Notices
DISCLAIMER: You may not copy, reproduce, translate, or reduce to any electronic medium or machine-readable form, in whole or in part, any documents, software, or files provided to you without prior written consent of IBM Corporation, except in the manner described in the documentation. While every reasonable precaution has been taken in the preparation of this manual, the author and publishers assume no responsibility for errors or omissions, nor for the uses made of the material contained herein and the decisions based on such use. Neither the author nor the publishers make any representations, warranties, or guarantees of any kind, either express or implied (including, without limitation, any warranties of merchantability, fitness for a particular purpose, or title). Neither the author nor the publishers shall be liable for any indirect, special, incidental, or consequential damages arising out of the use or inability to use the contents of this book, and each of their total liability for monetary damages shall not exceed the total amount paid to such party for this book.

TRADEMARK NOTICES
The following terms are trademarks or service marks of International Business Machines Corporation in the United States, other countries, or both: DB2, Domino, Domino Designer, Domino.Doc, Everyplace, ibm.com, K-station, LearningSpace, Lotus, Lotus Discovery Server, Lotus Enterprise Integrator, Lotus Notes, Lotus Workflow, Mobile Notes, Netfinity, QuickPlace, Rational, Sametime, Tivoli, VisualAge, WebSphere, Workplace, Workplace Messaging, and WorkPlace Shell. Java and all Java-based trademarks and logos are trademarks of Sun Microsystems, Inc., in the United States, other countries, or both. Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both. Intel, Intel Inside (logos), MMX and Pentium are trademarks of Intel Corporation in the United States, other countries, or both.
UNIX is a registered trademark of The Open Group in the United States and other countries. Linux is a trademark of Linus Torvalds in the United States, other countries, or both. Copyright 2009 IBM Corporation.
Lotus software, IBM Software Group One Rogers Street Cambridge, MA 02142
Under the copyright laws, neither the documentation nor the software may be copied, photocopied, reproduced, translated, or reduced to any electronic medium or machine-readable form, in whole or in part, without the prior written consent of IBM, except in the manner described in the documentation or the applicable licensing agreement governing the use of the software. All rights reserved. Licensed Materials - Property of IBM US Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corporation.
You must purchase one copy of the appropriate kit for each student and each instructor. For all other education products you must acquire one copy for each user or you must acquire a license for each copy provided to a user.
Table of Contents

IBM Lotus Domino 8.5 System Administration Operating Fundamentals

Lesson 1: Introducing the IBM Lotus Domino 8.5 Environment
  Topic A. Examining the IBM Lotus Domino 8.5 Architecture  2
    IBM Lotus Domino Architecture  3
    Client and Server Architectural Components  3
    Server Documents  4
    Lotus Domino Server Types  4
    Default Location Documents  5
    Client Types  7
    Overview of Lotus Notes 8.5 Features  7
  Topic B. Investigating IBM Lotus Domino Applications  8
    The Object Store  9
    Components of Lotus Domino Applications  9
    Database Types and Applications  10
    Composite Applications  11
    Required Server Applications  12
    The Lotus Domino Directory  13
    Lotus Domino Domains  13
    Single vs. Multiple Domains  13
  Topic C. Exploring IBM Lotus Domino Server Functionality  13
    Categories of Lotus Domino Services  14
    Core Lotus Domino Services  14
    Server Tasks  16
    Lotus Domino Advanced Services  16

Lesson 2
  Topic C. Navigating in IBM Lotus Domino Administrator  28
    Lotus Domino Administrator Tabs  28
    The Person Document  29
    Groups  29
    Tasks on the People & Groups Tab  29
    Tasks on the Files Tab  30
    Tasks on the Server Tab  30
    Tasks on the Messaging Tab  30
    Lotus Domino Replication  30
    Tasks on the Replication Tab  31
    Tasks on the Configuration Tab  31
  Topic D. Setting Administration Preferences  34
    Administration Preferences  34
  Topic E. Introducing Policies  36
    Policies  36
    Policy Documents  36
    Settings Documents  36

Lesson 3: Examining IBM Lotus Notes and IBM Lotus Domino Security
  Topic A. Identifying IBM Lotus Domino Security Components  40
    IBM Lotus Domino Terminology  41
    Organizations  41
    Organizational Units  42
    Organization Certifiers  42
  Topic B. Designing a Hierarchical Naming Scheme  44
    Hierarchical Naming  45
    Components of a Hierarchical Name  45
    Hierarchical Naming Example  46
    Organizational Unit Naming Recommendations  47
    Separate Server OUs  48
    Server Naming Recommendations  49
    Server Host Names and Common Names  50
    User Naming Recommendations  50
    Planning a Hierarchical Naming Scheme  51
    How to Design a Hierarchical Naming Scheme  51
  Topic C. Authenticating with IBM Lotus Domino Servers  54
    Security Controls  55
    Certificates and ID Files  56
    Types of Certificates  56
    ID Files  56
    Components of an ID File  57
    Common Certificates  57
    How Certificates Are Used in Authentication  59
    The ID Vault Feature  60
    How to Create an ID Vault  60
  Topic D. Controlling Access to Resources  62
    Introduction to Lotus Domino Access Controls  63
    Access Control Lists  63
    Roles  64
    How Lotus Domino Controls Access  64
    Stages of Access Control  65
    Security Using Groups  68
    Group Types  70
    Best Practices for Creating Groups  70
  Topic E. Determining Database Access Levels  72
    Access Control List Levels  72
  Topic F. Determining Workstation Security Levels  75
    Execution Access  75
    The Execution Control List  75

  Topic B. Designing a Mail Routing Topology  83
    Mail Routing Topologies  84
    Topology Types  84
    Hub and Spoke Topology Considerations  85
    How to Design a Mail Routing Topology  85
  Topic C. Integrating Other IBM Products
    IBM Lotus Sametime
    IBM Lotus Connections
    IBM Lotus Quickr

Appendix A: The Worldwide Corporation Infrastructure Plan
Appendix B: Certification and Exam Competencies
Appendix C: Instructor Preparation
  Additional Instructor Notes  171
Glossary  175
Index  179
Course Description
Target Student
The target audience for this course is current network or mail system administrators who are new to Lotus Domino 8.5 system administration but have some experience using the Lotus Notes 8.5 client, and who need to acquire foundational knowledge of, and working experience with, the Lotus Domino 8.5 administration tools.
Course Prerequisites
The prerequisites for this course include previous experience as a network administrator or mail system administrator, and experience using the Lotus Notes 8.5 client.
Introduction
As a Review Tool
Some of the information covered in class may not be relevant to your environment immediately, but it may become important later on. For this reason, we encourage you to spend some time reviewing the topics and activities after the course. The course can also be used in preparation for Lotus certification exams.
As a Reference
The organization and layout of the book make it easy to use as a learning tool and as an after-class reference. You can use this book as a first source for definitions of terms, background information on given topics, and summaries of procedures.
Course Objectives
After completing this course, you should be able to:
- Describe the structural components of the IBM Lotus Domino 8.5 environment.
- Perform basic IBM Lotus Domino 8.5 administration.
- Manage IBM Lotus Notes and IBM Lotus Domino security.
- Describe Lotus Domino mail routing and mail routing topologies.
- Describe Lotus Domino replication and replication topologies.
- Identify services and options that you can use to extend and enhance the functionality of the Lotus Domino environment.
Course Requirements
Hardware
Instructor Lotus Domino Server (Hub)
You will need one computer to install as the instructor Lotus Domino server.
If you plan to teach the Managing IBM Lotus Domino 8.5 Servers and Users course immediately following this class, you may choose to use that course's setup for IBM Lotus Domino 8.5 Systems Administration Operating Fundamentals. However, IBM Lotus Domino 8.5 Systems Administration Operating Fundamentals was not tested with the Managing IBM Lotus Domino 8.5 Servers and Users configuration, and you might find minor discrepancies in the activities and demonstrations.

- 1 GB of RAM or more is recommended.
- A Pentium class processor or higher; a Pentium 4, 2.6 GHz processor is recommended.
- An SVGA (or better) video card and monitor, with support for 256 colors at 1024 x 768 resolution.
- At least 1.5 GB of free hard disk space.
- A mouse or other pointing device.
- A DVD drive or access to a network file server for installation.
- A local network connection.
- Internet access (recommended).
Software
Primary Classroom Server
The following list identifies the software requirements for the primary classroom server. Please note that proper licensing for all software is required and is the responsibility of the training organization.
- One of: Microsoft Windows 2003 Server Standard or Enterprise Edition with Service Pack 2; Microsoft Windows 2003 Server x64 Edition; Microsoft Windows 2008 Standard or Enterprise Edition with Service Pack 2; Microsoft Windows Server 2008 x64 Standard Edition; Microsoft Windows Server 2008 x64 Enterprise Edition. Note: The Domino server should not run IIS or Active Directory.
- IBM Lotus Domino 8.5 Server.
- TCP/IP using either a Hosts file or DNS, with server and domain names defined in the TCP/IP protocol configuration.
Class Setup
Preparing for an ILO Class Experience
Instead of a traditional classroom instructor-led class, you may be taking this course as an instructor-led online (ILO) class. If you are participating in an online class experience, you should:
- Verify that you have the dial-in number for participants.
- If necessary, verify that you have the conference reference name or number and the password, if one is required, for the conference.
- Verify that you have the appropriate support contact information:
  - Technical support: to help resolve connection issues.
  - Content support: to answer questions about the materials presented in class.
  - Process support: to assist with understanding how an ILO class is carried out and to assure that participation is appropriate.
- Test your ability to connect to the course with the equipment you plan to use during the course. This will allow you to:
  - Test connectivity to the provider's server.
  - Download any applications or plug-ins required.
  - Become familiar with the online interface.

Instructor preparation information specific to ILO is provided in the Instructor Preparation Appendix.

Note: Some training providers will schedule a separate test session prior to your course to allow you to test connectivity; otherwise, you should plan to do this just prior to the course's start time. Your training center will provide the necessary information and instructions to you prior to your class start date.
Course Files
The first table describes the required course files used in the course or provided as additional tools.

Table 0-2: Required course configuration files

Title | File name | Function
WWCorp's directory | Names.nsf | Used to set up the classroom servers and administrators
/WWCorp certifier ID file | WWCorp.id | Used to set up the classroom servers and administrators
Hub/SVR/WWCorp's ID file | hub.id | Used to set up the classroom servers and administrators
Doctor Notes user ID file | dnotes.id | Used to set up the classroom servers and administrators
Doctor Notes mail file | dnotes.nsf | Used to set up the classroom servers and administrators
Sample databases | ideas.nsf, policies.nsf | Lesson 1: show sample databases; Lesson 4: demonstrate replication
Mail files | | Classroom mail files
mail.box | mail.box | Contains mail for students to view
Certification Log | certlog.nsf | Contains the certification log for IDs in this course
Organizational Unit | | OU certification IDs

Classroom diagrams
The executable will copy the following files to the specified locations, creating the \lotus_ed\ directory and all necessary sub-directories, if required. These files will be present both on the instructor server and instructor client machines.

Table 0-7: Supplied course files

Directory | Files
\D8L75 |
\D8L75\Lotus\Domino\Data | IDs: wwcorp.id, hub.id, dnotes.id, East.id, West.id, Svr.id. Databases: names.nsf, policies.nsf, certlog.nsf, mail.box, ideas.nsf
\D8L75\Lotus\Domino\Data\Mail | Mail files (dnotes.nsf and the other classroom mail files)
Setting up the instructor Lotus Domino server

Step | Action
1. Click Start, All Programs, Lotus Applications, Lotus Domino Server. If necessary, click Start Domino as a regular application and then click OK.
2. On the Welcome screen, click Next.
3. Verify that Set up the first server or a stand-alone server is selected, and then click Next.
4. For the Domino domain name, type WWCorp and click Next.
5. On the Specify an Administrator name and password screen, complete the following:
   a. Select I want to use an existing Administrator ID file.
   b. Click Browse and navigate to the DNotes.id file, and then click Select.
   Click Next.
6. In the Enter Password dialog box, type passw0rd and click OK.
7. For Internet services, select Web Browsers (HTTP services) and Directory services (LDAP services), and click Next.
8. Review the default enabled port drivers and host name. To change these settings:
   a. Click Customize.
   b. Disable all ports except TCP/IP.
   c. Enter the fully qualified Internet host name for the server: hub.wwcorp.com
   d. Click OK.
   Click Next.
9. On the Secure your Domino Server screen, accept the defaults and click Next.
10. Review the information selected during this session. If all information is correct, click Setup.
11. When setup completes, click Finish.
12. Before starting the server, copy the supplied files to their target directories:
    Lotus\Domino\data: names.nsf, policies.nsf, certlog.nsf, mail.box, ideas.nsf
    Lotus\Domino\data\mail: DNotes.nsf and all other mail files

Setting up the Lotus Notes client ports

From the Preferences list, select Notes Ports, and clear all ports except TCPIP. Click OK to close Preferences. Click OK in the warning dialog box. Changes will take effect once Lotus Notes is restarted. Exit Lotus Notes.
Course Icons
The following table explains the icons used in this course.

Table 0-12: Course icons

Icon | Description
Activity | An activity is a student-centered learning process that allows students to learn by performing a task. Activities can be instructor-led or completed independently.
Scenario | Scenario information is used to introduce an activity problem or goal. Scenarios use fictitious people and organizations to present details, problem statements, and parameters that are used to complete the activity or lab exercise.
Caution | Caution statements are included in the courseware to make students aware of potential negative consequences of an action, setting, or decision that are not easily known.
Tip/Note | Tips and notes provide additional information, guidance, or a hint about a topic or task.
Instructor Note | An Instructor Note is a special comment to the instructor regarding delivery, classroom strategy, classroom tools, exceptions, and other special considerations. The Instructor Note is included in the Instructor Guide only.
Topic A: Examining the IBM Lotus Domino 8.5 Architecture
Topic B: Investigating IBM Lotus Domino Applications
Topic C: Exploring IBM Lotus Domino Server Functionality
Introduction
IBM Lotus Notes and IBM Lotus Domino form an integrated messaging and Web application software platform that provides a scalable and secure infrastructure, with the flexibility and openness needed for the development and deployment of Web applications. As the system administrator, you need to understand the architecture and its key components before you can properly administer the environment.

After completing this lesson, you should be able to:
- Identify the architecture and key components of the Lotus Notes and Lotus Domino environments.
- Define IBM Lotus Domino applications.
- Describe the basic functions and processes of Lotus Domino servers.
Ask students to introduce themselves by answering the following questions:
- What is your name, company name, and current title?
- How is Lotus Domino used within your company?
- What personal goals do you hope to achieve by attending this class?
- Have you used Lotus Domino or Lotus Notes 8.5?
- Do you currently administer Lotus Domino?
Topic A: Examining the IBM Lotus Domino 8.5 Architecture

Client and Server Architecture

As you present this slide, consider providing an overview of what Lotus Domino is, including:
- Mail system
- PKI infrastructure
- Application server
- Document store or database
- Web server
A Lotus Notes and Lotus Domino environment consists of a combination of the following client and server components.
Component | Function
Lotus Domino server | A Lotus Domino server is a computer that runs the Lotus Domino server program and stores Lotus Notes applications. It runs services that manipulate Lotus Notes data. Depending on what the request is and who the client is, the server can pull information from a variety of sources, including the object store, the OS file system, a relational database, composite applications, or Web services.
Clients | Lotus Notes clients can access Lotus Domino data both on servers and locally, providing portable access to data. Web clients can access Lotus Domino data on the server to display in a browser. The iNotes Web client provides access for mobile clients.
Server Documents
When you register a server, the Server document is created. It contains many of the settings that dene how your server operates. Those settings are accessible through tabs within the Server document.
Demonstrate how a server identies and stores information specic to the machine. Use the information provided in the additional instructor notes.
Server type | Function
Domino Utility Server | Provides standard Lotus Domino application services and custom Lotus Domino applications for Lotus Notes and Web clients, as well as support for clusters. Note: This server does not include messaging services.
Domino Messaging Server | Provides messaging services. Note: This server does not include application services.

Note: Each server type installed on a system requires a different server license.
Demonstrate how a client identifies a server by showing a Location document. Use the information provided in the additional instructor notes. Optionally, demonstrate the Advanced tab, User ID to switch to field, to show how an administrator can switch IDs easily.
Locations are a feature that connects you to applications on servers by providing a place to specify information such as the name of your mail server, whether you use a passthru server, or even which Lotus Notes ID to use. When the Lotus Notes client is installed, four Location documents are created by default that contain communication and location-specific settings: Home, Offline, Online, and Travel. During configuration, Lotus Notes populates these Location documents, as well as any necessary Connection or Account documents, based on information you supply. The Lotus Notes client uses these settings, which are accessible through tabs within a Location document.
Client Types

Users who have mail files on a Lotus Domino server can use either the Lotus Notes client or an Internet client to access their mail:
- Lotus Notes clients: Use Lotus Notes protocols to send and access mail on a Lotus Domino server; a Lotus Notes client can also act as an Internet mail client.
- Internet clients: Access mail files through the Lotus Domino POP3, IMAP, or HTTP servers. POP3 and IMAP clients send mail using SMTP.

The following table describes the purpose of Lotus Notes clients and Internet mail clients.

Client | Purpose
Lotus Notes | A rich-client interface for working with Lotus Notes applications and Internet data.
Internet clients: IBM Lotus iNotes | Provides Lotus Notes users with browser-based access to Lotus Notes mail and to Lotus Notes calendar and scheduling features. Lotus iNotes includes the following modes. Full: provides a full set of features including mail, calendar, notebook, contacts, and to do list. Lite: optimized for performance in bandwidth-constrained environments, and provides access to Mail and Contacts in a streamlined user interface. Ultralite: designed for use on a mobile device, and initially supported on the Apple iPhone or iPod touch.
Web | Supports mail, Calendar, and custom Lotus Domino Web application access for Web browsers.
POP3 | Allows mail access to a POP3 compliant server. An example of a POP3 client is Microsoft Outlook.
IMAP | Supports mail access, including the folder structure, to an IMAP enabled server.
As an administrator, you do not yet want to spend the money for additional technical support or to train users on the new Lotus Notes 8.5 user interface. You are not yet upgrading the servers on the back end to Lotus Domino 8.5, so there is little reason to run the Standard client.

Built on IBM Lotus Expeditor and the Eclipse platform, with Java, Eclipse, and SWT (Standard Widget Toolkit) capabilities, the J2EE Standard client provides a broader environment with increased functionality and opportunities for innovation. The Standard client can access applications on both Domino servers and IBM WebSphere Portal servers. With a fully redesigned user interface, it offers new and improved mail, calendar, contacts, and instant messaging functionality, and introduces integration of applications and tools. The Standard client is the preferred configuration for an all-inclusive upgrade to the new features and functionality when moving from Lotus Notes 7 to Lotus Notes 8.5.
Lotus Notes 8.5 provides features to improve the core functionality of Lotus Notes. With the addition of innovative features, Lotus Notes 8.5 presents a dynamic end-user work environment, and represents an important transition in the way people communicate and collaborate. The following table describes some of the features of the Lotus Notes 8.5 environment.

Feature | Description
Infrastructure | Lotus Notes 8.5 presents a dynamic user work environment, and represents an important transition in the way people communicate and collaborate. It also elevates the team-based, electronic user experience by enriching the online community of collaboration, allowing you to improve efficiency, boost effectiveness, and expedite decision-making processes.
Calendar |
Contacts |
Components |
Topic B: Investigating IBM Lotus Domino Applications

The Object Store

Components of Lotus Domino Applications

Open the instructor mail file (DNotes.nsf) and use the interface to describe the components in the accompanying table.

Lotus Domino application element | Description
Documents (or data notes) | Contain data such as text, graphics, and various file attachments.
Application design (design notes) | Forms, views, agents, etc.
ACL entries | Security entries to control access to the contents of the Domino application.
Database header | Information about the database itself, for example the database title, replication history, etc.

Application extensions
Some applications have extensions other than NSF. The following table describes these applications.

Extension | Description
NDK | Application that contains the user's desktop settings.
NTF | Application template used to create specific types of databases, such as mail databases.
DSK | Release 5 database that contains the user's desktop settings. This extension is the same as NDK in Release 6 and higher.
NS7 | Database that retains Release 7 format.
NS6 | Database that retains Release 6 format.
NS5 | Database that retains Release 5 format.
NS4 | Database that retains Release 4 format.

Note: To retain the database format from a previous release, save the database with the appropriate extension (NS4, NS5, or NS6) prior to compacting the database on a Lotus Domino 8.5 server. Otherwise, compacting upgrades the database to the Lotus Domino 8.5 format, provided Create_R85_Databases=1 is set in Notes.ini.
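Both the port step in the server setup procedure (disable all ports except TCP/IP) and the Create_R85_Databases note above come down to two variables in notes.ini. As an added example, not part of the course materials, the following Python checker parses a notes.ini, reports port drivers other than TCPIP and a missing Create_R85_Databases=1, and rewrites the file to the classroom configuration. The notes.ini content is constructed for the example; Ports and Create_R85_Databases are real notes.ini variables, while the port-driver lines and the other values are illustrative assumptions.

```python
# Added example: check and correct the two notes.ini settings discussed in this
# lesson. Not part of the course materials. SAMPLE_NOTES_INI is constructed;
# Ports= and Create_R85_Databases= are real variables, the port-driver lines
# (TCPIP=..., LAN0=...) and the remaining values are only illustrative.
from typing import Dict, List

SAMPLE_NOTES_INI = """\
[Notes]
Directory=C:\\Lotus\\Domino\\Data
KitType=2
Ports=TCPIP,LAN0
TCPIP=TCP, 0, 15, 0
LAN0=NETBIOS, 0, 15, 0
ServerKeyFileName=hub.id
"""


def parse_notes_ini(text: str) -> Dict[str, str]:
    """Parse notes.ini into a dict.

    notes.ini is a flat list of NAME=value lines under a [Notes] header.
    Variable names are case-insensitive, so keys are normalised to upper case;
    the header and any line without '=' are skipped.
    """
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("["):
            continue
        name, sep, value = line.partition("=")
        if not sep:
            continue
        settings[name.strip().upper()] = value.strip()
    return settings


def enabled_ports(settings: Dict[str, str]) -> List[str]:
    """Return the port drivers listed in Ports=, upper-cased, in file order."""
    return [p.strip().upper() for p in settings.get("PORTS", "").split(",") if p.strip()]


def check_settings(settings: Dict[str, str]) -> List[str]:
    """Return one finding per deviation from the classroom configuration:
    only TCPIP enabled, and Create_R85_Databases=1 so compact upgrades databases."""
    findings: List[str] = []
    ports = enabled_ports(settings)
    if "TCPIP" not in ports:
        findings.append("TCPIP port is not enabled")
    extra = [p for p in ports if p != "TCPIP"]
    if extra:
        findings.append("ports other than TCPIP are enabled: " + ", ".join(extra))
    if settings.get("CREATE_R85_DATABASES") != "1":
        findings.append("Create_R85_Databases=1 is not set; compact will not "
                        "upgrade databases to the 8.5 format")
    return findings


def restrict_to_tcpip(text: str) -> str:
    """Return notes.ini text with Ports= reduced to TCPIP and
    Create_R85_Databases=1 added if missing; every other line is kept as is."""
    out: List[str] = []
    saw_create = False
    for raw in text.splitlines():
        name, sep, _ = raw.partition("=")
        key = name.strip().upper()
        if sep and key == "PORTS":
            out.append("Ports=TCPIP")
        elif sep and key == "CREATE_R85_DATABASES":
            out.append("Create_R85_Databases=1")
            saw_create = True
        else:
            out.append(raw)
    if not saw_create:
        out.append("Create_R85_Databases=1")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    before = parse_notes_ini(SAMPLE_NOTES_INI)
    for finding in check_settings(before):
        print("FINDING:", finding)
    after = parse_notes_ini(restrict_to_tcpip(SAMPLE_NOTES_INI))
    print("after fix:", check_settings(after) or "no findings")
```

Run against the constructed file, the checker reports the extra LAN0 port driver and the missing Create_R85_Databases setting; after restrict_to_tcpip the same checks return nothing. Stop the server or client before editing its notes.ini, since both rewrite the file on shutdown.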
Databases are used for a broad range of applications and solutions, as listed in the following table.

Ask students for database examples from their implementations. Open some common database types, for example: an e-mail file, a discussion (policies.nsf), or a catalog (ideas.nsf).

Type | Can be used for
E-mail | Functional out of the box. Each user has a personal e-mail database.
Group Calendar Management | Functional out of the box. Includes group scheduling functions and group calendars.
Instant messaging | Lotus Sametime software integrated with Lotus Notes provides voice, video, and telephony services.
Voice Integration | With independent vendor Lotus Domino-based voice services.
Policies and Procedures | Part of a larger Human Resources package that may have been acquired from an independent developer.
Product Catalog | Updated by selected personnel. Readable by all others.
Broadcast/Reference |
TeamRoom |
Composite Applications

A composite application is a collection of two or more distinct applications that address a business need for a specific group of users and can be accessed from one screen. Composite applications consist of different elements that allow users to implement related tasks without having to launch new windows or applications. The various parts of a composite application can interact with one another and exchange information. When views are updated or edited in one application, the corresponding views and information in the other applications are updated to reflect the modifications. There are two types of composite applications featured in Lotus Domino and Lotus Notes 8.5:
- A Lotus Notes composite application, which is stored on a Domino server and listed in a Domino Application catalog.
- A portal composite application, which is stored on an IBM WebSphere Portal server and listed in the WebSphere Portal catalog. Users can access this type of composite application using the Lotus Notes client or a Web browser.

For example, the IBM Lotus Notes 8.5 inbox is a fully functional composite application that integrates two or more elements into one user interface.
In addition to user application databases, there are several databases that support the conguration and proper functioning of the Lotus Domino environment.
Note: Required server database names are the same as in the previous release of Lotus Domino.
More information about the Lotus Domino Directory and the Administration Process is included later in the lesson.
The following table lists some of the crucial files stored on each server.
Lotus Domino Directory (Names.nsf): Directory of information about users, servers, groups, and custom entries. The documents contain detailed information about each user and server. The Directory is also a tool to manage the Lotus Domino system. For example, administrators create documents in the Lotus Domino Directory to connect servers for replication or mail routing, to schedule server tasks, and to define other Lotus Domino settings and configurations.
Administration Requests (Admin4): Tracks and records requests and processes to support automating administration tasks.
Certification Log (CertLog): Records the certifications performed with certifier IDs.
Monitoring Configuration (Events4): Stores configuration records for statistics reporting and monitoring tools, and stores a listing of server messages.
Lotus Domino server log file (Log): Stores information about performance, statistics, and activities on the Domino server.
Monitoring Results (StatRep): Records information about the activity on one or more Domino servers.
Mail Router mailbox (Mail.box): Stores mail from a user that is in route to another user.
The Lotus Domino Directory (Names.nsf) is the most important database in a Lotus Domino environment. The directory stores the information that allows Lotus Domino servers and clients to function properly. The Lotus Domino Directory is created during the first server configuration and is stored on each new server in the environment.
Note: The Lotus Domino Directory was referenced differently in earlier releases. Administrators with experience using these earlier releases of Lotus Notes and Lotus Domino may use other terminology, including: Public Address Book (PAB) and Notes Address Book (NAB).
Show the students the Lotus Domino Directory database by demonstrating the following:
1. From the Lotus Notes client, open the WWCorp directory on the server.
2. Show the views and types of documents listed in the table.
The Lotus Domino Directory answers the following questions through these document types:
Who are the users? Person documents.
What are the Lotus Domino servers? Server documents.
How do servers connect to each other and exchange information? Connection documents.
What user groups are available for mail distribution lists and access lists? Group documents.
How do servers perform special functions? Configuration documents.
Lotus Domino uses specific structures and terms to define the organization of the Lotus Domino environment. A domain is a collection of servers and users that share a single Lotus Domino Directory. The primary purpose for a domain is mail routing. The domain name is typically the company name.
Topic C: Categories of Lotus Domino Services
Tell students that Security, Messaging, and Replication services are discussed in detail in subsequent lessons.
Service: Application. Description: Provides the tools to create applications: the Lotus Domino Designer, a special client license that provides a design environment for building customized applications, including Web applications; Lotus Notes templates, models for creating applications quickly and easily; the formula language, a scripting language developed for Lotus Notes; the IBM LotusScript language, as well as support for Java, JavaScript, C++, and CORBA.
Service: Connection. Description: Enables the use of Lotus Domino with existing relational data sources.
Service: Infrastructure. Description: Provides the foundation for Lotus Domino: the application engine that runs all the scripts and puts together the completed dynamic page; core services, such as directory, messaging, security, and replication, that are the main server components of Lotus Domino; protocols that describe how to communicate with the server.
The core Lotus Domino services form the basis of a Lotus Domino infrastructure. Core Domino services include the services described in the following table.
Directory: A mechanism by which users and servers are categorized in a Lotus Domino environment.
Security: Tools and services that control access to servers and applications, including the authentication of users.
Messaging: Services, databases, and monitoring tools that support both Lotus Notes and Internet mail.
Replication: A process of periodically updating replica databases on all servers regardless of location.
Maintenance: Tools, services, and databases that support server maintenance and monitoring.
Server Tasks
While reviewing the accompanying table, show the tasks currently running on the server. From Domino Administrator, click the Server tab > Status tab > Server Tasks view. Point out that a task listed as Idle is still loaded, but not currently running.
The core services are provided using a number of Lotus Domino server tasks in conjunction with the key Lotus Domino server databases. A server task is a program provided with the Lotus Domino server that runs when loaded and activated. Server tasks serve various purposes. Some perform specific tasks, such as mail routing. Others run in the background to perform complex administration procedures, such as compacting databases and updating indexes. The following table lists some of the key server tasks and their default load times.
Administration Process: Automates a variety of administrative tasks. Load time: on server startup.
Agent Manager: Manages and runs agents on a server. An agent performs a series of automated tasks according to a set schedule or at the request of a user.
Database Compactor: Compacts all databases on the server to reclaim space freed by the deletion of documents and attachments. Load time: based on a schedule.
Event Monitor
HTTP Server: Load time: on server startup (if enabled).
Replicator
Router: Load time: on server startup (for mail servers).
Statistics (Stats): Load time: as needed.
A Lotus Notes and Lotus Domino environment can support many other applications and functionality by taking advantage of additional supplied services and expanded resources. Some of the additional services and products available for a Lotus Domino implementation are listed in the following table.
Additional services: Internet protocol support (LDAP for directories, POP3 for mail clients, IMAP for mail clients); Clustering; Partitions; Lotus Domino Enterprise Connection Services (DECS); Lotus Domino Internet Inter-ORB Protocol (DIIOP).
Complementary products: Lotus Domino Everyplace; Domino Off-line Services (DOLS); Domino Universal Connection Services (DUCS); IBM Tivoli Analyzer for Lotus Domino.
Note: Additional Lotus Domino services and products are covered in more detail later in this course.
Lesson Summary
In this lesson, you described the structural components of the IBM Lotus Domino 8.5 environment. As the system administrator, understanding the architecture and its key components can help you properly administer the Lotus Domino 8.5 environment.
Topic A: Starting IBM Lotus Domino Administrator
Topic B: Using Online Help
Topic C: Navigating in IBM Lotus Domino Administrator
Topic D: Setting Administration Preferences
Topic E: Introducing Policies
Introduction
By performing basic administrative tasks in IBM Lotus Domino Administrator, you should gain the hands-on experience you need to accomplish these tasks on the job in your own Lotus Domino environment. After completing this lesson, you should be able to:
Identify the elements of the Lotus Domino Administrator interface.
Use online help.
Navigate in Lotus Domino Administrator and perform basic Lotus Domino Administrator tasks.
Set administration preferences in Lotus Domino Administrator.
Describe policies.
Topic A: Lotus Domino Administration
Show the administration groups and roles used to control administrative access, including:
People & Groups > Groups > LocalDomainAdmins.
Server document > Security tab.
Domino Directory ACL, including roles.
Web Administrator roles (ACL on WebAdmin.nsf).
These controls will be discussed in more detail in another lesson.
Administrators in a Lotus Domino environment:
Administer one or more servers.
Add/modify users, servers, and certifiers.
Add/modify server configuration information.
Show examples of each of the following tools: Lotus Domino Administrator, Web Administrator, Server Console.
Tool: Lotus Domino Administrator. Description: Allows administrators to make changes to the Lotus Domino environment, such as: modify server settings; set up server connections; add new users, servers, and groups to the Lotus Domino environment; monitor server activity.
Tool: Web Administrator. Description: Provides administrators with the majority of features available through the Lotus Domino Administrator using a Web browser.
The Lotus Domino Administrator is the main tool for performing administrative tasks in a Lotus Domino environment. The client is included with the server software and can be installed on any supported operating system.
The Lotus Domino Administrator interface is separated into panes to help administrators manage different resources. When you click one pane, the information in the other panes is dynamically updated. The following table lists and describes some of the components of the Lotus Domino Administrator interface.
Please visit http://www10.lotus.com/ldd/dominowiki.nsf?OpenDatabase to locate videos and other informational items you can use to enhance the presentation of current concepts to the class, such as a guided tour of the Lotus Notes/Lotus Domino environment.
Contains buttons to act on documents displayed in the view.
Bookmark bar: Contains icons to display a list of servers in the domains you administer and icons to start the Notes client and Domino Designer client, if installed.
Displays a list of servers in a domain.
Displays the servers in the domain, grouped in different views.
Contains general administration tasks.
Provides a logical grouping of administration tasks organized by tabs.
Displays the results of the current task.
Provides additional functions associated with the selected tab.
The following figure displays an example of the Lotus Domino Administrator interface and its components.
Scenario: All Worldwide Corporation administrators will use the Lotus Domino Administrator client. As an administrator, you should be familiar with the Lotus Domino Administrator environment. Follow these steps to start Lotus Domino Administrator and select the Hub/SVR/WWCorp server to administer.
1. Click Start > All Programs > Lotus Applications > Lotus Notes 8.5. Log in with the user name assigned to you and the password passw0rd.
2. From the Lotus Notes client, click Open and then click Domino Administrator.
Note: Lotus Domino Administrator is accessible directly from the Lotus Applications program group. From Windows, click Start > All Programs > Lotus Applications > Lotus Domino Administrator 8.5.
3. Select the Don't show this again check box in the upper-right corner of the page and close the Welcome page.
4. In the IBM Domino Administrator, click the Favorites icon.
5. Click the Domain servers icon to display the Bookmark window for the WWCorp domain.
6. Click the Pin icon to anchor the Bookmark window.
7. Expand the All Servers section, and select the instructor's server: Hub/SVR/WWCorp.
8. How do you know which server is currently active? The currently selected server name is listed under the tabs.
9.
Topic B: Online Help Resources
Online: Help Topics available from the Help menu in Lotus Domino Administrator.
Internet:
http://www-01.ibm.com/software/lotus/ - Support, news, and product information
http://www.ibm.com/developerworks/lotus - Documentation, software downloads, and developer resources
http://publib-b.boulder.ibm.com/redbooks.nsf/portals/Lotus - IBM Redbooks
Scenario: All Worldwide Corporation administrators will use Help. As an administrator, you should be familiar with Lotus Domino terms. This activity introduces you to online Help and allows you to make your first connection to some of the terminology you will be learning during the course. Follow these steps to use the Help glossary or the Search for feature to define basic Lotus Domino concepts and terms.
1. From the Lotus Domino Administrator main menu, click Help > Help Topics.
2. Using the Search option, locate the answers to the following questions.
3. Search for the article titled Domino domains. What is a domain? A Lotus Domino domain is a collection of servers and users that share common Lotus Domino directory information.
4. Search for the article titled Hierarchical naming for servers and users. What is hierarchical naming? A system of naming associated with Lotus Notes IDs that reflects the relationship of names to the certifiers in an organization. Hierarchical naming helps distinguish users with the same common name for added security and allows for decentralized management of certification. The format of a hierarchical name is: common name/organizational unit/organization/country code, for example, Pam Tort/Fargo/Acme/CA.
5. Search for the article titled How replication works. What is replication? The process of exchanging modifications between replicas. Through replication, Lotus Notes makes all of the replicas essentially identical over time.
6. Search for the article titled User registration. What is a user ID? A file assigned to every user and server that uniquely identifies them to Lotus Notes and Lotus Domino. It is similar in function to accessing a bank's computer using an ATM card.
7. Close Help.
Topic C: Lotus Domino Administrator Tabs
People & Groups: People-related IBM Lotus Domino Directory items: person documents, groups, mail-in databases, policies, settings, and certificates.
Files: File interaction includes databases, templates, database links, and all other files in the server's data directory.
Server: Current server activity and tasks. This tab has five subtabs: Status, Analysis, Monitoring, Statistics, Performance.
Messaging: Mail-related information. This tab has two subtabs: Mail, Tracking Center.
Replication: Replication schedule, topology, and events.
Configuration: All documents used to configure the server, such as: Server documents; Configuration Settings documents; Messaging and Replication connections; Web Configuration documents; Directory Configuration documents; Monitoring Configuration documents.
A Person document describes an IBM Lotus Notes or non-Lotus Notes user in the Lotus Domino Directory. A Person document is created when you register a user via the user registration interface in Lotus Domino Administrator or when you use the Add Person action on the People & Groups tab in Lotus Domino Administrator.
Note: When you delete a user name, the associated Person document is also deleted.
Provide an overview of the People & Groups tab. During the overview, point out the screen areas as referenced and explain a Person document and a group.
Groups
A group is a list of users and/or servers that have something in common. Each group must have an owner, who is usually an administrator or an application manager. Groups can be used to:
Provide a group of users access to an application.
Deny a group of users access to a server or application.
Send mail to a distribution list.
The People & Groups tab lists:
Users in the domain.
Groups defined in the domain.
Documents defining mail-in databases and resources for scheduling.
Policies and settings documents used to streamline workstation setup.
Certificates used for authentication.
ID vaults.
Files tab:
View file information.
View disk space information.
Add, modify, and delete folder and database links.
Perform database management tasks.
Server tab:
Issue commands to the Lotus Domino server.
View server information to analyze and troubleshoot server performance.
Monitor server tasks and statistics throughout the domain.
Demonstrate the features and options available on the Server tab, such as monitoring server tasks.
Messaging tab:
Monitor mail routing and issue commands to control mail routing.
View mail routing topology maps.
Track messages and generate reports on messages sent by users.
Demonstrate the features and options available on the Messaging tab, such as monitoring mail routing or tracking messages and generating reports.
Briefly describe Lotus Domino replication. This should not be an in-depth discussion. Defer questions regarding replication and domains, as they will be covered later.
Replication tab:
View the replication schedule for a server.
View Replication Events that have previously occurred.
View Replication Topology maps.
Demonstrate the features and options available on the Configuration tab, such as the All Server Documents view, a Configuration Settings document to distinguish Server document settings, and a Connection document.
Configuration tab sections: Messaging, Replication, Directory, Web server, Monitoring Configuration, Cluster, Offline Services, Certificates, Miscellaneous.
Give examples of other domains:
Other Lotus Domino domains within the organization.
Another company's Lotus Domino domain.
A non-Domino mail system or gateway, for example, a Foreign SMTP or X.400 mail system.
Some items to remember when working on the Configuration tab include:
Each server in the domain has a Server document that contains information about the server. Lotus Domino uses this information during server startup and for security.
Some server settings are stored in the Server document; others are stored in Configuration Settings documents. Lotus Domino uses this information during server startup.
Information about how servers should establish connections is stored in Connection documents. Lotus Domino uses this information in determining how to connect to another server for replication and mail routing.
Information about other domain connections is stored in Domain documents. Lotus Domino uses this information for replication and mail routing.
Scenario: As an administrator, you should be familiar with recording current settings from the Lotus Domino Administrator client. From your Lotus Domino Administrator client, find and record the following information.
1. What is your Short name? Depends on user account, and can be located on the Person document.
2.
3. What client platform are you using? Depends on classroom equipment; appears on Administration tab.
4.
5. Of how many groups are you a member? (Hint: Use either the Manage Groups tool or an action button.) Depends on classroom configuration. Show the Find Group Member action button in the listing pane.
6. What is the total number of mail users on the classroom server? Depends on classroom setup.
7.
9.
Topic D: Administration Preferences
Administration preferences control:
The type and order of file information displayed.
The way in which Lotus Domino collects and displays server monitoring data.
The defaults to use when registering users, servers, and certifiers.
Scenario: As an administrator, you should be familiar with setting administrative preferences in Lotus Domino Administrator. Follow these steps to set the default settings for administering servers from Lotus Domino Administrator.
1. Click File > Preferences > Administration Preferences.
2. For Basics, verify that the WWCorp domain is selected, and click Edit.
3. Verify that the Domino Directory server is Hub/SVR/WWCorp.
4. Verify that Do not change location is selected and click OK.
5. Click Monitoring, and verify that Monitor servers From this computer is selected.
6. In the Poll servers every x minutes field, type 5.
7. Select Automatically monitor servers at startup.
8. Click OK to close the Administration Preferences dialog box.
Topic E: Policies
Policy Documents
Each Policy document contains pointers to selected Settings documents. This combination of the Policy document and its Settings documents constitutes one policy. You create Policy documents in the Lotus Domino Directory to distribute standard settings and configurations across groups, departments, or entire organizations.
Settings Documents
Policies contain one or more of the following Settings documents:
Lesson Summary
In this lesson, you performed basic administrative tasks in IBM Lotus Domino Administrator. Gaining the hands-on experience needed to accomplish tasks on the job will enable you to administer and support the Lotus Domino environment.
Lesson 3 Examining IBM Lotus Notes and IBM Lotus Domino Security
Topic A: Identifying IBM Lotus Domino Security Components
Topic B: Designing a Hierarchical Naming Scheme
Topic C: Authenticating with IBM Lotus Domino Servers
Topic D: Controlling Access to Resources
Topic E: Determining Database Access Levels
Topic F: Determining Workstation Security Levels
Introduction
Security mechanisms must be in place to ensure proper access to Domino servers and server components. By defining IBM Lotus Notes and IBM Lotus Domino security, you should be able to effectively control access to a Lotus Notes and Lotus Domino environment. After completing this lesson, you should be able to:
Identify components of the Lotus Domino security implementation.
Design a hierarchical naming scheme.
Locate and view certifiers.
Determine how Lotus Domino security mechanisms control server access levels and access to other resources.
Determine database access levels.
Determine workstation security levels.
Topic A: Organizations
A Lotus Domino organization defines the naming hierarchy for a Lotus Domino environment, which is used for security. The organization name can be the same as the domain name, or another name, such as a shortened version of the company name.
Note: Most companies will set up one organization and one domain. However, a company may create multiple organizations to separate different departments or divisions for security or administration purposes.
Organizational Units
An organizational unit (OU) generally defines an organization's hierarchy as it relates to people. OUs are the next level down from the organization and usually represent geographical or departmental names. The following figure shows an example of an organizational unit.
Organization Certifiers
The Lotus Domino organization certifier is a special file created at the time the first Lotus Domino server is set up in the company. It is the top of the hierarchy and is used to certify the resources in the entire infrastructure. Administrators can use the organization certifier to register other certifiers which, in turn, can be used to register users, servers, or other certifiers.
Figure (example hierarchy): User: Doctor Notes. Server: Hub.
Other certifiers to be discussed later in the lesson.
Scenario: As an administrator, you should be familiar with Lotus Domino definitions and terms. The following terms and definitions are important Lotus Domino security concepts. Write the correct term or definition.
1. Define the term hierarchical naming. System of naming associated with Lotus Notes IDs that reflects the relationship of names and certifiers in an organization. Distinguishes users with the same common name.
2. What term is defined as a collection of servers and users that share a single Lotus Domino Directory? Domain.
3. Define the term organization. An entity that authorizes users and servers to authenticate with one another. The primary purpose is security.
4. Define the term organizational unit (OU). Typically, a department or location within the organization.
5. What term is defined as a central application in the Lotus Domino domain, which contains information about users and servers, and exists on every server in the domain? Lotus Domino Directory.
6. Define the term access control list (ACL). A list of application users (individual users, Lotus Domino servers, and groups of users and/or servers) created and updated by a database manager.
Topic B: Hierarchical Naming
Components of a Hierarchical Name
Common name: The person's full given (first) and family (last) names, or the server name. Characters: 80 maximum. Required: Yes.
Organizational unit: Typically a department or location name. Characters: up to 32 per OU. Required: No.
Organization: Typically a company name. Characters: 3 to 64. Required: Yes.
Country code: ISO standard two-letter abbreviation for the country and top-level location. Characters: 0 or 2. Required: No.
Note: Since the country code is part of the fully distinguished name, each certifier that uses a country code is a different certifier, even though the organization name is the same.
For example, if Worldwide Corporation decides to use country codes, there could be three organization certifier IDs, as follows:
/WWCorp/US
/WWCorp/CA
/WWCorp/FR
Two users with the same name, Marcus Frank, work for Worldwide Corporation. One works for the Sales organization in the East regional office. The other is a member of the Human Resources department in the West regional office. The following figure shows how the two people with the same name are distinguished using hierarchical naming.
Figure 3-3: An example of hierarchical naming
If the users happen to be in the same organizational hierarchy, a middle initial or an organizational unit unique to the user can be used.
Scenario: As an administrator, you should be able to determine hierarchical names using the hierarchical naming example. To do this, refer to Figure 3-3 as you answer the following questions.
1. What is the full hierarchical name for Marcus Frank in HR? Marcus Frank/HR/West/WWCorp.
2. What is the full hierarchical name for Marcus Frank in Sales? Marcus Frank/Sales/East/WWCorp.
3. What is the full hierarchical name for Pedro Lopes? Pedro Lopes/Mktg/East/WWCorp.
4.
5.
6. What is the full hierarchical name for Gwen Carter? Gwen Carter/Services/East/WWCorp.
A hierarchical name can comprise up to four organizational units (OUs). The recommendation is to use the minimum required for unique naming.
Consider the options in the following table for creating organizational unit certifiers when designing the hierarchical naming scheme.
Location: Each locale has a separate OU for local administration of servers and users. Use this as an alternative to using the country code name component. The site or country abbreviation easily identifies the geographic location of the server or user.
Department: Each department has a separate OU, which keeps the Lotus Domino naming scheme directly in sync with the corporate organizational chart.
Work groups: Most often used to distinguish two users with the same name who work in the same department.
Note: Typically, a company would use OU1 to indicate the user's location, then use OU2 for the department. Workgroups are typically used only to distinguish two users from the same region who are in the same department. Department or workgroup OUs are not recommended if users move between departments frequently.
When naming organizational units:
Use short descriptive names.
Do not include spaces.
Create a separate OU for servers for administrative control.
Use three or fewer levels of OUs in the hierarchical naming scheme.
Benefit: Cross-certification. If two organizations wanted servers to be cross-certified, but did not want users to be cross-certified, then having each organization's servers in a separate OU would allow the creation of a server OU to server OU cross-certificate. Since the cross-certificate would be server OU to server OU, no end user from either organization would be allowed to directly access servers in the other organization. However, the servers would be allowed to authenticate and replicate.
A server name should:
Be a short, descriptive name.
Contain an abbreviation for the region where it resides.
Not contain any spaces.
Be easily expandable.
Be easily recognizable for the tasks the server performs.
For example: Hub servers in the East might be named as follows: EastHub01, EastHub02, EastHub03, and so on.
Mail servers in the West might be named as follows: WestMail01, WestMail02, WestMail03, and so on.
Note: Planning server names is particularly important, as it is a time-consuming and difficult process to change a server's name. Carefully consider the guidelines when naming a server.
The server's common name can be the server's fully qualified Internet host name (for example, Hub). Consider the following factors in deciding which format is best for the company. Use the Internet host name in the Lotus Domino server common name if clients accessing the server are:
On the Internet.
On a large distributed TCP/IP intranet.
In foreign Lotus Domino domains on a TCP/IP intranet, where server address sharing between the domains is not practical.
Use the simple Lotus Domino server common name if clients accessing the server:
Are primarily in the same Lotus Domino domain or in a domain that will share server address information with the domain.
Rely heavily on network protocols other than TCP/IP.
Require special server naming conventions better suited to the company.
Typically, a user's common name is the user's given (first) name and family (last) name. The user's common name is used for internal mail addressing and determines the user's Internet address.
Note: Lotus Domino includes an administrative tool to change a user's common name, or the user's place in the hierarchy, for example, under the following circumstances:
It is extremely important to properly plan a naming scheme for any organization. The entire security structure is based on the information provided at the time of the first server implementation. To plan a naming scheme for an organization, carefully consider:
Organization name, which should be a short and easy name. Many organizations choose to use their Internet domain or company name.
Stress to students the importance of properly planning the naming scheme. It is an arduous and administrator-intensive task to redo a hierarchy once Lotus Domino is deployed in the organization.
Organizational units, which:
Should provide an easy and simple method to organize user and server names. Multiple OU levels may be more difficult to manage.
Can be used for providing unique names.
A strategy for distinguishing identical names in the same organizational hierarchy should be determined during the planning stages.
To plan the naming scheme:
Choose a domain name.
Choose an organization name.
Decide whether or not to use country codes.
Determine organizational units based on the company's structure.
Determine server naming conventions.
Determine user naming conventions.
Scenario: Worldwide Corporation has assigned you the task of designing a hierarchical naming scheme. As an administrator, first you need to determine how to divide organizational units for Worldwide Corporation. To do this, answer the following questions.
1. How should organizational units be divided: geographically, departmentally, by workgroup, or by some other criteria? Geographically. Staff moves between geographic regions are less frequent, so they would require less recertification.
2. How many levels of organizational units are needed? One or two. Try to keep the hierarchy as simple as possible.
To create an organizational chart for Worldwide's servers and users, use the following guidelines:
Place the name of the organization in the top row.
Place the first level of organizational unit in the next row.
Place subsequent levels of organizational units, if any, below parent levels.
Place servers in their own organizational units.
Place users in the lowest level.
Use the following blank organizational chart as a guide. The number of levels and number of boxes in this chart are not indicative of the final result.
Topic C: Security Controls
Present the concepts of authentication and access controls in the Lotus Domino environment using the bank card analogy. Details on certificates and ACLs are presented in the following sections.
Security controls are used to:
Allow access to authorized users and servers.
Block access for unidentified or specific users and servers.
Authentication and access controls: Authentication establishes trust between two entities. Once trust is established, access controls determine what information is available to the entity. An entity can be a server or a client.
The bank card analogy: you present a card together with a Personal Identification Number (PIN) identifying you as the owner of the card. The PIN, along with the card, matches the account information stored in the bank. Therefore, the bank trusts that you are the owner of the card. You are allowed access to the account. By using the bank card, you are also trusting that the bank will provide the correct access. This establishes two-way trust. Once you have gained access to the account, you are allowed access to specific information based on the type of account you have. The type of account determines the level of access. This is similar to access controls that can be set on entities such as servers, clients, or databases.
Authentication is controlled by certificates that identify and verify the entity connecting to the server. A certificate is a unique electronic stamp stored in an ID file that associates a name with a public key. An ID may have many certificates. A certifier ID is a file that generates the electronic stamp to indicate a trusted relationship. Certifier IDs result when entities, such as organizations and organizational units, are created during the registration process.
Note: The certifier ID does not provide access to anything. It acts as an electronic stamp to validate other IDs. The certificate is the stamp left on the ID by the process of certification. The certificate uses an electronic signature from the certifier to associate the user's or server's name with the user's or server's public key. For example, a certificate from /WWCorp issued to Inga Neste/Sales/WWCorp means that according to /WWCorp, Inga Neste/Sales/WWCorp has a specific public key that is stored in the certificate.
Point out that certificates are contained in Lotus Notes IDs. Tell students that additional information on public and private keys is included in the Extend Lotus Domino Software appendix.
Types of Certificates
The two types of certificates are:
Notes certificates: Stored in an IBM Lotus Notes or Lotus Domino ID file that associates a name with a public key. Certificates permit users and servers to access specific Lotus Domino servers.
Internet (X.509) certificates: Let a user access a server using SSL client authentication or send an S/MIME message. Internet certificates can be stored in the Lotus Notes ID.
Note: Certifier IDs and certificates are created on the server. However, they should be moved to a very secure location, rather than left on the server. For example, copy the ID to a diskette and lock it in a cabinet. Another approach would be to migrate the certifier IDs to the Domino Directory.
ID Files
A Lotus Notes ID identifies a user or server to Lotus Domino systems. The user and server registration process creates a unique ID.
Note: The password is used to encrypt the private key and optional encryption keys as well as to access the ID file.
There are several types of ID files used in the Lotus Domino environment:
The certifier ID file allows an administrator to certify Lotus Notes users with hierarchical names. The certifier ID file stamps server, user, and other certifier IDs with its certificate.
The user ID file is created by the administrator and contains information that Lotus Notes uses to identify a user. The file contains certificates and the name of the ID owner.
The server ID file is created by the system administrators and stores IDs on the server.
Components of an ID File
An ID file contains information to identify the owner of the ID in order to determine access to resources in a domain. The following graphic illustrates the information each user or server ID contains.
Common Certificates
In order to authenticate, each side (server and client or server and server) must have a common certificate. A common certificate is a certificate derived from the same Lotus Notes or Internet (X.509) certifier, or one of its ancestors in the organizational hierarchy.
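To make the common-certificate rule concrete, here is an added Python example (not part of the course material and not IBM code) that parses abbreviated hierarchical Notes names, derives the chain of certifiers that stamped each ID, and finds the nearest certifier the two sides share. The names are constructed from the lesson's /WWCorp examples; the model covers only the hierarchical-ancestor case described above, not cross-certificates.

```python
"""Added example: which certifier do two hierarchical Notes names have in common?

Abbreviated name format is assumed: "Common Name/OU.../O", for example
"Inga Neste/Sales/WWCorp". A certifier is written with a leading slash,
for example "/Sales/WWCorp", as the lesson does.
"""
from typing import List, Optional


def parse_name(name: str) -> List[str]:
    """Split an abbreviated hierarchical name into its components, least
    significant first: "Inga Neste/Sales/WWCorp" -> ["Inga Neste", "Sales", "WWCorp"]."""
    parts = [p.strip() for p in name.strip().strip("/").split("/")]
    if not parts or any(not p for p in parts):
        raise ValueError(f"malformed hierarchical name: {name!r}")
    return parts


def certifier_chain(name: str) -> List[str]:
    """The certifiers whose stamps an ID with this name carries, nearest first:
    "Inga Neste/Sales/WWCorp" -> ["/Sales/WWCorp", "/WWCorp"].
    A flat name such as "Guest" carries no hierarchical certificate at all."""
    parts = parse_name(name)
    return ["/" + "/".join(parts[i:]) for i in range(1, len(parts))]


def common_certifier(a: str, b: str) -> Optional[str]:
    """Nearest certifier present in both chains, or None when the two IDs share
    no certificate and therefore cannot authenticate on hierarchy alone."""
    chain_b = {c.lower() for c in certifier_chain(b)}
    for c in certifier_chain(a):
        if c.lower() in chain_b:
            return c
    return None


def descends_from(name: str, certifier: str) -> bool:
    """True if the certifier appears in the name's chain, that is, the ID
    descends from that certifier (the relation a vault trust certificate relies on)."""
    target = "/" + "/".join(parse_name(certifier))
    return target.lower() in {c.lower() for c in certifier_chain(name)}


def can_authenticate(a: str, b: str) -> bool:
    """Both sides hold a common certificate, so authentication can proceed."""
    return common_certifier(a, b) is not None


if __name__ == "__main__":
    user = "Inga Neste/Sales/WWCorp"
    for other in ("Mail01/SVR/WWCorp", "Bob Lee/Sales/WWCorp", "Eve/Acme"):
        print(f"{user} <-> {other}: common certifier = {common_certifier(user, other)}")
```

The comparison is case-insensitive because Notes name matching is; a flat (non-hierarchical) name yields an empty chain and never matches, which is exactly why the lesson stresses hierarchical registration.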
Server settings control required access to the server by specifying authentication levels. The following table explains the strong authentication methods used.
Authenticate
Define the terms strong and simple authentication. Describe how authentication occurs for Lotus Notes and Web clients and for Strong, Simple, and No authentication (Anonymous).
Strong authentication occurs:
In the Lotus Notes/Lotus Domino environment.
Between Lotus Domino and other applications using Internet protocols.
In the Lotus Notes/Domino environment and outside the Lotus Domino/Notes environment (example: Internet e-mail to a Lotus Notes client), using a Lotus Notes and Internet (X.509) certificate (with S/MIME to sign Internet messages between different mail packages).
Simple: User name and password. Can be used for customers to access information about their own orders or shipments.
The ID vault feature in Lotus Domino Administrator 8.5 enables administrators to manage secured copies of Lotus Notes user IDs. Administrators configure policies to assign ID vaults for users. Once a policy has taken effect, the secured copies of user IDs are uploaded to a vault database. There are several advantages to using an ID vault:
Lost or forgotten user passwords can be easily reset or recovered.
Corrupted user ID files can be automatically replaced with the copies in the ID vault.
User IDs are automatically synchronized.
User renames and user key rollovers are automated.
In Lotus Domino Administrator, click the Configuration tab.
On the Tools menu, click ID Vaults > Create. The Create and Configure Notes ID Vault wizard will display.
Click Next.
In the Notes ID Vault name field, enter the name of your choice.
In the Notes ID Vault description field, enter a description that can also be used as the Lotus Notes ID vault database title.
Click Next.
In the Password field, enter a password of your choice.
In the Verify field, enter the password again.
If you want to change the Vault ID file location from the default, click the Location button.
If you wish to change servers, click the Change button and select an alternate server from the list of available servers and click OK. To accept the default server, click Next.
12. Your user name should be listed in the "The following administrators can manage the Notes ID vault" field. To add or remove administrators, click the Add or Remove button, select additional administrators from the list of available users, and click OK. When creating the ID vault, only one administrator needs to be specified to complete creation. To accept the default administrator, simply click Next.
13. You are not required to specify an organization during creation. If you wish to do so, click the Add or Remove button, select additional administrators from the list of available organizations, and click OK. To accept the default, click Next.
14. On the "Specify names that are authorized to reset passwords" page, to accept the default selections, click Next. Use the Add or Add to All buttons to give additional users, groups, servers, and organizational units authorization.
15. On the "How is this policy assigned" page, you can leave the default "I will specify a Notes ID vault policy at another time" selected to continue on to complete the wizard, or you can select "Create a new policy assigned to an organization", "Create a new policy assigned to specific people or group", "Create a new policy assigned to a home server", or "Edit an existing policy". After selecting an option, click Next to continue.
16. Click Create Vault.
17. Click Done.
Vault ID file location and password: The location of the vault ID file and the password are required for vault administrators to create vault replicas or to delete the vault.
Vault primary server: There can be only one primary server specified for the vault.
Vault administrator: At least one vault administrator must be specified during vault creation.
The following lists information that can be provided during vault creation or after the vault has been created:
Organizations that trust the vault for ID storage: This information is used to create Vault Trust Certificates in the Lotus Domino Directory. The Vault Trust Certificate is a cross-certificate issued to the vault, and it shows that the vault is trusted to store the IDs descended from the certifier.
List of those authorized to reset the passwords of IDs in the ID vault: This information is used to create Password Reset Certificates in the Lotus Domino Directory. The Password Reset Certificate is a cross-certificate issued to individuals, organizations, or organizational units, and it indicates who can reset or change the passwords for IDs in a vault.
List of user IDs assigned to the vault: This information is controlled through user policy configuration.
Topic D: Introduction to Lotus Domino Access Controls
Review that server security consists of authentication and access control. Authentication was described previously. This section covers access to servers and server resources (such as applications) once authentication is established.
The Access Controls slide displays the levels of Lotus Domino access control. The slide can be used in conjunction with the information on this page to describe access control.
Roles
A role identies a set of users and/or servers. Roles apply only to the database in which they are created.
Lotus Domino uses roles and an access control list to control access to databases. The following table describes how Lotus Domino controls access.
Access to / Is controlled by:
Server, including IBM Lotus Notes clients, Web clients, and other Lotus Domino servers: Server settings and restrictions (settings that allow and deny access to users, servers, Lotus Notes, and Web clients; restrictions that allow or deny access to server software and applications); Groups.
Lotus Domino file folders: File folder access controls and restrictions.
Run Java applets: Server restrictions.
Run Lotus Domino agents (programs that perform specific tasks within a database, such as sending mail messages): Server restrictions.
Databases (forms and views, documents, fields) and Web pages: Access control lists (ACLs); Groups; Roles (subsets of users or servers in an ACL, which adds an additional level of access control over those already controlled by the ACL); Encryption, for field control.
The following graphic shows the stages of access control that can be set on specific Lotus Domino components.
Figure 3-7: Stages of access control
The following table describes the access control stages. Successful authentication extracts the name in the Person document (ID file). The name is then checked against the server, file, database, data, and field access.
Stage 1, Server access: Name is checked in Server Restrictions or Deny Access for access to the server.
Stage 2, File access: Name or group is allowed access to the server's file folders.
Stage 3, Database access: Name is checked for access to the database.
Stage 4, Data access: Name is checked for view, form, read, and edit access to the document in the database.
Stage 5, Field access: ID is checked for the appropriate encryption key to access the field in the document.
Settings in the Server document determine who has access to specic components. For example: Administrators may have access to monitoring tools while users may not.
Scenario
Worldwide Corporation has enabled some security mechanisms in the Lotus Domino environment. As an administrator, you need to be aware of what security mechanisms are currently in use.
Note: If you have questions regarding the settings, use the context sensitive Help. Wildcards can be used for a group of servers; for example: */SVR/WWCorp.
Follow these steps to complete the activity. Document the current Worldwide security settings and answer the questions.
1. Click the Configuration tab > Server section > Current Server Document view.
2. Click the Security tab.
3. For the Administrators section, who are the authorized administrators? LocalDomainAdmins, LocalDomainServers, and DoctorNotes/WWCorp.
4. In the Security Settings section, does the server allow Lotus Notes users to access anonymously? (Yes / No)
5. Scroll to the Server access section. Who can create new databases on the server? Blank = All.
6. Scroll to the Programmability Restrictions section.
7. Who can run unrestricted methods and operations? Blank = No one.
8. In the Programmability Restrictions section, who can sign agents to run on behalf of someone else? LocalDomainAdmins.
Use
Describe how groups are used to allow or deny access to the server. Discuss the settings the students recorded in the previous activity. Are the settings appropriate? Why?
Use / Example:
Provide a group of users with access to a database. Example: LocalDomainAdmins allows administrators full access to the Lotus Domino Directory.
Provide a group of servers with permission to replicate a database. Example: LocalDomainServers allows servers access to Administration Requests.
Deny a group of users access to a server or database. Example: a group of terminated employees restricts access of specific employees to sensitive corporate information.
Access: reader access to own documents only; reader access to documents of all subordinates. Example: Policies.
Group Types
Group types are used to define the purpose of the group and determine the views in the Lotus Domino Directory where the group name appears. For example, the group of terminated employees appears in the Deny List view, and access control groups appear in the Access Control view.
Static groups, including a predefined set of members, are stored in the Domino Directory and can be used as mail addresses. Describe dynamic groups, such as */East/WWCorp. Tell students that these groups are used to include all entities in a particular organizational unit at the time of connection. They are not stored in the Domino Directory and cannot be used as mail addresses.
Using specific group types improves performance by reducing the size of view indexes in the Domino Directory. The following table describes the purpose of various group types.
Group type / Purpose:
Multi-purpose: Multiple uses; for example, mail, ACLs, and so on.
Access Control List only: Adding to ACLs.
Mail only: Mailing list groups.
Servers only: Server groups.
Deny List only: Terminated users or other users. Note: Deny List groups appear in a different listing.
The most effective way of allowing or denying access to a server is to create and maintain appropriate groups. To do this, assign a group name that identifies the content. For example:
The region in which the entries are located.
Global, if it is a group that contains names that span the entire organization.
Describe a nested group example. As an added security feature, administrators create two regional groups. The groups are:
Deny Access East = Access denial for people in /East
Deny Access West = Access denial for people in /West
Before deleting a user from the Lotus Domino system, the local administrator adds the user to one of the groups. Each of the groups is included in the Deny All nested group. For each server restrictions setting, Deny All has No access in the server section. This ensures immediate denial to any WWCorp server. Show the students how to create an example of a nested group:
1. Click the People & Groups tab.
2. Click Tools > Groups > Manage.
Scenario
Worldwide Corporation allows server and administration access using groups. As an administrator, you should be able to determine which groups have access to the server and which groups can administer the server. Follow these steps to determine which groups have access to the server and which groups can administer the server, and answer the questions.
1. Click the People & Groups tab > Domino Directories section.
2. Click WWCorp's Directory > Groups.
3. Open the Administrator group (LocalDomainAdmins).
4. Who are the members in the Administrators group (LocalDomainAdmins)? DoctorNotes/WWCorp, EastAdmins, and WestAdmins.
5. Click Cancel to close the group.
6. Who are the members of EastAdmins and WestAdmins? Admin East01/WWCorp, Admin East02/WWCorp, Admin East03/WWCorp, Admin East04/WWCorp, Admin East05/WWCorp, Admin East06/WWCorp, Admin West01/WWCorp, Admin West02/WWCorp, Admin West03/WWCorp, Admin West04/WWCorp, Admin West05/WWCorp, and Admin West06/WWCorp.
7. Click the Configuration tab.
8. In the Server section, click the Current Server Document view, and click the Security tab. After reviewing the Security tab in the Current Server Document, do any groups have administration capabilities on the server? LocalDomainAdmins, LocalDomainServers.
9. Scroll to view the Server Access section.
10. After reviewing the Server Access section, do any groups have access to the server? LocalDomainAdmins, LocalDomainServers.
Topic E: Access Control List Levels
Demonstrate the ACL settings: From the Files tab, select the Administration Requests database. Click Tools > Database > Manage ACL. Select each of the following entries to see what access each entry has: Default, Anonymous, or LocalDomainAdmins. Click OK to close the Manage ACL tool.
Level / User access / Server access:
No Access: No access to the database (except, optionally, to read or write public documents).
Depositor: Users can create documents in the database, but cannot read, edit, or delete documents, including those they create. Servers can push new documents, but can never pull documents. Note: This ACL level is not normally assigned to servers.
Reader: Users can read documents, but cannot create, edit, or delete them. Servers can replicate to receive (pull documents) only (not to send, or push, documents); this is the minimum access for servers to get data.
Author: Users can create and read documents, and edit their own documents if Authors fields are used. Note: Designers can modify a database to allow users to edit their own documents. Servers can replicate new documents, but cannot modify documents; this is the minimum access for servers to send data. Note: This ACL level is not normally assigned to servers.
Editor: Users can create, read, and edit all documents. Servers can replicate all new and changed documents.
Designer: Users can modify the database design, but cannot modify the ACL or delete the database. Servers can replicate all new and changed documents, and replicate design elements. They can also create full-text indexes.
Manager: Users can perform all operations on the database, including changing ACLs and deleting the database. Servers can replicate ACL changes as well as all document and design changes.
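The following Python model, added here and not taken from the course or from Domino's own code, ties this table to the access-control stages described earlier in the lesson: it expands nested groups (the Deny All / Deny Access East pattern), honours wildcard entries such as */East/WWCorp, applies the Deny list before the Allow list at the server stage, and then resolves an ACL level. Group names follow the Worldwide Corporation scenario; the member names and the server and ACL settings are constructed. The ACL precedence order used (explicit name entry, then the highest level among matching groups, then a matching wildcard entry, then -Default-) is an assumption made for the model, not something this page states.

```python
"""Added example: the server-access and database-ACL stages of the access
control pipeline, with nested groups, wildcard entries and a Deny list.
Group names follow the lesson's WWCorp scenario; members are constructed."""
from typing import Dict, List, Optional, Set

ACL_LEVELS = ["No Access", "Depositor", "Reader", "Author", "Editor", "Designer", "Manager"]

# Constructed group directory. A member entry is a name, a wildcard of the
# form */OU/O (a dynamic group covering everything under that OU), or the
# name of another group (a nested group).
GROUPS: Dict[str, List[str]] = {
    "Deny Access East": ["Old Employee/East/WWCorp"],
    "Deny Access West": ["Ex Contractor/West/WWCorp"],
    "Deny All": ["Deny Access East", "Deny Access West"],
    "EastAdmins": ["Admin East01/East/WWCorp", "Admin East02/East/WWCorp"],
    "WestAdmins": ["Admin West01/West/WWCorp"],
    "LocalDomainAdmins": ["DoctorNotes/WWCorp", "EastAdmins", "WestAdmins"],
    "LocalDomainServers": ["*/SVR/WWCorp"],
}


def name_matches(entry: str, name: str) -> bool:
    """Case-insensitive exact match, or wildcard match: */East/WWCorp covers
    every entity whose name ends in /East/WWCorp (but not the certifier itself)."""
    e, n = entry.strip().lower(), name.strip().lower()
    if e.startswith("*/"):
        return n.endswith(e[1:]) and len(n) > len(e) - 1
    return e == n


def members_of(group: str, groups: Dict[str, List[str]], seen: Optional[Set[str]] = None) -> Set[str]:
    """Flatten a nested group into its leaf entries; a group that directly or
    indirectly contains itself is visited only once."""
    if seen is None:
        seen = set()
    if group in seen:
        return set()
    seen.add(group)
    leaves: Set[str] = set()
    for entry in groups.get(group, []):
        if entry in groups:
            leaves |= members_of(entry, groups, seen)
        else:
            leaves.add(entry)
    return leaves


def covered_by(name: str, entry: str, groups: Dict[str, List[str]]) -> bool:
    """Does a server-document or ACL entry (name, wildcard or group) apply to this name?
    An entry not found in the group directory is treated as a literal name."""
    if entry in groups:
        return any(name_matches(leaf, name) for leaf in members_of(entry, groups))
    return name_matches(entry, name)


def server_access(name: str, allow: List[str], deny: List[str], groups=GROUPS) -> bool:
    """Stage 1 (server access): a Deny entry wins over any Allow entry; an
    empty Allow list means every authenticated name may access (Blank = All)."""
    if any(covered_by(name, e, groups) for e in deny):
        return False
    return not allow or any(covered_by(name, e, groups) for e in allow)


def acl_level(name: str, acl: Dict[str, str], groups=GROUPS) -> str:
    """Stage 3 (database access). Precedence assumed for this model: explicit
    name entry, else the highest level among matching groups, else a matching
    wildcard entry, else the -Default- entry."""
    def is_wild(e: str) -> bool:
        return e.startswith("*/")
    explicit = [lvl for e, lvl in acl.items() if e not in groups and not is_wild(e) and name_matches(e, name)]
    if explicit:
        return explicit[0]
    via_groups = [lvl for e, lvl in acl.items() if e in groups and covered_by(name, e, groups)]
    if via_groups:
        return max(via_groups, key=ACL_LEVELS.index)
    via_wild = [lvl for e, lvl in acl.items() if is_wild(e) and name_matches(e, name)]
    if via_wild:
        return max(via_wild, key=ACL_LEVELS.index)
    return acl.get("-Default-", "No Access")


def effective_access(name: str, server_doc: Dict[str, List[str]], acl: Dict[str, str], groups=GROUPS) -> str:
    """Run the stages in order: a name refused at the server never reaches the ACL."""
    if not server_access(name, server_doc["allow"], server_doc["deny"], groups):
        return "No Access (denied at server)"
    return acl_level(name, acl, groups)


# Constructed settings in the style of the lesson's Current Server Document and
# the Domino Directory ACL.
SERVER_DOC = {"allow": ["LocalDomainAdmins", "LocalDomainServers", "*/West/WWCorp"], "deny": ["Deny All"]}
DIRECTORY_ACL = {
    "LocalDomainAdmins": "Manager", "LocalDomainServers": "Manager",
    "OtherDomainServers": "Reader", "DoctorNotes/WWCorp": "Manager",
    "Admin East01/East/WWCorp": "Author", "*/WWCorp": "Reader", "-Default-": "No Access",
}

if __name__ == "__main__":
    for who in ("Old Employee/East/WWCorp", "Admin East01/East/WWCorp", "Sam Lee/West/WWCorp", "Visitor/Acme"):
        print(f"{who}: {effective_access(who, SERVER_DOC, DIRECTORY_ACL)}")
```

Two points the model makes visible: a terminated user lands in Deny All through a nested group and is refused before any database ACL is consulted, and an administrator who is listed by name in an ACL gets that entry's level even when a group would grant more.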
Scenario
Worldwide Corporation has an active Domino Directory structure in place. As an administrator, you should be able to identify which groups have access to the Lotus Domino Directory. Follow these steps to determine which groups have access to WWCorp's directory and what type of access they have.
1. Click the Files tab.
2. Open WWCorp's directory.
3. In the About Domino Directory document, click Close this document to view the database.
4. Click File > Application > Access Control.
5. What are the server group names and their access? LocalDomainServers have Manager access and OtherDomainServers have Reader access.
6. What are the Person group names and their access? LocalDomainAdmins have Manager access.
7. What are the individually defined names and their access? Doctor Notes has Manager access.
8. Click Cancel.
9. Close the WWCorp's Directory database.
10. Using available help information, define a role. Database-specific groups created to simplify the maintenance of restricted fields, forms, and views. You can apply a role to Authors fields and Readers fields and to read and create access lists in forms and views.
Students:
4. Exit Lotus Domino Administrator and Lotus Notes and re-open Domino Administrator.
5. Open the Domino Directory and click the People & Groups tab.
6. Can you access the server or the Domino Directory? Why are some not able to access the server or the Domino Directory? West## users should have access to the server as the WestAdmins group was not restricted access, but they will not be able to access the Domino Directory because they are not included in the ACL for the Domino Directory. East## users should not have access to the server because the EastAdmins group was restricted access, and because they no longer have access to the server, they will not be able to access the Domino Directory even though they were specifically added to the ACL for the Domino Directory.
Instructor:
7. Reverse the access changes made at the beginning of the activity and restart the server.
Topic F: Execution Access
The Execution Control List
Open the What Others Do > Using JavaScript panel in the User Security dialog box and briefly describe the information and settings. Use Lotus Notes Template Development as an example.
Lesson Summary
In this lesson, you managed Lotus Notes and Lotus Domino security. Understanding the process of ensuring proper access to Domino servers with security mechanisms in place will allow you to effectively control access to a Lotus Notes and Lotus Domino environment.
Topic A: Introducing IBM Lotus Domino Messaging
Topic B: Designing a Mail Routing Topology
Introduction
IBM Lotus Domino supports two mail transfer protocols: Lotus Domino's native routing protocol, NRPC (Notes Remote Procedure Calls), and the Internet standard, SMTP (Simple Message Transport Protocol).
Note: This lesson covers only intranet mail routing.
After completing this lesson, you should be able to:
Describe Lotus Domino mail routing.
Design a mail routing topology.
Topic A: Lotus Notes Named Networks
Servers in a Lotus Notes Named Network (NNN):
Share a common Local Area Network (LAN) protocol.
Can maintain a constant connection on the same LAN or bridged/routed Wide Area Network (WAN).
To reduce network traffic between regions: Regional administrators would instruct users to access applications on servers in their own region.
To enable communication between servers in other Lotus Notes Named Networks, configure Connection documents. Connection documents include specific connection information, such as server definitions, delivery schedule requirements, and message queue lengths. When routing mail between servers in separate NNNs, each mail server requires a Connection document.
Create a Connection document and show the following key fields:
Basics (show the Source and Destination servers)
Replication/Routing > Routing section
Schedule (show Enabled/Disabled and Connection times)
It is possible to use a combination of SMTP and NRPC within an organization. For example, Worldwide Corporation could route mail within the company intranet using Lotus Domino's native routing protocol, NRPC, and route mail to the Internet using the SMTP protocol. The following table defines the mail routing protocol options in Lotus Domino and the connection ports they use.
Protocol / Definition / Port:
NRPC: Notes Remote Procedure Calls. NRPC can be set up to route mail within a Lotus Domino domain and to route mail between Lotus Domino domains. Port 1352.
SMTP: Simple Messaging Transfer Protocol. SMTP is an industry standard Internet routing protocol which is native in Lotus Domino. Note: SMTP supports the TCP/IP protocol only. Port 25.
Note: NRPC uses port 1352 for server-to-server and server-to-client communications, not just mail transport.
For Internet communication.
If Lotus Domino is being used for mail only.
Sending document and database links via e-mail.
Lotus Notes public key security.
Mail-enabled workflow applications.
Mail routing is one of the key features for many Lotus Domino implementations. The Lotus Domino mail files and tasks work together to provide a consistent and reliable messaging environment. The following table describes the key components of Lotus Domino messaging.
Use the table to introduce the names of the key mail routing components and where the key components reside (workstation or server).
Term / Definition:
Mail file: The Lotus Domino application in which the user creates, sends, retrieves, and stores mail messages.
Mail server: A user's mail server is the server where the user's mail file resides and is specified in the Person document in the Domino Directory.
Mailer: The Mailer resides on the workstation and performs these tasks: verifies the existence and spelling of the name(s) if the recipient is listed in the Domino Directory; converts the message to Multi-purpose Internet Mail Extensions (MIME), if necessary; deposits the message in Mail.box on the sender's mail server.
Domino Directory: The Lotus Domino application that stores information about the sender's (and possibly recipient's) mail server, mail file system, mail file name, mail address, and connections to other servers for transfer and delivery.
Mail.box: A special database that resides on every server used for mail delivery. Mail is temporarily stored in Mail.box before the router delivers or transfers the mail.
Router: A server-based task that delivers and transfers mail. It checks the Lotus Domino Directory for connections to other servers and deposits mail in users' mail files and other servers' Mail.box.
Settings for servers and users control how and when mail routes. The following table introduces some of the messaging settings available in Lotus Domino.
Using the Domino Directory, show examples of the following documents and settings:
Connection document with mail routing information
Server document with message settings
Configuration Settings document with Inbound/Outbound SMTP controls
Person document with mail storage settings (Basics > Mail section > Incoming mail)
Settings / Options:
Server: Messaging settings; Connection documents; Domain documents; Configuration documents, including Inbound controls (SMTP controls for mail from the Internet) and Outbound controls (SMTP controls for mail to the Internet).
User: Mail storage format: Native MIME (Multi-purpose Internet Mail Extensions), the Internet mail format; Notes Rich Text, the Lotus Notes and Lotus Domino format.
Mail routing occurs automatically between servers in the same NNN, using routing information in the Lotus Domino Directory. The following graphic shows how mail is routed.
Show the flow of a mail message. Reinforce the terms described on the previous pages. Explain that the router transfers messages automatically between servers in the same NNN and based on a schedule defined by a Connection document between servers in different NNNs. Show the Routing animation (Routing.exe). The animation shows routing of workflow applications. It may help to give students a graphic representation of how routing works.
1. User creates and sends a mail message from the workstation.
2. Client Mailer program checks names in the directory.
3. Client Mailer puts the mail in Mail.box (on the mail server named in the user's Location document).
4. Router task on the home server polls Mail.box for new messages.
5. Router checks the directory for routing information and for addresses on the message and determines the message route.
6. Router transfers the message to Mail.box on the next destination server.
7. Router task on the destination server polls Mail.box for new messages.
8. Router checks the directory for routing information for addresses on the message.
9. Router delivers the mail to the recipient's Mail file.
Router optimizations have enhanced the routing capabilities in the Lotus Domino environment. Optimizations offer various advantages:
Decreased amount of time taken for routing a message.
Decreased message backlogs in the Mail.box.
Overall improvement in performance.
Reduced latency.
Prevention of extra copies of messages being created.
Topic B: Mail Routing Topologies
If students are unfamiliar with the terms, explain that peer-to-peer is sometimes called mesh. Mention that replication is discussed in detail later in the course.
Replication: Determines how to connect servers to exchange database changes.
Mail routing: Determines how to connect servers to send mail.
Topology Types
A topology defines how mail servers are set up within an organization. The two basic types of topology are hub-and-spoke and peer-to-peer. In a peer-to-peer topology, every server connects to every other server. It is most commonly used when connecting a small number of servers in a workgroup or department. In a hub-and-spoke topology, mail traffic passes between a central hub server and multiple spoke servers; no mail is exchanged directly among the spokes. A hub-and-spoke topology is suited to handling a high volume of mail across a large organization. The type of topology used can vary depending on the size and type of the organization:
Small firms (four or fewer servers): Use peer-to-peer mail routing, which quickly disseminates mail to all servers.
Show the connections between the hubs and then to the spokes.
Mid-size firms (four to six servers): May use a combination of peer-to-peer and hub-and-spoke.
Large organizations (six or more servers): Use hub-and-spoke mail routing.
Note: Implement hub-and-spoke topology for maximum efficiency with high volume mail traffic and to allow for easier expansion, such as adding servers or clustering servers.
Use hubs when there are six or more servers in the Domino domain. A hub machine requires considerable system resources (memory, disk space, and network protocols). Use a cluster for hubs to provide failover.
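The routing flow and the topology choice above can be checked with a small model. The Python below is an added example, not course material or Domino code: it treats every server in the same NNN as directly reachable (automatic routing), treats a Connection document as a one-way link between two servers, finds the chain of Mail.box transfers a message would take by breadth-first search, and generates the Connection documents a peer-to-peer or hub-and-spoke design needs. The server names and NNN names are constructed for the Worldwide Corporation scenario; the per-server treatment of Connection documents follows the lesson's statement that each mail server in a separate NNN requires one.

```python
"""Added example: mail routing across Lotus Notes Named Networks (NNNs) and
the Connection documents a topology needs. Servers and NNNs are constructed
for the lesson's Worldwide Corporation scenario."""
from collections import deque
from typing import Dict, List, Optional, Set, Tuple

# Constructed servers and the NNN each belongs to.
SERVERS: Dict[str, str] = {
    "Corp01/SVR/WWCorp": "Corporate-TCPIP",
    "East01/SVR/WWCorp": "East-TCPIP",
    "East02/SVR/WWCorp": "East-TCPIP",
    "West01/SVR/WWCorp": "West-TCPIP",
    "West02/SVR/WWCorp": "West-TCPIP",
}

# A Connection document routes mail from its source to its destination server
# only; the reverse direction needs its own document.
Connection = Tuple[str, str]


def next_hops(server: str, servers: Dict[str, str], connections: Set[Connection]) -> Set[str]:
    """Servers one transfer away: every other server in the same NNN (routing
    there is automatic) plus the destinations of this server's Connection documents."""
    same_nnn = {s for s, nnn in servers.items() if nnn == servers[server] and s != server}
    return same_nnn | {dst for src, dst in connections if src == server}


def find_route(src: str, dst: str, servers: Dict[str, str], connections: Set[Connection]) -> Optional[List[str]]:
    """Shortest chain of Mail.box transfers from src to dst (breadth-first
    search), or None when no combination of NNN membership and Connection
    documents links them, which is when the router holds the message."""
    if src == dst:
        return [src]
    parent: Dict[str, Optional[str]] = {src: None}
    queue = deque([src])
    while queue:
        here = queue.popleft()
        for nxt in sorted(next_hops(here, servers, connections)):
            if nxt in parent:
                continue
            parent[nxt] = here
            if nxt == dst:
                path = [dst]
                while parent[path[-1]] is not None:
                    path.append(parent[path[-1]])
                return path[::-1]
            queue.append(nxt)
    return None


def design_connections(servers: Dict[str, str], topology: str, hub: Optional[str] = None) -> Set[Connection]:
    """Connection documents a topology needs. Only pairs in different NNNs need
    one. Peer-to-peer: a document each way between every such pair.
    Hub-and-spoke: each spoke exchanges documents with the hub only."""
    docs: Set[Connection] = set()
    if topology == "peer-to-peer":
        for a in servers:
            for b in servers:
                if a != b and servers[a] != servers[b]:
                    docs.add((a, b))
    elif topology == "hub-and-spoke":
        if hub not in servers:
            raise ValueError("hub-and-spoke needs a hub server")
        for s in servers:
            if s != hub and servers[s] != servers[hub]:
                docs.update({(hub, s), (s, hub)})
    else:
        raise ValueError(f"unknown topology: {topology}")
    return docs


if __name__ == "__main__":
    for topo in ("peer-to-peer", "hub-and-spoke"):
        docs = design_connections(SERVERS, topo, hub="Corp01/SVR/WWCorp")
        route = find_route("East02/SVR/WWCorp", "West02/SVR/WWCorp", SERVERS, docs)
        print(f"{topo}: {len(docs)} Connection documents; East02 -> West02 via {route}")
```

With the five constructed servers, peer-to-peer needs 16 documents and hub-and-spoke 8, and a missing reverse-direction document shows up immediately as a route that exists one way but not the other.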
Designing a mail routing topology will assist you in ensuring that the servers in an IBM Lotus Notes and Lotus Domino environment are properly connected, and that they communicate the appropriate information.
The following are some guidelines for designing a mail routing topology.
Determine the number and server membership of Lotus Domino Named Networks based on the network protocols in use.
Determine the appropriate topology type based on the size and type of the organization. For example, peer-to-peer, hub-and-spoke, end-to-end, or hybrid.
If using hub-and-spoke:
Determine the number of hubs and the appropriate system resources for each hub.
Determine if clustering the hubs is necessary.
Scenario
Worldwide Corporation administrators need to design a mail routing topology that supports the hardware configuration, network protocols in use, and types of Lotus Domino servers in place. The following table provides the Worldwide Corporation hardware configuration. As an administrator, you should be familiar with designing a mail routing topology. Follow these steps to design the topology and determine the possible connections.
Systems:
One large mainframe running Lotus Domino mail and other business applications. The system has additional capacity and network bandwidth.
Eastern Region:
Three departmental servers: one running only Lotus Domino mail, two running Lotus Domino mail and other applications.
LAN connections among all servers.
Lotus Domino server with TCP/IP connectivity.
Network router connection to Corporate.
Western Region:
Three departmental servers: one running only Lotus Domino mail, two running Lotus Domino mail and other applications.
LAN connections among all servers.
Lotus Domino server with TCP/IP connectivity.
Network router connection to Corporate.
Step 1: One NNN would be sufficient if all systems are connected through high-speed lines. If the regional divisions are separated and must connect over a WAN, or if Worldwide wants to control mail routing schedules, three would be the most appropriate. Step 2: OUs are the best way to organize servers and users into more manageable groups.
Note: The written questions for this exercise are similar to the format used in the IBM Software Services for Lotus Certification exams.
Step 3: A Connection document provides the connection type and schedule for mail routing when servers do not reside in the same NNN. Verify that all students understand why this is the correct answer. Step 4: Answers can vary. If all systems have high-speed connections, a peer-to-peer would be appropriate. However, if the organization plans to grow, a hub-and-spoke topology might be best, consisting of: A main hub, which is the Corporate mail server. Two spoke servers, which are the regional mail servers.
1. Which of the following numbers of NNNs would be appropriate for Worldwide's deployment?
a) One b) None c) Two d) Three
2. Which one of the following hierarchical naming levels would best organize the servers and users?
a) Country b) Organizational unit c) ID d) ACL
3. If there is more than one NNN, then which one of the following is the best mechanism to route mail from server to server?
a) Program document b) No action required c) Connection document d) Configure a gateway
4. If high-speed lines connect all of Worldwide's systems, which one of the following would be the most appropriate mail routing topology?
a) Mixed b) Peer-to-peer c) Ring d) Hub-and-spoke
5. Circle and label the appropriate number of NNNs.
6. Draw lines between servers in which mail will route automatically.
7. Draw lines between servers to represent a Connection document to route mail on a schedule. Use arrows to indicate the direction in which mail will route. Draw as many lines as will be Connection documents.
Lesson Summary
In this lesson, you described mail transfer protocols supported by Lotus Domino. Understanding the NRPC and SMTP mail transfer protocols can help you administer mail routing for your organization.
Topic A: Introducing IBM Lotus Domino Replication
Topic B: Designing a Replication Strategy
Introduction
The Lotus Domino Directory is the central database in the IBM Lotus Domino domain, and exists on every server in the domain. Likewise, there are other databases that Lotus Domino uses to function properly, such as the Certification Log and Administration Requests database, that need to be synchronized on all servers in the domain. A process called Domino Replication keeps the Domino Directory synchronized on all servers in the domain. Additionally, users in the Lotus Domino environment use databases to collaborate and exchange information. These databases can reside on geographically dispersed servers and also need to be synchronized so all users have access to the same information. After completing this lesson, you should be able to:
Identify how replication works.
Design a replication strategy.
In this lesson, students will see how Lotus Domino distributes information between databases on servers across the domain. They will have an opportunity to create a database replica, make changes, and synchronize those changes with other classroom replicas. Students will also discuss the planning aspects of designing a replication topology for the servers in the domain including scheduling considerations. Students will determine a replication strategy for Worldwide Corporation.
A
What is Lotus Domino Replication?

Run the Replication animation (Replication.exe), which provides an excellent overview of replication. Show only the following topics at this time: What is Replication? How Does Replication Work? Even though replication and replicas are mentioned in the animation, students will need to fully understand some of the basic terms involved with replication. Define the terms in the accompanying table.
Follow these steps to show different replica IDs for a database copy:
1. Create a local database copy of the Marketing TeamRoom database.
2. Open Database Properties to show that the replica ID is different from the original database, whose replica ID is shown on the student page.

Term: Definition

Replicator: The Replicator is a server task that is loaded, but not initiated, at server startup. The Replicator pulls data from, or pushes data to, another server.

Replica ID: The unique value assigned to a database when it is first created. Replicas of the same database share the same replica ID. The Replicator looks for databases with the same replica ID to synchronize. The replica ID is found on the tab in Database Properties. Note: A database copy does not share the same replica ID as the original database. Only database replicas share the same replica ID.

UNID: The unique value assigned to a document when it is first saved. The Replicator looks for documents with the same UNID to synchronize. The UNID is found on the tab in Document Properties.

Replication History: A list of dates and times when two servers, or a server and a workstation, successfully replicated. The Replicator uses Replication History to determine which documents are new, changed, or deleted since the last time the two databases replicated.
The following figure shows how replication works using a replication type called Pull-Pull, where both servers share the workload. East01 initiates Pull-Pull replication with West01. In this example, Pull-Pull is accomplished by configuring Pull Only replication on both servers.

Stress the following points:
Define target and source server in the first Pull cycle.
How the target and source servers switch during the reverse Pull.
Replication Tools
Administrators use the following methods to initiate server-to-server replication:
Connection document: Used to schedule replication between two servers.

Emphasize that the server's Replicator task is not involved when a server replicates with a workstation.
Database Replicas
IBM Lotus Domino makes it easy to collaborate with others by allowing users to work in database replicas that are located in geographically dispersed servers or on local workstations with Lotus Domino replication keeping those databases synchronized.
The following table describes how information in applications is kept updated on all servers during replication.
Use the accompanying table to describe how replication keeps information synchronized. This process describes Pull-Pull replication. Other replication types are introduced later in this lesson.

Stage: Description

1: The Replicator compares its list of applications with the called server's list of applications to determine which applications they have in common.
2: Working on one application at a time, the initiating server builds a list of ACL, design, and document modifications that have occurred since the last time these two servers replicated.
3: The Replicator pulls (reads and writes) ACL, design, and document changes, based on permissions set in each server, application, and document.
4: Upon completion of replication with the first application, the Replicator updates the replication history for that application and moves on to the next application in common. It repeats Stages 2 and 3.
5: When the initiating server has replicated all applications in common with the called server, the Replicator will tag the called server's Replicator to repeat the same process in the other direction.
Streaming Replication
Streaming replication is a feature that enables Lotus Domino users to replicate a number of documents and attachments. Smaller documents are replicated first. So, even if the replication process is aborted, the target system will still have the smaller documents. Also, an aborted replication can be reinitiated. Streaming replication allows users to start using the documents before replication is complete. It also reduces network traffic and latency.

Field-level replication is the process of copying only fields that have changed since the last time the two databases replicated. If the target document is unchanged, the Replicator uses field-level replication by default and copies only the source document's changed fields to the target document. Field-level replication occurs automatically without any intervention from the administrator or database designer. The following figure shows that only the changed field containing X is replicated.

Use the graphic to illustrate field-level replication. Emphasize these points:
Only the changed fields are copied when the target document is unchanged.
This is the default behavior of the Replicator.

Field-level replication reduces:
Replication time. Only fields that have changed are copied, instead of the entire document.
Network traffic, provided large fields in the document have not changed.
The number of replication conflicts, when different fields on the same form have been edited on different servers.
The application designer can reduce replication time by designing applications with eld-level replication in mind. Large elds that will be edited frequently might be better broken up into many smaller elds.
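The replication stages and the field-level behaviour described above, as a constructed Python model. This is an added illustration, not Lotus Domino code: replica IDs, UNIDs, field names and the integer timestamps (standing in for document modification times) are constructed samples, and conflict handling is simplified to recording the clashing field. It shows that documents are matched by UNID, that only fields changed since the last entry in the replication history travel, that two servers editing different fields of the same document merge without a conflict, and that a database copy (different replica ID) is refused.

```python
"""Constructed model of field-level pull replication (added illustration,
not Lotus Domino code). Replica IDs, UNIDs, values and integer timestamps
are constructed samples."""
from copy import deepcopy


def make_replica(replica_id, docs):
    """A replica: its replica ID, documents keyed by UNID, and a replication
    history (server name -> time of the last successful replication).
    Each document maps field name -> (value, modified_at)."""
    return {"replica_id": replica_id, "docs": deepcopy(docs), "history": {}}


def pull(target, source, source_name, now):
    """One Pull Only cycle: target's Replicator reads from source and writes
    into its own database. Returns (written, conflicts): the (UNID, field)
    pairs copied, and the pairs where the same field changed on both sides."""
    # A database *copy* carries a new replica ID, so it is never matched
    if target["replica_id"] != source["replica_id"]:
        raise ValueError("replica IDs differ: a copy is not a replica")
    last = target["history"].get(source_name, 0)   # from Replication History
    written, conflicts = [], []
    for unid, src_doc in source["docs"].items():   # documents matched by UNID
        tgt_doc = target["docs"].setdefault(unid, {})
        for field, (value, modified) in src_doc.items():
            if modified <= last:
                continue                           # unchanged since last replication
            tgt_value, tgt_modified = tgt_doc.get(field, (None, 0))
            if (tgt_value, tgt_modified) == (value, modified):
                continue                           # already identical on both sides
            if tgt_modified > last:
                conflicts.append((unid, field))    # same field edited on both sides
                continue
            tgt_doc[field] = (value, modified)     # copy only this changed field
            written.append((unid, field))
    target["history"][source_name] = now           # update Replication History
    return written, conflicts


def pull_pull(a, a_name, b, b_name, now):
    """Pull-Pull: each server's Replicator pulls from the other in turn."""
    return pull(a, b, b_name, now), pull(b, a, a_name, now)


def demo():
    """Two replicas that last replicated at t=100; each side then edits a
    different field of the same document. Returns what each pull transferred."""
    rid = "C1257A10:00411F33"                      # constructed replica ID
    base = {"DOC-0001": {"Subject": ("Q3 plan", 50), "Body": ("draft", 50)},
            "DOC-0002": {"Subject": ("Budget", 40), "Body": ("n/a", 40)}}
    east, west = make_replica(rid, base), make_replica(rid, base)
    east["history"]["West01"] = west["history"]["East01"] = 100
    east["docs"]["DOC-0001"]["Subject"] = ("Q3 plan v2", 110)   # edited on East01
    west["docs"]["DOC-0001"]["Body"] = ("final text", 115)      # edited on West01
    (east_got, c1), (west_got, c2) = pull_pull(east, "East01", west, "West01", 120)

    copy = make_replica("C1257A10:00522E44", base)  # a database copy, not a replica
    try:
        pull(copy, east, "East01", 121)
        copy_refused = False
    except ValueError:
        copy_refused = True
    return {"east_pulled": east_got, "west_pulled": west_got,
            "conflicts": c1 + c2, "in_sync": east["docs"] == west["docs"],
            "copy_refused": copy_refused}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows East01 pulling only the Body field and West01 pulling only the Subject field; DOC-0002, untouched since the last replication, is never transferred, and the copy with the other replica ID is refused before any document is compared.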
There are any number of factors that may cause applications to not replicate as desired. Security settings may prevent a server from authenticating with another server or prevent access to the application to replicate the correct documents. As seen in the previous section, the replication schedule and selected replication type are critical to successful replication. The following table summarizes some of the factors that affect if and how data transfer occurs during replication of Lotus Domino applications. Consider these factors when setting up or troubleshooting replication issues. This is not an exhaustive list of factors that affect replication.
Run the Replication animation (Replication.exe) again. Show only the following topics at this time: Replication Options; Factors Affecting Replication; Replication Conflicts.

Factor: Potential problem

Connection document: Incorrect information in the Connection document can prevent replication. For example, an incorrect server name.
Replication type: Incorrect replication type can prevent bi-directional replication.
Authentication: If the initiating server is not allowed access to the called server, replication stops. Servers that do not have a certificate in common cannot authenticate, and replication will not occur.
Replica ID: Applications that do not have the same replica ID cannot replicate.
Replication Settings: A database where replication has been temporarily disabled cannot replicate.
ACL: If the called server does not have the appropriate application ACL access on the initiating server, some application elements might not replicate correctly.

Review the information in the accompanying table. Note that the factors described are not a complete list; they are intended to make students aware of the places and issues to check when setting up or troubleshooting replication problems. If time permits, you might want to discuss some other factors that affect replication, such as Readers fields.
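The factors in the table above, turned into a pre-flight checker. This is an added illustration and not Domino code: Connection documents, server records and database records are plain dicts with constructed sample values; the certificate test models hierarchical names only (a common ancestor certifier, with no cross-certificates); and the assumption that the called server needs at least Editor access in the initiating server's ACL for document changes to replicate is this model's own threshold, not something the table states.

```python
"""Constructed replication pre-flight checker (added illustration, not Domino
code). All server, database and Connection document values are constructed."""

ACL_LEVELS = ["No Access", "Depositor", "Reader", "Author",
              "Editor", "Designer", "Manager"]
ONE_WAY = {"Pull Only": "changes on the initiating server do not reach the called server",
           "Push Only": "changes on the called server do not reach the initiating server"}


def certifier_chain(hier_name):
    """'East01/SVR/WWCorp' -> ['/SVR/WWCorp', '/WWCorp']: every certifier whose
    certificate a hierarchically named server or user carries."""
    parts = hier_name.split("/")[1:]
    return ["/" + "/".join(parts[i:]) for i in range(len(parts))]


def common_certifier(name_a, name_b):
    """Lowest certifier both names descend from, or None (cannot authenticate
    without a cross-certificate, which this model does not represent)."""
    chain_b = set(certifier_chain(name_b))
    return next((c for c in certifier_chain(name_a) if c in chain_b), None)


def check_replication(conn, servers, databases):
    """List of problems that would stop or degrade replication for Connection
    document `conn`; an empty list means every check passed."""
    src, dst = conn["source"], conn["destination"]
    if src not in servers or dst not in servers:         # Connection document
        return [f"Connection document names an unknown server: {src} -> {dst}"]
    problems = []
    rtype = conn["replication_type"]
    if rtype in ONE_WAY:                                  # replication type
        problems.append(f"{rtype} is one-way: {ONE_WAY[rtype]}")
    if src not in servers[dst]["access_servers"]:         # server access
        problems.append(f"{src} is not allowed to access {dst}")
    if common_certifier(src, dst) is None:                # authentication
        problems.append("no certificate in common: the servers cannot authenticate")
    for db in databases:
        on_src, on_dst = db["on"][src], db["on"][dst]
        if on_src["replica_id"] != on_dst["replica_id"]:  # replica ID
            problems.append(f"{db['title']}: replica IDs differ")
        if on_src["replication_disabled"] or on_dst["replication_disabled"]:
            problems.append(f"{db['title']}: replication is temporarily disabled")
        # called server's access in the initiating server's ACL (Editor threshold assumed)
        level = on_src["acl"].get(dst, "No Access")
        if ACL_LEVELS.index(level) < ACL_LEVELS.index("Editor"):
            problems.append(f"{db['title']}: {dst} has {level} access on {src}; "
                            "document changes will not replicate")
    return problems


# Constructed sample domain: two Worldwide servers and one foreign server
SERVERS = {
    "East01/SVR/WWCorp": {"access_servers": ["West01/SVR/WWCorp"]},
    "West01/SVR/WWCorp": {"access_servers": ["East01/SVR/WWCorp"]},
    "Srv01/SVR/Partner": {"access_servers": []},
}
DATABASES = [{
    "title": "Policies",
    "on": {
        "East01/SVR/WWCorp": {"replica_id": "C1257A10:00411F33", "replication_disabled": False,
                              "acl": {"West01/SVR/WWCorp": "Manager", "Srv01/SVR/Partner": "Reader"}},
        "West01/SVR/WWCorp": {"replica_id": "C1257A10:00411F33", "replication_disabled": False,
                              "acl": {"East01/SVR/WWCorp": "Manager"}},
        "Srv01/SVR/Partner": {"replica_id": "C1257A10:00522E44", "replication_disabled": True,
                              "acl": {}},
    },
}]
GOOD = {"source": "East01/SVR/WWCorp", "destination": "West01/SVR/WWCorp", "replication_type": "Pull-Pull"}
BAD = {"source": "East01/SVR/WWCorp", "destination": "Srv01/SVR/Partner", "replication_type": "Pull Only"}

if __name__ == "__main__":
    print("GOOD:", check_replication(GOOD, SERVERS, DATABASES))
    print("BAD:", *check_replication(BAD, SERVERS, DATABASES), sep="\n  ")
```

The `BAD` Connection document trips every row of the table at once (one-way type, no server access, no common certifier, differing replica IDs, replication disabled, insufficient ACL), which is the point of running the checks as a list rather than stopping at the first failure: an administrator troubleshooting replication wants all of them.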
Scenario: Worldwide employees need to work in a local replica of an application when they are out of the office and disconnected from the network. As an administrator, you should be able to create a local replica of an application from the server for remote employees to use while they are out of the office. Follow these steps to create a local replica of the Policies application from Hub/SVR/WWCorp, add a document, and replicate the changes to the server.

Step: Action
1. From Lotus Domino Administrator, click the Files tab.
2. Open the Policies application from the list.
3. Click File > Replication > New Replica.
4. Make the following selections:
   Select Local from the list of servers.
   Accept the default path and file name.
   Expand Replica settings and, if necessary, select Create Immediately.
   Click OK to create the replica.
5. Create a document in the new local replica application.
   a. Open the local copy of Policies.
   b. Click New Main Topic.
   c. If a security alert displays, select Start trusting the signer to execute this action and click OK.
   d. Type a subject for the new document. Click Save & Close.
6. Click File > Replication > Replicate.
7. In the Replicate Policies dialog box, click Replicate with options and click OK.
8. Verify that Hub/SVR/WWCorp is in the "with" field, and click OK twice.
9. Open the Policies application on Hub/SVR/WWCorp to verify your document was added.
B
Types of Replication Topologies

Describe the types of replication topologies, highlighting the advantages and disadvantages of each.

Topology: Advantages / Disadvantages

Hub-and-spoke: One central server (hub) initiating mail routing and replication to spoke servers.
  Advantages: Easy to set up and add servers. Better security. Centralized management. Minimizes network traffic. Highly scalable; allows for expansion and growth.
  Disadvantages: Hub server must be powerful. If no backup to the hub, replication and mail routing stop.

Peer-to-peer: Each server initiates connections to each other (also called Full Mesh).
  Advantages: Management of all connections is local. Easy to manage fewer servers. Decreased potential for replication problems.
  Disadvantages: Less centralized. Requires more Connection documents. Increases administration of replication schedules.

End-to-end (description and advantages lost in extraction):
  Disadvantages: If one server in the sequence is down, replication throughout the domain stops. Replication from the source server to the destination server could take a significant amount of time.

Hybrid (label inferred from the four topologies named in this lesson):
  Advantages: Information is kept up-to-date because databases are replicating between several servers.
  Disadvantages: Most complex to set up and manage. May require more disk space.
Hub-and-Spoke Topology

Peer-to-Peer Topology

Figure 5-2: Peer-to-peer topology

The following figure illustrates the end-to-end topology.

End-to-End Topology
The following table describes server-to-server replication. The compound replication types available are given in the first two entries of the table. The last two entries are simple replications. Together, the four types make any replication topology possible.

Make sure the students understand which server's Replicator is doing the work for each type of replication listed in the table.
Replication type: Description

Pull-Pull: Each server's Replicator does the work and pulls data from the other, writing changes in its own applications.
Pull-Push: The initiating server's Replicator pulls changes from the called server and then pushes data to the called server; only the initiating server's Replicator does the work, writing in both servers.
Pull Only: The initiating server's Replicator does the work and pulls data from the called server.
Push Only: The initiating server's Replicator does the work and pushes data to the called server.

The replication events get written to the Domino Server Log database (Log.nsf) as follows:
After Pull-Pull replication, two Domino Log files get updated; each Replicator writes what data it pulled to its own server's Domino Log file.
After Pull-Push replication, one Lotus Domino Log file gets updated; the only working Replicator writes what data it pulled or pushed to its own server's Lotus Domino Log file.
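The four replication types and the topologies discussed earlier in this topic, as a constructed Python model. This is an added illustration, not Domino code; the server names and Connection documents are constructed. For each Connection document it reports which server's Replicator works (and therefore which Log.nsf receives an entry) and in which direction data flows; from a set of Connection documents it then decides whether every server's changes still reach every other server, with or without a given server down, which reproduces the hub-and-spoke and end-to-end disadvantages in the topology table.

```python
"""Constructed model of Domino replication types and topologies (added
illustration, not Domino code). Server names and Connection documents are
constructed samples."""

# type -> (roles whose Replicator works, data-flow edges as (from, to) roles)
REPLICATION_TYPES = {
    "Pull-Pull": (("init", "called"), (("called", "init"), ("init", "called"))),
    "Pull-Push": (("init",),          (("called", "init"), ("init", "called"))),
    "Pull Only": (("init",),          (("called", "init"),)),
    "Push Only": (("init",),          (("init", "called"),)),
}


def connection_doc(source, destination, replication_type):
    """A minimal Connection document: initiating server, called server, type."""
    return {"source": source, "destination": destination, "type": replication_type}


def describe(conn):
    """For one Connection document: the servers whose Log.nsf gets an entry
    (the working Replicators), and the direction(s) in which data moves."""
    workers, flows = REPLICATION_TYPES[conn["type"]]
    role = {"init": conn["source"], "called": conn["destination"]}
    return {"logs_written_on": [role[w] for w in workers],
            "data_flow": [(role[a], role[b]) for a, b in flows]}


def reachable(connections, servers):
    """server -> set of servers its changes eventually reach, over any number
    of replication hops (transitive closure of the data-flow edges)."""
    reach = {s: {s} for s in servers}
    for conn in connections:
        for a, b in describe(conn)["data_flow"]:
            reach[a].add(b)
    changed = True
    while changed:
        changed = False
        for s in servers:
            before = len(reach[s])
            for t in list(reach[s]):
                reach[s] |= reach[t]
            changed = changed or len(reach[s]) != before
    return reach


def fully_synchronized(connections, servers, down=()):
    """True if every live server's changes reach every other live server,
    ignoring Connection documents that involve a server listed in `down`."""
    live = [s for s in servers if s not in down]
    conns = [c for c in connections
             if c["source"] in live and c["destination"] in live]
    reach = reachable(conns, live)
    return all(reach[s] >= set(live) for s in live)


# Constructed topologies over the same four servers
HUB, EAST, WEST, SOUTH = ("Hub/SVR/WWCorp", "East01/SVR/WWCorp",
                          "West01/SVR/WWCorp", "South01/SVR/WWCorp")
ALL = [HUB, EAST, WEST, SOUTH]
# hub does all the work: one Pull-Push document per spoke
HUB_AND_SPOKE = [connection_doc(HUB, s, "Pull-Push") for s in (EAST, WEST, SOUTH)]
# chain: each server replicates only with its neighbour
END_TO_END = [connection_doc(HUB, EAST, "Pull-Push"),
              connection_doc(EAST, WEST, "Pull-Push"),
              connection_doc(WEST, SOUTH, "Pull-Push")]
# full mesh with shared workload: one Pull-Pull document per pair
PEER_TO_PEER = [connection_doc(a, b, "Pull-Pull")
                for i, a in enumerate(ALL) for b in ALL[i + 1:]]

if __name__ == "__main__":
    for name, topo in [("hub-and-spoke", HUB_AND_SPOKE), ("end-to-end", END_TO_END),
                       ("peer-to-peer", PEER_TO_PEER)]:
        print(name, len(topo), "Connection documents;",
              "hub down ->", fully_synchronized(topo, ALL, down=(HUB,)),
              "West01 down ->", fully_synchronized(topo, ALL, down=(WEST,)))
```

With the hub down the hub-and-spoke topology stops synchronizing, and with any middle server down the end-to-end chain splits, while the peer-to-peer mesh keeps working at the price of six Connection documents instead of three.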
Different mail and replication topologies may be required within the same organization due to special needs for either routing mail or replicating applications. The needs for both mail routing and application replication should be considered to ensure the optimal topology.
Note: The same topology may be used for both mail routing and replication.
Open a Connection document, and show the fields for replication and mail routing on the Replication/Routing tab to emphasize that they are separate settings.
Designing a replication topology will assist you in ensuring that the servers in an IBM Lotus Notes and Lotus Domino environment are properly connected and that they communicate the appropriate information. The following are some guidelines for designing a replication topology.
Determine the appropriate topology type based on the size and type of the organization. For example, peer-to-peer, hub-and-spoke, end-to-end, or hybrid.
If using hub-and-spoke:
  Determine the number of hubs and the appropriate system resources for each hub.
  Determine if clustering the hubs is necessary.
Determine which servers will initiate replication (i.e., which replication types to use: Pull-Pull, Pull-Push, Pull Only, or Push Only).
Determine if you will use server groups.
The corporate hub should control when and how replication occurs and handle the entire workload during each session. The hub should replicate with one server in each region, which will in turn replicate changes to all other servers in that region. All system databases required by Lotus Domino to function properly should be synchronized frequently, as they are high-priority databases. This includes the Domino Directory, Administration Requests database, and Certification Log. Users will need the information in employee databases updated several times each day. A complete replication session should occur regardless of the length of the connection.
1. Draw lines on the following diagram showing how Worldwide Corporation's servers will replicate. Indicate the replication type for each connection.

Review replication topology design. The following graphic shows the exercise solution for replication topology design.

One Connection document from East01 (West01) to a server group (EastServers/WestServers) would handle replication to all servers in the East (West) region. The recommended replication schedule is every two hours for the Domino Directory and every six hours for all other databases.
Lesson Summary
In this lesson, you described the Lotus Domino replication process and its functions. As an administrator, you need to understand how Lotus Domino uses replication to keep the Domino Directory, the Certification Log, the Administration Requests database, and user databases synchronized on all servers in the domain.
Topic A: Selecting Additional IBM Lotus Domino Services Topic B: Implementing IBM Lotus Domino Scalability Features Topic C: Integrating Other IBM Products
Introduction
An organization can extend the IBM Lotus Domino environment with various services, tools, and software products. These additions can enhance and expand the services available to the user community.

After completing this lesson, you should be able to:
Identify additional Lotus Domino services.
Identify Lotus Domino scalability options.
Identify other IBM server types that might be incorporated into a Lotus Domino environment.
This lesson introduces some of the software available to extend Lotus Domino functionality. Additional IBM products are described in the Extend Lotus Domino Software appendix.
A
Lotus Domino Standard Services

Show the students the Web Administrator:
1. Open your Web browser.
2. Enter the URL for the Web Administrator. For example: http://servername/webadmin.nsf, where servername is the name of the instructor server.
3. Briefly show the interface to emphasize Lotus Domino Internet support and administration flexibility.
Service (Definition): Description

(Service label lost in extraction): Supports the Internet protocol used to transfer files from one computer to another for Web browser access.
LDAP (Lightweight Directory Access Protocol): Allows connection to and from Internet standard directories.
POP3 (Post Office Protocol Version 3): Supports users running POP standard clients for mail. Allows clients to retrieve mail from a host mail server also running the protocol.
IMAP (Internet Mail Access Protocol): IMAP is similar to POP3 but has additional features.
DECS: Allows real-time backend connectivity between Lotus Domino and external systems to support application and application access to non-Lotus Domino information and data.
When using Lotus Domino connected to the Internet, there are additional options to secure the Lotus Domino servers and services available to the community. The following table describes some of the Internet security settings available with Lotus Domino.
Refer students to the following Lotus Domino Administrator 8.5 Help topics for additional information on Internet security: SSL security, SSL and S/MIME for clients, and Setting up an Internet certificate authority.
Protocol: Description and benefits

SSL: Security protocol that provides communications privacy and authentication for Lotus Domino server tasks that operate over TCP/IP. SSL offers these security benefits:
  Data is encrypted to and from clients, so privacy is ensured during transactions.
  An encoded message digest accompanies the data and detects any message tampering.
  The server certificate accompanies data to assure the client that the server identity is authentic.
  The client certificate accompanies data to assure the server that the client identity is authentic. Client authentication is optional and may not be a requirement for your organization.

S/MIME: A protocol used by clients to sign mail messages and send encrypted mail messages over the Internet to users of mail applications that also support the S/MIME protocol. S/MIME benefits include:
  Encrypted mail messages cannot be read by unauthorized users while the message is in transit.
  Electronically signed messages show that the person who signed the message had access to the private key associated with the certificate stored in the signature.
B
Scalability Options

Option: Description

Clusters: A Lotus Domino cluster is a group of two or more servers that provides users with constant access to data, balances the workload between servers, improves server performance, and maintains performance when you increase the size of the Lotus Domino environment.
Partitions: Enable running multiple instances of the Lotus Domino server on a single computer.

Servers in a cluster:
Are on a high-speed LAN.
Are on the same Lotus Domino Named Network.
Are in the same Lotus Domino domain and share a Lotus Domino Directory.
Run the TCP/IP network protocol.
Contain application replicas.
Use a dedicated network adapter for cluster-to-cluster traffic.
For more information on Lotus Domino clusters, refer to the Lotus Domino Administrator 8.5 Help topic Clusters.
Benefits of Clustering

The following table lists some of the benefits of using a cluster.

Cluster replication is used to keep data current among the cluster members. Regular replication schedules are still required to maintain the Lotus Domino environment.

Benefit: Description

Failover: Automatic redirection of user requests to available servers. This failover capability provides consistent access to critical applications, even if one server is down for maintenance.
Workload balancing: User requests to heavily used servers are redirected to other cluster members.
Scalability: Administrators can: Add cluster members. Add application replicas. Reallocate users across the cluster.
Data synchronization: Cluster replication maintains current data across replicas.
(Benefit label lost in extraction): Software and hardware upgrades on one cluster member do not affect other members.
(Benefit label lost in extraction): A cluster member can act as server backup for critical data. Clustering does not take the place of backup. At least one server in the cluster must be backed up to tape, as well as other servers that contain unique files (such as logs).
Lotus Domino server partitioning software allows the creation of a maximum of six Lotus Domino servers on a single computer.
Partitions:
Are available with the Lotus Domino Enterprise server.
Are supported on all Lotus Domino supported operating system platforms.
Share Lotus Domino executables.
Have unique:
Can be clustered.

Note: Lotus Domino partitions should not be confused with specific operating system partitions, which segment system hardware.
For more information on Lotus Domino partitions, refer to the Lotus Domino Administrator 8.5 Help topic Partitioned servers.
Benefits of Partitions
Partitioned servers optimize hardware usage. The following table lists some of the benefits of using partitions.
See Additional Instructor Notes

Benefit: Description

Reduce hardware expenses: Run multiple Lotus Domino servers on a single computer.
Minimize the number of administered systems: Easier to administer a single server than multiple servers.
Maximize usage of high-powered systems: More efficient use of hardware. For example, you can purchase a single, more powerful computer and run multiple Lotus Domino servers on the single machine.
Add scalability: Running partitioned servers from the same domain on a multi-processor computer can improve performance because the computer simultaneously runs certain processes.
C
Lotus Sametime
Users can transfer files in an instant or scheduled meeting.
Users can collaborate in real-time meetings using the Web Conferencing interface with advanced organizational collaboration that includes instant polls and reaching out to a community of experts.
Users can participate in broadcast-style meetings where many users can tune in to a meeting and watch it without interaction.
A community of users can collaborate in real time through presence and instant messaging server applications.
Note: Lotus Sametime is an integrated installation option and cannot be unchecked when installing the Lotus Notes 8.5 client.
IBM Lotus Connections is a social networking software application that enables organizations to collaborate with their employees, partners, and clients. It provides six services. The following table lists Lotus Connections services and their descriptions.

Service: Description

Home page: A portal that provides a customizable view of the social network. It consists of widgets of the other five services. The placement of the widgets is customizable. The home page also has an advanced search box that enables users to locate people or information across the social network.
Communities
Blogs
Dogear
Activities
IBM Lotus Quickr is team collaboration software that enables team members to share content. It has six components. The following table lists the components with their descriptions.

Component: Description

Content library: A version control database of team documents. Team members can check in or check out documents or media files from the content library.
(Component label lost in extraction): Lotus Quickr and ECM can be combined to provide enterprise-level collaboration. It enables the content to be accessible across an organization from tools such as Lotus Notes or Microsoft Office.
Team places: Enable users to create a specific work space for projects or teams. Collaboration tools such as blogs, wikis, discussion forums, or team calendars can be included in team places.
Templates
Personal file sharing
Lesson Summary
In this lesson, you identified services and options used to extend and enhance the functionality of the Lotus Domino environment. By using various services, tools, and software products to extend the IBM Lotus Domino environment, you can enhance and expand the services available to the community.
Follow-up
In this course, you were introduced to foundational concepts needed to perform basic administrative tasks in a Lotus Domino 8.5 infrastructure. In addition, that knowledge has prepared you to move forward and obtain the additional knowledge needed for building a Lotus Domino 8.5 infrastructure or managing the servers and users that make up a Lotus Domino 8.5 infrastructure.
What's Next?

This course is the first in a series of system administration courses. The material in IBM Lotus Domino 8.5 System Administration Operating Fundamentals provides foundational knowledge needed to administer a Lotus Domino 8.5 infrastructure. Once you have completed IBM Lotus Domino 8.5 System Administration Operating Fundamentals, you can take either Building the IBM Lotus Domino 8.5 Infrastructure or Managing IBM Lotus Domino 8.5 Servers and Users. The recommended next step in the series is the Building the IBM Lotus Domino 8.5 Infrastructure course.
Appendix

About This Appendix

Appendix A: The Worldwide Corporation Infrastructure Plan
Organization Structure
The structure of Worldwide Corporation is illustrated in the following figure.
Servers By Task
Worldwide Corporation will designate servers to specific tasks based on Information Groups. The following table lists the servers, associated tasks, and rationale behind the decision.

Server type: Tasks / Rationale

Hub:
  Tasks: Routes mail and replicates applications to and from other hub or spoke servers.

(Server type label lost in extraction):
  Rationale: Use Lotus Domino server to provide employees with access to non-Lotus Domino mail files.

LDAP:
  Tasks: Provides a central user record repository.

Collaboration:
  Tasks: Provide instant messaging, web meeting, blogs, wikis, and audio/video needs.
  Rationale: Use IBM Lotus Sametime and IBM Lotus Quickr to service collaboration needs. Utilize IBM WebSphere Portal as a composite application interface.

Mail:
  Tasks: Stores users' mail and applications and routes mail across the intranet and Internet.
  Rationale: Provide easier administration. Minimize server processor load. Reduce network traffic. Provide predictable server performance and grouping of users. Allow user access to applications when the mail server is down.

Application:
  Tasks: Stores applications.
  Rationale: Provide easier administration. Group applications by usage, replication needs, and/or security requirements. Allow tuning of the server to optimize performance and response time independent of mail usage. Ease expansion by adding new application servers as usage and storage needs increase.

Web:
  Tasks: Provides access to an application from the Internet or to the corporate intranet. Can use either: Lotus Domino Web server. Microsoft IIS.
  Rationale: Can place outside the firewall for Internet access. Provide employees with access to corporate information from a browser.
Servers By Location
Worldwide Corporation will have one Lotus Domino Domain (WWCorp) that includes all Worldwide Corporation offices. Worldwide Corporation's Internet domain name has been registered as WWCorp.com.
Topology
Worldwide Corporation has selected a hub-and-spoke topology for ease of management and future expansion. There is one hub server and one or more spoke servers. Each site will be set up to run independently, although they will be connected to the corporate hub. Connection documents are required for replication to tell the corporate hub how and when to communicate with other servers and for spoke servers to connect to the corporate hub.
The hub server is the center of the infrastructure, which has high-speed links running to the offices. Each individual server is responsible for its own mail routing and replication events. The hub server is responsible for replication of the critical applications between all its spoke servers. The following figure illustrates the locations and types of servers.
System Administration
System administration is locally controlled by region, but monitored from the corporate office. Administration tasks are controlled by regional administrators. General policies and guidelines are maintained and distributed from the Corporate office. Implementation and design changes are carried out after business justifications are submitted and approved. All Lotus Domino system administrators use the Lotus Domino Administrator and Web Administrator for all administration tasks. All other administrators use appropriate tools to complete their daily tasks.
Network Strategy
Worldwide Corporation's strategy includes these components:
Incorporating TCP/IP as their primary network protocol.
Providing high-bandwidth networking connections to all offices from headquarters.
Incorporating Lotus Sametime and Lotus Quickr throughout the corporation as collaboration tools.
Incorporating a WAS server to enhance internal and customer interaction.
Directory Strategy
There will be more than one Lotus Domino domain (WWCorp) for the entire Worldwide Corporation Lotus Domino environment. The model matches the physical layout of the Worldwide Corporation WAN. The first configured server (the corporate hub) will have full administration rights over the entire domain. When incorporated, the LDAP TDI is used to provide user information. The Lotus Domino Directory will reside on the corporate hub server at headquarters, and replicate to each regional server. The corporate hub will create Directory Catalogs and replicate to regional servers for use by remote users. Remote users can keep a local replica of the Directory Catalog on the client for faster response time and timely encryption of messages. System administrators will periodically update the Directory Catalog and replicate once a day to servers.
Lotus Notes clients.
Web browsers.
Other e-mail and directory clients.
Lotus Sametime client.
Replication Topology
A hub-and-spoke topology will be used for replication. This structure consists of a main hub with spoke servers. The corporate hub server will be the primary hub and share control of replication with regional servers.
Streaming replication
Connection documents are required for replication to tell the corporate hub how and when to communicate with other servers and for spoke servers to connect to the corporate hub. To take advantage of the new streaming replication feature in Lotus Domino 8, connections between hub servers will use the Pull/Pull replication strategy. Administrators will create Connection documents between the WWCorp Domain Hub and regional hub servers using the Pull:Pull strategy. This will take advantage of the speed of Streaming Replication. It is important to note that WWCorp employees are not expected to access these servers, so all hub servers can share the replication workload.
Note: Employees are not expected to access hub servers.
Notes Remote Procedure Call (NRPC) will route mail within the corporate intranet.
The following configuration provides for ease of configuration and optimum load balancing and failover:
One Internet domain.
ISP as a relay host to the Internet.
The corporate mail server is enabled to route external mail using the SMTP protocol.
All mail servers have Connection documents and route mail using NRPC internally.
The WWCorp Domain Hub will be configured to send and receive Internet mail. Administrators will use whitelists and blacklists to improve mail routing performance. In addition, Transfer and Delivery Reports will be used to notify users if their mail is unable to be delivered.
Mail Administrators
Administrators must perform the following tasks:
Store the Internet domain name in the Foreign SMTP and Global Domain documents.
List the inbound mail servers in the Mail Exchange (MX) records in the Domain Name Service under the domain's name. Only one is required. (Note that load balancing for multiple servers is dependent on the algorithm used by the client SMTP system to select a server from the MX records.)
Configure complete address lookup or configure local part only lookup to identify each mail recipient's mail server so that the router can make the final delivery.
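The MX-record caveat in the task list above, as an added Python illustration (not part of the infrastructure plan and not Domino code): the sending SMTP client, not the receiving site, decides how inbound load is spread. RFC 5321 section 5.1 requires the client to try MX hosts in ascending order of preference and to pick randomly among hosts that share a preference value. The zone lines below are constructed samples for the WWCorp.com domain, not real DNS data.

```python
"""Constructed MX selection model (added illustration). Zone data is a
constructed sample; the ordering rule follows RFC 5321 section 5.1."""
import random
from collections import Counter

# Constructed zone data: 'name ttl IN MX preference host'
MX_RECORDS = """
wwcorp.com. 3600 IN MX 10 mail1.wwcorp.com.
wwcorp.com. 3600 IN MX 10 mail2.wwcorp.com.
wwcorp.com. 3600 IN MX 20 backup.wwcorp.com.
"""


def parse_mx(zone_text):
    """-> list of (preference, host) from MX lines; other lines are ignored."""
    records = []
    for line in zone_text.splitlines():
        fields = line.split()
        if len(fields) == 6 and fields[2:4] == ["IN", "MX"]:
            records.append((int(fields[4]), fields[5].rstrip(".").lower()))
    return records


def delivery_order(records, rng=random):
    """Hosts in the order a compliant SMTP client tries them: ascending
    preference; random order within a group of equal preference."""
    by_pref = {}
    for pref, host in records:
        by_pref.setdefault(pref, []).append(host)
    ordered = []
    for pref in sorted(by_pref):
        group = list(by_pref[pref])
        rng.shuffle(group)             # the client's choice, not the site's
        ordered.extend(group)
    return ordered


def first_choice_share(records, trials=1000, seed=1):
    """Fraction of sending attempts in which each host is tried first, over
    many simulated clients: equal preference splits the load, a higher
    preference value receives nothing while the lower-valued hosts answer."""
    rng = random.Random(seed)
    counts = Counter(delivery_order(records, rng)[0] for _ in range(trials))
    return {host: counts[host] / trials for _, host in records}


if __name__ == "__main__":
    recs = parse_mx(MX_RECORDS)
    print(delivery_order(recs))
    print(first_choice_share(recs))
```

Two inbound servers only share load if they are published with the same preference value; a second server at a higher value is a fallback for failed attempts, not a balancer, and even equal values only balance to the extent that the many sending clients on the Internet each randomize as the RFC asks.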
Mail clients
Initially, some mail users will have Lotus Notes mail les. In the future, some mail users may use other Internet mail client software. At that time, Worldwide Corporation will set up select Internet POP3 Messaging Servers for non-Lotus Notes mail clients to access mail les on the Lotus Domino server.
Mail quotas. Inbox cleanup. Mail journaling. Set options for Mail Recall. Set options for Out of Office agent. Reject inbound ambiguous names/deny mail to groups. Maximum message size for inbound and outbound message set to 10 megabytes. User restrictions, such as full-text indexing and other Policy Management enhancements.
Certifier ID files: wwcorp.id, sales.id, operations.id, hub.id, west.id, east.id, svr.id. There may be additional ID files needed.
Organizational units are based on geographical regions and job role. The servers' organizational unit will be used for better control of management and creation of servers. All organizational units and common names are descendants of the organization certifier /WWCorp.
User naming
The following table provides user naming conventions.
Type Common name for Lotus Domino environment Internet mail addressing
Code
EAST01/SVR/WWCorp
West
WEST01/SVR/WWCorp
west01.wwcorp.com
Server naming: use the name Type##/SVR/WWCorp, where Type is the server type or region (for example, East) and ## is the server number of this type.
Organizational unit naming: use the standard department code that identifies the location of the organizational unit. A new organizational unit for Sales might be: /Sales/WWCorp. User naming: certify under the regional organizational unit where the user works. A new user named Sara Jones in Sales would be: Sara Jones/Sales/WWCorp. The corresponding Internet name would be: Sara_Jones@WWCorp.com
Management policy (certifier IDs): Corporate system administrators create the O certifier. Corporate system administrators create the OU certifiers. Access is limited to two administrators using multiple passwords. Store IDs in protected areas.
Corporate administrators keep copies of OU certifiers. OU certifiers are migrated to the CA process. Regional administrators use the CA process to register users and servers using these OU certifiers. Store IDs in protected areas.
Management policy (server IDs): Corporate system administrators create all server IDs. Store IDs on the server. Use only for the server.
User IDs
Regional administrators create user IDs. Regional system administrators keep copies of IDs in a secure application on the hub server. Use a Certification Log application to track certification. All Certifier IDs have multiple passwords and expiration dates of 20 years from date of creation. This is not recommended, but is used for classroom purposes. Store backups in a secure off-site location.
Using Lotus Domino as a Certificate Authority, administrators will create X.509 certificates using the Certificate Authority Application on a workstation and store the CA key ring on that workstation, not on the server. Do not distribute these files to other administrators in the organization. Store the certificates in a secure off-site location. Store in corporate user Lotus Notes ID files. Store in trusted LDAP directories (for customers).
Remote Access
Worldwide Corporation has determined specific Internet access for remote employees, vendors, resellers, and customers, based on their needs.
Internet access
The following Internet access will be used:
Authenticated access for employees Public access Web server for vendors, resellers, and customers, including controlled access to servers, applications, and data
Customers Anonymous access to catalog and public company information. Future: Username and password access to information about their own orders, for example, shipping information.
Remote users
Users at home offices that do not have direct connections to the WAN can use an Internet Service Provider (ISP) to access the Lotus Domino system through a local Firewall server. Remote users can connect to their mail server through the local Firewall servers.
Server types
The following table lists the server licenses that will be used for each of the server types.
Server type | Server license | Rationale
Application and Web servers | Lotus Domino Utility Server | To provide custom applications for Lotus Notes and Web clients; to provide the following services: Clustering, Partitioning
Hub server | WAS | To provide the following services: Build and deploy application services; Run services efficiently; Secure applications and data
Path Domino
Description: Client files will be installed for network distribution purposes. Lotus Domino system applications that are required for Lotus Domino to function properly. Critical applications that require frequent replication.
Domino\data
Domino\data\critical
Applications
Use the standard installation file paths whenever possible to ensure standardized training and ease of support and troubleshooting.
Note: Store Lotus Domino executables on a separate disk than Lotus Domino data for better performance.
These areas of the Lotus Domino file structure are accessible to only designated personnel for installation purposes. All other Lotus Domino data is protected by operating system security and is accessible to Lotus Domino administrators only.
Configuration documents
Every Worldwide Corporation server has its own Configuration document. This ensures that each server configuration can be modified separately and that there is a log of any changes made. The Lotus Domino configuration application will be used for server setup to streamline and automate setup. A Configuration document exists for each server type (for example, hub, mail, application) and is then distributed to other servers of the same type.
Lotus Domino server type and recommended tasks:
Recommended tasks: Mail Router
Mail servers: Calendar Connector, Schedule Manager, HTTP for Web mail
Application servers: Standard services only, no additional services
Hub servers: HTTP (both mail and applications), SMTP (Headquarters hub only)
Web servers: HTTP for Web applications
Recommended tasks: POP3 and SMTP, IMAP, LDAP, NNTP
For example: HQAdmins or GlobalSales. Within groups, names are sorted in alphabetical order.
Deny access groups (description):
Denial for people whose family names begin with A-F.
Denial for people whose family names begin with G-L.
Denial for people whose family names begin with M-R.
Denial for people whose family names begin with S-Z.
Before deleting a user from the Lotus Domino system, add the user to one of these groups. This will ensure immediate denial to any Worldwide Corporation server.
Note: This is subject to replication of the changes throughout the domain, which will take no longer than 60 minutes.
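The naming rules given earlier in this appendix (Type##/SVR/WWCorp for servers, Sara Jones/Sales/WWCorp for users with the Internet address Sara_Jones@WWCorp.com) and the deny-access groups just described can be checked mechanically before anyone touches a Person document. The following Python is an added example for this edition, not code from the course or from IBM. ORG and INTERNET_DOMAIN are taken from the plan; the deny group names (DenyAccess_A-F and so on) are constructed here, because the course states only the family-name ranges each group covers.

```python
import re
from typing import NamedTuple, Set, Tuple

# Values taken from the Worldwide Corporation plan in this appendix.
ORG = "WWCorp"
INTERNET_DOMAIN = "WWCorp.com"


class DominoName(NamedTuple):
    common_name: str
    org_units: Tuple[str, ...]   # nearest OU first, e.g. ("Sales",)
    organization: str


def parse_domino_name(name: str) -> DominoName:
    """Split a hierarchical Notes name such as 'Sara Jones/Sales/WWCorp'.

    Components are '/'-separated: common name first, organization last,
    and zero or more organizational units in between.
    """
    parts = [p.strip() for p in name.strip("/").split("/")]
    if len(parts) < 2 or any(not p for p in parts):
        raise ValueError(f"not a hierarchical name: {name!r}")
    return DominoName(parts[0], tuple(parts[1:-1]), parts[-1])


def is_descendant_of_org(name: str, org: str = ORG) -> bool:
    """True only if the name is certified under the /WWCorp organization certifier."""
    try:
        return parse_domino_name(name).organization.lower() == org.lower()
    except ValueError:
        return False


# Server convention: Type##/SVR/WWCorp (Type = server type or region, ## = two-digit number).
SERVER_NAME = re.compile(r"^(?P<type>[A-Z]+)(?P<number>\d{2})/SVR/" + re.escape(ORG) + r"$")


def server_name(server_type: str, number: int) -> str:
    """Build the canonical server name, e.g. server_name('East', 1) -> 'EAST01/SVR/WWCorp'."""
    if not 1 <= number <= 99:
        raise ValueError("server number must be 1..99 to fit the ## slot")
    return f"{server_type.upper()}{number:02d}/SVR/{ORG}"


def is_valid_server_name(name: str) -> bool:
    """Check a server name against the Type##/SVR/WWCorp convention."""
    return SERVER_NAME.match(name) is not None


def internet_address(name: str, domain: str = INTERNET_DOMAIN) -> str:
    """Derive the Internet address from the common name: 'Sara Jones' -> 'Sara_Jones@WWCorp.com'."""
    common = parse_domino_name(name).common_name
    local_part = re.sub(r"\s+", "_", common)
    return f"{local_part}@{domain}"


# Deny-access group names are constructed for this example; the course only states
# the family-name ranges each group covers.
DENY_GROUPS = (
    ("A", "F", "DenyAccess_A-F"),
    ("G", "L", "DenyAccess_G-L"),
    ("M", "R", "DenyAccess_M-R"),
    ("S", "Z", "DenyAccess_S-Z"),
)
DENY_GROUP_NAMES = {group for _, _, group in DENY_GROUPS}


def family_name(name: str) -> str:
    """Last word of the common name, which is the family name in 'First Last' form."""
    return parse_domino_name(name).common_name.split()[-1]


def deny_group_for(name: str) -> str:
    """Pick the deny-access group a user must be added to before the Person document is deleted."""
    initial = family_name(name)[0].upper()
    for low, high, group in DENY_GROUPS:
        if low <= initial <= high:
            return group
    raise ValueError(f"no deny group covers family names starting with {initial!r}")


def server_access_allowed(name: str, memberships: Set[str]) -> bool:
    """Model the plan's server access rule: a deny-group member is refused regardless of
    its other groups, and names outside the /WWCorp tree are refused outright."""
    if not is_descendant_of_org(name):
        return False
    return not (memberships & DENY_GROUP_NAMES)


if __name__ == "__main__":
    user = "Sara Jones/Sales/WWCorp"
    print(internet_address(user))        # Sara_Jones@WWCorp.com
    print(server_name("East", 1))        # EAST01/SVR/WWCorp
    print(deny_group_for(user))          # DenyAccess_G-L
    print(server_access_allowed(user, {"GlobalSales", deny_group_for(user)}))  # False
```

server_access_allowed deliberately tests the deny groups before anything else, mirroring the reason the plan adds a departing user to a deny group first: the denial must already be replicated to every server (the note above allows up to 60 minutes) before the Person document disappears, otherwise a stale Domino Directory on a remote server would still admit the user.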
Requirements:
No application size quotas, unless archiving is needed for a particular course
No database naming standards
Standard directory structure, for example: \Domino\Data\Global\HR1, \Domino\Data\Global\Marketing, \Domino\Data\Local\Marketing, \Domino\Data\Local\Dev1
One group for all server administrators, for example: GlobalAdmins
Groups for specific categories of employees, for example: GlobalSales
Standard Groups at all sites
Requirements:
A group for each region, for example: EastAll (for all Worldwide Corporation employees in East)
One group for administrators per region, for example: WestAdmins (for all server administrators in West)
Client licenses
Client licenses will be:
Lotus Notes Client for most users, all generic IDs, and any contractual or affiliate accounts. IBM Lotus Domino Designer for users who will create, modify, or design databases. Lotus Domino Administrator for system administrators.
Client deployment
Desktop, registration, and security policies will be used to set up users' environments. For Internet mail, account documents will be created locally for each mail protocol. Mail will be stored in Notes Rich Text format. Worldwide Corporation will use policy documents to create and update Location and Connection documents on workstations for dial-up users to determine where and how to locate the servers.
Policy: Certify all IDs using a Lotus Domino certificate. Users responsible for secure or encrypted information, such as pricing information to resellers, will hold an Internet (X.509) certificate. Stored on workstations for all users and encrypted locally. Copies are kept in a secure location by regional as well as corporate administrators.
Accept CA certificate as a trusted root. Store internal signed client certificates for access to secure information.
File storage
Client-based data files, such as IDs, Notes.ini, and *.dsk, will be stored on the workstation for all users and encrypted locally.
Procedure
Tasks, in order:
Add an administrator's workstation.
Set up access to the Lotus Domino Directory.
Add Lotus Domino servers.
Add organizational units.
Register administrators.
Add Lotus Notes clients.
Create user groups.
Create organizational policy.
Register users.
Set administration preferences.
Set up access to servers.
Set up server logging.
Synchronize Lotus Domino system databases throughout the domain.
Route mail internally.
Route mail to the Internet.
Set mail controls.
Test mail routing and delivery.
Appendix B Certification and Exam Competencies
Place in certification
IBM Lotus Domino 8.5 System Administration Operating Fundamentals is listed as one of the preparation resources for the following exam: Exam 980 - IBM Lotus Notes Domino 8.5 System Administration Operating Fundamentals. This exam is part of the path for IBM Certified System Administrator - Lotus Notes and Domino 8.5 certification. The complete path is described here:
IBM Associate System Administrator - Lotus Notes and Domino 8.5: Exam 980 - IBM Lotus Notes Domino 8.5 System Administration Operating Fundamentals
IBM Certified System Administrator - Lotus Notes and Domino 8.5: Successfully pass the following three exams:
Exam 980 - IBM Lotus Notes Domino 8.5 System Administration Operating Fundamentals
Exam 981 - IBM Lotus Notes Domino 8.5 Building the Infrastructure
Exam 982 - IBM Lotus Domino 8.5 Managing Servers and Users
IBM Certified Advanced System Administrator - Lotus Notes and Domino 8.5: Exam information not yet available.
Steps:
1. Review the exam competencies.
2. Get hands-on experience.
3. Use the exam preparation page.
4. Use all available resources.
Exam Guides: The Exam Guides are located on the IBM Software Services for Lotus Certification Web page at http://www.ibm.com/lotus/certification. Brief description: Complete version includes certification titles and paths, sample questions, and registration information. Where to find resource: Abbreviated version is available in the Exam Competencies Appendix included in this course. Complete version is available on the IBM Software Services for Lotus Certification Web page at http://www.ibm.com/lotus/certification.
Direct application of the skills learned in this class cannot be replaced by any other single resource listed here.
Resource | Brief description | Where to find resource
Lotus authorized courses | Offered at Education Centers for IBM Software (ECIS) and Lotus education locations worldwide. | A complete list of courses and education centers is on the IBM Software Services for Lotus Education Web page at http://www.ibm.com/lotus/education.
CBT programs | | Additional information is available at The Education Store on the IBM Software Services for Lotus Education Web page at http://www.ibm.com/lotus/education.
Practice tests | Available from a variety of vendors. Visit the individual exam preparation page to determine what practice tests are available for a specific exam. | Available from the IBM Software Services for Lotus Certification Web page at http://www.ibm.com/lotus/certification.
Online learning | This includes online tutorials and other learning resources. | See the individual exam preparation page for recommended online learning resources.
Product Documentation | | Additional information available at http://www10.lotus.com/ldd/doc.
IBM Redbooks | Technical cookbooks that address topics that the reference manuals may not cover. | Ordering information is available at http://www.redbooks.ibm.com.
Preparing for the IBM Lotus Notes Domino 8.5 System Administration Operating Fundamentals exam
The following materials are available for the IBM Lotus Notes Domino 8.5 System Administration Operating Fundamentals exam:
IBM Lotus Domino 8.5 System Administration Operating Fundamentals Course
CertFX Practice Test
Notes, Domino, and Domino Designer 8.5 Release Notes
Lotus Domino 8.5 Administrator Help
For the most up-to-date resource listing for this exam, visit the individual exam preparation page. Go to http://www.ibm.com/lotus/certification and select the exam name from the Select an exam drop-down menu. These individual pages will give you the most up-to-date list of resources available.
IBM Lotus Notes Domino 8.5 Administration Operating Fundamentals Exam Competencies
This section contains the exam competencies for the IBM Lotus Notes Domino 8.5 Administration Operating Fundamentals exam. The exam competencies are one tool for preparing for IBM Certified for Lotus Software exams. For a more complete listing of learning resources, refer to the Lotus Certification Web site available at www.lotus.com/certification.
Configuring client provisioning
Configuring component update for composite applications
Configuring Directory Services
Configuring Directory Services/LDAP services
Configuring Domino services
Configuring Domino Web Access
Configuring Ports
Configuring Server Fast Restart
Configuring User ID Recovery
Creating an ID Vault
Creating Dynamic Policies
Creating Internet Site Documents
Creating Policies
Deploying a centrally managed Widget Catalog
Identifying the architecture and key components of the Lotus Notes and Lotus Domino Environments
Implementing Sametime for Domino Web Access (DWA)
Implementing Domino Attachment and Object Service (DAOS)
Implementing Domino Configuration Tuner
Implementing Domino Roaming for Standard Clients
Implementing Early Authentication
Implementing Lotus iNotes enhancements
Implementing Lotus Notes on Citrix
Implementing Lotus Traveler
Registration/Certifiers
Registration/Domains
Registration/Groups
Registration/Organizational Units
Registration/Organizations
Registration/Servers
Registration/Users
Understanding Installation Package Options
Understanding Server Installation Order (platform independent)
Understanding the Certification Log
Mail
The following competencies relate to mail.
Creating Domino (Notes) Named Networks
Creating Mail Topologies
Defining Mail Routing Protocols
Defining supported message formats
Implementing Mail Services/Domino Web Access (DWA)
Implementing Mail Services/IMAP
Implementing Mail Services/POP3
Issuing server commands
Planning Mail Topologies

Defining directory terminology
Examining Lotus Domino server functionality
Managing files and disk space
Monitoring server status
Performing Basic Administrative Tasks
Setting administrative preferences
Starting Lotus Domino Administrator
Understanding support for LDAP attributes
Understanding the administration process
Understanding the Domino Administrator UI
Utilizing the Domino Administrator client
Viewing mail routing status
Viewing Person documents and groups
Viewing replication events and topology
Viewing server configuration documents
Managing Servers
The following competencies relate to managing servers.
Configuring new Domino Domain Monitoring options
Configuring Send to IBM feature
Configuring Web Administration Bookmarks
Implementing Domino Domain Monitoring probes
Understanding Domino Directory enhancements
Understanding Domino server console commands
Understanding streaming replication features
Upgrading Domino Servers to version 8.5
Utilizing Administration Process (Adminp) features
Platform Support
The following competencies relate to platform support.
Defining Domino attributes
Defining Domino attributes/Certifier Documents
Defining Domino attributes/Configuration Documents
Defining Domino attributes/Connection Documents
Defining Domino attributes/Group Documents
Defining Domino attributes/Messaging
Defining Domino attributes/Person Documents
Defining Domino attributes/Program Documents
Defining Domino attributes/Replication
Defining Domino attributes/Server Documents
Defining Domino attributes/Server Tasks
Identifying Lotus Domino databases
Security
The following competencies are related to security.
Configuring Administrator Access rights
Configuring the Access Control List (ACL)
Configuring the Access Control List (ACL)/Enforce a Consistent Access Control List
Configuring the Access Control List (ACL)/Maximum Internet name-and-password
Defining Security Fields
Deploying xPages Security
Implementing Shared Login
Implementing the ID Vault
Managing encryption key lengths
Restricting Server Access
Understanding changes in database encryption levels
Understanding database Access Control Lists
Understanding new Java Security standards
Understanding Online Certificate Status Protocol (OCSP)
Understanding password protection for Notes and Domino ID files
Understanding public and private keys
Understanding the Access Control Lists (ACL)
Utilizing the Access Control List (ACL) log
Preparation Checklist
Instructor Preparation
This appendix is provided to assist instructors in their preparation for leading instructor-led training in a classroom or online (ILT and ILO).
Read through the Instructor Guide. Perform all activities in the course. Perform all demonstrations and labs described in the Instructor Guide. Refer to the Instructor Lounge to gather useful teaching tips and techniques that other instructors have used to teach this course. Use the information in this section to find additional resources to further your knowledge of the subject. Practice the classroom setup.
Appendix C Instructor Preparation
Description: You can discuss Lotus and related products with your peers, expand your understanding of these products, and create connections with others. Join our public discussion forums, where the Lotus community meets to talk about Lotus software. You are welcome to read all our forums. To participate in some forums, you need to complete our free registration form to get a developerWorks Lotus user name and password. (If you have previously registered on Notes.net/Lotus Developer Domain, that is the user name and password to use here.) Other forums require an IBM ID to participate.
IBM Lotus Domino and Lotus Notes product information where you can find system requirements, installation and configuration procedures, and information about managing your Lotus Domino servers and Lotus Notes clients.
Lotus Labs
http://www-10.lotus.com/ldd/lotuslabs.nsf
Course Strategy
Approach
This course uses the fictitious company Worldwide Corporation to provide scenarios for installing and setting up the infrastructure. The company uses a single domain with Lotus Notes mail internally and SMTP externally. To provide all students with a comprehensive hands-on experience, we have designed this course so that all students administer their own servers. To accommodate this, we instruct students to use the client and server software on the same machine. The Lotus Domino server and Lotus Notes client software support this configuration provided that the server and client software is installed in separate directories on the machine. While we recognize this is not an optimal or recommended configuration to deploy in a real world environment, we use this environment in the classroom to provide all students with the experience of administering their own servers.
Recommended Agendas
This course is a one-day instructor-led course with computer-based activities and labs. These tables are provided to help you plan your instructional agenda for each of the training days.
Time | Lessons or Topics
45 minutes | Lesson 1
45 minutes | Lesson 2
45 minutes | Lesson 3
1 hour | Lunch Break
45 minutes | Lesson 4
45 minutes | Lesson 5
45 minutes | Lesson 6
Virtual lab
Student workstations are installed in an eLab and accessed by students remotely. The lab workstation is available to students for the duration of the course and used to complete all lab activities and for independent practice.
Course activity | In the classroom | In an online classroom
| Instructor projects slides on the classroom monitor or projection screen. | Instructor displays slides in the online classroom interface.
Application demonstration | Instructor performs demonstrations and output is displayed on classroom monitor or projection screen. | Instructor shares her desktop or application using the screen sharing features of the online classroom interface.
Discussion | Students and instructor discuss topics. | Students and instructor use audio connection to discuss topics. Other tools to aid discussion include: Hand raise; Chat window in Web conference; Break out sessions for small group interaction
Guided practice, in the classroom: Instructors and students perform activities simultaneously. The instructor's activities are displayed on the classroom monitor or projection screen.
Guided practice, in an online classroom: The instructor chooses to: Convert the practice to demonstration and instruct students to practice the activity, after the session, using the instructions in the Student Guide. Note: This option may be used only if the completion of the practice activity is not a prerequisite to subsequent course practice activities. If a live application is available for students, instruct students to perform the guided practice as unguided practice.
Students complete these independently on virtual lab machines. Generally, these activities may be completed after the live session. If the activity cannot be moved because it affects the flow of delivery, then the instructor may pause the live session to allow students to log in to their virtual accounts to complete the activities. Then students rejoin the live session. The instructor may be available to students during lab periods by phone, instant messaging, or using the virtual classroom chat feature.
Feedback
Instructors view body language to assess students' interest and understanding, and to judge the pacing of delivery. Instructors use this feedback to adjust the content or pacing, or to address an individual student's questions.
Adjust the order of practice activities so that independent lab activities can be completed after the online sessions. Modify some activities so they are demonstrations rather than independent practice. This strategy is used when a practice activity is in the middle of a live session. Note: The completion of some course activities is required for subsequent activities to be completed. For example, students need to complete an activity to register a new user before they can complete an activity where they give that user access privileges. In these instances, you will need to identify the required activities and ensure they are completed as needed.
The optimal length of an online session is two hours. You may, optionally, choose to deliver the course in full-day sessions, breaking for activities. You should schedule instructor office hours when students may reach you by phone for individual tutoring on topics as needed. You should allot more time for breaks than you would in a live classroom situation. Add time to the beginning of the online sessions to review lab activities. In the early sessions, when students are first using the eLab environment, you will need this time to address any problems or observations students have about working in the virtual lab environment.
A virtual class may be attended by participants in multiple time zones. You need to be available during the times students are completing their lab activities. Although you will not be presenting lab activities, you need to schedule time for students to complete these. If your online class ends late in the day, you should not expect students to complete the lab activities by early the next day. The virtual lab, used by students to complete activities, may not be available to class participants during certain hours. Or, the lab may be unsupported during night time hours. Schedule time before the first class session to help students test their ability to connect to the Web meeting facilities.
In addition, you must manage the pacing and interaction within the course; monitor electronic and verbal hand raising; compose, send, and evaluate questions and answers; and fill time as you wait for applications to display. You will also need to manage other, unscheduled events. For example, applications may crash, displays may freeze, or you may unintentionally close a window. You may also need to help students manage their own display. For example, you may need to instruct a student on how to recover a floating course screen, scroll the display, or scale a window's image. All these events require your attention, and at first, the online collaboration tools will require training and practice. We recommend that you attend e-learning facilitation training for the e-learning tool being used for delivery and rehearse your class presentations and demonstrations.
Displays each presentation page. Performs and narrates the interactive demonstrations. Responds to verbal questions. Manages the session pacing.
User Interface (UI) manager: This person manages the elements of the user interface. The UI manager:
Monitors the display on a separate machine to ensure that the facilitator narrative matches the refresh rate in the student browser. Monitors the participant list for raised hands. Answers students' questions regarding the UI and any problems they may be having with it. This can be done in a separate chat window.
You should rehearse each session with your partner and clearly define your roles and responsibilities regarding each element of the presentations and interactive demonstrations. Take a few minutes after each live session to review the things that did and did not work.
Preparation checklist
After the course has been set up in the e-learning environment, you should:
Prepare your e-learning podium. Rehearse the presentation. Reserve audio conference services (do this if you will not use IP audio). Conduct a connection test with students. Review Preparing to Teach an e-Learning Session, in this section. Review Delivering an e-Learning Session, in this section.
Place a second computer next to your facilitator machine. Log on to this second machine as a student. Using the second student machine, you can monitor what the students are seeing, for example, how fast the refresh rate is. Use the fastest machine you can for interactive demonstrations. Waiting for a slow processor to perform your interactive demonstrations can be awkward. Invest in a high-quality telephone headset. Your students will be listening to you talk for hours at a time. Using a low-quality speakerphone or headset can be irritating to listeners. Turn off the ringer on your phone and disable call waiting. Disable voice paging on your phone, if you have this feature. Disable the intercom. Close the door (if you have one). Inform your colleagues and office neighbors of class dates and times.
Presentation materials: Display each slide and practice delivering the content as scripted in the Instructor Guide. Screen sharing demonstrations: As with any course, you should rehearse these demos to ensure that you can access the required applications and you can smoothly transition between the presentations and interactive demonstrations. Rehearsing interactive demonstrations: This course requires you to use the screen sharing feature to share demonstration media files. You should rehearse these interactive demonstrations several times. Rehearsing transitions: Several times during this course you are required to switch from presenting slides to using screen sharing.
A telephone conference: Students use their telephones to listen and participate in the session. A conference service is used to join all phone connections into a conference.
Information you provide Whether you use internal or vendor-provided conference services, you will need to provide the following information:
Estimated number of participants: It is always better to overestimate, just in case you have a few last-minute course registrants. Origin of calls: Calls that originate in another country or time zone may require different support or configuration on the part of the conference provider. You should identify this in advance. Contact name and number prior to the conference: If conference facility personnel need to confirm or modify arrangements, they will need to contact you.
When you reserve the bridge facilities, you should confirm the following information. This information will be communicated to students prior to the first class: Dial-in number for participants: This is the phone number that students will dial.
International dial-in number (if needed): Some conference providers will provide different dial-in numbers for international callers. Conference reference name or number: Some conference service providers connect callers to specific conferences. In these instances, the caller dials a central number and identifies the desired conference using a predefined conference number, title, or host (facilitator) name. The call is then connected to the appropriate conference. Password: Optionally, some providers may require a password for entrance into a restricted conference. Support resources: The conference provider may provide an additional phone number for participants to call if they are having problems connecting to the course.
Conduct a connection test
There are several reasons why you should request that students test their ability to connect to the course, not the least of which is to troubleshoot problems prior to the first class. To prepare students, you should:
Create a live session and schedule it to occur about one week prior to the session. Invite students to join the session so that they can:
Test their ability to connect to the session services. Download any applications and plug-ins. Get acquainted with the e-learning user interface.
Additional Considerations
Preparing students
While preparing to lead the course, you provided a test connection session for students and tested your own equipment and network connections. However, you will still need to make time at the beginning of the class to troubleshoot any connection or presentation issues that arise. In addition, you should: Encourage students to test their virtual lab connections. Allot some time in the first or second class session to review student questions regarding the lab environment. Students connect to remote facilities to complete the lab exercises. It is common for the lab machines to be available for the duration of a course. Although you cannot provide support during this entire time, you should establish the times when students can expect to receive support for their lab activities.
Help students distinguish the kind of help they need. There will be two types of help required:
Content help: Assistance completing the lab task, which includes help understanding the instructions and troubleshooting errors that may occur. Lab facility help: This includes help connecting to the lab and using credentials to log in to the student account.
Provide additional ILO class support information. Students in a distributed learning environment require several types of support, ensure they have the necessary information to gain each type of support:
Technical support: To help resolve connection issues. Content support: To answer questions about the materials presented in class. Process support: To assure them that their participation in class is appropriate.
Schedule office hours: Make yourself available by phone, e-mail, or chat to support students. Recommend that students plan to complete the lab exercises during those office hours, when you can provide assistance to them. Encourage students to help each other.
You can support this formally by setting up an online community using collaboration applications such as forums or wikis. You can encourage students to do this informally using shared contact information or, if students are co-located, they may choose to complete the lab activities together.
167
Appendix
Appendix C Instructor Preparation
- Display the opening slide and dial into the conference services at least 15 minutes prior to the beginning of class. This will give students a chance to test their connections. Use the draw tools to enter the time at which the class will begin.
- Arrange your workspace.
  - Clear the clutter on your desk; leave ample room for your Facilitator Guide, notes, documentation, and so on.
  - Close any unused applications. They use valuable system resources.
  - Arrange the e-learning windows so that you can display all the required functions.
- Keep students engaged. Two hours of watching a presentation can put even the most enthusiastic student to sleep. Add interaction where possible.
  - Survey your students, either verbally or by sending an electronic question. Ask them about the level and pacing of your presentation. As with classroom-based audiences, some students will have more advanced experience and will benefit from less presentation and more demonstrations with verbal questions and answers. Others may require more remedial instruction. You may not know this unless you ask.
  - Share the demonstration. When you share an application, as you do when you demonstrate, you may be able to pass control to volunteers who can complete tasks. Sharing the demonstration adds more activity in the class and helps to engage students.
  - Pause for discussion. Ask your students to discuss the implications of a specific function or feature. Be aware that discussions take time and you may need to limit their scope and timing in order to stay within the session time.
  - Ask for volunteers. Be aware that some adult learners prefer to observe and are uncomfortable when called upon to answer a question or perform an exercise. If you initiate discussion or share an application, ask for volunteers to electronically raise their hands. Then, select from those students.
  - Manage silence. It is fine to pause your presentation to catch your breath or to wait for a slide to load, but remember that students have no visual contact with you. If you are silent for too long, they may think they have lost their audio connection. If you find that you are waiting a long time for an application to perform a function, ask for questions, initiate a short discussion, or review what you have done so far.
  - Make your personality larger. As an effective instructor you use your personality and demonstrated passion for the content being delivered to engage students in learning. You will need to find a way to communicate these things in the virtual environment without the aid of facial and body language.
- Use the pointer tools to show bulleted list items. If you distribute student materials, refer to the pages often. Move your cursor slowly and deliberately. Note: It is helpful to change the cursor style on your system so it is easy for students to identify it from their own.
- Do not use shortcut keys to initiate functionality, unless it is part of the instructions. Students cannot follow you when you press CTRL+C, but they can follow you if you click Edit > Copy.
- Close demonstrations when they are complete. Start new demonstrations from a neutral screen.
If you have not registered, visit the Education Zone located at http://www.lotus.com/educationzone and follow the instructions to register for the certified community. After registering, you will be able to access the CLI Private Site using your user name and password.
Course Evaluation
At the end of the course, direct students to connect to the course evaluation Web page to complete an evaluation survey. Explain the importance of student feedback as a tool to help IBM improve course design and content and to help you improve your presentation. Tell students that the survey is anonymous; they will not be required to provide their name or contact information, but can do so if they wish.
Lesson 1 page 4
To demonstrate how a server identifies and stores information specific to the machine, open the Server document and point out the information in the following table.

Tab: Basics
Description:
- Defines the server's Lotus Domino name
- Compares this network name to the name Lotus Domino knows
- What the server is used for
- Who manages the server
- Who can use the server
- Where the server is located on the network
Lesson 1 page 5
To demonstrate how a client identifies a server by showing a Location document, open the Notes client Location document and point out the information in the accompanying table.

Tab or field: Description
Basics: How you connect to the server.
Location name: How to choose the set of server connection information.
Servers: Where the client goes to find information and the user mail file.
Home/mail server: Which server to use for user name, server name, and other information (usually the home/mail server).
Ports: How the client connects to the network.
Mail file location: Where your mail file can be found.
Mail file: The directory where the file exists.
What set of Lotus Domino mail servers (domain) you are part of.
Lesson 3 page 53
Example of completed organizational chart.
Lesson 4 page 89
This model is the most efficient method and allows for easier expansion, such as adding new servers and clustering existing servers. The corporate Hub server is the main hub and takes overall control of mail and replication. There are Connection documents from the main hub to the regional mail servers. The regional mail servers can then act as hubs if additional mail servers are added. The Connection documents enable communication between two or more servers in the regional Notes named networks (NNNs). The Connection document specifies how and when information exchange occurs.

Partitions are particularly effective when the servers are in different domains. For example, on one computer administrators can dedicate multiple domains to multiple customers or set up multiple Web sites. In most cases, partitioning servers from the same domain uses more computer resources and disk space than combining the servers into a single server. This is because the Lotus Domino executable files are loaded for each partitioned server, and each Lotus Domino server must have its own copy of the Lotus Domino Directory and other administrative applications. Refer students to the Lotus Domino Administrator 8.5 Help topic "Partitioned servers" for additional information and recommendations.
Glossary
access control list (ACL): Determines access to a given database, and the type of access allowed.
access controls: Determine what information is available to the entity.
application: A solution to a particular business problem that may contain one or more databases and other components, such as JavaScripts.
authentication: Establishes trust between two entities.
certificate: A unique electronic stamp stored in an ID file that associates a name with a public key.
certifier ID: A file that generates the electronic stamp to indicate a trusted relationship.
cluster: A group of two or more servers that provides users with constant access to data, balances the workload between servers, improves server performance, and maintains performance when you increase the size of the Lotus Domino environment.
common certificate: A certificate derived from the same Lotus Notes or Internet (X.509) certifier, or one of its ancestors in the organizational hierarchy.
composite application: A collection of two or more distinct applications that address a business need for a specific group of users, and can be accessed from one screen.
Copyright IBM Corporation 2009.
domain: A collection of servers and users that share a single Lotus Domino Directory.
ECL (Execution Control List): Defines workstation security for the Lotus Notes client.
field-level replication: The process of copying only fields that have changed since the last time the two databases replicated.
group types: Used to define the purpose of the group and determine the views in the Lotus Domino Directory where the group name appears.
group: A list of users and/or servers that have something in common. Each group must have an owner, who is usually an administrator or an application manager.
hierarchical naming: Associates names with the certifiers in an organization.
Location document: A feature that connects you to applications on servers by providing a place to specify information such as the name of your mail server, whether you use a passthru server, or even which Lotus Notes ID to use.
Lotus Domino Directory: A database that stores information that allows Lotus Domino servers and clients to function properly.
Lotus Domino Enterprise Server: Includes the functionality of both the Lotus Domino Utility and Domino Messaging Servers, including support for clusters.
Lotus Domino Messaging Server: Provides messaging services. It does not include application services.
Lotus Domino replication: A process of exchanging modifications between two database replicas so that the same database may be updated and shared by many users in different locations accessing different servers.
Lotus Domino server: A computer that runs the Lotus Domino server program, stores Lotus Notes databases, and runs services that manipulate Lotus Notes data.
Lotus Domino Utility Server: Provides standard Lotus Domino application services and custom Lotus Domino applications for Lotus Notes and Web clients, as well as support for clusters. It does not include messaging services.
Lotus Notes and Lotus Domino: A client and server environment that provides services to allow an organization to perform tasks to store, communicate, and exchange information.
Lotus Notes client: A computer that can access Lotus Domino data both on servers and locally, providing portable access to data.
Lotus Notes ID: Identifies a user or server to Lotus Domino systems.
mail routing topology: Establishes which servers are connected and how they communicate specific information.
Object Store: A place where all Notes data resides in the form of an NSF application.
organization certifier: A special file created at the time the first Domino server is set up in the company.
organization: Defines the naming hierarchy for a Lotus Domino environment, which is used for security.
OU (organizational unit): Defines an organization's hierarchy as it relates to people.
Person document: Describes a Lotus Notes or non-Lotus Notes user in the Lotus Domino Directory.
policy: The Policy document and its associated Settings documents.
replica: A special copy of a database.
replication: The process of synchronizing documents from the same databases on different workstations or servers over time.
Replicator: A server task that is loaded, but not initiated, at server startup.
role: Identifies a set of users and/or servers.
Server document: Created when you register a server; it contains many of the settings that define how your server operates.
server task: A program provided with the Lotus Domino server that runs when loaded and activated.
T.120: A family of open standards that contain a series of communications and application protocols and services that provide support for real-time, multipoint communication.
Web client: A computer that can access Lotus Domino data on the server to display in a browser.
Index

A
access control list, 63
access control options, 63
anonymous, 60
authentication access controls, 55

C
certificate, 56
certifier ID, 56
clients
  Lotus Notes, 5
  Internet mail
cluster, 114
common certificate, 57
Composite application, 11
Configuration tab views, 31

D
Database and Applications Types, 10
deny list, 69
domain, 13
Domino standard services, 111

E
execution access, 75
Execution Control List (ECL), 75

F
Features of Lotus Notes 8.5, 7
field-level replication, 97
File tab tasks, 30

G
group, 29
group types, 69

H
hierarchical name, 45

I
IBM Lotus Notes ID vault creation, 61
IBM Lotus Notes and IBM Lotus Domino, 3
ID file types, 57
Internet (X.509) certificates, 56

L
Location document, 5
Lotus Domino Directory, 13
Lotus Domino Enterprise Server, 4
Lotus Domino Messaging Server, 4
Lotus Domino partitions, 116
Lotus Domino replication, 30
Lotus Domino server, 3
Lotus Domino Service Categories, 14
Lotus Domino Utility Server, 4
Lotus Notes client, 3
Lotus Notes ID, 56

M
mail routing topology, 84
Messaging tab tasks, 30

N
Notes certificates, 56

O
Object Store, 9
organization, 41, 42
organization certifier, 42
organizational unit, 42 (see also: organization)

P
person document, 29

R
replicas, 93
replication, 93
Replication tab tasks, 31
Replicator, 93
required server applications, 12
role, 64

S
Server document, 4
server host names
  common names, 50
server task, 15
settings document, 36
simple, 60

W
Web client, 3