90) To identify the replication issue:
1. Replica id
2. Replication history in database properties (it shows the last successful replication)
3. Log.nsf or replication logs
4. Connections documents
5. Database ACL - server rights for replication.
6. Check sufficient disk space
7. Document and field level access (this is useful when document count mismatches)
8. Monitoring results (statrep.nsf)
9. "Jobschduled.njf": this file is used for scheduled replication and can become corrupt.
Transaction logging:-
Transaction logs are binary files in which transactions are written. A transaction log file has a .txn file extension
and is 64 MB in size. Transaction logging captures all the changes made to a database and writes them to a
transaction log. The logged transactions are then written to disk. Transaction logging is available for Domino
servers running release 5 or later. Database changes are sent to a transaction log and then written later to the
target database (i.e. committed to disk).
Transaction logging offers benefits for the following system activities:
Backup throughput is increased because transaction logs back up quicker than normal databases.
Disaster recovery is more complete, since data stored in the transaction log can supplement a full system
recovery, so that data is not lost.
Database views are stored in the log file so database views may not need to be rebuilt.
Types:-
1) Linear - 4 GB space. Same
2) Circular - can use more than 4 GB space.
3) Archived
DBIID: Database Instance ID; it is assigned the first time transaction logging occurs.
Type of roles in names.nsf (public address book).
Group creator.
Group modifier.
Net creator.
Net modifier.
Policy creator.
Policy modifier.
Policy reader.
Server creator.
Server modifier.
User creator.
User modifier.
For example, Author access combined with the User creator role is enough to register a person; you do not need
Editor access to do the same work. Effective access is therefore the combination of role and access level.
Replication:-
Pull-Pull (both servers included): bi-directional.
Pull-Push (default; only the source server included): bi-directional.
Pull only (only the source server included): uni-directional.
Push only (only the source server included): uni-directional.
Command: Push server name [database name]
Replication issues an NSF search request against the source replica and it returns several pieces of information
including a list of OIDs of all the documents that have been created or modified since the last replication.
OID: a combination of three components.
UNID: a unique 16-byte identifier that never changes.
Sequence No: indicates how many times the document has been modified.
Time Stamp: indicates the last time the document was modified.
Notes can keep databases synchronized through replication, which can occur between two Domino servers or
between Notes workstations and a Domino server. Domino system administrators manage several replication
tasks on the Domino server as a part of their job. Notes client users replicate databases to the Notes client so that
they can be used when disconnected from the server.
Replication operates within the security model of Notes and Domino. If, as a user of a database, you only have
the ability to read documents in a server-based replica, you will only be able to receive new and updated data
from the server to your local replica. Any changes made on your end cannot go to the server because you have
only read-access privileges.
Streaming replication: allows the replicator task to send multiple changes in one request and to replicate
smaller documents first. It is used when the replication type is PULL-PULL or PULL only.
Replication between two servers requires a Connection document on either server, whereas mail routing requires
Connection documents on both servers.
Replica ID: a unique number that is generated when a database is first created. When you make a replica of a
database, the replica inherits the replica ID. Author access is required for replication.
Benefits of replication –
1. Security
2. Reduced communication cost
3. Improved performance
4. Can replicate subset of data
5. Replication on the basis of ACL
In the Server document, under Server Tasks -> Maximum execution time, increase the value if an agent stops in the middle of its run.
DST
Specifies that a server or a workstation observes daylight savings time. Belongs to Uncategorized Usage
DST=value (Default 1)
0 - Do not observe daylight savings time
1 - Observe daylight savings time
When you select this option, the created/modified time for documents created or modified from the first Sunday in
April through the last Sunday in October are time-stamped one hour later than the server's system time. This
option lets you adjust for daylight savings time without changing the actual system time.
On a workstation, the Daylight savings time field is on the Advanced - Basics tab of the Location document; on
a server, the Daylight savings time field is in the Server document.
Tell router config all:-
SMTP server problem: mail was getting stuck on the server, around 10000 messages at the gateway server.
Just quit SMTP and load it again.
Routing cost: - Notes routing assigns a routing cost to each connection and uses these costs to select the most
efficient way to route mail from one server to another. The Router computes and stores information about these
costs in its routing tables. If there is more than one possible route for mail to travel between the source server and
the destination server for the message, the Router uses routing cost information in the tables to calculate the
least-cost route for the message. The Router uses information in Server, Domain, and Connection documents to
create the routing tables. A LAN connection has low cost; a dialup modem connection has high cost. By default,
each LAN Connection has a cost of 1, while each dialup modem connection has a cost of 5.
Note: do not edit/change the routing cost if the servers are in the same NNN.
How the Router chooses a route:
It calculates and selects the least-cost route. If the least-cost route fails -- for example, if there is no answer or if
the network times out – the Router increases the cost of the initial route by 1. For example, if a LAN connection
between Server A and Server B initially has a cost of 1 but the connection fails during an attempted transfer, the
Router increases the cost of that LAN connection between Server A and Server B to 2. The next time the Router
tries to transfer mail between servers, it again looks for the least-cost route between those servers. If there is an
alternate route that is equal in cost and requires fewer hops, the Router selects that alternate route. For example,
if there are two paths between Server A and Server B, each with a total cost of 4, the Router examines the
number of hops in each path. If one route requires three hops but the other requires only two hops, the Router
uses the path that requires two hops because the costs are equal.
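A worked model of this route selection, added here as an illustration rather than Domino's own Router code; the servers, connection costs and failure sequence are constructed:

```python
"""Least-cost mail routing with a hop-count tie-break, modelled on the
Router behaviour described above. Constructed illustration, not Domino's
own routing code: server names, costs and the failure sequence are made up."""
import heapq
from typing import Dict, List, Optional, Tuple

LAN, DIALUP = 1, 5   # default costs on the page: LAN connection 1, dialup modem 5


class RoutingTable:
    """Costs of the direct connections the Router knows about."""

    def __init__(self) -> None:
        # cost[(src, dst)]: current cost of transferring over src -> dst
        self.cost: Dict[Tuple[str, str], int] = {}

    def add_connection(self, src: str, dst: str, cost: int) -> None:
        """Record a Connection document; the link is usable in both directions."""
        self.cost[(src, dst)] = cost
        self.cost[(dst, src)] = cost

    def neighbours(self, server: str) -> List[Tuple[str, int]]:
        return [(dst, c) for (src, dst), c in self.cost.items() if src == server]

    def least_cost_route(self, source: str, destination: str) -> Optional[List[str]]:
        """Return the cheapest route; among equal-cost routes, the one with fewer
        hops. Returns None when no connection chain reaches the destination."""
        # Heap entries are (total cost, hops, path): heapq pops the cheapest route
        # first and, when costs tie, the route with fewer hops.
        frontier: List[Tuple[int, int, List[str]]] = [(0, 0, [source])]
        settled: Dict[str, Tuple[int, int]] = {}
        while frontier:
            total, hops, path = heapq.heappop(frontier)
            here = path[-1]
            if here == destination:
                return path
            if here in settled and settled[here] <= (total, hops):
                continue
            settled[here] = (total, hops)
            for nxt, c in self.neighbours(here):
                if nxt not in path:
                    heapq.heappush(frontier, (total + c, hops + 1, path + [nxt]))
        return None

    def record_failure(self, src: str, dst: str) -> None:
        """A transfer over src -> dst failed (no answer, network timeout): the
        Router raises the cost of that connection by 1."""
        if (src, dst) in self.cost:
            self.cost[(src, dst)] += 1


def demo() -> Tuple[Optional[List[str]], Optional[List[str]], Optional[List[str]]]:
    """Scenario: a direct A-B LAN link plus two alternatives of total cost 4,
    A-C-B (two hops) and A-D-E-B (three hops). Returns the chosen route
    initially, after three failed transfers over A-B, and after a fourth."""
    table = RoutingTable()
    table.add_connection("A", "B", LAN)        # direct route, cost 1
    table.add_connection("A", "C", 2)          # A-C-B: cost 2 + 2 = 4, two hops
    table.add_connection("C", "B", 2)
    table.add_connection("A", "D", LAN)        # A-D-E-B: cost 1 + 2 + 1 = 4, three hops
    table.add_connection("D", "E", 2)
    table.add_connection("E", "B", LAN)

    initial = table.least_cost_route("A", "B")        # direct link, cost 1
    for _ in range(3):
        table.record_failure("A", "B")                # direct link now costs 4
    after_three = table.least_cost_route("A", "B")    # tie at 4: fewest hops wins, still direct
    table.record_failure("A", "B")                    # direct link now costs 5
    after_four = table.least_cost_route("A", "B")     # A-C-B beats A-D-E-B on hops
    return initial, after_three, after_four


if __name__ == "__main__":
    print(demo())
```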
There are two servers (A and B) in a cluster. If server A goes down, all the users are routed to the other server, B.
When the first server comes back up, how do you move these users back to the first server?
Set stat config restricted = 0 to disable.
Set stat config restricted = 1 to enable.
Set stat config restricted = 2 to enable permanently.
How do you make a group not be shown to a particular user, so that the user cannot type the name of the group in
the To field of a new memo?
Remove the user's name from the Readers field of the group document: open the document properties and remove
the person's name from the Readers field.
Whenever a particular user attempts to authenticate with the server, they receive the following warning:
"Warning: The public key for <user name> found in the directory names.nsf on server <server name> does not
match the one used during authentication."
Cause: the public key in the user's ID file does not match the public key in the user's Person document in
the Domino Directory. Fix: copy the public key from the ID file and paste it into the "Notes Certified Public
Key" field on the 'Certificates\Notes Certificates' tab of the Person document.
To copy a Certified Public Key from a Notes ID file using the Notes client, perform the following steps from the
Admin client:
1. From the Domino Administrator, click the Configuration tab.
2. From the Tools pane, click Certification - ID properties.
3. Select and open the ID file to be examined, enter the password (Person ID, Server ID or Certificate ID).
4. From the ID Properties window, select Your Identity, then select Your Certificates.
5. Select the Other Actions button and select Mail / Copy Certificates (Public Key)
6. Click the Copy Certificate button. (Remote user selects Mail Certificate. It copies the entire public key to the
clipboard.)
7. Paste the public key into the associated Person document in the People view of the admin client.
Have the end user select the following options to mail the administrator a copy of their public key:
File -> Security -> User Security -> Your identity -> Your Certificates -> Other Actions -> Mail, copy certificate
(public key). -> Mail Certificate -> fill out "To" -> Send
Mail is arriving from the server with only the server name as sender and recipient. Why do these mails appear in
the server's mail.box?
This is because of event generators; such mail is sent under server IDs.
What is administration server, can you make one more admin server? If main admin server goes down then how
would you make other server as admin server? Where can we do these settings?
You can set up multiple administration servers, called extended administration servers, for the Domino Directory to
provide less centralized, more regional directory management.
Complete these instructions to set up an extended administration server.
1. From the Domino Administrator, click the Files tab and then open the Domino Directory (NAMES.NSF).
2. Choose Files - Database - Access Control.
3. Click Advanced and select Enable Extended Access.
4. Click Basics and click Extended Access.
5. In the Names list, select the namespace (an organization or one or more organizational units) for which you are
assigning an administration server.
6. Select the server that you are designating as an administration server.
7. Choose one of these "Access applies to" settings:
This entry only -- to assign the selected administration server to the selected namespace only. Namespaces that
are subordinate to the selected namespace are not affected by this selection.
This entry and all descendants -- to assign the selected administration server to the selected namespace and to
all subordinate namespaces.
8. In the Access field, in the Allow column, click Administer.
9. Click OK.
10. Click Yes.
What happens if you change the replication setting from 90 days to 30 days? Deletion stubs will be deleted after
10 days (30/3 = 10 days).
Remove documents not modified in the last x days: The number of days specified here, known as the purge
interval, controls when Domino purges deletion stubs from a database. Deletion stubs are markers that remain
from deleted documents so that Domino knows to delete documents in other replicas of the database. Because
deletion stubs take up disk space, Domino regularly removes deletion stubs that are at least as old as the value
specified. It checks for deletion stubs that require removal at 1/3 of the purge interval. For example, assuming the
default value, 90 days, when a user opens a database, Domino checks if it has been at least 30 days since it
removed deletion stubs, and if so it removes any deletion stubs that are at least 90 days old. The Updall task,
which runs by default at 2:00 AM, also removes deletion stubs. You can shorten the purge interval, if you want,
but be sure to replicate more frequently than the purge interval; otherwise, deleted documents can be replicated
back to the replica. Optionally, you can select the check box to remove documents in the replica that haven’t
changed within the purge interval. If you select the check box, when Domino removes deletion stubs it also
removes documents that haven’t changed within the specified number of days. These documents are purged,
meaning no deletion stubs remain for the documents, so the documents aren't deleted in other replicas. The "Only
Replicate Incoming Documents Saved or Modified After: date" setting prevents the purged documents from
reappearing through replication.
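The purge-interval check and the replicate-back caveat, as an added simulation (a constructed model, not Domino code); it assumes the database is opened daily, the stub check runs whenever purge interval/3 days have elapsed since the previous check, and replication runs on a fixed interval:

```python
"""Simulation of deletion-stub purging against replication frequency.
Constructed illustration, not Domino code, of the caveat above: a deletion
stub purged before the other replica has replicated lets the deleted
document replicate back. Assumptions: the database is opened every day, the
stub check runs whenever at least purge_interval/3 days have passed since the
previous check, and replication runs every replication_interval days."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Replica:
    name: str
    documents: Set[str] = field(default_factory=set)     # live document UNIDs
    stubs: Dict[str, int] = field(default_factory=dict)  # UNID -> day it was deleted


@dataclass
class Outcome:
    stub_purged_on: Optional[int] = None    # day replica A's stub was removed
    deleted_on_b: Optional[int] = None      # day the deletion reached replica B
    reappeared_on_a: Optional[int] = None   # day the document came back to A


def purge_stubs(replica: Replica, today: int, purge_interval: int) -> List[str]:
    """Remove stubs at least purge_interval days old and return their UNIDs."""
    old = [u for u, day in replica.stubs.items() if today - day >= purge_interval]
    for u in old:
        del replica.stubs[u]
    return old


def replicate(a: Replica, b: Replica) -> None:
    """Bidirectional replication, simplified to the two cases that matter here:
    a stub deletes the matching document on the other side, and a document
    with no stub on the other side is copied across."""
    for src, dst in ((a, b), (b, a)):
        for u, day in src.stubs.items():
            if u in dst.documents:
                dst.documents.discard(u)
                dst.stubs[u] = day
    for src, dst in ((a, b), (b, a)):
        for u in list(src.documents):
            if u not in dst.documents and u not in dst.stubs:
                dst.documents.add(u)   # nothing says it was deleted, so it comes back


def simulate(purge_interval: int, replication_interval: int, days: int = 120) -> Outcome:
    """Day 0: DOC1 is deleted on replica A; then run the clock for `days` days."""
    a = Replica("A", documents={"DOC1"})
    b = Replica("B", documents={"DOC1"})
    a.documents.discard("DOC1")
    a.stubs["DOC1"] = 0
    outcome = Outcome()
    last_check = 0
    for today in range(1, days + 1):
        if today - last_check >= purge_interval // 3:   # check at 1/3 of the purge interval
            last_check = today
            if "DOC1" in purge_stubs(a, today, purge_interval) and outcome.stub_purged_on is None:
                outcome.stub_purged_on = today
            purge_stubs(b, today, purge_interval)
        if today % replication_interval == 0:
            replicate(a, b)
            if "DOC1" not in b.documents and outcome.deleted_on_b is None:
                outcome.deleted_on_b = today
            if "DOC1" in a.documents and outcome.reappeared_on_a is None:
                outcome.reappeared_on_a = today
    return outcome


if __name__ == "__main__":
    print("purge 30, replicate every 20:", simulate(30, 20))   # deletion propagates
    print("purge 30, replicate every 45:", simulate(30, 45))   # document comes back
```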
Clustering requirements
All servers in a cluster must run one of the following: the Lotus Domino 6 Enterprise server, the Lotus Domino 6
Utility server, the Domino Release 5 or Domino Release 4.62 Enterprise server, or the Domino Release 4.6 or
Domino Release 4.5 Advanced Services server.
All servers in a cluster must be connected using a high-speed local area network (LAN) or a high-speed wide area
network (WAN). You can also set up a private LAN for cluster traffic.
All servers in a cluster must use TCP/IP and be on the same Notes named network.
All servers in a cluster must be in the same Domino domain and share a common Domino Directory.
You must specify an administration server for the Domino Directory in the domain that contains the cluster. If you
do not specify an administration server, the Administration Process cannot change cluster membership. The
administration server does not have to be a member of a cluster.
Each server in the cluster must have a hierarchical server ID. If any servers have flat IDs, you must convert them
to hierarchical IDs to use them in a cluster. A server can be a member of only one cluster at a time. Each server
must have adequate disk space to function as a cluster member. Because clusters usually require more database
replicas, servers in clusters require more disk space than unclustered servers. Each server must have adequate
processing power and memory capacity. In general, clustered servers require more computer power than
unclustered servers.
clusta4.ntf--A Cluster Analysis database contains documents that record the results of Cluster Analysis tests. By
default, Domino writes the analysis results to the Cluster Analysis database on the Server
Number of cluster members -- Checks the number of servers in the cluster
Consistent domain membership -- Checks that all servers are members of the same domain
Consistent protocols -- Checks those servers are running consistent protocols
Required server tasks -- Checks that the required cluster tasks are running
Database Replicas exist within cluster -- Checks databases for replicas in the cluster
Consistent ACLs -- Checks that access control lists are consistent among replicas
Disabled Replication -- Checks databases for disabled cluster replication
Consistent replication formulas -- Checks for inconsistent replication formulas among replicas
When a user tries to send a message after the user's mail server has become unavailable: if the user was composing
a message when the mail server became unavailable, the user can still send the message. The delivery fails
over to another cluster server, where Notes deposits the message in the outgoing mailbox. Saving the message
does not fail over, so the message is not saved in the Sent folder.
Planning a cluster also includes the following:
After the cluster is up and running, you can further balance the workload by setting a maximum number of users
for each server and setting the availability threshold.
For mail files in a cluster, add one line to Notes.ini for mail cluster failover: Mailclusterfailover=1
Components of cluster:-
1. Cluster manager.
2. Cluster database directory: - contains database name, server path, and replica id.
3. Cluster database directory manager: - it replicates information of add or delete of database.
4. Cluster administrator: - when you add a server in a cluster, administrator starts the cluster tasks. (cldbdir,clrepl)
5. Cluster replicator (clrepl)
A Domino cluster is a group of two or more servers that provides users with constant access to data, balances the
workload between servers, improves server performance, and maintains performance when you increase the size
of your enterprise. The servers in a cluster contain replicas of databases that you want to be readily available to
users at all times. If a user tries to access a database on a cluster server that is not available, Domino opens a
replica of that database on a different cluster server, if a replica is available. Domino continuously synchronizes
databases so that whichever replica a user opens, the information is always the same. IBM Lotus Notes clients
can access all Domino cluster servers. HTTP clients (Internet browsers) can access only Domino Web servers in
a Domino cluster.
Problems that may occur can be related to authentication, database replication, or failover in the event of a server
outage. When troubleshooting a clustering problem, follow these steps.
1. Make sure that the Cluster Replicator task is running on all of the servers in the cluster.
2. Ensure that the database exists on all servers in the cluster and that the replica IDs are the same.
3. Check the log files to see if errors related to the replication task are occurring. Check whether an
excessive number of replication requests is queued, which may point to a server performance issue.
4. Examine the Cluster Database Directory and make sure that the databases are enabled for replication.
5. Make sure there is only one copy of the database on each cluster.
6. Verify that the ACLs in the database are set correctly to allow the servers to communicate. The User Type for
servers must be set to Server or Server group.
7. Check the server documents on all servers in the cluster and make sure that each server is assigned a valid,
unique IP address and that all IP addresses related to the cluster Manager are defined properly.
8. Verify that all servers in the cluster are running.
NSD (Notes System Diagnostics): an NSD file is normally generated when the server crashes. In R5 it was the RIP file.
It is a simple text file that contains a lot of information about the server crash.
Three things you have to keep in mind:
When was the server crash?
What made it to crash?
What was running at the time of server crash?
1) Is Domino reporting any error messages to the console or log file?
2) What is the exact syntax of the error message?
3) Where is the error message being generated, in Domino or in the client?
4) When did this problem first appear?
5) Have you implemented any changes before the problem started appearing?
NOTES.INI settings to troubleshoot performance and crash issues:
Debug_threadid=1 logs the process and thread ID for each server operation.
Debug_show_timeout=1 turns on semaphore timeout messages to the console and creates a semaphore text
file called semdebug.txt.
Debug_capture_timeout=10 time-stamps each semaphore timeout message.
Console_log_enabled=1 enables Domino console logging.
Fault recovery for server crashes: when the server crashes, it shuts itself down and then restarts automatically,
without any administrator intervention. It sends "Mail fault notification" mails to the administrator.
FATAL_THREAD_FAILURE:
Failure: shows the downtime information of the server.
Fatal: what made the server crash.
Thread: information about the tasks running at the time of the server crash, or the task on which the server crashed.
Open the NSD and search for the keyword Panic.
For example, if the server crashed due to server.exe,
you will find a line like FATAL THREAD 11/51 [ nSERVER:0cd0: 2148]
where 0cd0 is the process ID and 2148 is the physical thread ID.
After that, search for the TLS Mapping keyword. Other sections of the NSD that help:
open databases
system information (or environmental information)
stack info, which helps to see the problem at that time
mem check, which helps to diagnose memory information
Open the NSD file in Notepad and search for the "fatal" string ("panic" on UNIX platforms, in the vi editor).
In this case we found [nServer:0cd0:2148]. We know for sure that the server crashed on nserver, which is the server
thread itself; now try to identify something more, i.e. the database that caused the crash.
We now have to find the corresponding virtual thread.
Search for "TLS Mapping" in the NSD file. In Notepad, press the F3 key 3 times to go to the following text in the
NSD (this is called the process table).
Look for the line that has the process ID and physical thread, like below:
[ nSERVER:0cd0: 2148] [ nSERVER:0cd0: 128] [ nSERVER:0cd0: 17]
In this case the virtual thread ID is 128.
Now go back to the top of the NSD and search for the string "open databases" in the NSD file
(this is called the open database table).
Look for the process ID that we found earlier and the virtual thread ID, i.e. 0cd0 and 128, like below:
G:\Lotus\Domino\Data\mail1.box
By: [ nSERVER:0cd0: 128] DBH= 740, User=CN=GKR011N/OU=KR/O=Gillette
From the above text we have identified that the server crashed on mail1.box.
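The three-step NSD walk above (fatal thread, TLS Mapping, open database table) as an added parser, not IBM tooling; the sample NSD excerpt is constructed around the lines quoted on this page and the section header format is assumed:

```python
"""Walk an NSD file the way the steps above do: FATAL THREAD -> TLS Mapping
(process table) -> open database table. Constructed illustration, not IBM
tooling; SAMPLE_NSD is a made-up excerpt built around the lines quoted on
this page, and the '<@@ ... @@>' section headers are an assumption about the
layout, which is why the parser keys on the keywords named in the text."""
import re
from typing import Dict, List, Optional, Tuple

# [ task:pid: thread] as it appears in NSD output, e.g. [ nSERVER:0cd0: 2148]
THREAD_RE = re.compile(r"\[\s*(\w+):([0-9a-fA-F]+):\s*(\d+)\]")

SAMPLE_NSD = r"""<@@ ------ Notes Data -> Fatal ------ @@>
FATAL THREAD 11/51 [ nSERVER:0cd0: 2148]
<@@ TLS Mapping @@>
[ nROUTER:0d10: 2300] [ nROUTER:0d10: 130] [ nROUTER:0d10: 18]
[ nSERVER:0cd0: 2148] [ nSERVER:0cd0: 128] [ nSERVER:0cd0: 17]
[ nSERVER:0cd0: 2172] [ nSERVER:0cd0: 129] [ nSERVER:0cd0: 18]
<@@ Open Databases @@>
G:\Lotus\Domino\Data\names.nsf
By: [ nROUTER:0d10: 130] DBH= 12, User=CN=Server01/O=Example
G:\Lotus\Domino\Data\mail1.box
By: [ nSERVER:0cd0: 128] DBH= 740, User=CN=GKR011N/OU=KR/O=Gillette
"""


def find_fatal_thread(nsd: str) -> Optional[Tuple[str, str, str]]:
    """Step 1: the 'fatal' (or 'panic' on UNIX) line gives (task, process id,
    physical thread id) of the thread that took the server down."""
    for line in nsd.splitlines():
        if "FATAL" in line.upper() or "PANIC" in line.upper():
            m = THREAD_RE.search(line)
            if m:
                return m.group(1), m.group(2), m.group(3)
    return None


def virtual_thread(nsd: str, pid: str, physical: str) -> Optional[str]:
    """Step 2: in the TLS Mapping (process table) each row lists the physical
    thread first and the virtual thread second; return the virtual thread id."""
    in_table = False
    for line in nsd.splitlines():
        if not in_table:
            in_table = "TLS MAPPING" in line.upper()
            continue
        if line.startswith("<@@"):
            break                                   # next section: stop
        ids = THREAD_RE.findall(line)
        if len(ids) >= 2 and ids[0][1] == pid and ids[0][2] == physical:
            return ids[1][2]
    return None


def open_databases(nsd: str, pid: str, vthread: str) -> List[Dict[str, str]]:
    """Step 3: in the open database table a path line is followed by a
    'By: [ task:pid: vthread] DBH= n, User=...' line; collect the entries held
    by the crashing process and virtual thread."""
    lines = nsd.splitlines()
    found: List[Dict[str, str]] = []
    in_table = False
    for i, line in enumerate(lines):
        if not in_table:
            in_table = "OPEN DATABASES" in line.upper()
            continue
        if line.startswith("<@@"):
            break
        if line.strip().startswith("By:"):
            m = THREAD_RE.search(line)
            if m and m.group(2) == pid and m.group(3) == vthread:
                user = re.search(r"User=(\S+)", line)
                dbh = re.search(r"DBH=\s*(\d+)", line)
                found.append({"database": lines[i - 1].strip(),
                              "dbh": dbh.group(1) if dbh else "",
                              "user": user.group(1) if user else ""})
    return found


def analyse_crash(nsd: str) -> Optional[Dict[str, object]]:
    """Run the three steps and report what the crashing thread had open."""
    fatal = find_fatal_thread(nsd)
    if fatal is None:
        return None
    task, pid, physical = fatal
    vthread = virtual_thread(nsd, pid, physical)
    return {"task": task, "pid": pid, "physical_thread": physical,
            "virtual_thread": vthread,
            "databases": open_databases(nsd, pid, vthread) if vthread else []}


if __name__ == "__main__":
    print(analyse_crash(SAMPLE_NSD))
```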
If the server is not coming up, there are four databases to check:
admin4
log.nsf
names.nsf
mail.box
Every time the server starts it checks these files, and if any of them is corrupt the server will not start. If
the server still does not start, remove all the tasks from notes.ini and start the server, then load the tasks
manually one by one.
If an agent is not running for a database then how can you find it? How and when it was stopped?
Tell amgr sceh
The agent manager log activity. -- Log agent manager
How to find roaming and non-roaming profiles in the address book:
field Roaming User="0": normal user without a roaming profile
field Roaming User="1": roaming fully enabled for the user
field Roaming User="2": roaming in progress for the user
What is LDAP?
Lightweight Directory Access Protocol. It is derived from X.500, which organizes directory entries in a hierarchical
name space capable of supporting large amounts of information, and which specifies that communication between the
directory client and the directory server uses the Directory Access Protocol (DAP). However, as an application-layer
protocol, DAP requires the entire OSI protocol stack to operate, and supporting the OSI protocol stack requires more
resources. Hence LDAP was desired: LDAP uses the lighter-weight and more popular TCP/IP protocol stack instead of the
OSI protocol stack. So LDAP is a communication protocol which defines the transport and format of messages
used by a client to access data; LDAP does not define the directory service itself. LDAP uses TCP/IP to allow
clients to access directory information. It can be used by browser clients to retrieve addresses, and it returns
names in SMTP form rather than Notes form. LDAP directories can be implemented in many different ways; IBM
implements cross-platform LDAP directories using DB2 and Lotus Domino.
SERVER_RESTRICTED -
How mail work in lotus notes:- setting up and configuring mail routing :-
By default, Domino uses NRPC (Notes remote procedure call) to transfer mail between servers. A user creates a mail
message in the mail database. When the user sends it, a workstation task called MAILER transfers the message to the
MAIL.BOX database on the user's server. The Router task polls MAIL.BOX and asks two questions about the messages
waiting to be routed.
1. Where this message should be delivered- to which recipients on which servers?
2. How this message should be delivered- which route and connections should be used?
The location of the recipient’s mail database determines how the message is dispatched by the router. A
recipient’s mail database can be stored in any of the following locations.
ON the same server as the sender’s mail database.
On a different server in the same DNN.
On the ports
ON a server in a different DNN within the local domino domain.
On a server in an external Domino Domain.
When a user sends mail, Notes uses NRPC (Notes protocols) to deposit the message into the MAIL.BOX database on the
user's Domino mail server. The Router finds the message in MAIL.BOX and determines where to send the
message for each recipient. The Router checks its routing table to calculate the next "hop" for the message on the
path to its recipients and determines the appropriate protocol -- either SMTP or Notes routing -- to transfer the
message. Using SMTP routing, the Router connects to the destination server -- the recipient's mail server, a relay
host, a smart host, or one of the servers in the recipient's Internet domain --and transfers the message. Using
Notes routing, the Router moves the message to the MAIL.BOX database on the server that is the next hop in the
path to the recipient's mail server. The Router on that server transfers the message to the next hop, until the
message is deposited in the MAIL.BOX database on the recipient's home server. The Router on the recipient's
server finds the Message (in MAIL.BOX on a Domino server) and delivers it to the recipient's mail file.
What is ODS? Which console command you use to upgrade the ODS version?
On Disk Structure, Compact –r command
How will you convert the entire mail file in to an ntf file?
Load convert –R mail\*.nsf templatename.ntf
What is NAT?
It means Network Address Translation.
How will you access the admin client, if you forgot the administrator password?
By using server id
Manager access: delete the database, encrypt it, modify it, and perform all tasks allowed to lower access levels.
Designer: - create full text index search. Modify [fields, forms, views, public agents].
Editor:-create, edit, read documents (editor can change other person documents also) (own documents and other
person’s documents).
Author:-create edit, read (own document).
Reader:-read documents, but cannot create or edit document.
Depositor:-create documents
No access: - none.
MTC – Mail tracker collector task read special mail tracker log files produced by router.
MTSTORE.NSF—Mail tracker store database.
Reports.NSF—Reports database to generate and store mail usage reports.
Program documents—to run tasks at scheduled intervals.
Server types:-
1. Domino utility server –provide application services only.
2. Domino messaging server—that provides messaging services.
3. Domino enterprise server – Provides both messaging and application services.
Lotus recommends that passwords of the certifier ids be at least of nine characters.
Connection document: contains the settings to schedule replication between servers and mail routing.
To run an agent (out of office), the minimum right for the user is Editor in R6, with Author access on admin4.NSF
(because the user's default right on admin4.NSF is Author access). To run an agent in general the minimum is Designer,
as well as the ACL right to create LotusScript/Java agents on the server.
access: - for ACL changes
Access: - For design changes.
Access: - For document changes.
XACL - can restrict or refine a user's access to the database, but it can’t be used to increase the ACL level
Pass thru server: -An intermediate server that helps a client /workstation to connect with group of servers.
Domino uses id file to identify users and to control access to servers. Id file contains:-
1. Owner’s name
2. A permanent license number
3. At least one note certificate from a certifier id. (an electronic stamp added to a user id or server id ).
4. Private Key.
5. Internet certificates (optional for client only).
6. One or more encrypted key created and distributed by users to allow other users to encrypt and decrypt fields
in a document.
7. A password, if the owner of the ID creates one.
8. Issued and expiry details.
9. Id file can store up to eight passwords through id properties.
Types of administrator:-
1. Full access administrator.
2. Administrator.
3. Database administrator.
4. Full remote control administrator.
5. View only administrator.
6. System administrator.
7. Restricted system administrator.
Administrator-gets all rights and privileges of database administrator and full-console administrator (but not
system administrator).
Full console administrator—gets rights and privileges of view-only console administrator (but not system
administrator)
System administrator -- gets rights and privileges of restricted system administrator
What is ECL and can we implement the ECL from server side.
An ECL is used to set up workstation data security. It lets you control which formulas and scripts created by
another user can run on your workstation. Workstation ECL is updated/Implemented from Server Admin's ECL by
creating a Security policy document.
One group which is already exists, if we want to deploy the explicit policy on them what is the step.
Select group-Tools pane-assign policy. (An Explicit policy always overrides the Organizational policy.)
instructions with AdminP. For instance, when a user is renamed, the certificate information is changed; this is
stored in a Person document in the Domino Directory (when the renaming process is in progress, this is indicated
in the Person document under the Change Request field), the Certification Log database (certlog.nsf, created when
the server is installed; it is used when assigning new certificates), admin4.nsf and the administrator.
I have a staff member who keeps getting an error every time she opens mail "error message: The public key that
is being used does not match the one that was certified."
The error message comes when the public key in the user's ID file is different from the one in the PAB. Hence go to
File - Tools - User ID - More Options and copy your public key to the PAB.
What if a mail.box gets corrupted? How will you solve it without shutting down the domino server?
When a mail.box gets corrupted, usually we can stop the Router and then work with the fixup and COMPACT
commands; if the problem still persists, we need to stop the server, take a backup of the mail.box, delete
it from the original location and then start the server. A new mail.box will be created.
A replica stub is an empty replica that has not yet been populated with documents. When you select File ->
Replication -> New Replica, or if you use the Admin client to create a replica, a replica stub is created
Can you have an Apache server handle Domino URLs on a different box?
This one-liner in your Apache httpd.conf file allows you to run both the Apache web server and Domino on the
same system, and have all your requests (be it for HTML or NSFs) received on port 80.
The Apache server should run on port 80, and the Domino server on some other port (10080 in this
example). The dot before nsf must be escaped so that it matches only a literal dot:
#Redirect all nsfs to Domino HTTP Server on port 10080
RedirectMatch /(.*)\.(nsf)(.*) http://localhost:10080/$1.$2$3
The Notes ID is required to install the full client and to access the servers. It is one of the security features of
Lotus Notes. Use a Java program to add and delete certificates from a Notes ID file, as well as cross certify a
SAFE.ID with a given certifier. Lotus uses a proprietary PKIX architecture for the Notes.ID files
can specify that only a subset of them be present during the actual ID recovery. For example, if you designate five
administrators for ID recovery but require only three administrators to unlock the ID file, any three of the five can
unlock the ID file. Designating a group of administrators and requiring only a subset also prevents problems that
occur if one administrator is unavailable or leaves the company. Before you can recover ID files, an administrator
who has access to the certifier ID file must specify recovery information, and the ID files themselves must be
made recoverable. There are three ways to do this:
At registration, administrators create the ID file with a certifier ID that contains recovery information.
Administrators export recovery information from the certifier ID file and have the user accept it.
(Only for Domino 6 servers and higher) Administrators change recovery information using a Domino 7
Administrator client. Subsequently, recovery information is added automatically to users' Notes IDs when users
authenticate to their home server.
Domino stores ID recovery information in the certifier ID file. The information stored includes the names of
administrators who are allowed to recover IDs, the address of the mail or mail-in database where users send an
encrypted backup copy of their ID files, and the number of administrators required to unlock an ID file. The mail or
mail-in database contains documents that store attachments of the encrypted backup ID files. These files are
encrypted using a random key and cannot be used with Notes until they are recovered.
An encrypted backup copy of the ID file is required to recover a lost or corrupted ID file. Recovering an ID file for
which the password has been forgotten is a bit easier. If the original ID file contains recovery information,
administrators can recover the ID file, even if an encrypted backup ID file doesn't exist.
You can set up ID recovery for user IDs at any time. If you do so before you register users, ID recovery
information is automatically added to user IDs the first time that users authenticate with their home servers. If you
set up ID recovery information after you have registered Notes users, recovery information is automatically added
to the user IDs the next time users authenticate with their home servers.
For each administrator, the user's ID file contains a recovery password that is randomly generated and encrypted
with the administrator's public key. The password is unique for each administrator and user.
In Domino 7, you can select the number of characters, or password length, for recovery passwords, which helps
determine password strength, or likelihood to be compromised. A password length that is less than 16 is
calculated using both alphanumeric characters and hexadecimals. Sixteen-character length passwords are
generated using hexadecimals only. While password strength is important, as a strong password is less likely to
be compromised, so is usability. A long and complex password can be difficult to use, so administrators also have
the ability to choose a shorter password length.
In addition, administrators can now configure a custom message to help walk users through ID recovery.
To recover an ID, users and administrators do the following:
1. A user contacts each designated administrator to obtain the administrator's recovery password.
2. The administrator obtains the recovery password by decrypting the recovery password stored in the user's ID
file using the administrator's private key.
3. The administrator then gives the recovery password to the user.
4. The user repeats Steps 1 through 3 until the minimum number of administrators to unlock the ID file is reached.
5. After the file is unlocked, the user must enter a new password to secure the ID file.
The same ID file can be recovered again using the same recovery passwords. However, you should urge users to
refresh the recovery information and create a new backup by re-accepting the recovery information after they
recover their ID files.
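The recovery workflow above (a random recovery password per designated administrator, any k of n administrators unlocking the ID, and the length/alphabet rule for recovery passwords) modelled in Python. This is an added example, not Domino or IBM code: the page does not say how the "any k of n" rule is enforced inside the ID file, so Shamir secret sharing over a prime field stands in for it, the encryption of each recovery password with that administrator's public key is omitted, and the administrator names and key values are made up.

```python
"""Model of the Notes ID recovery workflow described above.

Added example, not Domino or IBM code. The page does not say how the
"any k of n administrators" rule is enforced inside the ID file, so this
model uses Shamir secret sharing over a prime field as a stand-in: each
administrator's share plays the role of that administrator's recovery
password. In Domino each recovery password is also encrypted with that
administrator's public key; that step is omitted here.
"""
import math
import secrets
import string
from typing import Dict, Iterable, Tuple

PRIME = 2**127 - 1          # field modulus for the Shamir stand-in (assumption)
Share = Tuple[int, int]     # (x, y) point on the secret polynomial


def recovery_alphabet(length: int) -> str:
    """Alphabet the page describes: alphanumerics below 16 characters, hex only at 16."""
    if length >= 16:
        return string.digits + "abcdef"
    return string.ascii_letters + string.digits


def recovery_password_bits(length: int) -> float:
    """Entropy in bits of a random recovery password of the given length.

    Shows the usability trade-off: 16 hex characters give 64 bits, while
    12 alphanumeric characters already give about 71 bits.
    """
    return length * math.log2(len(recovery_alphabet(length)))


def random_recovery_password(length: int) -> str:
    """A random password drawn from the alphabet the page assigns to that length."""
    alphabet = recovery_alphabet(length)
    return "".join(secrets.choice(alphabet) for _ in range(length))


def _eval_poly(coeffs: Iterable[int], x: int) -> int:
    """Horner evaluation of c0 + c1*x + ... modulo PRIME."""
    result = 0
    for c in reversed(list(coeffs)):
        result = (result * x + c) % PRIME
    return result


def split_secret(secret: int, threshold: int, admins: Iterable[str]) -> Dict[str, Share]:
    """Give each designated administrator one share; any `threshold` of them rebuild the secret."""
    admins = list(admins)
    if not 1 <= threshold <= len(admins):
        raise ValueError("threshold must be between 1 and the number of administrators")
    coeffs = [secret % PRIME] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return {name: (i, _eval_poly(coeffs, i)) for i, name in enumerate(admins, start=1)}


def recover_secret(shares: Iterable[Share]) -> int:
    """Lagrange interpolation at x = 0 over the prime field."""
    points = list(shares)
    secret = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        secret = (secret + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return secret


def make_recoverable_id(backup_key: int, admins: Iterable[str], threshold: int) -> dict:
    """Recovery information as the certifier stores it: who may recover and how many are needed."""
    return {"threshold": threshold, "recovery_info": split_secret(backup_key, threshold, admins)}


def unlock_id(id_file: dict, passwords: Dict[str, Share]) -> int:
    """Steps 1 to 4 above: the user collects recovery passwords until the minimum is reached."""
    known = id_file["recovery_info"]
    usable = [share for name, share in passwords.items() if known.get(name) == share]
    if len(usable) < id_file["threshold"]:
        raise PermissionError(
            f"need {id_file['threshold']} recovery passwords, have {len(usable)}")
    return recover_secret(usable[: id_file["threshold"]])


if __name__ == "__main__":
    # Five designated administrators, any three of whom can unlock (constructed values).
    admins = ["Ann/Acme", "Bob/Acme", "Cid/Acme", "Dee/Acme", "Eve/Acme"]
    key = int.from_bytes(secrets.token_bytes(15), "big")   # keeps the secret below PRIME
    id_file = make_recoverable_id(key, admins, threshold=3)
    info = id_file["recovery_info"]
    print(unlock_id(id_file, {a: info[a] for a in admins[1:4]}) == key)
    print(f"16 hex chars: {recovery_password_bits(16):.1f} bits, "
          f"12 alphanumerics: {recovery_password_bits(12):.1f} bits")
```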
When users acquire a new public key, accept a name change, or accept or create a document encryption key,
Domino automatically sends updated encrypted backup ID files to the centralized database. In the case of a
server-based certificate authority, the recovery database will be updated once the user has connected to the
server. Recertifying a user does not generate an encrypted copy of the ID file to be sent to the recovery database,
as a user's Person Document already contains the updated public key.
If a user has been renamed by or moved to a different certifier that contains recovery information that is older than
that of the user's previous certifier, the new certifier's recovery information will not be accepted into the user's ID
file. Before using the new certifier, its recovery information must be updated so that it is more recent than the
previous certifier's recovery information. To do this, the administrator should modify the new certifier's recovery
information in some way and save it. This updates the recovery information for that certifier with a new timestamp,
and ensures that users who are subsequently renamed with or moved to the updated certifier will have the correct
recovery information propagated to their user IDs. The administrator can then undo the change, if desired.
To help prevent unauthorized users from recovering IDs without the authorized user's knowledge, make sure that
password verification is enabled for users and servers. If password verification is enabled, the authorized user
becomes aware of the change because the legitimate ID can no longer be used to access servers: the unauthorized
user who recovered the ID file was forced to change its password.
As an extra precaution, after recovering IDs, ask users to re-accept the recovery information and then change the
public key on their ID files. Re-accepting recovery information changes recovery password information in the ID
file. As of Domino 6, re-accepting recovery information happens automatically when the user accesses a
database on the home server. Changing the public key changes the public and private keys stored in the ID file.
ID recovery logging
Important information about client ID recovery activities is automatically logged to the local log.nsf file so that this
information is available to administrators for troubleshooting purposes.
The following ID recovery information will be logged locally.
Date and time when recovery information is accepted into the ID file
Instances when recovery information is rejected or fails to be accepted in the ID file.
Events that require a new backup to be mailed to the ID recovery database
Emailing the recovery ID to the recovery database (successes and failures)
Which task is used for delivering mail to non-Domino directories?
Directory assistance
Notes security
User authentication: the process that the Notes client and Domino server use to validate each other when a
client tries to access the Domino server.
Server security: controls access to the Domino server; server access is controlled by the server access list on
the Domino server.
Database security: controls access to the databases on the Domino server.
Global Domain Doc, Foreign domain doc, Foreign SMTP Domino Doc
Domains are defined by creating Domain documents. Multiple document types are available, based on the
requirements for routing mail. The following types of documents are available.
Adjacent domain document- this document is used to route mail between servers that are not in the same Notes
named network.
Foreign Domain Document-This document is used for connections between external applications. A typical
application used is a fax or pager gateway.
Foreign SMTP Domain Document-This document is used to route Internet mail when the server does not have
explicit DNS access.
Global Domain document- this document is used to route mail to Internet domains. Configuration information
regarding message conversion rules is defined in the document.
Replication Types:
Four Different types of replication exist. The type you choose affects the direction of replication as well as which
of the servers performs the work of the replication.
Pull Pull: Replication is bidirectional, whereby the source server initiates replication and pulls documents from the
target server. The source server then signals the target server's Replica task to pull documents in the opposite
direction. Both servers are involved in the replication.
Pull Push (Default): Replication is bidirectional, whereby the source server's Replica task performs all of the work,
pushing and pulling documents to and from the target server. The target server's Replica task is never engaged.
Pull Only: Replication is one-way, whereby the source server pulls documents from the target.
Push Only: Replication is one-way, whereby the source server pushes documents to the target.
If one partition shuts down, the others continue to run. If a partition encounters a fatal error, Domino's fault
recovery feature restarts only that partition, not the entire computer.
Partitioned servers can provide the scalability you need while also providing security. As your system grows, you
can migrate users from a partition to a separate server. A partitioned server can also be a member of a cluster if
you require high availability of databases. Security for a partitioned server is the same as for a single server.
When you set up a partitioned server, you must run the same version of Domino on each partition. However, if the
server runs on UNIX®, there is an alternative means to run multiple instances of Domino on the server: on UNIX,
you can run different versions of Domino on a single computer, each version with its own program directory. You
can even run multiple instances of each version by installing it as a Domino partitioned server.
Web server: Realm doc, Web site doc, Web agents, SSO, Gzip etc
Web Server: A Domino server is considered to be a web server when it is running the HTTP task. The HTTP task
can be started automatically by adding it to the ServerTasks= line in the server's Notes.ini file, or by issuing the
load http command at the server console.
Additional privileges in the access control list
equivalent role, and gives users access to create documents from any form in
a database.
Replicate or copy documents - Select this privilege to allow users to replicate or copy the database, or
documents from the database, locally or to the clipboard.
Updall
Updall is used to rebuild corrupted views and full-text indexes, as Update does, and has various options
that can be defined when it is launched by using a command-line switch. Updall is executed by default at 2:00 a.m.
and, unlike Update, can be run manually. Deletion stubs are removed, and views that haven't been used for 45 days
are deleted unless they are protected by the database designer. Setting the parameter
Default_Index_Lifetime_Days in the Notes.ini file enables an administrator to determine when Updall removes
unused views.
Update this view only | database -T viewtitle | Updates a specific view in a database. Use, for example, with -R to solve corruption problems.
Compact
Compact can be used to recover space in a database after documents are deleted. Deleting documents from a
Domino database does not actually decrease the size of the database. A deletion stub is created and the
document is removed permanently when compact is run, and the size of the DB is then reduced. Three types of
compacting are available.
In-place compacting with space recovery
In-place compacting with space recovery and reduction in file size
Copy-style compacting
backup utility, perform full backups of the databases shortly after compacting is complete. This style of
compacting allows users and servers to continue to access and edit databases during compacting.
When you run Compact without specifying options, Domino uses this style of compacting on databases that aren't
enabled for transaction logging. Domino also uses this style of compacting when you use the -B option. To
optimize disk space, it's recommended that you run Compact using the -B option
Copy-style compacting
A copy is created, and when the compact is complete, the original database is deleted. Because of this, there
needs to be sufficient disk space available to make the copy of the database, or an error will occur and the
compact will not work. During this type of compacting, a new database is created and a new DBIID is assigned.
Because a new database is actually being created, this option locks out all users and servers from editing the
database. Access using this version of compact for read only can be enabled if the -L switch is used at the time it
is run.
Compact should be run on all databases at least weekly if possible, but it should be run at a minimum of
once a month using compact -B to minimize the amount of disk space used. If Fixup does not correct a
database problem, running compact with the -c switch can attempt to correct the problem.
Characteristic | In place, space recovery | In place, space recovery with file size reduction | Copy-style
Databases that use it when Compact runs without options | Logged databases with no pending structural changes | Unlogged databases with no pending structural changes | Databases with pending structural changes
Databases you can use it on | Current release | Current release | Current release (need -c)
Relative speed | Fastest | Medium | Slowest
Users can read databases during compacting | Yes | Yes | No (unless -L option used)
Users can edit databases during compacting | Yes | Yes | No
Reduction in file size | No | Yes | Yes
Extra disk space required | No | No | Yes
Compact options
Compact - Basics
Option | Command-line equivalent | Description
Compact only this database or folder (to specify databases to compact using the Files tab, select the databases in the files pane) | database or database path (specify any additional options after the database path) | To compact a database in the Domino data folder, enter the file name, for example SALES.NSF. To compact databases in a folder within the data folder, specify the database path relative to the data folder. For example, to compact all databases in the folder DATA\SALES, specify SALES. If you choose "Compact all databases" (or don't specify a database path at the command line), Compact compacts all databases in the data folder and in folders within the data folder.
Compact - Options
Option | Command-line equivalent | Description
Compact database only if unused space is greater than x percent | -S percent | Compacts all databases with a specified percent of unused space. For example, if you specify 10, databases with 10% or more recorded unused space are compacted. Note that the unused space calculation is not always a reliable measure of unused space.
Discard any built view indexes | -D | Discards built view indexes. Use this option to compact databases just before you store them on tape, for example. Does copy-style compacting.
Compact - Style
Option | Command-line equivalent | Description
In-place (recommended) | -b | Uses in-place compacting and recovers unused space without reducing the file size, unless there's a pending structural change to a database, in which case copy-style compacting occurs. This is the recommended method of compacting.
Copy-style: Ignore errors and proceed | -i | Enables compacting to continue even if it encounters errors such as document corruption. Only used for copy-style compacting.
Compact - Advanced (not available through the Compact tool in the Files tab of the Domino Administrator)
Option | Command-line equivalent | Description
Document table bitmap optimization: Off | -f | Disables the "Document table bitmap optimization" database property. Does copy-style compacting.
Document table bitmap optimization: On | -F | Enables the "Document table bitmap optimization" database property. Does copy-style compacting.
Don't support specialized response hierarchy: Off | -h | Disables the "Don't support specialized response hierarchy" database property; in other words, supports specialized response hierarchy. Does copy-style compacting.
Delete and then archive | -j | Deletes documents from a database and then compacts the database.
What is the maximum number of databases accepted in the DB cache?
Total it can cache up to 121 databases.
If Server_Restricted=2 is set in the notes.ini file, only administrators can access the server; nobody else can.
By default, User.ID files expire in 2 years, and Server.ID and Cert.ID files expire in 100 years.
KitType=2 in the notes.ini file means that notes.ini belongs to a server; KitType=1 means it belongs to a client.
The limit on organizational units is 4 levels, but IBM recommends keeping only two organizational units.
When we register one organizational unit, it creates one ID file for the OU and a Certifier document in the Domino Directory.
When we register a user, Domino creates an ID file for the user, a Person document and a mail database.
When a user moves from one server to another server in a different domain, AdminP is not involved in the process;
only when the user moves from one server to another server in the same domain does AdminP process the request.
The LocalDomainServers group is created by default when we install the additional server.
Server console security can be implemented through the command Set Secure <password>.
If the administrator forgets the console password, just remove the set secure line from the notes.ini file.
If a user is included in both the server access group and the not-access-server group, the user can't access the server.
By default, all users have Author access to the Domino Directory.
Public documents mean that even users with no access can see and edit the created documents.
Lotus uses secret key encryption for field-level security.
Show Cluster - shows the local server's cluster name cache, which includes a list of all cluster members and their
status, based on information received during the server's cluster probes.
Replicators=number of tasks - this setting is specified in the server's notes.ini file.
Restart Port portname - restarts the TCPIP port or another port.
Start Port portname - starts a port, such as TCPIP.
Stop Port portname - stops a port.
Show Open database - shows the currently open databases.
Show Server - shows the server information.
Show Allports - shows information on all ports on the server.
Show Users - shows the users who have open sessions.
Show Memory - shows memory information on the server.
Show Time - shows the current time on the server.
Broadcast "Message" - broadcasts the message to every user with an open session.
Dbcache Show - shows the cache file information on the server.
Dbcache Flush - clears the cache on the server.
Show Diskspace - shows disk space information on the server.
To change the default NRPC port number, use the NOTES.INI setting portname_TCPIPAddress (for the TCPIP port,
TCPIP_TCPIPAddress) and enter a port number available on the system that runs the Domino server. TCP ports with
numbers less than 5000 are reserved for application vendors. You may use any number from 1024 through 5000, as
long as you don't install a new application that requires that number.
When we install the First Domino server the following are created automatically
Cert.id--This is Organization Certifier & saved in the Domino Directory
Server.id
Admin.id
A Mail Database is created for the Administrator
A personal document is created for the Administrator in domino directory.
A server Document is created.
A Domino Directory is created for server.
A configuration Document is created for Domino Directory
Log.nsf
Certlog.nsf
Admin4.nsf
These above 3 databases are required to run AdminP
Registration - If a policy including registration policy settings is in place before you register Notes users, these
settings set default user registration values including user password, Internet address format, roaming user
designation, and mail.
Setup - If a policy including setup policy settings is in place before you set up a new Notes client, these settings
are used during the initial Notes client setup to populate the user's Location document. Setup settings include
Internet browser and proxy settings, applet security settings, and desktop and user preferences.
Desktop - Use desktop policy settings to control and update the user's desktop environment or to reinforce setup
policy settings. For example, if a change is made to any of the policy settings, the next time users authenticate
with their home server, the desktop policy settings restore the default settings or distribute new settings specified
in the desktop policy settings document.
Mail archiving - Use archive policy settings to control mail archiving. Archive settings control where archiving is
performed and specify archive criteria.
Security - Use security settings to set up administration ECLs and define password-management options,
including the synchronization of Internet and Notes passwords.
"If a user is already registered, then we can apply only the Archive policy, Security policy and Setup policy."
"Policies were introduced in Domino R6."
Groups
Groups can be used for three purposes
Mailing
Server Security
Database Security
Mail Only
ACL only
Server Group
Deny List Group
Multi-purpose - Used for a group that has multiple purposes: mail, ACLs, and so on. (Default)
Access Control List only - Used for server and database access authentication only.
Mail only - Used for mailing list groups.
Servers only - Used in Connection documents and in the Domino Administration client's domain bookmarks for
grouping.
Deny List only - Used to control access to servers. Typically used to prevent terminated employees from
accessing servers, but this type of group can be used to prevent any user from accessing particular servers. The
Administration Process cannot delete any member of the group.
Encryption
Domino uses two types of encryption techniques:
RSA encryption
Dual key encryption
Encryption protects data from unauthorized access. For all types of encryption except network port encryption,
Domino uses public and private keys, so that data encrypted by one of the keys can be decrypted only by the
other. The public and private keys are mathematically related and uniquely identify the user. Both are stored in
the ID file. Within the ID file, the public key is stored in a certificate, but the private key is stored separately from
the certificate. The certificate containing the public key is also stored in the Domino Directory, where it is available
to other users.
To create Notes public and private keys, Domino uses the dual-key RSA cryptosystem and the RC2 and RC4
algorithms for encryption. To create the Internet public key, Domino uses the X.509 certificate format, which is an
industry-standard format that many applications, including Domino, understand.
Both the Notes client and Domino server support a 1024-bit RSA key and a 128-bit symmetric key for S/MIME and
SSL. The Notes proprietary protocols use a 630-bit key for key exchange, and a 64-bit symmetric key.
Adding a Cluster Server
Next, you'll be prompted to provide a name for your cluster. For this example we have selected to name the
cluster "MailCluster1".
We need to setup another Domino server on the same cluster in order for failover to function. Select another
Domino server and step through the same steps as shown above. The only exception, is when prompted for the
name of the cluster DO NOT select *Create New Cluster, select the down arrow key and select the cluster which
was created in the steps above. (MailCluster1)
The Domino server will add a couple of services to both of the domino servers
Creating mail database replicas in a cluster during user registration from the Domino Administrator
1. Click the People & Groups tab.
2. In the Tools pane, expand People, and then click Register.
3. In the "Choose a Certifier" dialog box, choose a certifier and click OK.
4. In the Register Person -- New Entry dialog box, select Advanced, and then click the Mail tab.
5. In the Mail system field, choose Lotus Notes.
6. Click Mail Server, and choose a cluster server as the Mail server.
7. Click Mail File Replicas.
8. Select "Create mail database replica(s)." A list is displayed of mail servers in the same cluster.
9. Do one of the following:
To create a replica of the mail database on all of the cluster servers, skip this step.
To change the list of servers to receive a replica, use the Remove and the Add Server(s) button.
10. (Optional) Select "Create mail replica(s) in background."
11. Click OK, and then complete any other fields you want on the Mail tab.
12. (Optional) If you want to set up the user for roaming in a cluster
13. Complete the rest of the user registration the way you normally would.
5. Save and close the Server document
Mail journaling
Mail journaling enables administrators to capture a copy of specified messages that the Router processes by the
Domino system. Journaling can capture all messages handled by the Router or only messages that meet specific
defined criteria. When mail journaling is enabled, Domino examines messages as they pass through MAIL.BOX
and saves copies of selected messages to a Domino Mail Journaling database (MAILJRN.NSF) for later retrieval
and review. Mail journaling works in conjunction with mail rules, so that you create a journaling rule to specify the
criteria for which messages to journal. For example, you can journal messages sent to or from specific people,
groups, or domains. Before depositing messages in the Mail Journaling database, the Router encrypts them to
ensure that only authorized persons can examine them. Journaling does not disrupt the normal routing of a
message. After the Router copies a message to the Mail Journaling database, it continues to dispatch the
message to its intended recipient.
Domino mail journaling differs from message archiving. Journaling works dynamically, making a copy of each
message as it passes through MAIL.BOX to its destination and placing the copy in the Mail Journaling database.
A copy of the message is retained, even if the recipient, or an agent acting on the recipient's mail file, deletes it
immediately upon delivery. Archiving is used to reduce the size of an active mail file database by deleting
messages from one location and moving them to an offline database, usually in another location, for long-term
storage. Archiving acts on messages that have already been delivered. Journaling is performed automatically by
the server; while archiving is a manual operation, performed by end users on their own mail files. End users can
search for and retrieve messages from a mail file archive, but only an authorized administrator can examine a
Mail Journaling database.
By default, mail journaling is not enabled. You enable journaling from the Configuration Settings document. To set
up the Mail Journaling database, you specify where to store journaled messages and then set options for
managing the security and size of the database. After you enable journaling, Domino automatically creates the
Mail Journaling database in the specified location.
To set up the Mail Journaling database
1. Make sure you already have a Configuration Settings document for the server(s) to be configured.
2. From the Domino Administrator, click the Configuration tab and expand the Messaging section.
3. Click Configurations.
4. Select the Configuration Settings document for the mail server or servers where you want to journal mail, and
click Edit Configuration.
5. Click the Router/SMTP - Advanced - Journaling tab.
6. Complete the following fields, and then click Save & Close:
Specifying messages to journal
After you enable journaling, set mail rules on the Configuration Settings document to specify which messages to
journal. If you specify all documents and a message is returned as undeliverable, Domino journals the delivery
failure report as well as the original message. When Domino journals a message, it sets a journal flag on the
message before transferring it to the next server on the route. This ensures that servers later in the routing path
do not journal the message again. When the Router on the destination mail server delivers the message to the
user's mail file, it removes the flag so that the user remains unaware that the message was journaled.
Field | Description
Journaling | Specifies whether the server supports mail journaling. Choose one: Enabled - Domino supports mail journaling on the servers governed by this document. To journal mail, create a server mail rule with the action "Journal this message." Disabled - (default) Mail journaling is not supported on the servers governed by this document.
Field encryption exclusion list | Specifies the names of Notes message fields that Domino does not encrypt when adding messages to the Mail Journaling database. Encrypted fields cannot be displayed in a view. List any fields you want to display in a view. By default, the following fields are not encrypted: Form, From, Principal, and Posted Date. Note: When using a mail-in database for journaling, Domino does not automatically encrypt messages added to the database. To encrypt messages in a mail-in database, use the Mail-in database document to specify encryption of incoming messages.
Database name | If you specified "Copy to local database" as the journaling method, specify the file name you want Domino to use when it creates the Mail Journaling database. The default name is MAILJRN.NSF.
Mail destination | If you specified "Send to mail-in database" as the journaling method, use this field to enter the name of the mail-in database to which the Router forwards messages to be journaled. Click the down-arrow to select the name of the mail-in database from the Domino Directory. Note: You must create the mail-in database beforehand; Domino does not automatically create mail-in databases for journaling.
Encrypt on behalf of user | If you specified "Copy to local database" as the journaling method, enter the fully qualified Notes name of the user whose certified public key Domino uses to encrypt messages added to the database. To ensure privacy, consider creating a special user ID for reviewing journaled messages, and protect the ID with multiple passwords. To encrypt messages sent to a mail-in database, enable encryption on the Administration tab of the Mail-in database document.
Database Management - Method | For local Mail Journaling databases, the entry in this field specifies how Domino controls the size of the Mail Journaling database. When the database management method in effect calls for Domino to create a new Mail Journaling database, on the day that it creates the new database, it does so at approximately 12:00 AM. Choose one of the following methods: Periodic Rollover - (default) When the current Mail Journaling database reaches the age specified in the Periodicity field, Domino renames the existing Mail Journaling database and creates a new Mail Journaling database with the original name. Note: Domino does not automatically control the size of the Mail Journaling database. If you do not use one of the available methods for controlling database size automatically, be sure to monitor the database size and use appropriate tools to archive the journal data. Purge/Compact - Domino deletes documents from the database after the number of days specified in the Data Retention field and then compacts the database. Size Rollover - When the current database reaches the size specified in the Maximum size field, Domino renames the database and creates a new Mail Journaling database with the original name.
Periodicity | If you specified Periodic Rollover in the preceding field, Domino displays this field for specifying the length, in days, of the rollover interval. The default value is 1 day.
Data Retention | If you specified Purge/Compact in the Database Management - Method field, Domino displays this field for specifying the time, in days, that a message remains in the Mail Journaling database before being deleted.
Maximum size | If you specified Size Rollover in the Database Management - Method field, Domino displays this field for specifying a size limit, in megabytes (MB), for the Mail Journaling database. After the database reaches the specified size, Domino renames it and creates a new one.
Starting and stopping the ISpy task
Create a TCP server event generator to verify the availability of the services on Internet ports on one or more
servers. A TCP server event generator uses the ISpy task to send a probe to test whether the server is
responding on a port. By default, the ISpy task monitors all enabled Internet ports (TCP services) on the server on
which it is running. You must start the ISpy task before you can create server and mail routing event generators.
The ISpy task does not start automatically. Use any of these methods to start and stop the ISpy task.
To do this | Perform this task
Start the ISpy task automatically when the server starts | Edit the ServerTasks setting in the NOTES.INI file to include runjava ISpy.
Start the ISpy task manually | Enter the command load runjava ISpy at the console.
Stop the ISpy task | Enter either the command tell runjava ISpy unload or tell runjava quit at the console.
On servers running the ISpy task, this task sends mail probes in the form of trace messages to test mail
connectivity approximately every five minutes. Under normal use, the ISpy task automatically deletes these
probes from the ISpy mail-in database and the only trace of them are entries in the Routing events view of the
server log file and on the server console. However, if you enable a journaling rule on these servers and specify
the condition "All documents," the Mail Journaling database will capture each trace message that the ISpy task
sends. To prevent the Mail Journaling database from filling up with these entries, configure a rule exception for
messages where the sender includes "ISpy."
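The journaling behaviour from "Specifying messages to journal" and the ISpy rule exception just described, as an added Python model that is not Domino code: the first journaling server on a message's route journals it once, the journal flag it sets keeps later servers from journaling it again, the destination Router strips the flag before delivery, and a sender exception keeps ISpy trace messages out of the journal. The server names, rule fields, flag name and messages are made up for the example.

```python
"""Model of how Domino journals a message along a multi-server route.

Constructed example, not Domino code. Server names, rule fields, the flag
name and the messages are made up; only the behaviour (journal a matching
message once, set a journal flag before transfer, strip it on delivery,
encrypt the journal copy, honour an "ISpy" sender exception) follows the page.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

JOURNAL_FLAG = "$JournaledAt"   # assumed field name; the page only says "a journal flag"


@dataclass
class JournalRule:
    """A server mail rule with the action "Journal this message"."""
    all_documents: bool = True                # condition "All documents"
    sender_exceptions: Tuple[str, ...] = ()   # e.g. ("ISpy",), as the page recommends

    def matches(self, msg: dict) -> bool:
        if any(token in msg["From"] for token in self.sender_exceptions):
            return False
        return self.all_documents


@dataclass
class Server:
    name: str
    journaling_enabled: bool = False          # Configuration Settings, Journaling field
    rule: Optional[JournalRule] = None
    journal: List[dict] = field(default_factory=list)        # stands in for MAILJRN.NSF
    mail_files: Dict[str, List[dict]] = field(default_factory=dict)

    def route(self, msg: dict, is_destination: bool) -> dict:
        """One pass of this server's Router over a message in MAIL.BOX."""
        msg = dict(msg)
        already_journaled = JOURNAL_FLAG in msg
        if self.journaling_enabled and self.rule and not already_journaled:
            if self.rule.matches(msg):
                # The Router encrypts the copy before depositing it, so only
                # authorized reviewers can read the journal.
                self.journal.append({**msg, "encrypted": True})
                # Flag set before transfer, so servers later on the route skip it.
                msg[JOURNAL_FLAG] = self.name
        if is_destination:
            # The recipient never sees that the message was journaled.
            msg.pop(JOURNAL_FLAG, None)
            self.mail_files.setdefault(msg["To"], []).append(msg)
        return msg


def deliver(msg: dict, path: List[Server]) -> dict:
    """Push a message through each server on its route; the last one delivers it."""
    last = len(path) - 1
    for hop, server in enumerate(path):
        msg = server.route(msg, is_destination=(hop == last))
    return msg


def demo() -> dict:
    """Two journaling servers on one route: the user's mail is journaled exactly
    once, and only the server without the ISpy exception journals the ISpy probe."""
    hub = Server("Hub/Acme", True, JournalRule(sender_exceptions=("ISpy",)))
    mail = Server("Mail1/Acme", True, JournalRule())
    user_msg = {"From": "Alice/Acme", "To": "Bob/Acme", "Subject": "Q3 figures"}
    probe = {"From": "ISpy on Mail1/Acme", "To": "ISpy Mail-In/Acme", "Subject": "trace"}
    delivered = deliver(user_msg, [hub, mail])
    deliver(probe, [hub, mail])
    return {
        "hub_journal": [m["Subject"] for m in hub.journal],
        "mail_journal": [m["Subject"] for m in mail.journal],
        "delivered_has_flag": JOURNAL_FLAG in delivered,
        "journal_copies_encrypted": all(m["encrypted"] for m in hub.journal + mail.journal),
    }


if __name__ == "__main__":
    print(demo())
```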