspecified Notes private items.
Note: If an item listed in this field is also listed in the field ″Notes items to be removed
from headers,″ the item is not included.
Notes items to be List the Notes header items to exclude from x-headers in outbound SMTP messages.
removed from headers
When converting a Specifies the character set Domino uses when converting a Notes rich-text message with
multilingual message to text content that cannot be represented by a single character set group -- for example, a
MIME message in which part of the content is in French (Western character set group) and part
in Arabic. Choose one:
v Send it in Unicode [UTF8] - (default) Domino converts all the text to an 8-bit encoding
of the Unicode character set. To read the resulting message, recipients’ mail programs
must support Unicode.
v Send it in most representable character set - Domino selects the character set that best
matches the majority of characters in the message. If the message is sent as plain text,
any character that cannot be represented by the selected character set is replaced by a
fallback character -- typically a question mark. If the message is sent as HTML, a
Unicode-enabled mail program is required to decode the message because such a mail
program can replace unrepresentable characters with their Unicode numeric values.
Character set name Specifies the name of a nonstandard character set alias to be used when converting Notes
aliases rich-text messages for outbound SMTP transfer. For example, you can send messages sent
in ISO-8859-1 with the tag ″My-Character-Set.″ It is not recommended that you provide
aliases here because outbound messages will be understood only by similarly configured
mail clients.
Note: These settings apply to messages sent outbound over SMTP to another host, or exported to the
IMAP or POP3 service. They are not applied to messages delivered locally or messages transferred over
Notes routing.
The change takes effect after the next Router configuration update. To put the new setting into effect
immediately, reload the routing configuration.
In the following examples, unless noted otherwise, it is assumed that the application required to open the
attachment is properly installed on the user’s computer. Also, it is assumed that both sender and recipient
are using MIME-compliant mail programs.
v A Macintosh Claris Emailer user sends a Lotus 1-2-3 spreadsheet to two Notes recipients: one uses a
Macintosh, and one uses a PC.
Both recipients receive an intact Lotus 1-2-3 spreadsheet attachment. The Macintosh recipient can
launch it from within Notes or can detach it and double-click to launch -- regardless of the name given
to the attachment.
The PC user can launch it from within Notes or detach it and double-click to launch, only if the file
name ends in WK1, WK3, 123, or some other extension associated with the Lotus 1-2-3 application.
(This is a Windows restriction, not a Notes restriction.)
v A Lotus Notes user sends a Lotus 1-2-3 spreadsheet from a PC to a Macintosh recipient using Claris
Emailer.
The PC user must save the spreadsheet as a 1-2-3 R1 spreadsheet because it is the most recent version
of 1-2-3 available on the Macintosh. The spreadsheet is encoded with the MIME type ″X-Lotus-123R1,″
a private MIME type defined by Lotus. Since this is a private MIME type, by default, it cannot be
launched directly from Claris Emailer. To view the file, the recipient can detach it, launch Lotus 1-2-3,
and then open it using the File - Open command.
As an alternative, Macintosh users can install Internet Config (a widely used free software utility) and
configure a mapping for the ″X-Lotus-123R1″ MIME type. Claris Emailer can then use the file mapping
table in Internet Config to determine the application to use to launch the attachment directly from the
message.
Configuring outbound Internet mail to use RFC 822 address format (phrase parts)
RFC 821 defines the standard convention for naming mailbox addresses as ″user@domain″ or more
broadly, ″Localpart@Domainpart.″ This format has come to be known as RFC 821-style addressing.
Subsequently, RFC 822 specified a format for a more human-readable Internet address, which adds a
phrase part, also known as a friendly name or display name, before the actual address. Phrase-style
addresses use the form ″Phrase″ <localpart@domainpart>; an optional display name indicates the name of
the recipient for display to the user of a mail application, for example, ″John Jones″ <JJones@acme.com>.
You can have Domino add a phrase to the sender’s address on outbound SMTP mail and specify the
name component to use as the address phrase. By default, addresses do not include phrases. If you
choose not to support phrase-style addresses, you can specify that Domino remove any user-added
phrases in the recipient fields of outbound messages.
You configure this address format using the ″RFC822 phrase handling″ field in the Configuration Settings
document, under the MIME - Advanced - Advanced Outbound Message Options tab.
The Router adds phrases to Internet addresses both when taking the address from a Person document in
the Domino Directory and when constructing the address from rules in the Global domain document.
This ensures that the contents of attached files are correctly interpreted by the recipient’s mail client.
Upon opening the message in a MIME-aware mail program, the recipient can open the attached
document from within the message, provided that the mail program recognizes the MIME type and the
associated application is installed on the recipient’s computer.
You can add, modify, or delete File Identification documents from the Domino Directory. Add new
documents to support additional file types. When adding a new File Identification document, you must
know the MIME type for the application and the file extension associated with the application. Modify a
File Identification document in the event that a default mapping is incorrect or later standards dictate a
change. You might also edit a File Identification document to specify which of multiple MIME types and
subtypes Notes and Domino assign to files with a given file extension when sending outbound mail.
How Domino uses File Identification documents when processing inbound mail: When receiving an
inbound MIME message that includes a file attachment, Domino reads the MIME headers to determine
the name and type of the attached file. If, however, the MIME headers do not specify the name of the
attached file, Domino must assign a name to the file that is both unique within the document and
includes the appropriate file extension. To determine the file extension to use in creating the file name,
Domino refers to the File Identification documents in the Domino Directory.
For example, if Domino receives a message that has a MIME header indicating that it contains a
Microsoft Word attachment (MIME type/subtype of application/ms-word), but neither the content-type
header or content-disposition header specify a file name, the server has to provide a name for the
attachment. To ensure that Domino creates a name using the correct file extension for a file of this type,
the server checks the Domino Directory for a File Identification document for this file type and subtype,
and then checks the ″Extension″ field of the matching document. Because, by default, the only document
that matches files with the MIME type application/ms-word indicates that the file uses the extension
DOC, Domino creates a file name using this extension.
How Domino uses File Identification documents when processing outbound mail: Domino servers
and Notes clients both use File Identification documents when sending MIME messages that include file
attachments. In both cases, information in the document is used to specify the MIME content type of the
message attachment.
Domino servers use File Identification documents when converting messages that include file attachments
from Notes rich-text format to MIME format for sending over SMTP. When converting an outbound
message that includes a file attachment, Domino first searches for a File Identification document that
corresponds to the file extension of the attachment. After locating the correct document, Domino uses the
MIME type and subtype information from the document to construct the MIME Content-type header for
the message part that describes the attachment.
When a Notes client attaches a file to a message it sends in MIME format (for example, when sending to
Internet recipients or to Notes mail recipients whose mail storage preference is set to MIME), the client
first checks the operating system to determine what file associations are defined. Clients running on
Microsoft Windows check the Windows registry, while clients running on the Macintosh check Internet
Config. If the client cannot locate MIME type information from these sources, it then checks the Domino
Directory for a File Identification document that applies to files with the same extension as the attached
file. After locating the correct document, the client places the MIME type and subtype information from
the document in the MIME header describing the attachment.
In the case of both servers and client, if more than one File Identification document applies to a given file
extension, the setting in the ″Outbound″ field of the documents determines which MIME type and
subtype to assign to file attachments with this extension when sending mail.
Field Description
MIME type General MIME category used to describe files of this content type or media; for example,
application, audio, image, or video. When sending attachments in MIME messages, the
information in this field is placed in the MIME Content-type header.
Each MIME type/subtype combination can be mapped to zero or more file extensions.
Each MIME type/subtype combination can be mapped to zero or more file extensions.
File extension The Windows or UNIX file name extension associated with files of this type; for example,
JPG, BMP, or NSF.
The Domino Directory can contain multiple File identification documents for a given file
extension.
If the MIME headers of an inbound message do not specify the name of an attached file,
Domino creates a file name for the attachment using this extension.
Description Use this field to specify the type of file or the name of the application used to create and
open the file.
Outbound If the Domino Directory contains multiple File Identification documents for files with this
file extension, this setting determines which MIME type and subtype Notes and Domino
use to send file attachments with this extension.
Note: Notes clients also use settings in the Windows registry or the Macintosh Internet
Config object to determine the MIME type and subtype to associate with a given file
extension.
Choose one:
v Send - When sending outbound messages in MIME format, Domino assigns this MIME
type and subtype specified in this document to attachments that have this file extension.
If there are multiple File Identification documents for a given file extension, select this
option for one document only. If the value in this field is set to Send in multiple File
Identification documents for a given file extension, Domino uses the first document
listed in the File Identifications view to set the MIME information for attachments with
the extension.
v Do not send - When sending outbound messages to MIME format, Domino does not
assign the MIME type and subtype specified in this document to attachments that have
this file extension. If there are multiple documents for a given file extension, specify this
option in the Outbound field in all but one of the documents.
To use disk space more efficiently, you can set up shared mail on each mail server after you set up the
Domino mail system. Shared mail, sometimes referred to as the Single Copy Object Store (SCOS), offers
an alternative to message-based mail, allowing servers to store a single copy of messages received by
multiple recipients in a special central database, or object store. Every server using shared mail contains
one or more of these object stores, or shared mail databases, to hold all shared messages. After you
enable shared mail on a server, all mail databases on the server automatically use the shared mail
database to store the content of new messages, unless you explicitly exclude a database from using
shared mail. You do not need to configure each user’s mail file individually for shared mail use.
When shared mail is enabled and an incoming message is addressed to multiple local recipients, the
Router divides the message into a message header and message body. The header includes the message’s
To, cc, bcc, Subject, and From fields. The body includes the text and other content, as well as any file
attachments. The Router then writes the message body to a shared mail database and the message header
to each recipient’s mail file. The message body stored in the shared mail database contains an object store
link, which identifies all of the mail files linked to that message. Similarly, the corresponding message
headers stored in each recipient’s mail file each contain a pointer to the object store that contains the
message body.
To keep shared mail databases small, Domino automatically purges the shared portion of a message from
the shared mail database after all recipients delete the message from their mail files. Domino purges the
shared portion of these obsolete messages immediately; you do not have to wait for a task to run before a
message can be removed.
To improve efficiency and support encryption, Domino excludes certain messages from the object store.
Users always receive messages smaller than one kilobyte (1 KB) as complete messages. This guarantees
that message pointers in a mail file never exceed the size of the message body in the shared mail
database. In addition, users always receive complete messages if instructions in their Person documents
specify to encrypt incoming mail.
Using a shared mail database is completely transparent to users. When a recipient opens a message, the
link between the mail file and the shared mail database causes the message to appear in its entirety.
Users can delete, reply to, change the view or folder, edit, save, resend, and perform all the same tasks on
a mail message stored in a shared mail database as they would with the same message stored in their
own mail files. If a users edit and save, or encrypt and save a message, the complete message is then
stored in their personal mail file, with no effect on how the original message appears to other users.
Shared mail works for all messages, regardless of the mail client used to compose the message. That
means that users who use a POP3, IMAP, or Notes mail client and who have a mail file on the Domino
mail server can all use shared mail. However, shared mail is not used if the various recipients have
different format preferences for incoming mail. For example, if a message is sent to four users, half of
817
whom have Notes rich text format specified as their format preference, and half whose format preference
is set to MIME, all of the users receive the complete message.
You can configure the server to use as many as ten active shared mail directories at one time. Each
configured shared mail directory can contain as many as 100 shared mail databases, to a maximum of
1000 total shared mail databases per server.
If a server has less than 1000 active databases configured, it can continue to reference a number of
inactive shared mail databases up to the maximum of 1000. Inactive databases no longer receive new
mail, but store previously received messages. A server can support as many as 40 inactive shared mail
directories, As with active shared mail directories, each of these inactive directories can contain a
maximum of 100 shared mail databases. A single shared mail directory can contain both active and
inactive databases.
A shared mail database is automatically set to inactive if the parent directory exceeds the maximum size
you specify for it in the Server document.
When a server has multiple active shared mail databases, user mail files on the server may contain links
to any or all of them, as well as to inactive shared mail databases. If you create additional shared mail
databases, Domino distributes a portion of all new incoming messages to each of them. Previously
received messages continue to reside in the shared mail databases where Domino originally stored them.
Using multiple shared mail databases reduces the amount of shared mail that could be lost or become
temporarily inaccessible as a result of database corruption. You can enable transaction logging for shared
mail databases, so that databases corrupted as the result of a server crash or power outage can be
automatically recovered at server startup. Enabling transaction logging frees you from the need to restore
shared mail databases manually.
If transaction logging for shared mail is not enabled, to protect shared mail databases against data loss,
install a backup utility that can back up and verify open NSF files and back up all shared mail databases
at least once a day. Because security settings on shared mail databases prevent replication, you cannot
replicate shared mail databases to provide backup.
For more information on restoring shared mail databases, see the topic Restoring a shared mail database″
later in this chapter.
The actual file size of the mail database that uses shared mail therefore does not necessarily reflect its
logical size. For example, a user’s mail file might exceed its quota limit of 60MB even though the physical
size of the file is only 35MB.
Note: If the combined size of a message and its attachments is 1KB or less, Domino delivers the
complete message to the recipient’s mail file and does not use the object store.
3. The Router stores a copy of the header in each recipient’s mail file and stores a single copy of the
content in the shared mail database.
4. When a recipient opens the message, the header activates a link to the message content, which is
stored in the shared mail database. The message appears as though the entire message is stored in the
recipient’s mail file.
5. If the recipient deletes a shared message, Domino deletes only the header in the recipient’s mail file.
The content is not affected because it is stored in the shared mail database.
6. After all of the recipients delete the message header from their mail files, Domino automatically
purges the obsolete message, including the content in the shared mail database.
For more information on how Domino removes obsolete message from a shared mail database, see the
topic ″Purging obsolete shared mail messages″ later in this chapter.
v If a user edits and saves a received message, Domino stores the revised message in the user’s mail
file in its entirety and deletes links between the user’s mail file and the message body in the shared
mail database.
Shared mail directories must reside within the logical directory structure that is controlled by the server
or be referenced by a directory link within that directory structure. To improve performance, you can
place shared mail databases on another file system. When creating shared mail databases in a directory
that is not a subdirectory of the Domino data directory, Domino creates a link to point to the shared mail
directory. If no link exists, Domino cannot locate the shared mail databases.
5. For each shared mail directory you want to create, complete the following fields and then click Save
& Close:
C:\LOTUS\DOMINO\DATA\SHAREDMAIL
If the directory you specify does not exist, Domino creates it for you.
You can configure up to 10 active shared mail directories. In addition, Domino recognizes
as many as 40 inactive shared mail directories, from which users can continue to access
messages. Inactive directories are directories that no longer appear in the server document,
but remain in the last location specified.
Number of files The number of shared mail databases to create in the specified directory. Enter a number
between 1 and 100.
Maximum directory The maximum total size, in megabytes (MB), of all shared mail databases in the directory.
size Enter a number between 1 and 8192. If the directory size exceeds this value, Domino stops
adding new mail to the shared mail databases in the directory.
Delivery status Specifies whether the Router can deliver messages to shared mail databases in the
directory. Choose one:
v Open - (default) The Router can access active shared mail databases in this directory for
delivery. Although the delivery status for the directory is set to Open, individual
databases in the directory may be closed to delivery.
v Closed - The Router does not deliver new messages to shared mail databases in this
directory. Domino closes a directory automatically if it exceeds its size or as the result of
certain error conditions. Select this option if you have a temporary need to shut off
access to the database to prevent directory growth -- for example, if another service that
stores data on the disk needs immediate space -- but you don’t want to change the
configured directory size.
6. To put the new configuration into effect, restart the server or enter the following command at the
server console:
Show SCOS
For more information about using the SHOW SCOS command, see the appendix ″Server Commands.″
Using shared mail for delivery only or for transfer and delivery
There are two ways of setting up shared mail. One is for delivery only, and the other is for transfer and
delivery. When shared mail is enabled for delivery only, the Router places the body of an incoming
message in the shared mail database only if there are multiple local recipients. Messages for a single local
user are delivered as complete messages. The server uses its normal transfer mechanism for messages
being routed through the server to another destination; that is, messages in MAIL.BOX that are awaiting
transfer to another server always remain intact.
In contrast, when shared mail is enabled for transfer and delivery, the server splits every message it
receives (that is, the content goes to the shared mail database and the header goes to MAIL.BOX),
regardless of the number of recipients. Then, during delivery, the Router merges the header and content
together, examines the recipient list, and either transfers the message to the next server, or delivers it to
the local recipients (with the content staying in the shared mail database and the header going to the
users’ mail files).
The shared mail setting that you decide to use depends on your situation. In general, use shared mail for
transfer and delivery on servers that have mostly deliveries and few transfers to other servers. Because
most incoming messages are likely to be for local delivery, it’s efficient to have the server automatically
place all incoming messages in the object store. On the other hand, on servers such as hub servers, which
perform mostly transfers and have few local mail file deliveries, use shared mail for delivery only.
Because incoming messages on these servers are likely to be transferred to another server, it’s
counterproductive to have the server absorb the cost of preparing mail for the object store.
In the end, both settings provide similar disk space savings, but because the ″transfer and delivery″
setting always places the message body directly in the object store, rather than in MAIL.BOX, it provides
faster delivery for local users by eliminating the transfer time required to move mail from MAIL.BOX to
the object store.
If a shared mail directory reaches the configured maximum size, Domino automatically deactivates it,
changing the delivery status of the directory to Closed, so that it can no longer receive new mail. Existing
links between users’ mail files and the inactive shared mail database continue to work, so users can read
and otherwise work with these messages. If another shared mail directory is available, the Router places
future messages into the active shared mail databases in that directory. If no shared mail directories are
available, the Router delivers new messages as complete messages to user mail files.
If there’s still adequate space on the current disk, after the existing shared mail directories reach their size
limit, you can increase the maximum size of the existing directories. If the amount of additional space on
the current disk is limited, create another shared mail directory on a separate disk that has more space.
If database contention (too many users accessing the database at the same time) is affecting performance,
and space allows, increase the number of databases (not the size) within the existing shared mail
directories or create new shared mail directories on the same disk or a separate disk.
If the server has a drive mapped to another computer, you can place the directory on that drive by
entering its full path. For example:
J:\Shared\SHAREDMAIL
You cannot specify a path in the form of a Universal Naming Convention (UNC) name (that is, using the
format: //hostname/sharepoint).
CAUTION:
If Domino loses access to the remote directory for any reason, users will be unable to access messages
stored in that directory.
Whether you extend the size of current directories or add new ones depends on whether physical space
or concurrent usage is the limiting factor.
If your existing shared mail directories reach their size limit, and there’s still adequate space on the
current disk, increase the maximum size of the existing directories. If the amount of additional space on
the current disk is limited, create another shared mail directory on a separate disk that has more space.
If database contention (too many users accessing the database at the same time) is affecting performance,
and space allows, increase the number of databases (not the size) within the existing shared mail
directories or create new shared mail directories on the same disk or a separate disk.
Use the Shared Mail tab on the Server document to change the directory settings. In addition, you can
also use the SET SCOS command to change the status of individual shared mail databases within a
directory. For more information about using the SET SCOS command, see the appendix ″Server
Commands.″
C:\LOTUS\DOMINO\DATA\SHAREDMAIL
If the server can has a drive mapped to another computer, you can place the directory on
that drive by entering its full path. For example:
J:\Shared\SHAREDMAIL
Note: If the server is unable to connect to the remote drive, access to directories on the
drive will be interrupted.
If the directory you specify does not yet exist, Domino creates it for you.
You cannot specify a path in the form of a Universal Naming Convention (UNC) name
(that is, //hostname/sharepoint)
Number of files The number of shared mail databases to create in the specified directory. Enter a number
between 1 and 100.
5. To add more shared mail databases to an existing shared mail directory, increase the value in the
Number of Files field for that directory.
6. To increase the size of an existing shared mail directory, enter a new value in the Maximum directory
size field for that directory. A directory can have a maximum size of 8192MB. If the directory size
exceeds this value, Domino stops adding new mail to the shared mail databases in the directory.
7. At the server console, enter the following command to put the new configuration into effect:
Show SCOS
For more information about using the Show SCOS command, see the appendix ″Server Commands.″
These statistics provide information you need before administering shared mail by showing how shared
mail is currently used on a server. You can see the object store filename, the mail databases that use the
object store, the number of documents referenced in the object store for each mail database, and the total
size of documents in the object store for each mail database. This information can help you determine
how much disk space you would need if you were to unlink the user’s mail file from the shared mail
database. Likewise, you can see the total size of all documents in the shared mail database, so you’d
know how much space you would need if you unlinked the entire shared mail database.
To run the Object Collect task to generate shared mail statistics: Enter the following at the server
console:
Load Object Info -Full SHARED.NSF
where SHARED.NSF is the full pathname of a shared mail directory or a specific shared mail database.
To eliminate redundant copies of messages received by multiple users to save additional space, you may
want to transfer these existing messages to the object store. To store these messages in a shared mail
database, you use the Object Link command to link the user’s mail file to a shared mail directory.
During the linking operation, the Object Store Manager moves the content of each shared message from
the user’s mail file to the shared mail databases in the specified directory. Message headers remain in the
mail file with a link to the shared mail database containing the shared portion. If more than five
messages are moved to the shared mail database, the Object Store Manager automatically compacts the
user’s mail file to reclaim the disk space that was previously occupied by the message content. Linking
does not determine whether the mail file stores future messages it receives as complete messages or uses
the object store. If you disable shared mail on the server, or exclude the mail file from using shared mail,
the messages placed in the object store during the linking process remain there, even if the mail files
receive complete messages in the future.
You can also use the Object Link command to unlink a mail file from all shared mail databases so that
existing messages in the mail file will be stored as compete messages; and unlink a shared mail database
from all mail files.
To link a mail file: The linking operation splits complete messages in a mail file into headers and
content and distributes the content to the shared mail databases on the server. Typically, you would use
linking to process the complete messages in a mail file that is newly replicated to another shared mail
server, or that existed on a server before you enabled shared mail.
where USERMAIL is the name of the directory containing user mail files. Running this command links
messages in the specified user mail files to the configured shared mail databases in a distributed fashion.
You cannot link a mail file to a specific shared mail database.
To link a mail file without compacting it: By default, if linking a mail file results in more than five
messages being moved to the shared mail database, the Object Store Manager compacts the user’s mail
file. To link a mail file without compacting it, use the -Nocompact option.
where USERMAIL is the name of a single user mail file or a directory containing user mail files.
For example:
Load Object Link -Nocompact Mail\DMalone.NSF
E:\Lotus\Domino\Shared\SCOS1
Unlinking messages in a user’s mail file from the object store: You can restore complete messages to a
user’s mail file by unlinking the mail file from the shared mail databases.
After you unlink existing messages from the shared mail databases, new messages delivered to the mail
file continue to use shared mail as long as shared mail is enabled on the server, unless you explicitly
exclude the mail file from using shared mail.
For information about excluding a mail file from using shared mail, see the topic ″Excluding a mail file
from using shared mail″ later in this chapter.
where USERMAIL.NSF is the complete path to a user mail file or a directory containing mail files.
where OBJECTSTORE is the name of a shared mail directory or an individual shared mail database.
CAUTION:
Unlinking an object store can significantly increase the size of all mail files that previously linked to
the object store. Before unlinking an object store, confirm that the disk where user mail files reside
includes enough available space to accommodate the resulting increase.
where USERMAIL.NSF is the complete path to the user’s mail file or a directory that contains mail files.
For example, to determine the shared mail use of all mail files in a directory, enter:
Load Object Info C:\LOTUS\DOMINO\DATA\MAIL
For each mail database in the directory, the results indicate whether the mail file is set to use shared mail
and currently has links to messages shared in any shared mail databases:
12/06/2001 03:45:03 PM Object Store Manager: mail\gthiers.nsf is not an object store
12/06/2001 03:45:03 PM Object Store Manager: mail\gthiers.nsf contains notes which use an object store
12/06/2001 03:45:03 PM Object Store Manager: mail\gthiers.nsf is set always to use object store (multiple)
12/06/2001 03:45:05 PM Object Store Manager: mail\ewilson.nsf is not an object store
12/06/2001 03:45:05 PM Object Store Manager: mail\ewilson.nsf contains no notes which use an object store
12/06/2001 03:45:05 PM Object Store Manager: mail\ewilson.nsf is set always to use object store (multiple)
To exclude a mail file from using shared mail: Enter this command at the console:
Load Object Set -Never
USERMAIL.NSF
where USERMAIL.NSF is the full path for a mail file or a directory that contains mail files.
For example:
Load Object Set -Never C:\LOTUS\DOMINO\DATA\MAIL\RBOWKER.NSF
sets the mail file RBOWKER.NSF to never use shared mail on the server. The process has no effect on
existing messages.
To include a previously excluded mail file: If you previously excluded a mail file from shared mail and
then want it to use shared mail again, you can re-enable the mail file to use shared mail for new
messages. The process has no effect on existing messages. Enter this command at the console:
Load Object Reset -Never
USERMAIL.NSF
where USERMAIL.NSF is the full path for a mail file or a directory that contains mail files.
For example:
Load Object Reset -Never C:\LOTUS\DOMINO\DATA\MAIL\
resets all mail files in the MAIL directory that were previously excluded from using shared mail so they
use the object store for new mail.
Enabling messages added during replication to be placed in the object store: When shared mail is
enabled on a server, mail files hosted on the server automatically use shared mail for new messages
received through the Domino routing process. However, when the replication process, rather than the
Router, adds new mail to a replica mail file, by default, the mail file stores the mail as complete
documents.
To enable messages added during replication to be placed in the object store: To enable messages
added during replication to be placed in the object store, you must set a mail file to always use shared
mail. Enter this command at the console of the server that stores the replica mail files and that uses
shared mail:
Load Object Set -Always USERMAIL.NSF
where USERMAIL.NSF is the name of a replica mail file or a directory that contains replica mail files. For
example,
Load Object Set -Always Dmalone.nsf
causes Domino to store the content of messages replicated to DMALONE.NSF in one of the configured
shared mail databases on the server during future replications.
To split messages that were previously replicated and place the message bodies in a shared mail
database, use the Load Object Link command.
For more information on the Load Object Link command, see the topic ″Linking unshared messages in a
mail file to the object store″ earlier in this chapter.
To enable existing messages in a replica to be placed in the object store: To have a mail file use shared
mail for messages that already existed at the initial replication, link the mail file to the object store on the
second server. For more information on linking a mail file to an object store, see the topic ″Linking
unshared messages in a mail file to the object store″ earlier in this chapter.
To disable shared mail for replica mail files: Enter this command at the console of the server that
stores the replica mail files:
Load Object Reset -Always USERMAIL.NSF
where USERMAIL.NSF is the name of a replica mail file or a directory that contains replica mail files.
Using shared mail with Domino clusters: For a Domino cluster in which some servers have shared
mail enabled, you can create replicas of user mail files, and use cluster replication to increase mail
reliability. Although you cannot use cluster replication to keep shared mail databases synchronized, you
can use cluster replication to replicate information to another mail file replica and then configure that
replica to use shared mail on the local server. Each server in the cluster must have shared mail enabled.
You can also use this same procedure for mail file replicas located on servers not in a cluster -- that is,
servers kept synchronized by standard Domino replication.
When all recipients have deleted a message from their mail files, the reference count for the message
reaches zero, and the message becomes obsolete. Domino automatically purges the shared portion of
obsolete messages from the shared mail databases immediately after all users have deleted it from their
mail files.
In earlier releases of Domino, links to user mail files and obsolete messages were not immediately deleted
after users deleted messages from their mail file. Deletions occurred only after the Object Collect task was
run, an expensive process that examines each link in the referencing databases to determine whether the
referring note still exists.
In Domino, the Object Collect task is used to resynchronize mail files with a shared mail database and to
generate shared mail statistics. Synchronization between a shared mail database and the mail files that
use it can become disrupted if a shared mail database is restored from a backup that doesn’t include the
most recently received messages. As a result, these messages are incomplete and cannot be read: the
message headers appear in users’ mail files, but no message body exists in the object store. Running the
Object Collect task resynchronizes a mail file with the object store by purging incomplete messages. The
task checks each mail file that uses the object store and removes those messages that have no message
body in the object store.
If a mail file has replicas on other servers, messages removed during resynchronization can be restored to
the shared mail database when replicated to the mail file on the shared mail server.
Running the Object Collect task to purge messages, automatically generates shared mail statistics. For
information about using the Object Collect task to generate shared mail statistics without purging
messages, see the topic ″Generating and viewing shared mail statistics″ earlier in this chapter.
To preview which messages will be purged: Before purging obsolete messages, enter this command at
the console to determine which documents will be deleted and how much space will become available:
Load Object Collect -Nodelete
To purge messages from the shared mail database: Enter one of these commands at the console:
Load Object Collect SHARED.NSF
Load Object Collect -Force SHARED.NSF
where SHARED.NSF is the name of the shared mail directory or a specific shared mail database. Use the
-Force option after you delete a user’s mail file to reclaim the disk space used by shared messages that
reference the deleted mail file only.
To purge messages from a user’s mail file: Enter this command at the console:
Load Object Collect USERMAIL.NSF
If you do not use transaction logging, back up the shared mail database at least once a day and use
multiple shared mail databases on the server. Using multiple shared mail databases on different physical
disks can reduce the amount of shared mail data lost in the event of database corruption or disk failure.
If data loss occurs on a server that does not use transaction logging or was not backed up using a utility
that supports transaction logging, you may be unable to restore some messages to the shared mail
database. Therefore, users’ mail files might still contain message headers that reference message content
that was not restored in the shared mail database. These users cannot read these messages because the
shared mail database doesn’t contain the corresponding message content.
Before deleting a shared mail database, unlink all mail files from it. Unlinking mail files from a shared
mail database places a complete copy of each message in the shared mail database in all of the mail files
listed in the message’s object store link. If you delete a shared mail database that is still linked to users’
mail files, those users lose access to message bodies contained in the database.
To take advantage of the space savings already achieved, you may choose to preserve inactive shared
mail databases in their current state. If you do decide to retain these inactive databases, they must remain
in their current location to allow users to access messages.
The Domino POP3 service acts as an intermediary for communications between POP3 mail clients and
the Domino mail server. By default, the Domino POP3 service monitors TCP port 110, where POP3 clients
connect to submit requests to the service to retrieve mail. After receiving a request, the POP3 service
sends mail to the client. POP3 clients let users specify whether to leave a copy of a message on the server
after retrieving it. By default, messages downloaded by the client are deleted from the server.
The POP3 service complies with RFC 1939 - Post Office Protocol Version 3.
For information about specifying the SMTP server that a POP3 client uses for outbound mail, see the
topic ″Configuring POP3 client software″ later in this chapter.
To authenticate POP3 users, Domino relies on authentication methods built into the Internet protocols.
The methods available depend on the server ports you configure the POP3 service to use. The POP3
service can use a TCP/IP port, a Secure Sockets Layer (SSL) port, or both the TCP/IP and SSL ports.
If POP3 uses the TCP/IP port only (the default), the server uses basic name-and-password authentication
to identify users. The login names that the server accepts as valid depend on the setting in the Internet
authentication field on the Security tab of the Server document.
For more information on configuring how Domino authenticates Internet clients, see the chapter ″Setting
Up Name-and-Password and Anonymous Access to Domino Servers.″
If the SSL port is enabled, you can specify whether a client certificate is required to authenticate (SSL
authentication), and whether clients must also supply a name and password.
833
For information on setting up an SSL server, see the chapter ″Setting Up SSL on a Domino Server.″ For
information on setting up clients for SSL, see the chapter ″Setting Up Clients for S/MIME and SSL.″
Accessing a mail file from the Notes client and a POP3 client
POP3 clients use the standard Domino mail file database. This allows registered Notes users to access
their mail files from both a POP3 client and the Notes mail client.
load POP3
Start the POP3 service automatically when you Edit the ServerTasks setting in the NOTES.INI file to include the
start the Domino server command POP3. Domino adds the POP3 task by default to the
NOTES.INI file if you select the POP3 service during installation.
Stop the POP3 service Enter the following command at the console:
Configuring POP3 authentication options on servers that use Internet Site documents: On servers that
use Internet Site documents, the POP3 service obtains port authentication settings from the Security tab
of the POP3 Site document, rather than from the Server document. As a result, when Internet Site
documents are used, the TCP/IP and SSL port authentication settings described in the procedures that
follow are not available in the Server document. Settings in the Server document still provide the port
numbers and status for the POP3 TCP/IP and SSL ports, and enable the POP3 ports to honor server
access restrictions.
To determine whether the use of Internet Site documents is enabled for a server, check the value of the
following field on the Basics tab of the Server document: ″Load Internet configurations from
Server\Internet Sites documents.″ If this field is set to ″Enabled,″ the server uses Internet Site documents
to configure all of its Internet protocols (POP3, IMAP, SMTP, and so forth).
For information on creating and using Internet Site documents, see the chapter ″Installing and Setting Up
Domino Servers.″
Note: On servers with multiple TCP/IP ports, by default, the POP3 service uses the port listed first in
the NOTES.INI file as the preferred path. If you want the service to use a port other than the default one,
you can configure it to use a specific port.
For information on configuring an Internet service to bind to a specific TCP/IP port, see the chapter
″Setting Up the Domino Network.″
Field Enter
TCP/IP port number Choose 110 (default) to use the industry standard port for POP3 connections over
TCP/IP. You can specify a different port, but 110 works in most situations. When
specifying a nonstandard port, make sure the port is not reserved for another service.
Port numbers can be any number from 1 to 65535.
TCP/IP port status Choose one:
v Enabled (default) - Allows POP3 clients to connect to the Domino server without
using SSL. Users must provide their name and Internet password to connect.
v Disabled - Prevents POP3 clients from connecting to the Domino server, unless they
can connect using SSL.
Enforce server access Choose one:
settings v Yes - Access to the POP3 service is controlled by the server access settings on the
Security tab of the Server document. Users who are not allowed to access the server
cannot access mail through the POP3 service.
v No - (default) The POP3 service ignores the server access settings in the Server
document.
4. Restart the POP3 task to put the new settings into effect.
Field Enter
SSL port number Choose 995 (default) to use the industry standard port for POP3 connections over SSL.
You can specify a different port, but 995 works in most situations. When specifying a
nonstandard port, make sure the port is not reserved for another service. Port numbers
can be any number from 1 to 65535.
SSL port status Choose one:
v Enabled - Allows POP3 clients to connect to the POP3 service over SSL.
v Disabled - (default) Prevents client connections over SSL.
Authentication options: If ″SSL port status″ is set to Enabled, choose one:
Client certificate v Yes - The POP3 SSL port authenticates POP3 clients that use client certificates. If a
connecting client does not have a certificate, the server reverts to using
name-and-password authentication.
v No - (default) The POP3 SSL port does not support client certificate authentication.
Authentication options: If the ″SSL port status″ field is set to Enabled, choose one:
Name & password v Yes - POP3 clients use name-and-password authentication when connecting to the
POP3 service over SSL.
v No - (default) The POP3 SSL port does not support name-and-password
authentication.
5. Restart the POP3 task to put the new settings into effect.
Performing additional POP3 configuration: In addition to configuring the POP3 service port, you can
customize the operation of the POP3 service by setting variables in the server’s NOTES.INI file. Variables
used to configure the POP3 service begin with the prefix ″POP3.″
For more information on setting variables in the NOTES.INI file, see the appendix ″NOTES.INI File.″
Note: By default, the Domino registration process generates a Notes ID file (and corresponding Notes
Public Encryption Key in the Domino Directory) for each user in addition to creating the Person
documents and mail files required by a POP3 user. Because users who will access Domino from POP3
clients only do not require a Notes ID, during registration you can deselect the option to ″Create a Notes
ID for this person.″ However, if a new POP3 user also requires access to Domino from a Notes client,
Domino Administrator client, or Domino Designer client, be sure to enable creation of an ID file.
The following procedure specifies the Person document settings required for POP3 users and explains
how to create a Person document manually.
Field Description
First name The name the client uses to authenticate with the POP3 server must be unique in the
Domino Directory.
Last name
Depending on the level of Internet access security established for the server (Server
User name document - Security tab), the login name or user name configured on the POP3 client
must match an entry in one of these fields. Entries in the User name field are always
accepted as the login name. If Internet authentication is set to allow ″More name
variations with lower security″ entries in the First name and Last name fields may also
be accepted as login names.
Internet password The password that the user enters to access the Domino server from the POP3 client.
POP3 users must have an Internet password that complies with your organization’s
password quality requirements.
Mail system Choose POP or IMAP if the user does not require Notes client access.
Domain The name of the Notes domain to which the server belongs.
Mail server The name of the POP3 user’s Domino mail server.
Mail file The path for the user’s mail file, relative to the Domino data directory -- for example:
MAIL\AJONES.
Forwarding address Leave this blank for users who access mail files on the Domino server from a POP3
client.
Internet address The Internet address at which the user can receive mail within your organization. This
address must match the Internet address specified in the POP3 client.
For more information about password quality requirements, refer to the chapter ″Protecting and
Managing Notes IDs.″
5. Complete the procedure ″Creating a mail file for a POP3 user.″
If a user does not have an existing mail file on a Domino server, create a new mail one as described in
the following procedure.
Field Enter
Server The Domino mail server that stores the user’s mail file.
Title The name of the client’s mail file -- for example, Alan Jones’ Mail.
File name The full path to the mail file, relative to the Domino data directory -- for example,
MAIL\AJONES.NSF.
4. From the list of template names, select Mail (R6) with the filename MAIL6.NTF, and click OK.
The requirements for configuring POP3 client software differ for each product. This table presents general
requirements.
Field Description
Incoming mail (POP3) server Fully qualified host name of Domino POP3 server.
Outgoing mail (SMTP) server The fully qualified host name of a server running SMTP to which the user can
send mail addressed to intranet or Internet recipients. The SMTP server may be
the Domino server running the POP3 service, a different Domino server, or a
non-Domino SMTP server.
Authentication required to send Specifies whether the configured SMTP server requires users to provide a name
outbound mail and password before they can send outgoing messages.
Account/Login name The name by which the user authenticates with the Domino server. Valid user
name values depend on the setting in the Internet authentication field of the
Server document:
v If the server is set to use ″More name variations with lower security,″ users can
enter a login name that matches any entry in the First name, Last name, User
name or Short name/UserID field of the Person document, as long as it is
unique within the Domino Directory, for example, JCorrer.
v If the server uses ″Fewer name variations with higher security,″ a user’s login
name must match an entry in the User name field of the Person document, for
example, Jada Correr/ACME
Password The Internet password from the user’s Person document.
Automatically delete mail By default, when downloading messages from the server, most POP3 clients
documents from the POP3 server delete the server copy to conserve disk space. For users who read mail from both
after the client copies them the Notes client and a POP3 client, make sure the POP3 client is set to leave
locally. messages on the server.
POP3 client should check for Determines how often the POP3 client checks for mail. If the client checks for
mail no more than every five (5) mail more frequently, it may affect server performance.
minutes.
E-mail address The Internet address specified in the user’s Person document.
For more information on the relationship between security settings and valid login names, see the chapter
″Setting Up Name-and-Password and Anonymous Access to Domino Servers.″
The Domino IMAP service acts as an intermediary for communications between IMAP mail clients and
the Domino mail server. By default, the IMAP service monitors TCP port 143 for IMAP client requests.
After connecting to the IMAP service, IMAP mail clients can:
v Access messages on the Domino mail server
v Retrieve messages from the Domino mail server and store them locally
v Copy messages for offline use and then later synchronize with mail on the server
v View folders in another user’s mail file or public folders in a shared database (requires a client that
supports the IMAP NAMESPACE extension)
For information about specifying the SMTP server that an IMAP client uses for outbound mail, see the
topic ″Configuring IMAP client software″ later in this chapter.
To authenticate IMAP users, Domino relies on authentication methods built into the Internet protocols.
The methods available depend on the server ports you configure the IMAP service to use. The IMAP
service can use a TCP/IP port, or a Secure Sockets Layer (SSL) port, or both the TCP/IP and SSL ports.
If IMAP uses the TCP/IP port only (the default), the server uses basic name-and-password authentication
to identify users. The name under which a user can log in to the IMAP service must match one of several
fields in the user’s Person document. The set of names that the server accepts as valid depends on the
setting in the Internet authentication field on the Security tab of the Server document.
For more information on configuring how Domino authenticates Internet clients, see the chapter ″Setting
Up Name-and-Password and Anonymous Access to Domino Servers.″
841
If the IMAP SSL port is enabled, you can specify whether a client certificate is required to authenticate
(SSL authentication), and whether clients must also supply a name and password.
For information on setting up an SSL server, see the chapter ″Setting Up SSL on a Domino Server.″ For
information on setting up clients for SSL, see the chapter ″Setting Up Clients for S/MIME and SSL.″
A standard Domino mail file stores information about the messages it contains within database items of
the message. Notes clients can read and interpret the information stored in these items, but IMAP clients
cannot. To support IMAP clients and store IMAP-specific information, the Domino mail file requires the
addition of special IMAP database items.
IMAP stores message information within its own set of attributes. For a Domino mail file to be used with
IMAP, Notes/Domino items in the mail file have to be translated into IMAP attributes. In addition, the
mail file must be set up so that all future messages delivered to it store attribute information in IMAP
format.
To enable IMAP clients to access Domino mail files, run the mail conversion utility. The conversion
process places information about each message, such as its message ID and folder location, into the
message’s IMAP attributes, and sets a flag in the mail file that notifies the Router to add these IMAP
attributes when delivering future messages.
You can run the conversion utility manually to convert mail files before users log in to the IMAP service,
or set up the IMAP service so that it converts mail files automatically the first time a user logs in.
Note: To avoid possible conversion delays, run the conversion utility before users log in.
Before running the conversion utility, you may first need to prepare the mail file. For more information,
see the topic ″Preparing a mail file for IMAP access″ later in this chapter.
Note: The Router adds these attributes only if the recipient’s Person document specifies MIME as the
preferred mail storage format. The attributes are not added to messages delivered in MIME format to a
user whose storage preference is set to ″Keep in sender’s format.″
These attributes contain summary information about the MIME content type, structure, and size of a
message. Exactly how the attributes are used depends on the client. Almost all clients request size
information. In addition, some request type and body structure information. If these summary attributes
are present, when the IMAP service returns message headers in response to a client FETCH request, it
uses the attribute information to fulfill the request, rather than opening each message to obtain the
information. As a result, the client displays message headers much more quickly than it can in the
absence of the summary attributes. The improved response time is especially significant for large mail
files with a a high percentage of messages in Notes rich text format.
After you run the conversion utility to enable a mail file for IMAP use, you have to run the conversion
utility a second time, using the -h option, to add these attributes to messages. The initial mail file
conversion performed to enable a mail file for IMAP use does not add IMAP-specific attributes to
pre-existing messages in the mail file, regardless of whether you run CONVERT manually or let the
IMAP service automatically enable mail files. Thus messages added to a mail file before it is enabled for
IMAP never contain these summary attributes.
After you enable a mail file for IMAP use, the Router automatically adds these IMAP attributes to
messages, if the mail storage preference is set to Prefers MIME in the user’s Person document. However
it does not add them to messages stored in Notes rich text format.
For more information about running the mail conversion utility using the -h option, see the topic ″Using
the conversion utility to add IMAP summary attributes to messages″ later in this chapter
IMAP provides a mechanism for retrieving mail only; IMAP clients send mail using SMTP. For
information about enabling SMTP, refer to the chapter ″Setting Up Mail Routing.″
load imap
Start the IMAP service automatically when you start Edit the ServerTasks setting in the NOTES.INI file to include
the Domino server the command imap. Domino adds the IMAP task by default
to the NOTES.INI file if you select the IMAP service during
installation.
Stop the IMAP service Enter the following command at the console:
By default, IMAP clients connect to TCP/IP port 143 on the Domino server. You might need to specify a
different port number if there are multiple instances of the IMAP service on the host machine as, for
example, on a partitioned server. You might also change the default port to a nonstandard port number
to ″hide″ it from clients attempting to connect to the default port, or if another application uses the
default port on the server. Disable the port or change the security options to prevent IMAP clients from
accessing the Domino server.
Configuring IMAP authentication options on servers that use Internet Site documents: On servers that
use Internet Site documents, the IMAP service obtains port authentication settings from the Security tab
of the IMAP Site document, rather than from the Server document. As a result, when Internet Site
documents are used, the TCP/IP and SSL port authentication settings described in the procedures that
follow are not available in the Server document. Settings in the Server document still provide the port
numbers and status for the IMAP TCP/IP and SSL ports, and enable the IMAP ports to honor server
access restrictions.
To determine whether the use of Internet Site documents is enabled for a server, check the value of the
following field on the Basics tab of the Server document: ″Load Internet configurations from
Server\Internet Sites documents.″ If this field is set to ″Enabled,″ the server uses Internet Site documents
to configure all of its Internet protocols (IMAP, POP3, SMTP, and so forth).
If the server uses Internet Site documents, and an IMAP Site document is not present in the Domino
Directory, or the authentication options in a configured IMAP Site document are set to No, users cannot
connect to the IMAP service. In each case, IMAP clients receive the following error when attempting to
connect to the IMAP service:
This site is not enabled on the server.
For information on creating and using Internet Site documents, see the chapter ″Installing and Setting Up
Domino Servers.″
Note: On servers with multiple TCP/IP ports, by default, the IMAP service uses the port listed first in
the NOTES.INI file as the preferred path. If you want the service to use a port other than the default one,
you can configure it to use a specific port.
Field Enter
TCP/IP port number Choose 143 (default) to use the industry standard port for IMAP connections over
TCP/IP. You can specify a different port, but 143 works in most situations. When
specifying a nonstandard port, make sure the port is not reserved for another service.
Port numbers can be any number from 1 to 65535.
TCP/IP port status Choose one:
v Enabled (default) - Allows IMAP clients to connect to the Domino server without
using SSL. Users must provide their name and Internet password to connect.
v Disabled - Prevents IMAP clients from connecting to the Domino server, unless they
can connect using SSL.
v Redirect to SSL - Denies access to clients connecting to the IMAP TCP/IP port, but
returns a message indicating that they must connect over SSL. You can specify the
contents of the message.
Note: To support IMAP clients, either the IMAP TCP/IP port or the IMAP SSL port
must be enabled, and the IMAP task must be running on the server.
Enforce server access Choose one:
settings v Yes - Access to the IMAP service is controlled by the server access settings on the
Security tab of the Server document. Users who are not allowed to access the server
cannot access mail through the IMAP service.
v No - (default) The IMAP service ignores the server access settings in the Server
document.
For information on customizing IMAP service greetings, see the topic ″Specifying the default IMAP
service greetings″ later in this chapter.
For instructions on setting up the IMAP SSL port, refer to the next topic, ″To enable and configure the
IMAP SSL port.″
4. Restart the IMAP task to put the new settings into effect.
Field Enter
SSL port number Choose 993 (default) to use the industry standard port for IMAP connections over SSL.
You can specify a different port, but 993 works in most situations. When specifying a
nonstandard port, make sure the port is not reserved for another service. Port numbers
can be any number from 1 to 65535.
SSL port status Choose one:
v Enabled - Allows IMAP clients to connect to the IMAP service over SSL.
v Disabled - (default) Prevents client connections over SSL.
5. Restart the IMAP task to put the new settings into effect.
Specifying the maximum number of IMAP sessions: To maintain a session with a client, Domino
allocates a main session thread, which uses a certain portion of the server’s memory. Each IMAP client
connecting to the server consumes an additional session thread, and thus a certain amount of memory. If
the number of IMAP sessions exceeds the amount of available memory, the server can become unstable.
To ensure that servers can properly support the number of connecting IMAP clients, you can set a limit
on the number of concurrent IMAP sessions allowed. By default, servers do not place limits on the
number of concurrent IMAP sessions.
After the number of sessions reaches the specified limit, the IMAP service rejects additional connection
attempts.
Note: You cannot use the NOTES.INI variable, IMAPMaxSessions, available in Domino 5.0.3, to limit the
number of IMAP sessions on a Domino Release 6, and more recent, server.
Specifying a default IMAP session timeout value: After a user opens a session with the IMAP service,
the service waits for commands from the mail client. If no commands are received, the session is
considered to be idle. Sessions that are idle for a long period may be the result of a user forgetting to log
out after completing their mail processing. Because servers must allocate memory for each IMAP session
and send periodic keep-alive messages to a client to maintain the connection, idle sessions represent a
waste of server resources.
You can limit how long the server continues to maintain client sessions that do not show any activity.
Specify the number of minutes that the IMAP service waits before disconnecting idle IMAP client
sessions. Many IMAP clients poll for new mail every 10 minutes, so it’s best to set the value to greater
than 10 minutes, because the overhead of supporting an idle session is less than the overhead required to
support clients logging in and opening mailboxes.
Note: You cannot use the NOTES.INI variable, IMAP_Session_Timeout, available in earlier versions of
Domino, to configure the IMAP session timeout on a Domino Release 6, and more recent, server.
Field Enter
Maximum number of The maximum number of concurrent IMAP client sessions the server allows. By default,
IMAP sessions no limit is imposed.
IMAP session timeout The time, in minutes, that the IMAP service continues to maintain an idle session. If
there is no client activity by the end of the specified time, Domino closes the session. By
default, servers drop idle sessions after 30 minutes.
Note: These settings apply to Domino Release 6 and more recent. To specify IMAP session limits on a
Domino Release 5 or earlier server, use the IMAPMaxSessions and IMAP_Session_Timeout settings in
the NOTES.INI file.
For more information on these settings, see the appendix ″NOTES.INI File.″
Note: When the mail conversion utility enables a mail file for IMAP use, it does not automatically add
IMAP summary attributes, which enable clients to download message headers more efficiently, to
messages that were already in the file before conversion occurred. To add IMAP summary attributes to
preexisting messages, rerun the conversion utility manually, using the -h option.
For information on adding IMAP summary attributes to messages in a user’s mail file, see the topic
″Using the conversion utility to add IMAP summary attributes to messages″ later in this chapter.
By default, the IMAP service is set to automatically enable mail files during login. When the default
setting is used, whenever a user logs in, the IMAP service checks the user’s mail file to see if it is
enabled. If a mail file is not currently enabled, the IMAP service provides a dedicated conversion thread
to enable it. This conversion thread continues to work on this one mail file until it completes the task. If
additional users require conversion services at the same time, the IMAP service provides an additional
conversion thread for each instance.
Each conversion can require several minutes to complete, with conversion times for users with slow
connections typically needing more time. Because the conversion threads are drawn from the same thread
pool responsible for servicing other IMAP requests, a high number of conversions can place a high
demand on the available IMAP resources. This can result in increased response times and service delays
not only for the those whose mail files require conversion, but for other users connecting to the service as
well. The likelihood of delay naturally increases if there are a large number of users accessing the server
for the first time.
To prevent service delays on busy servers where many mail files require conversion, consider disabling
automatic conversion during peak hours, particularly if users typically log in over a phone line or other
slow connection. If you disable automatic conversion, users whose mail files are not enabled for the
Domino Release 6, or more recent, IMAP service cannot access their mail files from an IMAP client and
receive the following error message after each login attempt:
The database has not been enabled for IMAP.
Field Enter
Enable IMAP during login Choose one:
v Enabled - (default) The IMAP service automatically converts mail files to Lotus
Domino Release 6 IMAP format the first time a user logs in from an IMAP client.
v Disabled - Administrators must manually convert mail files for IMAP use before
users can access mail from an IMAP client.
As with personal mail files, an IMAP client can access Public and other users’ mail files only if they
reside on the same server as the IMAP service. In addition, the IMAP service must be able to authenticate
the user from an entry in a configured directory on the server.
To configure namespace support on the server, enable NAMESPACE support so that IMAP users can
view other users’ and public mail files to which they’ve been granted access, and then do one or both of
the following:
v Configure IMAP public folders
v Configure IMAP other users’ folders
For information about enabling IMAP namespace support, see the topic ″Enabling the IMAP service to
automatically display all accessible mail folders″ later in this chapter.
For information about delegating access to a mail file, see Lotus Notes 7 Help, which is available from
the Documentation Library at the Lotus Developer Domain at http://www.lotus.com/ldd/doc.
Note: To provide IMAP users with access to other users’ mail files, you must use a Notes client or
Domino Web Access client to delegate mail file access. You can not delegate access by adding names to
the ACL of the mail file. To enable IMAP access to other users’ mail files, the Domino Administration
Process (AdminP) must process an IMAP delegation request, which is only generated in response to a
user setting delegation preferences from a Notes or IMAP mail client.
About IMAP namespaces: Typically, most users have a personal mail file to which they alone have
access. The IMAP service considers messages in a personal mail file to exist in a hierarchy known as the
personal namespace.
Other mail files for example, mail-in databases that are intended to be shared amongst users, do not exist
within a single user’s namespace at all, but are intended for public access. Messages in these mail files
exist only in the shared or public namespace.
Enabling the IMAP service to automatically display all accessible mail folders
The Domino IMAP service complies with RFC 2342, which defines a method by which the IMAP service
automatically presents a client with a list of all mail files to which the current user has access, including:
v The user’s personal mail file
v Other users’ personal mail files to which the user has been delegated access
v Public mail files, such as mail-in databases, to which the user has access, and which are set up as
IMAP public folders.
For information about delegating access to a mail file, see Lotus Notes 7 Help.
Note: To provide IMAP users with access to other users’ mail files, you must use a Notes client or
Domino Web Access client to delegate mail file access. It is not sufficient to add the names of users to the
ACL of the mail file.
Enabling clients that do not support the NAMESPACE extension to access shared folders: By default,
only IMAP clients that support the NAMESPACE extension can display mail files other than the user’s
personal mail file. However, you can configure the IMAP service so that it presents public and others
users’ folders even if the user’s IMAP client does not have built-in NAMESPACE support. Configured in
this way, the IMAP service always returns to the client the complete range of mail folders to which the
current user has access.
Field Enter
Public and other users’ Choose one:
folders support v Enabled - (default) In addition to presenting an IMAP client with the current user’s
mail folder, the IMAP service also presents any public folders and other users’ mail
files that the current user has access to.
v Disabled - The IMAP service does not present IMAP clients with public and other
users’ mail folders. The IMAP client can access the current user’s personal mail file
only.
The IMAP service does not automatically enable databases other than the user’s personal mail file for
IMAP use. To enable a mail-in database for IMAP use, run the mail conversion utility.
Users’ access to a shared database is defined by their entries in the database ACL. Before users can access
a public folder, an administrator must explicitly grant them access to the database by editing the ACL. If
the database ACL does not grant a user access to an IMAP public folder, when the user logs in from an
IMAP client, the client displays the folder, but does not display the folder Inbox.
To designate a Notes database as an IMAP public folder, copy its database link and paste it into the
Configuration Settings document.
Note: To be configured as a public folder, a database must be created from a Notes mail template. The
IMAP service does not support the use of NNTP or discussion databases as IMAP public folders.
Field Description
Public folder prefix The name of the virtual root folder Domino uses to organize the hierarchy of Notes mail
databases configured as IMAP public folders. When an IMAP client connects to the server
it displays the public folders available to the user as subfolders of this folder.
Unless you have a specific reason to change the folder prefix, accept the default name to
ensure IMAP clients can access public folders on the server.
Public folder database Database links for IMAP-enabled Notes mail databases you want to designate as IMAP
links public folders. Paste the database link copied in Step 2 into this field.
For example, insert the cursor in the field and click Edit - Paste. The Notes database
represented by the link is now designated as an IMAP public folder. Users with the
appropriate access privileges can open the database from an IMAP client.
The default configuration for the Other Users’ namespace on the server will support most installations. If
necessary you can customize the Other Users’ namespace on the server, by doing the following:
v Changing the default folder prefix
v Changing the default domain delimiter the IMAP service uses to display user mail file names
v Specifying IMAP users who can change other users’ unread marks
Changing the default folder prefix: To enable IMAP users to view other personal mail files to which
they have access, the IMAP service maintains a virtual list, or collection, of those mail files on the server
whose owners have granted access privileges to one or more secondary users. This collection of other
users’ mail files represents the hierarchy, in addition to a user’s own mail folders hierarchy and the
hierarchy of publicly-accessible mail files, in which a message may exist.
Specifying IMAP users who can change other users’ unread marks: By default, the only user allowed
to change unread marks in a mail file is the Notes user with primary access to the file. If a secondary
user accesses the mail file, any documents opened are marked as read for the secondary user, but not for
the primary user. This is similar to what happens in a discussion database, where multiple users can read
documents and each maintain their own set of unread marks.
Some organizations employ third-party messaging services that run in conjunction with the Domino
IMAP service to provide users with alternate means for accessing their mail files. For example, a unified
messaging service might connect to the IMAP service to access the Domino mail server, acting, in effect,
as an IMAP client. Users connecting to the third-party service can open, read, send, and forward mail. To
ensure that the unread marks in users’ mail files are properly maintained, the third-party service must
have the ability to change unread marks on the user’s behalf, as if it were the mail file owner.
To provide a third-party application with access to a mail file, at minimum, the mail file ACL must grant
the application Designer access.
Field Enter
Other users’ folder prefix The name of the virtual root folder which contains Notes mail databases whose owners
delegated access to other users. When an IMAP client connects to the server it displays
the other users’ folders to whom the user has access as subfolders of this folder.
Unless you have a specific reason to change the folder prefix, accept the default name to
ensure IMAP clients can access other users’ folders on the server.
Other users’ domain The character that Domino uses to separate the common name, organizational unit(s),
delimiter and organization name in a users’ Notes hierarchical names when displaying the user’s
mail file to an IMAP client as part of the Other users’ folder list. Default is forward
slash ( / ). For IMAP clients that cannot display hierarchical names that contain the
default separator character, specify a different character, for instance a dot (″.″) or pipe
character ( ″|″).
For example, if you enter the pipe character, Domino sends the mail folder of a user
named Jada Mendez/Sales/Acme to IMAP clients as Jada Mendez|Sales|Acme.
IMAP users who can The fully-qualified Notes names of users who are permitted to change the unread status
change other users’ of messages in other users’ mail files. You can also enter the name of a Notes group.
unread marks
The change takes effect after the next IMAP service update. You can restart the IMAP service to force
an immediate update to the IMAP service configuration.
7. To provide other another user with access to a personal mail file, instruct the mail file owner to
delegate access from a Notes client.
For information about delegating access to a mail file from a Notes client, see the topic ″Delegating
mail access″ if you have installed Lotus Notes 7 Help. Or, visit the Documentation Library in the
Lotus Developer Domain at http://www.lotus.com/ldd/doc to download or view Lotus Notes 7
Help.
Note: To provide IMAP users with access to other users’ mail files, you must use a Notes client or
Domino Web Access client to delegate mail file access. It is not sufficient to add the names of users to
the ACL of the mail file.
An IMAP session begins when a user at an IMAP client logs in to the Domino IMAP service. Domino
allocates each IMAP session its own session thread from the server’s main thread pool. This session
thread becomes the sole channel for all communications between the client and the IMAP service. When
the session ends, Domino returns the thread to the pool for use by another client.
A Domino server can interact with multiple clients simultaneously because it allocates a new thread to
service each client session. Clients connect to a port and exchange all input and output through that port.
Threads require memory and CPU time. The thread pool contains a limited number of physical threads,
but thread use is virtualized so that a single thread works on different tasks. Thus in a fraction of a
second, a single thread that is idled by one task as it waits for information, can switch to another task.
This allows Domino to maximize processor use and minimize memory.
By avoiding the need to create a new physical thread for each requested connection, Domino makes the
best use of available memory. However, a high number of IMAP sessions can place a strain on the server.
If clients experience slow response during times of peak usage, consider limiting the number of IMAP
sessions.
The internal IMAP thread pool: The Domino IMAP service provides an internal IMAP thread pool that
is independent of the thread pool that Domino uses to create client sessions. The default number of
available threads is based on the amount of physical memory the server has. The service has a minimum
of 50 threads available and a maximum of 400 threads. To ensure that the IMAP service continues to
function properly, it’s best to use the default thread pool settings and modify these settings only at the
direction of a qualified IBM support representative.
The IMAP thread pool consists of three types of worker threads as shown in the following table:
Available threads become active when the main session thread queues a request.
Field Description
Maximum number of IMAP The total number of threads available in the IMAP service’s thread pool, including
worker threads Login conversion threads for upgrading mail files to Domino Release 6 IMAP format;
FETCH threads for transmitting validated client requests to the Domino mail server;
and FETCH response threads for transmitting message data from the mail server in
response to client FETCH requests.
When a client connects, the IMAP service responds by sending the client the greeting that is associated
with the port the client uses to connect. On the Configuration Settings document, you can customize the
greetings that the IMAP service returns to clients connecting over each port.
The IMAP service checks for new settings at the specified update configuration interval. If you change
the greeting text, sessions that begin after the new configuration takes effect will receive the updated
greeting.
*OK Domino IMAP4 Server Release 6 ready Wed, 17 April 2002 17:57:13
-0400
IMAP SSL The greeting the By default the service sends a greeting that includes the server name, Notes
greeting IMAP service sends to release number, and the current date and time.
clients connecting
over SSL. For example:
*OK Domino IMAP4 Server Release 6 ready Wed, 17 April 2002 17:57:13
-0400
Note: To specify IMAP greetings for Domino Release 6, and more recent servers, you must use the
Configuration Settings document. However, you cannot use the Configuration Settings document to
specify service greetings for Domino Release 5 and earlier. To configure IMAP service greetings on earlier
Domino release, use the settings IMAPGreeting, IMAPRedirectSSLGreeting, and IMAPSSLGreeting in the
NOTES.INI file.
For more information on these settings, see the appendix ″NOTES.INI File.″
Note: By default, the Domino registration process generates a Notes ID file (and corresponding Notes
public encryption key in the Domino Directory) for each user in addition to creating the Person
documents and mail files required by an IMAP user. Because users who will access Domino from IMAP
clients only do not require a Notes ID, when registering these users, deselect the option to ″Create a
Notes ID for this person.″ However, if a new IMAP user also requires access to Domino from a Notes
client, Domino Administrator client, or Domino Designer client, be sure to enable creation of an ID file.
For more information on using the Domino registration process, see the chapter ″Setting Up and
Managing Notes Users.″
The following procedure specifies the Person document settings required for IMAP users and explains
how to create a Person document manually.
Field Enter
First name The login name a client uses to authenticate with the IMAP server must be unique in
the Domino Directory.
Last name
Depending on the level of Internet access security established for the server (Server
User name document - Security tab), the login name or user name configured on the IMAP client
must match an entry in one of these fields. Entries in the User name field are always
accepted as the login name. If Internet authentication is set to allow ″More name
variations with lower security″ entries in the First name and Last name fields may also
be accepted as login names.
Internet password The password that the user enters to access the Domino server from the IMAP client.
IMAP users must have an Internet password that complies with your organization’s
password quality requirements.
Mail system Choose IMAP if the user does not require Notes client access.
Domain The name of the Notes domain to which the server belongs.
Mail server The name of the IMAP user’s Domino mail server.
Mail file The path for the user’s mail file, relative to the Domino data directory -- for example,
MAIL\AJONES.
Forwarding address Leave this blank for users who access mail files on the Domino server from an IMAP
client.
Internet address The Internet address at which the user can receive mail within your organization. This
address must match the Internet address specified in the IMAP client.
Format preference for Choose one:
incoming mail v Keep in sender’s format - (default) The mail file may contain messages in either Notes
rich text or MIME format. When delivering messages to the mail file, the local Router
preserves the current message format. Thus messages received at the server in MIME
format are stored in the mail file in MIME format, and messages received at the
server in Notes rich text format are in Notes rich text format. When an IMAP client
requests a message that is stored in Notes rich text format, the IMAP service must
convert the message to MIME before sending it to the client. Because the stored
message remains in Notes rich text format, each time an IMAP client requests the
message, the IMAP service must perform the conversion.
v Prefers MIME - The mail file stores messages in MIME format only. Choose this
option for users who access mail exclusively from an IMAP client. Since IMAP clients
require messages in MIME format, storing mail in MIME format ensures the best
performance for IMAP users, eliminating the need for the IMAP service to convert
messages before passing them to the client. In addition, using MIME storage allows
the Router to add special IMAP attributes to the messages it delivers.
v Prefers Notes Rich Text - The mail file stores messages in Notes format only. The
Router converts messages received as MIME into Notes rich text before delivery. In
addition, the IMAP task must convert messages to MIME format when sending them
to an IMAP client. To ensure the best performance, do not choose this option for
users who access their Domino mail file primarily from an IMAP client.
For more information about password quality requirements, refer to the chapter ″Protecting and
Managing IDs.″
5. Complete the procedure ″Creating a mail file for an IMAP user.″
If a user does not have an existing mail file on a Domino server, create a new mail one as described in
the following procedure.
Field Enter
Server The Domino mail server that stores the user’s mail file.
Title The name of the client’s mail file -- for example, Alan Jones’ Mail.
File name The full path to the mail file, relative to the Domino data directory -- for example,
MAIL\AJONES.NSF.
4. From the list of template names, select Mail (R6) with the filename MAIL6.NTF, and click OK.
5. After Domino creates and opens the mail file, determine what level of access is appropriate for both
the user and you, as the administrator. Then, edit the Access Control List (ACL) as follows:
a. Choose File - Database - Access Control.
b. From the Access Control List dialog box, create an ACL entry for the user by clicking Add and
then selecting the user’s name from the Domino Directory.
c. Set the user type to Person and select the level of access. Users require at least Editor with Delete
document access.
d. (Optional) Select your name from the ACL and click Remove. As the administrator, you can
choose to retain Manager access, particularly for users who do not have Notes client access.
e. Click OK to save the entry and close the ACL.
6. Complete the procedure ″Preparing a mail file for IMAP access.″
The IMAP service does not rely on template views to store IMAP folder and message data; you can
enable mail files created from any mail template.
For users with multiple mail file replicas -- for example, users with mail files on clustered servers -- you
must independently enable each replica for IMAP access. Because Domino does not replicate IMAP
database items between databases, by default, when you create a new replica of an IMAP-enabled mail
file, it is not enabled for IMAP use.
Differences when viewing mail files from IMAP clients and Notes client: Some aspects of a mail file
are structured in template items that are visible only to a Notes client, and as such are not available to
IMAP clients. As a result, IMAP clients display certain folders and views in a mail file differently from
Notes clients. For instance, from an IMAP client, the Inbox and Trash folders, and any public folders,
appear as IMAP mailboxes. Also, hidden and private folders are not visible to IMAP clients. And finally,
IMAP clients do not display views that are part of the Notes mail file template, such as the Draft and
Sent view.
The Domino IMAP service does not support renaming of the Inbox folder in a Notes mail file from an
IMAP client.
For users who access their mail files from both an IMAP client and a Notes client, Domino synchronizes
unread message marks between the two. Thus, a message marked as read in Notes is also marked as
read for an IMAP client, and vice versa.
IMAP clients cannot read messages that use Notes encryption. IMAP clients do not have access to the
Notes private key needed to decrypt messages encrypted with a user’s Notes public key certificate. As a
result, when a user opens an encrypted Notes message from an IMAP client, only the unencrypted
header information is available. The server replaces the blank message body with the following text:
[Portions of this MIME document are encrypted with a Notes certificate and cannot be read.]
Running Compact to update the ODS version of a mail file: To be enabled for IMAP, a mail file must
use the Domino Release 5 or later file format, Notes ODS (on-disk structure) version 41 or greater. If a
mail file is at a previous ODS version, you must run Compact on it to update the ODS version. It is not
necessary to run Compact to enable newly mail files that are based on either the MAIL6.NTF or
MAIL50.NTF mail templates.
The ODS version of a mail file database is listed on the Info tab of the Database properties dialog box.
For information on how to determine the file format of a database, see the chapter ″Improving Database
Performance.″
To run Compact using a console command: Compacting converts Release 4 databases to the Lotus Domino 6
file format or ODS 43.
Note: You can also enter Step 4 directly at the console on a server.
After you run compact on the mail file, continue preparing the file for IMAP users by running Fixup.
Running Fixup to prepare a mail file for IMAP use: You do not need to run Fixup on newly created
mail files that are based on a Lotus Domino Release 5 or later mail template.
After you run Compact on a user’s mail file to ensure that it uses the correct file format, run the Fixup
task on the mail file.
Because the Fixup task requires exclusive access to the mail file database, you must shut down the server
before running Fixup.
To run Fixup:
1. Shut down the server.
2. From the Windows NT command prompt, change to the Domino program directory. For example, if
you installed Domino in the default location, enter:
cd c:\lotus\domino
3. To run Fixup on a specific mail file, enter:
nFixup path\mailfile
where path is the database path relative to the Domino data directory and mailfile is the name of the
mail file database. For example, to run Fixup on the mail file database USER.NSF in the DATA\MAIL
folder, enter:
nFixup mail\user.nsf
Note: If transaction logging is enabled on the server, run Fixup with the -j switch, for example:
nFixup -j mail\user.nsf
Running the mail conversion utility to enable a mail file for IMAP:
Note: If you used the Domino registration process to add a user account, and set the user’s mail system
type to IMAP, Domino automatically enables the mail file for IMAP use.
After you run Fixup on the mail file, run the mail conversion utility (the Convert task) to enable
IMAP-specific features in the mail file. The conversion utility sets an option bit in the database indicating
that this database is IMAP enabled. After you enable a mail file for which the format preference is set to
MIME, the Router automatically adds special IMAP attributes to new messages delivered to the database.
These attributes provide IMAP clients with summary information which enables them to download
For users with multiple mail file replicas -- for example, users with mail files on clustered servers -- you
must independently enable each replica for IMAP access. Because Domino does not replicate IMAP
database items between databases, by default, when you create a new replica of an IMAP-enabled mail
file, it is not enabled for IMAP use.
After the conversion utility enables a mail file for IMAP, the following information is added to the
bottom of the Information tab of the mail file’s Database Properties dialog box:
Database is IMAP enabled
Deciding whether to convert mail files manually or automatically: By default, when a user connects to the
IMAP service, the service checks whether the user’s mail file is currently enabled for IMAP. If the mail
file is not already enabled, the IMAP service automatically launches the conversion utility to format it for
use with IMAP. To prevent conversions from occurring during login, change the default configuration by
disabling automatic conversion.
For information on enabling and disabling automatic conversion, see the topic ″Setting the IMAP service
to automatically enable mail files at login″ earlier in this chapter.
Although the IMAP service can automatically convert mail files, consider manually converting them
before users first log in to the IMAP server to ensure that mail files are properly converted. By
performing conversions ahead of time, you can ensure that users are not confronted with conversion
errors that they are unable to recover from. For example, because the conversion utility requires that a
mail file be at least at ODS version 41, for mail files that use an earlier ODS version you must run
Compact before converting the mail file; using automatic conversion would fail. Similarly, in databases
where some type of internal corruption has occurred (for example, an invalid note, or corrupt meta data),
you must run Fixup against the mail file before running the conversion utility.
You might also choose to run the conversion utility manually if many of your first-time IMAP users
access the server over slow modem connections, particularly if a large proportion of them would be
logging in at the same time. The reason for this is related to the way the IMAP service allocates threads
to perform automatic conversions. The IMAP service dedicates a single conversion thread for each
conversion and it draws this conversion thread from the same thread pool that provides the threads
responsible for servicing other IMAP client requests, such as logging in users or retrieving messages.
Because mail file conversions can require a significant amount of time, with conversion times increasing
as connection speeds decrease, a conversion thread typically remains busy longer than other thread types.
As a result, an IMAP service flooded with conversion requests can experience a thread shortage. This
shortage affects not only the users awaiting conversion, but current IMAP users, too, who encounter
unexpected delays attempting to log in and retrieve messages. When the conversion utility is run
manually on the mail server, the operation completes in a very short time, even if the mail file is
relatively large.
Finally, you must run conversions manually to enable mail files in the other users’ and public folders
namespaces. Automatic mail file conversion can occur only for the personal mail file of the currently
authenticated user.
To manually convert mail files for use with IMAP: You can run the mail conversion utility on a single mail
file or on all mail files in a directory.
1. At the server console of the Domino server on which you want to enable mail files, shut down the
Router by entering:
tell router quit
Note: On UNIX systems, use a forward slash (/) as the hierarchy separator, rather than a backslash
(\). For example, enter:
load convert -e mail/user.nsf
To specify all files in a directory, make sure the directory contains only mail files and that they are the
mail files you want to convert. For example, to enable IMAP for all mail files in the \MAIL
subdirectory, enter:
load convert -e mail\*.nsf
3. After you finish enabling mail files for IMAP on this server, load the Router by entering:
load router
4. Configure IMAP client software.
For information on configuring IMAP client software, see the topic ″Configuring IMAP client
software″ later in this chapter.
For information about disabling IMAP access to a mail file, see the topic ″Disabling an IMAP mail
file″ later in this chapter.
Option Use
-e Enables mail files for IMAP use.
-h To enable clients to download message headers more efficiently, the Convert task processes
all messages in the mail file in the order in which they are listed in the mail file’s ″All
Documents″ view and adds the special IMAP attributes ($Content_Type, IMAP_BodyStruct,
and IMAP_RFC822Size) to messages that don’t have them.
Because the Convert task is single-threaded, and this option requires the Convert task to
process every message in the mail file, it is resource-intensive and can take a long time,
especially for mail files where messages must also be converted from Notes rich text to
MIME format.
How the conversion utility handles unread marks: In previous versions of Notes and Domino, mail
files maintained separate sets of unread marks for IMAP clients and Notes clients, with IMAP-enabled
mail files relying on special template views to indicate that a message was read. With the introduction of
native IMAP in Domino Release 6, a mail file enabled for IMAP displays a consistent set of unread marks
to the IMAP and Notes clients opening the file.
Preserving folder references during upgrade of IMAP mail files: In earlier releases of Domino, the
IMAP service used hidden folder reference views in the mail template to retrieve IMAP folder and
message data. By contrast, the Domino Release 6 IMAP service doesn’t use folder references. Instead, it
enables native storage of IMAP folder and message attributes in the mail file, thus eliminating the need
for hidden views in the mail template.
By default, when you convert mail files to Lotus Domino 6 IMAP format, the conversion utility disables
folder references in the mail file. In most environments, use the default and disable folder references to
ensure the best performance.
If your environment uses Domino applications that rely on folder references in user mail files to gather
information, you may need to preserve folder references. To preserve folder references during conversion,
you can set the variable IMAP_CONVERT_NODISABLE_FOLDER_REFS in a server’s NOTES.INI file.
When this variable is set, folder references are preserved during all mail file conversions, whether
performed manually from the server console, or automatically as the result of an IMAP user logging in to
the IMAP service for the first time.
Immediately following conversion, the folder and message information stored in the folder references
matches the information stored in the mail file’s IMAP attributes. However, because Domino does not
continue to update folder references after the initial conversion, over time, as a user receives, moves, and
sends messages, folder reference information will no longer be synchronized with the information stored
in the mail file attributes.
Using the conversion utility to add IMAP summary attributes to messages: The IMAP service uses
special IMAP summary attributes ($Content_Type, IMAP_BodyStruct, and IMAP_RFC822Size) in
messages to facilitate the process of sending message headers in response to client requests. After you
convert a mail file for IMAP use, for users who receive messages in MIME format, the Router
automatically adds these items to new messages it delivers.
However, these items might not be added to all messages in a mail file. Messages delivered in Notes rich
text format do not contain the items. And Domino does not automatically add these items to messages
delivered before conversion occurred.
Although an IMAP client can read messages that do not contain IMAP summary attributes, the client
must first download each message in its entirety before it can display headers. To enable faster header
fetching, run the mail conversion utility with the -h switch to add IMAP summary attributes to messages
that don’t have them.
Updating IMAP attributes following mail file changes: Changing a message that contains the
IMAP_RFC822Size attribute, might affect a user’s ability to access the message. When the size value of
the IMAP attribute no longer matches the actual message size, IMAP clients might have difficulty
downloading the message. If the actual message size is larger than the size indicated by the attribute, the
IMAP client might not download the entire message. If the actual size is smaller than the size indicated
by the attribute, the IMAP client can hang as it attempts to download the remaining expected message
data.
Message size might change inadvertently as a consequence of an agent running after a message is
delivered or of changes to certain server configuration options, such as the settings governing outbound
MIME conversion options. Although the outbound MIME conversion options apply primarily to
messages sent outbound over SMTP, they also affect any message exported from the server, including
messages retrieved by the IMAP service for sending to a client. For example, if you change the setting for
To prevent changes to the server configuration from contributing to download errors, update IMAP
attributes to reflect the new settings. To update IMAP message attributes and refresh the mail file’s MIME
directory, you must remove the existing attributes and then add them again. Because IMAP clients cache
header information, users must also recreate their IMAP accounts to download messages successfully.
Note: A similar problem occurs for IMAP users whose Person documents specify Notes rich text as the
mail storage preference. In this case, the Router does not add IMAP attributes to messages delivered to
mail files, but the IMAP client still caches size information. When you modify the server’s configuration,
for example, by setting the server to export message content as HTML rather than plain text when
converting messages to MIME, this changes message size. Because the client expects the size of existing
messages to match their cached size, user can no longer retrieve these existing messages from an IMAP
client. To remove the header information cached by the IMAP client, the user must recreate the IMAP
account.
Note: On UNIX systems, use a forward slash (/) as the hierarchy separator, rather than a backslash
(\). For example, enter:
load convert -h mail/user.nsf
To specify all files in a directory, make sure the directory only contains mail files and that they are the
mail files you want to convert. For example, to add IMAP attributes to all mail files in the \MAIL
subdirectory, enter:
load convert -h mail\*.nsf
CAUTION:
When the conversion utility is run with the -h option, the conversion operation can take a long
time to complete. The exact time depends on server processing speed and memory, as well as on
the size and composition of the mail file. To ensure that you can complete conversions in the
available time, run a test with a single mail file before using a wildcard to run multiple
conversions.
3. After you finish enabling mail files for IMAP on this server, load the Router by entering:
load router
If you are unable to repair the mail file, contact Lotus Support Services for assistance.
Running Fixup to repair a corrupted IMAP mail file: To repair a corrupted IMAP mail file, the Fixup
task requires exclusive access to the mail file database. Before running Fixup, you must shut down the
server. After the server is shut down, run Fixup as described below:
To run Fixup:
1. From a command prompt, change to the Domino program directory. For example, if you installed
Domino in the default location, enter:
cd c:\lotus\domino
2. To run Fixup on a specific mail file in the MAIL directory, enter:
nFixup path\mail file
where path is the database path relative to the Domino Data directory. For example, to run Fixup on
the database USER.NSF in the DATA\MAIL folder, enter:
nFixup mail\user.nsf
Note: If transaction logging is on, run Fixup with the -j switch, for example:
nFixup -j mail\user.nsf
Disabling an IMAP mail file: If you need to disable IMAP-specific features in a mail file, run the mail
conversion utility with the -e- option file. The example below removes the IMAP capability of the mail
database USER.NSF in the \MAIL subdirectory of the Notes data directory:
load convert -e- mail\user.nsf
Note: On UNIX systems, use a forward slash (/) as the hierarchy separator, rather than a backslash (\).
For example, enter:
load convert -e- mail/user.nsf
Re-enabling a mail file for IMAP: After disabling the mail file as described in the preceding section,
you can re-enable it. For more information on enabling a mail file, see the topic ″Running the mail
conversion utility to enable a mail file for IMAP″ earlier in this chapter.
IMAP clients display Notes folders as IMAP mailboxes. When users receive or delete documents in an
IMAP mailbox, the changes also occur in the Notes folder, and vice versa.
Users can access their mail files from both an IMAP client and the Notes mail client. Domino IMAP
clients can send mail to other Notes users and to IMAP and POP3 clients on the Domino mail system or
other mail systems.
For a complete list of IMAP clients and for more information on IMAP, visit the Web site
http://www.imap.org.
The specifics of configuring IMAP client software differ for each product. This table presents some
general requirements.
For more information on determining the login names that a server will accept, see the chapter ″Setting
Up Name-and-Password and Anonymous Access to Domino Servers.″
Syntax Example
INBOX-PATH {fully qualified domain name of IMAP INBOX-PATH {East.Acme.com}INBOX
server}INBOX
Folder collections {fully qualified domain name of IMAP Folder collections {East.Acme.com}
server}
While users simply need a name and Internet password to log on and use Domino Web Access, a Notes
ID is required if a user wants to work offline. Be sure to create a Notes ID for each user when registering
new users with the Domino Web Access template.
Security
Domino Web Access requires user log-on and logout security. When a user logs onto Domino Web
Access, they must enter their name and Internet password, as specified in their Person document. The
login names that the server accepts as valid depend on the setting in the ″Internet authentication″ field
on the Security tab of the Server document.
When the user logs out, Domino Web Access closes the browser and removes the user’s log-on
credentials and private data from the browser’s cache. By deleting this data, Domino Web Access
prevents an unauthorized user from using cached information to access the user’s mail file. In Internet
Explorer, you can use Browser Cache Management to improve the client side performance and security of
Domino Web Access sessions by controlling which entries are stored in the cache and which are removed
when the Domino Web Access session ends. The removal of private data from the browser’s cache and
more secure data clearing capabilities are available only if the user accepts the Domino Web Access
control.
Domino Web Access will not remove some personal data unless the user explicitly selects ″Logout for
Shared PCs or Kiosk Users.″ With this selection, users can choose one of two secure logouts:
v Secure - This option deletes all traces of the user’s personal use of Domino Web Access and any Web
pages that they may have browsed, but keeps Domino Web Access program elements (this boosts
performance when the next person logs on).
v More secure - This option deletes all traces of Domino Web Access and all other Web pages in the
temporary Internet files folder.
You can also redirect users to a specific Web page after they logout.
867
enables users to work offline, disconnected from the network, and provides many replication features that
Notes users expect when working in the Notes client. Sametime provides integrated, real-time chat
features for Domino Web Access users. Neither DOLS nor Sametime are required for Domino Web Access
use.
Follow the instructions for registering new users, and keep the following information in mind:
v The mail system, ″Domino Web Access,″ does not automatically create a Notes ID for the person. You
must select ″Create a Notes ID for this person.″
v When deploying Domino Web Access to a large number of users, make any hierarchical or name
changes before registering new users.
v To enable the mail usage indicator for users, set a mail quota.
Follow the instructions for registering new users, and make sure to check the following options on the
Mail tab, visible when using Advanced registration:
v Set database quota -- Click to enable, and then specify a size limit (maximum of 10GB) for a user’s
mail database.
v Set warning threshold -- Click to generate a warning when the user’s mail database reaches a certain
size, and then enter the warning size (maximum of 10GB).
Note: If you are using Policies, set these options in the Registration Policy Settings document.
The default URL displays the Welcome Page. However, you can give users a URL that will initially
display other views. Appending the following text to the URL with a specific keyword (see following
table) will cause Domino Web Access to initially display a different view:
.../username.nsf/inotes/keyword/?OpenDocument&ui=inotes
An individual Domino Web Access portal view is limited to one of the following:
v Inbox
v Calendar
v To Do List
v Notebook
v Contact List
The URL syntax for a Domino Web Access portal showing just the mail Inbox is, for example:
.../username.nsf/inotes/mail/?OpenDocument&ui=portal
To place all of Domino Web Access within a portal page, use the normal Domino Web Access URL
without the &ui=portal parameter.
Note: See the NOTES.INI setting iNotes_WA_PortalOffline for information on including offline and local
archive options in a portal.
If SSL connection is required for either the client or both the client and server, Domino Web Access users
cannot read or send encrypted messages when connected via HTTP. If the user is connected via HTTP,
they must switch to HTTPS when accessing the encrypted message on the server. This switch occurs
automatically when sending encrypted mail. The user will be prompted to switch when reading
encrypted mail.
S/MIME is supported in Domino Web Access. Users can verify an S/MIME signature on a received
message. Users who have an X.509 certificate in their mail file-based Notes ID can decrypt received
S/MIME messages as well as S/MIME sign messages they send. Outgoing messages can be S/MIME
encrypted for recipients who have an X.509 certificate in the Domino Directory or in Domino Web Access
contacts. Note that for an X.509 certificate to be used by Domino Web Access, an Internet cross-certificate
must be issued from the user’s organizational certifier to the certificate authority that issued the X.509
certificate. This Internet cross-certificate must be present in the Domino Directory.
When both Notes and S/MIME sign and encryption are possible, Domino Web Access uses S/MIME sign
and encryption by default. This could cause problems in a mixed environment that includes both Domino
7 and pre-Domino 7 servers. Pre-Domino 7 servers do not support S/MIME, so messages sent S/MIME
signed and encrypted could not be verified or decrypted. Use the NOTES.INI setting
iNotes_wa_SecMailPreferNotes to turn on Notes sign and encryption when both S/MIME and Notes sign
and encryption are possible. This setting is not supported offline.
On Windows, create a realm document to map your Domino data directory, for example c:\domino\data
(or wherever your Domino data directory is located), to return a realm of ″/″.
On UNIX, create a realm document that specifies a Domino data directory of /local/domino_data (or
wherever your Domino directory is located).
For example, you may want to add choices to the list of Web sites that can be displayed in the Welcome
Page. To do this, you modify the Custom_WelcomePage form. There are two arrays that can be modified.
One array is for the title of the web site, the other array is for the URL of the web site. The template uses
JavaScript, so it is possible to ″calculate″ a web site, for example, one based on the user’s name or current
mail database. You can write code in the Scene_PreSubmit function (inside the Custom_JS form) to
validate the new field. Note that the Welcome Page in this example uses the monthly calendar view.
var gWelcomePageChoices = {
titles:[
"Yellow Pages"
,"CNN"
,"IBM"
,"My monthly calendar"
],
urls:[
"http://www.superpages.com/"
,"http://www.cnn.com/"
,"http://www.ibm.com/"
, "../../inotes/calendar/?opendocument&ui=portal&presetfields=s_CalView;M"
]
};
Note: If you modify the default CalendarProfile values, the new values affect only new user registrations.
Default values for existing users are not changed.
When determining which forms to customize using Domino Web Access agents, keep in mind how often
the form is used. Design your agents to run only on the specific page you want to act on. An agent that
acts on a form or subform that runs constantly may impact performance adversely.
Example
To add QueryOpen and QuerySave agents to the Memo, Reply, and Reply with History forms, open
FORMS7.NSF and add $$QueryOpenAgent and $$QuerySaveAgent NOTESVARS to the
s_mailMemoDictionary subform. Using the names testopen and testsave, for example, the edited subform
would look like this:
<NotesDictionary><NOTESFIELD NAME={MailOptions}>
<NOTESFIELD NAME={Form}>
<notesvar name="CalendarOwner"
Initialvalue={@Name([Canonicalize];@DbCommand("Haiku";
"h_GetProfileField"; "calendarprofile"; "Owner"))}>
.
.
.
<NOTESVAR NAME={$$QueryOpenAgent} VALUE={’(testopen)’}>
<NOTESVAR NAME={$$QuerySaveAgent} VALUE={’(testsave)’}>
</NotesDictionary>
For information about creating and using Web agents, see the section on Programming Domino for Web
Applications in the Domino Designer help. If you have not installed Lotus Domino Designer 7 Help, go
to http://www.lotus.com/ldd/doc to download or view Designer Help.
Setting Action
Welcome Page Setup
Default Welcome Page Click View/Modify to set Welcome Page settings.
v Default Page -- Lets users customize the Welcome Page.
v Selected Web Page -- Forces users to use a specific Web page
as the Welcome page. Enter the URL and title.
v Custom Layout -- Choose from six custom layouts to specify
new mail, calendar schedule, Web links, and other options
to appear in a layout.
Allow user to edit the Welcome page Enable (default) to allow users to create custom Welcome
pages and override any settings on the server.
CN=John Doe/O=Acme
1 -- Deletes all URLs that begin with the mail file path.
2 -- Deletes all URLs in the cache that originate from the server
hostname, except for URLs that contain /iNotes/Forms7.nsf,
the current forms file (or /iNotes/Forms6.nsf).
3 -- Deletes all URLs in the cache that originate from the server
hostname.
4 -- Deletes all URL s in the cache except for URLs that contain
/iNotes/Forms7.nsf, the current forms file (or
/iNotes/Forms6.nsf).
Note: The Instant Messaging settings and the Local Archiving setting (under Other Settings) on this tab
in the Configuration Settings document apply to users whose mail file is based on the DWA7 mail
template. In a mixed environment, for users whose mail file is based on iNotes6, you must use the
equivalent NOTES.INI settings. For information on those settings, see the topic Using NOTES.INI settings
in a mixed environment.
To add a disclaimer to an e-mail message, edit the mail server’s Configuration Settings document and
complete the fields under Disclaimer Text.
You can set the cache scrubbing level to remove all cache entries or only those related to the user’s mail
database. Browser Cache Management improves client side performance, for example, by archiving static
design elements of Domino Web Access locally, and then restoring them to the cache the next time the
browser is accessed. This is particularly useful when Domino Web Access is accessed via a lower
bandwidth connection.
Setting up Browser Cache Management: You set up Browser Cache Management in the Domino Web
Access server’s Configuration Settings document. Once you have enabled this feature, you can choose
whether to install it on Domino Web Access clients automatically, or to give users the option of installing
it. If you install it automatically, the first time a user accesses Domino Web Access, a Browser Cache
Management system confirmation displays, prompting the user to close all browser windows for Browser
Cache Management to take effect.
If you enable Browser Cache Management but do not install it automatically, users can install (and
uninstall) it using a Domino Web Access preference (Preferences - Logout). If you have not enabled
878 Lotus Domino Administrator 7 Help
Browser Cache Management, this preference is not visible. As an additional security measure, you can
prevent users who have not installed Browser Cache Management from adding or accessing e-mail
attachments.
Once the Browser Cache Management feature has been installed on a user’s system, the cache cleanup
occurs based on the cache scrubbing level set in the server’s Configuration Settings document. The user
cannot change this. However, if it has not been installed, users can manually clear the cache at logout by
clearing the history, and selecting one of these logout options:
v Secure -- deletes all entries in the cache except Domino Web Access design elements, which are
archived locally when the last instance of Internet Explorer is closed, and restored back into the
browser cache when the next instance of Internet Explorer is opened.
v More Secure -- deletes all entries in the cache.
By default, Domino Web Access allows users to view alternate names but not in any language other than
English. You can change Domino Web Access to allow users to send and view alternate names in their
own native language.
Note: Before a user can use an alternate name for a primary name, you must register and certify the
alternate name.
To allow users to display alternate names in the language of their choice: Complete this procedure so
that the ″Display alternate names″ option appears in the Domino Web Access Basic Preferences. Users
will be able to display alternate names in the language of their choice.
1. From the Domino Administrator, click the Configuration tab and expand the Messaging section.
2. Click Configurations.
3. Select the Configuration Settings document for the Domino Web Access mail server(s) and click Edit
Configuration.
4. Select the Domino Web Access tab.
5. Under Mail, enable ″Name resolution and validation.″
6. Under International, enable ″Alternate name support.″
7. Under International, enable ″Allow user to choose the alternate name display.″
8. Save the document and restart the Domino server.
To allow users to view alternate names in the languages set by the server: Complete this procedure so
that the ″Display alternate names″ option appears in the Domino Web Access Basic Preferences. Users
will be able to display alternate names in the languages set by you on the server.
1. Perform steps 1 through 6 in the preceding procedure.
2. Disable ″Allow user to choose alternate name display.″
3. In the field ″Preferred Alternate name languages,″ choose languages from the list.
4. Save the document and restart the Domino server.
You can enable this feature globally, which enforces it for all users. If you do not enable it globally, end
users can still enable it on an individual basis by setting a Domino Web Access preference.
To enable reuse child windows globally, edit the mail server’s Configuration Settings document and check
″Reuse Child Windows″ under Other Settings.
To disable reuse child windows globally so that the end user preference ″Reuse child windows″ does not
appear in the client preferences, use the NOTES.INI setting iNotes_WA_DisableReuseChildWindows=1.
Using Domino Web Access Redirect to access mail in Domino Web Access
Domino Web Access users can access their mail files using Domino Web Access Redirect. With Domino
Web Access Redirect, users do not need to know the name of their mail file and mail server, they need
only know the name of the Domino Web Access Redirect server. Domino Web Access Redirect uses
Domino authentication methods to redirect a user’s browser to their mail file based on their user name
and password.
During setup, you can enforce SSL security for anyone using DWA Redirect to open their mail file in one
of two ways. You can enforce SSL for the entire session, or enforce SSL only for authentication, after
which the user is switched back to non-SSL. You can change the SSL port number, if it is not the default
443.
Setting up Domino Web Access Redirect: The Domino Web Access Redirect template (IWAREDIR.NTF)
is in the Domino data directory. To set up Domino Web Access Redirect:
1. Create a database from the IWAREDIR.NTF template.
2. In the Notes client, open the database that you created.
3. Click Setup and follow the prompts to set up Domino Web Access Redirect.
Note: If you select ″MailServer″ as the Redirection Type under Server Settings, the common name of the
Domino mail server must be the same as its fully-qualified TCP/IP domain name. For example, if the
mail server field in the Person document is set to serverA/domainA, the server’s TCP/IP fully-qualified
domain name must be serverA.lotus.com.
Using Domino Web Access Redirect with portal views: If you have enabled Personal Options for users
to display Domino Web Access in portal views, you should also use the following NOTES.INI variables
so that the Logout and the Offline buttons display in portal views. Also note that offline is required for
local archiving in portals.
iNotes_WA_PortalLogout=1
iNotes_WA_PortalOffline=1
Using Domino Web Access Redirect: To use the Domino Web Access Redirect:
1. Launch the browser.
2. Enter the URL of the Domino Web Access Redirect server (for example server.acme.com).
3. When prompted, enter your user name and password.
Using the new DWALoginForm: To use the new DWALoginForm, you must have created a Domino
Web Server Configuration database.
1. Open the Domino Web Server Configuration database (DOMCFG.NSF).
2. Click Add Mapping.
3. Change the Target Database to your Domino Web Access Redirect database.
Note: This field will not display unless you perform step 2.
For information on how to enable this feature see Collecting detailed information from user calendars.
In the Server or Web Site document, set these settings higher than the Domino Web Access ″Maximum
attachment size″ field:
v In the Server document -- Internet Protocols - HTTP - Maximum Size of Request
v In the Server or Web Site document -- Internet Protocols - Domino Web Engine - Maximum Post data
Taking the directory catalog rather than the Domino directory offline improves performance and saves
space on the user’s disk drive.
The Active Content Filter is intended to remove potentially harmful active content (JavaScript, Java,
ActiveX) from HTML in mail messages prior to display in a browser. Active content filtering can reduce
server performance because it requires a full parse of HTML content and a rewrite of the content.
iNotes_WA_LogoutScrubType=value
For instance:
iNotes_WA_LogoutRedirect=http://www.ibm.com
After compression, Domino Web Access generated pages are cached in the web server’s page cache,
which also improves server performance.
iNotes_wa_GZIP_Disable: Use this setting to turn compression on and off. The default is 0 (on). For
example to turn off compression:
iNotes_wa_GZIP_Disable=1
iNotes_wa_GZIP_Content_Types_Included: Use this setting to define which types of content you want
to compress. The default is:
"text/*;application/*"
Note: You can also disable GZIP compression using the ″Compress HTTP response data″ setting on the
Domino Web Access tab of the Configuration Settings document.
Although you cannot use these NOTES.INI settings for Domino 7, they have not been removed, and are
still valid for users who have the iNotes6 mail template. In a mixed environment with both iNotes6 and
DWA7 users, the NOTES.INI setting will apply to iNotes6 users, but the corresponding Configuration
Settings will override these NOTES.INI settings for DWA7 users.
For information on these NOTES.INI settings, see the Domino 6.5 Administrator help, available on on
www.Lotus.com/ldd/doc.
Domino Access for Microsoft Outlook (DAMO) includes out of office and change password features, and
the ability to import and export Internet certificates. Users can set Domino Preferences including mail file
preferences, setting up free time and busy hours, autoprocessing, and customizing replication settings.
Replication synchronizes the Outlook client with Domino so that the Outlook .PST file is identical to the
If more than one person shares a single workstation, they can share a DAMO installation, by using the
multi-user installation option. In a multi-user installation, each individual user can have a private folder
hierarchy as their data directory (for example, C:\Documents and Settings\<user>\DAMO_Data). This
provides a certain level of privacy. However, for security users also need to assign a password to their
local mail database (*.PST file), because with DAMO, all files are local on the workstation. (Typically, in
both a standard Notes environment and a standard Outlook environment, this is not necessary because
the mail database is on the server, and the server controls access.)
Note: Microsoft Outlook 2000, Outlook XP, and Outlook 2003 each have a different method of assigning a
password to the local data file. Users should refer to the on-line help for their release of Outlook.
Before installing Domino access for Microsoft Outlook, you must set up users for installation.
If you are upgrading from 6.5.x to 7.0, see the topic Upgrading Domino Access for Microsoft Outlook
from 6.5.x to 7.0.
End users must have Microsoft Outlook 2000, 2003, or XP installed on their systems. The Microsoft
Outlook client must be a Corporate or Workgroup client. Users can install Domino Access for Microsoft
Outlook using a standard Windows MSI installer. The setup program used during installation is similar
to the setup that is used for the Notes client. It prompts the user for a minimum amount of information
and, based on this information, sets up the Location documents, Connection documents, and NOTES.INI
settings needed for Outlook to access the server.
End users need the following information to install Microsoft Outlook for Domino Access:
v The name of their mail server and domain for their mail database
v Their Notes user name and password
v Information regarding their Internet certificate (if applicable)
v A copy of the installation instructions
To register DAMO clients, follow the instructions for registering new users keeping the following
information in mind:
v A Notes ID is not automatically created during registration. You must select ″Create a Notes ID for this
person.″
v When deploying Domino Access for Microsoft Outlook to a large number of users, it is recommended
that you make any hierarchical or name changes before registering new users.
During the upgrade users will be asked if they want to create a profile at the end of the upgrade process.
If they choose not to, they can create new profiles at anytime in the future by choosing ″Create New
MAPI Profile″ from the Start - Programs - IBM Lotus Domino Access for Microsoft Outlook shortcut.
Users cannot create a DAMO profile using the Outlook Setup Wizard. They must use the ″Create New
MAPI Profile″ on the start menu.
Choose how you want to install Domino Access for Microsoft Outlook:
v Administrator installation
v End user installation
Note: Domino Access for Microsoft Outlook on Outlook 2000 does not support ″Internet Mail Only″
clients. Previous versions of this product used Open Standards (IMAP and ICAL) to access Domino. The
current release, however, uses the Notes remote procedure call (NRPC) service, which allows a more
accurate matching between Notes features and Outlook. Internet mail clients can still access their mail
using POP3 and SMTP, but without the full functionality that Notes or Outlook provides.
If you installed an earlier version of this product, see the topic Upgrading from 6.5.x to 7.0.
For additional information about system requirements and the most current installation information, see
the release notes that shipped with this product, or view them on http://www.Lotus.com/ldd/doc.
Administrator installation
If you are installing Domino Access for Microsoft Outlook on a workstation for an end user(s), Windows
security requires that you assume the identity of the user for whom you are creating the DAMO user
profile. Creating a profile in any other way will hide that profile from the intended user.
Note: For a multi-user installation, each registered user on the workstation must be a member of the
Power Users group to be able to select their profile when DAMO starts.
Silent install: Use the silent installation to install Domino Access for Microsoft Outlook and create a
profile without end user involvement. This process uses the inherent InstallShield capabilities that call a
setup file containing the user’s connection information to the Domino server.
For example, to set up Domino Access for Microsoft Outlook for multiple users on one workstation, you
can run Silent Install and assume the users’ logon rights with the RunAs capability for each user.
There is one setup file for each user. The setup file is a text file that contains the following connection
information:
-u <User Name> -s <Server IP address> -f <Full path to ID file> -p <id file Password>
For example:
-u John Smith -s 1.11.11.111 -f c:\lotus\notes\data\john.id -p 123456
For example:
setup.exe /s /v"/qn SETUPFILE=C:\user\info.txt"
Note: The syntax must be exact. Notice that after /v there is no space before the quotation mark (″).
Also, there is a closing quotation mark (″) at the end of the line.
Note: Because of the possible need for nested quotes, you may need to use an escape character (\) if
spaces are involved.
If you are a member of the Windows Administrator group, you can choose whether to do a single user or
a multi-user installation on a workstation. If you are not a member of this group, the installation is a
single user install by default.
v Single user install -- Use this method if only one person uses DAMO on the workstation. This type of
install creates only one data directory.
v Multi-user install -- Use this method if more than one person uses DAMO on the workstation. This
type of install allows the creation of data directories specific to each user. This means that each user
can have their own local files, that can provide some measure of security.
Outlook 2000 users -- if you configured Outlook for Internet Only support, you must reconfigure
Outlook for Corporate or Workgroup. To reconfigure Outlook, run Outlook and select Options - Mail
Services - Reconfigure Mail Support. You may be required to supply your Microsoft Office install CD for
this operation.
1. Set Microsoft Outlook as the default mail program. For example, open the Control Panel and choose
Internet Options. Select the Programs Tab - E-mail Option, and then select Microsoft Outlook. (This
path may vary slightly depending on which Windows OS you are using and how you have your
system set up.)
2. If this is a new installation of Microsoft Outlook, you must launch the client to complete the
installation process of Microsoft Outlook. From the Start menu, select Microsoft Outlook and accept
the user name. Then do one of the following:
v Outlook 2k -- Choose ″Manually configure.″ Make no other selections, and then click Finish.
v Outlook XP (2002) and Outlook 2003 -- To the question ″Would you like to configure an E-mail
account?″ choose No. Click Finish.
3. While Outlook is open, select Tools - Options - Mail Services and select the option ″Prompt for a
profile to be used.″
Part 3 -- Create a user profile for DAMO: You cannot create a DAMO profile using the Outlook Setup
Wizard. You must use the following procedure.
1. From the Start menu, choose Programs - IBM Lotus Domino Access for Microsoft Outlook - Create
New MAPI Profile.
2. For ″Your Name,″ enter your Domino common user name. For example, John Smith not
jsmith/sales/acme.
3. For ″Domino server name,″ enter the name or the IP address of your mail server.
4. If you installed a multi-user version, and you want your Data directory to be in a different directory
than your program files, enter a path for your mail files in the ″Data Directory″ field. For example,
C:\Documents and Settings\jsmith\DAMOData or C:\DAMO jsmith.
Tip: You can use Windows folder security settings, to protect these folders as necessary.
5. If DAMO does not find your Notes ID in your Person Document on the Domino server, you will be
prompted for one. Type the path or browse to locate your Notes ID.
6. (Optional) Copy your Notes ID file to your Data directory. (It is always good to have a backup copy
of your ID file.)
7. Your DAMO profile will be created.
For the most current installation information, and for information on the differences between Microsoft
Outlook and Domino Access for Microsoft Outlook, known problems, and migration issues, users can
view the installation and setup guide (which includes the release notes) on
http://www.Lotus.com/ldd/doc.
The feature ″this and all future″ is not provided in Microsoft Outlook. If the chair is using Lotus Notes
and the invitee is using Microsoft Outlook, selecting this option generates an invitation to each of the
subsequent occurrences of the meeting. To maintain compatibility between Microsoft Outlook and Lotus
Notes, an invitee that is added to an existing repeat meeting receives instance updates for the entire
repeat set. If you anticipate there will be significant changes to the repeat meeting invitee list, you may
want to keep the number of meeting instances to a minimum. That way there will not be too many
meeting notices arriving in an invitee’s mailbox. This is also the case for rescheduled meetings and other
meeting updates.
Note: For additional information about known problems and limitations, see the release notes that
shipped with this product.
When you configure mail tracking, you can specify which types of information Domino records. For
example, you can specify that Domino not record message-tracking information for certain users, or you
can choose not to record the subject line of messages sent by specific users.
The Mail Tracker Collector task (MTC) reads special mail tracker log files (MTC files) produced by the
Router and copies certain messaging information from them to the MailTracker Store database
(MTSTORE.NSF). The MailTracker Store database is created automatically when you enable mail tracking
on the server. When an administrator or user searches for a particular message, either a message tracking
request or a mail report, Domino searches the MailTracker Store database to find the information.
Note: The Mail Tracker Collector differs from the Statistics Collector (Collect task), which is responsible
for gathering statistical information about servers.
891
Delivery Status Meaning
Group expanded The message was addressed to a group, and the group was expanded on this server.
Unknown The status of the message on the server cannot be determined.
Mail usage reports provide important information that you can use to resolve problems and improve the
efficiency of the mail network. In addition, this information is valuable when you plan changes or
expansions to the mail network. For example, you can generate reports that show the 25 users who
received the most mail over a given period of time (a day, a week, a month, and so forth), or the volume
of mail sent by a specified user over some interval. With this information, you can identify users who
might be misusing the mail system. Other reports show the most frequently used next and previous hops,
enabling you to assess compliance with mail use policies.
Agents stored in the Reports database let administrators schedule reports on a one-time, daily, weekly,
and monthly basis. By default, Domino generates scheduled reports at midnight at the interval you
specify -- daily, weekly, or monthly. When a report query is run, the active report agent examines the data
collected in the Domino MailTracker Store database to generate the resulting report. You can configure a
report to save results in the Reports database or mail results to one or more administrators. Saved reports
are organized in the Reports database under several different views. Reports that are mailed, but not
saved, are not added to the Reports database.
You can use the Reports database to analyze server mail usage. Views in the database display previously
saved reports according to date, schedule, report type, and user. In addition, a view displays all
scheduled reports by interval.
For more information on mail routing event generators, see the chapter ″Monitoring the Domino Server.″
Field Enter
Server The name of the server that stores the Mail Tracking Store database (MTSTORE.NSF)
Title Reports
File name Reports.nsf
Template server The name of the server entered in the Server field
Template Reports.ntf
CAUTION:
Do not edit the Mail Tracking Store database directly.
In addition to collecting message data, the MTC task performs several maintenance operations on the
Domino MailTracker Store database. You can enter commands at the server console to instruct the MTC
task to perform these operations. The following table lists the commands for performing various MTC
operations:
load mtc
Performing a manual collection resets the automatic collection interval to its full value.
For example, if the collection interval is set to 15 minutes (900 seconds), after you run
the collection manually, the next automatic collection occurs in 15 minutes.
To check the collection interval that is currently in effect, as well as the time remaining
to the next collection, enter the Show Tasks command at the console.
Establish a different If mail tracking is enabled on the Router/SMTP - Mail Tracking tab of the
collection interval Configuration Settings document, the MTC task collects data from mail tracking log
files at the interval specified in the ″Message tracking collection interval″ field. If there
is new data to report, it creates an entry in the MailTracker Store database. To specify a
different interval, enter the following command at the server console:
The specified value remains in effect until the next Router restart. At that time the
value specified in the Configuration Settings document again goes into effect.
To check the collection interval that is currently in effect, as well as the time remaining
to the next collection, enter the Show Tasks command at the console.
Compact the MailTracker By default, the MTC task compacts the Domino MailTracker Store nightly at 2 am. To
Store database compact the database immediately, enter the following command at the server console:
You can also change the default time for compacting the database, by setting the
variable MTCDailyTasksHour in the server’s NOTES.INI file.
Reindex the MailTracker The Message Tracking Store must be full-text indexed by the MTC task only.
Store database
For a one time reindex of the database by MTC, enter the following command at the
server console:
To improve performance of the full text index, the index should be periodically rebuilt.
If the admin believes a daily reindex is necessary they may set the following INI:
MTCCompactReIndex=1
where value is the maximum number of days to retain documents in the Mail Tracker
Store database. The MTC task removes all documents older than value from the
database.
For information about replication settings, see the topic Table of replication settings.
For more information about the MTCDailyTasksHour setting, see the appendix ″NOTES.INI File.″
Field Enter
Message tracking Choose one:
v Enabled to log message-handling activity information in the Mail Tracking
Store database.
v Disabled (default) to not log any message-handling information.
Don’t track messages for The names of users and/or groups whose messages will not be logged and,
therefore, cannot be tracked. This field applies only to messages sent by the
specified person or group.
If you leave this field blank (default), authorized administrators can track
messages for all users and groups on all servers that are enabled for mail
tracking.
On servers running the ISpy task to test mail connectivity, this task sends trace
messages at 5-minute intervals. To prevent the Domino MailTracker Store
database from filling up with entries for these trace messages, enter the name of
the ISpy mail-in database on the server in this field, for example, ISpy on
MailHub1.
Log message subjects Choose one:
v Yes - The server records the subject of each message in the MailTracker Store
database.
v No - (default) The server does not log message subjects.
If you leave this field blank (default), only members of the LocalDomainServers
group are authorized to track messages on this server. If you add any entries to
this field, you must list all servers and/or users that are allowed to track
messages on this server.
Allowed to track subjects The names of servers and/or users allowed to track messages by subject on this
server.
If you leave this field blank (default), only members of the LocalDomainServers
group are authorized to track messages by subject on this server. If you add any
entries to this field, you must list all servers and/or users allowed to track
subjects on this server.
Note: If you list servers and/or users in this field, you do not have to list them
in the ″Allowed to track messages″ field.
If disk storage space is a concern, use database replication settings to control how many days’ worth of
information the Mail Tracking Store database retains. The number of days restricts how far back in time
messages can be tracked, so choose a value that balances tracking needs and available disk storage.
For information on replication settings, see the chapter ″Creating Replicas and Scheduling Replication.″
Field Enter
From The user name of the sender.
Note: You can also select the name from the Domino Directory.
To The user name of the recipient.
Note: You can also select the name from the Domino Directory.
If you manage multiple servers, you can select a different server by clicking its name
from the Servers bookmark to the left of the Domino Administrator.
Subject The subject of the message that you want to track.
Message ID The message ID of the message you want to track.
For more information on enabling tracking by message subject, see the topic ″Configuring the server
for message tracking″ earlier in this chapter.
Domino displays summary results that include the sender’s name, recipient, delivery time and
message subject, if subject tracking is allowed.
5. From the Messages Found pane, select a message and then click Track Selected Message.
6. Expand the Message tracking results folder, and select a server to view more information about what
happened to the message on that server. Domino displays the following information:
Field Description
Delivery status Indicates whether the Router deposited the message in the recipient’s mail file or
transferred it to another server.
Mailbox status Indicates whether the message is unread, read, deleted, or unknown.
This server The name of the current server.
Previous server The name of the server that delivered the message to the current server in the message
path being examined. For messages originating outside the Domino network and
transferred over SMTP, this is the server from which Domino received the message.
Next server If the current server is not the final destination, the next server on the routing path.
Msg priority Indicates whether the message priority is high, normal, low, or unknown.
Unique message ID A value that uniquely identifies the message on the current server.
Inbound message ID The message ID of the message when it arrived on the server.
Outbound message ID The message ID of the message when it left the server.
In some cases, the SMTP Router changes the ID of the message before transferring it.
Inbound originator The sender’s e-mail address as it appeared in the message headers when the message
arrived at the current server.
Outbound originator The sender’s e-mail address as it appeared in the message headers after transfer from the
current server to the next hop server.
Inbound recipient The recipient’s e-mail address as it appeared in the message headers when the message
arrived at the current server.
Field Description
Description Required text to identify the report.
Report Type Specifies the type of report to create. Choose one:
v Top 25 Users by Count
v Top 25 Users by Size
v Top 25 Senders by Count
v Top 25 Senders by Size
v Top 25 Receivers by Count
v Top 25 Receivers by Size
v Top 25 Most Popular ″Next Hops″
v Top 25 Most Popular ″Previous Hops″
v Top 25 Largest Messages
v Message Volume Summary
v Message Status Summary
Time Range Choose one:
v Today
v Yesterday
v Over the last week (default)
v Over the last two weeks
v Over the last month
v All available information
Note: Each choice refers to the specified time period up to the current day. For example,
if you choose ″Yesterday,″ the report includes information from yesterday and today.
Note: The Earliest Message Found and Latest Message Found fields are filled in automatically when
you run the report. They display the date and time of the earliest and latest message found.
7. (Optional) To narrow the scope of a report, complete any of these fields:
Field Enter
Sender’s Name A text string for the sender’s name, and then choose whether the name should contain the
text string or exactly match the text string.
Recipient’s Name A text string for the recipient’s name, and then choose whether the string should contain
the string or exactly match the string.
Delivery Status Choose one:
v Is - Delivered (all messages that were delivered)
v Other than - Delivered (all messages that encountered delivery failures or are still being
processed)
v Is - Not Delivered (all messages that encountered delivery failures)
v Other than - Not Delivered (all messages that were either delivered or are still being
processed)
v Is - Being Processed (all messages that are still being processed)
v Other than - Being Processed (all messages that were delivered or encountered delivery
failures)
Note: The delivery status corresponds to the message tracking delivery status. ″Delivered″
refers to messages that were delivered, transferred, or ″group expanded″ (that is, the
message was addressed to a group, and the group was expanded to its member list on the
server). ″Not delivered″ refers to messages that were not delivered, not transferred, or
whose status is unknown.
Message Size The maximum or minimum message size (in bytes) to include in the report.
8. Reports are saved as Notes documents. Double-click the document to view it.
The following procedure requires you to have Domino Designer installed on the administrative
workstation.
If you created a scheduled report to diagnose a particular problem, you can disable the report to prevent
it from executing after obtaining the information you need. Disabling a scheduled report conserves server
resources, but lets you retain the report settings for future use. You can disable a report temporarily, or
remove it from the server altogether.
1. From the Domino Administrator, click the Messaging - Mail tab.
2. Expand the Reports for Servername view and open the Scheduled Reports folder.
3. Select the report view containing the scheduled report to disable; for example, Daily or Weekly.
4. Select the scheduled report and do one of the following:
v Click Enable Report - Activates a currently disabled report so that the server executes the report at
the next scheduled interval.
v Click Disable Report - Prevents a currently enabled report from running, so that the server cannot
execute it at the scheduled intervals. The report remains in the Reports database and can be
activated at a later time.
v Press the DELETE key - Permanently removes the report from the Reports database.
You can use the Reports database to analyze server mail usage. Views in the database display previously
saved reports according to date, schedule, report type, and user. An additional view displays all
scheduled reports by interval.
Note: For scheduled reports, the user is the server running the report; for reports that an administrator
runs manually, the user is the administrator.
Using Domino to store Web pages as documents in a database has a major advantage over storing static
HTML pages: using Domino, any change that you make to a database is automatically reflected on the
Web server.
The following diagram shows how the Web server displays a Notes document as an HTML page to a
browser client.
Any Domino application can be a Web application. Before you create a Web application, become familiar
with the Domino features that can be translated into HTML and determine whether Web browser users,
Notes clients, or both will access the application. You can use the Notes formula language to detect which
type of user is accessing the application and then, based on the user type, change the display of
information in the application.
A Domino Web site can consist of a single database or several databases that are connected by links. In
addition to hosting Web sites, the Web server can run other server tasks, such as mail or directory
services. Be sure to enforce security on databases if you do not want users outside your organization to
access the databases on the server.
903
For information on designing Web applications, see Application Development with Domino Designer.
For information on customizing the authentication of Web application users, see the DSAPI
documentation in the Lotus C API Toolkit for Domino and Notes.
If you use a staging server, give access only to Web content managers. Also be sure to give the Web
content managers replication access on both the staging server and the production server.
In this example, Web content managers make changes on Webstage-E and replicate these changes to
Web-E, which is available to users outside the firewall.
To check the server setup, start your browser and enter the DNS name or IP address for the server.
Note: When the HTTP task starts up, a server console message indicates the Domino Directory view the
task is using for Web configuration information (Servers\Internet Sites or Servers\Web Configurations).
For more information on server commands and NOTES.INI settings, see the appendices ″Server
Commands″ and ″NOTES.INI File.″
Field Action
TCP/IP port number Enter a port number. Default is 80.
TCP/IP port status Choose one:
v Enabled -- To configure the server to listen for HTTP requests on the specified
TCP/IP port.
v Disabled -- To prevent the server from listening for HTTP requests on the specified
TCP/IP port.
v Redirect to SSL -- To redirect any HTTP requests that come into the TCP/IP port to
the SSL port.
Enforce server access Choose one:
settings v Yes -- To enforce server access settings for this protocol on the server. Server access
settings are found on the Security tab of the Server document, and specify the names
of authenticated users who have been granted access to this server, and those who
have not.
v No -- To not enforce server access settings for this protocol.
SSL port number Enter a port number. Default is 443.
SSL port status Choose one:
v Enabled -- To configure the server to listen for HTTPS requests on the specified SSL
port.
v Disabled -- If you do not want to use SSL for this server.
Field Action
Bind to host name Choose one:
v Enabled -- To enter up to 32 IP addresses and/or DNS names in the Host name(s)
field to which the Domino server will bind. This allows users to access a Web server
using a name other than the Domino server name.
v Disabled (default) -- To bind to all IP addresses on the server.
DNS lookup Choose one:
v Enabled -- To have Domino look up the DNS name of the requesting client. The
Domino log files and database contain host names corresponding to the machine used
by the Web client.
v Disabled (default) -- To not look up the DNS name of the requesting client. The
Domino log files and database contain IP addresses.
v Choosing Disabled improves the performance of the Domino server because the
server does not use resources to perform the DNS name lookup.
Note: The majority of browser users connect to the Internet through Internet server
providers (ISPs), so the host names returned by DNS lookup are those of the ISP’s
proxy servers, not the individual user machines.
DNS lookup cache Choose one:
v Enabled -- To have Domino cache the results of a DNS lookup for faster retrieval.
v Disabled -- To not have Domino cache DNS lookup results.
DNS lookup cache size Specify the maximum size of the DNS lookup cache. Default value is 256.
DNS lookup cache found Specify the length of time, in seconds, that IP addresses remain in the cache. Default
timeout value is 120 seconds.
If you host third-party applications, set the limits to the most stringent values that still allow the
applications to work normally. If the request exceeds the limit, the Web server discards the request and
returns an error to the browser.
Field Action
Maximum URL length Enter the maximum size, in KB, allowed for URLs received from HTTP clients. The
length includes the query string. The default is 4KB.
Increase the default only if you host an application that requires an extremely long URL.
Maximum number of Enter the number of segments allowed. The default is 64, which is usually more than
URL path segments enough. A segment is delimited by slashes; for example, the URL
″/products.nsf/widgets″ contains two segments.
Addresses can include wildcard characters, so that all addresses within a certain class of address will be
restricted. For example, denying access to address 123.45.6.* denies access to all addresses for that subnet.
Similarly, denying access to address 123.45.* denies access to all subnets for that address.
IP address filtering is useful for managing incoming requests to your Web server -- for example, your
server is behind a firewall and should only be accepting requests from the firewall and from the Domino
Administrator client. It also helps in minimizing excessive requests, such as those generated by machines
infected by a Web worm.
CAUTION:
IP address restriction should not be used as the only means of protecting your site, or as a substitute
for user authentication. Client IP addresses are specified in the network packets sent by the client, and
this information is easily spoofed. Additionally, hackers routinely use attack techniques that hide their
true IP addresses. IP address restriction cannot protect the server against such attacks.
Field Action
IP address allow/deny priority Specify which IP address list -- Allow or Deny -- takes priority if an incoming IP
address is listed in both the allow list and the deny list (this can happen when both
lists contain wildcards).
Note: If a client IP address does not match either list, then the connection is allowed.
To run Java applets created with Java Notes classes on a Domino Web server, you must enable the
Domino IIOP (DIIOP) task on the server. This task allows Domino and the browser client to use the
Domino Object Request Broker (ORB) server program. The Domino ORB processes the applet requests
and transmits the information to the browser client to communicate. You must enable both the Domino
IIOP task and the Internet Inter-ORB protocol (IIOP) on the server before users can access the Domino
ORB to run the Java applets.
Application designers must create applets with the Java Notes classes and, in addition, they must specify
that the applets can use the Domino ORB to communicate with browser clients. Application designers
specify this setting when they add the applets to a document or form.
For information on designing Web applications, see Application Development with Domino Designer. For
more information on Java Notes classes, see Domino Designer Programming Guide, Volume 3: Java/Corba
Classes.
Field Enter
TCP/IP port number The name of the port the Domino IIOP task listens on. Do not change this port
unless you have assigned port number 63148 (the default) to another task.
Note: The default on Linux servers is 60148 because of an operating system
restriction.
TCP/IP port status Choose one:
v Enabled (default) -- To allow communication over this port.
v Disabled -- To prevent communication over this port.
Field Enter
Number of threads The number of threads you want to allow the DIIOP server task to process at
the same time. The default is 10.
Field Enter
Run restricted Java/Javascript/COM The name that the applet or application uses to access the
server. Applet or application names entered in this field
are allowed to run programs created using a restricted set
of Java and JavaScript features. If the applet or application
logs on anonymously, enter the word ″Anonymous″ in
this field.
Run unrestricted Java/Javascript/COM The name that the applet or application uses to access the
server. Applet or application names entered in this field
are allowed to run programs created using all Java and
JavaScript features. If the applet or application logs on
anonymously, enter the word ″Anonymous″ in this field.
For information on this setting, see the topic Customizing Web server setup.
5. To restrict the level of authentication, choose a setting in the Internet server authentication field on the
Security tab and save the document.
6. If necessary, edit the ServerTasks setting in the NOTES.INI file to include the DIIOP task.
7. Set up SSL server authentication, name and password authentication, or anonymous access to the
IIOP port for the application or applet.
8. Define server access by browser clients that use Java and JavaScript. If the applet or application uses
name-and-password authentication, enter the name for the applet or application. Otherwise, use the
name ″Anonymous″ when setting up server access.
9. Restart the server.
A typical example of how this feature is used is that of a user performing a domain search from a
browser. The user sends the search request to Server A, but some of the search hits are actually located in
a database on Server B. When Server A generates the HTML for the search results page, it needs to create
URL links to Server B for those hits. To create those links, Server A will look up the Server record for
Server B in the Domino Directory, and use the fields in the table below to generate the correct syntax for
the URLs.
Field Action
Does this server use IIS? (Domino 5.0x servers only) Specify whether this server uses the Microsoft IIS stack
instead of the native Domino HTTP stack.
Note: This setting is used only if the server is Domino 5.0x or earlier; Domino 6
and later servers always generate IIS-compatible links.
Protocol Indicate the protocol to be used in URL links to this server. Choices are HTTP and
HTTPS (for SSL).
Host name Indicate the fully-qualified host name to be used in URL links to this server; for
example, www.acme.com.
If Server A in the example above needs to generate a link to a database on Server B, and Server B’s
Server record has the fields set to these values:
Protocol: HTTP
For information on creating Java servlets, see Application Development with Domino Designer.
Field Action
Java servlet support Choose one:
v None (default) -- To not load the Java Virtual Machine (JVM) or the servlet
manager when the HTTP task starts.
v Domino Servlet Manager -- To load the JVM and the servlet manager that
comes with Domino.
v Third Party Servlet Support -- To load the JVM, but not the Domino servlet
manager. This lets you use a servlet manager other than Domino, such as
IBM WebSphere.
Servlet URL path Enter the path in a URL that signals Domino that the URL refers to a servlet.
The default is /servlet.
Class path Enter one or more paths that the Servlet Manager and JVM search to find
servlets and dependent classes. The standard Java libraries installed with
Domino are automatically in the class path. This setting allows you to add
additional paths. You may specify directories, JAR files, and ZIP files. Paths may
be absolute or relative to the Domino data directory. For example:
v domino\servlet specifies files in the c:\lotus\domino\data\domino\servlet
directory
v c:\apps\myservlets specifies files in the c:\apps\myservlets directory
v c:\javamail\mail.jar specifies the mail.jar file in the c:\javamail directory
v domino\servlet\sql.zip specifies the sql.zip file in the
c:\lotus\domino\data\domino\servlet directory
Domino uses this setting and the settings below only if the servlet uses the Java
Servlet API HttpSession interface. The HttpSession interface support is
completely separate from the Domino HTTP session authentication feature.
Idle session time-out Enter the amount of time in minutes the user is allowed to remain idle before
the session is terminated. The default is 30 minutes.
Maximum active sessions Enter the number of simultaneous active sessions allowed. The default is 1000.
After this limit is reached, the sessions that have been idle the longest are
terminated.
Session persistence Choose one:
v Enabled -- To save session data to a disk file called sessdata.ser in the
Domino data directory when the HTTP task exits. Domino saves the data in
the Domino data directory in a file named sessdata.ser. Domino reloads the
session data when the HTTP task restarts. Domino also saves objects that the
servlet has bound to sessions if the objects implement the java.io.Serializable
interface.
v Disabled (default) -- Discards all session data when the HTTP task exits.
3. If appropriate for your servlet engine, control access to the servlet by specifying who has access to the
servlet files.
For more information, see the chapter ″Controlling Access to Domino Servers.″
Special properties for individual servlets can be specified in a text file called servlets.properties, which
is located in the Domino data directory. For more information about the servlets.properties file, see
the book Application Development with Domino Designer.
Setting up WebDAV
WebDAV (Web-based Distributed Authoring and Versioning) is a set of extensions to the HTTP/1.1
protocol which allow users to collaboratively edit and manage files on remote Web servers.
WebDAV support in the Domino Web Server enables accessing file resource type design elements in a
Domino database. This allows application designers to work with design elements such as HTML files,
images and other file based resources using web based authoring and development tools.
The WebDAV implementation in the Domino Web Server supports, and has been tested with, the
following clients; Macromedia Dreamweaver 4.01, Microsoft Office 2000, Microsoft Internet Explorer 5.0x
and 6.0, Windows Explorer on NT4, Windows 98, Windows XP, and Windows 2000.
You must be using Web Site documents to configure and manage the Web sites on your server in order to
use WebDAV.
Be aware that enabling WebDAV also enables the following HTTP methods for the web site: PUT,
DELETE, GET, HEAD, OPTIONS.
Enabling WebDAV: Before you can use WebDAV (Web-based Distributed Authoring and Versioning), it
must be enabled.
1. From the Domino Administrator, choose Configuration - Web - Internet Sites.
2. Open the Web Site document on which you want to enable WebDAV.
3. Click the Configuration tab.
4. Under ″Allowed Methods,″ select ″Enable WebDAV.″
Note: If you enable WebDAV, the following HTTP methods are also enabled: GET, HEAD, OPTIONS,
PUT, and DELETE.
5. Enter this command at the console so that the settings take effect:
tell http refresh
For detailed information about using WebDAV, see the book Application Development with Domino Designer.
There are two types of directives in this file: Property and Rule. The property directive defines a browser
property that can be accessed by @BrowserInfo. The Rule directive specifies a regular expression pattern
which is used to match the browser User-Agent header.
Typically, Web application developers will make use of this file to ensure that their applications work
properly on the Domino Web server. However, because of the file’s location in the server data directory, it
is likely that you, as the Domino administrator, will need to make any necessary modifications.
Web Site documents contain Web site configuration information and are managed through the
Servers\Internet Sites view along with other types of Internet site documents. However, for backward
compatibility the Domino 7 HTTP task still supports the R5 Servers\Web Configurations view. If you are
migrating your site from Domino 5 to a later release you do not need to immediately convert from the
old view to the new view. However, you will need to convert to the Internet Sites view to take advantage
of many of the Web Site features.
Many of the HTTP task Server record settings used in Domino 5 are now available in the Web Site
document. If you enable the new Internet Sites view, the HTTP task uses the Web Site settings instead of
those in the Server record.
To enable the Internet Sites view, in the Basics section of the Server document, click ″Loads Internet
configurations from Server\Internet Sites documents.″
For more information, see the topic ″Converting from Web Server Configuration to Internet Sites view″
later in this chapter.
By default, Web Site documents are not associated with specific Domino servers. All servers that share
the same Domino Directory -- that is, reside in the same Domino domain -- automatically use the same
Web Site documents in the Internet Sites view. This means that you do not have to re-create the same
Web configuration each time you add a new server to the domain. When you add or modify a Web Site
document, the changes are picked up automatically by all servers in the domain.
An optional field in the Web Site document allows you to specify the Domino servers that will host a
site. Servers that are not listed in this field will not load the site configuration.
You set up each virtual server with a network connection with its own separate, permanent numeric IP
address or map multiple host names to the same IP address. The number of virtual servers is dependent
only on your operating system and the system hardware. See your operating system documentation and
hardware documentation for more information.
If you are using virtual servers or hosts, create one Web Site document for each virtual site. If you
provided a default site in the Release 5 server record, you must either make one of the Web Site
documents the default site, or create a document for the default site.
To convert from the Web Server Configurations view to the Internet Sites view: If you do not have
virtual servers or hosts, follow these steps to convert to the new view:
1. Create a Web Site document.
2. Select the Web Site document and choose Edit Document.
3. Click Web Site and create the corresponding documents in Lotus Domino 7: Web SSO Configuration,
Rule (URL Mapping/Redirection), File Protection (File Protection), or Authentication Realm (Realm).
4. Open the Server document.
5. Click Basics and check Enabled for ″Loads Internet configurations from Server\Internet Sites
documents.″
6. Save the document, and restart the HTTP server task to use the new view.
Note: If you have created Web SSO Configuration documents in the Web Server Configurations view,
these need to be disabled before you can enable the Internet Sites view. Otherwise, this generates an error
message. You have the option of disabling them yourself, on the Internet Protocols - Domino Web Engine
tab of the Server document, or allowing Domino to do it for you. You will be prompted about this if you
try to enable Internet Sites when you have existing Web SSO configuration documents.
To set up multiple Web sites on a partitioned server (for Web Site documents or for Virtual Servers):
1. Set up the partitioned server with separate TCP/IP addresses.
Configuring HTML, CGI, icon, and Java files for Web Site documents
Domino looks for individual HTML, CGI, and icon files in specific directories on the server’s hard drive.
You can change the URL path for icons and CGI program files. The URL path is where Domino looks for
icons or CGI programs when it encounters a reference in the HTML code to one of these.
Specifying icon and CGI URL paths is useful if you change the directory location of icons or CGI
programs and you do not want to modify HTML code that references the previous location of these files.
You need to add an extension to the file name for any files stored in the server CGI directory in order to
be able to execute them. For example, .exe must be added to the file names for executable files, .pl must
be added to the file names for Perl programs, and so on.
1. From the Domino Administrator, choose Configuration - Web - Internet Sites.
2. Choose the Web Site document you want to edit and click Edit Document.
3. Click Configuration. Under ″Default Mapping Rules,″ complete these fields:
Field Action
Home URL Enter the URL command to perform when users access the Web site without specifying a
resource -- for example, the user just requests ″http://www.acme.com.″ Usually the home
URL points to the Web site’s home page -- for example, ″/welcome.nsf/hello?OpenPage.″
HTML directory Specify the directory that will be used to find HTML files if a URL does not specify a path
-- for example, http://www.acme.com/welcome.html. Default is domino\html. The path
can be relative to the Domino data directory, such as domino\myhtml, or it can be fully
qualified, such as c:\websites\html.
Service providers: This directory is relative to the main Domino data directory, not to the
hosted organization’s data directory.
Icon directory Enter the directory where icon files are located. You can specify the path for the icon
directory using either the fully qualified path or a relative path. Default is domino\icons.
Service providers: This directory is relative to the main Domino data directory, not to the
hosted organization’s data directory.
Icon URL path Enter the URL path that is used to map to the icon directory. The default is /icons.
Service providers: This directory is relative to the main Domino data directory, not to the
hosted organization’s data directory.
CGI URL path Enter the URL path that is used to map to the default CGI directory. The default is cgi-bin.
Note: If you are using the Web Server Configuration view, open the Server document, choose Internet
Protocols - HTTP, and complete the fields in the ″Mapping″ section.
The Domino Web Server Application Programming Interface (DSAPI) is a C API that you can use to write
your own extensions to the Domino Web Server. These extensions, or ″filters,″ let you customize
authentication for Web users. For more information about DSAPI and filters, see the C API User’s Guide
and the C API Reference Guide.
WebDAV is a set of extensions to the HTTP 1.1 protocol which allows users to collaboratively edit and
manage files on remote Web servers. WebDAV clients can only access design elements in the design
collection of a database. Users must have Notes manager or designer level access rights to the database.
Application developers are the typical uses of WebDAV.
For more information, see the topic ″Setting up WebDAV″ later in this chapter.
For more information about WebDAV, see the book Application Development with Domino Designer.
Note: If you are using the Web Server Configurations view, the DSAPI fields appear in the Server
document on the Internet Protocols - HTTP tab.
1. From the Domino Administrator, click the Configuration tab, expand the Web section and click
Internet Sites.
2. Choose the Web Site you want to edit, and click Edit Document.
3. Click the Configuration tab and complete these fields:
Field Action
DSAPI filter file names Enter the name of one or more DSAPI filter files.
Service providers: Each DSAPI filter applies to the entire server; therefore,
if the services must be different for individual hosted organizations, the
DSAPI filter itself must be coded to handle those differences for each
individual hosted organization.
Methods Choose one or more:
v GET (default)
v HEAD (default)
v POST (default)
v OPTIONS (default)
v TRACE (default)
v PUT
v DELETE
WebDAV Choose this option to enable Web-based Distributed Authoring and
Versioning.
Note: If you enable WebDAV, the following HTTP methods are also
enabled: GET, HEAD, OPTIONS, PUT, and DELETE.
Note: If you are using the Web Server Configurations view, use the Server document.
When you enable progressive or interlaced rendering, the image appears to download quickly and you
can typically identify the image before it is completely downloaded.
Field Enter
Image conversion format GIF (default) -- To convert images in documents to GIF format.
Interlaced rendering Choose one:
v Enabled (default) -- To display each line of the image individually.
v Disabled -- To wait for the entire image to download before displaying the
image.
Field Enter
Image conversion format JPEG -- To convert images in documents to JPEG format.
Progressive rendering Choose one:
v Enabled (default) -- To display the image incrementally in several passes.
v Disabled -- To wait for the entire image to download before displaying the image.
JPEG image quality A percentage between 5 and 100 to indicate the level of image quality. The larger the
value, the larger the file, the longer the files take to transmit, and the better the image
quality.
Note: If you are using the Web Server Configuration view, open the Server document and click the
Internet Protocols - Domino Web Engine tab.
You can also specify the maximum number of lines to display in a view when the user specifies a line
count in a URL.
Entering a maximum number of lines prevents users from overloading server resources by requesting a
large number of lines to display.
Field Enter
Default lines per view page A number from 1 to the number specified in the ″Maximum lines per view
page″ field. Default is 30.
Maximum lines per view page A number that is limited only by the browser software. Default is 1000.
Note: If you are using the Web Server Configuration view, open the Server document and click the
Internet Protocols - Domino Web Engine tab.
Change these options to prevent users from overloading server resources with search results.
Field Action
Default search result limit Enter the maximum number of documents to display when users do not specify the
SearchMax parameter in the URL.
If you set the value to 0, the number of documents displayed is the same value as
that specified in ″Maximum search result limit.″
Enter 0 if you do not want to limit the number of documents displayed. The
default is 1000.
Field Enter
Redirect to resolve external Choose one:
links v Disabled (default) -- To prevent the server from accepting Redirect URL
commands and to prevent the server from generating Redirect URL commands as
a result of a domain search.
v By Server -- To look up the server name specified in the URL in the Domino
Directory on the Web server. The Web server searches for the server name in both
the Host names field on the Internet Protocols - HTTP tab or in the Fully qualified
Internet host name field on the Basics tab.
v By Database -- To find the database in the Domino Directory on any available
server. Domino locates the database in the domain catalog, if available, or in the
server’s local catalog. Make sure the domain catalog contains up-to-date
information on the location of databases. By choosing this option, resolving links
take more time than the By Server option since the Web server searches for the
database on an available server, instead of just the server presented in the URL.
The By Database option however, may resolve more links since the Web server
tries to resolve the link using a replica of the database on servers in addition to
the server presented in the URL. Use this option on the server that runs the
domain search so more links are resolved for the user.
Since By Server and By Database both rely on the information in the Domino
Directory, make sure the server information in the Domino Directory is complete and
correct.
Note: If you are using the Web Server Configuration view, open the Server document and click the
Internet Protocols - Domino Web Engine tab.
The Web Site document contains two additional settings that control POST and PUT methods that target
a database (for example, filling in a form or uploading a file attachment). These settings reside in the Web
Site document so that you can specify different values for each Web site.
Field Action
Maximum POST data Enter the amount of data in KB that a user is allowed to
send to the Web site in a POST request that targets a
database. The default is 0, which does not restrict the
amount of data that users can send (however, the
amount is still limited by the Server record setting
″Maximum request content″). This limit applies to both
the PUT and the POST HTTP methods.
For more information on byte-range serving, see the topic ″Improving file-download performance for
Web clients″ earlier in this chapter.
Note: If you are using the Web Server Configuration view, open the Server document and choose the
Internet Protocols - Domino Web Engine tab.
Field Enter
Default character set group A character set group to allow users to choose their preferred character set
when they create or edit documents. The default is Western.
Convert resource strings to A language to use for messages, HTML for default search pages, and static
strings in pages. You can choose a language other than English only for
international versions of the Domino server that have translated text. The
default is English.
Use UTF-8 for output Choose one:
v Yes -- To generate pages using UTF-8.
v No (default) -- To generate pages using the character set mapping you
select.
Use auto-detection if database has Choose one:
no language information v Yes -- To detect automatically the language to use for the database if no
default language is selected on the Design tab of the Database Properties
box.
v No (default) -- Tto use the language specified by the Use UTF-8 for output
field.
If the language is specified for a database on the Design tab of the Database
Properties box, Domino uses that language for text in the database.
Character set in header Choose one:
v Yes (default) -- To add the character set to the ″Content-Type″ HTTP header
of an HTML page. If you select Yes, then the browser finds the character
set before rendering the page.
v No -- To exclude the characters from the HTTP header of an HTML page.
Use this option if you use early versions of browsers that do not
understand the character set tag in the HTTP header.
4. In the fields that display the character set group names, select one of the available choices for
character set mapping.
5. Save the document.
Field Action
Store user preferences in cookies Choose one:
v Disabled -- Users cannot customize their regional preferences
v Single Server -- Cookies for customized preferences are generated for
current Web site/server only
v Multi-server -- Cookies for customized preferences are generated for the
DNS domain to which the current Web site/server belongs
Default regional locale Use this field for those cases in which a user does not have any custom
regional settings enabled for their browser, and the format option for
regional setting fields is set to ″user’s setting.″ This information is needed
for formatting date, time, number, and currency fields.
v Server locale -- Use server’s operating system settings.
v Browser’s accept-language (default) -- Use browser’s accept-language.
By default, both Internet Explorer and Netscape send HTTP requests
with the accept-language header in the user’s preferred language(s).
Note: If you are using Server document settings and the Web Server Configurations view, you can enable
these settings in the Server document in Internet Protocols - Domino Web Engine, under ″Web user
preferences.″
Field Action
Default string resource language Use this setting to select the default language string resource module
for Web clients who do not send ″accept-language″ information with
HTTP requests, or for cases in which the languages specified in the
″accept-language″ header are not in the languages available on the
server.
Additional string resource languages Use this setting to select the additional string resource languages that
are installed on the server.
Note: If you are using Server document settings and the Web Server Configurations view, you can enable
these settings in the Server document in Internet Protocols - Domino Web Engine, under ″Language.″
Windows-1252
Central European ISO-8859-2
JIS(ISO-2022-JP)
EUC-JP
Traditional Chinese Big5 (default)
EUC-TW
Simplified Chinese GB
Korean KSC5601(EUC)
Cyrillic ISO-8859-5
Windows-1251
KOI8-R (default)
Greek ISO-8859-7
Windows-1253 (default)
Turkish ISO-8859-9
Windows-1254 (default)
Thai Windows-874
Baltic Windows-1257
Arabic Windows-1256 (default)
ISO-8859-6
Windows-1255
Vietnamese Windows-1258
Web Site rules are created as response documents to Web Site documents, and apply only to that
particular Web Site document. If you want to apply a rule to more than one Web Site document, copy
and paste the rule document from one Web Site document to the other.
Before Web Site rules can be applied to an incoming URL, the URL is normalized according to a
predefined set of filtering and validation rules and procedures. These procedures reduce the URL to a
safe form before it is passed to an application for processing. Once the URL is normalized, the HTTP task
uses the rules defined for the Web Site to determine if the URL is to be modified in any way.
Note: Only the URL path is used for pattern matching. The query string is saved for use by the
application. Any patterns you specify for a rule’s Incoming URL pattern field should not include a host
name or query string.
There are four types of Web Site rules. If more than one type of Web Site rule has been created for a Web
Site document, the rules documents are evaluated in this order:
v Substitution
v Redirection
v Directory
v HTTP response header
Substitution rules: A substitution rule replaces one or more parts of the incoming URL with new
strings. Substitution rules should be used when you want to reorganize your Web site, and you don’t
want to have to rewrite all the links in the site, or when you want to provide user-friendly aliases for
complex URLs.
For example, a substitution rule would be useful if you moved a number of files on your Web site from
one directory to another. Instead of fixing all the links that refer to the old directory, your substitution
rule would map the old directory to the new directory.
The incoming and replacement patterns in substitution rules must each specify at least one wildcard. If
you do not explicitly include a wildcard somewhere in a pattern, the HTTP task automatically appends
″/*″ to the pattern when it stores the rule in its internal table.
Redirection rules: Redirection rules redirect incoming URLs to other URLs. There are two types of
redirection rules: external redirection and internal redirection. An external redirection rule causes the
server to inform the browser that a file or other resource requested by the browser is located at another
URL. If the incoming URL path matches an external redirection rule, the HTTP task generates a new URL
An internal redirection rule acts like a substitution rule, as the HTTP task generates a new URL and then
re-normalizes it. There are two differences, however. First, the redirection table is searched recursively, so
you can create and nest multiple redirection rules. Second, an internal redirection rule does not require
the use of a wildcard character. Thus, you can choose to use an internal redirection rule instead of a
substitution rule if you want to force an exact match on the URL path.
If the incoming URL path matches an internal redirection rule, the HTTP task generates a new path,
normalizes the path, and searches the redirection rule table again. Because the HTTP task does a
recursive search through the redirection rule table, you can write broad redirection rules that capture
URLs no matter what substitution or redirection has been applied.
Note: Having a recursive search means that there is the potential for getting into an infinite loop if you
write redirection rules that match each other. To eliminate this possibility, the HTTP task has a built-in
recursion limit of ten.
Directory rules: A directory rule maps a file-system directory to a URL pattern. When the Web server
receives a URL that matches the pattern, the server assumes that the URL is requesting a resource from
that directory.
When you install a Domino 7 Web server, several file-resource directories are created automatically. These
default directories are mapped by directory rules that are defined on the Configuration tab of the Web
Site document. When the Web server starts up, it automatically creates internal rules to map these
directories to URL patterns. The three default directories are:
v HTML directory for non-graphic files
v Icon directory for graphic images such as .GIFs
v CGI directory for CGI programs
Directory rules can only be used to map the location of files that are to be read directly (such as HTML
files and graphic files) and executable programs to be loaded and run by the operating system (such as
CGI programs). Directory rules cannot be used to map the location of other types of resources, such as
Domino databases or Java servlets.
When you create a Directory Web Site rule, you specify read or execute access to a file-system directory. It
is critically important to choose the right access. Only directories that contain CGI programs should be
enabled for Execute access. All other directories should have Read access. If you specify the wrong access
level, unexpected results will occur. For example, if you mark a CGI directory for Read access, when a
browser user sends a URL for a CGI program, the server will return the source code of the program
instead of executing it, which could be a serious security breach.
Directory rules cannot override file-access permissions enforced by the operating system.
Note: Access level is inherited by all subdirectories under the specified directory.
HTTP response header rules: Every HTTP browser request and server response begins with a set of
headers that describe the data that is being transmitted. An HTTP response header rule allows an
application designer to customize the headers that Domino sends -- such as an Expires header or custom
headers to HTTP responses -- with responses to requests that match the specified URL pattern.
The caching headers include the Last-Modified header, Expires header, and Cache-Control header. The
Last-Modified header indicates when the resource or resources used to generate a response were last
changed. The Expires header tells the browser when resources are expected to change. A designer can
define a rule to add Expires headers to responses based on when the designer expects resources to
change. The Cache-Control header provides explicit instructions to browser and proxy server caches, such
as ″no-cache″ for responses that should not be cached, or ″private″ for responses that are cacheable but
are specific to a particular browser configuration.
You can also use response rules to customize headers. For example, you can create response rules for
custom headers that display specific error messages -- for example, when a user is not authorized to
access an application.
Unlike other Web site rules, response rules are applied to the outgoing response, just before the HTTP
task transmits the response to the browser. For response header rules, the pattern is matched against the
final form of a URL, after substitution and redirection rules have been applied to it. For example, if you
have a substitution rule that transforms /help/* to /support.nsf/helpview/* and you want to create a
response rule to match the response, the pattern for the response rule should be
/support.nsf/helpview/*.
The pattern can include one or more asterisks as wildcard characters. For example, the pattern
/*/catalog/*.htm will match the URLs /petstore/catalog/food.htm, /clothing/catalog/thumbnails.htm,
and so on. A wildcard is not required in a response rule. This allows you to create a rule that matches a
specific resource, for example, /cgi-bin/account.pl. Also, as with all rules, the incoming pattern cannot
contain a query string.
Response header rules are different from other rules in that not only do they have to match a URL
pattern, they also have to match the HTTP response status code. You need to specify one or more status
codes in the HTTP response codes field.
Global Web Settings: Global Web Settings enable you to apply Web rules to multiple Web sites. You
define a name for the Global Web settings document, and specify the servers to which the Global Web
settings apply. You then create Web Rules documents for a Global Web Settings document. The Web rules
then apply to all Web sites hosted by the servers specified in the Global Web settings document.
Global Web Settings document and associated Web Site rule documents are not automatically created. If
you want to use the Global Web Settings document and Web Site rules in your Web environment, you
need to manually create them.
Creating a Web Site Rule document: You can keep database files, HTML files, CGI scripts, and other
related Web files in multiple locations or move them to new locations without breaking URL links or
changing documents. Domino displays the Rules document as a response to the Web Site document on
the Configuration tab in the Web - Internet Sites view.
Redirecting a URL displays the page in the new location and displays the URL in the location box for the
user. Mapping a URL or directory displays the page in the new location and hides that new location from
the user.
Field Action
Description Enter a name that differentiates this rule from others you create.
Type of Rule Choose one:
v Directory -- To allow a server file-system directory to be accessed by a URL
path.
v Redirection -- Resource identified by the URL has been moved to a different
location or Web site.
v Substitution -- To replace a string in the URL with another string.
v HTTP response header -- To add an Expire header or custom headers to
HTTP responses that match specified URL patterns and response codes.
Incoming URL pattern Pattern that describes the URLs affected by this rule.
If you are defining many rules, specify the longest unique pattern for each
rule. Do not include http or the host name in the pattern.
Redirect to this URL (Redirection only) Enter the new URL location. If the URL pattern in this field
starts with a slash, the rule is treated as internal redirection. Otherwise, the
rule is assumed to be external redirection.
The pattern for an external redirection needs to start with an Internet protocol
string that the browser understands, such as http: or ftp.
Replacement pattern (Substitution only) Enter the string that replaces the matching part of the
incoming URL.
Target server directory (Directory only) Enter the file-system directory path being mapped. This can
be specified as a fully-qualified path or a path relative to the data directory. If
you want to map a directory that isn’t under the Domino data directory,
specify the fully qualified path.
Note: If you are using Server document settings and the Web Server Configurations view, you can enable
these settings in the Server document. Open the Server document and click Create Web (R5) and select
″URL Mapping/Redirection.″
Configuring a Web Site rule to run PHP: PHP (from ″Personal Home Page Tools″) is a script language
and interpreter. The PHP script is embedded within a Web page along with its HTML. To enable a Web
Site document to use PHP, you need to create a directory rule for that site document to point to the PHP
executable files.
Note: The default directory for PHP scripts is defined by the DOCUMENT_ROOT CGI variable, and is
the /<notes root directory>/data/domino/html. PHP looks for scripts relative to this directory.
Field Action
Description Enter a name that differentiates this rule from others you create.
Type of Rule Select Directory
Incoming URL pattern Enter :/php-bin
Creating a Global Web Settings document: The settings you enable in the Global Web Settings
document apply to all Web Site documents that you have set up on this server. After you have created
the Global Web Settings document, you can create rules for this document. These rules will apply to all of
the servers that are specified in the Global Web Settings document.
Field Action
Descriptive name for this site Enter a name for this Web site.
Domino servers that host this site List all the servers in the domain that will host this Web
site
While you can also apply file protection to CGI scripts, file protection does not extend to other files
accessed by those scripts. For example, you can apply file protection to a CGI script that restricts access
to a group named ″Web Admins.″ However, if the CGI script runs and opens other files, or triggers other
scripts to run, the File Protection document cannot control whether ″Web Admins″ has access to these
additional files.
Do not create file protection documents that restrict access to the following directories, which contain
default image files and Java applets that are used by the Domino Web server and other applications, such
as mail databases:
v Domino\data\domino\java, accessed via Web browser using the path http://server/domjava
v Domino\data\domino\icons, accessed via Web browser using the path http://server/icons
File protection does apply, however, to files that access other files -- for example, HTML files that open
image files. If a user has access to the HTML file but does not have access to the JPEG file that the HTML
file uses, Domino does not display the JPEG file when the user opens the HTML file.
You can create a File Protection document for a directory or for an individual file. Protection defined for
a directory is inherited by all of its subdirectories. You must set up File Protection documents for all
directories accessible to Web users. Files and file directories that do not have File Protection documents
can be accessed by anyone using a Web browser.
Note: You do not need to use a file protection document to protect a database (.NSF) file; instead, you
use a database ACL.
Examples of controlling Web browser access to server files: Specifying these settings in fields in the
File Protection document allows all users in the Web User Group to open files and start programs in the
c:\notes\data\domino\html directory.
Path: c:\notes\data\domino\html
The file ″secret.htm″ resides in the notes\data\domino\html subdirectory. You can deny access to this file
to members of the Web User Group and allow access only to user Joe Smith. To do this, create an
additional File Protection document with the following settings:
Path: c:\notes\data\domino\html\secret.html
Creating file protection for Web Site documents: In Domino 7, you create a file protection document
for a specific Web Site. This file protection documents then only applies to that specific Web Site.
Field Action
Description (Optional) Enter a name that differentiates this document from others you
create.
Directory or file path Specify the directory or file path that you want to which you want to restrict
access. It should be either in the fully-qualified path format, which includes
the drive letter -- for example, ″c:\lotus\domino\data\domino\cgi-bin,″ or
enter the path relative to the server’s data directory -- for
example,″domino\cgi-bin.″
Current Access Control List Displays the users and groups who can access the file or directory you
specified, and the type of access they are allowed. Similar to a database ACL,
the access control list is always created with a -Default- entry, set to No Access,
which you can modify. As with a database ACL, those not listed in the Access
List receive the default access level.
Set/Modify Access Control List To add users to the Access Control List, click Set/Modify Access Control List.
Select a user name or group from the Domino Directory or type a name in the
Name field. Select ″Read/Execute access (GET method),″ or
″Write/Read/Execute access (POST and GET methods,″ or ″No Access.″ Click
Add to add the entry to the Access Control List.
GET lets the user open files and start programs in the directory. POST is
typically used to send data to a CGI program; therefore, give POST access only
to directories that contain CGI programs. No Access denies access to the
specified user or group.
cn=Anthony Jones,l=westford,o=airius.com
should be entered into the access list of a File Protection document like this:
cn=Anthony Jones/l=westford/o=airius.com
5. Click Administration and complete the Owners and Administrators fields. By default, the
administrator name you logged in with is the name that is assigned to both fields.
6. Save the document.
7. Enter this command to refresh the settings:
tell http refresh
Field Action
Applies to (Read-only) This setting applies to the base server, and all virtual servers or virtual
hosts that do not have file protection settings. If a virtual server or virtual host has any
file protection settings, then this setting does not apply.
Path Specify the drive, directory, or file to which you want to restrict access. You can use
fully-qualified path or the relative path.
4. Click Access Control, complete this field, and then save the document:
Field Enter
Current access control list The users and groups who can access the files or directories you specified and the type
of access they are allowed. By default, the access control list contains a -Default- entry,
set to No Access. Users who are not listed in this field receive the -Default- access level.
To remove an entry from the list, select the entry and click Clear.
If users connect to the server using Anonymous access, enter Anonymous in the Name
field and assign the appropriate access.
Domino displays the File Protection document as a response to the Server document.
The realm string also applies to requests mapped to paths that have the specified path as their root,
provided that the child paths of the root do not already have a specified realm. For example, the realm
string specified for D:\NOTES\DATA also applies to a request mapped to D:\NOTES\DATA\FINANCE,
if the latter does not have a realm specification.
If you are using Web Site documents, you can create a Web Site Authentication Realm document for a
specific Web Site document. The Authentication Realm document appears as a response document to the
Web Site document in the Internet Sites view.
If you are using the Web Server Configurations view, or a virtual server (Domino 5), you create a Web
realm. The Web Realm document appears as a response to the Server document which can be seen in the
Web Server Configurations view.
Field Action
Description (Optional) Enter a name that differentiates this document from others you
create.
Directory or file path Enter the name of the path that you want to protect. It should be in either
the fully-qualified path format, which includes the drive letter; for example,
use ″c:\lotus\domino\data\domino\cgi-bin,″ or the relative path to the
server’s data directory for example, ″domino\cgi-bin.″
Realm label returned to browser Enter a text string that describes the location on the server or any other
descriptive string, which will be used as the realm that is displayed to the
user and stored by the browser. This string should not contain any accented
or international characters, because they will not be displayed correctly by
the browser.
Field Enter
IP Address (Optional) The IP address of the virtual server. Complete this field only if you are
creating a Web realm for a virtual server.
5. Enter this command at the console so that the settings take effect:
tell http restart
To create a message page, create a form for each type of message and then create a mapping document in
the Domino Configuration database (DOMCFG.NSF) to specify which form to display. While you can
store message pages in any database, the one most commonly used is DOMCFG.NSF.
In addition, you can specify a general message that appears for all other types of errors or responses that
occur on the Web server.
Note: The general error message will not be generated for errors that occur when accessing non-database
files. This type of custom error message only works when errors are encountered while accessing .NSF
files.
If you enabled session-based name and password authentication, Domino displays an HTML page you
specify to request name and password information from the user. Domino does not use customized error
pages to display errors when authenticating with the server or accessing a database if session-based name
and password authentication is enabled.
Database designers also have the ability to create custom error messages for individual databases that
reside on Domino servers. These types of custom error messages are stored within the database and will
only be generated when errors occur while accessing that specific database.
For information on customizing messages that a user receives for a specific database on a server, see
Application Development with Domino Designer. For information on session-based name and password
In this example, the form for the message exists in the database ANYDB.NSF and is returned to the user
when the user encounters an error.
Users must have Reader access to the Domino Configuration (DOMCFG.NSF) database and Any database
(ANYDB.NSF).
You can create custom error pages that apply to the entire server, a specific Web site, or specific
databases. If you have a custom error page configured for a specific database, it overrides the server-wide
Web site specific custom error pages. If you have a Web site specific custom error page configured, it
overrides the server-wide custom error message.
For information on customizing HTML pages for name-and-password authentication, see the chapter
″Setting Up Name-and-Password and Anonymous Access to Domino Servers.″
1. Make sure the Web server exists.
2. From the Domino Administrator, choose File - Database - New.
3. Under Server, enter the name of the Domino server on which you want to create this database.
4. Select the Domino Web Server Configuration template (DOMCFG5.NTF) from the Advanced
Templates list.
5. Under Title, enter a name for the database.
6. Under File name, enter DOMCFG.NSF.
For information on creating forms and customizing Web server messages for a specific database on a
server, see Application Development with Domino Designer.
For more information, see the chapter ″Monitoring the Domino System.″ For more information on tuning
the performance of an application, see Application Development with Domino Designer.
Field Action
Maximum cached designs Enter the number of database design elements to cache for users. The default is 128.
When a user opens a database, Domino maps each design element name to an
identification number. This mapping procedure takes time. Use this field to specify
how many elements you want to store in memory so the next time a user accesses
that element, it is immediately available.
Maximum cached users Enter the number of users to cache. The default is 64.
After a user successfully authenticates with a server, Domino stores in memory the
user’s name, password, and the list of groups to which the user belongs. Use this
field to increase the number of users for whom Domino stores this information.
Cached user expiration Enter the time interval in seconds during which Domino regularly removes user
interval names, passwords, and group memberships from the cache. The default is 120.
Remove user names, passwords, and group memberships from the cache
periodically to force Domino to look up credentials in the directory the next time
those users access the server.
Field Action
HTTP persistent connection Specify whether you want to enable persistent HTTP connections on the Web server.
These connections remain active under the following conditions:
v HTTP protocol is 1.1.
v The server application returns an HTTP response code less than 400. (If the server
application returns an HTTP response code greater than or equal to 400, the
connection will be closed by the server.)
v The HTTP request did come through a proxy server.
v The client did not send a connection close header.
v The number of connections that the server can support is running low, or the
number of connections queued for the thread processing the request is too large.
You should set an execution time limit for Web application agents. The purpose of the time limit is to
prevent Web agents from running indefinitely and using server resources. However, do not rely on this
mechanism for the routine shutdown of agents. When the server shuts down an offending agent,
resources that the agent was using (such as disk files) may be left open.
Field Enter
Run Web agents concurrently? Choose one:
v Enabled -- To allow more than one agent to run on the Web server at the
same time (asynchronously)
v Disabled (default) -- To run only one agent at a time (serially)
Web agent timeout The maximum number of seconds (elapsed clock time) for which a Web
application agent is allowed to run. If you enter 0 for the value (default value),
Web application agents can run indefinitely.
Note: This setting has no effect on scheduled agents or other types of server or
workstation agents.
Domino is compatible with clients that support the HTTP 1.1 specification. The clients may be
implemented in a variety of ways -- for example, as browser plug-ins, applets, or stand-alone programs.
Attached files must be decompressed so that clients that support byte-range serving can access them.
When you attach a file, you must deselect the Compress option. To verify that an existing attachment is
decompressed, from a Notes client choose File - Document Properties, select the $FILE item, and verify
that the Compression Type property is NONE.
Example of downloading a file from the server’s file system: The file INSTALL.EXE is located in a
directory that is enabled for downloading using a URL-mapping. A GetRight 3.1 client can use the
following URL to download the file:
http://hostname/install.exe
If the download is interrupted, the client can restart the download from the point where it was
interrupted.
Example of downloading a file attachment: A user can download a PDF file one page at a time if the
PDF file is attached to a document and the user has set the configuration option in Adobe Acrobat to
download a page at a time. Downloading one page at a time can greatly improve performance if the user
is interested in only a portion of a large file. For example, a user accesses the PROJECT.PDF file using the
following URL:
http:// hostname/dbname/viewUNID/docUNID/$FILE/project.pdf
where hostname is the name of the site, dbname is the name of the database that stores the attachment,
viewUNID is the Universal ID of the view for the attachment, and docUNID is the Universal ID of the
document to which the file is attached.
A typical scenario is for the front-end server to be outside a firewall. The front-end server receives
requests from Web users, the plug-in relays the requests over HTTP, through the firewall, to the HTTP
task on the back-end Domino 7 server. The Domino 7 server then processes the request and sends the
reply back to the plug-in, which relays it to the user.
A plug-in can be configured to support any number of back-end servers. Since Domino uses the same
plugins as WebSphere, you can also combine Domino and WebSphere servers. For example, a Domino
server hosting a mail application and a WebSphere server hosting a J2EE application could both be
placed behind the same IIS front-end server.
The back-end Domino server can be on any supported operating system platform. The following
front-end servers are supported:
v IBM HTTP Server on AIX, Windows 2000/2003, and Windows 2000 Server.
v Microsoft IIS on Windows 2000/2003 4.0 and Windows 2000 Server.
The plug-in files are packaged with the Domino 7 server and their use is covered by your Domino
license. You do not need to install any other WebSphere components to use the Microsoft IIS plug-in.
However, to use the IHS plug-in you must install the IHS components of WebSphere on the front-end
server.
The following features are supported for the Domino back-end servers: core Domino database
functionality, Domino Web Access, and Lotus Domino Off-Line Services (DOLS). Additional Domino
products may also be supported; refer to the product documentation for details.
The plug-in files are also packaged with the Domino server. If the plug-in was not installed during
WebSphere or IHS installation, the administrator can copy the plug-in files from the appropriate
directory:
v Domino\data\domino\plugins\was4
v Domino\data\domino\plugins\was5
v Domino\data\domino\plugins\was6
941
Since several of the required directory structures and files are created during the WebSphere and IHS
installs, they can also be created or copied from an existing installation.
For AIX, Solaris, and Linux: For Win32 (you can use any drive):
/usr/WebSphere/Plugins/bin c:\WebSphere\Plugins\bin
/usr/WebSphere/Plugins/config c:\WebSphere\Plugins\config
/usr/WebSphere/Plugins/logs c:\WebSphere\Plugins\logs
3. Copy the following files from the Domino server to the IHS server:
Copy this file from the Domino server to this location on the IHS server
For AIX, Solaris, and Linux:
<Domino data /usr/WebSphere/Plugins/bin
directory>/domino/plugins/<WASversion>/<platform>/mod_was_ap20_http.so
<Domino data directory>/domino/plugins/ plugin-cfg.xml /usr/WebSphere/Plugins/config
For Win32:
<Domino data directory>/domino/plugins/<WAS c:\WebSphere\Plugins\bin
version>/<platform>/ mod_was_ap20_http.dll
<Domino data directory>/domino/plugins/ plugin-cfg.xml c:\WebSphere\Plugins\config
4. On the IHS server, edit the IHS configuration file httpd.conf (on a default installation this file is
located at <IHS install directory>/conf/httpd.conf). Add the following lines to the bottom of the file:
5. Modify the plugin-cfg.xml file according to the instructions for configuring the WebSphere plug-in.
6. Set up the Domino server according to the instructions for IHS.
7. Restart the IHS server and test your installation.
Chapter 37. Setting Up Domino to Work with Other Web Servers 943
To configure plugin-cfg.xml:
1. Open plugin-cfg.xml in Notepad.
2. Modify the <Transport> element to target the appropriate Domino server. To do this, change the
Hostname and Port parameters to the proper values required for the plug-in to reach your back-end
server’s HTTP task. For example:
<!-- Server groups provide a mechanism of grouping servers together. -->
<ServerGroup Name="default_group">
<Server Name="default_server">
<!-- The transport defines the hostname and port value that the web server
plug-in will use to communicate with the application server. -->
<Transport Hostname="mydomino.server.com" Port="81" Protocol="http"/>
</Server>
</ServerGroup>
3. Add these directives to the top of the <UriGroup> section. These directives specify common URL
patterns needed for accessing Domino Web applications.
<UriGroup Name="default_host_URIs">
<Uri Name=″/*.nsf″/>
<Uri Name=″/icons/*″/>
<Uri Name=″/domjava/*″/>
<Uri Name=″/execcgi/*″/>
<Uri Name=″/cgi-bin/*″/>
<Uri Name=″/servlet/*″/>
<Uri Name=″/download/*″/>
If your Domino application requires additional namespaces, you can create <Uri> directives for those
patterns also.
Note: All the WAS plug-ins automatically reread the configuration file once a minute to pick up changes.
If you don’t want to wait that long, you must stop and restart the front-end Web server. In the case of the
IIS plug-in, you must stop the World Wide Web Publishing Service from the Windows services control
panel, then restart the Web site from the Internet Services Manager. Just stopping and restarting the Web
site by itself won’t work because the plug-in DLL won’t be reloaded.
HTTPEnableConnectorHeaders=1
This setting enables the Domino HTTP task to process the special headers added by the plug-in to
requests. These headers include information about the front-end server’s configuration and user
authentication status. As a security measure, the HTTP task ignores these headers if the setting is not
enabled. This prevents an attacker from mimicking a plug-in.
Microsoft IIS supports four methods of user authentication. The Domino plug-in configuration supports
all except Digest authentication.
v Anonymous access (the user does not enter a name or password)
v Basic Authentication (the user enters a name and password)
v Digest authentication (an enhanced version of Basic authentication available only on Windows 2000).
The Domino plug-in configuration does not support this authentication method.
v Integrated Windows authentication (a special protocol supported by Microsoft Internet Explorer).
v SSL
IIS requires user authentication in order to control access to resources owned by IIS such as the file
system and Active Server Pages. If a user requests access to a Domino resource, the IIS plug-in passes the
authentication information to Domino. The information passed depends on the combination of
authentication methods enabled on IIS. After the information is passed, Domino authenticates the user
according to the procedures discussed in the topic ″Details of Microsoft IIS security.″ All of the Domino
directory options are available, such as using multiple Domino Directories and LDAP directories.
For information on setting up security options on the Domino server, see the chapter ″Planning Security.″
For information, see the chapter "Setting Up Name-and-Password and Anonymous Access to Domino
Servers.″
Basic Authentication: When using Basic Authentication, IIS verifies the user credentials that the browser
sends as a valid user account. If Basic Authentication is the only IIS authentication method enabled, IIS
Chapter 37. Setting Up Domino to Work with Other Web Servers 945
requires all browser requests to have credentials -- anonymous access is not allowed. Whenever a user
sends a Domino request, the IIS plug-in passes the user name to Domino and informs Domino that the
user has been authenticated by IIS. Such a user is called a ″pre-authenticated″ user. The plug-in passes
the pre-authenticated name exactly as the user entered it in the browser. Domino then attempts to look
up that name in its directories. Since IIS has already verified the user’s password, Domino does not use
the Internet password stored in the user’s Person document or LDAP entry.
If Domino finds the name in a Domino Directory, then Domino uses the primary name in the Person
record for authorization (ACL checking). If Domino does not find the name, then Domino uses the
pre-authenticated name as-is for authorization.
In both cases, Domino builds the user’s group list from the set of groups in the Domino Directory which
include the user as a member, and Domino also adds the special group ″-WebPreAuthenticated-″ to the
group list. You may use -WebPreAuthenticated- as a group entry in database ACLs and other access lists.
Note: If you want to list IIS users by name in database ACLs, you must be careful to use the correct form
of the name. Use the primary name if the user is listed in the Domino Directory, or the IIS
pre-authenticated name if the user is not in the directory. Remember that if a user is listed by name in an
ACL and is also a member of a group in the ACL (including ″-WebPreAuthenticated-″ or any other
group), the name entry takes precedence over the group entry.
Windows account names use the form domain\username or machinename\username -- for example,
SALES\JSmith. If Domino is using Person documents in the Domino Directory to authenticate the
Windows users, the documents must contain the exact Windows account names as aliases. For example, if
Joe Smith has a Notes ID in the ″CorpSales″ domain and a Windows user account in the ″SALES″
Windows domain, the User name field in Joe Smith’s Person document needs to contain:
Joe Smith/CorpSales
SALES\JSmith
This allows Domino to authenticate the Windows user SALES\JSmith as the Domino user Joe
Smith/CorpSales.
SSL: If you enable SSL on a Web server, IIS handles the actual SSL connection. However, if a Web user
provides a client certificate, the IIS plug-in passes the certificate to Domino and Domino uses the
certificate to authenticate the user. If Domino cannot find a certificate for the user, then Domino will
downgrade the user to Anonymous access.
Chapter 37. Setting Up Domino to Work with Other Web Servers 947
948 Lotus Domino Administrator 7 Help
Chapter 38. Setting Up the Web Navigator
This chapter describes how to set up the server that runs the Web Navigator and how to manage the
information retrieved from the Internet.
When someone requests a new page, the Web Navigator server connects to the Internet server, retrieves
the requested page, and copies the page as a document into the Web Navigator database (WEB.NSF). If
the requested page already exists in the database, Domino immediately opens the document without
requesting it again from the Internet server.
The following diagram shows the process the Web Navigator uses to retrieve a page that a Notes client
requests from a Web site.
949
For more information, see the chapter ″Installing and Setting Up Domino Servers.″
2. Start the Web task on the server.
3. Set up the connection between the server and the Internet.
For information on setting up the Internet connection, contact your Internet Service Provider.
4. If necessary, use a proxy to connect the Web Navigator server to the Internet.
5. Edit the Server document for the users’ home/mail server.
6. Set up users to use the Web Navigator.
For more information on server commands and NOTES.INI settings, see the appendices ″Server
Commands″ and ″NOTES.INI File.″
Field Enter
HTTP proxy The name or IP address of the proxy and the port to access HTTP pages.
FTP proxy The name or IP address of the proxy and the port to access FTP pages.
Gopher proxy The name or IP address of the proxy and the port to access Gopher pages.
SSL Security proxy The name or IP address of the proxy and the port you want to go through for pages on
Internet servers that use SSL.
HTTP Tunnel proxy Do not enter a value.
This field is used to send Notes remote procedure calls (NRPC). NRPC is the
architectural layer of Notes and Domino that control services such as replication and
mail. The Web Navigator does not use NRPC for communication.
SOCKs proxy The name or IP address of the proxy and the port.
If you enter a name or IP address in both the SSL Security proxy and SOCKs proxy
fields, Domino uses the SSL Security proxy.
If you enter a name or IP address in both the HTTP proxy and SOCKs proxy fields,
Domino uses the SOCKs proxy.
Do not enter the IP address in this field; you must use the name. Separate multiple
entries with commas or returns. You can use wildcard (*) characters, for example,
*lotus.com or www.*.com.
6. Complete the procedure ″Editing the Server document for the Web Navigator.″
Field Enter
InterNotes server The hierarchical name of the server running the Web task. This is the default server to
use if the InterNotes server field in the user’s Location document is blank.
Setting up users using a policy: If you are using policies, you can specify the browser setting as the
default for all users or groups. The option is located on the Basics tab of the Setup Policy document,
under ″Setup Policy Options for Browsers.″ Complete each field using the information described in the
procedure ″Setting up users individually.″
Field Enter
Internet browser Notes
Retrieve/open pages ″From InterNotes server″ to use the Web Navigator server specified in the InterNotes
server field on the Servers tab.
Field Enter
InterNotes server The hierarchical name of the server running the Web task. The server you specify in this
field takes precedence over the server specified in the InterNotes server field on the
Server document.
To ensure that the Web Navigator can encrypt these private pages, be sure that users’ public keys exist in
the Person documents in the Domino Directory on the server. Domino automatically adds the user’s
public key to the Person document when you register the user.
Field Enter
Concurrent retrievers The number you enter depends on the system configuration for your server. If user
access is slow because the number of users specified in this field is less than the number
of users attempting to retrieve pages from the Internet, increase the number.
Default is 50.
Field Enter
Allow access to these One or more of the following, separated by commas or spaces:
Internet sites v A DNS name -- for example, www.lotus.com
v An IP address -- for example, 205.159.212.10
v A DNS name or IP address with a wildcard (*) --for example, www.*.com. You can
use only one wildcard per entry -- for example you cannot enter w*.*.com.
Deny access to these Same as above.
Internet sites
Field Enter
Services One or more of the Internet services provided. The default is HTTP, FTP, and GOPHER.
The Web Navigator supports sites that have SSL certificates issued by the RSA Certificate Authority (CA),
so you do not need to obtain the Web site’s SSL certificate if it was issued by the RSA CA. If the Web site
does not have a certificate issued by the RSA CA, you must obtain the Web site’s certificate and add it to
the Domino Directory on the Web Navigator server. Obtaining the certificate from a secure location
ensures that the certificate you receive is valid and creates an optimally secure environment by allowing
access only to servers with which you share a valid certificate.
Although not recommended, you can set up Web Navigator to add the Web site’s SSL certificate
automatically to the Domino Directory. Set up this way, the Web Navigator allows users to access pages
on any Web site that uses SSL, even if the Domino Directory does not already contain the certificate. This
approach allows easy access for users, but compromises the security of the data sent by users, since the
server does not verify the identity of the remote server before allowing the user to access it.
Field Enter
Accept SSL site certificates Choose Yes.
3. Click the Server Tasks - Web Retriever tab, complete this field, and then save the document:
Field Enter
Services Choose HTTPS.
To view certificates:
1. From the Domino Administrator, click the Configuration tab, and choose Miscellaneous - Certificates.
2. Look at the Internet Cross Certificates category.
Note: If you use the Lotus SMTP MTA (Domino 4.6 and earlier) as the gateway for Internet mail, users
must append the foreign domain of the SMTP Gateway for each Internet address -- for example,
user@company.com@foreigndomain. So that users don’t need to specify the foreign domain each time,
you can specify the foreign domain of the gateway.
1. Make sure that users’ Notes workstations are already set up to use Notes mail.
For information, see the chapter ″Setting Up and Managing Notes Users.″
2. From the Domino Administrator, click the Configuration tab, and then open the Server document for
the Web Navigator server.
3. Click the Server Tasks - Web Retriever tab, complete this field, and then save the document:
Field Enter
SMTP Domain The name of the foreign domain of the SMTP mail gateway.
Database access
The default user access for the Web Navigator database is Editor, which allows users to create HTML
forms, Recommendation documents, and Web tours. Domino adds the administrator names listed in the
Administrators field in the Server document for the Web Navigator server to the ACL for the Web
Navigator database and gives them Manager access with the WebMaster role.
Administration document
The Administration document is stored in the Web Navigator database and controls default settings for
the database. You must have the WebMaster role to access the document. Open WEB.NSF and access the
document from the Actions menu.
The Refresh agent updates the contents of pages stored in the Web Navigator database with the Web site
content from which they were originally retrieved. Pages in the database are not automatically updated
after they are retrieved; therefore, the page content may quickly become outdated unless you use this
agent.
The Averaging agent creates an average rating of user-recommended pages. The top ten pages appear in
the Recommended by Top Ratings view.
Using a Web tour document, users can group a set of Web pages for others to view sequentially -- for
example, to create training materials or to collect a set of pages that you previously viewed on the Web.
Using a recommendation document, users can add useful Web sites to the Web Navigator database.
To display the name of the user who retrieved a page, the Web Navigator template provides a view titled
($All with Authors). The name displays next to the title of the Web page. To use this as the default view,
rename it to ($All) so that the references to ($All) in the navigators work.
1. Make sure you have Designer access in the ACL of the Web Navigator template (PUBWEB50.NTF)
on the server.
2. Start the Domino Designer, open the Web Navigator template, and select the ($All) view.
3. Choose Edit - Copy and then choose Edit - Paste to paste the ″Copy of ($All)″ view into the
template.
4. Delete the ($All) view.
5. Open the ($All with Authors) view.
6. Choose Design - View Properties and rename the view to ($All).
7. On the Options tab, select ″Default when database is first opened″ to make this view the default.
8. Close and save your changes.
9. Replace the design of the Web Navigator database.
10. Make sure you have the WebMaster role in the ACL of the Web Navigator database.
11. Select the Web Navigator database using a network connection to the server.
12. Choose View - Go to and select All Documents.
13. Choose Actions - Administration, and select Save author information.
Field Enter
URL links Anchors Underline/Blue
Font and size of elements not defined in other Body Text Times 11-point
fields in the HTML Preferences section
Font for text in the <PLAINTEXT>, <PRE>, and Plain Courier
<EXAMPLE> tags
The font size is defined by the Body Text
field.
This setting affects all pages retrieved by the Web Navigator server.
Field Enter
Web Navigator database The new file name of the Web Navigator database
CAUTION:
The options you set in the Server document affect all agents that run on the server.
Field Enter
Run restricted Your user name so that you can run agents that use a subset of the LotusScript features
LotusScript/Java agents and run agents created with Java
Run unrestricted Your user name so that you can run agents with the full set of LotusScript features and
LotusScript/Java agents run agents created with Java
Field Enter
Max LotusScript/Java Maximum is 360. The default is 10 (Daytime Parameters) and 15 (Nighttime
execution time Parameters.)
This field controls the time, in minutes, that the LotusScript agent has to run. Also
controls execution time of agents created with Java.
Max % busy before delay Maximum is 90. The default is 50 (Daytime Parameters) and 70 (Nighttime Parameters.)
This field controls the percentage of time the agent manager can spend running agents.
The time is a percentage of the Start and End times.
To specify the agent schedule: The Web Navigator agents run at default times, but you can reschedule
them. By default, the Purge agent runs at 1 AM; the Refresh agent runs at 3 AM; and the Averaging agent
runs at 12 AM.
1. Start the Domino Designer and select the Web Navigator database (WEB.NSF).
2. Open the agent that you want to reschedule.
3. Select a value in the ″When should this agent run″ field.
Using the Purge agent to manage the size of the Web Navigator database
As users open Web pages, the Web Navigator database gets larger. To manage the database, use the
Purge agent.
The Purge agent uses settings in the Web Navigator Administration document, which is in the Web
Navigator database (WEB.NSF), to determine what and how much to purge. Each night at 1 AM, the
Purge agent goes through the database three times, each time purging documents according to the criteria
you specify. As soon as the database size you specify is obtained, the Purge agent stops and queues to
run the following night.
Field Enter
Maximum database size The maximum size of the Web Navigator database
Using the Refresh agent to update pages in the Web Navigator database
Regularly refreshing pages keeps the page content up to date. You can refresh pages using the Refresh
agent or set an interval for the update cache.
To use the Refresh agent to update pages: To keep the most up-to-date pages in the Web Navigator
database, use the Refresh agent, which compares the date of each Web page inside the database with the
date of the Web page on the server. If the Web page on the server is newer, the Refresh agent replaces the
Web page in the Web Navigator database. By refreshing out-of-date pages, the Refresh agent ensures that
users can quickly access the latest version of a page.
The Refresh agent refreshes only HTTP pages. It does not refresh FTP pages, Gopher pages, or private
pages stored in a user’s private folder in the database.
By default, the Refresh agent is scheduled to run at 3 AM, but it does not start this schedule until you
enable the agent.
1. Make sure you have already set up security for Web Navigator agents and that you have the
WebMaster role in the ACL of the Web Navigator database.
2. Using a Notes client, select the Web Navigator database (WEB.NSF) using a network connection to the
server.
3. Choose View - Go to, and then select All Documents.
4. Choose Actions - Administration.
5. Click the Enable Refresh agent button.
6. Select the name of the server on which the Web Navigator runs in the ″Choose Server To Run On″
dialog box, and then save the document.
To update pages when users retrieve pages: Domino stores each retrieved Web page in the Web
Navigator database. You can specify how often you want Domino to check the Web page on the server to
determine if the page has changed.
1. From the Domino Administrator, click the Configuration tab, and then open the Server document for
the Web Navigator server.
2. Click the Server Tasks - Web Retriever tab, complete this field, and then save the document:
Field Enter
Update cache Choose one:
v Never (default) -- To perform no verifications
v Once per session -- To check only the first time the user accesses the page during a
session
v Every time -- To check each time the user opens a page that is already in the database
By default, the Averaging agent is scheduled to run at 12 AM, but it does not start this schedule until you
enable the agent.
1. Start the Domino Designer and open the Web Navigator database (WEB.NSF).
2. Select the Averaging agent , and then choose Actions - Enable.
3. Choose the Web Navigator server to run the agent.
Use the following tasks to guide you through your security planning:
v Know the business.
v Identify assets and threats (risk analysis).
v Develop strategies to protect your computing environment.
v Develop incident-handling procedures.
v Plan and deliver employee training.
v Keep processes current.
Once you have an understanding of the business requirements, you can then begin to plan the specifics
of your Domino infrastructure, including:
v Will more than one Domino domain be needed, or will the new domain need to interact with existing
domains?
v What is the best method to expose Domino data to the Internet?
v What service levels are needed to support the business?
v Who should have what level of access to the Domino Directory?
963
v Automated attacks from compromised systems in your intranet
v Interfaces with less secure systems
v Mistakes made by untrained or poorly trained users and administrators
v Data interception or alteration for criminal profit
v Malicious activity by former employees
You should also understand the Domino security model, in order to better understand the Domino assets
you need to protect and how they can be protected. For more information, see the topic ″The Domino
security model″ later in this chapter.
For more information on change control, see the chapter ″Using Activity Trends.″
Note: One of the best documents that describes the importance of incident handling is the National
Institute of Standards and Technology’s Contingency Planning Guide for Information Technology Systems
(NIST Special Publication 800-34).
Once you have your incident-handling plans in place, you will be better able to determine your
requirements for:
v Domino logging
v Domino HTTP logging
v Domino backup and restoring
v Parameters for Domino event monitoring
For more information on the Domino server and Web server logs, see the chapter ″Using Log Files.″ For
information on backing up Domino, see the chapter ″Troubleshooting.″ For more information on event
monitoring, see the chapter ″Monitoring the Domino Server.″
Note: The National Institute of Standards and Technology published a document about the relationship
among security awareness, training, and education, titled Information Technology Security Training
Requirements: A Role- and Performance-Based Model (NIST Special Publication 800-16).
The following includes brief descriptions of the various resources that you need to protect in a Domino
environment. Some of the topics are not specific to Domino security, but are included here in the interest
of thoroughness.
Physical security
Physically securing servers and databases is equally as important as preventing unauthorized user and
server access. It is the first line of defense against unauthorized or malicious users, by preventing them
from having direct access to your Domino servers. Therefore, we strongly recommend that you locate all
Domino servers in a ventilated, secure area, such as a locked room. If servers are not physically secure,
unauthorized users might circumvent security features -- for example, ACL settings -- and access
applications directly on the server, use the operating system to copy or delete files, or physically damage
the server hardware itself.
Physical network security concerns should also include disaster planning and recovery.
Network security
The goal for securing your network is to prevent unauthorized users from gaining access to servers,
users, and data. Physical network security is beyond the scope of this book, but you must set it up before
you set up Notes and Domino connection security. Physical network security is established through the
use of devices -- such as filtering routers, firewalls, and proxy servers -- that enable network connections
for various network services (such as LDAP, POP3, FTP, and STMP) that you want to provide for your
Server security
The Domino server is the most critical resource to secure and is the first level of security that Domino
enforces after a user or server gains access to the server on the network. You can specify which users and
servers have access to the server and restrict activities on the server -- for example, you can restrict who
can create new replicas and use passthru connections.
You can also restrict and define administrator access, by delegating access based on the administrator
duties and tasks. For example, you can enable access to operating system commands through the server
console for system administrators, and grant database access to those administrators who are responsible
for maintaining Domino databases.
If you set up servers for Internet/intranet access, you should set up SSL and name-and-password
authentication to secure network data transmitted over the network and to authenticate servers and
clients.
For more information, see the topic ″Server security″ later in this chapter.
ID security
A Notes or Domino ID uniquely identifies a user or server. Domino uses the information contained in IDs
to control the access that users and servers have to other servers and applications. One of the
responsibilities of the administrator is to protect IDs and make sure that unauthorized users do not use
them to gain access to the Domino environment.
Some sites may require multiple administrators to enter passwords before gaining access to a certifier or
server ID file. This prevents one person from controlling an ID. In such cases, each administrator should
ensure each password is secure to prevent unauthorized access to the ID file.
For more information, see the topic ″Notes and Domino ID security″ later in this chapter.
You can also secure Notes user IDs with Smartcards. Smartcards reduce the threat of user ID theft, as a
user who has a Smartcard needs their user ID, their Smartcard, and their Smartcard PIN to access Notes.
Application security
Once users and servers gain access to a Domino server, you can use the database access control list (ACL)
to restrict access that specific users and servers have to individual Domino applications on the server. In
addition, to provide data privacy, encrypt the database with an ID so unauthorized users cannot access a
locally stored copy of the database, sign or encrypt mail messages users send and receive, and sign the
database or template to protect workstations from formulas.
For more information on database ACLs, see the topic ″Application security″ later in this chapter.
For more information on execution control lists, see the topic ″Workstation data security″ later in this
chapter.
Getting started
You need to develop a set of security documentation for your organization. There are four basic types of
security documents needed for any security implementation:
v Policies are the driving documents for the business. These are typically high level statements about the
security needs of the business. Your organization probably already has policy documents for the
organization as a whole. You build and, if necessary, expand on these to develop the security policies
for your Domino environment.
v Guidelines provide overall guidance on how to support and maintain security in the enterprise.
v Standards are established rules on what will and will not happen in an enterprise. Audits may cover
all four types of documents, but the auditor will really focus on the standards set down by a company.
Standards typically cover things like minimum password strength, password expiration intervals,
server operating systems and physical environments, Internet and dial-in access controls, background
checks for administrators, and auditing requirements.
v Procedures typically include specific steps on how to implement security within an enterprise. This
will be the bulk of your Domino security documentation, covering everything from how to control
Domino and X.509 certifiers to what to do when users have forgotten their Notes or Internet passwords
to what steps to take when an employee leaves an organization. Procedures are developed after the
security framework is in place.
The Domino security team is responsible for initial direction, feedback, and auditing of these documents.
The team must include representatives from each department within the enterprise. With this approach,
the security documents created will meet the needs of the entire company. This has the added benefit of
creating buy-in from the participating departments.
Most companies will have a matrix of responsibility similar to the one below:
Role Responsibility
CEO The CEO needs to be a virtual member of the team. Security
must flow from the both the top-down and the bottom-up.
CIO / CTO All technology officers need to be members of the team. It is
appropriate for these members to delegate their role to someone
else, as long as the delegate has the authority to make decisions.
Security officer This person will be the driver of security in the organization.
Representatives from each functional department These representatives specify business needs and requirements.
They must have decision-making authority.
One way to involve users in security planning is to conduct a survey to determine the level of enterprise
security that users expect, as well as the assets they feel should be protected. An anonymous survey is a
good way to discover security issues that users may not be willing to express openly.
Note: The most respected and commonly used standard source for security policies and procedures is the
ISO17799 standard. The National Institute for Standards and Technology has multiple guidelines for
developing security policies, standards, and procedures, including information about ISO I7799.
Server administrators
Server administrators are responsible for managing the overall health and well-being of Domino servers.
A major responsibility of a server administrator includes defining and managing server access lists and
server restrictions, both for Notes clients and Web users. In large organizations, administration duties
may be delegated among several server administrators. In small organizations, a server administrator
might serve as the Domino certification administrator and the database manager for system databases,
such as the Domino Directory and the log file (LOG.NSF). A server administrator might also be
responsible for creating and maintaining File Protection documents for HTTP access and implementing
other Web-related security measures.
It is a best practice to separate Domino server administration from operating system server
administration, if your organization’s IT structure allows this.
You can define several levels of administrator for your organization, depending on the access required to
various administration resources. For example, you can set up an administrator for remote console access
only, or for system administration access only. These levels of administrative access are defined in the
Server document on the Domino server.
Database managers
Database managers are responsible for one or more Lotus Notes databases or database applications. A
major responsibility of a database manager includes managing database access control lists (ACLs). Some
organizations will use the concept of a database owner for management of sensitive data.
For more information on the server-based certification authority, see the chapter ″Setting Up a Domino
Server-Based Certification Authority.″
For more information on the registration authority role, see the chapter ″Setting Up a Domino
Server-Based Certification Authority.″
Server security
To secure Domino servers, you allow and prevent user and server access. In addition, you restrict the
activities that users and servers may perform on the server.
Task Use
Choose an internal or external Internet certificate Set up a certifier that will be used to issue Internet
authority certificates in your organization.
Cross-certify Notes user IDs and Domino server and Allow Notes users and Domino servers in different
certifier IDs hierarchically certified organizations to ascertain the identity
of users and servers in other Notes organizations.
Allow or deny access to a server Specify which Notes users, Internet clients, and Domino
servers are authorized to access the server.
Allow anonymous server access Give server access to Notes users and Domino servers
outside of the organization without issuing a
cross-certificate.
For more information on securing Domino servers, see the chapter ″Controlling Access to Domino
Servers.″
Application security
Restrict access to Domino applications to prevent unauthorized users from gaining access to information.
Task Use
Use the ACL to restrict application access Control Notes and Internet/intranet user and Domino server
access to an application.
Enforce a consistent ACL Protects databases and templates on the server by forcing all
changes to the ACL at a single location.
Encrypt applications Prevent unauthorized users from accessing an application
locally on a server or workstation.
Sign an application or template Identify the creator of an application or template. When a
user accesses the application, the signature is checked to
determined whether the action is allowed.
For more information on securing Domino applications, see the chapter ″Controlling User Access to
Databases.″
For more information on securing Notes mail, see the chapter ″Encryption and Electronic Signatures.″
Task Use
Create Read access lists for views Specify which Notes and Internet/intranet users can see a
view
For more information on securing application design elements, see the book Application Development with
Domino Designer.
Task Use
Require a password for all user and server IDs Prevent an unauthorized user from using an illicitly obtained
ID to authenticate with a server
Enforce password quality testing for IDs Prevent unauthorized users from guessing passwords
Assign multiple passwords to server and certifier Require multiple users to enter passwords before gaining
IDs access to the ID file to prevent one person from controlling a
server or certifier ID
Compare a password with the password stored in Prevent an unauthorized user from using an illicitly obtained
the Domino Directory and require users to change ID to authenticate with a server
their passwords periodically
Compare a Domino public key with the public key Prevent an unauthorized user from using an illicitly obtained
stored in the Domino Directory ID to authenticate with a server
Recover lost or damaged IDs Regain access to a user ID file instead of issuing a new ID
Set up a security settings policy document Manage Notes and Internet password properties, such as
password synchronization and expiration settings, on an
organizational level
Lock the user ID after x minutes of inactivity Automatically log off servers to prevent an unauthorized user
from using the workstation
Use F5 to log off Immediately log off servers to prevent an unauthorized user
from using the workstation
Save user IDs on a disk instead of on the Physically protect user IDs
workstation and keep disks in a safe place
Locate workstations in a secure area -- for example, Prevent unauthorized access to the ID files
a locked room
Install Smartcard readers on user workstations and Physically protect user IDs and private Internet keys
have users log in to Notes with Smartcards
Task Use
Configure the Administration ECL and deploy to Prevent unauthorized users from gaining access to data and
client workstations. applications on client workstations, by defining authorized
users and authorized actions
Set up a security settings policy document Use security settings policy documents to:
v Set up and configure one or more administration ECLs
v Specify how and when you want workstation ECLs to be
refreshed or replaced
Encourage users to use operating system and screen Discourage unauthorized workstation access
saver passwords
Encourage users to shut off workstations before Discourage unauthorized workstation access
leaving
For more information on execution control lists, see the chapter ″Protecting User Workstations with
Execution Control Lists.″
Security policies
Domino policies are a way of distributing administrative settings, standards, and configurations to users,
groups, or entire organizations. A policy is a collection of administrative settings that addresses an
administrative area, such as security. You then use this document to establish and enforce administrative
standards, and to distribute them throughout the organization. In addition, you can easily modify and
maintain standards across an organization by simply editing a settings document.
You can set up a security settings document to manage and deploy execution control lists (ECLs) and
Notes and Internet password settings and synchronization. As these two areas of security are user-specific
and are frequently changed by users, you can use a security policy to enforce settings for these areas
across the organization, and control the extent to which users can adjust or change these settings.
Certifiers can also issue trusted root certificates, which allow clients and servers with certificates created
by different CAs to communicate with one another.
Note: It’s important to distinguish between Notes certifiers and Internet certifiers. When you install and
set up the first Domino server in a domain, a Notes certifier is automatically set up to issue Notes
certificates to Notes clients. These certificates are essential for Notes clients to authenticate with a Domino
server and for Domino servers to authenticate one another. Hence Notes certifiers are important even in
This is a problem for Internet certifiers especially, because it is possible to revoke Internet certificates in
server-based certification authorities. To revoke an Internet certificate, however, you must select it in the
ICL. If the certificate was initially issued using a key ring, it won’t appear in the ICL, so it cannot be
revoked.
Therefore, it is strongly advised that you choose one way to operate -- CA process or CA key ring -- for
each certifier.
Server access for Notes users, Internet users, and Domino servers
To control user and server access to other servers, Domino uses the settings you specify on the Security
tab in the Server document as well as the rules of validation and authentication. If a server validates and
authenticates the Notes user, Internet user, or server, and the settings in the Server document allow
access, the user or server is allowed access to the server.
Grant server access to users and servers who need to access resources stored on the server. Deny access
to prevent specified users and servers from having access to all applications on the server.
Access settings in the Server document control server access for both Notes and Internet users. By
default, the Server access settings apply only to Notes clients. You can enable these settings for each of
the Internet protocols through the Ports tab of the Server document.
For more information, see the topic ″Setting up Notes user, Domino server, and Internet user access to a
Domino server″ later in this chapter.
For more information, see the topic ″Setting up Notes user, Domino server, and Internet user access to a
Domino server″ in this chapter.
For more information, see the topic ″Setting up Notes user, Domino server, and Internet user access to a
Domino server″ in this chapter.
For more information, see the topic ″Denying Notes users access to all servers in a domain″ later in this
chapter.
977
Anonymous access
Anonymous access lets Notes users and Domino servers access the server without having the server
validate and authenticate them. Use anonymous access to provide the general public with access to
servers for which they are not cross-certified. When you set up anonymous server access, Domino does
not record the names of users and servers in the log file (LOG.NSF) or in the User Activity dialog box.
When users attempt to connect to a server set for anonymous access and the server can’t authenticate
them, they see this message:
Server X cannot authenticate you because the server’s Domino Directory does not contain any
cross-certificates capable of authenticating you. You are now accessing the server anonymously.
You can also set up Internet clients to access servers anonymously. For more information on setting up
anonymous access for Internet/intranet clients, see the chapter ″Setting Up Name-and-Password and
Anonymous Access to Domino Servers.″
For more information, see the topic ″Controlling access to a specific server port″ later in this chapter.
Note: It is not necessary to specify Anonymous for the ″Access server″ and ″Not access server″ fields.
Anonymous access for Notes users is enabled through the ″Allow anonymous Notes connections field,″
and anonymous access for Internet users is enabled in the Internet Site document for each Internet
protocol (or the Server document if you are not using Internet Sites to configure Internet protocols).
Tip: To improve log-in performance for a group of frequent users and still allow access to everyone listed
in the Domino Directory, create a group named Frequent Users and then enter that group name first in
the ″Access server″ field. If Domino finds a user in the Frequent Users group first, it doesn’t check the
Domino Directory for the individual name. For example, enter the following in the ″Access server″ field:
Frequent Users, *
For more information on creating groups, see the chapter ″Setting Up and Managing Groups.″
Field Enter
Access server Click the check box to allow server access to users listed in all trusted directories. This box is
disabled by default. If this option is not selected, then only those users specified in the field
below the check box can access the server.
In the drop-down field that appears below the check box, add the names of specific Notes
users, servers, and groups to whom you want to give access to the server, such as:
v Names of users, servers, and groups.
v An asterisk (*) to allow all users in the Domino Directory to have access. This is the same
as enabling the ″Users listed in all trusted directories″ field.
v An asterisk, followed by a certificate name -- for example, */Sales/East/Acme -- to allow
all users certified by a particular certifier to have access.
v An asterisk followed by the name of the view -- for example, *($Users) -- to allow all
names that appear in a specific view in the Domino Directory to have access. Access time
is quicker if you specify a group name rather than a view name.
The default value for this field is blank, which means that all users can access the server.
The default value for this field is blank, which means that all names entered in the ″Access
server″ field can access the server.
Names entered in the ″Not access server″ field take precedence over names entered in the
″Access server″ field. For example, if you enter a group name in the ″Access server″ field
and enter the name of an individual member of this group in the ″Not access server″ field,
the user will not be able to access the server.
Note: An alternative way to deny Notes user access to a server is to lock out an individual
user’s ID from the server.
This procedure applies only to Notes users. It does not apply to Internet users attempting to access a
Domino server.
It’s better to lock out user IDs instead of adding a group to the ″Not access server″ field. Using ID
lockout ensures that users cannot view a list of names that have been denied server access.
1. Make sure that the Administration Process is set up and that you have Editor access in the ACL of the
Domino Directory.
2. From the Domino Administrator, click the People & Groups tab, and select the Person documents of
users to whom you want to deny access.
3. Choose Actions - Set Password Fields, and then click Yes when prompted to continue.
4. In the ″Check Notes password″ field, select Lockout ID, and then click OK.
5. Click the Configuration tab, open the Server document for the server to which you want to deny user
access, and then click the Security tab.
6. In the Security Settings section, select Enabled for the ″Check passwords on Notes IDs″ field.
7. Repeat Step 4 for each server to which you want to deny the user access.
Administrator access rights are granted hierarchically. The privilege hierarchy looks like this:
v Full access administrator -- gets all rights and privileges of all administration access levels listed.
v Administrator -- gets all rights and privileges of database administrator and full-console administrator
(but not system administrator).
v Full console administrator -- gets rights and privileges of view-only console administrator (but not
system administrator)
v System administrator -- gets rights and privileges of restricted system administrator
Note: With the exception of the Administrators field, all of these fields are blank by default, meaning
that no one has these access rights.
Field Action
Full access administrators Enter the names of administrators who have full access to administer the
server. This is the highest level of administrative privilege. For more
information, see below.
Administrators Enter the names of administrators who can administer the server. The
default value for this field is the name of the administrator who initially set
up the server. Administrators listed here have the following rights:
v Manager access to the Web Administrator database (WEBADMIN.NSF).
v Create, update, and delete folder and database links
v Create, update, and delete directory link ACLs
v Compact and delete databases
v Create, update, and delete full text indexes
v Create databases, replicas, and Master Templates
v Get and set certain database options (for example, in/out of service,
database quotas, and so on)
v Use message tracking and track subjects
v Use the console to remotely administer UNIX servers
v Issue any remote console command
Note: If you are using the (Java) Server Controller and you enter a group
name in this field, the group must have a group type of ″Multi-purpose″ to
allow the administrator names to appear in the Administrators field.
Note: For Domino 6.0 and subsequent releases, if the Notes.ini variable
Server_Restricted is used to restrict server access, administrators can still
open databases on the server.
Database administrators Enter the names of administrators who will be responsible for
administering databases on the server. Note that database administrators
are not automatically granted Manager access to databases on the server,
nor do they have any access to the Web Administrator database. Users
listed here have the following rights only:
v Create, update, and delete Folder and Database links
v Create, update, and delete directory link ACLs
v Compact and delete databases
v Create, update, and delete full text indexes
v Create databases, replicas, and Master Templates
v Get and set certain database options (e.g., in/out of service, database
quotas, etc.)
Full remote console administrators Enter the names of administrators who can use the remote console to issue
commands to this server.
The type and range of commands depends on the server operating system.
For example, if the Domino server is an NT server, then these
administrators can issue NT commands at the system command level
prompt. Similarly, administrators for a UNIX server would be able to issue
UNIX commands.
Note: This feature requires that you run the Domino server controller on
the server machine. For more information, see the topic The Server
Controller and Domino Console in the chapter ″Setting Up and Using
Domino Administration Tools.″
Restricted system administrator Enter the names of administrators who are allowed to issue only the
operating system commands that are listed in the Restricted System
Commands field (see below).
Note: This feature requires that you run the Domino server controller on
the server machine. For more information, see the topic The Server
Controller and Domino Console in the chapter ″Setting Up and Using
Domino Administration Tools.″
Restricted system commands Enter the subset of operating system commands that Restricted System
Administrators can issue. The type and range of commands depends on the
server operating system and the tasks that restricted system administrators
need to do.
For example, you may want to have a restricted system administrator for
managing UNIX print queues. Enter the UNIX commands for managing
print queues in this field. Any names you enter in the ″Restricted system
administrators″ field will then have access to these commands only.
Administer the server from a browser This setting applies only to pre-Domino 6 servers for the purposes of
(Obsolete as of Domino 6) backwards compatibility. The Domino Web Administrator client will only
work with Domino 6 and later servers. In the case where an existing
domain’s Domino Directory is upgraded from Domino 5 to a later release,
those servers that have not been upgraded will still need to have this
setting in their Server documents so they can use earlier versions of the
Web Administrator.
CAUTION:
Administrators who are listed in the Full Access Administrators, Administrators, and Database
Administrators fields on the Security tab of a server document are allowed to delete any database on
that server, even if they are not listed as managers in the database ACL.
Full access administrators: Full access administrator is the highest level of administrative access to the
server. The full access administrator feature replaces the need to run a Notes client locally on a server. It
resolves access control problems -- for example, such as those caused when the only managers of a
database ACL have left an organization.
Note: ACL roles must still be enabled manually for full access administrators.
v Manager access, with all roles and access privileges enabled, to the Web Administrator database
(WEBADMIN.NSF).
v Access to all documents in all databases, regardless of Reader names fields.
v The ability to create agents that run in unrestricted mode with full administration rights.
v Access to any unencrypted data on the server.
Note: Full access administrator does not allow access to encrypted data. The use of the specified user’s
private key is required to decrypt documents that are encrypted with public keys. Similarly, a secret
key is required to decrypt documents encrypted with secret keys.
Enabling full access administrator mode: In order to work in full access administrator mode, an
administrator must:
v Be using the Administrator Client.
v Be listed in the Full Access Administrators field in the Administrators section of the Security tab in the
Server document. By default, this field is empty.
v Enable ″Full Access Administration″ mode in the Administrator client by selecting Administration -
Full Access Administration. If this mode is not enabled, then users will not have full administrator
access to the server, even if they are listed as a full access administrator in the Server document. They
will instead be granted Administrator rights.
When full access administrator mode is enabled, the client’s window title, tab title, and status bar
indicate this. This is to remind users that they are accessing the server with the highest level of privilege
and should therefore proceed with caution.
If an administrator enables full administration mode in the Administration client, this mode is also
enabled for the Domino Designer and for the Lotus Notes clients. Full administrator access is also
reflected in their window titles, tab titles, and status bars.
If a user attempts to switch to full access administrator mode, but is not listed as one in the Server
document, the user is denied full access and a message appears in the status bar and on the server
console. The client will be in full access mode, but that user will not have full administrator access to that
particular server. If the user attempts to switch servers, that person’s access is checked against the server
document of the new server.
Disabling the full access administrator feature: You can disable the Full Access Administrators field by
setting SECURE_DISABLE_FULLADMIN = 1 in the NOTES.INI file. This setting disables full access
adminstrator privilege and overrides any names listed in that field in the Server document. This
NOTES.INI parameter can only be set by a user with physical access to the server who can edit the
NOTES.INI file for the server. This parameter cannot be set using the server console, the remote console,
or set in the Server document.
Options for managing the full access administrator feature: There are several ways to grant full access
administrator
v Create a special Full Admin ID file -- for example, ″Full Admin/Sales/Acme″ -- and only put that
name in the Full Admin field. You must then either log in with or switch to this user ID in order to
gain this level of access. Optionally, you could set up this ID file to require multiple passwords.
v Create an OU-level certifier for granting full administrator access, and issue additional IDs to trusted
administrators -- for example, Jane Admin/Full Admin/Acme.
v Leave the Full Access Administrator field empty. Add the name of a trusted individual for emergency
situations, and remove it when the situation has been resolved.
This extra level of key verification protects against misuse of a lost or compromised ID file. Typically, if
an ID file is lost, its owner needs to be registered to create a new ID file and directory entry; and if the
ID file has been compromised then the owner’s public and private keys need to be rolled-over and that
new set of keys need to be certified (thus updating the directory entry). By enabling directory-level key
checking, an attacker in possession of the old ID file will not be able to use it to access the server, even
though that old ID file may contain a valid certificate.
You can also choose to control whether a log message is generated if authentication succeeds but a
mismatch is detected. This allows admistrators to detect when the ID file contents have gotten out of
sync with directory entries, but to do so without preventing those users from authenticating because of
public key mismatches.
For more information on public key security, see the chapter ″Protecting and Managing Notes IDs.″
1. From the Domino Administrator, click the Configuration tab, and open the Server document.
2. Click the Security tab.
3. In the Security Settings section, click the drop-down list next to ″Compare public keys″ and choose
one of the following options:
v Enforce key checking for all Notes users and Domino servers --to compare the key value in the
certificates passed during authentication against the key value stored in in the Domino Directory.
Any user or server not listed in a trusted directory will be treated as if it failed this verification
check and will not be allowed to access this server.
v Enforce key checking for Notes users and Domino servers listed in trusted directories only -- to
compare the key value in the certificates passed during authentication against the key value stored
in in the directory only when the user or server is listed in a trusted directory. Any user or server
not listed in a trusted directory will be treated as if it passed this verification check.
Note: This option allows administrators to give users not listed in the directory access to databases
and applications on the server. For example, a database may have its Access Control List configured
to give editor access enabled for users listed in the Domino Directory, and reader access for
everyone else. So if this key checking option is enabled, users not listed in the directory can still
access the server to use the database, for which they will have reader access only.
v Do not enforce key checking -- if you want only the certificate signatures checked during
authentication, but not verify the keys against the directory contents.
4. Click the drop-down list next to ″Log public key mismatches″ and choose one of the following
options:
Setting up anonymous server access for Notes users and Domino servers
When a server is set up for anonymous access, Notes users and Domino servers do not need a valid
certificate to access the server, since the server does not validate or authenticate them. Use anonymous
access to allow users and servers outside your organization to access a server without first obtaining a
certificate for the organization. You can also set up anonymous access for Internet/intranet users.
For more information on anonymous Internet/intranet access, see the chapter ″Setting Up
Name-and-Password and Anonymous Access to Domino Servers.″
1. From the Domino Administrator, click the Configuration tab, and open the Server document.
2. Click the Security tab.
3. In the Security Settings section, enable ″Allow anonymous Notes connections.″
4. Save the document.
5. Create an entry named Anonymous in the ACL of all databases to which you want to allow
anonymous access. Assign the appropriate access level -- typically Reader access. If you don’t add
Anonymous as an entry in the ACL, anonymous users and servers get -Default- access.
6. Stop and restart the server so that the changes take effect.
If the server allows a user to create database replicas, but a particular database ACL prevents it, the user
cannot create a replica for that database.
Tip: Create a group named ″Replica Makers″ that lists the names of all people who can create replicas on
servers. Enter the group name ″Replica Makers″ in the ″Create replica databases″ field in each Server
document in the Domino Directory.
1. From the Domino Administrator, click Configuration, and open the Server document.
Field Action
Create databases and templates Enter any of these:
v Names of specific servers, users, and groups.
v An asterisk (*) followed by a certificate name -- for example,
*/Sales/East/Acme -- to allow all users certified by a particular certifier to
create databases.
v An asterisk (*) followed by a view name -- for example, *($Users) -- to allow
all names that appear in a specific view in the Domino Directory to create
databases. Access time is quicker if you specify a group name rather than a
view name.
The default value for this field is blank, which means that all users can create
databases on the server.
The default value for this field is blank, which means that no one can create
new replicas.
The default for this field is blank, which means only administrators can create
master database templates on the server.
For information on creating groups, see the chapter ″Setting Up and Managing Groups.″
Note: If many users use this feature, server performance may be slow.
Field Action
Allowed to use monitors Enter any of these:
v Names of specific users and groups.
v An asterisk (*) followed by a certificate name -- for example, */Sales/East/Acme -- to
allow all users certified by a particular certifier to use a monitor.
v An asterisk (*) followed by a view name -- for example, *($Users) -- to allow all
names that appear in a specific view in the Domino Directory to use monitors. Access
time is quicker if you specify a group name rather than a view name.
The default for this field is * (all users). Leave the field blank to allow no one to use
headline monitors.
Not allowed to use Enter any of these:
monitors v Names of specific users and groups.
v An asterisk (*) followed by a certificate name -- for example, */Sales/East/Acme -- to
prevent users certified by a particular certifier from using monitors.
v An asterisk (*) followed by a view name -- for example, *($Users) -- to prevent all
names that appear in a specific view in the Domino Directory from using monitors.
Access time is quicker if you specify a group name rather than a view name.
The default for this field is blank, meaning that no one is restricted from using
monitors. Use an asterisk (*) to prevent all users from using monitors.
For more information on passthru servers, see the chapter ″Setting Up Server-to-Server Connections.″
If your system uses multiple Domino Directories, Domino searches only the first Domino Directory
specified in the Names setting in the NOTES.INI file.
Internet and intranet clients cannot use passthru; therefore, these settings are valid only for Notes users
and Domino servers.
1. From the Domino Administrator, click Configuration, and open the Server document.
Chapter 40. Controlling Access to Domino Servers 987
2. Click the Security tab.
3. In the Passthru Use section, complete one or more of these fields, and then save the document:
Field Action
Access this server Enter any of these:
v Names of specific servers, users, and groups.
v An asterisk (*) followed by a certificate name -- for example, */Sales/East/Acme -- to
allow all users certified by a particular certifier to access the server.
v An asterisk (*) followed by a view name -- for example, *($Users) -- to allow access to
all names that appear in a specific view in the Domino Directory. Access time is
quicker if you specify a group name rather than a view name.
Any users or servers listed in this field can use a passthru server to access this server.
This field does not take precedence over other access fields -- for example, the ″Access
server″ and ″Not access server″ fields. For example, if the ″Access server″ field specifies
that only users listed in the Domino Directory can access this server, users who are not
in the local domain cannot access this server.
The default for this field is blank, which means that users and servers are prevented
from using a passthru connection to access this server.
Any users or servers listed in this field can use the server as a passthru server,
regardless of whether or not they are also included in the ″Access server″ or ″Not access
server″ fields.
The default for this field is blank, which means that users and servers are prevented
from using this server for passthru access.
Any users or servers listed in this field can instruct this server to call -- that is, place a
phone call to -- another server in order to establish a routing path to that server. If no
names are entered, no calling is allowed. In general, if the Replicator on another server
uses the modem on a server to reach its targets, the server name of the Replicator must
be included in this list on the server with the modem. Otherwise, the replication will
frequently fail.
The default for this field is blank, which means that users and servers are prevented
from using this server to route a path to another server.
The default for this field is blank, which means that all servers may be routed to.
Tip: Create a group for each class of users to be used in every category.
For a list of restricted LotusScript and Java features and information about agents, see Application
Development with Domino Designer.
For information on creating groups, see the chapter ″Setting Up and Managing Groups.″
1. From the Domino Administrator, click Configuration, and open the Server document.
2. Click the Security tab.
3. In the Programmability Restrictions section, complete one or more of these fields, and then save the
document:
Only users who have this access can choose an option other than ″do not allow
restricted operations.″ This access is enabled by default for the current server and Lotus
Notes Template developers.
If users in this list are also listed as a database administrator in the Server document,
they are allowed to perform database operations without having to be listed explicitly in
the database ACL. (for example, they can delete databases without being listed in the
ACL of those databases).
Note: To have the ability to run agents in unrestricted mode with full administration
rights, the agent signer should be listed in this field, or in the Full Access Administrator
field, as well as have this mode selected in the Agent Builder. Being listed in Full Access
Administrator list alone is not sufficient to run agents in this mode.
Sign agents to run on Enter the names of users and groups who are allowed to sign agents that will be
behalf of someone else executed on anyone else’s behalf. The default is blank, which means that no one can
sign agents in this manner.
Note: This privilege should be used with caution, as the name for whom the agent is
signed on behalf of is used to check ACL access.
Sign agents to run on Enter the names of users and groups who are allowed to sign agents that will be
behalf of the invoker of executed on behalf of the invoker, when the invoker is different from the agent signer.
the agent This setting is ignored if the agent signer and the invoker are the same. This is used
currently only for Web agents. The default is blank, which means that everyone can sign
agents invoked in this manner (this is for backwards compatability).
Run restricted Enter the names of users and groups allowed to run agents created LotusScript and Java
LotusScript/Java agents features, but excluding privileged methods and operations, such as reading and writing
to the file system. Leave the field blank to deny access to all users and groups.
Run simple and formula Enter the names of users and groups allowed to run to run simple and formula agents,
agents both private and shared. Leave the field blank to allow all users and groups to run
simple and formula agents, both private and shared.
Sign script libraries to run Enter the names of users and groups who are allowed to sign script libraries in agents
on behalf of someone else executed by someone else. For the purposes of backwards compatibility, the default
value is to leave the field empty, to allow all.
Controlling server access by browser clients that use Java and JavaScript
Note: These settings are for use only with pre-Domino 6.0 servers. They should not be used with
6.0
a Domino 6 or later server and are included for the purpose of backwards compatibility only, to be used
to manage prior releases of Domino servers with the Lotus Notes 7 client.
For more information on the DIIOP task, see the chapter ″Setting Up the Domino Web Server.″
1. From the Domino Administrator, click Configuration, and open the Server document.
2. Click the Security tab.
3. In the Programmability Restrictions section, complete one or both of these fields, and then save the
document:
Leave the field blank (default) to deny access to all users and groups.
Run unrestricted Enter the names of authenticated browser users and/or groups allowed to run server
Java/JavaScript/COM programs created with all Java and JavaScript features.
Leave the field blank (default) to deny access to all users and groups.
For a list of restricted Java and JavaScript classes, see Application Development with Domino Designer.
In order to use ACL files, you need to set the Notes.Ini variable Enable_ACL_Files=1. For more
information, see the chapter ″Appendix C: Notes.INI File.″
Note: ACL files are different than the access control list (ACLs) used to manage Notes databases,
although both serve the same function of restricting access to the directory or database, respectively, they
protect.
Note: The access restrictions apply to any subdirectories of the directory as well.
4. In the Tools pane on the right, select Folder - Manage ACL. The Manage Directory ACL dialog box
appears.
5. Below ″Who should be able to access this directory?″ click the person icon. Do the following for each
name that you want to allow to access the directory:
v Select the name from a Domino Directory, or type the name in the ″Add name not in list″ box. You
can specify the name of a user, server, group or a wildcard, for example, */Sales/Acme.
v Click Add.
6. When you are finished defining the access list, click OK.
7. Click OK again. In the left pane, the directory icon now appears with a padlock.
To ensure maximum physical security for servers, do one or more of the following:
v Use the server without a mouse, and keep the keyboard locked.
v Password-protect the server ID. If an ID uses a password, you must manually restart the server rather
than restart it automatically. To restart the server, you must know the server password.
v Use the Set Secure command to password-protect the console and restrict what can be done while the
server is running.
For more information on the Set Secure command, see the appendix ″Server Commands.″
v Use the Local Security option to encrypt databases on the server with the server ID. Then people at the
server can access databases only if they have access to the server ID that was used to encrypt the
databases.
v Use operating system features to secure data files and lock keyboard access. For more information, see
your operating system documentation.
Securing the server console with a Smartcard: Beginning with Lotus Notes 6, Notes users can use a
Smartcard with their User ID to log in to Notes. Smartcard use requires the installation of a Smartcard
reader on the user’s computer, along with the Smartcard software and drivers. The advantage of using a
Smartcard with Notes is that the Smartcard locks User ID. Logging into Notes with a Smartcard requires
the Smartcard, the User ID, and the user’s Smartcard PIN.
Administrators can take advantage of Smartcard security to physically secure the Domino server console.
In this case the administrator would be locking the Server ID with the Smartcard.
CAUTION:
Ensure that the SERVER.ID is recoverable via the ID File Recovery before proceeding. Also, verify
that the encrypted backup copy of the SERVER.ID exists in the ID file repository.
CAUTION:
If you do not modify the server’s NOTES.INI file to include the PKCS11_Library variable, when you
try to launch the Domino server, it will shut down and return a ″Login aborted by user″ error.
Note: If a user is in the process of requesting a new private key or a name change, the pending
information is also stored in the ID file. If a Notes private key is changed, then the obsolete
information is also stored in the ID file for backwards compatibility. For example, you would need the
obsolete information to read old encrypted e-mail.
Certificates
A certificate is a unique digital signature that identifies a user or server. Server and user IDs contain one
or more Notes certificates. In addition, user IDs may contain one or more Internet certificates that identify
users when they use SSL to connect to an Internet server or send a signed S/MIME mail message.
A certificate contains:
v The name of the certifier that issued the certificate.
v The name of the user or server to whom the certificate was issued.
v A public key that is stored in both the Domino Directory and the ID file. Notes uses the public key to
encrypt messages that are sent to the owner of the public key and to validate the ID owner’s signature.
v A digital signature.
v The expiration date of the certificate.
Certificates are stored in ID files and in Person, Server, and Certifier documents in the Domino Directory.
They are also referred to as Notes certified public keys.
Public keys are not secret. Any user may look up another user’s public key and use it to send encrypted
mail to or authenticate the user. It is important that someone looking up a public key learn it reliably
since Domino uses it for identification. Users must be able to obtain the public key of the certifier that
995
issued the certificate before they can authenticate the certificate’s owner. If a user has a certificate issued
by the same certifier as another user or server, the first user can verify the public key for the certificate
and then reliably know the public key associated with the server or user name. If a user doesn’t have a
certificate issued by the same certifier, the user needs a cross-certificate for authentication.
When you register users and servers, Domino automatically creates a Notes certificate for each user and
server ID. In addition, you can use a Domino or third-party certificate authority (CA) to create Internet
certificates for user IDs. Domino uses the x.509 certificate format to create Internet certificates.
Notes certificates have expiration dates. Therefore, you must recertify Notes IDs when their expiration
dates approach. In addition, if a user or server name changes, you must recertify the corresponding Notes
ID so that a new certificate will bind the public key to the new name.
Changing a name on a user ID may also affect Internet certificates. For example, a user who has changed
the name on a user ID may receive warning messages when sending signed S/MIME mail, warning the
user that recipients of the message may receive a signature by a name that isn’t on the original certificate
used for signing.
For example, the Certificates box displays certificates for a Notes user ID with the name Alan
Jones/Sales/East/Acme. The first certificate listed below is the one issued to Alan Jones for international
use. The second certificate listed below is the one issued to Alan Jones for North American use and for
electronic signing. Following these are the certificates issued to the certifier of the ID and to any ancestors
of the certifier. The last certificate listed below is the Internet certificate issued to Alan Jones.
Certificate Issued to
/Sales/East/Acme (International) Alan Jones/Sales/East/Acme
/Sales/East/Acme (North American) Alan Jones/Sales/East/Acme
/East/Acme /Sales/East/Acme
/Acme /East/Acme
/Acme /Acme
CN=AcmeCA/OU=East/O=Acme/L= EMAIL=alan_jones@acme.com/
Cambridge/ST=Massachusetts/C=US CN=AlanJones/OU=East/O=Acme/L=Cambridge
/ST=Massachusetts/C=US
To view certificates:
1. From the Domino Administrator, click Configuration - Certification.
2. Click ID Properties.
3. Choose the ID file to view.
4. Enter the password and click OK.
5. In the ID Properties dialog box, do the following:
a. Click Your Identity - Your Certificates to display a list of all Notes and Internet certificates issued
to this ID file.
b. Select the certificate in the Certificates box to display additional information about the certificate.
c. To get more information about a certificate, highlight it in the list and click Advanced Details.
Here you can specify a default Internet signing certificate if there are multiple Internet certificates
in the ID file.
For information on password protecting Internet clients, see the chapter ″Setting Up Name-and-Password
and Anonymous Access to Domino Servers.″
Password-protection features
Password quality
When you register a user or server or create a certifier ID, you use a scale of 0 to 16 to specify the level
of password quality you want enforced for the ID. The higher the level, the more complex the password
and, therefore, the more difficult it is for an unauthorized user to guess the password. For optimal
security, specify a password quality level of at least 8.
The password quality level you assign is enforced when you enter a password for new IDs or when users
change the password for an existing ID. When users change their passwords, Notes displays information
about the password quality level required by the ID file. Users must enter a password that meets the
criteria for the level; otherwise, they are not allowed to change the password.
When choosing a password, it is best to specify a random, alphanumeric string that includes mixed
uppercase and lowercase letters, numbers, and punctuation. Also, it is better to specify an entire phrase,
rather than a single word. A passphrase is easy to remember, difficult to guess, and generally longer than
a single-word password. If you choose to use a phrase, you should misspell one or more of the words to
make it more difficult for attackers to guess at the phrase.
To change the password quality level assigned to an ID, you must recertify the ID or use a security
settings policy document.
For more information about using a security settings policy document to manage IDs, see the chapter
″Using Policies.″
For more information on password quality, see the topic ″Understanding the password quality scale″ later
in this chapter.
Along with verifying passwords, you can set up servers to require users to change their password
periodically.
For more information on verifying passwords, see the topic ″Verifying user passwords during
authentication″ later in this chapter.
For more information on verifying public keys, see the topic ″Public key security″ later in this chapter.
For more information on 128-bit ID file encryption, see the topic ″Using 128-bit ID file encryption″ later in
this chapter.
For more information on larger document encryption keys, see the chapter ″Encryption and Electronic
Signatures.″
Multiple passwords
To provide tighter security for certifier and server IDs, assign multiple passwords to those IDs. Using
multiple passwords requires that a group of administrators work together to access an ID. For example,
this feature is useful when you want to avoid giving authority for a certifier ID to one person. You can
specify that only a subset of the assigned passwords be required to access the ID. For example, you can
assign four passwords to the ID but require that only any two of the four passwords be entered to gain
access to the ID. Requiring only a subset of the passwords allows administrators to access the ID, even
when all of the administrators are not available.
For more information on multiple passwords, see the topic ″Assigning multiple passwords to server and
certifier IDs″ later in this chapter.
ID file recovery
If you have ID recovery in place, when a user loses an ID file or forgets the password to the ID file, a
group of administrators can work together to recover the ID file. Losing an ID file normally prevents
users from accessing servers and reading messages and other data that they encrypted with the ID. Using
the ID file recovery feature, administrators can prevent this loss of access and prevent unauthorized users
from illicitly recovering IDs.
For more information on ID file recovery, see the topic ″ID file recovery″ later in this chapter.
For more information on how Notes users can use Smartcards, see Lotus Notes 7 Help.
For information on how to secure the Domino server console with a Smartcard, see the chapter ″Planning
Security.″
You create and apply custom password policies through a security policy settings document.
For more information, see the topic ″Custom password policies″ later in this chapter.
For more information on configuring the security settings document, see the chapter ″Using Policies.″
For more information on how to set up the Notes plug-in in IBM Workplace Collaborative Services, see
the IBM Workplace Information Center.
The algorithm used to calculate password quality is used to enforce the selection of passwords that are
sufficiently complex to meet the password quality scale level chosen to protect user ID files. When a user
is registered, the user’s ID file contains a password strength value. This setting is enforced if the user
changes the password.
The scale ranges from 0 (weakest -- no password required) to 16 (strongest). A quality of 1 indicates that
any password satisfies the criteria. Domino defines default levels for certifier, server, and user password
quality. You should change these defaults to meet your organization’s security criteria. You can set the
defaults in a security settings policy document, in Administration Preferences, or in the registration or
certification dialog boxes.
Password strength is not the same as password length. Not all passwords of equal length have equal
strength in the password quality scale. For example, the 8-character word ″password″ (because it is a
word) and the 8-character word ″1168Acme″ (because it contains numbers and alphabetic characters) do
not carry the same level of character complexity and do not have equal strength on the quality scale.
″stream8pond1river7lake2ocean″ (password
quality scale 16)
If a user has multiple ID files, the user change the password in each of them to match the new password.
You cannot use password verification on ID files that contain multiple passwords.
An expired password doesn’t prevent a user from reading encrypted mail or creating new signed
documents on local replicas; however, without specifying a new password, users cannot access databases
on servers.
Note that password verification during authentication will not work for Internet users because they do
not have Notes user IDs (unless their Notes and Internet passwords have been synchronized). If Notes
and Internet passwords are synchronized, then any changes to Notes password settings may affect
Internet passwords.
For more information on Notes and Internet password synchronization, see the chapter ″Using Policies.″
CAUTION:
Do not enable password expiration for users whose ID files are locked with Smartcards. Otherwise, it
is possible that a user’s ID could be locked out until the password digest can be cleared.
The first time the user logs onto a server that requires password verification, the Administration Process
generates a ″Change User Password in Domino Directory″ request in the Administration Requests
database. This request enters a corresponding hash of an RSA public key, which is derived from the hash
of the Notes password and some other secret information stored in the ID file, in the Password digest
field in the Administration section of the Person document. It also records the date the user provided the
password in the Last change date field in the Administration section of the Person document. To
authenticate with servers that are enabled for password verification, the user must provide the password
that corresponds to the digest.
From then on, when a user changes a password, the Administration Process generates a new ″Change
User Password in Domino Directory″ request in the Administration Requests database. This request
updates the Password digest and Last change date fields in the Person document. Note that if you
modify the change interval or grace period after you enable password verification, the Administration
Process must update the fields in the Person document and then user must change the password for the
change to take effect.
For information on the Administration Process, see the chapter ″Setting Up the Administration Process.″
In this case, delete the entry in the Password digest field, and ask the authorized user to log on
immediately and enter a new password.
CAUTION:
For users whose ID files are locked with Smartcards, set the required change interval and grace period
to 0. Otherwise, it is possible that a user’s ID could be locked out.
For more information on the security policy settings document, see the chapter ″Using Policies.″
Field Action
Required change interval Enter the length of time, in days, that a password can be in effect before it
must be changed. Default is zero.
Allowed grace period Enter the length of time, in days, that users have to change an expired
password before being locked out. Default is zero.
7. (Optional) You can also choose to force individual users to change their Internet passwords the next
time they log in. In the ″Force users to change Internet password on next login″ dialog box, click Yes.
CAUTION:
Do not enable password expiration for users whose ID files are locked with Smartcards. Otherwise, it
is possible that a user’s ID could be locked out until password expiration can be cleared. You should
also be sure that the required change interval and allowed grace period is set at zero.
To edit a password
1. From the Domino Administrator, click the Configuration tab, and then click Certification.
2. Choose Edit Multiple Passwords.
3. Select the ID containing a password you want to modify.
4. Enter the required passwords. The administrators need to be physically present to enter all of the
passwords.
5. Select a user who has a password in the file.
6. In the ″New Password″ field, type the new password.
7. In the ″Confirm password″ field, retype the new password.
8. Click Modify, and then click OK.
To delete a password
1. From the Domino Administrator, click the Configuration tab, and then click Certification.
2. Choose Edit Multiple Passwords.
3. Select the ID from which you want to remove an authorized password.
4. Enter the passwords required.
5. Select a currently authorized user, and then click Remove.
6. Repeat Step 5 to delete the password for each additional authorized user.
7. Click OK.
ID recovery
To recover from loss of, or damage to, an ID file, recommend to your users that they keep backup copies
of their ID files in a secure place -- for example, on a disk stored in a locked area. Losing or damaging an
ID file or forgetting a password has serious consequences. Without an ID, users cannot access servers or
read messages and other data that they encrypted with the lost ID. To prevent problems that occur when
users lose or damage ID files or forget passwords, set up Domino to recover ID files.
Note: You can only use the ID recovery process to recover user ID files. You cannot recover certifier ID
files.
Ideally, you should designate several administrators who will act as a group to recover IDs and
passwords. Although you can designate a single administrator to manage ID recovery, you should
consider having two or more administrators work together to recover ID files. Designating a group of
administrators helps to prevent a breach of security by one administrator who has access to all ID files.
When you designate a group of administrators, you can specify that only a subset of them be present
during the actual ID recovery. For example, if you designate five administrators for ID recovery but
require only three administrators to unlock the ID file, any three of the five can unlock the ID file.
Designating a group of administrators and requiring only a subset also prevents problems that occur if
one administrator is unavailable or leaves the company.
Before you can recover ID files, an administrator who has access to the certifier ID file must specify
recovery information, and the ID files themselves must be made recoverable. There are three ways to do
this:
v At registration, administrators create the ID file with a certifier ID that contains recovery information.
Domino stores ID recovery information in the certifier ID file. The information stored includes the names
of administrators who are allowed to recover IDs, the address of the mail or mail-in database where users
send an encrypted backup copy of their ID files, and the number of administrators required to unlock an
ID file. The mail or mail-in database contains documents that store attachments of the encrypted backup
ID files. These files are encrypted using a random key and cannot be used with Notes until they are
recovered.
An encrypted backup copy of the ID file is required to recover a lost or corrupted ID file. Recovering an
ID file for which the password has been forgotten is a bit easier. If the original ID file contains recovery
information, administrators can recover the ID file, even if an encrypted backup ID file doesn’t exist.
You can set up ID recovery for user IDs at any time. If you do so before you register users, ID recovery
information is automatically added to user IDs the first time that users authenticate with their home
servers. If you set up ID recovery information after you have registered Notes users, recovery information
is automatically added to the user IDs the next time users authenticate with their home servers.
CAUTION:
If your users will be enabling Smartcards to use with their Notes IDs, it is extremely important to set
up ID recovery information for these IDs before any Internet keys are pushed onto the Smartcard.
Otherwise, the ID file recovery process will not be able to restore those keys. Additionally, acquiring
recovery information, through any means, makes any Internet keys that had been previously pushed
to the Smartcard unrecoverable.
In Domino 7, you can select the number of characters, or password length, for recovery passwords, which
helps determine password strength, or likelihood to be compromised. A password length that is less than
16 is calculated using both alphanumeric characters and hexadecimals. Sixteen-character length
passwords are generated using hexadecimals only. While password strength is important, as a strong
password is less likely to be compromised, so is usability. A long and complex password can be difficult
to use, so administrators also have the ability to choose a shorter password length.
In addition, administrators can now configure a custom message to help walk users through ID recovery.
When users acquire a new public key, accept a name change, or accept or create a document encryption
key, Domino automatically sends updated encrypted backup ID files to the centralized database. In the
case of a server-based certificate authority , the recovery database will be updated once the user has
connected to the server. Recertifying a user does not generate an encrypted copy of the ID file to be sent
to the recovery database, as a user’s Person Document already contains the updated public key.
If a user has been renamed by or moved to a different certifier that contains recovery information that is
older than that of the user’s previous certifier, the new certifier’s recovery information will not be
accepted into the user’s ID file. Before using the new certifier, its recovery information must be updated
so that it is more recent than the previous certifier’s recovery information. To do this, the administrator
should modify the new certifier’s recovery information in some way and save it. This updates the
recovery information for that certifer with a new timestamp, and ensures that users who are subsequently
renamed with or moved to the updated certifier will have the correct recovery information propogated to
their user IDs. The administrator can then undo the change, if desired.
To help prevent unauthorized users from recovering IDs without the authorized user’s knowledge, make
sure that password verification is enabled for users and servers. If password verification is enabled, the
authorized user is aware of the change because the user cannot access servers using the legitimate ID.
When the unauthorized user recovered the ID file, that user was forced to make a password change.
For more information about password verification, see the topic ″Verifying user passwords during
authentication″ in this chapter.
As an extra precaution, after recovering IDs, ask users to re-accept the recovery information and then
change the public key on their ID files. Re-accepting recovery information changes recovery password
information in the ID file. As of Domino 6, re-accepting recovery information happens automatically
when the user accesses a database on the home server. Changing the public key changes the public and
private keys stored in the ID file.
ID recovery logging
As of Domino 7, important information about client ID recovery activities are automatically logged to the
local log.nsf file so that this information is available to administrators for troubleshooting purposes.
Setting up ID recovery
Before users can recover their ID files, you must set up ID recovery. Perform these steps before anyone
loses or corrupts an ID -- ideally before you begin registering users.
1. From the Domino Administrator, click Configuration, and then click Certification.
2. Click Edit Recovery Information.
3. In the ″Choose a Certifier″ dialog box, click Server and select the registration server name from the
Domino Directory (only if the correct server name does not appear).
4. Choose the certifier for which you are creating recovery information.
v If you are using a server-based certification authority, click ″Use the CA process″ and select a
certifier from the drop-down list. You must be a Certificate Authority (CA) administrator for the
certifier in order to change ID recovery information.
Note: Whenever you make changes in this dialog box, the Export button is disabled. You cannot
export recovery information until you save the new or updated information.
11. Click OK.
12. If you are using a server-based certification authority, at the server console type:
load ca
This starts the CA process with the new recovery information, or refreshes it if it is already running.
Then type:
tell adminp process all
to process the request to add recovery information to the certifier.
13. In the mail-in database ACL, set the -Default- access to No access and give administrators Reader
access.
Note: If you have created additional O-level Notes certifiers, be sure to cross-certify them with the initial
Notes certifier prior to setting up recovery information.
There are two ways that users can update their user IDs with recovery information:
v (Only for Domino 6 servers and later) Users authenticate to their home server after an administrator
has added recovery information to the certifier. The recovery information is automatically added to
their Notes ID.
v The administrator sends recovery information to users to incorporate into their user IDs. You must
complete these steps before a user loses or damages an ID or forgets a password.
In Domino 7, users can determine whether recovery information is present in their user ID by seeing
whether the ″Mail Recovery ID″ button on the User Security dialog box is active. They can then click the
button to send an encrypted backup of the user ID to the centralized mail or mail-in database.
Field Enter
To Names of users and groups whose ID files you want to back up.
CC Names of users and groups to whom you want to send a copy of the message.
Subject Information for users and groups that will appear in the Subject field of the message. If
this field is blank, Notes uses the following text:
New ID file recovery information is attached. Please add it to your ID file by using the
Actions menu ″Accept Recovery Information″ option.
Memo Information for users and groups that will appear in the Body field of the message.
Domino automatically attaches the encrypted backup file information to the message --
you do not need to specify it in this field.
To accept recovery information in the ID file: The user completes these steps.
1. After the administrator sends the recovery information, open the message in your mail database.
2. Choose Actions - Accept Recovery Information, and then enter your password.
3. Complete these fields, and then click Send.
Field Enter
To Name of the mail or mail-in database that will store the backup copy of your ID.
Domino enters the name of the database specified by your administrator.
CC Names of users and groups to whom you want to send a copy of the message.
Subject Information for administrators that will appear in the Subject field of the message. If
this field is blank, Notes uses one of the following messages:
v Backup of newly changed recovery information for user name
v Backup of recent changes to ID file for user name
Memo Information for administrators that will appear in the Body field of the message.
Domino automatically attaches the backup of the ID file to the message; you do not
need to specify it in this field.
Domino automatically sends the encrypted backup ID file to the centralized mail or mail-in database
specified by the administrator.
Note: You can store multiple copies of the ID file in the centralized mail or mail-in database. Domino
creates a new document every time an ID file is backed up. When attempting to recover an ID file, use
the most recent backup. If this fails, use the older versions.
Recovering an ID
If a user loses or damages an ID file or forgets a password, the user can work with administrators to
recover the ID file from backup.
To recover a user ID from a backup ID: The user completes these steps.
1. If you have recovery information set up for your user ID, contact your administrator to obtain the
password(s) needed to recover your ID.
Note: If you do not have access to your user ID file, contact your administrator, who can provide you
with an encrypted backup of your user ID. Once you have the backup user ID, continue with the
following steps.
2. When you first log in to Notes and the Password dialog box appears, do not enter your password.
Just click OK.
3. Click ″Recover Password″ in the ″Wrong password″ dialog box.
4. Select the user ID file to recover in the ″Choose ID File to Recover″ dialog box.
5. Enter the password(s) given to you by your administrator(s) in the ″Enter Passwords″ dialog box, and
repeat until you have entered all of the passwords, and you are prompted to enter a new password
for your user ID.
6. Enter a new password for your user ID, and confirm the password when prompted. Note that if you
do not enter a new password, you will need to recover your user ID again.
7. Replace all backups and copies of your user ID file with the newly recovered user ID file.
To obtain the ID file recovery password: For security reasons, it is recommended that administrators
complete these steps from their own workstations, rather than from the same workstation. Using separate
workstations prevents an unauthorized user from using a program to capture the keystrokes that the
administrators enter on the same workstation. If an unauthorized user obtains an administrator’s ID file
and password, the unauthorized user can obtain the administrator’s recovery password for all ID files.
Therefore, you must protect the administrator’s ID file and require that multiple administrators work
together to recover any given user ID file.
1. Detach the encrypted backup of the user’s ID file from the mail or mail-in database to the local hard
drive.
2. If the user’s ID file is damaged, send a copy of the ID file from the centralized mail or mail-in
database to the user.
3. From the Domino Administrator, click the Configuration tab, and choose Certification - Extract
Recovery Password.
4. Enter the password to the administrator’s ID file.
5. Specify the ID file you want to recover. This is the same ID you detached in Step 1.
6. Note the recovery password. Give the user the recovery password that is displayed.
Note: The Extract Recovery and Recover ID File dialog boxes now display timestamp information for the
recovery information contained in the copy of the ID file being recovered. Each time recovery information
is generated or regenerated for an ID file, the recovery passwords all change. Occasionally, the recovery
cookie acquired by an administrator can’t unlock a user’s ID file; the recovery information had been
regenerated at some point, and administrator is using a copy of the ID file that has a different set of
recovery information. In situations like this, administrators can check the timestamp information
displayed in these dialog boxes to see if they are trying to recover an ID file with outdated recovery
information.
To add or delete administrators: An administrator with access to the certifier ID completes these steps.
1. From the Domino Administrator, click the Configuration tab, and then click Certification.
2. Click Edit Recovery Information.
3. In the Choose a Certifier dialog box, if the correct server name does not appear, click Server and select
the registration server name from the Domino Directory.
4. Choose the certifier for which you are creating recovery information.
v If you are using a server-based CA, click ″Use the CA process″ and select a certifier from the
drop-down list.
v If you are not using a server-based CA, click ″Supply certifier ID and password.″ If the certifier ID
path and file name does not appear, click Certifier ID and select the certifier ID file and enter the
password.
5. Do one:
v To delete an administrator, highlight the administrator’s name, and then click Remove.
v To add new administrators, click Add and then select the names of administrators who are
authorized to recover ID files.
6. (Optional) Change the number of administrators required to unlock an ID.
7. When you finish adding or deleting names, click OK.
8. Prepare IDs for recovery.
A Notes user ID can also have a unique public key for an Internet certificate.
For information on encrypting and electronically signing mail messages, see the chapter ″Encryption and
Electronic Signatures.″ For information on Internet certificates, see the chapter ″Setting Up Clients for
S/MIME and SSL.″
Notes users can create a new public key for the Notes certificate. The new public key must be certified
before it can be used by Notes.
After certifying a new public key, you should set up servers to verify public keys. Public key verification
involves matching the public key stored in the Domino Directory with the public key on the ID. Verifying
public keys prevents an unauthorized user from using the ID with the original public key to access the
server.
For information on verifying public keys, see the topic ″Creating a new Notes public key and adding it to
the Domino Directory″ later in this chapter.
Creating a new Notes public key and adding it to the Domino Directory
For Domino 6 and earlier servers, creating and certifying a new public key requires the following
procedures, which are described below:
v The user creates the new public key and submits it for certification.
v The certification administrator certifies the user’s public key with a Notes certificate and adds it to the
Domino Directory.
v The user merges the new certificate into the user’s ID file.
In Domino 7, administrators can use the key rollover process for creating new public keys through a
security settings policy document. Users can also trigger key rollover through the User Security dialog
box.
To create a new Notes public key: The ID owner performs these steps.
1. Choose File - Security - User Security.
2. Type the password (if required).
3. Click Your Identity - Your Certificates, and click Other Actions. Choose ″Create New Public Keys.″
4. In the Create New Public Keys dialog box, users can choose the new key strength and the method for
requesting the certificate.
5. If the user chooses ″Authentication Protocol,″ then the next time the user authenticates with their
home server, the keys are created and the certificate request is automatically entered into the server’s
Administration Requests database.
At this point, the administrator needs to complete the certification process as described in the topic
″User and server key rollover″ in this chapter.
6. If the user chooses ″Mail Protocol,″ then the keys are created immediately, and the New Public Keys
Confirmation dialog box appears.
7. In the New Public Keys Confirmation dialog box, click Continue to use Notes mail to send your
request for adopting new public keys.
To recertify the ID with a Notes certificate and add the Notes public key to the Domino Directory:
The certification administrator performs these steps.
1. Open the certification request in your mail file.
2. Choose Actions - Certify Attached ID File.
3. Select whether to use a server-based certification authority or the certifier ID, and click OK.
4. If you chose to use the certifier ID, enter the password for the ID, and click OK.
5. (Optional) Change the expiration date for the certificate.
6. (Optional) Click Add to specify alternate user name information.
7. (Optional) Specify a minimum password length.
8. Click Certify. The ID owner’s name appears in the To field and explanatory text appears in the Subject
field of the Mail Certified ID dialog box.
9. Click Send.
To merge the new Notes certificate with the ID: The ID owner performs these steps.
1. Choose File - Security - User Security.
2. Click Your Identity - Your Certificates.
3. Click Get Certificates, and then click Import (Merge) Notes Certificates.
4. Select the recertified ID sent to you by the certification administrator, and then click OK.
To verify a Notes public key: Verifying Notes public keys against those in the Domino Directory helps
prevent an unauthorized user or server from accessing another server.
1. From the Domino Administrator, click Configuration and open the Server document for the server.
2. Click Security.
3. In the Security Settings section, select one of the following in the ″Compare public keys″ field:
v Enforce key checking for all users -- check all users’ public keys
v Enforce key checking for users in trusted directories only - only check public keys for users listed in
the Domino Directory.
v Do not enforce key checking - select only if you do not want to verify users public keys
4. Select one of the following in the ″Log public key mismatches″ field:
v Log key mismatches for all users -- to log any public key mismatch to the
v Log key mismatches for users in trusted directories only -- only log mismatches for users listed in
the Domino Directory
v Do not log key mismatches
5. Save the document.
6. Restart the server so that the changes take effect.
Note: You cannot paste Internet certificates into Person or Server documents.
5. Save the Person or Server document.
You configure triggers to initiate user key rollover through a security settings policy document, and for
the server key rollover, in the Server document. Triggers include:
v Existing key size
v Issue date of existing key
v Age of existing key
Prior to Domino 7, new keys could only be requested by individual users via email or by authenticating
with the server. In Domino 7, key rollover gives administrators the ability to deploy replacement keys to
groups of users through a security settings policy document
For more information on configuring triggers for user key rollover through a security settings policy
document, see the chapter ″Using Policies.″
Notes 7 users can also trigger key rollover through the ″Create New Public Keys″ button on the User
Security dialog box. If they choose ’Authentication protocol’ to as the certificate request method, the
current keys are rolled over just as if it were triggered by a policy setting. If they choose ″Mail Protocol,″
the R6 and earlier mail method is used.
For more information on how users can trigger key rollover, see Creating a new Notes public key and
adding it to the Domino Directory.
For more information on how users can trigger key rollover, see ″Creating a new Notes public key and
adding it to the Domino Directory″ in this chapter.
When a policy has been established, or if the user has triggered key rollover through the User Security
dialog box, the next time the user authenticates with the home server, key rollover information is written
to the ID file. When a trigger condition occurs, key rollover is initiated and new keys are created in the
user ID file and marked pending. When the user authenticates with the home server after the
new/pending keys are generated, a Certify New Key Request is created in the Administration Requests
database.
When the user next authenticates with the home server, a dialog box appears, asking the new user if they
want to accept the new public keys. The user must click OK to accept the new certificates. The
new/pending keys in the user’s ID file are activated and the old keys are archived.
Field Action
Minimum Allowable Key Specify the weakest key size allowed. Keys weaker than this will be rolled over.
Strength v No minimum (default).
v Maximum compatible with all releases (630 bits).
v Compatible with Release 6 and later (1024 bits).
Maximum Allowable Key Specify the strongest key size allowed. Keys stronger than this will be rolled over.:
Strength v Minimum (512 bits)
v Maximum compatible with all releases (630 bits).
v Compatible with Release 6 and later (1024 bits) (default).
Preferred Key Strength Specify the key strength to be used when a key is rolled over:
v Minimum (512 bits).
v Maximum compatible with all releases (630 bits).
v Compatible with Release 6 and later (1024 bits) (default).
Maximum Allowable Age for Specify the maximum age a key can reach before needing to be rolled over.
Key (in days)
Earliest Allowable Key Creation Any key created prior to this date will be rolled over.
Date
Don’t automatically generate a Specify the earliest date on which keys not meeting key width requirements can
new key before be rolled over
Maximum number of days the Specify the length of time that the old key can be used during network
old key should remain valid authentication. During Notes key verification, all of the certificates, old and new,
after the new key has been and all of the rollover keys are organized into a tree. That tree is traversed looking
created for a set of certificates that can be chained together to verify the key. If a certificate
has expired, it cannot be used in that chain. When rolling over a key because you
fear that it has been compromised, it is a good idea to set a short value for the
length of time the old certificates issued to that key can be used. Valid values for
this setting are 1 to 36500 days, and the default is 365.
3. Close and save the document.. Key rollover information is written to the server ID file. When a
trigger condition occurs, key rollover is initiated and new keys are created in the server ID file and
marked pending.
4. Restart the server.
5. In the Domino Administrator, open the Administration Requests database.
6. In the Certify New Key Requests view, select the request for the server, and then click Certify
Selected Entries.
7. In the Choose a Certifier dialog box, do one of the following:
v If you are using a server-based certification authority, choose one from the drop-down list.
v If you use the certifier ID, provide the certifier ID location and password.
8. In the Certificate Expiration Date dialog box, verify that the date is correct and click OK.
9. In the Processing Statistics dialog box, verify that there are no failures and click Ok.
10. At the server console, type ″tell adminp process all″ to complete the key certification processing.
11. Type ″restart server.″ Restarting the server causes the server to read its configuration and accept the
new certified keys.
Notes cross-certificates
To allow users and servers from the different hierarchically-certified organizations to access servers in the
other organization, and to verify the digital signature of a user from another organization, you use
cross-certificates. Domino servers store cross-certificates in the Domino Directory. To access Domino
servers, Notes clients obtain cross-certificates for those servers and store them in their Personal Address
Books. These cross-certificates can be used only by the user to whom they are issued.
For example, if Alan Jones/Sales/East/Acme wants to access the Support/Seascape server, he needs a
cross-certificate from /Seascape, and the Support/Seascape server needs a cross-certificate for
/Sales/East/Acme. When Alan tries to authenticate with the Support/Seascape server, it checks for the
cross-certificate in Alan’s Personal Address Book. If Support/Seascape finds a valid cross-certificate, the
server then checks whether Alan is allowed to access the server.
Cross-certification can occur at various levels of an organization. For example, to allow every user within
one organization to authenticate with every server in another, each user has a cross-certificate for the
other’s organization certifier in the Personal Address Book. Servers in each organization have a
cross-certificate for the other’s organization certifier in the Domino Directory. Cross-certification can also
occur at the level of an individual user or server ID. For example, to allow a single user to authenticate
with any server in another organizational unit or verify a digital signature from a user in that
organizational unit, the user ID needs a cross-certificate for the organizational unit certifier in the other
company, and that organizational unit certifier needs a cross-certificate for the user ID.
Two-way cross-certification does not need to be symmetric. For example, one organization can have a
cross-certificate for an organizational unit certifier and another organization can have a cross-certificate
for an organization certifier.
If you have cross-certificates for an organization or organizational unit certifier, set up server access
restrictions to prevent the other organization from accessing specific servers that store confidential
information. To allow your organization to access servers in another organization but prevent that
organization from accessing your servers, exchange cross-certificates as required, but then set up server
access lists on all servers to prevent access by the other organization.
Internet cross-certificates
An Internet cross-certificate is a certificate that validates the identity of a user or server. An Internet
cross-certificate ensures the recipient of an encrypted S/MIME message that the sender’s certificate can be
trusted and that the certificate used to sign an S/MIME message is valid. It also validates the identity of
a server when a Notes client uses SSL to access an Internet server.
An Internet cross-certificate is stored in a Certificate document in the user’s Personal Address Book and
can be used only by the user to whom it is issued. An Internet cross-certificate can be issued for a leaf
certificate -- that is, a certificate issued to a user or server by a CA -- or the CA itself. Creating a
cross-certificate for a leaf certificate indicates trust for only the owner of the certificate -- for example, the
sender of the signed message or recipient of an encrypted message. A cross-certificate for a CA indicates
trust for all owners who have a certificate issued by that CA. If you cross-certify a CA, you trust the CA
to issue certificates to users and servers lower in the hierarchical name tree. For example, after
cross-certifying Sales/ABC, you trust Sales/ABC to issue a certificate to Fred/Sales/ABC. Alternatively,
after creating a cross-certificate for Fred/Sales/ABC, you trust only Fred/Sales/ABC.
Accessing a server
If a user attempts to access a server in a different organization, and the user does not already have a
cross-certificate issued to that server or one of its ancestors, a dialog box gives the recipient the option to
add the cross-certificate ″on demand.″ Users can add a Notes cross-certificate this way. This is usually the
quickest and easiest way for a user to obtain a cross-certificate.
For more information, see the topic ″Adding a Domino or Internet cross-certificate on demand″ in this
chapter.
For more information, see the topic ″Adding a Domino or Internet cross-certificate on demand″ in this
chapter.
For more information, see the topics ″Adding a Notes cross-certificate for IDs by Notes mail″ and
″Adding a Notes cross-certificate for IDs by postal service″ in this chapter.
For more information on obtaining Internet cross-certificates for a Notes client, see Lotus Notes 7 Help.
By phone
Users can add a cross-certificate by providing the name and public key of the certificate by phone. Users
can use this method to add a Notes certificate only.
For more information, see the topic ″Adding a Notes cross-certificate by phone″ later in this chapter.
For more information, see the chapter ″Setting Up Clients for S/MIME and SSL.″
Examples of cross-certification
To authenticate with all servers in another organization: This example describes what the Acme
company and the ABC company do to allow all users and servers in both organizations to authenticate.
1. The Acme organization certifier (/Acme) obtains a cross-certificate for the ABC organization certifier
(/ABC) and stores it in Acme’s Domino Directory.
2. The ABC organization certifier (/ABC) obtains a cross-certificate for the Acme organization certifier
(/Acme) and stores it in ABC’s Domino Directory.
To authenticate with a specific server in another organization: The Acme company wants to let
Seascape users who have the hierarchical certification AppDevelopment/Seascape to access their
customer support server, CSSUPPORT/East/Acme.
1. The Acme organizational unit certifier (/East/Acme) has a cross-certificate for the Seascape
organizational unit certifier (/AppDevelopment/Seascape) and stores it in Acme’s Domino Directory.
2. The Seascape organizational unit certifier (/AppDevelopment/Seascape) has a cross-certificate for the
Acme organizational unit certifier (/East/Acme) and stores it in Seascape’s Domino Directory.
To send signed S/MIME messages: Alan Jones has an Internet certificate issued from the Acme CA, and
Dave Lawson has an Internet certificate issued from the ABC CA. If Alan wants to send Dave an
encrypted S/MIME message and Dave wants to send Alan an encrypted S/MIME message:
1. Alan has a trusted cross-certificate for ABC and stores it in his Personal Address Book.
2. Dave has a trusted cross-certificate for Acme and stores it in his Personal Address Book.
Both Dave and Alan can now also send encrypted S/MIME messages to each other.
Note: You cannot add an Internet cross-certificate on demand if a users’ Internet certificate already exists
in an LDAP directory.
Field Enter
Certifier File name of a user, server, or certifier ID. Specify a server or certifier ID when
creating a cross-certificate for a server. The ID specified indicates who can use the
cross-certificate.
Server Location of the Personal Address Book or Domino Directory where you want to copy
the cross-certificate. Add the cross-certificate to the Personal Address Book for Notes
clients.
Subject name Organization or organizational unit certifier that you want to cross-certify -- for
example, /Acme. You can also create a cross-certificate for the owner of the certificate.
Subject alternate name list An alternate name that identifies the subject. Alternate names allow you to assign
more than one name to an ID, which is recognizable in a user’s native language.
Expiration date Date when the cross-certificate will expire.
5. Click Cross Certify. Domino places the cross-certificate in the Server - Certificates view of the Domino
Directory of the server you specified in Step 4 or in the Advanced/Certificates view of the Personal
Address Book.
To request a cross-certificate for a user, server, or certifier ID: Use these steps to add a cross-certificate
for a user or server or for an organization or organizational unit when you have access to the user, server,
or certifier ID.
1. From the Domino Administrator, click the Configuration tab.
2. Click Certification - ID Properties.
3. Select the user, server, or certifier ID file, and click Open.
4. Type the password (if required).
5. Click Security Basics. Write down the name exactly as it appears in the Name field, including any
forward slashes (/) -- for example, Alan Jones/Sales/East/Acme, Mail-E/East/Acme, or /Acme.
6. Click Your Identity - Your Certificates. Write down the Key Identifier information exactly as it
appears, including spaces.
7. Call the organization that will add the cross-certificate, and provide the name and key exactly as you
recorded them.
To request a cross-certificate for an ancestral certifier of an ID: Use these steps to add a
cross-certificate for an organization or organizational unit when you have access to the user or server ID.
1. From the Domino Administrator, click the Configuration tab.
2. Click Certification - ID Properties.
3. Select the user, server, or certifier ID file, and click Open.
4. Type the password (if required).
To add a cross-certificate to a Domino Directory or Personal Address Book: After someone from
another organization provides the name and public key over the phone, use these steps to add a
cross-certificate for the ID.
1. From the Domino Administrator, click the Configuration tab.
2. Choose Certification, and then choose Cross Certify Key.
3. Select whether to use a CA-enabled certifier or use the Certifier ID, and click OK.
4. If you chose to use the certifier ID, enter the password for the ID, and click OK.
5. In the ″Subject name″ field, type the full hierarchical name for the ID you are cross-certifying exactly
as provided over the phone, including any forward slashes (/).
6. Type the public key for the ID you are cross-certifying exactly as it was provided over the phone,
including spaces.
7. (Optional) Change the expiration date for the certificate. The default is 10 years.
8. (Optional) Click Certifier to select a different certifier to issue the cross-certificate.
9. (Optional) Click Server and select a different registration server whose Domino Directory will store
the cross-certificate. To store the cross-certificate in a user’s Personal Address Book, choose Local as
the server. Then click OK.
10. Click Cross Certify. Domino places the cross-certificate in the Server - Certificates view of the
Domino Directory of the selected registration server.
To create a safe copy of an ID: Use these steps to create a safe copy of the user, server, or certifier ID
that you want to cross-certify.
1. From the Domino Administrator, click the Configuration tab.
2. Choose Certification and then choose ID Properties.
3. Select the user, server, or certifier ID file, and then click Open.
4. Type the password (if required). The ID Properties dialog box appears.
5. Click Your Identity - Your Certificates - Other Actions, and then select Export Notes ID (Safe Copy).
6. Enter a path and name for the safe copy, and then click OK. The default name is SAFE.ID.
7. Copy the file to a disk.
8. Use the postal service to send the disk to the certification administrator at the other organization.
To add a cross-certificate for the safe copy: Use these steps to add the cross-certificate to the Domino
Directory.
1. From the Domino Administrator, click the Configuration tab.
2. Click Certification, and then click Cross Certify.
Field Enter
Certifier Name of your organization’s certifier ID
Server Location of the Domino Directory where you want to copy the cross-certificate
Subject name Organization or organizational unit certifier to be cross-certified -- for example,
/Acme
Subject alternate name list An alternate name that identifies the certifier ID. Alternate names allow you to
assign more than one name to an ID, which is recognizable in a user’s native
language.
Expiration date Date when the cross-certificate will expire
7. Click Cross Certify. Domino places the cross-certificate in the Server - Certificates view of the Domino
Directory of the server you specified in Step 6.
Field Enter
Subject name Organization or organizational unit certifier to be cross-certified -- for example,
/Acme
Subject alternate name list An alternate name for the subject of the certificate. Alternate names allow you to
assign names that are recognizable in a user’s native language to an ID file.
Expiration date Date when the cross-certificate will expire
Certifier File name of your organization’s certifier ID
Server Location of the Domino Directory where you want to copy the cross-certificate
Field Enter
Certifier File name of a user, server, or certifier ID. Specify a server or certifier ID when
creating a cross-certificate for a server. The ID specified indicates who can use
the cross-certificate.
Server Location of the Personal Address Book or Domino Directory where you want
to copy the cross-certificate. Add the cross-certificate to the Personal Address
Book for Notes clients.
Subject name Organization or organizational unit certifier that you want to cross-certify -- for
example, /Acme. You can also create a cross-certificate for the owner of the
certificate.
Subject alternate names An alternate name for the subject of the certificate. Alternate names allow you
to assign names that are recognizable in a user’s native language to an ID file.
Expiration date Date when the cross-certificate will expire.
5. Repeat Steps 3 and 4 for every user for whom you want to create cross-certificates.
Field Enter
Certifier File name of a user, server, or certifier ID. Specify a server or certifier ID when
creating a cross-certificate for a server. The ID specified indicates who can use
the cross-certificate.
Server Location of the Personal Address Book or Domino Directory where you want to
copy the cross-certificate. Add the cross-certificate to the Personal Address Book
for Notes clients.
Subject name Organization or organizational unit certifier that you want to cross-certify -- for
example, /Acme. You can also create a cross-certificate for the owner of the
certificate.
Subject alternate name list An alternate name for the subject of the certificate. Alternate names allow you
to assign names that are recognizable in a user’s native language to an ID file.
Expiration date Date when the cross-certificate will expire.
4. Repeat Steps 2 and 3 for every user for whom you want to create cross-certificates.
To control the access rights of Notes users, select the access level, user type, and access level privileges
for each user or group in a database. You can set default entries in the ACL when you create the
database. You may also assign roles if the database designer determines this level of access refinement is
needed by the application. Work with the designer and user representatives of the application to plan the
correct access level before you put a database into production.
For each user name, server name, or group name in an ACL, you can specify:
v An access level
v Access level privileges
v A user type
v Roles
CAUTION:
Domino administrators with full access administration rights, as well as users who are allowed to run
agents with unrestricted access, can access databases without being explicitly listed in the database
ACLs.
For more information on full access administration rights and running agents with unrestricted access,
see the chapter ″Controlling Access to Domino Servers.″
Note: The database ACL should not be confused with other types of ACLs used by Domino
administrators. One such ACL is the extended ACL, which is used only in the Domino Directory and the
Extended Directory Catalog to restrict access to specific documents and fields within those databases. You
must enable extended access to use this feature. The other type of access control list is the .ACL file,
which is used by administrators to restrict user access to server directories.
Of the default ACL entries, the database creator’s user name is the only entry that is automatically
defined as a Person in the ACL.
1025
The -Default- entry is the only entry that is specific to a database, and not related to an entry in the
Domino Directory. For example, LocalDomainServers is created automatically in the Domino Directory,
and added to the ACL when a database is created. -Default- is created as an ACL entry only when the
database is created.
-Default-
Users and servers receive the access assigned to the -Default- entry if they have not specifically been
assigned another access level, either individually or as a member of a group, or from a wildcard entry. In
addition, if the database ACL does not contain an entry for Anonymous, then users accessing the
database anonymously get the -Default- level of access. The default access for -Default- depends on the
design of the database template and varies among the different templates.
The access level you assign to the -Default- entry depends on how secure you want the database to be.
Select No Access if you want a database available to a limited number of users. Select Author or Reader
access to make a database available for general use. The -Default- entry should have a user type of
″Unspecified″.
LocalDomainServers
The LocalDomainServers group lists the servers in the same domain as the server on which the database
is stored, and is provided by default with every Domino Directory. When you create a new database, the
default access for LocalDomainServers is Manager. The group should have at least Designer access to
allow replication of database design changes across the domain. The LocalDomainServers group is
typically given higher access than the OtherDomainServers group.
OtherDomainServers
The OtherDomainServers group lists the servers outside the domain of the server on which the database
is stored, and is provided by default with every Domino Directory. When you create a new database, the
default access for OtherDomainServers is No Access.
Add names to the ACL in hierarchical format for better security. For example:
Sandra E Smith/West/Acme/US
Randi Bowker/Sales/FactoryCo
For more information about creating hierarchical name schemes, see the chapter ″Installing and Setting
Up Domino Servers.″
Users and/or servers who do not already have a specific user or group name entry in the ACL, and
whose hierarchical names include the components that contain a wildcard, are given the highest level of
access specified by every one of the wildcard entries that match.
*/Illustration/Production/Acme/US
Mary Tsen/Illustration/Production/Acme/US
Michael Bowling/Illustration/Production/Acme/US
This entry does not grant the chosen access level to:
Sandy Braun/Documentation/Production/Acme/US
Alan Nelson/Acme/US
You can use a wildcard only at the leftmost portion of the ACL entry. For example, you can’t use the
entry:
*/Illustration/*/Acme/US
Michael Bowling/Illustration/West/Acme/US
Karen Richards/Illustration/East/Acme/US
When you use a wildcard ACL entry, set the user type as Unspecified, Mixed Group, or Person Group.
User names
You can add to an ACL the names of any individuals with certified Notes user IDs or Internet users who
authenticate using name-and-password or SSL client authentication.
v For Notes users, enter the full hierarchical name for each user; for example, John Smith/Sales/Acme,
regardless of whether the user is in the same hierarchical organization as the server that stores the
database.
v For Internet users, enter the name that appears as the first entry in the User name field of the Person
document.
Note: Many alias names can be entered in the user name field and used for authentication; however, it
is the first name in the list that is used to perform the security authorization check. This is the name
that should be used on all Domino database ACLs, in the security settings on the Server document,
and in .ACL files.
For more information about setting a maximum level of access for Internet users, see the topic
″Maximum Internet name-and-password access″ later in this chapter.
Group names
You add a group name -- for example, Training -- to the ACL to represent multiple users or servers that
require the same access. Users must be listed in groups with a primary hierarchical name or an alternate
name. Groups can also have wildcard entries as members. Before you can use a group name in an ACL,
you must create the group in the Domino Directory or in either a secondary Domino Directory or an
external LDAP Directory that has been configured for group authorization in the Directory Assistance
database.
Note: Be sure that any group names you use in an ACL comply with the specified guidelines for creating
them. The use of erroneous names may cause access problems.
Tip: Use individual names rather than group names for the managers of a database. Then when users
choose Create - Other - Memo to Database Manager, they’ll know whom they are addressing.
Groups provide a convenient way to administer a database ACL. Using a group in the ACL offers the
following advantages:
v Instead of adding a long list of individual names to an ACL, you can add one group name. If a group
is listed in more than one ACL, modify the group document in the Domino Directory or the LDAP
Directory, rather than add and delete individual names in multiple databases.
v If you need to change the access level for several users or servers, you can do so once for the entire
group.
v Use group names to reflect the responsibilities of group members or the organization of a department
or company.
Tip: You can also use groups to let certain users control access to the database without giving them
Manager or Designer access. For example, you can create groups in the Domino Directory for each level
of database access needed, add the groups to the ACL, and allow specific users to own the groups. These
users can then modify the groups, but they can’t modify the database design.
Terminations group
When employees leave your organization, you should remove their names from all groups in the Domino
Directory and add them to a Deny List Only group used to deny access to servers. The Deny Access list
in the Server document contains the names of Notes users and groups who no longer have access to
Domino servers. You should also make sure that the names of terminated employees are removed from
the ACLs of all databases in your organization. When you delete a person from the Domino Directory,
you have the option to ″Add deleted user to deny access group,″ if such a group has been created. (If no
such group exists, the dialog box displays ″No Deny Access group selected or available.″)
For more information on Deny List Only groups, see the chapter ″Setting Up and Managing Groups.″
For more information on the Deny Access list, see the chapter ″Controlling Access to Domino Servers.″For
more information on the Deny Access list, see the chapter ″Controlling Access to Domino Servers.″
Alternate names
An alternate name is an optional alias name that an administrator assigns to a registered Notes user. You
can add alternate names to an ACL. An alternate name provides the same level of security as the user’s
primary hierarchical name. For a user whose primary name is Sandra Brown/West/Sales/Acme, an
example of an alternate name format would be Sandy Smith/ANWest/ANSales/ANAcme, where AN is
an alternate name.
LDAP users
You can use a secondary LDAP directory to authenticate Internet users. You can then add the names of
these Internet users to database ACLs to control user access to databases.
You can also create groups in the secondary LDAP directory that include the Internet user names and
then add the groups as entries in Notes database ACLs. For example, an Internet user may try to access a
database on a Domino Web server. If the Web server authenticates the user, and if the ACL contains a
group named ″Web,″ the server can look up the Internet user’s name in the group ″Web″ located in the
foreign LDAP directory, in addition to searching for the entry in the primary Domino Directory. Note that
for this scenario to work, the Directory Assistance database on the Web server must include an LDAP
Directory Assistance document for the LDAP directory with the Group Expansion option enabled. You
can also use this feature to look up the names of Notes users stored in foreign LDAP directory groups for
database ACL checking.
When you add the name of an LDAP directory user or group to a database ACL, use the LDAP format
for the name, but use a forward slash (/), rather than a comma (,), as a delimiter. For example, if the
name of a user in the LDAP directory is:
uid=Sandra Smith,o=Acme,c=US
uid=Sandra Smith/o=Acme/c=US
To enter the name of a nonhierarchical LDAP directory group in an ACL, enter only the attribute value,
not the attribute name. For example, if the nonhierarchical name of the LDAP group is:
cn=managers
managers
To enter the name of a hierarchical group name, include LDAP attribute names in ACL entries. For
example, if the hierarchical name of the group is:
cn=managers,o=acme
cn=managers/o=acme
Note that if the attribute names you specify exactly correspond to those used in Notes -- cn, ou, o, c -- the
ACL won’t display the attributes.
cn=Sandra Smith/ou=West/o=Acme/c=US
because the attributes exactly correspond to those used by Notes, the name appears in the ACL as:
Sandra Smith/West/Acme/US
Anonymous
Any user or server that accesses a server without first authenticating is known by the name
″Anonymous″ at that server. Anonymous database access is given to Internet users and to Notes users
who have not authenticated with the server.
Anonymous access is generally used in databases that reside on servers available to the general public.
You can control the level of database access granted to an anonymous user or server by entering the
name Anonymous in the access control list, and assigning an appropriate level of access. Typically you
assign Anonymous users Reader access to a database.
The default ACL entry for Anonymous for all database templates (.NTF files) has an access level of
Reader, so that users or servers can successfully read from the template when creating or refreshing .NSF
files based on that template.
The default ACL entry for Anonymous for database (.NSF files) files is No Access.
The table below describes the different conditions for access that an anonymous user would have to a
database:
Anonymous users (both those who are given access to a database through the Anonymous entry and
those who have access through the -Default- entry) who attempt to do something in the database that is
not allowed for their access level will be prompted to authenticate. For example, if Anonymous is set to
Reader, and an anonymous user tries to create a new document, that user is prompted to authenticate
with a name and password.
Tip: If you want all users to authenticate with a database, then make sure that Anonymous is in the
database ACL with an access level of No Access, and be sure that the Read Public Documents and Write
Public Documents are not enabled. Add the Internet user’s name to the ACL with the level of access you
want them to have.
The Domino server uses the group name Anonymous solely for access control checks. For example, if
Anonymous has Author access in the database ACL, the true name of the user appears in the Authors
field of those documents. The Domino server can display only the true name of anonymous Notes users,
but not of anonymous Internet users, in the Authors field of the document. Authors fields are never a
security feature, regardless if anonymous access is used; if the validity of the author’s name is needed for
security, then the document should be signed.
Replica IDs
To allow an agent in one database to use @DbColumn or @DbLookup to retrieve data from another
database, enter the replica ID of the database containing the agent in the ACL of the database containing
the data to be retrieved. The database containing the agent must have at least Reader access to the
database containing the data to be retrieved. Both databases must be on the same server. An example of a
replica ID in a database ACL is 85255B42:005A8fA4. You can enter the replica ID in uppercase or
lowercase letters, but do not enclose it in quotation marks.
If you do not add the replica ID to the access control list, the other database can still retrieve data if the
-Default- access level of your database is Reader or higher.
Note: If you enter only the common name in the ACL (for example, Sandra E Smith), then that entry
matches only if the user’s name and the database server are in the same domain hierarchy. For
example, if the user is Sandra E Smith, whose hierarchical name is Sandra E Smith/West/Acme, and
Note: If the user matches an explicit entry in the ACL, and is a member of a group that is also listed
in the ACL, then the user always gets the level of access assigned to the explicit entry, even if the
group access level is higher.
v If no match is made on the group name, the ACL then checks to see if there is a wildcard entry that
can be matched. If the individual trying to access the database happens to match more than one
wildcard entry, the individual is granted the highest access level, as well as the union of the access
privileges of all of the wildcard entries that match.
v If a group entry and a wildcard entry both apply to a user attempting to access the database, then the
user has the access assigned to the group entry. For example, if the group Sales has Reader access and
the wildcard entry */West/Acme has Manager access, and both entries apply to a user, then the user
has Reader access to the database.
v Lastly, if no match can be made from among the database ACL entries, the individual is granted the
level of access defined for the -Default- entry.
You can make changes to multiple ACLs on a server through the Multi-ACL Management dialog box in
the Administration Client. For information about using the ACL dialog in the Notes client to edit an ACL
for a single database, see Notes 7 Help.
Note: You can add the same entry to more than one database. You can also edit and remove entries
from multiple databases. See the topic ″Editing entries in multiple ACLs″ later in this chapter.
4. From the Tools pane, select Database - Manage ACL.
5. Add entries for Notes users, servers, groups, and authenticated Internet users.
6. Set the access level for each entry.
7. (Optional) For additional security, select a user type for each entry.
8. (Optional) Refine the entries by restricting or allowing additional access level priviliges.
9. (Optional) Assign roles to ACL entries. The role displays a check mark when selected.
Access levels assigned to servers in a database ACL control what information within a database the
server can replicate.
To access a database on a particular server, Notes users must have both the appropriate database access,
as well as the appropriate server access specified in the Server document in the Domino Directory.
For more information on database access for Internet users, see the topic ″Maximum Internet
name-and-password access″ later in this chapter.
Note: If a user has full administrator access to a database, the database ACL indicates that by enabling
the ’Full Access Administrator’ check box that appears in the ’Effective Access’ dialog box.
v Administrators who are designated as administrators or database administrators in the Server
document are allowed to modify (for example, designate an administration server or create a full-text
index) or delete any database on the server, even if they are not listed as managers in the database
ACL.
v Administrators who can run arbitrary executables on the server, either through non-Domino access to
the server or through the use of Unrestricted Agents that launch executables.
v Administrators who run the Notes client directly on the server machine or on a machine that has file
level access to the server database files.
v Users may still have access to a database by running agents with the ″Unrestricted with Full Access″
privilege, even if they are not listed in the database ACL. This privilege bypasses the ACL and reader
lists.
This table lists the user access level privileges from highest to lowest. The section that follows describes
each privilege in detail.
Delete documents
Create documents
Select this privilege for all users with Author access. If you deselect this privilege to prevent Authors
from adding any more documents, they can continue to read and edit documents they’ve already created.
Delete documents
Authors can delete only documents they create. If this privilege is deselected, an author can’t delete
documents, no matter what the access level. If the form contains an Authors field, Authors can delete
documents only if their name, or a group or a role that contains their name, appears in the Authors field.
Whether or not a user can run agents is dependent on the access set by the Domino administrator in the
Programmability Restrictions section of the Server document in the Domino Directory. If you select
″Create LotusScript/Java agents″ for a name in the ACL, the Server document controls whether or not the
user can run the agent on the server.
Since private agents on server databases take up disk space and processing time on the server, you may
want to disallow this privilege.
If the ″Create personal folders/views″ privilege is not selected, users can still create personal folders and
views, but the folders and views are stored on their local workstations. Deselect this privilege to save
disk space on a server.
Note: Users who have this privilege can modify or delete any shared folder, view, or navigator in the
database, regardless of whether they created it. Use caution when granting this privilege.
Whether or not a user can run agents depends on the access set by the Domino administrator in the
Programmability Restrictions section of the Server document in the Domino Directory. If you select
″Create LotusScript/Java agents″ for a name in the ACL, the Server document controls whether or not the
user can run the agent on the server.
Note: If the privilege ″Read Public Document″ is granted to users have No Access or Depositor access,
you can also enable the privilege ″Replicate or copy document.″
Note: Users who have this privilege can also delete any public documents in the database.
Note: Deselecting this option is not a true security measure because users can still print using Ctrl+Print
Screen or they can open a document and copy data to the clipboard.
You can select this privilege for all access levels; for users with access levels of Depositor and No Access,
you can only enable this if ″Read public document″ has also been granted.
User types provide additional security for a database. For example, assigning the Person user type to a
name other than ″unspecified″ prevents an unauthorized user from creating a Group document with the
same person name, adding his or her name to the group, and then accessing the database through the
group name.
Designating a name as a Server or Server Group prevents a user from using the server ID at a
workstation to access a database on the server. Be aware, though, that designating a name as a Server or
Server Group is not a foolproof security method. It is possible for a user to create an add-in program that
acts like a server and uses a server ID to access the server database from a workstation.
Instead of assigning a user type to each name, you can automatically assign a user type to all unassigned
names in the ACL. The user type assigned to each name is determined by the Domino Directory entry for
that name. Using this method, a group is always designated as ″Mixed Group,″ and not as a ″Person
Group″ or a ″Server Group.″ To assign a ″Person Group″ or ″Server Group″ to a name, you must select
the name and manually assign that user type.
You can assign user types to entries in multiple database ACLs, or you can have the server automatically
assign user types to unspecified entries in a single database ACL.
The server uses the Domino Directory to look up each entry in the ACL and assign a user type of Person,
Server, or Mixed Group. If it cannot find a match in the Directory, then the entry in the ACL will be left
as ″Unspecified.″
Once a role is created, it can be used in database design elements or functions to restrict access to those
elements or functions. For example, you may want to allow only a certain group of users to edit certain
documents in a database. You could create a role named ″DocEditors.″ That role would then be added to
the Authors fields of those documents, and assigned to those users who are allowed to edit those
documents.
You must have Manager access to create roles in the database ACL. You must create a role before you
assign it to a name or group in the ACL. Once you have created roles in an ACL, they are listed in the
Note: If you do not have Manager access to the ACL (meaning that you are not allowed to edit the ACL),
the Roles tab does not appear in the ACL dialog box.
This table describes the design elements to which the database designer can restrict access by using roles.
Using roles to restrict access to database elements is not a foolproof security measure. For example, if a
designer restricts access to certain documents in a database, the database manager or Domino
administrator must remember that documents inherit their Reader access list from the Reader access
option that is set in the Form Properties box for the form used to create the document. Therefore, anyone
with Editor access or above in the database ACL can change a document’s Reader access list.
In the Domino Administrator you can create, modify, or delete roles for multiple database ACLs, but you
cannot assign a name to a role or remove a name from a role in the ACL or display names assigned to a
role, as you can in the Notes client.
To create and manage roles, you must have Manager access in the database ACL.
Note: In Domino Administrator, you do not need to include any brackets in the role name when
adding or removing a role. However, when you rename a role, you must type the role name exactly
as it appears in the ACL, including the brackets and case-sensitive characters.
To update ACLs
v Use the Administration Process
v Use the Web Administrator
v Edit entries in multiple ACLs
v View the list of all database ACLs on a server.
You can select an administration server for the Administration Process in the Access Control List dialog
box for single databases or in the Multi-ACL Management dialog box for multiple databases.
For more information on the use of public access lists with database design elements, see Application
Development with Domino Designer.
Note: When Notes users create databases, they can specify the administration server for their databases
on the Advanced panel of the database ACL. The database ACL list will automatically be updated when
the Administration Process is run on the specified administration server.
You can use the Web Administrator to perform the following tasks for Internet or Notes users:
v Add an ACL entry
v Remove an ACL entry
v Rename an ACL entry
v Add, remove, or rename a database role
v View the ACL change history
v Create a new database on the server based on templates
v Create a new copy of the database
v Delete a database
v Compact a database
v Create or update a full-text index of a database
v Force manual replication of a database with a remote server
To rename an entry
1. From the Domino Administrator Server pane, select the server that stores the databases.
2. Click Files, and select one or more databases from the Domino data directory.
3. Click Tools - Database - Manage ACL.
4. Click Modify.
5. In the From box, type the name of the person, server, or group that you want to rename.
6. Select Modify Name.
7. In the To box, type the new name of the person, server, or group that you want to rename.
8. Click OK to save your changes.
Note: If you enable an ACL for Extended Access, there is no longer a 20-line limit for the log. The log
also includes more details about Extended Access changes.
Select the ″Enforce a consistent Access Control List″ setting on a replica whose server has Manager access
to other replicas to keep the access control list the same across all server replicas of a database. If you
select a replica whose server does not have Manager access to other replicas, replication fails because the
server has inadequate access to replicate the ACL.
If a user replicates a database locally, the database ACL recognizes that user’s access as it is known to the
server. This happens automatically for local replication, regardless of whether ″Enforce a consistent
Access Control List″ is enabled.
It should be noted that local replicas with ″Enforce a consistent access control list″ enabled attempt to
honor the information in the ACL and determine who can do what accordingly. However, they have
some limitations. One limitation is that group information is generated on the server, not at the local
replica. When a database is replicated locally, information about the group membership of the person
doing the replication is stored in the database for use in ACL checking. If a person/identity other than
the one doing the replication accesses the local replica, there will be no group membership information
available for that person, and the ACL can use only the person’s identity, not group membership, to
check access.
Additionally, enforcing a consistent access control list does not provide additional security for local
replicas. To keep data in local replicas secure, encrypt the database.
Note: If a user changes a local or remote server database replica’s ACL when the ″Enforce a consistent
Access Control List″ option is selected, the database stops replicating. The log (LOG.NSF) records a
message indicating that replication could not proceed because the program could not maintain a uniform
ACL on replicas.
You must select an administration server if you want to select the option to modify Readers and Authors
fields. The default is to not modify Readers and Authors fields.
This option applies to users who use name-and-password authentication or access the server
anonymously over the Internet and connect to servers using either the TCP/IP port or the SSL port. This
option does not apply to users who have SSL client certificate IDs and who access the database over the
Internet on the SSL port. Users with SSL client access receive the level of access specified in the database
ACL.
Add an entry for the group Anonymous to the database ACL, if appropriate for this database. Then select
the maximum access level you want to assign to all Internet and intranet users who use
name-and-password authentication for a particular database. Users who access a Notes database over the
Internet, either anonymously or by using name-and-password authentication, never have an access level
higher than what is specified as the ″Maximum Internet name & password access″ level.
CAUTION:
The ″Maximum″ access level overrides the access level that a user may have been explicitly given in
the database ACL, but only to enforce the lower of the two access levels.
For example, a user, Sandra Smith/West/Sales/Acme can use name and password to access a server
using a Web browser. If Sandra Smith/West/Sales/Acme is assigned Editor access in the ACL and the
″Maximum Internet name & password access″ setting is Reader, the lower of the two access levels applies
and Sandra is allowed only Reader access. Similarly, if Sandra Smith/West/Sales/Acme is assigned
Reader access in the ACL and the ″Maximum″ access setting is Editor, Sandra is allowed only Reader
access. However, if Sandra Smith also uses a Notes client to access the database, the ″Maximum″ access
setting is ignored and Sandra is allowed Editor access.
The default for this option is Editor access. Tasks such as creating folders, views, and agents do not apply
to Internet users.
Tip: You can use this setting to prevent Internet users from accessing the database using
name-and-password authentication. By setting it to ″No Access,″ the database would then be accessible
only to Notes users or Internet users who authenticate using SSL client certificates.
If the server is not configured to require an SSL connection, clients will be able to use either SSL or
unsecured TCP/IP to connect to the server; for example, in a browser, by using HTTP (for non-SSL) or
HTTPS (for SSL).
For more information about Internet client access to Domino servers and databases, see the chapter
″Setting Up Name-and-Password and Anonymous Access to Domino Servers.″
″Active content″ includes anything that can be run on a user workstation, including formulas; scripts;
agents; design elements in databases and templates; documents with stored forms, actions, buttons, hot
spots; as well as malicious code (such as viruses and so-called ″Trojan horses″).
There are two kinds of ECLs: the Administration ECL, which resides in the Domino Directory
(NAMES.NSF), and the workstation ECL, which is stored in the user’s Personal Address Book
(NAMES.NSF). The Administration ECL is the template for all workstation ECLs. The workstation ECL is
created when the Notes client is first installed. The Setup program copies the administration ECL from
the Domino Directory to the Notes client to create the workstation ECL.
For each signature, the ECL contains settings that control the actions that active content signed with that
signature can perform and the workstation system resources it can access.
For a description of ECL access options, see the topic ″ECL security access options″ in this chapter.
1. Choose File - Security - User Security. Macintosh OS X users: Notes - Security - User Security.
2. Click What Others Do, and select either Using Workstation, Using Applets, or Using JavaScript.
Note: You need to be in the appropriate ECL pane to see the effective access for that ECL. For
example, to see who has access in the JavaScript ECL, you would need to select the JavaScript ECL.
3. Click the ″Effective Session ECL″ button.
v The listbox on the left shows the users and groups who have access to this ECL for the duration of
this session.
v Select a name to see the user or group access rights. The check boxes on the right side of the dialog
box indicate the access rights for the selected name.
1047
1. Notes verifies that the active content is signed and looks up the signer of the code in the workstation
ECL.
2. Notes checks the signer’s ECL settings to determine whether the action is allowed.
3. One of the following occurs:
a. If the signer of the code is listed in the workstation ECL and the appropriate setting is enabled,
the active content runs.
b. If the active content attempts an action that is not enabled for the signer, or if the signer is not
listed in the ECL, Notes generates an Execution Security Alert (ESA), which specifies the
attempted action, the signer’s name, and the ECL setting that is not enabled.
The ESA gives the user four options:
v Do not execute the action -- to deny the signer access to perform the specified action.
v Execute the action this one time -- to allow the signer access to perform the action only once. The
ESA appears again if the same action is attempted in the future. This option does not modify the
ECL.
v Trust the signer to execute this action for this Notes session -- to allow the signer access to perform
the action for the duration of the user’s Notes session, until the user logs out or Notes or switches
to another Notes ID. This option does not modify the ECL.
v Start trusting the signer to execute this action -- to allow the action to be performed and modify the
ECL configuration to add the signature of the active content to the ECL. This grants permission for
the signer to execute the specific action any time on that workstation.
v More Info -- to display a dialog box that provides information about the design type, design name,
Notes ID, signature status, and parent database of the code that caused the ESA.
For example, locally scheduled agents, as well as manual agents, can generate ESAs. Click ″More
Info″ to get information about the agent that generated the alert.
Note: The administration ECL has a setting that prevents users from changing their workstation ECLs. If
this setting is enabled, then the user’s option to trust the signer is disabled.
Note: If you restrict users’ abilities to change their ECL, the ″Effective Session ECL″ button will be
greyed out.
JavaScript options
These options control access to workstation data for JavaScript that runs in the Notes client, on a Notes
form or on a Web page rendered by the Notes browser. These options do not control JavaScript run by
other browsers, including the Microsoft Internet Explorer browser, even when the browser is embedded
in the Notes client.
JavaScript ECL settings control whether JavaScript code can read and/or modify JavaScript properties of
the Window object. You can allow read access from, and write access to, the properties of the Window
object. As the top-level object in the JavaScript document object model, the Window object has properties
that apply to the entire window. Securing access to the Window object secures access to other objects on
the page since the JavaScript program cannot access the objects further down in the object model
hierarchy without first traversing the Window object.
Chapter 43. Protecting User Workstations with Execution Control Lists 1049
Window object classes are described in the following table:
Two additional ECL options control whether JavaScript that runs in the Notes client is authorized to open
a new Web page or Notes document. You can enable open access for these options, described in the
following table:
If the home server is unavailable when a Notes client is installed -- for example, when a user is
disconnected -- the workstation ECL is created with default settings, rather than being created from the
administration ECL.
Note: Technically, when a server is initially installed, there is no Admin ECL. When a client attempts to
edit the workstation ECL, or refresh it from an admin ECL that does not exist, the client creates an ECL
You use the administration ECL to define and deploy customized ECLs for your users. You can control
ECL changes or allow users to modify their own ECLs. Furthermore, you can update your users’
workstation ECLs as security requirements change -- automatically, through the use of a security settings
document deployed through a policy, or manually, by asking users to refresh their workstation ECLs.
To create customized ECLs that can be deployed for specific groups of users, you must use a security
settings document that is deployed through a server policy. For example, you can create one ECL
exclusively for contract employees and another ECL for full-time employees.
For more information on using policies for security, see the chapter ″Using Policies.″
Chapter 43. Protecting User Workstations with Execution Control Lists 1051
Signature Applies to Default access options
BT Mail and Calendar Every template related to Binary Tree Mail and Access to file system, Access to
Migration Tools/Lotus Calendar Migration Tools. current database, Access to
Notes Companion environment variables, Access to
Products If your organization isn’t using this tool, you can external code, Ability to read other
remove this entry from the ECL. databases, Ability to modify other
databases
Domino Unified Every template related to Domino Unified Access to current database, Access
Communications Communications Services. If your organization isn’t to environment variables, Access to
Services/Lotus Notes using this tool, you can remove this entry from the external code, Access to external
Companion Products ECL. programs, Ability to send mail,
Ability to read other databases,
Ability to modify other databases
Lotus Fax Every template related to Lotus Fax for Domino. Access to current database, Access
Development/Lotus to environment variables, Ability to
Notes Companion If your organization isn’t using this tool, you can read other databases, Ability to
Products remove this entry from the ECL. modify other databases
Lotus Notes Template Every template shipped with Domino and Notes. All
Development / Lotus
Notes For example, the signer matches this type only if it
has the Lotus Notes Template Development/Lotus
Notes signature.
Sametime Every template related to Sametime. All except Access to workstation
Development/Lotus security ECL
Note Companion If your organization isn’t using this tool, you can
Products remove this entry from the ECL.
You can also add additional users or signature types to the ECL. You could add the hierarchical names of
specific users or groups -- for example, Phyllis Spera/Sales/East/Acme. If you create a special certifier to
certify the IDs of a group of trusted signers, you could use a wildcard character to name all signers -- for
example, */Trusted Signers/Acme.
The table below describes the access that these users (or signature types) in an ECL would have:
Signature Applies to
*/Trusted Signers/Acme Formulas and code that have */Trusted Signers/Acme signature.
You can deploy and maintain ECLs on a group and organizational basis through the use of policies. For
more information, see the chapter ″Using Policies.″
1. (Optional) Collect information for creating the administration ECL.
Note: Add entries to the ECL even if you want to deny access to a person, group, or
organization. Then you can overwrite existing entries in workstation ECLs and essentially undo
any trust users have granted. For example, to revoke access previously granted to someone, add
that person to the administration ECL, but don’t give them any privileges. When the updated
administration ECL is distributed, it will overwrite the workstation ECLs with the updated
privileges for that person.
8. To remove an entry, select it from the list and click Remove.
Note: Removing an entry will not deny access to that entry when existing client ECLs are refreshed.
To ensure that this entry no longer has access, leave the entry in the list and instead, remove all
rights.
9. To rename an entry, select it from the list and click Rename.
Note: It may be better to leave the existing entry and add a new entry with the new name instead.
Active content signed with the user’s previous name will then still be allowed the same access it had
before.
10. To let users modify their workstation ECLs or enable Java applets from trusted senders, select
″Allow users to modify.″
11. Click OK.
Note: If any of these entries are not listed in the ECL, it means that those entries are not needed.
2. Make a list of the entries you remove so that if those entries were, in fact, not needed, they can later
be added with ″No access″ in the administration ECL.
3. Make these changes to the remaining entries in the ECL:
4. For a designated time period (a week should be sufficient), when the Execution Security Alert dialog
box appears, click ″Trust signer,″ with the following exceptions:
v Do not trust any actions with ″-No Signature-″.
v Check with the administrator before trusting odd or unfamiliar signatures or before clicking
″Execute once″ for templates and applications signed with odd or unfamiliar signatures.
Note: Users who use the Lotus Notes Client 5.01 or earlier should choose ″No″ in the dialog box
that asks if you want to trust everybody in the organization of the user whose signature you are
about to trust.
The resulting ECLs for these users should contain more signers than what the ECL originally contained,
unless your organization has managed the signing process up front and only uses objects signed by a
small number of known trustworthy signers.
After the designated time period is complete, the administrator should combine the signatures in the
users’ ECLs to create an updated administration ECL.
The workstation ECL log: The Lotus Notes 6 Client logs ECL-related operations in the Client log
(LOG.NSF) in Miscellaneous Events. This includes:
v Results of Execution Security Alert (ESA) dialogs, as well as additional ESA details. These details
include information about the code that caused the ESA, such as the design type, design title, NoteID,
database title, and path.
v Any ECL modifications. This includes information on which ECL was modified; the ECL entries that
were changed, added or deleted; and the rights that were granted or revoked. It also includes all ECL
modifications resulting from such operations as dynamic ECL update, programmatic ECL refresh
(@ECLRefresh function), setup ECL refresh/creation and manual ECL changes made in the ECL Editor
or through the User Security Panel.
It is possible to write an agent to run on Notes clients and parse the ECL logging data to provide
administrators with specific information on how users are managing their workstation ECLs, as well as
current information about applications or other code that should be added to Admin ECLs.
When a workstation ECL is refreshed or replaced, the <ECLOwner> entry is replaced with the name of
the current user. This updates the user’s workstation ECL rights with those set in the Admin ECL for the
key string entry.
If this key string entry is not included in the Admin ECL, and if ″Allow user to modify″ is not enabled,
the current user entry is removed from the workstation ECL during ECL replace. If ″Allow user to
modify″ is enabled, the current user remains in the Workstation ECL
Refreshing the ECL without the key string leaves the current user’s entry as is.
For more information about using policies to create, deploy, and update ECLs, see the chapter ″Using
Policies.″
If you edit the administration ECL after users run setup, and you are not using a security policy, you can
use one of the following procedures to update user workstation ECLs.
v Use the @Refresh ECL function, through a memo or common database event
v Have users update their ECLs through the User Security dialog box.
Note: For MIME-enabled users who lose their active content in mail messages, add the button to a
document in a particular Notes database and tell those users to go there to update their ECLs.
4. Describe the purpose of the memo and instruct users to click the button.
5. Mail the memo.
Tip: Add the @Refresh ECL function to a common database event, so that all users in the
organization can use it to update their ECLs.
Chapter 43. Protecting User Workstations with Execution Control Lists 1055
To use the Refresh button to update workstation ECLs
1. Make sure the Domino Directory with the ECL changes has replicated throughout the domain.
2. Address a memo to users whose ECLs you want to update.
3. Describe the purpose of the memo and instruct the users to do the following:
a. Choose File - Security - User Security.
b. Click ″What Others Do,″ and then click ″Using LotusScript,″ ″Using Java,″ or ″Using JavaScript.″
c. Click ″Refresh All″
4. Mail the memo.
Note: Even after you distribute an updated ECL, users might still encounter Execution Security
Alerts. Make sure that users:
v Do not trust any actions with ″-No Signature-″
v Check with you before trusting any odd or unfamiliar signatures, or before clicking ″Execute once″
for templates or applications signed with odd or unfamiliar signatures. Investigate those signatures,
and if necessary, update and redistribute the administration ECL.
If you want to assign database access to an Internet/intranet client based upon Domino ACL security,
you must create a Person document for that client in the Domino Directory, or, optionally, in a secondary
Domino directory or an external LDAP directory. Clients who do not have Person documents are
considered Anonymous and can only access servers and databases that allow Anonymous access.
Note: For users with records located in an external LDAP directory, password verification takes place
through an LDAP bind operation that can only succeed if the user has provided the correct password.
Name-and-password authentication allows Domino to locate the Person document (if one exists) for the
client accessing the server. After the client is identified, access to server resources can then be determined.
For example, if you want Alan Jones to have Editor access to a database and all others accessing the
database to have Author access, you must create a Person document for Alan Jones. You can set up the
database ACL to include Alan Jones as an Editor and Anonymous as Author.
You can use name-and-password authentication with either TCP/IP or SSL on any servers that run an
Internet protocol -- namely, LDAP, POP3, HTTP, SMTP, IIOP, or IMAP. For each Internet protocol enabled
on the server, you can specify the method of security. For example, you might enable client certificate
authentication for HTTP connections but require name-and-password security for LDAP connections that
use TCP/IP. Or you might use name-and-password security with anonymous and SSL client
authentication -- for example, to allow users with SSL client certificates to authenticate using SSL client
authentication and to allow other users to enter a name and password if they do not have an SSL client
certificate.
Note: Name-and-password authentication is not supported when a Domino server acts as an SMTP client
-- for example, when a Domino server connects to an SMTP server to route mail. Name-and-password
security is supported only when a Domino server acts as an SMTP server -- that is, when SMTP clients
access a Domino server.
If you are setting up name-and-password authentication for an HTTP server, you have an additional
method to use with name-and-password authentication: session-based authentication. Name and
password authentication sends the name and password in unencrypted format and is sent with each
request. Session-based authentication differs in that the user name and password is replaced by a cookie.
The user’ name and password is sent over the network only the first time the user logs in to a server.
Thereafter the cookie is used for authentication. Session-based name-and-password authentication offers
1057
greater control over user interaction than basic name-and-password authentication and lets you customize
the form in which users enter their name and password information. It also allows users to log out of the
session without closing the browser.
For information on setting up an SSL server, see the chapter ″Setting Up SSL on a Domino Server.″
For information on setting up clients for SSL, see the chapter ″Setting Up Clients for S/MIME and SSL.″
For more information on DSAPI and filters, see the Lotus C API Toolkit for Domino and Notes. The
toolkit is available at www.lotus.com/techzone.
Note: If you want LDAP clients to access the server using name-and-password authentication, you must
also allow anonymous access for LDAP on the server as well. LDAP clients who access the server using a
browser supply an e-mail address for authentication, and the client searches for the address anonymously
before Domino can authenticate the user.
For information on setting up anonymous access, see the topic ″Setting up Internet/intranet clients for
anonymous access″ later in this chapter.
Note: Users can also be created in secondary Domino directories or external LDAP directories, if your
server is configured to use them.
2. In each Person document, complete these fields, and then save the document:
Field Action
First name, Middle initial, Last name Enter the user’s first name, middle initial, and last name. The user’s
last name is required.
Chapter 44. Setting Up Name-and-Password and Anonymous Access to Domino Servers 1059
Field Action
User name (Required) Enter the user’s full name. This is the name the user enters
when trying to access a server.
This field can contain multiple names. As Domino uses the first name
in this field to validate a user in database ACLs, design access lists,
groups, and File Protection documents, the first name in this field
should be the user’s Domino distinguished name (DN). The second
name should be the common name (CN) portion of the DN.
When prompted for his name and password, the user can enter ″Al
Jones″ as his name. However, Domino uses ″Alan Jones/Sales/Acme″
to validate him in database ACLs and design access lists. Therefore,
the name ″Alan Jones″ must be the one that appears in ACLs and
design access lists.
Note: You should always use the user’s hierarchical name -- for
example, Alan Jones/Acme/US -- to help eliminate ambiguous or
duplicate user names.
Internet password (Required) Specify the user’s Internet password.
For more information on setting up a database ACL, see the chapter ″Controlling User Access to Domino
Databases.″
Furthermore, you have two selections for enabling session-based authentication -- single and multi-server
selections. The single server option causes the server to generate a cookie that is honored only by the
server that generated it, while the multi-server option generates a cookie that allows single sign-on with
any server that shares the Web SSO configuration document.
To use session-based authentication, Web clients must use a browser that supports cookies. Domino uses
cookies to track user sessions.
Using session-based name-and-password authentication provides greater control over user interaction
than basic name-and-password authentication. For example, you can customize the form in which users
enter their name and password information. It also allows users to log out of the session without closing
the browser.
Domino provides a default HTML form -- ($$LoginUserForm), which is provided and configured in the
Domino Configuration database (DOMCFG.NSF). You can customize the form or create your own to
contain additional information.
You can also redirect the logout to a design element or URL. For example:
http://acmeserver/sessions.nsf?logout&redirectto=/logoutDB.nsf/logoutApp?OpenPage
http://acmeserver/sessions.nsf?logout&redirectto=http://www.sales.com
You can build this expression into an application -- for example, using it in a button -- or type it in as a
URL.
Note: If your servers are set up for round-robin DNS, you should use the multi-server (or single sign-on)
option for session-based name-and-password authentication. Servers cannot store the session information
in memory when using round-robin DNS with the single server cookie. In addition, if a server is
Chapter 44. Setting Up Name-and-Password and Anonymous Access to Domino Servers 1061
restarted or crashes, session information is lost, and then users must re-enter their names and passwords.
In the multi-server session setting, the session cookie might still be valid when a server is restarted (if the
cookie has not yet expired); however, the user must continue to access the server from the same browser
window in which the user’s logon was performed.
Field Action
Session authentication Select single server. This is disabled by default.
Idle session timeout Enter a default time period to log an inactive Web client off the server.
Default is 30 minutes.
Maximum active sessions Enter the maximum number of user sessions allowed on the server at the
same time. Default is 1000.
5. Click Security, and enable name-and-password authentication for the TCP and for SSL (if using SSL).
6. Save the document.
Field Action
Session authentication Select single server. This is disabled by default.
Idle session timeout A default time period to log an inactive Web client off the server. Default is
30 minutes.
Maximum active sessions The maximum number of user sessions allowed on the server at the same
time. Default is 1000.
4. Click Ports - Internet Ports - Web, and enable name-and-password authentication for the TCP/IP port
and for the SSL port (if using SSL).
5. Save and close the Server document.
Field Action
First name, Middle initial, Last name Enter the user’s first name, middle initial, and last name. The user’s
last name is required.
User name (Required) Enter the user’s full name. This is the name the user enters
when trying to access a server.
This field can contain multiple names. As Domino uses the first name
in this field to validate a user in database ACLs, design access lists,
groups, and File Protection documents, the first name in this field
should be the user’s Domino distinguished name (DN). The second
name should be the common name (CN) portion of the DN.
When prompted for his name and password, the user can enter ″Al
Jones″ as his name. However, Domino uses ″Alan Jones/Sales/Acme″
to validate him in database ACLs and design access lists. Therefore,
the name ″Alan Jones″ must be the one that appears in ACLs and
design access lists.
Note: You should always use the user’s hierarchical name -- for
example, Alan Jones/Acme/US -- to help eliminate ambiguous or
duplicate user names.
Internet password (Required) Specify the user’s Internet password.
To edit database ACLs: After you edit the Server document and create Person documents, edit the
database ACL of each database to which you want to give users access.
For more information on setting up a database ACL, see the chapter ″Controlling User Access to Domino
Databases.″
Domino provides a default HTML log-in form to allow a user to enter a name and password, and then
use that name and password for the entire user session. The Web browser sends the user’s name and
password to the server using the server’s character set. Therefore, a user can enter a name and password
in a character set other than ASCII or Latin-1.
The available set of characters to use for user name are different for basic authentication and
session-based authentication.
Chapter 44. Setting Up Name-and-Password and Anonymous Access to Domino Servers 1063
This form is created and configured in the Domino Web Server Configuration database (DOMCFG.NSF).
You can customize the form to contain additional information. To do this, the Domino Web server must
be set up.
For more information on setting up the Web server, see the chapter ″Setting Up the Domino Web Server.″
To create and use a custom sign-in form, you must complete these procedures:
v Create the Domino Web Server Configuration database. If you do not create the database, Domino uses
a generic log-in form.
v Create a custom form.
v Specify the custom form as the sign-in form. If the Domino Web Server Configuration database exists
on the Web server but you have not created and specified a custom sign-in form, Domino uses the
form $$LoginUserForm.
Note: The name of the database is not optional, because the Web server has this name incorporated
into its code. The name of the database must be domcfg.nsf.
5. Click OK.
6. Add an entry named Anonymous to the database ACL, and give the entry Reader access.
To create a custom form: The simplest way to create a custom log-in form is to modify a copy of
$$LoginUserForm, the example log-in form provided in the Domino Configuration database. You can also
create a new log-in form. You must have the Domino Designer 7 client to create and edit forms.
1. In the Domino Designer client, open the Domino Configuration database (DOMCFG.NSF).
2. Choose View - Design.
3. Do one of the following:
v To create a custom form using $$LoginUserForm, make a copy of $$LoginUserForm, then
double-click the copy to open it. (You can rename the copy if necessary -- for example,
CustomLoginForm.)
v Click New Form to create a new form.
4. When you finish designing the custom form, save and close it.
Configuring error messages: You can enable session-based Web authentication to return error messages
for log-in failures and session time-outs. This is accomplished by configuring two fields on your custom
login form -- the reasontext and reasontype fields. DOMCFG.NTF includes these two fields in the default
form provided, $$LoginUserForm. (To obtain the changes, you must refresh or replace the design of
DOMCFG.NSF with the most current DOMCFG5.NTF).
The five cases that cause the Login form to appear are encoded in the field ″reasontype″ and include:
v Prompt for the user to log in, at which no error message will display.
v ″User Name, you are not authorized to access application.nsf. Please sign in with a name which has
sufficient access rights.″ The user is authenticated with correct credentials for the server but is not
authorized to the database or file, for example.
v ″You provided an Invalid username or password. Please sign in again.″ The user has given an incorrect
name or password.
v ″Your connection has expired. Please sign in again.″ This occurs when the browser has not sent a
request to the server in the given amount of time as configured in the server document (default=30
minutes). If the session times out, they will lose what hasn’t been saved. Administrators should
lengthen the server’s session timeout, if this occurs frequently, to the length of a workday.
v ″User Name, your login has been invalidated due to a timing issue with the login server. (The servers
may need to have their clocks synchronized to resolve this.) Please sign in again.″ This occurs when
multi-server session authentication is configured and an idle session timeout is enabled. This message
indicates that the SSO servers do not agree on the current time, which may invalidate the user’s SSO
session.
Chapter 44. Setting Up Name-and-Password and Anonymous Access to Domino Servers 1065
More name variations with lower security
Domino tries to authenticate users based on the name and password entered. This authentication method
can be vulnerable to hackers who guess names and passwords in an attempt to use a legitimate user
account to access a server. This option allows users to enter any of the following in the name and
password dialog box in a Web browser:
Note: The Domino Web Server Application Programming Interface (DSAPI) is a C API tool that lets you
write your own extensions to the Domino Web server. These extensions, or filters, let you customize the
authentication of Web users. For more information on DSAPI and filters, see the current Lotus C API
Toolkit for Domino and Notes, which is available at www.lotus.com/techzone.
Example Description
Alan Jones Common name
Alan First name
Jones Last name
Ajones Short name
Alan Jones/Sales/East/Acme/US Full hierarchical name (abbreviated)
cn=Alan Jones/ou=East/ou=Sales/o=Acme/c=us Full hierarchical name (canonical)
cn=Alan Jones Common name with CN=prefix
If you want to authenticate Alan in an LDAP Directory, he can use a browser to enter the following
names:
Example Description
Alan Jones Common name
Alan Givenname
Jones Surname
Ajones UID
cn=Alan Jones, cn=recipients, ou=Sales, ou=East, Full hierarchical name (canonical)
o=Acme, c=us (valid for a Microsoft Exchange
server)
cn=Alan Jones (valid for Domino Directory) Common name with CN=prefix
uid=ajones, ou=Sales, ou=East, o=Acme, c=us (valid Full hierarchical name (canonical)
for a Netscape Directory Server)
uid=ajones (valid for Netscape Directory Server) UID with UID=prefix
Alan Jones/Sales/East/Acme/US Full hierarchical name (abbreviated)
alan_jones@acme.com LDAP mail attribute
Fewer name variations with higher security: Using the Fewer name variations authentication level,
Alan Jones/Sales/East/Acme can enter only the following names when using a browser to authenticate
with a Domino Directory:
Example Description
Alan Jones/Sales/East/Acme Full hierarchical name (abbreviated)
CN=Alan Jones Common name with CN= prefix
Alan Jones Common name
cn=Alan Jones/ou=East/ou=Sales/o=Acme/c=us Full hierarchical name (canonical)
alan_jones@acme.com Internet (e-mail) address
If you want to authenticate Alan in an LDAP Directory, he can use a browser to enter the following
names:
Example Description
AJones UID
Alan Jones CN
cn=Alan Jones, cn=recipients, ou=Sales, ou=East, DN
o=Acme, c=us (valid for a Microsoft Exchange server)
cn=Alan Jones (valid for a Domino Directory) CN with CN=prefix
uid=ajones, ou=Sales, ou=East, o=Acme, c=us (valid for a DN
Netscape Directory Server)
uid=Ajones (valid for a Netscape Directory Server) UID with UID= prefix
alan_jones@acme.com LDAP mail attribute
Chapter 44. Setting Up Name-and-Password and Anonymous Access to Domino Servers 1067
Authenticating Internet name-and-password clients in secondary Domino and
LDAP directories
When an Internet client authenticates with a server, by default the server checks the primary Domino
Directory to see if it can find a Person document with a name and password that match those entered by
the Internet client. If your organization uses a secondary Domino Directory and/or an LDAP directory to
verify Internet clients who use name-and-password authentication, you can set up Domino to check those
additional directories. To do so, you set up the secondary Domino Directories and LDAP directories as
trusted domains in the Directory Assistance database.
When you mark domains as trusted, Domino first searches the primary Domino Directory for the user
name and password and then searches the trusted secondary Domino Directories and LDAP directories.
When you set up directory assistance, you specify the order in which Domino searches the secondary
directories.
The hierarchical name returned by the Domino Directory or LDAP directory is checked against the
trusted rule in the Directory Assistance database to verify that the organization and organizational units
match the specified rule. For example, if the user name returned is Dave Lawson/Acme, the Directory
Assistance document must include the rule */Acme.
Searching multiple directories is also available for authenticating users with SSL client authentication.
Note: For Domino R5.x and earlier, searching multiple directories is only used by the HTTP protocol and
not the other Internet protocols.
For clients in secondary LDAP directories, it is also possible to map the name in an LDAP directory to a
Domino name, using the field ″Attribute to be used as Notes distinguished name.″ In this case, the user
may login by specifying a valid LDAP name and password, and as a result of successful authentication is
known within Domino as the corresponding Notes distinguished name.
You can force users to change their Internet password on the next login through a setting in the Person
document.
Note: In order to allow users to change their Internet passwords through a browser, you must have
session authentication enabled for your server.
You can enable Notes-Internet password synchronization for individual or multiple users on a server
through the use of a security settings policy document.
When a user changes their Notes password, the Internet password is eventually changed, as well.
If custom password policies have been established for Notes users in a security settings policy document,
and the security policy setting also specifies ″Update Internet password when Notes passwords change,’
Custom password policies are not applied to Internet passwords if users change them through a browser.
Note: The more secure password format is required if you choose to synchronize a user’s Internet
password with their Notes password.
For more information on using a security settings policy document to manage Notes and Internet
passwords, see the chapter ″Using Policies.″
For more information on changing password settings in the Person document, see the chapter ″Protecting
and Managing Notes IDs.″
For more information on custom password policies, see the chapter ″Using Policies.″
You can upgrade the password format for Person documents that already exist or automatically use the
more secure password format for all Person documents that you create.
Note: The more secure password format is required if you choose to synchronize a user’s Internet
password with their Notes password.
User Web browsers must have cookies enabled since the authentication token that is generated by the
server is sent to the browser in a cookie.
Chapter 44. Setting Up Name-and-Password and Anonymous Access to Domino Servers 1069
v Enabling the ″Multi-servers (SSO)″ option for session-based authentication in a Web Site document or
in the Server document.
You can enable single sign-on across multiple Domino domains. See the topic ″Setting up the Web SSO
Configuration document for more than one Domino domain″ later in this chapter.
General issues
v It is important that all servers participating in an SSO group must use the same mechanism for
configuring Internet access. They must either all use Internet Site documents, or they must all have
Internet access configured in the Server document.
v The DNS domain that applies to the participating SSO servers is specified in the SSO configuration
document. URLs issued to servers configured for single sign-on must specify the full DNS server name,
not the host name or IP address. For browsers to be able to send cookies to a group of servers, the
DNS domain is included in the cookie (as specified by the configuration), and the DNS domain in the
cookie must match the server URL. This is why cookies cannot be used across TCP/IP domains.
v Clustered servers must have the full DNS server name in the host name field of the Web Site or Server
document. This enables the Internet Cluster Manager (ICM) to redirect to cluster members using SSO.
If the DNS server host name is not there, ICM will redirect URLs to clustered Web servers with only
the TCP/IP host name, by default, and will not be able to send the cookie because the DNS domain is
not included in the URL.
v If you enable Internet Sites in the Server document, any existing SSO configuration is automatically
disabled.
WebSphere issues
v WebSphere and Domino do not need to be configured for the same LDAP directory; however, if
WebSphere and Domino will not share the same directory, you likely will have a multi-identity
problem to plan for and address.
See the multi-identity section (probably this would be the topic on configuring LTPA user names, as
well as the topic that covers the DA feature ″Attribute to be used as Notes distinguished name″ ).
v Websphere configurations support two different formats of SSO LTPA cookies. One cookie has a name
″LtpaToken″, and the other cookie format is named ″LtpaToken2″. Domino SSO supports the
″LtpaToken″ cookie only, therefore WebSphere must be configured to issue the correct format cookie in
order for SSO to work between WebSphere and Domino.
v Websphere cannot use Domino LTPA tokens. To include Domino and WebSphere in the same LTPA
group, you must export the LTPA token from WebSphere and import it into Domino.
v If you have imported WebSphere keys into your Domino SSO configuration for interoperability with
WebSphere, then you cannot specify an SSO idle timeout. WebSphere servers do not honor an idle
timeout.
v If the group of servers participating in single sign-on includes WebSphere servers that use a Domino
LDAP directory, users with flat names in that directory cannot use SSO (if the participating servers are
all Domino, then SSO will work with flat user names).
To create a Web SSO configuration document if you are using Internet Sites: You should have already
created a Web Site document, and enabled the use of Internet Site documents in the Server document.
Field Action
Configuration Name Enter the name of the SSO configuration.
Notes
v If you create multiple Web SSO Configuration documents, be sure to give each
document a unique name. Web SSO documents are located by name and if
multiple documents have the same name, the SSO configurations won’t work
well. However, creating multiple SSO documents can only work under limited
circumstances. Multiple SSO documents are not recognized by all protocols. In
particular, SSO involving the Notes client, any Java agents, and other components
using the local Java back-end classes will not function if a name other than the
default LtpaToken is used.
v If the single sign-on configuration is a mixed-release configuration that includes
Release 5.0x servers, the Configuration Name must be LtpaToken, as Release 5.0x
servers only work with this configuration name.
Organization Name (Required) Enter the name of the organization. This must match the organization
name for the corresponding Web site. The SSO document will then appear in the
Internet sites view, along with the Web Sites documents.
DNS Domain (Required) Enter the DNS domain (for example -- .acme.com) for which the tokens
will be generated. The servers enabled for single sign-on must all belong to the DNS
domain you specify.
When you enter the DNS domain, be sure you type the initial period. For example,
do not enter ″acme.com″; instead you should enter ″.acme.com″.
If the SSO domain includes WebSphere servers, WebSphere treats the DNS domain
as case-sensitive, so ensure that the DNS domain value is specified with appropriate
case.
Chapter 44. Setting Up Name-and-Password and Anonymous Access to Domino Servers 1071
Field Action
Map names in LTPA token Enable this option to map the user name that appears in a Domino-created LTPA
token to the user’s name that is expected by WebSphere SSO servers. You should
enable this setting if you have a mixed Domino and Websphere environment, and if
it is the case that Domino and WebSphere do not share the same directory.
Do not enable this option if you want Domino-created LTPA tokens to continue to
contain the user’s Domino distinguished name.
For more information, see the topic ″Configuring user name mapping in the SSO
LTPA token″ later in this chapter.
Domino Server Names Enter the names of the Domino servers that will be participating in single sign-on
(for example -- server1/acme, server2/acme). This document will be encrypted for
the creator of the document, the members of the Owners and Administrators fields,
and the servers specified in the Domino Server Names field.
Groups, wildcards, and the names of WebSphere servers are not allowed in this
field. Only Domino servers can be listed as participating servers in the Server Names
field.
Note: There is a 64K-size limit on this field. An error message appears when the
limit is reached, such as when the names of several hundreds of servers are entered.
It is recommended that you create more than one Web SSO Document if this limit is
reached.
Expiration (minutes) Specify the time period, in minutes, for which the token will be valid. This time
period begins at the time the token is issued. The token is valid for only the number
of minutes specified. Default is 30 minutes.
Note: If an Idle Session Timeout is configured, the session may timeout (based on
inactivity) at a time earlier than that specified by the expiration.
Idle Session Timeout (Domino-only SSO configuration) Enable this option to end a user’s SSO session if
there is no activity for a specified amount of time (see below).
Note: If you chose to import Websphere LTPA keys, this option will not appear on
the Web SSO Configuration document.
Minimum Timeout (minutes) If you enabled Idle Session Timeout, this option appears. Specify the length of time,
in minutes, that a user’s session must show no activity before timing out.
7. Save the Web SSO Configuration document. A message on the status bar indicates the number of
servers/people for whom the document was encrypted. The document(s) will appear in the Internet
Sites view.
To create a Web SSO configuration document if you are using the Web Server Configurations view:
Use this procedure to create a Web SSO configuration document if your server is a Release 5.0x server, or
if you are using Domino 6 or higher but you do not use Web Site documents to manage your Web sites.
1. In the Domino Administrator, click Files, and open the server’s Address Book (NAMES.NSF).
2. Select the Servers view.
3. Click Create Web SSO Configuration.
4. In the Web SSO Configuration document, click Keys.
5. Initialize the Web SSO Configuration with the shared secret key in one of two ways:
v Choose Domino only (no WebSphere servers participating in single sign-on), and then select ″Create
Domino SSO Key.″
v Choose Domino and WebSphere (single sign-on with WebSphere), and then do the following:
a. Select ″Import WebSphere LTPA Keys.″
b. Browse and select the WebSphere LTPA export file. (See WebSphere documentation for details
about generating ltpatoken keys.)
Field Action
Configuration Name Enter the name of the SSO configuration.
Notes:
v If you create multiple Web SSO Configuration documents, be sure to give each
document a unique name. Web SSO documents are located by name and if
multiple documents have the same name, the SSO configurations won’t work
well. However, creating multiple SSO documents can only work under limited
circumstances. Multiple SSO documents are not recognized by all protocols. In
particular, SSO involving the Notes client, any Java agents, and other
components using the local Java back-end classes will not function if a name
other than the default LtpaToken is used.
v If the single sign-on configuration is a mixed-release configuration that includes
Release 5.0x servers, the Configuration Name must be LtpaToken, as Release 5.0x
servers only work with this configuration name.
Organization Name Leave this field blank, and this document will appear in the Web Configurations
view.
DNS Domain (Required) Enter the DNS domain (for example, .acme.com) for which the tokens
will be generated. The servers enabled for single sign-on must all belong to the
same DNS domain.
When you enter the DNS domain, be sure you type the initial period. For example,
do not enter ″acme.com″; instead you should enter ″.acme.com″.
If the SSO domain includes WebSphere servers, WebSphere treats the DNS domain
as case-sensitive, so ensure that the DNS domain value is specified with
appropriate case.
Map names in LTPA token Enable this option to map the user name that appears in a Domino-created LTPA
token to the user’s name that is expected by WebSphere SSO servers. You should
enable this setting if you have a mixed Domino and Websphere environment, and if
it is the case that Domino and WebSphere do not share the same directory.
Do not enable this option if you want Domino-created LTPA tokens to continue to
contain the user’s Domino distinguished name.
For more information, see the topic ″Configuring user name mapping in the SSO
LTPA token″ later in this chapter.
Domino Server Names Enter the names of the Domino servers that will be participating in single sign-on
(for example -- server1/acme, server2/acme). This document will be encrypted for
the creator of the document, the members of the Owners and Administrators fields,
and the servers specified in the Domino Server Names field.
Note: Groups, wildcards, and the names of WebSphere servers are not allowed in
this field. Only Domino Servers can be listed as participating servers in the Server
Names field.
Expiration (minutes) Specify the time period, in minutes, for which the token will be valid. This time
period begins at the time the token is issued. The token is valid for only the
number of minutes specified. Default is 30 minutes.
Note: If an Idle Session Timeout is configured, the session may timeout (based on
inactivity) at a time earlier than that specified by the expiration.
Idle Session Timeout Enable this option to end a user’s SSO session if there is no activity for a specified
amount of time (see below).
Note: If you chose to import Websphere LTPA keys, this option will not appear on
the Web SSO Configuration document.
Chapter 44. Setting Up Name-and-Password and Anonymous Access to Domino Servers 1073
Field Action
Minimum Timeout (minutes) If you enabled Idle Session Timeout, this option appears. Specify the length of time,
in minutes, that a user’s session must show no activity before timing out.
7. Save the Web SSO Configuration document. A message on the status bar indicates the number of
servers/people for whom the document was encrypted. The document(s) will appear in the Web
Server Configurations view.
Note: If you receive messages on the client indicating that a particular key was not found for
encrypting the document, you may have to change your client’s location document to point to a
different mail/directory server that will have all the public keys included in server and person
documents.
Before you begin, make sure that the SSO keys have been created or imported from a WebSphere file.
To enable single sign-on and basic authentication for a Web Site: Use this procedure to enable single
sign-on for Domino servers (Domino 6 and higher) configured with Web Site documents.
Note: When you enable the use of Internet Sites on a Domino server, any existing SSO configurations are
automatically disabled. Make sure that you have enabled this option prior to configuring SSO.
1. In the Domino Administrator, click Configuration - Web - Internet Sites.
2. Open the Web Site document for which you want to enable single sign-on.
3. Click Domino Web Engine.
4. In Session authentication, select ″Multiple Servers (SSO).″
5. In the Web SSO Configuration field, select the Web SSO Configuration for this Web Site from the
drop-down list.
6. Click Security. For both TCP and SSL authentication, enable Name & Password.
7. Save and close the Web Site document.
8. At the server console, start the HTTP process by typing:
load HTTP
If the HTTP process is already running, type:
tell HTTP restart
Note: If something is wrong with the configuration, the browser will receive an Error 500 message
stating that single sign-on is not configured.
To enable single sign-on and basic authentication in the Server document: Use this procedure to
enable single sign-on for pre-Domino 6 servers, or for Domino 6 and higher servers not configured
6
Note: The ″Idle session timeout″ and ″Maximum active sessions″ fields will be disabled.
Note: You can optionally enable the use of client certificates for SSL authentication for users on an
SSO-enabled server. If the user authenticates with a client certificate, the server still creates an SSO token
for the user in case it will be useful for accessing resources on participating SSO servers.
Setting up the Web SSO Configuration document for more than one Domino
domain
This procedure lets you enable servers in your current Domino domain for SSO with servers in another
Domino domain, by setting up both domains to use the same key information. Two conditions must exist
in order to do this:
v You must be a registered Notes user and your server must be a registered server. This gives you and
the server the rights to decrypt the Web SSO Configuration document in your current domain, and the
right to create documents in the Domino Directory for the new domain. It may be necessary to have
administrative IDs cross-certified for operating in the two domains.
v The server document and the administrator’s person document must exist in the domain for which you
will be creating the Web SSO Configuration, as the public keys that are used for encryption are stored
in each registered person and server document.
v Participating SSO servers must still reside in the same DNS domain -- for example, acme.com.
To set up the Web SSO Configuration document for more than one Domino domain:
1. Copy the Web SSO Configuration document from the Domino Directory in which it was created, and
paste it into the Domino Directory in the new domain.
2. Open the Web SSO Configuration document for the new domain and edit the ″Participating Domino
Servers″ field to include only those servers with server documents in the new domain that will be
enabled for single sign-on.
3. The client must be able to find server documents for the participating single sign-on servers. Make
sure that the home server specified in your client’s location document is pointing to a server in the
same domain as those servers participating in single sign-on, so that lookups will be able to find the
public keys of the servers. If the home server cannot find participating servers, then the SSO
document cannot be encrypted and SSO will fail.
4. Save the document. It is encrypted for the participating servers in the new domain, and should enable
those servers in the new domain to participate in single sign-on with servers in the current domain.
This situation typically occurs in end-user configurations in which there are multiple directories used by
various servers participating in SSO, and consequently a user may have multiple identities. For example,
a user may be known in a Websphere LDAP directory as ″uid=jdoe,cn=sales,dc=acme, dc=com,″ but in a
Domino directory the same user is ″John P Doe/Sales/Acme.″ If Websphere receives an LTPA token
containing a user name like ″John P Doe/Sales/Acme,″ it attempts to find this user in the Websphere
directory and when it can’t, rejects the token.
Domino administrators can now map the user name that appears in a Domino-created LTPA token to the
name expected by WebSphere, to ensure that the name is recognized in a mixed Domino and Websphere
environment where Domino and WebSphere do not share the same directory.
Chapter 44. Setting Up Name-and-Password and Anonymous Access to Domino Servers 1075
Note: In a mixed-release Domino environment, user name mapping in the LTPA token only works if the
token is generated by a Domino 7.0 server. If the user name value that is used in the LTPA token is also
added as a secondary value in the fullname field of the Person record in pre-Domino 7.0 servers (for the
purposes of aliasing, for example), users will also be able to access databases on Domino 6.02 and higher
servers, as well as Websphere servers.
How you specify the user name to be used in the LTPA token depends on the directory configuration
used in your single sign-on environment:
v If Notes user information is contained only in a Domino Directory, you specify the user name mapping
in the Person document.
v If Notes user information is contained in a corporate LDAP directory, you configure the user name
mapping in Directory Assistance.
v If the organization uses both Domino and LDAP directories, you configure both the Domino person
record and the Directory Assistance SSO information.
As LDAP directory fields and Domino directory fields generally do not have a one-to-one
correspondence, the use of Directory Assistance documents for name mapping allows allows LDAP
administrators to specify which LDAP field should be used as the equivalent of the LTPA User Name
field.
Note: Any name mapping configuration in Directory Assistance documents will be ignored if the
mapping feature is not enabled in the SSO configuration document.
To configure user name mapping in a Domino Directory environment: In this environment, there are
Domino SSO users who have Person records in the Domino directory.
1. Enable name mapping for the LTPA token. In the Web SSO Configuration document that defines your
SSO environment, select Enabled for the ″Map names in LTPA token″ option.
2. In the user Person document, click Administration. Under ″Client Information,″ enter the user name
DN that is expected by WebSphere in the ″LTPA user name″ field. Typically, this will be the user’s
LDAP distinguished name (DN). Be sure to separate the name components with slashes.
For example, if the LDAP DN is
uid=jdoe,cn=sales,dc=acme, dc=com
enter the value as follows:
uid=jdoe/cn=sales/dc=acme/dc=com
Although the name is entered into the LTPA user name field in Domino format, Domino transforms the
configured LTPA user name into the appropriate LDAP format expected by Websphere before placing it
into the Domino-created LTPA token.
Note: The value entered in this field must be unique- that is, it should not match more than one person
in the organization.
To configure user name mapping in a corporate LDAP directory environment (a mixed Domino and
LDAP directory environment): In this environment, some or all Domino users do not have Person
records in the Domino directory. Instead, these Domino users have records in an external LDAP directory
that is accessible to Domino through Directory Assistance.
1. Enable name mapping for the LTPA token. In the Web SSO Configuration document that defines your
SSO environment, select Enabled for the ″Map names in LTPA token″ option.
2. Open the Directory Assistance document for the LDAP Directory. In the SSO Configuration section,
enter an LDAP attribute that should be used as the name in an SSO token created for this user. This
attribute will be used in the LTPA token when the LTPA_UserNm field is requested. It is important to
ensure that the selected field contains the user name that WebSphere expects. Options for this field
include:
If Directory Assistance is configured such that a search on a particular user finds a match in both the
Domino Directory and in an LDAP directory, Domino requires consistency between a Domino Person
record and an LDAP record. Domino takes extra steps to determine that there are matching values for the
Internet email address located in both directories. To accomplish this, DA searches for the user’s LDAP
″mail″ attribute. This value must match the information found in the Domino Person record field
″internetaddress.″
In order for SSO to succeed, you must ensure that the value of the Domino attribute ’Internet address’
matches the value of the LDAP attribute ’mail.’
Other considerations:
v To support aliasing, in the Person document, add the LDAP name to both the LTPA_UserNm field and
as a secondary value in the User Name (i.e. document property Fullname) field.
For more information on alias dereferencing, see the chapter ″Setting Up Directory Assistance.″
v Notes client integration with Sametime (and therefore SSO with Sametime) is not supported if the
Sametime server is configured to use Internet Sites, as the Notes client protocol (NRPC) for obtaining
an SSO token does not work with the use of Internet Sites.
v Name mapping in the LTPA token is not supported when user information is stored in condensed
directory catalogs.
With anonymous access, you never know who is accessing databases on the server. Therefore, you cannot
use the client’s identity -- that is, the client’s name and password -- to control access to databases and
design elements. Use anonymous access when you do not need to know who is accessing the database
and/or when you do not need to control access based on client identity.
You can use anonymous access with TCP/IP and/or SSL on any server that runs LDAP, HTTP, SMTP, or
IIOP. For each Internet protocol enabled on the server, you can specify the method of security. For
example, you can enable SSL for HTTP connections, but require name-and-password authentication for
LDAP connections that use TCP/IP.
In addition to using anonymous access, you can enable name-and-password authentication and SSL client
authentication. Then users can use any authentication method to connect to the server. For example, if the
user has an SSL client certificate, the user can access the server using SSL; whereas a user who does not
have an SSL client certificate can access the server anonymously.
Chapter 44. Setting Up Name-and-Password and Anonymous Access to Domino Servers 1077
For more information on how Domino validates and authenticates users when anonymous, SSL client
authentication, and name-and-password authentication are set up on a server, see the topic ″Validation
and authentication for Internet/intranet clients″ later in this chapter.
Tip: For strategic databases on the Domino server -- such as the Domino Directory -- set Anonymous to
No Access.
Note: You cannot enable anonymous access for IMAP and POP3 Internet Site documents.
3. In the Internet Site document, click Security.
v If you want to allow clients to use anonymous access when they connect using TCP, select Yes in
the Anonymous field in the TCP Authentication section.
v If you set up SSL on the server and you want to allow clients to use anonymous access when they
connect using SSL, select Yes in the Anonymous field in the SSL Authentication section.
4. Save and close the document.
To edit database ACLs for anonymous access: In the ACL of each database on the server for which you
want to enable anonymous access, do the following:
1. Create an entry named Anonymous. If you don’t add Anonymous as an entry in the ACL, users and
servers who access the server anonymously get -Default- access.
2. Assign the appropriate access level -- typically Reader access.
3. Leave user type set to Unspecified.
For more information on database ACLs, see the chapter ″Controlling User Access to Domino
Databases.″
For information on setting up SSL on a server, see the chapter ″Setting Up SSL on a Domino Server.″
For example, when a user tries to open a database that has an ACL with No Access as the -Default-,
Domino challenges the user for a valid user name and password. Authentication succeeds only if the user
provides a name and password that matches the name and password stored in the user’s Person
document (or in an LDAP directory - some users are authenticated against an LDAP directory rather than
a Person record) and if the database ACL gives access to that user. Anonymous users are not
authenticated.
You can use name-and-password and anonymous access with TCP/IP and SSL. Name-and-password and
anonymous access with TCP/IP are described below.
This section also applies to Web clients who are accessing a Domino Web server for which session
authentication has been enabled.
Note: The Domino Web Server Application Programming Interface (DSAPI) is a C API that you use to
write extensions to the Domino Web server. Using these extensions, or filters, you can customize the
authentication of Web users. For more information on DSAPI, see the Lotus C API Toolkit for Domino
and Notes. The toolkit is available at www.lotus.com/techzone.
Note: When Domino authenticates an Internet user, it uses the distinguished name (DN), which is
the first name that appears in the Full Name field of a Person document. This name should be
used in entries for groups, delegated server administration, database ACLs, and file protection
documents.
Chapter 44. Setting Up Name-and-Password and Anonymous Access to Domino Servers 1079
For users who do not have Person records, and instead have their records in a secondary LDAP
directory, the user’s LDAP name might appear on the ACL. To allow access to the user, the ACL
should include the user’s LDAP name (unless the user’s name is being mapped to a corresponding
Domino name by Directory Assistance, in which case the Domino DN should appear on the ACL).
a. Next, the server compiles a ″grouplist,″ which contains Andrew’s distinguished name, plus any
wildcard entries and any groups of which he is a member on that server.
b. The server then checks the database ACL to determine if Andrew’s name is listed explicitly on the
ACL, or if any of the grouplist entries for his name appear in the ACL.
c. If Andrew’s distinguished name, or the name of any group of which is a member, matches an
entry in the ACL, then Andrew gets access to the database using the access level specified for that
entry in the ACL. Otherwise, he is denied access.
Encryption
Encryption protects data from unauthorized access. Using Notes and Domino, you can encrypt:
v Messages sent to other users. Then an unauthorized user cannot read the message while it is in transit.
You can also encrypt saved and incoming messages.
v Network ports. Encrypting information sent between a Notes workstation and a Domino server, or
between two Domino servers, prevents unauthorized users from reading the data while it is in transit.
v SSL transactions. You can use SSL to encrypt information sent between an Internet client, such as a
Notes client, and an Internet server, to prevent unauthorized users from reading the data while it is in
transit.
v Fields, documents, and databases. Application developers can encrypt fields within a document, an
entire document, and local databases. Then only the specified users can read the information.
For information on SSL encryption, see the chapter ″Setting Up SSL on a Domino Server.″
For information on field, document, and database encryption, see the book Application Development with
Domino Designer.
Domino uses two types of public and private keys -- Notes and Internet. You use the Notes public key to
encrypt fields, documents, databases, and messages sent to other Notes users, while the Notes private
key is used for decryption. Similarly, you use the Internet public key for S/MIME encryption and the
Internet private key for S/MIME decryption. For both Notes and Internet key pairs, electronic signatures
are created with private keys and verified with public keys.
You can use one set of Internet public and private keys or you can set up Notes to use a set of Internet
keys for S/MIME signatures and SSL and another set for S/MIME encryption.
For information on dual Internet certificates, see the chapter ″Setting Up Clients for S/MIME and SSL.″
When you register a user, Domino automatically creates a Notes certificate, which contains the user’s
public keys, and adds it to the ID file and the Domino Directory. The private key is created and stored in
the ID file. You can also create Internet public and private keys after user registration. Domino stores
Internet certificates, which contain public keys, in the ID file and also in the Domino Directory. The
Internet private key is stored in the ID file, separately from the certificate.
To create Notes public and private keys, Domino uses the dual-key RSA Cryptosystem and the RC2 and
RC4 algorithms for encryption. To create the Internet public key, Domino uses the x.509 certificate format,
which is an industry-standard format that many applications, including Domino, understand.
1081
Both the Notes client and Domino server support 1024-bit RSA key and 128-bit symmetric key for
S/MIME and SSL. The Notes proprietary protocols support the use of 630- and 1024-bit keys for key
exchange, and use 64- and 128-bit keys for bulk data encryption.
Encryption strength
All Notes IDs contain two public/private key pairs. Prior to 5.0.4, key lengths were restricted for the
purposes of encrypting data, but not for authentication or signing. Anything over 512-bit RSA key and
56-bit symmetric key was considered strong encryption and was not allowed for export by the U.S.
Government. Customers were required to order and choose among kits of different cryptographic
strengths.
With the relaxation of US government regulations on the export of cryptography, the Domino server and
the Domino Administrator, Domino Designer, and Lotus Notes client products have consolidated all
previous encryption strengths -- North American, International, and France -- into one strong encryption
level resulting in a single ″Global″ release of the products. The Global release adopts the encryption
characteristics previously known as North American. Strong encryption in Global products can be used
worldwide, except in countries whose import laws prohibit it, or except in those countries to which the
export of goods and services is prohibited by the U.S. government. Customers are no longer required to
order Notes software according to cryptographic strength.
When you upgrade to a Global release of Domino and Notes, stronger cryptography will be used without
a requirement to reissue existing IDs. These changes are seamless to users as well as administrators.
When two different versions of software are communicating, the encryption negotiation will result in a
step-down to the weaker level. Therefore, the full benefits of stronger encryption will only be realized
when all software has been upgraded to the Global (release 5.0.4 and later) level. However, any mixed
versions of the software will interoperate.
The ″Register New User″ dialog box still offers a choice between North American and International IDs.
It was left this way because administrators often use the North American or International distinction for
administration purposes, or there may be older versions of the software still in use in some companies. In
addition, countries have their own import rules. Preserving this distinction will allow Lotus to respond to
specific country changes, if required.
Note: These regulations pertain only to export from the United States. For other countries with import
regulations, customers need to check the requirements of the specific country. While Lotus takes all steps
to acquiesce with governmental encryption regulations worldwide, Lotus recommends that customers
familiarize themselves with local encryption regulations to remain in compliance.
Interoperability issues
v Support for ID types. Both North American and International ID types continue to be supported for
the Global release. This is for backward compatibility with pre-5.0.4 clients. Lotus Notes users can keep
their existing International IDs if the Global version of the software is installed. The Global version will
automatically allow the use of stronger encryption. Browser users can keep their existing key ring, but
users must follow the manufacturer’s recommendations for upgrading the browser to stronger
encryption.
v Interoperability with post-5.0.4 releases. If your organization’s clients and servers are all running
release 5.0.4 or later, it makes no difference whether you create North American or International IDs.
Both types of ID will work the same way.
v Interoperability with pre-5.0.4 releases. Lotus Notes users, as well as Domino servers which have been
upgraded to release 5.0.4 and later, can authenticate and continue day-to-day operations securely with
clients and servers running on earlier releases of software. However, if your organization has clients or
servers running releases earlier than Notes and Domino 5.0.4, you should continue to create the same
types of IDs you created with the earlier versions. International versions of releases prior to 5.0.4 do
not allow users to switch to North American IDs, so when registering new international users, you
The best strategy for deciding between North American and International IDs is to continue using the
decision process that was in place for earlier releases of Notes and Domino. Eventually, as you upgrade
the Notes clients and Domino servers, the decision will not matter.
Mail encryption
Mail encryption protects messages from unauthorized access. Only the body of a mail message is
encrypted; the header information -- for example, the To, From, and Subject fields -- is not.
Notes users can encrypt mail sent to other Notes users or to users of mail applications that support
S/MIME -- for example, Microsoft Outlook Express.
Users can use Notes mail encryption to encrypt mail sent to other Notes users, encrypt mail received
from other Notes users, or encrypt all documents saved in a mail database. Notes uses the recipient’s
public key, which is stored in the sender’s Personal Address Book or in the Domino Directory, to encrypt
outgoing and saved mail.
In general, mail sent to users in a foreign domain cannot be encrypted. However, if the recipient of the
mail uses Notes and the sender has access to the recipient’s public key, the sender can encrypt the mail
message. The recipient’s public key can be stored in the Domino Directory, in an LDAP directory to
which the sender has access, or in the sender’s Personal Address Book.
Notes users can also use S/MIME to encrypt mail sent to recipients who use mail applications that
support S/MIME. Senders must have the recipient’s public key in order to encrypt the message for
S/MIME. The recipient’s public key is stored in an Internet certificate in either a Domino Directory or
LDAP directory to which the sender has access or in the sender’s Personal Address Book. The sender
must also have a cross-certificate that indicates to Notes that the recipient’s public key can be trusted.
For information on setting up a Notes client for S/MIME encryption, see the chapter ″Setting Up Clients
for S/MIME and SSL.″
Encrypting a message -- with either Notes mail encryption or S/MIME encryption -- does not affect the
speed at which the message is routed from sender to recipient. However, encryption does increase the
time required to send and to open a message. The extra time is required because the message must be
encrypted at the beginning of the transmission and decrypted each time the recipient opens it. The time
required to send and open a message is based on the size of the message and the number of bitmaps and
other graphics, objects, and attachments in the message. In most cases, the delay is not noticeable.
Encrypting mail
Encrypt outgoing, incoming, and saved mail to protect messages while they are in transit and stored in
mail databases on the server. Users can encrypt outgoing mail messages sent to recipients who use either
Notes or S/MIME. If recipients prefer to receive mail in MIME format, then encrypted mail will be in
S/MIME format. Users can encrypt incoming and saved mail only if they use Notes mail.
To encrypt outgoing mail: Encrypting outgoing mail ensures that only the recipient of a message can
read it while the message is in transit, stored in intermediate mailboxes, or in the recipient’s mail file.
Each Notes client user must encrypt outgoing mail. The administrator cannot encrypt all outgoing mail
on a server.
Senders control the choice of MIME format or Notes format when sending mail directly to the Internet or
for messages that are addressed to Internet addresses. Mail recipients control the format of incoming mail
in their user preferences. The message format determines the choice of encryption method.
Notes uses S/MIME encryption for outgoing mail in the following situations:
v The user selects ″directly to Internet″ in the ″Send outgoing mail″ field in the Mail tab of the current
Location document. Mail messages sent from this location will use MIME format.
The sender of an encrypted S/MIME mail message must find an Internet certificate for each intended
recipient and a cross-certificate that verifies the Internet certificate. The Internet certificate can be stored
in the Domino Directory, an LDAP directory that is accessible to the sender, or in the sender’s Personal
Address Book. The cross-certificate must be stored in the sender’s Personal Address Book. If a Notes
recipient’s Internet certificate is not available to the sender, Notes attempts to use the recipient’s Notes
public key (if available) to encrypt the message.
Some recipients may have dual Internet certificates, meaning one certificate is for encryption and the
other is for signatures and SSL. If the recipient uses dual certificates, Notes extracts the Internet
encryption certificate and uses it to encrypt the message.
The sender of an encrypted Notes mail message must have the public key for each intended recipient.
The public key can be stored in the Domino Directory, in an LDAP directory that is accessible to the
sender, or in the sender’s Personal Address Book.
To encrypt incoming mail for a mail file: If users have Editor access to their Person documents in the
Domino Directory, they can encrypt all incoming mail they receive. Otherwise, the administrator must
complete this procedure for them.
1. Open the user’s Person document in the Domino Directory.
2. Click Edit Person, and then click Basics.
3. In the field ″When receiving unencrypted mail, encrypt before storing in your mail file,″ select Yes.
4. Save the document.
To encrypt saved mail: Users can encrypt drafts of unsent messages and messages that they save after
sending. For unsent mail, the message is encrypted only with the sender’s public key. For sent mail, the
message is encrypted with the sender’s and the recipient’s public keys.
Only messages saved after this option is chosen are encrypted. To encrypt previously saved messages,
users must open and resave the messages. Encrypting saved mail prevents unauthorized access to
messages by other users with unauthorized access to the mail server.
Electronic signatures
Electronic signatures are closely associated with encryption. An electronic signature verifies that the
person who originated the data is the author and that no one has tampered with the data. Users can add
an electronic signature to mail messages and to fields and sections of documents. A database designer
controls whether or not users can sign fields and sections of a database can be signed; individual users
can choose to sign mail messages.
You can also set up Notes to use separate keys for S/MIME signatures and encryption, by adding two
Internet certificates to your Notes ID file and using one certificate for S/MIME encryption and the other
for S/MIME signatures and SSL client authentication. Having dual Internet certificates lets you maintain
separate public and private key pairs for encryption and electronic signatures and SSL client
authentication.
For information on creating signed fields and sections, see the book Application Development with Domino
Designer.
For information on dual Internet certificates, see the chapter ″Setting Up Clients for S/MIME and SSL.″
Note: Certificate trust checking occurs independently of hash decryption and comparison. Decryption
and comparison may succeed even if the certificate is not trusted. This might happen, for example,
when a user receives mail from a user in another company and that user doesn’t have a
cross-certificate.
S/MIME signatures
When the sender signs a message with an S/MIME signature, only the body of the message and
accompanying attachments are signed.
1. Notes generates a hash of the data being signed and then encrypts the hash with the private key of
the author of the data, forming a signature.
2. Notes attaches a certificate chain -- that is, all certificates in the hierarchy for the certificate -- and the
signature to the data.
3. When the reader accesses the signed data, Notes or the mail application attempts to decrypt the
signature using the public key that corresponds to the private key with which the data was signed. If
successful, Notes or the application verifies that the signer has a common certificate or common
certificate ancestor from a certifier that the reader trusts.
Note: Typically, the Notes user’s organizational certifier issues a cross-certificate to the signer’s
certificate authority (CA). Trust can also be established if the Notes user issues a cross-certificate
directly to the signer’s certificate or to the signer’s Certificate Authority. Or, the Notes user’s
organizational certifier can issue a cross-certificate directly to the signer’s certificate.
Note: Certificate trust checking occurs independently of hash decryption and comparison. Decryption
and comparison may succeed even if the certificate is not trusted. This might happen, for example,
when a user receives mail from a user in another company and that user doesn’t have a
cross-certificate.
For more information on cross-certificates, see the chapter ″Protecting and Managing Notes IDs.″
When sending signed messages to users of S/MIME mail applications, Notes users must have an
additional set of Internet public and private keys.
For information on obtaining Internet public and private keys, see the chapter ″Setting Up Clients for
S/MIME and SSL.″
You can set up both Notes and Internet certifiers to use the CA process.
To manage the CA process from the Domino console, you use a set of server Tell commands.
For more information on CA process Tell commands, see the appendix ″Server Commands.″
Another CA configuration document, the Certifier document, is created in the Domino Directory when
you set up the a certifier. This document can be modified.
1089
For more information, see the topic ″Modifying a certifier″ later in this chapter.
You configure the CRL when you create a new Internet certifier. You can specify the length of time for
which a CRL is valid and the interval between publication of new CRLs. After CRLs are configured, the
certifier issues them on a regular basis and they operate unattended.
Using CRLs, you can manage the certificates issued in your organization. You can easily revoke a
certificate if the subject of the certificate leaves the organization or if the key has been compromised.
HTTP servers and Web browsers check the CRLs to determine whether a given certificate has been
revoked, and is therefore no longer trusted by the certifier. When you use Internet Site documents to
configure Internet protocols on the Domino, you can also enable CRL-checking for each protocol.
There are two kinds of CRLs: scheduled and immediate. For scheduled CRLs, you configure a duration
interval -- the time period for which the CRL is valid -- and the interval at which new CRLs are issued.
Each certifier issues a CRL at the specified time, even if no certificates have been revoked since the last
CRL was issued. This means that if an administrator revokes a certificate, it appears in the next
scheduled CRL issued by the certifier. The CRL duration period should be greater than the time period
between each CRL issuance. This ensures that the CRL remains valid. Otherwise, the CRL could expire
before a new one is issued.
However, in the event of a critical security break -- for example, if the administrator needs to revoke a
particularly powerful certificate or the certifier certificate is compromised -- you can manually issue an
immediate CRL (that is, an unscheduled CRL ) to enforce the emergency revocation. This type of
revocation does not affect either the timing or the content of the next scheduled CRL. You use a Tell
command to issue an immediate CRL.
For more information on revoking a certificate, see the topic ″Revoking a certificate″ later in this chapter.
For more information on enabling CRL-checking, see the chapter ″Installing and Setting Up Domino
Servers.″
For more information on configuring a scheduled CRL, see the topic ″Creating an Internet CA″ later in
this chapter.
For more information on issuing a nonscheduled CRL, see the appendix ″Server Commands.″
If your organization has existing Domino certifiers, you can migrate them to the CA process.
Administering a Domino CA
There are a number of tasks associated with managing a certifier. If you implement a certifier that uses
the CA process, you can delegate Notes and Internet certificate request approval and denial to other
administrators, each of whom acts as a registration authority.
Note: Many of the manual tasks associated with managing a CA prior to Domino 6 are now automated
when you use the CA process.
The CAA must have at least Editor access to the master Domino Directory for the domain.
As a best practice, designate at least two CAAs for each certifier. You then have a backup if one leaves
the organization.
Note: By default, the administrator who creates a certifier is automatically designated as both a CAA and
an RA for that certifier. When you create additional CAAs, they must be assigned the RA role in order to
approve or deny a certificate request.
An RA should approve only those requests that will be accepted by the certifier. The CA Configuration
and Certificate Profile documents, stored in the CA’s ICL database, describes what is acceptable. A
current valid copy of the document is also stored with the certifier document as an attachment.
Domino administrators who register Notes users should also be listed as RAs for the Notes certifier, to
minimize the steps that are needed to have a certificate issued by the certifier.
If you are using the Web Administrator client, you need to set up a server-based certification authority to
register Notes users. The Web administrator, as well as the server on which the Web Administrator
database resides, must be listed as an RA for that certifier.
The Domino Registration Authority (RA) administrator is responsible for these tasks:
v Approve or deny Internet certificate requests.
v Revoke certificates if they can no longer be trusted, such as if the subject of the certificate leaves the
organization, or if the key has been compromised.
Field Action
Select the server where the certifier will run Select the server on which the migrated certifier will be
linked to the CA process. The ICL database for this certifier
will also be created on this server. Make sure that the client
location document points to this server.
Name of ICL database to be created (Optional) ICLs are created automatically when you create
a certifier, and named by default. You can modify the
default name (for example: ″icl\icl_Acme.nsf″ for the Acme
certifier).
Note: Although you can change the location of the ICL, it
is recommended that you use the default directory and
path.
Note: Encrypting a certifier ID with the password-protected Server ID protects only that certifier. If
you use a lock ID, you have the option of using it with multiple certifiers. You then need to lock and
unlock those certifiers simultaneously.
Field Action
Certificate duration for EE Enter the default, minimum, and maximum duration, in months, for an
certificate end-entity (EE) certificate. An end-entity certificate is granted to servers or end
users.
Certificate duration for CA Enter the default, minimum, and maximum duration, in months, for an
certificate certificate authority (CA) certificate. A CA certificate is granted to certifiers.
5. Click OK. A message appears saying that you have successfully migrated the certifier.
6. Add the certifier to the CA process.
Note: You need to reload the CA process each time you restart a server. You can do this through the
server console command ″load ca,″ or you can have it happen automatically by adding the parameter ca
to the ServerTasks= line in the server’s NOTES.INI file.
For more information on using CA server commands, see the appendix ″Server Commands.″
The server returns a list of all certifiers using the CA process and their current status. The number
associated with each certifier is used in some CA Tell commands.
For example:
10/22/2001 02:38:12 pm CA Process status:
10/22/2001 02:38:12 pm 1. O=Acme
10/22/2001 02:38:12 pm Certifier type: Notes
For more information about using CA Tell commands, see the appendix ″Server Commands.″
Note: Encrypting a certifier ID with the password-protected Server ID protects only that certifier. If
you use a lock ID, you have the option of using it with multiple certifiers. You then need to lock and
unlock those certifiers simultaneously.
9. (Optional) In the Administrators list, enter the names of additional CAAs and RAs. The name of the
administrator creating the CA is automatically included in the list as both a CA administrator and an
RA administrator.
10. On the Certificates tab, complete these fields:
Field Action
Include CRL distribution point extension Enable an attribute that identifies the location of for the certifier
CRL. It is recommended that you use this option so that you
can revoke certificates after they are issued. This is enabled by
default.
Backdate certificate validity The certificate validity period is the time interval during which
the CA warrants that it will maintain information about the
status of the certificate. In the event that the date on which the
certificate becomes valid is different than the date on which it is
created, you can choose to backdate the certificate’s validity
period. This option is enabled by default. You cannot enter a
date.
Certificate duration Enter the default, minimum, and maximum certificate duration
in months.
Key usage Choose the key usage extensions for this certificate.
Note: The only certificate type you can create is an end -entity certificate, and the option is enabled by
default. This means that Internet certificates issued by this certifier apply to users of certificates and/or
end-user systems that are subjects of a certificate.
11. Click Miscellaneous, and then click ″Create a local copy of the certifier ID.″ Specify the certifier ID file
name and password, and click OK. A copy of the certifier ID is saved to the default path
...\notes\data\ids\certs\cert.id. You can select a different path. Use this local copy of the certifier ID
as a backup to re-create the certifier if it become corrupted.
12. Complete these fields to specify Certificate Revocation List information for this certifier:
Field Action
Duration of CRL (in days) Enter the length of time, in days, for which a given CRL is valid. It is
recommended that this time period extend beyond the time period between
issued CRLs, as this ensures that the CRL is always valid.
Time between CRLs (in days) Enter the time interval, in days, between issued CRLs.
13. Complete these fields to specify ″Key and certifier certificate″ information for this certifier:
Field Action
Signing algorithm Select the algorithm used to encrypt the certificate’s signature.
14. Complete these fields to specify the Certifier PKIX Alternative Name(s) information for this certifier:
The Certifier PKIX Alternative name field is for the Issuer Alternate Name. The Domino server-based
CA does not support the use of Subject Alternate Names.
Note: A PKIX Alternative Name is not the same as a Notes alternate name. The Notes alternate name
is the foreign language version of a user name.
Field Action
Type Enter the type of alternative name you want to use.
Value Enter the alternative name you want to use.
The following table describes the key usage extensions available for certificates created using the CA
process.
Note: The digital signature and data encipherment key usage extensions are enabled by default for all
Internet certificates.
If the extension is non-critical, it indicates the intended purpose or purposes of the key and may be used
in finding the correct key/certificate of an entity that has multiple keys/certificates. The extension is then
only an informational field and does not imply that the CA restricts use of the key to the purpose
indicated. Nevertheless, applications that use certificates may require that a particular purpose be
indicated in order for the certificate to be acceptable.
If a certificate contains both a critical key usage field and a critical extended key usage field, both fields
must be processed independently, and the certificate be used only for a purpose consistent with both
fields. If there is no purpose consistent with both fields, the certificate must not be used for any purpose.
You can store Certificate Requests databases on any server in the domain, including servers that reside
outside of a network firewall.
For more information on using the Certificate Requests database to process certificate requests, see the
chapter ″Setting Up Clients for S/MIME and SSL.″
Field Action
Supported CA Do the following:
1. In the Server field, enter the name of the server that hosts the Internet certifier.
2. In the Certifier field, enter the name of the Internet certifier to associate with the
Certificate Request database.
Supported certificate types Choose one:
v Client certificates only -- Select this option if the certifier will issue client Internet
certificates. Do not select this option if you want to create a server key ring for
SSL. If you select this option, you must customize client requests.
v Server certificates only -- Select this if the certifier will issue server Internet
certificates. If you select this option, you must customize server requests.
v Both client and server certificates -- Select this if the certifier will issue both client
and server Internet certificates. If you select this option, then you need to
customize both server and client requests.
Field Action
Validity period Enter the number of years that client requests generated with this database will
specify as a validity period, beginning at the time of request submission. Default is 1
year.
Key usages Choose the default key usage that will be submitted in client certificate requests
generated from this database. Default settings are Key Encipherment and Digital
Signature, which are sufficient for a client S/MIME certificate.
Field Action
Validity period Enter the number of years that server requests generated with this database will
specify as a validity period, beginning at the time of request submission. Default
is 1 year.
Key usages Choose the default key usage that will be submitted in server certificate requests
generated from this database. Default settings are Key Encipherment and Digital
Signature, which are sufficient for an SSL server certificate.
Extended key usages The default extended key usage that will be submitted in server certificate
requests generated from this database. Default is Server Authentication.
9. For ″Processing method,″ choose the method by which requests are submitted to the Administration
Process:
v Manual (default) -- Choose this if you want an administrator to review requests submitted to the
Certificate Requests to approve or deny each request individually before it is submitted to the
Administration Request database (admin4.nsf) for further processing.
v Automatic -- Choose this to have requests submitted to the Administration Request database
processed without administrator intervention. Requests will be approved or denied according to
the certificate policy. If this method is chose, the ″Automatic Transfer Server field appears, in
which you need to specify the server running the administration process and to which certificate
requests will automatically be transferred.
Note: If the Automatic method is chosen, the administrator (signer of the agent) must be listed in
the group of users who can run unrestricted methods and operations on the server. This can be set
on the Security tab in the Server document. There must also be a replica of the Certificate
Requests database on the specified transfer server.
10. For ″Mail notification,″ choose whether or not to send e-mail notification when a certificate request
has been processed by the CA.
v Yes (default) -- Choose this if you want the requester to be notified by e-mail when a certificate
request has been processed by the CA.
v No -- Choose this if you do not want the requester to be notified by e-mail when a certificate
request has been processed by the CA.
11. Click Save & Close.
For information on approving server certificate requests for Domino servers that are not CA servers, see
the topic ″Signing server certificates″ later in this chapter.
Field Action
File name Enter a file name for the Key Ring file and keep the .kyr.
Password Enter a password for the key ring file.
Key size Choose a key size.
Common name Enter the fully qualified host name -- for example, server.company.com.
Organization name Enter the name of the certifier organization.
State or province Enter the full name of the state or province in which the organization is located.
Country Enter a two-letter abbreviation for the country in which the organization is located.
c. Verify the information in the ″Key Ring Created″ dialog box, then click OK to add your CA as a
trusted root and generate a certificate request for the server.
d. Verify the information in the ″Merge Trusted Root Certificate Confirmation″ dialog box and click
OK.
e. When the ″Certificate received into key ring and designated as trusted root″ confirmation dialog
box appears, click OK.
f. When the ″Certificate Request Successfully Submitted for Key Ring″ dialog box appears, click OK.
If you chose Automatic as the processing method used by the Certificate Requests database, continue
with Step 5. If you chose Manual, then complete Steps 4 through 6.
4. Do the following to transfer the certificate request to the Administration Requests database:
a. In the Certificate Requests database, open the Submitted/Waiting for Approval view. If the
request does not appear, press F9 to refresh the view.
b. If the request has been ″Submitted to Administration Process,″ continue with Step 5. If the
request is still Pending, highlight the request and click ″Submit Selected Requests.″
c. When you see ″Successfully submitted 1 request(s) to the Administration Process,″ click OK.
5. Have an authorized registration authority approve the request. This RA should be authorized for the
certifier for which you are setting up SSL.
a. Open the Administration Requests database (Admin4.nsf), and then open the Certification
Authority Requests/Certificate Requests view and find the new request.
b. Open the request and verify the information in it.
c. Click Edit Request, then Approve Request. Press F9 until the request changes to ″Issued.″
6. Transfer the certificate request out of the Administration Requests database:
a. Close the Administration Requests database and return to the Certificate Requests database.
b. Open the Pending/Submitted Certificates view and locate the request. If necessary, refresh the
view.
c. If the certificate has not yet been issued, click ″Pull Selected Request(s).″
7. After the CA signs the request for a server certificate and notifies you to pick up the certificate, do
the following:
a. Do one:
Note: As an optional step, while editing the Server document, enable ″Session authentication″ in
the Internet Protocols/Domino Web Engine section. This ensures that HTTP sessions will time
out in the number of minutes that are specified in the ″Idle session timeout″ field. The Maximum
active sessions may also be specified.
b. If HTTP is already running, at the console type ″te http restart″ to enable SSL on the server.
c. To show SSL status and to verify that the HTTP server is listening on both 80 and 443, type ″te
http show security″ at the server console.
10. Do the following to confirm that SSL is working on the server.
a. Open a browser, and enter the URL of the server -- for example:
https://Server.Company.com/certreq.nsf
b. If the ″New Site Certificate″ dialog box appears, click Next.
c. Click More Info to verify the information, then click Next.
d. Decide whether or not to accept the new site certificate, and for how long, then click Next.
e. Decide whether or not you want to see a warning every time you access the new site, then click
Next. When the dialog box appears, click Finish.
If the Security indicator (a padlock icon) is closed (locked), you have successfully established a secure
session over SSL.
Note: If you chose Automatic as the processing method used by the Certificate Requests database, you
only need to complete Step 3. If you chose Manual processing, then complete the entire procedure.
Modifying a server-based CA
After you migrate or create a certifier, you can modify it through the certifier ICL or through the certifier
document in the Domino Directory. Note that how you open a certifier to modify it affects the number
and type of changes you can make.
Note: Only CA administrators can modify a server-based CA. A CA administrator must have Editor
access to the Domino Directory in order to modify a certifier.
Note: If the certifier is protected with a lock ID, you must unlock it in order to modify it.
6. In the Certifier dialog box, modify the certifier as needed. You can change these features:
v Method for activating the certifier ID
v CAs and RAs, and roles of current entries
v CRL distribution point extension (Internet certifiers only)
v Enable or disable backdating of certificate
v Certificate duration
v Certificate key usage (Internet certifiers only)
v CRL publication and duration (Internet certifiers only)
7. Click OK.
Note: If the certifier is protected with a lock ID, you must unlock it in order to modify it.
v On the Basics tab, you can modify certifier name and issuer.
v Click ″Modify CA configuration″ to change CAA and RA associations.
2. Click Save and Close.
Revoking a certificate
A CA administrator can easily revoke an Internet certificate -- for example, if the subject of the certificate
leaves the organization, or if the key has been compromised. After a certificate is revoked, it can never
again be trusted.
If you revoke a certificate, especially if a key has been compromised, issue an immediate CRL so that any
entity checking CRLs has the most updated revocation information.
To revoke a certificate
1. From the Domino Administrator, click Files. Open the ICL directory.
2. From the list of ICL databases, open the ICL for the certifier that issued the certificate you need to
revoke.
3. Open the Issued Certificates\By Subject Name view.
4. Open the Issued Certificate document for the certificate you want to revoke. The document name is
the same as the subject name.
5. At the top of the document, click ″Revoke Certificate.″
6. In the Revocation Reason dialog box, select the reason for revoking the certificate, and click OK. This
sends a revocation request to the Administration Requests database.
7. Once you have made sure that the certifier has processed the revocation request and revoked the
certificate, issue an immediate (non-regular) CRL.
For more information on issuing immediate CRLs, see the appendix ″Server Commands.″
To back up a certifier
1. When you create a new certifier, keep a local copy of the certifier ID file.
2. After you create the certifier, make a copy of the ICL database and keep it in a safe place. Back up the
ICL periodically to incorporate any changes you make to the certifier.
3. Make copies of the following (if you use them) and keep in a safe place:
v the lock ID and its corresponding password;
v the activation password;
v the server ID file.
To recover a certifier
1. From the Admin client, click Configuration.
2. On the Tools pane, choose Certification - Modify Certifier.
3. Select the CA server from the list, and click OK.
4. Select the server that hosts the CA you want to modify, if necessary.
5. Select the certifier to recover by doing one of the following:
v Select the certifier document from the Domino Directory.
v Select the certifier ICL database.
6. You may be prompted for the certifier ID and password. Enter the path and filename for the local
copy of the ID that you created when you first set up the certifier, and click OK.
Note: You will be prompted for the certifier ID only if the certifier determines that it cannot proceed
without it.
7. In the Modify Certifier dialog box, confirm that the certifier information is correct. Click OK.
If the certifier is still having problems -- for example, configuration documents are corrupted or missing
-- replace the ICL database with the back up copy. The location of the ICL database is specified in the
certifier document.
Disabling a certifier
To modify a Certifier document, you must have Editor access to the Domino Directory. Full-access
administrators and administrators have this access by default; however, be sure that all certificate
authority (CA) administrators also have this access.
1. From the Domino Administrator, click Configuration and open the Certificates view in the Server
pane.
2. Select the certifier document you want to disable and double-click to open it.
3. Click Edit Certifier.
4. On the CA Configuration tab, disable the CA process for the certifier.
A Workplace user requests an S/MIME certificate by sending an email to the Certificate Request database
(certreq.nsf) of the CA from which the certificate is being requested. The email is signed by a Workplace
agent, which vouches for the identity of the requester.
Another database agent converts the email to a certificate request, which then undergoes the normal
certificate request process. When the certificate is approved, it is returned to the Certificate Request
database. Another agent then mails the certificate back to the original requester.
The approval process for WCS requests differs in that the Domino administrator must manually approve
or reject the email request in the Certificate Request database. The administrator does not have to be
listed as an RA for the certifier. If the request is approved, then the certificate is sent to the
Administration Request database for processing.
The Workplace server communicates with the Domino CA through a Workplace PKI adapter. The adapter
actually signs and sends the certificate requests to the Domino CA, and processes the issued certificates.
The first time a certificate request is sent to the Domino CA, the PKI adapter actually sends a certificate
request for itself to Domino. The certificate issued to the adapter as a result of this request is the
adapter’s signing certificate, which is used by the adapter to sign client certificate requests submitted to
the Domino CA. The Domino PKI adapter’s certificate request is itself unsigned, however, and is the only
unsigned certificate request submitted to the Domino CA.
Note: In order for the Certificate Request database to receive email requests, the administrator must
make it a mail-in database in the Domino Directory.
SSL security
Secure Sockets Layer (SSL) is a security protocol that provides communications privacy and
authentication for Domino server tasks that operate over TCP/IP.
To set up SSL on your server, you need a key ring containing a server certificate from an Internet
certificate authority. You can request and obtain a server certificate from either a Domino or third-party
certificate authority (CA) and then install it in a key ring. A server certificate is a binary file that uniquely
identifies the server. The server certificate is stored on the server’s hard drive and contains a public key, a
name, an expiration date, and a digital signature. The key ring also contains root certificates used by the
server to make trust decisions.
This describes the process to follow if you need to set up SSL on a Domino server that is not already a
Domino certificate authority server. You complete the setup process regardless of whether you request a
server certificate from a Domino or third-party CA.
1107
Note: You can enable SSL on a server when you register the server if you have already have a Domino
server-based certification authority running in the Domino domain.
For more information about enabling SSL on a server at server registration, see the chapter ″Installing
and Setting Up Domino Servers.″
Tip: To hide the Server Certificate Admin application when users choose File - Database - Open, deselect
″Show in ’Open Database’ dialog″ in the Database Properties box.
Note: If you are requesting a server certificate from a server-based certification authority, you can use the
Notes client to create the server key ring and request a server certificate in the Certificate Requests
database.
For more information, see the topic ″Requesting an SSL server certificate″ later in this chapter.
Field Action
Key Ring File Name Enter the key ring file name. The default is KEYFILE.KYR. It’s helpful to use the
extension .KYR to keep key ring file names consistent.
Note: the server’s key ring file name appears in any Internet Site documents that you
have configured, or, if Internet Site documents are not being used, on the Ports - Internet
Ports tab of the Server document. If you specified a name other than the default, you
need to edit the name where it appears - in the Internet Site documents or in the Server
document.
Key Ring Password Enter the password for the key ring.
Key Size Specify the key size Domino uses when creating the public and private key pairs. The
larger the size, the stronger the encryption.
Common name Enter the server’s TCP/IP fully-qualified domain name -- for example, www.acme.com.
Set up the server certificate so that the common name matches the host name since some
browsers check for this match before allowing a connection.
Organization Enter the name of the organization -- for example, a company name, such as Acme.
Organizational Unit (Optional) Enter the name of certifier division or department.
City or Locality (Optional) Enter the organization city or locality.
State or Province Enter the full name of the state or province in which the certifier organization resides.
Country Enter the two-character abbreviation of country in which organization resides
A certificate request is essentially certificate data that has not been signed by a CA. The CA turns the
request into a certificate by signing it.
If you are requesting a server certificate from a server-based certification authority, you can use the Notes
client to create the server key ring and the server certificate in the Certificate Requests database. You
must be able to access the Domino server using the Notes client.
Field Action
File name Enter a file name for the Key Ring file and keep the .kyr.
Password Enter a password for the key ring file.
Key size Choose a key size.
Common name Enter the fully qualified host name -- for example, server.company.com.
Organization name Enter the name of the certifier organization.
State or province Enter the full name of the state or province in which the organization is located.
Country Enter a two-letter abbreviation for the country in which the organization is located.
c. Verify the information in the ″Key Ring Created″ dialog box, then click OK to automatically add
the CA as a trusted root and generate a certificate request for the server.
d. Verify the information in the ″Merge Trusted Root Certificate Confirmation″ dialog box and click
OK.
e. Click OK when the ″Certificate received into key ring and designated as trusted root″ confirmation
dialog box appears.
f. Click OK when the ″Certificate Request Successfully Submitted for Key Ring″ dialog box appears.
After an RA approves the request for a server certificate, the CA issues a server certificate and sends
notification that you can pick up the certificate.
3. In the Issued/Rejected Certificates view, open the issued server request and copy the Request ID to
the Clipboard.
4. Choose Domino Key Ring Management - Pickup Key Ring Certificate.
5. Enter the key ring file name and password, paste the pickup ID into the form and click Pickup
Certificate.
6. Verify the information in the ″Merge Signed Certificate Confirmation″ dialog box and click OK.
7. When the ″Certificate received into key ring″ dialog box appears, click OK.
8. Copy or use FTP (in binary mode) to transfer the new key ring and its associated .STH file to the
server’s data directory.
Field Enter
Key Ring File Name The name of the server key ring file, including the path to the file
Log Certificate Request Choose one:
v Yes (default) to log information in the Server Certificate Admin application
v No to not log information
Method Choose Paste into form on CA’s site
Field Enter
Key Ring File Name The name of the server key ring file including the path to the file
Log Certificate Request Choose one:
v Yes (default) to log information in the Server Certificate Admin application
v No to not log information
Note: This procedure is the same regardless of whether you are using a Domino server-based
certification authority or a Domino 5 certificate authority.
1. Make sure that you requested the server certificate and mapped a drive to the directory that contains
the key ring file.
2. Browse to the certificate authority application (the Certificate Requests application for a server-based
certification authority, and the Domino Certificate Authority for a Domino 5 Certificate Authority) on
the Domino CA.
Note: If you use Microsoft Internet Explorer, use HTTP to connect to the application.
3. Click ″Accept This Authority in Your Server.″
4. Highlight the certificate text and copy it to the system Clipboard (include the Begin Certificate and
End Certificate lines).
5. From the Notes client, open the Server Certificate Admin application.
6. Click ″Install Trusted Root Certificate into Key Ring.″
7. Enter the name of the key ring file that will store this certificate. You specified this name when you
created the server certificate request.
8. Enter the name that the key ring file will use to identify this certificate. If you leave this field blank,
Domino uses the distinguished name of the certificate.
9. In the Certificate Source field, choose Clipboard. Paste the Clipboard contents into the next field.
10. Click ″Merge Trusted Root Certificate into Key Ring.″
11. Enter the password for the key ring file, and then click OK.
12. Have the CA sign the server certificate.
From a third-party CA: View the default trusted roots in the key ring file to make sure the third-party
CA’s certificate is not already included. If it is already included, you do not need to complete these steps.
For more information on how a Domino server-based certification authority signs certificates, see the
chapter ″Setting Up a Domino Server-Based Certification Authority.″
For more information on how a Domino 5 certificate authority signs certificates, see the chapter ″Setting
Up a Domino 5 Certificate Authority.″
Signing methods for third-party CAs will vary. If you choose to use a third-party CA, check with that CA
for information about how they sign certificates.
Note: This procedure is the same regardless of whether you are requesting a server certificate from a
Domino server-based certification authority or a Domino 5 certificate authority.
1. Make sure the CA signed the certificate and you mapped a drive to the directory that contains the
server key ring file.
2. Obtain the server certificate by doing one of the following:
v If the CA gave you the URL to use to pick up the certificate in the Domino Certificate Authority
database, browse to the URL provided in the e-mail.
or
v Obtain the pickup ID from the CA, and then do the following:
a. Open the Certificate Requests or Domino 5 Certificate Authority application with a browser.
b. Click Pick Up Server Certificate.
c. Enter the pickup ID and click ″Pick Up Signed Certificate.″
3. Highlight the certificate text and copy it to the system Clipboard (include the Begin Certificate and
End Certificate lines).
4. From the Notes client, open the Server Certificate Admin application.
5. Click ″Install Certificate into Key Ring.″
6. Enter the file name for the key ring that will store this certificate. You specified this key ring file
when you created the server certificate request.
7. In the Certificate Source field, choose Clipboard. Paste the Clipboard contents into the next field.
8. Click ″Merge Certificate into Key Ring.″
9. Enter the password for the key ring file, and then click OK to approve the merge.
10. Configure the SSL port.
You must enable SSL on a protocol-by-protocol basis. Some Internet protocols do not support client
certificate authentication.
If you are using Internet Site documents, you configure most SSL port parameters in the Internet Site
document for each protocol. However, you must still configure the following settings in the Server
document for each Internet protocol: TCP/IP port and status, SSL port and status. You must also specify
whether you want to enforce server access settings for the TCP/IP port of a given protocol.
Using server authentication only: Server authentication encrypts data and authenticates server identity.
To control access to databases on the server by user name, set up name-and-password authentication. To
enable SSL for server authentication only:
v The server must have a certificate from a Domino or third-party CA.
v The clients must have the server’s CA certificate marked as a trusted root. Clients can also trust the
SSL server certificate directly, by creating a cross-certificate for it.
v If you are using a Notes client, the Notes client must have a cross-certificate for the server CA or the
SSL server’s certificate.
For more information on name-and-password authentication, see the chapter ″Setting Up
Name-and-Password and Anonymous Access to Domino Servers.″
Using client certificate authentication: In addition to the security provided by server authentication,
client certificate authentication verifies the client’s identity through the use of Internet (x.509) client
certificates. Using server and client certificate authentication, you can control access to databases by
specifying individual client user names in the database ACLs. To enable SSL for client certificate
authentication:
v Complete the above requirements for server authentication.
v The clients must have certificates from a Domino or third-party CA.
v The server must have the client’s CA certificate marked as a trusted root.
v Each client must have a Person document in the Domino Directory that contains the SSL public key
from the client certificate.
For more information on setting up client authentication, see the chapter ″Setting Up Clients for
S/MIME and SSL.″
If you are using Internet Site documents, see the chapter ″Installing and Setting Up Domino Servers.″
Field Enter
SSL key file The file name of the server key ring file that the server uses.
Note: Domino does not use this field for IIOP, which uses a separate key ring file.
You cannot change the name of the IIOP key ring file.
SSL protocol version Choose one:
v V2.0 only to allow only SSL 2.0 connections.
v V3.0 handshake to attempt an SSL 3.0 connection. If this fails and the requester
detects SSL 2.0, then attempts to connect using SSL 2.0.
v V3.0 only to allow only SSL 3.0 connections.
v V3.0 and V2.0 handshake to attempt an SSL 3.0 connection, but start with an
SSL.2.0 handshake, which displays relevant error messages. Makes an SSL 3.0
connection, if possible.
v Negotiated (default) to attempt an SSL 3.0 connection. If it fails, the server
attempts to use SSL 2.0. Use this setting unless you are having connection
problems caused by incompatible protocol versions.
Note: Domino does not use this field for HTTP.
Accept SSL site certificates Choose one:
v Yes to allow this server to accept the site certificate and use SSL to access an
Internet server, even if the Domino server does not have a certificate in common
with the Internet server.
v No to not allow this server to accept site certificates.
Accept expired SSL certificates Choose one:
v Yes to allow clients to access the server, even if the client certificate is expired.
v No to not allow clients to access the server with expired client certificates.
4. Click the tab for the protocol that you want to configure, and then complete these fields:
Field Enter
SSL port number Enter the port number on which Domino listens for SSL requests. You configure
this here regardless of whether you are using Internet Sites or the Web
Configurations view.
Note: If you change the default port number, clients must change their
configurations as well. The default port number is usually changed only if a
firewall proxy uses the reserved port number.
SSL port status Choose Enabled to allow SSL connections on the port. You configure this here
regardless of whether you are using Internet Sites or the Web Configurations view.
Note: Since a Domino server can be either an SMTP server or an SMTP client, you
have two choices for the SSL port status field. To set up a Domino server as an
SSL-enabled SMTP server, choose Enabled in the SMTP Inbound field.
If you choose Yes for both Anonymous and Client certificate, Domino first tries to
authenticate the client. If that fails, Domino tries to connect the user anonymously.
If you choose Yes for Anonymous, Client certificate, and Name & password,
Domino first tries to authenticate the client using the client certificate. If that fails,
Domino tries to use name-and-password authentication. If that fails, Domino tries
to connect the user anonymously.
You can set up the redirection of TCP/IP to SSL for the HTTP, IMAP, and LDAP protocols only. POP3
and SMTP do not support the ″Redirect to SSL″ setting.
For individual databases: You can also require clients to use SSL to connect to the server on a
database-by-database basis, by configuring the requirement to connect with SSL in the database
application itself.
1. Start the Notes client.
2. Select the database for which you want to force clients to use SSL.
3. Open the Database Properties box.
For more information, see the chapter ″Controlling User Access to Domino Databases.″
If you obtained a server certificate from a Domino certificate authority, request a new one.
If you obtained a server certificate from a third-party certificate authority, you may be able to renew it by
submitting a request to the third-party CA’s Web site, which often includes your user name, password,
and a challenge phrase. If it is possible to renew your server certificate, this information is accepted and
you will be prompted to renew. If you cannot renew your server certificate, you will have to submit a
request for a new one.
Field Enter
Key ring file name A file name with the extension .KYR.
Key ring password At least 12 case-sensitive, alphanumeric characters.
Common name A descriptive name that identifies the server certificate -- such as, Acme SSLCA.
Organization The name of the organization -- for example, a company name, such as Acme.
Organizational Unit (Optional) Name of certifier division or department.
City or Locality (Optional) The organization city or locality.
State or Province Three or more characters that represent the state or province in which the organization
resides -- for example, Massachusetts. (For U.S. states, enter the complete state name,
not the abbreviation.)
Country A two-character representation of the country in which the organization resides -- for
example, US for United States or CA for Canada.
4. Copy the key ring file and stash (.STH) file to the Domino data directory of the server.
5. Configure the port for SSL.
6. Set up database access.
The session key is negotiated during the handshake -- the main purposes of the handshake are to
generate the session key and to identify the server to the client and, optionally, the client to the server.
The size of the session key is determined by the cipher being used. For example, the cipher
RSA_WITH_RC4_128_MD5 uses a 128-bit session key. The cipher
RSA_EXPORT_WITH_DES40_CBC_SHA uses a 40-bit session key.
What ciphers are available are also limited by the size of the server’s public key. The RSA_EXPORT_
ciphers can only be used with 512-bit RSA keys and smaller. The RSA_EXPORT1024_ ciphers can only be
used with 1024-bit RSA keys and smaller. Ciphers that do not contain the EXPORT designation do not
have any RSA key size restrictions.
You can restrict the use of SSL ciphers for Internet protocols. You can specify the use of a 128-bit cipher
only for the HTTP service, for example, to require users to access a server using a domestic browser
version. If no configuration parameters are set, then there is no restriction on the SSL ciphers used for
that protocol.
There are three ways to configure SSL ciphers, depending on how you choose to configure Internet
protocols on your Domino server:
For example, to enable 3DES and RC4128SHA ciphers, enter the following line in the NOTES.INI file:
SSLCipherSpec=050A
CAUTION:
Using SSLCipherSpec overrides all SSL cipher restrictions in Internet Site documents and in the
Server document.
When you mark the domain as trusted, Domino searches the primary Domino Directory for the user and
then searches the trusted secondary Domino and LDAP directories. When you set up directory assistance,
you specify the order in which Domino searches the secondary directories.
In addition, Domino checks the primary Domino Directory and secondary directories you trust when you
add SSL client certificates to the Domino Directory using the Domino Certificate Authority application.
You cannot, however, add client certificates to an LDAP directory even if the LDAP directory is set up on
a Domino server.
It is recommended that you use SSL to secure information sent between the server and the LDAP
directory server.
For information on using SSL for LDAP directory lookups, see the chapter ″Setting Up Directory
Assistance.″
The hierarchical name returned by the Domino Directory or LDAP directory is checked against the
trusted rule in the Directory Assistance database to verify that the organization and organizational units
match the specified rule. For example, if the user name returned is Dave Lawson/Acme, the Directory
Assistance document must include the rule */Acme.
Searching multiple directories is also available for authenticating users who use name-and-password
authentication.
For more information on setting up secondary Domino and LDAP directory authentication of SSL clients,
see the chapter ″Setting Up Directory Assistance.″
By default, the server caches information from the 50 most recently negotiated sessions. This number can
be modified by setting the variable SSL_RESUMABLE_SESSIONS in the NOTES.INI file. Increasing that
number may improve performance on servers that tend to carry large numbers of concurrent SSL
sessions.
SSL_RESUMABLE_SESSIONS has no effect on the Notes client. The Notes client will cache the most
recent SSL session.
Note: You cannot configure SSL sessions to time out and expire.
On the server, SSL is set up on a protocol-by-protocol basis. You can enable SSL on all protocols or enable
SSL on some protocols but not others. For example, you can enable SSL on mail protocols (IMAP, POP3,
SMTP) and disable it for HTTP.
Server authentication lets clients verify the identity of the server to which they are connecting, to make
sure that another server is not posing as the server they want to access.
Client certificate authentication lets server administrators identify the client accessing the server and
control access to applications based on that identity. For example, if you want Alan Jones to have Editor
access to a database and all others accessing the database to have no access, you can set up the
application database ACL to include Alan Jones as an Editor and Anonymous as No Access.
Notes and other Internet clients that use client certificate authentication have an Internet certificate that is
stored in the Notes ID file for Notes client, and in a local file for Internet clients. The certificate includes a
public key, a name, an expiration date, and a digital signature. The corresponding private key is stored in
the ID file, but is stored separately from the certificate. For Notes clients, the client certificate is also
stored in the Domino Directory so that others can access the public key.
Notes and Internet clients can obtain Internet certificates from either a Domino certification authority or a
third-party certifier.
How you set up the client depends on whether the server requires client certificate authentication.
As an administrator, you should carefully consider whether you want to require client certificate
authentication. If you do not need to identify Internet users who access the server, you do not need to set
up client authentication. In fact, in some cases, requiring an Internet certificate may deter users from
accessing a server -- for example, a server that hosts a Web site. If you require an Internet certificate,
users need to perform additional steps to obtain the certificate and set up client certificate authentication.
Note: By enabling the setting ″Accept SSL Site Certificates″ in the Location record, the Notes client can
ignore cross-certificates and server authentication entirely. The user can also choose to create
cross-certificates on the fly when connecting to a server using SSL.
1123
Outlook Express. The Notes client uses the public key stored in the Internet certificate in the Personal
Address Book, Domino Directory, or LDAP directory to encrypt messages.
Encrypted mail messages cannot be read by unauthorized users while the message is in transit.
Electronically signed messages show that the person who signed the message had access to the private
key associated with the certificate stored in the signature.
For more information on S/MIME signatures and encryption, see the chapter ″Encryption and Electronic
Signatures.″
On the server, SSL is set up on a protocol-by-protocol basis. You can choose to enable SSL on all
protocols, or enable SSL on some protocols but not others. For example, you can enable SSL on mail
protocols (IMAP, POP3, SMTP) and disable it for HTTP. You must also enable the port for anonymous
access; otherwise, Domino requires an Internet certificate or a name and password from the client.
Note: Secure transactions are indicated by the use of the term https:// in URLs for SSL-secured sites. A
browser user can specify this when initiating a secure transaction. More likely, the user will navigate to a
login page, where it is necessary to log in with a name and password in order to access the secure Web
page.
Notes clients can also obtain a trusted root certificate and cross-certificate to gain access to the server;
however, adding the trusted root certificate to the Domino Directory simplifies the process of setting up
server authentication for users.
Note: A users can accept certificates automatically, without having to obtain the roots or cross-certificates,
by enabling the option ″Accept site certificates″ in the location document for the Notes client. However,
accepting certificates from unknown servers is a security risk. If a user doesn’t know the sources of the
certificates being accepted, it is possible to accept certificates from malicious sources.
If the trusted root certificate is for a Domino CA, the Internet client performs these steps:
1. Browse to the Domino Certificate Requests (for Domino 7) or Certificate Authority (Domino 5)
application.
2. Select ″Accept This Authority In Your Browser.″
Note: If you use an SSL connection to browse to the application, the server prompts you to accept the
site certificate. Check the CA properties to make sure that the certificate that is presented is from a source
you trust before accepting the certificate as a trusted root.
If the trusted root certificate is for a third-party CA, the Internet client follows the third-party CA’s
established procedure to merge the trusted root certificate for the CA. If both the client and server have
certificates issued from the CA or already have a CA in common, then this step is not necessary.
SSL server authentication for Internet clients other than Notes does not require a cross-certificate.
A Notes client can also create a cross-certificate for a server or client; however, this allows the Notes
client to trust only that server or client. The Notes client does not then trust other servers and clients
with certificates issued by a CA.
To view Internet cross-certificates: Notes users can view the Internet cross-certificates contained in their
Personal Address Book.
For information on how Notes users can see their Internet cross-certificates, see Lotus Notes 7 Help.
You can also set up Notes clients to use different certificates for signing and encryption. You designate
one Internet certificate authentication and signing, and another for encryption.
For more information, see the topic ″Dual Internet certificates for S/MIME encryption and signatures″
later in this chapter.
Domino CA
1. If you are using a Domino server-based certification authority, browse to the Certificate Request
application. If you are using a Domino 5 certificate authority, browse to the Domino Certificate
Authority application.
Note: If you use Microsoft Internet Explorer, use HTTP without SSL to connect to the Certificate
Authority application. Internet Explorer does not allow you to accept site certificates into your
browser.
2. Click ″Request Client Certificate″ in the left pane.
3. Enter your name and organizational information. This information will appear on your Internet
certificate.
4. Enter any additional contact information that you want to send to the CA.
5. Enter the size for the public and private keys. The larger the number, the stronger the encryption.
6. Click ″Submit Certificate Request″ to send the request to the CA.
Third-party CA
The third-party CA determines how you request an Internet certificate. Browse to the third-party CA’s
site, and enter the certificate request. A dialog box appears that allows you to request the certificate.
The server on which you issue Internet certificates must be set up for the Administration Process, and the
users must have an Internet address specified in their Person documents. In addition, you must add
Internet certificates that are created using a Domino certifier.
Signing an Internet client certificate and adding the certificate to the Domino
Directory
When a CA signs an Internet client certificate, the CA adds a digital signature to the certificate and, if
you are using a Domino CA, adds the public key to the Domino Directory. If you are using a third-party
CA, you must complete additional steps to add the public key to the Domino Directory.
You do not need to complete these steps if you are using a Notes client and the CA issued certificates in
the Person document of the Domino Directory. Notes automatically adds Internet certificates stored in the
Person document to the Notes ID file when the user authenticates with the server.
The steps you follow to sign and add an Internet client certificate to the Domino Directory depend on
whether the certificate is issued from a Domino server-based certification authority, a Domino 5
Certificate Authority, or a third-party CA.
Domino server-based certification authority: The steps are completed by the Domino CA. You must be
a registration authority (RA) to approve client certificates for signing.
1. From the Domino Administrator, click Files, and open the Domino Certificate Requests application.
2. Transfer the certificate request into the Administration Requests database.
a. In the Certificate Requests database, open the Pending/Submitted Requests view. Press F9 to
refresh the view if the client request does not appear there.
b. If the view shows that the request has been ″Submitted to Administration Process,″ go to the next
step. If it is still in the Pending state, highlight the request and click ″Submit Selected Requests.″
c. You should see a ″Successfully submitted 1 request(s) to the Administration Process″ message.
Click OK.
3. Approve or deny the request.
Note: If the Certificate Requests database is configured for automatic request processing, then client
requests are sent to the Administration Requests database automatically by the database. The Registration
Authority only to approve or reject the request.
Domino 5 Certificate Authority: The Internet certificate request appears in the Client Certificate
Requests view in the Domino Certificate Authority application. When the CA signs a certificate, the CA
can automatically send e-mail to the client. This e-mail describes where to pick up the certificate and
includes a pickup ID, which the client must use to identify the certificate during the pickup process.
Domino automatically generates the pickup ID.
Note: The steps below apply to signing client certificates issued by a Domino CA. The steps are
completed by the Domino CA.
1. From the Domino Administrator, click Files, and open the Domino Certificate Authority application.
2. Click ″Client Certificate Requests″ in the left pane.
3. Open the request you want to sign.
4. Review the user information and distinguished name. Make sure the information provided complies
with your organization’s security policy.
5. Leave the option ″Register certificate in the Domino Directory″ selected to add the client’s public key
automatically to the Person document.
If you want to deny the request, complete step 6. Otherwise, go to step 7.
6. To deny the request:
a. Enter a reason for the denied request.
b. If you do not want to send the person e-mail, deselect ″Send a notification e-mail to the requester″;
otherwise, the Domino Certificate Authority application sends the person e-mail indicating that
you denied the request and the reason why you denied the request.
c. Click Deny.
7. To approve the request:
a. Enter a validity period. For short-term projects, 90 days is typical; for ongoing projects, you can
enter several years.
b. If you do not want to send the client e-mail indicating that the client can now pick up the
certificate, deselect ″Send a notification e-mail to the requester″; otherwise, the Domino Certificate
Authority application sends an e-mail with a URL indicating the location to pick up the certificate.
c. Click Approve and enter the password for the CA key ring file. This places a request in the
Administration Requests database. When the Administration Process next runs, it processes the
request and adds the certificate to the client’s Person document in the Domino Directory.
1128 Lotus Domino Administrator 7 Help
Note: The client cannot use the certificate to authenticate against database ACLs until the
Administration Process completes the request.
Third-party CA: If a user obtains an Internet certificate from a third-party CA using the Notes client, the
certificate is automatically added to their Person document.
If a user obtains an Internet certificate from a third-party CA through a browser, the certificate must then
be added to their Person document.
For more information, see the topic ″Publishing third-party CA client certificates in a Person record″ later
in this chapter.
An Internet client can still access the Domino server anonymously if you have anonymous access set up
on the server, or use name-and-password authentication to access the server. A Notes client can still send
unencrypted mail messages to the user.
You can also view information about Internet certificates in the Domino Directory.
For information on selecting MIME format for sent mail, see the chapter ″Encryption and Electronic
Signatures.″
Note: It is not necessary to have the cross-certificate prior to sending S/MIME encrypted mail. Users
will be prompted to generate the cross-certificate when they try to send the message.
For more information, see the topic ″Adding a recipient’s Internet certificate and cross-certificate for
encrypted S/MIME messages″ later in this chapter.
For more information, see the topic ″Creating Internet certificates for Notes S/MIME clients″ later in this
chapter.
To set up Notes clients with certificates for S/MIME: The CA and client complete these steps to add a
Domino Internet certificate to the Notes ID file. A Notes client can use one Internet certificate or use dual
Internet certificates for S/MIME encryption and signatures.
1. Before issuing certificates, the CA must determine if Internet certificates should be created using the
existing public and private keys from the Notes ID file or if the CA wants to issue certificates based
on new keys generated from a browser certificate request. If clients use a browser that supports PKCS
#12, clients can also import an existing Internet certificate into the Notes ID file. Depending on the
environment, the administrator may choose to use a combination of these options for different users.
For more information on importing Internet certificates in a Notes client, see Lotus Notes 7 Help.
2. The CA adds a trusted root certificate to a Domino Directory that the client can access.
The client can also add a trusted root certificate to the Personal Address Book; however, adding a
trusted root certificate to the Domino Directory simplifies the process of setting up Notes clients for
S/MIME because the trusted root is accessible to many clients.
3. The client creates a cross-certificate using the trusted root certificate for the CA and stores it in the
Personal Address Book.
4. To create a certificate using the existing public and private keys in the Notes ID file, do the following:
a. The CA adds an Internet certificate to the Person document.
b. The client authenticates with the home server. Notes automatically merges the Internet certificate
into the ID file.
5. To use new public and private keys to create an Internet certificate, do the following:
a. The client requests the Internet certificate from the CA.
b. The CA approves the request, and Domino automatically adds the client’s Internet certificate to the
user’s Person document.
c. The client merges the Internet certificate into the ID file.
For more information on how Notes clients merge Internet certificates into their ID files, see Lotus
Notes 7 Help.
If the Internet certificate is stored in a Domino Directory in another domain or in an LDAP directory, the
directory needs to be accessible using directory assistance.
3. To add the author’s Internet certificate to the Personal Address Book, choose Tools - Add Sender to
Address Book. Notes creates a Contact document for the person and adds an Internet certificate to the
document.
For information on adding an Internet certificate and cross-certificate when users have dual certificates,
see the topic ″Dual Internet certificates for S/MIME encryption and signatures″ later in this chapter.
Adding multiple certificates: To add multiple Internet certificates to your Notes ID file when the
certificates are issued by different CAs, follow the procedure provided by the CA. If the Internet
certificates you want to add are issued by the same CA, add one of the certificates by following the CA’s
procedure and add the second certificate by importing it into the ID file. If you try to add multiple
Internet certificates issued by the same CA and you do not import the certificate, Notes uses the last
certificate added to the ID file for S/MIME encryption and signatures.
Specifying the default signing certificate: Once the Internet certificates are added to the ID file, you
can specify a default certificate to use for S/MIME signatures. You specify this certificate in the User
Security dialog box. If the Internet certificate you select is used for both signatures and encryption, then
Notes uses this certificate as the default for signatures and encryption. Otherwise, Notes uses the Internet
certificate you specify for signatures and the last Internet certificate added to the Notes ID file for
encryption. The default signing certificate is also the certificate used for SSL client authentication.
For information on specifying a default signing certificate, see Lotus Notes 7 Help.
Adding an Internet certificate to the Personal Address Book: If you send a signed message and you
have two different certificates for signatures and encryption, Notes sends the recipient the default
Internet certificates used for encryption and signatures. When the recipient chooses Tools - Add Sender to
Address Book, Notes adds a Contact document and adds the Internet certificates for encryption and
Adding a cross-certificate on demand: When a recipient receives a signed message, Notes checks the
Personal Address Book for a cross-certificate that indicates that the signing certificate included with the
message is trusted. If the cross-certificate is not present, Notes displays a dialog box that allows the
recipient to cross-certify ″on demand.″ You can create a cross-certificate to either the leaf certificate or to
the CA. Creating a cross-certificate to a leaf certificate indicates trust for only the owner of the certificate,
in this case the sender of the signed message. A cross-certificate to a CA indicates trust for all people who
have a certificate issued by that CA.
When you cross-certify on demand, Notes creates a cross-certificate for the signing certificate, but does
not create a cross-certificate for the encryption certificate. However, if the signing and encryption
certificates are issued from the same CA and you create a cross-certificate for the CA, the cross-certificate
created for the signing certificate can also be used to validate the encryption certificate. If the signing and
encryption certificates are issued from different CAs, then you must create a cross-certificate for the CA
that issued the encryption certificate before you can send an encrypted message.
For more information on adding an Internet certificate and creating a cross-certificate on demand, see the
topic ″Adding a recipient’s Internet certificate and cross-certificate for encrypted S/MIME messages″ in
this chapter.
If an LDAP client supports the Simple Authentication and Security Layer protocol (SASL), Domino
automatically uses this protocol when the client uses SSL client authentication to connect to the server.
SASL is not supported for TCP/IP connections or SSL connections with only server authentication.
Setting up a Person document for an Internet user using SSL client authentication
In the Domino Directory on your Domino server, set up a Person document for Internet clients using SSL
client authentication to connect to a Domino server. The Person document for the user stores the user’s
Internet certificate, which is used to verify the user’s identity. The Person document also lists the names
that a Domino server can use to authenticate an Internet user. When an Internet user tries to connect to a
server, Domino looks for the Internet certificate name in the User name field in the user’s Person
document. Domino compares the Internet certificate presented with the one stored in the Person
document. The comparison lets Domino authenticate the user, even if there are multiple users with the
same name, since each user’s public key is unique. If Domino finds a match and the public key is valid,
then the first name listed in the User name field is used to check database ACLs and design element
access lists.
For example, if the User name field contains these entries: Alan Jones, AJones, Alan, Al Jones and the
client uses the name Al Jones to access the server, Domino authenticates the user, verifies that the public
key presented matches the public key in the Person document, and uses the name Alan Jones to check
database ACLs and design element access lists.
For more information, see the chapter ″Controlling User Access to Domino Databases.″
Tip: If the client wants to authenticate with a Domino server in another domain, add the user’s Person
document to the Domino Directory for that domain. Make sure you set up directory assistance so
Domino can find the client in the Domino Directory for the domain.
For information on setting up directory assistance, see the chapter ″Setting Up Directory Assistance.″
To publish a third-party client certificate in a user’s Person record, use the Certificate Publications
Request database. Clients submit certificate publication requests to the database, where they are approved
by an administrator. After a request is approved, a publication request is created automatically in the
Administration Process database. When the request is completed, the third-party client certificate is
published in the requester’s Person record.
In order for users to make a publication request, they must be able to authenticate to the Certificate
Publications database with the certificate they want to have published.
Note: The user does not have to have a Person document in the Domino Directory to make a publication
request. The administrator can create a Person document once the request has been entered, and it has
been decided that the certificate’s owner can be trusted.
For more information on SMTP, see the chapter ″Setting Up Mail Routing.″
For information on setting up a Notes client to use SSL to connect to an SMTP server, see Lotus Notes 7
Help.
Note: If you do not select Disabled in the TCP/IP port status field, Domino always connects to the
SMTP server without using SSL.
4. In the SMTP Outbound column, select Enabled in the SSL port status field.
5. Save and close the document.
6. Add the trusted root certificate for the CA of the SMTP server.
When setting up directory assistance for an LDAP directory, you can instruct a Domino server to use SSL
when connecting to the LDAP directory server. This helps secure communications between the Domino
server and the LDAP server. You should use SSL if a Domino server uses the remote LDAP directory to
authenticate Internet clients, or to look up groups for database authorization.
When a Domino server uses SSL to connect to an LDAP directory server, both servers must have
certificates trusted by the other. If this is not the case, you must add a trusted root certificate to the
server’s key ring file before your server can connect to the LDAP server.
For more information on directory assistance for LDAP, see the chapter ″Setting Up Directory Assistance.″
For more information on adding a trusted root certificate, see the chapter ″Setting Up SSL on a Domino
Server.″
Therefore, depending on your organization, make sure you work closely with the people who are
responsible for design, management, and administration tasks. For example, controlling user access is
primarily a Domino system administrator’s responsibility, yet the application developer may determine
these access levels because they are often integral to the database design. If design changes are necessary
after a database is in production, be sure to:
v Work with the application developer or database designer to implement and coordinate design changes
v Consider server resources and the connections between servers when putting databases on servers
For more information on designing or redesigning databases, see Lotus Notes and Domino Release Notes
and the book Application Development with Domino Designer.
Creating a database
Use the Domino Administrator to create a database. You can use one of Domino’s templates to create a
database or you can choose Blank to use a ″blank″ template.
You must have Domino Designer installed to make design changes to the database you create.
Many of the templates that ship with Domino are master templates. Changes made to a master template
are passed on to any databases created from that template unless you specify otherwise. If you plan to
customize a database and want to prevent design changes, either deselect the ″Inherit future design
changes″ option after you select a template, or deselect ″Inherit design from master template″ on the
Design tab of the Database Properties box for the database.
To create a database
1. From the Domino Administrator, choose File - Database - New.
2. Complete these fields:
Field Action
Server Do one:
v Select Local to store the database locally on your hard
drive.
v Enter the name of a server on which you want to store
the database.
Title Enter a database title. You can use a maximum of 96
characters
1137
Field Action
File name Use the default file name or specify a unique file name
of fewer than 32 characters, followed by the extension
.NSF. If you are creating the database locally, specify a
drive and directory in which to store the new database.
For example, C:/Databases/mydbs.nsf. Otherwise, the
database is stored in the Data directory. If you are
creating the database on a server, specify the server and
directory in which to store the database.
Create full-text index for searching Choose this option to enable full text searching on your
database. Full-text searching increases the speed of a text
search.
3. (Optional) Click Encryption if you want to encrypt the database and require an appropriate user ID in
order to open the database.
4. (Optiona) Click Advanced to set advanced database properties for the database you are creating.
5. Complete these fields:
Field Action
Server Specify the name of the server that contains the template
you are using to create the database.
Template Choose a template from the list or choose Blank if you
don’t want to use a template.
Show advanced templates Choose this option to select from all available Domino
templates.
Inherit future design changes Choose this option to update the database design when
the server task runs at night.
6. (Select ″Inherit future design changes″ if you want your database design to get updated when the
nightly server task runs.
7. (Recommended) Check ″Create full-text index for searching″ to speed searches on your new database.
Note: You can customize the ACL for a database that you create by updating the template’s ACL with an
entry that you specify. That is, you can specify an ACL entry such as [Alan Smythe/Sales/UK] and have
that value copied when you create the NSF database. For information, see the topics that reference
″CreateFromTemplate″ in the Domino Designer online help database.
For information about encrypting a database you are creating, see the topic ″To encrypt a database″ in the
Notes client online help.
Task Considerations
Set up the database ACL for users and If you plan to make replicas of a database, make sure that the
servers that require access database ACL lists the name of each server containing a replica. If the
database uses roles, assign all roles to each server.
Optional tasks
The following tasks are not required, but you may want to perform them after your database is in
production. Whether or not you need to do these tasks depends on the type of database you are rolling
out to the production server and the roles assigned to an application developer, database manager, or
Domino administrator in your organization.
Task Considerations
Create About This Database and Using This Provide the name, phone number, and e-mail address of database
Database documents managers in the About This Database document. Provide information
about the application in the Using This Database document.
For more information on encryption, see the book Application Development with Domino Designer.
If a database is designed to receive mail, you must create a Mail-In Database document in the Domino
Directory. This document must exist in the Domino Directory of every server that stores a replica of the
database. The database cannot receive mail until you create this document. When replicating Mail-in
databases to servers in another Domino domain, create a matching Mail-in database document in the
Domino Directory of the target server.
1. Make sure you have at least Author access with the Create Documents privilege selected.
2. From the People & Groups tab of the Domino Administrator, choose the Mail-In Databases Resources
view.
3. Click Add Mail-In database.
4. On the Basics tab, complete these fields and then save the document:
Field Description
Mail-in name The entry for this database in the Domino Directory.
Users and applications use this name to send documents
to the database.
Internet message storage The message storage preference:
v No preference (default);
v Prefers MIME
v Prefers Notes Rich Text.
Internet address SMTP address in the format
mailfile@organization.domain. Complete this field if you
want Internet users to be able to send messages to the
database.
Encrypt Incoming Mail Yes or no according to your preference. Mail sent to the
mail-in database is encrypted with the Notes certified
public key entered in the next field.
5. On the Administration tab, complete these fields and then click Save & Close:
Field Description
Owners Fully distinguished hierarchical name of users allowed to
modify this document.
Administrators Users or groups who can edit this document.
Allow foreign directory synchronization Choose one of these:
v Yes -- Allows entry to be exchanged with foreign
directories -- for example, a cc:Mail® directory -- so
that users on the other system can look up the mail-in
database in the cc:Mail post office directory and send
mail to it.
v No -- Does not allow the entry to be exchanged with
foreign directories.
Notes certified public key The certified public key to use when encrypting mail
sent to this database. To copy a certified public key from
the Domino Directory to this field, click ″Get Certificates″
and choose a name.
Internet Certificate This field displays the Internet Certificate if one exists. If
there is no Internet Certificate for this mail-in database,
the field displays the message ″Not Available.″
Issuer name The field is populated only if the Internet Certificate field
displays an Internet Certificate.
6. Give the name of the database to users so they can enter it in the To: field of messages destined for
the database.
For more information on setting up a database to receive mail, see Domino Designer 7 Help.
Note: If you want to sign only one specific design document or one design element in a document, for
example, a specific agent, you must first determine the Note ID for the document. To determine the Note
ID for a document, select the document, choose File - Document Properties, click the last tab of the
properties box. The bottom line is the Note ID, for example NT00000902.
1. Select the server that stores the databases or templates that you want to sign.
2. On the Files tab, select the databases or templates that you want to sign.
When you create directory and database links, you can increase database security by specifying the ACL
access for an individual user or group in the Create New Link dialog box. The database ACL, not the
database link, controls access to individual databases that have database links.
Directory links
You can store databases in a directory outside the Domino data directory to take advantage of disk space
available on other servers. Then you create a link in the Domino data directory that points to that
directory. In the Domino data directory, users see the directory link MKTG.DIR as the subdirectory
MKTG, with a directory folder icon next to it. Users who do not have access to a linked directory can see
the directory link, but cannot access the directory.
You can use a directory link on a Web server to point browser users to a directory outside the Domino
data directory. When you create this link, you must specify access for browser users -- for example, you
can specify access for anonymous users or enter the names of users who use name-and-password or SSL
client authentication.
Database links
You can store a single database outside the Domino data directory and create a database link to it from
the Domino data directory. A database link appears in the Domino data directory as a database icon
followed by the name of the linked database.
You can use a database link on a Web server to point browser users to a database in a directory outside
the Domino data directory. If the database link points to a database on another server, browser users
cannot access the database.
1145
5. Move designated databases into the directory you just created, and then create a directory or database
link.
Create the directory link to point to a subdirectory, not to a root directory. For example, create the
directory link PROJECTS.DIR to point to the directory D:\PROJECTS\SALES. On a Domino Server for
UNIX, a DIR file can point to /sales but not to /.
Create the database link using the complete path and file name of the database you want to link to. For
example, create the database link SALES.NSF to point to the database D:\PROJECTS\SALES\SALES.NSF.
Domino automatically appends the NSF extension to the database name. If you want to move a linked
database to another location, delete the old link, create a new database link, and move the database to the
new location. When you delete the database link, you remove the link, but not the database link
references.
Note: The database ACL, not the database link, controls access to individual databases that have
database links.
To delete a link
1. From the Domino Administrator Server list, select the name of the server.
2. Click the Files tab, and then select the directory or database link to delete.
3. Choose Tools - Folder - Delete, and then click Yes.
4. To verify that the link was deleted, click the refresh icon. View the result in the Results pane.
For information about controlling access to the server’s data directory, see the chapter ″Controlling User
Access to Domino Databases.″
To create an index for a single database, you must have at least Designer access to the database.
Sometimes the application developer of the database has already created an index. You can find out
whether or not a database is indexed by looking at the Database Properties box (Full Text tab, ″Last Index
Time″ from the Files tab of the Domino Administrator.)
The Domino Administrator lets you create single indexes for more than one database at a time. Users can
create full-text indexes for local databases.
For more information, see the chapter ″Creating Replicas and Scheduling Replication.″
The Domain indexing process is completely separate from that for individual databases, and including a
database in the Domain Index does not preclude the need to create a separate index for a popular
database.
For more information on adding the full text of a database to the Domain Index or on setting up the
Domain Index, see the chapter ″Setting Up Domain Search.″
1149
v The encryption key, which is part of the server ID, is active for all databases on the server. If you index
a different database and do not deselect ″Index encrypted fields,″ any fields using that encryption key
are compromised.
For more information on encrypted fields, see the chapter ″Encryption and Electronic Signatures.″
Lotus Domino stores the index file in a subdirectory of the directory where the database file is located,
usually the Domino data directory. The name of this subdirectory is filename.FT, where filename is the file
name of the indexed database -- for example, /EMPLOYEE.FT. The full-text directory must reside in the
directory in which the corresponding database resides. The full-text directory must reside in the directory
in which the corresponding database resides.
For more information on directory and database links, see the chapter ″Organizing Databases on a
Server.″
You must periodically update full-text indexes on servers to keep them synchronized with changes to the
databases. When you create an index, you can either accept the default schedule for updating it (nightly
at 2 AM) or specify a different schedule. You can modify this setting at any time.
You can also do manual index updates for server databases at any time from the Domino Administrator.
Note: Users update full-text indexes for local databases whenever they replicate with the server. Users
can also do manual index updates for local databases at any time.
CAUTION:
Selecting this option can compromise system security.
Index sentence and Includes sentence and paragraph breaks in addition to word breaks to allow users to
paragraph breaks do proximity searches.
Enable case sensitive Allows searches by exact case match. This option increases the size of the index by
searches about 15%, as each word must be indexed twice -- for example, apple and Apple.
Note: You can view your indexing selections later on the Search tab of the Database Properties box.
8. (Optional) Change the default setting for index update frequency. Update frequency options are
described in the following table.
9. Click OK.
10. Inform users that the database or databases are indexed.
Note: If you know you want multiple indexes to have the same frequency setting, you can select the
databases and use the Tools pane’s Databases - Full Text Index command to change all their indexes
to that setting, but the Tools pane does not provide a means to check whether databases are indexed
or verify current update settings.
5. In the ″Update frequency (servers only)″ box, select one of the options described here.
6. Click OK.
Note: The Database Properties box (Full Text tab) provides useful information about an index, such as
the number of unindexed documents currently in the database, the last time the index was updated, and
its size.
For information on the Domain Catalog, see the chapter ″Setting Up Domain Search.″
Database libraries
You can create a database library that contains databases that pertain to a specific collection of users or to
a specific topic. For example, a corporate database library might include all databases that deal with
corporate policies and procedures, and a marketing database library might include databases that are
useful to the marketing staff.
The main view in a library lists the databases it contains alphabetically by title, and gives a short
description of each database. Each database document displays the database’s title, short and long
descriptions, replica ID, and database manager, as well as buttons that let users browse the database or
add it to their bookmarks.
Note: Instead of creating database libraries to point users to the databases they need, you can use
Desktop policy settings to add bookmarks directly to their workspaces.
For more information on Desktop policy settings, see the chapter ″Using Policies.″
Server libraries
The databases you choose to include in a library can be located on any server. More than one library can
reside on a server. When a user opens a database from a database library, Lotus Domino uses the
database’s replica ID number to search for it. Domino first searches for the database on the user’s
workspace, then on the user’s home server, and finally looks for a Domain Catalog to find a path to a
replica of the database on another server. If a database is moved to another server, Domino automatically
opens the database at its new location and then updates the database’s replica ID in the database library.
When you create a database library on a server, you automatically become the librarian for that database
library with Manager access in the library ACL. The -Default- access in the library ACL is Reader. If a
user with Reader access in the database library ACL attempts to publish a database, Domino
automatically sends the librarian an e-mail containing the request to publish the database. The librarian
then publishes the database for the user. If you want users to be able to publish databases in the library
themselves, change -Default- access to Author.
Local libraries
You can create a local library for your own use, which lists databases on your own hard drive as well as
databases on servers. The only difference between a local library and libraries on servers is that no other
users can use your local library or become librarians for it.
1155
If you plan to create many libraries on a server, create a subdirectory in the Domino data directory to
store them. Then users can easily locate all available libraries.
To assign librarians
You must be a librarian of a database library in order to make other users librarians.
1. If someone other than you created the library, make sure you have Editor or higher access in the
library ACL.
2. Make sure that the users to whom you are giving librarian status have at least Author access in the
database library ACL.
3. From the Domino Administrator, select the server that holds the database library.
4. On the Files tab, double-click the title of the database library.
5. In the Librarians view, click ″Edit Librarians.″
6. Type the names of all users who will be librarians, pressing ENTER after each name.
7. Close and save the Librarians document.
Database catalogs
A database catalog provides a list of all databases on a server. You use the server Catalog task to create a
database catalog. The Catalog task bases the catalog file (CATALOG.NSF) on the CATALOG.NTF
template and adds the appropriate entries to the catalog’s ACL.
All databases on a server are included in the catalog when the Catalog task runs. Only administrators can
see listings for some databases (those with the ″List in Database Catalog″ option selected in the Database
Properties box), as these databases are not included in the default views.
For databases in the default views, you can specify categories in the Database Properties box to
determine how the databases appear in the categorized view of the catalog. For large catalogs, you can
create a full-text index to make searching the catalog faster.
To help users locate databases across an organization, or to keep track of all the replicas for each
database, you must set up a Domain Catalog -- a catalog that combines the information from the
database catalogs of multiple servers -- on one of your servers. You can set up a Domain Catalog
regardless of whether you plan to implement Domino’s Domain Search capability.
For more information on the Domain Catalog, see the chapter ″Setting Up Domain Search.″
To view the documents in the database catalog, open the catalog from the Domino Administrator or the
Web Administrator tool (Files tab).
Note: Excluding a database from a catalog’s default views does not prevent administrators from creating
views that display a complete listing of databases on the server.
1. Make sure you have at least Designer access in the database ACL.
2. From the Domino Administrator, select the server that holds the database that you want to exclude
from the catalog.
3. On the Files tab, select the database that you want to exclude.
4. Choose File - Database - Properties.
5. Click the Design tab, and then deselect ″List in Database Catalog.″
The Domino Administrator includes these system-monitoring tools that you use to configure, view, and
track the Domino system:
v Monitoring databases -- Store monitoring documents, information, and results. The Monitoring
Configuration database (EVENTS4.NSF) stores the documents you use to set up monitoring. It also
includes information about statistics, statistic thresholds, and event messages. The Monitoring Results
database (STATREP.NSF) stores the gathered statistics reports and can be configured to store
information about logged events. The log file (LOG.NSF) stores the server’s log documents.
v Monitoring Configuration documents -- Define and configure what constitutes an event, and how the
event is handled. Also allow you to customize the messages that appear on the console when an event
occurs.
v Server tasks -- Collect and record information about the Domino system. The Shutdown Monitor task
ensures that Domino terminates when requested to do so. The Process Monitor task applies only to
Domino on Microsoft Windows platforms, and monitors the processes that should be running in the
Domino server environment. The Event Monitor task determines if an Event Handler has been
configured for the event, and if so, routes the event to the specified person, database, or
server-management program for processing. The Statistic collector task gathers Domino server statistics
and creates statistics reports in the Monitoring Results database (STATREP.NSF) or to another database
you can specify. The ISpy task executes TCP server and mail-routing event generators.
v Statistics -- Domino gathers statistics that show the status of processes currently running on the system
-- for example, the statistic ″Free space on drive C″ indicates the amount of free space available on
drive C. You use these statistics along with the predetermined statistics thresholds to monitor both
your Domino system and platform statistics.
v Domino server monitor -- Provides a visual representation of the status of the servers you are
monitoring.
1159
For more information about the new configuration user interface, DDM, and the collection hierarchy, see
the topic Domino domain monitoring.
The Monitoring Configuration database (EVENTS4.NSF) includes a set of default documents you use to
set up system-monitoring. You can edit the default documents or use the configuration wizards in the
Monitoring Configuration database to create new ones. The Monitoring Configuration database includes
these documents:
Document Description
DDM Probe Defines the probe type, probe subtype, a general
description of the probe, configurable specifics on what
the probe monitors, how results are reported, and other
related information
DDM Filters Defines which event types, event classes and event
severities are reported to the DDM file.
Event Generator Defines the parameters of an event.
Event Handler Describes what action to take when an event occurs.
Event Notification Method Defines the notification method to use when the Event
Handler document prescribes notification.
Log Filter Specifies events that you do not want to log.
Server Console Configuration Sets the text, background, and color attributes for the
Domino server console.
Statistic Description Describes a statistic.
Server Statistic Collection Specifies one or more servers from which statistics are
collected and identifies the server that performs the
collecting.
You specify the amount of time that Domino monitors the shutdown activity in the field, Server
Shutdown Timeout, in the Automatic Server Recovery section of the Server document. To disable this
feature, enter 0 (zero) in the Server Shutdown Timeout field.
This functionality is implemented in Domino for Unix platforms without using a separate server task.
To disable the Process Monitor task, set the variable PROCESS_MONITOR_DISABLED=1 in the server’s
NOTES.INI file.
Domino generates events continuously. Therefore, to monitor the Domino system efficiently, you must
decide which events you want to know about. For example, the event ″Replicating files with servername″
occurs every time a file replicates with a specified server; consequently, you may want to know about the
event only if it fails. You configure events that you want to know about, based on what type of
information is important to you. To configure an event, you determine three critical pieces of information:
what type of event it is, what the severity level is, and how you want it handled. You configure your
events using Event Generator and Event Handler documents. Event generators describe the condition
that must be met for an event to be generated; event handlers describe what happens when the event
occurs.
After deciding which events you want to know about, decide what will happen when the event occurs.
You have several choices. You can log the event to the log file (LOG.NSF); you can mail a notification of
the event to a file or an administrator; or mail the event to another application for further processing.
You create an Event Handler document to specify to log the event to a specified destination, and
simultaneously receive notification of the event’s occurrence and run a program for additional processing.
You can also prevent the event from being logged or handled at all. However, if you want to know about
an event, you must have an Event Handler document. Otherwise the event is not recorded. There is no
default way of handling an event. So if you do not create event handlers, then events are not logged or
stored anywhere (except for server or add-in task events, which are stored in the log). After an event is
passed to the Event Monitor task, it can invoke one or more configured Event Handlers.
Event generators
Event generators gather information by monitoring a task or a statistic or by probing a server for access
or connectivity. Each event generator has a specified threshold or condition, which, when met, causes an
event to be created The event is passed to the Event Monitor task, which checks whether an associated
event handler has been defined. If an event handler has not been defined, the Event Monitor task does
nothing. If an event handler has been defined, the Event Monitor carries out the instructions in the event
handler. The Event Monitor task, formerly know as the Event task, starts automatically when you start
the server and must run on all servers that you want to monitor.
For more information about event handlers, see the topic ″Event handlers″ later in this chapter.
The Domino Administrator includes a set of default event generators, which are listed in the Event
Generators view of the Monitoring Configuration database (EVENTS4.NSF). To monitor other events that
are important to you, you must create an event generator and define the type and severity of the event.
The following table lists the types of event generators you can create. If you purchased an add-in product
designed to work with server-management programs, you may see additional types of events listed.
Field Action
File name Enter the name of the database.
Servers Choose one:
v All in the domain
v Only the following. Then select one or more servers to monitor.
Field Action
Server(s) with which the database must replicate Choose one:
v All in the domain.
v Only the following. Then select one or more servers
from the list.
Replication timeout Enter a time-out value. The default is 24 hours.
v Monitor unused space -- To monitor the amount of white space (free space) in one or more selected
databases on a server. Then complete these fields on the Unused Space tab:
v Monitor for user inactivity -- To monitor database activity and to determine which databases are
not being used. Then complete these fields on the user Inactivity tab:
Field Action
Time periods to monitor Choose one:
v Daily
v Weekly
v Monthly
Minimum sessions Enter a minimum number of sessions that will trigger an
event. The defaults are:
v Daily -- 10 sessions
v Weekly -- 50 sessions
v Monthly -- 300 sessions
5. On the Other tab, complete these fields, and then save the document:
Field Action
Generate a database event of severity Select a severity level.
Create a new event handler for this event Click this button to launch the Event Notification Wizard and create
an event handler.
Field Action
Target server(s) Choose one or more servers to probe.
Probing server (source) Choose the server that will probe the target servers.
4. For the field ″Interval n minutes,″ enter an interval in minutes at which you want to send the probe.
The default is three.
5. Choose one of the following options:
v Check just the ability to access the destination server
v Check the ability to access the destination server and open this database, and then enter a file name
Field Action
Ports Do one:
v Enable the field to use any configured port to check access.
v Disable the field, and specify the port to use.
Time-out threshold Enter a number that represents the allocated amount of time (in milliseconds)
to open the database or access the server. The default is 1000 milliseconds.
The Resulting Statistic field, which is not editable, shows the name of the statistic that is generated.
7. Click the Other tab, complete these fields, and then save the document:
Field Action
On time-out, generate a Server event of severity Select a severity level.
Create a new event handler for this event Click to launch the Event Notification Wizard and create
an event handler.
This event generator creates a statistic that indicates the amount of time, in seconds, it takes to deliver the
message. If the mail-routing trace fails, the statistic has the value -1. If the Statistic Collector task is
running, the Monitoring Results database (STATREP.NSF) stores the statistics. The format of a mail
routing statistic is:
QOS.Mail.RecipientName.ResponseTime
In addition, the ISpy task monitors the local mail server by default and generates events for traces that
fail. To monitor other Domino mail servers, create an event generator and set up an event handler to
notify you when an event has occurred.
Field Action
All Domino servers in the domain Do one:
will probe themselves v Check this option to have each server to probe only the local mail box.
v Uncheck this option to probe specified servers.
Recipient Enter the address of the recipient for which you want to check the mail
route or use the drop-down box to select a recipient from a Domino
Directory or Address Book. Do not enter more than one user and do not
enter a group name.
Probing servers (source) Select the name of the server from which to start the probe.
Show intermediate hop times Enable this option to track intermediate hop times.
Field Action
Send interval Enter the number of minutes between probes. The default is 15.
Time-out threshold Enter the number of minutes the probing server (source) waits for a response
before logging a failure.
6. Click the Other tab, complete these fields, and then click Save & Close.
Field Action
On time-out, generate a Mail event Select the severity level.
of severity
Create a new event handler for this Click this button to launch the Event Notification Wizard and create an event
event handler.
To generate statistic events, statistic alarms must be enabled on either the Domino Server or the Domino
Administrator. Enabling statistic alarms instructs the Collector task to periodically check the value of
configured statistics with the thresholds specified in their event generator documents. When a threshold
is exceeded an alarm document is created in the Monitoring Results database (STATREP.NSF). The first
time an alarm is reported, a statistic event is generated. Alarms continue to be reported at the alarm
interval specified when you enabled alarms. However, after the first alarm, subsequent events are
generated, by default, once daily until you clear the alarm in the Statistics - Alarms view of the Domino
Administrator.
You enable alarms in the Domino Administrator by setting Administration Preferences. You enable alarms
on the server, in the Server Statistic Collection document.
For more information on enabling statistics alarms in the Domino Administrator, see the chapter ″Setting
Up and Using Domino Administration tools.″ For more information on enabling alarms on the Domino
Server, see the topic ″Creating a Server Statistic Collection document,″ later in this chapter.
Field Action
Generate a statistic event of severity Select a severity level.
Create a new event handler for this event Click this button to launch the Event Notification Wizard
and create an event handler.
Field Action
Task name Select the name of the task.
Servers Choose one:
v All in the domain
v Only the following. Then select the name of one or
more servers
What to monitor v Monitor task down
v Monitor task up
v Monitor task not responding
v Monitor task resumed responding
4. Click the Other tab, complete these fields, and then save and close.
Field Action
Generate a monitor event of severity Select a severity level.
Create a new event handler for this event Click this button to launch the Event Notification Wizard
and create an event handler.
If the Collector task is running, the Monitoring Results database (STATREP.NSF) stores the Internet port
statistics.
By default, the ISpy task monitors all enabled Internet ports (TCP services) on the server on which it is
running. When you create a TCP server event generator, you can have each server probe its own
configured ports and all services that are running on those ports, or you can select which servers and
services to probe. To verify the statistic name and the type of event generated upon failure, click the tab
for each service.
Field Action
Probe interval Enter the number of minutes between probes. Default is
15.
Service time-out threshold Enter the number of seconds the probing server (source)
waits for a response before logging a failure. Default is
30.
8. If all servers are probing themselves, continue with Step 8. If you chose to specify services, choose
one.
v Probe all configured TCP services
v Probe these services. Then check the services to probe.
9. If all servers are probing themselves or if you selected the HTTP service to probe, click the HTTP tab
and choose one
v Probe just the port -- To probe the availability of the HTTP service on the port.
v Fetch this URL -- To probe for the availability of a Web server. Then enter a URL specifying the
file path. Do not include the server in the URL address.
10. If all servers are probing themselves or if you selected the NNTP service to probe, click the NNTP
tab and choose one:
v Probe just the port -- To probe the availability of the NNTP service on the port.
v Send this command -- Then enter the command and the news group name.
11. Click the Other tab, complete these fields, and then click Save & Close:
Field Action
On time-out, generate an event Select the severity level.
severity
Create a new notification profile for Click this button to launch the Event Notification Wizard and create an event
this event handler.
For more information about NOTES.INI settings and server commands, see the appendices.
To start a wizard:
1. From the Domino Administrator, click the Files tab.
2. Open the Monitoring Configuration database, and then choose the Setup Wizards view.
3. Click the wizard you want to use.
The Monitoring Configuration database (EVENTS4.NSF) includes default event handlers for server tasks.
However, to customize how events are handled, you may want to create a custom event handlers. You
can enable or disable an event handler, so you can easily disable a default event handler and replace it
with a custom one.
When you create an event handler, you specify the condition -- for example, when an event meets or
exceeds a threshold or meets a specified severity level -- that triggers it. To specify event handler
conditions, you define a set of criteria, specify a task, or select a custom event generator that triggers the
event handler.
For example, suppose you create an event handler that defines the criteria as a replication event with a
severity level of Fatal. Then any replication event that matches that criteria is handled based on the event
handler you created. Or, you can create an event handler for all events of any type that have a severity
level of Fatal. An event handler is generated only if the specified task creates an event. And event
handlers based on custom event generators are triggered only if the associated event generator creates the
event.
You can also create different handlers for different severities. For example, you may want to be notified
immediately if an event has a severity level of Fatal or Failure and choose to write the information to the
log file or to the Monitoring Results database (STATREP.NSF). Normal levels of events may not interest
you, so you may want to create a log filter to prevent normal events and severity levels from being
logged to the log file or the server console.
For more information on passing event parameters, see the topic Passing event
parameters using the Run Program notification method.
Send a console command to the Sends a console command, or commands, to the server according to the Event
server Handler that was configured. You can specify the server console commands to
be run. Any console command can be used with an event handler. The console
command must be delineated by quotes when you enter it. For example
For a local event handler configured for the Domino Administrator, you specify
the server on which to run the command or script. For event handlers that
exectute on a server, the command is sent to the server that is executing the
event handler.
Send Java Controller command Sends Java server controller commands based on an event. The commands that
can be sent to the controller are restart Domino, start Domino, and shutdown
Domino. You specify the server and the Java controller command. Your
username (short name) and Internet password are used by the event task to
access the Java controller. For more information, see the topic Setting, modifying
or deleting the server controller user’s ID properties.
You also need to create a Connection document to the server that is running the
server controller. For more information, see the topic Creating a Connection
document for use with a Java controller command.
Sound Sounds an alarm on the designated server when the event occurs. You specify
the sound file.
SNMP Trap Sends the event as an SNMP trap. Select this method only if the specified server
is running the Event Interceptor task and the Domino SNMP Agent.
Log to UNIX System Log Reports the event to the UNIX system log.
Using an API to create an event notification method: If you use an API, there may be additional types
of notification methods. To use one of these methods, create a notification based on the name and
description provided by the API.
1. From the Domino Administrator, click the Configuration tab, and open the Monitoring Configuration
view.
2. Open the Names & Messages (Advanced) - Notification Methods view, and click New Notification
Method.
3. Enter a description of the notification method.
4. Enter the name of the notification method.
You also have the option of entering switches for the event parameters.
Note: If you have created Event Handler documents that use the Run Program notification option, using
a Domino release issued prior to Domino 7, you need to re-edit and then save those Event Handler
documents to allow them to be compatible with Domino 7.
For information about how to create an event handler, see the topic Creating an event handler.
Setting, modifying or deleting the Java server controller user’s ID properties: Use this dialog box to
set, modify or delete the user ID and Internet password used to access the Java controller. The ID
properties for the server controller are stored in the server’s ID file.
The Java console command must be sent to a remote server and that server must be running within a
Java console. You need Administrator access to that server for authentication purposes. Set the
Administrator access in the Administrators field on the Security tab of the Server document.
When an event handler of notification type ″Send Java Controller command″ that you created or edited
runs, the event task uses your short name and Internet password to access the Java controller. When that
access is established, the event task sends the Java controller command.
1. From the Domino Administrator, click Configuration - Monitoring Configuration.
2. Click Tools - Set Server Controller’s ID.
Field Action
Server Controller username Enter the user’s short name for accessing the server controller.
Server Controller password Enter the user’s Internet password for accessing the server
controller.
3. Do one of these:
v To set or modify the user name or password for the server controller user, click Set and then
proceed to step 5.
v To delete the user name and password for the server controller user, click Clear and then proceed
to step 5.
Creating a Connection document for use with a Java controller command: To use the event handler of
notification type ″Send Java Controller command,″ you must create a Connection document between the
server running the Java controller and the server sending the Java controller command.
The server that is running the Java controller must have entries in these fields in order for the ″Send Java
Controller command″ notification to work correctly:
v Optional network address
v Use the port(s)
For more information on the wizard, see the topic ″Using event generator and event handler wizards,″
earlier in this chapter.
Field Action
Event type Choose one:
v Events can be any type
v Events must be this type. Then select the type from the list.
Event severity Choose one:
v Events can be any severity
v Events must be one of these severities. Then select a severity level from the list.
Message text Choose one:
v Events can have any message
v Events must have this text in the event message. Then type the message text.
If you choose ″A built-in or add-in task event,″ click the Events tab, and then click Select Event. Select
the event from the list, and choose one:
v Events can have any message
v Events must have this text in the event message. Then type the message text.
If you choose ″custom event generator,″ select it from the list or click New to create a new custom
event generator.
v (Optional) Click ″Details″ to view a custom Event Generator document.
5. Click the Action tab and choose the notification method.
Note: If you purchased an add-in product designed to work with server-management programs, you
may see additional notification methods.
6. Choose one enablement option:
v Enable this notification -- To enable the notification during all hours.
v Disable this notification -- To disable the notification so that it does not run.
v Enabled only during these times -- Then click the clock and move the slider to select the start and
end time during which this event handler is enabled.
7. Click Save & Close.
For more information about event types and event severity levels, see the topics ″Event types used to
specify event criteria,″ and ″Event generators,″ earlier in this chapter.
Tip: You can also create a log filter from the server console.
For more information about setting log levels, see the chapter ″Using Log Files.″
To view a report
1. From the Domino Administrator, click the Server - Analysis tab.
2. Click the Monitoring Results - Events view.
3. Double-click a report to view the information.
To set or remove a stop trigger: After you troubleshoot the problem for which you set the stop trigger,
be sure to remove it.
1. From the Domino Administrator, click the Server - Status tab.
2. Open the Server Console view.
3. Click Pause or Stop to stop the logging of information to the console.
4. Do one:
v To remove a stop trigger, select Live Console - Local - Remove Stop Trigger.
v To set a stop trigger, select the event for which to set a stop trigger. Then from the menu, select
Live Console - Set Watch.
5. Do one to restart the Domino Administrator server console:
v If you clicked Pause, click Resume.
v If you clicked Stop, click Live.
For more information on setting Administration Preferences, see the chapter ″Setting Up and Using
Domino Administration Tools.″
The Statistic Collector task loads automatically on a server if it is in the task line of the NOTES.INI file.
In the Domino Administrator, the Statistic Collector starts when you start the Domino server monitor,
when you chart real-time statistics, or when you access the Server - Statistic tab. You can also set a
Monitoring Administration Preference so that the Statistic Collector task starts automatically when you
start the Domino Administrator. The Statistic Collector task continually adds new servers from which it
gathers statistics as you monitor or chart statistics from additional servers.
For example, in the Domino server monitor, if you begin monitoring the servers in the Acme1monitoring
profile, the Collector task begins collecting statistics from the servers listed in the Acme1 profile. Then if
you switch to charting and chart the statistics in the AcmeEast statistics profile, the Statistic Collector task
simply adds the servers in the AcmeEast statistics profile to the list of servers from which it is gathering
statistics. It does not stop gathering statistics from the servers in the first group you monitored in the
Acme1 profile.
For information on setting preferences, see the chapter ″Setting Up and Using Domino Administration
Tools.″
Field Action
Database to receive reports Enter the name of the database to store the reports. The default is
STATREP.NSF.
Collection report interval Enter the number of minutes between reports. The minimum is 15;
the default is 60.
The server console displays a list of all server statistics that are collected on your server. The following
replication-related statistics may appear:
Statistic Description
NotesMergedBack The destination note sequence is actually higher than the source.
Domino will assume a replication merge happened here and
update the source as well
NotesReceived If the NSF Database is the source database
NotesReopened There is a possible replication conflict; Or Domino couldn’t find a
corresponding item for an incremental note, therefore domino can’t
perform an incremental update and will try again with a full note
open.
NotesSent If the NSF Database is the destination database
Platform statistics
In addition to tracking server statistics, Domino tracks operating-system performance statistics. You can
view these statistics from the Domino Administrator, along with your Domino statistics, which helps you
with Domino server monitoring and tuning. You can include platform statistics in any statistic monitoring
task you perform with the Domino statistics, including using them in monitoring and statistic profiles,
and charting them.
There may be slight overhead incurred while running platform statistics, however the overhead is
insignificant. No disk space is consumed by enabling platform statistics, since no log files are created. As
with Domino statistics, disk space is used only if you log platform statistics to the log file or to the
Monitoring Results database (STATREP.NSF). The amount of disk space used depends on the frequency
of capture.
Note: If Logical Disk statistics do not appear, ensure that the sysstat package is installed on your server.
To determine whether iostat is enabled to allow continuous collection of disk statistics, enter the
following command:
lsattr -E -l sys0 -a iostat
If a value of false is returned for the system attribute, iostat, continuous collection of disk statistics is
disabled.
To enable the continuous collection of disk statistics, enter the following command:
chdev -l sys0 -a iostat=true.
To view a list of all statistics: To view a list of all statistics, use the Show Stat command.
For more information on server commands, see the appendix ″Server commands.″
For information on using the Platform command, see the appendix ″Server Commands.″
Using Perfmon on Windows 2000 systems: If you use Perfmon on Windows 2000, some counters may
report inaccurate information because of the way that Perfmon collects statistics. Logical disks that are
actually very busy may report average queue lengths of zero. Unplugged network adapters may show
traffic.
Network statistics: On Solaris, AIX, Linux, Linux on z/Series and OS/400®, Domino provides statistics
for a maximum of ten network adapters. On Windows 2000, there is no limit on the number of network
adapters. The loopback interface is not included in the list of adapters. On AIX, only Ethernet and token
ring network adapters are supported.
Process statistics: On Windows 2000, when you view process statistics, the Percentage Total Domino
CPU Utilization value may be greater than the Total System CPU Utilization. This is because the CPU
utilization value for each individual process is calculated based on the total number of processes used in
a sampling interval.
On Windows 2000, Domino process names include the letter ″n″ as a prefix. For example, in Perfmon,
Adminp -- the process name for the Administration Process -- is nadminp. To maintain
platform-independence in naming, Domino does not include the prefix on any platform statistics.
On Solaris, AIX, and OS/400 platforms, process statistics indicate how busy the processes are, but these
are not absolute values. On these platforms, the utilization is based on how busy the processes are in the
current sampling period as compared to how busy they were in the previous sampling period. For
example, if a process reports 30% utilization in the first sampling and 60% in the second, the process is
twice as busy.
On all platforms, by default, the performance statistics for processes that are idle have the value zero.
Logical disk statistics: On Windows 2000 and Solaris, the values for disk utilization counters may
exceed 100%, indicating that the disks are being heavily utilized. Similarly, on multiprocessor systems, the
individual CPU utilization for a process may exceed 100%, depending on the number of processors in the
system.
On OS/400, there are statistics for a maximum of ten logical disks (auxiliary storage pools).
System statistics: On Windows 2000 the value of the combined CPU utilization statistic
(Platform.System.PctCombinedCpuUtil) is not defined as sum of the user and privileged CPU utilization
values (Platform.PctUserCpuUtil and Platform.PctPrivilegedCpuUtil). However, on Solaris, Linux, Linux
for zSeries, and AIX, the value of the combined CPU utilization statistic is defined as sum of the user and
privileged CPU utilization values.
To view statistics reports: You can view a predefined set of platform statistics reports for each server.
For more information on viewing platform statistics reports, see ″Viewing statistics reports″ later in this
chapter.
You can create an operating system statistic for use as a template. You can create a new statistic template
that includes a variable. For example, you can create a statistic that includes the variable <portname>.
Then to collect statistics on more than one port, copy the statistic and replace the variable with the actual
port name.
When you create a statistic, you define the type of data the statistic will collect and the measurement
unit. You also specify whether it is an operating system statistic or a trended statistic.
Trended statistics are gathered by the Activity Trends Collector task, and used to provide activity trends
statistics information.
For more information about Activity Trends and resource balancing, see the topic Resource balancing in
Activity Trends.
For more information about Activity Trends and resource balancing, see the chapter ″Using Activity
Trends.″
Field Action
Statistic name Enter the name of the new statistic.
Data type Choose one:
v Text
v Number
v Time
Statistic unit Enter one:
v The unit in which the statistic is measured -- for example, bytes or minutes
v The word ″none,″ if this is a text statistic
Statistic description Enter a description of the statistic
Field Action
Threshold operator Select the condition against which to evaluate the threshold:
v Less than
v Greater than
v Multiple of
v Percentage of
Threshold value Enter a number.
Event severity Select the severity that will cause an alarm.
Suggested response (Optional) Enter an explanation of a how to resolve the event that
caused the alarm.
Useful in setup Click Yes to use the statistic during setup and include this statistic when
a new Monitoring Configuration database (EVENTS4.NSF) is created.
When you start the Stats task, Domino creates a mail-in database (STATMAIL.NSF) for the server. The
title of the mail-in database is server Stats/org. For example, for the Everest server in the Acme
organization, the mail-in database is titled Everest Stats/Acme. By default, during server registration, a
Mail-in Database document is created. This document, which is stored in the Domino Directory, defines
the properties and location of a database that can receive mail. To open the document from the Domino
Administrator, click the People & Groups tab, and then open the Mail-in Databases & Resources view.
You can mail all or a subset of statistics to yourself. The names of all statistics are listed on the
Configuration tab in the Monitoring Configuration - Names & Messages (Advanced) view. The category
for a statistic is the first part of the statistic name. For example, the category for the statistic Disk.C.Free
is Disk.
Field Action
To Enter the title of one or more mail-in databases for one or more servers.
Subject Do one:
v Enter a statistic category -- for example, disk or platform -- to get a subset of statistics.
v Enter the name of one statistic -- for example, Disk.C.Free.
v Use an asterisk to indicate a group of specific statistics. For example, enter Disk.C.* to report
all disk statistics for drive C.
v Leave the field blank to mail all server statistics.
Charting statistics
You can graphically display the statistics generated by Domino, by creating statistics charts. To chart sets
of statistics on a regular basis, you can define statistics profiles. Using statistics charts you can track and
visualize statistics in real time or historically. Real-time charts reflect the current server activity. Historical
charts pull information from the local Monitoring Results database (STATREP.NSF). You can also create
statistic profiles so that you can chart a specified set of statistics routinely.
For more information on setting Administration Preferences for statistic monitoring, see the chapter
″Setting Up and Using Domino Administration Tools.″
When you chart statistics, you choose the servers and the statistics to chart. Using the charting feature
you can:
v Create and edit statistic profiles
v Remove existing statistic profiles or combine them into a new one
v Gather historical statistics over a specified period of time
v View the details of each statistic
v View an isolated statistic
v Start and stop real-time charting dynamically
v Use right-click functionality to add a statistic event generator
To scale the data: Before you chart statistics that are in vastly different number ranges -- for example,
dead mail, which has a usual range of 0 to 10, and disk space, which might be in gigabytes -- enable
Autoscale. Disable Autoscale when you chart statistics that all have a low number range -- for example,
from 0 to 500
To change the layout of the panes: You can change the layout of the chart display using the
Performance Monitor menu or the layout button:
1. From the Domino Administrator, click Server - Performance.
2. From one of the Statistics charting views, choose Performance Monitor - Layout, and then choose one:
v Maximized -- To display only the statistic chart.
v Maximum Width -- To display the list of statistics and the statistic chart.
v Maximum Height -- To display the statistic chart and the server pane.
v Restore -- To restore the original layout.
To manipulate statistic performance charts: The following table describes ways to view the information
on statistics performance charts.
Task Action
Stop or start the charting Click the Stop/Start button.
Get a numerical representation of a graphical Click the statistic in the profile list. Then look at the bar area
statistic between the profile list and the chart.
Get a textual representation of the statistic Double-click the chart to display a document that you can edit and
chart print.
Chart an isolated statistic Double-click a graph line.
To add or remove a statistic: You can add or remove a statistic or a server from a statistic chart without
affecting the statistic profile.
1. Select the statistic profile.
2. Do any of the following:
Task Action
Dynamically remove a statistic from the chart displayed In the profile list, clear the check box next to the statistic.
Dynamically add a statistic Click Add, and then select a statistic.
Dynamically add a server Click the down arrow, and then select a server.
Dynamically remove a statistic Select a statistic in the profile list, and then click Remove.
Task Action
Add a statistic 1. Click Add.
2. Select the Domain and server, and then select the statistic.
3. Click Add Statistic.
Add a server 1. Click the down arrow next to the Add button, and then click
Add Server.
2. Specify the Domain and server, and then click Add.
Delete (remove) a statistic from a profile Select the statistic, and click Remove.
Delete the entire profile 1. Select the name of the profile in the Statistics profile field.
2. Click Performance Monitor - Saved Statistics Profiles - Delete.
1189
Note: Rebooting is not supported on the zSeries® (S/390) platform.
As a security feature, these functions are not available by default. Each function must be configured on a
per-server basis.
The most important additional state is whether the server has been disabled intentionally. This avoids
situations such as paging support staff during periods of routine maintenance.
The method for determining the server state is a pulse between LNSNMP and its Domino server add-in
tasks (first the QuerySet Handler or else the Event Interceptor). Traps 13 and 16 get raised only if
LNSNMP first determines that the server is working by communicating with the SNMP add-in tasks.
Traps are not raised if the server starts up with a problem. Trap 16 will occur if the trap 13 condition
persists (server not responding); in other words, you will see a trap 13 before you see a trap 16.
TimeStamp -- Time stamp is converted to UNIX Epoch format. Note that this is the server’s time stamp,
not the console’s.
Text -- The Event Message (in the local language of the server).
Note: All of these fields come directly from the Domino server except for the Seq field.
Type codes are numeric and correspond to the respective Event Types seen in Domino Event Monitors:
0 Unknown
1 Comm
2 Security
3 Mail
4 Replica
5 Resource
6 Misc
7 Server
8 Statistic
9 Update
Severity codes are numeric and correspond to the respective Event Severities seen in Domino Event
Monitors:
0 Unknown
1 Fatal
2 Failure
3 Warning (high)
4 Warning (low)
5 Normal
SNMP security
SNMP version 1 is not a secure protocol. SNMP’s native security uses only community names and IP
addresses. All sites should review deployment of the Domino SNMP Agent with their security staff.
However, the control functions provided by the Domino SNMP Agent do not present significant security
risks (for example, access to the console or databases is not affected).
Note: Some Domino statistics are in floating-point format. SNMP version 1 does not support
floating-point numbers, truncating these statistics to integers.
System requirements
System requirements for the Domino SNMP Agent are listed below.
Linux requirements
v Linux native TCP/IP.
v An extensible Master SNMP Agent that supports the SMUX protocol (RFC 1227), such as UCD-SNMP
4.1 or later (4.2.3 or later is strongly recommended), or NET-SNMP 5.0 or later. UCD-SNMP and
NET-SNMP are distributed by http://www.net-snmp.org and must be built to include SMUX support
by first running their source configure script with ″--with-mib-modules=smux″ as an argument. A
suitable version of the NET-SNMP 5.0.7 Master Agent is included with Domino for Linux.
Solaris requirements
v Solaris® native TCP/IP.
v An extensible Master SNMP Agent that supports the SMUX protocol (RFC 1227), such as UCD-SNMP
4.1 or later (4.2.3 or later is strongly recommended), or NET-SNMP 5.0 or later. UCD-SNMP and
NET-SNMP are distributed by http://www.net-snmp.org and must be built to include SMUX support
by first running their source configure script with ″--with-mib-modules=smux″ as an argument. A
suitable version of the NET-SNMP 5.0.7 Master Agent is included with Domino for Solaris.
Note: Prior versions of Domino have included the PEER Networks Master SNMP Agent for Solaris.
You can continue using the PEER Networks Master SNMP Agent with this version of Domino, but it is
no longer distributed or supported.
z/OS requirements
v See the most recent Lotus Domino z/OS Installation Guide for current requirements.
Note: Before configuring the Domino SNMP Agent on a partitioned server, see the topic Special
considerations for partitioned servers.
1. Perform the platform-specific procedure:
v Windows
v AIX
v Linux
v Solaris
v OS/390
2. Complete the configuration.
If you want to use the Domino SNMP Agent on only one of your partitions, then configure it on that
partition just as you would on any server. Do not configure it on any other partitions. With this option,
you will get full functionality and control for one server partition. It is not necessary to configure the
LNSNMP.INI as described below.
If you want to use the Domino SNMP Agent for out-of-band control on multiple partitions, configure it
on each partition. With this option, you can control servers individually and receive SNMP traps for each
partition, but you lose the ability to query certain branches of the lnInfo branch of the MIB, including all
Domino server statistics. It’s also not possible to use SNMP to start a server that hasn’t otherwise been
started since SNMP was itself started. If you don’t need to use SNMP to start partitions, it is not
necessary to configure the LNSNMP.INI as described below.
If you want to manage multiple partitions and always be able to start their servers using SNMP, then it’s
necessary to configure those partitions into LNSNMP.INI as described below. Configuring LNSNMP.INI
also causes the virtual rows in the MIB’s lnServerTable to be allocated in the order specified in
LNSNMP.INI instead of in the order that the partitions are started. The MIB’s lnServerTable contains a
virtual row for each partition, so having prior knowledge about which row will represent a particular
partition could simplify certain management functions.
The Windows operating system limits all SNMP traps to using one IP address. On UNIX, each partition
needs a separate DNS entry in order to distinguish each trap origin. On the client side, while traps from
partitions will be received, not all SNMP consoles can associate traps from partitions to map objects. In
particular, due to a limitation of WINSNMP, which is used with OpenView Professional Suite, it cannot
assign traps to Domino icons.
Note: By adding a server to LNSNMP.INI you’re implicitly allowing SNMP to start that server if asked to
do so. The server may then disallow further SNMP initiated starts once its own configuration options
become known. This situation becomes possible each time the Domino SNMP Agent is started because
the Domino SNMP Agent does not retain server configuration information when it is stopped.
1. Create a file called LNSNMP.INI in the appropriate directory depending on platform:
v Windows: Windows System directory
v AIX, Linux or Solaris: /opt/lotus
v zOS (OS/390): /opt/lotus
Note: These are the recommended directories. However, LNSNMP.INI can be in any path in the
PATH environment variable that you like.
2. Edit the file and include one line for each server partition with the following format:
Server=<Data_Directory>;<Server_Name>;<Domino_Partition_Number>
Data_Directory: The directory that is the server’s Domino data directory for a given partition
Server_Name: The name of your Server
Domino_Partition_Number: This value is arbitrary because Domino no longer uses numbers to
uniquely identify partitions. However, for historical reasons, a value must still be present.
For example, if you have a UNIX server with two partitions and data directories of
/home/domino/venus and /home/domino/saturn, your LNSNMP.INI file should look like this:
Server=/home/domino/venus;Venus Server;1
Server=/home/domino/saturn;Saturn Server;2
Troubleshooting
If LNSNMP does not start properly, then check that the LNSNMP.INI file is correct. LNSNMP will always
attempt to reference the LNSNMP.INI file.
Note: Before using the Domino SNMP Agent, make sure TCP/IP and SNMP are properly installed and
configured on the server. Also, make sure that the Domino executable and the Domino data directories
are in your search path.
Tip: If you need to add the Windows SNMP Service to your system, be prepared to reinstall any
Windows service packs immediately after adding the Windows SNMP Service.
Tip: The Windows SNMP Service is configured by double-clicking the Network icon in the Control
Panel, then selecting the Services tab, then selecting SNMP Service, and then clicking the Properties
button. You will want to configure appropriate trap destinations and community names for your remote
management infrastructure.
Note: The Domino SNMP Agent is configured as a Windows Service and is set up to run automatically.
This means that once the Domino SNMP Agent is configured, it is virtually always running, even when
Domino is not. If you later upgrade Domino you should stop the LNSNMP and Windows SNMP Services
before beginning the upgrade process.
1. Stop the LNSNMP and SNMP services. Enter these commands:
net stop lnsnmp
net stop snmp
2. Configure the Lotus Domino SNMP Agent as a service. Enter this command:
lnsnmp -Sc
3. Start the SNMP and LNSNMP services. Enter these commands:
net start snmp
net start lnsnmp
You have completed the Windows-specific portion of the Domino SNMP Agent configuration. You should
now follow the instructions found in Completing the Configuration of the Domino SNMP Agent.
Note: Before using the Domino SNMP Agent, make sure TCP/IP and SNMP are properly installed and
configured on the server. Also, make sure that the Domino executable and the Domino data directories
are in your search path.
Tip: The trap destinations and community names for AIX are configured in the /etc/snmpd.conf file.
You will want to configure appropriate trap destinations and community names for your remote
management infrastructure. Remember to keep the view identifiers unique for each trap destination.
Note: All the following commands should be executed as the root user.
1. Stop the LNSNMP process. Enter this command:
lnsnmp.sh stop
2. Stop the SNMPD subsystem. Enter this command:
stopsrc -s snmpd
3. Configure SNMPD to accept LNSNMP as an SMUX peer. Add the following line to
/etc/snmpd.peers:
"Lotus Notes Agent" 1.3.6.1.4.1.334.72 "NotesPasswd"
4. Configure SNMPD to accept an SMUX association from LNSNMP. Add the following line to
/etc/snmpd.conf or /etc/snmpdv3.conf, depending on whether your system uses the SNMPv1 or
SNMPv3 master agent:
smux 1.3.6.1.4.1.334.72 NotesPasswd
5. Start the SNMPD subsystem. Enter this command:
startsrc -s snmpd
6. Start the LNSNMP process. Enter this command:
lnsnmp.sh start
7. Create a link to the LNSNMP script. Enter this command, changing the Domino executable path if
necessary:
ln -f -s /opt/ibm/lotus/notes/latest/ibmpow/lnsnmp.sh /etc/lnsnmp.rc
8. Arrange for LNSNMP to be restarted after a reboot. Add the following line to the end of
/etc/rc.tcpip:
/etc/lnsnmp.rc start
You have completed the AIX-specific portion of the Domino SNMP Agent configuration. You should now
follow the instructions found in Completing the Configuration of the Domino SNMP Agent.
Note: Before using the Domino SNMP Agent, make sure TCP/IP and SNMP are properly installed and
configured on the server. To use the NET-SNMP Master Agent provided, refer to Using NET-SNMP with
the Domino SNMP Agent. Otherwise, verify that your Master SNMP Agent supports the SMUX protocol,
per RFC 1227. Ensure that the Domino executable and the Domino data directories are in your search
path.
Tip: If you are using the NET-SNMP Master Agent provided, the trap destinations and community
names are configured in the /etc/net-snmpd.conf file. Otherwise, refer to the documentation for the
master agent technology you are using. Configure appropriate trap destinations and community names
for your remote management infrastructure.
Note: The Domino SNMP Agent is set up to run automatically. This means that once the Domino SNMP
Agent is configured, it is virtually always running, even when Domino is not. If you later upgrade
Domino, stop the LNSNMP process before beginning the upgrade process.
You have completed the Linux-specific portion of the Domino SNMP Agent configuration. Follow the
instructions found in Completing the Configuration of the Domino SNMP Agent.
Note: Before using the Domino SNMP Agent, ensure that TCP/IP and SNMP are properly installed and
configured on the server. To use the NET-SNMP Master Agent provided, refer to Using NET-SNMP with
the Domino SNMP Agent. Otherwise, verify that your Master SNMP Agent supports the SMUX protocol,
per RFC 1227. Ensure that the Domino executable and the Domino data directories are in your search
path.
Tip: If you are using the NET-SNMP Master Agent provided, the trap destinations and community
names are configured in the /etc/net-snmpd.conf file. Otherwise, refer to the documentation for the
master agent technology you are using. Configure appropriate trap destinations and community names
for your remote management infrastructure.
Note: The Domino SNMP Agent is set up to run automatically. Once the Domino SNMP Agent is
configured, it is virtually always running, even when Domino is not. If you later upgrade Domino, stop
the LNSNMP process, before beginning the upgrade process.
You have completed the Solaris-specific portion of the Domino SNMP Agent configuration. Follow the
instructions found in Completing the Configuration of the Domino SNMP Agent.
Before using the Domino SNMP Agent, ensure that TCP/IP and SNMP are properly installed and
configured on the LPAR. Also, verify that the Domino executable and the Domino data directories are in
your search path. We only support community-based security (SNMPv1 / SNMPv2 formats).
If you do not have SNMP configured on your LPAR, see the following IBM documentation to configure
SNMP:
v z/OS Communications Server: IP Configuration Guide, SC31-8775
v z/OS Communications Server: IP Configuration Reference, SC31-8776
The SNMP agent and subagents record trace information via the z/OS UNIX System Services syslog
daemon using the daemon facility. If you are using SNMP, set up the syslog daemon. For detailed
information regarding syslogd and specifying the daemon facility in the /etc/syslog.conf configuration
file, see the z/OS Communications Server manuals listed above.
To verify that SNMP is configured correctly, enter the following command from within Unix System
Services:
osnmp -h <host name> walk system
If the output from the osnmp command does not resemble the sample output, SNMP is not correctly
configured. Verify that you have SNMP configured correctly by reviewing the z/OS Communications
Server manuals prior to continuing. You need to be aware of the following when setting up SNMP for
Domino:
1. If you include a SACONFIG statement in your TCP/IP profile, verify that the statement in your
profile is similar to the following example:
SACONFIG ENABLED COMMUNITY public AGENT 161 SETSENABLED
You can replace public with any password you prefer. If you choose to change the password, and you
use a password in /etc/pw.src, verify that you have also changed that password.
2. Verify that port 161 is reserved in your TCP/IP profile.
PORT
161 UDP OMVS ; SNMP Agent
3. Verify the procedure OSNMPD is configured correctly and that it starts after every IPL.
Note: Before setting up the OSNMPD procedure, review the ″ z/OS Communications Server: IP
Configuration Guide″ which contains important information about data set naming and search
sequences.
The following is an example of an OSNMPD EXEC card:
//OSNMPD EXEC PGM=EZASNMPD,REGION=4096K,TIME=NOLIMIT,
// PARM=(’POSIX(ON) ALL31(ON)’,
// ’ENVAR("RESOLVER_CONFIG=/etc/resolv.conf"’,
// ’"OSNMPD_DATA=/etc/osnmpd.data")’,
// ’/-d 0’)
4. Mibs.data, osnmpd.data, pw.src and snmptrap.dest are not required for running the Domino SNMP
agent. However, if you choose to use these members, they must be set up correctly. Verify that these
members in /etc have Read access for user, group and other.
(rwxr - - r -)
If mibs.data and osnmpd.data are not in /etc, or if they are from a previous level, you can obtain the
current level from TCPIP samples located in /usr/lpp/tcpip/samples.
Note: Ensure that osnmp.conf is not located in /etc, because it is reserved for user-based security.
Tip: Trap destinations are defined in the SNMPTRAP.DEST dataset. Configure appropriate trap
destinations and community names for your remote management infrastructure.
5. If you are using /etc/pw.src or /etc/snmpd.conf, verify that they have the correct hostname as well
as the IP address for the Domino server. Hostnames are case-sensitive. Enter the following command
from within Unix System Services to obtain the correct host name for your system.
hostname
Note: Automatic start of the Domino SNMP Agent is not supported on z/OS.
2. When lnsnmp is started, verify that SNMP is aware of the Domino MIB by entering the following
commands:
osnmp -h <host name> walk system
The output should include this line:
1.3.6.1.2.1.1.9.1.3.3 = Lotus Domino SNMP Agent
osnmp getnext 1.3.6.1.4.1.334.72
The following should be displayed:
1.3.6.1.4.1.334.72.2.1.0 = 2
The value returned should have an OID number that starts with 1.3.6.1.4.1.334.72. This confirms that the
SNMP Agent is receiving the request, forwarding it to lsnmp, and that lsnmp is returning a valid value.
If you do not see the appropriate responses shown above, or if the getnext response is for an OID outside
of the Lotus Domino MIB, additional debugging is required. Start an SNMP Agent trace at level 255.
To determine whether there are additional things to check for and to obtain information about setting up
an SNMP Agent trace, see informational APAR II13477.
For more information, see the topics Creating a statistic event generator and Creating an event handler.
Note: If the server ID is password protected, the Domino SNMP Agent cannot be used to remotely
restart a Domino server. SNMP cannot pass a password parameter to the server.
Note: It may not be possible for SNMP to start a server until that server has identified itself to the
Domino SNMP Agent. To prevent this situation, include information about the server in the lnsnmp.ini
file.
The Allow Server Start and Allow Server Stop configuration options are in the SNMP tab of the server
Configuration Settings document.
To initiate a server start or server stop, the remote management console must set the lnServerTblSetState
MIB object. In the case of a non-partitioned server, the lnNotesServerSetState MIB object can also be used.
For a partitioned server, all running partitions must configured to allow a system reboot. If one running
partition is configured to not allow a system reboot, then the reboot is not performed.
The Allow System Reboot configuration option is on the SNMP tab of the server Configuration Settings
document.
To initiate a system reboot, the remote management console must set the lnRemoteReboot MIB object.
Microsoft Windows
To stop the Lotus Domino SNMP Agent service, enter this command:
net stop lnsnmp
To start the Lotus Domino SNMP Agent service, enter this command:
net start lnsnmp
IBM AIX
To stop the lnsnmp process, enter this command as root:
/etc/lnsnmp.rc stop
Linux
To stop the lnsnmp process, enter this command as root:
/etc/init.d/lnsnmp stop
Solaris
To stop the lnsnmp process, enter this command as root:
/etc/init.d/lnsnmp stop
z/OS
To start the lnsnmp process, from an OpenEdition command line, enter this command as a uid=0 user:
lnsnmp.sh start
Follow the instructions below to use the NET-SNMPD provided with Domino.
Note: Before using NET-SNMPD, disable any existing Master SNMP Agent. For information on disabling
an existing Master SNMP Agent, see your Master SNMP Agent’s documentation.
You have completed the installation of NET-SNMPD on Linux. Configure and start NET-SNMPD as
explained below.
You have completed the installation of NET-SNMPD on Solaris. Configure and start NET-SNMPD as
explained below.
Configuring NET-SNMPD
Update the /etc/net-snmpd.conf file with appropriate trap destinations and community names for your
remote management infrastructure. Trap destinations are set using the trapsink directive. Community
names are set using the rocommunity and rwcommunity directives.
To stop NET-SNMPD, log on as the root user and enter this command:
/etc/net-snmpd.sh stop
For Domino, the NET-SNMP 5.0.7 package was configured and built with the following options:
--enable-shared=no
--with-default-snmp-version=3
--with-logfile=/var/log/snmpd.log
--with-mib-modules=smux
--with-openssl=no
--with-persistent-directory=/var/net-snmp
--with-sys-contact=Unknown
--with-sys-location=Unknown
Note: If you use the NET-SNMPD provided with Domino, you do not need to create or configure your
own NET-SNMP Master Agent. Both have been done for you.
Note: The Domino MIB is actually used by the Domino server, specifically the QuerySet add-in task, so a
copy of the Domino MIB must remain in the Domino executable directory.
If you are running multiple versions of the Domino SNMP Agent in your network, for instance, because
of migration, your management stations should use the MIB corresponding to the latest installed version
of the Domino SNMP Agent.
0=1,FirstEntry,2,LOG,MAP,BELL,NONE,NONE,NONE,X0,$5
2=3,1,7,LOG,MAP,NOBELL,NONE,NONE,NONE,X2,$5
3=4,2,8,LOG,MAP,NOBELL,NONE,NONE,NONE,X3,$5
4=5,3,1,LOG,MAP,NOBELL,NONE,NONE,NONE,X4,$5
5=11,4,3,LOG,MAP,NOBELL,NONE,NONE,NONE,X5,$5
The third field after the equals sign controls the OpenView severity (see section ″Trap Definition Entry″ in
the OpenView Programmer’s Guide):
4 - Unknown
11 - Unmanaged
2 - Informational
9 - Disabled
3 - Normal
10 - Marginal
1 - Warning
8 - Minor
7 - Major
0 - Critical
Removing traps
To remove these traps, log in as root, and run:
removetrap -n "Notes"
Upon completion, you receive the message ″Enterprise has been removed.″
Each can respond to MIB requests. You can test them together or sequentially to determine which pieces
are responding. You should use the community name configured into your Master SNMP Agent.
Test the:
v Base system MIB variable, for example, iso.org.dod.internet.mgmt.mib-2.system.sysDescr
(.1.3.6.1.2.1.1.1.0), to determine if the platform’s SNMP Agent is working and to find out which version
of the platform-specific Master SNMP Agent is running.
If this fails, you can (ICMP) ping the server to determine if TCP/IP is responding. If TCP/IP is
running, check the community name used by the server’s Master SNMP Agent. If you cannot verify the
community name, try the ″public″ community name.
Refer to your SNMP management software documentation for specific instructions.
v MIB variable to determine if the Domino SNMP Agent is working, for example,
iso.org.dod.internet.private.enterprises.lotus.notes.mpaInfo.lnMainProxyAgentVersion
(.1.3.6.1.4.1.334.72.100.1.0), which indicates the version of the Domino SNMP Agent.
QuerySet sends a ″heartbeat″ to the Domino SNMP Agent every few seconds. If the Domino SNMP
Agent is not running, you will receive the following message for each failed heartbeat at the Domino
server console:
Lotus Domino SNMP Agent is not available.
The message stops if you start the agent or tell the QuerySet Handler to quit running.
v MIB variable to determine if the QuerySet Handler is working, for example,
iso.org.dod.internet.private.enterprises.lotus.notes.lnInfo.lnQSBuildNumber (.1.3.6.1.4.1.334.72.1.5.0),
which indicates the version of the QuerySet Handler.
If the other variables are successful, but the QuerySet Handler is not responding, verify that the task is
running using the Show Tasks command on the Domino console. You can perform this test remotely if
you are authorized, or you can open a database, such as the Domino Directory, with the Notes client to
verify the server is running.
The Server Health Monitor extends the usefulness of traditional performance troubleshooting by
automatically calculating health statistics, comparing those statistics to predefined thresholds, and
reporting on overall server health. If the server health rating is Warning or Critical, a health report, which
is stored in the Health Monitoring database (DOMMON.NSF), suggests short-term and long-term
recommendations for tuning the server and returning its performance status to Healthy.
The Server Health Monitor is incorporated into the Domino server monitor, which is part of the Domino
Administration client. All health statistics generated by the Server Health Monitor are local to the
Domino Administration client.
For each server being monitored, the Server Health Monitor reports a health rating for the server and for
all enabled individual server components -- namely, CPU, disk, memory, and network utilization; NRPC
name lookup; mail delivery latency; and server, HTTP, LDAP, and IMAP response.
The health rating of each server and server component is based on a collection of indices. Health ratings,
such as healthy, warning, or critical, are assigned, based on these index values. Each index has a
calculated value between 0 and 100. These values are based on server health monitoring assessment
algorithms and rules. Each index has two related thresholds: a warning threshold and a critical threshold.
When the index value is less than both thresholds, the server or server component is rated Healthy. When
the index value is greater than the warning threshold, the server or server component is rated Warning.
When the index value is higher than the critical threshold, the server performance is judged to be Critical
and requires immediate attention.
The Server Health Monitor includes threshold values for each index on these platforms: AIX, IBM eServer
iSeries (OS400), IBM eServer zSeries (Z/OS), Linux Intel, Solaris/Sparc and Windows 2000. You can
modify the thresholds to customize server assessment for each platform. You reduce or increase the
thresholds to make the algorithms more or less sensitive.
Health Monitoring reports on each server area for which data can be retrieved. If no data is available,
nothing is reported for that component. You can customize this behavior by specifying which servers you
want to monitor. You can exclude any component from the health report, which is useful for filtering out
known situations about which you don’t want to be constantly reminded.
If you use the Server Health Monitor, the Current Reports view of the Health Monitoring database
(DOMMON.NSF) displays a health rating for each monitored server and server component.
1209
Table of Server Health Monitor statistics
The Server Health Monitor reports a statistic for the overall server and for individual components. Each
statistic corresponds to a rating. Occasionally, the Server Health Monitor assigns the rating of Unknown.
This happens when the Domino Administration client workstation performs at 100 percent of its CPU
capacity for an extended period of time. If this happens you may need to make some adjustments to
improve the performance of the Server Health Monitor.
Server Health reports are stored in the Health Monitoring database (DOMMON.NSF).
For information on how to improve the performance of the Server Health Monitor, see the topic
″Improving the performance of the Server Health Monitor,″ later in this chapter.
Health.Overall.Value <
Health.Overall.Threshold.Warning
Health.Overall.Threshold.Warning < = Warning One or more server components are
Health.Overall.Value approaching unacceptable levels of poor
performance.
and
Health.Overall.Value <
Health.Overall.Threshold.Critical
Health.Overall.Threshold.Critical <= Critical One or more server components are
Health.Overall.Value failing to perform acceptably.
and
Health.Overall.Value <= 97
98 = Health.Overall.Value Critical One or more server tasks issued a fatal
error message.
99 = Health.Overall.Value Critical One or more tasks are not responding.
100 = Health.Overall.Value Server Down The server is not responding.
Health.*.Value< Health.*.Threshold.Critical
Health.*.Threshold.Critical <= Health.*.Value and Critical The component is failing to perform
acceptably.
Health.*.Value <= 97
98 = Health.*.Value Fatal The task associated with the component
issued a fatal error message.
99 = Health.*.Value Not Responding The task associated with the component is
not responding.
Server ratings
Rating Description
Never Seen The server has never been seen running during the current server monitor session.
Healthy The server is performing within acceptable tolerances.
Warning One or more server components are approaching unacceptable levels of poor
performance.
Critical The server is experiencing one or more of these critical problems:
v One or more server components are failing to perform acceptably
v One or more tasks on the server have issued a fatal error
v One or more tasks on the server are not responding
Server Down The server is not responding; therefore, it isn’t responding to requests for statistics.
Component ratings
Rating Description
Healthy The server component appears to be running correctly.
Warning The server component is approaching unacceptable levels of poor performance.
Critical The server component is failing to perform acceptably.
Fatal The task related to this component has issued a fatal error.
Not Responding The task related to this component is not responding.
Before you start the Server Health Monitor: The Server Health Monitor does not require any specific
Domino server configuration, but you can generate more accurate reports by following these guidelines:
v Enable platform statistics on the server. Platform statistics are enabled, by default, in Domino. Follow
the specific instructions for your platform. You may need to perform additional steps to ensure that
platform statistics are working and are fully enabled on your platform.
v Make sure you have at least View-only Administrator rights for every server you want to monitor.
v Use a TCP server event generator as a self probe to create Quality of Service (QOS) statistics.
For information on setting up platform statistics and using TCP Server Event Generators, see the
chapter ″Monitoring the Domino Server.″
Occasionally, you may want to exclude a component manually. For example, if you know that a
particular server has a disk I/O bottleneck, exclude the Disk Utilization component so that it doesn’t
adversely affect the server’s overall health rating.
Server components that are selecting components manually display a pencil icon next to the server name.
If there is no pencil icon, the components are being selected automatically.
For more information on creating event generators and event handlers, see the chapter ″Monitoring the
Domino Server.″
Tip: If you are not sure what the polling value is, click Monitoring and locate the value for ″Poll
servers every <n> minutes (1-60 mins).″
Keep these considerations in mind if you decide to modify threshold values. First, have a strategy in
mind before you change the them. Your strategy should address your system performance needs and
reflect your philosophy toward managing servers. Second, if you change threshold values remember that
you have done so. Changing any system configuration parameters or adjusting user workload behavior
might also have a future impact on these settings. And finally, remember that changing threshold values
inappropriately may result in health values that do not accurately reflect server capacity and availability.
If you get results that seem inaccurate, restore the default threshold values.
If you later decide to restore the default threshold values, perform Steps 1 through 5 above and then click
Restore Defaults.
HEALTH_REPORT_PURGE_AFTER_N_DAYS=n
By default, when you start the Domino server monitor, it begins monitoring servers in the last profile that
was selected when you shut down the Domino server monitor. The servers in each subsequent profile
that you monitor, are added to those servers previously monitored. If you monitor several different
profiles in a single session, the number of servers monitored may be quite lengthy, which may impact the
performance of the Server Health Monitor. To clear the list of servers monitored, stop and then start the
Domino server monitor.
You can also customize which profiles to monitor upon startup, by specifying profiles you want to
monitor in the background, no matter which profile was monitored when you shut down the Domino
server monitor.
You can perform the following tasks when you work with monitoring profiles:
v Creating monitoring profiles in the Domino server monitor
v Modify a system profile
v Specify monitoring profiles to monitor when you start the Domino server monitor
For more information on creating and modifying server profiles, and specifying which profiles to monitor
when you start the Domino server monitor, see the chapter ″Monitoring the Domino Server.″
For example, if the Memory Utilization component receives a Warning rating, the short-term solution
may be to check the server for unnecessary processes that have been loaded. The long-term
recommendation may be to add memory or to check the server’s page-file allocation.
Note: A red exclamation mark next to a server indicates a configuration issue. Read the server health
report for information on configuration issues.
To exclude a server from a monitoring profile: Use this procedure when you do not want to see the
continued output of the server health rating for the server, but you want to continue listing the health
report for the server in the Health Monitoring database.
1. From the Domino Administrator, click the Server - Monitoring tab.
2. Select the server you want to remove and right-click. From the menu, choose ″Remove Server.″
3. Click the Stop button.
The next time you press the Start button, the server will no longer be monitored. However, it will
continue to be listed in the current health report view.
To exclude a server from generating Health Reports: Use this procedure when you do not want to
monitor the server and do not want to continue receiving health reports on it in the Health Monitoring
database.
1. Perform the steps listed above to exclude temporarily the server from the server monitor view.
2. From the Domino Administrator, click the Files tab.
3. Open the Health Monitoring database (dommon.nsf), and open the Configuration - Server
Components view.
4. Delete the Health Monitoring Server Configuration document for the server being excluded.
5. Open the Health Reports - Current Reports view and delete the current health report and all the
response documents for the server.
6. (Optional) Open the Health Reports - Historical Reports view and delete the historical health reports
and the associated response documents for the server.
For more information on enabling statistic reports, see the topic ″Setting up the Server Health Monitor,″
earlier in this chapter.
You can chart real-time and historical performance of Server Health statistics. Real-time health statistics
are gathered by the Statistic Collector server task in the Domino Administrator and are stored in memory,
for use when charting real-time statistics. Historical health statistics are created from the historical
statistics information stored in the local Monitoring Results database (STATREP.NSF).
You can also create statistic profiles to monitor groups of servers and associated statistics routinely. There
is a limit of 25 statistics in each statistic profile.
You can perform the following tasks when charting server health statistics:
v Create statistics profiles
v Modify statistic profiles
v Display statistic charts
For information on creating statistic profiles and charting statistics, see the chapter ″Monitoring the
Domino Server.″
Domino domain monitoring (DDM) provides one location in the Domino Administrator client that you
can use to view the overall status of multiple servers across one or more domains, and then use the
information provided by DDM to quickly resolve problems. DDM requires a Domino 7 server.
DDM uses configurable probes to gather information across multiple servers and then consolidates and
reports that information on specially-designated collection servers in the Domino Domain Monitor
database (DDM.NSF). A probe is a discrete check, or set of checks, configured to run against one or more
servers, databases, and services. The probe returns status and server health information to DDM.NSF.
Probes run according to a default schedule, a schedule that you specify, or on an as-needed basis as
determined by the probe and the events on the server.
1219
To gather and report information across multiple servers and domains, DDM uses a collection hierarchy
consisting of servers that collect information from other servers, and node servers from which the
information is collected. All event information is stored and consolidated in the Domino Domain Monitor
that you can view. You specify the collection hierarchy, that is, which servers are collection servers and
which are node servers. A collection hierarchy can be multi-tiered with collection servers collecting from
other collection servers, but that is not required for DDM to run. As with the DDM probes, the collection
hierarchy is easy to create and modify in a configuration user interface in the Monitoring Configuration
database (EVENTS4.NSF).
Note: If the Domino Directory design has not been upgraded to Domino 7, the servers that display when
creating or maintaining probes may include non-Domino 7 servers from the domain. Be certain to specify
Domino 7 servers when setting up or maintaining probes.
DDM probes
Domino has a default set of DDM Probe documents that are shipped with the product. These documents
contain the following information about the DDM probes:
v A general description of the probe, including its purpose and intended use.
v Probe type and probe subtype, for example, messaging is a probe type and one of its associated probe
subtypes is router process state. This combination of probe type and probe subtype creates a mail
router status probe.
v Configurable specifics on what the probe monitors and how it should report, for example, thresholds
for events it generates.
v Configurable probe targets, that is, which servers, database, etc., that the probe runs against.
v Where applicable, configurable scheduling information.
Probe configuration information is set and stored in individual Probe documents stored in the Monitoring
Configuration database (EVENTS4.NSF). You can create multiple probes for each feature area and
individually configure each probe to run selective checks against specific servers and/or databases at
specific times.
You can use the default Probe documents with their default settings to get you ″up and running″ with
DDM or you can configure probes to run in a manner that is specifically tailored to your organization by
creating new Probe documents in which you define and customize your own probes. To use the probes
that are defined with the default Probe documents, enable those probes in DDM.
For more information about enabling DDM probes, see the topic Enabling and disabling DDM probes.
Example:
v A Web Best Practices probe is set to run weekly, every Tuesday at 3:45 A.M. The ″How should missed
probes be handled″ field is set to ″Run missed probe at startup″.
v You change the schedule or you reset the ″How should missed probes be handled″ value for the probe.
The change is made on one server, but the change has not yet replicated to all servers in the domain.
v You launch a server. The probe runs according to the original schedule because the updated schedule is
not recognized until the schedule change has replicated to all servers in the domain.
You can schedule probes to run daily, weekly, on a specific day during the month, or at almost any other
time. You also specify the repeat interval for the probe. You can schedule probes to run on individual
servers or on groups of servers.
Set up the probe schedule on the Schedule tab of the Probe document when creating or editing a probe.
If the DDM database (DDM.NSF) contains unusual Event documents, or documents that were generated
or updated at unexpected times, determine whether a schedule change was made to the Probe document
for the probe that generated the Event documents. A probe schedule change may have generated
unexpected Event documents.
Application probes monitor server-based scheduled agents that the Agent Manager runs and server-based
Web agents that the Domino HTTP process runs. On a daily basis, each application probe identifies the
100 most problematic agents in each probe subtype.
The Application Code -- Long running agent probe, which identifies potential run-away agents, generates
a ranked list of agents that have run the longest. The list of 100 daily problems is restarted each day at
midnight for HTTP probes and at a cache refresh time for Agent Manager probes, as specified in the
Server document. The minimum configuration for scheduled agents run by the Agent Manager is five
minutes, which corresponds to the polling interval. The minimum configuration for We agents run by the
HTTP process is one minute, which corresponds to the polling interval. The polling interval is not
configurable. When the probe is enabled, all agents are monitored.
The Application Code -- Agents ranked by memory usage probe tracks memory use of LotusScript and
Java agents. The ranking for the same agent may differ when the agent runs in Agent Manager as
compared to when it runs in HTTP. If HTTP is configured to run concurrent agents, the memory is
shared by concurrently-executing agents. Therefore, the threshold for rankings depends, in part, on the
current server setting for the maximum number of HTTP active threads, whether the Web agents are
configured to be executed concurrently, and on the memory used by the agent. When the probe is
enabled, all agents are monitored.
Note: HTTP probes (Web agent probes) are not available for AIX, Linux and Linux on zSeries.
Another type of probe does not require any configuration on your part, is always running, and identifies
several error conditions. This probe does not limit its error reporting to 100 errors. It monitors the
following conditions:
v Agent security errors
v Disabled agents for the design update task
v Agents that terminate abnormally when the maximum time to run is exceeded
v Full-text search operations performed on databases that are not full-text indexed
This table contains the names and descriptions of the Application Code probes that you can define. For
information about configuring the Application Code probes, see the topic Creating Application Code
probes.
Field Action
Probe Subtype Choose one:
v Agents behind schedule
v Agents ranked by CPU usage
v Agents ranked by memory usage
v Long running agents
Probe Description Type a short description of the probe.
Which servers should run this probe? Choose one:
v All servers in the domain -- The probe monitors all
servers in the domain.
v Special target servers -- Specify the type of servers that
will run the probe, such as POP3 servers or the
administration server for the Domino Directory.
v Only the following servers -- Specify the servers on
which the probe will run.
Which process should be probed? Choose one:
v Agent Manager -- Monitors scheduled agents that the
Agent Manager runs.
v HTTP -- Monitors agents that are invoked from a Web
browser.
If Memory utilization is greater than Enable or disable event generators.
Before you configure a Database -- Compact probe or Database -- Design probe, make sure that you are
familiar with the Compact task and with updating database designs.
When configuring the Database -- Error Monitoring probe, use the Errors to ignore field to specify errors
that the probe should ignore. This probe provides visibility to unusual NSF and NIF errors on local
servers. When this probe is enabled, and an error is encountered, the error code is checked against an
″Errors to ignore″ list. If the error code is on the list, no further action is taken. If the error is not on the
list, a DDM event is generated. The event identifies the operation that failed, the issuing server, the
database name, and the specific error code. DDM automatically appends information that pertains to the
error code, such as the probable cause and corrective action, if any.
This table contains the names and descriptions of the Database probes that you can define. For
information about configuring the Database probes, see the topic Creating Database probes.
Field Action
Probe Subtype Choose one:
v Error Monitoring
v Scheduled Checks
Probe Description Enter a short description of the probe.
Which server(s) should run this probe? Choose one:
v All servers in the domain -- Runs the probe on all
servers in the domain.
v Special target servers -- Specify the type of servers to
run the probe, such as POP3 servers or the
administration server for the Domino Directory.
v Only the following servers -- Specify the servers on
which the Database probe will run.
7. If you are creating a Database -- Scheduled Checks probe, complete these fields on the Schedule tab.
(For all other probes, continue with Step 8.)
Field Action
How often should this probe run? Choose one:
v Run multiple times per day -- The probe runs more
than once each day. Causes the ″Defined schedule″
field to display.
v Daily -- The probe runs once each day. Use the field
″On which days should this probe run″ to specify the
days on which the probe is run.
v Weekly -- The probe runs once each week. Use the
field ″On which day of the week should this probe
run?″ to specify the day on which the probe is run.
v Monthly -- The probe runs once each month. Use the
″On which day of the month should this probe run″
field to specify when the probe should run.
Defined schedule Specify the number of minutes that should pass between
each run of the probe.
Should this probe run twenty-four hours per day, seven Choose one:
days per week? v Yes -- The probe runs continuously.
v No -- The probe runs according to a schedule that you
define.
On which days should this probe run? Choose the days on which the probe runs.
On which day of the week should this probe run? Choose the day on which the probe runs.
During which hours of the day should this probe run? Specify the probe starting time in the From field, and the
probe ending time in the To field.
Directory Probes
A directory probe monitors whether LDAP is configured and running correctly on Domino servers and
reports on the use and overall health of the domain’s directories.
The Directory -- Directory Availability probe monitors the primary Domino Directory, remote primary
Domino Directory (configuration-only databases), local server-based condensed directory catalogs,
cascaded local directories, secondary Notes directories, and secondary LDAP directories.
The algorithm used in the Directory -- LDAP View Update Algorithm probe can be temporarily
overridden by the LDAPBatchAdds NOTES.INI setting.
This table contains the names and descriptions of the Directory probes that you can define. For
information about configuring the Directory probes, see the topic Creating Directory probes.
Field Action
Probe Subtype Choose one:
v Directory Availability
v Directory Catalog Aggregation Schedule
v Directory Catalog Creation
v Directory Indexer Process State
v LDAP Process State
v LDAP Search Response
v LDAP TCP Port Health
v LDAP View Update Algorithm
v NAMELookup Search Response
v Secondary LDAP Search Response
Probe Description Type a short description of the probe.
Severity Choose the severity that will generate an event.
Which server(s) should run this probe? Choose one:
v All servers in the domain -- Runs the probe on all
servers in the domain.
v Special target servers -- Specify the type of servers to
run the probe, such as POP3 servers or the
administration server for the Domino Directory.
v Only the following servers -- Specify the servers on
which the Directory probe will run.
Which server(s) should be probed? Choose one:
v All servers in the domain -- Probes all servers in the
domain.
v Only the following servers: -- Probes the servers that
you specify.
8. Complete the following fields on the Schedule tab for Directory Availability, Directory Catalog
Aggregation Schedule, Directory Indexer Process State, LDAP Process State, and LDAP TCP Port
Health probe subtypes.
Field Action
How often should this probe run? Choose one:
v Run multiple times per day -- After you choose this
option, complete the ″Defined schedule″ field.
v Daily -- After you choose this option, complete the
″On which days should this probe run″ field.
v Weekly -- After you choose this option, complete the
″On which day of the week should this probe run″
field.
v Monthly -- After you choose this option, complete the
″On which day of the month should this probe run″
field.
Defined schedule Specify the number of minutes between each run of the
probe.
Messaging probes
The messaging probes collect data about messaging configuration, the messaging infrastructure, and
message routing.
This table contains the names and descriptions of the Messaging probes that you can define. For
information about configuring the Messaging probes, see the topic Creating Messaging probes.
Note: When the Messaging -- Mail Flow Statistic Check probe is running, if the MAIL.BOX file contains
an excessive number of mail messages, the performance of the mail router is impacted. A ″slack
percentage″ is created. The slack percentage is the number of messages by which the router can fall
behind in processing before a fatal event is generated.
1. From the Domino Administrator, click the Files tab.
2. Open the Monitoring Configuration database (EVENTS4.NSF).
3. Choose DDM Configuration.
4. Choose any DDM probe view, and then click New DDM Probe.
5. Choose Messaging.
6. Complete these fields and then click Save and Close. The actual fields and tabs that are available to be
completed depends on the probe that you choose.
Field Action
Probe Subtype Choose one:
v SMTP TCP Port Health
v Message Retrieval TCP Port Health
v Router Process State
v SMTP Process State
v Message Retrieval Process State
v NRPC Routing Status
v Transfer Queue Check
v Mail Flow Statistic Check
v Mail Reflector
v Mail DSN
Probe Description Type a short description of the probe.
Severity Choose the severity level of the events that will be
generated by the probe.
Note: This field does not apply to the Mail Flow Statistic
Check probe subtype.
Which server(s) should run this probe? Choose one:
v All servers in the domain -- Runs the probe on all
servers in the domain.
v Special target servers -- Specify the type of servers to
run the probe, such as POP3 servers or the
administration server for the Domino Directory.
v Only the following servers -- Specify the servers on
which the Messaging probe will run.
Database(s) to attempt to open? Specify the names of the databases that the probe tries to
open.
Field Action
How often should this probe run? Choose one:
v Run multiple times per day -- The probe runs more
than once each day. Causes the ″Defined schedule″
field to display.
v Daily -- The probe runs once each day. Use the ″On
which days should this probe run″ field to specify the
days on which the probe is run.
v Weekly -- The probe runs once each week. Use the
″On which day of the week should this probe run?″
field to specify the day on which the probe is run.
v Monthly -- The probe runs once each month. Use the
″On which day of the month should this probe run″
field to specify when the probe should run.
Defined schedule Specify the number of minutes or seconds between each
run of the probe.
Should this probe run twenty-four hours per day, seven Choose one:
days per week? v Yes -- The probe runs continuously.
v No -- The probe runs according to a schedule that you
specify. Complete the ″On which days should this
probe run″ field.
On which days should this probe run? Choose the days on which to run the probe.
On which day of the week should this probe run? Choose the day of the week on which to run the probe.
On which day of the month should this probe run? Enter the day of the month on which to run the probe.
For example, enter 15 to run the probe on the 15th day
of the month.
During which hours of the day should this probe run? Specify the start time in the From field, and the end time
in the To field.
At what time should this probe run? Choose the time that you want the probe to run.
How should missed probes be handled? Choose one:
v Ignore missed probe -- The missed probe is not run or
rescheduled.
v Run missed probe at startup -- The next time that the
server starts, the missed probe runs.
v Run missed probe at next time range -- The missed
probe reschedules itself once. For example, if a probe
scheduled to run every Tuesday at 5:00 AM fails to
run, the probe reschedules itself to run on Wednesday
at 5:00 AM. After that, the probe returns to its regular
schedule.
This table contains the names and descriptions of the Operating System probes that you can define. For
information about configuring the Operating System probes, see the topic Creating Operating System
probes.
Field Action
Probe Subtype Choose one:
v CPU
v Disk
v Memory
v Network
Probe Description Type a short description of the probe.
Which server(s) should run this probe Choose one:
v All servers in the domain -- Runs the probe on all
servers in the domain.
v Special target servers -- Specify the type of servers to
run the probe, such as POP3 servers or the
administration server for the Domino Directory.
v Only the following servers -- Specify the servers on
which the Operating System probe will run.
Which operating systems should be monitored? Choose one or more operating systems to be monitored by
the CPU probe subtype. For each operating system that
you choose, provide this information:
v The processor utilization percent information and the
severity level detail on the corresponding tab.
v For AIX and Solaris, also complete the processor queue
length fields.
Replication probes
The replication probe checks server replication. To configure the replication probe, specify the target
servers to be probed. Target servers are those servers that replicate with the probe server. For example, if
Use the Replication - Replication Check probe to filter out replication of databases that do not require
replication, and to closely monitor replication of those databases that require frequent replication. Critical
system databases, such as NAMES.NSF, EVENTS4.NSF, and ADMIN4.NSF which are used across servers
and that are required to be up-to-date, can be monitored more often than less-important databases. You
can also define a lower tolerance for conditions that create events on system-critical databases than you
would define for conditions that create events on non-critical databases.
Replication on selected servers and databases is monitored according to the schedule specified in the
Probe document.
When you run the Replication -- Errors probe, replication occurs as it typically would, but events are
reported to DDM. This probe may also report some conditions that are not errors, but that are not desired
behavior. For example, this probe may report Replication Note Errors when the replication is successful
but some notes are not replicated. If the destination database does not have the source database in its
ACL, and there have been changes to the source database, the notes in the source database which are
new or updated are not replicated to the destination server because of the ACL. The replication probe
will report this and include a document link to the notes that did not replicate. The Replication -- Errors
probe may also report replication conflicts in DDM and include a document link to the conflict
document. This is not a true error condition for replication but it may not be desired behavior; therefore,
it is reported.
The Replication -- Replication Check probe takes null replication into consideration. Null replication
occurs when a database is up-to-date and no replication is required, but the replication is attempted. Null
replication is not reported in the DDM database. Previously, Domino had similar functionality but it took
into account only those replications which resulted in the replication history being updated (only
successful replications and databases which were not up-to-date). In DDM, the replication check probe
takes into account a replication attempt where the files are up-to-date. Including up-to-date replications
removes many of the false reports indicating that replication on a database has not occurred.
Note: In hub-and-spoke topologies, replication is typically one-way only. Do not monitor replication in a
direction in which replication is disabled.
This table contains the names and descriptions of the Replication probes that you can define. For
information about configuring the Replication probes, see the topic Creating Replication probes.
Security probes
Create a security probe to assess the overall security of servers and databases in a domain. When a
security probe finds a problematic database or server configuration, it generates an event. Do not set the
severity levels for the Security -- Configuration probe; severity is assigned during runtime. The severity
level is calculated during runtime based on the number of potential problems found. Severity level is a
percentage-based score that is calculated for each Server document and Server Configuration document
that is probed. The percentage breakdown and matching severity level is as follows:
The Best Practices probe reports on the first 25 Person documents that do not comply with the probe
configuration settings. You can use the NOTES.INI setting
DDM_SECPROBE_PERSONDOC_LIMIT=<NumberOfPersonDocsReported> to report on a maximum of
250 Person documents, or you can set it to report on less than the default 25 Person documents. The
minimum setting is 0 (zero), in which case, no Person documents are reported but a summary report is
generated indicating the number of Person documents that do not comply with the probe specification.
The probe stops reporting at 25, or at a number of Person documents that you specify, but the probe
continues to review the remaining Person documents.
This table contains the names and descriptions of the Security probes that you can define. For
information about configuring the Security probes, see the topic Creating Security probes.
Field Action
Probe Subtype Choose one:
v Best Practices
v Configuration
v Database ACL
v Database Review
v Review
Probe Description Type a description of the new probe.
Field Action
Which server should run this probe? Specify the server that will run this probe.
Field Action
Which server should be used as the guideline server? Specify the name of the server to use as the ″good″
server against which other Server documents are
verified.
Which server settings should be compared to the Choose the settings you want to compare to those in the
guideline server settings?. Server document for the server being probed. Check as
many settings as apply.
Generate an event when any of the entries listed have Complete this field for as many access levels as
access greater than ″access level.″ necessary. Specify the people, groups, and servers that
apply to each specific access level.
Which server settings should be validated? Specify the individual server settings to validate against
a set of ″good″ settings.
Review all ACL members whose privileges are equal to Specify the ACL privilege level from which the probe
or greater than should begin checking ACL member privileges.
Beginning with the ACL privilege you select, all member
privileges at that level and above are reviewed by the
security probe.
Review the following database properties Specify the database properties to be reviewed by the
security probe.
Review agents defined as Specify one or both of these agents to be reviewed by the
security probe:
v Restricted
v Unrestricted
Field Action
How often should this probe run? Choose one:
v Run multiple times per day -- The probe runs more
than once each day. Causes the ″Defined schedule″
field to display.
v Daily -- The probe runs once each day. Use the ″On
which days should this probe run″ field to specify the
days on which the probe is run.
v Weekly -- The probe runs once each week. Use the
″On which day of the week should this probe run?″
field to specify the day on which the probe is run.
v Monthly -- The probe runs once each month. Use the
″On which day of the month should this probe run″
field to specify when the probe should run.
Defined schedule Specify the number of minutes between each run of the
probe.
Should this probe run twenty-four hours per day, seven Choose one:
days per week? v Yes -- Run the probe continuously.
v No -- The probe runs on the days and at the times that
you specify. After you choose this option, complete the
″On which days should this probe run″ field.
On which days should this probe run? Choose the days on which to run the probe.
On which day of the week should this probe run? Specify the day of the week on which to run this probe.
On which day of the month should this probe run? Enter the day of the month on which to run this probe.
For example, enter 15 to run the probe on the 15th day
of the month.
During which hours of the day should this probe run? Specify the start time in the From field, and the end time
in the To field. The probe will run during those hours.
At what time should this probe run Specify the time that you want the probe to run.
How should missed probes be handled? Choose one:
v Ignore missed probe -- The missed probe is not run or
rescheduled.
v Run missed probe at startup -- The next time that the
server starts, the missed probe runs.
v Run missed probe at next time range -- The missed
probe reschedules itself once. For example, if a probe
scheduled to run every Tuesday at 5:00 AM fails to
run, the probe reschedules itself to run on Wednesday
at 5:00 AM. After that, the probe returns to its regular
schedule.
After you select administration requests in the Probe document, run the administration request as you
would any administration request.
For more information about running administration requests, see the topic Forcing an administration
process request to run.
This table contains the names and descriptions of the Server probes that you can define. For information
about configuring the Server probes, see the topic Creating Server probes.
Field Action
Probe Subtype Choose Administration
Probe Description Type a description of the new probe.
Which servers should run this probe? Choose one:
v All servers in the domain -- Runs the probe on all
servers in the domain.
v Special target servers -- Specify the type of servers to
run the probe, such as POP3 servers or the
administration server for the Domino Directory.
v Only the following servers -- Specify the servers on
which the Server probe will run.
7. From the list provided, choose the administration requests that are to be reported in DDM when the
request fails to run on the servers you selected.
Web probes
There are two Web probes, the Web -- Configuration probe and the Web -- Best Practices probe. Both
probes provide results in the form of a Domino Event document in the DDM database. Use this
document to verify the accuracy of the Web server configuration and to compare other servers’
configurations against that of a known good server.
The Web -- Configuration probe provides feedback related to the Web settings associated with a Web
server or list of Web servers. This feedback is based on the most recent Web profile as specified in the
Probe document. The probe reviews Web server configuration values on specified servers against a set of
predefined values. If the values differ, the probe attempts to make a recommendation by suggesting
The Web -- Best Practices probe monitors HTTP-specific fields in the domain that are compared to a
recommended value. The HTTP specific fields are in the Server document, the Internet Site document (if
one exists), and the Web Server Configuration document (if one exists). A detail document is generated
outlining the fields that do not match the recommended value, and providing information on how to
resolve any issues. For example, suggestions for improving a server’s configuration could include
corrections to server functionality, server performance, or server security. The Web probes help you
improve overall security and Web server performance.
The severity of an event generated by the Web probes is determined using a percentage formula; you
cannot determine the severity of a Web probe event. A Web probe severity score is calculated during
runtime based on the number of potential problems that are found. The Web probe severity percentage
score is calculated for each event that is logged to DDM. This table shows the detail.
This table contains the names and descriptions of the Web probes that you can define. For information
about configuring the Web probes, see the topic Creating Web probes.
Field Action
Probe Subtype Choose one:
v Best Practices
v Configuration
Note: To enable or disable a probe from the New Probe document, click Enable Probe or Disable Probe.
Setting TEC information: In this procedure you enter the TEC server IP address and port number.
Obtain that information from the TEC server administrator.
1. From the Domino Administrator, click Configuration.
2. Choose Server - Configurations.
3. Select the Server Configuration document you are modifying and click Edit Configuration.
4. On the Basics tab - Tivoli Enterprise Console Settings section, click Enable logging to Tivoli Enterprise
Console.
5. Enter the IP Address of the TEC server.
6. Enter the port number to listen to. The default is 5529.
7. Click Save and Close.
Installing the DDM OS probe definitions on the TEC server: When you install Domino 7, five text
files with a .baroc file name extension are installed in the rmeval subdirectory of the Domino data
directory.
For more information about installing and loading BAROC files, see the Tivoli Enterprise Console (TEC)
documentation.
You use the Monitoring Configuration database (EVENTS4.NSF) to create and manage the DDM server
collection hierarchy. The first time that you click the DDM server collection hierarchy view in the
Monitoring Configuration database, a message indicates that no server collection hierarchies exist. You
can create a server collection hierarchy, or you can exit the view. To create a DDM server collection
hierarchy, specify one or more collection servers. A collection server collects the probe results that are
generated when probes are run against monitored databases and servers. To use a DDM server collection
hierarchy, you must specify at least one collection server that collects from other servers.
There are many ways to design a DDM server collection hierarchy. For example, you can set it up to
represent an existing Domino server topology, for example, hub and spoke servers. Or, you can set it up
to ensure that the administrator receives only information that is pertinent to the servers he or she
maintains.
Data roll-up
Each Domino 7 server writes its probe results to a local replica of the DDM database. Each collection
server’s DDM database contains that server’s probe results, and the probe results from every server from
which it collects data.
The DDM collection hierarchy provides the DDM reporting rollup capability, allowing you to open DDM
on a collection server and see all events for that server and its subordinate servers. Without the DDM
collection hierarchy, you must open DDM.NSF on each server on which DDM is running to see events for
that server.
DDM data roll-up propagates the probe results up the DDM server collection hierarchy. Data roll-up is
accomplished using Domino’s selective replication to transport the data. The replication formulas are
created automatically when you define your DDM server collection hierarchy. Each selective replication
formula is specific to each server in the Domino Domain Monitor replica. When fully populated, the
selective replication formula references the collection server and all of its monitored servers. The selective
replication formula filters out all documents from servers that are not members of the collecting server’s
hierarchy.
The collected probe results in the DDM database are replicated when one of these occurs:
v A collection server is notified about the change in an event state -- When a collection server receives
notification that one of its monitored servers has an event state change, the collection server replicates
the monitored server’s DDM database. When a replication triggered by an event state change is
complete and the collection server is a monitored by another collection server, it notifies its collection
server of the state change. The state change is then replicated up the server collection hierarchy.
v The collection interval time has been exceeded -- The periodic collection interval is five minutes and is
not modifiable. Collection servers monitor replication for each server being monitored. Every five
minutes, each collection server uses Pull replication to obtain updates from the DDM database on each
of their monitored servers.
You must create a DDM server collection hierarchy to initiate data roll-up.
CAUTION:
Review which servers are included in the server collection hierarchy prior to retiring a server from the
domain. If you plan to retire a server, remove it from the hierarchy, and then retire the server. Failure
to remove the server causes problems with data roll-up after the server is retired.
In this example, three collection servers collect from six non-collection servers running DDM.
v Collection Server 2 (CS2) collects and reports information about itself and non-collection servers S1 and
S2.
v CS3 collects and reports information about itself and non-collection servers S4, S5 and S6.
v CS1 collects and reports information about every server shown, since it collects and reports information
from CS2 (and its servers S1 and S2), CS3 (and its servers S4, S5 and S6) and the non-collection server
S3.
The information reported exists in the DDM.NSF database on each server that is running DDM probes or
collecting DDM information or both, and that contains information about the server it is on and the
servers below it in the collection hierarchy. For example, DDM.NSF on CS2 would contain information
about itself and servers S1 and S2. To view just the information for CS2 and the servers from which it is
collecting, open DDM.NSF on the CS2 server. In this example, opening DDM.NSF on CS1 would reveal
DDM event information about this entire domain.
If you choose to define your own server collection hierarchy, you can specify the subordinate servers
from which the collecting server collects DDM probe results.
For more information about adding subordinate servers to server collection hierarchy, see the topic
Adding subordinate servers to the DDM server collection hierarchy.
Field Action
How would you like to configure the server collection Choose one:
hierarchy? v One server will collect from all servers in the domain --
The server collection hierarchy will have only one
collection server that you specify.
v Define the hierarchy -- The server collection hierarchy
will consist of as many collection and monitoring servers
as you specify.
Choose the collecting server Choose a collecting server from the list.
Enter a short description to identify the hierarchy (i.e., Enter a description of the hierarchy. This description is
Mail Servers) used to identify the hierarchy you are creating.
Note: If the Domino Directory template design is not Domino 7, a message appears stating that you are
not running the correct template design and the server list may include servers that do not support
DDM.
1. From the Domino Administrator, click Files.
2. Select and then open the Monitoring Configuration database.
3. Choose Server Collection Hierarchy.
4. Select the server collection hierarchy for which you want to choose a different collection server.
5. Click Change Collection Server.
6. Select a new collection server from the list. The server list only includes Domino 7 servers, because
Domino 7 supports DDM.
7. Choose File - Close to exit.
Note: If you select a server collection hierarchy and that hierarchy is displayed, you cannot delete the
selected server collection hierarchy unless it is the only server collection hierarchy in the domain.
1. From the Domino Administrator, click Files.
2. Select and then open the Monitoring Configuration database (EVENTS4.NSF).
3. Choose Server Collection Hierarchy.
4. Click Delete Server Collection Hierarchy, and then select one or more hierarchies to delete.
5. Click OK.
Use this procedure to remove one or more servers from a server collection hierarchy.
1. From the Domino Administrator, click Files.
2. Select and then open the Monitoring Configuration database (EVENTS4.NSF).
3. Choose Server Collection Hierarchy. Verify that the selected hierarchy is the one with which you want
to work. If it is not the correct server collection hierarchy, choose another.
4. Click the name of the server that you want to remove from the server collection hierarchy. Depending
on the selected server’s place in the hierarchy, one or both of these options are available. Choose one:
v Remove subordinate servers from <Server Name.>
v Remove <Server Name> from the server collection hierarchy.
5. Click OK.
Use the Domino Domain Monitor database to view DDM events, review probable causes and possible
solutions for reported DDM events, assign DDM events to an administrator for resolution, and to open a
link to the appropriate database from which you can resolve a reported event. DDM contains two classes
of event information, enhanced events and simple events. Enhanced events include events generated by a
DDM Probe configuration document, events generated by a Domino event generator, or any other event
with specific target information appearing in the DDM event report. A target can be a server, a database,
From the Domino Domain Monitor database, you can select an event and view detailed information
about an event. Then you can use the Probable cause and possible solution tab to view information about
the cause of the event, and, in some cases, use a database link to access the appropriate database from
which you can resolve the event. Some DDM Event documents include a Details tab that displays
additional details about the event and a Correlation tab that contains links to other DDM Event
documents that may be related to the open DDM Event document.
The first time that a Domino 7 server starts, the Domino Domain Monitor database (DDM.NSF) is created
from the DDM.NTF template. This database contains DDM event information for the server on which it
resides. If the server is a collection server, the database also contains information from the servers from
which it collects data. Each time a problem is detected, a DDM event is generated -- based on the probe
type, probe subtype, and severity that you specify in the DDM Probe document when you create or
modify a probe.
For information about event generators, see the topic Event generators.
Note: Recent events consist of all Open events and all Closed events that had a status of Open during
the previous 7 days.
Event messages often, include two statements -- a problem statement followed by a reason statement. For
example,:
Unable to replicate with server server name: Server not responding.
The problem statement is the first statement and the reason statement is the second statement. (In this
example, the two statements are separated by a colon, but messages comprised of one statement can also
have colons.) Each statement has its own type and severity. ″Unable to replicate with server server name″
has the message type and the severity of Replication/Failure, and ″Server not responding″ has the
message type and severity of Resource/Failure. Messages that are comprised of two statements generate
two events. There is no definitive way to determine whether a message is comprised of one statement or
of two, but when a message statement follows the pattern of problem statement followed by a reason
statement, two events are usually generated.
To view an event message that was generated by a pre-Domino 7 event generator, open the Monitoring
Configuration database (EVENTS4.NSF), and then open the view Advanced -- Message by Text to view
how that event message is categorized in DDM. The information on the Basics panel shows the name of
the new Event Type and the Old Event Type. In Domino 7 in DDM, there are 9 event types and in
pre-Domino 7, there are 22 event types. You use the information on the Basics panel to see how the old
event types are incorporated into the new event types. For example, this event message has Server as the
Event Type and Mail as the Old Event Type
Compacting <database name>
Every time that a probe runs, event documents are updated. If the severity of an event changes, the
event’s state automatically changes accordingly. The event state is determined by the event severity.
Events with a severity of normal are closed; events with a severity of non-normal are open. An event’s
state can automatically change many times between Open and Closed. Permanently Closed events are
never automatically opened or pended. When you assign an event state of Permanently Closed to an
event, that state is maintained as a fixed state unless you manually change the state back to Open or
Closed. Permanently Closed is a stable category for resolved problems, obsolete problems, or problems
that you simply want to ignore.
After you review or assign an event, you can manually assign it a state of Open, Closed, or Permanently
Closed.
Note: To change an event’s state, you must have a minimum of Author access with the role Change State
in the ACL for DDM.NSF. The Change State button does not display if you do not have the required
access.
The Document Change History section of the Event documents records details about assignment and
state changes so that you can determine what has changed, when the change occurred, and who initiated
the change.
Note: To assign or reassign an event to an administrator, you must have a minimum of Author access
with the role Assign Events in the ACL for DDM.NSF. If you lack the required access, the Assign Events
and Reassign Events buttons do not display.
You can look at the Event Change History section of the Event documents to see previous event change
activity.
When you finish assigning events to administrators, you can verify that you have assigned all events
correctly by opening the By Assignment view. You can also look at the entries in the Event Change
History section of an Event document to see assignment activity. Every Event document also displays the
event state and assignment at the top of the document.
Note: To assign an event to an administrator, or to reassign events that are owned by another
administrator, you must have a minimum of Editor access with the role Assign Events in the ACL for
DDM.NSF. To assign one of your own events to another administrator, you must have Author access with
the role Assign Events. The Assign Events button does not display if you do not have the required access.
Author access is required to add comments to your own events; Editor access is required to add
comments to another administrator’s events.
You can look at the Event Change History section of the Event documents to see previous event state
change activity.
Note: To change an event state for one of your own events, you must have a minimum of Author access
with the role Change State in the ACL for DDM.NSF. To change the state of any event documents,
regardless of owner, you must have Editor access with the Change State role in the database ACL. Author
access is required to add comments to your own events; Editor access is required to add comments to
events owned by another administrator.
1. From the Domino Administrator, click the Files tab.
2. Open the Domino Domain Monitor database (DDM.NSF).
3. Select the event whose state you are changing. You can open the event but it is not necessary that you
do so.
4. Click Change State and then choose the new state. Enter comments as necessary. Comments are
added to the Document Change History section of the Event document.
5. Click OK.
To adjust the individual probe configurations to limit which severity levels are reported in the DDM
database, open the Probe document for a particular probe and adjust the settings on the Specifics tab of
the Probe document.
Event documents in the DDM database are correlated, that is, grouped into similar categories whenever
possible. You can view correlated events by clicking the Correlated Events tab in the Probe document for
any event that is correlated. Those events that do not have related events are not correlated and the
Correlated Events tab does not display.
Events are correlated across servers by opening the DDM database on the collection servers, and then
correlating the events.
Note: You must have Author access with the role Assign Events in the ACL for DDM.NSF to assign your
own events to another administrator. You must have Editor access with the role Assign Events to reassign
any event documents, regardless of the event’s owner. The Reassign Events button does not display if
Resolving an event
When you open an Event document in the Domino Domain Monitor database, you can review the
Probable Cause and Possible Solution statements. In many cases, there is a Choose Solution button that
you can use to automatically implement a particular solution to resolve an event. When you click Choose
Solution, and there are multiple possible solutions that can be automated, a list of automated solutions
appears. This list may contain all possible solutions or it may contain a subset of possible solutions --
only those that can be automated. It is important to consider all possible solutions, whether automated or
not automated.
If only one automated solution is available, when you click Choose Solution, that solution is
implemented.
1. From the Domino Administrator, click Files.
2. Open the Domino Domain Monitor database (DDM.NSF).
3. Choose the view that you want to open.
4. Open the Event document for the event that you want to resolve.
5. Review the Probable Cause and Possible Solution statements, and then click Choose Solution.
6. Select the automated solution that you want to implement, and then click OK.
The automated solution is initiated. For example, if a database does not have a full-text index, a
full-text index may be created. Or, if a change needs to made to a Server document, that Server
document is opened and you can make the necessary change.
How resolved problems are handled: Probes decide when their DDM events should be cleared, and for
the most part clear them individually.
Use the Domino Domain Monitor to view, resolve and close current problems. You also have the option
of viewing recent events. Use the Recent Events tab to view detailed information including fields that
indicate the event’s worst status in the past 24 hours, week, and month. These views are updated daily as
needed.
If the field IBM Lotus Sametime Server on the Location document - Server tab, contains a Sametime
server name, the option Show Admin List is visible in the DDM user interface. If the IBM Lotus
Sametime Server field is blank, the Show Administrators feature is not operational. The list of
1252 Lotus Domino Administrator 7 Help
administrator names that displays is derived from the fields ″Full Access Administrators″ and
″Administrators″ on the Security tab of the Server document.
Note: If the fields ″Full Access Administrators″ and ″Administrators″ on the Security tab of the Server
document are updated, the Sametime list in the DDM user interface is not automatically updated. To
refresh the list, restart the Event task on the Domino server.
To hide the list of administrator with whom you can initiate a chat, when the list is expanded, click Hide
Administrators.
The IBM Lotus instant messaging pane in DDM.NSF on a collecting server contains an option allowing
you to specify which server’s list of administrators you want to access. On all other servers, that is,
non-collecting servers, the IBM Lotus instant messaging pane displays the Administrator list for that
server only. The collecting server contains the rolled-up data from other servers in the domain.
Note: If the Domino Directory design has not been upgraded to Domino 7, the servers that display when
creating or maintaining filters may include non-Domino 7 servers from the domain. Be careful to specify
Domino 7 (or more recent) servers when setting up or maintaining filters.
See these procedures for information on creating and managing DDM filters:
v Filtering DDM events
v Modifying a DDM filter
v Deleting a DDM filter
Use this procedure to create a filter, assign the filter to one or more servers and to specify event types,
event classes, and severity levels to log. You can apply the filter both to enhanced and simple events, or
only to simple events. When assigning a filter to a specific server, you can specify one server or you can
use a wild card character to designate all servers in a particular organization. For example, enter */Sales
to assign a filter to all servers in the Sales organization. New DDM filters are applied to new events that
are generated after the Filter document is saved.
1. From the Domino Administrator, click the Files tab.
2. Open the Monitoring Configuration database (EVENTS4.NSF).
3. Choose DDM Configuration - DDM Filters.
4. Click New DDM Filter.
Field Action
Description Type a description of the filter you are creating. The
description that you specify displays as a means of
identifying this filter from other filters on the list of DDM
filters in the Monitoring Configuration database. You can
enter a maximum of 125 characters for the filter
description.
Event Filter Choose one:
v Apply filter to enhanced and simple events -- Applies
the DDM filter to both enhanced events and simple
events.
v Only apply filter to simple events -- Applies the DDM
filter to simple events only.
Event types and severities to log Choose one:
v Log All Event Types -- Reports all event types to DDM.
If you choose this option, then specify the severities to
report.
v Log Selected Event Types -- Specify the event types that
are to be reported to DDM as well as the corresponding
severities for each event type.
Servers on which the filter will be applied Choose one:
v All servers in the domain -- Applies the new DDM
filter to all servers in the domain.
v Special target servers -- Specify the types of servers to
which the filter will be applied, such as POP3 servers or
the administration server for the Domino Directory.
v Only the following servers -- Choose this option to
specify by name, the servers to which the new DDM
filter will apply.
Transaction logging
Domino supports transaction logging for servers that run Domino 5 and later, and for databases that are
in a Domino 5 or later on-disk structure.
Transaction logging captures all the changes made to a database and writes them to a transaction log. The
logged transactions are then written to disk in a batch, either when resources are available or when
scheduled.
A transaction is a related series of changes made to a database on a server. For example, opening a new
document, adding text, and saving the document is one transaction. In this case, the transaction consists
of three separate implicit API calls: NotesOpen, NoteUpdate, and NoteClose.
A transaction log is a record of changes made to Notes databases. The transaction log consists of log
extents and the log control file (NLOGCTRL.LFH). A log extent is one of the log files into which the
transaction logs are written. It has the form Sxxxxxxx.TXN, where x character represents a seven-digit
number that is unique to that server. Domino fills each extent sequentially before writing data to a new
one. The records are secured using a proprietary byte-stream format. Each server has only one transaction
log that captures all the changes to databases that are enabled for transaction logging.
To use all the features of transaction logging for backups and backup recovery, you need a third-party
backup utility that uses the backup and recovery methods of the Domino C API Toolkit (Release 5 or
later). For example, in the case of a media recovery, a database backup is taken with the third-party
utility, while logging keeps track of updates to the database. When the database is then lost, the backup
is brought up to current state by going through the transaction log and applying any updates which have
happened to that databases since the database backup was taken.
Note that restart recovery does not require a third-party utility. In this case, logging goes on while
updates are happening. When the server crashes then restarts, any updates which would have otherwise
been lost are written to the database. This significantly reduces lost data and database corruption because
of server crashes, and reduces overall restart time since the consistency check of databases is not
required.
1255
Understanding the database instance ID (DBIID)
When you enable transaction logging, Domino assigns a unique database instance ID (DBIID) to each
Domino database. When Domino records a transaction in the log, it includes this DBIID. During recovery,
Domino uses the DBIID to match transactions to databases.
Some database maintenance activities, such as using the Compact command with options, cause Domino
to reconstruct the database in such a way that old transaction log records are no longer valid. When this
happens, a new DBIID is assigned to the database. From that point on, all new transactions recorded in
the log for that database use the new DBIID. After a database is assigned a new DBIID, take a new full
backup of the database. The new full backup captures the database in its current state with the new
DBIID. Then, if you have to restore the database, Domino needs only the new transactions that contain
the new DBIID.
The administrator enables transaction logging for all the databases on the servers. The administrator
chooses the Archived logging style so that there is plenty of room for the transaction logs; uses a
separate, mirrored device for safe and speedy storage of the transaction logs; and installs a backup utility
to recover from media failures and any resulting corrupted databases.
The administrator backs up the transaction logs daily. This procedure doesn’t take long because the
administrator is backing up only the changes, rather than doing a full backup of all the databases on the
server.
When the server crashes, it’s down, but not for long. As the administrator restarts the server, it replays all
the changes from the transaction logs to the databases. The server is soon back in business.
A few days later, there’s a media failure. The administrator restores the corrupted databases from the
most recent weekly backup and replays the changes.
The employees who use the databases do not notice any difference in how they do their work. They
might notice, however, that servers are up and running more often and that there is less down time.
What happens between the time when the transaction is posted to the log file and when the database is
updated on the disk? Databases are cached in memory while they are open. The writes to the database
happen to the in-memory copy of the database. They are then immediately sent to the transaction logs.
Later, the memory-cached version of the database is posted to disk, updating the databases. Since the
transaction log is sequential, there is no seek time, and only enough information is written to the logs to
redo (or undo if necessary) the operation. In many cases, this is less information than the database write
to disk.
With circular logging, Domino reuses a fixed amount of disk space (up to 4GB) for transaction logs. After
the disk space is used up, Domino starts overwriting old transactions, starting with the oldest. When the
space fills up, perform a backup on the databases. You may need to do daily backups to capture database
changes before they are overwritten, depending on the server activity level. Use circular logging if the
size of the log needed between full database backup intervals is less than 4GB.
Linear logging is like circular logging, except it allows more than 4GB. Use linear logging if the size of
the log needed between full database backup intervals is greater than 4GB, and you are not using archive
media.
Archived logging creates log files as needed. It simplifies backup and restoration, and provides online
and partial backups. The log files are not overwritten until you archive them. With archived logging, you
must have a backup utility to back up the filled log extents so that they are ready if needed. If you do
not have a backup utility, the server continues to create log extents, fills up the disk space, and then
panics.
Field Action
Transactional Logging* Choose one:
v Enabled -- To start transaction logging
v Disabled (default) -- To not use transaction logging
Log path* Enter the path name location of the transaction log.
For best results, use a separate mirrored device, such as a RAID (Redundant Array
of Independent Disks) level 0 or 1 device with a dedicated controller. This provides
better performance and data integrity than using the default path (\LOGDIR) in
the Domino data directory.
Note: If the device is used solely for storing the transaction log, set the ″Use all
available space on log device″ field to Yes.
Use all available space on log For circular and linear logging only. Choose one:
device v Yes -- To use all available space on the device for the transaction log. Choose Yes
if you use a separate device dedicated to storing the log.
v No -- To use the default or specified value in the ″Maximum log space″ field.
Maximum log space For circular and linear logging only. The maximum size, in MB, for the transaction
log. Default is 192MB. Maximum is 4096MB (4GB).
Note: When Domino is configured to run with DB2, a minimum log file size of 192
MB is required.
Allocate a separate disk with at least 1024MB (1GB) of disk space for the
transaction log.
Domino formats at least 3 and up to 64 log files, depending on the maximum log
space you allocate.
Automatic fixup of corrupt Choose one:
databases v Enabled (default) -- To run the Fixup task automatically if a database is
corrupted and Domino cannot use the transaction log to recover it. Domino
assigns a new DBIID and notifies the administrator that a new database backup
is required.
v Disabled -- To not run the Fixup task automatically. Domino notifies the
administrator to run the Fixup task with the -J parameter on corrupted logged
databases.
Runtime/Restart performance This field controls how often Domino records a recovery checkpoint in the
transaction log. This affects server performance as databases may be flushed from
the cache to disk.
Choose one:
v Standard (default and recommended) -- To record checkpoints regularly.
v Favor runtime -- To record fewer checkpoints. This option requires fewer system
resources and improves server run-time performance but causes more of the log
to be applied during restart.
v Favor restart recovery time -- To record more checkpoints. This option improves
restart recovery time because fewer transactions are required for recovery.
* If you change this field, you must restart the server so that the change takes effect..
** If you change this field, Domino assigns a new DBIID to each database. You must restart the server
and perform another full backup.
Field Issue
Transactional Logging Consider carefully before you disable transaction logging. If you do not use
transaction logging, you should back up your databases daily. You will also need
Fixup to recover from media failure. When you restart the server, Domino runs
restart recovery a final time to ensure that all databases are consistent. Then it
disables transaction logging.
Log path If you edit the log path, save this document, then you must stop the server and
use the operating system to move the existing log files to the new path.
Use all available space on log If you change only this field, you do not need to restart the server. As Domino
device logs the transactions, the changes take effect.
Logging style If you change the logging style, you must perform a full backup of all databases
because Domino assigns new DBIIDs to all the databases.
View logging
View logging provides a way to maintain consistent views in failure conditions and allows media
recovery to update those views. View logging is transaction logging support for Notes views and folders.
All updates to Notes views or folders are recorded in the transaction log for recovery purposes.
To enable view logging, you use Domino Designer. In Designer, open a view or folder, select the
Advanced tab, and check ″Logging - Include updates in transaction log.″
Note: If you enable view logging in a template, all databases created from that template and all
databases whose designs are replaced from that template have those views logged.
When you restart a server after a system failure, Domino automatically restores the affected databases.
For information on recovering after a media failure, see the documentation included with your backup
utility.
Domino records crash information in the data directory. When the server restarts, Domino checks to see if
it is restarting after a crash. If it is, an e-mail is sent automatically to the person or group in the ″Mail
Fault Notification to″ field. The e-mail contains the time of the crash, the server name, and, if available,
the FAULT_RECOVERY.ATT file, which includes additional failure information from an optional cleanup
script.
The fault-recovery system is initialized before the Domino Directory can be read. During this
initialization, fault-recovery settings are read from the NOTES.INI file, and then later read from the
Domino Directory and saved back to the NOTES.INI file. Any changes to the Domino Directory or the
NOTES.INI file become effective when the Domino server is restarted. To disable the reading of the
Domino Directory, and subsequent update to the NOTES.INI file, use the NOTES.INI setting
FaultRecoveryFromIni=1.
UNIX systems primarily use message queues. Therefore, it is important to configure the operating system
so that sufficient message queue resources are available. If you are using multiple Domino server
partitions, each partition requires a complete set of resources. Consult your operating system
documentation for additional details on configuring message queue parameters.
Field Action
Run This Script After Enter the entire script name, including any extensions.
Server Fault/Crash
Do not try to enable NSD from this field. You can enable NSD in the field ″Run NSD to
collect diagnostic information.″
Note: Directory separators (slashes) in the file name portion are converted for the
operating system, but slashes in optional arguments are not converted.
Run NSD To Collect Enable this field to activate NSD when there is a fault or crash.
Diagnostic Information
Cleanup Script/NSD Enter the number of seconds for the cleanup script to run. Default is 300 seconds (5
Maximum Execution minutes). Maximum is 1800 seconds.
Time
Maximum Fault Limits Enter the number of restarts allowed during a specified time limit -- for example, 3
crashes within 5 minutes. If the number of crashes exceeds the time limit, the server exits
without restarting.
Mail Fault Notification Enter a user or group name. When the server restarts, Domino checks if it is restarting
to after a crash and sends e-mail to the person or group.
A Fault Reports database is created by default during first server setup in the domain. Optionally, you
can set up additional Fault Reports databases -- for example, you may want to separate the data from
client and server crashes. You would then specify different Fault Reports databases on various Server
Configuration and Desktop Setting documents. However, it is not necessary that you do so.
For information about the automatic collection of data, see the topic ″Collecting diagnostic information
after a server or client crash″ in this chapter.
For information about using the desktop policy settings document when setting up automatic data
collection, see the chapter ″Using Policies.″
When you create a new Fault Reports database, the administration process generates an administration
process request that automatically creates the mail-in database document for you.
Note: The file name defaults to LNDFR.NSF. If you attempt to create another database with this
name, an error message is generated.
6. Enter the database title.
Fault Analyzer is a server add-in task that processes all new crashes as they are delivered to the
Automatic Data Collection mail-in database. For each new crash, the fault analyzer task searches the
database containing the Fault Report documents and determines whether the stack matches a crash that
has already been seen by a user or server at that customer site. The Automatic Data Collection database
lists all Fault Reports, as well as Response documents for any duplicate occurrences of the same crash
and indicates whether the duplicate occurrence is an exact match or a partial match of the original crash.
The duplicate occurrences response documents are the Exact Match Fault Report and the Partial Match
Fault Report documents. The Partial Match Fault Report document also includes a ″percentage match″
that indicates the percentage of the report that matches the original Fault Report for the crash.
Use the fields on the Diagnostics tab of the Server Configuration Settings document to specify whether
the Fault Analyzer task is enabled on a server. When fault analyzer is enabled, at server startup, Domino
reads the Server Configuration Settings documents and desktop policy documents in the local Domino
Directory. If any document has a Fault Reports database specified, Domino determines whether the
database resides on the local server and if so, Domino adds it to its list of databases to monitor. Every 10
seconds the process determines whether the data modified time of any of the its monitored databases has
changed and if so, fault analyzer scans for new unprocessed documents to try to match.
An occurrence count and unique ID count are updated in the parent Fault Report document for the crash.
The occurrence count is the total number of times a crash has occurred; the unique ID count is the
number of clients and servers on which that problem has been reported.
The Administrator section of the Fault Report document contains a Resolved field that you can use to
mark a crash as resolved for all versions of clients and servers reporting to the database, or resolved for
specific versions that you identify by release level, for example, Domino Notes 6.5.1 or by hot fix
numbers, for example, 652HF10.
When a fault is marked as resolved, all clients and servers that crashed with the same signature and that
are at a version level for a fault that is to be resolved are not be marked as a duplicate. Instead, the Fault
Report document is kept as a parent document. Resolved documents have a check mark displayed next
to them in the views.
For information on creating a new mail-in database, see the chapter ″Rolling Out Databases.″
The following files that were previously stored in the Domino data directory are now stored in the
diagnostics directory, IBM_TECHNICAL_SUPPORT, located beneath the Notes/Domino data directory:
v nsd output
v memcheck output
v core files
v memory dump files (created in the format memory_<platform>_<machine name>_<date>@<time>.dmp
instead of memory.dmp)
To prevent the diagnostic files from becoming quite large and using a significant amount of disk space,
you can specify the number of days that these files can be stored before they are deleted by the automatic
diagnostic collection tool.
When setting up automatic diagnostic collection for clients, you can designate whether this feature is
invisible to users or whether users should be prompted to designate whether they want to send a
diagnostic report to the mail-in database. If you designate that the user is not to be prompted, this feature
is transparent to the user. The process then runs in the background after the user restarts the client and
enters their password. If you designate that the user should be prompted to specify whether to report the
crash, the user can also designate whether to view the report before it is sent.
To write the status bar messages to an external file, use the NOTES.INI setting Debug_Outfile=<path to
file> with the NOTES.INI setting LOGSTATUSBAR=1. For example,
LOGSTATUSBAR=1
Debug_Outfile=c:\temp\StatusBarLogging.txt
Use the information that is written to the log file to assist you when troubleshooting problems.
For more information about the NOTES.INI variables used to enable logging of status bar messages, see
the topic NOTES.INI Settings.
For information on creating a desktop policy settings document, see the chapter ″Using Policies.″
Field Action
Mail-in Database for diagnostic reports Click in this field, and then select the mail-in database to
which you want the diagnostic report for server crashes
mailed. Click OK.
Maximum size of diagnostic message including Enter the maximum size of the entire message that
attachments (in MB) automatic diagnostic data collection will create, including
all attachments -- NSD, console output, user defined
files, and so forth.
Field Action
Run Fault Analyzer on Fault databases on this server Choose one:
v Yes -- Enables the Fault Analyzer task on this server.
v No -- Disables the Fault Analyzer task on this server.
Choose one:
v Yes -- Aattachments are removed from the response
document to save space in the database
v No -- Attachments are saved with the response
document.
Note: You can disable the NSD command by using the NOTES.INI setting
Disable_SaveNSDConfig=value.
Periodically review the size of the IBM_TECHNICAL_SUPPORT database to prevent it from using
excessive disk space. By default, Domino stores a maximum of ten of each file type. Use the NOTES.INI
setting MAX_CONFIG_FILES to change the number of files saved for each type of document .If you
reduce the number of files that can be stored, the appropriate number of each type of file is deleted. The
NOTES.INI setting is checked each time the server starts, or whenever there is a configuration change. To
modify only the number of NSD files saved in IBM_TECHNICAL_SUPPORT database, use the
To disable the automatic collection of data from the Domino server, use the NOTES.INI setting
DISABLE_SAVESERVERCONFIG.
To enable or disable only the collection of NSD information, use the NOTES.INI setting
DISABLE_SAVENSDCONFIG.
This table shows when NSD is enabled and when the NOTES.INI settings are honored:
If you are troubleshooting a system problem, you may want to record additional information in the log
file. The log file becomes large quickly when you set a higher logging level for purposes of analyzing a
system problem. For example, if you are troubleshooting a mail routing problem, you can set the logging
level to verbose. When you do, the log file will contain a large amount of information regarding that
activity. If you set a high logging level during troubleshooting, remember to reset the logging level after
you solve the problem.
For more information on NOTES.INI settings, see the appendix ″NOTES.INI File.″ For more information
on setting additional logging levels, see the topic ″Recording additional information in the log file,″ later
in this chapter.
1269
For more information on the Domino Web server log, see the topic ″Viewing the Domino Web server log
(DOMLOG.NSF)″ later in this chapter.
Tip: You can also view the search results from the Server - Analysis tab using the tool Analyze - View
Log Document. This tool gives you more details about the messages in the current log document and
allows you to sort the messages in several different ways. Doing this makes it easier find the information
you are looking for and to see patterns of server activity.
Some advanced queries can be made on Domino 6 or more recent servers only, and then only if the Event
task is running on them.
When you perform a log analysis, the search results display automatically and are also saved in the
Search Results view of the log file (log.nsf). They include the following types of information:
v Status of the event, displayed as an icon
v Type of event
v Severity of the event
v Time the event occurred
v A description of the event
Note: You can select more than one when specifying search criteria. For example, you can select more
than one event type, then you must select one of these options:
v The results must match one of the criteria -- select this option if the results must match the selected
criteria, such as event type, or event severity.
v The results can match one of the criteria -- select this option if results that do not match the
selected criteria can be included in the log search as well.
Start and End Time -- Select the times you want to search.
Select one:
v Use above time range in any time zone -- Use this setting when you do not need to
vary the search start and end parameters.
v Convert time range to server’s time zone -- Use this setting if you are searching the log
file for a server in a different time zone.
Any time -- Use this setting if you do not want to limit the log search by date or time.
Event Type Select the type of event for which you want to search.
Event Severity Select the type of severity for which you want to search.
Add-in Name Select the add-in name for which you want to search.
Add Add-in Name -- Enter the name of an add-in task if you do not find it on the list.
Error Code Click in the column to the left of a message to select the error message for which you
want to search.
Event Text Do any of the following to refine your text.
v Look for -- Choose one of these:
exact phrase
v Enter -- Enter the words or phrases for which you want to search.
v Must Contain the Words -- Enter the words that the log search must contain to be
successful.
v Must Not Contain the Words -- Enter the words or phrases that would make a search
result invalid.
Queries Select Existing Query -- Choose any predefined query.
Save query on exit -- Select this option if you want to save your query criteria.
Query Formula -- Displays the new or selected query for your verification.
4. When you click OK, the Log Analysis Results are displayed and a copy of the results is stored in the
Search Results view of the log file.
Tip: Search strings can be any length containing any type of character and the search is not case
sensitive.
Tip: You can also view the search results from the Server - Analysis tab using the tool Analyze - View
Search Results, which gives you additional sorting abilities when viewing the results.
The Results database is based on the LOGA4.NTF template. It shows the date and time of events, their
source (event or console message), and the text of messages. The view doesn’t display times for server
console messages.
If you are using a Lotus Domino Administrator 6 client to analyze a Domino 6 server log file, you can
still create a Results database and save the results to this database. To do so, open the document from the
Search Results view in LOG.NSF, then use the File - Save As menu to save it to the desired location.
The Domino Web server log (DOMLOG.NSF) logs all Domino Web server activity and tracks this
information about each HTTP request:
v Date and time the request was made
v User’s IP address (or the DNS address if DNS lookup is enabled in the Server document)
v User’s name (if the user supplied a name and password to access the server)
v Status code the server returns to the browser to indicate its success or failure in generating the request
v Length of the information, in bytes, sent from the server to the browser
v Type of data accessed by the user -- for example, text/html or image/gif
v HTTP request sent to the server from the browser
v Type of browser used to access the server
v Internal and Common Gateway Interface (CGI) program errors
v URL the user visited to gain access to a page on this site
v Server’s IP address or DNS name
v Amount of time, in milliseconds, to process the request
v Cookies sent from the browser
v Translated URL (the full path of the actual server resource, if available)
Field Enter
URLs URL paths to exclude -- for example, *.gif or /anydir/*
Methods HTTP methods -- for example POST or DELETE
MIME types MIME types to exclude -- for example, image (for all images) or image/gif (for
.gif images)
User agents Strings that are part of user agent (browser) strings to exclude requests from a
particular user agent.
v To exclude Microsoft Internet Explorer, enter MSIE*
Return codes HTTP response status codes to exclude -- for example, 300 or 400
Hosts and domains Browser client DNS names or IP addresses to exclude -- for example, 130.333.*
or *.edu
Note: To enter DNS names in this field, you must first enable the DNS Lookup
setting in the HTTP Server section of the Server document. Otherwise, you can
enter only IP addresses in this field. Enabling this setting will impact
performance.
6. Save the document and then restart the HTTP task so that the changes take effect.
Note: You can log to both text files and a database. These options are not mutually exclusive.
The most commonly used Access log format is Extended Common, which logs all Web server information
into a single text file.
Optionally, you can choose Common for the Access log file format; however, the Common format is an
older log file format and is available primarily for legacy information. If you choose the Common format
for your Access file, it contains a subset of the server request information, with the requesting agent and
referer information stored in separate Agent and Referer log files. It is difficult to match the entries in
these different log files because a referer is not always sent with every request, so the number of referer
entries may not match the number of requests.
Common
1. Client DNS name or IP address if DNS name is not available
2. Host header from request, or server IP address if Host header is not available
3. Remote user if available
4. Request time stamp
5. Http request line
6. Http response status code
Extended Common
1. Client DNS name or IP address if DNS name is not available
2. Host header from request, or server IP address if Host header is not available
3. Remote user if available
4. Request time stamp
5. Http request line
6. Http response status code
7. Request content length if available, otherwise shows ″-″
8. Referring URL if available, otherwise shows ″-″
9. User agent if available, otherwise shows ″-″
10. Amount of time, in milliseconds, to process the request
11. Value of the cookie header
12. Translated URL, (the full path of the actual server resource, if available)
Agent v User agent if available, otherwise shows ″-″
Referer v URL the user visited to gain access to a page on this site
Some information may increase the size of the log file without providing meaningful information --
requests for graphics or icons, for example, so you may want to exclude that type of information from the
log.
Field Enter
Access log format Choose one:
v Common -- To log information in three separate log files
v Extended Common -- To log information in one file
Note: Although you have the option of logging to three separate files, most
third-party log-analysis tools require a single text file.
Time format Choose one to record the time of requests:
v LocalTime (default) -- To use the time zone currently set on the server
v GMT-- To use Greenwich Mean Time
Log file duration Choose one to determine how often a new log file is created:
Note: The prefixes used in the file names are chosen in the Log File Names section of
the Server document.
v Daily (default) -- To create a new log file each day, starting at midnight. Daily log
files use the file naming convention:
Example: The access log file for May 29, 2001 is access-log29051998.log
v Weekly -- To create a new log file each week, starting on Sunday at midnight.
Weekly log files use the file naming convention:
Example: The access log for the week of May 24, 2001 is access-log__212001.log.
v Monthly -- To create a new log file each month, starting at midnight on the first
day of the month. Monthly log files use the file naming convention:
Field Enter
Directory for log files The directory to store the log files; if this field is blank, Domino stores the log files in
the data directory
Access log The prefix to use when creating the Access log file. The default is access. Do not enter
a file extension.
Agent log The prefix to use when creating the Agent log file. The default is agent.
Note: If you chose the Extended Common format, you will not have an agent log;
this information will be included in the access log.
7. (Optional) Under ″Exclude From Logging,″ complete these fields to exclude certain types of
information from the log file:
Field Action
URLs Enter URL paths to exclude -- for example, *.gif or /anydir/*
Methods Enter HTTP methods -- for example, POST or DELETE
MIME types Enter MIME types to exclude -- for example, image (for all images) or image/gif
(for .gif images)
User agents Enter strings that are part of user agent (browser) strings to exclude requests from
a particular user agent.
v To exclude Microsoft Internet Explorer, enter MSIE*
Return codes Enter HTTP response status codes to exclude -- for example, 300 or 400
Hosts and domains Enter browser client DNS names or IP addresses to exclude -- for example,
130.333.* or *.edu
Note: To enter DNS names, you must first enable the DNS Lookup setting in the
HTTP Server section of the Server document. Otherwise, you can enter only IP
addresses. Enabling this setting impacts performance.
Activity Logging
You use activity logging to collect information about the activity in your enterprise. You can use this
information to charge users for the amount they use your system, monitor usage, conduct resource
planning, and determine if clustering would improve the efficiency of your system.
Domino writes the activity logging information in the Domino log file (LOG.NSF). To create activity
logging reports, you write a Notes API program to access the information in the log file. You can also
view the activity logging information by using Activity Analysis.
In a hosted environment, enable activity logging on all of your ASP servers, that is, the servers used to
house and maintain your hosted organizations.
Note: Activity logging records in the log file are hidden. The records you can see in the log file do not
contain as much detail as activity logging records and are not updated as often as activity logging
records. You can view activity logging information by running Activity Analysis.
You use the Domino Administrator to specify which types of activity to log. This table describes the types
of activity you can log.
1279
Activity logging records
The records in the log file keep track of all activity generated. Domino creates different types of records
for each type of activity. For some types of activity, Domino creates multiple records during a session; for
other types of activity, Domino creates a single record.
Checkpoint records: For types of activity that could require long sessions to complete, Domino
generates an Open or Authorization record when a session begins. This record indicates that a session is
open and shows the time at which the session began. During the session, Domino generates Checkpoint
records, which log all activity that has occurred so far during the session. Checkpoint records ensure that
activity is logged even if a server stops functioning before a session ends. When a session ends, Domino
generates a Close record, which consolidates all the activity for the entire session.
Domino creates Checkpoint records for the following types of activity: IMAP, Notes session, Notes
database, Notes passthru, POP3, and SMTP. The Checkpoint records are cumulative; each one contains all
of the activity that was logged to that point during the open session.
By default, Domino creates a Checkpoint record the first time there is activity after a 15 minute waiting
period, and every 15 minutes when there is activity thereafter. This waiting period is called the
checkpoint interval. Domino generates a Checkpoint record the first time activity occurs after the
checkpoint interval has completed. For example, if several transactions occur during the first 10 minutes
of the checkpoint interval but no more activity occurs until minute 21, Domino generates the Checkpoint
record in minute 21. For each type of activity for which there is an open session, Domino creates only one
Checkpoint record per period, no matter how much activity occurs. To change the duration of the
checkpoint interval, you can change the ″Checkpoint interval″ setting on the Activity Logging tab of the
Configuration Settings document.
To determine how long to make the checkpoint interval, consider three factors: the need to record
information, the need to preserve storage space, and the need for quick performance. The longer you
make the checkpoint interval, the more activity data that could be lost if the server crashes before
Domino writes the Checkpoint records. The shorter you make the checkpoint interval, the more
Checkpoint records that could be created, requiring more storage space. In addition, if you set a short
checkpoint interval, system performance could be affected if there is a lot of activity.
Note: For types of activity that generate multiple activity logging records, the record type is indicated in
the EventType field in the record.
Domino does not generate activity logging records for agents that run on a Web server, for agents that
you run manually from a client, or for agents that are scheduled to run locally on a client.
For information about restricting who can run agents on a server, see the chapter ″Controlling Access to
Domino Servers.″
HTTP activity logging records include such information as the name of the Web server, the name of the
user accessing the Web server, the HTTP request, the URL the user clicked, the number of bytes returned
There are three types of activity logging records for IMAP sessions:
v Authorization records, which log when an authenticated IMAP session begins. Authorization is logged
after any of the following occur: a successful Login command; a successful Auth command; a
successful Greeting command, if the client is preauthorized.
v Checkpoint records, which log activity that occurs when an IMAP session has been open for a specified
length of time
v Close records, which consolidate IMAP information into a single record when an IMAP session ends
This table shows the types of LDAP requests and some of the information that Domino logs for each type
of request. Domino does not generate Checkpoint records for LDAP requests.
You can customize the LDAP service configuration to limit the amount of data collected in the Values
fields in Add and Modify records.
There are five types of activity logging records for mail activity:
For each mail message, at least two types of records are logged -- a Deposit record and at least one of the
other types of records, depending on the disposition of the attempted delivery.
Domino logs updates to messages in MAIL.BOX as new deposits. For example, if you change the address
on a message in MAIL.BOX so that it routes correctly, that message is logged as a new deposit.
If a message is split because the recipient list is too large, a separate record is generated for each copy of
the message. Each of these records contains the same MessageID and Originator.
There are three types of activity logging records for session activity:
This table contains a few examples of the types of activities that generate each type of session record.
There are five types of activity logging records for database activity:
v Open records, which log when a database opens
v Checkpoint records, which log activity that occurs when a database has been open for a specified
length of time
v Close records, which consolidate all log information for a database session into a single record when a
database closes
v CloseEnd records, which consolidate database information at the end of a Notes session (when the
client logs off of the server)
v MailDeposit records, which log when a mail message that does not contain an attachment is deposited
into MAIL.BOX. (Mail messages that contain attachments generate Open records, Close records, and
possibly Checkpoint records.)
This table contains a few examples of the types of activities that generate each type of database record.
* When Domino closes databases after determining that replication is not necessary, it generates a Close
record that contains 0 (zero) in the Duration field.
CloseEnd records log the total activity in a database during a Notes session. Each time a user opens and
closes a database during a session, Domino creates separate database Open and Close records. When the
user closes the Notes session, Domino generates a CloseEnd record for each database that was open
during the session. The CloseEnd record consolidates the total activity in the database during the entire
Notes session. Therefore, if you open and close a database several times during a Notes session, Domino
generates multiple Open and Close records for that database, but only one CloseEnd record.
There are three types of activity logging records for passthru connections:
v Open records, which log when a passthru connection begins
v Checkpoint records, which log activity that occurs when a passthru session has been open for a
specified length of time
v Close records, which consolidate information into a single record when a passthru session ends, such
as when a client logs off or disconnects from the passthru server
There are three types of activity logging records for POP3 activity:
v Authorization records, which log when a user is authenticated and a session begins
v Checkpoint records, which log activity that occurs when a POP3 session has been open for a specified
length of time
v Close records, which consolidate POP3 information into a single record when a POP3 session ends
When a client initiates replication with a server, Domino logs the activity as session activity, not as
replication activity. In addition, using the Cluster Replicator does not generate activity logging records for
replication.
There are three types of activity logging records for SMTP sessions:
v Open records, which log when an SMTP session begins
v Checkpoint records, which log activity that occurs when an SMTP session has been open for a specified
length of time
v Close records, which consolidate SMTP information into a single record when an SMTP session ends
Domino generates some of these records, such as Notes session Checkpoint records and Notes database
Checkpoint records, only if the activity occurs after the checkpoint interval has elapsed during the
session.
Limiting the amount of attribute information logged for LDAP Add and LDAP
Modify activity
Since it is possible for LDAP Add and LDAP Modify operations to add or modify many attribute values,
by default activity logging stops logging attribute information in a record when the amount logged
reaches 4096 bytes in that record. To specify a different amount of attribute information to log:
View Description
Agent For agent activity, shows the user, date, database, agent name, and run time
All Shows the activity type and timestamp of all activity logging records
HTTP For HTTP activity, shows the target server, user name, date, HTTP request, time of the request,
and the length of the content
IMAP For IMAP activity, shows the organization name, server name, user name, timestamp, bytes sent
and received, and the duration
LDAP Add For LDAP Add activity, shows the organization name, user name, timestamp, name of the
added object (entry), number of bytes received, and any error messages
LDAP All For all LDAP activity, shows the organization name, type of activity, user name, and the
timestamp
LDAP Delete For LDAP Delete activity, shows the organization name, user name, timestamp, name of the
deleted object (entry), number of entries deleted, and any error messages
LDAP Modify For LDAP Modify activity, shows the organization name, user name, timestamp, name of the
modified object (entry), number of bytes received, and any error messages
LDAP ModifyDN For LDAP ModifyDN activity, shows the organization name, user name, timestamp, name of the
modified object (entry), the new RDN, the new superior, and any error messages
LDAP Search For LDAP Search activity, shows the organization name, user name, timestamp, base object,
filter, bytes sent, and the search time
Mail Deposited For mail deposited into MAIL.BOX, shows the server name, who the message was from and to,
when the message was deposited, the message ID, and the action taken upon the message
(depositing the mail into MAIL.BOX)
Mail Processed For messages processed in MAIL.BOX, such as mail transferred to other servers and mail
delivered to users, shows the server name, who the message was from and to, when the
message was deposited, the message ID, and the action taken upon the message
Notes Database For Notes database activity, shows the organization name, server name, user name, database
name, timestamp, number of bytes sent and received, number of documents read and written,
and the total number of transactions
Notes Passthru For Notes passthru activity, shows the date, duration of the connection, and the number of bytes
sent and received by the client and by the target server
Note: In addition to containing the results of running activity analysis, the Log Analysis database may
contain the results of running log analysis, especially if you run log analysis using a version of Domino
earlier than Lotus Domino 6.
Database maintenance
To keep a specific database in good working order, perform these tasks regularly.
Task Frequency
Monitor replication, if a database replicates Daily
Check for and consolidate replication or save conflicts Daily, for large active databases; weekly for other
databases
Monitor database activity Weekly
Monitor database size Weekly
For information on monitoring database replication and database activity, see topics in this chapter. For
information on monitoring database size, see the chapter ″Improving Database Performance.″
In addition, if you’re a server administrator, perform the following tasks regularly to maintain all
databases on a server.
Task Frequency
Run the Updall task to update all views and full-text Daily. Occurs by default daily at 2 AM.
indexes
Run the Designer task to keep databases that inherit design Daily. Occurs by default daily at 1 AM.
from master templates in sync with the master templates
Run the Compact task Weekly or monthly with the -B argument and in
conjunction with a certified backup utility.
Monitor the database cache Occasionally
For information on running the Updall and Designer tasks, see the topic ″Synchronizing databases with
master templates″ later in this chapter For information on running the Compact task and monitoring the
database cache, see the chapter ″Improving Database Performance.″
1289
To display the Files tab
1. From the Domino Administrator, select a server in the Server pane on the left. To expand the pane,
click the Servers icon.
2. Click the Files tab.
The Files tab can display files only in the data folder and in any folders within the data folder.
Method Description
Replication history Records each successful replication session for a database. Useful for
determining at a glance if a replication is occurring.
Replication Events view of the log file Shows details about replication events between servers. Useful for
(LOG.NSF) determining the cause of replication failure and for verifying that the
expected number of replication updates occurred.
Replication monitor Notifies you when replication of a database hasn’t occurred within a
specified time period. A server administrator creates replication
monitors as a part of configuring the Event Monitor task.
Database Analysis tool Lets you collect replication history, replication events from the log file,
and other information specific to a database into a results database
that you can analyze.
In addition to ensuring that a database is replicating, you should routinely check for and consolidate
replication and save conflicts.
Domino uses the replication history to determine which documents to scan for changes during the next
replication. For example, if a database successfully replicated with the HR-E/East/Acme server 24 hours
ago, Domino replicates only those documents that were added, modified, or deleted in the replica on
HR-E/East/Acme within the last 24 hours.
Before replication starts between two databases, Domino checks the replication history of both databases
to make sure that they agree. If they don’t, Domino scans each document created or modified since the
date specified in the ″Only replicate incoming documents saved or modified after″ setting on the Other
panel of the Replication Settings dialog box.
If a database doesn’t replicate successfully, Domino doesn’t update the replication history.
Clearing the replication history: If you have Manager access to a database, you can clear the database
replication history if you think the database doesn’t contain all the documents it should or if the database
replication history is not synchronized with that of other replicas. Clear the replication history only as a
last resort to solve replication problems. If you clear the history, during the next replication, Domino
scans each document created or modified since the data specified in the ″Only replicate incoming
documents saved or modified after″ setting on the Other panel of the Replication Settings dialog box.
Scanning all these documents can be time-consuming, especially over dial-up connections. If you clear the
″Only replicate incoming documents saved or modified after″ setting, Domino scans all documents in the
database.
Within a server cluster, the Cluster Replicator stores replication history information in memory and
updates the replication history about once an hour.
For information on viewing cluster replication data, see the book Administering Domino Clusters. For more
information on the ″Only replicate incoming documents saved or modified after″ setting, see the chapter
″Creating Replicas and Scheduling Replication.″
Tip: To copy the entire replication history to the Clipboard, click Copy.
Replication conflicts: A replication conflict occurs when two or more users edit the same document and
save the changes in different replicas between replications. These rules determine how Domino saves the
edit sessions:
v The document edited and saved the most times becomes the main document; other documents become
Replication or Save Conflict documents.
v If all of the documents are edited and saved the same number of times, the document saved most
recently becomes the main document, and the others become Replication or Save Conflict documents
v If a document is edited in one replica but it is deleted in another replica, the deletion takes precedence,
unless the edited document is edited more than once or the editing occurs after the deletion.
Save conflicts: A save conflict occurs when two or more users open and edit the same document at the
same time on the same server, even if they’re editing different fields. When this situation occurs, the first
document saved becomes the main document. Before the second document is saved, a dialog box
indicates that the user is about to save a conflict document and if the user saves the document, it
becomes a Replication or Save Conflict document.
Note: ACL and design changes never result in replication or save conflicts; the most recent change
always prevails.
Preventing replication or save conflicts: The following techniques reduce or eliminate replication or
save conflicts. The first four are techniques that a database designer uses:
v Select the Form property ″Merge replication conflicts″ to automatically merge conflicts into one
document if no fields conflict. This applies to replication conflicts only and not to save conflicts.
v Specify a Form property for versioning so that edited documents automatically become new
documents.
v Lock documents in a database.
v Use LotusScript to write a custom conflict handler.
The last three are techniques that a system administrator or database manager can use:
v Assign users Author access or lower in the database ACL to prevent users from editing other users’
documents.
v Keep the number of replicas to a minimum.
v If the database property ″Limit entries in $Revisions fields″ is set to a value greater than 0, increase the
limit by specifying a greater value than the existing one or specify -1 to remove the limit.
For more information on the database property ″Limit entries in $Revisions fields,″ see the chapter
″Improving Database Performance.″
Consolidating replication or save conflicts: Regularly look for and consolidate replication or save
conflicts. To consolidate a conflict, merge information into one document and remove the other
document. Conflicts are easiest to consolidate immediately after they occur, since the conflict document is
still closely synchronized with the information in the main document. It’s important to consolidate
replication or save conflicts quickly, so users access the correct information.
Tip: To locate replication or save conflicts, create a view that displays only conflict documents. Then, to
see a conflict document in context with its main document, select the Replication or Save Conflict
document in the view that displays conflicts, hold down the CTRL key, and switch to the view that
shows the main document.
To consolidate replication or save conflicts, you can save the main document or save the Replication or
Save Conflict document
If a database or view is inactive, consider deleting the database or view to free disk space on the server.
Information provided Database Activity Log entry User Activity dialog box
Shows total number of times user and Yes Yes
servers accessed, read, and wrote to a
database in past 24 hours, past week, past
month, and since the creation of the
database*
Shows inactive views (indicated by the size Yes No
0)
Shows names of users and servers who read No Yes
and wrote documents, sorted by date*
Tip: In addition to viewing activity statistics reported by Statlog, you can evaluate database activity by
creating a view that sorts documents by date. You can also create File Monitor documents as part of
Event Monitor configuration. File Monitors report user activity for specific databases.
For information on creating views, see the book Application Development with Domino Designer. For
information on monitoring database activity within a server cluster, see the book Administering Domino
Clusters.
Statlog always reports activity information to the log file, but to save disk space, you can prevent it from
automatically reporting to User Activity dialog boxes.
Note: The Statlog task also reports database size statistics in the Database - Sizes view of the log file.
For information on monitoring database activity using the Database Analysis tool, see the topic ″Database
analysis,″ later in this chapter.
Tip: If you don’t have access to the Domino Administrator, select the log file database and choose File -
Database - Open.
To prevent Statlog from automatically recording activity in User Activity dialog boxes, add
No_Force_Activity_Logging=1 to the NOTES.INI file. Then, you can enable activity recording per
database, as needed. Because recording activity in the User Activity dialog box adds 64K to the size of
each database, disabling automatic activity recording saves disk space on the server.
Note: If you use No_Force_Activity_Logging, Statlog still reports activity to the log file (LOG.NSF).
Enable activity recording in a single database’s User Activity dialog box: Even if the server
administrator uses the No_Force_Activity_Logging setting in the NOTES.INI file to disable automatic
activity recording in databases, you can enable recording for a single database.
1. Make sure that you have Designer or Manager access in the database ACL.
2. Open the database and choose File - Database - Properties.
3. Click the i tab, and then click User Detail.
4. Select Record Activity to enable activity recording.
5. (Optional) Select ″Activity is Confidential″ to allow only users with at least Designer access in the
database ACL to view the activity.
6. Click OK.
Disable activity recording in a single database’s User Activity dialog box: Use the above procedure,
but deselect Record Activity in Step 4. Disabling activity recording also removes any existing activity
statistics in the User Activity dialog box.
Note: Replicating unread marks in high-activity user databases other than mail databases is not
recommended due to the performance impact.
Enabling or disabling replication for one database directly from the client
If you are enabling or disabling replication of unread marks for one database, you can do so directly
from the client. Open the database for which you are enabling or disabling replication of unread marks.
Choose Files - Database - Properties. Click the tab furthest to the right on the Properties dialog box.
Choose one of the ″Replicate Unread Marks″ settings to enable or disable replication of unread marks.
A full-text index is an index of the text in a database. To perform advanced searches for text in a
database, users need an up-to-date full-text index that reflects the latest content of a database.
Update: Update is loaded at server startup by default and runs continually, checking its work queue for
views and folders that require updating. The indexer uses modest system resources by waiting five
seconds between each database update operation that is performs.
The Update task uses a separate thread for full-text indexing which makes view updates more timely
than in releases prior to Domino 7.
Update maintains two queues of work -- an immediate queue and a deferrred queue. Other server
components, such as the router and replicator, post requests to the updater when changes are made to
databases. Some requests are posted as deferred and some as immediate.
This table lists how full-text index updates are performed according the update frequency:
When a view or folder change is recorded in the queue, Update waits approximately 15 minutes before
updating all view indexes in the database so that the update can include any other database changes
made during the 15-minute period. After updating view indexes in a database, it then updates all
databases that have full-text search indexes set for immediate or hourly updates.
When Update encounters a corrupted view index or full-text index, it rebuilds the view index or full-text
index in an attempt to correct the problem. Update deletes the view index or full-text index and rebuilds
it.
To improve view-indexing performance, you can run multiple Update tasks if your server has adequate
CPU power.
Managing the update task and its use of system resources: The indexer is able to keep up with the
update rate in the server’s default configuration if the server has a low update rate, that is, if few
changes are made to databases on the server. If a server has a high update rate due to heavy application
database use, a large number of mail users, or a large volume of mail, the default resource usage
configuration can cause the updater queues to become large. To determine whether the updater queues
are large, examine the queue length statistics that are available in Lotus Domino 7. If you determine that
the update queues are too large, determine a methodology for performing updates on that server. Long
queues typically indicate that views and full-text indexes are not up-to-date.
Here are some sample scenarios and practices that you may want to use as well as the steps to
implement them.
v Scenario one -- The queues are usually short, unless a full-text index starts for a large update volume
database. When this occurs, the view updating requests wait for the full-text index. This causes the
queues to increase until the full-text indexing is complete. To use slightly more system resources to
keep the queues short, perform view updates and full-text index updates in separate threads. To do so,
enter this variable, UPDATE_FULLTEXT_THREAD=1, in your server’s NOTES.INI file.
v Scenario two -- The queues grow slowly over time and become too long because the Updater task is
not getting sufficient system resources to keep the queues short. To use additional resources to keep the
queues short, set a delay between each Update operation. To set the delay, enter these variables,
UPDATE_IDLE_TIME (and FTUPDATE_IDLE_TIME if two threads are used) in the server’s
NOTES.INI file. By default, the delay is 5 seconds. To allow the Update task to use additional system
resources, set the delay to less than 5 seconds. Finer precision may be required on a large server. In
that case, you can set the delay in milliseconds (Domino 7 only) by adding these variables,
UPDATE_IDLE_TIME_MS (and FTUPDATE_IDLE_TIME_MS if two threads are used), to the server’s
NOTES.INI file.
v Scenario -- Servers that have high update rates often require too many system resources to keep the
queues small. In this case, you can decide not to perform view updates at all, and just allow view
opens to perform the updates automatically. Disable the view updates by adding this variable,
UPDATE_DISABLE_VIEWS=1, to the server’s NOTES.INI file. Another option is to limit the number of
immediate updates for full-text databases. You change the update frequency for databases to hourly,
daily, or to a specific schedule. You can also delete extraneous full-text indexes.
To allow frequent full-text indexing on only a small number of databases, and to prevent other
databases from being full-text indexed, disable full -text indexing in the Updater and then add
Program documents to schedule Updall to run, for example, every half hour (30 minutes). To disable
full-text indexing in the Updater, enter this variable, UPDATE_DISABLE_FULLTEXT=1, in the server’s
NOTES.INI file.
You can prevent performing any updates at all, and just allow view opens to perform the view updates
automatically. To prevent updates, edit the NOTES.INI variable by remoinge the update string.
If a system has adequate system resources to perform updates, you can run multiple Update tasks. To
do so, edit the variable, ServerTasks, in the NOTES.INI file and add a second Update task.
You can adjust the controls that determine whether a modified view is actually updated or not. The
database and view must still be opened, but if these thresholds are not reached, the view is not
updated.
Like Update, Updall rebuilds all corrupted view indexes and full-text search indexes that it encounters.
By default Updall is included in the NOTES.INI setting ServerTasksAt2, so it runs daily at 2 AM.
Running Updall daily helps save disk space by purging deletion stubs and discarding unused view
indexes. It also ensures that all full-text search indexes that are set for daily updates are updated.
Note: When views are being rebuilt - either through the Designer or Updall tasks - all new server
sessions that are attempted once the rebuild process has started are locked out. Therefore, it is
recommended that changes to master templates, as well as complete view rebuilds, be scheduled for late
at night, when users are far less likely to require access to the server.
The following table compares the characteristics of Update and Updall. For Updall, the table describes
default characteristics. For information on options you can use to modify some of these characteristics,
see the topic ″Updall options″ later in this chapter.
Updall options
You can use any of these methods to run Updall on a server:
v Task - Start tool in the Domino Administrator -- Use this method if you don’t want to use
command-line options.
v Load Updall console command -- Use this method if you’re comfortable using command-line options
or if you want to run Updall directly at the server console when there is no Domino Administrator
running on the server machine.
v Program document that runs Updall -- Use this method to schedule Updall to run at particular times.
When you use these methods, you can include options that control what Updall updates. For example,
you can update all views and not update any full-text search indexes.
The following tables describe the options you can use with Updall. The first column describes the option
names as they appear in the Task - Start tool. The second column lists the equivalent command-line
options that you use when you use a console command to run Updall and when you schedule Updall to
run in a Program document.
Use this syntax when you use the Load updall console command:
Load updall databasepath options
For example:
Load updall SALES.NSF -F
For information on Updall behavior when you don’t specify options, see the topic ″Indexer tasks: Update
and Updall,″ earlier in this chapter.
v Index all databases databasepath ″Only this database″ updates only the specified database.
To update a database in the Domino data folder, enter the
v Index only this database or For more information file name, for example, SALES.NSF. To update databases
folder on databasepath, see in a folder within the data folder, specify the database
the topic ″Using a path relative to the data folder, for example,
console command″ DOC\README.NSF.
later in this chapter.
″Index all databases″ (or no database path) updates all
databases on the server.
Update this view only database -T viewtitle Updates a specific view in a database. Use, for example,
with -R to solve corruption problems.
Note: -T cannot be used with .IND (indirect) files.
The following table illustrates how you can use databasepath to specify databases, folders, and subfolders.
SALES\USER1.NSF
SALES\NEW
Using a Program document: Use a Program document to schedule Updall to run with options at a regular
time. Note that by default Updall is included in the NOTES.INI setting ServerTasksAt2, so it runs daily at
2 AM on all databases without options.
For more information on Program documents, see the appendix ″Server Tasks.″
1. From the Domino Administrator, click the Configuration tab.
2. Next to ″Use Directory on,″ select the server with the replica of the Domino Directory that you want
to modify.
3. Expand Server - Programs and then click Add Program.
4. Complete these fields on the Basics tab:
Field Enter
Program name Updall
Command line Command line options. Don’t specify ″load″ before the options.
Server to run on Server on which to run Updall
Comments Optional comments
For more information on the available command-line options, see the topic ″Updall options,″ earlier in
this chapter.
5. Complete these fields on the Schedule tab:
Field Enter
Enabled/disabled Enabled
Run at times Times to run Updall each day
Repeat interval of How soon to run Updall again after it completes
Days of week The days to run Updall
Using the Task - Start tool: Use the Task - Start tool to run multiple Update tasks without having to
shut down and restart the server. If you eventually shut down the server, you must repeat this procedure
when you restart it.
Each time you enter this command, the server loads another Update task.
1. From the Domino Administrator, select the server on which to run Update.
2. Click the Server - Status tab.
3. In the Tools pane on the right, click Task - Start.
4. Select ″Update.″ Do not select ″Update all.″
5. Click Start Task.
Tip: You can also enter the following command at the console:
Load update
Depending on the amount of memory available during rebuilding, the space required in the temporary
folder for each view being rebuilt is approximately two times the size of the largest view or two times the
size of all the data in documents, whichever value is greater. It is recommended that you change the
location of the temporary files to a different drive from the Domino data folder. Putting the temporary
To change the temporary folder used for view rebuilds, add the setting View_Rebuild_Dir to the server’s
NOTES.INI file and specify a new location. For example, add:
View_Rebuild_Dir=D:\REBUILD
If Domino estimates that there’s not enough space available in the temporary folder to rebuild a specific
view, Domino uses a slower method to rebuild the view and logs this message to the Miscellaneous
Events view of the log file (LOG.NSF):
Warning: unable to use optimized view rebuild for view due to
insufficient disk space at directory. Estimate may need
x million bytes for this view. Using standard rebuild instead.
You can add the following setting to the NOTES.INI file to disable optimized view rebuilding. However,
do this only as a last resort if you’ve specified a view rebuild folder and you still see the preceding
message for many views. If you see the message for just a few views, don’t disable view rebuilding.
Disable_View_Rebuild_Opt=1
For a server’s Designer task to update databases, you must create a replica of the master template on
each server that stores databases that inherit from the master template.
After updating database designs, the Designer task also reloads the LDAP schema on a Domino server
that runs the LDAP service.
You can run the Designer task against a specific database or folder.
For more information on master templates, see the book Application Development with Domino Designer.
You can run the Designer task by using one of the following methods.
The following table describes the command line options you can use with the Designer task.
The following messages indicate that Domino has rebuilt, is in the process of rebuilding, or was unable to
rebuild damaged views:
v Page format is incorrect
v Invalid CNO vector - position == 0
v Container integrity has been lost - rebuild
For information on using the log file, see the chapter ″Using Log Files.″
Using Fixup
When you restart a server, the server quickly searches for any unlogged databases that were modified but
improperly closed because of a server failure, power failure, hardware failure, and so on. A few minutes
after server startup is complete, the Fixup task then runs on these databases to attempt to fix any
inconsistencies that resulted from partially written operations caused by a failure. When users attempt to
access one of these databases and Fixup hasn’t yet run on the database, the users see the message ″This
database cannot be opened because a consistency check of it is in progress.″ A similar Fixup process
occurs when you restart a Lotus Notes client.
Multiple Fixup tasks run simultaneously at server startup to reduce the time required to fix databases.
The number of Fixup tasks that Domino runs by default at startup is equal to two times the number of
processors available on the server. Although this default behavior should be adequate in most
circumstances, you can edit the NOTES.INI file to include the Fixup_Tasks setting. The actual number of
tasks run is the smaller of the configured number of tasks that can run and the number of databases that
require fixing. For example, if you set Fixup_Tasks to 4 but only one database requires fixing, then only
one Fixup task runs.
Keep in mind that after you set up transaction logging, Fixup is not needed or used to bring databases
back to a consistent state.
Ways to run Fixup manually: Use Domino Administrator to use any of these methods to run Fixup
manually to fix a corrupted database. With each of these methods, you can customize how Fixup runs.
v Run Fixup using the Fixup tool in the Files tab -- Use this method to run Fixup on one or a few
databases; you can easily select the databases and you don’t have to use command-line options, but
you can’t use the Domino Administrator until Fixup finishes.
v Run Fixup using the Task - Start tool -- Use this method to run Fixup on all databases; you can
continue to use the Domino Administrator while Fixup runs and you don’t have to use command-line
options.
Fixup options
Fixup options in Fixup tool and
Task - Start tool Command-line equivalent Description
v Fixup all databases databasepath ″Fixup only this database or folder″ runs Fixup
only on a specified database or all databases in a
v Fixup only this database or
specified folder. To run Fixup on a database in the
folder
Domino data folder, enter the file name, for
example SALES.NSF. To run Fixup on a database
or databases in folders within the data folder,
enter the path relative to the data folder. For
example, to run Fixup on all databases in the
DATA\SALES folder, specify SALES.
For information on transaction logging, see the chapter ″Transaction Logging and Recovery.″
Using the Task - Start tool: Use this method primarily to run Fixup on all unlogged databases on a server.
1. From the Domino Administrator, select the server on which to run Fixup.
2. Click the Server - Status tab.
3. In the task panel on the right, click Task - Start.
4. Select Fixup.
5. Do one of the following:
v To specify options to control how Fixup runs, Click ″Select advanced options,″ click Start Task,
select options to customize how Fixup runs, then click OK.
v To run Fixup without options, deselect ″Select advanced options″ and then click Start Task.
For information on the options available, see the topic ″Fixup options″ earlier in this chapter.
The following table illustrates how you can use databasepath to specify databases, folders, and subfolders.
SALES\USER1.NSF
SALES\NEW
Using a Program document: Use a Program document if you want to schedule Fixup to run at a regular
time.
For more information on Program documents, see the appendix ″Server Tasks.″
1. From the Domino Administrator, click the Configuration tab.
2. Next to ″Use Directory on″ select the server with the replica of the Domino Directory that you want
to modify.
3. Select Server - Programs and then click Add Program.
4. On the Basics tab, complete these fields:
Field Enter
Program name Fixup
Command line Command line options. Don’t specify ″load″ before the options.
Server to run on Server on which to run Fixup
Comments Optional comments
For more information on the available command-line options, see the topic ″Fixup options″ earlier in
this chapter.
5. On the Schedule tab, complete these fields:
Field Enter
Enabled/disabled Enabled
Run at times Times to run Fixup each day
Repeat interval of How soon to run Fixup again after it completes
Using the Fixup tool: Use this method to run Fixup on one or a few databases.
1. From the Domino Administrator, select the server that stores the databases you want to run Fixup on.
If the Domino Administrator does not run on a server, you can select local to run Fixup on databases
stored on the client.
2. Click the Files tab.
3. Select the databases on which to run Fixup.
4. In the Tools panel at the right, select Database - Fixup.
5. (Optional) Select options to control how Fixup runs.
For information on the options available, see the topic ″Fixup options″ earlier in this chapter.
6. Click OK.
Moving databases
It may be necessary to move a database from one server to another -- for example, to distribute databases
evenly among servers. If there are replicas of the database, the server to which you move the database
should have the appropriate Connection documents to replicate the database to other servers that store
replicas. If you’re moving a database to a server in a cluster, replication between the server and other
servers in the cluster that have replicas of the database occurs without Connection documents.
Keep in mind that within a cluster, the Cluster Manager distributes workloads and provides failover to
database replicas if one cluster server becomes disabled. Before moving a database in a cluster, you
should analyze the cluster workload to be sure it will remain balanced after you move the database. Only
the person who administers the cluster should perform the move.
For more information on clusters, see the book Administering Domino Clusters.
For information on moving mail files, see the chapter ″Setting Up and Managing Notes Users.″
1. Make sure the source and destination servers are running the Administration Process.
2. Make sure that you have Create Database access in the Server document of the destination server
and at least Manager with ″Delete documents″ access in the ACL of the databases on the source
server.
3. Make sure that the source server (or another server that replicates with the source server and has a
replica of the database) has Create Replica access in the ACL of the destination server.
4. Make sure the destination server has at least Reader access in the ACL of the replica on the source
server.
For information on specifying server access in an ACL, see the chapter ″Creating Replicas and
Scheduling Replication.″ For information on using a Server document to set ″Create replica
databases″ access, see the chapter ″Controlling Access to Domino Servers.″
Moving databases by dragging them to a destination server: Rather than choosing Database - Move,
you can drag databases to a destination server. When you use this method, you must store all databases
in one preexisting folder on the destination server. This method also uses the Administration Process to
automate moving the database. You can’t use this method to move a database to another Domino
domain.
1. From the Domino Administrator, click the Files tab.
2. In the files pane, select one or more databases to move.
3. Press Ctrl and drag the selected databases to a destination server in the server pane on the left.
4. In the dialog box that appears, select ″Move database,″ select a folder on the destination server in
which to store the database(s), then click OK.
For information on moving mail files, see the chapter ″Setting Up and Managing Notes Users.″
1. Make sure that you have Create Replica access in the Server document of the destination server.
2. Make sure you have Manager with ″Delete documents″ access in the ACL of the original database.
3. Choose File - Replication - New Replica to create a replica of the database on the destination server.
4. Make a note of the file name and path of the original database. You’ll include this information when
you notify users of the move.
When the load convert task is used without a switch, folders are created for all categories within the
database. The load convert task looks for a $inbox, if there is no $Inbox, it processes the categories as
views.
Enter the load convert -d task from the Domino server command line as follows:
load convert -d databasename * newtemplatename
v Where databasename * is the name of the database you are converting (includes all documents in that
database).
v Where newtemplatename is the name of the template that creates the type of database to which you
are converting the non-mail database.
Deleting databases
To keep a server performing efficiently and to free disk space, delete databases that are no longer active.
To delete databases from a cluster server, you use the Cluster database tool in the Domino Administrator.
To delete databases on non-cluster servers, select the databases and delete them manually, or use the
Delete database tool in the Domino Administrator to have the Administration Process deletes replicas of
the database.
Within a cluster of servers, you create a number of replicas for each database to ensure user access to an
updated replica even if a particular cluster server becomes unavailable. You can mark a cluster replica for
deletion while users are working with the replica. Domino then prevents new users from accessing the
marked replica and deletes the database after all current users exit the database. Before deleting the
database, Domino replicates any changes to other replicas in the cluster.
For more information on clusters, see the book Administering Domino Clusters.
Deleting a non-cluster database and its replicas using the Administration Process
1. Make sure you have Manager access in the database ACL.
2. From the Domino Administrator, select the server that stores the database you want to delete.
3. Click the Files tab.
4. Select the database to delete.
5. Click Database - Delete
6. (Optional) Select ″Also delete replicas of this database on all other servers″ if you want the
Administration Process to delete other replicas.
7. Click OK.
Database analysis
You can perform a database analysis to collect information about one or more databases from a variety of
sources -- the replication history, the User Activity dialog box, and the log file (LOG.NSF) -- and view it
in a single ″results″ database. You can perform a database analysis only if you have access to the Domino
Administrator.
Analysis documents
Each analysis document in the results database contains fields that describe a particular event.
Field Describes
Date Date of the event
Time Time of event
Source of Event Information The analyzed database or its replicas or the log file (LOG.NSF)
Source Database Name of a database containing documents that were read
For database replication events, name of server that stores the database from
which information was pulled
Destination Name of a database on which documents were updated
For more information on modifying ACLs, see the chapter ″Controlling User Access to Domino
Databases.″
If the name of the former administrator is included in any groups, delete the former administrator’s name
from the Group document(s), if appropriate. Add the name of the new administrator.
1. From the Domino Administrator, select the Configuration tab.
2. Click Server, and then select one:
v Current Server Document -- to change the administrator name for the current server.
v All Server Documents -- and then select the server document you want to change.
3. Click ″Edit Server.″
4. Click the Administration tab.
5. In the Administrator field, type the administrator’s name or click the arrow and complete the
following fields as necessary in the Select Names dialog box:
Field Action
Choose address book Select the address book and choose a name from the list.
Click one of the following:
v Add -- to add the name to the Names list.
v Details -- to view address details from the Person
document
Find names starting with (Optional) Enter a user name, last name followed by first
name, to search for a name if you are unsure of the
spelling or the complete name.
Add name not in list Enter a user name and then click Add to add the name
to the Names list without selecting it from an address
book.
Names (Optional) Do one:
v Select a name and then click Remove to remove the
selected name from the Administrator field.
v Don’t select any names. Click Remove all to remove all
names from the Administrator field.
Select a name and click to copy a name from the open
address book to the local address book.
6. Click OK, and then click ″Save & Close″ in the Server document.
7. Use the Replicate server command at the console to force replication of the Domino Directory and
disseminate the change quickly.
1319
For more information on the Replicate command, see the appendix ″Server Commands.″
Note: Users’ Location documents can be automatically updated with the name of your new indexing
server if you include the new server in your desktop policy settings.
Decommissioning a server
You use the Decommission Server Analysis tool when you are consolidating existing servers and/or
permanently removing a server from service. Whether you are combining two servers into one server or
renaming a server, the result is the same -- the old server name is replaced with the new server name.
The analysis tool can help you avoid a loss of service for your Domino server and can be used to help
build a foundation for a decommission ″to do″ checklist. The role of the Server Analysis Tool is to
compare the responsibility of the source server to that of the target server and to report differences that
could cause a possible loss of service.
When you run the Decommission Server Analysis tool, you create a Results database containing detailed
information comparing the source server and the target server. The source server is the server being
removed from service, and the target server is the server taking the place of the source server. The source
and the target servers must be Domino servers that have hierarchical names and that are in the same
domain.
Inconsistencies between the source and target servers are marked in the Results database to alert you to
the administrative tasks you may need to do before you can decommission the server. Each comparison
that the Decommission Server Analysis tool makes is somewhat individual. Relationships between
analysis items are not determined by this tool; therefore, you need to review each report and make your
own comparisons before taking any action. Perform comparisons between only two servers at a time. You
do not need to resolve all differences before you decommission a server.
Field Enter
Source server Name of the server being decommissioned
Target server Name of the server that will replace the server being decommissioned
5. Click OK.
When the analysis is complete, the Results database opens to the Reports view. This can take up to
several minutes depending on network traffic and the number of databases on both the source and
target servers.
Note: You can create multiple reports in the same database or in different databases and then use these
reports to verify that differences between the two servers are remedied and cannot be seen by the system
when you run the Decommission Server Analysis tool. You can re-run the reports as many times as you
wish.
Icon Explanation
A difference was found when doing the comparisons and may require the
attention of an administrator.
An error was encountered when performing or trying to perform a
comparison.
No icon No attention is required because the fields being compared are either
equivalent or the source’s values are a complete subset of the target’s
values.
Click a document to open it and view the actual report that was generated. A sample report is shown
here:
Report comparisons
The following types of field comparisons are done between the two Server documents and the
Configuration documents:
A file name comparison for all databases that do not have replicas on the
target is done. Any database on the source that has a name conflict with a
different database with the same name on the target is listed.
For more information on the Administration Process, see the chapter ″Setting Up the Administration
Process.″
1. To delete a server name, you must have:
v At least Author with Delete documents role and the ServerModifier privilege, or Editor access to
the Domino Directory.
2. From the Domino Administrator, click the Configuration tab.
3. Click Server - All Server Documents.
4. Select the server name you are deleting and click Delete Server.
5. Do one of these:
v Click the check box ″Delete servers from Domino Directory immediately″ to immediately remove
the server name from the Domino Directory, and post Administration Requests to remove the
server name from ACLs, Names fields, and other locations.
v Leave the check box ″Delete servers from Domino Directory immediately″ not selected, to create
Administration Requests to remove the server name from the Domino Directory, ACLs, Names
fields, and all other locations.
6. Click OK.
For information on removing a server from service and replacing it with another server, see the topic
″Decommissioning a server″ in this chapter.
Recertifying a server ID
Follow this procedure to use the original certifier to recertify a server ID that has a certificate that is
about to expire.
1. To recertify a server ID, you must have:
v Author with Create documents access and the ServerModifier role, or Editor access to the Domino
Directory
v At least Author with Create documents access to the Certification Log
2. From the Domino Administrator, click the Configuration tab, and then click Server - All Server
Documents.
3. Select the server you are recertifying.
4. Choose Actions - Recertify Selected Servers.
5. Choose one:
v Click Supply certifier ID and password -- if you want to use a certifier ID and password instead of
the new server-based certification authority (CA). To change to a different certifier ID, click
Certifier ID, select the new ID, enter the password, and then click OK.
v Use the CA Process -- Click to use the Domino server-based certification authority (CA) to
recertify the server ID. Choose a CA-configured certifier from the list.
6. Accept the default certificate expiration date (two years from the current date), or enter a different
date.
7. (Optional) Enter a date in the field ″Only renew certificates that will expire before″ if you want to
limit which server IDs can be recertified.
8. (Optional) Click the check box ″Inspect each entry before submitting request″ if you want to view
the server ID before finalizing the recertification.
9. Click OK.
10. Select one of the following:
v OK -- to submit the recertification.
Note: You can use the @Certificate function to create a custom view of specific IDs for recertification
based on the ID name, issuer of the certificate, and expiration date. If you create a custom view, be sure
to include the Recertify Servers or an equivalent action in the Actions menu of the view.
For more information on the @Certificate function, see the Domino Designer Programming Guide.
Activity Trends
Domino server resource utilization can be separated into two types, system activity and user activity.
System activity, which includes the level of processor, disk, memory, and network consumption that
Domino generates to keep the server running, is a fixed amount of activity, as long as systems are healthy
and performing smoothly. Domino servers typically use a modest percentage of their resources to run.
The remaining server capacity is used to support user activity, which varies with the usefulness of the
data on the server.
Activity Logging servers account for their time precisely, recording user activity by person, database, and
access protocol. When summarized and averaged, or trended over time, activity logging of trended
statistics provides a way to measure and compare workloads across servers. You can use this information
to identify the most active users and databases on each server. Using the Domino Change Manager, you
can automate the creation and execution of workload redistribution plans to load a new server,
decommission an old one, or balance workloads across unevenly burdened servers.
Activity Trends is part of the Domino Administrator. Activity Trends collects and stores activity statistics
as current observations and historical trends. The activity statistics relate to the server, databases, users,
and connections of users to databases. You can explore the collected data to see how database workload
is distributed across servers. Using the data, Activity Trends recommends a resource-balancing plan.
Then, working with the Domino Change Manager, which is a part of the Domino server, Activity Trends
provides a workflow that facilitates implementing the recommended changes.
Domino uses the collected data to determine the load on the server. Then, using resource-balancing
functionality, the Analyzer applies trends analysis and statistics to intelligent algorithms that can provide
computer-aided load balancing on a set of servers or simplify the server decommissioning process.
The Domino Change Manager provides workflow capability that creates resource-balancing plans and
implements database moves.The Domino Change Control database (DOMCHANGE.NSF) and Domino
Change Manager are part of the Domino server core functionality.
1329
Setting up Activity Trends
The basic setup for Activity Trends includes these tasks:
1. For each server for which you want to collect activity logging information and analyze activity trends,
enable activity logging and activity trends in the Configuration Settings document.
2. To set up resource balancing, do the following:
a. Load the Domino Change Manager administration task on one server in the domain.
b. Define a set of server profile options that specify the locations, goals, and behavior of resource
balancing.
Then you specify how to collect the Activity Trends and create the Activity Trends database
(ACTIVITY.NSF), which is stored, by default, in the Domino data directory.
Field Action
Enabled logging types Select the server tasks to use to produce activity logging data.
For Activity Trends, enable all tasks except Domino.MAIL. At a minimum, you must
enable Domino.Notes.Session and Domino.Notes.Database.
Checkpoint interval Enter the number of minutes to wait between the creation of checkpoint records. The
default is 15 minutes.
Log Checkpoint at Check Yes to log ongoing session activity at midnight. This is required for Activity
Midnight Trends.
5. Click the Activity Trends tab, and complete the following fields on the Basics tab:
Field Action
Enable activity trends collector Click yes to run the Activity Trends Collector.
6. Under Activity Trends Data Profile Options, keep the ″Use defaults″ field enabled. If you choose not
to use the defaults, complete these fields.
Field Action
Trends cardinal interval Enter the number of recent observations you want to use.
The default is 10.
7. Click the Retention tab. Keep the ″Use defaults″ field enabled. Documents are overwritten after the
retention period expires. The defaults are:
v Server history -- 366 days
v Server observations --15 days
v Database observations -- 10 days
v User observations -- 10 days
v Connection observations -- 10 days
v Inactive database trends -- 10 days
v Inactive user trends -- 28 days
v Inactive connection trends -- 28 days
v Run log -- 20 days
8. Click the Proxy Data tab, and enter the names of the databases containing activity data to search.
9. Click Save and Close.
For detailed information on checkpoint records, see the chapter, ″Setting Up Activity Logging.″
Consequently, the newest observations are weighted most heavily, and older observations are weighted
exponentially less and less in the new computed trend. Keep in mind that increasing the cardinal interval
increases the number of recent observations that are heavily weighted, and decreasing the cardinal
interval decreases the number.
Proxy data
By default, the server from which you are running Activity Trends will find the local Activity Trends
database (ACTIVITY.NSF). However, you may replicate Activity Trends databases that contain data you
want to access. You use proxy data to include the names of other Activity Trends databases that contain
trends data from other servers.
In a server profile, you collect servers from the same domain into a named group. Then when you
perform resource balancing or use charting to review performance, you have easy access to those servers.
After you create a server profile, you can select a statistics profile to view the statistics for the selected
server profile.
When you perform resource balancing, the server profile can include one or more phantom servers.
Phantom servers do not physically exist, but you can use them in ″what if″ scenarios to evaluate how
adding servers might alleviate load problems. Phantom servers are not visible when viewing activity
trends, in either the Latest or Historical views, because there is no activity trends data for phantom
servers.
Activity Trends analysis includes default statistics that differ depending on the view you are in. The
Users view, for example, has only one default statistic, while the Server view has two. You can create
statistics profiles that contain an unlimited number of Domino system statistics. Then you can use any
statistic profile with any server profile.
To create an additional server profile: Use this procedure to clear the current server profile and create a
new one.
1. In the ″Server profile″ area, click the document icon, and choose New.
2. Click the green plus sign, and complete Steps 4 through 7 in the above procedure.
To create an additional server profile: Use this procedure to clear the current server profile and create a
new one.
1. In the ″Server profile″ area, click the document icon, and choose New.
2. Click the green plus sign, and complete Steps 4 through 7 in the above procedure.
Tip: To select more than one statistic, position the cursor in the column to the left of the list and click
next to each statistic to add, or drag the mouse to select a large group of statistics.
5. Click the document icon, and do one:
v Click Save As, and enter a new profile name.
v Click Save to update the existing profile.
You can also ″drill down″ for more information on any user or database statistic in the Latest Folder
view. For example, to see which databases a user is accessing, select a user from the Latest Folder - User
view and double-click the user’s name; the Connection view displays a chart of that user’s database use.
For information about setting charting display options, see the topic ″Setting charting options for resource
balancing″ later in this chapter.
In addition to balancing the resources of existing servers, you can create phantom servers to use for
future planning. Each phantom server represents a new server that can be loaded with databases. Then
you can evaluate the effect of adding a new server before you incur the expense of additional hardware.
Server roles
The role you assign to a server affects the resource-balancing results.
v Source Only -- These servers cannot have any databases moved to them.
v Destination Only -- These servers cannot have any databases removed from them. A phantom server is
a Destination Only server and cannot be changed.
v Any -- These servers can have databases moved to or from them.
You can open the Server Profile Options dialog box from the Activity Trends menu or by clicking the
Server Profile Options button.
To specify locations:
1. From the Domino Administrator, click the Server - Performance tab.
2. Select the Activity Trends - Resource Balancing view.
3. Choose Resource Balancing - Options to open the Server Profile Options dialog box.
4. Click General.
5. Under Activity Data Search Order, choose one or both:
v Search Local Activity Databases -- To search the Activity databases (ACTIVITY.NSF) on each server
on which Activity Trends is enabled.
v Search Activity Data Proxy Servers -- To use servers that contain activity data copied or replicated
from another server. Enter the name of the servers that have the proxy data. Activity Trends
Collector proxy data options are configured in the Configuration Settings document in the Domino
Directory.
6. Under Activity Trends Data Cache for the field ″Enable caching of activity data,″ do one:
v Check Yes (default) -- To cache Activity Trends data. When data is cached, if the data for a server
has already been retrieved (even though the server may not appear in any of the server lists), the
cached data is used.
v Uncheck Yes -- To gather Activity Trends data every time a new server is added. Data from servers
that are removed is discarded immediately, and new data is retrieved.
7. For the field ″Cache expiration time out,″ enter the number of minutes that data remains cached after
the server’s data is first retrieved. The default is 360 minutes.
8. Choose one of the following to set location defaults. These defaults apply only to items on the current
tab.
v Use Defaults -- To revert to previously stored custom defaults.
v Save as Defaults -- To save a custom set of defaults and override the system defaults.
v Reset Defaults -- To revert to the system defaults.
You can open the Server Profile Options dialog box from the Activity Trends or Resource Balancing
menus, or by clicking the Server Profile Options button:
5. Under Resource Balancing Display Options, check Yes to enable these options for Resource Balancing
view. The default is unchecked.
v Show actual values on Y-axis when displaying non-normalized data
v Show chart using 3D effect
6. Under Latest Activity Display Options, do the following to set the appearance of for the Activity
Trends - Latest folder views:
a. For the field ″Maximum X-axis items that can be displayed″ enter the number of items that can be
shown in the horizontal position on the chart. The default is 1000.
b. Check Yes to enable these display options. The default is unchecked:
Show database titles on X-axis
Show actual values on Y-axis when displaying single data type (such as bytes, transactions,
milliseconds)
Show chart using 3D effect
7. Under Historical Activity Display Options, check Yes to enable these options for the Activity Trends -
Historical folder views. The default is unchecked.
v Show actual values on Y-axis
v Show chart using 3D effect
8. Choose one of the following to set Charting defaults:
v Use Defaults -- To revert to previously saved custom defaults.
v Save as Defaults -- To save a custom set of defaults and override the system defaults.
v Reset Defaults -- To revert to the system defaults.
The second factor in resource balancing is tolerance. When you specify tolerance, you indicate the level of
accuracy you want for the resource. A low value typically generates more moves (it is less tolerant when
the values are lower), but produces a better distribution of the resources that are closer to the targeted
accuracy. A higher tolerance value creates fewer moves, but does not distribute the activity as evenly. You
set tolerance values for both the Primary and Secondary Goals, however the primary tolerance is much
more important than the secondary tolerance in determining the number of moves.
Finally, you specify whether to use trended data or data collected from one observation period. You also
choose when to gather the data.
The resulting resource chart may show heavy activity on some servers and light activity on others. You
can choose to balance the activity across the servers so that no single server shows a high incidence of
activity. You can balance resources based on a primary and a secondary goal. Unless you have specific
requirements in mind, the recommended primary and secondary goals are Notes Transactions and Disk
Space, respectively.
Because the primary goal is given more weight than the secondary goal, set the resolution of the most
troublesome resource area as the primary goal. For example, if you suspect that some servers have
available disk space, while others have almost none, choose the statistic Disk Space as the primary goal.
You can open the Server Profile Options dialog box from the Resource Balancing menu, or by clicking the
Server Profile Options button.
1. From the Domino Administrator, click the Server - Performance tab.
2. Select the Activity Trends - Resource Balancing view.
3. Choose Resource Balancing - Options to open the Server Profile Options dialog box.
4. Expand the Balancing section, and then click Goals.
Field Action
Statistic Name Select a statistic from the list. The default is Notes Transactions.
Tolerance Enter a percentage. The default is 10%.
Analyze Choose one:
v Trended Data (default) -- To analyze the resource balance based on trended
data.
v Last Observation Data -- To analyze the resource balance based on the data
that was gathered during the most recent observation time.
Over period Choose one:
v Complete Day (24 hours) -- To analyze data gathered during a 24-hour
period.
v Prime Shift Only (default) -- To analyze data gathered during the prime shift
hours.
Note: The prime shift hours are defined on the Activity Logging tab of the
Configuration Settings document.
For more information on defining prime shift hours, see the topic ″Setting up Activity Trends″ earlier
in this chapter.
6. Click Secondary Goal, and repeat Step 5 to specify the values for the secondary goal. Goals that were
selected as Primary goals will not appear in the list of available statistics for secondary goals.
7. (Optional for secondary goal only) Enable ″Other options″ if any tolerance value is acceptable as a
solution for resource balancing.
8. Choose one of the following to set defaults for goals. You can set these defaults on either the Primary
or Secondary Goal tab.
v Use Defaults -- To revert to previously saved custom defaults.
v Save as Defaults -- To save a custom set of defaults and override the system defaults.
v Reset Defaults -- To revert to the system defaults.
You pin databases in one of two ways. You can list databases you do not want to move, or you can list
only the databases that you do want to move. After you define a pin list, you can save it as a pin list
profile.
Tip: You can also pin individual databases from the Available Databases list in the Server - Performance
tab, in the Resource Balancing view of the Domino Administrator.
By default, all databases are associated with all servers. The server name can be specified as part of the
entry. Use a colon to specify the server part. For example, Acme/East:mail/*.nsf applies to all mail/*.nsf
databases on the server Acme.
When you select servers to balance resources, you should be aware that Activity Trends does not
recognize that servers are in a cluster. If you include servers from different clusters or some servers that
are in a cluster and some servers that are not in a cluster, Activity Trends may suggest moving a database
out of a cluster in order to balance the resources. To prevent this, you can create a separate server profile
for each cluster and one for nonclustered servers, or you can pin databases that you want to exclude
from resource balancing.
You also specify the location of the Domino Change Control database (DOMCHANGE.NSF). By default,
Activity Trends automatically selects a server. However, you must specify the Domino Change manager
server in the Configuration Settings document. Use the default unless you want to use a local replica or
are working remotely and want to use a server that has a replica of the Domino Change Control
database.
Resource balancing attempts to balance the bins among the servers as well as the total for the servers.
This is important because heavily utilized databases (databases with a high number of transactions) also
have the greatest variance. That is, their usage is more likely to vary from the mean more frequently. This
means that when there is a spike in activity, the spike will be a big spike, and the dip will be a big dip.
Dividing the databases into bins separates the few databases that account for a large amount of activity,
from the large amount of databases that account for little activity. For example, out of 100 databases on a
Balancing according to the bins, ensures that the spread of heavily used and lightly used databases are
evenly distributed across the servers. This results in more predictable usage patterns, increased
availability, and more efficient use of resources.
Deciding the exact percentages for each of the bins depends on how your organization uses their
databases and the type of server being balanced (mail server versus application server). For mail servers
in most organizations you may want to increase the size of the light bin and decrease the size of your
heavy bin, while for application servers the mix may be different.
For more information about charting bin activity and how the values are calculated, see the topic
″Understanding current and projected profile charts,″ later in this chapter.
You also specify how Activity Trends analyzes the server resource capacities. By default, server capacities
are determined relative to other servers in the list. For example a server that has a capacity of x1
transactions has half the transactional capability (CPU) of a server at x2. You could, however balance
resources based on actual values (such as the number of transactions per day, or the total amount of disk
space available). Using the example above, you would specify the servers as having a capacity of 10,000
and 20,000 transactions. However, if you choose to balance resources based on actual values, you have to
know that the servers involved can actually handle the capacities specified.
Another way in which you indicate server resource capabilities, is to specify how the server volume is
determined. You can either use server volume and file system information when resource balancing, or
ignore volume information and treat all space as flat. The default is to use the volume information, which
uses the different physical volumes and their sizes that comprise the space available to Domino, rather
than just the total amount of space on the server. Volume balancing is recommended. This may produce
plans in which a database moves to a different server and has a different destination path because of
space requirements on a particular volume on the destination server.
To create a proposal
1. From the Domino Administrator, click the Server - Performance tab.
2. Under Activity Trends, click Resource Balancing.
3. Choose a server profile.
4. Click the ″Available Databases″ tab to display the list of databases that can be moved.
5. (Optional) To change the databases that are available for moving, select a database and click Pin or
Unpin.
6. Make sure that each server in the top frame has an arrow next to its name. If there is a red (x) instead
of an arrow, the server is not reporting its trended data. You must remove the server or make it a
phantom server; otherwise, the Analyze button will be disabled and you will not be able to create a
proposal.
7. Check the server properties to make sure that the capacity of each server is weighted correctly.
For information on editing server properties, see the topic ″Editing server properties for resource
balancing″ later in this chapter.
8. Click Analyze.
9. When the analysis is complete, view the Recommended Plan and Project Profile.
Evaluate the changes that are proposed during resource balancing. If you are not satisfied with the
proposed changes, change the mix of servers or databases or adjust the specified tolerance level in the
Server Profile Options dialog box. If you are happy with the proposal, then you are ready to submit the
plan to the Domino Change Manager.
For each goal specified in the Server Profile Options dialog box, Activity Trends displays the following
information that you use to evaluate whether a server is a candidate for resource balancing:
If you do not like the distribution of activity or servers based on this evaluation, you can edit the server
properties to change the server role. Likewise, you can alter some of the options selected in the Server
Profile Options dialog box. If you have not set server profile options, you can edit the server properties to
change some of the option defaults, and then analyze again using the new server values.
For more information on editing server properties, see the topic ″Editing server properties for resource
balancing″ later in this chapter.
The charts use light, medium, and heavy bins to show the distribution of user activity. Each bin
represents a group of databases and their metric values. These bins reflect the ″bin sizes″ values specified
in the Server Profile Options dialog box. View the distribution of activity before it is balanced (Current
Profile), and then view it again to determine if your goals have been met. Resources that are not well
balanced show a disproportionate amount of activity in the heavy bin. After resource balancing has been
applied, the recommended distribution in bins should be relatively even across the servers, if your goals
were achieved. The higher the accuracy of resource balancing, the more evenly activity is distributed.
Example
The following chart shows database transactions on each server. The overall height of the bar represents
the sum (total) of the database transactions. The three bins represent the light, medium, and heavy modal
distribution of the database metric -- in this case, transaction. In this example, heavy is the first 30% of
databases; middle is the next 40%; and light is the top 30%, all adding up to 100%.
When you group these transactions based on the bin sizes designated in the Server Profile Options (30%
light, 40% medium, and 30% heavy), the transactions are distributed as follows:
Light = 5,5,10,10,15,25,50,75,100,120,125,140,150 (14 databases account for 855 transactions; 865 is the
target)
Middle = 250,300,310 (3 databases account for 860 transactions; 1154 is the target)
Heavy = 350,400,420 (3 databases account for 1170 transactions; 866 is the target).
In addition, you can assign a weight to each server’s capacity. For example, assume you have one server
with 1.5GB of RAM and a 60GB hard drive and have a second server with 3GB of RAM and a 120GB
hard drive. You can enter the capacity of the first server as 1 and the second server as 2, giving it twice
the weight.
If you set a capacity (or target) of zero for source-only or any-role servers, resource balancing tries to
move all unpinned databases on the server. This is useful when decommissioning servers and moving
their contents to new servers.
If a server’s data cannot be obtained, you can treat the server as a phantom server and then change it
back to a real server when data becomes available. After changing it back, press F9 to refresh and read
the data from the server.
For more information about goals, see the topic ″Primary and secondary goals for
resource balancing.″
Capacity Select this option to balance resources for the selected goal, based on server capacity.
Enter the number of resource units. The default is 1.
Target Select this option to balance resources based on achieving a target goal. Enter a target
value for the goal you selected.
To filter servers:
1. From the Domino Administrator, click the Server - Performance tab and open the Resource Balancing
view.
2. Click the Filter button on the Available Databases tab.
3. In the Servers field choose one:
v All Servers
v Selected Servers
4. Check or uncheck one or more:
v Hide System Databases (default is checked)
v Hide Master Pin Databases (default is checked)
v Hide Databases appearing in Plan (default is unchecked)
After you submit a plan, you track the status of the plan in the Domino Change Control database
(DOMCHANGE.NSF). To access the Domino Change Manager from the Domino Administrator, choose
Server - Analysis, then expand the Domino Change Control view and choose ″Plans - by Status.″
During the execution of the ″Maintain Trends Database Record″ request, the administration requests that
typically require your approval are automatically approved because the plan has been approved. You do
not have to manually approve requests in the Administration Requests database (admin4.nsf).
For more information on the Maintain Trends Database Records Administration Process request, see the
appendix ″Administration Process Requests.″
Tip: To display full help text for this task, append -? or -help to the command.
You set these options in the Configuration Settings document for the domain. This Configuration Settings
document applies the settings as the default settings for all servers and uses the * [All Servers] as the
group or server name.
Field Action
Domain Change Server Choose the server that stores the Domino Change Control database
(DOMCHANGE.NSF).
Database file name Enter the name of the Domino Change Manager. The default name is
DOMCHANGE.NSF in server/data directory. If the database is not in the default
directory, enter a full path name.
Max. concurrent Enter the maximum number of messages that can be executed at the same time. The
messages default is 5. The recommended number is between 1 and 10.
Max. concurrent plans Enter the maximum number of plans that can be executed at the same time. The default
is 5. The recommended number is between 1 and 10.
Max. concurrent Enter the maximum number of demands (for example, database moves) that can be
demands simultaneously processed. The default is 40. This number should be equal to or larger
than the ″Max. concurrent plans″ number.
Option Action
quit Stops the Change Manager and all plug-ins.
stop Stops the Change Manager and all plug-ins. Same as Quit.
exit Stops the Change Manager and all plug-ins. Same as Quit.
help Refers you to documentation.
? Refers you to documentation. Same as Help.
restart Stops and then restarts the Change Manager and all plug-in subsystems.
start plug-in Starts the plug-in. Currently, Control, Monitor, and RoboAdmin are the defined
plug-ins.
stop plug-in Stops the plug-in. Currently, Control, Monitor, and RoboAdmin are the defined
plug-ins.
Note: Alternatively, you can also use the forms plug-in stop, plug-in quit and
plug-in kill.
restart plug-in Stops and then starts the plug-in. Currently, Control, Monitor, and RoboAdmin
are the defined plug-ins.
Note: Alternatively, you can also use the form plug-in restart.
plug-in command Attempts to issue the command to the named plug-in, if it exists and is
running.
For more information on using Domino server commands, see the appendix ″Server Commands.″
Change Admin
A Change Administrator has the authority to change the settings in any plan or plan element, such as a
constraint or variable. In addition, a Change Administrator can alter and add some elements used to
create a plan. Specifically, a Change Administrator can edit, create, and delete constraints and constraint
sets, approval profiles, keywords, and resources.
A Change Administrator must commit a plan to be executed. All plans (including move requests created
in the Administration Process database) execute with the authority of the Change Administrator who
committed the plan. For that reason, the Change Administrator must also have Create Replica access on
each destination server. A Change Administrator automatically has the Plan Reader role.
System Admin
The System Admin role is distinct from the Change Admin role, which does not automatically include the
role of System Admin. Each of these roles is independent but not mutually exclusive in terms of the
access that the role grants. As with a Change Administrator, a System Administrator can edit, create, and
delete keywords, resources, interfaces, functions, domain configurations, and plug-Ins. Because users with
the System Admin role can make powerful and potentially catastrophic changes, assign the role only to
users or groups of users who have an in-depth understanding the Domino Change Manager. In addition,
all control documents (Interface and Function Definitions, Domain Configurations and Plug-ins) must be
signed by either the Change Manager server or a user who has the System Admin role. When the
database is first created, all control documents are signed by the server. This is to ensure the security of
the Change Manager system and the Domino Server.
Plan Creator
This role designates users and groups of users who can create plans.
Plan Reader
This role allows users and groups of users to read all plans. By default a Change Administrator can read
all plans and does not explicitly need this role. Authors and Requesters of plans do not need this role to
read their own plans.
Assign the Plan Creator role only to those people or groups in an organization that can create plans. Plan
Creators only create plans, they cannot commit them.
Assign the Plan Reader role to people and groups that will be allowed to read plans only. This role
assumes that the people and groups reading the plans are not Authors or Requesters.
Make sure that the Change Administrators and servers in the LocalDomainServers group have Create
Replica access rights.
Note: When load balancing, you don’t have to approve the deletion of the mail database on the source
server. This is handled by the Domino Change Manager.
Resource-balancing plans
The purpose of a resource-balancing plan is to move databases according to the set of criteria defined in
the Server Profile Options. The plan is based on the analysis and proposal created during data
exploration in Activity Trends. When a plan is first submitted to the Domino Change Manager, the plan
has draft status. By default, the person who submits the plan to the Domino Change Manager is the
author and has the Plan Creator role.
After the plan is submitted, it follows a prescribed course of submissions and approvals until the final
plan is activated and then completed. The flowchart below shows the progression of a resource balancing
plan from its original draft state through its completed, archived state.
Promoting a plan from one state to another, such as from drafted to prepared, can be made from within
the plan document or from the Change Control database (DOMCHANGE.NSF).
You can determine whether the database moves and database move sequences are executed sequentially
or concurrently or any combination of the two. By default, all are moved concurrently. Using the Acme
Move Plan example, the Domino Change Manager attempts to perform all three database move
sequences at the same time. Within each database move sequence, the Domino Change Manager attempts
to move all databases at the same time.
Each plan can have an associated approval profile that lists the names of persons or groups who must
approve the plan document. If there is no approval profile, you can list the names of approvers in the
plan document. If you assign a group as an approver, any one of the group members can approve the
plan.
For more information on creating an approval profile, see the topic ″Creating a resource balancing plan
approval profile″ later in this chapter. For more information about demand sets, see the topic
″Understanding demand set moves″ later in this chapter.
The Resource Balancing plan document is a dynamic document that provides the current status of the
plan and keeps a history of plan modifications, including the author and date of each modification.
Whether you make any changes to the plan document, it must be moved to its next state, which is the
prepared state. In its draft state the plan can be edited by its author.
Field Action
Name Enter a unique name for the plan.
Categories (Optional) Select a category or enter a new category name.
Description (Optional) Enter a description of the plan.
Field Action
Approval profile Do one:
v Click ″Choose Profile″ and select the approval profile from
the list.
v Click ″Clear Profile″ to remove the assigned profile.
Require approval from Enter the names of users or groups to add to the approval list.
9. Click the Notifications tab. This tab lists, by role, those who will be notified at each stage of the plan.
Add or remove the selection of any role as needed. Check Others, and then select from the list to
add users to the notification list.
10. (Optional) Click the Variables tab. The default variable is Execution time, and the value is
unspecified. To specify an execution time at which the Administration Process executes the plan, you
must edit the variable.
For information on editing variables see the topic ″Editing and creating resource balancing plan
variables″ later in this chapter.
11. Click the Constraints tab to view and edit the constraints that will apply to the moves executed by
this plan. By default, no constraints are assigned automatically.
v Referenced constraints -- Lists the constraints that apply to this plan. Click Edit to add or remove
one of the constraints.
v Ad-hoc constraints -- Click New to create a new constraint.
For information on creating constraints see the topic ″Creating constraints in the Domino Change
Manager″ later in this chapter.
12. When you finish changing the draft plan, click Apply.
13. Click Change Control to promote this plan from draft state to prepared state, and then click OK.
Changes to the Approval Profile document are tracked for you and listed in the Creation and
Modifications section.
Field Action
Name (unique) Enter a unique name for the profile.
Description (Optional) Enter a description.
Field Action
Owner By default, the owner is the person who creates this document.
Administrators Enter the names of users who can edit this document.
Prevent deletion Choose one:
v No (default) -- To allow a Change Administrator to delete the plan.
v Yes -- To prevent anyone except a Change Administrator from deleting the
plan.
Prevent design refresh Choose one:
v No -- To allow the upgrade of all template documents during a version
upgrade.
v Yes (default) -- To prevent edited template documents from being
overwritten during a version upgrade. This will not affect any documents
that the user creates -- it will only affect documents that match those from
the template’s copy.
7. Click OK.
You use the following resource balancing plan documents to provide the following information:
v Constraints -- Specify when moves can be made.
v Variables -- Assign a common name that has a referenced value.
v Notification messages -- Create custom notification messages that are sent whenever the plan status
changes.
Field Action
Name Enter a name. This name appears in the Setup view.
Unique name Enter a unique name. This is the name of the document you are defining.
Description Enter a description of the constraint.
Note: To edit a constraint, select a constraint and edit the fields listed in Steps 5 through 7. When you
edit a constraint, you can also edit the arguments for assigned variables.
Field Action
Name Enter a name. This name appears in the Setup view.
Unique name Enter a unique name. This is the name of the document
you are defining.
Description Enter a description of the constraint.
For example, you can define a plan variable called ExecutionTime. Then you can specify the value (in
time) that you want a plan to be executed. You define a variable at a higher level (usually within a plan)
and then reference it within a demand. When the value of a variable changes, all demands and plans that
reference that variable automatically use the new value.
If you have the Change Administrator role, you can add, delete, or modify local variables that are
referenced by function arguments and other variables.
To edit a variable:
1. You must have the role Change Admin role.
2. From the Domino Administrator, click the Server - Analysis tab.
3. Open the Domino Change Control view, and then select the Plans - by Status view.
4. Open a plan in edit mode, and then select Variables tab.
5. Click Edit.
6. In the Edit Variables dialog box, select a variable from the list, and then click edit.
7. Select a Type:
v Text
v Number
v Time
v Boolean
8. For the field Special, do one:
v Choose Simple value, and then enter a Text value.
v Choose Formula, and then click Keywords and Variables and copy a text formula.
v Chose Unspecified to leave the value undefined.
See the Notes.net column, ″Performance Perspectives″ for detailed information about performance issues.
For more information on improving network performance see the chapter ″Setting up the Domino
Network.″ For more information on database performance properties, see the chapter ″Improving
Database Performance.″
Activity Trends
Activity Trends, part of the Domino Administrator, collects and stores activity statistics as current
observations and historical trends. The activity statistics relate to the server, databases, users, and
connections of users to databases. You can explore the collected data to see how database workload is
distributed across servers. Using the data, Activity Trends recommends a resource-balancing plan. Then,
working with the Domino Change Manager, which is part of the Domino server, Activity Trends provides
a workflow that facilitates implementing the recommended changes.
For more information about using Activity Trends to improve server performance and capacity, see the
chapter ″Activity Trends.″
Domino Server.Load
Using Domino Server.Load, you run a script (a simulated workload) in your own environment to obtain
server capacity and response metrics. You can run a built-in script or create a custom script. Domino
Server.Load includes real-time control of the test environment and variables, such as the number of
simulated users. Using Domino Server.Load, you can evaluate the capacity of your servers and evaluate
1361
the requirements for additional CPU, memory, or disk storage upgrades. Server.Load can also be used to
determine the effect of changes to the machine, such as upgrading a device drive, an OS service pack, or
a Domino maintenance release.
Domino Server.Load is included as part of the Administrator client. For details about setting up and
working with Server.Load, see the chapter ″Using Server.Load.″
NotesBench
NotesBench is a collection of benchmarks (workloads) that simulate the behavior of workstation-to-server
or server-to-server operations. Vendors and other organizations use NotesBench to evaluate the
performance of various Domino and Notes platforms and configurations.
Using NotesBench, hardware vendors and business partners generate benchmark information, which they
can distribute to their customers. In turn, customers can use the benchmark information to evaluate
vendors, select configurations, and plan resource budgets.
To use NotesBench for testing, you must be a member of the NotesBench Consortium, which is an
independent, nonprofit organization dedicated to providing Domino and Notes performance information
to customers. The consortium requires that each member run the NotesBench tests in the same manner
and allows tests to be audited.
To view published data and test results, go to the NotesBench Web site at www.notesbench.org.
For more information about using Activity Trends to improve server performance and capacity, see the
chapter ″Activity Trends.″
Make sure your server memory matches the number of users you want to support. Most NotesBench
vendors use 300K to 400K per active user. They also set their NSF_BUFFER_POOL_SIZE to the maximum
for their memory configuration. This setting isn’t necessary, because the Domino server initially obtains a
third of available memory and grows only if necessary (depending on the load). You should use
published physical memory configurations as a ceiling for memory configuration decisions.
1. Make I/O subsystem improvements. For example you can:
v Move from EISA-based systems (such as, controllers) to PCI-based systems
v Exchange EISA/PCI boards for PCI-only boards (this way, lower speed EISA devices won’t decrease
the I/O throughput)
v Use stripping to balance the load across all drives in the array. Use hardware RAID, such as RAID
0+1, to improve performance and availability.
Server_Availability_Threshold
This setting specifies the acceptable level (a percentage) of system resources available to a server. By
setting this value for each server in a cluster, you determine how the workload is distributed among
cluster members. The default is 0, which indicates a fully available state (workload balancing is disabled).
A value of 100 indicates the server is busy; the Cluster Manager then tries to redirect user requests to
more available cluster members.
Server_MaxUsers
This setting sets the maximum number of users that are allowed to access a server. When this number is
reached, the server state becomes ″MaxUsers,″ and the server stops accepting new Database Open
requests. The default is 0 (unlimited access to server by user). By setting a maximum number of users
allowed on the server, you can prevent server performance from degrading because of demand overload.
Server_Session_Timeout
This setting specifies the number of minutes of inactivity after which the server automatically terminates
network and mobile connections. The minimum recommended setting is 15 minutes. If you specify a
lower time, the server must reopen database server sessions too frequently, which slows server
performance. For best performance, the recommended time is 45 minutes.
ServerTasks
This setting controls the tasks that the server runs. These tasks start automatically at server startup and
continue until the server is shut down. Improve performance by removing tasks that aren’t appropriate to
the server. Do not remove the Update task from a server. If you do so, the Domino Directory will not
update.
Translog_Status
This setting enables transaction logging for all Release 5 and later databases on the server. Default is 0
(transaction logging disabled). Set this to 1 to enable transaction logging. Transaction logging improves
the availability and reliability of the server.
Note: You must upgrade databases to Domino Release 5 or later format before they can use transaction
logging.
For more information about monitoring Domino servers, see the chapters ″Monitoring the Domino
Server″ and ″Using Log Files.″
Optimizing performance
If one partitioned server uses significant system resources, consider moving that server to a different
computer. If partitioned servers causes slow disk access, consider moving the Domino data directories of
the partitioned servers to separate disk drives.
Another way to limit access to a server is to limit the number of users who can use a partitioned server
at one time. To do this, you can use the Server_MaxUsers setting in the NOTES.INI file. When the server
reaches the number of users you specify, Domino denies additional user requests for access to the server.
For additional information about these NOTES.INI settings, see the appendix ″NOTES.INI File.″
AMgr_DocUpdateAgentMinInterval
This setting specifies the minimum elapsed time, in minutes, between executions of the same document
update-triggered agent. This lets you control the time interval between executions of a given agent.
Note: Setting this and other Agent Manager variables to zero does not completely eliminate the delay; a
built-in delay will always exist.
AMgr_DocUpdateEventDelay
This setting specifies the delay time, in minutes, the Agent Manager schedules a document
update-triggered agent after a document update event. The default is 5 minutes. The delay time ensures
the agent runs no more often than the specified interval, regardless of how frequently document update
events occur. When the agent executes, it will also process all additional events (if any) that occurred
during the interval. A longer interval results in the agent running less often, thus reducing demand for
server time. If document update events are infrequent, however, you can reduce the delay to ensure the
agent runs soon after the event occurs.
AMgr_NewMailAgentMinInterval
This setting specifies the minimum elapsed time, in minutes, between execution of the same new
mail-triggered agent. The default is 0 (no interval between executions). Similar to
AMgr_DocUpdateAgentMinInterval, entering an interval can result in the agent running less frequently.
AMgr_NewMailEventDelay
This setting specifies the time (in minutes) that the Agent Manager delays before scheduling a new
mail-triggered agent after new mail is delivered. The default is 1 minute. Similar to
AMgr_DocUpdateEventDelay, the delay time ensures the agent runs no more often than the specified
interval. When the agent executes, it will also process all additional events (if any) that occurred during
the interval. A longer interval results in the agent running less often, thus reducing demand for server
time. If document update events are infrequent, however, you can reduce the delay to ensure the agent
runs soon after the event occurs.
DominoAsynchronizeAgents
This setting specifies whether Web agents triggered by browser clients can run at the same time
(asynchronously). The default is zero (only one agent can run at a time). Set this to 1 to allow multiple
agents to run simultaneously. This can result in faster execution of agents. However, a high number of
agents executing at the same time can slow overall system performance. Open the Server document you
want to change, and click the Internet Protocols - Domino Web Engine tab. In the Web Agents section,
enable or disable the ″Run Web agents concurrently?″ option. For ″Web agent time-out (in seconds),″ the
default is 0 (no time-outs).
Scheduling an agent to run immediately means that it will execute as soon as possible. If there are many
agents ahead of it, it may not be executed right away.
For more information, see the topic ″Controlling how often Agent Manager runs agents,″ earlier in this
chapter.
v AMgr_NewMailEventDelay
v AMgr_DocUpdateEventDelay
v AMgr_DocUpdateAgentMinInterval
v AMgr_NewMailAgentMinInterval
An Agent Executive runs each concurrent agent. To see a snapshot of the Agent Manager status,
including the number of Agent Executives currently running, enter the command tell amgr status at the
server console. To see a list of scheduled agents, enter the command tell amgr schedule at the server
console.
Domino reads several documents during server initialization. These documents are the Server document,
Server Configuration document, All Server Configuration document, and the Group Server Configuration
document. Domino also checks the views of these documents for changes every five minutes. If
modifications have been made, Domino reads and saves the modified documents. When Domino reads a
document, a filename is constructed based on the document’s modification time and date and the server
name. There is a default prefix assigned to each of the server and configuration documents:
v Server document -- serverdoc
v Configuration Settings (Specific Server) document -- configspecific
v Configuration Settings (All Servers) document -- configall
v Configuration Settings (Server Group) document -- configgroup
For example, if a Server document is modified on August 2, 2004, at 4:05 PM, on a server named Sales,
the file name assigned to the document is serverdoc_sales_2004_08_02@16_05_20.dxl. The file is stored in
the diagnostic directory, IBM_TECHNICAL_SUPPORT located in Domino’s data directory. If
Domino/Data is the data directory, the path is
C:/Domino/Data/IBM_TECHNICAL_SUPPORT/serverdoc_sales_2004_08_02@16_05_20.dxl.
NSF_Buffer_Pool_Size
This NOTES.INI setting sets the size of the NSF buffer pool, a section of memory used for buffering I/O
transfers between the NSF and NIF subsystems and disk storage. The number of server partitions, users,
size and number of views, and number of databases all affect how you should set the buffer pool
specification. The default value (determined automatically by the server) is usually sufficient, but if
Database Statistics indicate more memory is needed, increase the value a few megabytes at a time. You
can use a performance monitor to find out if a larger value is causing too much swapping or paging.
(NSF_Buffer_Pool_Size sets the buffer pool size in bytes; NSF_Buffer_Pool_Size_MB sets the size in
megabytes.)
NSF_DbCache_Maxentries
This NOTES.INI setting sets the maximum number of databases stored in the database cache (if enabled).
For short intervals, Domino stores up to 1.5 times the number entered for this setting. Increasing the
maximum number of databases improves performance but requires more memory.
Improving performance for users accessing the Web using the Web Navigator
There are several ways to improve performance:
v Speed up your access to Web pages by speeding up your server connection to the Internet. Contact
your Internet Service Provider to find out what options you have.
v Improve database performance by managing your database with the Purge and Refresh agents or any
other agents you may create for the database.
v Manage the number of users retrieving pages in the Web Navigator database by setting the maximum
number of concurrent retrievals (the number of Web pages the server retrieves at the same time). The
default maximum number of concurrent retrievals is 25. The number of concurrent retrievals that your
server allows depends on your specific system environment.
Note: To display LockWaits and AvgWait values, you must temporarily add the setting
COLLECT_DB_LOCK_WAITS=1 to the server’s NOTES.INI file. Because this setting consumes server
resources, remove it after you view Show DBS statistics.
You set the number of mail.boxes in the Configuration Settings document on the Router/SMTP -
Restrictions and Controls - Basics tab. Under Router/SMTP Basics, enter a value for ″Number of
mailboxes.″
For more information on creating multiple MAIL.BOX databases, see the chapter ″Customizing the
Domino Mail System.″
For more information on IMAP settings, see the chapter ″Setting Up the IMAP Service.″
MinNewMailPoll
This setting determines how often workstations can contact the server to see if new mail has arrived for
the user. This setting overrides the user’s selection in the Mail Setup dialog box. You can increase the
mail polling interval if there are a large number of mail users on your server and you want to prevent
frequent polling from affecting server performance.
NoMsgCache
This setting disables per-user message caching by the IMAP task. This can improve capacity (number of
users) on a server by reducing memory consumption. However, response time for some user operations
may be slower.
POP3_Config_Update_Interval
This setting determines how often (per minute) the Domino server that runs the POP3 service updates its
configuration information. The default is 2 minutes.
NSF_Buffer_Pool_Size_MB
Many machines that run UNIX have very large amounts of physical RAM. Use the parameters
NSF_Buffer_Pool_Size_MB or PercentSysAvailable Resources to control how much memory Domino is
allowed to use. Each Domino instance on a UNIX machine can reference a maximum of 4GB of RAM.
For more information on controlling logging, see the chapter ″Using Log Files.″
For information on designing applications, see the book Application Development with Domino Designer.
This setting applies only when using Notes to view databases; Web browser settings control the display
of images to Web browser users.
Tip: Users also can specify ″Load images: On request″ in the Advanced section of a Location document
to display images only when users click them. For more information, see Lotus Notes 7 Help.
1371
Setting unread mark options
Note: Access these database properties by choosing File - Database - Properties and then clicking the
details tab. (The icon on this tab is a beanie.)
The Database dialog box contains a set of Unread Mark Options that you can use to maintain or not
maintain unread marks, and to specify if unread marks with replicate to other servers. If you select the
database property, Don’t maintain unread marks, unread marks are not maintained for the database and
the replicate unread marks settings are disabled. If you do not select the database property, Don’t
maintain unread marks, the replicate unread marks settings are enabled. You can do one of the following:
v Choose Never -- Unread marks are never replicated
v Choose Clustered servers only -- Unread marks are replicated for databases residing on servers that are
cluster mates of the current server.
v Choose All Servers -- Unread marks are replicated for databases on all servers.
Note: Designing views that don’t display unread marks doesn’t improve database performance because
they are still maintained but not displayed.
If you select or deselect the ″Don’t maintain unread marks″ property, you must compact the database so
that the setting takes effect. Compacting in this case makes a temporary copy of the database, so your
system must have the disk space to make the copy.
Tip: You can also run the Compact server task with the -u or -U option to enable or disable this property
and then compact.
For information about enabling replication of unread marks, see the chapter ″Maintaining Databases.″
This property only works for views that use Form= as part of the selection criteria. There’s a slight
performance cost to maintaining the table/form association; however, when updating small views in
large databases, the benefits offset the cost.
Tip: You can also run the Compact server task with the -F or -f option to enable or disable this property
and then compact.
To prevent the overwriting of deleted data, select the Advanced database property ″Don’t overwrite free
space.″
By default, the database property ″Maintain LastAccessed property″ is not selected, meaning the
″Accessed (In this file)″ property isn’t updated when the last document access was a read, only when the
last access was a document modification. Change the default behavior by selecting ″Maintain
LastAccessed property.″
You should select ″Maintain LastAccessed property″ if you use the document archiving tool, available in
the Database Properties box, to delete documents based on days of inactivity.
To improve database performance, disable the response hierarchy information in databases that don’t use
these @functions by selecting the Advanced database property ″Don’t support specialized response
hierarchy.″
Disabling the response hierarchy information has no effect on views and replication formulas that display
information hierarchically without using @AllChildren and @AllDescendants.
If you select or deselect the ″Don’t support specialized response hierarchy″ property, you must compact
the database so that the setting takes effect. Compacting in this case makes a temporary copy of the
database, so your system must have the disk space to make the copy.
For a database without this option selected, all the field names in a database when concatenated cannot
exceed 64 kilobytes, which results in a database limit of approximately 3000 fields.
Note: The attachments in existing databases are not automatically compressed with the LZ1 algorithm
when you choose the LZ1 algorithm. Files that are attached after the LZ1 algorithm option is enabled are
compressed using the LZ1 algorithm. You can distinguish which compression algorithm is in use by
checking the $File field in the document properties.
For more information on the LZ1 algorithm, see the book Application Development with Domino Designer or
the Domino Designer 7 Help.
By default, the $Revisions field stores a history of up to 500 edit sessions, each of which requires 8 bytes
of disk space. Over time, $Revisions fields can grow large, taking up disk space and slowing view
updates and replication. To conserve disk space and improve database performance, use the Advanced
database property ″Limit entries in $Revisions fields″ to specify the number of entries that the $Revisions
field can contain. When the $Revisions field reaches this limit, the oldest entry is removed to make room
for the newest entry.
Consider limiting the entries in $Revisions fields on a database with all of the following characteristics:
A suggested upper limit is 10 entries in the $Revisions field. If you set the limit lower than 10, you run
the risk of increased replication or save conflicts.
Make sure you fully understand these database properties before changing their settings.
1. Make sure you have Designer or Manager access in the database ACL.
2. Do one of the following:
v Open a database and choose File - Database - Properties.
v As you create a new database, click the Advanced button.
3. Select or deselect properties listed in the table below.
4. After you select any of these properties, compact the database for the property to take effect:
v Don’t maintain unread marks
v Document table bitmap optimization
v Don’t support specialized response hierarchy
Tip: You can use the Compact task with specific options to enable or disable the above three
properties and then compact the database.
Improves
To optimize database Reduces
Property Tab performance/size performance? database size?
Allow use of stored forms in this Basics Deselect option Yes Yes
database
Display images after loading Basics Select option Yes No
Don’t maintain unread marks Advanced Select option Yes Yes
Document table bitmap optimization Advanced Select option Yes No
Don’t overwrite free space Advanced Select option Yes No
Maintain LastAccessed property Advanced Deselect option Yes No
Don’t support specialized response Advanced Select the option Yes Slightly
hierarchy
Don’t allow headline monitoring Advanced Select the option Prevents No
performance
degradation
Limit entries in $UpdatedBy fields Advanced Select the option and Yes Yes
specify the number of
entries $UpdatedBy
fields can contain
Soft deletions
In some databases, deleting a document permanently removes it from the database. In other databases,
such as the Notes mail file database, deleting a document moves it into a Trash folder and stores it in a
state of ″soft deletion.″ From this folder, users can restore deleted documents by dragging them from the
Trash folder into another folder or by selecting Restore.
Deleted documents are not permanently removed until a specified expiration time or until the user
empties the Trash folder. By default, soft deletions are enabled for mail databases created from the
Domino 7 mail template (MAIL7.NTF). The default expiration time is 48 hours. You can turn soft
deletions on or off for any database and specify how long to retain soft deletions before removing them
from the database.
To display soft-deleted documents in other types of databases, you must create a view to list the
documents and provide users with an action programmed to un-delete documents and restore them to
the database.
For information on creating views to display soft-deletions, see the book Application Development with
Domino Designer.
Because deleted documents are not removed immediately from a database that has soft deletions enabled,
space in the database is not reclaimed as quickly as in a database that does not use soft deletions. If space
consideration is an issue, consider disabling soft deletions.
The database cache is available to the first process that starts on a machine and to any processes spawned
from it. If you run the Domino Administrator and the Domino server on the same machine -- a
configuration that is not recommended -- start the server before you start the Domino Administrator. If
you start the Domino Administrator first, it owns the cache and prevents the Domino server from using it
effectively.
To change this limit, add the NSF_DbCache_Maxentries setting to the NOTES.INI file or increase physical
memory. Increasing the database cache size improves system performance but requires additional
memory. The minimum number of databases allowed in the cache at one time is 25; the maximum is
2,000.
The actual number of databases allowed in the cache is 1.5 times the maximum allowed. This buffer
increases the chance that when a user opens a database from the cache, Domino can return the database
to the cache when the user closes it.
For information on statistics reporting, see the chapter ″Monitoring the Domino Server.″ For more
information on server commands, see the appendix ″Server Commands.″
Statistic Description
Database.DbCache.CurrentEntries Number of databases currently in the cache. If this number
frequently approaches the value of
Database.DbCache.MaxEntries, increase the number of
databases the cache can hold.
Database.DbCache.HighWaterMark Maximum number of databases in the cache during this
running of the server program. This number may be
artificially high because of startup activity, so it may not be a
genuine indicator of cache performance.
Database.DbCache.Hits The number of times an ″InitialDbOpen″ is satisfied by
finding the database in the cache. A high ″hits-to-opens″ ratio
indicates that the database cache is working effectively. If the
ratio is low, increase the number of databases the cache can
hold.
Where value is the maximum number of databases allowed in the database cache at one time.
To show databases in the cache: Enter this command at the server console to display the names of the
databases currently in the cache:
dbcache show
To close databases in the cache: Enter this command at the server console to close all databases in the
cache:
dbcache flush
To disable the cache: By default, the database cache is enabled on a server. To disable the cache, add the
following NOTES.INI file setting:
NSF_DbCache_Disable=1
Database Percent of
Monitoring method size View size Quotas used space**
Domino Administrator Files tab Yes No Yes No
Database - Sizes view of the log file (LOG.NSF) or logs in Yes Yes No Yes
the view
Logs in Miscellaneous Events view of the log file (LOG.NSF) No No Messages No
relating to
File statistic reports in the Statistics database Yes No No Yes
Compacting databases
When documents and attachments are deleted from a database, Domino tries to reuse the unused space,
rather than immediately reduce the file size. Sometimes Domino won’t be able to reuse the space or,
because of fragmentation, can’t reuse the space effectively until you compact the database.
Styles of compacting
There are three styles of compacting:
v In-place compacting with space recovery
v In-place compacting with space recovery and reduction in file size
v Copy-style compacting
When you run Compact without specifying options, Domino uses this style of compacting on all
databases enabled for transaction logging. Domino also uses this style of compacting when you use the -b
option (case sensitive) when compacting any database.
When you run Compact without specifying options, Domino uses this style of compacting on databases
that aren’t enabled for transaction logging. Domino also uses this style of compacting when you use the
-B option. To optimize disk space, it’s recommended that you run Compact using the -B option on all
databases once a week or once a month.
Copy-style compacting
Copy-style compacting creates copies of databases and then deletes the original databases after
compacting completes, so extra disk space is required to make the database copies. This style of
compacting essentially creates a new database with a new database ID. If you use copy-style compacting
on logged databases (using the -c option), compacting assigns new DBIIDs, so if you use a certified
backup utility, you should perform full backups of databases shortly after compacting completes. When
you use copy-style compacting, users and servers can’t edit databases during compacting, and they can
only read databases if the -L option is used.
Domino uses copy-style compacting by default when you use an option with Compact to enable a
database property that requires a structural change to a database or when you run Compact on a
database that has a structural change pending that was initiated from the Database Properties box.
Enabling or disabling the database properties ″Document table bitmap optimization″ and ″Don’t support
specialized response hierarchy″ require structural database changes.
In place, space
In place, space recovery with file
Characteristics recovery size reduction Copy-style
Databases that use it when compact runs Logged databases with Unlogged databases Databases with
without options no pending structural with no pending pending structural
changes structural changes changes
Databases you can use it on Current release Current release Current release (need
-c)
Relative speed Fastest Medium Slowest
Users can read databases during Yes Yes No (unless -L option
compacting used)
Users can edit databases during Yes Yes No
compacting
Reduction in file size No Yes Yes
Extra disk space required No No Yes
Domino enforces the following upper limit when trying to rename a copy-style compacted database:
Num_Compact_Rename_Retries x Compact_Retry_Rename_Wait <= 60 minutes
Note: The Database - Sizes view of the log file (LOG.NSF), the File Statistic reports generated by the
Statistics Collector server task, and the Info tab (i tab) of the Database Properties box, all report the
percentage of used space in a database. These are often not accurate indicators of used space; therefore,
you shouldn’t use them.
Compact - Basics
Option Command-line equivalent Description
Compact only this database or database path To compact a database in the Domino data
folder folder, enter the file name, for example
Specify any additional options SALES.NSF. To compact databases in a folder
(To specify databases to compact after the database path. within the data folder, specify the database
using the Files tab, select the path relative to the data folder. For example, to
databases in the files pane.) compact all databases in the folder
DATA\SALES, specify SALES.
For more information on database path, see the topic ″Running Compact using a console command″ later
in this chapter.
Compact - Options
Option Command-line equivalent Description
Compact database only if unused -S percent Compacts all databases with a specified percent
space is greater than x percent of unused space. For example, if you specify
10, databases with 10% or more recorded
unused space are compacted. Note that the
unused space calculation is not always a
reliable measure of unused space.
Discard any built view indexes -D Discards built view indexes. Use this option to
compact databases just before you store them
on tape, for example. Does copy-style
compacting.
Keep or revert database to -R Compacts databases without converting to the
previous format current release file format of the server that
stores the databases or reverts databases in the
current release file format to the previous
release file format. For example, on Domino 6
and more recent servers, this option compacts
Domino 5 databases without converting them
to the Domino 6 file format and converts
Domino 6 databases to the Domino 5 file
format. This option uses copy-style compacting.
Compact - Advanced
Option* Command-line equivalent Description
Document table bitmap -f Disables ″Document table bitmap optimization″
optimization: Off database property. Does copy-style compacting.
Document table bitmap -F Enables ″Document table bitmap optimization″
optimization: On database property. Does copy-style compacting.
Don’t support specialized response -h Disables ″Don’t support specialized response
hierarchy: Off hierarchy″ database property; in other words,
support specialized response hierarchy. Does
copy-style compacting.
Don’t support specialized response -H Enables ″Don’t support specialized response
hierarchy: On hierarchy″ database property; in other words,
do not support specialized response hierarchy.
Does copy-style compacting.
Enable transaction logging: Off -t Disables transaction logging.
Enable transaction logging: On -T Enables transaction logging. Use Compact - T
when a database is open or closed. If you use
Compact - T on a database that is closed,
logging is enabled but the Compact is not
logged until the database is opened; therefore,
logging is not available until you reopen the
database.
Don’t maintain unread marks: Off -u Disables ″Don’t maintain unread marks″
database property; in other words, maintain
unread marks.
* Select ″Set advanced properties″ before you enable or disable any of these properties.
Compact - Archive
When you use the document archiving tool to archive and delete documents in a database, you can use
the following Compact options to archive documents if the database is located on a server and you’ve
chosen the advanced archiving option ″Automatically on server.″
*The Compact tool in the Files tab of the Domino Administrator provides only the option ″Archive
database;″ this option archives and then compacts.
The following table illustrates how you can use databasepath to specify databases, folders, and subfolders.
SALES\USER1.NSF
SALES\NEW
For more information on Program documents, see the appendix ″Server Tasks.″
1. From the Domino Administrator, click the Configuration tab.
2. Next to ″Use Directory on,″ select the server with the replica of the Domino Directory you want to
modify.
3. Expand Server - Programs and then click Add Program.
4. On the Basics tab, complete these fields:
Field Enter
Program name Compact
Command line Command line options. Don’t specify ″load″ before the options.
Server to run on Server on which to run Compact
Comment Optional comments
Field Enter
Enabled/disabled Enabled
Run at times Times to run Compact each day
Repeat interval of How soon to run Compact again after it completes
Days of week The days to run Compact
In conjunction with setting a quota, you can specify that when a database reaches a certain size threshold,
this warning message appears in the Miscellaneous Events view of the log file: ″Warning, database has
exceeded its size warning threshold.″ For example, if the quota is 50MB, you might specify that the
warning appear when the database size reaches 45MB so you can take steps to reduce the size of the
database or move it to a server that has more disk space available.
Note: You can set quotas on user mail files, but, by default, when a mail file exceeds its quota, the
Router continues to deliver mail to it, and users can update existing mail views. This ensures that users
can continue to receive and read all mail sent to them. The quota is enforced only for other means of
increasing the size of the mail file -- for example, when a mail file reaches its quota, users can’t manually
add documents or views to it. However, you can customize routing to strictly enforce quotas on mail
files.
For more information on customizing mail, see the chapter ″Customizing the Domino Mail System.″
* Deletion stubs are markers that remain from deleted documents so that the documents are deleted in
other replicas of the database.
In addition to these methods, you can also create an API program that deletes documents.
For information on the ″Remove documents not modified in the last x days″ setting, see the chapter
″Creating Replicas and Scheduling Replication.″
Note: Don’t customize an archive database used by the document archiving tool.
The following procedure describes creating an agent using simple actions. You can also create agents
using Notes formulas, LotusScript, or Java.
When you run the agent, if Domino cannot copy all specified documents to an archive database -- for
example, if there is not enough disk space on the target folder -- the agent stops.
For more information on agents, see the chapter ″Agents.″ For more information on Notes formulas,
LotusScript, and Java see Domino Designer Programming Guide, Volumes 1 through 4.
An agent that archives documents according to field status: These selections create an agent that
weekly copies all documents with a Status field set to ″Closed″ from the active database to an archive
database with the file name ARCHIVE.NSF. Then the agent deletes the archived documents from the
active database.
Condition: by Field
For a database without this option selected, all the field names in a database when concatenated cannot
exceed 64K, which results in a database limit of approximately 3000 fields.
Server.Load
Server.Load is a capacity-planning tool that you use to run tests, also called ″scripts″ and ″workloads,″
against a targeted Domino server to measure server capacity and response metrics.
Server.Load supports any platform that is supported by the Domino Administrator client. The client runs
the Server.Load tests and generates the transactions that are presented to the server. A typical Server.Load
configuration has one or more client systems driving the server under test (SUT). Each client running
Server.Load generates a simulated user load of Notes transactions against the SUT, which reports server
statistics back to the client. If you configure multiple clients, you set up and run the test from each client
system.
You can run built-in scripts, create custom scripts from a library of commands, or submit commands
manually. For example, run the built-in R5 Simple Mail Routing script to simulate users on a Notes client
reading and sending mail. Or create a custom script to create and open a Notes mail database and
populate it with messages. To test or execute individual commands, you can use the manual command
line mode to delete documents from a database or issue remote server commands.
Using Server.Load, you have real-time control of the test environment and variables. Prior to running a
test, you can change test parameters, stop conditions, and existing script variables. You can also monitor
real-time server metrics. While the script is running, the Metrics window displays an immediate
characterization of server performance by updating metrics on a per-minute basis.
Server.Load agents
Server.Load includes a set of agents in the file NAMAGENT.NSF, which is initially installed in the data
directory on the Domino Administrator client. The first agent in this list -- Create NotesBench Mail
Person Documents -- is used to set up Person documents for the workloads and set the HTTP password.
The rest of the agents are used to repair and change the workload setup.
To use the agents, you must use Domino Designer to add them to the Domino Directory on the SUT.
v Create NotesBench Mail Person Documents
v Refresh All Documents
v Set HTTPPassword to ″NotesBench″
v Set Message Storage Format = MIME
v Set Message Storage Format = No Preference
v Set Message Storage Format = Notes
v Update ACL of MailDBs to include Owner (mail1, mail2, ...)
Prompt Default
Starting value to create mail users 1.00
Number of users to create 1000.00
1391
Prompt Default
Number of Mailn.NSF files to create 1000.00
Starting Mailn.NSF file 1.00
Location for mail databases mail\
Mail domain Default is read from the server’s mail domain
Mail server directory is on Name of the server that stores the Domino Directory
Message storage format 2 (MIME)
Mail system 1 (NOTES)
Internet host name Host name of the server that stores the Domino
Directory
If you have trouble connecting with HTTP-based workloads and the Person documents do not display
any encrypted passwords, use the Set HTTPPassword to ″NotesBench″ agent to reset the password in all
Person documents.
When you change to a different workload, you must remake all of the mail files, but you can use one of
these agents to change the mail type in the Person documents without having to recreate all of the Person
documents:
v Set Message Storage Format = MIME
v Set Message Storage Format = No Preference
v Set Message Storage Format = Notes
v Update ACL of MailDBs to include Owner (mail1, mail2, ...) -- Use this agent for a workload that has
authentication on.
For more information on script commands, see the appendix ″Server.Load Command Language.″
Note: If the server runs Windows, you can also use the Windows Performance Monitor to measure
performance.
Database statistics
Statistic Description
Database.BufferPool.Reads Number of database buffer pool reads.
Database.BufferPool.Used Number of bytes allocated in the buffer control pool.
Database.BufferPool.Writes Number of database buffer pool writes.
Database.DbCache.CurrentEntries Number of entries in the database cache.
Database.DbCache.HighWaterMark High water mark of the database cache.
Database.DbCache.Hits Number of hits to the database cache.
Database.DbCache.InitialDbOpens Number of database opens done by the database cache.
System statistics
Statistic Description
Disc.c.Free (bytes) Free disk space in bytes on drive ’n’. When disk space is low,
compact, delete, or move databases. If problem persists, consider a
larger hard disk.
Disc.c.Size (bytes) Total size in bytes of drive ’n’.
Server.Trans.PerMinute Number of transactions that took place in the last minute. Useful to
monitor server use. If this number is consistently higher than that
of other servers and performance is a problem, redistribute the
server load to other servers.
Server.Users Number of users with sessions open on the server. Useful to
monitor overall server use. If this number is consistently higher
than that of other servers and performance is a problem,
redistribute the server load to other servers.
Mail statistics
Statistic Description
Mail.AverageDeliverTime Average delivery time of messages in seconds
Mail.AverageServerHops Average number of server hops for a delivered message.
Mail.AverageSizeDelivered Average size of message delivered, in K.
Mail.Dead Number of undeliverable messages in MAIL.BOX. Useful for
detecting problems with the Router. Check the server MAIL.BOX to
view the dead mail messages and determine the problem.
Mail.Delivered Number of messages received by the Router.
Mail.MaximumDeliverTime Slowest delivery time of messages in seconds.
Mail.MinimumServerHops Least number of server hops for a delivered message.
Mail.MaximumSizeDelivered Largest message delivered, in K.
Mail.MinimumDeliverTime Slowest delivery time of messages in seconds.
Mail.MaximumServerHops Most number of server hops for a delivered message.
Mail.MinimumSizeDelivered Smallest message delivered, in K.
Mail.TotalFailures Total number of mail failures.
Mail.TotalRouted Total number of recipients that mail has routed to since the server
started.
Mail.Waiting Number of outgoing mail messages waiting to be either delivered
locally or transferred in MAIL.BOX. Useful for detecting problems
with the mail Router.
Mail.WaitingRecipients Number of recipients awaiting either local delivery or transfer.
Network statistics
Statistic Description
NET.TCPIP.BytesReceived Amount of data received from client to server using TCP/IP
protocol.
Statistic Description
Avg. Trans (Per Thread) The average number of transactions per thread.
Min. Trans (Per Thread) The minimum number of transactions per thread.
Max. Trans (Per Thread) The maximum number of transactions per thread.
Total Trans (All Threads) The total number of transactions per thread.
Running Threads The total number of all threads currently running.
Agg. Replications The aggregate number of replications that occurred.
Avg. Rsp. Time (ms) The average NRPC response time. This is the average response across all threads
and is the best overall value to track general server response curves.
Note: This value is not applicable to the Web Mail script
Running time (min) The total running time.
Tip: The Output monitor displays real-time test results, command-by-command, as the test runs. You can
see up to 64KB of data in the Output monitor.
For information on installing the Domino server, see the chapter ″Installing and Setting Up Domino
Servers.″ For information on installing the Domino Administration client, see the chapter ″Setting Up and
Using Domino Administration Tools.″
To set up a SUT
1. Make sure that:
v The Domino server is installed and operational
v The server has adequate RAM, approximately 512KB per simulated user (thread) across all clients
used in the test
2. Make sure that you have Administrator access, Create database access, and access to run unrestricted
LotusScript and Java agents.
3. Make sure that the Server, Replicator, Router, and Update tasks are running on the Domino server.
Run additional tasks as required for individual tests.
4. Enable performance monitoring on the Domino server by issuing the Show Perf command.
5. Use Domino Designer to copy the file NAMAGENT.NSF to the Domino Directory. This file contains
agents that you use to set up and change workloads.
To set up a client
If you use multiple clients in a test, they all must have the identical hardware setup, and you must
complete the following procedure on each.
1. Make sure that:
v The Domino Administration client and Server.Load are installed and operational
v The client has access to the templates to use in the test
v The client has adequate RAM -- approximately 512KB per simulated user (thread)
2. Do the following to edit the Location document:
a. Choose File - Mobile - Edit Current Location.
b. Click the Mail tab, and complete these fields:
Field Action
Mail file location Choose On server
Mailfile Enter the path to the mail file -- for example
mail\mailfile.nsf
c. Click the Servers tab, and in the home/mail server section, enter the name of the SUT.
Note: If you edit the MailServer script variable before you run a test, you change the location of
the mail server for only that run. The next time you run Server.Load, the mail server listed in the
Location document is used.
d. Click Save and Close.
3. Make sure that you use a Notes ID that has administration access to the SUT.
4. Do the following to verify the connection to the SUT:
a. Start the Domino Administration client and verify that the Home/Mail Server field in the Location
document contains the fully distinguished SUT name -- for example, MailServer1/Acme.
b. Verify connectivity by running a trace from the client to the server. Select File - Preferences User
Preferences Ports.
c. Verify that the correct communication port is enabled, and click Trace.
d. Enter the name of the SUT in the Destination field and run the trace to verify that the client can
use the desired protocol to trace to the server.
e. If you cannot connect over TCP/IP, verify that TCP/IP has been enabled on the Domino server
and that the port is enabled in the Server document.
f. Verify that the port has been enabled at the operating system level.
g. Verify that TCP/IP is properly installed and enabled on the client and that you can use the ping
utility to access the Domino server by name -- for example, acme.iris.com -- and by IP address.
5. Disable all screen savers.
Built-in scripts
The following table describes the scripts that are built into Server.Load.
Script Description
Idle workload Establishes the upper boundary of the number of sessions that a Domino server can
support. You can use the metric derived from this script to help you set up other
tests.
Cluster Mail workload The Cluster Mail workload executes Notes transactions that model a cluster for
mail users at sites relying on a two-way Domino cluster for messaging.
R5 IMAP Workload Runs Notes transactions that model a server for mail users at sites that rely on
IMAP for communication. This test stresses the IMAP protocol by receiving
messages and exercises SMTP and LDAP by sending SMTP messages to recipients
and performing LDAP lookups on them. You use the IMAP Initialization Workload
script to initialize the SUT.
R5 Simple Mail Routing Simulates one or more Notes mail users performing basic mail operations such as
opening mail files, reading and categorizing documents, sending calendar and
schedule items, and composing multiple mail messages to multiple recipients. You
use the NRPC Mail Initialization Workload script to initialize the SUT.
R5iNotes Workload The R5iNotes test represents an active user sending, retrieving, and deleting mail
from a browser. An average user runs this script four times an hour. Each time the
script runs, it checks and retrieves mail messages. Additionally, on each
NthIteration, which is one time in six for this workload, the user sends a mail
message to NumMessageRecipients other users on the server. The user schedules
an appointment, sends invitations to NumMessageRecipients other users, and
responds to one invitation that it finds in its own inbox.
R6 Mail workload The R6Mail workload models an active user on a client reading and sending mail,
using the calendar and scheduling features to schedule an appointment, send an
invitation, and send an RSVP to an invitation. An average user will run this script
four times per hour.
R6iNotes Workload The R6iNotes test represents an active user sending, retrieving, and deleting mail
from a browser. An average user runs this script four times an hour. Each time the
script runs, it checks and retrieves mail messages. Additionally, on each
NthIteration, which is one time in six for this workload, the user sends a mail
message to NumMessageRecipients other users on the server. The user schedules
an appointment, sends invitations to NumMessageRecipients other users, and
responds to one invitation that it finds in its own inbox.
R6IMAP workload The R6IMAP workload executes Domino transactions that model a server for mail
users at sites that rely on IMAP mail for communication. Not only does this test
stress the IMAP protocol by receiving mail messages, but also exercises SMTP and
LDAP by sending SMTP messages to a number of recipients and performing LDAP
lookups on those recipients.
R5 Shared Database Simulates one or more active users performing database operations on the same
Discussion database. The script includes performing view operations, navigating
unread documents, adding users to the database, and updating documents.
SMTP and POP3 Workload Runs Notes transactions that model a server for mail users at sites that rely on
SMTP and POP3 mail for communication. You use the SMTP and POP3
Initialization Workload script to initialize the SUT.
Web Idle Workload Simulates users connecting to the default page or home page on a Domino Web
server.
Web Mail Workload Runs transactions that model a server for Web Mail users. The test simulates a Web
browser user sending, retrieving, and deleting Notes mail. You use the Web Mail
Initialization Workload script to initialize the SUT.
Workload Data Collection While a workload runs, the Workload Data Collection script, SHSTAT.SCR, collects
the data that is generated by the workload. This is a custom script.
The iNotes Initialization workload creates a set of mail databases on the server and
populates them with mail. The mail databases are populated with the number of
notes (messages) specified in the NOTES.INI variable NumMailNotesPerUser.
NRPC Mail Initialization The NRPC Mail Initialization workload prepares for the R5 Simple Mail Routing
workload workload and the R6 Mail Routing workload. The NRPC Mail Initialization
workload creates the mail databases for the R5 Simple Mail Routing workload and
the R6 Mail Routing workload.
SMTP and POP3 Initialization The SMTP and POP3 Initialization workload prepares for the SMTP and POP3
workload workload by creating the mail databases for the SMTP and POP3 workload.
Web Mail Initialization the Web Mail Initialization workload prepares for the Web Mail workload by
workload creating the mail databases for the Web Mail workload.
Custom scripts
You can use the Server.Load command language to build a script from scratch, copy a built-in script and
modify it, or use a sample script. Then by modifying only test parameters and script variables, you can
further customize the script without changing the actual script code. Script variables are environmental
values that are referenced through the NOTES.INI file. Test parameters control the number and creation
of simulated users, or threads; the number of times the test runs for each user; and the test duration. If
you create a script from scratch, you can test each line of code by entering it in the command line. In
addition, using the command line, you can issue remote server console commands.
NotesBench
A related performance tool, NotesBench is a collection of benchmarks, or workloads, for evaluating the
performance of Domino servers. To learn more about NotesBench, go to http://www.notesbench.org.
4. Simulate the behavior of actual users by providing pauses between commands in your script. Use the
built-in scripts as a reference point.
5. Be aware of both ramp-up and steady state. Ramp-up state occurs after all threads run at least one
iteration of the script. Steady state represents the server’s true, sustainable performance with
reproducible results. Steady state occurs when the number of Notes users on the server is equal to the
total simulated users across all clients.
Field Action
Max No. of Users Enter the number of simulated users. Default is 1. Maximum
value for this setting is 1500.
Note: To verify that a script is running properly, run the test
the first time with only one simulated user.
The client should not run at anything higher than 75% to 85%
CPU. If the client is running at 100%, reduce the number of
users.
Script Loop Count Enter the number of times the script runs per simulated user.
Default is 1.
Note: For information about completing the fields on the Lotus Server.Load dialog box, see the
information that pertains to the workload you are configuring in this section of the documentation.
Server.Load workloads
v Cluster Mail workload
v R5IMAP workload
v R6IMAP workload
v R5iNotes workload
v R6iNotes workload
v Idle workload
The Cluster Mail Initialization test automatically creates and sets up the mail databases and establishes
the settings listed below:
v Database ACL settings
– Default user is provided with Manager access
– Anonymous user is provided with Manager access
v Owner set = mail#
Prerequisites:
v The appropriate mail templates must exist on the driver.
v Two clustered servers are required for this test -- a primary server and a second server to test mail file
failover performance when the primary server is unavailable.
Using the ″Create NotesBench Mail Person Documents″ Agent: Use the ″Create NotesBench Mail
Person Documents″ agent to create Person documents. It is stored in NAMAGENT.NSF.
1. Use the ″Create NotesBench Mail Person Documents″ NAMAGENT.NSF agent on any platform to
create Person documents that use the mail*.nsf files (created by Mail Initialization) on the SUT as the
users’ mail files. Copy NAMAGENT.NSF to the Domino Directory and run it from there. See the
Using this Database Document in NAMAGENT.NSF for more information about using the agents.
2. Replicate the Domino Directory with newly created users to the second test server.
Variable Action
MailServer Enter the canonical name of the mail server -- for example,
CN=MailServer1/O=Acme.
nb_dbdir Enter a database directory relative to the Notes data directory.
Recommended value is mail\.
MailTemplate Enter the name of the mail file template.
NumMailNotesPerUser Enter the number of notes used to populate the mail file when the
mail file is created. Recommended value is 100.
NormalMessageSize Enter the size of the body of the message. Recommended value is
10000.
ClusterServer2 Enter the canonical name of the second mail server -- for example,
CN=MailServer2/O=Acme.
The Cluster Mail workload script models an active user sending and reading mail on a client. It contains
an average of eight minutes of waiting; therefore, an average user executes this script no more than seven
times per hour. For each iteration of the script, there are five documents read, two documents added, two
documents deleted, one view-scrolling operation, one database opened and closed, one view opened and
closed, and some miscellaneous operations. One message is sent to the recipients approximately every 90
minutes.
Messages that each driver user sends are delivered to mail users in the cluster. The updates are then
cluster-replicated to all replica copies of the users’ database. The ClusterMail test models reading,
submitting, delivering, and retrieving messages. As such, the mail users must have a corresponding
$Person entry in the Domino Directories on clients and servers in order to receive mail. Run the agent,
″Create NotesBench Mail Person Documents,″ to create these entries.
Since simulated users are connecting to the cluster, instead of to a specific server, they generate their mail
from the server they are currently failed-over to. Each iteration of the script provides an opportunity for
the user to fail-over to a different node depending on the availability of specific node resources.
See Administering Domino Clusters for options in setting cluster operations, such as number of nodes, node
availability, threshold values, and Single Copy Object Store usage.
The resulting capacity metric for a cluster under test is the maximum number of users that can be
supported before the average user response time becomes unacceptable.
Test Initialization: Complete the following steps to prepare for running the test:
1. Perform all the required ″setup″ procedures that apply to your configuration for this test, including
setting up the NOTES.INI file and the destination servers.
2. On the SUT, start the Domino server. The router, replicator, and update server processes must be
started. You can run additional server programs at your discretion.
3. Run the workload Cluster Mail Initialization to create replicas on the clustered server defined by
[ClusterServer2] in the test driver’s NOTES.INI file. The tester determines how many, and on which
node, replicas should be placed.
NOTES.INI settings on the test driver for the ClusterMail test: Enter the following values in each
child’s NOTES.INI file.
Variable Setting
Message storage format 2 (MIME)
Mail system 6 (POP3/IMAP)
Variable Action
MailServer Enter the canonical name of the mail server -- for example, CN=MailServer1/O=Acme.
MailTemplate Enter the name of the mail file template -- for example, MAIL6.NTF.
nb_dbdir Enter the directory used to store mail files, relative to the data directory.
NormalMessageSize Enter the size of the body of the message. Recommended value is 10000.
MessageLineSize Enter the number of characters per line. Recommended value is 80.
RecipientDomain Enter the name of the domain containing the intended recipients -- for example,
acme.com.
SMTPHost Enter the fully qualified domain name of the Domino server that is running the SMTP
Listener task -- for example, server1.acme.com
ClientHost Enter the fully qualified domain name of the client -- for example, client1.acme.com
NumMailNotesPerUser Enter the number of documents to populate the mail file when it is created.
Recommended value is 100.
R5IMAP workload
The R5IMAP workload models an active IMAP mail user logging in once, then receiving and sending
mail. The script contains an average of 15 minutes of waiting, so an average user will execute this test no
more than four times an hour. For each iteration of the script, IMAP mail messages are retrieved, one
SMTP message is sent, and a number of LDAP lookup requests are executed based on the value of the
NumMessageRecipients script variable. The SMTP messages sent by each test user are delivered to the
mail databases of other test users on the SUT.
The resulting capacity metric for an IMAP server is the maximum number of users that can be supported
before the average user response time becomes unacceptable.
Hardware considerations: The following hard disk requirements apply to the SUT and, during some
tests, to the destination systems that receive mail from the SUT:
The growth rate of each database is a function of the ratio of the number of users
and recipients sending and receiving mail.
Command Description
Show Task Show either the Database Server task (Notes clients) or
IMAP task (IMAP users).
Show Stat IMAP Monitor message counters
Show Stat Mail Monitor message counters
Show Stat SMTP Monitor SMTP statistics
Show Stat LDAP Monitor LDAP statistics
2. Use an IMAP client, such as Outlook, to verify that the IMAP and SMTP server tasks are set up
correctly.
3. To minimize environment troubleshooting, put IP information -- for example, host information -- in
the \etc\hosts file or its equivalent on the SUT and driver directories.
4. From the SUT console, enter this command to display additional routing information:
Set Config Log_MailRouting=40
Variable Action
R5IMAPBreak Enter one of these:
v 1 -- To prevent the script from quitting if errors occur
v 0 -- To force the script to quit if errors occur
10. (Optional) Click the Stop Conditions tab to set a stop condition.
For more information, see the topic ″Setting a Server.Load stop condition″ earlier in this chapter.
11. Click Execute.
12. (Optional) Select metrics to monitor.
For more information, see the topic ″Monitoring Server.Load metrics″ earlier in this chapter.
13. (Optional) In the ″Server to receive console commands″ field, enter the name of the SUT.
14. Click Start Test.
The R6IMAP Initialization workload automatically creates and sets up the mail databases and establishes
the settings listed below:
v Database ACL settings
– Default user is provided with Manager access
– Anonymous user is provided with Manager access
v Owner set = mail#
The MAILINIT workload opens a mail database on the server, populates the mail database, opens a
discussion database, and then populates the discussion database with a number of notes scaled to the
SUT.
Prerequisites:
v The mail template, MAIL6.NTF, must exist on the driver.
v All user passwords must be set to NotesBench because authenticated users are required.
R6IMAP workload
The R6IMAP workload executes Domino transactions that model a server for mail users at sites that rely
on IMAP mail for communication. Not only does this test stress the IMAP protocol by receiving mail
messages, but also exercises SMTP and LDAP by sending SMTP messages to a number of recipients and
performing LDAP lookups on those recipients.
The R6IMAP workload models an active user retrieving and sending mail. An average user executes this
script no more than four times per hour. For each iteration of the script, there is a retrieval of IMAP mail
messages, one SMTP message sent, and ’n’ LDAP lookup requests based on the variable,
NumMessageRecipients. In sending messages, each user sends a mail message to NumMessageRecipients
not more than once every 15 minutes.
The SMTP messages sent by each driver user are delivered to the mail databases of other driver users on
the SUT.
Note: The R6IMAP workload makes use of the SMTP and LDAP protocols in addition to IMAP.
System information: A Notes client can run 1500 user threads per 512 MB driver. With less memory, the
number of threads must be decreased. You can experiment to see what the CPU and memory usage is on
your particular drivers for a given number of threads.
The number of users that can be supported by a server is limited by memory. On UNIX it is 4 GBs.
On an 8way Intel® Xeon(TM), Microsoft Windows server the resource limitation is often memory. The
maximum memory that the server can use is approximately 2.3GBs.
Domino SSL in the Server.Load R6IMAP workload: The Secure Socket Layer (SSL) is enabled for the
R6IMAP workload. Add the NOTES.INI setting, NB_SSL_OPTION=USE_SSL, to the client driver’s
NOTES.INI file to enable SSL. For example,
NB_SSL_OPTION=USE_SSL
Time Requirements: The time required to run this test is six hours, minimum, after steady state verified.
The capacity metric for an SMTP/IMAP server is the maximum number of users that can be supported
before the average user-response time becomes unacceptable.
Requirements:
Test Initialization:
1. Perform all the required ″setup″ procedures that apply to your configuration for this test, including
setting up the NOTES.INI file and the destination servers.
2. Run the R6IMAP Initialization workload to initialize and convert to IMAP mail files.
For information about the R6IMAP Initialization workload, see the topic ″R6IMAP Initialization
workload″ in this chapter.
For information about the IMAP service, see the chapter ″Setting Up the IMAP Service.″
Creating mail databases: Use the R6IMAP initialization workload to initialize the first database for
Domino 6 or use the IMAPINIT workload for Domino R5. Make sure that the latest MAIL6.NTF
(MAIL5.NTF for R5) is copied to the test driver before you create the first database and that the mail
template NOTES.INI setting is set on the child.
After you create your first mail database, open the database by performing a File - Open from the Notes
client or by using Microsoft Outlook®. Opening the database initializes several database fields and uses
less memory per user during the test.
NOTES.INI settings for the test driver for the R6IMAP workload: The following is an example of the
NOTES.INI settings for the test driver:
NormalMessageSize=10000
MailRecipientPercentUser=50
MailRecipientPercentVolume=50
MailRecipientBeginNumber=1
MailRecipientEndNumber=2000
NthIteration=6
ClientHost=hostname_of_the_client
SMTPHost=hostname_of_your_SMTP_server_under_test
LDAPHost=hostname_of_your_LDAP_server_under_test
IMAPHost=hostname_of_your_IMAP_server_under_test
RecipientDomain=name_of_your_domain
MessageLineSize=100
NumMailNotesPerUser=100
NumMessageRecipients=3
view_rebuild_dir=l:\temp\
Debug_Outfile=g:\server_debug\server_grigsby2k.txt
Server_Show_Performance=1
ServerTasks=Router,IMAP,LDAP
IMAP_Session_Timeout=60
Log_mailrouting=20. Set to 20 for minimal logging, or to 10 for no logging (minimizes logging while
testing). Set to 40 to display additional routing information on the console; for example, to verify that
messages are being routed by the Router and MTA tasks.
Note: The MailRecipientPercentUser and the Mail RecipientPercentVolume settings impact each other. If
MailRecipientPercentUser=20 and Mail RecipientPercentVolume=80, 80 percent of the messages are
addressed to 20 percent of the users.
Field Setting
Routing Tasks Select Mail Routing.
SMTP listener task Enable this setting.
Fully-qualified Internet host name For example, servername.iris.com
Field Setting
SMTP used when sending message outside of the local Enable this setting.
Internet domain
SMTP allowed within the local Internet domain Select ″All messages″
Servers within the local Notes domain are reachable via Select ″Always″
SMTP over TCPIP
SMTP allowed within the local Internet domain Select ″MIME messages only″
Note: Clear the memory on the client (reboot) before the start of this test.
Client Setup: Use the Lotus Notes 6 client for best results.
The iNotes Initialization workload creates a set of mail databases on the server and populates them with
mail. The mail databases are populated with the number of notes (messages) specified in the NOTES.INI
variable NumMailNotesPerUser.
The iNotesInit test automatically creates and sets up the mail databases for the R5iNotes and R6iNotes
workloads and establishes the settings listed below:
v Database ACL settings
– Default user is provided with Manager access
– Anonymous user is provided with Manager access
v Owner set = mail#
Using the ″Create NotesBench Mail Persons Documents″ Agent: The agent that you can use to create
Person documents is in NAMAGENT.NSF.
1. Use the ″Create NotesBench Mail Person Documents″ NAMAGENT.NSF agent on any platform to
create Person documents that use the mail*.nsf files (created by iNotes Initialization) on the SUT as
the users’ mail files. Copy NAMAGENT.NSF to the Domino Directory and run it from there. See the
Using this Database document for more information about the agents in NAMAGENT.NSF.
R5iNotes workload
Domino Web Access (iNotes Web Access) is our next generation Web client for Web-based access to
Domino messaging and Personal Information Management (PIM) capabilities.
The R5iNotes workload represents an active user sending, retrieving, and deleting mail from a browser.
An average user runs this script four times an hour. Each time the script runs, it checks and retrieves
mail messages. Additionally, on each NthIteration, which is one time in six for this workload, the user
sends a mail message to NumMessageRecipients other users on the server. The user schedules an
appointment, sends invitations to NumMessageRecipients other users, and responds to one invitation that
it finds in its own inbox.
NOTES.INI settings for the Notes client driver for the R5iNotes workload: Select the Script Variables
pane and then complete these fields:
The number of documents deleted is dependent on the value set for the
variable MaxDocToDelete.
httphost The TCP/IP address or Hostname of the Domino Web Server.
NormalMessageSize Size of the body of the message. The recommended value is 10000.
Domain Notes Mail Domain Name of the Domino Server. For example, Acme.
Note: This value must match the value in the Mail Domain field of the
Location document on the client.
Server document settings for the R5iNotes workload: The Server document in the SUT’s Domino
Directory requires these settings:
v On the Basics tab in R5, or the Security tab in Lotus Domino 6 or more recent, enter the name of the
administrator in the ″Administrator″ field.
v On the Basics tab in R5 or the Internet Protocols tab in Domino 6 or more recent, in the field ″Optimize
HTTP performance based on the following primary activity″ choose Advanced (Custom Settings). This
field allows you to view/modify the number of HTTP threads and is usually set during installation.
The optimum setting for the number of HTTP threads requires some experimentation. On a large
machine, begin with the value of 100, then adjust up or down, accordingly.
v For Lotus Domino 6 or more recent, on the Internet Protocols - HTTP tab, locate the Timeouts section.
In the field ″HTTP Persistent Connections″ choose Disable.
NOTES.INI settings for the SUT: Open the NOTES.INI file on the SUT, and verify that HTTP is
included in the Server Tasks. To display additional data on the console, in the NOTES.INI file, use the
setting Log_MailRouting=40.
Access Rights settings: Open the ACL for the Domino Directory and ensure that the person designated
as administrator in the Server document is also designated Manager.
R6iNotes workload
Domino Web Access (iNotes Web Access) is our next generation Web client for Web-based access to
Domino messaging and Personal Information Management (PIM) capabilities.
The R6iNotes test represents an active user sending, retrieving, and deleting mail from a browser. An
average user runs this script four times an hour. Each time the script runs, it checks and retrieves mail
messages. Additionally, on each NthIteration, which is one time in six for this workload, the user sends a
mail message to NumMessageRecipients other users on the server. The user schedules an appointment,
sends invitations to NumMessageRecipients other users, and responds to one invitation that it finds in its
own inbox.
The console does not display Web users because they do not update the same counters as Notes clients.
Notes clients use the Database Server task, and Web users use the HTTP task. Use the show task
command to display each task at the server console.
To determine if mail is being delivered to the server, use this command at the console:
show stat Domino.Requests.*
If authentication errors appear at the console, check that the password in the HTTP field of the Person
document in the Domino Directory on the SUT is set to NotesBench. If necessary, edit the Person
document in the Domino Directory. Use the agent ″Set HTTP Password to ’NotesBench’.″
Ensure that the mail template is compatible with the Domino release you are running. For Domino
Release 6, use the template iNotes6.NTF. In the NOTES.INI file of the test driver, enter Set
MailTemplate=iNotes6.NTF.
To display routing information on the console, include Log_MailRouting=40 in the NOTES.INI file on the
SUT.
Server document settings for the R6iNotes test: In the Server document, use these settings:
v In the ″Administrator″ field on the Basics tab, enter the administrator’s name, that is, the name of the
user that has been defined as the administrator. If you do not include the administrator’s user name,
any server commands issued by Probe are rejected.
v On the Internet Protocols - HTTP tab, set ″HTTP Persistent connections″ to ″Disabled.″
v On the Internet Protocols - HTTP tab (R5 Basics section), set the field ″Optimize HTTP performance
based on the following primary activity″ to Advanced (Custom Settings). This setting allows you to
view/modify the number of HTTP threads and is usually set during installation.
NOTES.INI settings for the R6iNotes test SUT: Check these NOTES.INI file settings:
v Verify that the Server Tasks setting in the NOTES.INI file on the SUT includes HTTP.
v The optimum setting for the number of HTTP threads requires some experimentation. Start with a
value of 100 on a large machine and adjust this up or down until you obtain the best results.
Authentication:
v By default, R6iNotes assumes that user authentication is required. For authenticated users, ACLs for all
mail databases and the Domino Directory must specify Manager access for the - Default - user. In the
NOTES.INI file of the test drivers and Probe, use the WebAuthenticationOff=0 (or not defined) setting.
v On the Agent Restrictions section of the Server document - Security tab, set the values of the following
properties to * (wildcard character).
– Run restricted LotusScript/Java agents
– Run unrestricted LotusScript/Java agents
v This allows anonymous users to run restricted Lotus Script/Java agents and run unrestricted Lotus
Script/Java agents.
Variable Setting
Message storage format 0 (NOTES)
Mail system 1 (NOTES)
4. In the Test Type field, choose Built-In, and then choose NRPC Mail Initialization Workload from the
list.
5. Click the Test Parameters tab, and do the following:
a. For ″Thread Creation Interval,″ enter the rate, in seconds, at which simulated users are created.
The recommended value is 3 to 5 seconds.
b. If you are running the test on multiple clients, increment the value of the Starting Thread No.
parameter when you run the test on each client.
6. Click the Script Variables tab, and enter these values:
Variable Action
MailServer Enter the canonical name of the mail server -- for example, CN=MailServer1/O=Acme.
nb_dbdir Enter a database directory relative to the Notes data directory. Recommended value is
mail\.
7. In the ″Build Recipient List using Name and Address Book″ field, enter the name of the SUT and its
Domino Directory in the format servername/org!!dominodirectory.NSF -- for example,
Server1/Acme!!NAMES.NSF.
8. Verify that no errors occur while creating mail files on the client and SUT. If a mail file is not
created, the test script creates the mail file during the first test iteration, a process that adds
overhead on the server back end. As a rule, CPU on the client and SUT should not exceed 75%, and
the percentage of disk time on the server’s data directory should not be a factor.
9. (Optional) Click the Stop Conditions tab to set a stop condition.
For more information, see the topic ″Setting a Server.Load stop condition″ earlier in this chapter.
10. Click Execute.
11. (Optional) Select metrics to monitor.
For more information, see the topic ″Monitoring Server.Load metrics″ earlier in this chapter.
12. (Optional) In the ″Server to receive console commands″ field, enter the name of the SUT.
13. Click Start Test.
14. Verify that the correct number of test mail files were created in the data directory. Each mail file is
named MAILn.NSF, where n is a number.
15. Complete the procedure to run the R5 Simple Mail Routing workload or the R6 Mail Routing
workload.
For information about running the R5 Simple Mail Routing workload and the R6 Mail Routing
workload, see the topics ″R5 simple Mail Routing workload″ and ″R6 Mail Routing workload″ in this
chapter.
For each iteration of the script, five documents are read, two documents are updated, two documents are
deleted, one view is opened and closed, one view-scroll is performed, one database is opened and closed,
and several other operations are performed. One message is sent to each active user approximately every
96 minutes; the same frequency is used for appointments and invitations.
Because mail routing and delivery are performed on the SUT, locate the destination addresses and the
active users’ mail files on the SUT.
The resulting capacity metric for a mail-only server is the maximum number of users that can be
supported before the average user response time becomes unacceptable.
Hardware considerations: The following hard disk requirements apply to the SUT and, during some
tests, to the destination systems that receive mail from the SUT:
The R5 Simple Mail Routing test requires at least one client and the SUT. If you use multiple client
systems, identical hardware configurations are recommended.
Variable Action
MailServer Enter the canonical name of the mail server -- for example, CN=MailServer1/O=Acme.
nb_dbdir Enter a database directory relative to the Notes data directory. Recommended value is
mail\.
MailTemplate Enter the name of the mail file template.
NBTestReset Enter one of these to control how to handle existing documents at the start of the test:
v 1 -- To delete existing documents
v 0 -- To ignore existing documents
Note: The number of documents deleted is dependent on the value set for the variable
MaxDocToDelete.
MaxDocToDelete Enter the number of documents to delete when the test starts. After deleting
documents, the initial document count is reset.
NumMailNotesPerUser Number of notes used to populate the mail file when the mail file is created
(recommended value 100)
NormalMessageSize Enter the size of the body of the message. Recommended value is 10000.
NumMessageRecipients Enter the number of recipients for each message. Recommended value is 3.
NthIteration Enter the frequency for how often a message is sent. Instead of the message being sent
on every script iteration, the message is sent once per n iterations of the script.
Recommended value is 6.
ScriptIterationLimit Enter the number of times the outer loop of the test script runs. Recommended value
is 1. This value must match the value in the Script Loop Count field on the Test
Parameters tab.
The resulting capacity metric for a mail-only server is the maximum number of users that can be
supported before the average user response time becomes unacceptable.
Requirements:
v System under test (SUT)
Test Initialization: If you have not already created mail databases, do so before running the test. Use the
NRPC Mail Initialization workload to create the mail files.
For information on the NRPC Mail Initialization workload, see the topic ″NRPC Mail Initialization
workload″ in this chapter.
NOTES.INI Settings for the test driver for R6Mail: The following is an example of the NOTES.INI
settings for the test driver:
NormalMessageSize=10000
MailServer=server/domain
MailTemplate=mail6.ntf
NthIteration=6
NumMessageRecipients=3
NumMailNotesPeruser=100
(optional)
NBTestReset=1
MaxDocToDelete=1000000
Mail_Number_Of_MailBoxes=2
Max_Users=10100
NSF_DBcache_Maxentries=10100
Server_Pool_Tasks=100
Server_Max_Concurrent_Trans=1000
MAILLOGTOEVENTSONLY=1
LOG_SESSIONS=0
LOG_MAILROUTING=10
SERVER_SHOW_PERFORMANCE=1
MAILUSERPROCESSES=0
No_Force_Activity_Logging=1
Server document settings for the R6 Mail Routing test: Be sure that the Basics tab of the Server
document uses these settings:
v Routing tasks: Mail Routing, SMTP Mail Routing
v SMTP listener task: Enabled
v Fully Qualified Internet host name: servername.company.com
Variable Action
MailServer Enter the canonical name of the mail server -- for example,
CN=MailServer1/O=Acme.
Variable Setting
Message storage format 2 (MIME)
Mail system 6 (POP3/IMAP)
Variable Action
MailServer Enter the canonical name of the mail server -- for
example, CN=MailServer1/O=Acme.
nb_dbdir Enter a database directory relative to the Notes data
directory. Recommended value is mail\.
MailTemplate Enter the name of the mail file template.
6. Click the Test Parameters tab. If you are running the test on multiple clients, increment the value of
the Starting Thread No. parameter when you run the test on each client.
7. (Optional) Click the Stop Conditions tab to set a stop condition.
For more information, see the topic ″Setting a Server.Load stop condition″ earlier in this chapter.
8. Click Execute.
9. (Optional) Select metrics to monitor.
For more information, see the topic ″Monitoring Server.Load metrics″ earlier in this chapter.
10. (Optional) In the ″Server to receive console commands″ field, enter the name of the SUT.
11. Click Start Test.
12. Verify that the correct number of test mail files were created in the data directory. Each mail file is
named MAILn.NSF, where n is a number.
13. Complete the procedure to run the SMTP and POP3 workload.
For more information about running the SMTP and POP3 workload, see the topic ″SMTP and POP3
workload″ later in this chapter.
During each iteration, the script checks for and retrieves POP3 messages. When sending messages, each
user sends a mail message to NumMessageRecipients not more than once every 20 minutes. Twenty
percent of the users receive eighty percent of the send mail messages. The SMTP messages sent by each
user are delivered to the mail databases of other users on the SUT.
The resulting capacity metric for an SMTP/POP3 server is the maximum number of users that can be
supported before the average user response time becomes unacceptable.
To read the code in the test script, see the appendix ″Server.Load Scripts.″
Hardware considerations: The following hard disk requirements apply to the SUT and, during some
tests, to the destination systems that receive mail from the SUT:
Variable Action
NormalMessageSize Enter the size of the body of the message. Recommended value is 10000.
MessageLineSize Enter the number of characters per line. Recommended value is 80.
NumMessageRecipients Enter the number of recipients for each message. Recommended value is 3.
SMTPHost Enter the fully qualified domain name of the Domino server that is running the
SMTP Listener task -- for example, server1.acme.com
RecipientDomain Enter the name of the domain containing the intended recipients -- for example,
acme.com.
ClientHost Enter the fully qualified domain name of the client -- for example,
client1.acme.com
NthIteration Enter the frequency for how often a message is sent. Instead of the message being
sent on every script iteration, the message is sent once per n iterations of the
script. Recommended value is 6.
POP3Host Enter the fully qualified domain name of the Domino server running the POP3
task, in the format system.domainname -- for example, Server2.acme.com.
Idle workload
The Idle workload establishes an upper limit of the number of sessions that a Domino server can
support. The test only establishes sessions between a client and server; no Notes transactions are carried
out. No resources other than those required to start a session are used.
The resulting capacity metric is the maximum number of user sessions that can exist concurrently. You
can use this metric to help set up and configure the test environment.
To read the code in the test script, see the appendix ″Server.Load Scripts.″
Variable Action
MailServer Enter the canonical name of the mail server -- for
example, CN=MailServer1/O=Acme
MaxSessions Enter the thread capacity of the client. The maximum is
1500.
5. Click the Test Parameters tab. If you are running the test on multiple clients, increment the value of
the Starting Thread No. parameter when you run the test on each client.
6. (Optional) Click the Stop Conditions tab to set a stop condition.
For more information, see the topic ″Setting a Server.Load stop condition″ earlier in this chapter.
7. Click Execute.
8. (Optional) Select metrics to monitor.
For more information, see the topic ″Monitoring Server.Load metrics″ earlier in this chapter.
9. (Optional) In the ″Server to receive console commands″ field, enter the name of the SUT.
10. Click Start Test.
Hardware considerations: The following hard disk requirements apply to the SUT and, during some
tests, to the destination systems that receive mail from the SUT.
Variable Action
MailServer Enter the canonical name of the mail server -- for example, CN=MailServer1/O=Acme
DiscussionDB Enter the name of the test discussion database
DiscTemplate Enter the name of the template used for the discussion database
NBTestReset Enter one to control how to handle existing documents at the start of the test:
v 1 -- To delete existing documents
v 0 -- To ignore existing documents
Note: The number of documents deleted is dependent on the value set for the
variable MaxDocToDelete.
MaxDocToDelete Enter the number of documents to delete when the test starts. After deleting
documents, the initial document count is reset.
NumMailNotesPerUser Enter the number of documents to create for each user to populate the database
initially.
DiscDbAddDocRate Enter the number of documents to add for each user.
The resulting capacity metric for a Web Idle server is the maximum number of users that can be
supported before the average user response time becomes unacceptable.
Variable Setting
Message storage format 2 (MIME)
Mail system 0 (SMTP/POP3)
Variable Action
NBTestReset Enter one of these to control how to handle existing documents at the start of the
test:
v 1 -- To delete existing documents
v 0 -- To ignore existing documents
Note: The number of documents deleted is dependent on the value set for the
variable MaxDocToDelete.
MailServer Enter the canonical name of the mail server -- for example,
CN=MailServer1/O=Acme.
HTTPHost Enter the TCP/IP address or host name of the Domino Web server
nb_dbdir Enter a database directory relative to the Notes data directory. Recommended value
is mail\.
MailTemplate Enter the name of the mail file template.
NormalMessageSize Enter the size of the body of the message. Recommended value is 10000.
6. Verify that the client and server experience no errors while creating mail files. If a mail file has not
been created, the test script creates the mail file during the first test iteration, but this adds overhead
on the server back end. As a rule, CPU on the client and SUT should not exceed 75%, and the
percentage of Disk Time on the Domino Server Data directory should not be a factor.
7. Click the Test Parameters tab. If you are running the test on multiple clients, increment the value of
the Starting Thread No. parameter when you run the test on each client.
8. Set a Server.Load stop condition.
For more information, see the topic ″Setting a Server.Load stop condition″ earlier in this chapter.
9. Click Execute.
10. (Optional) Select metrics to monitor.
For more information, see the topic ″Monitoring Server.Load metrics″ earlier in this chapter.
11. (Optional) In the ″Server to receive console commands″ field, enter the name of the SUT.
12. Click Start Test.
13. Verify that the correct number of test mail files were created in the data directory. Each mail file is
named MAILn.NSF, where n is a number.
14. Complete the procedure to run the Web Mail workload.
For more information about running the Web Mail workload, see the topic ″Web Mail workload″ in
this chapter.
The resulting capacity metric for a Web Mail server is the maximum number of users that can be
supported before the average user response time becomes unacceptable.
To read the code in the test script, see the appendix ″Server.Load Scripts.″
Hardware considerations: The following hard disk requirements apply to the SUT and, during some
tests, to the destination systems that receive mail from the SUT:
The growth rate of each database is a function of the ratio of the number of users
and recipients sending and receiving mail.
Command Description
Show Tasks Show either the Database Server task (Notes clients) or
HTTP task (Web users).
Show Stat Mail Monitor message counters
Show Stat Domino.Requests.* Monitor message counters
2. If authentication errors occur on the Domino server console, verify the password in the HTTP field of
the respective user’s Person document in the SUT’s Domino Directory; edit the Domino Directory if
necessary.
3. From the SUT console, enter this command to display additional routing information:
Set Config Log_MailRouting=40
4. Check that the database properties for the mail database:
v Web access: Use JavaScript when generating pages -- Must be checked.
v Allow soft deletions -- Must not be checked.
5. In the Server document on the Internet Protocols - HTTP tab, complete these fields:
Field Action
Optimize performance based on the following primary Choose Advanced (Custom Settings) to view and modify
activity the number of HTTP threads.
Number Active Threads Specify one active thread for every 10 Web Mail users.
6. Make sure that the administrator has Manager access to the Domino Directory.
7. Authentication
v By default, WebMail assumes user authentication is required.
v For authenticated users, Anonymous must have No Access and -Default- must have Manager
access. Use the WebAuthenticationOff=0 setting in the client’s NOTES.INI file.
v To run WebMail without authentication, Anonymous must have Manager access in the ACL of all
mail databases and the Domino Directory. Use the WebAuthenticationOff=0 setting in the client’s
NOTES.INI file.
v To run Web Mail with authentication, use the WebAuthenticationOff=0 setting in the NOTES.INI
file and run the Update ACL of MailDBs to include Owner (mail1, mail2, ...) agent on the SUT.
Variable Action
HTTPHost Enter the TCP/IP address or host name of the Domino
Web server
nb_dbdir Enter a database directory relative to the Notes data
directory. Recommended value is mail\.
WebPreferencesOff Make sure this is set to Off. If it’s On, the script sets the
mail database to be its own owner.
6. Click the Test Parameters tab. If you are running the test on multiple clients, increment the value of
the Starting Thread No. parameter when you run the test on each client.
7. (Optional) Click the Stop Conditions tab to set a stop condition.
For more information, see the topic ″Setting a Server.Load stop condition″ earlier in this chapter.
8. Click Execute.
9. (Optional) Select metrics to monitor.
For more information, see the topic ″Monitoring Server.Load metrics″ earlier in this chapter.
10. (Optional) In the ″Server to receive console commands″ field, enter the name of the SUT.
11. Click Start Test.
Run the Workload Data Rollup Collection and Workload Data Rollup scripts on a system other than the
one that contains the test drivers that put the load on the SUT.
Note: The drivers that create the test load are referred to as ″regular″ test drivers in this document.
Note: This setting is not needed on the regular test drivers because the path to the Results directory
is specified using the Server.Load parameter ″Store the Metrics to this file.″
6. Click Execute to access the Metrics window.
7. Set the ″Store the Metrics to this file″ field to point to the ResN file in the results directory for each
regular test driver:
v Z:\Res1 -- for test driver 1
v Z:\Res2 -- for test driver 2
Note: Each results (metrics) file from the regular test drivers must have a unique numbered name
along and a ResultsDirectory path as shown above.
8. Set the ″Server to Receive Console Commands″ field in the Metrics window to blank on the Data
Collection Driver for the workload data collection and workload data rollup scripts. Server.Load does
not need to authenticate with a server for these scripts.
The Workload Data Collection script: Run the Workload Data collection script template as-is or
customize it for your specific use. You can add or remove groups of statistics to be collected from the
SUT as needed.
Beginloop
Console [Mailserver] sh stat platform
Console [Mailserver] sh stat server.*
Console [Mailserver] sh stat server.version.*
Console [Mailserver] sh stat server.time.start
Console [Mailserver] sh stat domino
Console [Mailserver] sh stat database
Console [Mailserver] sh stat disk
Console [Mailserver] sh stat mail
Console [Mailserver] sh stat mem
Console [Mailserver] sh stat NET
Console [Mailserver] platform time 10
Pause 60000
Rewind
Note: You can obtain a copy of this script, from the Using This Database document in nameagent.nsf.
Detach the script to a directory.
Using the Workload Data Rollup script to roll up collected data: Use the Workload Data Rollup script
to roll up collected data after you run the Workload Data Collection script.
For instructions about running the Workload Data Rollup script, see the topic Running the Workload
Data Rollup script.
Set these NOTES.INI settings on the driver running the Workload Data Rollup script:
Generating output of per-command response times in Server.Load: You can use the NOTES.INI setting,
NB_Collect_Response_Times, to enable output of per-command response time. Add
NB_Collect_Response_Times=1 to the NOTES.INI file on the test driver. The resulting file is added to the
Results Directory and is assigned a file name RespTime_OutFile#, where # represents the driver number.
Use NB_Collect_Response_Times with the ResultsDirectory NOTES.INI setting. For example, the
NOTES.INI would contain these settings:
NB_Collect_Response_Times=1
RESULTSDIRECTORY=Z:\
The setting is for general use with all workloads and custom scripts. To disable response data collecting,
enter the NOTES.INI setting with a value of zero. For example,
NB_Collect_Response_Times=0
The data rollup output resides in the datafile NB_Domstat.csv containing the averaged client data, and
any relevant SH STAT data.
This file can be viewed using any text editor or spreadsheet program.
For information on performance-related issues, see the chapter ″Improving Server Performance.″
Troubleshooting
This section describes how to find and solve server problems.
v Troubleshooting the Domino system
v Troubleshooting tools
Troubleshooting tools
Domino provides several tools to help you troubleshoot problems. Most of the tools are available through
the Domino Administrator. The table below summarizes the available tools and indicates how each is
useful.
If you haven’t solved your problem after reading through the section that applies to the problem, you
may want to search the IBM Lotus Support Services Web site or call IBM Lotus Support Services directly
for help with troubleshooting your problem.
Tool Problems that the tool resolves How to access the tool
Server log file (LOG.NSF) All problems From the Server - Analysis tab in the
Domino Administrator
Domino Web server log file Web server problems From the Server - Analysis tab in the
(DOMLOG.NSF) Domino Administrator
Server’s MAIL.BOX Mail routing problems From the Messaging - Mail tab in the
Domino Administrator
Mail trace Mail routing problems From the Messaging - Mail tab in the
Domino Administrator
ISpy Slow mail; server problems Configured in the Monitoring Configuration
database on the Configuration tab in the
Domino Administrator
Mail reports Mail user activity From the Messaging - Mail tab in the
Domino Administrator
Mail tracking Lost mail From the Messaging - Tracking Center tab
in the Domino Administrator
Mail routing status Undelivered mail From the Messaging - Mail tab in the
Domino Administrator
Mail routing topology maps Mail routing problems between servers From the Messaging - Mail tab in the
Domino Administrator
Mail routing events view in Undelivered mail From the Messaging - Mail tab in the
the log file (LOG.NSF) Domino Administrator
Shared Mail view in the log Disk space usage From the Messaging - Mail tab in the
file (LOG.NSF) Domino Administrator
Network trace Connection problems In User Preferences. Choose File -
Preferences - User Preferences
1431
Tool Problems that the tool resolves How to access the tool
TCP/IP connection logging Connection problems Server console on a server with the setting
Log_Connections=1 added to its NOTES.INI
file
Replication events in the log Replication problems for a particular From the Replication tab in the Domino
file (LOG.NSF) server Administrator
Replication history Replication problems with a specific Under Database Properties. Choose File -
database Database - Properties; or choose File -
Replication - History
Replication schedule Replication problems for a particular From the Replication tab in the Domino
server Administrator
Replication topology maps Replication problems between servers From the Replication tab in the Domino
Administrator
Monitoring Configuration Server statistics and events you Configured from the Configuration tab of
specifically monitor the Domino Administrator; view statistics
from the Server - Analysis tab in the
Domino Administrator
Database analysis Database problems From the Files tab in the Domino
Administrator
Administration Requests Administration Process errors From the Servers - Analysis tab in the
database Domino Administrator
Server commands Various From the Servers - Status tab in the Domino
Administrator
When you call IBM Lotus Support Services, you should have the following available to you:
1. The computer on which the problem occurred.
2. Any other people who are involved in troubleshooting the problem -- for example, server
administrators, database managers, network managers. You might want these people available when
you speak with a support representative.
3. Any pertinent information you gathered from troubleshooting the problem yourself prior to
contacting support.
4. If you have ScreenCam®, the movie or event that documents the problem.
5. If the problem involves the network, print out the PROTOCOL.INI, CONFIG.SYS, and STARTUP.CMD
files. Print out the network file directory, so that you can compare network file dates.
6. In addition, depending on the problem, be prepared to provide some of this information:
Domino provides a collection of tools that you can use for general troubleshooting. The IBM IBM Lotus
Support Services team provides additional troubleshooting assistance. These topics describe the available
troubleshooting tools and how to contact IBM Lotus Support Services:
v Table of troubleshooting tools
v Searching the IBM Lotus Support Services Web site (www.ibm.com/software/lotus/support/)
v Contacting Lotus Support Services
You can also search for solutions to common problems on the IBM IBM Lotus Support Services Web site
at www.ibm.com/software/lotus/support.
Administration Process -- Problems and error messages: These errors may appear in the Certification
Log or at the server console. Some of these messages require that you correct a particular condition, while
others are only status messages.
Administration Process: retrying a request that could not be performed previously because another process was
modifying the document.: This message indicates that in processing separate requests, two threads of the
Administration Process simultaneously attempted to modify a document in the Domino Directory. As a
result, the Administration Process is retrying one of the requests. This is a status message; no action is
required.
Administration Process: Unable to access transfer context information.: This message indicates that the
Administration Process can’t access global information that is required to execute a specific task. Restart
the Administration Process, or, if necessary, restart the server.
Administration Process: Unable to create entry thread.: This message appears when the Administration
Process can’t create a thread to use to run Administration Process tasks. Restart the Administration
Process, or, if necessary, restart the server.
No Address book is present on this server; the Admin Process cannot continue without one.: This message
appears if you start the Administration Process on a server that doesn’t store a replica of the Domino
Directory. Create a replica of the Domino Directory on the server, and then start the Administration
Process again.
Removing viewname view notes in the Address Book.: This message appears when the Administration
Process deletes obsolete monitoring configuration documents from the Domino Directory. This is a status
message; no action is required.
Reporter: Could not locate view viewname.: This message appears when the Administration Process can’t
find obsolete monitoring documents in the Domino Directory. This is a status message; no action is
required.
The Administration Process cannot delete the database databasename at this time because it is in use by someone
else; will try again at time.: This message appears as the result of a Delete Unlinked Mail File request. The
message indicates that the Administration Process is retrying a request to delete a mail that was initially
unavailable because someone was accessing it. This is a status message; no action is required.
The Administration Process could not change or delete the name from the document because another process was
modifying it.: This message indicates that, in processing separate delete or rename requests, two threads
of the Administration Process attempted to modify the same document in a database. As a result, only
one request was processed, and the Administration Process is retrying the other. This is a status message;
no action is required.
The Administration Process does not have enough memory to compute the formulas required for request
processing.: This message indicates that there is currently inadequate memory for the Administration
Process. To correct this, restart the server.
The Administration Process is retrying a name change or deletion from the document.: This message appears as
the result of a rename or delete request. It indicates that the Administration Process is retrying a request
to rename or delete a name from a document that was initially unavailable because someone was
accessing the document. This is a status message; no action is required.
The certificate contained in the note was not issued by the selected certifier.: This message appears if you
choose Actions - Recertify Person or Actions - Recertify Server but you don’t select the original certifier. If
you don’t specify the original certifier when you choose this action, you can submit the request, but it
isn’t posted in the Administration Requests database. To correct this, choose the action again, and select
the original certifier.
The replica of the database moved by the Administration Process has not been initialized by the replicator.: This
message appears as the result of a Monitor Moved Replica request. It indicates that the Administration
Process is waiting for the replicator to initialize the replica at its new location before it deletes the
original. This is a status message; no action is required.
The selected certifier isn’t an ancestor of the entity to be updated.: This message appears if you attempt to
choose Actions - Request Move to new Certifier to move a person to a different hierarchy, but you don’t
select the original certifier. If you don’t specify the original certifier, you can submit the request, but it
isn’t posted in the Administration Requests database. To correct this, choose Request Move to New
Certifier again, and select the original certifier.
The selected certifier isn’t the target certifier in the move request.: This message appears if you choose
″Actions - Complete move for selected entries″ to attempt to complete moving user names to a different
hierarchy and the target certifier isn’t the one you specified when you originally chose Actions - Rename
Person - Request Move to New Certifier. If the target certifier you specified when completing the move is
How to troubleshoot the Administration Process: A variety of error conditions can prevent the
Administration Process from working properly. For example, errors can occur when there isn’t enough
memory for the Administration Process; when you rename, delete, or recertify a user; or when you move
a user to a different hierarchy. Use these steps to troubleshoot the Administration Process:
1. Start the Administration Process on a server that does not store a replica of the Domino Directory.
2. Ensure that the Administration Process is set up correctly.
For more information, see the chapter ″Setting Up the Administration Process.″
3. If the Administration Process worked successfully in the past but isn’t working as expected now, try
to isolate what might have changed since it last worked successfully.
4. Check for these conditions and correct them if necessary:
a. The Administration Process (the AdminP task) must be running on all servers. To check this, enter
the Show Tasks command at the server console. Enable AdminP on any servers where it isn’t
already running.
b. An Administration Server must be specified for the Domino Directory. The administration server
for the Domino Directory is designated as such during first server setup in the domain.
c. Make sure that you specific an administration server for all databases. Each database must have an
administration server specified before a request can be made to the Administration Process.
d. The Domino Directory (NAMES.NSF) and the Administration Requests database (ADMIN4.NSF)
must replicate properly between the affected servers. These databases must replicate correctly
between the administration server of the Domino Directory and the servers where the databases
receiving the updates reside.
e. Each request in the Administration Requests database should have a corresponding response
document that shows that the Administration Process has completed the request. Correct any
errors indicated by a response document.
f. The Certifier documents must have the correct public key; the public key must match the key in
each CERT.ID.
For more information about correcting errors in the Administration Requests database, or for any
other information regarding the administration process, see the chapter ″Setting Up the
Administration Process.″
Output data incomplete when running Administrator client on a remote console: There are two
situations in which data can be lost when you attempt to view output data using the Administrator client
from the Domino server remote live console. The displayed data appears incomplete because a portion of
the data is lost. Data can be lost in the following situations:
v The console output is buffered in a ring buffer as it is generated. When the remote live console
background thread fetches data, it may not fetch the data quickly enough. The ring buffer then loses
data.
v When the remote live console background thread fetches data, it posts the data to a network
asynchronous write -- itself a ring queue. If the asynchronous write queue entry is overwritten, data is
lost.
Statistic Explanation
server.RemoteConsole.AsyncQueueOverrun Number of times that the asynchronous queue request
was lost.
server.RemoteConsole.BufferOverrun Number of times that data was lost because more
console output was generated than was sent over the
wire.
You can also search for solutions to common problems on the IBM Lotus Support Services Web site at
www.ibm.com/software/lotus/support/.
Tools for troubleshooting Agent Manager and agents: Whenever an agent won’t run, check the Agent
Log to see when the agent last ran and whether it completed. For additional information, check the
server console or the Miscellaneous events in the log file (LOG.NSF) for messages from the Agent
Manager.
Log file: To enable agent logging in the log file (LOG.NSF), edit the NOTES.INI file to include the
Log_AgentManager setting, which specifies whether or not the start of agent execution is recorded in the
log file and displayed on the server console. It’s important to monitor the server console or log for
information from the Agent Manager because error and warning messages generated by the Agent
Manager on behalf of the agent, as well as output -- for example, print statements -- generated by a
background agent, appear on the console and in the Miscellaneous events view of the log (LOG.NSF).
For more information on the Log_AgentManager setting, see the appendix ″NOTES.INI File.″
The Agent Log: The Agent Log is a view in a database that shows the last time an agent ran and
describes if the agent completed or not.
1. In the database, choose View - Agents.
2. In the Design view that lists all the agents, choose the agent.
3. Choose Agent - Log.
For more information on the Agent Log, see the book Application Development with Domino Designer.
Agent manager and agents -- Problems and error messages: These topics present suggestions for
troubleshooting certain problems you may encounter with the Agent Manager and/or agents:
v Agent Manager isn’t working as expected
v An agent isn’t running as expected
v An agent doesn’t run to completion
Agent Manager isn’t working as expected: The Agent Manager may work or may not work efficiently.
1. The Agent Manager may not be scheduled to run. If the Agent Manager isn’t running, check the
″Start time/End time″ fields on the Server Tasks - Agent Manager tab in the Server document. Any
time not specified in these fields represents downtime. If necessary, adjust the times in these settings.
2. The demand for the Agent Manager may be too high. If the Agent Manager takes too long to run
agents, reschedule agents to run at night when system demand is usually low.
If the server runs Domino 4.6 or earlier, you can increase the ″Max % busy before delay″ field in the
Server document. Domino 5 and higher does not support this field.
Note: If you allocate more resources to the Agent Manager, fewer will be available to run other server
tasks.
An agent isn’t running as expected: In addition to the possibility that there are errors in the agent code,
an agent may fail to run properly because the agent has insufficient access or because the agent is not set
to run on the given server.
1. Insufficient access in the database ACL can prevent an agent from running properly. For example, a
user may design an agent that copies selected documents from database A to database B. If the user --
and by extension, the agent -- doesn’t have Author access in the ACL of database B, the agent runs,
but it is not allowed to copy the documents. To determine if this problem exists, examine the Agent
Log for access errors after the agent runs unsuccessfully.
2. If an agent won’t run on a particular server, check the Agent Restrictions on the Security tab of the
Server document. This section contains the ″Run personal agents,″ ″Run restricted LotusScript/Java
agents,″ and ″Run unrestricted LotusScript/Java agents″ fields that specify who has access to run
agents on the server. Although a user who has the appropriate access in the database ACL may be
able to create an agent on the server, without the appropriate access in the Server document, the user
can’t run the agent.
You should also check the Server Access section on the Security tab of the Server document. This
section contains the ″Only allow server access to users listed in this Directory,″ ″Access server,″ and
″Not access server″ fields, which allow and deny access to the server. Because an agent inherits the
access privileges of the person who creates it, the agent can’t run on a server for which its creator
does not have access.
3. Scheduling conflicts may prevent an agent from running. In the Server document, click the Server
Tasks - Agent Manager tab and check the ″Daytime Parameters Start time/End time″ and ″Nighttime
Parameters Start time/End time″ fields. Any time not specified in these fields represents downtime; if
a user creates a scheduled agent and specifies that it run during the server’s Agent Manager
downtime, the agent will not run. Compare these fields in the Server document to the time the agent
is scheduled to run. If a conflict exists, change the Agent Manager schedule on the server, or ask the
user to reschedule the agent.
4. If a LotusScript or Java agent terminates before completing its tasks, check the ″Max LotusScript/Java
execution time″ fields in the Server document. If a complex agent requires more time than is
scheduled, the Agent Manager terminates the agent before completion.
Ask the user to reschedule the agent to run at night, when the default maximum execution time is
longer; or increase the value of the ″Max LotusScript/Java execution time″ field in the Server
document, as needed. If neither of these solutions is practical, ask the user to rewrite the agent as
several smaller agents.
An agent doesn’t run to completion: When an agent doesn’t finish running, check the log file
(LOG.NSF), the server console, and the Agent Log for error messages.
An agent isn’t running at the expected times: If the agent is running, but not at or near the expected
times, the server may be busy with other tasks. To gather information about when the agent last ran and
if it completed successfully, check the agent log. Then check for these conditions and correct them, if
necessary.
1. Scheduling conflicts may prevent an agent from running. In the Server document, click the Server
Tasks - Agent Manager tab, and check the ″Daytime Parameters Start time/End time″ and ″Nighttime
Parameters Start time/End time″ fields. If the values in these fields don’t account for a portion of the
day, the Agent Manager will not run during that period. For example, if the daytime parameters are 8
AM and 5 PM and the nighttime parameters are 8 PM and 8 AM, Agent Manager will not run any
agents between 5 PM and 8 PM.
2. The NOTES.INI settings may be incorrect. Check these Agent Manager settings in the server’s
NOTES.INI file:
v Amgr_DocUpdateAgentMinInterval
v Amgr_DocUpdateEventDelay
v Amgr_NewMailAgentMinInterval
v Amgr_NewMailEventDelay
3. Edit the NOTES.INI file to include the Log_AgentManager setting and set it to 1. You can also enable
this setting in the Configuration Settings document in the Domino Directory.
4. For servers running Domino 4.6 or earlier, the ″Max % busy before delay″ setting may have been
exceeded. The ″Max % busy before delay″ setting on the Server Tasks - Agent Manager tab of the
Server document controls the maximum percent of time the Agent Manager spends running agents. If
the percentage of time is exceeded, a delay occurs before Agent Manager runs the next agent. After
the percentage falls below the threshold, Agent Manager resumes running agents.
For more information on NOTES.INI settings, see the appendix ″NOTES.INI File.″
The Escrow agent isn’t working: The Escrow agent won’t work if:
v There is no Person document containing the phrase Escrow Agent in the User name field.
v More than one Person document contains the phrase Escrow Agent in the User name field.
v The Escrow agent attempts to send encrypted mail to a recipient whose Person document doesn’t
contain a public key.
Users can’t create agents: If a user can’t create agents in a particular database, check the database ACL
to see if the user has the access level required to create agents in that database. To create personal agents,
a user must have at least Reader access to the database in which the agent will be created. To create
shared agents, a user must have at least Designer access.
Clusters - Troubleshooting
These topics include information about error messages and other problems that may arise when using a
cluster.
v Some database changes are not replicating quickly to other servers
v Client requests do not fail over for certain databases even though the replicas are listed in the Cluster
Database Directory
Chapter 66. Troubleshooting 1439
v Although you marked a database Out of Service, users can still open it
v The Cluster Database Directory includes two copies of the database documents for all the databases on
a particular server
v The value of the Replica.Cluster.Retry.Waiting statistic is greater than zero
v ″Cluster Replicator was unable to configure using Cluster Database Directory cldbdir.nsf: File does not
exist″
v ″Cluster Replicator was unable to configure using Cluster Database Directory cldbdir.nsf: Invalid
replica ID for cluster database directory. If cluster name changed, delete cluster database directory and
restart cldbdir task.″
v Private folders do not replicate from one clustered database to another
v ″HTTP Server Initialization error. Could not bind port 80. Port may be in use.″
v The Server Web Navigator does not fail over
v Clients receive the message ″Server Not Responding″ instead of failing over
Some database changes are not replicating quickly to other servers.: Use the following checklist to
troubleshoot problems related to slow replication between servers in a cluster. Check that the following
conditions exist:
v The Cluster Replicator is started on the server where the modified database is located. You can check
this on the Servers - Status tab of the Domino Administrator or by sending the following command
from the server console:
show tasks
v The modified database and its replicas on other servers are listed in all the Cluster Database
Directories.
v All replicas of the modified databases have the same Replica ID. To check this, open the Databases by
Replica ID view in the Cluster Database Directory.
v The Cluster Replicator is not encountering errors when it attempts to replicate to other servers in the
cluster. Check the Replica.Cluster.Failed and Replica.Cluster.Retry.Waiting statistics to see if error
conditions exist. Also, examine the Replication Events log documents generated by the Cluster
Replicator.
v The Cluster Replicator is able to keep up with the current server replication workload. Check the
Replica.Cluster.WorkQueueDepth and Replica.Cluster.SecondsOnQueue statistics to determine if there
is a backlog of replication requests. If so, consider starting an additional Cluster Replicator.
v Cluster replication is enabled for all replicas of the database. Open the Cluster Database Directory, and
check the left column for the letter ″X.″ Databases with the letter ″X″ in the left column have cluster
replication disabled.
v CLREPL_OBEYS_QUOTAS is set to 0 (zero) if you used this setting in the Configurations Settings
document or in the NOTES.INI file. When this setting is set to 1, cluster replication obeys the database
size quotas that were set by the database administrator. The Cluster Replicator will not push changes
to a replica if the changes would result in the replica exceeding its size quota. If
CLREPL_OBEYS_QUOTAS is set to 0 or is not present at all, the Cluster Replicator ignores database
size quotas.
Client requests do not fail over for certain databases even though the replicas are listed in the Cluster
Database Directory: When there are two or more replicas of a database on a server, the Cluster Manager
uses failover by path, not failover by replica ID. To ensure that client requests fail over correctly, do not
include multiple replicas of a database on the same server; or if you do, create the replicas using the
same names and paths as the replicas to which you want to fail over.
Although I marked a database Out of Service, users can still open it: The database that users can open
may be a replica on a non-cluster server. Marking databases ″out of service,″ ″in service,″ or ″pending
delete″ works only for databases that are in a cluster. In addition, new replicas of the databases do not
inherit these attributes, even in a cluster.
To avoid creating duplicate documents, replicate the Cluster Database Directory from another server to
the server on which the Cluster Database Directory was deleted before you restart the server.
The value of the Replica.Cluster.Retry.Waiting statistic is greater than zero: This statistic indicates that
the Cluster Replicator could not complete some replications, and these replications are waiting to be
retried. To see why the replications were not successful, force the Cluster Replicator to generate a
Replication Event Log document, which includes information about all the cluster replications waiting to
be retried. To force the Cluster Replicator to log this information, send the following command from the
server console:
tell clrepl log
To view the error conditions, examine each of the Log documents generated by this command (one for
each server being replicated to), and then correct the errors. You can sometimes correct the problem by
restarting a server that is currently unreachable. When the errors are corrected, cluster replication
succeeds, and the Replica.Cluster.Retry.Waiting statistic becomes zero.
″Cluster Replicator was unable to configure using Cluster Database Directory cldbdir.nsf: File does
not exist″: This message can occur for the following reasons:
v The Cluster Replicator cannot find the Cluster Database Directory.
This often occurs when you first add a server to a cluster and the Cluster Replicator starts before the
Cluster Database Directory Manager has created the server’s Cluster Database Directory. If this is the
cause of the problem, it will resolve itself.
v The Cluster Database Directory has been deleted.
Replicate the Cluster Database Directory from a different cluster server.
″Cluster Replicator was unable to configure using Cluster Database Directory cldbdir.nsf: Invalid
replica ID for cluster database directory. If cluster name changed, delete cluster database directory and
restart cldbdir task.″: The ClReplD field in the Server document In the Domino Directory does not
match the replica ID of the Cluster Database Directory. To fix this, you can delete the Cluster Database
Directory from this server and then replicate it from a different cluster server. If this doesn’t correct the
problem, remove the server from the cluster and add it to the cluster again.
Private folders do not replicate from one clustered database to another: Check the access control list
(ACL) of the databases to be sure that the User type of the servers is ″Server″ or ″Server group.″
″HTTP Server Initialization error. Could not bind port 80. Port may be in use.″: This message can
occur if you have conflicting IP addresses or port numbers when you attempt to start the Domino Web
server on a server that is running the ICM. The most likely cause is that the ICM and HTTP task are both
attempting to use the same IP address and TCP/IP port.
Check the Server document to ensure that the ICM and the HTTP server have been assigned different
TCP/IP port numbers or that the ICM is configured to use a different IP address than the HTTP server. If
the ICM and HTTP server are both using port 80, but on different IP addresses, make sure that you have
chosen ″Enabled″ in the ″Bind to host name″ field on the Internet Protocols - HTTP tab in the Server
document.
This problem often occurs because the Web task creates the Web database when it first starts, if this
database doesn’t already exist. Therefore, it is a good idea to start the Web task on one cluster server
only, and then replicate the Web database to the other cluster servers before you start the Web task on
those servers.
Clients receive the message ″Server Not Responding″ instead of failing over: If a server becomes
unavailable while a database is open, failover does not occur. The user should reopen the database.
Reopening the database causes failover to occur if a replica exists on an available server in the cluster. If
the user was editing a document when the server became unavailable, the user can copy the document to
the replica.
″Server Not Responding″ can also appear when a user tries to send and save a message when the user’s
mail server is unavailable. The message is sent successfully because the mail router fails over. (The user
can see that the message was sent successfully by clicking the status history list in the status bar.)
However, saving a message or document does not cause failover. To save the message, the user can
reopen the database, which causes failover if a replica mail database exists on an available server. The
user can then copy the sent message to the replica.
Some of the recommended solutions involve changing the database design. You should always test
design changes on a template or a copy of the database before applying them to the production copy.
For more information on transaction logging, see the chapter ″Transaction Logging and Recovery.″
Users cannot access the database: Users may not be able to access databases for the following reasons:
The server storing the database is temporarily down: Check with the Domino administrator and tell
users when the database is expected to be available again.
Users don’t have the appropriate access: Check the database access control list (ACL) to make sure
users have the necessary access to the database. Check with the Domino administrator to ensure users
have access to the Domino server that stores the database.
For more information on user access, see the chapter ″Controlling User Access to Domino Databases.″ For
more information on server access, see the chapter ″Controlling Access to Domino Servers.″
Use a Domino 6-compliant backup program so users can access databases on a server that is being
backed up. Users can make changes to databases as a backup occurs because Domino provides a
point-in-time image of the database, beginning with the time the database backup starts.
The server is continuously updating a full-text index: If a database is large and active, database
performance can be slow if the server updates a full-text index too frequently. Change the full-text index
update frequency if necessary.
For more information on update frequency, see the chapter ″Setting Up and Managing Full-text Indexes.″
Users experience a delay when accessing the database: Users may experience a delay when accessing
databases for the following reasons:
The database is heavily used: View the user activity to see if the database is heavily used. This option
is on the Information tab of the Database Properties box. Check the server to see if its hardware and
memory are powerful enough to support the user activity for the database. If the server is not powerful
enough, you may need to upgrade hardware or memory on the server. You can also create an additional
replica of the database so all users are not always using the same one. If disk contention is a problem,
move the database to a less heavily used disk. For more information on the Database Properties box, see
Lotus Notes 6 Help.
There are too many views: If the database contains many views, consider consolidating some of them. You
can consolidate views by creating alternative collations in the same view, rather than using separate
views. Or, you can purge or delete view indexes. Database performance can suffer when a database
contains many views.
For information on managing view indexes, see the chapter ″Maintaining Databases.″ For more
information on improving view performance, see the book Application Development with Domino Designer.
View indexes are being refreshed too frequently: If the database is heavily used or contains many
documents, refresh view indexes less frequently, if possible.
For information on views, see the book Application Development with Domino Designer.
Unread mark processing may cause delays: Unread mark processing may cause delays after the database is
opened. It also creates disk contention, which slows down every operation on the database. Delays occur
as the unread marks in a database are updated while the database is opening. Disabling unread marks on
the database eliminates the delay.
For information on disabling unread marks, see the chapter ″Improving Database Performance.″
The database design is complex: A complex database design can cause performance problems. Work with
the designer to redesign or minimize performance problems.
For information on designing applications, see the book Application Development with Domino Designer.
Database performance properties are not being used: If feasible, set database properties to improve database
performance.
For information on setting database properties, see the chapter ″Improving Database Performance.″
For more information on managing the database cache, see the chapter ″Improving Database
Performance.″
Resolving conflicts when names are assigned to more than one access level: It’s possible to assign
users or servers more than one level of access to a database. The following table describes access level
conflicts and resolutions.
For more information on creating access lists that refine access to specific design elements, see the book
Application Development with Domino Designer.
Using Groups and Roles to determine what controls user access: You can use the Groups and Roles
dialog box to troubleshoot database access problems. However, use this feature only on databases that
have the option ″Enforce a consistent Access Control List across all replicas of this database″ selected.
Otherwise, Notes does not display information in the Groups and Roles dialog box.
For example, if a group from the database ACL that you think has a user’s name does not appear in the
Groups and Roles dialog box, then this indicates that:
v The user name is missing from the group or spelled incorrectly
v A role that you thought was assigned to a user is not assigned
For more information on Groups and Roles, user access, and the ″Enforce a consistent ACL″ option, see
the chapter ″Controlling User Access to Domino Databases.″
Using Find Note to analyze a document reported in the log file: You can use the Find Note dialog box
in the Domino Administrator to analyze a document reported in the log file. If the log file reports a
problem with a document, you can display the properties for the document to help you to troubleshoot
the problem. The document can be in a single database or in a database replica. For example, you can use
Find Note to review the document properties for a document that cannot replicate.
1. Copy the hexadecimal Note ID (for example, NT201B2) of the reported document from the log file to
the Clipboard. Or write down the Note ID. You may also troubleshoot using the UNID, the universal
Note ID, a unique identifier used to locate the same document across database replicas.
2. In the Server list, select the server that stores the database containing the reported document.
3. Use the Files tab to select the database that stores the reported document.
4. Choose Tools - Database - Find Note.
5. Select one:
v by Note ID
v by Universal Note ID (UNID)
Tools and methods for troubleshooting the Domino and DB2 configuration: Use these tools and
methods to troubleshoot your Domino and DB2 configuration:
v Running the Extract and Reload NSFDB2 Tool
v Verifying DB2 parameters
v Verifying that the DB2 server is running
Running the Extract and Reload NSFDB2 Tool: Use the Extract/Reload Tools when Domino is unable to
recognize DB2 databases. For example, run the extract tool when DB2 database corruption causes a server
crash, the Domino server does not recognize the DB2 databases and you want to determine the cause of
the problem. After using the extract tool to extract files, you can send the files to the Support
organization to determine the cause of the problem.
Running the tool to export tables for support: Complete these steps to extract the files to send to Support.
The Support organization can then use those files to determine the cause of the problem and to advise of
a solution for resolving the problem.
1. Run the scripts to extract the data.
2. Zip or compress the extracted files and send the archive to Support.
Support can unzip or decompress the archive and then review the log that is produced during the extract
operation to obtain information needed to reload the files. They can then run the reload script to access
the data and analyze it.
Manually exporting tables for Support: You can perform this operation manually, but we recommend you
run the scripts.
In this procedure, you export tables from a DB2-enabled Domino server. The Support organization can
then create an identical configuration when they import the tables to a destination Domino server with
DB2 enabled.
Note: Assume that the NSF database requiring attention is contained in the DB2 database DOMINO, is
named TEST.NSF and has a schema named TEST. The schema for the DOMINO DB2 database is named
DSCHEMA.
v DB2MAP
v NIFCTL
v NIFDATA
v NSFNOTE
v NSFOBJECT
v NSFOBJNAM
v NSFSLOT
v PROPERTIES
Where schema=TEST
v CATALOG
Where nsfschema=TEST
Importing tables to a destination server: Import the tables to a Domino server with DB2 enabled. Assume
that there is no database named TEST on this destination server. The schema for the DB2 database named
DOMINO is DSCHEMA, the schema for the NSF database to be imported is TEST and the tablespace is
also named TEST. The metadata listed in the table is needed to create the configuration on the destination
server.
Setting Enter
Name TEST
Type Regular
Space management System
Page size 32Kb
Buffer pool DOMINO
Dropped table recovery Enable
Add container in this directory Add a container in directory <Drive>:\<Domino server data
directory> called TEST.DB2
Verifying DB2 parameters: You can review DB2 parameters from the Domino server console, the DB2
command line processor, the server’s NOTES.INI file, and the Server document. To modify the DB2
parameters, edit the parameters in the Server document.
For information on modifying DB2 parameters in the Server documents, see the topic Setting and
modifying DB2 values in the Server document.
Viewing DB2 parameters from the Domino server console: From the Domino server console, view your
current DB2 parameters using this command
Sh config db*
Note: You cannot modify DB2 parameters using the sh config db* command. To modify DB2 parameters,
use the DB2 tab on the Server document.
Viewing DB2 parameters from the DB2 Command Line Processor: You can also view the DB2 parameters in
the Domino server’s NOTES.INI file or in the Server document. To modify the DB2 parameters, edit the
parameters in the Server document. For information on modifying DB2 parameters in the Server
documents, see the topic ″Setting DB2 values in the Server document.″
To verify DB2 parameters from the DB2 server, open the CLP and enter this command:
list db directory
Verifying that the DB2 server is running: Use this procedure to verify that the DB2 server is running.
1. Choose Start - Programs - IBM DB2 - Command Line Tools - Command Line Processor.
2. In the Command Line Processor (CLP) window, enter this command:
db2start
Resolving problems with user accounts and passwords on Domino with DB2:
v Password or account problems with OS account used to start DB2 services
v Problem with DB2 account used by Domino to communicate with DB2
v Cannot access DB2 enabled Notes database when working with DAVs
Password or account problems with OS account used to start DB2 services: If the user account that starts the
DB2 services is disabled on Microsoft Windows or if the password has expired, DB2 services will not
start when you reboot the computer and the Domino server displays errors because it cannot connect to
the DB2 server.
1. Start/restart the Domino server. The Domino server will start because the OS Account is not used
during Domino server server start up.
2. Reboot the Microsoft Windows computer that is running DB2 so that the DB2 service restarts.
Problems will be encountered when you attempt to restart the DB2 services.
When restarting the service without rebooting the computer, this error message displays.
Could not start the DB2 - DB0 service on Local Machine. Error 1069: The service did not start due to a logon failure.
When rebooting the computer running Microsoft Windows, the following errors are recorded in the
events log (EVENTS4.NSF)
®
Lotus Domino Server, Build V70_04212005NP, April 21, 2005
Copyright (c) IBM Corporation 1987, 2005. All Rights Reserved.
04/25/2005 11:15:02 AM A RM error occurred.: An error occurred accessing the db2 datasource.
DB2 CONNECTION ERROR: Domino unable to connect to DB2 database ’dominol’ as user ’mdnadmin’...
[IBM][CLI Driver] SQL1032N No start database manager command was issued. SQLSTATE=57019
The Microsoft Windows Event Properties/Logs contain these error messages for DB2 services:
The DB2 - DB2-0 service failed to start due to the following error:
The service did not start due to a logon failure.
The DB2DAS - DB2DAS00 service failed to start due to the following error:
The service did not start due to a logon failure.
Password or account problem with DB2 account used by Domino to communicate with DB2: If the user account
that the Domino server uses to authenticate with DB2 on Microsoft Windows is disabled, or the password
expires, the Domino server starts but is not able to connect to the DB2 database.
Cannot access DB2 enabled Notes database when working with DAVs: When using DAVs, if users encounter
problems while attempting to access a DB2 enabled Notes database, make sure that the ACL entry for
each user is identical to the first entry in the ″User Name″ field in that user’s Person document in the
Domino Directory on the Domino server.
DB2 Error Messges -- Troubleshooting: You may encounter one or more of these errors when using
Domino and DB2.
Note: Several of the messages that display on the user interface may use the term NSFDB2. An NSFDB2
is a DB2 enabled Notes database.
v Database cannot be created
v ICL must be an NSF not a DB2-backed database
v NSFDB2 databases require Domino 6.X or more recent
v Resolving error ″An RM error occurred. Unable to initialize DB2 services″
v Resolving error ″SQL30020N with Reason Code ″0x124C″(″0214″)″
v Resolving error ″SQL0956C Not enough storage is available in the application heap to process the
statement″
v Resolving error 0803N
v Resolving error ″failed to extend tablespace″
v Resolving errors when using SELECT
v Resolving error caused by starting DB2-enabled server twice
v Entry not found in index error message when creating a response document
v Creating a service dependency for Domino and DB2
v Use caution when deleting DB2 objects
v Domino does not connect to its DB2 database or has difficulty connecting
Resolving errors when using SELECT: If you are performing a SELECT statement using a DB2 Command
Line Processor (CLP) window, and you see any of the following errors, complete the procedure in this
topic.
SQL0443N Routine "ISREADER" (specific name "") has returned an error SQLSTATE with diagnostic text "The server is not re
If you use DB2 Access Views (DAVs) and if your environment’s configuration does not allow you to ping
your Domino server by name, edit the DB2 Access server’s Connection document after all related setup
steps are complete. To edit the DB2 Access Connection document, complete one of the procedures below.
1. (Recommended method) Complete the procedure Editing the DB2 Access server Connection
document.
2. In the field, Optional network address, enter the IP address of the DB2-enabled Domino server. Do
not enter the server name itself.
Or
1. From the Domino Administrator, click the Files tab.
2. Open the file, NAMES.NSF, for your DB2 Access server.
3. Open the DB2 Access server’s Connection document.
4. In the field, Optional network address, enter the IP address of the DB2-enabled Domino server. Do
not enter the server name itself.
Chapter 66. Troubleshooting 1449
5. Save the document.
Resolving error ″An RM error occurred. Unable to initialize DB2 services″: You may need to increase the DB2
MAXAPPLS configuration parameter if you do any of the following:
v Run multiple server add-in tasks such as LDAP, POP3, or CA.
v Add additional replicators or routers.
v Frequently run tasks such as replication or indexing from the server console.
If the error message ″An RM error occurred. Unable to initialize DB2 services″ displays after performing
any of the actions listed above, modify the value assigned to the DB2 configuration parameter,
MAXAPPLS.
When determining the value to set for MAXAPPLS, use these guidelines:
v Count each Server thread as one DB2 application. Use the Server document -- Basics tab -- Number of
active threads: field. The default is 40 for Win32.
v Count each HTTP thread as one DB2 application. Use the Server document -- Internet Protocols --
HTTP tab, Number of active threads: field. If enabled, the default for Win32 is 40.
v Other Server add-in tasks generally count as 2 DB2 applications. Some tasks have multiple threads.
v Finally, add 10 for other uses, for example, the DB2 Control Center or ″DB2 - CLP″ sessions.
In this procedure, you reset two DB2 configuration parameters, MAXAPPLS and MAXAGENTS.
1. Choose Start - Programs - IBM DB2 - Command Line Tools - Command Line Processor.
2. In the Command Line Processor (CLP) window, enter this command:
db2 update db cfg for <database name> using MAXAPPLS 100
3. Reset the DB2 configuration parameter MAXAGENTS to approximately 3 times the value of
MAXAPPLS, by entering the following in the CLP window:
db2 update dbm cfg for <database name> using MAXAGENTS 400
Resolving error ″SQL30020N with Reason Code ″0x124C″(″0214″)″: To resolve this error:
"SQL30020N with Reason Code "0x124C"("0214")"[Execution failed because of a Distributed Protocol Error ...]
Resolving error ″SQL0956C Not enough storage is available in the application heap to process the statement″:
Domino acts as a client of DB2; therefore, DB2 must be configured to support the client demand placed
on it.
Depending on your configuration, you may need to adjust the DB2 database setting for DBHEAP. If you
encounter the error message ″SQL0956C Not enough storage is available in the application heap to
process the statement″ adjust the DBHEAP parameter to a greater value.
Resolving error 0803N: If a Domino Web Access client is trying to access an NSF file on a Domino server
that uses DB2 storage, some views and folders may be inaccessible to that client if they contain DBCS
characters, especially GB18030. The Domino server console displays this error:
SQL0803N
One or more values in the INSERT statement, UPDATE
statement, or foreign key update caused by a DELETE
statement are not valid because the primary key, unique
constraint or unique index identified by "1" constrains
Resolving error ″failed to extend tablespace″: Each Notes database is represented by several DB2 tables
stored in a DB2 tablespace.
When you enable a Domino server for DB2, you can specify the directory paths where DB2 creates
container files for the DB2 tablespaces. For example, you may see an entry similar to this in the Domino
server’s NOTES.INI file, or on the DB2 tab of the Server document in NAMES.NSF:
DB2DIRECTORY=H:\db2#I:\db2
It is possible for a physical drive to become full. For example, we will assume drive H in the sample
NOTES.INI and DB2 tab entry above is full. When a physical drive is full, the following error displays in
the Domino server console:
Failed to extend tablespace. DB2 NSF failure.: 5 - [IBM][CLI Dri - [DB2/NT] SQL0968C The file system is full. SQLSTAT
Resolving the problem: To resolve this problem, do the following in DB2 using either the DB2 Control
Center or DB2 Command Line Processor:
1. Create a container file on a drive other than the drive that is full.
2. Remove the container file from the drive that is full.
3. After container rebalancing completes, move the new container file to the drive from which you
removed the full container file.
For instructions on how to create a container file and how to remove a full container file, see the DB2
Information Center http://publib.boulder.ibm.com/infocenter/db2help/index.jsp.
Drive H is full.
1. Create a new container file on Drive I. Add 100MB (1GB) to drive I, as follows:
v Connect to Domino
v ALTER TABLESPACE USER1 ADD ( FILE ’I:\db2\5.DB2NSF’ 64000 )
v CONNECT RESET
2. After container rebalancing occurs, drop the new container file on drive H.
v Connect to Domino
v ALTER TABLESPACE USER1 DROP ( FILE ’h:\db2\5.DB2NSF’ )
v CONNECT RESET
Resolving error caused by starting DB2-enabled server twice: If you start the DB2-enabled server twice by
doing any of the following, an error message is generated.
v Starting the DB2 server when it is already running
v Clicking the shortcut icon too quickly and causing the server to start twice
Note: The error is not written to the server console; therefore, you must check the log file to see the error
message.
When the server is started twice, the log file, NSERVER.LOG, contains error messages similar to the
following:
[1098:0002-04C4] A RM error occurred
[1098:0002-04C4] DB2 Connection preallocation complete, availableCount=0
[1098:0002-04C4] 03/26/2004 10:58:01 PM Unable to initialize DB2 services. DB2-based nsfs will be unusable.
[1098:0002-04C4] Server exiting:: Partition d.org3.lotus.domino.data is already in use.
Resolving this error: To resolve this error, shut down and then restart the DB2 server.
1. Shut down the Domino server.
2. From the DB2 Command Line Processor (CLP), stop the DB2 server by entering this command:
db2stop force
3. Restart the DB2 server by entering this command:
db2start
4. Start the Domino server.
Entry not found in index error message when creating a response document: If you attempt to add a new
Response document to an existing Response-to-Response document at the View level or if the document
was open and you selected New Response to Main document, the following error message appears:
Entry not found in Index.
Database cannot be created: There are situations in which Domino with DB2 is unable to create the DB2
enabled Notes database. DB2 returns an error message indicating that the DB2 enabled Notes database
cannot be created. For example,
v If you are using a version of Notes/Domino released prior to Domino 6.0, DB2 cannot create the DB2
enabled Notes database. The following error is generated: NSFDB2 Databases require Notes/Domino
6.0 or later database versions.
v DB2 services are not available. May generate the following error: Domino server is not DB2-enabled or
DB2 services were unable to initialize when the server started up.
ICL must be an NSF not a DB2-backed database: The Internet Certifier List (ICL) must be an NSF, not a DB2
database. If the ICL is created as a DB2 database, the following error appears:
CA Process: Error initializing certifier context (CN=OAca/O=ibm) from ICL db IDStorage form: Error accessing IDStorage docu
Create the ICL prior to running the DB2 Server Enablement Tool and verify that NSF is selected in the
″DB Default Creation″ field on the DB2 tab of the Server document. To prevent the CA Process from
failing, the ICL must be created prior to running the DB2 Server Enablement Tool, and it must have a
database default creation type of NSF.
Creating a service dependency for Domino and DB2: If you are using a local configuration with
Domino and DB2 running on the same computer, you may want to create a service dependency in
Microsoft Windows. Creating a service dependency between Domino and DB2 ensures that when Domino
is configured to run as a service, the Domino service only starts after the DB2 service starts for that DB2
instance. This service dependency applies only to a local configuration of Domino and DB2. Before
creating the service dependency, read all of the information in this topic.
You need to be aware of the following information when creating the service dependency:
v The Registry subkeys for services are located in the following path. These subkeys control how services
are loaded.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Lotus Domino Server (Data)\
v Create a new value named Depend on Service and then enter REG_MULTI_SZ as the data type.
v In the Data dialog box enter the name of the service exactly as the name of the service appears in the
registry under the Services key. When the computer starts, it uses this entry to verify that the service or
services listed in this value are started before attempting to start the dependent service.
v After creating the dependency, shut down and restart your system. The service manager process loads
the dependency list when the system restarts.
http://www.microsoft.com/windows2000/techinfo/reskit/en-
us/default.asp?url=/windows2000/techinfo/reskit/en-us/regentry/46710.asp
http://support.microsoft.com/default.aspx?scid=kb;en-us;193888
http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/deployguide/en-
us/Default.asp?url=/resources/documentation/WindowsServ/2003/all/deployguide/en-us/46710.asp
Use caution when deleting DB2 objects: Use caution when deleting any DB2 objects such as tables,
views, or UDFs (User Design Functions) from DB2 because deleting DB2 objects causes Notes NSF to
become corrupt and not function.
NSFDB2 databases require Domino 6.X or more recent: You must have Server Administrator rights to
perform the following database tasks for databases with ODS version ODS41. The database will have a
file name extension of NS5 for ODS version ODS41 and will be stored in NSF format on a DB2-enabled
Domino server.
v Create a database replica of a database
v Copy a database
v Create a new database with an NS5 file name extension on a DB2-enabled Domino server.
Compact database options are enabled for Domino and DB2: Several Compact options are
implemented for Domino and DB2 configurations. When the -B option is applied to a DB2 enabled Notes
database, it reclaims disk space through tablespace reduction. This is accomplished by a series of table
and index reorganizations in DB2, which attempt to lower the tablespace’s high water mark (HWM) so
that the tablespace can be reduced in size. The effect of the DB2 table and index reorganizations is more
significant if you run compact when Domino is not running. Space reclamation in DB2 is entirely
different than that which a Domino administrator is accustomed to. Performing compact -B on a DB2
enabled Notes database does not guarantee that any space can be reclaimed.
Running compact -B on a directory results in a single set of table and index reorganizations because
several DB2 enabled Notes databases can exist in a set of tables within a tablespace. The table and index
reorganizations for data in a DB2 enabled Notes database are deferred until compact is finished with
regular NSF processing.
Note: The Compact -b option does not have any impact on a DB2 enabled Notes database.
The Domino administrator should be familiar with the DB2 Database Analysis and Reporting Tool
(db2dart.) Db2dart is a DB2 utility that displays tablespace usage information, including what needs to be
done to best lower the HWM of a tablespace so that the tablespace can be reduced in size.
NSFDB2 created with Domino 7 beta 1 may not work correctly with more recent Domino beta
releases: If DB2 services are down, all DB2-enabled Notes databases (NSFDB2 databases) that were
created using the beta 1 release of Domino 7 and DB2 display in the Domino Administrator client with
NSF icons, not DB2-enabled Notes databases icons. The DB2 enabled Notes database size is also incorrect.
You can also check the file, DB2DIAG.LOG, in the instance in which DB2 is installed. By default, DB2 is
installed in c:\Program Files\IBM\SQLLIB, and the default instance name is DB2. If you used all of the
defaults, check this path: c:\Program Files\IBM\SQLLIB\DB2\db2diag.log.
If DB2 is remote but is installed on a computer running Microsoft Windows, enter the ″net user″
command on the computer on which DB2 is installed.
Spell check character set should match server OS: The Domino Web Access spell check functionality
will not work properly, unless the Domino server operating system character set is the same as the text
being checked. If this is not the case, the spell check engine may not correctly interpret some characters.
Text in some fields displays too small in localized versions: In some localized versions of Domino Web
Access on Mozilla Firefox on Linux, text in some of the fields, such as Search or cc: may appear too
small. This happens if the browser character encoding is set to Unicode (UTF-8) or Western (ISO-8859-1,
for example). Users can customize the browser Character Encoding set to the required language (View -
Character Encoding - Customize List).
Pop-up blockers prevent windows from opening: Pop-up blockers may prevent new windows from
launching, which makes Domino Web Access unusable. For example, users cannot create a new message
or calendar entry because they pop-up blocker prevents the new message or calendar entry form from
opening. Pop-up blockers are enabled by default on some browsers. To resolve this issue, users can either
disable pop-up blocking altogether, or add allowed sites, such as *.ibm.com, for example.
Users cannot open doc links on servers other than mail server: To allow users to open attached doc
links for documents that reside on servers other than the mail server, you must enable the field ″redirect
to resolve external links″ in the Server document or the Internet Site document (if configured). You must
also replicate the server’s catalog.nsf with that of the external server.
For information on finding links with the Redirect URL command, see the Chapter ″Setting up the
Domino Web Server″ in the Lotus Domino Administrator Help.
Attachments larger than 10MB are not allowed: By default Domino Web Access allows a maximum
attachment size of 50,000K (50MB), which you can increase by setting the ″Maximum attachment size
(kb)″ field in the Domino server Configuration Settings document on the Domino Web Access tab.
However, attachment size is based on two parameters that default to a 10,000K (10MB) limit independent
of this setting. So even though Domino Web Access allows for a larger attachment, the following two
settings must be increased to a value larger than the Domino Web Access maximum attachment setting
for users to be able to add attachments larger than 10MB.
In the Server or Web Site document, set these settings higher than the Domino Web Access ″Maximum
attachment size″ field:
v In the Server document -- Internet Protocols - HTTP - Maximum Size of Request
v In the Server or Web Site document -- Internet Protocols - Domino Web Engine - Maximum Post data
You can also search for solutions to common problems on the IBM Lotus Support Services Web site at
www.ibm.com/software/lotus/support/.
Directory assistance -- Troubleshooting: These topics describe problems you may encounter with
directory assistance.
v Internet user authentication using a secondary Domino Directory or Extended Directory Catalog fails.
v Internet user authentication using an LDAP directory fails.
v Database authorization using groups in a secondary directory fails.
v Searches in a secondary Domino Directory configured in directory assistance fail.
v ″Directory assistance could not access Public Address Book on Server x, error is Server Not
Responding″.
Tip: To record at the server console detailed information about specific Web user authentication sessions
to help troubleshoot Web user authentication problems, use the NOTES.INI setting
WebAuth_Verbose_Trace.
Internet user authentication using a secondary Domino Directory or Extended Directory Catalog fails: To
authenticate Internet users registered in a secondary Domino Directory, make sure you complete these
steps:
1. Select ″Notes as the ″Domain Type″ in the Directory Assistance document.
2. Set ″Trusted for credentials″ to Yes for at least one naming rule in the Directory Assistance document.
The rule or rules should correspond to the names of the Internet users you want to authenticate.
3. Enter the secondary directory’s Domino domain in the ″Domain Name″ field. Do not enter: the name
of a condensed Directory Catalog, the name of the server’s primary domain, or a domain name that is
used in another Directory Assistance document. If you created the secondary directory manually and
it’s not associated with a Domino domain, make up a unique domain name.
4. If you use name-and-password authentication, and you choose the authentication option ″Fewer name
variations with higher security,″ make sure users provide either their hierarchical names or common
names for authentication rather than first names, last names, or short names only.
For more information on this server authentication option, see the chapter ″Setting Up
Name-and-Password and Anonymous Access to Domino Servers.″
5. If you include groups of users in database ACLs on the server that authenticates, store those groups
in the server’s primary Domino Directory and/or in one directory enabled for ″Group authorization″
in the directory assistance database.
Internet user authentication using an LDAP directory fails: To authenticate Internet users registered in a
remote LDAP directory, make sure you complete these steps:
1. Select LDAP as the ″Domain Type″ in the Directory Assistance document.
2. Specify a ″Domain Name″ that is not the Domino domain of the servers that use directory assistance
and that is not used in another Directory Assistance document.
3. (Recommended) Enter ″1″ as the search order.
4. Set ″Trusted for credentials″ to Yes for at least one naming rule in the Directory Assistance document
that corresponds to the names of the users to authenticate.
5. If the remote LDAP server requires a base DN, enter it in the field, ″Base DN for search.″
Database authorization using groups in a secondary directory fails: To search a secondary directory -- Domino
or LDAP -- for the members of groups listed in database ACLs, make sure you complete these steps:
1. Specify a ″Domain Name″ that is not the Domino domain of the servers that use directory assistance
and that is not used in another Directory Assistance document.
2. Set the ″Group Authorization″ field to ″Yes;″ enable this option in only one Directory Assistance
document.
3. Set ″Trusted for credentials″ to yes for at least one naming rule that represents the names within the
groups to search.
4. If the directory is a Microsoft Active Directory, choose ″Active Directory″ in the ″Type of search filter
to use″ field of the Directory Assistance document.
5. If the directory is a remote LDAP directory, when you add the name of a hierarchical group from an
LDAP directory to a Notes database ACL, use the LDAP format for the name, but use forward slashes
as delimiters (/) rather than commas (,). If the name of the LDAP directory group is not hierarchical,
in a Notes database ACL enter the value for the group name without the associated LDAP attribute.
For example, if the name of the LDAP directory group is cn=managers,ou=groups,o=acme, in the
database ACL enter cn=managers/ou=groups/o=acme. If the name of the group is cn=managers, in
the database ACL enter managers.
6. Select ″Notes clients/Internet Authentication/Authorization″ in the ″Make this domain available to″
field.
7. If the directory is a remote LDAP directory and you’ve enabled ″Channel encryption,″ make sure
you’ve configured SSL correctly.
8. If the directory is on a remote LDAP directory server that doesn’t allow anonymous connections,
make sure you’ve entered a user name and password in the ″Optional Authentication Credential″
section of the Directory Assistance document.
9. If the members of groups on a remote LDAP directory server change, stop and restart the Domino
server that connects to the LDAP server. This ensures that the Domino server flushes its group cache
and retrieves the most up-to-date group information.
Searches in a secondary Domino Directory configured in directory assistance fail: Make sure the domain
specified in the Domain Name field of the Directory Assistance document for the secondary directory is
different from the primary Domino Directory and any other directories configured in directory assistance.
If the Domain Name specified for the secondary Domino Directory is not unique, searches of the
secondary directory fail, and you see the message ″User xxx not found in any Name and Address Book.″
If the secondary directory is not associated with a Domino domain, be sure to enter a unique Domain
Name that is different from the primary domain of the servers that store the secondary directory.
Don’t enter the name of a condensed Directory Catalog in a Directory Assistance document.
This message may also appear when a server that uses directory assistance attempts to look up a name in
a secondary Domino Directory that is on an unavailable server. As a failover mechanism, you can specify
more than one replica of a secondary directory for directory assistance to use.
Directory catalogs -- Troubleshooting: These topics describe problems you may encounter with
directory catalogs:
v Names are missing from the directory catalog.
v Users can’t use type-ahead addressing to look up names in a condensed Directory Catalog.
v Domino isn’t searching a directory catalog on a server.
v Internet user name-and-password authentication using a condensed Directory Catalog fails.
v LDAP searches of a condensed Directory Catalog aren’t working.
v A directory catalog is not full-text indexed or the full-text index is corrupted.
v The User Setup Profile doesn’t push Mobile Directory Catalogs to users
v The Router is finding the same name in multiple directories even though ″Exhaustive lookup″ is
disabled..
v Users can’t do full-text searches of a condensed Directory Catalog.
Names are missing from the directory catalog: If names appear to be missing from the directory catalog, take
these steps to troubleshoot the problem.
If the ″Remove duplicate users″ option is enabled, see if someone has deleted a duplicate entry from one of the full
Domino directories: If the ″Remove duplicate users″ option is enabled, the Dircat task doesn’t add into the
directory catalog all entries associated with an identical hierarchical name. Instead, the task adds an entry
from the first directory in which it encounters the name. Dircat searches directories in the order that
they’re specified in the ″Directories to include″ configuration field.
If someone removes a duplicate entry from the full Domino Directory that has already been the entry
used in the directory catalog, that name is removed from the catalog. For example, if the Acme East and
the Acme West directories both contain an entry with the name, Phyllis Spera/Acme, if ″Remove
To correct the problem, make a minor change to the remaining entry -- in the above example, the entry in
Acme West. This change causes Dircat to add the entry to the directory catalog the next time it runs. You
can also correct the problem by clicking the ″Clear History″ button in the directory catalog Configuration
document, although this approach rebuilds the entire directory catalog.
Verify that the User Name fields have values: If there’s no value in the User Name (FullName) field in a
Person document, the Dircat task won’t build the entry in the directory catalog. Notes registration adds
values to User Name fields automatically, but if you created Person entries without using the Notes
registration program, check that the entries have values in this field.
Use Log_Dircat=1: If the above steps don’t solve the problem, add the NOTES.INI setting Log_Dircat=1,
which logs information about the Dircat task in the log file (LOG.NSF). Use the logged information to
help troubleshoot the problem.
For more information on the log file, see the chapter ″Using Log Files.″ For more information on the
NOTES.INI file, see the appendix ″NOTES.INI File.″
Users can’t use type-ahead addressing to look up names in a condensed Directory Catalog: Type-ahead
addressing looks up a name in a condensed Directory Catalog only if the order in which the user types
the name corresponds to the ″Sort by″ format configured for the directory catalog. For example, if the
configured ″Sort by″ format is ″Distinguished name,″ type-ahead looks up the name in a directory catalog
only when a user types the first name before the last name. Or, if the ″Sort by″ format is set to ″Last
name,″ type-ahead looks up the name in a directory catalog only when a user types the last name before
the first name.
Domino isn’t searching a directory catalog on a server: To search an Extended Directory Catalog that is not
integrated into its primary Domino Directory, a server must be set up to use a directory assistance
database that contains a Directory Assistance document for the directory catalog.
To search a condensed Directory Catalog, a server must store a local replica of the directory catalog. In
addition, you must specify the file name for this replica in either the Directory Profile or in the Basics
section of the Server document in the server’s primary Domino Directory.
For more information on directory catalogs, see the chapter ″Setting Up Directory Catalogs.″
Internet user name-and-password authentication using a condensed Directory Catalog fails: If you’re having
difficulty setting up a server to use a condensed Directory Catalog to look up names and passwords to
authenticate Internet users, take these steps to troubleshoot the problem.
Note: These steps do not apply to authentication using an Extended Directory Catalog.
1. Test that authentication using directory assistance alone is working.
v Temporarily disable the directory catalog. Remove the directory catalog file name from the server’s
primary Domino Directory. Remove the directory catalog file name from the Directory Profile and
from the Basics tab of the Server document; the file name is probably stored in only one of these
locations but if it is in both locations, remove the name from both.
v Restart the appropriate Internet protocol server task. For example, for a Web server, restart the
HTTP task.
v Verify that the server can authenticate to each secondary Domino Directory configured in the
directory assistance database that you want to use for authentication. If authentication fails, go to
step 2. If authentication is successful, go to step 3.
LDAP searches of a condensed Directory Catalog aren’t working: If the LDAP service isn’t searching a local
condensed Directory Catalog as expected, make sure the directory catalog has a functioning, full-text
index. The LDAP service always use the directory catalog full-text index to process searches. The LDAP
service can return the error ″LDAP error ’DSA is unwilling to perform’ (0x35)″ when attempting to search
a directory catalog that is not full text indexed. If necessary, delete and then re-create the full-text index.
A condensed Directory Catalog is not full-text indexed or the full-text index is corrupted: When you first create
a condensed Directory Catalog, you must manually create a full-text index for it; you are prompted to
create the index when you create the database. When you replicate the directory catalog however,
Domino automatically creates the full-text index on the replica. If you create a copy rather than a replica,
you must manually create the full-text index on the copy.
User Setup Profile doesn’t push Mobile Directory Catalogs to users: To use a User Setup Profile to set up
mobile directory catalogs on Notes clients, you must paste a database link of a replica of the directory
catalog in the ″Mobile directory catalogs″ field of the User Setup Profile. The Notes clients don’t receive a
replica of the mobile directory catalog until the User Setup Profile replicates to the users’ mail servers
and the users authenticate with the mail servers.
Router is finding the same name in multiple directories even though the ″Exhaustive lookup″ setting is disabled:
By default, the Router configuration option ″Exhaustive lookup″ -- available on the Router/SMTP - Basics
tab of a Configuration Settings document -- is disabled. If you keep this default setting, once the Router
finds a name, it doesn’t continue its search to other secondary Domino directories. Disabling exhaustive
lookups is a way to improve Router performance .
By design, disabling ″Exhaustive lookup″ does not apply to a directory catalog. The Router always
searches the primary Domino Directory and the entire server directory catalog, even if the exhaustive
lookup setting is disabled. This is intended behavior since the Router can use the directory catalog to, in
effect, quickly search multiple secondary directories rather than having to take the performance hit of
searching these directories individually. These exhaustive lookups allow the Router to ensure there are no
duplicate recipient names that might prevent the message from getting to the right person.
The Router returns a delivery failure when it finds a name associated with more than one directory entry
and the entries do not have the same Mail server, Mail file, or Domains specified. To avoid such delivery
failures when duplicate entries actually represent the same person (for example, when someone’s name
and directory location within the organization have changed but you want to allow people to address
mail using the original name), make the entries in the Mail server, Mail file, and Domain fields identical
for each entry.
Users can’t do full-text searches of a condensed Directory Catalog: A condensed Directory Catalog doesn’t
support direct full-text searches by users, only indirect full-text searches via LDAP, mail addressing, and
so on.
LDAP service -- Troubleshooting: These topics describe problems you may encounter with the LDAP
service:
v Name and password authentication fails for LDAP clients connecting to the LDAP service
v LDAP searches are slow
v Anonymous LDAP users can’t search certain fields
v ″LDAP Server: Initialization failure: The full text index needs to be rebuilt″
v LDAP searches don’t return a cn attribute
v LDAP error ″Insufficient Access″ returned on an LDAP Add operation
v LDAP clients can’t connect to the server over SSL when the server uses a self-signed Domino server
certificate
v ″LDAP Schema: Failed exporting″ error
Name and password authentication fails for LDAP clients connecting to the LDAP service: To authenticate
using name-and-password security some LDAP clients, for example Microsoft Internet Explorer and
Notes clients with LDAP accounts, first do an anonymous search to retrieve the distinguished names
used for the authentication, so that users don’t have to specify the distinguished names themselves. To
enable such clients to authenticate using names and passwords, you must enable anonymous access, as
well as name and password authentication, for the LDAP service port the clients use to connect. You
For information on anonymous access and the LDAP service, see the chapter ″Setting Up the LDAP
Service.″
LDAP searches are slow: If LDAP searches are slow, do the following on the replica of the primary
Domino Directory. If you extend LDAP searches to secondary Domino Directories, also do the following
on each replica of the secondary directory.
1. Create a full-text index for the directory.
2. If you’ve created a full-text index for the directory and performance is still slow, consider editing the
value of these LDAP configuration fields:
v ″Maximum number of entries returned″ limits the number of entries that the LDAP server can
return. By default there is no limit, but you might set a limit of 100 entries, for example.
v ″Timeout″ limits the amount of time that LDAP searches can take. By default, there is no limit, but
you might set a limit of 60 seconds, for example.
v ″Minimum characters for wildcard search″ increases the number of characters that users must enter
before the first wildcard in a substring search filter. The default is 1. Don’t specify 0 unless the
directory is very small; specifying 0 can result in slow searches.
For more information on improving LDAP service performance, see the chapter ″Setting Up the LDAP
Service.″
Anonymous LDAP users can’t search certain fields: Make sure you’ve enabled the fields for anonymous
access, using the domain Configuration Settings document or the database ACL/extended ACL. Keep in
mind that you configure fields for anonymous access separately for the LDAP service’s primary Domino
Directory and for each secondary Domino directory the LDAP service serves.
For more information on anonymous LDAP search access, see the chapter ″Setting Up the LDAP Service.″
″LDAP Server: Initialization failure: The full text index needs to be rebuilt″: If the LDAP service setting
″Automatically Full Text Index Domino Directory″ is set to Yes in a domain Configuration Settings
document, this message can appear on a server running the LDAP service if the full-text index for the
primary Domino Directory is corrupted and requires rebuilding. The LDAP service shuts down after
displaying the message. To correct the problem:
1. Use the Exit or Quit command to shut down the Domino server.
2. At the operating system prompt, issue one of the following commands from the Domino program
directory to run the updall task and rebuild the directory full-text index:
v On UNIX type: updall directory.nsf -X
where directory.nsf is the file name of the primary Domino Directory.
3. Restart the server.
LDAP searches don’t return a cn attribute: If you add a Person document to the Domino Directory without
using Notes registration, and you enter a hierarchical name in the FullName (User name) field, the
leftmost part of the distinguished name does not automatically become the cn (common name) attribute
value. You must add the common name as a second value in the FullName field to define a cn attribute
for the entry.
This is also true for groups and servers. if you add a Group or Server document to the Domino Directory
without using Notes registration, you must add the common name as a second value in the ListName or
ServerName fields
Person documents created through Notes registration automatically have a second value added to the
FullName field to define the cn attribute.
Chapter 66. Troubleshooting 1461
LDAP error ″Insufficient Access″ returned on an LDAP Add operation: If you see this error in response to an
LDAP Add operation, do the following:
1. Verify that the option ″Allow LDAP users write is set to ″Yes″ in the LDAP section of the
Configuration Settings document for that Domino Directory.
2. Verify that the LDAP user has the necessary access in the Domino Directory database ACL and
extended ACL, if an extended ACL is used.
3. If the LDAP user has Author access in the ACL, verify that the LDAP user has the proper Creator
Role ([UserCreator], [GroupCreator], [ServerCreator] for the type of entry being added.
4. Verify that Form Properties are correctly set to allow the LDAP user to create documents with the
form used to add the entry.
LDAP clients can’t connect to the LDAP service over SSL when the server uses a self-signed Domino server
certificate: If the server that runs the LDAP service uses a self-signed Domino certificate, non-Notes
LDAP clients can only perform LDAP searches over SSL if they first connect to the Domino server over
SSL using a different protocol (for example HTTPS or IMAP). The client software then presents a warning
dialog stating that the server’s self-signed certificate is not issued by a trusted Certificate Authority and
gives the users the option to accept the certificate. The users must accept the certificate before they can
perform LDAP searches over SSL.
″LDAP Schema: Failed exporting″ error: If you use the tell ldap exportschema command when the Domino
LDAP Schema database (SCHEMA.NSF) is open, schema exporting fails and the LDAP service returns
this error. Close the database before using this command.
LDAP service and remote search operations: Additional steps may be required to guarantee that a Domino
LDAP service running on one Domino server can successfully search another server’s Domino Directory.
When extended access is enabled for the remote directory, or when the search request comes from an
authenticated LDAP client, in order to do the remote search, the database ACL on the remote directory
must grant the server that receives the LDAP request at least Reader access, defined through a ″Server″
or ″Server group″ entry. By default, the LocalDomainServers and OtherDomainServers groups have the
required access in the Domino Directory ACL, so no special configuration is required for the normal case
where both servers are in the same domain.
Extended ACL -- Troubleshooting: These topics describes situations you may encounter when using
extended ACLs:
v The access specified for subject is different than the subject’s actual access.
v The Target box doesn’t show documents.
v I can’t change a subject’s access to a target.
v Notes and Web users are getting unexpected results when accessing the directory
v ″Extended access controls are enabled in this domain. You must modify the Domino Directory on a
version 6 or later Domino server.″
v Allowing users to see column values when extended ACLs are used
v LDAP service and remote search operations
v Maximum Internet name and password settings with Extended Access
v NAMELookups to remote directories with Extended Access warnings
The access specified for subject is different than the subject’s actual access: The access you see set for a subject
at an extended ACL target may not reflect the actual, effective access the subject has. For example, there
may be access set for another subject that takes precedence. Or the database ACL may not actually allow
the access that has been set for the subject in the extended ACL. Click Effective Access in the ″Extended
access at target″ dialog box to find out more about what is controlling a particular user’s access to an
extended ACL target.
Documents show under a target category only if there names are defined through a FullName, ListName,
or ServerName field. Access set at the / (root) controls access to documents that don’t use FullName,
ListName, or ServerName fields.
I can’t change a subject’s access to a target: To modify a subject’s privileges to a selected target, you must
have Manager access in the directory database ACL, or Editor access and the Administer privilege to the
selected target. If you do not have the required access, a subject’s privileges are grayed out.
In addition, if Show All is selected next to ″People, Servers, Groups″ in the ″Extended access at: target″
dialog box, the list of subjects includes those whose privileges to the selected target are inherited from a
higher target with the scope ″This container and all descendants″ selected. When you select such a
subject, the subject’s privileges are grayed out. In this case you can change the subject’s privileges at the
higher target and have the current target inherit the changes. Or you can add the subject to the current
target with new privileges that override the inherited privileges at the current target.
Notes and Web users are getting unexpected results when accessing the directory: If you are controlling the
access of Notes and Web users, be aware of the following issues. These issues do not apply to access
through other means, such as access through LDAP operations or through the Notes applications, except
where indicated.
v If you deny a Notes or Web user access to a field in a document, when the user opens the document,
the document does not show the field and the text (TRUNCATED) shows in the tab of the document.
In addition, the user is unable to edit the document, even if the user has write access to the fields in it.
v If you deny a Notes or Web user access to a field in a document that a view uses to sort the document,
the name of the document is blank in the view. The user can still select the document to open it.
v To delete a document, a Notes or Web user must be able to see the document in a view. To see a
document requires Browse access to the document.
v To create a document, a Notes or Web user or a Notes application must have Create access to the
document as well as Write access to the fields to which the user/application will add values.
″Extended access controls are enabled in this domain. You must modify the Domino Directory on a version 6 or
later Domino server.″: This message indicates that you have attempted to modify a Domino Directory or
Extended Directory on a server running a previous release and the directory has the Extended Access
feature enabled. When Extended Access is enabled, changes to a replica of the directory on a server
running a previous release cannot replicate to a Lotus Domino 6 server, and so you should make the
changes to a replica on a Lotus Domino 6 server instead.
Allowing users to see column values when extended ACLs are used: If you use an extended ACL to prevent
users from reading a field in documents, and if a column formula in a view uses the field, the user will
not see values in the column. To allow a user to see values in a view column when extended ACLs are
used, make sure the user has read access to all of the fields used in the column formula.
Maximum Internet name and password settings with Extended Access: The default database ACL setting on a
Domino Directory for ″Maximum Internet Name & Password″ is Editor. When Extended Access is
enabled, this setting affects authenticated LDAP searches. If an entry in the database ACL is set higher
than Editor access (for example, Manager), that user’s access to the database will be lowered to Editor
when authenticating with their Internet password.
In order for authenticated LDAP searches for entries with Manager access to override Extended Access
restrictions, set ″Maximum Internet Name & Password″ to Manager by selecting File -> Database ->
Access Control -> Advanced.
When a Domino server tries to access a remote Domino Directory that has Extended Access enabled
through Directory Assistance, the remote server must know about this directory being accessed. In other
words, the directory indicated in Directory Assistance on the first server must either be the Primary
Directory on the remote Domino server (typically names.nsf), or a local secondary directory configured
through Directory Assistance on that same remote server.
If you attempt to access the remote directory without the remote server knowing of the remote directory,
the first attempt will generate the following message on the first Domino server:
WARNING: NAMELookups from this server to the remote Domino Directory is prohibited.
This additional security requirement applies only when there are remote Domino Directories with
Extended ACLs enabled. Correct this error by creating a Directory Assistance document
for the remote server.
on
You can also search for solutions to common problems on the IBM Lotus Support Services Web site at
www.ibm.com/software/lotus/support/.
Delivery Failure Reports: Users should always try to resend a memo for which they receive a Delivery
Failure Report. To help users troubleshoot delivery failure, ask them to use Steps 1 - 3 below to send you
a copy of their mail database. Sending you a copy of their mail database preserves the field properties of
the reports, which you analyze as a means of troubleshooting.
1. The user creates a new mail database on the workstation. From the menu, choose File - Database -
New. Be sure to use the current (MAIL6.NTF) mail template.
2. The user copies a Delivery Failure Report from the original mail file and pastes it into the new
database.
3. The user attaches the new mail database to a mail message and sends it to you.
4. You open the mail database attached to the mail message and select a Delivery Failure Report.
The Delivery Failure Report identifies the reason the delivery failed and the routing path over which
the message was sent. Use this information to further investigate the problem.
Mail trace: To troubleshoot mail routing or test mail connections, trace a mail delivery to test whether a
message can be successfully delivered without actually sending a test message.
1. From the Domino Administrator, click the Messaging - Mail tab.
2. If necessary, click Tools to display the tool bar.
3. From the tool bar, click Messaging - Send Mail Trace.
Field Enter
To The mail address of a particular user
Subject The subject of the trace
Send delivery report from Choose one:
v Each router on path to receive a delivery report from each router on the path
v Last router only to receive a delivery report from the last router only
Mail routing topology maps: Mail routing topology maps are useful to track mail routing problems
between servers.
1. From the Domino Administrator, click the Messaging - Mail tab.
2. Choose one:
v Mail routing topology by connections
v Mail routing topology by named networks
Undelivered mail: From the Domino Administrator, click the Messaging - Mail tab, then select Mail
routing status. You can also check for undelivered mail in the mail routing events view in the log file
(LOG.NSF).
Mail routing event generators: Using a mail routing event generator, you can test and gather statistics on
mail routes.
For more information on probes, see the chapter ″Monitoring the Domino Server.″
Mail routing -- Problems and error messages: These topics describe common problems and errors
related to sending and/or receiving mail:
v User can’t receive any mail, including mail sent by users whose mail files are on the same server
v ″File is in use by another process″
v ″NAMES.NSF does not contain a required view″
v ″No route found to Domain x from Server y″
v ″Router: Possibly no DOMAIN set...″
v ″Server Error: File Does Not Exist″
v ″User name is not unique″
v ″User not listed in the Public Address Book″
v Users unexpectedly required to include @domainname after each address
User can’t receive any mail, including mail sent by users whose mail files are on the same server: If a
user can’t receive any mail, including mail sent by other users whose mail files are on the same mail
server, check the Mail Routing Events view of the workstation’s log file for deliveries. Also, check the
MAIL.BOX file on the user’s workstation to see if mail is being trapped there. Modify the
Log_MailRouting setting in the NOTES.INI file to log more detailed mail routing information on the
console and in the log file.
″File is in use by another process″: If the recipient’s mail file or the MAIL.BOX file on the sending or
receiving server is being backed up, Domino generates the message ″File is in use by another process.″
Wait for the backup to complete, and then resend the message.
″NAMES.NSF does not contain a required view″ appears when sending mail to users on the same mail
server: If all users on the same mail server can’t send or receive mail and they receive the message
″NAMES.NSF does not contain a required view,″ you need to update the design of the Domino Directory.
For more information on updating the design of the Domino Directory, see the appendix ″Customizing
the Domino Directory.″
″No route found to Domain x from Server y″: If users can’t send mail to another domain and receive a
message such as ″No route found to Domain x from Server y,″ make sure that each domain’s Domino
Directory has a Connection document from one of its servers to a server in the other domain. If a
Connection document doesn’t exist, create one. If there is a Connection document, make sure the
information contained in it is correct.
″Router: Possibly no DOMAIN set; use SET CONFIG DOMAIN=name to set it; or replace the Name
and Address Book design.″: If this message appears on console and then the Router shuts down, the
Server document may contain errors. In the Server document, verify that the domain is set, and that the
ServerKeyFileName (or KeyFileName) both refer to the server ID for that server. If necessary, make
corrections to the Server document. Also check that the Location document that you’re using refers to the
correct server ID. If necessary, edit the Location document so that it refers to the correct server ID.
″Server Error: File Does Not Exist″: This message occurs when a user tries to read a message that is
linked to an active shared mail file that has been improperly moved to a different directory, partition, or
hard drive.
For information on creating and enabling a shared mail database, see the chapter ″Setting Up Shared
Mail.″
″User name is not unique″ in a Delivery Failure Report: Check the Domino Directory for multiple
occurrences of the recipient’s name. There may be more than one Person document for a user, or a user
and a group may have the same name.
″User not listed in the Public Address Book″ appears with returned mail: If the recipient’s name is
misspelled, mail is returned to the sender, along with the message ″User not listed in the Public Address
Book.″ If the domain name is misspelled, mail is returned with the message ″No route found to domain
name from server name.″ Check the Domino Directory for the correct spelling of the names, and resend the
document.
Users unexpectedly required to include @domainname after each address: If users report that they
can’t send mail to another domain unless they include @domainname after each address, configure
directory assistance and directory catalogs to include the directories from the other domains.
How to troubleshoot mail routing: When dead or pending mail indicates a problem with mail routing
or when users have problems sending or receiving mail, use these tips to gather information, identify the
problem, and then correct it.
1. Analyze any Delivery Failure Reports.
2. Trace the mail delivery route.
3. Check the Domino Directory for errors that affect mail.
4. Check the sender’s and/or recipient’s workstation(s) for errors that affect mail.
5. Checking the server for errors that affect mail.
6. Check the shared mail setup.
Checking the Domino Directory for errors that affect mail: The Domino Directory is the source of
many conditions that prevent mail from routing properly. Check for these conditions and correct them, if
necessary.
Checking the sender’s and/or recipient’s workstation for errors that affect mail: Check for these
conditions and correct them, if necessary.
1. Check the User Preferences (File - Preferences - User Preferences). Check the settings for Mail -- for
example, the Mail Program field may be set to None, which disables all mail for the user. Check the
settings under ports; the port(s) necessary to send mail may be disabled. For more information on
User Preferences, see Lotus Notes 6 Help.
2. Check the user’s Personal Address Book for a missing view. If a view is missing, replace the design of
the Personal Address Book. Choose File - Database - Replace Design, and specify the Personal
Address Book template, PERNAMES.NTF, not the Domino Directory template, PUBNAMES.NTF.
Replacing the design deletes any nonstandard private views but does not affect the data.
For more information on Location documents and on specifying a mail server and a mail file, see Lotus
Notes 6 Help.
Checking the server for errors that affect mail: Check for these conditions and correct them, if
necessary.
1. Verify that the sending and receiving servers have a certificate in common.
a. From the Domino Administrator, click the People & Groups tab.
b. From the tool bar, click Certification - ID file.
c. Choose the appropriate server ID file, and click Open.
d. Click Certificates to display the certificates held by the server.
e. Repeat for the second server.
f. Recertify one or both server IDs, as necessary.
2. Make sure there’s enough memory and disk space on the recipient’s mail server. Add memory to the
server, and/or increase the disk space for swapping. Add disk space to the server.
3. Check for a corrupt mail file. On rare occasions a recipient’s mail file may become corrupted. Do one
of these:
v Run the Fixup task. Use this task if the database is in Domino 5 or higher format and you’re not
using transaction logging, or if the database is in Domino 4 format.
v Run the Fixup task with the -J option. Use this task if the database is in Domino 5 or higher format
and you are using transaction logging. If you use a backup utility certified for Domino 5 and you
run Fixup -J, perform a full backup of the database as soon as Fixup finishes.
4. Check for a missing or incorrect Domain setting in the NOTES.INI file. At server startup, the Router
sends the message ″Mail Router started for domain x″ to the console and to the log file. To see if the
NOTES.INI file on the sender’s and recipient’s mail server includes a Domain setting, enter this
command at the console:
Show Configuration Domain
Then verify that the domain name is correctly spelled. To add the Domain setting or correct the
spelling of the domain name, enter this command at the console:
Set Configuration Domain = DomainName
where DomainName is the name of the mail server’s Notes domain.
5. Check for a corrupt MAIL.BOX on the server. Do one of these:
v Run the Fixup task. Use this task if the database is in Domino 5 or higher format and if you’re not
using transaction logging, or if the database is in Domino 4 format.
v Run the Fixup task with the -J option. Use this task if the database is in Domino 5 or higher format
and you are using transaction logging. If you use a backup utility certified for Domino 5 and you
run Fixup -J, perform a full backup of the database as soon as Fixup finishes.
If the corruption still persists, shut down the server and rename MAIL.BOX -- for example, rename it
to BADMAIL.BOX. Then restart the server to generate a new MAIL.BOX file, and copy any
uncorrupted documents from BADMAIL.BOX to MAIL.BOX.
Checking the shared mail setup: Check for these conditions and correct them, if necessary.
1. Verify that shared mail is enabled. To determine if a mail file or individual mail files in a directory
use shared mail, enter this command at the console:
Load Object Info USERMAIL.NSF
where USERMAIL.NSF is the name of a user’s mail file or the name of a directory that contains mail
files.
If you enter a directory name, the information that appears describes each mail file in the directory.
2. Check for a corrupt shared mail file. If you suspect the shared mail file is corrupt, you can restore the
file.
3. Verify that there’s enough disk space available for the shared mail file. If there isn’t, you can purge
obsolete message from a shared mail file.
4. Make sure the user’s mail file hasn’t been unlinked from the shared mail file. If necessary, relink the
mail file.
For more information about shared mail, see the chapter ″Setting Up Shared Mail.″
You can also search for solutions to common problems on the IBM Lotus Support Services Web site at
www.ibm.com/software/lotus/support/.
Meeting and resource scheduling -- Problems and error messages: These topics describe problems and
errors that occur with scheduling meetings or resources:
v Free time information isn’t available
v ″No resource/room found for time and/or capacity requirements″
v ″Can’t Find User in Name and Address Book″
v ″Cannot perform this action locally″
Free time information isn’t available: If, while scheduling a meeting, a user can’t look up free time for
a particular invitee because the invitee’s schedule is grayed out in the Free Time dialog box or if no
users’ free time information can be accessed and the message ″No scheduling information for the
requested users could be found at this time″ appears, use these tips to troubleshoot the problem.
1. Check that the invitee’s name is spelled correctly on the meeting invitation. If the invitee belongs to a
different domain, be sure to specify the invitee’s full hierarchical name, including the domain name.
2. Check that Domino 4.5 or higher is installed on the invitee’s mail server.
3. Make sure that the mail server is running. Free-time lookups fail if Domino cannot access the free
time database on the invitee’s mail server because the server is unavailable. If the server isn’t running,
the user can still complete invitation processing, including sending and receiving meeting-related
messages. Also, lookups for other invitees with free time databases on other servers still work.
4. Check that the Schedule Manager task is running on the mail server.
5. Check that the invitee saved his or her Calendar Profile after upgrading the design to the Domino 4.5
or higher mail template.
″Can’t Find User in Name and Address Book″: If this message appears, the entry used in the
$BusyName field in a calendar entry for the Note ID reported in the log doesn’t exist in the Domino
Directory. This situation typically arises when a user leaves the company and the Domino Directory no
longer contains a Person document for the user. To resolve this error, find the document associated with
the NoteID, and delete the document.
To find the note ID and the document associated with it, see the topic ″Troubleshooting Schedule
Manager errors reported in the log″ later in this chapter.
″Cannot perform this action locally″: This message appears when you try to create a Site Profile in the
Resource Reservation database locally on the server. To avoid this message, when you open the Resource
Reservation database, specify the actual server, instead of ″Local.″
″No resource/room found for time and/or capacity requirements″: The message ″No resource/room
found for time and/or capacity requirements″ may appear when a user creates a reservation in the
Resource Reservation database. This message indicates that the Site Profile name for that particular
resource includes a comma -- for example, Acme, East. Re-create the Site Profile name without the comma
-- for example, Acme East.
Troubleshooting Schedule Manager errors reported in the log: Schedule Manager errors in the log
(LOG.NSF) report information about databases that may have a mismatch among the entry used in the
$BusyName field in a calendar entry, the name listed in BUSYTIME.NSF, and the name in the Domino
Directory. Use this procedure to determine a mismatch.
1. Open the database reported in the log.
2. Choose Create - View.
3. In the View Name field, enter a name for the view -- for example, NoteID.
4. In the View Type field, select Shared.
5. In the ″Select a location for the new view″ field, select where you want the view to appear.
6. Click OK.
7. Choose View - Design.
8. Under Recent Databases, click Views.
9. Double-click the new view that you created. If you placed the view under an existing view, the new
view’s name will include the name of the parent view -- for example, Inbox\NoteID.
10. Select the first column in the view, and choose Create - Insert new column.
11. Choose Design - Column Properties.
12. In the Title field, enter a name for the column -- for example, NoteID -- and press ENTER.
13. In the formula pane, for Display, select Formula.
14. Delete anything that currently appears in the Formula pane and enter the formula:
@NoteID
15. Click the check mark in the formula pane to accept the new formula.
16. Press ESCAPE, and click Yes to save the design.
17. Press ESCAPE to close the Designer.
You can also search for solutions to common problems on the IBM Lotus Support Services Web site at
www.ibm.com/software/lotus/support/.
Logging modem I/O: To record modem phone call information in the log (LOG.NSF), you must enable
logging. Recording modem calls is useful when you troubleshoot modem connections.
1. Choose File - Preferences - User Preferences and select Ports.
2. Select the port for which you want to log call information.
3. Choose COM Options, and then choose Log modem I/O.
4. Click OK twice.
Reading the message in the log file for a long setup string: When you customize a modem command file, you
may include long setup strings. If a long setup string contains an error, it may be difficult to determine
which command or parameter caused the problem.
To isolate the problematic command or parameter, split the setup string in half, and enter a new
Setup=AT command on the line immediately following the first half of the setup string. Try to make the
connection again, and then check the log to determine which half of the setup string is causes the error.
Continue splitting the setup string in half until you locate the command or parameter that causes the
problem.
How to troubleshoot modems and remote connections: A server or workstation may not be able to
connect properly through a dialup modem connection to another server or workstation. As a result, there
may be problems transferring information -- for example, mail might not route between two servers
connected by a modem. Use these tips to troubleshoot both sides of the modem connection:
1. Restart the modem and the remote server or workstation. Doing this usually helps when the modem
is behaves erratically -- for example, if the modem dials invalid phone numbers, refuses legitimate
modem commands, flashes the LEDs in irregular patterns, or displays other unusual behavior.
2. Make sure that the modem is the correct type and model for the server or workstation. If you think
the hardware is damaged, replace the damaged part with one that you know is working. Make one
change at time so that you can evaluate the effect.
Modems and remote connections -- Problems and error messages: These topics provide suggestions for
troubleshooting problems you may encounter with modems and remote connections:
v Data isn’t transferring between two servers using a null modem
v The dialup server cycles through port speeds without initializing the modem
v Valid commands in the modem command file are ignored
Data isn’t transferring between two servers using a null modem: If you connect two servers with a
null modem cable and the servers make a connection but data does not transfer between them, try these
tips to solve the problem:
1. Replace the modem cable or port with one that you know works correctly.
2. Change the port speeds. Choose File - Preferences - User Preferences and select Ports. Select the port
you want to modify, and then select COM Options. Select a port speed that matches the port speed of
the other modem.
The dialup server cycles through port speeds without initializing the modem: If the log (LOG.NSF)
indicates that the server continuously cycles through port speeds without initializing the modem, the
server isn’t able to connect to or synchronize with the modem. Try these tips to solve the problem:
1. Turn the modem on and off to reset it.
2. Check the cable connection from the server to the modem. Make sure that the cable is attached to the
correct port and isn’t damaged.
Valid commands in the modem command file are ignored: You may notice this problem if you check
the log and find that OK responses are missing after one or more valid commands. Try these tips to solve
the problem:
1. Make sure letters in the AT commands in the modem command file are either all uppercase or all
lowercase. Many modems do not recognize mixed-case commands.
2. Make sure that commands in a long setup string do not exceed the character limit for the modem.
Use the Setup=AT command at the beginning of each line to split the setup strings into smaller
sections.
Platform statistics are not fully initialized: Platform statistics take a few minutes to initialize upon
Domino server startup. If you issue a Show Stat Platform command before initialization, you get the
following message:
Platform not in statistics table
Wait a few minutes and then issue the Show Stat Platform command again.
Setting up platform statistics on Windows 2000 systems: On Windows 2000 systems, your server must
be configured properly to collect network or Logical Disk statistics. Using software RAID is not
recommended. To set up your system for platform statistic collection:
1. Enable Logical Disk counters using the diskperf command:
The probable cause for this message is that platform statistics detected that the Network Interface Object
was not enabled. Enable the SNMP service.
The probable cause is that platform statistics detected that the logical disk counters were not enabled.
Enable logical disk counters.
When the statistics are ready to be displayed, the system displays the following message, where n is the
number of current transactions or users.
n Transactions/Minute, n Users
Upon Domino startup, the path to the nnotes.dll is not set or is set incorrectly. Multiple installations of
Domino may exist on the system and an earlier installation of Domino is being invoked. Make sure that
nnotes.dll is set to this path:
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\notestat\\Performance\\Library
Perfmon, the performance monitoring package was incorrectly installed when the system was upgraded.
Reinstall the Win2K server.
Note: If you need additional information regarding enabling the SNMP server, refer to your Windows
2000 System Administration Reference Guide.
System configuration issue for platform statistics on Windows 2000 systems: On Windows 2000, an
error may occur when loading certain performance dlls. If they do not function properly or take too long
to pass data, the operating system automatically adds a value to the following Performance registry
subkey where TypeOfPerfService may be PerfProc, PerfOS, or NoteStat:
HKEY_LOCAL_MACHINE\SYSTEM\Services\CurrentControlSet\<TypeOfPerfService>\Performance.
When the error occurs, the value for the variable ″Disable Performance Counters″ is set to 1, which
disables performance counters for statistics such as CPU utilization
If these statistic counters cannot be located, you may get the following error message, printed to both the
event log and the console:
Platform Stats: _PSHandleDefaultCmd() Unable to set up default counters error =..."
Although the system may have set the ″Disable Performance Counters″ variable under a period of
extreme stress on the system, once it has been set, this variable continues to disable all performance
counters relating to its.dll, until it is manually set back to zero or deleted.
To reset the default counters, search the registry for the phrase ″Disable Performance Counters.″ If it
occurs under PerfOS, PerfDisk, PerfProc or PerfNet, manually set it back to zero or delete the entire
variable.
If a user installed, set up, and created Connection documents for a network dialup connection, but the
user can’t connect to it, check for these conditions and correct them, if necessary.
1. Make sure the workstation and/or server has been set up with the remote access client software. If
the software hasn’t been set up, users will get the message ″Error initializing remote LAN service.″
Install the network dialup client software on the server and/or workstation, and then try connecting.
2. Make sure the remote server is accessible. If the modem is busy or the server is unavailable, the
server can’t answer calls.
3. Make sure that the user has the necessary privilege to use a network dialup connection to dial into
the server. If necessary, modify the user’s privileges. Also, make sure that the user is using the correct
user ID password.
4. Trace the connection to the server. Check the resulting information for indications that the Connection
document isn’t properly configured. For example, common mistakes in the Connection document
include not listing the current location or failing to enable the specified port(s).
Note: Information from a trace is recorded in the Miscellaneous Events view of the log. In the Trace
Connections Log Options field, you can set the level of detail to record. For maximum information,
choose Full Trace Information.
5. Use the dialing method provided by the network dialup client to make the network dialup
connection. If the connection fails, check for the correct configuration and check the modem for
problems.
6. If the connection is successful, while the connection is still active, switch to the Notes workstation or
Domino server and attempt to connect to the destination server. At this point, the workstation or
server should be connected to the LAN. You can temporarily set the Usage priority field of the
network dialup Connection document to Low to force the connection over the LAN before using the
Connection document.
7. If the previous step succeeds, drop the connection, switch to the Notes workstation, and choose File -
Mobile - Call Server to call the remote access server. If you previously set the Usage priority field of
the network dialup Connection document to Low, reset the priority to Normal.
8. Make sure you’re using the correct Connection document. Then, make sure the information in the
Connection document is correct.
After a successful modem connection, cannot establish session with server: The server is down.
RAS is currently using the port that the Notes Direct Dialup connection is attempting to call on the
destination server.
Modem does not respond: The modem is not turned on or is not connected.
COM device is in use: You try to access a server using Notes Direct Dialup and your server has RAS
running and only one COM port.
You cannot create a RAS connection: RAS is not configured and/or started on the destination server.
Error messages: This section lists common error messages displayed on the server console or at the
Notes client, and provides information on what caused the error and how to recover from it.
Modem command files contains illegal character: You selected the wrong modem.
Select the correct modem file from the COM options - Modem type drop down box.
The selected modem command file only allows speeds as high as XXX: The configured modem speed
exceeds the supported speed.
Check the maximum modem speed for your modem and configure it in the COM options - Maximum
Port Speed.
Excessive Port or CRC errors on the last connection. Try enabling hardware flow control on the port or
reducing the maximum speed settings: The configured modem speed exceeds the supported speed.
Reduce modem speed on the machine with Port and/or CRC errors.
Communications port unit number is not within valid range.: You have too many ports configured.
Set the valid number of ports on your system. Notes and Domino accept up to 64 ports.
Check the phone line. Make sure that line is active and plugged into the modem properly.
If you are in Europe, make sure that you have disabled ″wait for dial tone before dialing″ in the COM
options box.
Testing network connections using the ping utility: After you establish an Internet connection, you
should ensure that the connection works properly. Run this test before you actually connect the Domino
server to the Internet.
If you have a direct connection to the Internet, the easiest way to test the connection is to use the ping
utility, which asks another computer if it is running and confirms that the protocol software can respond.
If you connect to the Internet through a proxy server, try to use the ping utility on your proxy to test the
network connection.
To use the ping utility, type ping at the CONSOLE prompt, followed by the domain name. For example,
type:
ping xyz.com
If successful, the ping utility returns a message in a format similar to the following:
64 bytes from 130.000.00.00: 1cmp_seq=4, time=0, ms
Tracing a network connection: To test a connection to a server, use the Trace command, which provides
detailed information about each step in a server connection. Using the results of a trace command, you
can troubleshoot network connection problems.
When you attempt to connect to a server, network trace information automatically appears on the status
bar of a Notes workstation or on the server console, depending on where you initiated the connection
attempt. You can use the NOTES.INI Console_LogLevel setting to control the level of detail that messages
on the status bar contain.
For more information about the Trace command, see the appendix ″Server Commands.″
Troubleshooting TCP/IP problems for NRPC: These topics describe how to troubleshoot problems with
TCP/IP:
v Tools for troubleshooting TCP/IP
v Common TCP/IP error messages on Domino servers
v Common TCP/IP error messages on Notes clients or Domino servers
v How to troubleshoot a TCP/IP problem
v TCP/IP frame types
If you can’t solve your problem, record all of THE FOLLOWING INFORMATION (gathered as you
performed the steps in the preceding topics) before contacting IBM Lotus Support Services
(www.ibm.com/software/lotus/support/):
1. Exact quoted error messages
2. TCP stack name and version number (or operating system and version if the TCP/IP stack is included
in the operating system)
3. IP configuration information
4. IP address and host name of Domino server
5. Server document
6. Host file
7. Tracert information (with number of hops)
8. Ping packet size
Connection logging: When connection logging is enabled on a server, the server console displays the name
of the Notes network port for TCP/IP, the IP address of the requesting system, and the IP address of the
destination server for each connection.
To enable connection logging, add the following setting in the server’s NOTES.INI file:
Log_Connections=1
TCP/IP error messages -- Server only: These sections describe common error messages on a Domino server
offering NRPC services over TCP/IP.
Error on Listen function: The requested TCP/IP port is in use on this system.: This message could indicate one
of the following problems:
v UNIX systems. You have failed to assign different IP addresses to each partition on a Domino
partitioned server, or you have failed to follow the port mapping setup instructions properly, and you
attempt to start the additional partition. You may need to stop the server currently running, so that the
new server you are setting up can finish accessing the setup server for its copy of the Domino
Directory.
Note: Failing to configure partitions properly on Windows systems does not generate an error on
startup, but will generate operational problems.
v Windows 2000 and XP systems. It is possible for an application or system service to be assigned an
ephemeral port number as its local port number that conflicts with the Domino listening port. Restart
the system so that the process using TCP port number 1352 can release it.
When a system running TCP/IP makes each outbound connection, the TCP software automatically
selects a local port number and assigns it to the connection. This is required in the TCP architecture so
that the server can return packets to the client. This same port number cannot be used by any other
outbound or listening socket until it is freed. Port numbers in the range 1 - 1024 are called reserved
ports because they are reserved for well-known system services. The TCP software never uses reserved
ports when it must select a client-side port number at random. Rather, it selects at random a number
from a range above 1024 called the ephemeral port range. The Internet authority uses the low-end
range above 1024 to assign port numbers to registered applications such as Lotus Notes/Domino’s
NRPC services, which use 1352. Microsoft uses the ephemeral port range of 1024 - 5000. Therefore,
when a server on a Windows system makes an outbound connection, the ephemeral port number
chosen might be 1352. When this happens and Domino is started, the NRPC port fails to bind. Often,
on startup, servers on Windows systems make outbound connections to the NetBIOS session service
well-known port and keep these connections active until the system is restarted. This is the cause of
the problem.
Note: Most UNIX systems use an ephemeral port range that is at the top-end of the range of ports,
such as 45000 - 65000, so that there is not likely to be a conflict between the ephemeral port number
chosen and registered port numbers.
To determine if this is the cause of the problem, run Netstat -n -a. If what you see is similar to one of
the following examples, the system is using port number 1352 and the Domino server cannot start. To
solve this problem, restart the system.
Example 1: Netstat -n -a output of the Domino server active on the local system using port 1352 as a
server
Proto Local Address Foreign Address State
TCP 10.20.4.137:1352 0.0.0.0:0 LISTENING
Example 2: Netstat -n -a output of the local system accessing an external system using port 1352
ephemerally
Proto Local Address Foreign Address State
TCP 10.20.4.137:1352 10.30.10.1:139 ESTABLISHED
To prevent future ephemeral bind conflicts on Windows systems, use the following instructions to add a
registry value that forces TCP to skip port 1352 when it selects an ephemeral port number:
Run Regedt32 (not Regedit -- Regedit does not support the data type required for the value) and enter
the following:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Value Name: ReservedPorts
Data Type: REG_MULTI_SZ
Value: 1352-1352
Tip: To protect additional ports, you can enter a range (such as 1025 - 1050) or multiple ranges separated
by spaces.
Insufficient TCP sockets are available. Consult your vendor’s TCP/IP documentation to increase the
maximum number of sockets.: You have reached a TCP/IP socket limitation. To see how many active
TCP/IP sessions the server system has open, use Netatat with the -n switch (to disable reverse DNS
lookups) and output the listing to a file. Import the listing to a spreadsheet and count the total number of
connections. Then break the connections down by their state (Established, Time_Wait, Close_Wait,
Fin_Waitn). You should be able to support more than 2,000 concurrent connections. If not, review your
operating system and TCP/IP stack settings with the operating system and TCP/IP stack vendor. If you
have a large number of Close_Wait sessions, you may have network-level problems. If you have a
buildup of Time_Wait sessions with HTTP services, review your TCP/IP stack’s settings to see if the stack
offers a setting to time out Time_Wait sessions sooner.
As a temporary solution or if you can’t make any alterations to the system or TCP/IP stack, you can limit
the number of NRPC sessions the server will support concurrently, but there will be a performance cost
for doing so. To limit the number of concurrent NRPC sessions, do one of the following:
v Edit the portname_MaxSessions setting in the NOTES.INI file to limit the number of sessions that can
run on this port.
v Edit the Server_MaxSessions setting in the NOTES.INI file to limit the total number of active sessions
the server can have.
Listener task for port <portname> is suspending for 20 seconds due to listen errors.: See the message ″Error on
Listen function″ earlier in this topic.
The remote TCP/IP host is not running the Domino server, or the server is busy.: The server is
currently not running, or the server can’t accept another TCP/IP connection or Domain session. Start the
server, or verify that it is running. Check the server to determine if its workload is unacceptably heavy.
The TCP/IP protocol stack reported that it ran out of memory. Consult your network documentation to
increase configured memory, or reduce Notes connections by limiting clients (see
SERVER_MAXSESSIONS parameter in Notes Admin Guide).: This error can occur when your server
system’s resources are not correctly sized for the number of inbound and outbound connections or when
events push the server into resource starvation.
v If system memory appears to be low, increase it.
v If you are using Windows NT, you may be encountering a page file limit. Both Domino and the
TCP/IP stack use shared memory. If the page file is not large enough or the number of pages exceeds
what the operating system can provide, this error appears. Upgrade the operating system to Windows
2000 with Service Pack 2.
v If inbound client and server connections or the server’s own outbound connections seem to be
experiencing network stability problems, verify the health of the network by using Netstat with the -n
switch (to disable reverse DNS lookups) and output the listing to a file. Import the listing to a
spreadsheet and count the total number of connections. Then break the connections down by their state
(Established, Time_Wait, Close_Wait, Fin_Waitn). You should be able to support more than 2,000
concurrent connections. If not, review your operating system and TCP/IP stack settings with the
operating system and TCP/IP stack vendor. If you have a large number of Close_Wait sessions, you
may have network-level problems. If you have a buildup of Time_Wait sessions with HTTP services,
review your TCP/IP stack’s settings to see if the stack offers a setting to time out Time_Wait sessions
sooner.
As a temporary solution or if you can’t make any alterations to the system or TCP/IP stack, you can limit
the number of NRPC sessions the server will support concurrently, but there will be a performance cost
for doing so. To limit the number of concurrent NRPC sessions, do one of the following:
Unable to locate the Domain server’s TCP/IP host. The TCP/IP domain name server may be down.:
Use the ″ping’ command to verify that DNS is running.
Unexpected TCP error. See the Notes log file on this system for error code.: Look in the log file to see
the reported error code or codes. KnowledgeBase lists many of the error codes. If you find an error code
that isn’t in KnowledgeBase, report it to IBM Lotus Support Services.
TCP/IP error messages -- Client or server: These sections describe common error messages on a Notes client
or Domino server using NRPC services over TCP/IP.
Network operation did not complete in the specified amount of time.: The connection pathway between the
client or server system and the target server was unable to sustain the session. This happens when a
system is accessing a remote server over a slow or very congested WAN. Possible solutions to this
problem are:
v Instead of users’ accessing server-based mail or application files on the remote server, have them
replicate the database files to their local systems.
v Review your server-to-server replication and mail routing architecture across the WAN. It is best to use
a hub-and-spoke design, and use Connection documents in Domino to connect the servers, mirroring
the hub-and-spoke architecture. Use Notes name networks (NNNs) only at each isolated local site and
then use Connection documents to interconnect the sites from the hub location.
If this error occurs over a LAN, you may be experiencing frame and/or packet sizing problems because
you have a mixed-topology network or because your network routers’ routing tables are converging. In
these cases, the network pathway to or from the target Domino server cannot forward the TCP/IP packet
stream.
If you are using a remote VPN connection across the Internet, with some VPN client software you can
encounter packet sizing issues on the Notes client or Domino server and/or with the firewall system’s
VPN services.
The connection has timed out.: The establishment of the connection took longer than the expected default
of 5 seconds. This can happen when the connection is over a dial-on-demand ISDN modem connection,
remote bridge, or router. From the Port Setup dialog box, increase the TCP/IP connection-time-out
interval. On a normal LAN, it is best to enter a value of no greater than 10 seconds, as the client or server
won’t retry the connection until the timer has expired.
To access the Port Setup dialog on a Notes client, use File - Preferences - User Preferences and click Ports.
To access this dialog box for a Domino server, use the Domino Administrator’s Configuration tab and
select Server - Setup Ports from the Tools pane.
Once in the Port Setup dialog box, select the TCP/IP port and click the port name Options button.
The server is not responding. Possible explanation.: Variations of this error can occur when name-to-address
resolution has completed on the local system, but the server would not respond to that address. The
causes of this error include:
v The Notes Name Service cache in the current Location document contains a numeric IP address that it
originally obtained from the Server document (Net Address field) of the target Domino server, and the
Server document has since been updated with a new IP address. Using only host names in the Net
Address field makes this error less likely to occur, as host names usually don’t change.
To resolve problems associated with this error, follow all the steps in the topic ″How to troubleshoot
TCP/IP problems in NRPC″ later in this chapter. To resolve problems involving advanced TCP/IP
configurations (more than one enabled port), see the chapter ″Setting Up the Domino Network.″
The Remote server is not a known TCP/IP host.: This message appears if the translation from server
name to TCP/IP address fails. Follow these steps to troubleshoot the problem:
1. Verify that the server name is correct.
2. If you use a local hosts file for name resolution, enter the server’s IP address and host name in the
hosts file. If the server name does not match the TCP/IP host name, which is also known as the fully
qualified domain name, enter the server name as an alias for the host name. For example, for the
Domino server Red/Sales/Acme, enter:
130.103.40.1 red.acme.com red
Note: Verify that the ordering of the name lookup services is ″Host″ first and ″DNS″ second;
otherwise, the hosts file entries may not be used when you expect them to be (excluding the NetBIOS
Name Service).
3. If you use the Network Information Service (NIS) for name resolution, ask the UNIX system
administrator responsible for the NIS domain to register the server’s IP address and host name. If the
server name does not match the TCP/IP host name, request that the server name be registered as an
alias for the host name.
4. If you’re using DNS for name resolution, ask the administrator responsible for the DNS domain to
register the server’s IP address and host name. If the server name does not match the TCP/IP host
name, request that the server name be registered as an alias (CNAME) for the host name and place
the host name in the TCP/IP port’s Net Address field in the Server document. For example, for a
Domino server named Sales/Boston/Acme with a host name of app01 for the A record, the CNAME
record would be sales. The Net Address field contains either the simple host name, app01, or the
FQDN, app01.acme.com. In the case of port mapping, each port-mapped server’s common name is
added as a CNAME to the A record for the base port-mapping server.
For more information on DNS resolves, see the topic ″Checking TCP/IP name resolution in NRPC″
later in this chapter, as well as the chapter ″Setting Up the Domino Network.″
How to troubleshoot TCP/IP problems in NRPC: To troubleshoot a network problem when using NRPC
services over TCP/IP, do the following in the order shown:
1. Check connectivity.
2. Check name resolution.
3. Check network layout (large LAN or WAN issues).
Checking NRPC connectivity in TCP/IP: Notes connectivity relies on TCP/IP communication. The first step
in troubleshooting TCP/IP is to verify basic TCP/IP configuration and connectivity.
Use the PING executable to verify IP-level connectivity. The PING command is available in all Windows
and UNIX environments.
1. From the server, ping the server itself by numeric IP address.
For example, at a DOS prompt, type:
PING 131.103.50.159
and press ENTER.
This step confirms the following:
v TCP/IP is installed and configured with a correct address.
v If any other computer has the same IP address. A computer’s IP address must be unique on a
network segment; that is, only one computer on a network segment can have a particular IP
address.
If this fails, TCP/IP is not set up properly on the local machine. Contact the site’s network
administrators for technical assistance.
2. From the server, ping the destination computer (the Notes workstation) by numeric IP address. This
indicates if the path to the remote host is clear and whether you can communicate with IP through
network routers. If this fails, continue to Step 3.
Tip: To obtain the IP address of a Notes workstation, from the workstation use the commands shown
in the table in Step 6.
3. From the workstation, ping the workstation by its own numeric IP address. If this fails, continue to
Step 4.
4. Ping the server from the server itself by its DNS fully qualified domain name (FQDN) to verify that it
was added to the network correctly; then ping the server from the workstation by FQDN.
For example, type:
PING iodine.lotus.com
5. Ping the server by DNS alias name from the server itself to verify it was added to the network
correctly. Then ping the server from the workstation. Ideally the server host alias names all should be
the same as the Domino server names. Sometimes the server’s FQDN may differ from the Domino
server’s. That is when the alias name is used, being the same as the Domino server’s name.
For example, type:
PING Iodine
If you reach this point and the connection is failing between workstation and server, try creating a
Connection document in the Personal Address Book of the workstation. This document contains the
numeric IP address of the destination server. It is best to resolve IP addresses by DNS or hosts files
and not by Connection documents.
Note: WINSOCK.DLL is the Windows Sockets interface provided with TCP/IP network software for
Microsoft Windows. If you’re using an incorrect (or incorrectly placed) version of WINSOCK.DLL,
Notes may exhibit problems related to WINSOCK.
6. If pinging by numeric address succeeds, but pinging by the alias name fails, the problem’s source is in
name resolution and not in physical network connectivity. The following table list the commands you
use (depending on the operating environment the server or workstation uses) to gather the following
information about the system’s IP configuration:
v IP address
v Host name
v If present, the default gateway
Checking TCP/IP name resolution in NRPC: If checking connectivity using an IP address appears to work,
you need to check name-to-IP-address resolution. Name-to-IP address resolution within an organization’s
private network space usually takes one of two forms: locally stored hosts files or the Domain Name
System (DNS). WINS Name Resolution or LMHOSTS resolution are not supported by Lotus
Notes/Domino.
1. Check for illegal characters in the hosts file.
v Make sure there are no illegal characters (such as a space or a letter) in the numeric IP address;
only numbers should appear. Each section of a dotted decimal numeric IP address should be no
longer than three numbers, and there should be four sections to an address (for example,
19.99.21.217).
v Make sure there are no illegal characters in the Names fields; only alphabetic characters, numbers
and dashes (-) should appear. Spaces are not allowed. Underscores (_) are mapped as spaces within
Notes, and should be avoided.
v Some IP stacks will not accept underscore characters.
v Make sure there is only one correctly named hosts file being used. Rename any other hosts files on
the computer (except the current one).
v Note any recent changes made to the hosts file. Confirm that the information in the hosts file is
correct. The target machines that a computer may contact must be defined in the local hosts file.
2. Look at the Server document and determine if the first part of the server’s fully qualified domain
name (FQDN) in the TCP/IP port’s Net Address field is the same as the server’s common name. For
example:
FQDN = mailhub1.lotus.com Server common name = Mailhub1
If this is not the case, a name resolution alias is required in the hosts file or DNS table.
Note: If the first part of the FQDN is the same as the server common name, the problem may be
within DNS. For more information, see the vendor’s documentation for the DNS server.
3. If the Server document has changed recently, restart the server in order for the changes to take effect.
Checking a TCP/IP network pathway: If checking name resolution did not solve the problem, check each
network pathway. Be sure to record the information you gather.
Using the Trace Route utility: Use the TRACERT command to determine what network pathway lies
between the source and destination systems. This command determines the route from one host to
another through the network, and displays an ordered list of the routers in the path with the IP addresses
of the near-side interface of the routers.
Note: A dedicated Trace Route utility may not be available on all platforms, and your firewalls are most
likely blocking the ICMP sub-protocol of IP. Consult the site administrator to see if there is an equivalent
for your platform.
For example, the results of the TRACERT command might look like this:
C:\>tracert paran -d
Tracing route to santa.north.com [118.111.90.204]
1 10 ms 10 ms 10 ms elves.north.com [118.111.200.211]
2 <10 ms 10 ms <10 ms rdeer.north.com [118.111.29.2]
3 <10 ms 10 ms 10 ms santa.north.com [118.111.90.204]
Trace complete.
In this example, there are two IP routers between the workstation and the server (three, minus the first
one which reported itself, leaving two).
Checking the Maximum Transmission Unit (MTU): Each end-node system and router port on the network
has the ability to control the size of the TCP/IP packet. Each NIC (port) can have its MTU set to a
different value, and each topology has a different default value. The network administrator can increase
or decrease this setting to meet the requirements of the network. MTU traffic issues are handled at the
TCP/IP level and not within Notes workstations or Domino servers.
If any of the following situations exist, suspect an MTU problem, and contact your network
administrator:
v There is a mixture of Ethernet and Token-Ring or FDDI network topologies on the LAN/WAN.
v There are routers between the source and destination of traffic that could be set up with an incorrect
MTU size.
v You are using VPN services across the Internet.
v ATM is being used with emulation [LANE].
TCP/IP frame types: Most UNIX, AS/400, or S/390 systems offer both frame types for 802.3 (Ethernet) to
Ethernet V2 (DIX) and SNAP by default. You can remove the SNAP frame support if you have a routed
network with Token-Ring or FDDI topologies where the router will translate the frame types (free up
non-needed resources).
With Windows-based TCP/IP protocol services, the default frame type for 802.3 (Ethernet) network
topology is v2 DIX and for Token-Ring and FDDI it is SNAP over LLC.
* If the bridge or router offers frame translation, other combinations may be possible.
Note: If using a NetWare server as a TCP/IP router, make sure that the NetWare and Domino server
systems are using the same common frame type for TCP/IP and that only one frame type is being used
to support the TCP/IP protocol in a flat or bridged network.
You can also search for solutions to common problems on the IBM Lotus Support Services Web site at
www.ibm.com/software/lotus/support/.
″Server exiting: partition number xx is already in use″: This message appears when you try to start
more than one server in a partition. To correct this, stop all processes associated with the partition. If that
fails, restart the system.
″Server not responding″ connecting to a partitioned server: This message may appear if a partitioned
server uses TCP/IP port mapping.
1. If the destination server is sharing a network interface card with a port-mapping server, check that the
port-mapping server is running. Domino can’t establish a connection to a server sharing the
port-mapping server’s IP address unless the port-mapping server can redirect the traffic to the port
the destination server is listening on.
2. Make sure that the port-mapping information in the NOTES.INI file is in the correct order. In the
port-mapping server’s NOTES.INI file, there are entries that reference the other partitioned servers on
the computer. If the lines containing the port-mapping information are out-of-order, Domino displays
the message ″Server not responding″ or ″Server’s name changed.″ Edit the port-mapping server’s
NOTES.INI file, and make sure that the partitioned servers are listed in numerical order, as in this
example:
TCPIP_PortMapping00=
TCPIP_PortMapping01=
TCPIP_PortMapping02=
TCPIP_PortMapping03=
After modifying the NOTES.INI, stop and restart the server so that the changes take effect.
Tip: To record connection problems in the log, set the Log Options field (in the Trace Connections dialog
from the Domino Administrator) to Full Trace Information.
1. Verify that the passthru server is running Domino 4.x or higher. The destination server can run Notes
3 or Domino 4.x or higher.
2. Check the Server document to ensure that the server is enabled for passthru. The ″Route through
field″ on the Security tab in the Server document restricts who may use a server as a passthru server.
By default, this field is blank, which prevents use of the server as a passthru server. You can also
create a new passthru Connection document that names a different server that allows passthru to the
destination server.
You can also use the ″Access this server″ field in the Server document to restrict who can use passthru
to access a server. If this field is blank on the destination server, the server does not allow passthru
access. Only the users, groups, and servers explicitly named in this field have passthru access. Note
that this field does not restrict general access to the server, which is controlled by fields on the
Security tab of the Server document.
3. Make sure that the Connection document is properly configured. Check the log for the message
″Unable to find any path to ServerName,″ which indicates that there may not be enough information in
the Domino Directory to determine how to reach the destination server or that the information in the
Domino Directory is incorrect -- for example, server names might be misspelled.
For more information on setting up and tracing connections, see the topic ″Tracing a network
connection″ earlier in this chapter, as well as the chapter ″Setting Up Server-to-Server Connections.″
Administrator client on the remote live console -- output data appears incomplete: There are two
situations in which data can be lost when you attempt to view output data using the Administrator client
from the Domino server remote live console. The displayed data appears incomplete because a portion of
the data is lost. Data can be lost in the following situations:
v The console output is buffered in a ring buffer as it is generated. When the remote live console
background thread fetches data, it may not fetch the data quickly enough. The ring buffer then loses
data.
v When the remote live console background thread fetches data, it posts the data to a network
asynchronous write -- itself a ring queue. If the asynchronous write queue entry is overwritten, data is
lost.
Statistic Explanation
server.RemoteConsole.AsyncQueueOverrun Number of times that the asynchronous queue request
was lost.
server.RemoteConsole.BufferOverrun Number of times that data was lost because more
console output was generated than was sent over the
wire.
Replication -- Troubleshooting
These topics describe how to troubleshoot replication.
v Tools for troubleshooting replication describes tools you can use for troubleshooting replication
problems.
v Replication - Problems and error messages describes problems and errors that users or Domino servers
may experience during replication.
You can also search for solutions to common problems on the IBM Lotus Support Services Web site at
www.ibm.com/software/lotus/support/.
Tools for troubleshooting replication: Database access control list problems, server crashes, protocol
problems, and incorrectly configured Connection documents are common causes of replication errors. Use
these tools to troubleshoot replication.
Cluster replication: The log file (LOG.NSF) provides helpful information for troubleshooting replication
problems within a cluster.
Log file: To access the log, from the Domino Administrator, click the Servers - Analysis tab and select
the log file for the server you want to check. Then check for replication problems in these views:
v Miscellaneous events
v Phone calls
v Replication events
Tip: You can also check replication events from the Replication tab in the Domino Administrator.
Edit the NOTES.INI file to include the Log_Replication setting, which allows you to display detailed
replication information in the log.
Note that you can edit the NOTES.INI file to include the Repl_Error_Tolerance setting, which increases
the number of identical replication errors between two databases that a server tolerates before it
terminates replication. The default tolerance is 2 errors. The higher the value, the more often messages
such as ″Out of disk space″ appear.
If you run the Event task on a server, you can set up an Event Monitor document to report replication
problems. You can also create a Replication Monitor document that notifies you if a specific database fails
to replicate within a certain time. To view events from the Domino Administrator, click the Server -
Analysis tab, click Statistics - Events, and then view the desired report.
Replication schedules: You can see a graphical representation of the replication schedules of the servers in
your Domino system. To view replication schedules, from the Domino Administrator, click the
Replication tab.
For more information on viewing replication schedules, see the chapter ″Creating Replicas and
Scheduling Replication.″
Replication topology maps: Create a replication topology map to display the replication topology and
identify connections between servers. To view replication topology maps, from the Domino
Administrator, click the Replication tab. You must load the Topology maps task before you can view a
replication topology map.
For more information on viewing replication topology maps, see the chapter ″Creating Replicas and
Scheduling Replication.″
Replication -- Problems and error messages: These topics describe how to troubleshoot replication
problems.
v Replication isn’t occurring between two servers
v Scheduled replication isn’t occurring between two servers
v One database isn’t replicating between two servers
v Database replica does not contain all the documents it should
v Database replica is not receiving design changes
v Changes to the database title do not replicate
v Database replicas are different sizes
v The database stops replicating and the option Enforce a consistent ACL is selected
v The database replica has not received ACL changes
v The new replica contains the ACL of the source server but you did not copy the ACL
v You see the message ″Database is not fully initialized yet″
v Deletions are not replicating
v Unexpected deletions occur in a replica
v Deleted documents reappear
Replication isn’t occurring between two servers: When two servers can’t replicate any of the databases
between them, these messages may appear in the log:
v ″Unable to replicate with server x: Server Not Responding″
v ″Unable to replicate with server x: The Notes server is not a known TCP/IP Host″
v ″Unable to replicate with server x: Your address book does not contain any cross certificates capable of
authenticating the server″
v ″Unable to replicate with server x: The server’s address book does not contain any cross certificates
capable of authenticating you″
v ″Unable to replicate with server x: You are not authorized to use the server or remote server″
One database isn’t replicating between two servers: When replication occurs correctly between two
servers but one database doesn’t replicate correctly, these symptoms might occur:
v The message ″Unable to replicate xxx.nsf″ appears in the log file.
v Users report that documents are different on each replica.
Database replica does not contain all the documents it should: If none of the following explanations
apply, try clearing the replication history. Clear replication history using the File - Replication - History
dialog box in the Notes client.
For more information on replication history, see the chapter ″Maintaining Databases.″
Replicas are different sizes: If changes made to one replica have not yet replicated, the content of replicas
may be different until replication occurs.
The source server has insufficient access: The source server access in a destination replica ACL determines
what the destination replica can receive from the source server. Give the source server higher access in
the destination replica ACL if necessary. The following message in the server log file (LOG.NSF) indicates
insufficient server access:
Access control is set to not allow replication
For more information on the log file, see the chapter ″Using Log Files.″
There is no destination server in an access list: Access lists allow only a subset of people and servers in
the ACL to access documents. If such access lists exist, add the destination server to them in the source
server replica. If the access list uses a role to define access, add the destination server to the role on the
source server replica.
For more information on server access, see the chapter ″Creating Replicas and Scheduling Replication.″
An intermediate server has insufficient access: If replication between a source and destination server
occurs through an intermediate server, make sure the source and destination server replica ACLs give the
intermediate server high enough access to replicate all changes.
For more information on server access, see the chapter ″Creating Replicas and Scheduling Replication.″
Replication settings are filtering documents: Some replication settings act as filters that screen out
documents and features. Check the replication settings.
For more information on replication settings, see the chapter ″Creating Replicas and Scheduling
Replication.″
The server is out of disk space: Check to see if the database is a Domino 4 database and has exceeded
the maximum database size. Ask your Domino administrator to resolve disk space problems and if
necessary, consider moving a replica to another server or deleting databases on the server.
Older documents weren’t replicated to a new replica: When the replica was created, the date specified for the
replication setting option ″Only replicate incoming documents saved or modified after″ is later than it
should have been. This option is on the Other panel of the File - Replication - Settings dialog box in the
Notes client. Create a new replica with an earlier date specified.
Changes to the database title do not replicate: If the replication setting ″Do not send changes in
database title & catalog info to other replicas″ is set on the source server replica, the title won’t replicate.
Deselect this setting to replicate a database title. This setting is on the Send panel in the File - Replication
- Settings dialog box in the Notes client.
For more information on this replication setting, see the chapter ″Creating Replicas and Scheduling
Replication.″
Database replicas are different sizes: Database replicas may be different sizes for the following reasons:
Replication settings: Some replication settings cause one replica to receive only a subset of documents
and features from another replica.
Access control list: The ACL prevents a replica from receiving all documents or design elements from a
source replica.
Read ACLs or reader names fields: A destination server isn’t included in a Read ACL or Reader Names
field and therefore doesn’t receive all documents from a source server replica.
View indexes: A view is used in one replica but not in another, and the replica containing the unused
view is smaller because no index is built for the unused view.
Personal agents, views, or folders: These features used on one replica, but not another, can cause a size
disparity between the replicas.
Deletions are not replicated: Check these replication settings in File - Replication - Settings in the Notes
client:
v On the Advanced panel, the Deletions option under ″Replicate incoming″ is not selected.
v On the Send panel, the ″Do not send deletions made in this replica to other replicas″ option is selected.
Unused space: One replica has been compacted while another has not been compacted.
The database stops replicating and the option Enforce a consistent ACL is selected: If a user changes a
local or remote server database replica’s ACL when the ″Enforce a consistent access control list across all
replicas of this database″ option is selected, the database stops replicating. This option is found on the
Advanced panel of the Access Control List dialog box. The message in the log file is:
Replication cannot proceed because cannot maintain uniform access control list on replicas
The database replica has not received ACL changes: To receive ACL changes from a source server, the
database replica on the destination server must give the source server Manager access and the source
server must give the destination server at least Reader access.
For more information on server access, see the chapter ″Creating Replicas and Scheduling Replication.″
The new replica contains the ACL of the source server but you did not copy the ACL: A replica stub
is an empty replica that has not yet been populated with documents. When you select File - Replication -
New Replica, Notes creates a replica stub and populates it with documents, either immediately or at the
next scheduled replication, depending on the option you select.
For more information on server access, see the chapter ″Creating Replicas and Scheduling Replication.″
The server times are not synchronized: If you create a complete replica immediately (rather than
creating a replica stub) and the time on the source server is later than the time on the destination server,
the new replica contains the ACL from the source server.
A replica stub on a workstation hasn’t been manually replicated: If users create replica stubs on their
workstations and don’t populate them with documents according to a schedule, they must manually
replicate to populate the database replica with documents.
The server storing the replica stub doesn’t have adequate access to pull information: If you rely on
scheduled replication to populate a replica stub, the server storing the replica stub must have at least
Reader access in the source server replica ACL to pull the documents from the source server.
For more information on server access, see the chapter ″Creating Replicas and Scheduling Replication.″
An appropriate Connection document between two servers isn’t in place: If you rely on scheduled
replication to populate a replica stub on a server with documents from a replica on another server, a
correctly-configured Connection document must exist between the two servers storing the replica and the
replica stub. Confirm with your Domino administrator that an appropriate Connection document exists.
Replication is disabled: Notes cannot populate a replica stub if replication is disabled on the source or
destination server replica. To check if replication is disabled for the database, see if the ″Temporarily
disable replication″ option is deselected. This option is found on the Other panel of File - Replication -
Settings in the Notes client.
Servers don’t have adequate access to the database: To receive document deletions, the ACL on a
destination server replica must give the source server Editor access or higher and have the access level
privilege ″Delete documents″ selected.
A replication setting is preventing deletions from replicating: Check these replication settings in File -
Replication - Settings in the Notes client:
v On the Send panel, the option ″Do not send deletions made in this replica to other replicas.″ A source
server doesn’t send deletions to another replica if this setting is selected.
v On the Advanced panel, the Deletions option under ″Replicate incoming.″ A replica doesn’t receive
deletions if this setting is not selected.
Unexpected deletions occur in a replica: Check these replication settings in File - Replication - Settings
in the Notes client:
v On the Advanced panel, deselect ″Replicate incoming: Deletions″ to prevent a database from receiving
deletions made in other replicas.
v On the Other panel, select ″Do not send deletions made in this replica to other replicas″ to prevent a
database from sending deletions
Unexpected deletions may also occur for any of the following reasons:
There is a new replication formula in place: A new replication formula overrides previous formulas
and removes documents that don’t match the formula.
A purge interval prevents replication of deletions: When a document is deleted, it leaves behind a
deletion stub. When the database replicates, Notes uses the deletion stub to identify and delete the same
document in the replica.
To save disk space, Notes purges deletion stubs that remain from document deletions according to the
replication setting ″Remove documents not modified in the last [ ] days.″ If Notes purges the deletion
stubs before they have a chance to replicate, deleted documents can reappear after the next replication.
This option is on the Space Saver panel of the File - Replication - Settings dialog box in the Notes client.
Using NOTES.INI settings to troubleshoot roaming user configurations: You can use two NOTES.INI
settings to collect information when troubleshooting a roaming user problem. After setting up a roaming
user or upgrading a Notes user to a status of roaming user, add these two NOTES.INI variables to the
NOTES.INI file on the Notes client. The Notes client will generate debug codes to the file specified in the
Debug_Outfile setting. You can then provide this information to Support to assist you in resolving
problems.
debug_outfile=path to a file
debug_roaming=1
Problems when you create or modify a certifier: If you have problems creating or modifying a
server-based CA -- for example, the CA process doesn’t load when you issue the command Tell Load CA
or returns an error -- check the following:
v The administrator’s location document must point to the server on which the CA process is running.
v The mail file location on the Mail tab of the administrator’s location document must point to the server
on which the CA process is running.
v The administrator’s public key must be in the Domino Directory for the server specified in the location
document.
v CA administrators must have at least Editor access to the master Domino Directory for the domain.
To see the results of any CA process operation immediately, at the server console type:
tell adminp process all
Then
tell ca refresh
Then
tell ca stat
to see if the changes have been processed. You may need to repeat the process more than once.
For more information about configuring and using a server-based CA, see the chapter ″Setting Up a
Domino Server-Based Certification Authority.″
You can also search for solutions to common problems on the IBM Lotus Support Services Web site at
www.ibm.com/software/lotus/support/.
The administrator can’t enter commands at the server: If an administrator can’t run the workstation
program on the server, run stand-alone server programs, or use the Load, Tell, or Set Configuration
commands, the console has been password-protected.
Use the Set Secure command at the console or use the Domino Administrator to clear the password.
For information on using the Set Secure command, see the appendix ″Server Commands.″
Users can’t see a new server in the list of servers: If users can’t see a new server when they try to add,
create, copy, or replicate a database, make sure that the Domino Directory contains a Server document for
the new server and that the information in the document is accurate and correctly spelled. If no Server
document exists, create one and then make sure that the new Server document replicates to all servers in
the domain. If a Server document exists and contains accurate information for the new server, check the
log file on both the user’s home server and the inaccessible server to see if there are network problems.
″Server not responding″: The message ″Server not responding″ may appear when you install a client or
try to open any database on a particular server.
1. Check that the Domino server and the network are running.
Note: If full trace logging is enabled in the NOTES.INI file, the log file records detailed information
about failed attempts to connect to a remote server. The PassThru_LogLevel is typically set 0 to
minimize unnecessary logging.
4. If you’re using NetBIOS, make sure it’s configured properly and that it’s running on the workstation
or server. The workstation and the server must use the same version of NetBIOS, and the server must
be enabled for sufficient NetBIOS sessions.
Also, filters might prevent broadcast traffic from Notes from crossing a bridge or router. Bridges and
routers are often configured to suppress broadcast traffic by default, and NetBIOS uses broadcasts to
communicate on networks.
″You are not authorized to access the server″ or similar problems: When users or servers get a ″not
authorized to access the server″ message, try these tips to identify and then fix the problem.
1. Check the Domino Directory .
2. Check the server ID.
3. Check that the user has the proper certification to access the server.
4. Check for network or hardware problems.
Checking the Domino Directory for errors that affect server access: Many conditions that prevent
proper access to servers can be traced to the Domino Directory.
1. Verify that these fields in the Server document contain the correct information and spelling. For each
change you make, be sure to save the Server document before attempting to access the server again.
Checking the server ID for a problem that affects server access: When the message ″You are not
authorized to access that server″ appears, the problem can sometimes be the server ID.
1. Check for a damaged server ID. If a server ID is damaged, the Domino server may start, but users
won’t be able to access it. Also, the message ″Server Error: Damaged ID″ appears when you start the
Domino server.
If the server ID was recently recertified, the ID may have been damaged if the Domino server wasn’t
shut down before the server ID was recertified or merged.
If you suspect that the server ID is damaged, you can replace the server ID with a new ID.
2. Verify that the server has all of the required certificates.
a. From the Domino Administrator, click the People and Groups tab.
b. From the tool bar, click Certification - ID file.
c. Choose the appropriate server ID file and click Open.
d. Click Certificates to display the certificates held by the server.
e. Recertify the server ID, if necessary.
Replacing the server ID: If you suspect that the server ID is damaged, replace it with a backup of the
ID. If you don’t have a backup of the server ID available, create a new server ID. Be sure to use the same
name on the new ID as you used on the old ID.
1. Shut down the Domino server.
2. Rename the old server ID -- for example, Server.OLD. You must rename the ID to force the ID file to a
new location on the hard disk.
3. Copy the backup (or new) server ID to the correct location on hard drive. ID files are typically located
in the Notes\Data directory.
4. Restart the server.
You can also search for solutions to common problems on the IBM Lotus Support Services Web site at
www.ibm.com/software/lotus/support/.
How to troubleshoot server crashes: The most common causes of server crashes are the following:
v Low or depleted system resources
v High server workload
v Software problems
v Network problems
v Changes to network or operating system environments
v Changes in hardware configuration -- for example, upgraded NICs -- or software configuration
Use these steps to troubleshoot a server crash. If, after completing these steps, you haven’t resolved the
problem, consult your technical support representative.
1. Collect system information:
v Domino server version
v Operating system version (SYSLEVEL information if the operating system is OS/2, by typing
SYSLEVEL at an OS/2 prompt).
v Network type and version; network protocol(s) and version(s) (including file dates)
Note: If a crash doesn’t produce an NSD log file, the server may be out of disk space or memory.
8. Restart the server.
9. Check the Miscellaneous Events view in the log. Record all entries that occurred immediately before
and after the crash. To do this, double-click the appropriate entry to open it. In particular, look for an
NSF file in the entry, which may indicate where the crash occurred. If a particular database appears
to have caused the crash, check the replication history of that database for additional information.
10. Collect these configuration files:
v NOTES.INI -- All platforms
v Windows diagnostics file
Server crashes -- Problems and error messages: These topics describe problems and errors that may
cause a server crash:
v Corrupt database causes a server to crash
v Corrupt view causes a server to crash
v Server crashes while updating a database index
v The Router task causes the server to crash
v Domino OS/2 server crashes
Corrupt database causes a server to crash: If an ″Unable to copy database,″ ″Unable to copy document,″
or similar message appears in the Miscellaneous Events view of the log, a database is corrupted. Do one
of the following to correct the problem:
v Run the Fixup task. Use this task if the database is in Domino 5 or higher format and if you’re not
using transaction logging, or if the database is in Domino 4 format.
Note: The Fixup task can take a significant amount of time to run on a large database or on the entire
server.
For more information on using Fixup to repair corrupted databases, see the chapter ″Maintaining
Databases.″
Corrupt view causes a server to crash: If a server crash seems related to a corrupt database view, run
the Updall task on the database with the -r option:
Load updall databasename -r
Note: The Updall task can take a significant amount of time to run on a large database. It will also take a
significant amount of time if you run Updall without specifying the database name, which forces the task
to run on all databases on the server.
Server crashes while updating a database index: If a server crashes while updating a database index,
do the following:
1. Run the Updall task on the database with the -r option to fix a damaged database index:
Load updall databasename -r
Note: The Updall task can take a significant amount of time to run on a large database. It will also
take a significant amount of time if you run Updall without specifying the database name, which
forces the task to run on all databases on the server.
2. If Updall does not fix the problem, use this procedure:
a. Make a replica of the corrupted database. Be sure to give the replica a new file name.
b. Delete the original corrupted database.
c. Use the original database file name to rename the new replica.
d. Restart the server.
The Router task causes the server to crash: In many cases, a crash occurs while a particular task is
running. You can often determine the task from the crash screen or from the NSD log file. If the crash is
related to the Router task, there could be a problem with MAIL.BOX.
1. Rename MAIL.BOX.
2. Restart the server. The server will automatically create a new MAIL.BOX.
3. Copy and paste the messages from the old MAIL.BOX to the new MAIL.BOX.
Domino OS/2 server crashes: If an OS/2 server crashes, a message resembling the following appears:
Trap 000C Internal Processing error at Location #nnn:nnn
Trap 000D CS=nnnn IP=nn xxxxx
CSLIM = nnnn
Crashed network drivers or an OS/2 problem may cause this error. Record the addresses and report them
to your network administrator. Then restart the server.
Codes that display when an OS/2 server crashes: When an OS/2 server crashes, the console displays an error
code. Record the code.
all addresses.
C/12 Stack exception There is a software problem. Ignore this code if it follows a code D/13.
D/13 General protection There is a software problem or a corrupted database.
F/15 Coprocessor error There is a bad coprocessor chip.
NSD log files: NSD log files can help determine the cause of a server or workstation crash. A program
called NSD (nsd.exe for W32 platforms, nsd.sh for Unix platforms) creates these files in the Domino data
directory (for a server) or in the Notes data directory (for a workstation). The files contain information
about the tasks which were running when it crashed as well as general system information.
Deleted server not removed from Health Monitoring view: When a Domino server is deleted from the
domain using the Configuration - All Server Documents view - Delete Server action, all references to the
server are removed from the views in the Domino Administrator Client, with one exception:
Configuration - Health Monitoring - Server Components view. The deleted server remains listed in this
view under the category: ″The Domain of the following servers has not yet been determined but will be
determined″. In addition, if you manually delete the server document in this view, it will return.
To permanently remove the deleted server from the Configuration - Health Monitoring - Server
Components view, perform the following steps:
1. From the Domino Administrator, open the Server - Monitoring view.
2. Select Administration - Refresh Server List menu item. Refresh the list for the domain from which the
server was deleted. The deleted server no longer appears in this view.
3. From the same view, click Stop to disable the Domino Administrator Server Monitor.
4. From the Configuration - Health Monitoring - Server Components view, delete the Server Component
document for the deleted server.
Server.Load -- Troubleshooting
The dynamic link library NNOTES.DLL could not be found in the specified path: Check to see if
SLOAD.EXE was copied to the Notes program directory. Copying SLOAD.EXE to the Notes program
directory should resolve the issue.
″Error detected on ’changeto’: ’No such port known’ (0x0A25)″: This message appears when you use a
custom script. Enable the port by choosing File - Preferences - User Preferences and selecting Ports.
″Error in NIFFindView″ messages: Adding documents to a folder that does not exist returns the
following:
Error in NIFFindView
add 10 -f $ABC
Error in NIFFindView: 0x0404--Entry not found in index
’add’ summary: Added 10 notes
Although it states that 10 notes (documents) were added, no documents were actually added. Create a
folder before adding documents.
″Error in NSFItemAppend: 0x013B--Memory allocation request exceeded 65,000 bytes″: This message
appears when you attempt to add a document containing a non-summary text item that is larger than
65KB. Do not create non-summary items that exceed 64KB.
″Cannot create greater than 512 sessions, sessions count reduced to 512.″: The value supplied for
Server_MaxSessions was greater than the limit of 512 for the NT platform. The session count will be
reduced to 512, and the built-in Idle Workload will continue to open 512 sessions to the Domino server.
Smart Upgrade Tracking Reports are not being created: If you are having problems with Smart
Upgrade, verify that you have enabled Smart Upgrade Tracking.
For information about enabling Smart Upgrade Tracking, see the chapter ″Upgrading Notes Clients.″
If you are not seeing any Smart Upgrade Tracking reports add the following NOTES.INI variables to the
NOTES.INI file on the server that you are using to run Smart Upgrade. If Smart Upgrade fails, you can
use the information that is generated and stored by these NOTES.INI settings to provide Support with
information that they can use to resolve any Smart Upgrade problems you may be having.
v Debug_Outfile --Specifies the file name to which to send all console output, so that it can be sent to
IBM Support for analyis.
v Debug_ThreadID -- Prepends all console output with the Process ID and Thread ID of the thread that
generated the output.
If the information that is generated after setting the Debug_Smart_Upgrade NOTES.INI setting indicates
that a kit is not available for the user, check the Smart Upgrade database to determine whether a kit has
been configured. If a kit has been configured but the user is not being notified, use the USER.ID of the
Notes Client user and open the Smart Upgrade database to determine if that user can access the kit. If
not, add the user to the Allowed Users and Server field on the Administration tab of the Smart Upgrade
Kit document.
For more information about these NOTES.INI variables, see the Appendix ″NOTES.INI File.″
Using the Smart Upgrade Log file for troubleshooting: When a Smart Upgrade attempt is made from
the Notes Client using the File - Tools - Notes Smart Upgrade menu option or when Smart Upgrade is
initiate due to automatic prompting that occurs in the Notes Client, a Smart Upgrade Tracking file is
generated in the following directory for that Smart Upgrade session.
datadirectory\IBM_TECHNICAL_SUPPORT\SmartUpgrade
When the file is created is named SmartUpgrade.log, but when the Smart Upgrade session is complete,
the file is copied to new log file with a new file name. The information in this file is useful when
troubleshooting Smart Upgrade problems. This file is also used by the Smart Upgrade Tracking feature
when the feature is enabled. The file name is composed of several variables as shown:
SmartUpgrade_ADMIN1450_2005_07_05@13_21_08.log
Where
v SmartUpgrade is the first component of the new file name
v ADMIN1450 is the OS machine name and is added after SmartUpgrade_
v 2005_07_05@13_21_08 are the date and time, respectively.
v The file name extension .log is appended to file name.
The SmartUpgrade.log file is then truncated to zero (0) length until the next Smart Upgrade session.
Invalid transaction log path: If Domino cannot access the transaction log path, the server console
displays error messages indicating: the invalid log path, databases requiring media recovery or Fixup,
and a panic.
1. Check the log path to make sure it exists.
2. Check that the server has write access to the log path.
3. If the log path is correct and the device is good, restart the server. The problem should be fixed and
you do not need to continue to step 4.
4. If log path is correct but the device is bad, replace the device on the log path, or edit the
TRANSLOG_Path setting in NOTES.INI to point to a different log path.
Note: If you edit the TRANSLOG_Path setting when you restart the server, be sure to make the same
edit to the ″Log path″ field in the Server document. Otherwise, Domino reverts to the old path upon
the next server restart.
5. Restart the server. Domino creates new log files and a control file, and assigns new DBIIDs to all
Domino 5 or higher databases.
Transaction log damaged or corrupted: If the transaction log appears to be damaged or corrupted, the
server console displays error messages indicating: the log is damaged, databases requiring media
recovery or Fixup, and a panic.
The error may occur because of a failed read from or write to the transaction log.
1. Restart the server to correct the error. If the damaged log error does not appear again, the log is not
damaged.
2. Stop the server again so it shuts down cleanly.
3. Perform full database backups.
4. Restart the server.
If you continue to received the damaged log error, the active transaction log is damaged or
corrupted.
5. Delete the transaction log files and the control file.
6. Restart the server. Domino creates new log files and a control file and assigns new DBIIDs to all
Domino 5 or higher databases.
7. If ″Automatic fixup of corrupt databases″ is set to Yes in the Server document, the Fixup task runs
on the databases that require media recovery or Fixup. Otherwise, you must run the Fixup task
manually.
8. Perform full database backups.
If the error occurred during media recovery, an archived log file may be corrupted.
9. Restart the server to correct the problem, and then stop the server so it shuts down cleanly.
10. While the server is down, use the third-party backup utility to perform media recovery. If the
archived log still cannot be used, allow database backups to be restored without the transactions in
the corrupted log.
11. Perform full database backups.
12. Restart the server.
You can also search for solutions to common problems on the IBM Lotus Support Services Web site at
www.ibm.com/software/lotus/support/.
Web server -- Problems and error messages: These topics describe how to troubleshoot some common
Web server problems and errors:
v Users can’t see a list of files on a Web server or access a database
v Users can’t access a Domino Web server via the Internet
v Users are prompted multiple times for their name and password
v The browser displays ″Error 403 - Directory Browsing error - Access forbidden″
For example, if your server name is www.acme.com, then www.acme.com is the top-level realm and
www.acme.com/doc, www.acme.com/hr, and www.acme.com/marketing are the lower-level realms. If a
user authenticates with the server when accessing the home page for www.acme.com, then the user is
authenticated for www.acme.com and all lower-level realms.
However, if the user accesses www.acme.com/doc first, enters a name and password and is
authenticated, and then accesses www.acme.com/hr, Domino prompts the user for credentials again. This
second prompt occurs because the browser examines the list of realms for which Domino has successfully
authenticated the user and finds www.acme.com/doc in the browser realm list. Since www.acme.com/hr
is not a subdirectory of www.acme.com/doc, Domino requires the user to enter credentials again.
To prevent users from being prompted multiple times for their names and passwords, direct them to
access and authenticate with the highest level realm that they need to access. This way, Domino asks
users for their credentials only once during the browser session.
If a Web site includes a link to a site on another server and that site requires authentication, users will be
prompted again for their credentials.
Users can’t access a Domino Web server via the Internet: A firewall server often prevents users from
accessing a Domino Web server via the Internet. If you have a direct Internet connection, you can ping
the Domino server to see if you can access it. If you can ping the server but still can’t access it, telnet to
the server on port 1352 (see your telnet documentation for details on how to do this). If connecting with
telnet fails, the firewall server may be blocking the TCP port.
Users can’t see a list of files on a Web server or access a database: When users try to use the
OpenServer command to display a list of files on a Web server and the message ″Database browsing not
allowed″ appears, make sure the option ″Allow HTTP clients to browser databases″ is enabled in Server
document for that server.
If users try to access a database and the message ″Unauthorized exception″ appears, make sure they have
the appropriate access in the database ACL.
Browser receives error message ″Single Sign-on not Configured″ when accessing an SSO enabled
server: Verify that a Web SSO Configuration document exists for either a Web Site or for the Server
document and is enabled in the Session Authentication field. If using Web Site documents, the Web SSO
Configuration documents appear in the Internet Sites view for the specified web site. Otherwise, the Web
SSO Configuration documents appear in the Web Configurations view. You should also verify that the
Web SSO Configuration document is encrypted for the server to which the browser is connecting, by
checking the document to see that the server is listed in the participating server field.
If the Server document’s public key does not match the public key in the server ID file, then the
decryption of the Web SSO document will fail. This could happen if the ID file was created multiple
times and didn’t update the Server document correctly. Usually there is an error on the server console
indicating that the public key does not match the server ID. If this happens, then SSO fails because the
document could be encrypted with a public key for which the server does not possess the corresponding
private key necessary for decryption. The way to correct this is to copy the public key out of the server
ID, paste it into the Server document, and then recreate the Web SSO document.
The NOTES.INI variable WebSess_Verbose_Trace should be used for troubleshooting both single server
and multi-server (as in single sign-on) session-based authentication problems. Setting
WebSess_Verbose_Trace=1 enables a Domino Web server to record, at the server console, detailed
information about specific Web session-based authentication sessions, such as unauthorized,
unauthenticated, or session expiration information.
After you correct the problem, make sure to disable this setting -- remove it or set it to 0 -- because using
it slows Web server performance.
″Error 403 - Directory Browsing error -- Access forbidden″: Check the Server document for an entry in
the Home URL or Default Home page fields. To display a home page on the Web server, one or both of
these fields must contain an entry.
Web Navigator - Problems and error messages: These topics describe how to troubleshoot some
common Web Navigator problems and errors:
v Users can’t send mail to the Internet from a mailto URL
v ″TCP/IP host unknown″ and ″Remote system not responding″.
v ″URL Access Denied″ message trying to open certain Web pages.
v ″The Web Navigator Retrieval process is not running″ trying to open a Web page.
Users can’t send mail to the Internet from a mailto URL: For users to send e-mail to the Internet, you
must set up mail routing to the Internet.
″TCP/IP host unknown″ and ″Remote system not responding″: Messages such as ″TCP/IP host
unknown″ and ″Remote system not responding″ usually indicate problems with the TCP/IP setup. If you
have a direct Internet connection and are able to use the IP address to ping the remote host successfully,
the Web Navigator may not be running. If you use host names instead of actual IP addresses in
Connection documents, there may be a problem with name resolution. To fix this problem, check the
hosts file to verify that your domain name system (DNS) can resolve the name to the IP address. If you
do not have a DNS, add the entry to the server’s local hosts file, which maps host names to IP addresses.
The hosts file is usually located in the same directory as the protocol software. It has a format similar to:
If the host name is the Domino server’s common name, then the hosts file or DNS will require an alias
link as shown here:
IP Fully
IP Host Qualified IP Alias name
Domino server name name Domain Name entry IP Address Comment
Red/Marketing/Acme ruby ruby.usa.com red within the host 123.3.12.212 #Red server
file or red CNAME
ruby for the DNS
″URL Access Denied″ message trying to open certain Web pages: If users try to open a Web page and
a ″URL Access Denied″ message appears, check the ″Internet Site Access Control″ section under Server
Tasks - Web Retriever in the Server document for the Web Navigator server to see if you prevented access
to that Internet server.
″The Web Navigator Retrieval process is not running″: When users try to open a Web page within the
database, they will get this message if:
v The Web task stopped running or hasn’t been started on that server. To resolve this problem, start the
Web task on the server the runs the Web Navigator.
v The server specified in the InterNotes field in either their current Location document or the Server
document for their mail server is not a server running the Web task. To resolve this problem, specify
the correct server name.
Web Administrator -- Problems and error messages: These topics describe how to troubleshoot some
common Web Administrator problems and errors:
v Unable to log in to the Web Administrator
v New policies do not appear as an option when registering users
Unable to log in to the Web Administrator: Make sure you have the proper access level and roles in
the ACL for the Web Administrator database.
For information on access to the Web Administrator, see the chapter ″Setting Up and Using Domino
Administration Tools.″
When you start the Web Administrator, Domino asks you for your name and Internet password, which
are stored in your Person document. You must enter that name and password to access the database. If
the Internet Access security setting in the Server document is set to ″less name variations, more security.″
You may need to re-create the database. The Web Administrator must be created and configured by the
HTTP server to work properly. Do not attempt to use File - Database - Replace Design or Refresh Design.
To re-create the database: Domino creates the Web Administrator database the first time that the HTTP task
runs on a server. Keep in mind that deleting the database deletes existing administrator preferences.
1. Enter this command at the console:
tell http quit
2. Delete WEBADMIN.NSF.
3. Enter this command at the console:
load http
Note: Do not try to refresh the database from the File menu using File - Database - Replace Design or
Refresh Design.
New policies do not appear as an option when registering users: If a policy that has been recently
created does not appear as an option during user registration, reload the Web Administrator so that the
new policy is available.
Task Frequency
Back up the server Daily, weekly, monthly
Monitor mail routing Daily
Run Fixup to fix any corrupted databases * At server startup and as needed
Monitor shared mail database (MAILOBJ.NSF) Daily
Monitor Administration Requests database Weekly
(ADMIN4.NSF)
Monitor databases that need maintenance Weekly
Monitor replication Daily
Monitor modem communications Daily
Monitor memory Monthly
Monitor disk space Daily, weekly, monthly
Monitor server load Monthly
Monitor server performance Monthly
Monitor Web server requests Monthly
Monitor server first domino servers Daily
* If the database is in Domino 5 or later format and you are not using transaction logging, you can use
the Fixup task to repair the corrupted database. If the database is in Domino 5 or later format and you
are using transaction logging, you cannot run the Fixup task on that database, because the Fixup task
interferes with the way transaction logging keeps track of databases. Instead, you must restore the
corrupted database from a backup. You can run the Fixup task on databases that are in Domino 4.x and
earlier format.
For information on transaction logging, see the chapter ″Transaction Logging and Recovery.″
Guidelines for backing up a Domino server: Back up all Domino server data files including databases,
template files, the NOTES.INI file, and ID files. Following your company’s standardized backup
Note: This appendix also contains a separate list of Domino and DB2 server commands, that is, server
commands that used only in a configuration consisting of Domino with DB2.
Command Description
Broadcast Sends a message to specified users or to all users of this server.
Dbcache Disable Disables the database cache when you need exclusive access to a file in it.
Dbcache Flush Closes all databases that are currently open in the database cache.
Dbcache Show Displays the names of the databases currently in the cache.
Drop Closes one or more server sessions.
Exit Stops the server. This command is identical to Quit.
Help Displays a list of server commands with a brief description, arguments (if any), and the
proper syntax for each.
Load Loads and runs a specified server task or program on the server.
Platform Controls the platform statistics data at the console.
Pull Forces a one-way replication from the specified server to your server.
Push Forces a one-way replication from your server to specified server.
Quit Stops the server. This command is identical to the Exit server command.
Replicate Forces replication between two servers (the server where you enter this command and the
server you specify).
Restart Port Disables transactions (or messages) on the specified port and then re-enables the port after
a brief delay.
Restart Server Stops the server and then restarts the server after a brief delay.
Restart Task Shuts down and then restarts a specified server task.
Route Initiates mail routing with a specific server.
Save Saves a specified note in dxl format to the data directory.
Set Configuration Adds or changes a setting in the NOTES.INI file.
Set Rules Reloads the server’s mail rules.
Set SCOS Activates or deactivates a shared mail database.
Set Secure Password-protects the console.
Set Statistics Resets a statistic that is cumulative.
Show Agents Displays the name of agents in the database you specify.
Show AI Displays the history of the expansion factor and the availability index (AI). Suggests a
good value for the NOTES.INI variable Server_Transinfo_Range=.
Show Allports Displays the configuration for all enabled and disabled ports on the server.
Show Cluster Displays the local server’s cluster name cache.
1511
Command Description
Show Configuration Displays the current value for a NOTES.INI setting.
Show Directory Lists all database files in the data directory and identifies multiple replicas of a database.
When used with the argument, -unread, shows detail on whether databases have
replication of unread marks set.
Show Diskspace Displays the amount of space, in bytes, available on the disk drive (Windows) or file
system (UNIX).
Show Heartbeat Indicates whether the server is responding.
Show Memory Used for OS/2.
Show Monitors Reports the amount of memory being used by monitors.
Show Opendatabases Displays a list of open databases on the server and detail information for the databases.
Show Performance Displays the per minute user/transaction values when the Domino Server is running.
Show Port Displays traffic and error statistics, and resources used on the network adapter card or
communications port.
Show Schedule Shows the next time that a server task will run. Includes these arguments:
Show SCOS Displays information about shared mail databases and reloads the shared mail
configuration.
Show Server Shows server status information.
Show Stat Displays Domino server statistics for one or more of the following: disk space, memory,
mail, replication, and network activity.
Show Stat Platform Displays individual and cumulative platform statistics for all servers including one or
more of the following: logical disk, paging file, memory, individual network, process, and
system.
Show Tasks Displays the server name, the Domino program directory path, and the status of the active
server tasks.
Show Transactions For each type of transaction, displays the total number of NRPC transactions, the
minimum and maximum duration of the transaction, the total time to perform all
transactions, and the average time to perform the transaction.
Show Users Displays a list of all users who have established sessions with the server.
Show Xdir Provides information about each directory a server uses for name resolution.
Start Consolelog Enables console logging.
Start Port Enables transactions (or messages) on the specified port.
Stop Consolelog Disables console logging.
Stop Port Disables transactions (or messages) on the specified port.
Sucache refresh Forces a dynamic reloading of the Smart Upgrade configuration information, displays the
state of the Domino server’s Smart Upgrade cache information, and displays Smart
Upgrade statistics gathered when the Domino server was restarted.
Sucache show Displays the current state of the Domino server’s Smart Upgrade cache as well as some
statistics gathered since the Domino server was restarted.
Tell Issues a command to a server program or task.
Trace Tests a connection to a server.
Broadcast
Syntax: Broadcast ″message″ [usernames or database]
Examples:
Broadcast ″Server ACME will be down in 10 minutes″ -- Sends a warning message about impending
maintenance on server ACME to all users on this server.
Broadcast ″(!) Server ACME will be down in 10 minutes″ -- Sends the same warning message as shown in
the example above, but this message displays in the center of the user’s screen. Note that parentheses ()
are entered as part of the command string.
Field Action
Broadcast a Choose one:
message to v ″Selected user″ to send the message to the users you selected in the middle pane of the Server -
Status tab.
v ″All connected users″ to send the message to all users with active sessions on the Domino server.
v ″All users of a database″ to send the message to all users of a particular database. Enter the
directory string for the database in the field.
Broadcast this v Enter the text of the message you want to send.
Message
Show as Click this check box to display the broadcast message in a dialog box on the users’ workstation.
dialog box on
users’
workstation
Dbcache Disable
Syntax: Dbcache disable
Description: The database cache keeps databases open. Use this command to disable the database cache
when you need exclusive access to a file that might be in the database cache. For example, to run an
application such as a virus checker or backup software, disable the cache. To re-enable the dbcache,
restart the server.
For more information on the database cache, see the chapter ″Improving Database Performance.″
Dbcache Flush
Syntax: Dbcache flush
Description: Closes all databases that are currently open in the database cache. Use this command before
maintaining databases to flush databases from the cache.
Dbcache Show
Syntax: Dbcache show
Description: Displays the names of the databases currently in the cache. use this command to see if the
database cache has a database open. Applications that cannot get exclusive access to a database may fail
if the database is in the database cache.
For more information on the database cache, see the chapter ″Improving Database Performance.″
Drop
Syntax: Drop username
Description: Closes one or more server sessions. To visually confirm which sessions are dropped, you
must enter the Log_Sessions=1 setting in the server’s NOTES.INI file.
Examples:
Drop ″Sandy″ -- Closes the current session running under the user name Sandy.
Drop ″Lee″ ″Fran″ -- Closes the sessions running under the user names Lee and Fran.
Exit
Syntax: Exit
Before you use Exit to stop the server, use the Broadcast server command to warn users so they can
finish their current tasks before you stop the server.
If you stop a server while it’s replicating databases or routing mail, these tasks resume at the next
scheduled interval after you restart the server. Replication or mail routing continues until the databases
are fully replicated and until the complete mail message is transferred or returned to sender.
Tip: You can also stop the server from the Domino Administrator. From the Domino Administrator, click
the Server - Status tab, and then click Server - Shutdown.
Help
Syntax: Help
Load
Syntax: Load programname
Description: Loads and starts a specified server task or program on the server. You can start a server
add-in program or one that takes a command line for additional data, such as a backup program. The
program you run must be on the server’s search path.
Use the Load command to run a program until it completes or, if the program runs continually, until you
stop the server. Where applicable, you can include arguments that determine how the program runs.
Note: Most server commands support the arguments ″-?″ and ″/?″ to display online help. For example,
you could enter one of these to obtain help for the server command Load Compact:
Load Compact -?
Load Compact /?
Examples:
Load Object Info OBJECT.NSF -- Loads and runs the Shared Mail Manager and passes along arguments
that execute the Info task.
Platform
Syntax: Platform <main argument> [<optional arguments>]
Description: Controls the platform statistic feature at the console. Platform statistics that are affected by
the reset command are:
v Fixed -- These statistic values do not change. They include information such as number of disks, or an
assigned name. For example, in the statistic Platform.LogicalDisk.<identifying number>.PctUtil, the
identifying number is a variable that identifies the disk. This information does not change when a
platform reset command is issued.
v Primary -- These are the individual statistic metrics on which secondary statistics are derived. For
example, a total paging file utilization statistic (Platform.PagingFile.TotalPctUtil) forms the basis for the
secondary average and peak statistics values (Platform.PagingFile.TotalPctUtil.Avg and
Platform.PagingFile.TotalPctUtil.Peak).
v Secondary -- Statistic values that are a combination of, or are derived from primary statistics.
Arguments Description
Time [<sampling period>] Used with an optional argument, changes the sampling period to the specified
value in minutes. If not used, displays the current sampling rate. Default is 1
minute.
Reset Resets the value of primary statistics to zero, and gathers new set of metrics.
Reset Interval Enable Resets all values each time a new sampling period begins. Uses the sampling
period defined using the Time argument.
Reset Interval Disable Disables the Reset Interval Enable command.
Pause Pauses the collection and update of performance data.
Resume Resumes the collection and update of performance data.
For more information on monitoring platform statistics, see the chapter ″Monitoring the Domino Server.″
Examples:
Use Platform Time <n> to start a new performance data monitoring session with a sampling period of n
minutes. This means that the statistic value can change every n minutes. For example:
platform time 5
Use the Platform Reset command so that prior existing values are not used in calculating minimum,
average, or maximum values. You may want to use this command when platform statistics have been
accumulating overnight and you want to clear out the accumulation. For example:
platform reset
Use the Platform Reset Interval Enable command to reset all values each time you begin a new sampling
period. For example:
Platform Reset Interval Enable
Pull
Syntax: Pull servername [databasename]
Description: Forces a one-way replication from the specified server to your server. You can also replicate
a single database from the specified server to your server by including the database name on the
command line. The initiating server receives data from the named server, but doesn’t request that the
other server pull data from it. This forces a server to replicate immediately with the initiating server,
overriding any replication scheduled in the Domino Directory. Enter the server’s full hierarchical name, if
applicable.
You can pull changes immediately if an important database, such as the Domino Directory, has changed
or if a database on your server is corrupted or has been deleted.
If the server is currently replicating, Domino queues the Pull server command until the current task
completes.
1516 Lotus Domino Administrator 7 Help
To check the status of the Replicator before using Pull, enter this command at the console:
Show Tasks
Examples:
Pull Marketing\Acme NAMES.NSF -- Forces one-way replication of the NAMES.NSF file from the server
Marketing.
Push
Syntax: Push servername [databasename]
Description: Forces a one-way replication from your server to the specified server. You can also replicate
a single database from your server to the specified server by including the database name on the
command line. The initiating server sends data to the named server, but doesn’t request data in return.
This forces a server to replicate immediately with the initiating server, overriding any replication
scheduled in the Domino Directory. Specify the server’s full hierarchical name, if applicable.
In effect, the Push server command is the functional opposite of the Pull server command .
Examples:
Push Marketing\Acme NAMES.NSF -- Forces one-way replication of the NAMES.NSF file to the server
Marketing.
Quit
Syntax: Quit
Description: Stops the server. This command is identical to the Server - Shutdown command. However,
the Quit server command differs from the Tell server command, which you use to stop a particular server
task without stopping the server.
If you stop a server while it’s replicating databases or routing mail, these tasks resume at the next
scheduled interval after you restart the server. Replication or mail routing continues until the databases
are fully replicated and until the complete mail message is transferred or returned to the sender.
Before you use the Quit server command to stop the server, use the Broadcast server command to warn
users to finish their current tasks before you stop the server.
Tip: You can also stop the server from the Domino Administrator. From the Domino Administrator, click
the Server - Status tab. From the tool bar, click Servers - Shutdown.
Replicate
Syntax: Replicate servername [databasename]
Description: Forces replication between two servers (the server where you enter this command and the
server you specify). Use the server’s full hierarchical name. If the server name is more than one word,
enclose the entire name in quotes. To force replication of a particular database that the servers have in
common, specify the database name after the server name. The initiating server (where you’re currently
working) first pulls changes from the other server, and then gives the other server the opportunity to pull
changes from it. You can use this command to distribute changes quickly or to troubleshoot a replication
or communication problem.
Note: The existing replication schedule between the servers determines how the second server responds
to this command. If this replication falls within the timeframe that the second server replicates with the
initiating server (based on calling schedules and the repeat interval), the second server pulls changes.
Otherwise, it waits for the next scheduled replication time.
If the server is already replicating when you issue the command, Domino queues the command until the
current replication ends. To check the status of the Replicator, enter this command at the console:
Show Tasks
To force replication in only one direction, use the Pull or Push server commands.
Examples:
Replicate Marketing\Acme -- Initiates replication between your server and the Marketing/Acme server.
The server console displays messages indicating when replication begins.
Replicate Marketing\Acme NAMES.NSF -- Initiates replication of NAMES.NSF between your server and
the Marketing\Acme.
Restart Port
Syntax: Restart Port portname
Description: Disables transactions (or messages) on the specified port and then re-enables the port after a
brief delay. The command lets you stop and start a port without stopping the Domino server.
When you are supporting Internet servers that rely on TCP/IP, you can restart the TCP/IP port and the
Internet ports enter a waiting state. The Internet ports suspend and keep checking for the TCP/IP port.
You will see the following when using restart port TCPIP:
>restart port tcpip
06/28/2002 12:34:08 PM LDAP Server: Listener failure: Request failed because the requested port is inactive
06/28/2002 12:34:08 PM LDAP Server: Suspended, waiting 20 seconds for Notes Port Driver [TCPIP] to be restarted
06/28/2002 12:34:11 PM POP3 Server: Listener failure: Request failed because the requested port is inactive
06/28/2002 12:34:11 PM POP3 Server: Suspended, waiting 20 seconds for Notes Port Driver [TCPIP] to be restarted
06/28/2002 12:34:11 PM SMTP Server: Listener failure: Request failed because the requested port is inactive
06/28/2002 12:34:11 PM IMAP Server: Listener failure: Request failed because the requested port is inactive
06/28/2002 12:34:11 PM SMTP Server: Suspended, waiting 20 seconds for Notes Port Driver [TCPIP] to be restarted
06/28/2002 12:34:11 PM IMAP Server: Suspended, waiting 20 seconds for Notes Port Driver [TCPIP] to be restarted
06/28/2002 12:34:28 PM LDAP Server: Suspended, waiting 20 seconds for Notes Port Driver [TCPIP] to be restarted
06/28/2002 12:34:29 PM Port TCPIP was successfully disabled
06/28/2002 12:34:31 PM POP3 Server: Suspended, waiting 20 seconds for Notes Port Driver [TCPIP] to be restarted
To see a list of ports you can restart, issue the console command Show Configuration.
Example:
Restart Port TCP -- Disables and re-enables the port named TCP.
Restart Server
Syntax: Restart Server
Description: Stops the server and then restarts the server after a brief delay.
If you stop a server while it’s replicating databases or routing mail, these tasks resume at the next
scheduled interval after you restart the server. Replication or mail routing continues until the databases
are fully replicated and until the complete mail message is transferred or returned to the sender.
Before you use Restart Server to stop the server, use the Broadcast server command to warn users to
finish their current tasks before you stop the server.
Tip: You can also use the Domino Administrator to restart the server. From the Domino Administrator,
click the Server - Status tab and use the tool Server - Restart.
Restart Task
Syntax: Restart Task taskname
Example: The following command shuts down and restarts the LDAP task:
Restart Task LDAP
Tip: You can also use the Domino Administrator to restart a task. From the Domino Administrator, click
the Server - Status tab and use the tool Task - Restart.
Route
Syntax: Route servername
Description: Initiates mail routing with a specific server. The Route command overrides any mail routing
schedules that you create in the Connection documents in the Domino Directory. Use the Route command
for servers that are configured for Pull, Pull Push, Push, or Push Wait routing in the Connection
document. Use the server’s full hierarchical name, if applicable. If the server name is more than one
word, enclose the entire name in quotes. To route to all pending destinations, use Route *.
Use the Route command to troubleshoot mail problems and to send mail to or request mail from a server
immediately.
If no mail is queued for routing, Domino ignores the Route command. Use the Tell Router Show
command to check for messages pending for local delivery or to check for messages held because a mail
file is over quota. To check which servers have mail queued, use this command at the console:
Tell Router show
Examples:
Route [$LocalDelivery] -- Overrides the next scheduled retry time and attempts local delivery
immediately.
Save
Syntax: Save noteid <noteid in hexadecimal format>
Description: Exports a document (noteid) from the Domino Directory (NAMES.NSF) to dxl format and
saves the dxl file to the Domino data directory.
Where
v 22D6 is the noteid
v sname represents the server name
v 2002_06_23 represents the date
v 16_22 represents the time
Set Configuration
Syntax: Set Configuration setting
Tip: You can also use the Domino Administrator to add or change many settings in the NOTES.INI file
using the Configuration Settings document.
Example:
Set Configuration Names = Names,Westnames -- Sets the NOTES.INI Names setting to specify that
Domino search both the Names and the Westnames Domino Directories.
For more information about using the Configuration Settings document to set NOTES.INI settings, see the
appendix ″NOTES.INI File.″
Set Rules
Syntax: Set Rules
Description: Reloads the server’s mail rules, enabling new rules to take effect immediately.
Set SCOS
Syntax: Set SCOS Databasename [Active | Inactive]
Description: Activates or deactivates a shared mail database. The Shared Mail tab of the Server document
lets you specify the delivery status and availability for all shared mail databases in the directory. Using
the Set SCOS command, you can change the availability of an individual shared mail database.
Prevents new messages from being deposited in the shared mail database SM000004.NSF. Users still have
access to previously-delivered messages in the database.
Set Secure
Syntax: Set Secure currentpassword
After you password-protect the console, you can not use the Load, Tell, Exit, Quit, and Set Configuration
server commands or other programs that aren’t run automatically through Program documents in the
Domino Directory or through the NOTES.INI file. Console security remains in effect until you clear the
password by entering a second Set Secure command with the same password.
Even if the console is password-protected, keep the server physically secure to prevent breaches of
security at the operating system level.
Examples:
Set Secure abracadabra -- Password-protects the console if no password is currently in effect. In this case,
the new password is ″abracadabra.″
Set Secure abracadabra sesame -- Changes the existing password ″abracadabra″ to ″sesame.″
Set Secure abracadabra -- If the console is already protected by a password -- in this case ″abracadabra″ --
entering a second Set Secure command with the same password clears the password.
Field Enter
Console Password The password you want to set
Verify The same password, again
Field Enter
Password The new password you want to set
Verify The same, new password, again
Set Statistics
Syntax: Set Statistics statisticname
Description: Resets a statistic that is cumulative. Statisticname is a required parameter that names the
statistic to be reset. You can’t use wildcards (*) with this argument.
For more information on monitoring statistics, see the chapter ″Monitoring the Domino Server.″
Example:
Show Agents
Syntax: Show Agents database name [-v]
Description: The Show Agents server command shows all agents available in the database. The verbose
mode ([-v]) shows all agents and script libraries in the database as well as detail information on both.
Examples:
Show AI
Use this command after running a server under load.
Syntax: Show AI
Description: The Show Availability Index server command shows the history of the expansion factor and
the availability index. It also shows a suggested value for the NOTES.INI variable.
Server_Transinfo_Range.
Example:
Show AI
Show Allports
Syntax: Show Allports
Description: Displays the configuration for all enabled and disabled ports on the server.
Example:
Show Cluster
Syntax: Show Cluster
Description: Displays the local server’s cluster name cache, which includes a list of all cluster members
and their status, based on information received during the server’s cluster probes.
Example:
This example displays the cluster name cache of the Mars server, which is in the Planets cluster, which is
in the Solarsys domain.
Show Cluster
Cluster Information
Cluster name: planets/solarsys, Server name: mars/solarsys
Server cluster probe timeout: 1 minute(s)
Server cluster probe count: 2604
Server cluster probe port: NetBEUI
Server availability threshold: 10
Server availability index: 98 (state: AVAILABLE)
Server availability default minimum transaction time: 3000
Cluster members (2)...
server: mars/solarsys, availability index: 98
server: saturn/solarsys, availability index: BUSY
Show Configuration
Syntax: Show Configuration setting
Examples:
Show Configuration * -- Displays all the configuration information for the server
Show Configuration ???? -- Displays any variable that is exactly 4 characters long
Show Directory
Syntax:
Show Directory
Description: Lists all database files (for example, NSF and NTF) in the data directory and specifies
whether the data directory contains multiple replicas of a database. This command works only for the
data directory; you can’t specify another directory.
Tip: From the Domino Administrator, click the Files tab to view a list of all database files in the data
directory.
Arguments:
-unread -- Shows the database name; software version; modification time; status of unread marks
replication (off or on); and whether unread marks replicated to all servers, never replicated, replicated to
clustered servers, or if the software version does not support replicating unread marks. Sample output is
shown here:
DbName Version Logged ---Modified Time---- Unread Marks Replicate Unread Marks
You can also use the Show Directory command to check which databases have transactional logging
enabled.
Show Diskspace
Syntax: Show Diskspace location
Description: Displays the amount of space, in bytes, available on the disk drive (Windows), or file system
(UNIX). If you do not specify a location, Domino displays the space available on the disk or file system
containing the Domino program directory. If available disk space is low -- for example, under 10MB --
free up disk space by deleting documents, databases, and other files that you don’t need.
Note: The Domino server starts before drives are mapped. Therefore, when you use the command, the
drives aren’t visible. To see the mapped drivers, stop and restart the Domino server or put the Domino
server in the Startup group.
Domino makes calls to the network ″redirector″ on the system it’s on.
Tip: You can also display the amount of available space by using the Domino Administrator. From the
Domino Administrator, click the Files tab. If necessary, click Tools, and then from the tool bar, click Disk
Information.
Examples:
How you enter the Show Diskspace command depends on the server’s operating system.
On a Windows 2000/2003 server, enter this command to display available space on Drive C:
Show Diskspace C
On a UNIX server, enter this command to display available space in the /USR directory of a file system:
Show Diskspace /USR
On a UNIX server, enter this command to display available space in the current directory:
Show Diskspace
Show Heartbeat
Syntax: Show Heartbeat
Description:
The Show Heartbeat server command indicates whether the server is responding.
Example:
Show Heartbeat
Show Memory
Syntax: Show Memory
Examples:
Show Monitors
Syntax: Show Monitors
Description: The Show Monitors console command reports the amount of memory being used by
monitors.
When system mail rules or headlines are used on a Domino server, the server keeps in memory the list of
databases affected so that when a note is updated, databases which must react to note updates can
quickly be found and the action taken. By default, if the action involves a programmatic check, such as a
system mail rule, the code to perform that check is cached as well. On a server with many monitors, the
memory required to cache the code to perform the monitoring may be so large that normal server
operations are affected.
Show Opendatabases
Syntax: Show Opendatabases
Description: The Show Opendatabases server command displays a list of the open databases on the
server as well as the statistics shown in the example below.
Show Performance
Syntax: Show Performance
Description: Displays the per minute user/transaction values when the Domino Server is running. To
stop showing performance, enter Show Performance a second time.
Show Port
Syntax: Show Port portname
Tip: To check port status from the Notes workstation program, choose File - Preferences - Notes
Preferences - Ports. Highlight the port and select Show Status. To check the port status from the Domino
Administrator, click the Server - Status tab, and then click Servers - Port Information. Highlight the port,
and select Show Status.
Example:
Show Port LAN0tcpip -- Displays the status of LAN0tcpip. As information appears, press PAUSE to stop
the scrolling, and press ENTER to resume scrolling. Note that using PAUSE at the console stops server
operation. Users can’t access the server until you resume the display.
Show Schedule
Syntax:
Description: Shows the next time that a server task runs. Output includes the type of task and the time it
next runs. If you enter a location as an argument, the workstation replication schedule for that
destination appears.
Arguments:
-DDM -- Shows the Domino Domain Monitoring (DDM) probes that are scheduled to run
-Replication -- Shows the next scheduled replication time and the replication type
Examples:
Show Schedule Fixup -- Shows when the Fixup task is scheduled to run next
Show SCOS
Syntax: Show SCOS [All]
Examples:
SHOW SCOS -- Displays summary information about the configured shared mail directories.
Sample output:
Shared mail: Enabled for delivery and transfer
Directory Availability Requested Actual Max Size
c:\lotus\domino\data\scos1
open for delivery 5 5 2048
c:\lotus\domino\data\shared
open for delivery 3 6 9000
Totals 8 11 11048
SHOW SCOS ALL -- Displays information about each shared mail database within a configured directory,
as well as summary information about each shared mail directory.
Sample output:
Directory: c:\lotus\domino\data\scos1 - open for delivery
Number of delivery databases requested: 5.
Number of databases: 5
Maximum Directory Size: 2048 MB
Database Availability State Size
sm000001.nsf Active Enabled 14.68 MB
sm000002.nsf Active Enabled 0.37 MB
sm000003.nsf Active Enabled 0.37 MB
sm000004.nsf Active Enabled 0.37 MB
sm000005.nsf Active Enabled 14.68 MB
Total Database Disk Size in Directory: 30.50 MB
Total Database Disk Available in Directory: 2017.50 MB
Total Database Internal Free Space for Directory: 0.33 MB
Show Server
Syntax: Show Server
Description: Shows server status information including the server name, data directory on the server,
time elapsed since server startup, transaction statistics, and the status of shared, pending, and dead mail.
Tip: To view server information from the Domino Administrator, open the Domain bookmark in the
bookmark bar on the left, right click on a server, and then choose Server Properties.
Output Description
Server name Name you gave to the server during the setup procedure.
Server directory Directory where the Domino data files are stored.
Elapsed time Days, hours, minutes, and seconds since the server was started.
Transactions Total number of times the server was used since the server started. Transactions include:
opening a database, closing a database, writing to a database, routing mail to a database,
and reading from a database.
Show Stat
Syntax: Show Stat statisticname
Description: Used without the optional statisticname argument, displays a list of server statistics for disk
space, memory, mail, replication, and network activity. To display a single statistic, enter the name of the
statistic as the optional argument. To display only a subset of statistics, add a group of statistics as an
optional argument by using an asterisk (*) as a wildcard.
You can enter this command at the server console to display statistics for the local server or at the remote
server console to display statistics for a remote server.
For more information on statistics, see the chapter ″Monitoring the Domino Server.″
Tip: To view server statistics from the Domino Administrator, click the Server - Statistics tab.
Examples:
Show Stat Database -- Displays statistics for all statistics of the type Database.x.x
For a list of statistics, see the Advanced - Names & Messages - Statistic Names view of the Monitoring
Configuration database (EVENTS4.NSF).
Description: Used without the optional statisticgroup argument, displays a list of platform statistics for
logical disk, paging file, memory, network activity, processes running, and system activity. To display
only a subset of statistics, add a group of statistics as an optional argument by using one of the qualifiers.
You can enter this command at the server console to display statistics for the local server or at the remote
For more information on platform statistics, see the chapter ″Monitoring the Domino Server.″
Examples:
Show Stat platform.logicaldisk.* -- Displays all the platform statistics in the logical disk group
To display a single statistic, enter the name of the statistic as the optional argument instead of the
wildcard (*).
For a list of all platform statistics, see the Advanced - Names & Messages - Platform Statistic Names view
of the Monitoring Configuration database (EVENTS4.NSF).
Show Tasks
Syntax: Show Tasks
Description: Displays the tasks on the server, and describes the activity of the task. Idle tasks are
indicated.
Example: Show Tasks displays the task activity or idle, such as the following sample output.
Agent Manager Executive ’1’: Idle
HTTP Server Listen for connect requests on TCP Port:80
SMTP Server Control task
Schedule Manager Idle
LDAP Server Control task
Directory Indexer Idle
Tip: You can also use the Domino Administrator to view a list of active tasks. From the Domino
Administrator, click the Server - Status tab.
Show Transactions
Syntax: Show Transactions
Description: When the Domino Server is running, displays the following for each type of transaction: the
total number of NRPC transactions (Count), the minimal duration of the transaction (Min), the maximum
duration of the transaction (Max), the total time to perform all transactions (Total), and the average time
to perform the transaction (Avg). All times are reported in milliseconds. This command identifies
transactions that require excessive amounts of time.
Show Users
Syntax: Show Users
Tip: You can also use the Domino Administrator to view the status of active users. From the Domino
Administrator, click Server - Status. Then select Database Users. A list of users displays in the middle
panel.
Example:
Show Xdir
Syntax: Show Xdir
Description: Provides information about each directory a server last used for name resolution. The
output displays the following columns of information.
DomainName The DomainName columns displays the name of the domain in which a directory resides.
If a directory is configured in the directory assistance database, the ″Domain Name″ field in the Directory
Assistance document for the directory determines the directory’s domain name.
DirectoryType
The DirectoryType column shows the type of directory. A directory can be one of these types:
v Primary -- Primary Domino Directory stored locally
v Configuration -- Configuration Directory stored locally
v Remote Primary -- Primary Domino Directory stored remotely used by a server with a Configuration
Directory
v Secondary -- Extended Directory Catalog, secondary Domino Directory, or remote LDAP directory
configured in the directory assistance database.
The DirectoryType column also shows the type of domain a directory is within (Notes or LDAP). If a
directory is a remote LDAP directory configured in the directory assistance database, the directory type is
″LDAP.″ Any Domino Directory or Extended Directory Catalog is the directory type ″Notes.″
ClientProtocol
The ClientProtocol column displays the client protocol, Notes and/or LDAP, for which the directory is
enabled. For a directory configured in a directory assistance database, the value of the ″Make this domain
available to″ field in the Directory Assistance document for the directory determines what appears in this
column.
This column always shows ″Notes″ for a Configuration Directory. Usually a Primary or Remote Primary
directory show ″Notes & LDAP″ as the client protocols. An exception is if the primary directory is
configured through directory assistance and is disabled for LDAP clients; in this case only ″Notes″ shows
as the enabled client protocol.
Note: If a server uses a condensed Directory Catalog, Show Xdir also displays the text ″Directory Catalog
’filename″ in use,″ where filename is the file name of the local directory catalog.
Start Consolelog
Syntax: Start Consolelog
Example:
Start Consolelog
The Start Consolelog and the Stop Consolelog server commands enable and disable console logging just
as the NOTES.INI variable CONSOLE_LOG_ENABLED does. The difference between the server console
commands and the NOTES.INI settings is that the console commands are in effect for the current server
session only, whereas the NOTES.INI settings are ″permanent″ and take effect each time the server is
started.
Description: Enables transactions (or messages) on the specified port. Use this command after you
disable the port with the Stop Port command.
Example:
Stop Consolelog
Syntax: Stop Consolelog
Example:
Stop Consolelog
The Start Consolelog and the Stop Consolelog server commands enable and disable console logging just
as the NOTES.INI variable CONSOLE_LOG_ENABLED does. The difference between the server console
commands and the NOTES.INI settings is that the console commands are in effect for the current server
session only, whereas the NOTES.INI settings are ″permanent″ and take effect each time the server is
started.
Stop Port
Syntax: Stop Port portname
Description: Disables transactions (or messages) on the specified port. This command allows you to make
changes to the port that take effect immediately without stopping the Domino server. When you’re
finished making changes to the port, use the Start Port command to re-enable it. To see a list of ports you
can disable, issue the console command Show Configuration.
Example:
Sucache refresh
Syntax: Sucache refresh
Description: Forces a dynamic reloading of the Smart Upgrade configuration information, displays the
state of the Domino server’s Smart Upgrade cache information, and displays Smart Upgrade statistics
gathered when the Domino server was restarted. For example, the following is an example of the output
that is generated by the sucache refresh command:
Server.SmartUpgrade.Database = smupdate.nsf
Server.SmartUpgrade.Database.ReplicaID = 006D4604:85256B83
Server.SmartUpgrade.Governor = Enabled
Server.SmartUpgrade.Users.Allowed = 3
Server.SmartUpgrade.Users.Current = 0
Server.SmartUpgrade.Users.Maximum = 10
Server.SmartUpgrade.Users.Peak = 1
The Server.SmartUpgrade.Users.Rejected is the number of Smart Upgrade attempts that were rejected on
this Domino server because the server was already at the maximum concurrent number allowed in the
configuration.
Sucache show
Syntax: Sucache show
Description: Displays the current state of the Domino server’s Smart Upgrade cache as well as some
statistics gathered since the Domino server was restarted. For example, the following is an example of the
output that is generated by the sucache show command:
Server.SmartUpgrade.Database = smupdate.nsf
Server.SmartUpgrade.Database.ReplicaID = 006D4604:85256B83
Server.SmartUpgrade.Governor = Not Enabled
Server.SmartUpgrade.Users.Allowed = 3
Server.SmartUpgrade.Users.Current = 0
Server.SmartUpgrade.Users.Peak = 1
6 statistics found
Tell
Syntax: Tell serverprogram
Description: Issues a command to a server program or task. The command is especially useful for
stopping a server task without stopping the server.
Note: Most server commands support the arguments ″-?″ and ″/?″ to display online help. For example,
you could enter one of these to obtain help for the server command Tell Amgr:
Tell Amgr -?
Tell Amgr /?
Example:
Tell Router Quit -- Stops only the Router task. All other tasks on the server continue to run.
Command Result
Tell Adminp Process All Processes all new and modified immediate, interval, daily, and delayed
requests.
Trigger types:
Command Result
tell ca quit Stops CA process.
tell ca stat Displays summary information for the certifiers using the CA process; this includes the
certifier’s number, its hierarchical name, certifier type (Notes or Internet), whether it is
active, and name of the ICL database.
tell ca show queue Display a list of pending certificate requests, revocation requests, and configuration
certifier number modification requests for a specific certifier, using its number from the results of the ″tell ca
status″ command. You can also use * to show this information for all certifiers that are
using the CA process.
tell ca activate certifier Activate a certifier if the certifier is created with ″Require password to activate certifier,″ or
number password use this for any certifier that has been deactivated. Activation is enabled during CA setup
and creation. Activate a specific certifier by entering its number from the results of the ’tell
ca status’ command. Or you can actually unlock all server ID/password-protected certifiers
at one time with this command, if you specify ″*″ for the certifier number. The CA process
then prompts you for the password for each certifier.
tell ca deactivate Deactivate a certifier. You will need to activate it again in order for it to process any
certifier number request. Use * to deactivate everything, or deactivate a specific certifier by entering its
number from the results of the ’tell ca status’ command.
tell ca lock idfile Lock all certifiers that were set up with a lock ID, as specified during CA setup.
tell ca unlock idfile Unlock all certifiers using the ID and password that comprise the lock ID. The lock ID is
password specified during CA setup.
tell ca CRL issue Issue a non-regular (immediate) CRL for a specific certifier, where certifier number is the
certifier number number of the certifier specified in the results of the ″tell ca status″ command.
tell ca CRL push Push a certifier’s latest regularly scheduled CRL to the Domino Directory, where certifier
certifier number number is the number of the certifier specified in the results of the ″tell ca status″
command.
Option Action
quit Stops the Change Manager and all plug-ins.
stop Stops the Change Manager and all plug-ins. Same as Quit.
exit Stops the Change Manager and all plug-ins. Same as Quit.
help Refers you to documentation.
? Refers you to documentation. Same as Help.
restart Stops and then restarts the Change Manager and all plug-in subsystems.
start plug-in Starts the plug-in. Currently, Control and Monitor are the defined plug-ins.
stop plug-in Stops the plug-in. Currently, Control and Monitor are the defined plug-ins.
Note: Alternatively, you can also use the forms plug-in stop, plug-in quit and
plug-in kill.
restart plug-in Stops and then starts the plug-in. Currently, Control and Monitor are the
defined plug-ins.
Note: Alternatively, you can also use the form plug-in restart.
plug-in command Attempts to issue the command to the named plug-in, if it exists and is
running.
reset Resets the internal lookup caches.
control process Requests the ″PlanControl″ (control) plug-in to process and check all plans.
The log includes information about all cluster replications waiting for retry. Use this
command when the Replica.Cluster.Retry.Waiting statistic is non-zero, indicating that some
replications could not be completed and are awaiting a retry.
After you correct the errors -- for example, by restarting the server that was unavailable --
the Cluster Replicator will succeed on its next retry and the Replica.Cluster.Retry.Waiting
statistic will return to zero.
Disabling the Clrepl task on one server only prevents replication from that server to other
servers; it doesn’t prevent replication to the server from other cluster servers.
Command Result
Tell DIIOP Dump Config Provide a list of the configuration data that DIIOP is using from the Domino
Directory. Using dump the configuration is written to the file diiopcfg.txt in the
server’s data directory.
Tell DIIOP Show Config Provide a list of the configuration data that DIIOP is using from the Domino
Directory. Using show the configuration is displayed on the server console.
Tell DIIOP Log=n This command determines the amount of information the DIIOP will log about it’s
operation. Valid values for n are as follows:
The setting of this command is saved in the NOTES.INI variable DIIOPLogLevel. Any
change that is made to the DIIOP log level will be used the next time the server is
restarted.
Tell DIIOP Refresh Use this command to reload the configuration data that DIIOP is using from the
Domino Directory and from notes.ini. By default DIIOP incorporates changes from the
Domino Directory every 3 minutes or as often as specified in the NOTES.INI
parameter:
DIIOPConfigUpdateInterval
The Refresh command will force DIIOP to look for changes in the configuration and
apply them immediately.
Tell DIIOP Show Users Show all the current active users known to the DIIOP task. This list is similar to the
server console command ″show tasks″ but it includes more information. Appending
Or ″D″ to this tell command the list of current users will also include the databases the
user has open and along with a count of objects that are in use.
Tell DIIOP Show Users D
Example:
perf/user1.nsf
Command Result
Tell Dircat Pause The Dircat task finishes aggregating the directory catalog it is currently processing, and
then goes idle. Use this command before shutting down a server that is in the middle of
Dircat processing.
Tell Dircat Resume Resumes a Dircat task that is paused.
Command Result
Tell LDAP Quit Stops the LDAP task on a server.
Tell LDAP ReloadSchema When run on the Domino Directory administration server, the schema daemon
updates the LDAP service in-memory schema with any new schema changes
defined with Domino Directory forms or with the Domino LDAP Schema
database. The schema daemon then publishes the updated schema into the
Schema database, and then replicates the Schema database to others servers in
the domain that run the LDAP service.
When run on a subordinate server in the domain that runs the LDAP service,
the schema daemon replicates the Schema database from the administration
server, if it detects changes on the administration server replica. The schema
daemon then loads the updated schema now published in its local Schema
database into memory.
Tell LDAP Showconfig Shows:
v LDAP service settings from the LDAP tab of the Configuration Settings
document.
v LDAP service port settings
v Status of LDAP Activity Logging (enabled or disabled.)
Tell LDAP Showconfig Debug Shows current NOTES.INI settings related to the LDAP service, as well as the
information shown by Tell LDAP Showconfig.
Tell LDAP VerifyDIT Verifies that each component of a distinguished name in a directory that is
visible through Notes has an entry in the directory that represents the
component as an object class. If the LDAP service finds a component of a
distinguished name without a corresponding object class entry, it creates an
appropriate entry for the object class in the hidden view ($LDAPRDNHIER).
Creating such entries ensures that LDAP clients can successfully use an object
class in a search filter to search for any entry in the directory.
Command Result
Tell Router Delivery Stats Shows Router delivery statistics.
CAUTION:
If the Tell Router Update Config command is initiated on an R5 server,
it loads shared mail. The Tell Router U portion of the command loads
shared mail on R5 servers.
Tell Router Quit Stops the Router task on a server.
Command Result
Tell Sched Stats Displays totals of reservations and appointments in the free time database.
Tell Sched Show username Displays the specified user’s schedule on the server console. Use this
command to investigate problems in the free time database.
Tell Sched Validate Immediately validates a free time database on a server.
Validation occurs by default at 2 AM; however, you can use this command to
force it to occur sooner. Another way to force validation is to stop and restart
the Schedule Manager.
Validation can take some time. You must issue this command at all servers
where mail files have been removed and/or added to ensure that old free
time information is removed and new free time information is added to the
free time database on the server.
Don’t use this command when you add a new user. The Administration
process creates Person documents for users in the Domino Directory before
creating their mail file on their mail server. Schedule Manager watches for
database creations and automatically picks up new users’ mail files.
This command is faster than using the Tell Sched Validate command because
it allows you to validate individual users, rather than validating all of the
data on a server.
Tell Sched Quit Stops the Schedule Manager task on a server.
Command Result
Tell SMTP Update Config By default, whenever you restart the SMTP service, and
at two-minute intervals thereafter, the SMTP service
automatically checks the NOTES.INI file, Configuration
Settings document, and Server document to see if any
settings have changes. If the service detects that settings
have changed, it rebuilds its internal configuration to
incorporate the changes.
Command Result
Tell Web Help Lists all the Web Navigator server console commands.
Tell Web Refresh Refreshes all the Web Navigator global settings. Use this command if you edit the
Administration document while the Web server task is running.
Tell Web Quit Stops all running copies of the Web Navigator.
This command produces the same results as stopping and restarting the Web
Server. However, this Tell command is faster than stopping and restarting
because when you use the Tell command, the HTTP server task remains in
memory. All outstanding HTTP requests are processed before the HTTP task
restarts, however no HTTP requests are processed during restart.
If the authentication cookie originates from the current server, displays the
user name, IP address, and session expiration time for that web server. If the
authentication cookie does not originate on the current server, does not display
session information for users.
After a user logs out, this command continues to display the cookie as valid on
the server. The session is still valid even though the user has ended the
session.
Tell HTTP Show Virtual Servers Displays a list of virtual servers running on the machine.
Tell HTTP Quit Stops the Web Server task.
Trace
Syntax: Trace servername
Description: Use the Trace command to test a connection to a server. This command shows detailed
information about each server hop and is useful in troubleshooting network connection problems. This
command works the same way as ″Trace connections,″ when you choose File - Preferences - Notes
Preferences in the Notes client.
When you attempt to connect to a server, network trace information automatically appears on the status
bar of a Notes workstation or on the server console, depending on where you initiated the connection
attempt. You can use the NOTES.INI Console_LogLevel setting to control the level of detail that messages
on the status bar contain. Trace information is recorded in the log file (LOG.NSF).
For more information on tracing connections, see the chapter ″Setting up Server-to-Server Connections.″
For more information on the Console_LogLevel setting, see the appendix ″NOTES.INI File.″
DB2 Access
Syntax
DB2 Access Remove
Description
Runs the DB2 Access server tool and initiates the action indicated by the argument that is used with it.
Test -- Tests the DB2 Access server’s field parameters in the Server document and all DB2 Access server
settings from the NOTES.INI file. If all fields and settings are correct, it tests the connection between the
DB2 Access server and the Domino server, verifies whether the DB2 functions and properties exist,
determines whether the DB2 Access server Connection document is valid, and attempts to open the
Domino Directory on the DB2 Access Server. If the DB2 Access Test tool locates any problems, the
information is returned to the Domino server console or to the Domino Administrator client.
Remove -- Disables the DB2 Access server from a DB2 server. The DB2 Access Remove command
removes the following:
v DB2 Access Views
v DB2 Access server name from the DB2 tab of the Domino server’s Server document
v DB2 Access settings from the Domino server’s NOTES.INI file.
DB2 Catalog
Syntax
DB2 catalog active
Description
The DB2 Catalog console command displays a list of entries in the Domino server’s CATALOG table. The
entries that are listed reflect the argument used with the DB2 Catalog command. For example, DB2
Catalog Active lists all entries that have not been marked for deletion.
Arguments
Active -- Lists all entities that have not been marked for deletion.
Deleted -- Lists all deleted entities in the Domino server’s CATALOG table.
Filepath (relative to data directory file path) -- Displays DB2 entity information for the specified DB2
enabled Notes database. The DB2 enabled Notes database must be an active database, that is, it cannot be
marked for deletion.
DB2 Group
Syntax
DB2 Group
DB2 group renameclass <Old Class Name> <New Class Name>. [-xml]
Arguments
Move -- The database will be copied to the specified group. Supply the selected DB2 enabled Notes
database name and destination group. To copy a database to a new DB2 group, enter the DB2 enabled
Notes database name only, without a destination group name. The status will be returned as to the status
of the posting of the move.
Renameclass -- Renames the class name to the desired text. All groups associated with an old class name
are associated with the new class name. The maximum class name size is 32 bytes.
Setclass -- Sets the class name to the desired text. The maximum class name size is 32 bytes.
Setstate -- Locks or unlocks a DB2 group that is not yet associated with its maximum number of
DB2-enabled Notes databases. Groups that are associated with the maximum number of DB2-enabled
Notes databases, are locked automatically and cannot be unlocked.
Examples
DB2 group move test.nsf Grp00002
GRP00002 is locked
Description
The DB2 group information command provides detail, such as the class that a DB2 group is associated
with, DB2 group names, group size, lock/unlock status, path, and size of each DB2 enabled Notes
database in the DB2 group.
Examples
CLASS Support
DB2 Info
Syntax
DB2 info
Description
Example
For example, if you enter the DB2 INFO command from an AIX configuration, the output from the
command would resemble this sample output:
DB2 Server: Enabled
DB2 Server: Connected
DB2 Server Name: serverone.ibm.com
DB2 Port Number: 50000
DB2 Directory:
DB2 Instance: aixnode
DB2 Database: DOMINO
DB2 Schema: DOMINO
Schema Version: 14
DB2 Access Server: humacc
DB2 Access Path: /local1/domudf
The DB2 INFO command produces a list containing the following information:
Not Enabled
DB2 Server The DB2 server’s name or IP address. Local Server document
Host name
DB2 Port Number Number specific to the remote DB2 Port number Server document
server.
Blank
DB2 instance Instance name used by Domino Varies Server document
DB2 Node Name Node name used by Domino to access Varies Server document
DB2 on a remote DB2 server
DB2 Database DB2 database where Domino databases Varies Server document
are stored
DB2 Directory Where DB2 creates data related to DB2 Varies Server document
tables used to store Domino databases
DB2 Schema Version DB2 schema version used when Varies Server document
creating or upgrading Domino system
tables in DB2.
Default Domino Default storage type for Domino DB2 Server document
Database Storage databases.
Type NSF
DB2 Access Server Used to store Domino Access tables for Varies Server document
Name access by DB2 applications.
DB2 Access Server Path used to store Access Server files. Varies Server document
path
DB2 Code Page DB2 database code page. Varies Server document
DB2 Locale Db2 database locale. Varies Server document
Connected to DB2 Whether or not Domino is connected to Yes Domino/DB2 Run-time
a DB2 server.
No
Connect Pool Count Domino’s DB2 (XA) transaction pool Varies Domino Run-time
count.
DB2 Service Status List of DB2 services and whether they Operating System
have been started.
(Local configuration only.)
DB2 Purge
Syntax
Description
schemaName -- The schemaName argument forces all DB2 entities associated with schemaName to be
purged. The purge is immediate.
Note: This will only work if the DB2 enabled Notes database using schemaName had been marked for
deletion (see DB2 CATALOG DELETED).
DB2 Reconnect
Syntax
DB2 reconnect
Description
Reconnects the database to DB2.
For more information on the log file, see the chapter ″Using Log Files.″
There is a server console available directly at a server. There are also remote consoles available through
the Domino Administrator and the Web Administrator. The types of commands you can send to a server
using a remote console depends on the level of administrator access you have in the Server document.
For more information on restricting administrator access to a server, see the chapter ″Controlling Access
to Domino Servers.″ For information on setting console attributes for a remote console, see the chapter
″Monitoring the Domino Server.″
Some tabs in the Domino Administrator and Web Administrator automatically display information you
would normally see as the result of entering a server command at a console. For example, when you click
the Server - Status tab, and click Server Tasks you see the equivalent of the Show Tasks command. In
addition, several tabs have tool bars that let you enter a command via a dialog box. For example, you can
enter Tell commands from the tool bar on the Server - Status tab.
where filename.ext is the name of the file to which you want to save output. Enter a space after the server
command but not after the redirection symbol (>). For example, this command writes the output of the
Show Tasks command to the file TASKS.OUT in the Notes directory:
Show Tasks > TASKS.OUT
To store output in a file outside the data directory, specify the complete path to the file.
Note: On a UNIX server, log into the server account, change to the server’s Notes directory, and enter
server.
2. Press ENTER to display the console prompt (>).
3. Enter a server command.
If a command parameter contains a space, enclose it in quotation marks -- for example:
Pull "Acme Server"
Tip: To save time and space at the command line, enter the abbreviation for the server command. You
can also press the Up arrow to display a command that you previously entered.
4. (Optional) Use these key combinations, as necessary:
v Press CTRL+Q or PAUSE to stop the screen display and suspend access to the server and events in
process.
v Press CTRL+R to resume display and access to the server.
v Press CTRL+R (or ENTER) to restore a command line. For example, you might restore a command
line if an on-screen event splits it or if it disappears while you’re typing.
For information on the Server Controller and Domino Console, see the chapter ″Setting Up and Using
Domino Administration Tools.″
To send a shell command to a Controller from a remote console, use the prefix $, for example:
$Dir c:\tmp
If you are sending several shell or Controller commands, you can change to Shell or Controller command
mode in a remote console by entering the appropriate prefix in the Command box and pressing enter.
Then you do not have to specify the prefix each time you send a command. To exit the specified
command mode, enter the prefix again.
For example, to enter the Controller command mode, enter # in the Command box. When you are done
sending Controller commands, enter # again to exit Controller command mode.
#Disable user1,user2
Enable username(s) Enables an administrator’s connection that you previously
disabled using the Disable User command. To enable more
than one administrator’s connection, specify multiple names,
separated by commas, for example:
#Enable user1,user2
Kill Domino Stops the processes on a server that is not responding
Quit Stops the Domino server and the Server Controller
Refresh Admins Refreshes the Controller’s information about administrators
from the Domino Directory
Restart Domino Stops the processes on a server that is not responding and then
restarts the server
Set ControllerLogExpiration=days Specifies the number of days worth of log files to keep on the
server. Default is 7 days. Change takes effect at midnight or
when you restart the Server Controller.
Set ControllerLogFileName=path filename Specifies the name and path of log files created on a server. By
default, log files are stored in the server’s data directory with
filenames that begin with the text dcntrlr, followed by the
creation date, a sequence number and the file extension .log or
.meta. You can specify a different path, and can specify text to
replace the dcntrlr portion of the log file names.
Appendix A