Databases are not replicating between two servers (one server has 100 documents and other has

90)
To identify the replication issue
1. Replica id
2. Replication history in database properties (it shows the last successful replication)
3. Log.nsf or replication logs
4. Connections documents
5. Database ACL - server rights for replication.
6. Check sufficient disk space
7. Document and field level access (this is useful when document count mismatches)
8. Monitoring result *statrep.nsf)
9. " Jobschduled.njf " this file used for scheduled replication and can be corrupt.

Configuring Domino to send and receive mail over SMTP

Setting up a Domino server as an SMTP server consists of enabling two separate tasks: a listener task and a
routing task. Enabling the SMTP Listener allows a server to receive mail over SMTP. Enabling SMTP routing lets
the Domino Router send mail to other servers using SMTP. You enable SMTP routing to destinations within the
local Internet domain separately from SMTP routing to external destinations. It's also possible to enable SMTP
routing on a server without enabling the Listener task, and vice-versa. For example, to support POP3 and IMAP
clients, which use SMTP to send mail, you must have at least one internal server running the SMTP Listener task.
However, the server does not have to use SMTP when transferring messages it receives over SMTP to the next
hop on the routing path. After the server has accepted a message over SMTP, it can use Notes routing to transfer
the message to other servers. By default, Domino uses Notes routing only and is not configured for SMTP routing.
To have Domino use SMTP to send and receive mail, do the following:
Prepare your system for sending messages to the Internet by testing your Internet connection and verif ying that
DNS is set up properly
Enable the SMTP Listener task in the Server document of server you want to receive mail over SMTP
Enable SMTP routing within the local Internet domain so that servers can send mail over SMTP
Enable SMTP to be used to send messages outside the local Internet domain.
Specify the relay host, if any, to be used when sending mail outside the local Internet domain.
Configure a relay host for SMTP servers that do not have direct access to the Internet.
Set up inbound and outbound mail restrictions to protect against misuse of the mail infrastructure.
To allow POP3 or IMAP users who connect to Domino from an external network to send mail to external Internet
domains, specify exceptions to inbound relay enforcement for authenticated users.
If you intend to allow users to access mail from POP3 or IMAP mail clients, you must install and enable these
access protocols on users' mail servers. By default, Domino supports only Notes client access.

Transaction logging:-
Transactional logs are binary file where transactions are written. The transactional log file has a .txn file extension
and 64 MB in size. Transaction logging captures all the changes made to a database and writes them to a
transaction log. The logged transactions are then written to disk. Transaction logging is available for Domino
servers running release 5 or later. Database changes are sent to a transaction log and then written later to the
target database. (i.e.: committed to disk)
Transaction logging offers benefits for the following system activities:
Backup throughput is increased because transaction logs back up quicker than normal databases.
Disaster recovery is more complete since data stored in the transaction log can be supplemented to the full
system recovery and so the data is not lost
Database views are stored in the log file so database views may not need to be rebuilt.
Types:-
1) Linear - 4 GB space. Same
2) Circular - can use more than 4 GB space.
3) Archived

DBIID:-Database Instance ID and it is assigned at the First time transaction loggings occur.

1
Type of roles in names.nsf (public address book).

Group creator.
Group modifier.
Net creator.
Net modifier.
Policy creator.
Policy modifier.
Policy reader.
Server creator.
Server modifier.
User creator.
User modifier.

Like author access with user creator role for registering the person, without editor access you can do the same
work. So this is the combination of role and access level.

Domino maintenance task on 5 files

Admin4.nsf, Names.nsf, certlog.nsf, catalog.nsf, log.nsf
nfixup -F names.nsf
nupdall -R names.nsf
ncompact -B names.nsf

Replication:-
Pull-Pull (both server included)—Bi-directional.
Pull – Push (default)-only source server included—Bi-directional.
Pull only –only source server ---Uni directional.
Push only –only source server included --Uni directional.
Command: - Push server name [database name]
Replication issues an NSF search request against the source replica and it returns several pieces of information
including a list of OIDs of all the documents that have been created or modified since the last replication.
OID: - is a combination of three components.
UNID:-unique 16 byte identifier that never changes.
Sequence No: - indicates how many times the document has been modified.
Time Stamps: - indicates the last time the document was modified.
Notes can keep databases synchronized through replication, which can occur between two Domino servers or
between Notes workstations and a Domino server. Domino system administrators manage several replication
tasks on the Domino server as a part of their job. Notes client user replicates databases to the Notes client that
will be used when disconnected from the server.

Database Replicas and Copies

You can make two types of copies from a database: an ordinary copy and a replica copy. In an ordinary copy, the
original database remains intact and the copy of it reflects the moment in time when the copy is made. From that
point forward, the two databases (the original and the copy) are distinct from one another; changes to each are
made independently of one another and will never be shared between the two. Replica databases, on the other
hand, can share changes made to them. A replica copy is made of an original database and maintains a
relationship with the original database; these are referred to as replica copies. Between two replica databases,
the replication process operates at the document level. During replication, Notes compares one database to
another, determines any incremental changes by checking which documents are new, which have been modified,
and which have been deleted in each, and then it sends and receives document additions, updates, and deletions
between the databases. When document updates are sent (or received), Notes only copies data from fields
whose values have changed. All documents are not copied each time a change is made; only incremental
changes are transferred. This is called field-level replication, and it makes Notes replication efficient and fast.

2
Replication operates within the security model of Notes and Domino. If, as a user of a database, you only have
the ability to read documents in a server-based replica, you will only be able to receive new and updated data
from the server to your local replica. Any changes made on your end cannot go to the server because you have
only read-access privileges.
Streaming replication: - It allows the replicator task to send multiple changes in one request and to replicate
smaller document first. It used when replication type is PULL-PULL or PULL only.
Replication between two servers require connection document on either server where as mail routing requires
connection document on both servers.
Replica id:-a unique number that is generated when a database is first created. When you make a replica of the
databases the replica inherits the replica id. Author access required for replication.
Benefits of replication –
1. Security
2. Reduced communication cost
3. Improved performance
4. Can replicate subset of data
5. Replication on the basis of ACL

In server documentsserver task -> maximum execution time, increase it if Agent is stops in the middle

DST
Specifies that a server or a workstation observes daylight savings time. Belongs to Uncategorized Usage
DST=value (Default 1)
0 - Do not observe daylight savings time
1 - Observe daylight savings time
When you select this option, the created/modified time for documents created or modified from the first Sunday in
April through the last Sunday in October are time-stamped one hour later than the server's system time. This
option lets you adjust for daylight savings time without changing the actual system time.
On a workstation, Daylight savings time field is in the Basics tab in the advanced tab in the Location document; on
a server, Daylight savings time field is in the Server document.

Show server command:-

3
Tell router config all:-

Using the Configuration Document to implement outbound SMTP failover

You must configure the Lotus Domino server for outbound SMTP failover. In the Configuration Document -->
Router/SMTP panel --> Basics panel "Relay host for messages leaving the local internet domain," contain multiple
hostnames/IP addresses - Use a semi-colon to separate hostname entries or IP addresses to achieve failover.
Example: host1.acme.com;host2.acme.com
Result: The router will attempt an SMTP transfer to host1.acme.com. If host1.acme.com is down or not
responding, the routers will failover to host2.acme.com as observed below:
09/13/2006 11:01:46 AM Router: No messages transferred to host1.acme.com; host2.acme.com (host
host1.acme.com) via SMTP: The server is not responding. The server may be down or you may be experiencing
network problems. Contact your system administrator if this problem persists.
09/13/2006 11:01:46 AM SMTPClient: Attempting to Connect: Host host2.acme.com, Port 25, SSL Port 0,
Connecting Domain vec.lotus.com
09/13/2006 11:01:46 AM SMTPClient: Connection successful
A Domino server is configured to send SMTP messages outside the local Internet domain via a Send mail relay
server. A secondary Send mail server is set up to provide failover in the event the primary relay is down. Creating
a failover SMTP Connection document that references the secondary Send mail host does not appear to work.
When the primary relay host is unresponsive, the dynamic cost is set to "1," and the message is queued in
MAIL.BOX, pending the next scheduled retry interval.
One method used for failover is entering a Fully Qualified Host Name (FQHN) in the "Relay host for messages
leaving the local internet domain" field (in the Configuration document's Routing/SMTP, and Basics tabs), and
configuring DNS so that there are two IP addresses mapped to this FQHN.
Domino SMTP outbound failover utilizes MX records in DNS. In the environment described above, set the "SMTP
MTA relay host" field in an SMTP Connection document's Basics tab to the FQHN of the relay server (such as
SMTP.ACME.COM). Then create multiple MX records for this host in DNS, and manipulate their preferences in
DNS to configure failover functionality.

4
SMTP server problem: - mails were getting stuck in the server. Around 10000 mails at gateway server.
Just SMTP quit, and load it again.

Routing cost: - Notes routing assigns a routing cost to each connection and uses these costs to select the most
efficient way to route mail from one server to another. The Router computes and stores information about these
costs in its routing tables. If there is more than one possible route for mail to travel between the source server and
the destination server for the message, the Router uses routing cost information in the tables to calculate the
least-cost route for the message. The Router uses information in Server, Domain, and Connection documents to
create the routing tables. A LAN connection has low cost; a dialup modem connection has high cost. By default,
each LAN Connection has a cost of 1, while each dialup modem connection has a cost of 5.
Note – Do not edit/change routing cost if servers are in same NNN
How the Router chooses a route:
It calculates and selects the least-cost route. If the least-cost route fails -- for example, if there is no answer or if
the network times out – the Router increases the cost of the initial route by 1. For example, if a LAN connection
between Server A and Server B initially has a cost of 1 but the connection fails during an attempted transfer, the
Router increases the cost of that LAN connection between Server A and Server B to 2. The next time the Router
tries to transfer mail between servers; it again looks for the least-cost route between those servers. If there is an
alternate route that is equal in cost and requires fewer hops, the Router selects that alternate route. For example,
if there are two paths between Server A and Server B, Each with a total cost of 4, the Router examines the
number of hops in each path. If one route requires three hops but the other requires only two hops, the Router
uses the path that requires two hops because the costs are equal.

There are two servers (A & B) in a cluster. If one server goes down, then all the users will be routed to other
server B. When the first server comes up then how you will pass these users on first server.
Set stat config restricted = 0 for disable
Set stat config restricted = 1 for enable
Set stat config restricted = 2 for permanently enable.

How many ways you can change the notes.ini?

1. By configuration documents (configuration settings>>Notes.ini settings.) 2. Set config command (set
configuration parameters)

How can we schedule the compact task on server?

By program documents

How you will see the program documents on console?

Show schedule- it will show the replication and mail routing configuration document + replication topology.

How to make a group not to be shown to a particular user or user could not type the name of the group at the TO
field in the new memo?
Remove the user name from the reader field of the group. Change document properties and remove the person
name from the reader field.
5
Whenever a particular user attempts to authenticate with the server, they receive the following warning:
"Warning: The public key for <user name> found in the directory names.nsf on server <server name> does not
match the one used during authentication."
Cause the public key in the user's ID file does not match up with the public key in the user's Person Document in
the Domino Directory. You can copy the public key from the ID file and paste it into the "Notes Certified Public
Key" field on the 'Certificates\Notes Certificates' tab of the Person document.
To copy a Certified Public Key from a Notes ID file using the Notes client, perform the following steps from the
Admin client:
1. From the Domino Administrator, click the Configuration tab.
2. From the Tools pane, click Certification - ID properties.
3. Select and open the ID file to be examined, enter the password (Person ID, Server ID or Certificate ID).
4. From the ID Properties window, select Your Identity, then select Your Certificates.
5. Select the Other Actions button and select Mail / Copy Certificates (Public Key)
6. Click the Copy Certificate button. (Remote user selects Mail Certificate. It copies the entire public key to the
clipboard.)
7. Paste the public key into the associated Person document in the People view of the admin client.
Have the end user select the following options to mail the administrator a copy of their public key:
File -> Security -> User Security -> Your identity -> Your Certificates -> Other Actions -> Mail, copy certificate
(public key). -> Mail Certificate -> fill out "To" -> Send

Calendar and Scheduling

The calendar and scheduling features allow users to check the free time of other users, schedule meetings with
them, and reserve resources. (Calconn task), and the Free Time system (a combination of Sched, Calconn, and
nnotes tasks).When you install Domino on a server (any server except a directory server), the Sched and Calconn
tasks are automatically added to the server’s NOTES.INI file. When you start the server for the first time, the
Schedule Manager creates a Free Time database (BUSYTIME.NSF for non-clustered mail servers and
CLUBUSY.NSF for clustered mail servers). task used are calconn (this used to connect to other server to retrieve
free time info) and sched (this is used for connecting and retrieving free time info from local server, - both tasks
required and compulsory for proper functioning, busytime.nsf database created automatically when first time you
load scheduler task, in case of cluster busytime.nsf converts to clubusy.nsf. Each server contains a database that
includes scheduling information for all users who use that server as their mail server. This database is named
BUSYTIME.NSF and is known as the Free Time database. Every server in the cluster contains a replica of this
database. When you add a server to the cluster, the Schedule Manager deletes the BUSYTIME.NSF database on
that server and creates the CLUBUSY.NSF database, which then replicates with the other servers in the cluster.
Double room booking problem:-
Shutdown server, delete busytime.nsf,
Tell Calcon q, sche…
Then make a new copy

Mails are coming from server in the server name only, why these mails come on server mail.box, (senders and
recipient’s name only of server name)?
This is because of event generator, and mail sent by server ids.

What is administration server, can you make one more admin server? If main admin server goes down then how
would you make other server as admin server? Where can we do these settings?
Setting multiple administration servers, called extended administration servers, for the Domino Directory to
provide for less centralized, more regional, directory management.
Complete these instructions to set up an extended administration server.
1. From the Domino Administrator, click the Files tab and then open the Domino Directory (NAMES.NSF).
2. Choose Files - Database - Access Control.
3. Click Advanced and select Enable Extended Access.
4. Click Basics and click Extended Access.
5. In the Names list, select the namespace (an organization or one or more organizational units) for which you are

6
assigning an administration server.
6. Select the server that you are designating as an administration server.
7. Choose one of these "Access applies to" settings:
This entry only -- to assign the selected administration server to the selected namespace only. Namespaces that
are subordinate to the selected namespace are not affected by this selection.
This entry and all descendants -- to assign the selected administration server to the selected namespace and to
all subordinate namespaces.
8. In the Access field, in the Allow column, click Administer.
9. Click OK.
10. Click Yes.

What will happen if you change replication settings from 90 days to 30days, deletions stubs will delete after
10days 30/3=10days
Remove documents not modified in the last x days: The number of days specified here, known as the purge
interval, controls when Domino purges deletion stubs from a database. Deletion stubs are markers that remain
from deleted documents so that Domino knows to delete documents in other replicas of the database. Because
deletion stubs take up disk space, Domino regularly removes deletion stubs that are at least as old as the value
specified. It checks for deletion stubs that require removal at 1/3 of the purge interval. For example, assuming the
default value, 90 days, when a user opens a database, Domino checks if it has been at least 30 days since it
removed deletion stubs, and if so it removes any deletion stubs that are at least 90 days old. The Updall task,
which runs by default at 2:00 AM, also removes deletion stubs. You can shorten the purge interval, if you want,
but be sure to replicate more frequently than the purge interval; otherwise, deleted documents can be replicated
back to the replica. Optionally, you can select the check box to remove documents in the replica that haven’t
changed within the purge interval. If you select the check box, when Domino removes deletion stubs it also
removes documents that haven’t changed within the specified number of days. These documents are purged,
meaning no deletion stubs remain for the documents, so the documents aren’t deleted in other replicas. The ″Only
Replicate Incoming Documents Saved or Modified After: date″ setting prevents the purged documents from
reappearing through replication.

Clustering requirements
All servers in a cluster must run one of the following: the Lotus Domino 6 Enterprise server, the Lotus Domino 6
Utility server, the Domino Release 5 or Domino Release 4.62 Enterprise server, or the Domino Release 4.6 or
Domino Release 4.5 Advanced Services server.
All servers in a cluster must be connected using a high-speed local area network (LAN) or a high-speed wide area
network (WAN). You can also set up a private LAN for cluster traffic.
All servers in a cluster must use TCP/IP and be on the same Notes named network
All servers in a cluster must be in the same Domino domain and share a common Domino Directory.
You must specify an administration server for the Domino Directory in the domain that contains the cluster. If you
do not specify an administration server, the Administration Process cannot change cluster membership. The
administration server does not have to be a member of a cluster.
Each server in the cluster must have a hierarchical server ID. If any servers have flat IDs, you must convert them
to hierarchical IDs to use them in a cluster. A server can be a member of only one cluster at a time. Each server
must have adequate disk space to function as a cluster member. Because clusters usually require more database
replicas, servers in clusters require more disk space than unclustered servers. Each server must have adequate
processing power and memory capacity. In general, clustered servers require more computer power than
unclustered servers.
clusta4.ntf--A Cluster Analysis database contains documents that record the results of Cluster Analysis tests. By
default, Domino writes the analysis results to the Cluster Analysis database on the Server
Number of cluster members -- Checks the number of servers in the cluster
Consistent domain membership -- Checks that all servers are members of the same domain
Consistent protocols -- Checks those servers are running consistent protocols
Required server tasks -- Checks that the required cluster tasks are running
Database Replicas exist within cluster -- Checks databases for replicas in the cluster
Consistent ACLs -- Checks that access control lists are consistent among replicas

7
Disabled Replication -- Checks databases for disabled cluster replication
Consistent replication formulas -- Checks for inconsistent replication formulas among replicas

Cluster local workstation file—cluster.ncf

When a user tries to send a message after the user’s mail server has become unavailable if a user is composing
a message when the mail server becomes unavailable, the user can still send the message. The delivery fails
over to another cluster server, where Notes deposits the message in the outgoing mailbox. Saving the message
doesn’t fail over; however, this message is not saved in the Sent folder.
Planning a cluster also includes the following:

termining the number and placement of replicas in a cluster

hether to use fault recovery in a cluster

After the cluster is up and running, you can further balance the workload by setting a maximum number of users
for each server and setting the availability threshold.
For a mail file in cluster, put one line for mail cluster failover Notes.ini settings line: - Mailclusterfailover=1

Components of cluster:-
1. Cluster manager.
2. Cluster database directory: - contains database name, server path, and replica id.
3. Cluster database directory manager: - it replicates information of add or delete of database.
4. Cluster administrator: - when you add a server in a cluster, administrator starts the cluster tasks. (cldbdir,clrepl)
5. Cluster replicator (clrepl)

A Domino cluster is a group of two or more servers that provides users with constant access to data, balances the
workload between servers, improves server performance, and maintains performance when you increase the size
of your enterprise. The servers in a cluster contain replicas of databases that you want to be readily available to
users at all times. If a user tries to access a database on a cluster server that is not available, Domino opens a
replica of that database on a different cluster server, if a replica is available. Domino continuously synchronizes
databases so that whichever replica a user opens, the information is always the same. IBM Lotus Notes clients
can access all Domino cluster servers. HTTP clients (Internet browsers) can access only Domino Web servers in
a Domino cluster.

Problems that may occur can be related to authentication, database replication, or failover in the event of a server
outage. When troubleshooting clustering problem, follow these steps.
1. Make sure that the Cluster Replicator task is running on all of the servers in the cluster.
2. Ensure that the database exists on all servers in the cluster and that the replica ID's are same.
3. Check the log files to see if errors are occurring related to the replication task. Check to see if there is an
excessive amount of replication requests queued that may hit at a server performance issue.
4. Examine the cluster Database Directory and make sure that the databases are enabled for replication.
5. Make sure there is only one copy of the database on each cluster.
6. Verify that the ACL's in the database are set correctly to allow servers to communicate. The User Type for
servers must be set to server or server group.
7. Check the server documents on all servers in the cluster and make sure that each server is assigned a valid,
unique IP address and that all IP addresses related to the cluster Manager are defined properly.
8. Verify that all servers in the cluster are running.

NSD: - notes system diagnostics NSD file normally generated when server gets crashed. In R5 it was RIP file. It
is simple text file that has a lot of information about the server crash.
Three things you have to keep in mind:

8
When was the server crash?
What made it to crash?
What was running at the time of server crash?
1) Is the domino reporting any error messages to the console or log file?
2) What is exact syntax of error message.
3) Where is the error message being generated in domino or client.
4) When did this problem first appear.
5) Have you implemented any changes before the problem started appearing?
NOTES.INI settings --- to troubleshoot performance and crash issues.
Debug_threadid =1 log each process and thread id for each server operation.
Debug_show_timeout =1 turns on semaphore timeout messages to the console, and creates a semaphore text
file called semdebug.txt.
Debug_capture_timeout =10 time stamps each semaphore timeout message.
Console_log_enabled=1 enables domino console logging.
Fault recovery for server crashes: - when the server crashes, it shuts itself down and then restarts automatically,
without any administrator interventions. Sends “Mail fault notifications” mails to admin.
FATAL_THREAD_FAILURE:-
Failure: - shows the downtime info of server.
Fatal – what made a server crash?
Thread: - info about the tasks running at the server crash or by which task server got crashed
Open NSD, search Panic key word
For example if server crashed due to server. exe
You will find like FATAL THREAD 11/51 [ nSERVER:0cd0: 2148]
Where 0cd0 is process id and 2148 is physical ID
After that search for TLS Mapping keyword.
open databases
system information
or environmental information
stack info helps to see the problem at that time
mem check helps to diagnose memory info
open NSD file in notepad and search for "fatal" string ("panic" on UNIX platform in vi editor)
In this case we found [nServer:0cd0:2148]. We know for sure that server crashed on nserver which is server
thread itself, try to identify something more i.e., the database which has caused the crash.
We now have to find out corresponding virtual thread.
Now you have to search for "TLS Mapping" in nsd file. In notepad press F3 key 3 times to go to following text in
NSD (This is called process table)
Look for the line that has process id and Physical thread like below :-
[ nSERVER:0cd0: 2148] [ nSERVER:0cd0: 128] [ nSERVER:0cd0: 17]
In this case the virtual thread id is 128
Now go back to the top of the NSD and then search for the string "open databases" in nsd file.
(This is called open database table)
Look for the process id that we found earlier and the Virtual Thread id i.e., 0cd0 and 128 like below:-
G:\Lotus\Domino\Data\mail1.box
By: [ nSERVER:0cd0: 128] DBH= 740, User=CN=GKR011N/OU=KR/O=Gillette
From the above text we have identified that server crashed on mail1.box

If server is not getting up then there are four databases we can check:-
admin4
log.nsf
names.nsf
mail.box
Because every time the server starts it checks these files if any of these is corrupt then the server will not start. If
the server is still not started then delete the entire tasks from notes.ini and start the server. And load the tasks
manually one by one.

9
If an agent is not running for a database then how can you find it? How and when it was stopped?
Tell amgr sceh
The agent manager log activity. -- Log agent manager

How can you hide the documents, if design replace is happening?

4th security tab in properties of document- Who CAN READ THIS DOCUMENT- all Readers and above option.
Remove others, so that others will not be able to read the mails.

How to find roaming and non roaming profiles in the address book---
field Roaming User="0" for normal without roaming profiles
field Roaming User="1" fully enabled roaming for the users
field Roaming User="2" in progress roaming for the users.

How to create directory catalog & directory assistance:-

Create a new database just go to file>> database>>> new
Create a database choosing dircat5.ntf template.
Then go to create configuration after opening that file.
Include the directory names. E.g. Names1.nsf, names2.nsf etc.
Then choose the fields also for making it more compact.
Directory Assistance: with DA50.ntf
The Directory Assistance database is used to configure the Directory Assistance feature. If your organization
includes multiple domains, you can set up directory assistance to enable users to browse and select names from
Public Directories outside of their domain, for example when they address mail, define database access control
lists (ACL), or complete a NAMES field in documents. When users send mail to recipients in another domain,
directory assistance also allows Notes to resolve the names before sending the memo.
Create the Directory Assistance database from the DA50.NTF template. In the Directory Assistance database you
define naming rules that associate naming hierarchies with each domain--this allows Notes to search only Public
Directories of domains associated with those naming hierarchies when resolving the name of a recipient from
another domain. You also use the Directory Assistance database to point to one or more strategically-located
replicas of each domain's Public Directory. You then create a replica of the Directory Assistance database on all
servers in each domain.

What is LDAP?
Lightweight Directory Access Protocol. it is referred as X.500, It is a organizes directory entries in a hierarchical
name space capable of supporting large amounts of information and specifies that communication between the
directory client and the directory server uses the directory access protocol(DAP). However as an application layer,
the DAP requires the entire OSI protocol stack to operate. For supporting OSI protocol stack requires more
resources. There LDAP desired. LDAP requires the lighter weight and more popular TCP/IP protocol stack than
OSI protocol stack. So LDAP is communication protocol, which defines the transport and format of messages
used by a client to access data. LDAP doesn’t define the directory service itself. LDAP uses TCP/IP to allow
clients to access directory information. it can be used by the browser clients to retrieve addresses. it will return the
names in SMTP form rather than notes form. LDAP directories can be implemented in many different ways. IBM
implements cross platform LDAP directories using db2 and lotus domino.

Notes.ini file you can modify by these ways:-

Direct changes into the notes.ini file.
Through configuration documents on notes.ini settings tab
Assigning Notes.INI settings through user policies

Notes.ini settings/ Parameters:-

SERVER_MAXUSERS – for how many users can use a database, and how many users can access the server

10
SERVER_RESTRICTED -

How mail work in lotus notes:- setting up and configuring mail routing :-
By default NRPC (notes remote procedure call) to transfer mail between servers. A user creates a mail in the mail
database. When the user sends a workstation task called MAILER transfers the messages to MAIL.BOX
database on user’s server. The router task polls MAIL.BOX and asks two questions about the messages waiting
to be routed.
1. Where this message should be delivered- to which recipients on which servers?
2. How this message should be delivered- which route and connections should be used?
The location of the recipient’s mail database determines how the message is dispatched by the router. A
recipient’s mail database can be stored in any of the following locations.
ON the same server as the sender’s mail database.
On a different server in the same DNN.
On the ports
ON a server in a different DNN within the local domino domain.
On a server in an external Domino Domain.
When user sends a mail NRPC (Notes protocols) to deposit the message into the MAIL.BOX database on the
user's Domino mail server. The Router finds the message in MAIL.BOX and determines where to send the
message for each recipient. The Router checks its routing table to calculate the next "hop" for the message on the
path to its recipients and determines the appropriate protocol -- either SMTP or Notes routing -- to transfer the
message. Using SMTP routing, the Router connects to the destination server -- the recipient's mail server, a relay
host, a smart host, or one of the servers in the recipient's Internet domain --and transfers the message. Using
Notes routing, the Router moves the message to the MAIL.BOX database on the server that is the next hop in the
path to the recipient's mail server. The Router on that server transfers the message to the next hop, until the
message is deposited in the MAIL.BOX database on the recipient's home server. The Router on the recipient's
server finds the Message (in MAIL.BOX on a Domino server) and delivers it to the recipient's mail file.

Enforcing a consistent ACL:-

You can ensure that an ACL remains identical on all database replicas on servers by selecting the enforce a
consistent access control list setting on the advance tab of ACL.

Mail routing troubleshooting:

Request delivery failure report from the user
Mail trace
Check domino directory and ensure routing is enabled
Verify connection documents are configured properly
Make sure Mail.box is not corrupted
Check the disk space of the server
Examine the log to see if the error is occurring
Run tell router show to determine the mail is backed up on the server and last error message logged.
Incorrect recipient name

Mail Routing issues:

11
Step1: Get a copy of delivery failure report from the sender
Step 2: Send a mail trace to that address
Step 3: Mail routing topology maps
Mail routing topology maps are useful to track mail routing problems between servers.
From the Domino Administrator, click the Messaging - Mail tab. Choose one:
Mail routing topology by connections
Mail routing topology by named networks
Undelivered mail
From the Domino Administrator, click the Messaging - Mail tab, then select Mail routing status. You can also
check for undelivered mail in the mail routing events view in the log file (LOG.NSF).

What are the conditions for DNN?

Constant link
Same protocol
Same domino directory

What are the parameters you can set in notes.ini?

A) Server tasks
B) Time
C) Data folder information

What is ODS? Which console command you use to upgrade the ODS version?
On Disk Structure, Compact –r command

How will you convert the entire mail file in to an ntf file?
Load convert –R mail\*.nsf templatename.ntf

How to check the connectivity between 2 servers in different domain?

Trace command and it works in the same domain and different domain provided you are able to resolve the Ip of
the server and other server allows port 1352 access. Or else ping or telnet to port 25

What is home server?

The server which is specified as your mail server in your Person Document

What is the role of firewall in lotus?

Restricting access to ports such as SMTP, HTTP, NRPC etc., also used to reverse proxy the server

What is NAT?
It means Network Address Translation.

What is the registration server?

A server which registers new users, server, OU and Organization and initially stores these document in the
Domino directory until the next replication occurs.

What is the administration server?

An Administration server controls how the Administration process does its work. It stores the requested work in
the administration request database and then processes them accordingly to their status. By default first server in
the domino domain is the Admin server for the Domino directory which maintains its ACL, performs deletion,
name change and replicate to the other server in the DNN.

How will you access the admin client, if you forgot the administrator password?
By using server id

Access Control List (ACL):-

12
Manager Access:-delete database, encrypt, modify, and performance task by lower access levels
Designer: - create full text index search. Modify [fields, forms, views, public agents].
Editor:-create, edit, read documents (editor can change other person documents also) (own documents and other
person’s documents).
Author:-create edit, read (own document).
Reader:-read documents, but cannot create or edit document.
Depositor:-create documents
No access: - none.

User type in the ACL:-

1. Unspecified.
2. Person
3. Server
4. Mixed group.
5. Person group
6. Server group.

MTC – Mail tracker collector task read special mail tracker log files produced by router.
MTSTORE.NSF—Mail tracker store database.
Reports.NSF—Reports database to generate and store mail usage reports.
Program documents—to run tasks at scheduled intervals.

Server types:-
1. Domino utility server –provide application services only.
2. Domino messaging server—that provides messaging services.
3. Domino enterprise server – Provides both messaging and application services.

Lotus recommends that passwords of the certifier ids be at least of nine characters.

Connection document; - contains the settings to schedule replication between servers & mail routing.

– used for encryption

-- for decryption

To run an agent (out of office) minimum rights for user is Editor in R6, with author access on admin4.NSF.
(Because user default rights on admin4.NSF is author access). agent is designer,
as well as ACL rights to create lotus script/java agents on server.
access: - for ACL changes
Access: - For design changes.
Access: - For document changes.

: - CTRL+SHIFT+F9 To rebuild or update all the views if UPDALL task fails.

XACL - can restrict or refine a user's access to the database, but it can’t be used to increase the ACL level

Pass thru server: -An intermediate server that helps a client /workstation to connect with group of servers.

Domino uses id file to identify users and to control access to servers. Id file contains:-
1. Owner’s name
2. A permanent license number
3. At least one note certificate from a certifier id. (an electronic stamp added to a user id or server id ).
4. Private Key.

13
5. Internet certificates (optional for client only).
6. One or more encrypted key created and distributed by users to allow other users to encrypt and decrypt fields
in a document.
7, a password if the owner of the id creates one
8. Issued and expiry details.
9. Id file can store up to eight passwords through id properties.

Types of administrator:-
1. Full access administrator.
2. Administrator.
3. Database administrator.
4. Full remote control administrator.
5. View only administrator.
6. System administrator.
7. Restricted system administrator.

Roaming user: - for roaming user three files are required

1. Names.NSF
2. Bookmark.NSF
3. Journal.NSF

By default server task

1. Database server—n service.
2. Admin process –nadminp
3. Schedule manager ---nsched
4. Agent manager---namgr
5. Router [mail router] ----nrouter.
6. Calendar connector---ncalcon.
7. Replicators’---database replicator—nreplica.
8. Directory indexer—ntfrs.exe.
9. Indexer –update process—n update
10. Event monitor – nevent

Difference between view and folder:-

View: - views display specific documents with similar criteria in database.
E.g. mail database has sent view it displays documents that you sent.
Folders:-folder displays documents. Folders let you organize and display documents as you want

Types of event generators: - 6 types (DDMSTT)

1. Database:-to monitor ACL changes, replication unused space, user inactivity.
2. Domino server
3. Mail
4. Statistics; - monitor free space
5. Task status: - for all tasks – adminp, agent manager
6. TCP server.

Replication conflicts and save conflicts: -

A replication conflict occurs when two or more users edit the same document and save the changes in the
different replicas between replications.
A save conflict occur when two or more users open and edit the same document at the same time on the same
server, even they are editing the different fields.

What are different types of administrators?

Full access administrator -- gets all rights and privileges of all administration access levels listed.

14
Administrator-gets all rights and privileges of database administrator and full-console administrator (but not
system administrator).
Full console administrator—gets rights and privileges of view-only console administrator (but not system
administrator)
System administrator -- gets rights and privileges of restricted system administrator

If user forgot his password how will recover the password?

If you have recovery information set up for your user ID on your server the recovery password is randomly
generated and unique to each recoverable ID file and administrator, when you first log in to Notes and the
Password dialog box appears, do not enter your password. Just click OK. Click "Recover Password" in the
"Wrong password" dialog box. Select the user ID file to recover in the "Choose ID File to Recover" dialog box.
Enter the password(s) given to you by your administrator(s) in the "Enter Passwords" dialog box, and repeat until
you have entered all of the passwords, and you are prompted to enter a new password for your user ID. Enter a
new password for your ID, and confirm the password when prompted.

What are the basic router commands?

Tell Router Delivery Stats-- it will Shows you Router delivery statistics.
Tell Router COMPACT--COMPACTs MAIL.BOX and cleans up open Router queues. You can use this command
to COMPACT MAIL.BOX at any time. If more than one MAIL.BOX is configured for the server, each MAIL.BOX
database will be compacted in sequence. By default, MAIL.BOX is automatically compacted at 4 AM.
Tell Router Show Queues--Shows mail held in transfer queue in the server and mail held in the delivery queue
Tell Router Exit or Tell Router Quit--Stops the Router task on a server.
Tell Router Update Config--Updates the server's routing tables to immediately modify how messages are routed.
This removes the 5 minute delay before a Router configuration change takes effect

What is a parameter of notes.ini?

There are a number of parameters in Lotus Domino's notes.ini configuration file that affect.
For example, these are the server task entries in notes.ini:
Server Tasks=Update, Replica, Router, AMgr, AdminP, CalConn, Sched
ServerTasksAt1=Catalog, Design
ServerTasksAt2=UPDALL
ServerTasksAt3=Object Info -Full
ServerTasksAt5=Statlog

What is ECL and can we implement the ECL from server side.
An ECL is used to set up workstation data security. It lets you control which formulas and scripts created by
another user can run on your workstation. Workstation ECL is updated/Implemented from Server Admin's ECL by
creating a Security policy document.

Types of policies : 1.Organizational 2. Explicit

One group which is already exists, if we want to deploy the explicit policy on them what is the step.
Select group-Tools pane-assign policy. (An Explicit policy always overrides the Organizational policy.)

How we take the lotus server backup?

Backup files: All ID files (Servers/Users), All Database (Data folder->NSF+NTF)

What is the administration process?

The Admin process is a program which automates many routine administrative tasks such as Name management
task (Rename/delete user and group), Mail file management task (Delete/Move mail file, ACL changes, enabling
agents), and Replica management task (Create/Move/Delete replicas).
How do administration process works in background?
Adminp works in background with the help of different components like AdminP server Task (Starts by default on
all server starts), Administrator client (Domino/Web) (Different Tools), Domino Directory (It provides set of

15
instructions with AdminP For instance, when a user is renamed, the certificate information is changed. This is
stored in a Person document in the Domino Directory. When the renaming process is in progress, this is indicated
in the Person document under the Change Request field), Certification Logs Database (Certlog.NSF database
created when server installed it works assigning new certificates), Admin4.NSF and administrator.
I have a staff member who keeps getting an error every time she opens mail "error message: The public key that
is being used does not match the one that was certified."
The error message comes when the public key of the user id file is different than the one in PAB. Hence go to file-
tools –user id-more options and copy your public key to the PAB.

What if a mail.box gets corrupted? How will you solve it without shutting down the domino server?
When a mail.box gets corrupted, usually we can stop the router and then work with fixup and COMPACT
commands, still if the problem persists, we need to stop the server and take the backup of the mail.box and delete
it from the original destination and then start the server. A new mail.box will be created.

Encryption works for the mail security.

Encrypted mails not going – may be because of the antivirus or firewall.

A replica stub is an empty replica that has not yet been populated with documents. When you select File ->
Replication -> New Replica, or if you use the Admin client to create a replica, a replica stub is created

Domino & windows clustering. Active and passive clustering.

Can you have an Apache server handle Domino URLs on a different box?
This one-liner in your Apache httpd.conf file allows you to run both the Apache Web server and Domino on the
same system - and have all your requests (be it for html or nsfs) received on port 80.
The Apache server should run on port 80, and the Domino server on some other port (10080 in this code
example)
#Redirect all nsfs to Domino HTTP Server on port 10080
RedirectMatch /(.*).(nsf)(.*) http://localhost:10080/$1.$2$3

The Notes ID is required to install the full client and to access the servers. It is one of the security features of
Lotus Notes. Use a Java program to add and delete certificates from a Notes ID file, as well as cross certify a
SAFE.ID with a given certifier. Lotus uses a proprietary PKIX architecture for the Notes.ID files

From the Domino Administrator, click the Configuration tab.

2. From the Tools pane, click Registration - Server.
3. From the Domino Administrator, do one of the following:
To use the CA process, click Server, and then select a server that has the Domino Directory that contains the
Certificate Authority records and the copy of the Administration Requests database (ADMIN4.NSF) that will be
updated with the request for the new certificate. Then click "Use the CA Process," select a CA-configured certifier
from the list, and click OK.
To provide the certifier ID, select the registration server. Then click "Certifier ID" and locate the certifier ID file.
Click OK, enter the password for the certifier ID, and click OK.
To recover from loss of or damage to, an ID file, recommend to your users that they keep backup copies of their
ID files in a secure place -- for example, on a disk stored in a locked area. Losing or damaging an ID file or
forgetting a password has serious consequences. Without an ID, users cannot access servers or read messages
and other data that they encrypted with the lost ID. To prevent problems that occur when users lose or damage ID
files or forgets passwords, set up Domino to recover ID files.
You can only use the ID recovery process to recover user ID files. You cannot recover certifier ID files. Ideally,
you should designate several administrators who will act as a group to recover IDs and passwords. Although you
can designate a single administrator to manage ID recovery, you should consider having two or more
administrators work together to recover ID files. Designating a group of administrators helps to prevent a breach
of security by one administrator who has access to all ID files. When you designate a group of administrators, you

16
can specify that only a subset of them be present during the actual ID recovery. For example, if you designate five
administrators for ID recovery but require only three administrators to unlock the ID file, any three of the five can
unlock the ID file. Designating a group of administrators and requiring only a subset also prevents problems that
occur if one administrator is unavailable or leaves the company. Before you can recover ID files, an administrator
who has access to the certifier ID file must specify recovery information, and the ID files themselves must be
made recoverable. There are three ways to do this:
At registration, administrators create the ID file with a certifier ID that contains recovery information.
Administrators export recovery information from the certifier ID file and have the user accept it.
(Only for Domino 6 servers and higher) Administrators change recovery information using a Domino 7
Administrator client. Subsequently, recovery information is added automatically to users' Notes IDs when users
authenticate to their home server.

Domino stores ID recovery information in the certifier ID file. The information stored includes the names of
administrators who are allowed to recover IDs, the address of the mail or mail-in database where users send an
encrypted backup copy of their ID files, and the number of administrators required to unlock an ID file. The mail or
mail-in database contains documents that store attachments of the encrypted backup ID files. These files are
encrypted using a random key and cannot be used with Notes until they are recovered.
An encrypted backup copy of the ID file is required to recover a lost or corrupted ID file. Recovering an ID file for
which the password has been forgotten is a bit easier. If the original ID file contains recovery information,
administrators can recover the ID file, even if an encrypted backup ID file doesn't exist.
You can set up ID recovery for user IDs at any time. If you do so before you register users, ID recovery
information is automatically added to user IDs the first time that users authenticate with their home servers. If you
set up ID recovery information after you have registered Notes users, recovery information is automatically added
to the user IDs the next time users authenticate with their home servers.
For each administrator, the user's ID file contains a recovery password that is randomly generated and encrypted
with the administrator's public key. The password is unique for each administrator and user.
In Domino 7, you can select the number of characters, or password length, for recovery passwords, which helps
determine password strength, or likelihood to be compromised. A password length that is less than 16 is
calculated using both alphanumeric characters and hexadecimals. Sixteen-character length passwords are
generated using hexadecimals only. While password strength is important, as a strong password is less likely to
be compromised, so is usability. A long and complex password can be difficult to use, so administrators also have
the ability to choose a shorter password length.
In addition, administrators can now configure a custom message to help walk users through ID recovery.
To recover an ID, users and administrators do the following:
1. A user contacts each designated administrator to obtain the administrator's recovery password.
2. The administrator obtains the recovery password by decrypting the recovery password stored in the user's ID
file using the administrator's private key.
3. The administrator then gives the recovery password to the user.
4. The user repeats Steps 1 through 3 until the minimum number of administrators to unlock the ID file is reached.
5. After the file is unlocked, the user must enter a new password to secure the ID file.
The same ID file can be recovered again using the same recovery passwords. However, you should urge users to
refresh the recovery information and create a new backup by re-accepting the recovery information after they
recover their ID files.
When users acquire a new public key, accept a name change, or accept or create a document encryption key,
Domino automatically sends updated encrypted backup ID files to the centralized database. In the case of a
server-based certificate authority, the recovery database will be updated once the user has connected to the
server. Recertifying a user does not generate an encrypted copy of the ID file to be sent to the recovery database,
as a user's Person Document already contains the updated public key.
If a user has been renamed by or moved to a different certifier that contains recovery information that is older than
that of the user's previous certifier, the new certifier's recovery information will not be accepted into the user's ID
file. Before using the new certifier, its recovery information must be updated so that it is more recent than the
previous certifier's recovery information. To do this, the administrator should modify the new certifier's recovery
information in some way and save it. This updates the recovery information for that certifier with a new timestamp,

17
and ensures that users who are subsequently renamed with or moved to the updated certifier will have the correct
recovery information propagated to their user IDs. The administrator can then undo the change, if desired.
To help prevent unauthorized users from recovering IDs without the authorized user's knowledge, make sure that
password verification is enabled for users and servers. If password verification is enabled, the authorized user is
aware of the change because the user cannot access servers using the legitimate ID. When the unauthorized
user recovered the ID file, that user was forced to make a password change.
As an extra precaution, after recovering IDs, ask users to re-accept the recovery information and then change the
public key on their ID files. Re-accepting recovery information changes recovery password information in the ID
file. As of Domino 6, re-accepting recovery information happens automatically when the user accesses a
database on the home server. Changing the public key changes the public and private keys stored in the ID file.
ID recovery logging
Important information about client ID recovery activities is automatically logged to the local log.nsf file so that this
information is available to administrators for troubleshooting purposes.
The following ID recovery information will be logged locally.
Date and time when recovery information is accepted into the ID file
Instances when recovery information is rejected or fails to be accepted in the ID file.
Events that require a new backup to be mailed to the ID recovery database
Emailing the recovery ID to the recovery database (successes and failures)

Which task is used for delivering the mails to non domino directories?
Directory assistance

Notes security
User Authentication: This is a process in which Notes client and domino server use to validate each other when a
client tries to access the domino server
Server Security: This controls the access the domino server, server access is controlled by a server access list on
the domino server
Database Security: This controls the access to the database on the domino server

What is stored in a Notes ID?

The Owner's name - A user ID File may also contain one alternative name
A Permanent license number- This number indicates that the owner is legal and specifies whether the owner has
a North American or International license to run Domino or Notes.
At least one Notes certificate from the certifier ID - which is a Digital signature added to a user ID or Server ID.
This generates from the private key of the certifier ID.
A Private key- Notes uses private key to sign messages sent by the owner of the private key and to decrypt
messages sent to its owner.
Internet certificates (optional) - An Internet certificate is used to secure SSL connections and encrypt and sign
S/MIME mail messages.
One or more secret encryption keys (optional) - Encryption keys are created and distributed by users to allow
other users to encrypt and decrypt fields in a document.

Difference between North American and international certifiers

All Notes IDs contain two public/private key pairs. Prior to 5.0.4, key lengths were restricted for the purposes of
encrypting data, but not for authentication or signing. Anything over 512-bit RSA key and 56-bit symmetric key
was considered strong encryption and was not allowed for export by the U.S. Government. Customers were
required to order and choose among kits of different cryptographic strengths. With the relaxation of US
government regulations on the export of cryptography, the Domino server and the Domino Administrator, Domino
Designer, and Lotus Notes client products have consolidated all previous encryption strengths -- North American,
International, and France -- into one strong encryption level resulting in a single "Global" release of the products.
The Global release adopts the encryption characteristics previously known as North American. Strong encryption
in Global products can be used worldwide, except in countries whose import laws prohibit it, or except in those
countries to which the export of goods and services is prohibited by the U.S. government. Customers are no
longer required to order Notes software according to cryptographic strength.

18
Global Domain Doc, Foreign domain doc, Foreign SMTP Domino Doc

Domains are defined by creating Domain documents. Multiple documents types are available based on the
requirements needed to route mail. The Following types of documents are available.

Adjacent domain document- this document is used to route mail between servers that are not in the same Notes
named network.

Nonadjacent domain document- This document serves three functions:

Supplies next-hop routing information to route mail
Prohibits mail from routing to the domain
Provides Calendar server synchronization between two domains

Foreign Domain Document-This document is used for connections between external applications. A typical
application used is a fax or pager gateway.

Foreign SMTP Domain Document-This document is used to route Internet mail when the server does not have
explicit DNS access.

Global Domain document- this document is used to route mail to Internet domains. Configuration information
regarding message conversion rules are defined in the document.

Replication Types:
Four Different types of replication exist. The type you choose affects the direction of replication as well as which
of the servers performs the work of the replication.
Pull Pull: Replication is bidirectional, whereby the source server initiates replication and pulls documents from the
target server. The source server then signals the target server's Replica task to pull documents in the opposite
direction. Both servers are involved in the replication.
Pull Push (Default): Replication is bidirectional, whereby the source servers replica task performs all of the work,
pushing and pulling documents to and from the target server. The target server's Replica task is never engaged.
Pull Only: Replication is one-way, whereby the source server pulls documents from the target.
Push Only: Replication is one-way, whereby the source server pushes documents to the target.

Router types in connection doc

There are four options in the router type:
Pull: This type of router can route in one direction, pulls from source server.
Push: This type of router can route in one direction, Pushes from the source server.
Pull Push: This Type of router can trigger two-way routing; router on the originating server pushes mail to the
destination server and then triggers the destination server to route mail back again.
Push Wait: This Type of router can trigger two-way routing; the source server first pushes to the target server and
then waits to receive a connection from the target. (Used in servers with dialup connections.)

Partitioned servers advantages and explanation

In partition server Environment, all Partitions share the same domino program directory and each partition has its
own Domino data directory & notes.ini
Using Domino server partitioning, you can run multiple instances of the Domino server on a single computer. By
doing so, you reduce hardware expenses and minimize the number of computers to administer because, instead
of purchasing multiple small computers to run Domino servers that might not take advantage of the resources
available to them, you can purchase a single, more powerful computer and run multiple instances of the Domino
server on that single machine.
On a Domino partitioned server, all partitions share the same Domino program directory, and thus share one set
of Domino executable files. However, each partition has its own Domino data directory and NOTES.INI file; thus
each has its own copy of the Domino Directory and other administrative databases.

19
If one partition shuts down, the others continue to run. If a partition encounters a fatal error, Domino's fault
recovery feature restarts only that partition, not the entire computer.
Partitioned servers can provide the scalability you need while also providing security. As your system grows, you
can migrate users from a partition to a separate server. A partitioned server can also be a member of a cluster if
you require high availability of databases. Security for a partitioned server is the same as for a single server.
When you set up a partitioned server, you must run the same version of Domino on each partition. However, if the
server runs on UNIX®, there is an alternative means to run multiple instances of Domino on the server: on UNIX,
you can run different versions of Domino on a single computer, each version with its own program directory. You
can even run multiple instances of each version by installing it as a Domino partitioned server.

Web server: Realm doc, Web site doc, Web agents, SSO, Gzip etc
Web Server: A Domino server is considered to be a web server when it is running the HTTP task. the HTTP task
can be started automatically by adding it to the Server Tasks= line in the server's Notes.ini file, or by issuing the
Load HTTP Command at the server console.

Sign, encryption, public key, private key concepts

For all types of encryption except network port encryption, Domino uses public and private keys so that data
encrypted by one of the keys can be decrypted only by the other. The public and private keys are mathematically
related and uniquely identify the user. Both are stored in the ID file. Within the ID file, the public key is stored in a
certificate, but the private key is stored separately from the certificate. The certificate containing the public key is
also stored in the Domino Directory, and available to other users.
Domino uses two types of public and private keys -- Notes and Internet. You use the Notes public key to encrypt
fields, documents, databases, and messages sent to other Notes users, while the Notes private key is used for
decryption. Similarly, you use the Internet public key for S/MIME encryption and the Internet private key for
S/MIME decryption. For both Notes and Internet key pairs, electronic signatures are created with private keys and
verified with public keys. When you register a user, Domino automatically creates a Notes certificate, which
contains the user's public keys, and adds it to the ID file and the Domino Directory. The private key is created and
stored in the ID file. You can also create Internet public and private keys after user registration. Domino stores
Internet certificates, which contain public keys, in the ID file and also in the Domino Directory. The Internet private
key is stored in the ID file, separately from the certificate. To create Notes public and private keys, Domino uses
the dual-key RSA Cryptosystem and the RC2 and RC4 algorithms for encryption. To create the Internet public
key, Domino uses the x.509 certificate format, which is an industry-standard format that many applications,
including Domino, understand. Both the Notes client and Domino server support 1024-bit RSA key and 128-bit
symmetric key for S/MIME and SSL. The Notes proprietary protocols use a 630-bit key for key exchange, and a
64-bit symmetric key.

ACL levels and privileges

Every database includes an access control list (ACL), which Notes uses to determine the level of access users
and servers have to a database. Levels assigned to users determine the tasks that users can perform on a
database. Levels assigned to servers determine what information within the database the servers can replicate.
Only someone with Manager Access can modify the ACL. The Designer and Manager of the database can
coordinate to create one or more roles to refine access to particular views, forms, sections, or fields of a
database. ACLs apply only to databases stored on servers, not databases stored locally. If you make a change to
a local database and replicate the database up to the server, replication honors the level of access you have in
the ACL on the server. For example, if you have Reader access to a database on a server and you add new
documents to your local replica of the database, your new documents will not get added to the database when
you replicate the local replica up to the server again. Reader access does not allow you to create new documents.
However, it is possible for database designers to enforce a consistent ACL across all replicas of a database, so
even local databases would honor the ACL.
Access levels for a database

Access level Allows users to Assign to

Manager Delete the database Two people who are responsible for the
Encrypt the database database. If one person is absent, the
20
 Modify replication settings other can manage the database.
Modify the database ACL
Perform all tasks allowed by lower access levels
Designer Create a full-text search index A database designer and/or the person
Modify all database design elements (fields, responsible for future design updates.
forms, views, public agents, the database icon,
Using This Database document, and About This
Database document)
Perform all tasks allowed by lower access levels
Editor Create documents Any user allowed to create and edit
Edit all documents, including those created by documents in a database.
others
Read all documents unless there is a Readers
field in the form (you can't edit a document if
you can't read it)
Author Create documents Users who need to contribute documents
Note Author access, Edit the documents where there is an Authors to a database.
by default, does not field in the document and the user is specified in When possible, use Author access rather
include the access the Authors field than Editor access to reduce Replication
level option "Create Read all documents unless there is a Readers or Save Conflicts.
documents." When field in the form
you assign Author
access to a user or
server, you must also
specify the "Create
documents" access
level privilege.
Reader Read documents Users who only need to read documents
Note Reader access in a database, but not create or edit
lets you read all documents.
documents unless
there is a Readers
field in the form. Then
you can read a
document only if your
name is listed in the
Readers field on the
form.
Depositor Create documents Users who only need to contribute
documents, but who do not need to read
or edit their own or other users'
documents. For example, use Depositor
access for a ballot box application.
No Access None, with the exception of options to "Read Terminated users, who do not need
public documents" and "Write public access to the database, or users who
documents" have access on a special basis. Also,
users who do not need access but are
part of a group that does have access.
Should be assigned as the default
access to prevent most users from
accessing a confidential database.

21
Additional privileges in the access control list
Optional privilege
Create documents
Delete documents
Create private agents
Create personal folders/views
Create shared folders/views
Create Lotus Script/Java agents
Read public documents
Write public documents
22
When to select/deselect it
Select this option for all users with Author access.
Deselect this option to prevent Authors from adding any more documents.
They can continue to read and edit documents they've already created.
Deselect this option if you don't want a user to delete documents, no matter
what the access level. Authors can delete only documents they create. If the
document contains an Authors field, Authors can delete documents only if
their name, a group, or a role that contains their name appears in the Authors
field.
A user can run agents that perform tasks allowed by the user's assigned
access level in the ACL only. Private agents on server databases take up disk
space and processing time on the server, so you may want to deselect this
option to prevent users from creating private agents.
Note Whether or not a user can run agents depends on the access set by the
Domino administrator in the Agents Restrictions section of the Server
document in the Domino Directory. If you select "Create LotusScript/Java
agents" for a name in the ACL, the Server document controls whether or not
the user can run the agent on the server.
Personal folders and views created on a server are more secure than those
created locally, and they are available on multiple servers. Administrative
agents can operate only on folders and views stored on a server.
Deselect this option to prevent users from creating folders and views on a
server, which saves disk space on the server. They can still create folders and
views locally.
Deselect this option to maintain tighter control over database design.
Otherwise, a user assigned this privilege can create folders and views that are
visible to others.
Lotus Script and Java agents on server databases can take up significant
server processing time, so you may want to restrict which users can run them.
Note Whether or not a user can run agents depends on the access set by the
Domino administrator in the Agents Restrictions section of the Server
document in the Domino Directory. If you select "Create Lotus Script/Java
agents" for a name in the ACL, the Server document controls whether or not
the user can run the agent on the server.
Select this option to allow users to read documents or see views and folders
designated as "Available to Public Access users," an option in the Security tab
of the Forms, Views, and Folders Properties dialog boxes. This option lets you
give users with No Access or Depositor access the ability to view specific
documents, forms, views, and folders without giving them Reader access. In
addition, documents that you want available to public access users must
contain a field called $PublicAccess. The $PublicAccess field should be a text
field, and its value should be equal to one.
For information about how this privilege applies to mail templates and for
information on creating forms, views, and agents, see Lotus Domino Designer
6 Help.
Select this option to allow users to create and modify documents with forms
designated as "Available to Public Access users" in the Security tab of the
Form Properties dialog box. This option lets you give users create and edit
access to specific documents without giving them Author access, or an
 equivalent role, and gives users access to create documents from any form in
a database.
Replicate or copy documents Select this privilege to allow users to replicate or copy the database, or
documents from the database, locally or to the clipboard.

How to troubleshoot the Partitioning problems

Only one server can be running per partition. If an error occurs stating that a partition is already in use, verify that
a server process is not already running on the server. A server reboot may be required to correct this issue.
Verify that the server is running in the event that users are receiving an error that the server is unreachable.
If a port-mapping server is sharing the same network card as the destination server, make sure that the server is
running.
Verify that information in the notes.ini file related to port-mapping is set up correctly.
Verify that all the information related to the communications set up for the server is correct in the Domino
Directory.

What is Update, Updall, Fixup, Compact?

Update
The Purpose of Update is to update a database's view indexes. Update runs automatically when the server is
started and continues to run while the server is up. Update waits about 15 minutes before processing the
database so that all changes in the database are finished processing. When the views are updated, it then
searches the domain for databases set for immediate or scheduled hourly index update. When Update finds a
corrupted view or Full-text index, it rebuilds the full-text index and solves the issue.

Update (a, b, c) Where:

a -- Number of documents to be updated. If 'a' is not specified, one document is updated.
b -- New size of the summary item "Subject" (optional; default is ""). If 'b' is not specified, the length of the
summary data is a uniform random number between 1 and 100 bytes.
c -- Length of non-summary item "Body" (optional; defaults to ""). If 'c' is not specified, the length of the non-
summary data is a uniform random number between 100 and 300 bytes.

Updall
Updall is used to rebuild corrupted views and full-text index searches, as Update does, and has various options
that can be defined when launched by using a software switch. Updall is executed by default at 2:00 a.m. and,
unlike Update, can be run manually. Deletion stubs are removed, and views that haven't been used for 45 days
are deleted unless they are protected by the database designer. Setting the parameter
Default_Index_Lifetime_Days in the Notes.ini file enables an administrator to determine when Updall removed
unused views.

Load updall SALES.NSF -F

You can specify multiple options -- for example:
Load updall -F –M
Option in Task - Start tool
Index all databases
Index only this database or
folder
Command-line Description
option
Database path "Only this database" updates only the specified
database. To update a database in the Domino
data folder, enter the file name, for example,
SALES.NSF. To update databases in a folder
within the data folder, specify the database path
relative to the data folder, for example,
DOC\README.NSF.
"Index all databases" (or no database path)
updates all databases on the server.

23
Update this view only database -T view Updates a specific view in a database. Use, for
title example, with -R to solve corruption problems.

Updall - Update options

Option in Task - Start tool Command-line Description
option
Update: All built views -V Updates built views and does not update full-text
indexes.
Update: Full text indexes -F Updates full-text indexes and does not update
views.
Update: Full text indexes: -H Updates full-text indexes assigned "Immediate" as
Only those with frequency an update frequency.
set to: Immediate

Update: Full text indexes: -M Updates full-text indexes assigned "Immediate" or

Only those with frequency "Hourly" as an update frequency.
set to: Immediate or Hourly

Update: Full text indexes: -L Updates full-text indexes assigned "Immediate,"

Only those with frequency "Hourly," or "Daily" as an update frequency.
set to: Immediate or Hourly
or Daily

Updall - Rebuild options

Option in Task - Start tool Command-line Description

Rebuild: Full-text indexes
only
Rebuild: All used views
Rebuild: Full-text indexes database -C
and additionally: All unused
views
option
-X Rebuilds full-text indexes and does not rebuild
views. Use to rebuild full-text indexes that are
corrupted.
-R Rebuilds all used views. Using this option is
resource-intensive, so use it as a last resort to
solve corruption problems with a specific
database.
Rebuilds unused views and a full-text index in a
database. Requires you to specify a database.

Updall - Search Site options

Option in Task - Start tool Command-line option Description

Update database -A Incrementally updates search-site database

configurations: Incremental configurations for search site databases.

Update database -B Does a full update of search-site database

configurations: Full configurations for search site databases.
Fixup
Fixup is used to repair database that were open when a server failure occurred. Fixup runs automatically when
the server starts, but it can also be run from the Domino Console, when necessary. Databases are checked for
data errors generated when a write command to the database was issued and a failure occurred causing a
corruption in the database. When Fixup is running on a database, user access is denied until the job completes.
Fixup should be run if Updall does not fix the database errors.
24
Fixup options in Fixup tool and
Task - Start tool
Fixup all databases
Fixup only this database or
folder
Report all processed databases
to log file
Scan only since last fixup
Scan all documents
Perform quick fixup
Exclude views (faster)
Don't purge corrupted
documents
Optimize user unread lists
25
Command-line equivalent Description
Database path "Fixup only this database or folder" runs
Fixup only on a specified database or all
databases in a specified folder. To run
Fixup on a database in the Domino data
folder, enter the file name, for example
SALES.NSF. To run Fixup on a
database or databases in folders within
the data folder, enter the path relative to
the data folder. For example, to run
Fixup on all databases in the
DATA\SALES folder, specify SALES.
"Fixup all databases" or no command
line database path runs Fixup on all
databases on the server.
Note To specify databases or folders to
run on using the Fixup tool select the
database(s) or folder(s).
-L Reports to the log file every database
that Fixup opens and checks for
corruption. Without this argument, Fixup
logs only actual problems encountered.
-I When you run Fixup on a specific
database, Fixup checks only documents
modified since Fixup last ran. Without
this option, Fixup checks all documents.
-F When you run Fixup on all databases,
Fixup checks all documents in the
databases. Without this option, Fixup
checks only documents modified since it
last ran.
Note To specify this option using the
Fixup tool; deselect "Scan only since
last fixup."
-Q Checks documents more quickly but
less thoroughly. Without this option,
Fixup checks documents thoroughly.
-V Prevents Fixup from running on views.
This option reduces the time it takes
Fixup to run. Use if view corruption isn't
a problem.
-N Prevents Fixup from purging corrupted
documents so that the next time Fixup
runs or the next time a user opens the
database, Fixup must check the
database again. Use this option to
salvage data in documents if the
corruption is minor or if there are no
replicas of the database.
-U Reverts ID tables in a database to the
previous release format. Don't select

Fixup transaction-logged
databases
Fixup open databases
Don't fixup open databases
Verify only
Fixup subdirectories
Don't fixup subdirectories
this option unless Customer Support
recommends doing so.
-J Runs on databases that are enabled for
transaction logging. Without this option,
Fixup generally doesn't run on logged
databases.
If you are using a certified backup utility,
it's important that you schedule a full
backup of the database as soon after
Fixup finishes as possible.
-O If you run Fixup on open databases,
Fixup takes the databases offline to
perform the fixup.
This is the default if you run Fixup and
specify a database name. Without this
option, when you do not specify
database names, Fixup does not run on
open databases.
-Z Applies only to running Fixup on a single
database. When a database isn't taken
offline and is in use, then Fixup is not
run.
This is the default when Fixup is run on
multiple databases.
-C Verifies the integrity of the database and
reports errors. Does not modify the
database (for example, does not purge
corrupted documents).
-Y Runs Fixup on databases in subfolders
(subdirectories).
-y Does not run Fixup on databases in
subfolders (subdirectories).

Compact
Compact can be used to recover space in a database after documents are deleted. Deleting documents from a
Domino database does not actually decrease the size of the database. A deletion stub is created and the
document is removed permanently when compact is run, and the size of the DB is then reduced. Three types of
compacting are available.
In-place compacting with space recovery
In-place compacting with space recovery and reduction in file size
Copy-style compacting

In-place compacting with space recovery

Unused space is recovered, but the physical size of the DB remains the same. Unlike with Update and Updall,
access to the DB is not denied while the compact task is running. When Compact is launched without switches or
with a -b switch, in-place compacting with space recovery is the type of compacting used. The DBIID, or database
instance ID used to identify the database, remains the same. In-place compacting is used for databases that have
the system configured to run transaction logging.

In-place compacting with space recovery and reduction in file size

This style of compacting reduces the file size of databases as well as recovers unused space in databases. This
style of compacting is somewhat slower than in-place compacting with space recovery only. This style of
compacting assigns new DBIIDs to databases, so if you use it on logged databases and you use a certified

26
backup utility, perform full backups of the databases shortly after compacting is complete. This style of
compacting allows users and servers to continue to access and edit databases during compacting.
When you run Compact without specifying options, Domino uses this style of compacting on databases that aren't
enabled for transaction logging. Domino also uses this style of compacting when you use the -B option. To
optimize disk space, it's recommended that you run Compact using the -B option
Copy-style compacting
A Copy is created, and when the compact is complete, the original database is deleted. Because of this, there
needs to be sufficient disk space available to make the copy of the database, or any error will occur and the
compact will not work. During this type of compacting, a new database is created and a new DBIID is assigned.
Because a new database is actually being created, this option locks out all users and servers from editing the
database. Access using this version of compact for read only can be enabled if the -L switch is used at the time it
is run.
Compact should be run on all databases at the least weekly, if possible, but it should be run at a minimum of
once a month using the format compact -B to minimize the amount of disk space. If Fixup does not correct a
database problem, running compact with the switch of -c can attempt to correct the problem.
Characteristics In place, space In place, space Copy-style
recovery recovery with file size
reduction
Databases that use it when Logged databases Unlogged databases Databases with pending
compact runs without with no pending with no pending structural changes
options structural changes structural changes
Databases you can use it Current release Current release Current release (need -c)
on
Relative speed Fastest Medium Slowest
Users can read databases Yes Yes No (unless -L option
during compacting used)
Users can edit databases Yes Yes No
during compacting
Reduction in file size No Yes Yes
Extra disk space required No No Yes
Compact options Compact - Basics
Option Command-line equivalent Description
Compact only this database or database path To compact a database in the Domino
folder Specify any additional data folder, enter the file name, for
(To specify databases to options after the database example SALES.NSF. To compact
compact using the Files tab, path. databases in a folder within the data
select the databases in the files folder, specify the database path relative
pane.) to the data folder. For example, to
compact all databases in the folder
DATA\SALES, specify SALES.
If you choose "Compact all databases"
(or don't specify a database path at the
command line) Compact compacts all
databases in the data folder and in
folders within the data folder.

Compact - Options
Option Command-line equivalent Description

27
Compact database only if unused -S percent
space is greater than x percent
Discard any built view indexes
Keep or revert database to
previous format
Compact - Style
Option
In-place (recommended)
In-place with file size reduction
Copy-style
Copy-style: Allow access while
compacting
28
Compacts all databases with a specified
percent of unused space. For example, if
you specify 10, databases with 10% or
more recorded unused space are
compacted. Note that the unused space
calculation is not always a reliable
measure of unused space.
-D Discards built view indexes. Use this
option to compact databases just before
you store them on tape, for example. Does
copy-style compacting.
-R Compacts databases without converting to
the current release file format of the server
that stores the databases or reverts
databases in the current release file format
to the previous release file format. For
example, on Domino 6 servers, this option
compacts Domino 5 databases without
converting them to the Domino 6 file
format and converts Domino 6 databases
to the Domino 5 file format. This option
uses copy-style compacting.
Command-line equivalent Description
-b Uses in-place compacting and recovers
unused space without reducing the file
size, unless there's a pending structural
change to a database, in which case copy-
style compacting occurs. This is the
recommended method of compacting.
-B Uses in-place compacting, recovers
unused space and reduces file size,
unless there's a pending structural change
in which case copy-style compacting
occurs. If you use transaction logging, do
full database backups after compacting
completes.
-c Uses copy-style compacting. Use this
option, for example, to solve database
corruption problems.
-L Enables users to continue to access
databases during compacting. If a user
edits a database during compacting,
compacting is canceled. This is useful only
when copy-style compacting is done.
Copy-style: Ignore errors and
proceed
Compact – Advanced ( not available through the Compact tool in the Files tab of the Domino administrator
Option*
Document table bitmap
optimization: Off
Document table bitmap
optimization: On
Don't support specialized
response hierarchy: Off
-i Enables compacting to continue even if it
encounters errors such as document
corruption. Only used for copy-style
compacting.
Command-line equivalent Description
-f Disables "Document table bitmap
optimization" database property. Does
copy-style compacting.
-F Enables "Document table bitmap
optimization" database property. Does
copy-style compacting.
-h Disables "Don't support specialized
response hierarchy" database property; in
other words, support specialized response
hierarchy. Does copy-style compacting.

Don't support specialized -H Enables "Don't support specialized

response hierarchy: On response hierarchy" database property; in
other words, do not support specialized
response hierarchy. Does copy-style
compacting.

Enable transaction logging: Off -t Disables transaction logging.

Enable transaction logging: On -T Enables transaction logging. Use

Compact - T when a database is open or
closed. If you use Compact - T on a
database that is closed, logging is enabled
but the Compact is not logged until the
database is opened; therefore, logging is
not available until you reopen the
database.
Don't maintain unread marks: Off -u Disables "Don't maintain unread marks"
database property; in other words,
maintain unread marks.
Don't maintain unread marks: On -U Enables "Don't maintain unread marks"
database property; in other words, do not
maintain unread marks.
* Select "Set advanced properties" before you enable or disable any of these properties.
Compact - Archive
When you use the document archiving tool to archive and delete documents in a database, you can use the
following Compact options to archive documents if the database is located on a server and you've chosen the
advanced archiving option "Automatically on server."
Option* Command-line equivalent Description
Archive only -A Archives and deletes documents from a
database without compacting the database.

Archive and then compact -a Archives and deletes documents from a

database and then compacts the database.

Delete and then archive -j Deletes documents from a database and then
compacts the database.

29
What is the maximum number of databases accepted in the DB cache?
Total it can cache up to 121 databases.

How to run Compact, Updall, and Fixup on different database at a time?

Open a Notepad and type all the files which have to be processed in each line.
And save that file with extension as .ind

We can give multiples passwords only for the Cert.id

If the Server_Restricted =2 in the notes.ini file then, only administrator can Access the server not others.

By default User.ID files Expires 2 years and Server.ID & Cert.ID Expires 100 Years

Kit Type=2 in the notes.ini file then, that notes.ini file is for the server. Kit Type=1, for the client.

Limitation of the Organization Unit is 4 levels. But IBM recommended keeping only two Organization Units.

If we register one Organization Unit, it creates one ID file for OU & a Certifier Document in Domino Directory.

When we Register User, then Domino Creates an ID file for the User, User Personal Document &Mail Database

By Default User Password is stored in the User ID file.

User is moving from one server to other Server in Different Domain, then AdminP not involved in the Process,
Only if the User is moving from one Server to other Server with same Domain then AdminP Process the Request

Local Domino Server Group is created by default when we install the Additional Server.

Server Console Security can implement thought the command Set Secure <password>

If Administrator is forgot the console password, then just remove set secure line in the notes.ini file.

By default nobody will have Full Access Administrator access

If User is included in the Server Access Group & Not Access server Group, then the user can’t access the server.

By default Administrator Has the Right to create the Template.

By default all users having the Author access to the Domino Directory.

Public Documents means even the no access users can see and edit the created Documents.

Lotus uses the Secrete key encryption for Filed level security.

LDTWS Lotus Domino Toolkit for Web Sphere Studio

Server Console Commands:

Show Serverit shows the dead mails & pending mails.
Tell Router Update configRouters will be reloaded the routing table.
Tell AdminP Process alladministor process the all pending requests.
Load Fixup <Database name>it fixes up the particular database.
Load Compact <Database Name> It compact the that particular database
Tell Router CompactIt Compact the Mail. Box
Tell Router Show Queueit will show the mail held in transfer queues to specific servers.

30
Show Clusterit shows local server's cluster name cache, which includes a list of all cluster members and their
status, based on information received during the server’s cluster probes.
Replicators=number of tasks, this setting you have to specify in the server notes.ini file.
Restart Port portname, using this command you can restart the TCPIP port & other ports.
Start Port portname, using this command you can start the port. Like TCPIP
Stop Port portname, using this command you can stop the port.
Show Open databaseIt will shows the current open databases
Show Server It will Shows the server Information.
Show Allports It will show the all ports Information on the Server.
Show Users It will shows the Users will are in open sections.
Show Memory It will show the memory Information on the server.
Show Time it shows the Current time on the server.
Broadcast “Message” It will broadcast the message to every open section user.
Dbcache Show It will show the Cache files information on server.
Dbcache Flush Clear the Cache on the server.
Show Diskspace It will show the Disk Space information on the server.

Changing a TCP or SSL port number

By default, all NRPC connections use TCP port 1352. Because the Internet Assigned Number Authority (IANA)
assigned Lotus Domino this port number, non-Domino applications do not usually compete for this port. Do not
change the default NRPC port unless:
You can use a NAT or PAT firewall system to redirect a remote system's connection attempt.
You are using Domino port mapping.
You create a Connection document that contains the reassigned port number.

To change the default NRPC port number, use the NOTES.INI setting TCPIP portname_TCPIP Address and
enter a value available on the system that runs the Domino server. TCP ports with numbers less than 5000 are
reserved for application vendors. You may use any number from 1024 through 5000, as long as you don't install a
new application that requires that number.

Default ports for Internet services

You may occasionally need to change the number of the TCP or SSL port assigned to an Internet service. Lotus
Domino uses these default ports for Internet services:
Service Default TCP port Default SSL port
POP3 110<nozeros> 995 <nozeros>
IMAP 143 <nozeros> 993 <nozeros>
LDAP 389 <nozeros> 636 <nozeros>
SMTP inbound 25 <nozeros> 465 <nozeros>
SMTP outbound 25 <nozeros> 465 <nozeros>
HTTP 80 <nozeros> 443 <nozeros>
IIOP 63148 <nozeros> 63149 <nozeros>
Server Controller N/A 2050<nozeros>

When we install the First Domino server the following are created automatically
Cert.id--This is Organization Certifier & saved in the Domino Directory
Server.id
Admin.id
A Mail Database is created for the Administrator
A personal document is created for the Administrator in domino directory.
A server Document is created.
A Domino Directory is created for server.
A configuration Document is created for Domino Directory
Log.nsf
Certlog.nsf

31
Admin4.nsf
These above 3 databases are required to run AdminP

Preventing users from viewing ADMIN4.NSF in a hosted environment

By default, access to the Administration Requests database (ADMIN4.NSF) is set to "Author" for hosted
organization administrators and for -Default-. With this level of access, anyone with a Notes ID at a hosted
organization can open ADMIN4.NSF with a Notes client and view user activity in the database. This is a security
risk. To prevent users at a hosted organization site from accessing ADMIN4.NSF, do the following:
1. Open ADMIN4.NSF and select File - Database - Properties.
2. Select the i Tab and click User Detail.
3. In the User Activity interface, select the check box "Activity is confidential."
4. Click OK. Click X to close out of Properties.

The Domino server log (LOG.NSF)

Every Domino server has this log file that reports all server activity and provides detailed information about
databases and users on the server. The log file is created automatically when you start a server for the first time.

General User Registration is of 4 types

Basic RegistrationUser Name & Password is mandatory
Advanced Registration
Text File Registrationlast Name & Passwords are mandatory
MigrationMigration tool must be installed during the Domino Administrator Software.

Policy Setting Documents are 4 Types

Registration Policy
Security Policy
Desktop Policy
Setup Policy
Mail Archive Policy

Registration  If a policy including registration policy settings is in place before you register Notes users, these
settings set default user registration values including user password, Internet address format, roaming user
designation, and mail.
Setup  If a policy including setup policy settings is in place before you set up a new Notes client, these settings
are used during the initial Notes client setup to populate the user's Location document. Setup settings include
Internet browser and proxy settings, applet security settings, and desktop and user preferences.
Desktop  Use desktop policy settings control and update the user's desktop environment or to reinforce setup
policy settings. For example, if a change is made to any of the policy settings, the next time users authenticate
with their home server, the desktop policy settings restore the default settings or distribute new settings specified
in the desktop policy settings document.
Mail archiving  Use archive policy settings to control mail archiving. Archives settings control where archiving is
performed and specify archive criteria.
Security  Use security settings to set up administration ECLs and define password-management options,
including the synchronization of Internet and Notes passwords.
“If user is already registered, then we can apply only Archive Policy & Security Policy & Setup Policy”
“Policy are Introduced in the Domino R6 Version”
Groups
Groups can be used for three purposes
Mailing
Server Security
Database Security

Groups are 5 Types in Lotus Domino

Multipurpose

32
Mail Only
ACL only
Server Group
Deny List Group
Multi-purpose  Used for a group that has multiple purposes -- mail, ACLs, and so on. (Default)
Access Control List only  Used for server and database access authentication only.
Mail only  Used for mailing list groups
Servers only  Used in Connection documents and in the Domino Administration client's domain bookmarks for
grouping.
Deny List only  Used to control access to servers. Typically used to prevent terminated employees from
accessing servers, but this type of group can be used to prevent any user from accessing particular servers. The
Administration Process cannot delete any member of the group.

Encryption
Domino uses the two types of Encryption Techniques
RSA Encryption
Dual Key Encryption
Encryption protects data from unauthorized access. For all types of encryption except network port encryption,
Domino uses public and private keys .so that data encrypted by one of the keys can be decrypted only by the
other. The public and private keys are mathematically related and uniquely identify the user. Both are stored in
the ID file. Within the ID file, the public key is stored in a certificate, but the private key is stored separately from
the certificate. The certificate containing the public key is also stored in the Domino Directory, where it is available
to other users.

To create Notes public and private keys, Domino uses the dual-key RSA Cryptosystem and the RC2 and RC4
algorithms for encryption. To create the Internet public key, Domino uses the x.509 certificate format, which is an
industry-standard format that many applications, including Domino, understand.
Both the Notes client and Domino server support 1024-bit RSA key and 128-bit symmetric key for S/MIME and
SSL. The Notes proprietary protocols use a 630-bit key for key exchange, and a 64-bit symmetric key.

Example of clustering two servers for mail and applications

If you have only two servers in your cluster, you can set them up in one of two ways: You can use one of the
servers as the primary server for user access and use the second server as a backup and failover server, or you
can equally divide the workload between the two servers and have them fail over to each other. Dividing the
workload typically ensures better performance when both servers are running. When one server is not available,
performance is the same in both scenarios because one server must process the entire workload of both servers.
The following figure shows a cluster with two servers with the workload divided between the servers.

33
Adding a Cluster Server

You will be prompted by verification prompt. Select Yes.

You will prompted to create a New Cluster the 1st time you create a cluster. Click OK

Next, you'll be prompted to provide a name for your cluster. For this example we have selected to name the
cluster "MailCluster1".

Select "Yes" to the "....request immediately or via Admin Process" dialog.

You will receive the following prompt when successful.

We need to setup another Domino server on the same cluster in order for failover to function. Select another
Domino server and step through the same steps as shown above. The only exception, is when prompted for the
name of the cluster DO NOT select *Create New Cluster, select the down arrow key and select the cluster which
was created in the steps above. (MailCluster1)

34
The Domino server will add a couple of services to both of the domino servers

How failover works

A cluster's ability to redirect requests from one server to another is called failover. When a user tries to access a
database on a server that is unavailable or in heavy use, Domino directs the user to a replica of the database on
another server in the cluster.

Changing the mail routing failover setting

To change the default mail routing failover setting, make the following change in the Configuration Settings
document for every server in the cluster and every server in the domain that can route mail.
1. From the Domino Administrator or the Web Administrator, click the Configuration tab.
2. In the Task pane, expand Messaging.
3. Click Configurations.
4. Do one of the following:
From the Domino Administrator, select the Configuration document for the server or server group you want, and
click Edit Configuration.
From the Web Administrator, open the Configuration document for the server or server group you want, and click
Edit Server Configuration.
If you do not have a Configuration document for the server or server group you want, create one by clicking Add
Configuration.
5. Click the Router/SMTP - Advanced - Controls tab.
6. In the Cluster failover field, choose one of the following:
Disabled
Enabled for last hop only (the default)
Enabled for all transfers in this domain
7. Save and close the Configuration document.
Note This setting affects delivery to a client but does not affect sending a message from a client when the mail
server is unavailable. If a user sends a message when the mail server is unavailable, the delivery fails over to
another server in the cluster, and the router on that server sends the message.

Fault recovery in a cluster

Fault recovery is the ability of a Domino server to clean up and restart itself after a failure. Fault recovery works
well in a Domino cluster. If there is no Domino server to fail over to, fault recovery still ensures that users will have
constant access to their data. Even if users fail over to another cluster server, fault recovery increases availability
35
because the failed server becomes available again. In addition, depending on the workload balancing parameters
you've set, some users will fail back to the original server when they open new DB’s.
If you are using an operating system cluster in conjunction with a Domino cluster, the decision about whether or
not to use fault recovery depends on how you configured the operating system cluster. If you configured the
operating system cluster to fail over on a hardware failure only, fault recovery works well. Fault recovery restarts
Domino on its current server, and no operating system fail over occurs.
If you configured your operating system cluster to fail over on both hardware and software failures, you don't need
fault recovery because the operating system cluster will restart Domino on another server in the cluster. In fact,
you should disable fault recovery so you won't have Domino restarting itself while the operating system cluster is
also restarting it. This can lead to problems.
By default, fault recovery is disabled. You enable it in the Server document.
1. From the Domino Administrator or the Web Administrator, click the Configuration tab.
2. In the Task pane, expand Server, and click All Server Documents.
3. In the Results pane, select the Server document you want, click Edit Server, and click the Basics tab.
4. In Fault Recovery section, choose "Enabled" in "Automatically Restart Server after Fault/Crash" field.

Creating mail database replicas in a cluster during user registration from the Domino Administrator
1. Click the People & Groups tab.
2. In the Tools pane, expand People, and then click Register.
3. In the "Choose a Certifier" dialog box, choose a certifier and click OK.
4. In the Register Person -- New Entry dialog box, select Advanced, and then click the Mail tab.
5. In the Mail system field, choose Lotus Notes.
6. Click Mail Server, and choose a cluster server as the Mail server.
7. Click Mail File Replicas.
8. Select "Create mail database replica(s)." A list is displayed of mail servers in the same cluster.
9. Do one of the following:
To create a replica of the mail database on all of the cluster servers, skip this step.
To change the list of servers to receive a replica, use the Remove and the Add Server(s) button.
10. (Optional) Select "Create mail replica(s) in background."
11. Click OK, and then complete any other fields you want on the Mail tab.
12. (Optional) If you want to set up the user for roaming in a cluster
13. Complete the rest of the user registration the way you normally would.

Enabling single sign-on and basic authentication

This procedure creates single sign-on cookies for your server that can be used successfully on other participating
servers. To enable single sign-on and basic authentication for a Web Site
1. In the Domino Administrator, click Configuration - Web - Internet Sites.
2. Open the Web Site document for which you want to enable single sign-on.
3. Click Domino Web Engine.
4. In Session authentication, select "Multiple Servers (SSO)."
5. In the Web SSO Configuration field, select the Web SSO Configuration for Web Sites from the drop-down list.
6. Click Security. For both TCP and SSL authentication, enable Name & Password.
7. Save and close the Web Site document.
8. At the server console, start the HTTP process by typing:
load HTTP
If the HTTP process is already running, type: tell HTTP restart
If something is wrong with the configuration, the browser will receive an Error 500 message stating that single
sign-on is not configured.
To enable single sign-on and basic authentication in the Server document
1. Open the Server document.
2. Click Ports>Internet Ports>Web, enable Name-and-password authentication for the Web (HTTP/HTTPS) port
3. Click Internet Protocols>Domino Web Engine, and select Multiple Servers in the Session authentication field.
Note: The "Idle session timeout" and "Maximum active sessions" fields will be disabled.
4. In the Web SSO Configuration field, select the Web SSO Configuration for this server from the drop-down list.

36
5. Save and close the Server document

Mail journaling
Mail journaling enables administrators to capture a copy of specified messages that the Router processes by the
Domino system. Journaling can capture all messages handled by the Router or only messages that meet specific
defined criteria. When mail journaling is enabled, Domino examines messages as they pass through MAIL.BOX
and saves copies of selected messages to a Domino Mail Journaling database (MAILJRN.NSF) for later retrieval
and review. Mail journaling works in conjunction with mail rules, so that you create a journaling rule to specify the
criteria for which messages to journal. For example, you can journal messages sent to or from specific people,
groups, or domains. Before depositing messages in the Mail Journaling database, the Router encrypts them to
ensure that only authorized persons can examine them. Journaling does not disrupt the normal routing of a
message. After the Router copies a message to the Mail Journaling database, it continues to dispatch the
message to its intended recipient.
Domino mail journaling differs from message archiving. Journaling works dynamically, making a copy of each
message as it passes through MAIL.BOX to its destination and placing the copy in the Mail Journaling database.
A copy of the message is retained, even if the recipient, or an agent acting on the recipient's mail file, deletes it
immediately upon delivery. Archiving is used to reduce the size of an active mail file database by deleting
messages from one location and moving them to an offline database, usually in another location, for long-term
storage. Archiving acts on messages that have already been delivered. Journaling is performed automatically by
the server; while archiving is a manual operation, performed by end users on their own mail files. End users can
search for and retrieve messages from a mail file archive, but only an authorized administrator can examine a
Mail Journaling database.

There are two steps to configure journaling:

Setting up the Mail Journaling database
Specifying which messages to journal

By default, mail journaling is not enabled. You enable journaling from the Configuration Settings document. To set
up the Mail Journaling database, you specify where to store journaled messages and then set options for
managing the security and size of the database. After you enable journaling, Domino automatically creates the
Mail Journaling database in the specified location.
To set up the Mail Journaling database
1. Make sure you already have a Configuration Settings document for the server(s) to be configured.
2. From the Domino Administrator, click the Configuration tab and expand the Messaging section.
3. Click Configurations.
4. Select the Configuration Settings document for the mail server or servers where you want to journal mail, and
click Edit Configuration.
5. Click the Router/SMTP - Advanced - Journaling tab.
6. Complete the following fields, and then click Save & Close:
Specifying messages to journal
After you enable journaling, set mail rules on the Configuration Settings document to specify which messages to
journal. If you specify all documents and a message is returned as undeliverable, Domino journals the delivery
failure report as well as the original message. When Domino journals a message, it sets a journal flag on the
message before transferring it to the next server on the route. This ensures that servers later in the routing path
do not journal the message again. When the Router on the destination mail server delivers the message to the
user's mail file it removes the flag so to that the user remains unaware that the message was been journaled.
Field Description
Specifies whether the server supports mail journaling. Choose one: Enabled - Domino
supports mail journaling on the servers governed by this document. To journal mail, create a
Journaling server mail rule with the action "Journal this message."
Disabled - (default) Mail journaling is not supported on the servers governed by this
document.

37
 Specifies the names of Notes message fields that Domino does not encrypt when adding
messages to the Mail Journaling database. Encrypted fields cannot be displayed in a view.
List any fields you want to display in a view. By default, the following fields are not encrypted:
Field encryption
Form, From, Principal, and Posted Date.
exclusion list
Note When using a mail-in database for journaling, Domino does not automatically encrypt
messages added to the database. To encrypt messages in a mail-in database use the Mail-
in database document to specify encryption of incoming messages.

Specifies the location of the Mail Journaling database. Choose one:

Copy to local database - (default) The Router copies each journaled message to a database
on the local server. If it does not already exist, Domino creates a local Mail Journaling
database on the server. If the Configuration Settings document applies to multiple servers,
Domino creates a unique Mail Journaling database on each server.
Send to mail-in database - The Router copies each journaled message and sends it to a
Method specified mail-in database. The specified database must already exist and must have a Mail-
in database document in the Domino Directory. The mail-in database used for journaling may
be on any Domino server, including the local server. Specify the mail file where journaled
messages are to be sent in the Mail Destination field. When using a mail-in database for
journaling, be sure to encrypt messages when adding them to the database. To encrypt
messages sent to a mail-in database, enable encryption on the Administration tab of the
Mail-in database document.

If you specified "Copy to local database" as the journaling method specify the file name you
Database name want Domino to use when it creates the Mail Journaling database. The default name is
MAILJRN.NSF.

If you specified "Send to mail-in database" as the journaling method, use this field to enter
the name of the mail-in database to which the Router forwards messages to be journaled.
Mail destination Click the down-arrow to select the name of the mail-in database from the Domino Directory.
Note You must create the mail-in database beforehand; Domino does not automatically
create mail-in databases for journaling.

If you specified "Copy to local database" as the journaling method, enter the fully qualified
Notes Name of the user whose certified public key Domino uses to encrypt messages added
Encrypt on behalf to the database. To ensure privacy, consider creating a special user ID for reviewing
of user journaled messages, and protect the ID with multiple passwords. To encrypt messages sent
to a mail-in database, enable encryption on the Administration tab of the Mail-in database
document.

38
 For local Mail Journaling databases, the entry in this field specifies how Domino controls the
size of the Mail Journaling database. When the database management method in effect calls
for Domino to create a new Mail Journaling database, on the day that it creates the new
database, it does so at approximately 12:00 AM. Choose one of the following methods:
Periodic Rollover - (default) When the current Mail journaling database reaches the age
specified in the Periodicity field, Domino renames the existing Mail Journaling database and
Database creates a new Mail Journaling database with the original name.
Management - Note - Domino does not automatically control the size of the Mail Journaling database. If you
Method do not use one of the available methods for controlling database size automatically, be sure
to monitor the database size and use appropriate tools to archive the journal data.
Purge/Compact - Domino deletes documents from the database after the number of days
specified in the Data Retention field and then compacts the database.
Size Rollover - When the current database reaches the size specified in the Maximum size
field, Domino renames the database and creates a new Mail Journaling database with the
original name.
If you specified Periodic Rollover in the preceding field, Domino displays this field for
Periodicity
specifying the length, in days, of the rollover interval. The default value is 1 day.
If you specified Purge/Compact in the Database Management-Method field, Domino displays
Data Retention this field for specifying the time, in days, that a message remains in the Mail Journaling
database before being deleted.
If you specified Size Rollover in the Database Management-Method field, Domino displays
Maximum size this field for specifying a size limit, in megabytes (MB), for the Mail journaling database. After
the database reaches the specified size, Domino renames it and creates a new one.
Starting and stopping the ISpy task
Create a TCP server event generator to verify the availability of the services on Internet ports on one or more
servers. A TCP server event generator uses the ISpy task to send a probe to test whether the server is
responding on a port. By default, the ISpy task monitors all enabled Internet ports (TCP services) on the server on
which it is running. You must start the ISpy task before you can create server and mail routing event generators.
The ISpy task does not start automatically. Use any of these methods to start and stop the ISpy task.
To do this Perform this task
Start the ISpy task
automatically Edit the ServerTasks setting in the NOTES.INI file to include runjava ISpy.
when the server starts
Start the ISpy task manually Enter the command load runjava ISpy at the console.
Enter either the command tell runjava ISpy unload or tell runjava quit at the
Stop the ISpy task
console.
On servers running the ISpy task, this task sends mail probes in the form of trace messages to test mail
connectivity approximately every five minutes. Under normal use, the ISpy task automatically deletes these
probes from the ISpy mail-in database and the only trace of them are entries in the Routing events view of the
server log file and on the server console. However, if you enable a journaling rule on these servers and specify
the condition "All documents," the Mail Journaling database will capture each trace message that the ISpy task
sends. To prevent the Mail Journaling database from filling up with these entries, configure a rule exception for
messages where the sender includes "ISpy."

39