
Chapter 1

Deploying Domino
This chapter outlines the steps required to deploy IBM® Lotus® Domino™ 6 successfully
and introduces important concepts that you need to know before you install Domino
servers.

Guidepost for deploying Domino


Whether you’re setting up IBM Lotus Domino 6 and IBM Lotus Notes® 6 for the first time
or adding to an established Domino environment, planning is vital. Along with
determining your company’s needs, you need to plan how to integrate Domino into your
existing network. After planning is complete, you can begin to install and set up Domino
servers and the Domino Administrator and build the Domino environment. The
following list describes, in order, the process to use to deploy Domino.

1. Determine your company’s server needs. Decide where to locate each server
physically, taking into consideration local and wide-area networks and the function of
each server.
2. Develop a hierarchical name scheme that includes organization and
organizational unit names.
3. Decide whether you need more than one Domino domain.
4. Understand how server name format affects network name-to-address resolution for
servers. Ensure that the DNS records for your company are the correct type for the
server names.
5. Determine which server services to enable.
6. Determine which certificate authority — Domino server-based certification authority,
Domino 5 certificate authority, third-party — to use.
7. Install and set up the first Domino server.
8. Install and set up the Domino Administrator on the administrator’s machine.
9. Complete network-related server setup.
10. If the Domino server is offering Internet services, set up Internet site documents.
There are some instances where Internet Site documents are required.
11. Specify Administration Preferences.
12. Create additional certifier IDs to support the hierarchical name scheme.
13. Set up recovery information for the certifier IDs.
14. Add the administrator’s ID to the recovery information for the certifier IDs and then
distribute the certifier IDs, as necessary, to other administrators.
15. Register additional servers.
16. If you did not choose to do so during first server setup, create a group in the
Domino Directory for all administrators, and give this group Manager access to all
databases on the first server.
17. Install and set up additional servers.
18. Complete network-related server setup for each additional server.
19. Build the Domino environment.

Functions of Domino servers


Before you install and set up the first Domino server, consider the function and physical
location of the servers that your company needs and determine how to connect the
servers to each other. The current configuration of local and wide-area networks affects
many of these decisions. Consider your company’s need for:
• Servers that provide Notes and/or browser users with access to applications
• Hub servers that handle communication between servers that are geographically
distant
• Web servers that provide browser users with access to Web applications
• Servers that manage messaging services
• Directory servers that provide users and servers with information about how to
communicate with other users and servers
• Passthru servers that provide users and servers with access to a single server
that provides access to other servers
• Domain Search servers that provide users with the ability to perform searches
across all servers in a Domino domain
• Clustered servers that provide users with constant access to data and provide
load-balancing and failover
• Partitioned servers that run multiple instances of the Domino server on a single
computer
• Firewall servers that provide Notes users with access to internal Domino services
and protect internal servers from outside users
• xSP servers that provide users with Internet access to a specific set of Domino
applications

Your decisions help determine which types of Domino servers you require. When you
install each server, you must select one of the following installation options:
• Domino Utility Server — Installs a Domino server that provides application
services only, with support for Domino clusters. The Domino Utility Server is a
new installation type for Lotus Domino 6 that removes client access license
requirements. Note that it does NOT include support for messaging services. See the
full licensing text for details.
• Domino Messaging Server — Installs a Domino server that provides messaging
services. Note that it does NOT include support for application services or Domino
clusters.
• Domino Enterprise Server — Installs a Domino server that provides both
messaging and application services, with support for Domino clusters.

Note All three types of installations support Domino partitioned servers. Only the Domino
Enterprise Server supports a service provider (xSP) environment.

Hierarchical naming for servers and users

Hierarchical naming is the cornerstone of Domino security; therefore planning it is a
critical task. Hierarchical names provide unique identifiers for servers and users in a
company. When you register new servers and users, the hierarchical names drive their
certification, or their level of access to the system, and control whether users and servers
in different organizations and organizational units can communicate with each other.
Before you install Domino servers, create a diagram of your company and use the
diagram to plan a meaningful name scheme. Then create certifier IDs to implement the
name scheme and ensure a secure system.

A hierarchical name scheme uses a tree structure that reflects the actual structure of a
company. At the top of the tree is the organization name, which is usually the company
name. Below the organization name are organizational units, which you create to suit
the structure of the company; you can organize the structure geographically,
departmentally, or both. For example, the Acme company created this diagram for their
servers:

Looking at Acme’s diagram, you can see where they located their servers in the tree.
Acme decided to split the company geographically at the first level and create certifier
IDs for the East and West organizational units. At the next level down, Acme made its
division according to department. For more information on certifier IDs, see the topic
“Certifier IDs and certificates” in this chapter.

Components of a hierarchical name

A hierarchical name reflects a user’s or server’s place in the hierarchy and controls
whether users and servers in different organizations and organizational units can
communicate with each other. A hierarchical name may include these components:
• Common name (CN) — Corresponds to a user’s name or a server’s name. All
names must include a common name component.
• Organizational unit (OU) — Identifies the location of the user or server in the
organization. Domino allows for a maximum of four organizational units in a
hierarchical name. Organizational units are optional.
• Organization (O) — Identifies the organization to which a user or server belongs.
Every name must include an organization component.
• Country (C) — Identifies the country in which the organization exists. The country
is optional.

An example of a hierarchical name that uses all of the components is:

Julia Herlihy/Sales/East/Acme/US

Typically a name is entered and displayed in this abbreviated format, but it is stored
internally in canonical format, which contains the name and its associated components,
as shown below:

CN=Julia Herlihy/OU=Sales/OU=East/O=Acme/C=US
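The two representations above can be converted mechanically, and the component rules can be checked before a name is registered. The following Python is an added example written for this page, not Lotus or Domino code: it parses either form, enforces the rules stated above (one CN first, one O, at most four OUs, an optional two-letter C), converts between the forms, and derives the abbreviated certifier name that stamps a name. Two details are assumptions of this example rather than statements of the text: a trailing two-letter upper-case component in the abbreviated form is read as the country code, and `same_name_tree` treats two names as belonging to the same tree when their O and C components match.

```python
"""Added example (not Lotus/Domino code): parse, validate and convert Domino
hierarchical names between the abbreviated and canonical forms shown above.

Rules taken from the text: exactly one common name (CN), which comes first;
exactly one organization (O); at most four organizational units (OU); an
optional country (C). Assumptions of this example: in the abbreviated form a
trailing two-letter upper-case component is read as the country code, and
certifier names are written the way the chapter writes them (/Sales/East/Acme).
"""
from dataclasses import dataclass, field
from typing import List, Optional

MAX_OUS = 4
RANK = {"CN": 0, "OU": 1, "O": 2, "C": 3}  # required component order


@dataclass
class HierarchicalName:
    cn: str
    ous: List[str] = field(default_factory=list)  # nearest unit first
    o: str = ""
    c: Optional[str] = None

    def canonical(self) -> str:
        parts = [f"CN={self.cn}", *[f"OU={ou}" for ou in self.ous], f"O={self.o}"]
        if self.c:
            parts.append(f"C={self.c}")
        return "/".join(parts)

    def abbreviated(self) -> str:
        return "/".join([self.cn, *self.ous, self.o] + ([self.c] if self.c else []))

    def certifier(self) -> str:
        """Abbreviated name of the certifier ID that stamps this name."""
        return "/" + "/".join([*self.ous, self.o] + ([self.c] if self.c else []))

    def same_name_tree(self, other: "HierarchicalName") -> bool:
        """Names under the same organization (and country) share a name tree;
        names in different trees need a cross-certificate to communicate."""
        return (self.o, self.c) == (other.o, other.c)


def parse_name(text: str) -> HierarchicalName:
    """Accept abbreviated or canonical input and enforce the component rules."""
    raw = [p.strip() for p in text.strip().strip("/").split("/")]
    if any(not p for p in raw):
        raise ValueError(f"empty component in {text!r}")

    if all("=" in p for p in raw):                      # canonical form
        typed = [(k.strip().upper(), v.strip()) for k, v in (p.split("=", 1) for p in raw)]
    else:                                               # abbreviated form
        c = None
        if len(raw) >= 3 and len(raw[-1]) == 2 and raw[-1].isalpha() and raw[-1].isupper():
            c = raw.pop()  # assumption: trailing two-letter component is the country
        if len(raw) < 2:
            raise ValueError("a name needs at least a common name and an organization")
        typed = [("CN", raw[0]), *[("OU", ou) for ou in raw[1:-1]], ("O", raw[-1])]
        if c:
            typed.append(("C", c))

    unknown = [k for k, _ in typed if k not in RANK]
    if unknown:
        raise ValueError(f"unknown component type(s) {unknown} in {text!r}")
    ranks = [RANK[k] for k, _ in typed]
    if ranks != sorted(ranks):
        raise ValueError("components must be ordered CN, OU..., O, C")
    cns = [v for k, v in typed if k == "CN"]
    ous = [v for k, v in typed if k == "OU"]
    orgs = [v for k, v in typed if k == "O"]
    cs = [v for k, v in typed if k == "C"]
    if len(cns) != 1:
        raise ValueError("exactly one common name is required")
    if len(orgs) != 1:
        raise ValueError("exactly one organization is required")
    if len(ous) > MAX_OUS:
        raise ValueError(f"at most {MAX_OUS} organizational units are allowed")
    if len(cs) > 1 or (cs and not (len(cs[0]) == 2 and cs[0].isalpha())):
        raise ValueError("the country code is optional but must be two letters")
    return HierarchicalName(cn=cns[0], ous=ous, o=orgs[0], c=cs[0].upper() if cs else None)


if __name__ == "__main__":
    name = parse_name("Julia Herlihy/Sales/East/Acme/US")   # constructed input
    print(name.canonical())     # CN=Julia Herlihy/OU=Sales/OU=East/O=Acme/C=US
    print(name.certifier())     # /Sales/East/Acme/US
    print(name.same_name_tree(parse_name("CN=Mail-Hub01/OU=West/O=Acme/C=US")))
```

The `certifier()` result is the name of the certifier ID that must be available to whoever registers that user or server, which is what the decentralized certification discussed later in the chapter relies on.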

Note You can use hierarchical naming with wildcards as a way to isolate a group of
servers that need to connect to a given Domino server in order to route mail.

For more information, see the chapter “Setting Up Mail Routing.”

Domino domains

A Domino domain is a group of Domino servers that share the same Domino Directory.
As the control and administration center for Domino servers in a domain, the Domino
Directory contains, among other documents, a Server document for each server and a
Person document for each Notes user.

Planning for Domino domains

There are four basic scenarios for setting up Domino domains. The first scenario, which
many small- and medium-size companies use, involves creating only one Domino
domain and registering all servers and users in one Domino Directory. This scenario is
the most common and the easiest to manage.

The second scenario is common when a large company has multiple independent
business units. In this case, one organization spread across multiple domains may be the
best scenario. Then all servers and users are members of the same organization, and
each business unit administers its own Domino Directory.

A third scenario is common when multiple companies work closely together yet want to
retain individual corporate identities. Then one domain and multiple organizations may
work best. Finally, the fourth scenario involves maintaining multiple domains and
multiple organizations. This scenario often occurs when one company acquires another.
Sometimes the decision to create multiple Domino domains is not based on
organizational structure at all. For example, you may want to create multiple Domino
domains if you have slow or unreliable network connections that prohibit frequent
replication of a single, large directory. Keep in mind that working with multiple domains
requires additional administrative work and requires you to set up a system for
managing them. Domains can be used as a broad security measure. For example, you
can grant or deny a user access to servers and databases, based on the domain in which
the user is registered. Using an extended ACL is an alternative to creating multiple
domains, because you can use the extended ACL to specify different levels of access to a
single Domino Directory, based on organization name hierarchy.

Using Domino server partitioning, you can run multiple instances of the Domino server on
a single computer. By doing so, you reduce hardware expenses and minimize the number
of computers to administer because, instead of purchasing multiple small computers to
run Domino servers that might not take advantage of the resources available to them,
you can purchase a single, more powerful computer and run multiple instances of the
Domino server on that single machine. On a Domino partitioned server, all partitions
share the same Domino program directory, and thus share one set of Domino executable
files. However, each partition has its own Domino data directory and NOTES.INI file; thus
each has its own copy of the Domino Directory and other administrative databases. If one
partition shuts down, the others continue to run. If a partition encounters a fatal error,
Domino’s fault recovery feature restarts only that partition, not the entire computer.

For information on setting up fault recovery, see the chapter “Transaction Logging and
Recovery.”

Partitioned servers can provide the scalability you need while also providing security. As
your system grows, you can migrate users from a partition to a separate server. A
partitioned server can also be a member of a cluster if you require high availability of
databases. Security for a partitioned server is the same as for a single server. When you
set up a partitioned server, you must run the same version of Domino on each partition.
However, if the server runs on UNIX®, there is an alternative means to run multiple
instances of Domino on the server: on UNIX, you can run different versions of Domino on
a single computer, each version with its own program directory. You can even run
multiple instances of each version by installing it as a Domino partitioned server.

Whether or not to use partitioned servers depends, in part, on how you set up Domino
domains. A partitioned server is most useful when the partitions are in different Domino
domains. For example, using a partitioned server, you can dedicate different Domino
domains to different customers or set up multiple Web sites. A partitioned server with
partitions all in the same Domino domain often uses more computer resources and disk
space than a single server that runs multiple services. When making the decision to use
partitioned servers, remember that it is easier to administer a single server than it is to
administer multiple partitions. However, if your goal is to isolate certain server functions
on the network — for example, to isolate the messaging hub from the application hub or
isolate work groups for resource and activity logging — you might be willing to take on
the additional administrative work. In addition, running a partitioned server on a
multiprocessor computer may improve performance, even when the partitions are in the
same domain, because the computer simultaneously runs certain processes.

To give Notes users access to a Domino server where they can create and run Domino
applications, use a partitioned server. However, to provide customers with Internet
access to a specific set of Domino applications, set up an xSP server environment.

Deciding how many partitions to have

How many partitions you can install without noticeably diminishing performance depends
on the power of the computer and the operating system the computer uses. For optimal
performance, partition multiprocessor computers that have at least one, and preferably
two, processors for each partition that you install on the computer.

Certifier IDs and certificates

Certifier IDs and certificates form the basis of Domino security. To place servers and
users correctly within your organization’s hierarchical name scheme, you create a
certifier ID for each branch on the name tree. You use the certifiers during server and
user registration to “stamp” each server ID and user ID with a certificate that defines
where each belongs in the organization. Servers and users who belong to the same name
tree can communicate with each other; servers and users who belong to different name
trees need a cross-certificate to communicate with each other.
Each time you create a certifier ID, Domino creates a certifier ID file and a Certifier
document. The ID file contains the ID that you use to register servers and users. The
Certifier document serves as a record of the certifier ID and stores, among other things,
its hierarchical name, the name of the certifier ID that issued it, and the names of
certificates associated with it.

There are two types of certifier IDs: organization and organizational unit.

Organization certifier ID

The organization certifier appears at the top of the name tree and is usually the name of
the company — for example, Acme. During first server setup, the Server Setup program
creates the organization certifier and stores the organization certifier ID file in the
Domino data directory, giving it the name CERT.ID. During first server setup, this
organization certifier ID automatically certifies the first Domino server ID and the
administrator’s user ID. If your company is large and decentralized, you might want to
use the Domino Administrator after server setup to create a second organization certifier
ID to allow for further name differentiation — for example, to differentiate between
company subsidiaries.

For more information on working with multiple organizations, see the topic “Domino
domains” earlier in this chapter.

Organizational unit certifier IDs


The organizational unit certifiers are at all the branches of the tree and usually represent
geographical or departmental names — for example, East/Acme or Sales/East/Acme. If
you choose to, you can create a first-level organizational unit certifier ID during server
setup, with the result that the server ID and administrator’s user ID are stamped with the
organizational unit certifier rather than with the organization certifier. If you choose not
to create this organizational unit certifier during server setup, you can always use the
Domino Administrator to do it later — just remember to recertify the server ID and
administrator’s user ID.

Managing Notes Users.” For information on recertifying server IDs, see the chapter
“Maintaining Domino Servers.”
You can create up to four levels of organizational unit certifiers. To create first-level
organizational unit certifier IDs, you use the organization certifier ID. To create second-
level organizational unit certifier IDs, you use the first-level organizational unit certifier
IDs, and so on. Using organizational unit certifier IDs, you can decentralize certification
by distributing individual certifier IDs to administrators who manage users and servers in
specific branches of the company. For example, the Acme company has two
administrators. One administers servers and
users in West/Acme and has access to only the West/Acme certifier ID, and the other
administers servers and users in East/Acme and has access to only the East/Acme
certifier ID.

Certifier security

By default, the Server Setup program stores the certifier ID file in the directory you
specify as the Domino data directory. When you use the Domino Administrator to create
an additional organization certifier ID or organizational unit certifier ID, you specify where
you want the ID stored. To ensure security, store certifiers in a secure location — such as
a disk locked in a secure area.

User ID recovery

To provide ID and password recovery for Notes users, you need to set up recovery
information for each certifier ID. Before you can recover user ID files, you need access to
the certifier ID file to specify the recovery information, and the user ID files themselves
must be made recoverable. There are three ways to do this:
• At user registration, create the ID file with a certifier ID that contains recovery
information.
• Export recovery information from the certifier ID file and have the user accept it.
• (Only for servers using the server-based certification authority) Add recovery
information to the certifier. Then, when existing users authenticate to their home server,
their IDs are automatically updated.

For more information, see the chapter “Protecting and Managing Notes IDs.”

Example of how certifier IDs mirror the hierarchical name scheme

To implement their hierarchical name scheme, the Acme company created a certifier ID
at each branch of the hierarchical name tree:

To register each server and user, Acme does the following:


• Creates /Acme as the organization certifier ID during first server setup.
• Uses the /Acme certifier ID to create the /East/Acme and /West/Acme certifier IDs.
• Uses the /East/Acme certifier ID to register servers and users in the East coast
offices and uses the /West/Acme certifier ID to register servers and users in the
West coast offices.
• Uses the /East/Acme certifier ID to create the /Sales/East/Acme,
/Marketing/East/Acme, and /Development/East/Acme certifier IDs.
• Uses the /West/Acme certifier ID to create the /HR/West/Acme,
/Accounting/West/Acme, and /IS/West/Acme certifier IDs.
• Uses the /Sales/East/Acme, /Marketing/East/Acme, and /Development/East/Acme
certifier IDs to register users and servers in the East coast division.
• Uses the /HR/West/Acme, /Accounting/West/Acme, and /IS/West/Acme certifier
IDs to register users and servers in the West coast division.

Before you start the Server Setup program, decide which services and tasks to set up on
the server. If you don’t select the services during the setup program, you can later
enable them by editing the ServerTasks setting in the NOTES.INI file or by starting the
server task from the server console.
Internet services

The Domino Server Setup program presents these selections for Internet services:
• Web Browsers (HTTP Web services)
• Internet Mail Clients (SMTP, POP3, and IMAP mail services)
• Directory services (LDAP)

Advanced Domino services

These Domino services, which are necessary for the proper operation of the Domino
infrastructure, are enabled by default when you set up a Domino server:
• Database Replicator
• Mail Router
• Agent Manager
• Administration Process
• Calendar Connector
• Schedule Manager
• DOLS (Domino Off-Line Services)

These are optional advanced Domino server services that you can enable:
• DIIOP CORBA Services
• DECS (Domino Enterprise Connection Services)
• Billing
• HTTP Server
• IMAP Server
• ISpy
• LDAP Server
• POP3 Server
• Remote Debug Server
• SMTP Server
• Stats
• Statistic Collector
• Web Retriever
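The services above map to entries on the ServerTasks line of NOTES.INI, which the text names as the way to enable a service after setup; the same line is where a service that a server does not need (an Internet-facing task such as HTTP, LDAP, POP3, IMAP or SMTP on a server that does not offer that service) is removed. The following Python is an added example, not part of the original documentation and not Domino code, showing how a deployment script can read and change that setting without disturbing the rest of the file. The NOTES.INI text is constructed; the task keywords in it (Update, Replica, Router, AMgr, AdminP, CalConn, Sched, HTTP, LDAP) are Domino's keywords for those tasks, and the example assumes one key=value per line with a comma-separated task list.

```python
"""Added example (not Lotus/Domino code): enable or disable a server task by
editing the ServerTasks= line of NOTES.INI.

Assumptions: the file holds one key=value per line, the ServerTasks value is
a comma-separated list, and key comparison is case-insensitive. The sample
file below is constructed for this example.
"""
from typing import List

SAMPLE_NOTES_INI = """\
[Notes]
Directory=/local/notesdata
ServerTasks=Update,Replica,Router,AMgr,AdminP,CalConn,Sched,HTTP,LDAP
ServerName=Mail-Hub01/East/Acme
"""


def _split_tasks(value: str) -> List[str]:
    """Split a ServerTasks value, dropping empty entries and surrounding spaces."""
    return [t.strip() for t in value.split(",") if t.strip()]


def get_server_tasks(ini_text: str) -> List[str]:
    """Return the task list from the ServerTasks line, or [] if there is none."""
    for line in ini_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == "servertasks":
            return _split_tasks(value)
    return []


def set_server_task(ini_text: str, task: str, enabled: bool) -> str:
    """Return the INI text with `task` added to (enabled=True) or removed from
    (enabled=False) the ServerTasks line. Other lines are left untouched; a
    missing ServerTasks line is created when enabling; adding an already
    present task is a no-op, so the function is safe to run repeatedly."""
    out, found = [], False
    for line in ini_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == "servertasks":
            found = True
            tasks = _split_tasks(value)
            already = any(t.lower() == task.lower() for t in tasks)
            if enabled and not already:
                tasks.append(task)
            elif not enabled:
                tasks = [t for t in tasks if t.lower() != task.lower()]
            line = "ServerTasks=" + ",".join(tasks)
        out.append(line)
    if enabled and not found:
        out.append(f"ServerTasks={task}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # A messaging hub that offers no directory service to clients: drop LDAP.
    hardened = set_server_task(SAMPLE_NOTES_INI, "LDAP", enabled=False)
    print(hardened)
    print(get_server_tasks(hardened))
```

Domino reads NOTES.INI at startup, so a change made this way takes effect at the next server restart; until then the task can be started or stopped from the server console as the text describes.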
Table of Domino naming requirements

Consider these guidelines when naming parts of the Domino system.

| Name | Characters | Tips |
| --- | --- | --- |
| Domino domain | 31 maximum | This is usually the same as the organization name. Use alpha (A-Z) or numeric (0-9) characters. |
| Notes named network | 31 maximum | By default, the Server Setup program assigns names in the format port name network — an identifier such as the location of the Notes named network and the network protocol — for example, TCPIP-Boston. |
| Organization | 3-64 maximum* | This name is typically the same as the Domino domain name. It is the name of the organization certifier ID and is appended to all user and server names. |
| Organizational unit | 32 maximum* | There can be up to four levels of organizational units. |
| Server | 79 maximum | Choose a name you want to keep. If you change a server name, you must recertify the server ID. Choose a name that meets your network’s requirements for unique naming. On TCP/IP, use only the characters 0 through 9, A through Z, and - (dash), and do not use spaces or underscores. On NetBIOS, the first 15 characters must be unique. On SPX, the first 47 characters must be unique. Keep in mind that Domino performs replication and mail routing on servers named with numbers before it does those tasks on servers named with alphabetic characters. |
| User | 79 maximum* | Use a first and last name. A middle name is allowed, but usually not needed. |
| Alternate user | No minimum | Can have only one alternate name. |
| Group | 62 maximum | Use any of these characters: A - Z, 0 - 9, & - . _ ’ / (ampersand, dash, period, space, underscore, apostrophe, and forward slash). For mail routing, you can nest up to five levels of groups. For all other purposes, you can nest up to six levels of groups. |
| Port | No maximum | Do not include spaces. |
| Country code | 0 or 2 | Optional. |

* This name may include alpha characters (A - Z), numbers (0 - 9), and the ampersand
(&), dash (-), period (.), space ( ), and underscore (_).

For more information on network name requirements and the effect that server name
format has on network name-to-address resolution, see the chapter
“Setting Up the Domino Network.”
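As an added example (not from the original documentation and not Domino itself), the following Python turns the table into a checker that a practitioner can run over proposed names before registration, since a server name that violates the TCP/IP rule or collides on its first 15 characters is expensive to change later (the server ID must be recertified). It assumes the footnoted character set applies to exactly the names the table marks with an asterisk, that Domino domain names are limited to letters and digits as the table says, and that the TCP/IP rule for server names is applied case-insensitively. The sample names are constructed.

```python
"""Added example (not Lotus/Domino code): check proposed names against the
length and character rules in the naming table, and report server names
whose first 15 characters collide (the NetBIOS uniqueness rule).

Assumptions: footnoted names (organization, organizational unit, user) use the
footnote character set; Domino domain names are letters and digits only; the
TCP/IP server-name rule is applied case-insensitively.
"""
import re
from typing import Dict, List, Optional, Pattern, Tuple

FOOTNOTE_CHARS = re.compile(r"^[A-Za-z0-9&\-. _]+$")   # table footnote (*)
GROUP_CHARS = re.compile(r"^[A-Za-z0-9&\-. _'/]+$")      # group rule in the table
TCPIP_SERVER_CHARS = re.compile(r"^[A-Za-z0-9\-]+$")      # no spaces, no underscores
ALNUM = re.compile(r"^[A-Za-z0-9]+$")

# kind -> (minimum length, maximum length or None, allowed-character pattern or None)
RULES: Dict[str, Tuple[int, Optional[int], Optional[Pattern]]] = {
    "domain":       (1, 31, ALNUM),
    "nnn":          (1, 31, None),
    "organization": (3, 64, FOOTNOTE_CHARS),
    "ou":           (1, 32, FOOTNOTE_CHARS),
    "server":       (1, 79, None),
    "user":         (1, 79, FOOTNOTE_CHARS),
    "group":        (1, 62, GROUP_CHARS),
    "port":         (1, None, None),
}


def check_name(kind: str, name: str, *, tcpip: bool = False) -> List[str]:
    """Return the rule violations for `name`; an empty list means it passes."""
    lo, hi, pattern = RULES[kind]
    problems = []
    if len(name) < lo:
        problems.append(f"{kind} name shorter than {lo} characters")
    if hi is not None and len(name) > hi:
        problems.append(f"{kind} name longer than {hi} characters")
    if pattern is not None and not pattern.match(name):
        problems.append(f"{kind} name contains characters outside the allowed set")
    if kind == "port" and " " in name:
        problems.append("port name must not include spaces")
    if kind == "server" and tcpip and not TCPIP_SERVER_CHARS.match(name):
        problems.append("on TCP/IP a server name may use only 0-9, A-Z and dash")
    return problems


def check_country_code(code: str) -> List[str]:
    """The country code is optional: either empty or exactly two characters."""
    return [] if len(code) in (0, 2) else ["country code must be empty or two characters"]


def netbios_collisions(server_names: List[str]) -> Dict[str, List[str]]:
    """Group server names whose first 15 characters match, ignoring case;
    such names are not distinguishable on NetBIOS."""
    buckets: Dict[str, List[str]] = {}
    for name in server_names:
        buckets.setdefault(name[:15].upper(), []).append(name)
    return {prefix: names for prefix, names in buckets.items() if len(names) > 1}


if __name__ == "__main__":
    # constructed sample input
    candidates = [("server", "Mail-Hub01"), ("server", "mail hub_01"),
                  ("group", "LocalDomainAdmins"), ("organization", "Ac")]
    for kind, name in candidates:
        print(kind, repr(name), check_name(kind, name, tcpip=(kind == "server")) or "ok")
    print(netbios_collisions(["BostonMailServer01", "BostonMailServer02", "Hub-West"]))
```

The SPX rule (first 47 characters unique) can be added the same way by changing the prefix length; the TCP/IP check is only applied when `tcpip=True`, because the table restricts the character set only for that protocol.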
After installing the first Domino server and any additional servers, you configure the
servers and build the environment. This overview lists the features that you may want to
include in your Domino environment.
1. Create Connection documents for server communication.
2. If you have mobile users, set up modems, dialup support, and RAS.
3. Set up mail routing.
4. Establish a replication schedule.
5. Configure incoming and outgoing Internet mail (SMTP).
6. Customize the Administration Process for your organization.
7. Plan and create policies before you register users and groups.
8. Register users and groups.
9. Determine backup and maintenance plans and consider transaction logging.
10. Consider remote server administration from the Domino console or Web
Administrator console. Also consider the use of an extended administration server.
11. Set up a mobile directory catalog on Notes clients to give Notes users local access to
a corporate-wide directory.
12. Consider implementing clustering on servers.

Chapter 2

Setting Up the Domino Network
This chapter describes planning concepts and presents protocol-specific procedures
required to run Domino on a network. The chapter describes using network protocols
from a Domino perspective and does not provide general network information.

Lotus Domino and networks

A variety of client systems can use wireless technology or modems to communicate with
Domino servers over local area networks (LANs), wide area networks (WANs), and
metropolitan area networks (MANs). To govern how computers share information over a
network, they use one or more protocols, which are sets of rules. For example, Notes
workstations and Domino servers use the Notes remote procedure call (NRPC) protocol
running over the LAN’s network protocol to communicate with other Domino servers.
Other client systems, such as Web browsers, Internet mail clients, wireless application
protocol (WAP) devices, and personal information management (PIM) devices, can also
communicate with Domino servers.

Isolated LANs can be connected by WANs. A WAN is either a continuous connection —
such as a frame-relay, leased telephone line, or digital subscriber line (DSL) — or a dialup
connection over a modem or Integrated Services Digital Network (ISDN) line. Dialup
connections are either to an individual server or to a LAN (through a provider network or
your company’s own communications server). Buildings or sites that are geographically
close to each other can use a MAN, which is a continuous, high-speed connection that can
connect corporate LANs or connect a LAN to the WAN. Like a WAN, a MAN is usually
shared by multiple organizations. Wireless technology that works with Domino ranges
from localized transmission systems (802.11a or 802.11b) to national or international
satellite transmission systems that are geostationary, mid-orbit, or tracked orbit.

If you are planning a network for geographically dispersed locations, consider how to
achieve a cost-effective infrastructure. Placing servers in one location requires that users
in other locations access the Domino server across WAN connections, which can be slow
and expensive. Placing servers in every location and replicating databases to make the
same information available on several LANs requires attention to administration at each
location. One effective way to set up a network is to use a hub server at each location to
handle communication with hub servers in other locations. Then, only the hub servers,
not every server in the network, use WAN connections.

The functionality of Notes workstations and Domino servers depends on the
effectiveness and capacity of networks. To plan a Domino network with sufficient
capacity, you must consider not only the traffic to and from Domino servers but also any
other traffic on the network.

NRPC communication

Domino servers offer many different services. The foundation for communication
between Notes workstations and Domino servers or between two Domino servers is the
Notes remote procedure call (NRPC) service.

Network protocols for NRPC communication

To communicate, two computers must run the same network protocol and software
driver. For dialup connections, Lotus Domino uses its own X.PC protocol natively; Notes
and Domino also support PPP using either Microsoft Dialup Networking (DUN) or Remote
Access Service (RAS) for network dialup. In addition, you can use any IETF-compliant PPP
communications server to dial into the network on which the Domino server resides or
through which the server can be accessed.
On LANs, Lotus Domino is compatible with the TCP/IP and IPX/SPX protocol suites, as
well as NetBIOS over the lower transports IP, IPX, and NetBEUI. For NetBIOS
connections to work, both Notes workstations and Domino servers must use the same
lower transport.

For detailed information on which protocols are compatible with Lotus Domino for each
supported operating system, see the Release Notes.

Notes network ports

During the Server Setup program, Domino provides a list of Notes network ports based on
the current operating system configuration. If these ports are not the ones you want to
enable for use with the Domino server, you can edit the list during setup. Because each
network protocol consumes memory and processing resources, you might want to
exclude one or more ports and later remove the associated protocol software from the
system. In TCP/IP and NetBIOS, you can install multiple network interface cards (NICs)
and enable additional Notes network ports for each protocol, using the NOTES.INI file to
bind each port to a separate IP address or NetBIOS LANA number. For more information,
see the topic “Adding a network port on a server” later in this chapter.

Notes named networks


Consider Notes named networks in your planning. A Notes named network (NNN) is a
group of servers that can connect to each other directly through a common LAN protocol
and network pathway — for example, servers running on TCP/IP in one location. Servers
on the same NNN route mail to each other automatically, whereas you need a
Connection document to route mail between servers on different NNNs. When you set up
Server documents, be sure to assign each server to the correct NNN. Lotus Domino
expects a continuous connection between servers that are in the same NNN, and serious
delays in routing can occur if a server must dial up a remote LAN because the remote
server is inadvertently placed within the NNN. Also bear in mind that the Notes Network
field for each port can contain only one NNN name, and no two NNN names can be the
same.

NNNs affect Notes users when they use the Open Database dialog box. When a user
selects Other to display a list of servers, the servers displayed are those on the NNN of
the user’s home server for the port on which the Notes workstation communicates with
the home server. Also, when users click on a database link or document link, if a server in
their home server’s NNN has a replica of that database, they can connect to the replica.

Note If a server is assigned to two NNNs in the same protocol, as in the case where the
server has two Notes network ports for TCP/IP, a Notes workstation or Domino server
connecting to that server uses the NNN for the port listed first in the Server document.
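The following Python is an added example, not Domino code, that models the NNN assignments from a few constructed Server documents and derives the consequences described above: which server pairs route mail directly because they share an NNN, which pairs need a Connection document, and which NNN is used when a server lists two ports for the same protocol. Reducing a Server document to a name plus an ordered list of (port name, protocol, NNN) entries, and the sample servers themselves, are assumptions of the example.

```python
"""Added example (not Lotus/Domino code): derive mail-routing consequences
from the Notes named network (NNN) entries on Server documents.

Assumptions: a Server document is reduced to its name and an ordered list of
(port name, protocol, NNN) entries, in the order the ports are listed in the
document; all sample data below is constructed.
"""
from itertools import combinations
from typing import Dict, List, Optional, Tuple

Port = Tuple[str, str, str]  # (port name, protocol, Notes named network)

# Constructed sample of Server documents: three servers in Boston, one in Denver.
SERVERS: Dict[str, List[Port]] = {
    "Hub-Boston/Acme":  [("TCPIP", "TCP/IP", "TCPIP-Boston"), ("SPX", "IPX/SPX", "SPX-Boston")],
    "Mail-Boston/Acme": [("TCPIP", "TCP/IP", "TCPIP-Boston")],
    "Hub-Denver/Acme":  [("TCPIP", "TCP/IP", "TCPIP-Denver")],
    "App-Boston/Acme":  [("TCPIP", "TCP/IP", "TCPIP-Boston"), ("TCPIP2", "TCP/IP", "TCPIP-Lab")],
}


def effective_nnn(ports: List[Port], protocol: str) -> Optional[str]:
    """NNN a connecting workstation or server uses for a protocol: the NNN of
    the first-listed port of that protocol (None if the protocol is absent)."""
    for _, proto, nnn in ports:
        if proto == protocol:
            return nnn
    return None


def shared_nnns(a: List[Port], b: List[Port]) -> List[str]:
    """NNNs both servers belong to; mail between them routes automatically."""
    return sorted({nnn for _, _, nnn in a} & {nnn for _, _, nnn in b})


def connection_documents_needed(servers: Dict[str, List[Port]]) -> List[Tuple[str, str]]:
    """Server pairs with no NNN in common: mail between them needs a
    Connection document on at least one side."""
    return [(x, y) for x, y in combinations(sorted(servers), 2)
            if not shared_nnns(servers[x], servers[y])]


def duplicate_protocol_ports(servers: Dict[str, List[Port]]) -> Dict[str, str]:
    """Servers with two ports on one protocol, mapped to the NNN that others
    will actually use to reach them (the first-listed port's NNN)."""
    result: Dict[str, str] = {}
    for name, ports in servers.items():
        protocols = [proto for _, proto, _ in ports]
        for proto in set(protocols):
            if protocols.count(proto) > 1:
                result[name] = effective_nnn(ports, proto)
    return result


if __name__ == "__main__":
    for pair in connection_documents_needed(SERVERS):
        print("Connection document needed:", pair)
    print("First-listed NNN wins:", duplicate_protocol_ports(SERVERS))
```

Running the check over exported Server documents before adding a remote site to an existing NNN is a cheap way to catch the dial-up case the text warns about: a server that shares no LAN pathway with the others must not share their NNN name.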

Resolving server names to network addresses in NRPC

Communications between Lotus Notes and Lotus Domino run over the NRPC protocol on
top of each supported LAN protocol. When a Notes workstation or Domino server attempts
to connect to a Domino server over a LAN, it uses a combination of the built-in Notes
Name Service and the network protocol’s name-resolver service to convert the name of
the Domino server to a physical address on the network. The Notes Name Service resolves
Domino common names to their respective protocol-specific names. Because the Notes
Name Service resolves common names by making calls to the Domino Directory, the
service becomes available to the Notes workstation only after the workstation has
successfully connected to its home (messaging) server for the first time. (The protocol
name-resolver service normally makes the first connection possible.) When the Notes
workstation makes a subsequent attempt to connect to a Domino server, the Notes Name
Service supplies it with the Domino server’s protocol-specific name — that is, the name
that the server is known by in the protocol’s name service — which is stored in the
protocol’s Net Address field in the Server document. The protocol’s name-resolver
service then resolves the protocol-specific name to its protocol-specific address, and the
workstation is able to connect to the server.

Note When resolving names of Domino servers that offer Internet services, Lotus Notes
uses the protocol’s name-resolver service directly.
How name resolution works in NRPC

A Notes workstation or Domino server follows these steps to resolve the name of the
Domino server to which it is trying to connect over NRPC.

Note If the Net Address field in the Server document contains a physical address — a
practice that is not recommended in a production environment — the Notes Name
Service performs the resolve directly, thus placing the burden of maintaining physical
address changes on the Domino administrator.
1. If the workstation/server has a Connection document for the destination server that contains the protocol-specific name, the workstation/server passes the protocol-specific name to the protocol’s name-resolver service. If the Connection document contains a physical address, the Notes Name Service performs the resolve directly. Normal-priority Connection documents are checked first, and then low-priority Connection documents.

Note Unlike in Server documents, adding physical addresses in Connection documents is not discouraged, since only the local workstation/server uses the Connection document.

2. To determine if the destination server’s protocol-specific name is cached, the workstation checks the Location document and the server checks its own Server document. If the name is cached, the workstation/server uses the last-used Notes network port to determine the protocol and passes this value to the protocol’s name-resolver service.
3. If the protocol-specific name is not cached, one of the following occurs, based on the
list order of enabled Notes network ports:
For a Notes workstation connected to the home (messaging) server, Notes gives the
common name of the destination Domino server to the home server, which looks in the
Domino Directory for the Server document of the destination server. The home server
locates the contents of the Net Address field for the Notes
named network that the Notes workstation has in common with the destination server
and passes this name to the protocol’s name-resolver service. If the workstation and the
destination server are in the same Domino domain but not in the same Notes named
network, the home server locates the names of each protocol that the workstation has in
common with the destination server and passes each to the appropriate protocol until a
resolve is made. If the Notes workstation can’t access its home server, it connects to its
secondary Notes name server, which carries out the
same actions as the home server.
For a Domino server, Domino checks the Server document for the destination server,
locates the contents of the Net Address field for the Notes named network that the
Domino server has in common with the destination server, and passes this name to the
protocol’s name-resolver service. If the destination server is in the same Domino domain
as the Domino server, but not in the same Notes named network, the Domino server
locates the protocol name of
each protocol that it has in common with the destination server and passes each to the
appropriate protocol until a resolve is made.
4. If Steps 1 through 3 do not produce the server’s network address, the workstation/server offers the Domino common name of the destination server to the name-resolver service of each protocol, based on the order of the enabled network ports in the Server document.
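The four steps above, modelled as a small resolver so that the order of precedence (Connection document, cached name, Domino Directory lookup, common name handed straight to the protocol) can be traced on sample data. This is an added illustration and not Lotus code: the ConnectionDoc, ServerDoc and Requester classes, the sample Domino Directory, the Connection document and the dictionary standing in for DNS are all constructed for the example, and only one LAN protocol (TCP/IP) is modelled.

```python
"""Model of the four NRPC name-resolution steps described above.

Added illustration, not Lotus code: ConnectionDoc, ServerDoc, Requester and
the sample directory/DNS below are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class ConnectionDoc:
    destination: str          # Domino common name of the destination server
    net_address: str          # protocol-specific name or a physical address
    priority: str = "normal"  # "normal" documents are checked before "low"


@dataclass
class ServerDoc:
    common_name: str
    domain: str
    # Notes named network -> protocol-specific name (the Net Address field)
    net_addresses: Dict[str, str] = field(default_factory=dict)


@dataclass
class Requester:
    """A Notes workstation (or Domino server) and the documents it can see."""
    domain: str
    named_networks: List[str]                  # enabled ports, in list order
    connection_docs: List[ConnectionDoc] = field(default_factory=list)
    name_cache: Dict[str, str] = field(default_factory=dict)      # Location/Server doc cache
    directory: Dict[str, ServerDoc] = field(default_factory=dict)  # home server's Domino Directory


def looks_like_ip(value: str) -> bool:
    parts = value.split(".")
    return len(parts) == 4 and all(p.isdigit() and int(p) < 256 for p in parts)


def resolve_nrpc(req: Requester, dest: str,
                 protocol_resolver: Callable[[str], Optional[str]]) -> Tuple[Optional[int], Optional[str]]:
    """Return (step that produced the address, address) or (None, None).

    protocol_resolver models the LAN protocol's name-resolver service (DNS for
    TCP/IP); it turns a protocol-specific name into a physical address.
    """
    # Step 1: Connection documents, normal priority before low priority.
    for prio in ("normal", "low"):
        for doc in req.connection_docs:
            if doc.destination == dest and doc.priority == prio:
                if looks_like_ip(doc.net_address):
                    return 1, doc.net_address          # Notes Name Service resolves directly
                addr = protocol_resolver(doc.net_address)
                if addr:
                    return 1, addr
    # Step 2: protocol-specific name cached from an earlier connection.
    if dest in req.name_cache:
        addr = protocol_resolver(req.name_cache[dest])
        if addr:
            return 2, addr
    # Step 3: Server document in the Domino Directory (via the home server).
    sdoc = req.directory.get(dest)
    if sdoc and sdoc.domain == req.domain:
        shared = [nn for nn in req.named_networks if nn in sdoc.net_addresses]
        # Same Notes named network: use that network's Net Address value.
        # Same domain but no common named network: try each protocol's name.
        candidates = [sdoc.net_addresses[nn] for nn in shared] or list(sdoc.net_addresses.values())
        for name in candidates:
            addr = protocol_resolver(name)
            if addr:
                req.name_cache[dest] = name                # cached for step 2 next time
                return 3, addr
    # Step 4: hand the Domino common name itself to each protocol's resolver.
    addr = protocol_resolver(dest)
    return (4, addr) if addr else (None, None)


# Constructed sample DNS standing in for the TCP/IP name-resolver service.
SAMPLE_DNS = {
    "app01.acme.com": "192.168.10.17",
    "hub01.acme.com": "192.168.10.2",
    "mail01.acme.com": "192.168.10.3",
    "legacy01.acme.com": "192.168.10.9",   # in DNS but has no Server document
}


def dns_resolve(name: str) -> Optional[str]:
    """Simple host names get the stack's search suffix appended (constructed: acme.com)."""
    fqdn = name.lower() if "." in name else name.lower() + ".acme.com"
    return SAMPLE_DNS.get(fqdn)


def sample_workstation() -> Requester:
    directory = {
        "App01": ServerDoc("App01", "Acme", {"TCPIP-Boston": "app01.acme.com"}),
        "Hub01": ServerDoc("Hub01", "Acme", {"TCPIP-Boston": "hub01.acme.com"}),
        "Mail01": ServerDoc("Mail01", "Acme", {"TCPIP-Paris": "mail01.acme.com"}),
    }
    return Requester(domain="Acme", named_networks=["TCPIP-Boston"],
                     connection_docs=[ConnectionDoc("Hub01", "10.1.2.3")],
                     directory=directory)


if __name__ == "__main__":
    ws = sample_workstation()
    for server in ("Hub01", "App01", "App01", "Mail01", "Legacy01", "Nowhere"):
        print(server, resolve_nrpc(ws, server, dns_resolve))
```

Running the block shows Hub01 answered by its Connection document (step 1), App01 answered from the Domino Directory on the first call and from the cache on the second, Mail01 (same domain, different Notes named network) answered by trying each protocol name, Legacy01 found only because DNS knows the common name (step 4), and an unknown server failing at every step.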

Network security
Physical network security is beyond the scope of this book, but you must set it up before
you set up connection security. Physical network security prevents unauthorized users
from breaking through the network and
using one of the operating system’s native services — for example, file sharing — to
access the server. Physical network security also comes into play when any data is
exposed, as the potential exists for malicious or
unauthorized users to eavesdrop both on the network where the Domino system resides
and on the system you are using to set up the server. Network access is typically
controlled using network hardware — such
as filtering routers, firewalls, and proxy servers. Be sure to enable rules and connection
pathways for the services that you and others will access. Newer firewall systems offer
virtual-private-network (VPN) services,
which encapsulate the TCP/IP packet into another IP wrapper where the inner TCP/IP
packet and its data are encrypted. This is a popular way to create virtual tunnels through
the Internet between remote sites. If you
want to have the Domino server access both a private VPN and the Internet for SMTP
mail, make sure your solution is able to handle full TCP data packets and that it allows
dual connections. If not, the Domino
server system may require a second NIC to work around limitations of the VPN solution.
NRPC and Internet connection security

To control connection access, you typically use a network hardware configuration, such as a firewall, reverse proxy, or Domino passthru server, to which you can authorize connections and define access to network resources. In addition, you can encrypt all connections by service type. Encrypting connections protects data from access by malicious or unauthorized users. To prevent data from being compromised, encrypt all Domino and Notes services that connect to public networks or to networks over which you have no direct control. Encrypting the connection channel prevents unauthorized users from using a network protocol analyzer to read data. To encrypt NRPC network traffic, use the Notes port encryption feature. For traffic over Internet protocols, use SSL. For both NRPC and Internet protocols, you can enforce encryption at the server for all inbound and outbound connections. In the case of the Notes client, you can also enforce encryption on all outbound connections, even if the server to which you are connecting allows unencrypted connections.

2-6 Administering the Domino System, Volume 1

Because encryption adds additional load to the server, you may want to limit the services for which the server uses encryption. Other ways to minimize the load that encryption puts on the system include:
Using an additional Domino server acting as a passthru server for NRPC connections
Using a reverse proxy to manage authentication and encryption outside of Domino servers when using SSL
Removing unnecessary or unused protocols or services on the server system as well as Domino server services

Using a Domino passthru server as a proxy


A proxy is a system that understands the type of information transmitted
— for example, NRPC or HTTP-format information — and controls the information flow
between trusted and untrusted clients and servers. A proxy communicates on behalf of
the requester and also communicates
information back to the requester. A proxy can provide detailed logging information
about the client requesting the information and the information that was transmitted. It
can also cache information so requesters can quickly retrieve information again. A proxy
stops direct access from an untrusted network to services on a trusted network. If an
application proxy is in use, then application-specific heuristics can be applied to look at
the connections from the untrusted networks and determine if what is being requested is
legal or safe.
An application proxy resides in the actual server application and acts as an intermediary that communicates on behalf of the requester. An application proxy works the same as a packet filter, except the application proxy delivers the packet to the destination. An application proxy can be used with any protocol, but it is designed to work with one application. For example, an SMTP proxy understands only SMTP.

A circuit-level proxy is similar to an application proxy, except that it does not need to understand the type of information being transmitted. For example, a SOCKS server can act as a circuit-level proxy. You can use a circuit-level proxy to communicate using Internet protocols with TCP/IP — that is, IMAP, LDAP, POP3, SMTP, IIOP, and HTTP, as well as Internet protocols secured with SSL.

HTTP is a special case. In Domino, when the HTTP Connect method is used by an HTTP proxy, applications using other protocols can also use the HTTP proxy, but they use it as a circuit-level proxy, not as an application proxy. SSL uses the HTTP Connect method to get through an application proxy because the data is encrypted and the application proxy cannot read the data. HTTPS (HTTP and SSL) uses both the HTTP proxy and the Connect method, which implies that the HTTP proxy is a circuit-level proxy for HTTPS. The same method is used to get NRPC, IMAP, and other protocols through the HTTP proxy.

Setting Up the Domino Network 2-7

You can set up a Domino passthru server as an application proxy for NRPC. A passthru server provides all levels of Notes and Domino security while allowing clients who use dissimilar protocols to communicate through a single Domino server. The application proxy does not allow Internet protocols — for example, HTTP, IMAP, and LDAP — to use a Domino passthru server to communicate, however. For Internet protocols, you can use an HTTP proxy with the HTTP Connect method to act as a circuit-level proxy.

A Notes client or Domino server can also be a proxy client and interoperate with either passthru (NRPC protocol only) or as a SOCKS or HTTP tunnel client (for NRPC, POP3, LDAP, IMAP, and SMTP protocols). You set this up in the Proxy setting in the client Location document.

To set up a Domino passthru server as an application proxy

When you set up an application proxy, make sure the following Domain Name System (DNS) services are correctly configured:
The databases db.DOMAIN and db.ADDR, which DNS uses to map host names to IP addresses, must contain the correct host names and addresses.
Hosts files must contain the fully qualified domain name of the servers. If you are using the Network Information Service (NIS), you must use the fully qualified domain name and make sure NIS can coexist with DNS.
For information on configuring these settings, see the documentation for your network operating system.

You must first connect the server to the untrusted network — for example, the Internet — and then set up Notes workstations and Domino servers to use the passthru server as a proxy when accessing services outside the trusted network. To set up a workstation or server to use the passthru server, you must specify the passthru server in the Location document for a workstation and in the Server document for a server.

TCP/IP security considerations


In a TCP/IP network, configure all Domino servers to reject Telnet and FTP connections.
Furthermore, do not allow file system access to the Domino server or the operating
system on which it runs, unless you are
sure you can properly maintain user access lists and passwords and you can guarantee a
secure environment.
If you use the Network File System (NFS) without maintaining the password file, users can breach security by accessing files through NFS instead of through the Domino server. If this “back door” access method is needed, isolate the network pathway on a LAN NIC and segment, and make sure that the ability to access files through NFS is exclusive to this isolated secure network.

Mapped directory links and Domino data security

To ensure data security, do not create a mapped directory link to a file server or shared Network Attached Storage (NAS) server for a Domino server. These links can cause both database corruption and security problems.

Database corruption
If the network connection fails while the Domino server is writing to a database on the
file server or shared NAS server, the database can become corrupted. In addition, the
interdependence of the file sharing protocols — Server Message Block (SMB), Common
Internet File System (CIFS), and Network File System (NFS) — and the remote file
system can affect the Domino server’s performance. Domino sometimes needs to open
large numbers of remote files, and low latency for read/write operations to these files is
desirable. To avoid these problems on Domino servers, consider doing one or more
of the following:
Create an isolated network and use cut-through (non-buffering) layer-2 switches to
interconnect the Domino server to the NAS system.
Limit access to the NAS system to the Domino server.
Reduce the number of hops and the distance between hops in the connection pathways
between the Domino server and the storage system.
Use a block protocol instead of a file protocol.
Use a private storage area network (SAN) instead of a shared NAS system.
Avoid creating any file-access contention between Domino and other applications.

To avoid problems with Notes workstations, consider doing the following:
Locate Notes workstations so that they are not accessing a remote
file server or NAS system over a WAN.
To minimize the risk of database corruption because of server failure when a Notes
client’s Domino data directory is on a file server or NAS server, evaluate the reliability of
the entire network pathway as well as the remote system’s ability to maintain
uninterrupted sessions to the Notes client over the file sharing protocols it is using (SMB,
CIFS, NFS, NetWare Core Protocol, or AppleShare).
If a Notes client’s Domino data directory is on a file server or NAS server, remember
that only one user (user session) can have the user data directory files open a time.
Lotus Notes does not support concurrent access to the same “local” database by two
clients.
Security problems
When “Encrypt network data” is enabled, all Domino server and Notes workstation traffic
is encrypted. However, the file I/O between the Domino server and the file server or
shared NAS server is not encrypted,
leaving it vulnerable to access by unauthorized users.
Planning the TCP/IP network
The default TCP/IP configuration for a Domino server is one IP address that is globally
bound, meaning that the server listens for connections at the IP addresses of all NICs on
the computer. Global binding works as
long as the computer does not have more than one IP address offering a service over
the same assigned TCP port.
The default configuration
Use these topics to plan how to integrate Lotus Domino with the TCP/IP network when
the Domino server has one IP address and is not partitioned:
NRPC name-to-address resolution over TCP/IP
Ensuring DNS resolves in TCP protocols
Advanced Domino TCP/IP configurations
Partitioned servers and IP addresses
Ensuring DNS resolves in advanced TCP/IP configurations
Moving to IPv6
This topic provides the information you need if your company is migrating to the IPv6 standard:
IPv6 and Lotus Domino

NRPC name-to-address resolution over TCP/IP
In the TCP/IP protocol, the method most commonly used to resolve server names to
network addresses is the Domain Name System (DNS), an Internet directory service
developed both to allow local administrators to create and manage the records that
resolve server names to IP addresses and to make those records available globally.
While the POP3, IMAP, LDAP, and HTTP services use DNS directly, the NRPC service
Within DNS, “domain” refers to a name space at a given level of the hierarchy. For
example, the .com or .org in a Web URL represents a top-level domain. In a domain
such as acme.com, a DNS server — that is,
a server running DNS software — in the Acme company stores the records for all Acme
servers, and an administrator at Acme maintains those records. When you set up a
Notes workstation on the TCP/IP network, you
normally rely on DNS to resolve the name of the workstation’s Domino home server the first time the workstation tries to connect to it. As long as the Notes workstation and Domino home server are in the same DNS domain level, DNS can accomplish the resolve.

When to edit the Net Address field in the Server document

The default format for a server’s TCP/IP network address in Lotus Domino is its fully qualified domain name (FQDN) — for example, app01.acme.com — based on the DNS record and the IP address references in the system’s TCP/IP stack. When a Notes workstation or Domino server requests this name, the TCP/IP resolver passes it to DNS, and DNS resolves the name directly to the IP address of the destination server, regardless of the DNS domain level of the requesting system.

If you do not want to enter the FQDN in the Net Address field, you can change it to the simple IP host name — for example, app01 — either during server setup or later by editing the Server document. For example, you might use the simple IP host name if you are setting up multiple TCP ports for NRPC, a configuration in which using the FQDN for each network address can cause connection failures if the Notes Name Service returns the FQDN for the wrong TCP port. In this case, using the simple IP host name ensures that DNS does a lookup in all domain levels within the scope of the domains defined in the requesting system’s TCP/IP stack settings.

Caution In a production environment, do not use IP addresses in Net Address fields. Doing so can result in serious administrative complications if IP addresses change or if Network Address Translation (NAT) connections are used, as the values returned by the Notes Name Service will not be correct.
Secondary name servers

To ensure that the Notes Name Service is always available over TCP/IP, when you set up a Notes user, you can designate a Domino secondary name server that stands in for the home server in these situations:
The user’s home server is down.
The user’s home server is not running TCP/IP.
The user’s home server cannot be resolved over TCP/IP.

Note In companies using multiple DNS domains, a Domino secondary name server ensures that a Notes workstation can connect with its home server even when the home server is in a different DNS domain. You can use policies to automate the setup of secondary name servers.

On the Notes workstation, create a Connection document that includes the IP address
of the destination server.
On the passthru server, create a Connection document to the destination server.

If you don’t use DNS at your site or if a Domino server is not registered with DNS (as is
sometimes the case if the server offers Internet services), use one of these methods to
enable each Notes workstation and Domino
server to perform name resolution locally. Keep in mind that the upkeep required for
both of these approaches is considerable.
Place a hosts file, which is a table that pairs each system name with its IP address, on
every system that needs private access. Set up each system so that it accesses the
hosts file before accessing DNS.
Create a Connection document that contains the destination server’s IP address on every Notes workstation and Domino server that needs to access that server.

Tip Use policies to automate the setup of Connection documents for Notes users. Even if you use DNS, you should set up Connection documents for Notes users in locations from which they have difficulty accessing the DNS server. For more information on policies, see the chapter “Using Policies.”
Alternative IP name services

Microsoft networking services offers four additional methods of IP address resolution. These methods are not as reliable as traditional DNS and hosts files and can cause name and address confusion. For best results, do not use these methods when also using the Notes network port for TCP/IP.
Direct NetBIOS broadcast — The system sends out a name broadcast message so that all of the systems on the local network segment can register the name and IP address in their name cache. If you must use NetBIOS over IP and use Domino with both the NetBIOS and TCP/IP port drivers, avoid name-resolution problems by giving the Domino server and the system different names.
Master Browser cache (for NT domains or SAMBA servers) — Collects broadcasted names and IP addresses and publishes them across the NT domain to other Master Browser systems for Windows® systems to access in their name lookups.
Windows Internet Name Service (WINS) — Uses NetBIOS broadcasts. Unlike DNS, which is static in nature, WINS is dynamic. Note that the TCP/IP stacks of Macintosh and UNIX client systems may not be able to access the WINS server.
LAN Manager Hosts (LMHosts) — A static hosts file method.

Caution On a Windows system, the combination of the system’s native NetBIOS over IP name-resolver service and DNS can cause name resolution failure for the Domino server name.
When you register a new Domino server, you specify a common name for it. Within a
Domino hierarchical name, the common name is the portion before the leftmost slash.
For example, in the name App01/East/Acme, the common name is App01. The common
name, not the hierarchical name, is the name that the Domino server is known by in
DNS.
Note When you choose a common name for a Domino server that uses DNS, use only
the characters 0 through 9, A through Z, and the dash (-). Do not use spaces or
underscores.
Note The DNS names held in Lotus Notes and Lotus Domino are not case sensitive;
Notes workstations and Domino servers always pass DNS names to DNS in lowercase.
You can avoid problems and extra work if you consider the DNS configuration, as well as
the effect of other protocol name-resolver services, when you choose the format for the
common name of the Domino server. To avoid name-resolution problems that affect all
TCP services on Windows systems, see the topic “Ensuring DNS resolves on Windows
systems — All TCP protocols.”
For procedures to help you avoid DNS problems in NRPC, see these
topics:
Ensuring DNS resolves in NRPC — Best Practices
Ensuring DNS resolves in NRPC — Alternative practices
Ensuring DNS resolves in NRPC — A practice to use with caution
If you administer servers that provide Internet services such as HTTP, SMTP, POP3, or
LDAP, you can skip these topics, as these services use DNS directly.
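The rules in this section (common-name characters, lowercase DNS names, an FQDN rather than an IP address in the Net Address field) are easy to check before a server is registered. The audit below is an added example, not IBM code: the audit_server and audit_directory functions, the regular expressions and the sample Server document values are constructed. The last check, a host label that differs from the common name, is informational only, because the alternative practices later in this chapter allow that arrangement with a CNAME record or local Connection documents.

```python
"""Pre-registration checks for Domino server names and Net Address values.

Added example, not IBM code; the rules come from the text above (common-name
characters, no IP addresses in Net Address, FQDN recommended) and the sample
Server document values are constructed.
"""
import ipaddress
import re
from typing import Dict, List

# Characters the text allows in a common name that DNS must resolve.
COMMON_NAME_RE = re.compile(r"^[0-9A-Za-z-]+$")
# One DNS label: letters, digits and dashes, not starting or ending with a dash.
LABEL_RE = re.compile(r"^[0-9A-Za-z]([0-9A-Za-z-]*[0-9A-Za-z])?$")


def common_name_of(hierarchical_name: str) -> str:
    """'App01/East/Acme' -> 'App01' (the portion before the leftmost slash)."""
    return hierarchical_name.split("/", 1)[0]


def is_ip_literal(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def audit_server(hierarchical_name: str, net_address: str) -> List[str]:
    """Return findings for one Server document; an empty list means no issue."""
    findings = []
    cn = common_name_of(hierarchical_name)
    if not COMMON_NAME_RE.match(cn):
        findings.append(f"common name {cn!r}: use only 0-9, A-Z and dash (no spaces or underscores)")
    if is_ip_literal(net_address):
        findings.append(f"Net Address {net_address!r} is an IP address: breaks when addresses change or NAT is used")
        return findings
    labels = net_address.lower().split(".")   # Notes passes DNS names in lowercase
    if not all(LABEL_RE.match(label) for label in labels):
        findings.append(f"Net Address {net_address!r} is not a valid DNS name")
    elif len(labels) == 1:
        findings.append(f"Net Address {net_address!r} is a simple host name: an FQDN resolves regardless of the requester's DNS domain level")
    elif labels[0] != cn.lower():
        findings.append(f"host label {labels[0]!r} differs from common name {cn!r}: a CNAME record or local Connection documents are needed")
    return findings


def audit_directory(servers: Dict[str, str]) -> Dict[str, List[str]]:
    """servers maps hierarchical name -> Net Address; returns only servers with findings."""
    result = {}
    for name, addr in servers.items():
        findings = audit_server(name, addr)
        if findings:
            result[name] = findings
    return result


# Constructed sample: one clean entry, three with findings.
SAMPLE_SERVERS = {
    "App01/Engr/Acme": "app01.acme.com",
    "App02/Engr/Acme": "app02",
    "Mail_01/Acme": "192.168.1.1",
    "App01/Sales/Acme": "redflier.acme.com",
}

if __name__ == "__main__":
    for name, findings in audit_directory(SAMPLE_SERVERS).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```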

Ensuring DNS resolves on Windows systems — All TCP protocols

If a Domino server is a Windows system, often two name services exist on the system — NetBIOS over IP and DNS. If you assign the same name to both the Domino server and the system, client applications that use either the Notes Name Service or DNS can encounter name-space ghosting between the two names. In other words, because the NetBIOS record for a system’s host name has already been found, the name resolving process ends and the DNS record for the Domino server on that system is never found.

Note For a Domino server on Windows 2000, problems occur only if you enable name services for NetBIOS over IP in order to join an NT domain using Server Message Blocks (SMB).
To prevent this problem:
1. Do one of the following:
On Windows NT, assign one name as the Domino server common name and then alter that name slightly for the system name by adding a preface such as NT-. In the Network dialog box on the Windows NT Control Panel, specify the name in two places: the Identification tab and the Protocols - TCP/IP properties - DNS tab.
On Windows 2000, add a preface such as W2K- to the system name, using the Network Identification tab on the System Properties dialog box.
2. Create an A record (or, for IPv6, AAAA record) in DNS for the system name. The IP address is the same as the one for the Domino server.
3. Create a CNAME record in DNS for the Domino server’s name, linking it to the system name.

For example, for the Domino server BosMail02/Acme, the common name is BosMail02. You name the system NT-BosMail02. You create an A record in DNS for NT-BosMail02.acme.com and a CNAME record for BosMail02.acme.com, linking it with NT-BosMail02.acme.com.
Ensuring DNS resolves in NRPC — Best Practices

The following procedures provide the best name-resolution practices for a Domino server using the default NRPC configuration on a TCP/IP network (one Notes network port for TCP/IP). These procedures address the following DNS configurations:
One DNS domain
Multiple DNS domain levels

If your TCP/IP configuration has multiple Notes network ports for TCP/IP, see the topic “Ensuring DNS resolves in advanced TCP/IP configurations” later in this chapter.

When you have one DNS domain

If your company uses only one DNS domain, doing the following eliminates the need for CNAME records in DNS:
1. Assign the same name as both the Domino server common name and the simple IP host name registered with DNS.
2. Make sure the Net Address field on the Server document contains the server’s FQDN.
3. Create an A record (or, for IPv6, AAAA record) in DNS.

For example, you set up the Domino server App01/Engr/Acme. Thus, you register the server with DNS as app01, the server’s common name. The Net Address field in the Server document contains app01.acme.com (the server’s FQDN), and the A record is:
app01.acme.com IN A 192.168.10.17

When you have multiple DNS domain levels
If your company uses multiple DNS domain levels — for example, when each country in
which a multinational company has offices is a subdomain in DNS — doing the following
eliminates the need for
multiple CNAME records in DNS and ensures that DNS lookups always work, regardless
of the DNS domain level of the user’s system:
1. Assign the same name as both the Domino server common name and the simple IP
host name.
2. Make sure the Net Address field on the Server document contains the server’s FQDN.
3. Create an A record (or, for IPv6, AAAA record) in DNS.
4. If users’ systems are in a different DNS domain than that of their home server or in a
DNS subdomain of their home server’s domain, set up a secondary name server. Place
this secondary name server on the same physical network as the users’ systems or on a
network that the users can access.
5. Set up all Notes users or a subset of users affected by Step 4, or set up an individual
Notes user.
For more information on setting up groups of users, see the chapter “Using Policies.” For
more information on setting up an individual Notes user, see the topic “Setting up a
secondary name server” later
in this chapter.
For example, you register the Domino server ParisMail01/Sales/Acme with DNS as
parismail01.france.acme.com. Parismail01 is the home
server for some users in the DNS subdomain spain.acme.com. You set up a secondary
name server, Nameserver/Acme, register it with DNS as nameserver.acme.com, and
ensure that the Location documents of users
who need a secondary name server point to this server. When a user in spain.acme.com
attempts a first connection with the home server (parismail01.france.acme.com), the
connection fails because the DNS subdomain for spain.acme.com has no records for the
subdomain
france.acme.com. Notes then connects successfully with the secondary name server
(nameserver.acme.com), since the DNS subdomain for spain.acme.com does include the
records for acme.com. When the
secondary name server supplies the Notes workstation with the FQDN
from the Net Address field in the Server document for ParisMail01, DNS resolves the
FQDN to an IP address, and the user can access mail. As long as all Server documents in
the Domino domain have the TCP/IP network address in FQDN format, this approach
allows any Notes
workstation or Domino server to locate any Domino server, regardless of
its DNS domain level.

Ensuring DNS resolves in NRPC — Alternative practices

The following procedures provide alternative name-resolution practices for a Domino server using the default NRPC configuration on a TCP/IP network (one Notes network port for TCP/IP).

Domino server names that differ from their DNS names

When your name scheme for Domino servers is different from that for DNS, use one of the following methods to translate the Domino server’s name to the host name:
Create a local Connection document on each Notes client and Domino server that needs to connect to the Domino server, and enter the FQDN for the system that hosts the Domino server in the Net Address field. For example, for the Domino server named App01/Sales/Acme on the system registered with DNS as redflier, enter redflier.acme.com.
Use an alias (CNAME) record in DNS to link the Domino server common name to the simple IP host name. For example, for the Domino server App01/Sales/Acme on the system registered with DNS as redflier, use a CNAME record to link the name App01 to the name redflier. When a Notes workstation first accesses this server, it obtains the host name from the Net Address field of the Server document and caches it, thereby making future connections faster.

IP addresses in Connection documents

In situations in which you don’t want to use any name-resolver service — such as bringing up a new server system that you don’t want known yet, or having a server on the Internet that you want accessible but for which you can’t use DNS — create Connection documents that directly tell Notes workstations or Domino servers how to access this Domino server by using the server’s IP address in the documents’ Net Address fields.
Network Address Translation (NAT)

NAT is a method of translating an IP address between two address spaces: a public space and a private space. Public addresses are assigned to companies by the Internet Corporation for Assigned Names and Numbers (ICANN) or leased from the company’s ISP/NSP. Public addresses are accessible through the Internet (routable) unless firewalls and isolated networks make them inaccessible.
Private addresses are IP address spaces that have been reserved for internal use. These
addresses are not accessible over the Internet (non-routable) because network routers
within the Internet will not allow
access to them.
The following address spaces have been reserved for internal use. It is
best to use these IP addresses and not make up your own.
Class A: 10.0.0.0 to 10.255.255.255
Class B: 172.16.0.0 to 172.31.255.255
Class C: 192.168.0.0 to 192.168.255.255
For example, users inside a company access the Domino server based on its assigned IP
address, which is a private address (192.168.1.1). Internet users must access the
Domino server through a NAT router, which
converts the private address to one of its static public addresses (130.20.2.2).
Therefore, a Notes client accessing the server from the
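The NAT scenario above is the concrete reason behind the caution earlier in this chapter against putting IP addresses in Net Address fields: the same server has a private address inside and a public address outside, so only a name that each side's DNS answers differently works from both sides. The model below is an added example, not IBM code. The split DNS views, the static NAT entry and the reachability rules (inside clients reach only private addresses, no hairpin NAT; Internet clients route only to public addresses) are constructed assumptions; 192.168.1.1 and 130.20.2.2 are the addresses used in the example in the text.

```python
"""Why IP addresses in Net Address fields go wrong under NAT (the caution
earlier in this chapter, and the NAT description above).

Added example, not IBM code. The split DNS views, the static NAT mapping and
the reachability rules are constructed; 192.168.1.1 and 130.20.2.2 are the
addresses from the example in the text.
"""
import ipaddress
from typing import Optional

# The reserved address spaces listed above (RFC 1918).
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Split DNS: the internal view and the external "shadow" view answer the
# same FQDN with the private and the public address respectively.
INTERNAL_DNS = {"app01.acme.com": "192.168.1.1"}
EXTERNAL_DNS = {"app01.acme.com": "130.20.2.2"}

# Static NAT on the router: public address -> private address.
NAT_TABLE = {"130.20.2.2": "192.168.1.1"}


def is_private(ip: str) -> bool:
    return any(ipaddress.ip_address(ip) in net for net in PRIVATE_RANGES)


def is_ip_literal(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def connect(net_address: str, client_inside: bool) -> Optional[str]:
    """Return the server address the client's packets finally arrive at, or
    None if the connection cannot be made.

    Assumptions (constructed): inside clients reach private addresses only
    (no hairpin NAT); Internet clients can route only to public addresses,
    which the NAT router translates to the private address."""
    view = INTERNAL_DNS if client_inside else EXTERNAL_DNS
    target = net_address if is_ip_literal(net_address) else view.get(net_address.lower())
    if target is None:
        return None
    if client_inside:
        return target if is_private(target) else None
    if is_private(target):
        return None                     # non-routable from the Internet
    return NAT_TABLE.get(target)        # router maps public -> private


if __name__ == "__main__":
    for value in ("app01.acme.com", "192.168.1.1", "130.20.2.2"):
        print(f"{value:16} inside={connect(value, True)!s:14} internet={connect(value, False)}")
```

The FQDN reaches the server from both sides; either IP literal works from only one side, which is exactly the Notes Name Service returning a value that is "not correct" for half of the clients.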

Ensuring DNS resolves in NRPC — A practice to use with caution

The following practice, if followed precisely, should ensure good DNS resolves in NRPC for companies with multiple DNS domain levels, but might result in extra work if the infrastructure changes. Using this practice has the following disadvantages:
You can never assign more than one IP address in DNS to the Domino server.
If the FQDN changes, the Domino server name will not match the FQDN, thus invalidating the DNS resolve. You will then need to create a new server and migrate users to it.
If you use network address translation (NAT), the server’s FQDN must be identical in both instances of DNS (internal and external shadow DNS).
You cannot use other network protocols, as many of them use flat network name services, and those that use hierarchical name systems will not function unless the name hierarchy is exactly the same.
Diagnosing connectivity issues can be much harder.

When you have multiple DNS domain levels

If your company uses multiple DNS domain levels — for example, when each country in which a multinational company has offices is a subdomain in DNS — do the following:
1. Use the server’s FQDN as the Domino server common name.
2. Create an A record (or, for IPv6, AAAA record) in DNS.

For example, if you register a server with DNS as app01.germany.acme.com, you can also assign the Domino server’s common name as app01.germany.acme.com. In this case, the server’s Domino hierarchical name might be app01.germany.acme.com/Sales/Acme.
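The three DNS schemes in this part of the chapter (the Windows A-plus-CNAME scheme, the best practice of an FQDN in Net Address backed by a secondary name server, and the cautioned practice of using the FQDN as the common name) can be walked through on a toy DNS. The code below is an added example and not IBM code: ToyDns, resolve_with_search, windows_records and first_connection are constructed, as are all addresses. One modelling assumption, stated here because the text describes it more loosely: the first connection from spain.acme.com fails because the workstation's TCP/IP stack tries the simple host name ParisMail01 with its own search suffixes (spain.acme.com, then acme.com), and an FQDN supplied later by the secondary name server is looked up as given.

```python
"""Toy DNS used to walk through the naming schemes above: the Windows A+CNAME
scheme, the best practice for multiple DNS domain levels (FQDN in Net Address
plus a secondary name server), and the cautioned practice of an FQDN as the
common name.

Added example, not IBM code. ToyDns, resolve_with_search, first_connection and
every name and address below are constructed; addresses are sample values.
"""
from typing import Dict, List, Optional, Tuple


class ToyDns:
    """A and CNAME records only; names are compared case-insensitively."""

    def __init__(self) -> None:
        self.a: Dict[str, str] = {}       # fqdn -> IP address
        self.cname: Dict[str, str] = {}   # alias fqdn -> canonical fqdn

    def add_a(self, fqdn: str, ip: str) -> None:
        self.a[fqdn.lower()] = ip

    def add_cname(self, alias: str, target: str) -> None:
        self.cname[alias.lower()] = target.lower()

    def lookup(self, fqdn: str) -> Optional[str]:
        name = fqdn.lower().rstrip(".")
        for _ in range(8):                 # bounded CNAME chase
            if name in self.a:
                return self.a[name]
            if name not in self.cname:
                return None
            name = self.cname[name]
        return None


def resolve_with_search(dns: ToyDns, name: str, search_list: List[str]) -> Optional[str]:
    """What the TCP/IP stack does: an FQDN is looked up as given, a simple
    host name is tried with each search suffix of the requesting system."""
    if "." in name:
        return dns.lookup(name)
    for suffix in search_list:
        ip = dns.lookup(f"{name}.{suffix}")
        if ip:
            return ip
    return None


def windows_records(dns: ToyDns, common_name: str, domain: str, ip: str,
                    prefix: str = "NT-") -> str:
    """Windows scheme: A record for the (differently named) system, CNAME for
    the Domino server name. Returns the system FQDN."""
    system_fqdn = f"{prefix}{common_name}.{domain}"
    dns.add_a(system_fqdn, ip)
    dns.add_cname(f"{common_name}.{domain}", system_fqdn)
    return system_fqdn


def first_connection(dns: ToyDns, home_cn: str, secondary_cn: str,
                     net_address: Dict[str, str], search_list: List[str]) -> Tuple[str, Optional[str]]:
    """A Notes workstation's first connection to its home server: try the
    common name through the stack's search list; if that fails, reach the
    secondary name server, which supplies the home server's Net Address FQDN."""
    ip = resolve_with_search(dns, home_cn, search_list)
    if ip:
        return "home server resolved directly", ip
    if resolve_with_search(dns, secondary_cn, search_list) is None:
        return "no name server reachable", None
    return "via secondary name server", dns.lookup(net_address[home_cn])


def sample_dns() -> ToyDns:
    dns = ToyDns()
    windows_records(dns, "BosMail02", "acme.com", "10.1.0.7")         # Windows scheme
    dns.add_a("parismail01.france.acme.com", "10.2.0.5")              # multi-level best practice
    dns.add_a("nameserver.acme.com", "10.0.0.53")
    dns.add_a("app01.germany.acme.com", "10.3.0.8")                   # cautioned practice
    return dns


# Net Address field of each Server document (FQDN format, as recommended).
NET_ADDRESS = {"ParisMail01": "parismail01.france.acme.com"}

if __name__ == "__main__":
    dns = sample_dns()
    print(resolve_with_search(dns, "BosMail02.acme.com", []))
    print(first_connection(dns, "ParisMail01", "Nameserver", NET_ADDRESS, ["spain.acme.com", "acme.com"]))
    print(first_connection(dns, "ParisMail01", "Nameserver", NET_ADDRESS, ["france.acme.com", "acme.com"]))
    print(resolve_with_search(dns, "app01.germany.acme.com", ["spain.acme.com"]))
```

A user in spain.acme.com only gets to ParisMail01 through the secondary name server, a user in france.acme.com resolves the home server directly, and a common name that is itself an FQDN (the cautioned practice) resolves from any search list but cannot change without renaming the server.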
Advanced Domino TCP/IP configurations
A single Domino server can have multiple IP addresses if you use multiple NICs, each
offering an address, or if one NIC offers multiple addresses. Having multiple IP
addresses allows the server to listen for connections at more than one instance of the
TCP port assigned to NRPC (1352) or at TCP ports that are assigned to other services
such as LDAP or HTTP. Both individual Domino servers and partitioned Domino
servers can have multiple NICs, each with its own IP address.

Multiple IP addresses and NICs on a Domino server

Set up a Domino server with multiple IP addresses, each with its own NIC, if you want to:
Split the client load for better performance
Split client-to-server access from server-to-server communication
Set up mail routing, replication, or cluster replication on an alternate path (private
network)
Partition a Domino server so that more than one partition offers the same Internet
service (SMTP, POP3, IMAP, LDAP, or HTTP).
Allow access to the Domino server via a TCP/IP firewall system over a different network
segment, a configuration known as a demilitarized zone (DMZ)
Use a Domino passthru server as an application proxy
Provide network/server failover, used in mission-critical resource access
Set up alternate window and/or maximum transmission unit (MTU) settings for satellite
uplink and downlink connections isolated from local access connections
For a configuration with multiple IP addresses, you must bind each listening port to the
appropriate IP address to ensure that each TCP service receives the network connections
intended for it.
For more information, see the topics “Binding an NRPC port to an IP address” and
“Binding an Internet service to an IP address” later in this chapter. For more information
on private networks for cluster
replication, see the book Administering Domino Clusters.
Note A configuration with multiple NICs does not increase the number of Domino
sessions you can have on a server. In TCP/IP, machine capacity depends on processors
and memory.
Multiple IP addresses with one NIC
Reasons to use one NIC to serve multiple IP addresses include:
Isolating local versus WAN Notes named networks so local users can see only local
Domino servers
Preventing independent remote access dialup connections (ISDN dialup router) from
being arbitrarily accessed
When setting up redundant WAN path connections for server to server access
When the use of a different TCP/IP port map is needed for firewall connections
When offering HTTP services to a different group than NRPC
connections
As a service provider when offering Domino server access for either
Notes or Web clients to different groups/companies
For a configuration with multiple addresses and one NIC, you must configure the TCP/IP
stack and bind each listening port to an IP address.
Partitioned servers and IP addresses
When you set up a Domino partitioned server, it is usually best to assign a separate IP
address to each partition and use a separate NIC for each. Using a separate NIC for each
address can make the computer’s I/O
much faster. Lotus Domino is designed to listen for TCP/IP connections on all NICs in
a computer system. If more than one partition is hosting the same service (NRPC, SMTP,
POP3, IMAP, LDAP, or HTTP), fine-tune which partitions listen for which connections by
associating each service’s TCP port with a
specific IP address. For more information on associating services with IP addresses, see
the
topics “Binding an NRPC port to an IP address” and “Binding an Internet service to an IP
address” later in this chapter. As an alternative to using a separate NIC for each IP
address, you can
use a single NIC and still assign a separate IP address to each partition. For more
information, see the topic “Assigning separate IP addresses to partitions on a system
with a single NIC” later in this chapter.
If you are unable to assign a separate IP address to each partition, you can use port
mapping.
For more information on port mapping, see the topic “Configuring a partitioned server
for one IP address and port mapping” later in this chapter.
Note As an alternative to port mapping, you can use port address translation (PAT), in
which a firewall redirects the TCP port connection to a different TCP port. Both port
mapping and PAT require advanced
skills to implement correctly.
Ensuring DNS resolves in advanced TCP/IP configurations
When you have Domino servers with multiple Notes network ports for TCP/IP, follow
these procedures to ensure server name-to-address resolution by DNS. This topic covers
the following configurations:
Users in different DNS subdomains accessing one Domino server
User-to-server access and server-to-server access via different DNS subdomains
Users in different DNS subdomains accessing one Domino server
If users are on two isolated networks and the Domino server has a NIC for each network,
use DNS to direct the users to the NIC the server shares with them.
1. Assign an IP address to each NIC by creating A records (or, for IPv6, AAAA records) in
DNS. Use the ping command and the IP address to test the responsiveness of the NIC.
Note If the Domino server is running Windows and there is a route between the two
networks, prevent the NetBIOS broadcasts from exiting from both adapters by using the
Windows Control Panel to disable one instance of the WINS client. Use the Bindings tab
of the Network dialog box, select All Adapters, and select the name of the NIC for which
you want to disable WINS.
2. Create two CNAME records in DNS for the Domino server, linking the server’s common
name to each NIC name in the A records. (Using CNAME records for the Domino server
provides diagnostic fidelity to test the network pathway independently of the server’s
name resolve.)
3. Add a second Notes network port for TCP/IP in Domino. For more information, see the
topic “Adding a network port on a server” later in this chapter.
4. Bind each TCP/IP port to the IP address of the appropriate NIC. On the server
console, verify that both TCP/IP ports are active and linked to the correct IP address. For
more information on binding ports to IP addresses, see the topic “Binding an NRPC port
to an IP address” later in this chapter.
5. In the Server document’s Net Address field for each TCP/IP port, use the server’s
common name only, not its FQDN.
6. On each Notes workstation, set the user’s DNS name lookup scope to the correct DNS
subdomain.

Example
At the Acme company, some users connect to the Domino server Chicago/Sales/Acme
over an Ethernet network, others over a Token Ring network. Register the Domino
server with DNS as chicago.east.acme.com for the users on the Ethernet network and as
chicago.west.acme.com for users on the Token Ring network.
1. Create start of authority (SOA) table entries in DNS for th

chi-ethernet A 10.20.20.2
chicago CNAME chi-ethernet

2. Create SOA table entries in DNS for the subdomain west.acme.com,

chi-tokenring A 10.10.10.1
chicago CNAME chi-tokenring

3. Change the name of the original Notes network port for TCP/IP to TCPIP1, and name
the second port TCPIP2.
4. Use the NOTES.INI file to bind TCPIP1 to the IP address for the Ethernet network and
to bind TCPIP2 to the IP Address for the Token Ring network.
5. In the Server document’s Net Address field for each TCP/IP port, enter chicago.
6. On the Ethernet users’ workstations, set the DNS name lookup scope to
east.acme.com, and on the Token Ring users’ workstations, set it to west.acme.com.
User-to-server access and server-to-server access via different DNS
subdomains
If users need to access a Domino server over the LAN and other Domino servers need to
access the same server over the WAN, add a second NIC to the server. Then use DNS to
direct the users to the NIC for the LAN and to direct other servers to the NIC for the
WAN.
1. Assign an IP address to each NIC by creating an A record (or, for IPv6, AAAA record)
in DNS. Use the ping command and the IP address to test the responsiveness of the NIC.
Note If the Domino server is running Windows and there is a route between the two
networks, prevent the NetBIOS broadcasts from exiting from both adapters by using the
Windows Control Panel to disable one instance of the WINS client. Use the Bindings tab
of the Network dialog box, select All Adapters, and select the name of the NIC for which
you want to disable WINS.
2. Create two CNAME records in DNS for the Domino server, linking the server’s common
name to each NIC name in the A records. (Using CNAME records for the Domino server
provides diagnostic fidelity to test the network pathway independently of the server’s
name resolve.)
3. Add a second Notes network port for TCP/IP in Domino.
For more information, see the topic “Adding a network port on a server” later in this
chapter.
4. Bind each TCP/IP port to the IP address of the appropriate NIC. On the server
console, verify that both TCP/IP ports are active and linked to the correct IP address.
For more information on binding ports to IP addresses, see the topic
“Binding an NRPC port to an IP address” later in this chapter.
5. To direct the Domino server’s first outbound connection to the
server-to-server network, edit the PORT setting in the NOTES.INI
file to read as follows:
PORT=serverportname, userportname
Where serverportname is the name of the Notes network port for
TCP/IP that other Domino servers will use to connect to this server,
and userportname is the name of the Notes network port for TCP/IP
that users will use to connect to this server.
6. In the Server document’s Net Address field for the first TCP/IP port
(the port that users will use), enter the FQDN, using the server’s
common name and the users’ DNS subdomain.
Note Listing the port that users will use first is important, as the
Notes Name Service cannot distinguish which NIC a user is
accessing and makes the connection based on the content of the Net
Address field for the first TCP/IP port listed in the Server document.
7. In the Server document’s Net Address field for the second TCP/IP
port (the port that servers will use), enter the FQDN, using the
server’s common name and the servers’ DNS subdomain.
An initiating server uses its local Domino Directory to detect the
Notes named network it has in common with this server.
8. Set each user’s DNS name lookup scope to the correct DNS
subdomain.
9. In each server’s TCP/IP stack, set the DNS name lookup scope to the
correct DNS subdomain.
2-24 Administering the Domino System, Volume 1
Example
At the Acme company, users connect to the Domino server
BostonApp04/Sales/Acme over the LAN, and other Domino servers
access it privately over the WAN. You register the server with DNS as
bostonapp04.boston.acme.com for the LAN users and as
bostonapp04.domino.acme.com for the server-to-server network over the
WAN.
1. Create the following SOA table entries in DNS for the subdomain

usr-bostonapp04 A 103.210.20.2
bostonapp04 CNAME usr-bostonapp04

2. Create the following SOA table entries in DNS for the subdomain
domino.acme.com:

srv-bostonapp04 A 103.210.41.1
bostonapp04 CNAME srv-bostonapp04

3. Change the name of the original Notes network port for TCP/IP to
TCPIP1, and name the second port TCPIP2.
4. Use the NOTES.INI file to bind TCPIP1 to the IP address for the user
network, to bind TCPIP2 to the IP address for the server-to-server
network, and to add the setting PORT=TCPIP2, TCPIP1.
5. In the Server document’s Net Address field for port TCPIP1, enter
bostonapp04.boston.acme.com. For port TCPIP2, enter
bostonapp04.domino.acme.com.
6. On each user’s workstation, set the DNS name lookup scope to
boston.acme.com. In the TCP/IP stacks of the servers that need to
connect to this server, set the name lookup scope to
domino.acme.com.
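The two Acme examples above, worked as an added example (not Lotus code): a resolver over zone records constructed from the entries listed, a model of the Server document’s TCP/IP ports and the NOTES.INI PORT setting, and a check that the first listed port is the users’ port. The Notes named network names and the port-selection logic for servers are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed zone data taken from the two examples: (owner, type, value) per subdomain.
ZONES = {
    "east.acme.com": [("chi-ethernet", "A", "10.20.20.2"),
                      ("chicago", "CNAME", "chi-ethernet")],
    "west.acme.com": [("chi-tokenring", "A", "10.10.10.1"),
                      ("chicago", "CNAME", "chi-tokenring")],
    "boston.acme.com": [("usr-bostonapp04", "A", "103.210.20.2"),
                        ("bostonapp04", "CNAME", "usr-bostonapp04")],
    "domino.acme.com": [("srv-bostonapp04", "A", "103.210.41.1"),
                        ("bostonapp04", "CNAME", "srv-bostonapp04")],
}


def resolve(name: str, scope: str, max_chain: int = 8) -> Optional[str]:
    """Resolve `name` as a client whose DNS lookup scope is `scope` would.

    A bare common name is qualified with the scope (this is what makes the
    Chicago example work); an FQDN is split into its first label and zone.
    CNAMEs are chased within the zone, bounded to avoid loops. Returns the
    IPv4 address or None when nothing matches.
    """
    fqdn = name if "." in name else f"{name}.{scope}"
    label, _, zone = fqdn.partition(".")
    rr = {(owner, rtype): value for owner, rtype, value in ZONES.get(zone, [])}
    for _ in range(max_chain):
        if (label, "A") in rr:
            return rr[(label, "A")]
        if (label, "CNAME") in rr:
            label = rr[(label, "CNAME")]
            continue
        return None
    return None


@dataclass
class Port:
    name: str         # Notes network port name, e.g. TCPIP1
    net_address: str  # the Server document's Net Address field for this port
    nnn: str          # Notes named network (names used here are hypothetical)


@dataclass
class ServerDocument:
    ports: List[Port]  # TCP/IP ports in the order listed in the Server document


def parse_port_setting(line: str) -> List[str]:
    """Parse a NOTES.INI line such as 'PORT=TCPIP2, TCPIP1' into the outbound port order."""
    key, sep, value = line.partition("=")
    if not sep or key.strip().upper() != "PORT":
        raise ValueError(f"not a PORT setting: {line!r}")
    return [p.strip() for p in value.split(",") if p.strip()]


def user_connect(doc: ServerDocument, user_scope: str) -> Optional[str]:
    """Notes Name Service behaviour from the note on step 6: a workstation takes the
    Net Address of the first TCP/IP port listed and resolves it in its own scope."""
    return resolve(doc.ports[0].net_address, user_scope)


def server_connect(doc: ServerDocument, shared_nnn: str, server_scope: str) -> Optional[str]:
    """An initiating server uses the port whose Notes named network it shares (assumed model)."""
    for port in doc.ports:
        if port.nnn == shared_nnn:
            return resolve(port.net_address, server_scope)
    return None


def first_port_serves_users(doc: ServerDocument, user_scope: str) -> bool:
    """Configuration check for step 6: the first listed port must carry either the
    bare common name or an FQDN inside the users' subdomain, otherwise every
    workstation is directed to the server-to-server NIC."""
    addr = doc.ports[0].net_address
    return "." not in addr or addr.endswith("." + user_scope)


# The two examples from the text, modelled as Server documents.
CHICAGO = ServerDocument([Port("TCPIP1", "chicago", "TCPIP Ethernet"),
                          Port("TCPIP2", "chicago", "TCPIP TokenRing")])
BOSTON = ServerDocument([Port("TCPIP1", "bostonapp04.boston.acme.com", "TCPIP Boston LAN"),
                         Port("TCPIP2", "bostonapp04.domino.acme.com", "TCPIP Domino WAN")])

if __name__ == "__main__":
    print("Ethernet user   ->", user_connect(CHICAGO, "east.acme.com"))
    print("Token Ring user ->", user_connect(CHICAGO, "west.acme.com"))
    print("Boston LAN user ->", user_connect(BOSTON, "boston.acme.com"))
    print("WAN server      ->", server_connect(BOSTON, "TCPIP Domino WAN", "domino.acme.com"))
    print("outbound order  ->", parse_port_setting("PORT=TCPIP2, TCPIP1"))
```

Reversing the port order in the BOSTON document shows the failure the note warns about: users are then resolved to the WAN NIC, and `first_port_serves_users` reports it.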
IPv6 and Lotus Domino
Because support for IPv6 by hardware and operating system suppliers
and the Internet is still in the early stages, moving to the IPv6 standard
will be a gradual process for most organizations. In Lotus Domino, you
can enable IPv6 support for SMTP, POP3, IMAP, LDAP, and HTTP
services on AIX®, Solaris®, and Linux systems.
Domino supports both IPv6 and IPv4. Thus, if an IPv6-enabled Domino
server encounters an IP address in IPv4 format, the Domino server can
still make the connection to that address.
In DNS, records that store IPv6 addresses are called AAAA records.
After you enable IPv6 on a Domino server and add the server’s AAAA
Setting Up the Domino Network 2-25
record to DNS, another IPv6-enabled Domino server can connect to it
only over IPv6. Servers that don’t support IPv6 can run Domino with
IPv6 support disabled, which is the default. These servers can
successfully connect to IPv6-enabled Domino servers only if the DNS for
the IPv6 servers contain A records.
Using IPv6 in a Domino network
For best results when using IPv6 with Domino servers, set up network
devices in the network pathway to connect directly with native IPv6,
rather than tunnel through the IPv4 network.
How Lotus Domino decides whether to connect over IPv6 or IPv4
A Domino server evaluates the address format and then, based on that
information, makes an IPv4 or an IPv6 connection.

Address format: Server response
IPv4: Makes an IPv4 connection.
IPv4 address mapped to IPv6: Attempts to make an IPv6 connection and waits for the
TCP/IP software to make either an IPv6 or IPv4 connection, depending on the remote
system’s TCP/IP stack.
IPv6: Makes an IPv6 connection.
Server name: Uses DNS to resolve the name:
• If only an A record is found, connects over IPv4.
• If only an AAAA record is found, connects over IPv6 or waits for the TCP/IP software
to make the connection.
• If both an A record and an AAAA record are found, uses the AAAA record.
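The decision table above in code, as an added example that is not part of the Domino documentation; the DNS record set is constructed and the host names are placeholders.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed DNS data (not real hosts): name -> list of (type, value).
DNS: Dict[str, List[Tuple[str, str]]] = {
    "v4only.example.test": [("A", "192.0.2.10")],
    "v6only.example.test": [("AAAA", "2001:db8::10")],
    "dual.example.test": [("A", "192.0.2.20"), ("AAAA", "2001:db8::20")],
}


def classify(target: str) -> str:
    """Name the table's address format: 'ipv4', 'ipv4-mapped', 'ipv6' or 'name'."""
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        return "name"
    if addr.version == 4:
        return "ipv4"
    return "ipv4-mapped" if addr.ipv4_mapped is not None else "ipv6"


def decide(target: str, dns=DNS) -> Tuple[Optional[str], Optional[str]]:
    """Return (family, address) following the table above.

    family is 'IPv4', 'IPv6', or 'IPv6-or-stack' when Domino starts an IPv6
    connection and leaves the final IPv6/IPv4 choice to the TCP/IP software.
    (None, None) means the name could not be resolved.
    """
    kind = classify(target)
    if kind == "ipv4":
        return "IPv4", target
    if kind == "ipv6":
        return "IPv6", target
    if kind == "ipv4-mapped":
        return "IPv6-or-stack", target
    records = dns.get(target, [])
    a_records = [v for t, v in records if t == "A"]
    aaaa_records = [v for t, v in records if t == "AAAA"]
    if aaaa_records and a_records:      # both present: the AAAA record wins
        return "IPv6", aaaa_records[0]
    if aaaa_records:                    # AAAA only: IPv6, or the stack decides
        return "IPv6-or-stack", aaaa_records[0]
    if a_records:                       # A only: IPv4
        return "IPv4", a_records[0]
    return None, None


def reachable_by_ipv4_only_server(name: str, dns=DNS) -> bool:
    """A server running with IPv6 support disabled (the default) can reach an
    IPv6-enabled server only if DNS also holds an A record for it."""
    return any(t == "A" for t, _ in dns.get(name, []))


if __name__ == "__main__":
    for target in ["192.0.2.1", "::ffff:192.0.2.1", "2001:db8::1",
                   "dual.example.test", "v6only.example.test"]:
        print(f"{target:22} {classify(target):12} -> {decide(target)}")
```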
Planning the NetBIOS network
The Domino network is compatible with NetBIOS, a set of IBM
session-layer LAN services that has evolved into a standard interface that
applications use to access transport-layer network protocols. Domino
supports the NetBIOS interface on Windows systems over the following
transport protocols: TCP/IP (on systems running TCP/IP), NetBEUI
(supplied with all Microsoft network products), and IPX (on systems
running IPX/SPX).
Note Although you can add some NetBIOS services to Linux and UNIX
systems, NRPC communication does not use them.
For detailed system requirements for using NetBIOS with Lotus Domino,
see the Release Notes.
Deciding whether to use NetBIOS services
Including NetBIOS in the Domino network has both benefits and risks.
The benefits are as follows:
NetBIOS has low overhead relative to other protocol suites. NetBIOS
over NetBEUI has the least overhead; NetBIOS over IPX has more;
and NetBIOS over TCP/IP has the most.
Because it is not directly routable, NetBIOS over NetBEUI can
provide a secure means to access your server for administration
within a flat network. To access the server over a routed IP network,
you can create a data-link switching (DLSw) tunnel to limit the
administration access with NetBIOS over NetBEUI.
Because NetBIOS name-to-address resolution services offer dynamic
registration by name broadcasts, you can use NetBIOS to build a
mobile Domino network for temporary or emergency use.
The risks of using NetBIOS involve the security of the file system on
Domino servers. Depending on the access permissions of the operating
system and on the transport protocol being used, NetBIOS name and file
services might allow users to see or access the server’s file system. When
a server provides NRPC services, mitigate this risk by disabling the
NetBIOS name and file services (SMB/CIFS) on the system so that the
system’s name cannot be seen over the network. Other Notes/Domino
systems can still find the Domino server because Lotus Domino has its
own NetBIOS name service to propagate and register the Domino
server’s NetBIOS name, but access is secure because it is controlled by
the authentication and certification features in NRPC.
If the system on which you run Domino requires NetBIOS name or
authentication services, mitigate the security risk by isolating the
NetBIOS services. Install an additional NIC on the system for NetBIOS
over a private administration network, and disable NetBIOS on the NIC
that the Domino server uses.
How to tell if NetBIOS is active on a system
The following are indications that NetBIOS is active:
On Windows systems, you can see or access another Windows
system’s file system through the Network Neighborhood (indicates
Server Message Block/NetBIOS).
You can register with an NT domain (indicates Server Message
Block/NetBIOS).
On Windows 2000 or XP systems, “NetBIOS over IP” is selected in
the system’s TCP/IP protocol settings.
Note On Linux and UNIX systems, the SAMBA server service
(Windows file server) can offer Server Message Block/NetBIOS or
Common Internet File System/IP access, or both.
Server name-to-address resolution over NetBIOS
When a Notes workstation or Domino server running NetBIOS tries to
connect to a Domino server, the initiating system offers the destination
server’s common name to the NetBIOS name service, which then
broadcasts that name and its associated network address over the
NetBIOS network.
For background information on how the Notes Name Service works with
name-resolver services such as the NetBIOS name service, see the topic
“Resolving server names to network addresses in NRPC” earlier in this
chapter.
When you use the Notes Name Service with the NetBIOS name service,
only a Notes or Domino system using the same NetBIOS transport
protocol as the destination Domino server can see the destination server’s
NetBIOS name. If the Notes or Domino system has more than one NIC
for which the NetBIOS transport protocol is enabled, only the NetBIOS
port with the same LANA binding as that of the destination server can
see the destination server’s name.
Which physical address is registered for a Domino server depends on the
transport protocol:
For NetBIOS over NetBEUI, the NIC’s 32-bit MAC address is used.
For NetBIOS over IPX, the IPX node number is used. In most cases,
this number is the same as the NIC’s 32-bit MAC address. For
information on how IPX node numbers are assigned and how to
change them, see the Novell documentation.
For NetBIOS over TCP/IP, the system’s IP address is used.
Ways to ensure successful NetBIOS resolves
Because NetBIOS broadcasting has a limited range, you may need to
create a Connection document that includes the physical address of the
destination server. This process works as long as the network pathway
can carry the given lower transport protocol.
For NetBIOS over TCP/IP, you can also do one of the following:
Use a WINS server with a static entry.
In the initiating system’s TCP/IP stack settings, enable NetBIOS
name lookup by DNS. This works even if you are not using any
NRPC services; however, the destination server must be registered
with DNS.
Note NetBIOS name space is flat, even with TCP/IP. If the client is not
within the same DNS domain level, access by name may not be possible.
Naming Domino servers on NetBIOS
NetBIOS names are limited to 15 characters. If the common name of the
Domino server is longer than 15 characters, NetBIOS truncates the name.
On NetBIOS over IPX, early versions of the resolver may confuse server
names if the first eight characters of the names are the same.
Caution The resolution of a Domino server name can be adversely
affected if the server name is the same as the NetBIOS name for a
Windows system.
To prevent this problem without making it difficult to manage system
files remotely, do the following:
On Windows NT, assign one name as the Domino server common
name and then alter that name slightly for the system name by
adding a preface such as NT-. In the Network dialog box on the
Windows NT Control Panel, specify the name in two places: the
Identification tab and the Protocols - TCP/IP properties - DNS tab.
On Windows 2000, add a preface such as W2K- to the system
name, using the Network Identification tab on the System
Properties dialog box.
For more information on the NetBIOS name service, see Microsoft’s
resource kit documentation for the Windows NT and 2000 operating
systems.
Planning the IPX/SPX network
To use Lotus Domino with IPX/SPX, at least one NetWare server must
exist on the network. Notes workstations and Domino servers access the
NetWare server and use its name services — namely, the Bindery Service
or the Novell Directory Service (NDS) — to locate other Domino servers
on the IPX/SPX network. The NetWare server and a Domino system may
be separated by a switch, bridge, or router and do not have to be on the
same LAN.
When you use the Novell Bindery Service with Lotus Domino, note the
following:
The NetWare server must not be more than one hop away from a
Domino server.
The NetWare server must not be more than one hop away from a
Notes workstation when the workstation connects to a Domino
server over a WAN.
While not required, it is best if the NetWare server is not more than a
few hops away from any Notes workstation.
If Lotus Domino and the NetWare server are on different LANs, make
sure that local routers are not filtering Bindery Service or NDS NetWare
Core Protocol (NCP) broadcasts.
The IPX protocol stack service (Novell or Microsoft) on a Domino server
or Notes workstation must point to the local NetWare server as its
preferred server and/or preferred tree. Other Domino servers or Notes
workstations do not need to access the same local NetWare server as
their preferred server or tree.
A Domino server can access only one NIC for the IPX protocol and only
one instance of the SPX port driver. Make sure you have not bound the
IPX protocol to more than one NIC or frame type on the system that is
running the Domino server.
Note The use of TCP/IP tunneling of NRPC-IPX/SPX connections is not
supported.
Note NDS access is supported only over the IPX/NCP protocol.
For detailed system requirements for using Lotus Domino on IPX/SPX,
see the Release Notes.
Server name-to-address resolution over IPX/SPX
Notes workstations and Domino servers use NetWare name-resolver
services to find a Domino server on an IPX/SPX network. When naming
Domino servers, consider the requirements of the name service or
services you are using.
Lotus Domino supports these NetWare services:
Bindery Service — Network services use the Service Advertising
Protocol (SAP) to update the NetWare server’s network database,
called the Bindery. Notes workstations and Domino servers use the
Bindery to look up a server’s network address. Domino servers use
the Bindery Service to advertise their NRPC services on the network.
The Bindery is a dynamic database; therefore, if a network service
does not update the Bindery within a few minutes, the Bindery
deletes the entries for that service. A Domino server uses the Bindery
Service Object ID 0x039B.
Novell Directory Service (NDS) — The Novell Directory Service is
based on the X.500 directory service. The IPX/SPX port driver is the
only port driver that supports NDS. Since NDS is a static database,
network services update the database only once. The information
stored in the database is persistent, so a Domino server’s NDS object
can always be found in the NDS tree, whether or not the server is
currently running. NDS uses less network bandwidth than the
Bindery Service, which uses SAP broadcasts over IPX/NCP.
Both NDS and Bindery Service — If both services are installed, the
Notes workstation or Domino server tries an NDS lookup first. If the
NDS lookup fails, the workstation or server tries a Bindery lookup.
After you install and set up a Domino server, you use the Domino
Administrator to select which NetWare service you want the Domino
server to use.
For background information on how the Notes Name Service works with
name-resolver services such as those for NetWare, see the topic “Resolving
server names to network addresses in NRPC” earlier in this chapter.
For information on setting up NDS to work with Lotus Domino, see the
appendix “Novell Directory Service for the IPX/SPX Network.”
Naming Domino servers on a NetWare Bindery Service network
The NetWare Bindery Service uses the common name of the Domino
server as the server name in the Bindery. For example, the Domino
server name Chicago/Midwest/Acme becomes CHICAGO in the
NetWare Bindery. To name a Domino server that uses the Bindery
Service, choose a common name that is unique within the Bindery and
contains no more than 48 characters. In addition, do not use any of these
characters: slash (/), backslash (\), colon (:), semicolon (;), plus (+),
comma (,), asterisk (*), question mark (?).
When the common name of a Domino server is added to the Bindery,
the Bindery converts multibyte characters to hexadecimal characters,
removes leading and trailing spaces, converts spaces to underscores, and
converts all alphabetic characters to uppercase.
Note When using Bindery emulation under NetWare 4.1 or later, all
systems that use the Bindery Service for name resolution must share one
Bindery context name. Separate the Notes named networks based on the
Bindery context name that the Notes workstations and Domino server
share for Bindery name resolution.
Naming Domino servers on a Novell Directory Service network
In NetWare Directory Services (NDS), Domino server names are the path
from the root of the NDS tree to the Domino server NDS object, in
distinguished name format. For example, if a Domino server name is
Chicago/Midwest/Acme, its NDS name is
CN=Chicago.OU=Marketing.O=Acme.
Within NDS, names must be unique. Although using the NDS
distinguished name guarantees uniqueness in NDS — even if two
Domino servers have the same common name — it’s best to specify
unique common names for Domino servers to ensure uniqueness in all
name services you are using.
To name a Domino server that uses NDS, choose a common name that
contains no more than 64 characters. Distinguished names can contain up
to 256 characters and can include the name types CN, OU, O, and C;
periods; and equal signs. Do not use any of the following in Domino
server names that use NDS: space ( ), slash (/), backslash (\), colon (:),
semicolon (;), plus (+), comma (,), asterisk (*), question mark (?).
Names in NDS are not case sensitive.
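The NetBIOS, Bindery and NDS naming rules above as one validator, an added example that is not Lotus code; the hex rendering of multibyte characters and the case-insensitive NetBIOS comparison are assumptions, since the page does not specify them.

```python
from typing import Iterable, List, Tuple

BINDERY_FORBIDDEN = set("/\\:;+,*?")
NDS_FORBIDDEN = BINDERY_FORBIDDEN | {" "}
NDS_TYPES = {"CN", "OU", "O", "C"}
NETBIOS_MAX, BINDERY_MAX, NDS_CN_MAX, NDS_DN_MAX = 15, 48, 64, 256


def common_name(hierarchical: str) -> str:
    """Chicago/Midwest/Acme -> Chicago."""
    return hierarchical.split("/")[0]


def netbios_name(cn: str) -> str:
    """NetBIOS keeps only the first 15 characters of a longer common name."""
    return cn[:NETBIOS_MAX]


def netbios_conflicts(cn: str, windows_hostnames: Iterable[str]) -> bool:
    """True when the server's NetBIOS name collides with a Windows system name
    (the Caution above). Case-insensitive comparison is an assumption."""
    nb = netbios_name(cn).upper()
    return any(netbios_name(h).upper() == nb for h in windows_hostnames)


def bindery_name(cn: str) -> str:
    """Apply the Bindery conversion described above: multibyte characters to hex
    (assumed here: two hex digits per UTF-8 byte), strip leading and trailing
    spaces, spaces to underscores, letters to uppercase."""
    out = []
    for ch in cn.strip():
        if ord(ch) > 127:
            out.append(ch.encode("utf-8").hex().upper())
        elif ch == " ":
            out.append("_")
        else:
            out.append(ch.upper())
    return "".join(out)


def bindery_problems(cn: str, existing: Iterable[str]) -> List[str]:
    """Rules for a Bindery Service network: unique within the Bindery, at most
    48 characters, none of the reserved characters."""
    problems = []
    if len(cn) > BINDERY_MAX:
        problems.append("common name longer than 48 characters")
    bad = sorted(c for c in set(cn) if c in BINDERY_FORBIDDEN)
    if bad:
        problems.append("forbidden characters: " + repr("".join(bad)))
    if bindery_name(cn) in {bindery_name(e) for e in existing}:
        problems.append("not unique in Bindery")
    return problems


def parse_nds_dn(dn: str) -> List[Tuple[str, str]]:
    """CN=Chicago.OU=Marketing.O=Acme -> [('CN', 'Chicago'), ('OU', 'Marketing'), ('O', 'Acme')]."""
    parts = []
    for rdn in dn.split("."):
        typ, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN: {rdn!r}")
        parts.append((typ.upper(), value))
    return parts


def nds_problems(dn: str, existing: Iterable[str]) -> List[str]:
    """Rules for an NDS network: name types CN/OU/O/C only, CN at most 64
    characters, DN at most 256, no reserved characters (space included) in the
    common name, uniqueness compared case-insensitively."""
    problems = []
    if len(dn) > NDS_DN_MAX:
        problems.append("distinguished name longer than 256 characters")
    parts = parse_nds_dn(dn)
    for typ, _ in parts:
        if typ not in NDS_TYPES:
            problems.append(f"unsupported name type: {typ}")
    cn = next((v for t, v in parts if t == "CN"), "")
    if len(cn) > NDS_CN_MAX:
        problems.append("common name longer than 64 characters")
    bad = sorted(c for c in set(cn) if c in NDS_FORBIDDEN)
    if bad:
        problems.append("forbidden characters in common name: " + repr("".join(bad)))
    if dn.lower() in {e.lower() for e in existing}:
        problems.append("not unique in NDS")
    return problems


if __name__ == "__main__":
    cn = common_name("Chicago/Midwest/Acme")
    print("NetBIOS:", netbios_name(cn), "conflict:", netbios_conflicts(cn, ["NT-Chicago"]))
    print("Bindery:", bindery_name(cn), bindery_problems(cn, ["Boston"]))
    print("NDS:", nds_problems("CN=Chicago.OU=Marketing.O=Acme", []))
```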
Setting up Domino servers on the network
Before installing a Domino server, make sure you have done the
following:
Installed one or more NICs on the system.
Installed protocol software if necessary.
Installed all network drivers in the correct directories.
Installed any network software required for the protocols. For more
information, see the vendor’s documentation.
After you install the server, you use the Domino Server Setup program to
accept network defaults or customize network settings.
For more information, see the chapter “Installing and Setting Up Domino
Servers.”
After you run the setup program, you may need to complete one or more
of these tasks to finish setting up Lotus Domino on the network:
Change the default names assigned to Notes named networks to
make them consistent with actual network topography.
Fine-tune network port setup by adding, enabling, renaming,
reordering, disabling, or deleting ports or by enabling network
encryption or compression on a port.
Complete tasks specific to the TCP/IP, NetBIOS, or IPX/SPX
protocol.
For information on connecting Notes workstations to the network, see
Lotus Notes 6 Help.
Setting up Notes named networks
The Domino Server Setup program automatically places all servers that
are in a Domino domain and that run the same network protocol in the
same Notes named network (NNN). In the Server document, the setup
program assigns each NNN a default name in the format portname
network.
After you complete the Server Setup program, rename the NNN for each
network port in the Server document. It is useful if the name reflects both
the location of the network and its protocol. For example, if your
company has a TCP/IP network and has LANs in Boston and San
Francisco, change the name of the NNN in Boston to “TCPIP Boston
network,” and change the name of the NNN in San Francisco to “TCPIP
SF network.”
Caution Domino assumes that all servers in an NNN have a continuous
LAN or WAN connection. If this is not the case, serious delays in mail
routing between servers can occur. Be careful not to include servers with
only dialup connections in an NNN.
To change the name of a Notes named network
1. From the Domino Administrator, select the server you just set up.
2. Click the Configuration tab.
3. Expand the Server section in the view pane.
4. Click Current Server Document.
5. Click Edit Server, and then click the Ports - Notes Network Ports tab.
6. In the Notes Network field for each port, enter a new name for the
server’s Notes named network. The name can include space
characters.
7. Click Save and Close.
Fine-tuning network port setup on a server
After you install and set up a Domino server, review the list of network
ports that were enabled by the Server Setup program. Unless you
customize network settings during setup, Domino enables ports based on
the current operating system configuration. To conserve system
resources, disable the ports for protocols that you don’t need.
For information on configuring a communication port for a dialup
modem, see the chapter “Setting Up Server-to-Server Connections.”
Use Domino Administrator to make these changes to a server’s network
port setup:
Disable a network port
Enable a network port
Add a network port
Rename a network port
Reorder network ports
Delete a network port
Encrypt network data on a port
Compress network data on a port
Note On a Notes workstation, you use the User Preferences dialog box
to change port setup.
For more information on changing port preferences on a workstation, see
Lotus Notes 6 Help.
Disabling a network port on a server
Even after you disable a port, it still appears in the list of available ports
so that you can later enable it.
1. From the Domino Administrator or Web Administrator, click the
server on which you want to disable a port.
2. Click the Configuration tab.
3. Do one of these:
From the Domino Administrator’s Tools pane, choose Server -
Setup Ports.
From the Web Administrator’s Port tool, choose Setup.
4. Select the port you want to disable, and then deselect “Port enabled.”
5. Click OK.
6. Click the Server - Status tab.
7. Do one of these so that the change takes effect:
From the Domino Administrator’s Tools pane, choose Restart Port.
(If you can’t see the Tools pane, make sure you are in the Server
Tasks view.)
From the Web Administrator’s Ports tool, choose Restart.
8. In the Server document, on the Ports - Notes Network Ports tab,
specify Disabled next to the name of the port you are disabling.
9. Save the Server document.
Enabling a network port on a server
If the server port you want to enable will be the Notes workstation’s only
means of connecting with the server, do not use this procedure. Instead,
use the Ports setting in the server’s NOTES.INI file.
For more information, see the appendix “NOTES.INI File.”
For information on creating a Connection document on a Notes
workstation, see Lotus Notes 6 Help.
To enable a network port
1. From the Domino Administrator or Web Administrator, click the
server on which you want to enable a port.
2. Click the Configuration tab.
3. Do one of these:
From the Domino Administrator’s Tools pane, choose Server -
Setup Ports.
From the Web Administrator’s Port tool, choose Setup.
4. Select the port you want to enable, and then select “Port enabled.”
5. Click TCP/IP Options, LANx Options, SPX Options, or COMx
Options, and specify information as appropriate.
For more information on TCP/IP, LANx, and SPX options, see the
topics “Changing the TCP/IP connection time-out interval,”
“Defining a NetBIOS LANA number for a Notes network port,” and
“Defining a server’s NetWare name service in Lotus Domino” later
in this chapter.
For more information on COMx options, see the chapter “Setting Up
Server-to-Server Connections.”
6. Click OK.
7. Click the Server - Status tab.
8. Do one of these so that the change takes effect:
From the Domino Administrator’s Tools pane, choose Restart Port.
(If you can’t see the Tools pane, make sure you are in the Server
Tasks view.)
From the Web Administrator’s Ports tool, choose Restart.
9. In the Server document, click the Ports - Notes Network Ports tab,
and edit these fields as necessary:
Field              Action
Port               Enter the port name. Lotus Domino assigns a default port name to each network protocol detected on the system.
Notes Network      Enter the name of the Notes named network for the group of Domino servers that are in this location and run on a particular protocol — for example, Boston TCPIP. Space characters are allowed in a Notes network name.
Net Address        Enter the protocol-specific name of the server — for example, sales.acme.com. The name you use depends on the convention of the network protocol. This field is used to determine the address that other servers use to access this server.
Disabled/Enabled   Choose Enabled so that other servers will know the port is enabled.
10. Save the Server document.


11. Make sure that this server is set up to replicate its Domino Directory
to other servers, or enter the preceding changes into the Server
document on a server that is set up to do the replication, or other
servers will not know that they can connect to this server over the
newly enabled port.
Adding a network port on a server
If the server port you want to add will be the Notes workstation’s only
means of connecting with the server, do not use this procedure. Instead,
use the Ports setting in the server’s NOTES.INI file.
For more information, see the appendix “NOTES.INI File.”
For information on creating a Connection document on a Notes
workstation, see Lotus Notes 6 Help.
2-36 Administering the Domino System, Volume 1
To add a network port
1. From the Domino Administrator or Web Administrator, click the
server on which you want to add a port.
2. Click the Configuration tab.
3. Do one of these:
From the Domino Administrator’s Tools pane, choose Server -
Setup Ports.
From the Web Administrator’s Port tool, choose Setup.
4. Click New.
5. Specify the port name and driver, and click OK.
6. Click TCP/IP Options, LANx Options, SPX Options, or COMx
Options, and specify information as appropriate.
For more information on TCP/IP, LANx, and SPX options, see the
topics “Changing the TCP/IP connection time-out interval,”
“Defining a NetBIOS LANA number for a Notes network port,” and
“Defining a server’s NetWare name service in Lotus Domino” later
in this chapter.
For more information on COMx options, see the chapter “Setting Up
Server-to-Server Connections.”
7. Click OK.
8. Click the Server - Status tab.
9. Do one of these so that the change takes effect:
From the Domino Administrator’s Tools pane, choose Restart Port.
(If you can’t see the Tools pane, make sure you are in the Server
Tasks view.)
From the Web Administrator’s Ports tool, choose Restart.
10. In the Server document, click the Ports - Notes Network Ports tab,
and edit these fields as necessary:
Field              Action
Port               Enter the port name. Lotus Domino assigns a default port name to each network protocol detected on the system.
Notes Network      Enter the name of the Notes named network for the group of Domino servers that are in this location and run on a particular protocol — for example, Boston TCPIP. Space characters are allowed in a Notes network name.
Net Address        Enter the protocol-specific name of the server — for example, sales.acme.com. The name you use depends on the convention of the network protocol. This field is used to determine the address that other servers use to access this server.
Disabled/Enabled   Choose Enabled so that other servers will know the port is enabled.
11. Save the Server document.
12. Make sure that this server is set up to replicate its Domino Directory
to other servers, or enter the preceding changes to the Server
document on a server that is set up to do the replication, or other
servers will not know that they can connect to this server over the
newly enabled port.
13. If you are adding an additional TCP/IP port on a computer with
multiple NICs, see these topics:
Binding an NRPC port to an IP address
Binding an Internet service to an IP address.
14. If you are adding an additional NetBIOS port on a computer with
multiple NICs, see the topic Creating additional network ports for
NetBIOS.
Renaming a network port on a server
You might want to rename a port to reflect its function. For example,
suppose you add a second TCP/IP port named SRV-TCP so that
clustered servers can communicate over a private network. Then you
might want to rename the original TCP/IP port, through which users
communicate with the server, USR-TCP.
1. From the Domino Administrator or Web Administrator, click the
server on which you want to rename a port.
2. Click the Configuration tab.
3. Do one of these:
From the Domino Administrator’s Tools pane, choose Server -
Setup Ports.
From the Web Administrator’s Port tool, choose Setup.
4. Select the port you want to rename.
5. Click Rename, and then enter the new name. Do not use spaces in the
port name.
6. Click OK.
7. Click the Server - Status tab.
8. Do one of these so that the change takes effect:
From the Domino Administrator’s Tools pane, choose Restart Port.
(If you can’t see the Tools pane, make sure you are in the Server
Tasks view.)
From the Web Administrator’s Ports tool, choose Restart.
9. In the server document, on the Ports - Notes Network Ports tab,
change the name of the port to the new name and save the
document.
10. If this server is the source server for any Connection documents in
the Domino Directory, click Server - Connections.
11. Select a Connection document and click Edit Connection.
12. On the Basics tab, enter the new port name in the “Use the port(s)”
field.
13. Save and close the Connection document.
14. Repeat steps 11 to 13 for each Connection document for which this
server is the source.
Reordering network ports on a server
Changing the order in which ports are listed in the Setup Ports dialog
box also changes the Ports setting in the NOTES.INI file. List the ports in
the order in which you want them to be used — for example, list nearest
or fastest connections first. Then when a server uses a Notes named
network or a Connection document to locate another server, the port
with a close or fast connection will be used as the preferred path.
If the Domino server has multiple TCP/IP ports, see the topic
“Reordering multiple server ports for TCP/IP” later in this chapter.
To reorder network ports
1. From the Domino Administrator or Web Administrator, click the
server on which you want to reorder ports.
2. Click the Configuration tab.
3. Do one of these:
From the Domino Administrator’s Tools pane, choose Server -
Setup Ports.
From the Web Administrator’s Port tool, choose Setup.
4. Select the port that you want to relocate in the list.
5. Click the up and down arrows, as necessary to relocate the port.
6. Click OK.
7. Click the Server - Status tab.
8. Do one of these so that the change takes effect:
From the Domino Administrator’s Tools pane, choose Restart Port.
(If you can’t see the Tools pane, make sure you are in the Server
Tasks view.)
From the Web Administrator’s Ports tool, choose Restart.
9. In the Server document, on the Ports - Notes Network Ports tab,
change the port order to the new order by cutting and pasting all the
necessary fields.
10. Save the Server document.
Note When you create a Connection document on a server, the
Connection document takes the port order from the order in the Setup
Ports dialog box. Then, whenever the server connects with the
destination server, the server obtains the port order directly from the
Connection document. If you change the port order after you create
Connection documents, you must save each Connection document again.
To have different Connection documents reflect different port orders,
change the port order, save a Connection document, change the port
order again, save another Connection document, and so on.
Deleting a network port on a server
If you delete a port, it no longer appears in the list of available ports in
the Setup Ports dialog box.
1. From the Domino Administrator or Web Administrator, click the
server on which you want to delete a port.
2. Click the Configuration tab.
3. Do one of these:
From the Domino Administrator’s Tools pane, choose Server -
Setup Ports.
From the Web Administrator’s Port tool, choose Setup.
4. Select the port you want to delete.
5. Click Delete.
6. Click OK.
7. Click the Server - Status tab.
8. Do one of these so that the change takes effect:
From the Domino Administrator’s Tools pane, choose Restart Port.
(If you can’t see the Tools pane, make sure you are in the Server
Tasks view.)
From the Web Administrator’s Ports tool, choose Restart.
9. In the Server document, on the Ports - Notes Network Ports tab,
delete the contents of all the fields next to the name of the port you
are deleting.
10. Save the Server document.
Encrypting NRPC communication on a server port
You can encrypt network data on a server’s Notes network ports to
prevent the network eavesdropping that’s possible with a network
protocol analyzer. Network encryption occurs at the application layer of
a given protocol and is independent of other forms of encryption.
Network data is encrypted only while it is in transit. After the data is
received and stored, network encryption is no longer in effect.
Network data encryption occurs if you enable network data encryption
on either side of a network connection. For example, if you enable
encryption on a server’s Notes network port for TCP/IP, you don’t need
to enable encryption on the TCP/IP ports of workstations or servers that
connect to the server.
If you want the server to have one TCP/IP port for Notes traffic over the
Internet and another TCP/IP port for internal traffic over NRPC, you can
encrypt the port for Internet traffic and leave the port for internal traffic
unencrypted.
Be aware that multiple high-speed encrypted connections to a server can
affect server performance adversely. Encrypting network data has little
effect on client performance. For protocols other than NRPC, you use SSL
for encryption.
For more information, see the chapter “Setting Up SSL on a Domino
Server.”
To encrypt NRPC communication
1. From the Domino Administrator or Web Administrator, choose the
server for which you want to encrypt network data.
2. Click the Configuration tab.
3. Do one of these:
From the Domino Administrator’s Tools pane, choose Server -
Setup Ports.
From the Web Administrator’s Port tool, choose Setup.
4. Select the port you want to encrypt.
5. Select “Encrypt network data.”
6. Click OK.
7. Click the Server - Status tab.
8. Do one of these so that the change takes effect:
From the Domino Administrator’s Tools pane, choose Restart Port.
(If you can’t see the Tools pane, make sure you are in the Server
Tasks view.)
From the Web Administrator’s Ports tool, choose Restart.
Compressing network data on a server port
To reduce the amount of data transmitted between a Notes workstation
and Domino server or between two Domino servers, enable network
compression for each enabled network port. Whether you should enable
compression on a network port depends on the type of network
connection and the type of data being transmitted.
For compression to work, enable it on both sides of a network
connection. To enable compression for a network port on a server, use
the Server tab in the Domino Administrator. To enable compression on
network ports on Notes workstations, from the Domino Administrator,
use a setup or desktop policy settings document or from a workstation,
use the User Preferences dialog box.
For information on policy settings, see the chapter “Using Policies.”
WAN connections
Enabling network compression on X.PC ports can significantly reduce
the time it takes to send and receive data over a remote connection
between a Notes workstation and a Domino server or between two
Domino servers.
You benefit from using network compression only if the data being
transmitted is not already compressed. In the case of a network dialup
service such as Microsoft’s Remote Access Service (RAS) which includes
built-in compression, enabling compression on Notes network ports does
not provide any additional benefit. The same is true of tasks involving
data that was compressed using the Lempel-Ziv algorithm (LZ1
compression) — such as replicating a mail file with a large number of
compressed attachments.
LAN connections
While compression decreases bandwidth use on a LAN, you must weigh
this gain against increased memory and processor use, since network
compression works by buffering data before compressing it. The cost of
compression might be worth it only for a heavily loaded network.
To compress data on a server port
1. From the Domino Administrator or Web Administrator, click the
server for which you want to turn on network compression.
2. Click the Configuration tab.
3. Do one of these:
From the Domino Administrator’s Tools pane, choose Server -
Setup Ports.
From the Web Administrator’s Port tool, choose Setup.
4. Select the port for which you want to turn on compression.
Note Make sure “Port enabled” is selected for that port.
5. Select “Compress network data.”
6. Click OK.
7. Click the Server - Status tab.
8. Do one of these so that the change takes effect:
From the Domino Administrator’s Tools pane, choose Restart Port.
(If you can’t see the Tools pane, make sure you are in the Server
Tasks view.)
From the Web Administrator’s Ports tool, choose Restart.
Server setup tasks specific to TCP/IP
After you run the Domino Server Setup program, complete these
procedures:
1. Set up a secondary name server for Notes clients.
2. Change the server’s connection-time-out interval.
3. For servers that provide services to Internet clients, enable Domino
support for IPv6.
4. For configurations involving multiple NICs on a server or
partitioned server:
Reorder multiple Notes network ports for TCP/IP.
Bind an NRPC port to an IP address.
Bind an Internet service to an IP address.
5. For a partitioned server with a single NIC for the entire computer,
assign an IP address to each server partition
6. Change a default TCP or SSL port number.
7. Confirm that TCP/IP is configured properly.
Setting up a secondary name server
To ensure that the Notes Name Service is always available to Notes
workstations, assign a secondary name server in users’ Location
documents. You can specify a different secondary name server for each
LAN location defined. The secondary name server is used when:
The user’s home server is down.
The user’s home server is not running TCP/IP.
The name of the user’s home server cannot be resolved over TCP/IP.
For examples of situations in which the name of a home server cannot be
resolved, see the topic “Ensuring DNS resolves in advanced TCP/IP
configurations” earlier in this chapter.
Note You can use setup or desktop policy settings to assign secondary
name servers to groups of users.
For more information, see the chapter “Using Policies.”
To set up a secondary name server
1. On the Notes workstation, choose File - Mobile - Locations, and open
the location for which you want to designate a secondary name
server.
2. Click “Edit Location.”
3. Click the Advanced - Secondary Servers tab. (The Advanced tab
appears only if you have a location defined as “Local Area Network”
or “Both Dialup and Local Area Network.”)
4. In the “Secondary TCP/IP Notes server name” field, enter one of the
following:
The common name of the Domino server — for example,
Notesserver1
The hierarchical name of the Domino server — for example,
Notesserver1/Acme
5. In the “Secondary TCP/IP host name or address” field, enter one of
the following:
IP address — for example, 197.114.33.22
The fully qualified domain name — for example,
notesserver1.acme.com
The simple host name — for example, notesserver1
If you specify only the host name in this field, the workstation
must use the Domain Name System (DNS) or local hosts file to
locate the secondary name server. When you specify the IP
address in this field, Lotus Domino resolves the host’s IP address
without having to perform a DNS or hosts file lookup.
6. Click “Save and Close.”
Changing the TCP/IP connection-time-out interval
You might want to increase the number of seconds that Lotus Domino
waits before terminating a connection attempt. For example, increasing
the time-out interval is often necessary on a server that dials up other
Domino servers. The default time-out interval is 5 seconds.
1. From the Domino Administrator or Web Administrator, click the
server for which you want to change the time-out interval.
2. Click the Configuration tab.
3. Do one of these:
From the Domino Administrator’s Tools pane, choose Server -
Setup Ports.
From the Web Administrator’s Port tool, choose Setup.
4. Select the TCP/IP port.
5. Click “TCPIP Options,” and enter a number.
Note Unless the connection is over a dial-on-demand ISDN modem,
remote bridge, or router, it is best to enter a number no greater than
10, as the Notes client or Domino server won’t retry the connection
until the timer has expired.
6. Click OK.
Enabling support for IPv6 on a Domino server
You can enable support for IPv6 on a Domino server that runs the IMAP,
POP3, SMTP, LDAP, or HTTP service.
To enable IPv6, add this NOTES.INI setting to the server’s NOTES.INI
file:
TCP_EnableIPV6=1
Reordering multiple server ports for TCP/IP
If a Domino server has multiple Notes network ports for TCP/IP, the
order in which these ports are listed in the NOTES.INI file and the Server
document affects how other servers and workstations connect to this
server. The Ports setting in the NOTES.INI file determines which port a
workstation or server tries first. In the absence of other settings that bind
an NRPC, POP3, IMAP, SMTP, or LDAP service to an IP address, all of
these services will try to use the port listed first in the NOTES.INI file.
Server-to-server communication
If you add a second Notes network port for TCP/IP in order to isolate
server-to-server communication — for example, a private network for
cluster replication — list this port first in the NOTES.INI file so that
server-to-server traffic will tend to occur over this connection, thus
decreasing the data flow on the port for the user network. To change the
port order in the NOTES.INI file, use the Port Setup dialog box.
For more information, see the topic “Reordering network ports on a
server” earlier in this chapter.
Note If you are setting up a private cluster network and do not list the
server port first, you must add the setting Server_Cluster_Default_Port
to the NOTES.INI file. The disadvantage of adding this setting is that if
the server encounters a problem connecting over this port, it will not try
another port, and replication will not occur.
For more information on the Server_Cluster_Default_Port setting, see the
appendix “NOTES.INI File.”
Workstation-to-server communication
If a Domino server has a port for workstations to connect on — for
example, over a LAN — and another port for servers to connect on — for
example, over a WAN — list the workstation port first in the Server
document so that users see only servers on the LAN when they choose
File - Database - Open.
To reorder the ports in the Server document, click the Ports - Notes
Network Ports tab, and edit the fields in the table.
Binding an NRPC port to an IP address
By default, all TCP/IP-based services on a Domino server listen for
network connections on all NICs and on all configured IP addresses on
the server. If you have enabled more than one Notes network port for
TCP/IP (TCP port for NRPC) on either a single Domino server or a
Domino partitioned server, you must associate the NRPC ports and IP
addresses by binding each port to an address.
For background information on Domino server setups with multiple IP
addresses, see the topic “Advanced Domino TCP/IP configurations”
earlier in this chapter.
To bind an NRPC port to an IP address
1. For each IP address, make sure you have added a Notes port for
TCP/IP. Also make sure that each port has a unique name.
For information on adding a Notes port, see the topic “Adding a
network port on a server” earlier in this chapter.
2. In the NOTES.INI file, confirm that these lines appear for each port
that you added:
Ports=TCPIPportname
TCPIPportname=TCP, 0, 15, 0
Where TCPIPportname is the port name you defined.
3. For each port that you want to bind to an IP address, add this line to
the NOTES.INI file:
TCPIPportname_TCPIPAddress=0,IPaddress
Where IPaddress is the IP address of the specific NIC.
For example:
TCPIP_TCPIPAddress=0,130.123.45.1
Note For IPv6, enclose the address in square brackets, as it contains
colons. For example:
TCPIP_TCPIPAddress=0,[fe80::290:27ff:fe43:16ac]
4. (Optional) To help you later remember the function of each port, add
the default TCP port number for NRPC to the end of the line you
entered in Step 3, as follows:
:1352
Caution Do not change the assigned TCP port number unless you
have a way to redirect the inbound connection with Domino port
mapping or a firewall that has port address translation (PAT).
In a situation where you must change the default NRPC port
number, see the topic “Changing a TCP or SSL port number” later in
this chapter.
Binding an Internet service to an IP address
If the Domino server has multiple Notes network ports for TCP/IP
(NRPC ports) and the server is also hosting the SMTP, POP3, IMAP,
LDAP, or Internet Cluster Manager (ICM) service, you must specify the
NRPC port that you want the service to use in the NOTES.INI file. If you
do not specify an NRPC port for an Internet service, by default the
service will use the port listed first in the Ports setting in the NOTES.INI
file. You can specify the same NRPC port for multiple Internet services.
For the Domino Web server (HTTP service), you use the Server
document to bind HTTP to a host name IP address.
To bind the SMTP, POP3, IMAP, LDAP, or ICM service
1. Bind each NRPC port to an IP address.
2. In the NOTES.INI file, specify the appropriate NRPC port for each
Internet service as follows:
Note If you don’t know the port name to enter for an NRPC port,
open the Server document, click the Ports - Notes Network Ports tab,
and look at the ports associated with the TCP protocol.
Service   Action
POP3      Enter POP3NotesPort=port name, where port name is the name of the NRPC port that you want to link the service to.
IMAP      Enter IMAPNotesPort=port name, where port name is the name of the NRPC port that you want to link the service to.
SMTP      Enter SMTPNotesPort=port name, where port name is the name of the NRPC port that you want to link the service to.
LDAP      Enter LDAPNotesPort=port name, where port name is the name of the NRPC port that you want to link the service to.
ICM       Enter ICMNotesPort=port name, where port name is the name of the NRPC port that you want to link the service to.
Example
The following example shows the Ports section of the NOTES.INI file
after two NRPC ports have been bound to their IP addresses and the
second NRPC port has been specified for the SMTP service. The three
lines you add are the two TCPIPAddress lines and the SMTPNotesPort
line:
Ports=TCPIP, TCPIP2
TCPIP=TCP, 0, 15, 0
TCPIP_TCPIPAddress=0,10.33.52.1
TCPIP2=TCP, 0, 15, 0
TCPIP2_TCPIPAddress=0,209.98.76.10
SMTPNotesPort=TCPIP2
Note Domino adds the Ports line and the two port driver lines
(TCPIP=... and TCPIP2=...) when you use either the Domino Server
Setup program or the Domino Administrator’s Setup Ports dialog box to
enable a port.
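As an added example (not code from the Domino documentation or from IBM), the following Python script checks the Ports section of a NOTES.INI file against the rules the two binding topics above describe: every port in Ports= has a driver line, each _TCPIPAddress line names a known port and carries a valid IPv4 or bracketed IPv6 address, each *NotesPort setting refers to a known port, and, when several TCP ports exist, every one of them is bound (an unbound port listens on every address). The two NOTES.INI fragments are constructed samples; the second contains the kind of misspelling that Domino ignores silently, so the service falls back to the first port.

```python
import ipaddress
import re

NRPC_DEFAULT_PORT = 1352
# The *NotesPort settings documented above (NOTES.INI keys are case-insensitive).
SERVICE_KEYS = {"pop3notesport", "imapnotesport", "smtpnotesport",
                "ldapnotesport", "icmnotesport"}


def parse_notes_ini(text):
    """Return {lower-case key: (key as written, value)} for every key=value line.
    Later duplicates overwrite earlier ones; blank lines and ';' comments are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip().lower()] = (key.strip(), value.strip())
    return settings


def parse_binding(value):
    """Parse a <port>_TCPIPAddress value of the form 0,<address>[:<tcp port>].
    IPv6 addresses must be in square brackets. Returns (ip, tcp_port) or None."""
    m = re.fullmatch(r"0\s*,\s*(\[[0-9A-Fa-f:.]+\]|[0-9.]+)(?::(\d+))?", value)
    if not m:
        return None
    try:
        ip = ipaddress.ip_address(m.group(1).strip("[]"))
    except ValueError:
        return None
    return ip, int(m.group(2)) if m.group(2) else NRPC_DEFAULT_PORT


def check_port_bindings(text):
    """Return a list of problems found in the Ports section; [] means consistent."""
    problems = []
    settings = parse_notes_ini(text)
    if "ports" not in settings:
        return ["no Ports= line found"]
    ports = [p.strip() for p in settings["ports"][1].split(",") if p.strip()]
    known = {p.lower() for p in ports}
    tcp_ports = []
    for port in ports:
        entry = settings.get(port.lower())
        if entry is None:
            problems.append(f"port '{port}' is listed in Ports= but has no driver line")
        elif entry[1].split(",")[0].strip().upper() == "TCP":
            tcp_ports.append(port)
    bound = set()
    for lkey, (key, value) in settings.items():
        if lkey.endswith("_tcpipaddress"):
            port = key[:-len("_TCPIPAddress")]
            if port.lower() not in known:
                problems.append(f"{key} binds port '{port}', which is not in Ports=")
            parsed = parse_binding(value)
            if parsed is None:
                problems.append(f"{key}: '{value}' is not of the form 0,<address>[:port]")
                continue
            if parsed[1] != NRPC_DEFAULT_PORT:
                problems.append(f"{key}: NRPC port {parsed[1]} is not the default 1352; "
                                "inbound connections need port mapping or PAT")
            bound.add(port.lower())
        elif lkey in SERVICE_KEYS:
            if value.lower() not in known:
                problems.append(f"{key} refers to port '{value}', which is not in Ports=")
        elif lkey.endswith("notesport"):
            # A misspelt service key is ignored, so the service silently uses the first port.
            problems.append(f"{key} is not a recognised *NotesPort setting; check spelling")
    if len(tcp_ports) > 1:
        for port in tcp_ports:
            if port.lower() not in bound:
                problems.append(f"TCP port '{port}' is not bound to an address; with several "
                                "TCP ports every port needs a _TCPIPAddress line")
    return problems


# Constructed sample: two bound NRPC ports, SMTP pinned to the second one.
GOOD_INI = """\
Ports=TCPIP, TCPIP2
TCPIP=TCP, 0, 15, 0
TCPIP_TCPIPAddress=0,10.33.52.1
TCPIP2=TCP, 0, 15, 0
TCPIP2_TCPIPAddress=0,209.98.76.10:1352
SMTPNotesPort=TCPIP2
"""

# Constructed sample with two easy-to-miss typos: 'TCP1P2' in Ports= and 'SMPTNotesPort'.
BAD_INI = """\
Ports=TCPIP, TCP1P2
TCPIP=TCP, 0, 15, 0
TCPIP_TCPIPAddress=0,10.33.52.1
TCPIP2=TCP, 0, 15, 0
TCPIP2_TCPIPAddress=0, 209.98.76.10
SMPTNotesPort=TCPIP2
"""

if __name__ == "__main__":
    for name, ini in (("good", GOOD_INI), ("bad", BAD_INI)):
        print(name, check_port_bindings(ini) or "OK")
```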
To bind the HTTP service
1. On the Internet Protocols - HTTP tab of the Server document, enter
one or more IP addresses or FQDNs for the server in the “Host
name(s)” field.
2. Select Enabled in the “Bind to host name” field.
Note If the server is a partitioned server and has Web sites configured
with separate IP addresses, or has virtual servers (Domino 5) configured
for one or more partitions, enter the partition’s IP address, and each Web
site or virtual server’s IP address in the “Host name(s)” field, separated
by semicolons. Alternatively, you can use FQDNs in this field. Do not list
additional Web sites and virtual hosts that have IP addresses that are
already listed in this field.
Example 1 — Server partition with Web sites
The partition’s host name is app01 and there are two Web sites
configured for it: sales.acme.com and accounting.acme.com. The Web site
sales.acme.com uses the same IP address as the partition, and the Web
site accounting.acme.com has its own IP address. Enter the following in
the “Host name(s)” field:
9.88.43.113;9.88.46.110
where 9.88.43.113 is the IP address for both the partition and the Web
site sales.acme.com and 9.88.46.110 is the IP address for the Web site
accounting.acme.com.
Example 2 — Server partition with virtual servers
The partition’s host name is app01 and there are two virtual servers
(9.88.46.114 and 9.88.46.115) and one virtual host configured for it. Enter
the following in the “Host name(s)” field:
9.88.43.113;9.88.46.114;9.88.46.115
where 9.88.43.113 is the IP address for both the partition and the
virtual host sales.acme.com, 9.88.46.114 is the IP address for virtual
server 1 (accounting.acme.com), and 9.88.46.115 is the IP address for
virtual server 2 (northeastsales.acme.com).
For information on Web sites and Internet Site documents, see the
chapter “Installing and Setting Up Domino Servers.”
Assigning separate IP addresses to partitions on a system with a
single NIC
If you use a single NIC with multiple IP addresses, you must complete
additional configuration instructions, which are based on your operating
system, for each server partition.
Note Using separate IP addresses with a single NIC can have a negative
impact on the computer’s I/O performance.
For background information on partitioned servers and the TCP/IP
network, see the topic “Partitioned servers and IP addresses” earlier in
this chapter.
IBM AIX or Linux
You must be logged on as root.
To enable an IP address in IBM AIX
1. Add one entry in the local host names file /etc/hosts for each server
partition. The entry for the partition that uses the computer host
name should already exist.
2. To enable an IP address, enter this command under the heading
“Part 2 - Traditional Configuration” in the startup file (/etc/rc.net).
Do not enter this command for the partition that uses the computer
host name.
/usr/sbin/ifconfig interface alias server_name
where interface is the name of the network interface, and server_name
is the name of the partitioned server — for example:
/usr/sbin/ifconfig en0 alias server2
3. Restart the system if necessary, and test the configuration. From
another computer, use the ping command with the server names. To
show the network status, use the netstat command.
To disable an IP address in IBM AIX or Linux
Do not remove the IP address of a server partition that uses the computer
host name as its server name.
1. Enter this command at the console:
/usr/sbin/ifconfig interface delete server_name
where interface is the name of the network interface, and server_name
is the name of the partitioned server.
2. Remove the partition’s name entry from the local host names
/etc/hosts file.
3. Remove the corresponding ifconfig command from the system
startup /etc/rc.net file.
Sun Solaris
This procedure is for Sun Solaris 2.6. You must have superuser privileges
to configure the NIC.
To enable an IP address in Sun Solaris
1. Add one entry in the local host names /etc/hosts file for each server
partition. The entry for the partition that uses the computer host
name should already exist.
2. For each partition, create a file named:
/etc/hostname.device:n
where device is the device name of the NIC, and n is a number that
increments for each file name. The /etc/hostname.hme0 file should
already exist and contain the computer host name.
For example, if /etc/hostname.hme0 contains the name Server1,
create:
/etc/hostname.hme0:1
which contains the name Server2, and
/etc/hostname.hme0:2
which contains the name Server3.
3. Create the alias for each IP address that goes to the NIC which is
hme0. At the console, enter:
/sbin/ifconfig hme0 plumb
/sbin/ifconfig hme0:n IP_address
where n is the number you created in Step 2 for each file name, and
IP_address is the address assigned to the corresponding server in Step
1. For example:
/sbin/ifconfig hme0 plumb
/sbin/ifconfig hme0:1 111.123.11.96
/sbin/ifconfig hme0:2 111.123.11.22
4. To verify the IP addresses that you configured, enter:
/sbin/ifconfig -a
5. To enable each IP address that you configured in Step 3, enter:
/sbin/ifconfig hme0:n up
where n is the number assigned to the file that contains the server
name. For example:
/sbin/ifconfig hme0:1 up
/sbin/ifconfig hme0:2 up
To disable an IP address, enter:
/sbin/ifconfig hme0:n down
6. To configure the NIC to support multiple IP addresses at system
startup, add this ifconfig command to the startup file (probably
/etc/rc2.d/S30sysident):
/sbin/ifconfig hme0 plumb
/sbin/ifconfig hme0:n IP_address
/sbin/ifconfig hme0:n up
where n corresponds to the number you created in Step 2 for each
file name, and IP_address is the address assigned to the
corresponding server in Step 1.
7. Test the configuration. From another computer, use the ping
command with the server names. To show the network status, use
the netstat command.
To disable an IP address in Sun Solaris
Do not remove the IP address of the server partition that uses the
computer host name as its server name.
1. To disable the IP address, type:
/sbin/ifconfig hme0:n down
where n is the number assigned to the file that contains the server
name. For example:
/sbin/ifconfig hme0:1 down
2. Remove the corresponding /etc/hostname.hme0:n file. For example,
to remove Server2, remove the /etc/hostname.hme0:1 file, which
contains the name Server2.
3. Remove the partition’s server name entry from the local host names
/etc/hosts file.
Windows
To configure a single NIC for multiple IP addresses on Windows
systems, do the following:
On Windows NT, use the Network icon on the Control Panel. For
more information, see the Windows NT documentation.
For Windows 2000, use the Network and Dial-up Connections
icon on the Control Panel , and then the Local Area Connection
icon. Click the Properties button. For more information, see the
Windows 2000 documentation.
Configuring a partitioned server for one IP address and port
mapping
To configure server partitions to share the same IP address and the same
NIC, you use port mapping. With port mapping, you assign a unique
TCP port number to each server partition and designate one partition to
perform port mapping. The port-mapping partition listens on port 1352
and redirects Notes and Domino connection requests to the other
partitions.
If the port-mapping partition fails, existing sessions on the other
partitions remain connected. In most cases, Notes clients will not be able
to open new sessions on any of the partitions. However, because each
Notes client maintains information in memory about recent connections,
including those redirected by the port-mapping partition, a client may be
able to connect to a partition even when the port-mapping partition is not
running. A client or remote server that has a Connection document
containing both the IP address and the assigned port can always access
the port-mapping partition.
Because the port-mapping partition requires extra system resources,
consider dedicating the partition to this task only. To do this, remove all
other server tasks, such as mail routing and replication, from the
partition’s NOTES.INI file.
Port mapping works for NRPC communication only. However, you can
use the Server document in the Domino Directory to configure IMAP,
LDAP, and POP3 services and Domino Web servers to use unique ports
for communication. When you do, you must make the port number
available to users when they try to connect to the servers.
Note Because Internet protocols carry a large amount of data, you may
encounter I/O bottlenecks if you use a single NIC with too many server
partitions. Consider adding additional NICs and isolating the data by
protocol.
To configure for one IP address and port mapping
When you set up port mapping, the port-mapping partition
automatically routes NRPC communication requests to the other server
partitions.
1. Decide which server partition will perform port mapping.
2. Choose a unique TCP/IP port number for each server partition on
the computer. The port-mapping partition uses the assigned port,
1352. It is best to use port numbers 13520, 13521, 13522, 13523, or
13524 for the additional server partitions.
Setting Up the Domino Network 2-53
Installation
3. In the NOTES.INI file of the port-mapping partition, include one line
for the port-mapping partition and one line for each of the other
partitions. For the port-mapping partition, enter:
TCPIP_TcpIpAddress=0,IPAddress:1352
where TCPIP is the port name, and IPAddress is the IP address of the
port-mapping partition.
For each of the other partitions, enter:
TCPIP_PortMappingNN=CN=server_name/O=org,IPAddress:port_number
where TCPIP is the port name, NN is a number between 00 and 04
assigned in ascending sequence, server_name is the server name of the
partition, org is the organization name, IPAddress is the shared IP
address, and port_number is the unique TCP port number you chose for
the partition.
Note You must assign the numbers for NN in ascending order
beginning with 00 and ending with a maximum of 04. If there is a
break in the sequence, Domino ignores the subsequent entries.
4. In the NOTES.INI file of each of the other partitions, include this line:
TCPIP_TcpIpAddress=0,IPAddress:IPport_number
where TCPIP is the port name, IPAddress is the shared IP address,
and IPport_number is the unique port number you chose for the
partitioned server.
5. In the Net Address field on the Ports - Notes Network Ports tab in
the Server document for each partition, enter the fully qualified
domain name — for example, sales.acme.com — or enter the
common server name — for example, Sales.
6. Create an IP address entry for the port-mapping partition in the
DNS, NIS, or the local hosts file.
7. Include each partition name as a separate CNAME entry in the DNS,
NIS, or the local hosts file.
8. If you also plan to set up the partitions for IMAP, LDAP, and POP3
services and Web server communication, assign to each protocol a
unique port number in the “TCP/IP port number” field on the
appropriate subtabs (Web, Directory, and Mail) on the Ports -
Internet Ports tab of the Server document.
Note You must make these port numbers available to users when
they try to connect to these servers. For example, if you assign port
12080 to the Web server acme.com, users must include
acme.com:12080 in the URL in order to connect to the server, unless
they have a means to redirect the connection to this port assignment.
Example
This example shows the lines you add to the NOTES.INI files of the
server partitions to set up port mapping for six partitions.
Partition 1 (the port-mapping partition)
TCPIP_TcpIpAddress=0,192.94.222.169:1352
TCPIP_PortMapping00=CN=Server2/O=Org2,192.94.222.169:13520
TCPIP_PortMapping01=CN=Server3/O=Org3,192.94.222.169:13521
TCPIP_PortMapping02=CN=Server4/O=Org4,192.94.222.169:13522
TCPIP_PortMapping03=CN=Server5/O=Org5,192.94.222.169:13523
TCPIP_PortMapping04=CN=Server6/O=Org6,192.94.222.169:13524
Partition 2
TCPIP_TcpIpAddress=0,192.94.222.169:13520
Partition 3
TCPIP_TcpIpAddress=0,192.94.222.169:13521
Partition 4
TCPIP_TcpIpAddress=0,192.94.222.169:13522
Partition 5
TCPIP_TcpIpAddress=0,192.94.222.169:13523
Partition 6
TCPIP_TcpIpAddress=0,192.94.222.169:13524
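The layout above lends itself to a mechanical check before the partitions are restarted. The following script is an added example and is not part of the Domino documentation: it parses the TCPIP_TcpIpAddress and TCPIP_PortMappingNN lines from steps 3 and 4 and cross-checks the port-mapping partition against the NOTES.INI of every other partition, reporting a mapper that is not on 1352, a break in the NN sequence (after which Domino ignores the remaining entries), a port used twice, an entry that does not use the shared address, and a partition whose own listener does not match what the mapper redirects to. The NOTES.INI text it runs on is constructed for the example (it reuses the addresses shown above); the function and constant names are the example's own.

```python
"""Lint the NOTES.INI port-mapping settings of a Domino partitioned server.

Added example, not code from the Domino documentation. All NOTES.INI text
below is constructed; the addresses mirror the six-partition example.
"""
import re
from typing import Dict, List, Optional, Tuple

ADDRESS_RE = re.compile(
    r"^(?P<port>\w+)_TcpIpAddress=0,\s*(?P<ip>[\d.]+):(?P<tcp>\d+)$", re.IGNORECASE)
MAPPING_RE = re.compile(
    r"^(?P<port>\w+)_PortMapping(?P<nn>\d{2})=(?P<name>CN=[^,]+),\s*(?P<ip>[\d.]+):(?P<tcp>\d+)$",
    re.IGNORECASE)
NRPC_PORT = 1352
MAX_MAPPINGS = 5  # PortMapping00 through PortMapping04

Address = Tuple[str, int]
Mapping = Tuple[int, str, str, int]  # (nn, server name, ip, port)


def parse_notes_ini(text: str) -> Tuple[Optional[Address], List[Mapping]]:
    """Return this partition's (ip, port) listener and its PortMappingNN entries."""
    address: Optional[Address] = None
    mappings: List[Mapping] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = ADDRESS_RE.match(line)
        if m:
            address = (m.group("ip"), int(m.group("tcp")))
            continue
        m = MAPPING_RE.match(line)
        if m:
            mappings.append((int(m.group("nn")), m.group("name"),
                             m.group("ip"), int(m.group("tcp"))))
    return address, mappings


def lint_port_mapping(mapper_ini: str, partition_inis: Dict[str, str]) -> List[str]:
    """Cross-check the port mapper against every other partition's NOTES.INI.

    partition_inis maps the hierarchical server name used in the mapping line
    (for example "CN=Server2/O=Org2") to that partition's NOTES.INI text.
    """
    problems: List[str] = []
    address, mappings = parse_notes_ini(mapper_ini)
    if address is None:
        return ["port-mapping partition has no TcpIpAddress line"]
    shared_ip, mapper_port = address
    if mapper_port != NRPC_PORT:
        problems.append(f"port-mapping partition listens on {mapper_port}; "
                        f"Notes clients connect to {NRPC_PORT}")

    # Domino reads PortMapping00, 01, ... and silently stops at the first gap.
    live: List[Mapping] = []
    for expected, entry in enumerate(sorted(mappings)):
        nn = entry[0]
        if nn != expected or nn >= MAX_MAPPINGS:
            problems.append(f"PortMapping{nn:02d} breaks the sequence (expected "
                            f"{expected:02d}); Domino ignores it and every later entry")
            break
        live.append(entry)

    used: Dict[int, str] = {mapper_port: "the port-mapping partition"}
    for _, server, ip, port in live:
        if ip != shared_ip:
            problems.append(f"{server}: mapped to {ip}, not the shared address {shared_ip}")
        if port in used:
            problems.append(f"{server}: port {port} is already used by {used[port]}")
        used[port] = server
        ini = partition_inis.get(server)
        if ini is None:
            problems.append(f"{server}: no NOTES.INI supplied for cross-check")
            continue
        own, _ = parse_notes_ini(ini)
        if own != (shared_ip, port):
            problems.append(f"{server}: its own TcpIpAddress is {own}, but the port "
                            f"mapper redirects to ({shared_ip!r}, {port})")
    return problems


# Constructed sample: three partitions set up the way the text describes.
GOOD_MAPPER = """
TCPIP_TcpIpAddress=0,192.94.222.169:1352
TCPIP_PortMapping00=CN=Server2/O=Org2,192.94.222.169:13520
TCPIP_PortMapping01=CN=Server3/O=Org3,192.94.222.169:13521
TCPIP_PortMapping02=CN=Server4/O=Org4,192.94.222.169:13522
"""
GOOD_PARTITIONS = {
    "CN=Server2/O=Org2": "TCPIP_TcpIpAddress=0,192.94.222.169:13520",
    "CN=Server3/O=Org3": "TCPIP_TcpIpAddress=0,192.94.222.169:13521",
    "CN=Server4/O=Org4": "TCPIP_TcpIpAddress=0,192.94.222.169:13522",
}

# Constructed sample with two mistakes: PortMapping02 is missing, so Server5 is
# never reachable through the mapper, and Server3 listens on a different port
# than the one the mapper redirects to.
BAD_MAPPER = """
TCPIP_TcpIpAddress=0,192.94.222.169:1352
TCPIP_PortMapping00=CN=Server2/O=Org2,192.94.222.169:13520
TCPIP_PortMapping01=CN=Server3/O=Org3,192.94.222.169:13521
TCPIP_PortMapping03=CN=Server5/O=Org5,192.94.222.169:13523
"""
BAD_PARTITIONS = {
    "CN=Server2/O=Org2": "TCPIP_TcpIpAddress=0,192.94.222.169:13520",
    "CN=Server3/O=Org3": "TCPIP_TcpIpAddress=0,192.94.222.169:13522",
    "CN=Server5/O=Org5": "TCPIP_TcpIpAddress=0,192.94.222.169:13523",
}

if __name__ == "__main__":
    for label, mapper, parts in (("good", GOOD_MAPPER, GOOD_PARTITIONS),
                                 ("bad", BAD_MAPPER, BAD_PARTITIONS)):
        print(label, lint_port_mapping(mapper, parts) or ["no problems found"])
```

Run it against the real NOTES.INI files by reading each one into the dictionary keyed by the partition's hierarchical name; the sequence check is the one to watch, because a gap produces no error at startup, only partitions that clients cannot reach.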
Changing a TCP or SSL port number
The following sections describe the TCP ports that Domino services use
and provide guidelines should you ever need to change these ports.
Default port for NRPC
By default, all NRPC connections use TCP port 1352. Because the Internet
Assigned Number Authority (IANA) assigned Lotus Domino this port
number, non-Domino applications do not usually compete for this port.
Do not change the default NRPC port unless:
• You can use a NAT or PAT firewall system to redirect a remote
system’s connection attempt.
• You are using Domino port mapping.
• You create a Connection document that contains the reassigned
port number.
To change the default NRPC port number, use the NOTES.INI setting
TCPIPportname_TCPIPAddress and enter a port number that is free on the
system that runs the Domino server. Ports below 1024 are the well-known
ports of standard services, and many vendor-registered ports also fall
in the range 1024 through 4999, so choose a number from 1024 through
5000 that no installed application uses, confirm that nothing is already
bound to it (for example, with netstat -an) before you start the server,
and remember that it stays free only as long as you don’t later install
an application that requires that number.
Default ports for Internet services
You may occasionally need to change the number of the TCP or SSL port
assigned to an Internet service. Lotus Domino uses these default ports for
Internet services:

Service            Default TCP port   Default SSL port
POP3               110                995
IMAP               143                993
LDAP               389                636
SMTP inbound       25                 465
SMTP outbound      25                 465
HTTP               80                 443
IIOP               63148              63149
Server Controller  N/A                2050
Confirming that TCP/IP is configured properly
Before you can use TCP/IP for communication, use the following tests to
confirm that the configuration is properly set up:
1. Use the ping command with the remote system’s TCP/IP address —
for example, ping 192.9.200.1. If this is unsuccessful, the TCP/IP
software isn’t properly installed and configured. TCP/IP must be
working before you can use it. Contact the TCP/IP software vendor
or operating system vendor if you need assistance.
2. Use the ping command with the FQDN of the remote server — for
example, ping mail05.boston.acme.com. If this is unsuccessful, the
host-name-to-IP-address translation isn’t working. If you can’t ping
by host name, the server or workstation will not be able to
communicate with the server running on the remote system.
3. If you use a local hosts file, make sure that it contains the server
name and IP address of every Domino server with which you want
to communicate.
4. If you use DNS, make sure that you have properly configured the
TCP/IP software on this system to query the correct DNS server.
Make sure that your DNS records include the server name and IP
address of every Domino server with which you want to
communicate.
Note Make sure that your IP host names do not contain illegal
characters such as spaces, underscores, or ampersands.
5. If you use the Network Information Service (NIS), make sure that
you have properly configured the UNIX system for NIS. Make sure
that the NIS hosts map contains the server name and IP address of
every Domino server with which you want to communicate.
6. Depending on your name-resolution practices, do one of the
following:
• If your Domino server names are the same as the DNS host names,
make sure you have followed the instructions in the topics
Ensuring DNS resolves on Windows systems — All TCP
protocols, Ensuring DNS resolves in NRPC — Best practices, and
Ensuring DNS resolves in advanced TCP/IP configurations.
• If your Domino server names are different from the DNS host
names, use the ping command to verify that all of the DNS names
which represent the Domino server are responding from the
correct network areas, as well as the Domino server name, if
needed.
• If you are using IP addresses in Connection documents, use the
ping command to verify the IP address itself.
• If you are using network address translation (NAT), verify that
access is possible from both the internal network and external
Internet using the appropriate IP addresses. If you are using
name-resolver services, make sure that the external DNS offers out
the public address and the internal DNS offers out the private
address.
For more information on the last three practices in Step 6, see the topic
“Ensuring DNS resolves in NRPC — Alternative practices” earlier in this
chapter.
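The confirmation steps above can be run as offline checks before anyone reaches for ping. The script below is an added example and is not part of the Domino documentation: it applies the host-name character rule from the Note in step 4 (RFC 952/1123 labels, so no spaces, underscores or ampersands), verifies that every Domino server you must reach appears in the local hosts file (step 3), and, for the NAT case in step 6, checks that the internal resolver answers with a private address and the external resolver with a public one. The hosts file, the resolver answers and the server names are constructed for the example; the function names are the example's own.

```python
"""Offline pre-checks for Domino TCP/IP name resolution.

Added example, not code from the Domino documentation. The hosts-file text,
resolver answers and server names below are constructed sample data.
"""
import ipaddress
import re
from typing import Dict, List, Optional

# One DNS label: letters, digits and hyphens, not starting or ending with a hyphen.
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def hostname_problem(name: str) -> Optional[str]:
    """Return why a host name is illegal, or None if it is acceptable."""
    for bad in (" ", "_", "&"):
        if bad in name:
            return f"contains illegal character {bad!r}"
    if len(name) > 253:
        return "longer than 253 characters"
    for label in name.rstrip(".").split("."):
        if not LABEL_RE.match(label):
            return f"label {label!r} is not a valid DNS label"
    return None


def parse_hosts(text: str) -> Dict[str, str]:
    """Parse hosts-file text into {lowercased name or alias: ip}."""
    table: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for n in names:
            table[n.lower()] = ip
    return table


def check_servers(servers: List[str], hosts: Dict[str, str],
                  internal_dns: Optional[Dict[str, str]] = None,
                  external_dns: Optional[Dict[str, str]] = None) -> List[str]:
    """Return one finding per problem; an empty list means the checks pass.

    internal_dns and external_dns hold the A-record answer each resolver gives
    for a name; supply them only when NAT splits the name space (step 6).
    """
    findings: List[str] = []
    for server in servers:
        key = server.lower()
        why = hostname_problem(server)
        if why:
            findings.append(f"{server}: {why}")
        if key not in hosts:
            findings.append(f"{server}: missing from the local hosts file")
        if internal_dns is not None:
            answer = internal_dns.get(key)
            if answer is None:
                findings.append(f"{server}: internal DNS does not resolve it")
            elif not ipaddress.ip_address(answer).is_private:
                findings.append(f"{server}: internal DNS answers the public address {answer}")
        if external_dns is not None:
            answer = external_dns.get(key)
            if answer is None:
                findings.append(f"{server}: external DNS does not resolve it")
            elif ipaddress.ip_address(answer).is_private:
                findings.append(f"{server}: external DNS leaks the private address {answer}")
    return findings


# Constructed sample data: app_02 has an underscore and is absent from the hosts
# file and the external DNS; app07's external DNS answer is a private address.
SAMPLE_HOSTS = """
127.0.0.1       localhost
10.1.5.20       mail05.boston.acme.com   mail05
10.1.5.22       app07.boston.acme.com    app07
"""
SAMPLE_SERVERS = ["mail05.boston.acme.com", "app_02.boston.acme.com",
                  "app07.boston.acme.com"]
INTERNAL_DNS = {"mail05.boston.acme.com": "10.1.5.20",
                "app_02.boston.acme.com": "10.1.5.21",
                "app07.boston.acme.com": "10.1.5.22"}
EXTERNAL_DNS = {"mail05.boston.acme.com": "192.94.222.169",
                "app07.boston.acme.com": "10.1.5.22"}


def run_sample() -> List[str]:
    """Run the checks over the constructed sample; returns four findings."""
    return check_servers(SAMPLE_SERVERS, parse_hosts(SAMPLE_HOSTS),
                         INTERNAL_DNS, EXTERNAL_DNS)


if __name__ == "__main__":
    for finding in run_sample() or ["all checks passed"]:
        print(finding)
```

To use it on a real system, read /etc/hosts (or the Windows hosts file) into parse_hosts and fill the two resolver dictionaries from queries made from inside and outside the NAT boundary; a private address answered by the external resolver is the case the last bullet of step 6 warns about, and it also tells an outside observer your internal addressing.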
Server setup tasks specific to NetBIOS
After you run the Domino Server Setup program, complete these
procedures:
1. Use the Domino Administrator to define a NetBIOS LANA number
for the NetBIOS port.
2. If you want the server to connect to different segments of a NetBIOS
network, create one or more additional Notes network ports for
NetBIOS.
Defining a NetBIOS LANA number for a Notes network port
To run NetBIOS on a server, after you complete the Server Setup
program, you must determine the NetBIOS LANA number to which the
Notes network port will be bound. The NetBIOS LANA number is a
logical number that represents a NetBIOS transport protocol stack on a
NIC. You must know which transport protocol (NetBEUI, IP, or IPX)
Notes workstations and other Domino servers are using for NetBIOS
within your workgroup or company.
For example, if the computer has two NetBIOS protocol stacks — such as
NetBIOS over NetBEUI and NetBIOS over IPX — NetBIOS/NetBEUI
uses LANA number 0, and NetBIOS/IPX uses LANA number 1.
Depending on how often you configure or reconfigure your system, the
LANA numbers may be different than the ones in this example.
If the computer running the Domino server has more than one NIC
running the same protocol stack, you must define a different NetBIOS
LANA number for each Notes network port for NetBIOS.
NetBIOS systems using the same transport protocol should be in the
same Notes named network. If you create Connection documents on the
server, the LAN port you select must also be for the same transport
protocol.
To define a LANA number in Lotus Domino
1. From the Domino Administrator or Web Administrator, click the
server for which you want to define a LANA number.
2. Click the Configuration tab.
3. Do one of these:
• From the Domino Administrator’s Tools pane, choose Server -
Setup Ports.
• From the Web Administrator’s Port tool, choose Setup.
4. Select the Portname port, where Portname is the name of the NetBIOS
port for which you are defining a LANA number.
5. Click “Portname Options,” and choose Manual.
6. Enter the correct LANA number.
7. Click OK.
To find the LANA number for a NetBIOS protocol on a Windows NT
server
1. Select the Network Control Panel - NetBIOS Interface.
2. Click the Properties button. The NT information appears in the
Network Route list.
Windows NT typically has multiple NetBIOS networks configured in the
operating system. The most common NetBIOS networks on Windows NT
systems are listed below.

Name     Protocol
NwlnkNb  Novell NetBIOS
Nbf      NetBEUI
NetBT    NetBIOS over TCP/IP (RFC 1001/1002)

The Network Route list shows one route for each network card or dialup
network interface. For example, the Network Route entry Nbf->Elnk3 is
NetBEUI on a 3Com Etherlink III card, and Nbf->NdisWan5 is NetBEUI on a
Microsoft Remote Access Service (RAS) connection.
To find the LANA number for a NetBIOS protocol on a Windows
95/98, XP, or 2000 system
Unlike a Windows NT system, a Windows 95/98, XP, or 2000 system
does not have a direct means to see the LANA associations. For
Windows 95/98, XP, or 2000 systems you can either review the system’s
registry bindings or use a Microsoft tool called LANACFG to see and
change the LANA number assignments.
The following is an example of the tool’s output from a Windows 2000
server. Note that the network route linkages shown are the same as in
Windows NT.
lanacfg [options]
showlanapaths - Show bind paths and component
descriptions for each exported lana
setlananumber - Change the lana number of a bind path
rewritelanainfo - Verify and write out lana info to the
registry
showlanadiag - Show lana diagnostic info
From the DOS prompt, enter
C:\>lanacfg showlanapaths
You see the following:
Lana: 4
-->NetBEUI Protocol-->3Com EtherLink III ISA
(3C509/3C509b) in Legacy mode
Lana: 7
-->NetBEUI Protocol-->WAN Miniport (NetBEUI, Dial Out)
Lana: 3
-->NWLink NetBIOS
Lana: 0
-->WINS Client(TCP/IP) Protocol-->Internet Protocol
(TCP/IP)-->3Com EtherLink III ISA (3C509/3C509b) in
Legacy mode
Creating additional network ports for NetBIOS
After you run the Domino Server Setup program, you can create network
segments for multiple NetBIOS interfaces on the same computer by
adding a Notes network port for NetBIOS for each additional NIC. The
NICs do not need to use the same transport protocol; each can use
TCP/IP, NetBEUI, or IPX.
In addition to adding each port for NetBIOS, do the following:
• Associate each Notes network port for NetBIOS with a specific
NetBIOS interface by defining a LANA identifier for each port.
• Make sure that all Domino servers that will access each other have an
interface that uses a common transport protocol. It is best if they are
also in the same Notes named network.
• Make sure that the network segments to which the server system’s
NICs are attached do not have a pathway in common. The NetBIOS
name service (NetBIOS over IP) can fail if it detects the same system
name or Domino name echoing back between the pathways. If you
are using both the NetBIOS name service and DNS or a hosts file for
name resolution, make sure that the server name in DNS or the hosts
file is different from the system name.
Server setup tasks specific to IPX/SPX
After you run the Domino Server Setup program, complete these
procedures:
1. Use the Domino Administrator to define a NetWare name service for
the server.
2. If the name service you use is NDS, record the server’s NDS
distinguished name in the Server document.
3. (Optional) Control which IPX/SPX address (socket number) the
server uses.
Defining a server’s NetWare name service in Lotus Domino
If you enabled the server’s Notes network port for SPX through the
Server Setup program, you must use the Domino Administrator to select
which NetWare name service a Domino server uses with IPX/SPX.
For descriptions of supported name services, see the topic “Server
name-to-address resolution over IPX/SPX” earlier in this chapter.
To select a name service
1. From the Domino Administrator or Web Administrator, click the
server for which you want to select an IPX/SPX name service.
2. Click the Configuration tab.
3. Do one of these:
• From the Domino Administrator’s Tools pane, choose Server -
Setup Ports.
• From the Web Administrator’s Port tool, choose Setup.
4. Select the SPX port, and select “Port enabled” if it is not already
selected.
5. Click “SPX Options,” and choose a name service.
6. Restart either the server or the SPX port in order for the change to
take effect.
Tip Record any errors that appear on the console while the server is
restarting.
7. Click OK.
Recording a server’s NDS distinguished name
The Server Setup program adds the common name of the Domino server
to the Net Address field in the Server document. If you are using the
Novell Directory Service (NDS) for the IPX/SPX network, you must edit
this field to contain the server’s NDS distinguished name.
1. From the Domino Administrator, select the server for which you
want to record the NDS distinguished name.
2. Click the Configuration tab.
3. Expand the Server section in the view pane.
4. Click Current Server Document.
5. Click “Edit Server,” and then click the Ports - Notes Network Ports
tab.
6. In the Net Address field for the SPX port, enter the server’s NDS
distinguished name. For example, enter
CN=App04.OU=Chicago.O=Acme
Note NDS names are case-sensitive. Make sure that the NDS tree
object for the Domino server has exactly the same distinguished
name as the one you enter here.
7. Click Save and Close.
Assigning the IPX socket number for a Domino server
The IPX/SPX protocol provides two types of sockets: dynamic sockets
and static, or well-known, sockets. Novell assigns well-known sockets to
products for their exclusive use. Applications using well-known sockets
always listen on the same socket number. Novell manages the
registration of these sockets, allocating them from a range of 0x2000
through 0x3FFF. Dynamic sockets are allocated from a range of 0x4000
through 0x7FFF. Applications using dynamic sockets use whichever
socket number the IPX/SPX stack allocates during the registration of the
service to the local NetWare server by the application. Using dynamic
sockets usually ensures that a socket number is not used twice.
Connections initiated by a Domino server or Notes workstation use a
dynamic socket. For the listener socket, the SPX port driver uses a
modified algorithm for allocating sockets and always tries to use the
same socket number. If the socket number is unavailable, the Domino
server lets the IPX/SPX stack assign one. When a Domino server using
SPX starts for the first time, it uses a dynamic socket and then saves the
socket number. Subsequent invocations of the Domino server use the
saved socket number. Therefore, the socket is called a persistent dynamic
socket.
If for some reason this saved socket number is in use — for example, if
another application using dynamic sockets allocated the socket — the
Domino SPX server allocates a new socket number and saves it for future
invocations.
Assigning a socket number
Controlling the socket number used by the Domino server is useful in
large IPX/SPX networks because an assigned socket number prevents
server name-to-address resolution problems that result when name
service records lag behind a dynamic socket number assignment when a
server is restarted.
To control the socket number, use the NOTES.INI setting
NetWareSocket. NetWareSocket applies only to the listener socket.
Connections initiated by a workstation or server still use a dynamic
socket.
Note If NetWareSocket is set in the NOTES.INI file and the Domino
server cannot bind to the specified socket on the local system’s IPX/SPX
protocol stack, the Domino server will not start. This condition may
occur if the socket number the server normally uses is in use by another
application on the same system.
For example, if the NOTES.INI file contains the setting
NetWareSocket=9135 (the decimal value of socket 0x23AF) and another
application on the same system has already bound that socket number,
the Domino server can fail to start.
To minimize the chance of the server’s not starting, assign the
NOTES.INI setting NetWareSocket to the address of a well-known
socket. If the problem still occurs, either close the application that is
using the same socket as Domino or reassign a new socket to the Domino
server.
To determine the socket number the Domino server is using, do one of
the following:
• Enter SHOW PORT SPX at the console, where SPX is the SPX port
driver name.
• Check the NetWareSpxSettings setting in the NOTES.INI file. The
number after the last comma in the value is the decimal value of the
server’s IPX socket. For example, in the setting
NetWareSpxSettings=0,0,0,0,0,3,17393, the 17393 is the socket’s
decimal value (0x43F1, which falls in the dynamic range).
NOTES.INI settings for networks
The following tables contain the NOTES.INI settings that pertain
specifically to networks.
For more information on these settings, see the appendix “NOTES.INI
File.”
Settings for all NRPC networks

Setting               Description
portname_MaxSessions  Restricts the number of sessions on a specified port.
Ports                 Specifies which Notes network ports are enabled on a system.

Settings for the TCP/IP network

Setting Description
ICMNotesPort Specifies the name of the
Notes network port for
TCP/IP with which you are
linking the Internet Cluster
Manager (ICM) service.
IMAPNotesPort Specifies the name of the
Notes network port for
TCP/IP with which you are
linking the IMAP service.
LDAPNotesPort Specifies the name of the
Notes network port for
TCP/IP with which you are
linking the LDAP service.
POP3NotesPort Specifies the name of the
Notes network port for
TCP/IP with which you are
linking the POP3 service.
SMTPNotesPort Specifies the name of the
Notes network port for
TCP/IP with which you are
linking the SMTP service.
TCP_EnableIPV6 Specifies whether or not to
enable Domino for IPv6.
TCP/IPportname_PortMappingNN Specifies the TCP/IP port
number of each
partitioned server sharing
the IP address of the port-
mapping server.
TCP/IPportname_TCPIPAddress Defines the IP address and
the port number for a
Domino server.

Settings for the IPX/SPX network

Setting             Description
NetWareSocket       Specifies the IPX socket number used by the Domino server.
NetWareSpxSettings  Specifies the decimal value of the Domino server’s IPX socket.
NWNDSPassword       Specifies the password for Domino to log in to the Novell
                    Directory Service (NDS) tree on system startup. Because
                    NOTES.INI is a plain text file, restrict read access to it
                    when this setting is present.
NWNDSUserID         Specifies the user ID for Domino to log in to the Novell
                    Directory Service (NDS) tree on system startup.
Chapter 3
Installing and Setting Up Domino Servers
This chapter describes how to plan a hierarchical name tree and how to
install, set up, and register Domino servers.
Installing and setting up Domino servers
Before you install and set up the first Domino server, you must plan
server and organizational naming and security. In addition, you must
understand your existing network configuration and know how Domino
will fit into the network. If you are adding an additional server to an
existing Domino infrastructure, you must have already registered the
server and its server ID and password must be available.
For information on system requirements, see the Release Notes.
To install and set up a server
Installing a Domino server — that is, copying the server program files
onto the designated machine — is the first part of deploying a server. The
second part is using the Domino Server Setup program to configure the
server.
1. Choose a name for the server. Refer to the hierarchical name scheme
that you created based on your company’s structure.
2. Identify the function of the server — for example, will it be a mail
server or an application server? The function of the server
determines which tasks to enable during configuration.
3. Decide where to locate the server physically and decide who
administers it.
4. Decide whether the server is part of an existing Domino domain or is
the first server in a new Domino domain.
For more information on Steps 1 through 4, see the chapter
“Deploying Domino.”
5. If this is the first server in a Domino domain, do the following:
a. Install the server program files.
b. Use the Domino Server Setup program to set up the server.
c. Complete network-related setup.
d. Create organization certifier IDs and organizational unit certifier
IDs, as required by the hierarchical name scheme.
e. Distribute certifier IDs to administrators.
f. Implement Domino security.
6. If this server is part of an existing Domino domain, do the following:
a. Use the Domino Administrator to register the server.
b. Install the server program files on each additional server.
c. Use the Domino Server Setup program to set up each additional
server.
For more information on Steps 5 and 6, see the procedures that
follow and the chapters “Setting Up the Domino Network” and
“Planning Security.”
7. Perform additional configuration procedures, based on the type of
services, tasks, and programs that you want to run on this server.
Entering system commands correctly
Some of the procedures that follow include instructions for entering
commands at the system command prompt. The instructions tell you to
enter the command from the “Domino program directory” or “Notes
program directory,” depending on whether you are performing the
procedure on a Domino server or a Notes workstation. Before entering
commands, make sure you understand the following definitions of these
terms as they apply to your operating system.
Windows operating systems
On a Domino server, the Domino program directory is c:\lotus\domino,
unless you installed the program files to a different location. On a Notes
workstation, the Notes program directory is c:\lotus\notes, unless you
installed the program files to a different location.
UNIX operating systems
For Domino on a UNIX® server, the actual location of the server program
files is different from the directory you use for entering commands.
Always use the following path for entering commands:
lotus/bin/server
The “server” portion of the path is a script that initializes a UNIX shell
so that Domino programs can run on UNIX.
While by default the actual location of the lotus directory is /opt/lotus,
you can change it to any location, for example, /local/lotus or
/usr/lotus.
Server installation
The first step in deploying a Domino server is installation, or copying the
program files to the system’s hard drive.
To install Domino, see the following procedures:
• Installing Domino on Windows systems
• Installing Domino on UNIX systems
For information on installing servers for hosted environments, see the
chapter “Setting Up the Service Provider Environment.”
Installing Domino on Windows systems
You can install Domino on a Windows system by following this
procedure, or you can do a silent install of a local server or remote
servers. To perform a silent install, use setup.exe -r at the command
prompt to record the install configuration to a file, and then use
setup.exe -s to install the configuration. For more information on silent
install, see the InstallShield documentation.
1. Before you install the Domino server program files on a Windows
system, do the following:
• Make sure that the required hardware and software components
are in place and working.
• Read the Release Notes for operating system and network protocol
requirements and for any last-minute changes or additions to the
documentation.
• Temporarily disable any screen savers and turn off any
virus-detection software, and turn the virus-detection software
back on as soon as the install completes.
• Make sure that all other applications are closed. Otherwise, you
may corrupt any shared files, and the Install program may not run
properly.
• If you are upgrading to Domino from a previous release, see the
Upgrade Guide.
2. Run the install program (SETUP.EXE), which is on the installation CD.
3. Read the Welcome screen, and click Next. Then read the License
Agreement and click Yes.
4. Enter the administrator’s name and the company name.
5. Choose whether you want to install partitioned servers.
6. Choose the program and data directory in which to copy the
software, and then click Next. If you are installing partitioned
servers, you choose only a program directory.
7. Select the server type you acquired:
• Domino Utility Server — Installs a Domino server that provides
application services only, with support for Domino clusters. The
Domino Utility Server is a new installation type for Lotus Domino
6 that removes client access license requirements. Note that it does
NOT include support for messaging services. See full licensing
text for details.
• Domino Messaging Server — Installs a Domino server that
provides messaging services. Note that it does NOT include
support for application services or Domino clusters.
• Domino Enterprise Server — Installs a Domino server that
provides both messaging and application services, with support
for Domino clusters.
Note All three types of installations support Domino partitioned
servers. Only the Domino Enterprise Server supports a service
provider (xSP) environment.
8. Click Customize to choose which components to install, or click Next
to accept all components.
9. If you are installing partitioned servers, specify a data directory for
each partition.
10. Specify the program folder or accept Lotus Applications as the
program folder that will contain the software.
11. Click Finish to complete the install program.
12. Choose Start - Programs - Lotus Applications - Lotus Domino Server
to start the Server Setup program.
Installing Domino on UNIX systems
Before you install the Domino program files on a UNIX system, do the
following:
• Make sure that the required hardware and software components are
in place and working.
• Read the Release Notes for operating system and network protocol
requirements and for any last-minute changes or additions to the
documentation.
• Temporarily disable any screen savers and turn off any
virus-detection software, and turn the virus-detection software back
on as soon as the install completes.
• Make sure that all other applications are closed. Otherwise, you may
corrupt any shared files, and the Install program may not run
properly.
• If you are upgrading to Domino from a previous release, read the
Upgrade Guide.
You can install multiple instances of the Domino server on a single
system. The instances can all be the same release of Domino or different
releases. If you install different releases, only one instance can be earlier
than Domino 6.
If you want all instances to be the same release, it is best to install a
Domino partitioned server. Then all Domino partitions share one
program directory and, by doing so, conserve system resources. If you
install a single Domino server and later want to make it a partitioned
server, you can do so without removing the initial installation. When you
have multiple instances of the Domino server, each with a separate
program directory, one or more of the instances may be a partitioned
server.
For more information on partitioned servers, see the chapter “Deploying
Domino.”
To install the Domino program files on a UNIX system, you can use
either interactive mode or script mode.
To use interactive mode
You use interactive mode to install the Domino program and data files
on the local machine or to use a Telnet connection to install the Domino
program and data files on specified remote systems.
During the interactive mode installation, you can use these keys at the
UNIX command prompt:
• Type h for help
• Type e to exit the Install program
• Press ESC to return to the previous screen
• Press the spacebar to change the setting until you get the one you
want
• Press TAB to accept a setting and continue to the next screen
1. Make sure the Domino server kit is available from your network or
CD-ROM drive.
2. Log in to the root account for Domino Server installation. The install
script runs as root; the server itself later runs as the UNIX user you
specify in step 5.
3. Change to the directory containing the “install” script.
4. Enter the following at the root command prompt to run the script:
./install
5. Follow the on-screen instructions and specify these options:
Add data directories only
Choose one:
• Yes to change a single Domino server into a partitioned server or
add data directories to an existing partitioned server
• No to keep a single Domino server
Domino Server installation type
Choose the server type that you acquired. For an xSP server, you
must have the Domino Enterprise Server.
Install template files
Choose one:
• Yes to install new templates
• No to retain templates from a previous release
Install xSP server (Domino Enterprise Server only)
Choose one:
• Yes if this is an xSP server
• No if this is not an xSP server
Program directory
Specify the directory in which Domino will store program files.
Create /opt/lotus soft link
Choose one:
• Yes if this system will have only one Domino installation (one
program directory)
• No if this system will have multiple Domino installations
(multiple program directories)
Data directory
Specify the directory in which Domino will store data files. If you
are installing a partitioned server, indicate that and specify
multiple data directories.
UNIX User name
Specify the UNIX account that will own the server configuration
data; the server runs under this account, so use a dedicated,
unprivileged account rather than root. If you are installing a
partitioned server, you may specify a different account for each
data directory.
UNIX Group name
Specify the group to which the UNIX User belongs. If you are
installing a partitioned server, you may specify a different group
for each data directory.
To use script mode
Script mode installation provides silent install functionality for UNIX
platforms and allows you to apply saved installation settings to a local
server or to remote servers.
SCRIPT.DAT, the default sample script file, contains the information you
need to install the Domino server program files, including descriptions of
each parameter and instructions for using the -script option to install
partitioned servers.
1. Change to the kit’s install directory on either the CD-ROM or the
network drive.
2. Copy SCRIPT.DAT from the kit’s install directory to your local
system as filename.dat, where filename is the name you want to give
to the local script file that will contain the installation settings.
3. Open the local script file, filename.dat, and set the parameters as
needed. It is usually best to use the default settings, as follows:
• Install target host name: parameter target_hosts
• Domino server installation type: choose the server type that you
acquired
• Install template files: template_install_option = 1
• Add data directories only: add_data_directories_only = 0
• Install xSP server: asp_install_option = 0
• Program directory: the directory where Domino stores program
files
• Create /opt/lotus soft link: opt_lotus_softlink = 0
• Data directory: the directory where Domino stores data files
• UNIX User name: the account that will own the server
configuration data
• UNIX Group name: the group to which the UNIX User belongs
4. Save the local file, filename.dat. The root account reads this file
during installation, so keep it writable by root only.
5. Log in to the root account from your local system.
6. Switch back to the kit’s install directory (CD-ROM or network).
7. To install using the local script file, enter this command at the UNIX
console prompt:
./install -script filename.dat
As in the interactive procedure, the leading ./ ensures that the kit’s
install script runs rather than the system install command found on
the PATH.
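The following shell script is an added example and is not part of the Domino kit or its documentation. It edits and checks the local script file before a root login hands it to the installer. It assumes the file holds one “name = value” assignment per line (the real SCRIPT.DAT layout may differ) and uses only the parameter names listed above; the sample file it builds is constructed for illustration, and nothing here runs the installer itself.

```shell
#!/bin/sh
# Added example, not part of the Domino kit or its documentation.
# Preflight for a script-mode install: edit and validate the local copy of
# SCRIPT.DAT before a root login runs "./install -script filename.dat".
# Assumptions (not confirmed by the documentation): the file holds one
# "name = value" assignment per line, and the parameter names are exactly
# the ones the procedure lists (target_hosts, template_install_option,
# add_data_directories_only, asp_install_option, opt_lotus_softlink).

# get_param FILE NAME: print NAME's value, trimmed; prints nothing if unset.
get_param() {
  awk -v k="$2" -F= '$1 ~ ("^[ \t]*" k "[ \t]*$") {
    v = $2; sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v); print v; exit }' "$1"
}

# set_param FILE NAME VALUE: replace NAME's line, or append one if absent.
set_param() {
  tmp="$1.tmp.$$"
  awk -v k="$2" -v v="$3" -F= '
    $1 ~ ("^[ \t]*" k "[ \t]*$") { print k " = " v; found = 1; next }
    { print }
    END { if (!found) print k " = " v }' "$1" > "$tmp" && mv "$tmp" "$1"
}

# is_flag VALUE: the documented values for the four option flags are 0 and 1.
is_flag() { [ "$1" = 0 ] || [ "$1" = 1 ]; }

# check_script_file FILE: return 0 if the file is safe to hand to root.
check_script_file() {
  f="$1"; rc=0
  [ -f "$f" ] || { echo "missing script file: $f"; return 1; }
  # Root reads this file during the install, so a world-writable copy lets
  # any local user redirect the installation (directories, owner, options).
  if [ -n "$(find "$f" -perm -002 2>/dev/null)" ]; then
    echo "$f is world-writable; run: chmod 640 $f"; rc=1
  fi
  for p in template_install_option add_data_directories_only \
           asp_install_option opt_lotus_softlink; do
    v="$(get_param "$f" "$p")"
    is_flag "$v" || { echo "$p must be 0 or 1, got '${v:-<unset>}'"; rc=1; }
  done
  [ -n "$(get_param "$f" target_hosts)" ] || { echo "target_hosts is empty"; rc=1; }
  # The xSP option is valid only on Domino Enterprise Server; the edition is
  # not machine-checkable here, so it is only flagged for review.
  if [ "$(get_param "$f" asp_install_option)" = 1 ]; then
    echo "note: xSP install requested; requires Domino Enterprise Server"
  fi
  return $rc
}

# make_sample FILE: write a constructed stand-in for a copied SCRIPT.DAT.
make_sample() {
  printf '%s\n' \
    '# constructed sample; not the real SCRIPT.DAT' \
    'target_hosts = localhost' \
    'template_install_option = 1' \
    'add_data_directories_only = 0' \
    'asp_install_option = 0' \
    'opt_lotus_softlink = 0' > "$1"
  chmod 640 "$1"
}

# Typical use, as root, from the kit's install directory:
#   cp SCRIPT.DAT ./mysite.dat          # or make_sample ./mysite.dat to try it
#   set_param ./mysite.dat opt_lotus_softlink 1
#   check_script_file ./mysite.dat && ./install -script ./mysite.dat
```

The permission check matters more than it looks: the installer runs as root and takes the program directory, data directory and owning account from this file, so anyone who can write the file before step 7 controls what root creates and who owns it.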
The Domino Server Setup program
The Domino Server Setup program guides you through the choices you
make to configure a Domino server. Setting up the first Domino server in
a domain establishes a framework that consists of the Domino Directory,
ID files, and documents. When you set up additional servers, you build
upon this framework.
Setting up the first Domino server does the following:
• Creates a Domino domain.
• Creates the certification log file, names it CERTLOG.NSF, and saves
it in the Domino data directory.
• Uses the PUBNAMES.NTF template to create the Domino Directory
for the domain, names the directory NAMES.NSF, and places it in
the Domino data directory.
• Creates an organization certifier ID, names it CERT.ID, and saves it
in the Domino data directory. CERT.ID is the root of trust for every
server and user ID in the organization, so move it to secure offline
storage once setup is complete rather than leaving it on the server.
• Optionally creates an organizational unit certifier ID, names it
OUCERT.ID, and stores it in the Domino Directory.
• Creates a Certifier document, which describes the organization
certifier ID, in the Domino Directory.
• Creates a server ID, names it SERVER.ID, and saves it in the Domino
data directory.
• Uses the organization certifier ID to certify the server ID.
• Creates a Server document in the Domino Directory and includes in
it information that you specified during the setup program.
• Creates a Person document in the Domino Directory for the Domino
Administrator that you specified during the setup program.
• Creates a user ID and password for the Domino Administrator and
attaches it as a file named USER.ID to the administrator’s Person
document in the Domino Directory. Once the administrator has
retrieved a copy, detach USER.ID from the Person document so that
the ID file is not available to everyone who can read the Domino
Directory.
• Uses the organization certifier ID to certify the administrator’s user ID.
• Gives the administrator and the server Manager access in the ACL of
the Domino Directory.
• Adds the server name to the LocalDomainServers group in the
Domino Directory.
• Creates the log file, names it LOG.NSF, and saves it in the Domino
data directory.
• Enables the appropriate network and serial ports.
3-8 Administering the Domino System, Volume 1
• Creates a mail directory in the Domino data directory and creates a
mail file in that directory for the Domino Administrator.
• Creates the Reports file, names it REPORTS.NSF, and saves it in the
Domino data directory.
• Updates network settings in the Server document of the Domino
Directory.
• Configures SMTP, if selected during the setup program.
• If “DOLS Domino Off-Line Services” was selected during the setup
program, creates the Off-Line Services file, names it
DOLADMIN.NSF, and saves it in the Domino data directory.
• Updates the Access Control List in all databases and templates in the
Domino data directory tree to remove Anonymous access and/or
add LocalDomainAdmin access, depending on the selections made
during the setup program.
• Configures xSP Service Provider information, if selected during the
install program.
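A post-setup check on the ID files the list above describes, as an added shell example that is not part of the Domino documentation. It assumes a UNIX data directory whose ID files are named *.id in any case, a Domino UNIX account passed as the second argument, and the policy that certifier IDs (CERT.ID, OUCERT.ID) do not stay on the server.

```shell
#!/bin/sh
# Added example, not from the Domino documentation. Post-setup audit of the
# ID files that Server Setup leaves in a UNIX data directory. Assumptions:
# ID files are named *.id (any case), the server runs as the UNIX account
# given as the second argument, and site policy keeps certifier IDs
# (CERT.ID, OUCERT.ID) off the server.

# audit_id_files DATADIR [UNIX_USER]
# Prints each finding and returns 1 if anything needs attention, else 0.
audit_id_files() {
  dir="$1"; owner="$2"; rc=0
  [ -d "$dir" ] || { echo "no such directory: $dir"; return 1; }

  # 1. An ID file holds a private key; nobody but the owning account should
  #    be able to read (or replace) it.
  loose="$(find "$dir" -type f -name '*.[iI][dD]' \
             \( -perm -004 -o -perm -040 -o -perm -002 -o -perm -020 \) -print)"
  if [ -n "$loose" ]; then
    printf 'ID file readable or writable beyond its owner (chmod 600):\n%s\n' "$loose"
    rc=1
  fi

  # 2. ID files owned by some other account are either stray copies or a
  #    sign that the install ran with the wrong UNIX user.
  if [ -n "$owner" ]; then
    foreign="$(find "$dir" -type f -name '*.[iI][dD]' ! -user "$owner" -print)"
    if [ -n "$foreign" ]; then
      printf 'ID file not owned by %s:\n%s\n' "$owner" "$foreign"; rc=1
    fi
  fi

  # 3. The organization certifier signs every server and user ID; it should
  #    live in offline storage once the first server is up.
  certs="$(find "$dir" -type f \( -name '[cC][eE][rR][tT].[iI][dD]' \
             -o -name '[oO][uU][cC][eE][rR][tT].[iI][dD]' \) -print)"
  if [ -n "$certs" ]; then
    printf 'certifier ID still on the server; move it to offline storage:\n%s\n' "$certs"
    rc=1
  fi
  return $rc
}

# Typical use on the server, as the Domino UNIX user (paths are examples):
#   audit_id_files /local/notesdata notes
```

Run it after the first server is up and again after any certifier is used on the server; a clean exit status makes it easy to wire into a cron job or a hardening checklist.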
Setting up an additional Domino server does the following:
• Copies the Domino Directory, if a file location was specified during
the setup program, names it NAMES.NSF, and saves it in the
Domino data directory.
• Dials the existing Domino server if the connection is made through a
modem (possible only on Windows systems).
• Copies the server’s ID from the location specified during the setup
program, either from a file, a copy of the directory, or the existing
Domino server’s directory; names it SERVER.ID; and saves it in the
Domino data directory.
• Retrieves the Domain name and Administrator name from the Server
document in the Domino Directory.
• Creates the log file, names it LOG.NSF, and saves it in the Domino
data directory.
• Copies or replicates the Administration Requests file, names it
ADMIN4.NSF, and saves it in the Domino data directory.
• Copies or replicates the Monitoring Configuration file, names it
EVENTS4.NSF, and saves it in the Domino data directory.
• Replicates the Domino Directory, if it doesn’t already exist, names it
NAMES.NSF, and saves it in the Domino data directory.
• Creates a Connection document to the existing Domino server in the
Domino Directory.
• Creates the Reports file, names it REPORTS.NSF, and saves it in the
Domino data directory.
• Updates network settings in the Server document of the Domino
Directory.
• Configures SMTP, if selected during the setup program.
• If “DOLS Domino Off Line Services” was selected during the setup
program, creates the Off-Line Services file, names it
DOLADMIN.NSF, and saves it in the Domino data directory.
• Updates the Access Control List in all databases and templates in the
Domino data directory tree to remove Anonymous access and/or
add LocalDomainAdmin access, depending on the selections made
during the setup program.
• Configures xSP Service Provider information, if selected during the
install program.
• Replicates changes made to the Server document with the existing
server, if any.
• Removes the SERVER.ID attachment from the Domino Directory, if
applicable.
Using Domino Off-Line Services (DOLS) and iNotes Web Access
To provide iNotes™ Web Access users with the ability to work off line,
you must enable DOLS when you set up the server. DOLS enables users
to work off line, disconnected from the network, and provides many
replication features that Notes users expect when working in the Notes
client.
Users require a Notes ID so that DOLS can synchronize the offline mail
file with the server. The default DOLS configuration will prompt the user
for a Notes ID the first time they go offline with iNotes Web Access.
If you rename a user, the user must reinstall the DOLS offline
subscription in order for the offline mail file to synchronize with the
server. After a name change, the user must wait for the old Notes ID and
password to stop working, accept the name change using a Notes client,
then log on to iNotes Web Access with the new Notes ID and password.
For more information, see the chapters “Setting Up Domino Off-Line
Services” and “Setting Up iNotes Web Access.”
3-10 Administering the Domino System, Volume 1
Setting up DOLS on a server
Domino Off-Line Services (DOLS) must be configured on the Domino
server for users to be able to take applications off-line and use only a
browser to work with them. You can enable any application for DOLS.
The following templates are enabled for DOLS by default:
• iNotes Web Access (iNOTES60.NTF and the R5 version)
• iNotes Web Access for Outlook (MAIL6EX.NTF)
• Extended Mail (MAIL6EX.NTF)
• Discussion - Notes and Web (R6) database (DISCSW6.NTF)
To configure DOLS during Domino Server Setup
1. Under “Setup Internet services for,” select “Web Browsers (HTTP
services),” and then click Customize.
2. In the “Domino tasks” list, select “DOLS Domino Off-Line Services.”
3. At the end of setup, when you have the option to create an access
control list entry, add the group LocalDomainAdmins to all
databases and templates.
4. Accept the default option “Prohibit Anonymous access to all
databases and templates.” If you deselect this option, you must open
the ACL for each DOLS application and assign No Access to
Anonymous.
5. Make sure the following names are identical:
• The TCP/IP DNS host name. In Windows, choose Start - Programs -
Windows Explorer, then choose Network Neighborhood properties -
TCP/IP properties. On the DNS Configuration tab, look at the Host
field.
• The server name. Open the Server document and look at the Server
name field.
• The Internet host name. Open the Server document and look at the
“Fully qualified Internet host name” field.
Note DOLS runs on Domino servers configured to work through a
Microsoft IIS server.
To configure DOLS manually
If you do not configure DOLS during Domino Server Setup, you can
configure DOLS manually by editing the Server document.
1. Open the Server document.
2. Click Internet Protocols - HTTP.
3. In the “DSAPI filter file names” field, enter the DSAPI filter file name
that corresponds to the operating system that the server is running,
and then restart the server:
Win32 - ndolextn
Linux - libdolextn
AIX® - libdolextn
Solaris/Sparc - libdolextn
S390® - libdolextn
iSeries® - libdolextn
Note On the iSeries platform, the Server document is updated when
a new server is configured or an existing server is modified using the
CFGDOMSVR or CHGDOMSVR CL command with DOLS(*YES)
specified.
For more information on configuring an iSeries server with DOLS,
see the Lotus Domino 6 for iSeries Release Notes.
4. Create a DOLADMIN.NSF database from the template
DOLADMIN.NTF.
5. After the database is created, restart the Domino administrator and
click the Configuration tab. The name of the DOLADMIN.NSF is an
option in the Navigation pane.
To set up DOLS on clustered servers
Before using DOLS on a clustered Domino 6 server, make sure that:
• The Domino server is either a Domino Utility Server or Domino
Enterprise Server.
• All servers in the cluster run the same release of Domino with DOLS.
• Clustered server management is running to handle both failover of
replication and HTTP.
• Internet Cluster Manager is running.
• Subscription directories have the same name on every clustered
server. For example, if a subscription is under
\data\Webmail user\7CD5957CB669AE2285256BDF00567AD8\,
this name cannot be different on another server in the cluster.
To configure DOLS on a server that uses Web Site documents
If you create a Web Site Document (a type of Internet Site document) on
the Domino server, you must add the appropriate DOLS DSAPI filter
filename to the DSAPI field in the Web Site document for DOLS to be
enabled.
If there are several Web Site documents, you must add the DSAPI filter
filename to each one. To add the DOLS DSAPI filter filename to a Web
Site document:
1. Open the Web Site document.
2. Click the Configuration tab.
3. In the “DSAPI filter” field, enter the DSAPI filter file name that
corresponds to the operating system that the server is running, and
then restart the server:
Win32 - ndolextn
Linux - libdolextn
AIX - libdolextn
Solaris/Sparc - libdolextn
S390 - libdolextn
iSeries - libdolextn
For more information on Internet Site documents, see the topic
“Configuring Internet sites with Web Site and Internet Site documents.”
Setting up iNotes Web Access on a server
iNotes Web Access provides Notes users with browser-based access to
Notes mail and Notes calendar and scheduling features. Using iNotes
Web Access, a user can send and receive mail, view the calendar, invite
people to meetings, create to do lists, keep a notebook, and work off line.
To set up iNotes Web Access, choose “Web Browsers (HTTP Web
services)” during Server Setup. If you want to give users the ability to
work off line, also choose Domino Off-Line Services (DOLS). DOLS is not
required to run iNotes Web Access.
In the Domino Administrator, make sure the following names are
identical:
• The server’s TCP/IP name, which appears on the DNS tab of the
Network properties - TCP/IP properties box.
• The server’s common name, which appears on the Basics tab of the
Server document.
• The machine name of the fully qualified Internet host name, which
appears on the Basics tab of the Server document.
For example, if acme.lotus.com is the fully qualified Internet host name,
“acme” is the machine name, the DNS host name, and the Domino server
common name.
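The name check just described, which the DOLS setup procedure earlier also requires, as an added shell example that is not part of the Domino documentation. It assumes the server common name (or the full hierarchical server name) and the fully qualified Internet host name are passed in as arguments, copied from the Server document, and takes the DNS host name from the hostname command when none is given.

```shell
#!/bin/sh
# Added example, not from the Domino documentation: verify that the DNS
# host name, the Domino server common name and the machine part of the
# fully qualified Internet host name agree, as DOLS and iNotes require.
# Assumptions: the common name and FQDN are read from the Server document
# by the administrator and passed as arguments.

# machine_name FQDN: first label of the host name (acme.lotus.com -> acme).
machine_name() { printf '%s\n' "${1%%.*}"; }

# lc STRING: lower-case; DNS names are case-insensitive and Notes compares
# names case-insensitively too, so compare everything in one case.
lc() { printf '%s\n' "$1" | tr 'A-Z' 'a-z'; }

# names_consistent DNS_HOST SERVER_NAME FQDN
# SERVER_NAME may be the bare common name ("acme") or the hierarchical
# name from the Server name field ("Acme/Lotus"); only the common name
# part is compared. Returns 0 if all three agree, 1 otherwise.
names_consistent() {
  dns="$(lc "$1")"
  cn="$(lc "$2")"; cn="${cn%%/*}"      # drop /OU/O components
  fq="$(lc "$3")"
  m="$(machine_name "$fq")"
  rc=0
  [ "$dns" = "$cn" ] || { echo "DNS host '$1' != server common name '$cn'"; rc=1; }
  [ "$m" = "$cn" ]   || { echo "machine name '$m' of '$3' != server common name '$cn'"; rc=1; }
  # A host name without a domain part is not fully qualified; the Server
  # document field must hold the full name.
  case "$fq" in
    *.*) ;;
    *) echo "'$3' is not a fully qualified Internet host name"; rc=1 ;;
  esac
  return $rc
}

# check_this_host SERVER_NAME FQDN: compare against this machine's own
# host name (first label only, in case hostname returns the FQDN).
check_this_host() { names_consistent "$(hostname | cut -d. -f1)" "$1" "$2"; }

# Typical use on the server:
#   check_this_host "Acme/Lotus" acme.lotus.com
```

A mismatch here is the usual cause of DOLS subscriptions that install but never synchronize, so run the check before enabling the DSAPI filter rather than after users report problems.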
Setting up iNotes Web Access with Sametime
iNotes Web Access integrates Sametime® so that users can send and
receive instant messages. Sametime is called “Chat” in iNotes Web
Access.
Do not install Sametime and iNotes Web Access on the same Domino
server. Sametime must be installed on a dedicated server. For complete
information on installing Sametime, see the Sametime Installation Guide.
Part 1 - Set up iNotes Web Access on a Domino server
1. Set up iNotes Web Access on a server by making the appropriate
selections during Server Setup.
2. Register users with the iNotes Web Access (R6.0) mail template.
Part 2 - Create a Connection document on the iNotes Web Access
server
1. From the Domino Administrator, click the Configuration tab.
2. Select the iNotes Web Access server’s Domino Directory in the “Use
Directory on” field.
3. Click Server, and then click Connections.
4. Click Add Connection.
5. Select Local Area Network in the “Connection type” field.
6. Enter the Sametime server’s name in the “Destination server” field.
For example: Sametime/Acme.
7. Enter the source domain of the iNotes Web Access server and the
destination domain of the Sametime server. The domain must be the
same in both fields.
8. Click “Save & Close.”
For more information on Connection documents, see the chapter “Setting
Up Server-to-Server Connections.”
Part 3 - Edit each user’s Person document and specify the Sametime
server in the “Sametime server” field
1. From the Domino Administrator, click the People & Groups tab.
2. Select the iNotes Web Access Domino directory, then click People.
3. Double-click a name to open the user’s Person document.
4. Click Edit.
5. Enter the name of the Sametime server in canonical format in the
“Sametime server” field. For example, the canonical format for the
server Sametime/Sales/Acme/UK is:
CN=Sametime/OU=Sales/O=Acme/C=UK
where CN is the common name, OU is the organizational unit, O is
the organization, and C is the country code.
6. Click “Save & Close.”
7. Repeat Steps 3 through 6 for each person.
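Expanding an abbreviated hierarchical name into the canonical form the field expects, as an added shell example that is not part of the Domino documentation. It assumes the last component is a country code only when it is exactly two letters and the name has at least three components, and that a hierarchical name carries at most four OU levels; both are stated here as assumptions rather than taken from the page.

```shell
#!/bin/sh
# Added example, not from the Domino documentation: turn an abbreviated
# Notes name (Sametime/Sales/Acme/UK) into canonical form
# (CN=Sametime/OU=Sales/O=Acme/C=UK) and sanity-check a canonical value.
# Assumptions: a two-letter final component is a country code only when
# the name has at least three components (a two-letter organization in a
# two-component name stays an O); at most four OU levels.

# canonical_name ABBREVIATED: print the canonical form.
canonical_name() {
  printf '%s\n' "$1" | awk -F/ '
    {
      n = NF
      has_c = (n >= 3 && $n ~ /^[A-Za-z][A-Za-z]$/)
      o = has_c ? n - 1 : n            # index of the organization component
      out = "CN=" $1
      for (i = 2; i < o; i++) out = out "/OU=" $i
      if (o >= 2) out = out "/O=" $o
      if (has_c) out = out "/C=" toupper($n)
      print out
    }'
}

# is_canonical VALUE: return 0 if VALUE has exactly one CN, exactly one O,
# at most four OUs, at most one two-letter C, and no other components.
is_canonical() {
  printf '%s\n' "$1" | awk -F/ '
    {
      cn = 0; o = 0; ou = 0; c = 0; bad = 0
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^CN=./) cn++
        else if ($i ~ /^OU=./) ou++
        else if ($i ~ /^O=./) o++
        else if ($i ~ /^C=[A-Z][A-Z]$/) c++
        else bad = 1
      }
      exit !(cn == 1 && o == 1 && ou <= 4 && c <= 1 && !bad)
    }'
}

# Typical use before pasting into the Person document:
#   v="$(canonical_name Sametime/Sales/Acme/UK)"
#   is_canonical "$v" && printf '%s\n' "$v"
```

The two-letter ambiguity is inherent to abbreviated names, which is why the field wants the canonical form in the first place: writing C= and O= explicitly removes the guess.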
Part 4 - Set up the Sametime server
Follow the instructions in the Sametime Installation Guide for installing
Sametime in a Domino domain on a dedicated server. Make sure that the
installation uses the same Domino domain in which the iNotes Web
Access server resides.
Part 5 - Create a Connection Document on the Sametime server
1. From the Domino Administrator, click the Configuration tab.
2. Select the Sametime server’s Domino Directory in the “Use Directory
on” field.
3. Click Server, and then click Connections.
4. Click Add Connection.
5. Select Local Area Network in the “Connection type” field.
6. Enter the iNotes Web Access server’s name in the “Destination
server” field.
7. Enter the source domain of the Sametime server and the destination
domain of the iNotes Web Access server.
8. Click “Save & Close.”
Part 6 - Create a one-time replica of the Secrets database on the iNotes
Web Access server
The Sametime server implements a security policy to ensure that Sametime
clients that establish connections to the Sametime services are
authenticated. This policy relies on the Secrets (stauths.nsf) database
on the Sametime server, so the iNotes Web Access server needs a replica
of it.
1. Using a Notes client, choose File - Database - Open.
2. Enter the name of the Sametime server (for example,
Sametime/Acme).
3. Enter the Secrets database filename: stauths.nsf
4. Click Open.
5. Choose File -Replication - New Replica.
6. Enter the name of the iNotes Web Access server (for example,
iNotes/Acme)
7. Ensure that the database is replicated to the data directory:
...\domino\data\stauths.nsf.
8. Click OK to create the replica.
Part 7 - Push replication changes from the iNotes Web Access server to
the Sametime server
1. From the Domino Administrator, click the Server tab.
2. Click the Server Console.
3. Enter a push command to replicate the Domino directory to the
Sametime server.
For example: push Sametime/Acme names.nsf
4. Click Send.
5. Enter a push command to replicate the Secrets database to the
Sametime server.
For example: push Sametime/Acme stauths.nsf
6. Click Send.
Part 8 - Copy the Sametime applets to the Sametime server
1. Create a folder on the Sametime server to hold the iNotes Web
Access Sametime applet files. At a DOS prompt on the Sametime
server, create the folder:
>mkdir <data directory>\domino\html\SametimeApplet
Note The folder name is case-sensitive and must be named
“SametimeApplet”.
2. Copy the contents of the Sametime applets folder on the iNotes Web
Access server into that folder. On the iNotes Web Access server, the
applets are located in the “sametime” directory:
<data directory>\domino\html\sametime
Part 9 - Verify that Sametime works with iNotes Web Access
1. Make sure that replication is complete and the Person documents
exist on the Sametime server.
2. Follow the instructions in the Sametime Installation Guide for
logging into the Sametime server using the Sametime Connect client.
Sametime must be functioning properly before you can test whether
it is working with iNotes Web Access clients.
3. Launch iNotes Web Access in a browser and click “Chat” to test the
Sametime connection.
Note If the chat link does not appear in iNotes Web Access, check the
user’s Person document in the Domino directory. Verify that the name of
the Sametime server in the Sametime server field is correct.
Using the Domino Server Setup program
The following procedures describe the ways you can use the Server
Setup program:
• Use the Server Setup program on the server you are setting up
• Use the Server Setup program from a client system or from another
server
• Create a setup profile by recording your choices during the Server
Setup program
• Use a setup profile to set up multiple servers with the same
requirements
• Use a setup profile without viewing the setup screens (“silent” setup)
Indic language support in the Domino Server Setup program
You can change both the font and the alphabet that displays when you
enter text in a field on a Server Setup program screen. Normally, the
alphabet that displays is that of the default language.
The Domino Server Setup program supports the following alphabets:
Bengali
Devanagari
Gujarati
Gurmukhi
Kannada
Malayalam
Oriya
Tamil
Telugu
To change the font
Note Changing the font is required for the Devanagari alphabet, as the
default font does not work with it.
1. Start the setup program by starting the Domino server.
2. On the Welcome screen, click Font.
3. Select a font that will work with the alphabet you plan to use.
4. To select an alphabet different from that of the default language, see
the following procedure.
To change the alphabet
Changing the alphabet is supported for the Windows, AIX, and Linux
operating systems only.
1. Start the setup program by starting the Domino server.
2. Right-mouse click on the title bar of the screen in which you want to
enter text that uses an alphabet different than that of the default
language.
3. Select “Select Input Method.”
4. Select the alphabet that you want to use.
5. Enter text in one or more fields on the screen.
Note Clicking Next to go to the next screen restores the alphabet to that
of the default language. Repeat the preceding procedure for each screen
on which you want to use a different alphabet.
Using the Domino Server Setup program locally
After installing the Domino server program files on a server, you can run
the Domino Server Setup program locally by starting the server.
The Server Setup program asks a series of questions and guides you
through the setup process. Online Help is available during the process.
Using the Domino Server Setup program remotely
After you install the program files for a Domino server on a system, you
can use either a Windows client system or another Domino server to run
the Server Setup program remotely. Running the Server Setup program
from a Windows client is easier if the client has Domino Administrator
installed; to run the program from a client without Domino
Administrator, you need the Java runtime environment plus some files
from the program directory of an installed Domino server.
In every remote procedure the target server first waits in listen mode
(nserver -listen or server -listen). The steps that follow involve no
authentication beyond reaching the host, so start listen mode only when
you are ready to connect, only on a network you control, and complete
the setup promptly.
For more information, see the topic “Entering system commands
correctly” earlier in this chapter.
To run the Server Setup program from a Windows client with
Domino Administrator
1. Make sure that you:
• Selected “Remote Server Setup” when you installed Domino
Administrator on the client system (on the Windows desktop,
choose Start - Programs - Lotus Applications and see if Remote
Server Setup appears in the list)
• Know the host name or network address of the remote system
2. Install the Domino server program files on a server system, but do
not run the Domino Server Setup program.
3. At the command prompt on the server system, from the Domino
program directory, do one of the following:
• On a Windows server, enter nserver -listen
• On a UNIX server, enter server -listen
4. On the client system, choose Start - Programs - Lotus Applications -
Remote Server Setup.
5. In the Connect to Remote Domino Server dialog box, click Ping to
ensure that you can connect to the remote server.
6. Enter the host name or network address of the remote server.
7. Click OK to start the Domino Server Setup program.
To run the Server Setup program from a Windows client without
Domino Administrator, or from a UNIX workstation
1. Make sure that you know the host name or network address of the
remote system.
2. Install the Domino server program files on a server system, but do
not run the Domino Server Setup program.
3. At the command prompt on the server, from the Domino program
directory, do one of the following:
• On a UNIX server, enter /lotus/bin/server -listen
• On a Windows server, enter nserver -listen
4. On the client system, install the Java runtime environment.
5. Create a temporary directory on the client system. For example, enter
the following at the command prompt:
• On a Windows client: mkdir c:\temp
• On a UNIX workstation: mkdir /temp
6. Do one of the following:
• From a Windows client, copy the remote setup files
CFGDOMSERVER.JAR, JHALL.JAR, and REMOTESETUP.CMD
from the server to the directory you created on the client system.
These files are in C:\Domino program directory on the server.
• From a UNIX workstation, copy the remote setup files
CFGDOMSERVER.JAR, JHALL.JAR, and REMOTESETUP from
the server to the directory you created on the workstation. These
files are in /Domino program directory/lotus/notes/latest/ibmpow/
on an AIX server, /Domino program directory/lotus/notes/latest/
linux/ on a Linux server, and /Domino program directory/lotus/
notes/latest/sunspa/ on a Solaris server.
7. At the command prompt on the client system, from the directory you
created, do one of the following:
• On a Windows client, enter remotesetup.cmd
• On a UNIX workstation, enter remotesetup
8. In the Connect to Remote Domino Server dialog box, click Ping to
ensure that you can connect to the remote server.
9. Enter the host name or network address of the remote server.
10. Click OK to start the Domino Server Setup program.
To run the Server Setup program from another server system
1. Install the Domino server program files on both server systems, but
do not run the Domino Server Setup program.
2. Make sure that you know the host name or network address of the
remote system.
3. At the command prompt on the local server system, from the
Domino program directory, do one of the following:
• On a Windows server, enter nserver -listen
• On a UNIX server, enter server -listen
4. Do one of the following:
• On a Windows server, enter nserver -remote
• On a UNIX server, enter server -remote
Tip Entering nserver -help or server -help displays all
parameters available for working with remote server setups.
5. In the Connect to Remote Domino Server dialog box, click Ping to
ensure that you can connect to the remote server.
6. Enter the host name or network address of the remote server.
7. Click OK to start the Domino Server Setup program.
Creating a server setup profile
A server setup profile is a file that you use to quickly configure servers.
To create a server setup profile, you run the Server Setup program in
record mode, either at the server you are setting up or from a Windows
client. Creating a server setup profile from a Windows client is easier if
the client has Domino Administrator installed — to create a profile from
a client without Domino Administrator, you need the Java runtime
environment plus some files from the program directory of an installed
Domino server.
For more information, see the topic “Entering system commands
correctly” earlier in this chapter.
To create a setup profile at a server
1. Install the Domino server program files on the server system, but do
not run the Domino Server Setup program.
2. At the command prompt on the server, from the Domino program
directory, do one of the following:
• On a Windows server, enter nserver -record
• On a UNIX server, enter server -record
Tip Entering nserver -help or server -help displays the
parameters available for working with server setup profiles.
3. Enter a name and description for the profile.
4. Continue through the setup program.
Domino saves your selections in a file with the name you specified in
Step 3. By default this file is created in the Domino program directory.
To create a setup profile from a Windows client with Domino
Administrator
1. Make sure that you selected “Remote Server Setup” when you
installed Domino Administrator on the client system.
2. Install the Domino server program files on the server system, but do
not run the Domino Server Setup program.
3. At the command prompt on the client system, from the Notes
program directory, enter
serversetup -record
4. Enter a name and description for the profile.
5. Continue through the setup program.
Domino saves your selections in a file with the name you specified in
Step 4 and stores the file in the Notes program directory on the client
system.
To create a setup profile from a Windows client without Domino
Administrator, or from a UNIX workstation
1. Install the Domino server program files on the server system, but do
not run the Domino Server Setup program.
2. On the client system, install the Java runtime environment.
3. Create a temporary directory on the client system. For example, enter
the following at the command prompt:
• On a Windows client: mkdir c:\temp
• On a UNIX workstation: mkdir /temp
4. Do one of the following:
• From a Windows client, copy the remote setup files
CFGDOMSERVER.JAR, JHALL.JAR, and REMOTESETUP.CMD
from the server to the directory you created on the client system.
These files are in C:\Domino program directory on the server.
• From a UNIX workstation, copy the remote setup files
CFGDOMSERVER.JAR, JHALL.JAR, and REMOTESETUP from
the server to the directory you created on the workstation. These
files are in /Domino program directory/lotus/notes/latest/ibmpow/
on an AIX server, /Domino program
directory/lotus/notes/latest/linux/ on a Linux server, and
/Domino program directory/lotus/notes/latest/sunspa/ on a
Solaris server.
5. At the command prompt on the client system, from the directory you
created, enter:
remotesetup -record
6. Enter a name and description for the profile.
7. Continue through the setup program.
Domino saves your selections in a file with the name you specified in
Step 6 and stores the file in the client-system directory that you
created in Step 3.
Using a server setup profile
You can use a server setup profile at the server you are setting up or
from a client system. Using a server setup profile from a Windows client
is easier if the client has Domino Administrator installed — to use a
profile from a Windows or UNIX client without Domino Administrator,
you need the Java runtime environment plus some files from the
program directory of an installed Domino server.
When you use a setup profile, you choose whether or not to view the
setup screens as you run the profile. Running a profile without viewing
the screens is sometimes referred to as a “silent” setup.
For more information, see the topic “Entering system commands
correctly” earlier in this chapter.
To use a setup profile at the server
1. Install the Domino server program files on a server system, but do
not run the Domino Server Setup program.
2. At the command prompt on the server, from the Domino program
directory, do one of the following:
• On a Windows server, enter nserver -playback
• On a UNIX server, enter server -playback
Tip Entering nserver -help or server -help displays the
parameters available for working with server setup profiles.
3. Choose the profile to use. If you don’t see the profile you want in the
list, click Browse to locate the directory that contains the profile.
4. To change the existing profile, select “Modify selected profile.” Click
OK to start the server setup.
To use a setup profile from a Windows client with Domino
Administrator
1. Make sure that you selected “Remote Server Setup” when you
installed Domino Administrator on the client system.
2. Install the Domino server program files on a server system, but do
not run the Domino Server Setup program.
3. At the command prompt on the server system, from the Domino
program directory, do one of the following:
• On a Windows server, enter nserver -listen
• On a UNIX server, enter server -listen
4. At the command prompt on the Windows client, from the Notes
program directory, enter:
serversetup -playback
5. In the Connect to Remote Domino Server dialog box, click Ping to
ensure that you can connect to the server.
6. Enter the host name or network address of the server.
7. Click OK.
8. Choose the profile to use. If you don’t see the profile you want in the
list, click Browse to locate the directory that contains the profile.
9. To change the existing profile instead of running it to set up a new
server, select “Modify selected profile.”
10. Click OK to start the server setup.
To use a setup profile from a Windows client without Domino Administrator, or from a UNIX workstation
1. Install the Domino server program files on a server system, but do
not run the Domino Server Setup program.
2. At the command prompt on the server system, from the Domino
program directory, do one of the following:
• On a Windows server, enter nserver -listen
• On a UNIX server, enter server -listen
3. On the client system, install the Java runtime environment.
4. Create a temporary directory on the client system. For example, enter
the following at the command prompt:
• On a Windows client: mkdir c:\temp
• On a UNIX workstation: mkdir /temp
5. Do one of the following:
• From a Windows client, copy the remote setup files CFGDOMSERVER.JAR, JHALL.JAR, and REMOTESETUP.CMD from the server to the directory you created on the client system. These files are in C:\Domino program directory on the server.
• From a UNIX workstation, copy the remote setup files CFGDOMSERVER.JAR, JHALL.JAR, and REMOTESETUP from the server to the directory you created on the workstation. These files are in /Domino program directory/lotus/notes/latest/ibmpow/ on an AIX server, /Domino program directory/lotus/notes/latest/linux/ on a Linux server, and /Domino program directory/lotus/notes/latest/sunspa/ on a Solaris server.
6. At the command prompt on the client system, from the directory you
created, enter:
remotesetup -playback
7. In the Connect to Remote Domino Server dialog box, click Ping to
ensure that you can connect to the server.
8. Enter the host name or network address of the server.
9. Click OK.
10. Choose the profile to use. If you don’t see the profile you want in the
list, click Browse to locate the directory that contains the profile. To
change the existing profile, select “Modify selected profile.”
11. Click OK to start the server setup.
Doing a silent server setup
A “silent” setup is one in which you do not view the setup screens as you
run the server setup profile. You can do a silent setup at the server you
are setting up or from a client system. Doing a silent setup from a
Windows client is easier if the client has Domino Administrator installed
— to do a silent setup from a Windows or UNIX client without Domino
Administrator, you need the Java runtime environment plus some files
from the program directory of an installed Domino server.
Tip When doing a silent setup, display a progress bar (Windows) or
have percent-complete written to the command line (UNIX) by adding
the -pb parameter to the end of the command.
For more information, see the topic “Entering system commands
correctly” earlier in this chapter.
To do a silent setup at the server
1. Install the Domino server program files on a server system, but do
not run the Domino Server Setup program.
2. At the command prompt on the server, from the Domino program
directory, do one of the following:
• On a Windows server, enter nserver -silent c:\myprofile.pds
• On a UNIX server, enter server -silent /myprofile.pds
where myprofile is the name you gave to the profile file.
Note If the profile file is not in the root directory, use the profile’s
full path in the command.
Tip Entering nserver -help or server -help displays the
parameters available for working with server setup profiles.
3. If the profile uses existing server, certifier, or administrator IDs that
require passwords, do the following:
a. Create a text file that contains the passwords for the existing IDs. The keywords in this file are:
Server=
AddServer=
Certifier=
OUCertifier=
Administrator=
b. Add a parameter in the command line for the name of the
password file. For example, on Windows enter:
nserver -silent c:\myprofile.pds c:\passwd.txt
4. If this is a partitioned server setup, add the = parameter to the
command line to specify the NOTES.INI file in this partition’s
Domino data directory. For example, on Windows enter:
nserver -silent c:\myprofile.pds =c:\lotus\domino\data2\notes.ini
5. Check the ERRORLOG.TXT file in the Domino data directory to
confirm that the setup is complete, or to view any error messages
that were generated during setup.
To do a silent setup from a Windows client with Domino Administrator
1. Make sure that you selected “Remote Server Setup” when you
installed Domino Administrator on the client system.
2. Install the Domino server program files on a server system, but do
not run the Domino Server Setup program.
3. At the command prompt on the server system, from the Domino
program directory, do one of the following:
• On a Windows server, enter nserver -listen
• On a UNIX server, enter server -listen
4. At the command prompt on the client system, from the Notes
program directory, enter:
serversetup -silent c:\myprofile.pds -remote serveraddress
Where myprofile is the name you gave the setup profile and
serveraddress is the host name or network address of the server you
are setting up.
Note If the profile file is not in the root directory, use the profile’s
full path in the command.
5. If the profile uses existing server, certifier, or administrator IDs that
require passwords, do the following:
a. Create a text file that contains the passwords for the existing IDs. The keywords in this file are:
Server=
AddServer=
Certifier=
OUCertifier=
Administrator=
b. Add a parameter in the command line for the name of the
password file. For example, on Windows enter:
serversetup -silent c:\myprofile.pds c:\passwd.txt -remote serveraddress
6. If this is a partitioned server setup, add the = parameter to the
command line to specify the NOTES.INI file in this partition’s
Domino data directory. For example, on Windows enter:
serversetup -silent c:\myprofile.pds -remote serveraddress =c:\lotus\domino\data2\notes.ini
7. Check the ERRORLOG.TXT file in the Notes data directory to
confirm that the setup is complete, or to view any error messages
that were generated during setup.
To do a silent setup from a Windows client without Domino Administrator, or from a UNIX workstation
1. Install the Domino server program files on a server system, but do
not run the Domino Server Setup program.
2. At the command prompt on the server system, from the Domino
program directory, do one of the following:
• On a Windows server, enter nserver -listen
• On a UNIX server, enter server -listen
3. On the client system, install the Java runtime environment.
4. Create a temporary directory on the client system. For example, enter
the following at the command prompt:
• On a Windows client: mkdir c:\temp
• On a UNIX workstation: mkdir /temp
5. Do one of the following:
• From a Windows client, copy the remote setup files CFGDOMSERVER.JAR, JHALL.JAR, and REMOTESETUP.CMD from the server to the directory you created on the client system. These files are in C:\Domino program directory on the server.
• From a UNIX workstation, copy the remote setup files CFGDOMSERVER.JAR, JHALL.JAR, and REMOTESETUP from the server to the directory you created on the workstation. These files are in /Domino program directory/lotus/notes/latest/ibmpow/ on an AIX server, /Domino program directory/lotus/notes/latest/linux/ on a Linux server, and /Domino program directory/lotus/notes/latest/sunspa/ on a Solaris server.
6. At the command prompt on the client system, from the Notes
program directory, enter:
remotesetup -silent c:\myprofile.pds -remote serveraddress
Where myprofile is the name you gave the setup profile and
serveraddress is the host name or network address of the server you
are setting up.
Note If the profile file is not in the root directory, use the profile’s
full path in the command.
7. If the profile uses existing server, certifier, or administrator IDs that
require passwords, do the following:
a. Create a text file that contains the passwords for the existing IDs. The keywords in this file are:
Server=
AddServer=
Certifier=
OUCertifier=
Administrator=
b. Add a parameter in the command line for the name of the
password file. For example, on Windows enter:
remotesetup -silent c:\myprofile.pds c:\passwd.txt -remote serveraddress
8. If this is a partitioned server setup, add the = parameter to the
command line to specify the NOTES.INI file in this partition’s
Domino data directory. For example, on Windows enter:
remotesetup -silent c:\myprofile.pds -remote serveraddress =c:\lotus\domino\data2\notes.ini
9. Check the ERRORLOG.TXT file to confirm that the setup is complete,
or to view any error messages that were generated during setup.
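The three silent-setup procedures above (at the server, from a Windows client with Domino Administrator, and from a client without it) assemble the same kind of command line and, when existing server, certifier, or administrator IDs need passwords, the same keyword password file. The POSIX shell helpers below are an added example and are not part of this manual or of the Domino product: they write the password file so that only the current user can read it, reject keywords the manual does not list, build the command line in the argument order the manual shows (profile, password file, -remote target, then =notes.ini for a partitioned server), and count error lines in ERRORLOG.TXT. The function names, the --demo switch, the sample log content, and the assumption that error lines in ERRORLOG.TXT contain the word "error" are this example's own.

```shell
#!/bin/sh
# Added example (not from the IBM manual): helpers for a Domino silent
# server setup run from a UNIX shell. Keywords and command syntax follow
# the manual; the function names, the --demo switch and the assumed
# ERRORLOG.TXT line format are this example's own.

# Keywords the manual lists for the ID password file.
DOMINO_PASSWD_KEYS="Server AddServer Certifier OUCertifier Administrator"

# write_passwd_file FILE Keyword=password [Keyword=password ...]
# Creates FILE readable only by the current user (umask 077 in a subshell
# so the caller's umask is untouched) and rejects unknown keywords.
write_passwd_file() {
    file=$1; shift
    ( umask 077; : > "$file" ) || return 1
    for kv in "$@"; do
        key=${kv%%=*}
        case " $DOMINO_PASSWD_KEYS " in
            *" $key "*) printf '%s\n' "$kv" >> "$file" ;;
            *) echo "write_passwd_file: unknown keyword '$key'" >&2; return 1 ;;
        esac
    done
}

# build_silent_cmd MODE PROFILE [PASSWD_FILE] [NOTES_INI] [SERVER]
# Prints (does not run) the command line in the argument order the manual
# shows: profile, optional password file, -remote target, then =notes.ini
# for a partitioned server. MODE is one of:
#   server  run on the server itself ("server" on UNIX, "nserver" on Windows)
#   admin   "serversetup" from a Windows client with Domino Administrator
#   remote  "remotesetup" from a client without Domino Administrator
build_silent_cmd() {
    mode=$1 profile=$2 passwd=$3 notesini=$4 server=$5
    case $mode in
        server) cmd="server -silent $profile" ;;
        admin)  cmd="serversetup -silent $profile" ;;
        remote) cmd="remotesetup -silent $profile" ;;
        *) echo "build_silent_cmd: unknown mode '$mode'" >&2; return 1 ;;
    esac
    [ -n "$passwd" ] && cmd="$cmd $passwd"
    if [ "$mode" != server ]; then
        [ -n "$server" ] || { echo "build_silent_cmd: -remote target required" >&2; return 1; }
        cmd="$cmd -remote $server"
    fi
    [ -n "$notesini" ] && cmd="$cmd =$notesini"
    printf '%s\n' "$cmd"
}

# count_setup_errors LOGFILE
# Prints the number of lines containing "error" (any case). The real
# ERRORLOG.TXT wording is not documented here, so treat a non-zero count
# as "open the log and read it", not as a precise diagnosis.
count_setup_errors() {
    [ -f "$1" ] || { echo "count_setup_errors: no such file '$1'" >&2; return 1; }
    n=$(grep -ci 'error' "$1") || n=0
    echo "$n"
}

# Demo with constructed placeholder passwords: ./setup_helpers.sh --demo
if [ "${1-}" = "--demo" ]; then
    dir=$(mktemp -d)
    write_passwd_file "$dir/passwd.txt" 'Certifier=change-me' 'Administrator=change-me'
    build_silent_cmd remote /myprofile.pds "$dir/passwd.txt" '' domino1.example.com
    rm -rf "$dir"   # the file holds cleartext ID passwords; never leave it behind
fi
```

The password file holds the cleartext passwords of the server, certifier, and administrator IDs, so create it immediately before the setup run, keep it outside any shared or replicated directory, and delete it once ERRORLOG.TXT confirms that setup completed. On a Windows server the server-side program is nserver rather than server, and the -pb parameter from the tip above can be appended to any of the printed command lines to get progress output.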
The Certification Log
When you set up the first Domino server in a domain, the Server Setup
program creates the Certification Log. If you delete the log, you can
recreate it, but be aware that the new log will not contain the information
it previously stored.
The Certification log records information related to recertification and
name changes. When you add servers and users to Domino, the
Certification Log maintains a record of how you registered them. For
each registered server and user, the Certification Log stores a document
containing the following information:
• Name and license type
• Date of certification and expiration
• Name, license type, and ID number of the certifier ID used to create or recertify the ID
Create a replica of the Certification Log on every server that is a
registration server and on every server that stores a Domino Directory
that is used for user management — for example, renaming and
recertifying users. If the server whose Domino Directory replica you are
using does not have a Certification Log, user-management actions will
fail.
Server registration
Before you install and set up additional servers, you must register them.
In effect, registering a server adds the server to the system. The server
registration process creates a Server document for the server in the
Domino Directory and creates a server ID. After registering and
installing a server, you use the Server Setup program to obtain a copy of
the Domino Directory for the new server and to set up the server to run
particular services and tasks — for example, the HTTP service, the Mail
Router, and so on.
Note When setting up an additional server, obtaining the Domino
Directory from the registration server via dialup over a modem is
possible for Windows systems only. For other operating systems, the
additional server must be on the network in order to communicate with
the registration server.
Before you register servers, plan and understand your company’s
hierarchical name scheme. The name scheme defines which certifier ID to
use when you register each new server. In addition, make sure that you
have access to each certifier ID, know its password, and have created ID
recovery information for it.
If you have decided to use the Domino server-based certification
authority (CA), you can register servers without access to the certifier ID
file and its password.
For more information on the hierarchical name scheme, see the chapter
“Deploying Domino.” For information on ID recovery, see the chapter
“Protecting and Managing Notes IDs.” For more information on using
the Domino server-based CA, see the chapter “Setting Up a Domino
Server-based Certification Authority.”
The registration server, which is the server that initially stores changes to
documents in the Domino Directory until the Domino Directory
replicates with other servers, must be up and running on the network. To
register servers from your workstation, you must have access to the
registration server and have at least Author access with the Server
Creator and Group Modifier roles in the ACL of the Domino Directory.
When you register a server, Domino does the following:
• Creates a server ID for the new server and certifies it with the certifier ID
• Creates a Server document for the new server in the Domino Directory
• Encrypts and attaches the server ID to the Server document and saves the ID on a disk or in a file on the server
• Adds the server name to the LocalDomainServers group in the Domino Directory
• Creates an entry for the new server in the Certification Log (CERTLOG.NSF)
If you have a Domino server-based CA for issuing Internet certificates,
you can choose to configure the new server to support SSL connections
by providing a server key ring password and the server’s host name.
Then, Domino does the following:
• The registration process creates a certificate request in the Administration Requests database (ADMIN4.NSF) to be processed by the server’s Internet CA
• The registration process creates a “create SSL key ring” request in ADMIN4.NSF
• Once you set up and start the new server and the “create SSL key ring” request has replicated to it, the “create SSL key ring” request creates the server key ring file and an “enable SSL ports” request for the administration server of the Domino Directory
• The “enable SSL ports” request enables all the SSL ports on the new server and creates a “monitor SSL status” request for the new server
• The “monitor SSL status” request restarts all of the Internet tasks currently running on the new server so that the tasks will accept SSL connections
Note You must use the Domino Administrator if you want to use this
server registration process to configure a new server for SSL.
For more information on these requests, see the appendix
“Administration Process Requests.”
Registering a server
Note If you have not specified a registration server in Administration
Preferences, this server is by default:
• The server specified in the NewUserServer setting in the NOTES.INI file
• The Administration server
1. If you are supplying the certifier ID, make sure that you have access
to it and that you know its password.
2. If you are using the Domino Administrator and would like the new
server to support SSL, make sure that you have an Internet CA
configured.
3. From the Domino Administrator or Web Administrator, click the
Configuration tab.
4. From the Tools pane, click Registration - Server.
5. If you are using the Domino Administrator, do the following:
a. If you are using the CA process, click Server and select a server
that includes the Domino Directory that contains the Certificate
Authority records, and the copy of the Administration Requests
database (ADMIN4.NSF) that will be updated with the request
for the new certificate. Then click “Use the CA Process,” select a
CA-configured certifier from the list, and click OK.
b. If you are supplying the certifier ID, select the registration server.
Then click “Certifier ID” and locate the certifier ID file. Click OK,
enter the password for the certifier ID, and click OK.
c. In the Register Servers dialog box, click Continue if you want to
apply the current settings to all servers registered in this
registration session; otherwise, complete these fields:
Field Action
Registration server: Click Registration to specify the registration server.
Certifier: If the certifier ID displayed is NOT the one you want to use for all servers registered in this session, or if you want to use the Domino server-based CA instead of a certifier ID, click Certifier and you return to Step 4.
Internet Certificate Authority: If you want the server to support SSL, select an Internet CA from the list.
Security type: Choose either North American (default) or International. In practice, there is no difference between a North American and an International ID type.
Certificate expiration date: (Optional) To change the expiration date of the Server Certificate, enter the date in mm-dd-yyyy format in the Certificate Expiration Date box. The default date is 100 years from the current date, minus allowances for leap years.
d. Click Continue.
6. If you are using the Web Administrator, do the following:
a. Select a registration server that includes the Domino Directory
that contains the Certificate Authority records, and the copy of
the Administration Requests database (ADMIN4.NSF) that will
be updated with the request for the new certificate.
b. Select a CA-configured certifier from the list, and click OK.
7. In the Register New Server(s) dialog box, complete these fields for
each server that you want to register:
Field Action
Server name: Enter the name of the new server.
Server title: Enter the server title, which appears on the Configuration tab in the All Server Documents view and in the Server Title field of the Server document.
Domino domain name: The default domain name is usually the same as the name of the organization certifier ID.
Server administrator name: Enter the name of the person who administers the server.
ID file password: Required if you are going to store the server ID in the Domino Directory. Optional if you store the server ID in a file. The password is case-sensitive and the characters you use will depend on the level you set in the Password quality scale.
Password quality scale: Choose the level of complexity for the password. By default, the level is 0, where 16 is the highest.
Location for storing server ID:
• Select “In Domino Directory” to store the server ID in the Domino Directory.
• Select “In File” to store the server ID file in a file. Then click “Set ID File,” select the name and path for the file, and click Save.
Note You don’t see this field from the Web Administrator, as the server ID is stored in the Domino Directory.
8. (Domino Administrator only) If you chose an Internet CA in the Register Servers dialog box and you want the server to support SSL connections, click Advanced, select “Enable SSL ports,” and complete the following fields:
• Server key ring password — Enter a password for the server key ring
• Server host name — Enter the fully qualified domain name of the server, for example, app01.acme.com
9. Do one:
Click the green check box to add the server to the registration
queue.
Click  the red X to clear the fields.
10. The server registration queue displays the servers ready to be
registered. To display the settings for a server, select the server name
in the queue.
11. Click one:
• New Server — To clear fields in the Register New Server(s) dialog box
• Register All — To register all servers in the registration queue
• Register — To register the highlighted server in the registration queue
• Remove — To remove the highlighted server from the registration queue
• Done — To close the Register Server(s) dialog box. Any servers remaining in the registration queue will not be registered.
12. After you register a server, install it and then run the Server Setup
program to configure it.
Optional tasks to perform after server setup
After running the Server Setup program, you may want to perform one
or more of the following tasks, depending on the needs of your company:
• Create an additional organization certifier ID.
• Create an organizational unit certifier ID.
• Use Internet Site documents to configure Internet protocol server tasks:
  • Enable the Internet Sites view
  • Create an Internet Site document
  • Set up security for Internet Site documents
Creating an additional organization certifier ID
When you set up the first server in a domain, you create an organization
certifier. If your hierarchical name scheme calls for having multiple
organizations but only one Domino Directory, you must create an
additional organization certifier ID.
For more information on organization certifier IDs, see the chapter
“Deploying Domino.”
1. From the Domino Administrator, click the Configuration tab.
2. From the Tools pane, choose Registration - Organization.
3. (Optional) To change the registration server, which is the server that
initially stores the Certifier document until the Domino Directory
replicates, click Registration Server, select the correct server, and
then click OK. If you have not specified a registration server in
Administration Preferences, the registration server is by default:
• The local server, if there is one and it contains a Domino Directory
• The server specified in the NewUserServer setting in the NOTES.INI file
• The Administration server
4. (Optional) Click Set ID file to change the location where Domino
stores the certifier ID. Be sure to keep the certifier ID file in a secure
place so that it is readily accessible to register new servers and users,
but safe from misuse. By default, the certifier ID is stored in C:\.
5. Complete these fields:
Field Action
Organization name: Enter the name of the organization. Enter a name different from the one used on the organization certifier ID created when you set up the first Domino server.
Country code: (Optional) Adding an organizational country or region code for the country or region where the organization’s corporate headquarters are located minimizes the chance that another organization has the same organization name as yours. Enter the country or region code only if you have registered your organization name with a national or international standards body. For multinational companies, you can enter a country or region in which the company has offices, as long as the organization name is registered there.
Certifier password: Enter a case-sensitive password for the certifier. The characters you use for this password depend on the level set in the “Password quality scale” field.
Password quality scale: Choose the level of complexity for the password. By default, the level is 8, where 16 is the highest.
Security type: Choose either North American (default) or International. In practice, there is no difference between a North American and an International ID type.
Mail certification requests to (Administrator): Enter the name of the administrator who handles recertification requests. The name specified here appears in the Certifier document in the Domino Directory. If you are creating a certifier ID for an off-site administrator, enter that administrator’s name in this field.
Location: (Optional) Enter text that appears in the Location field of the Certifier document.
Comment: (Optional) Enter text that appears in the Comment field of the Certifier document.
6. Click Register.
Creating an organizational unit certifier ID
You can create up to four levels of organizational unit (OU) certifiers. To
create first-level OU certifier IDs, you use the organization certifier ID.
To create second-level OU certifier IDs, you use the first-level OU
certifier IDs, and so on.
For background information on OU certifier IDs, see the chapter
“Deploying Domino.”
For background information on OU certifier IDs, see the topic “Certifier
IDs and certificates.”
Note The registration server is the server that initially stores the
Certifier document until the Domino Directory replicates. If you have not
specified a registration server in Administration Preferences, the
registration server is by default:
• The local server, if there is one and it contains a Domino Directory
• The server specified in the NewUserServer setting of NOTES.INI
• The Administration server
To create an organizational unit certifier ID
1. From the Domino Administrator, click the Configuration tab.
2. From the Tools pane, select Registration - Organizational Unit.
3. (Optional) To change the registration server, click Registration
Server, select the correct server, and then click OK.
4. Do one:
• Select “Supply certifier ID and password.” Click Certifier ID, select the certifier ID, click Open, and click OK. Enter the ID password, and click OK.
• Select “Use the CA Process” and then choose a CA certifier from the list.
5. Click OK. If you are supplying the certifier ID, enter its password
and click OK.
6. (Optional) To change the registration server, click Registration
Server, select the correct server, and then click OK.
7. (Optional) To change which certifier ID to use to register the new
certifier ID:
a. Click Certifier ID.
b. Select the certifier ID, click Open, and click OK.
c. Enter the ID password and click OK.
8. (Optional) Click “Set ID File” if you want to change the location
where Domino stores the certifier ID. Be sure to keep the certifier ID
file in a secure place so that it is readily accessible to register new
servers and users, but safe from misuse. By default the ID is stored in
C:\.
9. Complete these fields:
Field Action
Organizational Unit: Enter a name for the new organizational unit.
Certifier password: Enter a case-sensitive password for the certifier. The characters you use for this password depend on the level set in the “Password quality scale” field.
Password quality scale: Choose the level of complexity for the password. By default, the level is 8, where 16 is the highest.
Security type: Choose either North American (default) or International. In practice, there is no difference between a North American and an International ID type.
Mail certification requests to (Administrator): Enter the name of the administrator who handles recertification requests. The name specified here appears in the Certifier document in the Domino Directory. If you are creating a certifier ID for an off-site administrator, enter that administrator’s name in this field.
Location: (Optional) Enter text that appears in the Location field of the Certifier document.
Comment: (Optional) Enter text that appears in the Comment field of the Certifier document.
10. Click Register.
Internet Site documents
Internet Site documents are used to configure the Internet protocols
supported by Domino servers. A separate Internet Site document is
created for each protocol — Web (HTTP), IMAP, POP3, SMTP Inbound,
LDAP, and IIOP — which is then used to provide protocol configuration
information for a single server, or for multiple servers in a Domino
organization. Specifically, you can create:
• Web Site documents. You create a Web Site document for each Web site hosted on the Domino server.
• LDAP Site documents. You create an LDAP Site document for LDAP protocol access to an organization in a directory.
• IMAP, POP3, and SMTP Site documents. You create an individual Internet Site document for each mail protocol for which you enter an IP address.
• IIOP Site documents. You create an IIOP Site document to enable the Domino IIOP (DIIOP) task on the server. This task allows Domino and the browser client to use the Domino Object Request Broker (ORB) server program.
Internet Site documents make it easier for administrators to configure
and manage Internet protocols in their organizations. For example, prior
to Domino 6, if you wanted to set up a Web site in your organization, it
was necessary to configure each Domino server in the domain with
Mapping documents, Web realms, and File Protection documents. If you
had virtual servers and virtual hosts, you had to do the same thing for
them. In Domino 6, you can configure a Web Site document so that all
servers and hosts use it to get configuration information for a Web site,
including mapping information, file protection information, and Web
realm authentication information.
You must use Internet Site documents if you:
• Want to use Web-based Distributed Authoring and Versioning (WebDAV) on a Domino Web server.
• Have enabled SSL on your server and want to use Certificate Revocation Lists to check the validity of Internet certificates used to authenticate with the server.
• Are using a service provider configuration on your server (see “For service providers only” below).
Modifications to Internet Site documents (including the creation of new
Site documents) are dynamic. The server or protocol does not need to be
restarted after you create a new Site document, or after you modify or
delete an existing one. Changes generally take effect minutes after the
change is made. The ability to dynamically create, modify, or delete
Internet Site documents is especially valuable in service provider
environments, so that existing hosted organizations are not interrupted
when a new hosted organization is configured.
The Domino server is configured to use Internet Site documents if this
option is enabled on the server document. If the option is not enabled,
the server defaults to Server document settings to obtain configuration
information for Internet protocols.
Internet Site documents are created in the Internet Sites view, which is
used to help manage Internet protocol configuration information by
listing the configured Internet Site documents for each organization in
the domain.
Caution If you use an Internet site document to configure one Internet
protocol on a server, you must also use Internet site documents for all
Internet protocols on that server. For example, you cannot set up an
LDAP Internet Site document and, on the same server, use the Server
document to configure HTTP.
While most protocol settings are configured in Internet Site documents,
there are some settings that need to be configured in the Server
document to support Internet protocol configurations. These include
settings for:
• Enabling and configuring the TCP/IP port.
• Enabling and configuring the SSL port (including redirecting TCP to SSL).
• Accessing the server — such as who can access the server and how.
For more information on server access settings, see the chapter
“Controlling Access to Domino Servers.”
Setting up Internet Site documents on a Domino server
Do the following to set up basic Internet Site functionality on a Domino
server.
1. Create an Internet Site document for each Internet protocol you want to use.
2. Set up security for each Internet Site document.
3. Enable Internet Site documents on the server.
For service providers only
Internet Site documents are required for hosted organizations. These
documents control each hosted organization’s use of Internet protocols.
A hosted organization can only use an Internet protocol if the hosted
organization has an Internet site document for that protocol. A shared IP
address may be used for all hosted organizations, or unique IP addresses
may be set up for each hosted organization. Internet Site documents link
IP addresses to the individual hosted organizations for each Internet
protocol.
When registering hosted organizations, you have the option to create
Internet Site documents during hosted organization registration, or you
can choose to create them later.
Service providers need to consider the following when using Internet Site
documents:
• Each hosted organization has one Web Site document that can be created during hosted organization registration. You must create this initial Web Site document to activate the HTTP protocol. If you have multiple Web sites, you need one individual Web Site document for each additional Web site for each organization. If the hosted organization supports DOLS, the Web Site document must contain the name of the DSAPI filter file. For more information, see the topic “To configure DOLS on a server that uses Web Site documents” in this chapter.
• You must create one mail protocol Site document (IMAP, POP3, or SMTP) for each protocol used by each organization.
• In a hosted environment, Domino IIOP (DIIOP) can use the information in the IIOP Internet Site document to define the scope of the Domino Directory used to validate users. With DIIOP, you can use any Java® code running on any server on the network.
• If your configuration has one IP address that is shared by multiple hosted organizations, HTTP, IMAP, LDAP, POP3, and SMTP are the available protocols. For IMAP, LDAP, POP3, and SMTP users, the name provided during authentication must be the user’s Internet e-mail address, so that the server knows the organization of which each user is a member. Anonymous access to LDAP is not supported in this configuration.
• To enable SSL for a hosted organization, you must enter the server IP address in the field “Host names or addresses mapped to this site” on the Basics tab of the Internet Site document.
Creating an Internet Site document
You can create Internet Site documents for Web, IMAP, POP3, LDAP,
SMTP Inbound, and IIOP Internet protocols. You create one document at
a time.
To create an Internet Site document
1. From the Domino Administrator, click Configuration - Web - Internet
Sites.
2. Click Add Internet Site, and select the type of Internet Site document
to create.
3. Complete these fields:

Field  Action

Descriptive name for this site
    (Optional) Enter a name that differentiates this site from all others
    that you create. This name appears in the Internet Sites view in this
    format: the type of Internet Site, the descriptive name, and the host
    name or address. For example:
    Web Site: MyWebSite (www.acme.com)
    If you do not enter a name, the default name is the type of Internet
    Site document with the host name or address appended. For example:
    POP3 Site: (www.acme.com)

Organization
    (Required for all Internet Site documents) Enter the name of the
    registered organization that hosts the Internet Site document. The
    name must correspond to the organization’s certifier.
    Note For Web Sites set up in a non-service provider configuration,
    this name can be any suitable word or phrase.

Use this Web site to handle requests which cannot be mapped to any other Web sites
    (Web Site documents only) Choose one:
    • Yes —This Web site processes incoming HTTP requests if Domino
      cannot locate the Web sites that were entered in the “Host names
      or addresses mapped to this site” field.
    • No (default) —This Web site does not process incoming HTTP
      requests for which Domino cannot locate a Web site.

Host names or addresses mapped to this site
    (Required for all Internet Site documents) Enter the target host
    names or IP addresses that trigger a connection’s use of this
    Internet Site document. If the site is set up for SSL, you must
    specify IP addresses.

Domino servers that host this site
    (Required for all Internet Site documents) Enter the name of one or
    more Domino servers that host this site. You can use any variation of
    distinguished name (for example, Server1/Sales/Acme) as well as
    wildcards (for example, */Acme). The default is (*), which means that
    all servers in the domain can host this site. If you leave the field
    blank, the Internet Site will not be loaded on any Domino server.
4. For all Internet Site documents, complete the settings on the Security
tab.
5. Some Internet Sites require additional configuration. The table below
indicates the Internet Site documents that require additional
configuration, and the locations for settings in those documents for
enabling additional configuration information unique to those
protocols.

Document    Complete
Web Site    Configuration tab, Domino Web Engine tab
IMAP Site   Public Folder tab
IIOP Site   Configuration tab
6. Save and close the document.
Setting up security for Internet Site documents
To set up security for Internet Site documents, you can enable SSL server
and client authentication, name-and-password authentication, or
anonymous access for Internet and intranet clients.
In order to enable SSL for Internet Sites, you must configure the SSL port
on the Server document and set up SSL on the server by obtaining a
server certificate and key ring from an Internet certificate authority.
To set up SSL authentication, you must create a server key ring file for
each Internet Site document. However, if the Internet site documents are
for the same organization, but are created for different protocols, a single
server key ring file can be used. Be sure to enter the server key ring file
name in the appropriate field on the Security tab of each site document.
If you want to use Certificate Revocation Lists (CRL) for Internet
certificate authentication, the server must be using a Domino
server-based certification authority for issuing Internet certificates.
To enable SSL for a hosted organization, you must use the server IP
address in the field “Host names or addresses mapped to this site” on the
Basics tab of the Internet Site document.
Note For Web sites, the common name on the server key ring must
match the DNS name to which the IP address in the Web Site document
is mapped. The IP address must be stored in the field “Host name or
addresses to map to this site,” which is located on the Web Site
document. If you enable Redirect TCP to SSL in a Web Site document,
both the host name and the IP address must be stored in this field.
You should be familiar with SSL authentication, name and password
authentication, and anonymous access before completing these steps.
For more information about SSL authentication, see the chapter “Setting
Up SSL on a Domino Server.”
For more information about name-and-password authentication and
anonymous access, see the chapter “Setting Up Name-and-Password
Authentication and Anonymous Access on a Domino Server.”
To set up security for Internet Site documents
Note In Domino 6, it is possible to effectively prohibit access to an
Internet Site by selecting “no” for all authentication options in an Internet
Site Document. These options include TCP authentication, SSL
authentication, and TCP anonymous access.
1. From the Domino Administrator, click Configuration - Web - Internet
Sites.
2. Choose the Internet Site document to modify, and click Edit
Document.
3. Click Security, and complete these fields:

Field  Enter

TCP Authentication

Anonymous
    (Applies to all Internet sites, except IMAP and POP3) Choose one:
    • Yes —To allow anonymous access to this site
    • No —To prohibit anonymous access

Name & password
    Choose one:
    • Yes —To require a user to authenticate with the user’s name and
      Internet password to access the site
    • No —To not require name and password authentication

Redirect TCP to SSL
    (Applies to Web Site only) Choose one:
    • Yes —To require clients and servers to use the SSL protocol to
      access the Web site
    • No —To allow clients and servers to use SSL or TCP/IP to access
      the Web site

SSL Authentication

Anonymous
    (Applies to all Internet sites, except IMAP and POP3) Choose one:
    • Yes —To allow users access over the SSL port without
      authenticating with a name and password
    • No —To deny users anonymous access

Name & password
    Choose one:
    • Yes —To require a user to authenticate with user name and Internet
      password in order to access this site using SSL
    • No —To not require a name and password

Client certificate
    (Applies to Web Site, IMAP, POP3, and LDAP) Choose one:
    • Yes —To require a client certificate for access to this site
    • No —To not require a client certificate

SSL Options

Key file name
    Enter the name of the server key ring file.

Protocol version
    Choose one:
    • V2.0 only —Allows only SSL 2.0 connections.
    • V3.0 handshake —Attempts an SSL 3.0 connection. If this fails and
      the requester detects SSL 2.0, attempts to connect using SSL 2.0.
    • V3.0 only —Allows only SSL 3.0 connections.
    • V3.0 with V2.0 handshake —Attempts an SSL handshake, which
      displays relevant error messages. Makes an SSL 3.0 connection if
      possible.
    • Negotiated (default) —Attempts an SSL 3.0 connection. If this
      fails, attempts to use SSL 2.0. Use this setting unless you are
      having connection problems caused by incompatible protocol
      versions.

Accept SSL site certificates
    Choose one:
    • Yes —To accept the certificate and use SSL, even if the server
      does not have a certificate in common with the protocol server
    • No (default) —To prohibit the acceptance of SSL site certificates
      for access

Accept expired SSL certificates
    Choose one:
    • Yes —To allow clients access, even if the client certificate is
      expired
    • No —To prohibit client access using expired SSL certificates

Check for CRLs
    Choose one:
    • Yes —To check the certifier’s Certificate Revocation List (CRL)
      for the user certificate you are attempting to validate. If a
      valid CRL is found and the user certificate is on the list, the
      user certificate is rejected.
    • No —To not use Certificate Revocation Lists

Trust expired CRLs
    Choose one:
    • Yes —To use expired but otherwise valid Certificate Revocation
      Lists when attempting to validate user certificates
    • No —To reject expired Certificate Revocation Lists

Allow CRL search to fail
    Choose one:
    • Yes —If the attempt to locate a valid Certificate Revocation List
      fails, proceed as if “Check for CRLs” is set to No.
    • No —If a valid Certificate Revocation List for the user
      certificate is not found, reject the certificate. If “Trust expired
      CRLs” is set to Yes, an expired CRL is valid. If “Trust expired
      CRLs” is set to No, the authentication will fail for every user
      certificate for which a matching valid CRL is not located.

SSL Security

SSL ciphers
    Click Modify to change the SSL cipher settings for this site
    document. These settings apply only to SSL v3. SSL v2 ciphers cannot
    be changed.

Enable SSL V2
    Choose Yes to enable SSL v2 for this site document.
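As an added illustration (not Domino's own code), the following Python models the decision table that the Client certificate, Accept expired SSL certificates, Check for CRLs, Trust expired CRLs and Allow CRL search to fail fields describe, so that the fail-open and fail-closed combinations can be compared side by side. The certifier names, serial numbers, dates and field defaults are constructed for the example.

```python
"""Model of the SSL client-certificate decision table on an Internet Site
document's Security tab. Added illustration, not Domino code: the Domino
protocol tasks apply these rules internally; this module only makes the
combinations of the fields visible. All sample data is constructed."""

from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, Optional, Sequence, Tuple


@dataclass(frozen=True)
class SslAuthSettings:
    """One attribute per Security-tab field; True means the field is Yes."""
    client_certificate: bool = True
    accept_expired_ssl_certificates: bool = False
    check_for_crls: bool = True
    trust_expired_crls: bool = False
    allow_crl_search_to_fail: bool = False


@dataclass(frozen=True)
class ClientCertificate:
    serial: str
    issuer: str        # the certifier that issued the certificate
    not_after: date    # expiry date of the certificate


@dataclass(frozen=True)
class CertificateRevocationList:
    issuer: str
    next_update: date  # the CRL is expired once this date has passed
    revoked_serials: FrozenSet[str]


def find_usable_crl(crls: Sequence[CertificateRevocationList], issuer: str,
                    today: date, settings: SslAuthSettings
                    ) -> Optional[CertificateRevocationList]:
    """Locate the certifier's CRL. An expired CRL only counts as valid
    when Trust expired CRLs is Yes."""
    for crl in crls:
        if crl.issuer != issuer:
            continue
        if crl.next_update >= today or settings.trust_expired_crls:
            return crl
    return None


def evaluate_client_certificate(cert: Optional[ClientCertificate],
                                settings: SslAuthSettings,
                                crls: Sequence[CertificateRevocationList],
                                today: date) -> Tuple[bool, str]:
    """Return (accepted, reason) for a client certificate presented over SSL."""
    if cert is None:
        if settings.client_certificate:
            return False, "client certificate required but none presented"
        return True, "no client certificate required"

    if cert.not_after < today and not settings.accept_expired_ssl_certificates:
        return False, "client certificate expired"

    if not settings.check_for_crls:
        return True, "accepted without CRL check"

    crl = find_usable_crl(crls, cert.issuer, today, settings)
    if crl is None:
        # No valid CRL located: Allow CRL search to fail chooses between
        # fail-open (proceed as if Check for CRLs were No) and fail-closed.
        if settings.allow_crl_search_to_fail:
            return True, "no valid CRL found; search allowed to fail"
        return False, "no valid CRL found; rejected"

    if cert.serial in crl.revoked_serials:
        return False, "certificate revoked by CRL"
    return True, "certificate not on CRL"


# Constructed sample data (certifier names, serials and dates are made up).
TODAY = date(2024, 6, 1)
ACME_CRL = CertificateRevocationList("/Acme", date(2024, 7, 1), frozenset({"1002"}))
LEGACY_CRL = CertificateRevocationList("/Legacy", date(2024, 1, 1), frozenset({"2001"}))  # expired
CRLS = [ACME_CRL, LEGACY_CRL]

GOOD_CERT = ClientCertificate("1001", "/Acme", date(2025, 1, 1))
REVOKED_CERT = ClientCertificate("1002", "/Acme", date(2025, 1, 1))
EXPIRED_CERT = ClientCertificate("1003", "/Acme", date(2023, 12, 31))
NO_CRL_CERT = ClientCertificate("3001", "/Partner", date(2025, 1, 1))   # certifier publishes no CRL
LEGACY_REVOKED_CERT = ClientCertificate("2001", "/Legacy", date(2025, 1, 1))

STRICT = SslAuthSettings()                                   # fail closed on CRL problems
FAIL_OPEN = SslAuthSettings(allow_crl_search_to_fail=True)   # proceed when no CRL is found
TRUST_STALE = SslAuthSettings(trust_expired_crls=True)       # expired CRLs still consulted
```

With FAIL_OPEN, LEGACY_REVOKED_CERT is accepted because its certifier's CRL has expired and is therefore not found, whereas TRUST_STALE still consults the stale CRL and rejects it.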
Enabling Internet Sites on a server
If you enable the use of Internet Sites on a Domino server, the server
obtains Internet protocol configuration information from site documents.
Comparable configuration settings in the Server document are not used.
If the use of Internet Sites is not enabled, comparable Server document
settings are used to obtain protocol configuration information.
You can only use the Internet Sites view for Domino 6 servers. Servers
running Domino 5.0x or earlier do not have the option for enabling the
Internet Sites view.
Note Each time you start or restart HTTP, a console message indicates
whether the HTTP task is using Internet Sites or the Server document
(Web Server Configurations view) to obtain Internet protocol
configuration information.
To enable Internet Sites on a server
1. Open the Server document you want to edit, and click Edit Server.
2. Click the Basics tab.
3. In the Basics section, enable “Loads Internet configurations from
Server/Internet Sites documents.”
4. Save the document.
5. Restart the server.
Note The HTTP task is backward-compatible with the Web Server
Configurations view.
Starting and shutting down the Domino server
Start the Domino server so users can access shared databases and obtain
other server services. Do not enter keystrokes or click the mouse while
the Domino server is starting or shutting down.
Note If the server program is running, do not use CTRL+S to stop
scrolling the console, because no server services take place until you
press a key to continue.
To start the server

Operating system       Action
Windows NT and 2000    Choose Start - Programs - Lotus Applications -
                       Lotus Domino Server.
UNIX                   Enter the path for the Domino program directory.
                       For example, if you installed Domino in the /opt
                       directory, enter: /opt/lotus/bin/server

To shut down the server
Enter either exit or quit at the console. It may take ten seconds or more
for the server to shut down.
Chapter 4
Setting Up Server-to-Server Connections
After you configure servers, create Connection documents to enable mail
transfer, replication, and remote access between servers on different
networks.
Planning server-to-server connections
Servers must connect to each other to exchange data, for example to
replicate databases and exchange mail. You can create connections
between servers across a local area network (LAN) or wide area network
(WAN); using a dialup modem or remote access service; using a passthru
server, which is a server that acts as an intermediary server between a
client and its destination; or over the Internet.
For a calling server to connect to a given destination server, it requires
information about how and when to contact the destination server. The
information about how to contact the destination server includes the
network to use to reach the target server, and, depending on the type of
network, the network addresses, phone number, and other information
needed to make the connection.
When a server needs to connect to a destination server on the same Notes
Named Network, the information needed to make the connection is
readily available and the connection occurs automatically, without any
administrative intervention. However, when two servers don’t share a
common network, the calling server must be able to obtain this
information by some other method. In a Domino network, administrators
create Connections documents in the Domino Directory to store
information about how to connect to a destination server.
In addition to providing the network information required to contact a
destination server, Connection documents can also specify when to
contact the destination server. Depending on the type of communications
required, a calling server may attempt to establish contact with the
remote server immediately, or only at scheduled intervals. For example,
a server looking up a name on, or performing cluster replication with a
given destination server requires immediate access to a remote server.
On the other hand, to perform tasks such as routing mail or replicating
databases, a calling server may require only periodic access to the
destination server. When setting up a Connection document for a task that
doesn’t require immediate access, you can specify when the calling server
attempts to make the connection. Network information in a Connection
document is used to create the connection to the specified destination
server, whether or not the connection is related to a task defined in the
schedule part. In other words, a calling server can use the network
information in a Connection document to contact a specified destination
server when contacting that server for reasons other than mail routing or
replication.
Connections between servers — that is, your connection topology —
should enable servers to exchange information reliably and efficiently,
maximizing the capacity of the physical network, while minimizing
connection-related costs.
When creating Connection documents for scheduled operations or to
enable contact with a destination server, keep the following factors in
mind:
• The physical network to which the servers belong — Are the servers in
  the same or different Notes named networks?
• Function of the server — What is the primary role of the server? For
  example, is it an application server, Web server, or Directory server?
  Does the server provide passthru or dialup access to connect remote
  or disparate networks?
• Tasks running on the server — Does the server require Connection
  documents for both replication and mail routing?
• Access requirements — Does the server need to be reached over a
  modem connection or as a passthru destination?
• Does the planned connection topology make the best use of the
  available network infrastructure? Is the server hardware adequate to
  support its role in replication or routing? For example, if a server is
  to be used as a replication hub, does it have a fast processor,
  sufficient memory, and enough disk space? Does the server require
  multiple NICs? Is there enough bandwidth between servers to
  support the anticipated traffic?
• Keep the number of Connection documents and the number of
  “hops” — that is, the number of intermediate servers between the
  connecting and destination servers — to a minimum.
• The Domino domain location of the servers — Are the servers in the
  same domain, adjacent domains, or non-adjacent domains?
The number of Connection documents that you create for a server
depends on whether the server is running the replication task and/or the
mail task. When you configure a server, the Server document, by default,
enables mail routing. When you create a Connection document,
replication is enabled. Depending on how you use the server — that is,
whether you store mail files and/or application databases on it — you
must create a minimum of one or two Connection documents.
For more information on configuring replication, see the chapter
“Scheduling Replication.”
For more information on mail routing, see the chapter “Overview of the
Domino Mail System.”
Servers can also use information gathered from an External Domain
Network Information (EDNI) document to make a connection. As an
administrator, you configure this document to retrieve names and
addresses of servers in another domain so that users and servers do not
require Connection documents to connect to servers in that domain.
For more information on EDNI documents, see the topic “Setting up
external domain lookups” later in this chapter.
Remote (modem) access and server topology
Servers that are not on the same LAN or WAN can use modem
connections to communicate with each other. For example, servers in
remote field offices can establish modem connections with servers in a
central office to route mail or replicate databases.
To create a topology for remote servers, first determine which databases
the workstations and servers access frequently. In particular, think about
how you want to route mail and replicate databases. Determine if users
and servers in remote locations need access to certain mail and other
databases. If so, consider these methods to make the databases available:
• Create replicas of the databases on a remote server.
  For information about using database replicas, see the chapter
  “Scheduling Replication.”
• Place modems on local servers that remote users need to access.
  For information about connecting servers by modem, see the topic
  “Planning for modem use” later in this chapter.
• Set up a passthru server for use by remote servers or users.
  For information about setting up passthru servers, see the topic
  “Setting up a server as a passthru server” later in this chapter.
Because users who connect to a remote server over a Notes Direct Dialup
connection typically have only one modem on their workstations, by
default, they can connect to that one server only. Creating replicas of
frequently used databases on that server enables remote users to access
multiple databases over a single dialup connection.
Setting up a passthru server enables remote workstations or servers that
connect to one Domino server to access additional Domino servers also.
Using a passthru server consolidates modem resources on a few Domino
servers and centralizes administration and troubleshooting.
How a server connects to another server
A connecting server uses the following steps to determine how to
connect to a destination server. As soon as the connecting server
successfully connects to the destination, it stops searching for additional
connection methods.
1. The connecting server tries to connect using the same method it used
the last time it made a successful connection to the destination
server. Note these two exceptions:
  • If the server never connected to the destination server, the server
    searches for a path (consisting of a network port and any passthru
    servers) to the destination server.
  • If the server has connected previously, but the connection now
    fails, the server conducts a new path search if it is the first
    attempt of the day.
2. The connecting server checks to see if it already has a WAN port
connection to the destination server.
3. The server examines normal-priority Connection documents in the
Domino Directory for information on what path to use to connect to
the destination server. A normal-priority Connection document is
one that has Normal selected in the “Usage priority” field. If multiple
normal-priority Connection documents exist for the same destination
server, the server chooses the Connection document to use based on
the type of connection in the following order:
  • Local Area Network
  • Network Dialup
  • Notes Direct Dialup
  • Passthru server
  • Hunt group of passthru servers
Note A server that uses a passthru connection to reach the
destination server must first be able to connect to the passthru server.
To provide information on how to connect to the passthru server,
you may have to create an additional Connection document.
4. The connecting server checks information stored in memory about
other servers in the server’s Notes named network. It uses this
information to define a path to the destination server. The server
reads this information from Server documents in its local Domino
Directory.
5. If the connecting server’s local Domino Directory does not contain
information about the destination server, it tries to connect directly to
the destination server on the LAN by using the server common name
as its address.
6. The connecting server checks the low-priority Connection
documents. A low-priority Connection document is one that has Low
selected in the “Usage priority” field.
7. If the connecting server still cannot find a path to the destination
server, it issues a message that a connection is not possible.
Note For workstations connecting to servers, the search logic is the
same except that the workstation tries to use the passthru server listed as
default in the Location document to make the connection if Steps 1
through 5 fail. If the Location document does not define a default
passthru server and the workstation is already connected to a server over
a Notes Direct Dialup connection, the workstation uses that server as a
passthru to reach the destination server.
To display information about how a server makes a connection, open the
Miscellaneous Events view in the log file (LOG.NSF). To change the
amount of information Domino records about connections in the log file,
change the log level.
For more information on log files, see the chapter “Using Log Files.”
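As an added illustration (not Domino's own code), the following Python models the part of the search above that an administrator can influence through the Domino Directory: normal-priority Connection documents ordered by connection type (step 3), the Notes named network fallback (step 4) and low-priority documents (step 6), including the requirement that a passthru server be reachable in its own right. It omits the cached last-successful method, the existing-WAN-port check and the direct common-name attempt, treats a hunt group like a single passthru server, and uses constructed server and network names.

```python
"""Model of the Connection-document path search a Domino server performs.
Added illustration, not Domino code; steps 1, 2 and 5 of the documented
sequence are omitted and a hunt group is treated as one passthru server.
Server and Notes named network names are constructed."""

from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Sequence, Set, Tuple

# Preference order among Connection documents of the same usage priority.
CONNECTION_TYPE_ORDER = [
    "Local Area Network",
    "Network Dialup",
    "Notes Direct Dialup",
    "Passthru Server",
    "Hunt Group",
]


@dataclass(frozen=True)
class ConnectionDocument:
    source: str
    destination: str
    connection_type: str
    usage_priority: str = "Normal"          # "Normal" or "Low"
    passthru_server: Optional[str] = None   # only for passthru / hunt group types


def candidate_documents(source: str, destination: str,
                        docs: Sequence[ConnectionDocument],
                        priority: str) -> List[ConnectionDocument]:
    """Documents from source to destination at one priority, best type first."""
    matches = [d for d in docs if d.source == source
               and d.destination == destination and d.usage_priority == priority]
    return sorted(matches, key=lambda d: CONNECTION_TYPE_ORDER.index(d.connection_type))


def same_named_network(a: str, b: str, named_networks: Dict[str, Set[str]]) -> bool:
    return any(a in members and b in members for members in named_networks.values())


PathResult = Tuple[int, Optional[List[str]], Optional[str]]  # (step, hops, type)


def find_path(source: str, destination: str, docs: Sequence[ConnectionDocument],
              named_networks: Dict[str, Set[str]],
              _visited: FrozenSet[str] = frozenset()) -> PathResult:
    """Return the step at which a path was found, the hop list, and the
    connection type used; (7, None, None) when no path exists."""
    visited = _visited | {source, destination}
    for priority, step in (("Normal", 3), ("Low", 6)):
        for doc in candidate_documents(source, destination, docs, priority):
            if doc.connection_type in ("Passthru Server", "Hunt Group"):
                # The passthru server must itself be reachable, possibly through
                # another Connection document or the same Notes named network.
                if doc.passthru_server is None or doc.passthru_server in visited:
                    continue
                _, hop_path, _ = find_path(source, doc.passthru_server, docs,
                                           named_networks, visited)
                if hop_path is None:
                    continue
                return step, hop_path + [destination], doc.connection_type
            return step, [source, destination], doc.connection_type
        if priority == "Normal" and same_named_network(source, destination, named_networks):
            return 4, [source, destination], "Notes named network"
    return 7, None, None


def unreachable_passthru_documents(docs: Sequence[ConnectionDocument],
                                   named_networks: Dict[str, Set[str]]
                                   ) -> List[ConnectionDocument]:
    """Passthru documents whose source cannot reach the passthru server; each
    of these needs an additional Connection document before it can work."""
    return [d for d in docs if d.passthru_server is not None
            and find_path(d.source, d.passthru_server, docs, named_networks)[1] is None]


# Constructed sample directory: two Notes named networks and six documents.
NAMED_NETWORKS = {
    "TCPIP-East": {"Hub-E/East/Acme", "HR-E/East/Acme"},
    "TCPIP-West": {"Hub-W/West/Acme", "HR-W/West/Acme"},
}
CONNECTION_DOCUMENTS = [
    ConnectionDocument("Hub-E/East/Acme", "Hub-W/West/Acme", "Notes Direct Dialup"),
    ConnectionDocument("Hub-E/East/Acme", "Hub-W/West/Acme", "Network Dialup"),
    ConnectionDocument("Hub-E/East/Acme", "HR-W/West/Acme", "Passthru Server",
                       passthru_server="Hub-W/West/Acme"),
    ConnectionDocument("HR-E/East/Acme", "Hub-W/West/Acme", "Passthru Server",
                       passthru_server="Hub-E/East/Acme"),
    ConnectionDocument("HR-E/East/Acme", "HR-W/West/Acme", "Notes Direct Dialup",
                       usage_priority="Low"),
    ConnectionDocument("HR-W/West/Acme", "Hub-E/East/Acme", "Passthru Server",
                       passthru_server="Gateway/Acme"),   # no document reaches Gateway
]
```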
Replication and server topology
As the number of Domino servers on your network increases, so does the
amount of replication required to distribute information across the
network. Because replication uses memory and processing time, plan
how servers connect to perform replication. If you allow servers to
replicate at random, so that a given server replicates a single database
with multiple servers, or perhaps replicates different databases with
different servers, servers can become so overloaded with replication
requests that it interferes with their ability to respond to client requests.
To provide for efficient replication, consider setting up some servers as
dedicated replication servers. Using dedicated servers to handle
replication greatly reduces the amount of work that database servers have
to devote to replication, because the database servers have to replicate with
the replication servers only, instead of having to replicate with every
server that maintains a copy of a given database. To control replication,
you create Connection documents that specify which servers to replicate
with and when.
How you connect servers for replication depends on many factors,
including the layout of physical network and the size of your
organization, as well as the extent to which you want to re-use existing
Connection documents created for mail routing. There are several
different configurations, or topologies, you can use to control how
replication occurs between servers:
• Hub-and-spoke
• Peer-to-peer
• Ring
Choose the replication strategy that provides the most efficient
replication performance. In many cases, you’ll use different topologies in
different parts of the network.
Using a hub-and-spoke topology to manage replication
A hub-and-spoke topology is generally the most common and efficient
replication topology in larger organizations, because it minimizes
network traffic. Hub-and-spoke replication establishes one central server
as the hub, which schedules and initiates all replication with all of the
other servers, or spokes. The spokes update the hub server by replication
(and mail routing), and the hub in turn updates each spoke. Hub servers
replicate with each other or with master hub servers in organizations that
use more than one hub. In short, the hub server acts as the traffic
manager of the system, overseeing system resources, ensuring that
replication takes place with each spoke in an orderly way, and
guaranteeing that all changes are replicated to all spoke servers.
To set up replication in a hub-and-spoke system, you create one
Connection document for each hub-and-spoke connection. To ensure that
the replication task on the hub, rather than the spokes, assumes most of
the work always, in each Connection document specify the hub server as
the source server, the spoke server as the destination server, and
pull-push as the replication method.
A hub-and-spoke topology can be especially useful at large,
multiple-server sites or in a centralized office that needs to connect via
phone or leased lines to smaller, regional offices. If you have a large site,
you can use a combination of topologies — for example, two
hub-and-spoke arrangements and one peer-to-peer arrangement between
the two hub servers.
The major drawback of hub-and-spoke topology is that it is vulnerable to
single point of failure if the hub is not working. Deploying a backup
server that replicates the hub and can quickly be reconfigured into a hub
server if the primary hub goes down can alleviate this shortcoming.
Benefits of a hub-and-spoke topology
1. Install multiple protocols on hub servers to enable communication in
a Domino system that uses more than one protocol. This places hub
servers in multiple Notes named networks, another source of
efficiency. Hub servers can connect multiple Notes named networks,
where a single hub server and its spoke servers often make up one
Notes named network.
2. Bridge parts of a network — for example, a LAN and a WAN.
3. Centralize administration of the Domino Directory, standardize
database ACLs, and limit access to the hub. You can designate the
hub with Manager access and the spokes with Reader access so that
you make those changes on one replica on the hub to synchronize the
spokes.
4. Designate hubs by role — for example, replication hubs and mail
hubs.
5. Place server programs such as message transfer agents on hubs to
make them easily accessible.
6. Connect remote sites with a hub server.
7. Minimize network traffic and maximize network efficiency.
8. Centralize data backup at the hub. By backing up databases on the
hub only, you conserve resources on spoke servers.
9. Improve server load balancing. However, network traffic increases
on the hub LAN segment. If you have more than 25 servers per hub,
establish tiers of hubs. If a hub goes down, replication for that hub
and its spokes is disabled until the hub is repaired or replaced.
Note Do not use hub-and-spoke replication for databases larger than
100MB that have replicas on less than four servers. Instead, schedule
replication for these databases to occur separately from other
replications.
Using a peer-to-peer topology to manage replication
In a peer-to-peer topology, replication is less centralized than in a
hub-and-spoke configuration, with every server being connected to every
other server. Because peer-to-peer replication quickly disseminates
changes to all servers, it is often the best choice for use in small
organizations, or for sharing databases locally among a few servers.
However, it can be inefficient when a database resides on more than a
few servers.
In a peer-to-peer topology, the potential for replication problems
decreases, because only two servers communicate for each replication
and no hub or intermediary servers are involved. However, peer-to-peer
replication requires many Connection documents, increases
administration since you must avoid overlap in replication schedules,
and prevents you from standardizing ACL requirements.
Other topology strategies
Another method of managing replication is to use Cluster replication.
This ensures constant access to data, because data on one server is
duplicated on one or more cluster mates. If the primary server becomes
unavailable, data can be obtained from other servers in the cluster.
For more information on using clusters, see the book Administering
Domino Clusters.
Other replication topologies include:
• End-to-end - Also known as a chain topology, connects two or more
  servers in a chain. Information travels in one direction along the
  chain and then travels back in the other direction. End-to-end
  replication is less efficient than ring replication but is useful in
  situations where information needs to travel in only one direction.
• Ring - Similar to an end-to-end topology, but connects servers in a
  circle so that replication occurs within a closed loop. Ring replication
  can be useful in a large organization for replicating information
  between hub servers.
• Binary tree - Connects servers in a pyramid fashion: the top server
  connects to two servers below, each of which connects to two servers
  below, and so on. Information travels down the pyramid and then
  back up.
Using existing mail routing connections for replication
As you plan for replication, consider re-using the connections you may
have already set up for Notes mail routing. If you previously created a
Connection document for mail routing, you can easily enable the
replication task on that document.
Unlike mail routing, which works in one direction and requires a pair of
Connection documents to enable two-way routing, replication between
servers works in both directions, and requires only one Connection
document between each pair of servers. Because the server that initiates
replication takes on the larger share of the replication workload, if you
decide to add replication to one of the Connection documents already used
for mail routing between two servers, add the replication task to the
document on the more powerful server in the pair.
Examples of server topology
This topic provides examples of the following server topologies:
• Example of hub server topology
• Hub-and-spoke topology
• Hub-and-spoke with peer-to-peer topology
• Application server topology
• Mail and directory server topology
• Remote server topology
Example of hub server topology
The hub servers at Acme Corporation handle server communication
between servers located on the East and West Coasts. These servers are
geographically distant and connect over the Internet using a modem or
ISDN line. Controlling communication through hub servers is beneficial
because it centralizes administration for connections that may be costly
or time consuming.
By using hub servers, only two servers, not every server in the
organization, need to make the remote connection.
The firewall server is a Domino server that protects Hub-E/East/Acme
and Hub-W/West/Acme from outside users. Because the firewall server
uses Domino instead of some other type of firewall software, the hub
servers can use Domino features, such as mail and replication, to send
and receive information.
Example of hub-and-spoke topology
In this example, the Acme Corporation has one hub server,
Hub-E/East/Acme, and three spoke servers. The spoke servers —
HR-E/East/Acme, HR-S/South/Acme, and HR-W/West/Acme —
contain an Employee Benefits application. Employees on the East Coast
access the application on HR-E/East/Acme; employees on the West
Coast access a replica of the application on HR-W/West/Acme; and
employees in the South access a replica of the application on
HR-S/South/Acme. Any changes to the application replicate through
Hub-E/East/Acme to the HR servers. The HR servers send changes to
the hub, which then sends changes back to the HR servers. With the three
Connection documents that Acme created, the hub server performs the
replication, reducing the load on the spokes. Making the application
available to East, West, and South users prevents them from making
costly WAN connections to the application.

Example of hub-and-spoke with peer-to-peer topology
In this example, the Acme Corporation has two hub servers —
Hub-W/West/Acme and Hub-E/East/Acme — connected peer-to-peer.
Each hub server replicates with several spoke servers. Any changes
replicate through the hubs to the spoke servers. The spoke servers send
changes to the hub, and then the hubs replicate with each other and send
changes back to the spoke servers.
Example of application server topology
Depending on where you locate applications, they can be accessible to
Notes users, to browser users, or to both Notes and browser users. To be
available to browser users, an application must be on a Domino Web
server.
In this example, Web/East/Acme stores a Web application for the
organization’s Web site. The application is accessible to browser users
who are outside the Acme Corporation. Webstage-E/East/Acme and
Webstage-W/West/Acme have replicas of the Web application. Users
can make changes to the Web application on Webstage-E/East/Acme
and Webstage-W/West/Acme. Webstage-W/West/Acme uses a
schedule that sets up replication through the hub servers to
Webstage-E/East/Acme. Webstage-E/East/Acme does not have a
replication schedule, so once changes to the Web application are
complete, users manually replicate changes from
Webstage-E/East/Acme to Web/East/Acme. This replication makes the
changes available to users outside the Acme Corporation.
The Acme Corporation also has two servers that do not host Web
applications — HR-E/East/Acme and HR-W/West/Acme. These
servers contain an Employee Benefits application that only internal
employees who use a Notes workstation can access. Employees on the
East Coast access the application on HR-E/East/Acme, and employees
on the West Coast access a replica of the application on
HR-W/West/Acme. Any changes to the application replicate through
the hub servers to the HR servers. Making the application available to
East and West Coast users prevents them from making costly WAN
connections to the application.
In this example, three firewalls on Domino servers are used to protect the
Acme network from external intruders: one firewall exists between the
hub server in Acme’s West Coast office and the public network over
which it communicates with the East Coast Office; a second firewall
protects the hub server at the East Coast office; a third firewall protects
Webstage-E/East/Acme from attacks that might come from the Internet
through Web/East/Acme.
Example of mail and directory server topology
The Acme Corporation uses two mail servers — one for each geographic
location. All users send mail using a mail database located on either
Mail-E/East/Acme or Mail-W/West/Acme. The mail databases are
accessible to all mail client software — Notes workstations, IMAP, POP3,
and browsers.
Routing mail messages is similar to replicating changes made in
databases. In this example, the mail servers route messages through the
hub servers to the mail server in the other location. For example, when
Alan Jones/Sales/East/Acme sends a message to Susan
Salani/HR/West/Acme, the message routes from Mail-E/East/Acme to
Hub-E/East/Acme, from Hub-E/East/Acme to Hub-W/West/Acme,
and then from Hub-W/West/Acme to its final destination
Mail-W/West/Acme. Susan Salani/HR/West/Acme reads the message
on her mail server, Mail-W/West/Acme.
Directory servers provide users and servers with information about other
users and servers — for example, information needed to address or send
mail. Directories contain information about how to communicate with all
Notes and Internet users and Domino servers. In many cases, you can set
up a mail server as a directory server.
In this example, a condensed directory catalog is on each Notes client
and a Domino Directory is on each server — Mail-E/East/Acme,
Hub-E/East/Acme, Hub-W/West/Acme, and Mail-W/West/Acme. To
resolve names, clients check the local directory catalog first; if the name is
not there, Domino checks the Domino Directory.
Domino uses replication, which is the process by which Domino updates
one directory database with changes from a directory database on
another server. For example, if a change is made on Mail-E/East/Acme,
the change is sent to the replicas on Hub-E/East/Acme,
Hub-W/West/Acme, and Mail-W/West/Acme. Users cannot access the
directories on the hub servers; users access directories only on the mail
servers.
At Acme Corporation, replication occurs automatically at a scheduled
time. The replication schedule determines how long it takes for changes
to appear on the directory servers.
Again, a firewall using a Domino server lets you use Domino features to
send information across the WAN — in this case, you use the mail
routing and replication features.
Example of remote server topology
users and servers have access to the entire system by connecting to one
server (the passthru server). Acme uses the passthru to function only as a
bridge between the remote user or server and the rest of the system. To
keep the load on the passthru to a minimum, the server does not contain
application or mail databases.
Users who work remotely dial in through the passthru server and can
access any server in the system. Because most of Acme’s users who dial in
remotely have only one modem on their system, using the passthru
server allows them to access multiple servers with one connection. To
reduce traffic on the passthru server, Acme recommends that its remote
users replicate databases and then work on the local replicas, dialing in
only occasionally to replicate with the server replicas.
Acme dedicated five modems to the passthru server. The remote server
also dials into one of these modems for replication. Because this server
makes its connection in the early morning hours, the connection does not
conflict with users trying to access the system.
Acme uses a hunt group configuration for its modems so that users have
only one phone number to dial when connecting. Acme’s phone
infrastructure is set up so that multiple modems can have one phone
number. For this type of hunt group (all modems are on one server),
Acme does not need to create a Connection document to set up the hunt
group.
The remote server is in Acme’s satellite office in Ohio. Employees who
work in this office focus on marketing and use this server to access
various marketing related databases. The remote server contains replicas
of relevant databases, and it replicates once a day to update the
databases. By using the remote server, users in the Ohio office save time
and resources because they don’t have to dial into Acme’s system as
often.
Creating a LAN connection
You must create a Connection document to schedule mail routing to and
replication between servers on a LAN. You might also need to create a
Connection document to provide the information needed to ensure a
server uses a certain protocol when connecting to another server on the
LAN.
A LAN Connection document can also be used to provide the
information needed for servers to make other types of connections, such
as constant connections to Internet servers.
1. From the Domino Administrator, click the Configuration tab.
2. Select the connecting server’s Domino Directory in the “Use
Directory on” field.
3. Click Server, and then click Connections.
4. Click Add Connection.
5. Select Local Area Network in the “Connection type” field.
6. Complete these fields:

Connection type: Select Local Area Network.

Source server: The name of the connecting server.

Source domain: The name of the connecting server’s domain. This field is
required only for mail routing.

Use the port(s): The name of the network ports (or protocols) that the
connecting or source server uses to connect to the destination server.

Usage priority: Choose one: Normal (default) - Select this option if this
document defines the primary path to a server. Low - Select this option
to define a backup path to a server. For more information about the
effect of specifying the usage priority for a connection, see the topic
“Forcing a server connection to use a specific protocol” later in this
chapter.

Destination server: The name of the answering server.

Destination domain: The name of the answering server’s domain. This field
is required only for mail routing.

Optional network address: Provide an optional network address to
facilitate attempts to locate the destination server over a TCP/IP
connection. If the field contains no entry, Domino attempts to determine
the address of the destination server from the following sources: the
server’s memory cache, an External Domain Network Address document, or
system services that search the local hosts file or DNS to resolve the
name. Enter a fully-qualified host name or IP address — for example,
HR-E.Acme.com or 192.22.256.36. Because IP addresses are subject to
change, for ease of management, it’s best to use host names in Connection
documents. When a host name is used, if the IP address changes, the
connecting server obtains the updated IP address from DNS.
7. Click the Replication/Routing and Schedule tabs to define the tasks
you want to run, and select the times you want the server to contact
its destination.
8. Click Save & Close.
Forcing a server connection to use a specific protocol
If multiple protocols are available for connecting a source server to a
given destination, you can specify which protocol to use by setting the
usage priority in a Connection document describing how the source
server contacts the destination. The usage priority specified in a
Connection document determines the order in which Domino selects the
Connection document when searching for how to connect a source server
to a destination. If multiple ports are enabled on the two servers, you can
force Domino to use a specific port by specifying it in the Connection
document and setting the Usage priority field to Normal.
For example, suppose that both SPX and TCP/IP are enabled on Server
A, the source server, and Server B, the destination server. You create a
Connection document from Server A to Server B specifying that Server A
uses the port TCP/IP to contact Server B and set the usage priority in this
document to Normal. When determining how to connect to Server B,
Server A first checks the Domino Directory for a normal-priority
Connection document governing the connection. After locating the
document, Server A learns that the TCP/IP port is specified, and
proceeds to use that port to attempt a connection to Server B. Setting the
usage priority works for all types of Connection documents: LAN, Notes
Direct Dialup, Network Dialup, Passthru, and so forth.
If multiple normal-priority Connection documents exist for the same
destination server, the connecting server chooses one based on the type
of connection in the following order of preference:
1. Local Area Network
2. Network Dialup
3. Notes Direct Dialup
4. Passthru server
5. Hunt group of passthru servers
You can also use the usage priority setting to configure a backup path to
a destination server. When you set the usage priority for a Connection
document to Low, the connecting server only uses the information in the
document to connect to the destination server as a last resort, after it has
exhausted all other possible means of locating connection information.
For more information on how a server determines the route to a
destination, see the topic “How a server connects to another server”
earlier in this chapter.
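The selection order described above, as an added illustration that is not Domino’s own code: Normal-priority Connection documents are tried first, ordered by connection type, and Low-priority documents only as a last resort. The ConnectionDoc type and the sample documents for Server A and Server B are constructed for this example.

```python
"""Illustrative model (not Domino's own code) of the Connection document
selection order: Normal priority before Low, and among Normal-priority
documents the order Local Area Network, Network Dialup, Notes Direct
Dialup, Passthru server, Hunt group of passthru servers."""
from dataclasses import dataclass
from typing import List, Optional

# Order of preference among Normal-priority Connection documents
TYPE_PREFERENCE = [
    "Local Area Network",
    "Network Dialup",
    "Notes Direct Dialup",
    "Passthru server",
    "Hunt group of passthru servers",
]


@dataclass(frozen=True)
class ConnectionDoc:
    source: str                      # connecting (source) server
    destination: str                 # answering (destination) server
    connection_type: str             # one of TYPE_PREFERENCE
    port: str                        # value of "Use the port(s)", e.g. "TCP/IP"
    usage_priority: str = "Normal"   # "Normal" (default) or "Low"


def candidate_paths(docs: List[ConnectionDoc], source: str,
                    destination: str) -> List[ConnectionDoc]:
    """Return the documents the source server would try, in order."""
    mine = [d for d in docs
            if d.source == source and d.destination == destination]
    for d in mine:
        if d.connection_type not in TYPE_PREFERENCE:
            raise ValueError(f"unknown connection type: {d.connection_type}")
        if d.usage_priority not in ("Normal", "Low"):
            raise ValueError(f"unknown usage priority: {d.usage_priority}")
    # Normal-priority documents first, ordered by connection type preference;
    # sorted() is stable, so documents of the same type keep Directory order.
    normal = sorted((d for d in mine if d.usage_priority == "Normal"),
                    key=lambda d: TYPE_PREFERENCE.index(d.connection_type))
    # Low-priority documents define the backup path and are used only last.
    low = [d for d in mine if d.usage_priority == "Low"]
    return normal + low


def forced_port(docs: List[ConnectionDoc], source: str,
                destination: str) -> Optional[str]:
    """The port the first-choice document forces, or None if no path exists."""
    paths = candidate_paths(docs, source, destination)
    return paths[0].port if paths else None


# Constructed sample: Server A and Server B both have SPX and TCP/IP enabled.
SAMPLE_DOCS = [
    ConnectionDoc("Server A", "Server B", "Notes Direct Dialup", "COM1"),
    ConnectionDoc("Server A", "Server B", "Local Area Network", "SPX", "Low"),
    ConnectionDoc("Server A", "Server B", "Local Area Network", "TCP/IP"),
    ConnectionDoc("Server B", "Server A", "Local Area Network", "SPX"),
]

if __name__ == "__main__":
    for d in candidate_paths(SAMPLE_DOCS, "Server A", "Server B"):
        print(d.usage_priority, d.connection_type, d.port)
```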
To set the usage priority for a connection
1. From the Domino Administrator, click the Configuration tab.
2. Click Server, and then click Connections.
3. Select the Connection document for which you want to set the usage
priority, and click Edit Connection.
4. Complete this field, and then click Save & Close:

Usage priority: Choose one:
Normal - This Connection document defines a primary path to the
destination server. The connecting server attempts to use this Connection
document to make the connection to the destination server.
Low - This Connection document defines a backup path to the destination
server. The connecting server uses this Connection document only as a
last resort when trying to connect to the destination server.
Setting up external domain lookups
By default, a Notes user who wants to open a database on a server
outside the local Domino domain can do so only if there is a Connection
document, either in their Personal Address Book or in the Domino
Directory on their home server, that describes how to reach the target
server. To enable Notes users to connect more easily to servers outside
their domain, you can create an External Domain Network Information
(EDNI) document in the Domino Directory.
The EDNI document works in conjunction with a server task called
GETADRS to import address information from another Domino domain
so that Notes users can connect to servers in the external domain. In the
EDNI document, you specify the external Domino domain containing the
servers you want users to connect to and the protocols for which you
want connection information. In many cases, TCP/IP is the only protocol
for which you may need a document. You also specify a server in your
local domain that requests the information (Requesting Server) and a
server in the external domain that supplies the information (Information
Server).
To gather information, the requesting server runs the GETADRS
program, which asks the specified information server for a list of the
servers in the external Domino domain. GETADRS returns the address
information it obtains to an AdminP request for processing. When the
Administration server processes the request, it places the information in
the Domino Directory as a response document to the original EDNI
document.
After AdminP adds the server address information to the local Domino
Directory, users attempting to open databases on servers in the external
domain can use the information from this document to make the
connection without requiring a Connection document.
Using EDNI documents, you can reduce the number of Connection
documents in the Domino Directory, eliminating those that are not
required for replication or routing.
Before creating an EDNI document, determine if the connection
information is useful for the domain. For example, if you are using the
NetBIOS protocol, which isn’t a routable protocol, a direct connection to
the external domain may not be possible even if you have the network
address of the server in an EDNI document. Also, if an external domain
server has multiple TCP/IP ports, the host name or address returned to
the EDNI document may not be the address of the appropriate port to
use. Because each protocol has its own constraints, you should thoroughly
research and test the external domain lookup capability using the
network system configuration at your organization before using it.
To share information across domains, the Domino domain requesting the
information must be cross-certified with the external domain.
Because the Requesting Server gathers information from Server
documents in an external domain, these documents need to be
configured properly to enable successful server name lookups. For
example, a document with a fully qualified host name or IP address
would enable a successful lookup, but a document with only the server
common name may not (unless that common name were a full host
name).
The data from an external domain server lookup resolves client requests
for a server address only; it does not add additional server names to a
client’s request for a list of servers.
To set up an External Domain Network Information document
1. Verify that the local domain is cross-certified with the external
domain.
2. From the Domino Administrator, click the Configuration tab.
3. Open the Server folder, and then click External Domain Network
Information.
4. Click Add Ext Domain Net Info.
5. Complete these fields, and then click Save & Close:

Requesting server: The name of the local domain server that performs the
request for external domain information. This server runs the GETADRS
task to obtain information from the information server in the external
domain.

Information server: The name of the server in the external domain from
which the requesting server obtains information.

Domain to query: The name of the external domain.

Protocols to query: The name of one or more protocols in the external
domain to query. Specify only protocols that are used in both domains.
6. Run the GETADRS program on the Requesting server. You run
GETADRS using any of these methods:
• Run the program manually from the server console by entering:
LOAD GETADRS
• Create a Program document to run the program as a scheduled
task. Running GETADRS as a scheduled task ensures that
information in the local Domino Directory remains synchronized
with updates from the external domain.
For information about running server tasks in a Program document,
see the appendix, “Server Tasks.”
• Add GETADRS to the ServerTasks or ServerTasksAt lines in the
NOTES.INI file of the requesting server; the task runs at server
startup, or at the specified time, respectively.
After GETADRS obtains information from the external domain, for
each protocol specified in the EDNI, AdminP creates an External
Domain Network Address document as a response document to the
original EDNI. Each response document contains the names and
addresses of the servers in the queried domain that use that protocol.
By default, AdminP processes the information returned by
GETADRS to create the External Domain Network Address
documents at the interval scheduled in the Server document. You
can run AdminP manually to force it to process the request
immediately.
For more information about scheduling AdminP requests, see the
chapter “Setting Up the Administration Process.” For information
about Tell commands used with AdminP, see the appendix “Server
Commands.”
Internet connections
To enable a Domino server to connect to another server across the
Internet, you must establish Internet access with an Internet Service
Provider (ISP) and register an Internet domain name with the ISP — for
example, acme.com. After you contract Internet service, create
Connection documents to instruct the local Domino servers how to
contact the target server.
Servers can connect to the ISP using a direct connection or by way of a
Domino or non-Domino proxy server. If the local network uses a proxy
server to connect to the Internet, the calling Domino server does not need
to connect to the ISP directly, because the proxy server establishes this
connection to the ISP.
Servers connecting to the Internet require networking software that is
compatible with the Internet. If TCP/IP is not already installed on the
Domino server, install the protocol using the installation instructions
included with the operating system. If you do not have a Domino
TCP/IP port enabled for the server, add and enable the port.
For information about adding a network port to a Domino server, see the
chapter “Setting Up the Domino Network.”
Direct (leased-line) connection
A leased-line connection is considered a direct connection to the Internet.
If you have a leased-line connection, Domino servers on the internal
LAN connect to the Internet through a firewall or router over a lease

A firewall filters traffic passing between the internal network and the
Internet and is usually part of a TCP/IP router. Most firewalls work by
hiding the IP addresses of computers on your internal network from the
Internet, thus breaking the connection between the internal and external
networks, so that while there is a connection between the internal LAN
and the firewall, and from the firewall to the Internet, there’s no direct
connection between the Internet and the local network.
To connect a Domino server to an Internet server over a direct
connection, create a LAN Connection document to the target server.
For more on how to create a LAN Connection document, see the topic
“Creating a LAN connection” earlier in this chapter.
Proxy connections
A proxy is a server that provides indirect access to the Internet. A proxy
server usually runs in conjunction with firewall software to pass
incoming and outgoing requests between servers on either side of a
firewall. If your organization uses a proxy server for its Internet
connection, a Domino server on the internal LAN connects to the Internet
through the proxy and firewall servers, which, in turn, connect to your
ISP. Because the proxy server establishes the connection with the ISP, the
Domino server does not connect to the Internet directly.
[Figure: Webstage-E connects through a firewall/router over a leased line to the ISP]
A Domino proxy server is one type of proxy server. You set up a Domino
passthru server as a proxy for the Internet the same way that you set up a
passthru server for internal Domino communication. You do not need to
configure the server differently for Internet connections. The proxy
server does not have to be a Domino server.
Creating a server-to-server Internet connection through a proxy
server
When two Domino servers both have direct, constant connections to the
Internet, each can use the IP address of the other to contact it as though
both servers were on the same LAN. To define the connections between
the two, you create a LAN Connection document.
However, when a server is connected through a proxy server, rather than
having a direct connection, after you create a LAN Connection document
to define the connection, you must complete the proxy information in the
Server document of the calling server as described in the following
procedure:
1. From the Domino Administrator, click the Configuration tab and
expand the Server view.
2. Select the Server document of the server to connect to the Internet
through the proxy, and click Edit Server.
3. Click the Ports - Proxies tab, and then do one of the following:
• To connect through an HTTP proxy, in the HTTP Tunnel proxy
field, enter the proxy’s fully-qualified domain name or IP address
and specify the port to use for the connection. For example, enter
httpproxy.company.com:8080 or 192.168.77.34:8080.
• To connect through a SOCKS proxy, in the SOCKS proxy field,
enter the fully-qualified domain name or IP address of the SOCKS
proxy and specify the port to use for the connection. For example,
enter socks.company.com:1080 or 192.168.77.34:1080.
Note If you enter values for both fields, Domino uses the HTTP
Tunnel proxy.
4. Click Save & Close.
Note By default, if the server is configured to use a proxy, it uses the
proxy for all connections. To prevent use of the proxy for connections to
certain servers, enter the server names in the “No Proxy for these hosts or
domains” field on the Ports - Proxies tab on the Server document.
Passthru servers and hunt groups
Passthru is a process that runs on a server and establishes connections
between the users and servers connected to that server and other servers.
Passthru connections use an intermediary server as a “stepping stone” to
connect the two servers. Passthru is useful in two instances:
• When two servers cannot connect directly — When a client (in this
case, either a Notes client or a Domino server) does not share a
common protocol with a destination server, you can set up an
intermediary server that runs both protocols as a passthru server to
enable the client to connect to the destination. For example, suppose
that Server A, which runs only NetBIOS, needs to connect to Server C,
which runs only TCP/IP. If Server B runs both NetBIOS and TCP/IP,
Server B can act as a passthru server to allow communication
between Server A and Server C.
• When you want to provide additional security — Domino lets you
apply additional access controls to passthru connections, enabling
you to use a passthru server as a proxy server for filtering NRPC
traffic. You can specify the users and servers that can access a server
as a passthru destination, as well as those that can use a server to
make passthru connections to another server. Internet protocols such
as HTTP, IMAP, and LDAP cannot use a Domino passthru server to
communicate with a destination server.
You can set up a passthru server so that it leads to additional passthru
servers as well as directly to a passthru destination server. Thus, you can
chain together multiple passthru connections to enable a client to pass
through several servers until it connects to a given target server.
Passthru access is valuable to Notes client users as well. When you
provide a Notes client with access to a passthru server, the client user
can connect to a single server to access other network servers. For mobile
users, this enables access to multiple destination servers on the same
LAN over a single phone connection. Using a passthru server this way
saves the time and expense of configuring many individual servers to
support modem connections and spares Notes client users from making
multiple phone calls to access multiple servers.
Passthru logging
To enable monitoring of passthru traffic for security reasons, after you
configure a server as a passthru server, the server log (LOG.NSF) records
information about passthru sessions established through that server. For
example, the log records information about users who access this server
to make passthru connections to other servers.
For more information about server log files, see the chapter “Using Log
Files.”
Hunt groups
If your telecommunications infrastructure supports a hunt group — that
is, a pool of modems that are connected to different phone lines but that
use a single phone number — you can configure Domino servers and
Notes client users to connect to a hunt group on a passthru server.
Whenever a call is made to the hunt group number, the incoming call is
routed to the first available modem in the group.
You can use a hunt group with one or more passthru servers. If more
than one passthru server is used in the hunt group, to allow any passthru
server in the hunt group to receive a call and route it to the destination
server, the calling server or user must use a Hunt Group Connection
document.
For more information about configuring Lotus Notes clients to use a
passthru server, see Lotus Notes 6 Help.
Planning the use of passthru servers
Perform these steps to set up passthru servers:
1. List all the workstations and servers that need to access a passthru
server. Also list the protocols that the workstations and servers run.
2. List the destination servers that the workstations and servers need to
access. Also list the protocols that the destination servers run.
3. Determine where in the topology to locate the passthru server based
on which workstations and servers need access and which servers
are the destinations. The passthru server must run all of the protocols
that the workstations and servers that access it run, as well as all of
the protocols of the destination servers. In addition, the passthru
server must have enough modem connections to handle the
anticipated dial-in traffic.
If you anticipate high traffic through the passthru server, create a
dedicated passthru server. A dedicated passthru server does not
contain applications and mail databases. It functions solely to
provide workstations and servers with access to destination servers.
Also, determine if you want to use more than one passthru server in
a hunt group. In a hunt group, one phone number represents all
passthru servers in the group, and the load is automatically spread
among the passthru servers. Be sure to set up all passthru servers in
a hunt group to pass through to the same destination servers.
4. Determine the users and servers whose access to the passthru servers
and destination servers you need to restrict. Create policy settings
documents that include setup and desktop settings to prevent access
to the servers.
5. List the Notes client users that need to use a passthru server and
determine a default passthru server for each. If you have many Notes
client users, create user setup policies to evenly assign them among
the default passthru servers to ensure optimal server performance.
If you plan to use hunt groups, list which Notes client users will
connect to each hunt group. Record the name and phone number of
the hunt group and the names of all the destination servers that
members of the hunt group pass through to.
For more information about using policies to manage server access, see
the chapter “Using Policies.”

Example of a passthru server topology
The Acme company has a dedicated passthru server that functions only
to provide workstations and servers with access to destination servers.
This server does not contain any databases. The passthru runs all the
protocols that the destination servers run so that users and servers that
connect to it have access to the entire system.
Note that passthru can benefit users and servers on the same network as
the passthru server as well as remote users and servers. For example,
some of the Notes clients in the above diagram are on the same LAN as
Webstage-E and HR-E, but because they do not share any protocols, they
cannot access these servers without using passthru.
The above topology requires the following configuration:
• Notes Direct Dialup Connection document on the remote server for
connection to the passthru server.
• Passthru Connection document on the remote server to specify
passthru.
• Connection documents on the remote server for connection to each
destination server.
• Modified Location document on local Notes clients to specify the name
of the passthru server.
• Notes Direct Dialup Connection document on remote Notes clients
for connection to passthru.
• Passthru Connection documents on remote Notes clients to specify
the passthru connection.
• Modified Server documents (to allow appropriate access rights) on
passthru and destination servers.
Setting up a server as a passthru server
Set up a server as a passthru server to enable users and other servers to
route through it to connect to a passthru destination server.
1. From the Domino Administrator, click the Configuration tab.
2. Click Server - All Server Documents.
3. Open the Server document for the server that you want to set up as a
passthru server, and click Edit Server.
4. Click the Security tab, and in the Passthru Use section, complete
these fields and then click Save & Close:

Access this server: If this server is not a passthru destination, leave
this field blank. For information about setting up a server as a
passthru destination, see the topic “Setting up a server as a passthru
destination” later in this chapter.

Route through: Specifies the names of the users, groups, and servers
allowed to connect to a destination server through this server. When
this field is blank (the default), the server does not allow passthru
connections.
Enter an asterisk (*) to provide passthru access for all users and
servers, even those not listed in the Domino Directory. Enter a
hierarchical name with an asterisk as the common name to provide access
for all users and servers certified by a particular organization or
organizational unit. For example, the entry */Acme allows access to all
users in the Acme organization.
Separate multiple entries with commas or semicolons.
Entries in this field are granted passthru access, even if denied
general access to the server in the Server Access section of the Server
document Security tab.

Cause calling: Specifies the names of users, groups, and servers allowed
to use the modem on this server to connect to a remote destination
server. By default, this field is blank and the server prohibits all
incoming connections from generating calls to other servers. Enter an
asterisk (*) to allow incoming connections from any source to initiate a
call to a destination server.
If you allow incoming connections from any source to initiate calls,
when recording the event in the Passthru Connections view of the Notes
Log, Domino indicates only that the connecting client was not
authenticated, rather than specifying the name of the source.

Destinations allowed: Specifies the names of the remote servers this
server can connect to as passthru destinations. By default, this field
is blank and the server allows routing to all servers configured as
passthru destinations. Adding entries to this field restricts passthru
access from this server to the specified destination servers only.
5. Set up servers as passthru destinations.
For information about setting up a server as a passthru destination,
see the topic “Setting up a server as a passthru destination” later in
this chapter.
6. Create Connection documents as necessary to connect the passthru
server to destination servers that do not share the same LAN.
Setting up a server as a passthru destination
Set up a server as a passthru destination to enable users and servers to
access it through a passthru server.
1. From the Domino Administrator, click the Configuration tab.
2. Click Server - All Server Documents.
3. Open the Server document for the server that you want to set up as a
passthru destination, and click Edit Server.
4. Click the Security tab, enter values in this Passthru Use field, and then save the document:

Field Description
Access this server: Specifies the names of the users, groups, and servers allowed to access the server as a passthru destination. When this field is blank (the default), the server is not available as a passthru destination. Enter an asterisk (*) to provide access for all users and servers, even those not listed in the Domino Directory. An asterisk followed by a certifier name provides access for all users and servers certified by a particular organization or organizational unit. For example, the entry */Acme allows access to all users in the Acme organization. Separate multiple entries with commas or semicolons.

Note Access to a passthru destination is subject to restrictions set in the Server Access section of the Server document’s Security tab. These fields define general access to the server.
You can grant a user or server general access to a server and prohibit
access to the same server as a passthru destination. However, if you deny
a user or server general access to a server, those users and servers cannot
access the server as a passthru destination.
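The interaction between the Passthru Use fields and general server access is easy to get wrong when reviewing a Server document: Route through grants passthru even to a name denied general access to the passthru server, while a passthru destination refuses anyone denied general access to it. The following is an added example, not IBM Lotus Domino code, that models those rules as described above so an administrator can check a proposed configuration before saving it. The ServerDoc class, the function names, the flat group model and the sample names (Hub-E/Acme, HR-E/Acme, Mail-E/Acme, Jane Doe/Sales/Acme, Bob Smith/Sales/Acme, the FieldStaff group) are constructed for the illustration; the simplified Server Access model (a name in “Not access server” is refused, a non-blank “Access server” must cover the name) is an assumption of the example.

```python
"""Model of the passthru access checks in the Domino Server document.

Added example, not IBM Lotus Domino code. Field semantics (asterisk,
*/Org wildcards, comma or semicolon separators, blank-field defaults,
which checks override general access) follow the descriptions on this
page; the classes, names and sample data are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Dict, List

Groups = Dict[str, List[str]]   # group name -> members (flat model, an assumption)


def parse_entries(value: str) -> List[str]:
    """Split a multi-valued field on commas or semicolons, dropping blanks."""
    return [e.strip() for e in re.split(r"[,;]", value) if e.strip()]


def entry_matches(entry: str, who: str, groups: Groups) -> bool:
    """Does one field entry cover the hierarchical Notes name `who`?

    "*"       covers every user and server, listed in the directory or not.
    "*/Acme"  covers every name certified under /Acme, at any depth.
    a group   covers its listed members.
    otherwise the entry must equal the name.
    Comparison is case-insensitive (an assumption of this model).
    """
    e, w = entry.lower(), who.lower()
    if e == "*":
        return True
    if e.startswith("*/"):
        suffix = e[1:]                              # "*/acme" -> "/acme"
        return w.endswith(suffix) and len(w) > len(suffix)
    if entry in groups:
        return any(m.lower() == w for m in groups[entry])
    return e == w


def field_covers(value: str, who: str, groups: Groups) -> bool:
    """True if any entry of the field covers `who`; a blank field covers nobody."""
    return any(entry_matches(x, who, groups) for x in parse_entries(value))


@dataclass
class ServerDoc:
    name: str
    # Security tab, Server Access section (general access), simplified:
    # a name covered by not_access_server is refused; if access_server is
    # non-blank the name must be covered by it; otherwise access is granted.
    access_server: str = ""
    not_access_server: str = ""
    # Security tab, Passthru Use section, with the defaults described above.
    access_this_server: str = ""      # blank: not available as a destination
    route_through: str = ""           # blank: no passthru through this server
    destinations_allowed: str = ""    # blank: any configured destination


def has_general_access(doc: ServerDoc, who: str, groups: Groups) -> bool:
    if field_covers(doc.not_access_server, who, groups):
        return False
    if doc.access_server.strip():
        return field_covers(doc.access_server, who, groups)
    return True


def may_route_through(passthru: ServerDoc, who: str, groups: Groups) -> bool:
    """Route through grants passthru even to names denied general access
    to the passthru server itself."""
    return field_covers(passthru.route_through, who, groups)


def may_use_destination(dest: ServerDoc, who: str, groups: Groups) -> bool:
    """A destination requires both general access and Access this server."""
    return (has_general_access(dest, who, groups)
            and field_covers(dest.access_this_server, who, groups))


def passthru_allowed(passthru: ServerDoc, dest: ServerDoc, who: str,
                     groups: Groups | None = None) -> bool:
    """Can `who` reach `dest` through `passthru`? Every hop must agree."""
    groups = groups or {}
    if not may_route_through(passthru, who, groups):
        return False
    if passthru.destinations_allowed.strip() and not field_covers(
            passthru.destinations_allowed, dest.name, groups):
        return False
    return may_use_destination(dest, who, groups)


# Constructed sample configuration.
GROUPS: Groups = {"FieldStaff": ["Jane Doe/Sales/Acme", "Bob Smith/Sales/Acme"]}
HUB = ServerDoc("Hub-E/Acme",
                not_access_server="Jane Doe/Sales/Acme",   # no general access
                route_through="FieldStaff; */Acme",         # but may route through
                destinations_allowed="HR-E/Acme")
HR = ServerDoc("HR-E/Acme",
               not_access_server="Bob Smith/Sales/Acme",
               access_this_server="*/Acme")
MAIL = ServerDoc("Mail-E/Acme", access_this_server="*")

if __name__ == "__main__":
    for who, dest in [("Jane Doe/Sales/Acme", HR), ("Bob Smith/Sales/Acme", HR),
                      ("Eve/Elsewhere", HR), ("Jane Doe/Sales/Acme", MAIL)]:
        print(f"{who:22} -> {dest.name}: {passthru_allowed(HUB, dest, who, GROUPS)}")
```

Running the sample shows the two asymmetries the text describes: Jane Doe is refused general access to Hub-E yet routes through it, because Route through covers her; Bob Smith routes through Hub-E but is refused at HR-E, because the destination check honours the general-access denial; and Mail-E is unreachable through Hub-E because Destinations allowed is no longer blank.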
Creating a passthru connection
After you set up the passthru and destination servers, you can set up
servers to connect to passthru servers. Creating a passthru connection
enables the server to forward requests from users and other servers to
connect to a specified destination server.
Note The passthru Connection document specifies the server to use for
passthru, but does not define how to connect to the passthru server. If a
server does not have a direct connection to the passthru server over the
LAN, you must create a separate Connection document to define the
path to the passthru server.
Before creating a passthru connection, verify that the current server is not
configured to use a default passthru server. When a server is configured
to use a default passthru server and it receives a request to connect to a
destination server for which no other connection is defined, it attempts to
route through the named server to the requested destination. If the
named server is not set up to allow passthru connections to the requested
destination server, the passthru attempt places an unnecessary load on
both servers.
To verify that a server is not configured to use a default passthru
server
1. From the Domino Administrator, click the Configuration tab.
2. Click Server - Current Server document.
3. Click the Basics tab and expand the Server Location Information
section.
4. Verify that the “Passthru server” field is empty.
To create a passthru connection
1. From the Domino Administrator, click the Configuration tab.
2. Select the connecting server’s Domino Directory in the “Use
Directory on” field.
3. Click Server, and then click Connections.
4. Click Add Connection.
5. Complete these fields:

Field Description
Connection type: Select Passthru server
Source server: The name of the server connecting to the passthru server
Source domain: The name of the connecting server’s domain
Use passthru server or hunt group: The name of the passthru server or hunt group that this connection uses to reach the destination server
Usage priority: Choose one:
• Normal (default) - Select this option if this document defines the primary path to a server.
• Low - Select this option to define a backup path to a server.
For more information about the effect of specifying the usage priority for a connection, see the topic “Forcing a server connection to use a specific protocol” earlier in this chapter.
Destination server: The name of the destination server to connect to through the passthru server.
Destination domain: The name of the destination server’s domain
6. Click the Replication/Routing and Schedule tabs to define the tasks
you want to run, and select the times you want the server to call its
destination.
7. Click Save & Close.
Connecting a server to a hunt group
A hunt group is a collection of telephone extensions that is assigned one
phone number. Each call that comes in to that number is assigned to the
next free line in the group. If your telecommunications infrastructure
supports hunt groups, any passthru server in the hunt group can receive
a call and route it to a specified destination server.
After you set up a hunt group, create a Hunt Group Connection
document to enable servers to connect to the hunt group servers.
A Hunt group connection document is required whenever a hunt group
has multiple passthru servers. If a hunt group has a single passthru
server, create a Network dialup Connection document to define the
connection, rather than a hunt group Connection document.
To create a Hunt group connection document
1. From the Domino Administrator, click the Configuration tab.
2. Select the connecting server’s Domino Directory in the “Use
Directory on” field.
3. Click Server, and then click Connections.
4. Click Add Connection.
5. Complete these fields and then click Save & Close:

Field Description
Connection type: Hunt group
Source server: The name of the server connecting to the hunt group
Source domain: The name of the connecting server’s domain. Required only if the source server and destination server are in different Domino domains.
Use the port: The modem port
Always use area code: Specifies when the modem on the source server includes the area code to dial a number. Choose one:
• Yes - The server always includes the area code to dial, even when dialing numbers in the local exchange.
• No - (default) The server includes the area code only when dialing numbers outside the local area code.
Usage priority: Choose one:
• Normal (default) - Select this option if this document defines the primary path to a server.
• Low - Select this option to define a backup path to a server.
For more information about the effect of specifying the usage priority for a connection, see the topic “Forcing a server connection to use a specific protocol” earlier in this chapter.
Hunt group: Enter a unique name to identify the hunt group, for example, AcmeEastHuntGroup. If you create passthru Connection documents that use this connection, the hunt group name you enter in them must match the name entered here. The name you enter here is also used to apply commands to the hunt group servers. For example, to replicate a database that is located on a hunt group server, enter:
rep hunt_group_name database
In this case, the calling server initiates the modem connection to the designated hunt group and then replicates the specified database on each server where it resides.
Destination domain: The name of the domain to connect to through the hunt group. Required only if the source server and destination server are in different Domino domains. Enter a domain name to ensure that the hunt group connects to a server in the specified domain.
Destination country code: The country code to use when dialing the number of the hunt group modem.
Destination area code: The area code to use when dialing the number of the hunt group modem.
Destination phone number: The phone number of the hunt group modem.
Login script name: The name of the login script file to use when connecting to the hunt group.
Login script arguments: Arguments required during processing of the specified login script; for example, name and password. Enter arguments from left to right in the order of use.
Planning for modem use
For a Domino server to communicate with a remote Domino server by modem, you must
• Install one or more modems on the calling and receiving servers.
• Configure the communication port.
• Create a dialup modem connection from the calling server to the receiving server. Domino uses either a Notes Direct Dialup connection or a Network Dialup Connection to communicate with another server over a modem. The type of connection required depends on whether each server is directly connected to a modem.
For information about creating dialup connections, see the topics “Creating a Notes Direct Dialup connection” and “Creating a Network Dialup connection” later in this chapter.
Installing modems
The number of modems that you can use on a server is dependent on the
operating system and system resources — for example, the number of
available communication ports. Each modem needs its own
communication port.
If you expect heavy dialup use, install additional modems or install a
multiple-port communication board to connect multiple modems to
multiple communication ports on a single board.
Use these questions to help you determine the number of modems:
1. How many users and servers do you want to be able to use the
server simultaneously?
The number of modems that you install on a remote server
determines the number of users and servers that can access it
simultaneously. Consider the expense of purchasing more modems
against server accessibility.
2. Do users take advantage of workstation-to-server replication when
accessing the server?
To reduce server demand, encourage users to keep local replicas of
databases on their workstations, work on them without a dialup
modem connection, then connect to the central server to exchange
new and updated documents with the central server’s database.
3. What types of users connect to this server?
If the server supports a high number of users who connect
exclusively over dialup connections — for example, when a server’s
primary users are field personnel who are always on the road —
dialup demand for the server is higher than on a server where users
only occasionally use modem connections.
Modems and modem command files
After you install a modem on a server, configure the communication port
by specifying the modem type and port number.
Specifying a modem type automatically associates a modem with a
modem command file. A modem command file is a text file containing
commands that Domino issues to the modem. If none of the available
modem types matches your modem, you can modify a generic modem
command file or contact IBM support to obtain the appropriate modem
file.
Modem command files, which have the file extension MDM, tell the
modem how to operate. They are specific to Domino and the type of
modem you are using. When you choose a modem type, you must select
a matching modem file. Domino comes with specific modem command
files for a wide variety of modems.
Domino installs modem files in the Domino Data\Modems subdirectory.
Commands in the modem command file are arranged as required by the
X.PC protocol provided with Domino.
Domino provides a generic all-speed modem file, GEN_ALL.MDM,
which you can modify. For information on modem command files and
instructions on modifying them, use a text editor to read the file
TEMPLATE.MDM. Use this file in conjunction with the documentation
that came with the modem to modify modem command files.
Modify a modem command file only under the following circumstances:
• If you need additional commands that a Domino modem command file does not provide
• If Domino does not provide a modem command file that is compatible with your modem
• If the default modem command file, AUTO.MDM, does not work
• If you cannot obtain a modem file that works with your modem from IBM support
Creating a Notes Direct Dialup connection
When both the local and remote Domino servers have their own
modems, you can use a Notes Direct Dialup (dialup modem) connection
to connect them. After the local server connects to the remote server, it
can perform tasks, such as route mail and replicate databases.
When using Notes Direct Dialup connections, Domino uses the X.PC
protocol driver. The X.PC protocol driver is installed automatically when
you install a Domino server. It links Domino to a computer’s operating
system and the hardware devices that handle the communication.
Notes Direct Dialup connections use Domino security and thus offer
tighter security than Network Dialup connections to a remote access
server.
1. Make sure that you already installed a modem and that one exists on
the destination server.
2. From the Domino Administrator, click the Configuration tab.
3. Click Server, and then click Connections.
4. Click Add Connection.
5. Select Notes Direct Dialup in the “Connection type” field.
6. Complete these fields:

Field Description
Source server: The name of the calling server.
Source domain: The name of the calling server’s domain.
Use the port(s): The name of the communications port that the calling or source server uses.
Always use area code: Specifies whether the source server always uses the area code when dialing. Choose one:
• Yes - The server always includes the area code to dial, even when dialing numbers in the area code defined in the source server’s Server document. Use this option if your phone system requires an area code for local calls.
• No - (default) The server includes the area code only when dialing numbers outside the local area code.
Usage priority: Choose one:
• Normal (default) - Select this option if this document defines the primary path to a server.
• Low - Select this option to define a backup path to a server.
For more information about the effect of specifying the usage priority for a connection, see the topic “Forcing a server connection to use a specific protocol” earlier in this chapter.
Destination server: The name of the remote server.
Destination domain: The name of the remote server’s domain.
Destination country code: The country code for the remote server. Enter this number only if it’s required to complete the call.
Destination area code: The remote server’s area/city code. Enter this number only if it’s required to complete the call.
Destination phone number: The phone number of the remote server.
Login script file name: The name of the connect script to use when connecting to the remote server. Supply this file name only if additional information is required to authenticate with the destination server after dialing completes.
Login script arguments: Between 1 and 4 values used by the login script when authenticating with the destination server. For example, enter a login name and password if the login scripts must provide these elements when connecting to the destination server. The script uses the values in the order in which they are entered. Values entered in this field are not encrypted and are displayed in the clear.

7. Click the Replication/Routing and Schedule tabs to define the tasks you want to run, and select the times you want the server to call its destination.
8. Click Save & Close.
Note To ensure the best performance for connections that use
data-compressing modems, don’t apply Domino network data
encryption to ports using these modems. Rather than reducing the size of
the transmitted data, the modem’s hardware compression techniques can
increase it, negating the benefits of the modem compression.
For more information about encrypting data on an NRPC port, see the
chapter “Setting Up the Domino Network.”
Creating a Network Dialup connection
To connect a local Domino server with a remote server that does not have
its own modem, create a Network dialup connection. Domino uses
Microsoft Dial-Up Networking (DUN) and the Microsoft Remote Access
Service (RAS) to make a dialup connection to a non-Domino server on
the remote network. After establishing the connection, the local server
uses the remote access service to communicate with the destination
server. Domino can interact with resources on the other network as if it
were connected directly to the network, routing mail and replicating
databases with servers on the remote network.
Because RAS uses its own compression, Domino compression should not
be used with RAS.
Notes clients and Domino servers that establish a Network Dialup
connection to a Remote Access Server can access the entire remote
Domino network over the remote LAN. After establishing a connection,
the calling client or server can communicate with servers on the remote
LAN using only the network protocols defined in RAS, that is, TCP/IP
and NetBIOS.
To create a Network dialup connection
1. Configure the modem port on the source server.
2. Make sure that the remote access service is properly set up on the
local Domino server and on the remote network server.
On the local server, configure DUN to dial out to the RAS server.
On the non-Domino remote server, configure RAS to answer calls.
For details on how to configure RAS, refer to the documentation
provided with the operating system.
3. From the Domino Administrator, click the Configuration tab.
4. Click Server, and then click Connections.
5. Click Add Connection.
6. Complete these fields:

Field Description
Connection type: Network Dialup
Source server: The fully-distinguished Notes name of the connecting server. For example, Server1/Sales/ACME.
Source domain: The name of the connecting server’s Domino domain. Required only if the source server and destination server are in different Domino domains
Use LAN port(s): Specifies the port that the server uses to establish the network dialup connection using the remote access service.
Usage priority: Choose one:
• Normal (default) - Select this option if this document defines the primary path to a server.
• Low - Select this option to define a backup path to a server.
For more information about the effect of specifying the usage priority for a connection, see the topic “Forcing a server connection to use a specific protocol” earlier in this chapter.
Destination server: The fully-distinguished Notes name of the Domino server you want to access. For SMTP routing connections, enter the host name of the destination server, for example, internet.isp.com.
Destination domain: The name of the destination server’s Domino domain. Required only if the source server and destination server are in different Domino domains. Leave this field blank when configuring SMTP routing to an ISP server.
Optional network address: Provide an optional network address to facilitate attempts to locate the destination server over a TCP/IP connection. If the field contains no entry, Domino attempts to obtain the destination server’s IP address from the IP protocol stack. Enter a fully-qualified host name or IP address, for example, HR-E.Acme.com or 192.22.256.36. Because IP addresses are subject to change, for ease of management, it’s best to use host names in Connection documents. When a host name is used, if the IP address changes, the connecting server obtains the updated IP address from the DNS.

7. Click the Replication/Routing and Schedule tabs to define the tasks you want to run, and select the times you want the server to contact its destination.
8. Click Save & Close.
Forcing a server connection to use a specific protocol
If multiple protocols are available for connecting a source server to a
given destination, you can specify which protocol to use by setting the
usage priority in a Connection document describing how the source
server contacts the destination. The usage priority specified in a
Connection document determines the order in which Domino selects the
Connection document when searching for how to connect a source server
to a destination. If multiple ports are enabled on the two servers, you can
force Domino to use a specific port by specifying it in the Connection
document and setting the Usage priority field to Normal.
For example, suppose that both SPX and TCP/IP are enabled on Server
A, the source server, and Server B, the destination server. You create a
Connection document from Server A to Server B specifying that Server A
uses the port TCP/IP to contact Server B and set the usage priority in this
document to Normal. When determining how to connect to Server B,
Server A first checks the Domino Directory for a normal-priority
Connection document governing the connection. After locating the
document, Server A learns that the TCP/IP port is specified, and
proceeds to use that port to attempt a connection to Server B. Setting the
usage priority works for all types of Connection documents: LAN, Notes
Direct Dialup, Network Dialup, Passthru, and so forth.
If multiple normal-priority Connection documents exist for the same
destination server, the connecting server chooses one based on the type
of connection in the following order of preference:
1. Local Area Network
2. Network Dialup
3. Notes Direct Dialup
4. Passthru server
5. Hunt group of passthru servers
You can also use the usage priority setting to configure a backup path to
a destination server. When you set the usage priority for a Connection
document to Low, the connecting server only uses the information in the
document to connect to the destination server as a last resort, after it has
exhausted all other possible means of locating connection information.
For more information on how a server determines the route to a
destination, see the topic “How a server connects to another server”
earlier in this chapter.
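The selection rules in this topic (normal-priority documents first, ordered by connection type; Low-priority documents only after every other path has failed; a port named in the document forcing that port) can be expressed as a short ordering function. The following is an added example, not IBM Lotus Domino code, that models how a source server walks its Connection documents for a destination. The ConnectionDoc class, the function names and the sample documents for Server A/Acme, Server B/Acme and Server C/Acme are constructed for the illustration; the simulated connection attempt stands in for the real port or dial attempt.

```python
"""Model of how a source server orders its Connection documents.

Added example, not IBM Lotus Domino code. The ordering rules come from
this section; the class, function names and sample documents are
constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable, List, Optional

# Order of preference among normal-priority documents, as listed above.
TYPE_PREFERENCE = [
    "Local Area Network",
    "Network Dialup",
    "Notes Direct Dialup",
    "Passthru server",
    "Hunt group of passthru servers",
]


@dataclass(frozen=True)
class ConnectionDoc:
    source: str
    destination: str
    connection_type: str
    usage_priority: str = "Normal"   # "Normal" (primary path) or "Low" (backup)
    port: str = ""                   # port forced by the document; "" = any


def candidate_order(docs: List[ConnectionDoc], source: str,
                    destination: str) -> List[ConnectionDoc]:
    """Connection documents the source server would consult, in order."""
    mine = [d for d in docs if d.source == source and d.destination == destination]

    def rank(d: ConnectionDoc) -> tuple:
        priority = 0 if d.usage_priority == "Normal" else 1
        if d.connection_type in TYPE_PREFERENCE:
            kind = TYPE_PREFERENCE.index(d.connection_type)
        else:
            kind = len(TYPE_PREFERENCE)          # unknown types go last
        return (priority, kind)

    return sorted(mine, key=rank)                # stable: ties keep directory order


def connect(docs: List[ConnectionDoc], source: str, destination: str,
            try_connect: Callable[[ConnectionDoc], bool]) -> Optional[ConnectionDoc]:
    """Try each candidate in turn; return the first that connects, else None.

    try_connect stands in for the real port/dial attempt. A Low-priority
    document is reached only after every normal-priority one has failed.
    """
    for doc in candidate_order(docs, source, destination):
        if try_connect(doc):
            return doc
    return None


# Constructed sample: both TCP/IP and SPX are enabled on Server A and Server B.
# The LAN document forces the TCPIP port, a direct-dialup document is the
# alternative, and a passthru document is kept as a Low-priority backup path.
SAMPLE_DOCS = [
    ConnectionDoc("Server A/Acme", "Server B/Acme", "Passthru server", "Low"),
    ConnectionDoc("Server A/Acme", "Server B/Acme", "Notes Direct Dialup"),
    ConnectionDoc("Server A/Acme", "Server B/Acme", "Local Area Network", port="TCPIP"),
    ConnectionDoc("Server A/Acme", "Server C/Acme", "Local Area Network", port="SPX"),
]


def demo(tcpip_reachable: bool = True) -> Optional[ConnectionDoc]:
    """Pick the document Server A uses to reach Server B, simulating the
    forced TCPIP LAN path being up or down."""
    def attempt(doc: ConnectionDoc) -> bool:
        if doc.connection_type == "Local Area Network":
            return tcpip_reachable and doc.port == "TCPIP"
        return True                              # dialup/passthru assumed to answer
    return connect(SAMPLE_DOCS, "Server A/Acme", "Server B/Acme", attempt)


if __name__ == "__main__":
    for d in candidate_order(SAMPLE_DOCS, "Server A/Acme", "Server B/Acme"):
        print(d.usage_priority, d.connection_type, d.port or "(any port)")
    print("LAN up:  ", demo(True).connection_type)
    print("LAN down:", demo(False).connection_type)
```

With the TCPIP LAN path up, Server A uses the normal-priority LAN document and therefore that port; with it down, it falls through to Notes Direct Dialup, and only if that also fails does the Low-priority passthru document come into play.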
To set the usage priority for a connection
1. From the Domino Administrator, click the Configuration tab.
2. Click Server, and then click Connections.
3. Select the Connection document for which you want to set the usage
priority, and click Edit Connection.
4. Complete this field, and then click Save & Close:

Field Enter
Usage priority: Choose one:
Normal - This Connection document defines a primary path to the destination server. The connecting server attempts to use this Connection document to make the connection to the destination server.
Low - This Connection document defines a backup path to the destination server. The connecting server uses this Connection document only as a last resort when trying to connect to the destination server.
Setting up external domain lookups
By default, a Notes user who wants to open a database on a server
outside the local Domino domain can do so only if there is a Connection
document in either their Personal Address Book, or in the Domino
Directory on their home server, that describes how to reach the target
server. To enable Notes users to connect more easily to servers outside of
their domain, you can create an External Domain Network Information
(EDNI) document in the Domino Directory.
The EDNI document works in conjunction with a server task called
GETADRS to import address information from another Domino domain
so that Notes users can connect to servers in the external domain. In the
EDNI document, you specify the external Domino domain containing the
servers you want users to connect to and the protocols for which you
want connection information. In many cases, TCP/IP is the only protocol
for which you may need a document. You also specify a server in your
local domain that requests the information (Requesting Server) and a
server in the external domain that supplies the information (Information
Server).
To gather information, the requesting server runs the GETADRS
program, which asks the specified information server for a list of the
servers in the external Domino domain. GETADRS returns the address
information it obtains to an AdminP request for processing. When the
Administration server processes the request, it places the information in
the Domino Directory as a response document to the original EDNI
document.
After AdminP adds the server address information to the local Domino
Directory, users attempting to open databases on servers in the external
domain can use the information from this document to make the
connection without requiring a Connection document.
Using EDNI documents, you can reduce the number of Connection
documents in the Domino Directory, eliminating those that are not
required for replication or routing.
Before creating an EDNI document, determine if the connection
information is useful for the domain. For example, if you are using the
NetBIOS protocol, which isn’t a routable protocol, a direct connection to
the external domain may not be possible even if you have the network
address of the server in an EDNI document. Also, if an external domain
server has multiple TCP/IP ports, the host name or address returned to
the EDNI document may not be the address of the appropriate port to
use. Because each protocol has its own restraints, you should thoroughly
research and test the external domain lookup capability using the
network system configuration at your organization before using it.
To share information across domains, the Domino domain requesting the
information must be cross-certified with the external domain.
Because the Requesting Server gathers information from Server
documents in an external domain, these documents need to be
configured properly to enable successful server name lookups. For
example, a document with a fully qualified host name or IP address
would enable a successful lookup, but a document with only the server
common name may not (unless that common name were a full host
name).
The data from an external domain server lookup resolves client requests
for a server address only; it does not add additional server names to a
client’s request for a list of servers.
To set up an External Domain Network Information document
1. Verify that the local domain is cross-certified with the external
domain.
2. From the Domino Administrator, click the Configuration tab.
3. Open the Server folder, and then click External Domain Network
Information.
4. Click Add Ext Domain Net Info.
5. Complete these fields, and then click Save & Close:

Field Description
Requesting server: The name of the local domain server that performs the request for external domain information. This server runs the GETADRS task to obtain information from the information server in the external domain.
Information server: The name of the server in the external domain from which the requesting server obtains information.
Domain to query: The name of the external domain.
Protocols to query: The name of one or more protocols in the external domain to query. Specify only protocols that are used in both domains.

6. Run the GETADRS program on the Requesting server. You run GETADRS using any of these methods:
• Run the program manually from the server console by entering:
LOAD GETADRS
• Create a program document to run the program as a scheduled task. Running GETADRS as a scheduled task ensures that information in the local Domino Directory remains synchronized with updates from the external domain.
For information about running server tasks in a program document, see the appendix, “Server Tasks.”
• Add GETADRS to the ServerTasks or ServerTasksAt lines in the NOTES.INI file of the requesting server; the task runs at server startup, or at the specified time, respectively.
After GETADRS obtains information from the external domain, for
each protocol specified in the EDNI, AdminP creates an External
Domain Network Address document as a response document to the
original EDNI. Each response document contains the names and
addresses of the servers in the queried domain that use that protocol.
By default, AdminP processes the information returned by
GETADRS to create the External Domain Network Address
documents at the interval scheduled in the Server document. You
can run AdminP manually to force it to process the request
immediately.
For more information about scheduling AdminP requests, see the
chapter “Setting Up the Administration Process.” For information
about Tell commands used with AdminP, see the appendix “Server
Commands.”
Internet connections
To enable a Domino server to connect to another server across the
Internet, you must establish Internet access with an Internet Service
Provider (ISP) and register an Internet domain name with the ISP — for
example, acme.com. After you contract Internet service, create
Connection documents to instruct the local Domino servers how to
contact the target server.
Servers can connect to the ISP using a direct connection or by way of a
Domino or non-Domino proxy server. If the local network uses a proxy
server to connect to the Internet, the calling Domino server does not need
to connect to the ISP directly, because the proxy server establishes this
connection to the ISP.
Servers connecting to the Internet require networking software that is
compatible with the Internet. If TCP/IP is not already installed on the
Domino server, install the protocol using the installation instructions
included with the operating system. If you do not have a Domino
TCP/IP port enabled for the server, add and enable the port.
For information about adding a network port to a Domino server, see the
chapter “Setting Up the Domino Network.”
Direct (leased-line) connection
A leased-line connection is considered a direct connection to the Internet.
If you have a leased-line connection, Domino servers on the internal
LAN connect to the Internet through a firewall or router over a leased
phone line.
[Figure: the corporate LAN (Webstage-E) connects through a firewall/router over a leased line to the ISP]
A firewall filters traffic passing between the internal network and the
Internet and is usually part of a TCP/IP router. Most firewalls work by
hiding the IP addresses of computers on your internal network from the
Internet, thus breaking the connection between the internal and external
networks, so that while there is a connection between the internal LAN
and the firewall, and from the firewall to the Internet, there’s no direct
connection between the Internet and the local network.
To connect a Domino server to an Internet server over a direct
connection, create a LAN Connection document to the target server.
Setting Up Server-to-Server Connections 4-21
Configuration
For more on how to create a LAN Connection document, see the topic
“Creating a LAN connection” earlier in this chapter.
Proxy connections
A proxy is a server that provides indirect access to the Internet. A proxy
server usually runs in conjunction with firewall software to pass
incoming and outgoing requests between servers on either side of a
firewall. If your organization uses a proxy server for its Internet
connection, a Domino server on the internal LAN connects to the Internet
through the proxy and firewall servers, which, in turn, connect to your
ISP. Because the proxy server establishes the connection with the ISP, the
Domino server does not connect to the Internet directly.
[Figure: Corporate LAN, Proxy server, Firewall/router (Webstage-E), Leased-line, ISP]
A Domino proxy server is one type of proxy server. You set up a Domino
passthru server as a proxy for the Internet the same way that you set up a
passthru server for internal Domino communication. You do not need to
configure the server differently for Internet connections. The proxy
server does not have to be a Domino server.
Click the Network Dialup tab and complete the following fields:

Field Description
Choose a service type: Select Microsoft Dial-up Networking.
Configure service: Lets you specify the Dial-up Networking entry that the server uses when connecting to this destination. Click Edit Configuration, and complete this field in the Microsoft Dial-up Networking dialog box:
• Dial-up Networking name - Name of the Microsoft Dial-up Networking phonebook entry on the source server containing the information on how to dial up the remote server.
Optionally, you can complete the following additional fields in the dialog box. If you complete these fields, the settings override those configured in the specified Dial-up Networking entry on the server. These settings are used by the remote access service, not by Domino. Complete the fields and then click OK.
• Login name - The name that the server uses to log in to the remote access server.
• Password - The password the server uses to log in to the remote access server. For security reasons, when you enter the password, it appears as a series of asterisks. After you save the Connection document, before storing the document Domino encrypts the password with the public keys of the source server and the users and servers listed in the Owners and Administrators fields of the document.
• Phone number - The phone number of the remote access server. If the server uses pulse dialing, do not enter a phone number in this field. Also, be sure to select Pulse in the server’s modem configuration options and in the Microsoft Dial-up Networking dialog, provide a phone number and check the Use Telephony dialog properties box.
• Area code - Area code of the remote access server.
• Country code - Country code of the remote access server.
• Dial-back phone number - The phone number of the source server. If the remote access server has call-back enabled, it calls this number after authentication completes.
• Domain - The Windows logon domain of the remote access service.

Coordinating dialup ISP connections between servers
When two geographically distant servers are both connected to the
Internet, they can use the Internet connection to replicate databases or
route mail. When both servers have constant connections to the Internet,
scheduling these tasks is easy. But if either server’s Internet connection is
intermittent, for example, if one server uses a dialup connection to an
ISP, it can be difficult to schedule tasks to coincide with times when both
servers are available.
To automate the coordination of dialup schedules, Domino lets you
create an AutoDialer connection. An AutoDialer connection provides a
link between two Connection documents: one document that controls
when a source server initiates the given replication or mail routing task;
and one document that controls when the destination server dials up an
ISP to establish an Internet connection. An AutoDialer task on both
servers tracks the task schedule set in the source server’s Connection
document and prompts the destination server to come online in time to
receive requests from the calling server.
The source server uses the destination server’s IP address to establish the
connection. Because this requires a stable IP address, the destination
server’s ISP must provide static IP addresses; that is, it must assign the
server the same IP address every time the server connects to the ISP.
AutoDialer connections honor the timeout settings specified for the
modem communication port. If a connection is idle for the amount of
time specified, Domino closes the connection.
Example of using an AutoDialer connection
Two remote servers, Jupiter and Pluto, share a common Domino
Directory and must replicate once a day with each other. Jupiter, a
powerful server with a direct connection to the Internet, is located at
company headquarters in New York. Pluto, a much less powerful
computer, located at a branch office in San Francisco, connects to the
Internet by dialing up a local ISP number. To enable Jupiter to assume
the greater share of the workload, the administrator chooses to have it
serve as the source server and initiate the replication. Because a direct
dialup connection between the servers would require a costly
long-distance call, the administrator decides to connect the servers over
the Internet to perform the replication.
To enable replication, the administrator creates an AutoDialer connection
for the two servers by doing the following:
1. Creates a Pluto-to-ISP Network Dialup connection document that provides information on how to connect the destination server, Pluto, to the ISP, using a local phone number. In the Pluto-to-ISP connection document, the administrator then does the following:
• Enables AutoDialer and specifies that Pluto will begin to dial up the ISP three minutes before the scheduled replication with Jupiter.
• Assigns the AutoDialer connection the name “PlanetReplication.”
2. Creates a Jupiter-to-Pluto LAN connection document that provides information on how the source server, Jupiter, connects to Pluto. In the Jupiter-to-Pluto LAN connection document, the administrator then does the following:
• To enable Jupiter to locate Pluto on the Internet, specifies Pluto’s IP address in the Optional Network Address field.
• Enables AutoDialer and assigns the AutoDialer connection in this document the same name as the AutoDialer connection in the Pluto-to-ISP Connection document: “PlanetReplication.” This name provides the link between the two documents.
• Sets the schedule on the Jupiter-to-Pluto connection document to begin replication at 10:00 AM.
3. After saving both documents, the Domino Directory must be
replicated so that both servers are aware of the change. The
administrator on Pluto dials the server into the ISP and then issues
the replicate command from the server console to replicate the
Domino Directory between the two servers.
4. The administrator on Pluto then adds the AutoDialer task to the
ServerTasks item in the NOTES.INI file to start the AutoDialer task
on Pluto.
Domino then searches the available Connection documents to locate any
that have the AutoDialer connection name “PlanetReplication.” After it
finds the matching documents, Domino calculates when Pluto must dial
up its ISP to answer the replication request from Jupiter, and sets this
schedule in the Pluto-to-ISP connection document. In this example,
because Pluto is in the time zone GMT -08:00, it must dial up the ISP at
6:57 AM local time to come online three minutes before Jupiter, in the
time zone GMT -05:00, initiates replication at 10:00 AM local time.
At 6:57 AM the AutoDialer on Pluto requests the dialup information
from the Pluto-to-ISP connection document and dials the ISP. Three
minutes later, Jupiter sends a replication request over the Internet to
Pluto.
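The time-zone arithmetic in this example, worked as an added Python example that is not Domino code: given the source server’s scheduled time, both servers’ UTC offsets and the AutoDialer lead time, it computes when the destination server must dial its ISP, and it also handles a schedule that forces the destination to dial on the previous or next calendar day. Fixed offsets are assumed as in the text (GMT -05:00 and GMT -08:00); daylight-saving shifts are not modelled, and the reference date and day names are constructed.

```python
"""AutoDialer timing helper (added example, not part of Domino).

Reproduces the chapter's calculation: the destination server must dial its
ISP 'Connect remote server to network' minutes before the source server's
scheduled time, with the clock converted between the two servers' zones.
Offsets are fixed UTC offsets as in the chapter; DST is not modelled."""
from datetime import datetime, timedelta, timezone

# Constructed reference date (a Monday); only the weekday arithmetic depends on it.
REFERENCE_DATE = datetime(2003, 6, 2)
WEEKDAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]


def plan_dialup(scheduled_time, source_offset_hours, dest_offset_hours, lead_minutes):
    """Return (dial-up time on the destination server, day shift).

    scheduled_time is the source server's 'Connect at times' value, for example
    "10:00 AM". The day shift is -1 when the destination must dial on the
    previous calendar day, 0 for the same day and +1 for the next day.
    """
    if lead_minutes < 0:
        raise ValueError("lead time must not be negative")
    source_tz = timezone(timedelta(hours=source_offset_hours))
    dest_tz = timezone(timedelta(hours=dest_offset_hours))
    clock = datetime.strptime(scheduled_time, "%I:%M %p")
    scheduled = REFERENCE_DATE.replace(hour=clock.hour, minute=clock.minute,
                                       tzinfo=source_tz)
    # Subtract the lead time in the source zone, then express it in the destination zone.
    dial = (scheduled - timedelta(minutes=lead_minutes)).astimezone(dest_tz)
    day_shift = (dial.date() - REFERENCE_DATE.date()).days
    return dial.strftime("%I:%M %p").lstrip("0"), day_shift


def dial_days(source_days, day_shift):
    """Map the source document's 'Days of week' onto the days the destination dials."""
    return [WEEKDAYS[(WEEKDAYS.index(day) + day_shift) % 7] for day in source_days]


if __name__ == "__main__":
    # The chapter's case: Jupiter (GMT -05:00) replicates at 10:00 AM and Pluto
    # (GMT -08:00) must be online three minutes earlier, so Pluto dials at 6:57 AM.
    time_str, shift = plan_dialup("10:00 AM", -5, -8, 3)
    print(f"Pluto dials its ISP at {time_str} local time (day shift {shift:+d})")
    # An early-morning task on Jupiter pushes Pluto's dial-up to the previous evening.
    time_str, shift = plan_dialup("1:00 AM", -5, -8, 3)
    print(f"A 1:00 AM task means Pluto dials at {time_str} (day shift {shift:+d})")
    print("Pluto dial days:", dial_days(["Mon", "Wed", "Fri"], shift))
```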
Using AutoDialer with Notes Direct Dialup connections
Although AutoDialer is intended primarily for use in coordinating
connections over the Internet between two servers, you can also use
AutoDialer to enable a remote Domino server to dial directly into
another Domino server, or into a passthru server.
For more information, see the topic “Coordinating Notes Direct Dialup
connections between servers” later in this chapter.
To set up an AutoDialer connection
1. Create a Network Dialup connection document that defines how the
destination server for the scheduled task connects to its ISP.
For information on creating a Network Dialup connection, see the
topic “Creating a Network Dialup connection” earlier in this chapter.
2. On the Replication/Routing tab of the Connection document you
created in Step 1, complete the following fields in the AutoDialer
section:

Field Description
AutoDialer Task: Select Enabled.
AutoDialer connection name: Specifies a name for this AutoDialer connection. Enter any unique name, for example, InternetReplication. It’s best to use a name that’s short and descriptive. The name you enter in this field must also appear in the AutoDialer connection name field in the Connection document that provides the schedule for this task (see Step 5).
Connect remote server to network: Specifies how many minutes before a scheduled action that this server will dial up to connect to the Internet. To ensure availability, specify a time value that enables the server to be online several minutes before the start of the scheduled action.
3. Click Save & Close
4. Create a LAN Connection document that defines how the source
server for the scheduled task connects to the destination server.
5. Enter the following information in the Connection document you
created in Step 4 and then click Save & Close:

Tab Field Description
Tab: Basics
Optional network address: Enter the IP address of the destination server.
Tab: Replication/Routing
Use AutoDialer to connect remote server to network: Select Enabled.
AutoDialer connection name: The AutoDialer connection name specified in the Network Dialup connection document you created in Step 2, for example, InternetReplication.
Tab: Schedule
Schedule: Select Enabled.
Connect at times: Specify the time to replicate with or route mail to the destination server. Enter a specific time only, for example, 10:00 AM, not a time range.
Repeat interval: Leave this field blank. Domino does not support repeat intervals for AutoDialer connections.
Days of week: Specify the days when the calling server attempts to make this connection.
6. Connect the destination server (the dialing server) to the Internet by
having it dial up the ISP.
7. From the server console of the destination server, enter the
command:
Replicate servername directoryfile
Where servername is the name of the source, or replication, server,
and directoryfile is the filename of the Domino Directory database.
For example, enter:
Replicate Jupiter NAMES.NSF
8. Add the AutoDialer task to the ServerTasks item in the NOTES.INI
file to start the AutoDialer task on Pluto.
Coordinating Notes Direct Dialup connections between servers
To enable two servers to perform scheduled tasks when one or both of
them uses a dialup connection to access the network, you can create an
AutoDialer connection to automatically coordinate the dialup schedule
with the task time. In most cases you use an AutoDialer connection to
schedule tasks over Internet dialup connections, but an AutoDialer
connection can also enable a remote Domino server to dial directly into
another Domino server, or into a passthru server.
The process for creating an AutoDialer connection for use with a Notes
Direct Dialup connection is similar to the one used to create an
AutoDialer connection for a Network Dialup connection. For replication
tasks, set up the more powerful server to be the source server, and the
less powerful server, generally the server with the dialup connection, to
be the destination server.
If the dialing server connects into a passthru server rather than
connecting directly to the replication server, all communications between
the dialing server and the replication server occur through the passthru
server. The replication server cannot locate the dialing server on the
network except with the help of the passthru server and so requires a
Passthru connection document to provide this information. In addition,
you must also configure the dialing server, as well as the replication
server, as passthru destinations.
To set up an AutoDialer connection for use with Notes Direct Dialup
connections
1. Create a Notes Direct Dialup connection document that defines how
the dialing, or destination, server connects to the Domino server
initiating replication (the source server).
For information on creating a Notes Direct Dialup connection, see the
topic “Creating a Notes Direct Dialup connection” earlier in this
chapter.
If the dialing server dials into a passthru server, rather than directly
into the source server, in addition to this Notes Direct Dialup
connection document, you must also create a Passthru connection
document if one doesn’t already exist. You must also set up the
source server as a passthru destination.
Note The AutoDialer section on this Passthru connection document
is not used.
For information on creating a Passthru connection document, see the
topic “Creating a passthru connection” earlier in this chapter.
2. On the Replication/Routing tab of the Connection document you
created in Step 1, complete the following fields in the AutoDialer
section:

Field Description
AutoDialer Task: Select Enabled.
AutoDialer connection name: Specifies a name for this AutoDialer connection. Enter any unique name, for example, AutoDialReplication. It’s best to use a name that’s short and descriptive. The name you enter in this field must also appear in the AutoDialer connection name field in the Connection document that provides the schedule for this task (see Step 5).
Connect remote server to network: Specifies how many minutes before a scheduled action that this server will dial up to connect to the Internet. To ensure availability, specify a time value that enables the server to be online several minutes before the start of the scheduled action.

3. Click Save & Close.
4. Create a Passthru connection document describing how the
replication server connects to the destination server.
5. Enter the following information in the Passthru connection document
you created in Step 4:

Tab Field Description
Tab: Replication/Routing
Use AutoDialer to connect remote server to network: Select Enabled.
AutoDialer connection name: The AutoDialer connection name specified in the Notes Direct Dialup Connection document in Step 2, for example, AutoDialReplication.
Tab: Schedule
Schedule: Select Enabled.
Connect at times: Specify the time to replicate with or route mail to the answering server. Enter a specific time only, for example, 10:00 AM, not a time range.
Repeat interval: Leave this field blank. Domino does not support repeat intervals for AutoDialer connections.
Days of week: Specify the days when the calling server attempts to make this connection.

Click Save & Close.
Encrypting Network Dialup Connection documents
Domino can hide and encrypt the parameter part of the Network Dialup
Connection document by using the public keys of specific user or server
IDs. When completed, only users and servers with those IDs can make
connections using the document and can view the parameters in the
document.
Use these steps to encrypt a Connection document created prior to
Release 5 so that only the users and servers you specify can use the
document to make a connection and view the settings in the document.
1. From the Domino Administrator, click the Configuration tab.
2. Select the connecting server’s Domino Directory in the “Use
Directory on” field.
3. Click Server, and then click Connections.
4. Open the Network Dialup Connection document.
5. Choose File - Document Properties.
6. Click the Security tab (the key icon), and deselect “All readers and
above.”
7. In the “Public Encryption keys” field, enter the names of users and
servers who need access to the document, and then save the
document.
Configuring a communication port
If you specified a communication port when you configured the server,
you do not need to specify the port again. You configure an additional
communication port only when you add an additional modem or other
device to a server or when you need to adjust the settings for a port
currently in use.
1. Install the modem on the server communication port and ensure that
the operating system recognizes the port.
2. From the Domino Administrator, select the Server - Status tab.
3. From the Servers pane, select the server on which to set up the port.
On platforms, such as UNIX, for which there is no Domino
Administrator client, you can set up ports remotely.
4. From the Tools pane, click Server - Setup Ports.
5. Select the name of the port on which you installed the modem, for
example, COM1.
If the communication port name does not exist, select New, type the
name of the communication port on which you installed the modem,
select XPC for the driver, and then click OK.
6. Select Port Enabled.
7. If you want to enable Domino network data encryption, select
“Encrypt network data.”
Note Enabling network encryption can slow performance,
especially for connections that use data-compressing modems. Never
apply Domino network data encryption to ports that use
data-compressing modems. Rather than reducing the size of the
transmitted data, the modem’s hardware compression techniques
can increase it, negating the benefits of the modem compression. For
more information about setting up network data encryption for a
port, see the topic “Encrypting network data on a server port.”
8. Select “Compress network data” to enable Domino network data
compression. Network compression occurs only if it is enabled on
both sides of the connection. If compression is not enabled on the
server being connected to, data will not be compressed.
9. Click portname Options, where portname is the name of the port
whose settings you want to change.
10. Modify default port settings, as needed and then click OK.
Note These settings apply to digital-analog modems only, not cable
or DSL modems.
The default port settings work in most situations. However, if you
are performing troubleshooting, you may wish to adjust some of the
settings. The following settings are available:

Field Description
Modem type: Associates a modem with a modem command file. If none of the listed modems is an exact match for the installed modem, select the closest match by brand and speed. If the modem is 100% Hayes-compatible, select “Auto Configure” (AUTO.MDM) for Domino to determine the modem type automatically and select the appropriate Hayes command file. Because the Auto Configure modem file does not provide optimal performance, use it only as a temporary measure while obtaining an appropriate modem. If there’s no match and your modem is not 100% Hayes-compatible, you may need to edit an existing modem command file or create a new one. For information about your modem, see your modem documentation. For information about editing modem command files, see the topic “Modifying a modem command file” later in this chapter.
Maximum port speed: Specifies the maximum speed at which the communication port on the computer sends data to the modem and receives data from the modem. Domino selects a maximum data transmission speed based on the modem type you select. The maximum speed is limited by the maximum speed specified in the modem’s command file and may also be limited by the server’s operating system. Default value is 19200. Specify the highest value supported by your modem hardware. Select a lower port speed if you are having trouble with a noisy phone line or cannot establish the carrier. When using a null modem, the maximum port speed on both computers must match.
Speaker volume: Specifies how loudly to amplify modem tones during connection attempts. Choose the volume that best allows you to monitor call progress: Low, Medium, or High; or choose Off to mute the modem.
Dial mode: Choose one:
• Tone - For touch-tone phone lines.
• Pulse - For rotary phone lines or modems that do not support touch-tone dialing.
Log modem I/O: Select this option to help troubleshoot modem connection problems by recording modem control strings and responses in the Miscellaneous Events view of the server’s Notes Log (LOG.NSF). To conserve disk space, after the problem is fixed, deselect this option to prevent the extra information from being recorded.
Log script I/O: Select this option to help troubleshoot communication problems between servers that occur after the modem establishes a connection. The server records script file responses and replies in the Miscellaneous Events view of the server’s Notes Log (LOG.NSF). To conserve disk space, after the problem is fixed, deselect this option to prevent the extra information from being recorded.
Hardware flow control: Specifies how data is sent between the computer and the modem. Select this option (the default on operating systems other than UNIX) to enable data flow control. Deselect this option only if you’re using a modem or external serial port that doesn’t support flow control. When deselected, messages about errors and retransmissions can appear in the Phone Calls view of the log file (LOG.NSF).
Wait for dialtone before dialing: Select this option (the default) to require the modem to detect a dialtone before dialing. Deselect this option on phone systems where dial tone detection is a problem.
Dial timeout: Specifies the time, in seconds, that the source server continues attempting to connect to the destination server before it cancels the attempt. Increase the dial time-out period when using pulse dialing or when calling overseas. The default value is 60.
Hangup if idle: Specifies the time, in minutes, that the modem on the source server waits before hanging up if there is no data passing through the connection. The default value is 15. For ports that workstation users dial into, specify a longer idle time so users have time to read or compose long documents.
Port number: Specifies the port number for the current port type. Domino automatically sets the port number to the number specified in the port name; for example, if COM7 is the port name, the port number is 7. On UNIX systems, specify a port number N that matches the /dev/cuaN device file that you linked to the asynchronous port.

11. To specify an acquire script for this port, click Acquire Script, select
the script in the Acquire Script dialog box, and then click OK.
For more information on acquire scripts, see the topic “Writing and
editing acquire and login scripts” later in this chapter.
12. If necessary, you can edit acquire scripts and modem command files.
For information about editing modem command files and acquire
scripts, see the topic “Modifying modem command files and acquire
scripts” later in this chapter.
Modifying modem command files and acquire scripts
When you modify a modem command file or acquire script, you can only
modify the file on the local server. To apply a modified modem file to a
remote server, edit the file locally and copy it to the Domino
Data/Modems subdirectory on the remote server. Then restart the server
so that the modifications take effect.
1. Use the documentation that came with the modem to determine
which additional commands you must add to the modem command
file.
2. From the Domino Administrator, select the Server - Status tab.
3. From the Tools pane, click Server - Setup Ports.
4. From the Communication Ports box, select the modem
communications port; for example, COM1.
5. Click portname Options, where portname is the name of the
communications port you selected in step 4.
6. To edit a modem file, in the Modem type field, select the modem
command file that you want to modify (typically, Generic
All-Speed Modem File), and then click Modem File.
To edit an acquire script, click “Acquire Script.”
7. Edit the content of the file as necessary. Refer to the comments at the
top of the file for instructions.
8. Click Save to save the file using the current name.
Or, to save the file under a new name, click Save As, enter a new
name for the modified file in the File name field, and then click Save.
9. Click Done to close the Edit dialog box, and then click OK to close
each of the remaining open dialog boxes.
Note To ensure the best performance for connections that use
data-compressing modems, don’t apply Domino network data
encryption to ports using these modems. Rather than reducing the size of
the transmitted data, the modem’s hardware compression techniques can
increase it, negating the benefits of the modem compression. For more
information about setting up network data encryption for a port, see the
chapter “Setting Up the Domino Network.”
Using acquire and login scripts
How you specify a script when making a call depends on the type of
script.

Type of script Steps
Acquire script: Specify the script when you set up the communication port. When the server makes a call using the specified port, Domino uses that acquire script to obtain a modem from a modem pool. Domino runs the commands in the acquire script before running the commands in the modem script.
Login script: Specify a login script in the Notes Direct Dialup Connection document for connecting to a specified server. When making a call to that server, Domino uses the specified login script.

Writing and editing acquire and login scripts
Domino uses acquire and login scripts to make certain connections. A
Domino server that doesn’t have its own modem can use an acquire
script to obtain a modem from a modem pool on a communications
server. The server runs the commands in the acquire script prior to
running the commands in the modem file used to make the connection.
You specify the acquire script to use when configuring the modem port.
Check the documentation that came with the communications server to
see if the server includes an acquire script.
Login scripts provide information required to access a destination server
and are required by some Direct dialup connections. The server runs the
commands in the login script after running the modem command file.
You can edit an existing acquire or login script or create new ones from
scratch using any text editor. When editing or writing scripts, use the
appropriate script commands, keywords, and comments. The keywords
identify and classify the script file. The script commands execute
sequentially. The keywords you use depend on the device that the script
sets up.
Any time you change a script, make sure you save the file with an SCR
extension and copy it to the Notes Data/Modems subdirectory of every
workstation and the Domino Data/Modems subdirectory of every server
that uses the script.
General rules for writing script files
1. Start lines with a colon to indicate a branch label. Do not exceed the
maximum branch label length of eight characters. If you specify more
than eight characters, the script uses only the first eight.
2. Start lines with a semicolon to indicate a comment line.
3. Do not exceed the maximum line length of 80 characters.
4. Embed control characters 0 - 20H in strings. For example, use ^M for
CTRL+M. Use double carets for a literal caret. For example, use ^^M
for CARET+M.
5. Specify up to four optional arguments for login scripts: ^1, ^2, ^3,
^4. Then, when you make a call on the workstation or server, you
enter values for these arguments, or you enter them permanently in
the Connection document in the Domino Directory or Personal
Address Book. The values you enter replace the ^1, ^2, ^3, or ^4 in
the script when you make each call.
6. Raise the data terminal ready (DTR) signal at the start of script file
processing. If the modem does not automatically raise this signal,
you must use the DTR_HIGH command.
Editing script files
Script files are ASCII text files with the extension SCR that Domino stores
in the Modems subdirectory of the Domino data directory. You can open
and edit login scripts and acquire scripts using any text editor. In
addition, you can also open an acquire script for editing from the Port
Setup dialog box during the process of setting up a server’s
communications port.
For information about how to edit a script from the Port Setup dialog
box, see the topic “Configuring a communication port” earlier in this
chapter.
Script keywords
Use these keywords when you write a script file.
DESC
A one line description of the script file’s purpose. Dialog boxes for
selecting the script display the text associated with this keyword. Always
include a DESC line in a script file to provide users with information
about the script. For example, if you open the Acquire Script dialog box
while setting up a communication port, the following text appears for the
default acquire script (COMSERV.SCR):
Acquire a modem via a communications server
Similarly, mobile users who use login scripts when configuring dialup
communications from a Notes client, see the value of the DESC keyword
in the login script.
TYPE
Tells whether the script is an acquire or connect script. For example:
TYPE CONNECT
ARG1...ARG4
For connect scripts only, these optional keywords precede a description
of each of the four script arguments. You may write scripts using from 0
through 4 arguments. For example, you might use the following script
arguments and descriptors in a connect script file:
ARG1 1. REMOTE DTE ADDRESS:
ARG2 2. None entered:
ARG3 3. None entered:
ARG4 4. None entered:
ARG1 is a keyword and “1. REMOTE DTE ADDRESS:” is the description
that appears in the Call Setup dialog box. ARG2, ARG3, and ARG4 are
keywords. “X. None entered:” lets users enter arguments when making
the call. Users can enter arguments when they choose File - Mobile - Call
Server, select More Options, and then select Call Setup; or they can enter
arguments in the Notes Direct Dialup Connection document in the
Domino Directory or Personal Address Book.
Commands for acquire and connect scripts
The available script commands are described below. Each entry gives the command syntax first; brackets mark optional parts.

BREAK [time]
  Sends a communications break. Time is specified in 100 ms intervals. The default is 500 ms and the maximum is 2000 ms. Timing of breaks is not exact.

DTR_HIGH
  Raises the DTR signal on the selected port. If the modem or other communication device does not automatically raise data terminal ready (DTR) at the start of script file processing, use the DTR_HIGH script command or configure DTR on your modem or communication device.

DTR_LOW
  Lowers the DTR signal on the selected port.

ERROR label
  Branches to the specified label if an error previously occurred. If no label is specified, the ERROR condition is cleared, but no branch occurs.

FAIL [text string]
  Terminates execution of the current script. The optional text string is written to the log file (LOG.NSF).

GOTO label
  Branches unconditionally to the specified label. If the label does not exist, the script file terminates, and the error is written to the log file (LOG.NSF).

LOG OFF
  Turns off informational logging if you have Log modem I/O selected (for execution of this script only). Uses the log file (LOG.NSF).

LOG ON
  Turns on informational logging if you have Log modem I/O deselected. This command logs execution of only this script.

PROMPTUSER “Dialog box title” [“Title1” “[initializer]” “Title2” “[initializer]” “Title3” “[initializer]” “Title4” “[initializer]”]
  Displays an interactive dialog box to prompt a user from a script. The user needs to run a script with this command from a Notes client.

REPLY “string”[;]
  Sends a string to the serial port. A carriage return/line feed is sent at the end of the string unless you include a semicolon (;).

WAIT [time] [FOR “string”]
  Waits a given amount of time for the case-sensitive specified string, which must be enclosed in quotes. Any data other than a matched string is passed along. If a time is not specified, waits a maximum of 60 seconds.

WATCH [time] [FOR]
  “string1” statement
  “string2” statement
  ENDW
  Same as WAIT, but with multiple responses and actions. The WATCH command terminates (continues to the next instruction) when one of the strings is matched or when time-out occurs.
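As an added illustration of the command semantics in the table above (example code written for this page, not Lotus or Domino code), here is a small Python simulator that runs a constructed connect script against a constructed modem transcript. It models REPLY, WAIT, WATCH/ENDW, ERROR, GOTO and FAIL as the table describes them; BREAK, DTR_HIGH, DTR_LOW and LOG are only logged, and PROMPTUSER is not simulated. Three things are assumptions rather than taken from the page: labels are written as a name followed by a colon on a line of their own, a WAIT or WATCH that finds no match raises the error flag that ERROR tests, and running out of modem output stands in for the time-out.

```python
# Added example for this page, not Lotus/Domino code: a small simulator for the
# connect-script commands in the table above, run against a constructed modem
# transcript. Label syntax ("name:" on its own line), raising the error flag on
# an unmatched WAIT/WATCH, and "no more modem output" standing in for the
# time-out are assumptions. PROMPTUSER is not simulated.
import re

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def tokenize(line):
    """Split a script line into (quoted, text) tokens; quoted text keeps spaces."""
    return [(m.group(1) is not None, m.group(1) if m.group(1) is not None else m.group(2))
            for m in _TOKEN.finditer(line)]


def run_connect_script(script, modem_responses):
    """Run `script` against a list of modem responses consumed in order.
    Returns (status, sent, log): status is 'ok' when the script runs off its
    end, 'failed' on FAIL or a missing label; sent holds the REPLY strings."""
    lines = [ln.strip() for ln in script.splitlines() if ln.strip()]
    labels = {ln[:-1]: i for i, ln in enumerate(lines) if ln.endswith(":")}
    responses = list(modem_responses)
    sent, log = [], []
    error = False

    def consume_until(patterns):
        # Read modem output until one pattern is a case-sensitive substring of
        # it; other data is passed along (logged). None means time-out.
        while responses:
            chunk = responses.pop(0)
            for pat, stmt in patterns:
                if pat in chunk:
                    return stmt
            log.append("passed: " + chunk)
        return None

    def fail(text):
        log.append("FAIL " + text)
        return "failed", sent, log

    pc = 0
    while pc < len(lines):
        line = lines[pc]
        pc += 1
        if line.endswith(":"):
            continue                                # label line
        toks = tokenize(line)
        if toks[0][1].upper() == "WATCH":
            patterns = []                           # ("string", statement tokens)
            while pc < len(lines) and lines[pc].upper() != "ENDW":
                body = tokenize(lines[pc])
                patterns.append((body[0][1], body[1:]))
                pc += 1
            pc += 1                                 # skip ENDW
            toks = consume_until(patterns)
            if toks is None:
                error = True                        # time-out: continue after ENDW
                continue
        cmd = toks[0][1].upper()
        if cmd == "REPLY":
            text = toks[1][1]
            no_crlf = len(toks) > 2 and toks[2][1] == ";"
            sent.append(text if no_crlf else text + "\r\n")
        elif cmd == "WAIT":
            quoted = [t[1] for t in toks[1:] if t[0]]
            if quoted and consume_until([(quoted[0], True)]) is None:
                error = True
        elif cmd == "ERROR":
            if len(toks) == 1:
                error = False                       # no label: clear the condition
            elif error:
                if toks[1][1] not in labels:
                    return fail("no such label " + toks[1][1])
                pc = labels[toks[1][1]] + 1
        elif cmd == "GOTO":
            if toks[1][1] not in labels:
                return fail("no such label " + toks[1][1])
            pc = labels[toks[1][1]] + 1
        elif cmd == "FAIL":
            return fail(" ".join(t[1] for t in toks[1:]))
        elif cmd in ("BREAK", "DTR_HIGH", "DTR_LOW", "LOG"):
            log.append(line)                        # no effect on the simulation
        else:
            raise ValueError("unsupported command: " + cmd)
    return "ok", sent, log


# Constructed script (straight double quotes; label lines are an assumption).
DIAL_SCRIPT = """
DTR_HIGH
REPLY "ATZ"
WAIT 5 FOR "OK"
ERROR nomodem
REPLY "ATDT5551234"
WATCH 60 FOR
"CONNECT" GOTO online
"BUSY" FAIL "Line busy"
"NO CARRIER" FAIL "No carrier"
ENDW
FAIL "No answer from remote"
nomodem:
FAIL "Modem did not respond to ATZ"
online:
WAIT 2
"""

if __name__ == "__main__":
    for transcript in (["OK", "RING", "CONNECT 56000"], ["OK", "BUSY"], []):
        print(transcript, "->", run_connect_script(DIAL_SCRIPT, transcript)[0])
```

Run it with different transcripts to see each path: ["OK", "RING", "CONNECT 56000"] reaches the end of the script (RING is passed along, CONNECT matches the first WATCH line), ["OK", "BUSY"] takes the BUSY line of the WATCH, ["OK"] lets the WATCH time out so execution continues at the FAIL after ENDW, and an empty transcript makes the first WAIT fail so that ERROR branches to nomodem.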

Connecting Notes clients to servers


After you set up a server to accept inbound connections, it can accept
them from both servers and clients. The methods used to establish
connections from clients to servers on remote networks are similar to
those used when connecting one server to another. To connect to a
remote Domino server, clients may require Connection documents, and
depending on the type of connection, might also require a modem, COM
port information, and other data, documents, and files. You can also
connect clients to non-Domino Internet servers. The following table lists the documents, files, and information required to create each type of client-to-server connection.
Requirements for connecting Notes clients to remote servers over various access media

Notes client connecting directly to the Domino network over a LAN, cable data network, or digital subscriber line (DSL)
  Required documents in the Personal Address Book: Office Location document. For connections through a passthru server, the Location document must specify the name of the passthru server, and a Passthru Connection document is required.
  Additional files and information required: Notes user ID; name of a server containing a Domino Directory; name and port number of the proxy server, if any.

Notes client connecting directly to the Domino network over a dialup line
  Required documents in the Personal Address Book: Home (Notes Direct Dialup) Location document; Notes Direct Dialup Connection document. For connections through a passthru server, the Location document must specify the name of the passthru server, and a Passthru Connection document is required.
  Additional files and information required: Notes user ID; name of a server containing a Domino Directory; dialup phone number; modem and COM port information.

Notes IMAP or POP3 mail client connecting directly to an Internet mail server over a LAN, cable, or DSL connection
  Required documents in the Personal Address Book: Internet Location document; Account documents.
  Additional files and information required: e-mail address; incoming and outgoing mail server addresses; proxy server information.

Notes IMAP or POP3 mail client connecting to an Internet mail server over a dialup connection
  Required documents in the Personal Address Book: Home (Network Dialup) Location document; Account document; Network Dialup Server document.
  Additional files and information required: Internet mail address; ISP account and password; incoming and outgoing mail server addresses; dialup telephone number.
To connect to Domino through a passthru server, users must specify the
name of the passthru server in the current Location document and set up
Passthru Connection documents.
Chapter 5
Setting Up and Managing Notes Users
After setting up and configuring the first Lotus Domino 6 server, you can
set up Lotus Notes 6 users.
Setting up Notes users
Lotus Notes 6 users are people who use the Notes client to access
Domino servers and databases and have a Notes ID, a Person document,
and, if they use Notes Mail, a mail file.
Before you register new Lotus Notes 6 users, you may want to specify
default settings that apply to all users you register. Default settings make
user registration easy and fast and ensure that user settings are
consistent.
You can define many default settings, such as what mail server users
have or what certifier ID to use for user registration. You can also specify
a default workstation execution control list (ECL) to protect data from
unauthorized workstation access.
To define default settings, use any of these tasks:
1. Create a Registration Settings document to define default user
registration settings.
2. Create a user Setup Settings document to populate the user’s
Location document and bookmarks. Setup settings include Internet
browser and proxy settings, applet security settings, and desktop
and user preferences.
3. Create a Desktop Settings document to make dynamic changes on
user workstations.
4. Create a default workstation execution control list (ECL) to set up
workstation security.
5. Specify default user registration settings in Administration
Preferences.
6. Specify default user settings in the Register Person dialog box.
For more information on policies and settings documents, see the chapter
“Using Policies.”
To set up Notes users, you can register them in Notes or migrate them
from an external mail system or directory. Before you begin to add users,
it is best to specify default settings that Notes applies during registration.
To add users, you register them and use the Lotus Domino 6
server-based certification authority which issues the appropriate
certificate or use the appropriate certifier ID and password, which
generates a user ID and certificates that allow users appropriate system
access. After registering Notes users, you need to prepare the installation
files so users can install Notes on their workstations.
User registration
You need to register users before they can install Notes on their
workstations. For each user, the registration process creates:
A Person document in the Domino Directory.
A  user ID that is stamped with appropriate certificates (does not
apply to non-Notes users).
A  mail file (Optional).
Notes offers different options for registering users. For example, using
Basic user registration is fast and easy because it automatically assigns
many default settings to users. If you use Advanced user registration,
you can assign more advanced settings, such as adding a user to a
Windows NT or an Active Directory group. You can also register users
by importing them from a text file or migrating them from a foreign
directory.
If you use the Register Person dialog box to register users, you can sort,
view, and modify user settings in the view of the User Registration
Queue (USERREG.NSF) that appears in the dialog box. This database
contains information on users pending registration. When you exit the
Register Person dialog box, you can save all users pending registration
and register them later. When you access the dialog box again, the User
Registration Queue automatically opens to display all users pending
registration.
Before you register users, review your organization’s hierarchical name
scheme and decide where each user fits into that scheme. Based on the
name scheme, you know which certifier ID to use to register users, which
server to use as the registration server, and on which server to store the
user’s mail files. When you register users, you must have the appropriate
access to each server that you use, and you must know the password for
each certifier ID that you use. If you intend to implement policies in your
organization, create policies and settings documents before you register
users so that you can assign policies during registration.
For more information on creating non-Notes users, see the topic
“Creating non-Notes, Internet Users” in this chapter.
User registration and the server-based certification authority
When registering users, you have the option of using the traditional
certifier ID and password combination or using the Domino server-based
certification authority (CA). Prior to registering users, you need to
understand the Domino server-based CA, be familiar with the benefits of
using the CA, and know how to use the Domino server-based CA. An administrator can be designated as a Registration Authority (RA) for the server-based CA: assign the RA role to the administrator responsible for user registration, and that one administrator can register users with certificates issued by the server-based CA without needing the certifier ID and its password.
For more information on the Domino server-based certification authority,
see the chapter “Setting Up a Domino Server-Based Certification
Authority.”
Example of registering two Notes users
Here is an example of how administrators at the Acme Corporation
registered two users based on each user’s place in the organization’s
hierarchy. The users work in different locations and departments.

Alan Jones works in the Sales department in Acme's East Coast division. To give Alan appropriate access within the system and to place him appropriately in the hierarchy, the administrator uses the Sales/East/Acme certifier ID to register him. Alan Jones' full hierarchical name then becomes Alan Jones/Sales/East/Acme.
The administrator specifies Mail-E, which is located on the East Coast
Acme LAN, as Alan’s mail server. Then Alan’s mail server is on the same
LAN as his workstation, so that when he receives and sends mail, he can
connect directly to the server that stores his mail file.
Robin Rutherford works in the Accounting department in Acme’s West
Coast division. The administrator uses the Accounting/West/Acme
certifier ID to register Robin. Mail-W is Robin’s mail server, and her full
hierarchical name is Robin Rutherford/Accounting/West/Acme.
Customizing user registration
You can define specific options to customize how Domino registers users.
If you choose to use a certifier ID and password instead of the Lotus
Domino 6 server-based certification authority (CA), Domino uses the
certifier ID specified in Administration Preferences; or if there is none, it
uses the ID specified in the CertifierIDFile setting in the NOTES.INI file.
1. Make sure to have the following before you begin customizing user
registration:
• Access to the certifier ID and its password, if you are not using a certifier enabled for the CA process.
• Editor access, or Author access with the Create documents privilege, plus the UserCreator role in the Domino Directory. The UserCreator role is required regardless of your access level.
• Access to the Domino Directory from the machine you work on.
• Local or remote access to USERREG.NSF.
• Create new databases access on the mail server to create user mail files during registration.
• Create document access to CERTLOG.NSF on the registration server.
• GroupModifier role or at least Editor access to add users to groups.
Note Do not modify the ACL for USERREG.NSF using the File - Database - Access Control menu commands. Use the User Registration Database Access button on the Advanced Person Registration Options dialog box.
2. From the Domino Administrator, click the People & Groups tab.
3. From the Servers pane, choose the server to work from.
4. Select Domino Directories, and then click People.
5. From the Tools pane, click People - Register. Enter the password for
the certifier that you are currently using.
Note While registering a user, you can specify whether you want to
register the user with the server-based CA, or with a certifier ID and
password. This selection is made on the ID Info panel in advanced
user registration.
6. Click the Options button, and then choose any of these options:

Do not continue on selected registration errors
  Stops registration if you are registering multiple users and the registration encounters an error. The default is to continue on registration errors.

Keep successfully registered users in the queue
  Keeps successfully registered users in the queue. The default is to remove successfully registered users from the queue.

Try to register queued people with error status
  Tries to register queued users even if their registration status contains errors. For example, if you choose this option, a user whose password is insufficiently complex is registered anyway, so the option bypasses the password quality check. The default is not to register queued users who have error status.

Allow registration of previously registered people
  Allows registration of users who were previously registered in Notes. The default is not to register previously registered Notes users.

Search all directories for duplicate names
  Checks every directory to see if the user's name already exists.

Enforce short name uniqueness
  Forces all short names to be different from one another.

Don't prompt for a duplicate person
  If you choose this option, these additional options appear. Choose one:
  • Skip the person registration: skips the user registration for both short name and full name single matches.
  • Update the existing address book entry: overwrites the existing user if the single match found is on the full name. Short name uniqueness is then required.
  The default is to prompt for duplicate users.

Don't prompt for a duplicate mail file
  If you choose this option, these additional options appear. Choose one:
  • Skip the person registration.
  • Generate a unique mail file name by appending a number, beginning with 1, then 2, and so on, to the non-unique mail file name until a unique name is found.
  • Replace the existing mail file. This option does not apply when the mail file is being created in the background by the Administration Process, or if the current ID does not have Delete access to the mail file being replaced.
  The default is to prompt for a duplicate mail file.

Don't prompt for a duplicate roaming directory
  If you choose this option, these additional options appear. Choose one:
  • Skip the person registration.
  • Generate a unique roaming directory name by appending a number, beginning with 1, then 2, and so on, to the non-unique roaming directory name until a unique name is found.
  The default is to prompt for a duplicate roaming directory.

Generate random user passwords
  Select this check box to assign random passwords automatically to the users you are registering. If you select this option, you do not need to specify passwords for the users you are registering.

User Registration Database Access
  Displays the Registration Database Access Control Settings dialog box, where you can add or remove members of the access control list and change access control settings.
7. Click OK.
Registering users
You can use any of these methods to register Notes users:
• Basic user registration
• Advanced user registration
• Text file registration
• Registration settings
• Migration tools (for people using an external mail system or directory)
• Basic user registration from the Web Administrator
• Advanced user registration from the Web Administrator
The method you use to register people depends on a number of issues,
including whether you have defined default settings, whether you want
to assign users more advanced options (such as alternate names),
whether you need to import users from a foreign mail system or
directory, and whether your user settings are in a text file.
Note When registering users with non-ASCII characters in their user
names, Notes attempts to convert non-ASCII characters to ASCII. If one
or more characters cannot be converted to ASCII, the Internet address is
not generated. You need to be aware of this when registering users
whose names cannot be converted to ASCII characters because you will
need to create those Internet addresses manually.
Basic registration
For fast and easy registration, use the Basic user registration options.
Basic registration requires you to define user-specific settings, such as
user name and password, but also offers you the convenience of
applying some default settings to users. You can define default settings
in the Registration preferences (found in the Administration Preferences
dialog); you can define settings in the Register Person dialog; or you can
use Notes default settings. Some of the non-default settings you define in
Basic registration include the user name and password. You can also
assign users to specific groups.
All settings available in Basic registration are also available in Advanced
registration. You can choose to view and perform Advanced registration
at any time by clicking the Advanced check box in the Register Person
dialog.
Advanced registration
Advanced registration offers all the settings included in Basic registration
and also allows you to change default settings and define advanced or
specific settings — for example, assign an alternate name to a user or add
the user to a Windows NT or Active Directory group.
Text file registration
To register users from a text file — that is, a file that contains information
on one or more users — import them into the registration queue from the
Register Person dialog box. This action creates an entry for each user in
the User Registration Queue and allows you to modify user settings
individually.
Web registration
User registration can now be done using the Domino Web Administrator.
You register users via the Web in a manner that is very similar to user
registration done with the Domino Administrator.
For more information on registering users with the Web Administrator,
see the topic “Using the Domino Web Administrator to register users” in
this chapter.
If you are a service provider, for more information on registering users
from the hosted organization site, see the chapter “Managing a Hosted
Environment.”
Registration Settings
To simplify the process of registering users, you can create policies and
Registration Settings documents to preset registration settings for
different types of users. For example, users who work in Human
Resources may have different registration settings than users who work
in Sales. You can create Registration settings for both groups of users,
and use them to register everyone with the proper settings. In addition,
when you add new users to either group later, the same registration
settings apply.
Note Registration settings do not apply to user registration done with
the Web Administrator.
Migration from external mail system or directory
You can migrate users who use an external mail system or directory into
Notes. You register them using migration tools accessed through the
Migrate People button in the Register Person dialog box. After migrating
them, you can modify their settings.
The following list details the types of users you can migrate into Notes:
• Lotus cc:Mail
• Microsoft Exchange
• LDIF (from an LDAP directory)
• LDAP
• Microsoft Mail
• Windows NT/Windows 2000
• Active Directory
Roaming users
Users who access Notes from more than one Notes client can access their
customized settings and personal information automatically from any
Notes client in the domain. Data for these users, known as roaming users,
replicates between the user’s machine and a roaming user server, where
these files are stored. When a roaming user logs on from a different
Notes client, it automatically retrieves the user’s ID file, Personal
Address Book, bookmarks, and journal from the roaming user server.
Any changes the user makes in these files replicate to the roaming user
server. This enables the roaming user to have a consistent experience
from any Notes client.
Using default user settings when registering users
When you use default settings, the user registration process is fast and
easy. The default settings can originate from a variety of sources:
• Notes includes a set of default settings.
• You can define default settings in the registration preferences in the Administration Preferences dialog box. Define these settings before registering users. The registration preferences do not offer all the default settings, only some of the more basic ones, such as designating the Registration server.
  For more information on registration preferences, see the chapter “Setting Up and Using Domino Administration Tools.”
• You can define default settings through the user registration interface using either of two methods: one method uses the settings for a user previously added to the user registration queue, and the other uses settings defined on the Register Person - New Entry dialog box.
  For example, if you have already added users to the user registration queue, the non-user-specific settings that were applied to the last user serve as defaults for the next user. Similarly, you can define settings on the Register Person - New Entry dialog box. If you import or migrate users while in this mode, they inherit the settings you defined.
Only settings you define as registration preferences remain from session
to session. All other default settings return to Notes defaults each time
you begin a new registration session.
Default Notes user registration settings
This table lists all the default user registration settings that Notes
provides. The values in this table appear only under these conditions:
• Previous values have not been set in Registration preferences
• Previous values have not been set in the Register Person dialog box
User registration fields that do not appear in this table do not have
default values.

Registration Server: Local server if it contains a Domino Directory. Otherwise, the server specified in the NewUserServer setting of the NOTES.INI file, or the Administration server.
Password Quality Scale: 8
Set Internet password: Off
Internet address: FirstnameLastname@Internet domain, for example RobinRutherford@Acme.com.
Internet Domain: Current TCP/IP host domain
Address name format: Firstname Lastname
Mail server: Local server if it contains a Domino Directory; otherwise the Administration server
Mail file template: Mail (R6)
Create file now: On
Mail system: Lotus Notes
Mail file name: mail\<firstinitial><first7charactersoflastname>.nsf
Mail file owner access: Editor with Delete documents rights
Create full text index: Off
Set database quota: Off
Set warning threshold: Off
Create a Notes ID for this person: On
Let this person roam: Off
Certifier ID: If you are not using the server-based certification authority (CA), Notes uses the certifier ID specified in Administration Preferences; or if there is none, it uses the ID specified in the CertifierIDFile setting of the NOTES.INI file. If you are working in a hosted environment and registering users to a hosted organization, be sure that you are working with a certifier that was created for that hosted organization.
Security type: Either North American or International
Certificate expiration date: Two years from current date
Location for storing user ID: In Domino Directory
Local administrator: None
Put roaming user files on mail server: On
Personal roaming folder: roaming\
Sub folder format: FirstName LastName
Create roaming files now: Selected
Clean-up action: Do not clean up

Using Basic Notes user registration with the Domino Administrator


Perform Basic user registration to assign users basic settings, such as a
name and password, and to add users to existing groups. To make
registration fast and easy, Basic registration uses default values for all
other user settings. If you have selected the Advanced option, you are
using Advanced user registration, not Basic user registration.
For more information on Advanced user registration, see the topic
“Using Advanced user registration” in this chapter.
If you want to assign advanced and/or specific settings to a user — such
as giving users alternate names or adding users to Windows NT groups
— use Advanced user registration.
Note To modify user settings after you add the user to the User
Registration Queue, select the user from the queue and then make your
changes. To modify certain settings for multiple users at once, select the
names in the queue and then make changes.
Naming conventions
When adding users, user names can consist of multiple-byte characters,
uppercase and lowercase alpha characters (A - Z), numbers (0 - 9), and
the ampersand (&), dash (-), dot (.), space ( ) , and underscore (_).
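To make the derivation rules concrete, here is an added Python example (written for this page, not IBM or Lotus code) that computes the default values registration derives from a user's name as this chapter describes: the naming-convention check above, the FirstInitialLastName short name, the mail\<firstinitial><first7charactersoflastname>.nsf mail file name, the FirstnameLastname@domain Internet address with the non-ASCII rule from the note earlier in this chapter, the numbered mail file names that the "Don't prompt for a duplicate mail file" option generates, the full hierarchical name under a certifier, and the "Don't prompt for a duplicate person" choices. The lower-case mail file name, the case-insensitive file name comparison, and treating a short-name collision with another person as an error are assumptions; Acme, the names, and the directory contents are constructed.

```python
# Added example for this page, not IBM/Lotus code. Derives the registration
# defaults described in this chapter from a user's name. Names, domain and
# directory contents are constructed.
import unicodedata

ALLOWED_PUNCT = set("&-. _")   # naming conventions: & - . space _


def valid_user_name(name):
    """Letters A-Z/a-z, digits 0-9, the punctuation above, and multibyte
    (non-ASCII) characters are allowed; anything else is rejected."""
    return bool(name) and all(
        ord(c) > 127 or c.isalnum() or c in ALLOWED_PUNCT for c in name)


def short_name(first, last):
    """Default short name: first initial + last name (JSmith for John Smith)."""
    return first[:1] + last.replace(" ", "")


def mail_file_name(first, last):
    """Default mail file: mail\\<firstinitial><first7charactersoflastname>.nsf.
    Lower case is an assumption; the page does not state the case."""
    return "mail\\" + (first[:1] + last[:7]).lower() + ".nsf"


def internet_address(first, last, internet_domain):
    """Default Internet address FirstnameLastname@domain. Non-ASCII characters
    are folded to their ASCII base letter; if any character has no ASCII
    equivalent, no address is generated (None) and the administrator must
    enter one manually."""
    local = ""
    for ch in (first + last).replace(" ", ""):
        if ord(ch) < 128:
            local += ch
            continue
        base = unicodedata.normalize("NFKD", ch).encode("ascii", "ignore").decode()
        if not base:
            return None
        local += base
    return f"{local}@{internet_domain}"


def unique_mail_file(candidate, existing):
    """'Generate a unique mail file name': append 1, 2, ... before .nsf until
    the name is unused. Case-insensitive comparison is an assumption."""
    taken = {e.lower() for e in existing}
    if candidate.lower() not in taken:
        return candidate
    stem, ext = candidate.rsplit(".", 1)
    n = 1
    while f"{stem}{n}.{ext}".lower() in taken:
        n += 1
    return f"{stem}{n}.{ext}"


def hierarchical_name(first, last, certifier):
    """Common name plus the certifier used: Alan Jones registered with
    Sales/East/Acme becomes Alan Jones/Sales/East/Acme."""
    return f"{first} {last}/{certifier}"


def resolve_duplicate_person(full_name, short, directory, on_duplicate):
    """'Don't prompt for a duplicate person' choices. `directory` maps the full
    hierarchical name of each existing Person document to its short name.
    Returns 'register', 'skip', 'update' or 'error'."""
    full_hits = [n for n in directory if n == full_name]
    short_hits = [n for n, s in directory.items() if s == short]
    if not full_hits and not short_hits:
        return "register"
    if on_duplicate == "skip":
        # Skips the registration on a single full-name or short-name match.
        return "skip"
    if on_duplicate == "update":
        # Overwrites the existing entry only on a single full-name match; the
        # short name must then be unique. Treating a short-name clash with
        # another person as an error is an assumption.
        if len(full_hits) == 1 and all(n == full_name for n in short_hits):
            return "update"
        return "error"
    raise ValueError(f"unknown option: {on_duplicate}")


def registration_defaults(first, last, internet_domain, certifier, existing_mail_files=()):
    """Collect the derived defaults for one user in a single dict."""
    return {
        "full_name": hierarchical_name(first, last, certifier),
        "short_name": short_name(first, last),
        "internet_address": internet_address(first, last, internet_domain),
        "mail_file": unique_mail_file(mail_file_name(first, last), existing_mail_files),
    }
```

The duplicate-person path is the one worth checking in your own registration settings: with "Update the existing address book entry" selected and prompting turned off, a new user whose full name matches an existing Person document replaces that document without a prompt, which is why prompting is the default. Likewise a name that folds to no ASCII address leaves the Person document without an Internet address until you add one by hand.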
Hosted Environments
If you are working in a hosted environment, when registering users,
ensure that you are using a certifier that was created for the hosted
organization into which you are registering the users. This applies
regardless of whether you are using a certifier and password or the
server-based CA.
To use Basic registration with the Domino Administrator
1. Make sure you have the following before you begin registration
using the Domino Administrator:
• Access to the certifier ID and its password, if you are not using the Lotus Domino 6 server-based certification authority (CA).
• Access to the Domino Directory from the machine you work on.
• Editor access, or Author access with the Create documents privilege, plus the UserCreator role in the Domino Directory on the registration server.
• Create new databases access on the mail server if you plan to create user mail files during registration.
• Access to the certification log (CERTLOG.NSF) on the registration server.
2. From the Domino Administrator click the People & Groups tab.
3. From the Servers pane, choose the server to work from.
4. Select Domino Directories, and then click People.
5. From the Tools pane, click People - Register. Enter the password for
the certifier that you are currently using.
Note While registering a user, you can specify whether you want to
register the user with the server-based CA, or with a certifier ID and
password. This selection is made on the ID Info panel in advanced
user registration.
6. Click the Registration Server and then select the server that registers
all new users, or accept the default, and then click OK. If you have
not defined a registration server in Administration Preferences, the
server is one of these by default:
• The local server if it contains a Domino Directory
• The server specified in the NewUserServer setting of the NOTES.INI file
• The administration server
7. Enter a first name, middle name (if necessary), and last name. The
user’s Short name and Internet address are automatically generated.
To change the Short name or Internet address, click the appropriate
space and enter the new text.
8. Enter the password for the user ID. Criteria for this password is
based on the level set in the Password Quality Scale in the Password
Options dialog box. The default level is 8. The password you specify
must correspond with the password quality that you select in
“Password Options.”
For more information on password quality scale, see the chapter
“Protecting and Managing Notes IDs.”
9. (Optional) To assign a policy to this user, select one from the Explicit
policy list.
For more information on policies, see the chapter “Using Policies.”
10. (Optional) Click the Policy Synopsis button to see an overview of this
user’s effective policies.
11. (Optional) To enable roaming capability for this user, click the “Let
this person roam” check box.
12. Click the green check mark. The user name appears in the
Registration status view (the user registration queue). Or click the
red X to clear all fields and start over.
13. Click Register, and then click OK.
To add the user to a group during user registration
You can add a user to a group during user registration.
1. Click Advanced, and then click Groups.
2. Choose the group to which you are adding the user, and click Add.
3. Continue the registration process as usual.
Using Advanced Notes user registration with the Domino
Administrator
Advanced registration offers all the settings included in Basic registration
and also allows you to change default settings and apply advanced
settings to users.
Note You can modify user settings at any time once you add the user to
the User Registration Queue by selecting the user from the queue and
then making changes. You can also modify certain settings for multiple
users at once by selecting the users in the queue and making changes.
You can cancel user registration and clear all fields at any time by
clicking the red X.
Hosted Environments
If you are working in a hosted environment, when registering users,
ensure that you are using a certifier that was created for the hosted
organization into which you are registering the users. This applies
regardless of whether you are using a certifier and password or the
server-based CA.
To use Advanced registration with the Domino Administrator
1. Make sure you have the following access before you begin
registration:
• Access to the certifier ID and its password, if you are not using the Lotus Domino 6 server-based certification authority (CA).
• Access to the Domino Directory from the machine you work on.
• Editor access, or Author access with the Create documents privilege, plus the UserCreator role in the Domino Directory on the registration server.
• Create new databases access on the mail server if you plan to create user mail files during registration.
• Explicit policies and settings documents already created, if you plan to use policy-based system administration.
• Access to the certification log (CERTLOG.NSF) on the registration server.
2. From the Domino Administrator, click the People & Groups tab.
3. From the Servers pane, choose the server to work from.
4. Select Domino Directories, and then select People.
5. From the Tools pane, click People - Register.
6. Enter the certifier password and click OK.
Note The Certifier Information Recovery Warning dialog box appears.
Review the information in the dialog box, select the check box and click OK.
7. Click Advanced.
From the Basic tab, complete these fields:

Field  Enter
Registration Server: Click Registration Server to change the registration server (the server that initially stores the Person document until the Domino Directory replicates), select the server that registers all new users, and then click OK. If you have not defined a registration server in Administration Preferences, this server is by default one of these:
• The local server, if it contains a Domino Directory
• The server specified in the NewUserServer setting of the NOTES.INI file
• The administration server
First name, Middle name, Last name: The user’s first and last names and (if necessary) middle name. The user’s Short name and Internet address are generated automatically. To change the Short name or Internet address, click the appropriate space and enter the new text.
Short name: A short name in the format FirstInitialLastName is created automatically as you enter the user’s name. For example, JSmith is the short name for John Smith. You can modify this field.
Password: A password for the user ID.
Password options: Click Password options to set a level for the password in the Password Quality Scale. The default level is 8. For more information, see “Understanding the password quality scale.” Click the check box “Set Internet password” to give Internet users name-and-password access to a Domino server and to set an Internet password in the Person document. This field is selected automatically if you select the Other Internet, POP, iNotes, or IMAP mail types. Click “Synch Internet password with Notes ID password” to make the Internet password in the Person document the same as the Notes password. This is a requirement for users who want to use iNotes Web Access to read encrypted mail or work offline.
Mail system: Click to change the user’s mail system from the default of Lotus Notes to an Internet-based system or iNotes Web Access.

Field  Enter
Explicit policy: Select the explicit policy to apply to this user. For more information on policies, see “Policies.”
Policy synopsis: Click to see a summary of this user’s effective policies.
Let this person roam: Click to enable roaming capabilities for this user. Doing so enables the Roaming tab.
Create a Notes ID for this person: Click to create a Notes ID for this person during the registration process.

Field  Enter
Mail system: Choose one of the available mail types and complete the necessary associated fields:
• Lotus Notes (default)
• Other Internet
• POP
• IMAP
• iNotes
• Other
• None
If you select Lotus Notes, POP, or IMAP, the Internet address is generated automatically.
If you select Other Internet, POP, or IMAP, the Internet password is set by default.
If you select iNotes (iNotes Web Access), you can change other user registration selections to iNotes Web Access defaults by clicking Yes when prompted.
If you select Other or Other Internet, enter a forwarding address. This address is the user’s current address, where the user wants mail to be sent. For example, if a user temporarily works at a different location and/or uses a different mail system, the user can have her mail forwarded to that new address. Or, a user may resign from the company but leave a forwarding address so that mail addressed to the old address is forwarded to the new location.

Field  Enter
Mail server: The user’s mail server. If you have not defined a mail server in Administration Preferences, this server is (by default) the local server if it contains a Domino Directory; otherwise, it is the Administration server.
Mail file: The file name of the mail file. By default, the path name and file name are mail\<firstinitial><first7charactersoflastname>.nsf.
Create file now/Create file in background: Choose one:
• Create file now (default).
• Create file in background. Creating mail files in the background forces the Administration Process to create the files and saves time during the user registration process. When you migrate users who have mail to convert, this field is automatically set to Create file now.
Mail file template: A mail template from the list of available mail templates. For a description of the template, select the template and click About. The default is Mail(R6) (MAIL6.NTF).
Create full text index: Click to generate a full-text index of the mail database.
Mail file replicas: Click to open the Mail Replica Creation Options dialog box, on which you can select the servers to which the mail file will replicate. This option only applies to clustered servers.
Mail file owner access: Select the level of access in the access control list to assign to the user of the mail database from the Mail file owner access list. By default, mail users have Editor with Delete documents access to their own mail files; all other users have no access. This option can be used to prevent mail users and/or owners from deleting their own mail file. If the mail owner access is Designer or Editor, the administrator ID currently being used is added to the mail file ACL as Manager.
Set database quota: Click to enable, and then specify, a size limit (maximum of 10GB) for a user’s mail database.
Set warning threshold: Click to generate a warning when the user’s mail database reaches a certain size, and then enter the warning size (maximum of 10GB).

Field  Enter
Internet address: The Internet e-mail address assigned to this user.
Internet Domain: The domain to be used in the Internet address, for example, Acme.com.
Address name format: The format of the Internet address. The default format is FirstNameLastName@Internet domain without a separator, for example, RobinRutherford@Acme.com.
Separator: The character inserted between names and initials in the Internet address. The default is None.

Field  Enter
Create a Notes ID for this person: Click to create a Notes ID for this user.
Certifier name list: Choose a certifier ID to use when creating the user name during user registration when a Notes user ID is not being created for the user. This field appears if the check box “Create a Notes ID for this person” is not selected. If you are working in a hosted environment and are registering a user to a hosted organization, be sure to register that user with a certifier created for that hosted organization.
Use CA process: Click to use the Lotus Domino 6 server-based certification authority (CA) to register this user. The certifier ID and password will not be needed to complete the user registration process if you use the Lotus Domino 6 CA. If you are working in a hosted environment and are registering a user to a hosted organization, be sure to register that user with a certifier created for that hosted organization. This field appears if the check box “Create a Notes ID for this person” is selected.
Certifier ID: Click if you want to use a certifier ID and password instead of the server-based CA. To change to a different certifier ID, click Certifier ID, select the new ID, enter the password, and then click OK. If you are working in a hosted environment and are registering a user to a hosted organization, be sure to register that user with a certifier created for that hosted organization. This field appears if the check box “Create a Notes ID for this person” is selected.
Security type: Choose either North American or International. The security type determines the type of ID file created and affects encryption when sending and receiving mail and encrypting data. North American is the stronger of the two types. This field appears if the check box “Create a Notes ID for this person” is selected.
Certification expiration date: The expiration date of the user ID in mm-dd-yy format. The default is two years from the current date. This field appears if the check box “Create a Notes ID for this person” is selected.
Location for storing user ID: Choose one:
• In Domino Directory (default). The ID file is stored as an attachment to the user’s Person document.
• In file (default location: <datadirectory>\ids\people\user.id). Click Set ID file to change the path.
• In mail file. This option is only available with iNotes Web Access and allows Notes users to read their encrypted mail while using iNotes Web Access.
This field appears if the check box “Create a Notes ID for this person” is selected.

12. (Optional) To add the user to an existing group:
• Click the Groups tab with the user highlighted (you can also highlight multiple users).
• Select the group or groups to assign and click Add.
For more information on adding users to groups, see the chapter “Setting Up and Managing Groups.”
Setting Up and Managing Notes Users 5-19
Configuration
13. (Optional) If you have enabled roaming capabilities for the user, click
the Roaming tab, and complete any of these fields. The fields do not
appear if you did not click “Let this person roam” on the Basic tab
and “Create a Notes ID for this person.” Domino uses default values
(if available) for fields you do not modify.

Field  Enter
Put roaming user files on mail server: Click to store the user’s roaming information on the same server used for mail.
Roaming Server: Click Roaming Server to open the Choose Roaming User Files Server dialog box, on which you specify the server that stores the user’s roaming information. If you select Put roaming user files on mail server, the Roaming Server defaults to the user’s mail server.
Personal roaming folder: The subdirectory that contains the user’s roaming information. By default, this is based on the sub-folder format you specify, but you can customize it.
Sub-folder format: The method used to name roaming subdirectories on the roaming server. This determines the default Personal roaming folder for each user.
Create roaming files now/Create roaming files in background: Choose one of these:
• Create file now (default).
• Create roaming files in background. Click to create the user’s roaming files the next time the Administration Process runs. Creating roaming files in the background forces the Administration Process to create the files and saves time during the user registration process.

Field  Enter
Clean-up option: Choose one of the following roaming user client clean-up options. Clean-up will only occur on clients that have been installed and configured for multiple users.
• Do not clean-up (default). Roaming user data will never be deleted from the Notes client workstation to which the user roamed.
• Clean-up periodically. Enables the “Clean up every N days” field, on which you specify the number of days that should pass before roaming user data is deleted from the Notes client workstation.
• Clean-up at Notes shutdown. Roaming user data will be deleted from the Notes client workstation immediately upon Notes shutdown.
• Prompt user. The user is prompted on exiting the client as to whether they want to clean up their personal files. If the user chooses Yes, the data directory on that client workstation is deleted. If the user chooses No, the user is prompted as to whether they want to be asked again on that client. If the user chooses No, the user is not prompted again. If the user chooses Yes, the user is prompted again the next time the user exits the client on that workstation.
Roaming Replicas: Click this button to open the “Roaming Files Replica Creation Options” dialog box, on which you can designate the servers to which a user’s roaming files should replicate. This option only applies to clustered servers.

Field  Enter
Setup profile: Name of an R5 User Setup profile to assign. Note If you are using policies, you cannot use a user setup profile.
Unique org unit: A word that distinguishes two users who have the same name and are certified by the same certifier ID.
Location: Departmental or geographical location of the user.
Local administrator: The name of a user who has Author access to the Domino Directory but who does not have the UserModifier role. This setting allows the local administrator to edit Person documents.
Comment: A comment about the user, regarding the user’s registration.
Alternate name language: Choice of alternate name language. The certifier ID used to register this user must contain the alternate name language for it to appear here.
Alternate name: The alternate name of the user. The certifier ID used to register this user must contain the alternate name language for it to appear here.
Alternate org unit: A word that distinguishes two users who have the same name and are certified by the same certifier ID. The certifier ID used to register this user must contain the alternate name language.
Preferred language: Choose a preferred language for the user, that is, the language that the user prefers to use.
Windows User Options: Click to set user options for Windows NT or Windows 2000. Opens the “Add Person to Windows NT/2000” dialog box, on which you can specify whether to add the user to Windows NT and/or the Windows 2000 Active Directory. Enter the Windows account name for the user, and select the name of the Windows NT or Windows 2000 group to which you are adding the user.

15. Click the green check mark. The user name appears in the
Registration status view (the user registration queue).
16. Click Register and then click Done.
Registering users from a text file
When registering users from a text file, you can import them through the
Import Text File button on the Register Person dialog box, which places
users as entries in the User Registration Queue and allows you to modify
user settings individually.
If you want to name the text file in the NOTES.INI file so that Notes does
not prompt you to browse for it, add BatchRegFile=filename to the
NOTES.INI file.
You can also define a separator for the text file by adding
BatchRegSeparator=character to the NOTES.INI file. The separator
character cannot be a character used in any of the user parameter settings
in the text file. If you do not specify a BatchRegSeparator, a semicolon (;)
is used as the separator.
For more information on this NOTES.INI variable, see the appendix
“NOTES.INI File.”
Settings applied to a group of users
These user settings are available for you to modify before using the menu
(choose People - People - Register) to import and register users. Notes
applies these settings to all users in the group.
• Registration Server
• Password Quality Scale
• Set Internet password
• Internet address
• Internet Domain
• Format
• Mail server
• Mail file template
• Mail system
• Mail file name
• Mail file owner access
• Set database quota
• Set warning threshold
• Certifier ID
• Security type
• Certificate expiration date
• Store user ID in Domino Directory or File
• Add users to selected groups
• Local administrator
• Add NT User Accounts
Setting up the text file
To set up a text file, create a line in the text file for each user. Enter the
parameters for each user in exactly the order shown in the table below.
Use one semicolon to separate parameters, and use one semicolon to take
the place of each contiguous parameter that you decide not to specify.
For example, this line in a text file specifies only a last name and
password:
Alexis;;;;password1
This line in a text file specifies a complete name, home server, and User
Setup policies:
Alexis;Catherine;R.;;password1;;;Marketing/Acme;;;;;;Marketing Profile
Note that only the last name and password parameters are required.

Order  Parameter  Enter
1 Last name: The last name of the user. This parameter is required.
2 First name: The first name of the user.
3 Middle initial: The middle initial of the user.
4 Organizational unit: A name for another level to add to the hierarchical name. This name distinguishes between two users who have the same name and are certified by the same certifier.
5 Password: A password for the user. This parameter is required.
6 ID file directory: The directory in which you want to store the user’s ID. You can store the ID in this directory in addition to or instead of as an attachment in the Domino Directory. You must create the directory before registration. For this parameter to take effect, select the In File option on the ID Info panel for storing the user ID. This parameter overrides the default ID directory shown in the Register Person - New Entry dialog box.
7 ID file name: The name you want to assign to the ID file. This file name applies only if you store an ID in an ID file directory. If you do not specify a user ID file name, the name on the ID is based on the person’s name.
8 Mail server name: The name of the user’s mail server. This parameter overrides the one you select during registration.
9 Mail file directory: The mail file directory for the user.
10 Mail file name: The name for the user’s mail file. If you do not use this parameter, the name is based on the person’s name if the person uses Notes mail.
11 Location: Descriptive location information that is added to the user’s Person document. If someone addresses mail to this user and there is another user with the same name, Notes displays the location to help the sender distinguish the two users.
12 Comment: An identifying comment that is added to the user’s Person document.
13 Forwarding address: The full route to the user, for example, JSmith@acme.com. If you don’t enter this information in the text file, you can edit the Forwarding address field in the user’s Person document. This parameter is required for Other and Other Internet mail users.
14 Profile: The name of the user setup profile.
15 Local administrator: The name of a user who has Author access to the Domino Directory. This person can modify the user’s Person document.
16 Internet address: The Internet address of the user. This parameter is required for Lotus Notes, POP3, iNotes, and IMAP mail.
17 Short name: This name is entered by default. A short name is used to create a return Internet address if the Internet address is not entered.
18 Alternate name: The alternate name of the user. Note that the certifier ID used to register this user must contain the alternate name language.
19 Alternate org unit: A word that distinguishes two users who have the same name and are certified by the same certifier ID. Note that the certifier ID used to register this user must contain the alternate name language.
20 Mail template file: The file name of the mail template you want to use.
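The batch file layout described in “Setting up the text file” and the parameter order in the table above can be checked before registration with a small script. This is an added example, not code from Lotus Domino or its documentation: it assumes the semicolon default of BatchRegSeparator, derives the short name and mail file name from the default rules stated earlier in this chapter (lower-casing the mail file name is an assumption the page does not confirm), and works on constructed sample lines, the two quoted in the text plus three made-up users. Function names are the author’s own.

```python
"""Parse and sanity-check a Domino 6 batch user-registration text file.

Added example, not code from Lotus Domino or its documentation. It follows
the 20-parameter, one-user-per-line layout in the table above, the
BatchRegSeparator default of a semicolon, and the default-name rules stated
earlier in this chapter (short name FirstInitialLastName, mail file
mail\\<firstinitial><first7charactersoflastname>.nsf). Function names and
the sample lines are the author's own.
"""

# Parameter order from the "Setting up the text file" table (positions 1 to 20).
PARAMETERS = (
    "last_name", "first_name", "middle_initial", "org_unit", "password",
    "id_file_directory", "id_file_name", "mail_server", "mail_file_directory",
    "mail_file_name", "location", "comment", "forwarding_address", "profile",
    "local_administrator", "internet_address", "short_name", "alternate_name",
    "alternate_org_unit", "mail_template_file",
)
REQUIRED = ("last_name", "password")

# Constructed sample: the two lines quoted in the text plus three made-up
# users that exercise the duplicate-name check. Like any real batch file it
# carries cleartext passwords, so restrict access to it while it exists.
SAMPLE_FILE = """Alexis;;;;password1
Alexis;Catherine;R.;;password1;;;Marketing/Acme;;;;;;Marketing Profile
Smith;John;;;password3
Smith;John;;Sales;password4
Smith;John;;;password5
"""


def parse_line(line, separator=";"):
    """Split one user line into a dict keyed by parameter name.

    Trailing parameters may be omitted (the first sample line gives only five).
    More than 20 fields means the separator also occurs inside a value, which
    the text forbids, so that is rejected instead of silently mis-assigned.
    """
    fields = line.rstrip("\r\n").split(separator)
    if len(fields) > len(PARAMETERS):
        raise ValueError(
            f"{len(fields)} fields: separator {separator!r} occurs inside a value")
    fields += [""] * (len(PARAMETERS) - len(fields))
    return dict(zip(PARAMETERS, (f.strip() for f in fields)))


def default_short_name(user):
    """FirstInitialLastName, for example JSmith for John Smith."""
    return (user["first_name"][:1] + user["last_name"]).replace(" ", "")


def default_mail_file(user):
    """mail\\<firstinitial><first7charactersoflastname>.nsf.

    Lower-casing is an assumption; the page shows the pattern but not its case.
    """
    stem = (user["first_name"][:1] + user["last_name"][:7]).lower()
    return "mail\\" + stem.replace(" ", "") + ".nsf"


def load(text, separator=";"):
    """Parse every non-blank line and fill in the derivable defaults."""
    users = [parse_line(l, separator) for l in text.splitlines() if l.strip()]
    for user in users:
        user["short_name"] = user["short_name"] or default_short_name(user)
        user["mail_file_name"] = user["mail_file_name"] or default_mail_file(user)
    return users


def validate(users):
    """Return a list of problems; an empty list means the batch looks acceptable."""
    problems = []
    seen = {}
    for n, user in enumerate(users, 1):
        for name in REQUIRED:
            if not user[name]:
                problems.append(f"line {n}: parameter '{name}' is required")
        # Two users with the same name under the same certifier collide unless
        # an organizational unit (parameter 4) distinguishes them.
        key = (user["first_name"], user["middle_initial"],
               user["last_name"], user["org_unit"])
        if key in seen:
            problems.append(
                f"line {n}: same name as line {seen[key]} and no distinguishing org unit")
        seen.setdefault(key, n)
    return problems


if __name__ == "__main__":
    batch = load(SAMPLE_FILE)
    for user in batch:
        print(user["short_name"], user["mail_file_name"], user["mail_server"] or "(default)")
    for problem in validate(batch):
        print("problem:", problem)
```

Running the block reports the fifth sample line as a collision with the third; giving the two John Smith entries different organizational units (parameter 4), as the table describes, clears it. Lines with fewer than 20 parameters are accepted, matching the text’s “Alexis;;;;password1” example, while a line with more than 20 is rejected because the separator character must not occur inside any value.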

To register users from a text file


Notes uses the certifier ID specified in Administration Preferences; or if
there is none, it uses the ID specified in the CertifierIDFile setting of the
NOTES.INI file.
1. Make sure that you have the following before you begin registration:
• Access to the certifier ID and its password if you are not using the Lotus Domino 6 server-based certification authority (CA)
• Editor access or the UserCreator role in the Domino Directory on the registration server
• Create new databases access on the mail server if you plan on creating mail files
2. Use a text editor to create a text file that contains ID information for
each user.
3. From the Domino Administrator, click the People & Groups tab.
4. From the Servers pane, choose the server to work from.
5. Select Domino Directories and then click People.
6. Complete Step 7 or Step 8, depending on how you want to import
and register users.
7. To register users and apply individual settings:
a. From the Tools pane, click People - Register. Enter the certifier
password and click OK. The Certifier Information Warning
dialog box may appear. Click OK.
b. Click Import Text File, select the text file, and click Open.
c. To modify user registration settings, select a user from the User
Registration Queue and make your changes on the Register
Person user interface.
d. Click Register to register the highlighted user or select multiple
users in the registration queue and click Register All. Click OK.
For more information on specifying registration settings, see the topic
“Using Advanced Notes user registration” earlier in this chapter.
8. To register users and apply settings to them as a group:
a. Set the registration Administration Preferences and create the
policies that you want to apply to a group of users.
b. From the Tools pane, click People - Register.
5-26 Administering the Domino System, Volume 1
c. Enter the certifier ID password and click OK.
d. Choose the Explicit Policy that you want to apply to the users
you are registering.
e. Click Import Text File, select the text file, and click Open.
f. Click Register or Register All.
For more information on setting Administrator Preferences and
Registration Preferences, see the chapter “Setting Up and Using Domino
Administration Tools.”
For more information on the settings you can modify, see the topic
“Using Advanced Notes user registration” earlier in this chapter.
Registering users with the Web Administrator
Registering users with the Domino Web Administrator is almost identical
to registering users with the Domino Administrator. Before reviewing
this information and before attempting to register users via the Web
Administrator, you need to be familiar with using the Web
Administrator and with Notes user registration in general.
Note The Registration Preferences (from File - Preferences -
Administration Preferences) that can be set for user registration with the
Domino Administrator do not apply to user registration with the Web
Administrator. During user registration on the Web, only registration
settings set through policies or through the server-based CA apply. Other
settings are entered manually or are defaults.
For more information on using the Web Administrator, see the chapter
“Setting Up and Using Domino Administration Tools.”
Web registration and the server-based certification authority
Web registration for Notes users requires the use of the Domino
server-based certification authority (CA). You need to understand what
the Domino CA is, as well as how to set it up and use it.
To register users with the Web Administrator, the Web administrator
must be listed as an RA for that certifier. The server that is running the
Web Administrator should also be listed as an RA but that role is not
required for the server. It is required for the administrator. If the server is
not listed as an RA, the administrator that is an RA will need to open the
Administration Requests database and approve the administration
request to register the user. You must assign the RA role in the Domino
Administrator client, not in the Web Administrator. To assign the RA
role, use the Modify Certifier tool on the Configuration panel.
For more information on the server-based certification authority, see the
chapter “Setting Up a Domino Server-Based Certification Authority.”
Web registration and policies
Web user registration, like user registration done from the Domino
Administrator, can be simplified by assigning policies during the
registration process. Create the policies and related policy settings
documents, prior to initiating Web user registration. Before registering
users, familiarize yourself with policies in Lotus Domino 6 as well as with
using policies with the Web Administrator.
The use of policies for user registration with the Domino Web
Administrator is optional.
For more information on policies, see the chapter “Using Policies.”
For more information on using policies with the Web Administrator, see
the chapter “Setting Up and Using Domino Administration Tools.”
To register users with the Web Administrator
Follow the instructions to register a user, with basic or advanced
registration, in these procedures:
• Using Basic user registration with the Web Administrator
• Using Advanced user registration with the Web Administrator
Using Basic user registration with the Web Administrator
Perform Basic user registration from the Web Administrator to assign
users’ basic settings, such as a name and password, and to add users to
existing groups from a Web browser instead of from the Domino
Administrator.
When using the Web Administrator client, you need to have set up a
server-based certification authority (CA) to register Notes users. The
Web administrator, as well as the server on which the Web
Administrator database resides, must be listed as a registration authority
(RA) for that certifier. You must assign the RA role in the Domino
Administrator client, not in the Web Administrator. To assign the RA
role, use the Modify Certifier tool on the Configuration panel.
For more information on the server-based CA and the RA, see the
chapter “Setting Up a Domino Server-Based Certification Authority.”
Note The Registration Preferences (from File - Preferences -
Administration Preferences) that can be set in user registration with the
Domino Administrator do not apply to user registration with the Web
Administrator. During user registration on the Web, only registration
settings set through policies or through the server-based CA apply. Other
settings are entered manually or are defaults.
To use Basic user registration with the Web Administrator
1. Make sure you have the following before you begin registration:
• The [UserCreator] role in the Domino Directory.
• The registration authority (RA) designation for whatever CA (Certificate Authority) is selected for user registration. The Domino Web Administrator requires the use of the server-based CA.
2. From the Web Administrator click the People & Groups tab.
3. From the Servers pane, select Domino Directories, and then click
People.
4. From the Tools pane, click People - Register.
5. Choose a CA Certifier.
6. (Optional) Choose an Explicit policy.
7. (Optional) If you would like the selections for CA Certifier and
Explicit policy to be set as the default, click the check box “Save as
default.”
8. Click OK.

Field  Action
First name, Middle name, Last name: Enter a first name, middle name (if necessary), and last name.
Short name: The user’s Short name is generated automatically. To change the Short name, enter the new text.
Password: Enter the password for the user ID. Criteria for this password are based on the level set in the Password Quality Scale in the Password Options dialog box.
Password quality: Choose a password quality. The default level is 8. The password you specify must correspond with the password quality that you select in “Password Options.”

Field  Action
Mail System: Choose one of the available mail types and complete the necessary associated fields:
• Lotus Notes (default).
• Other Internet. Choosing this option automatically selects the “Set Internet password” check box.
• POP. Choosing this option automatically selects the “Set Internet password” check box.
• IMAP. Choosing this option automatically selects the “Set Internet password” check box.
• iNotes. You are prompted to make other registration selections for iNotes.
• Other
If you select Lotus Notes, POP, or IMAP, the Internet address is generated automatically.
If you select Other Internet, POP, or IMAP, the Internet password is set by default.
If you select iNotes (iNotes Web Access), you can change other user registration selections to iNotes Web Access defaults by clicking Yes when prompted.
If you select Other or Other Internet, enter a forwarding address. This address is the user’s current address, where the user wants mail to be sent. For example, if a user temporarily works at a different location and/or uses a different mail system, the user can have her mail forwarded to that new address. Or, a user may resign from the company but leave a forwarding address so that mail addressed to the old address is forwarded to the new location.
Set Internet password: Click to set an Internet password.
Synch Internet password with Notes ID: Click to synchronize the Internet password with the Notes ID password.
Create a Notes ID for this person: Click to create a Notes ID.
Explicit policy: (Optional) To assign a policy to this user, select one from the Explicit policy list.



Fields  Action
Mail System: Choose one of the available mail types and complete the necessary associated fields:
• Lotus Notes (default)
• POP
• IMAP
• iNotes
• Other Internet
• Other
• None
If you select Lotus Notes, POP, or IMAP, the Internet address is generated automatically.
If you select Other Internet, POP, or IMAP, the Internet password is set by default.
If you select iNotes (iNotes Web Access), you can change other user registration selections to iNotes Web Access defaults by clicking Yes when prompted.
If you select Other or Other Internet, enter a forwarding address. This address is the user’s current address, the address to which the user wants mail to be sent. For example, if a user temporarily works at a different location and/or uses a different mail system, the user can have her mail forwarded to that new address. Or, a user may resign from the company but leave a forwarding address so that mail addressed to the old address is forwarded to the new location.

Fields  Action
Mail Server: Choose a server to be assigned as the user’s mail server.
Mail file: The file name of the mail file. By default, the path name and the file name are mail\<firstinitial><first7charactersoflastname>.nsf.
Mail template: Choose a mail template from the list of available mail templates. For a description of the template, select the template and click About. The default is Mail(R6) (MAIL6.NTF).
Create full text index: Click to generate a full-text index of the mail database.
Mail file owner access: Select the level of access in the access control list to assign to the user of the mail database from the Mail file owner access list. By default, mail users have Editor with Delete documents access to their own mail files; all other users have no access. This option can be used to prevent mail users and/or owners from deleting their own mail file. If the mail owner access is Designer or Editor, the administrator ID currently being used is added to the mail file ACL as Manager.
Set database quota: Click to enable, and then specify, a size limit (maximum 10GB) for a user’s mail database.
Set warning threshold: Click to generate a warning when the user’s mail database reaches a certain size, and then enter the warning size (maximum of 10GB).
Click the Address tab, and enter values in any of these fields.
Internet address: The Internet e-mail address assigned to this user.
Internet Domain: The domain to be used in the Internet address — for
example, Acme.com.
Address name format: The format of the Internet address. The default
format is FirstNameLastName@Internet domain without a separator — for
example, RobinRutherford@Acme.com.
Separator: The character inserted between names and initials in the
Internet address. The default is None.
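The default mail file name rule from the Mail table above and the default Internet address format from the Address table, applied to a batch of registrations by a PowerShell script. This is an added example and is not part of the Domino documentation: Get-DefaultMailFileName and Get-DefaultInternetAddress are hypothetical helper names, the user list is constructed sample data, and the handling of characters other than letters and digits in a last name is an assumption that the page does not specify.

```powershell
# Added example (not from the Domino documentation). Applies the default
# naming rules from the registration tables to a batch of users and warns
# when two users would receive the same mail file name.
function Get-DefaultMailFileName {
    param(
        [Parameter(Mandatory)][string]$FirstName,
        [Parameter(Mandatory)][string]$LastName
    )
    # Page rule: mail\<first initial><first 7 characters of last name>.nsf
    # Assumption (not stated on the page): characters other than letters and
    # digits are dropped before truncation, and the result is lower-cased.
    $clean = $LastName -replace '[^A-Za-z0-9]', ''
    $stem  = $FirstName.Substring(0, 1) + $clean.Substring(0, [Math]::Min(7, $clean.Length))
    return ('mail\{0}.nsf' -f $stem.ToLower())
}

function Get-DefaultInternetAddress {
    param(
        [Parameter(Mandatory)][string]$FirstName,
        [Parameter(Mandatory)][string]$LastName,
        [Parameter(Mandatory)][string]$InternetDomain,
        [string]$Separator = ''   # page default: None
    )
    # Page rule: FirstName<Separator>LastName@InternetDomain
    return ('{0}{1}{2}@{3}' -f $FirstName, $Separator, $LastName, $InternetDomain)
}

# Constructed sample registrations (not real users)
$users = @(
    @{ First = 'Robin'; Last = 'Rutherford' },
    @{ First = 'Rob';   Last = 'Rutherford-Smith' },
    @{ First = 'Alice'; Last = 'Ng' }
)

$assigned = @{}
foreach ($u in $users) {
    $mailFile = Get-DefaultMailFileName    -FirstName $u.First -LastName $u.Last
    $address  = Get-DefaultInternetAddress -FirstName $u.First -LastName $u.Last `
                                           -InternetDomain 'Acme.com' -Separator '.'
    if ($assigned.ContainsKey($mailFile)) {
        Write-Warning ("{0} {1} would get {2}, already assigned to {3}" -f `
                       $u.First, $u.Last, $mailFile, $assigned[$mailFile])
    } else {
        $assigned[$mailFile] = "$($u.First) $($u.Last)"
    }
    '{0,-22} {1,-20} {2}' -f "$($u.First) $($u.Last)", $mailFile, $address
}
```

Robin Rutherford and Rob Rutherford-Smith both reduce to mail\rrutherf.nsf, which is why the script warns: first initial plus seven characters of the last name is not guaranteed to be unique, so a batch registration should check for repeats before submitting users rather than discover the clash when the second mail file is created.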

Create a Notes ID for this person: Click to create a Notes ID for this
user.
Certifier name list: Choose a certifier from the list if you are not
creating a Notes ID for this user. This field is visible only if you do
not select the check box “Create a Notes ID for this person.”
CA-configured certifier: Choose a CA-configured certifier to use to
register the user. This field is only visible if you select the check box
“Create a Notes ID for this person.”
Certificate expiration: Choose one:
• Months — Enter the number of months during which the certifier is
valid.
• Date — Specify the date on which the certificate expires. The default
is two years from the current date.
This field is only visible if you select the check box “Create a Notes ID
for this person.”
Security type: Choose either North American or International. The
security type determines the type of ID file created and affects
encryption when sending and receiving mail and encrypting data. North
American is the stronger of the two types. This field is only visible if
you select the check box “Create a Notes ID for this person.”
Location for storing user ID: Non-modifiable field that displays the
location in which the user’s ID will be stored. This field is only visible
if you select the check box “Create a Notes ID for this person.”

Create replicas of mail database: Click this check box to create replicas
of the mail files on additional servers that you specify.
Select options for creation of mail database replicas: Use these options
as necessary:
• Add — Click to open the Server for Mail File Replica Creation dialog
box. Use this dialog box to choose the server(s) on which to create mail
file replicas.
• Remove — Choose one or more servers to remove from the list of servers
on which to create mail file replicas, and then click Remove.
• Remove All — Click to remove all servers from this list.
These options are available only if the check box “Create replicas of
mail database” is selected.

Roaming user registration: Click to activate the roaming user options to
register this user as a roaming user.
Put on mail server / Choose a server: Choose one of these:
• Put on mail server — Click to place the user’s roaming files on the
user’s mail server.
• Server name — Click to store the user’s roaming file on the “Current
Server” or select another server of your choice.
Personal roaming folder: The subdirectory that contains the user’s
roaming information. By default, this is based on the sub-folder format
you specify, but you can customize it.
Sub-folder format: The method used to name roaming subdirectories on the
roaming server. This determines the default Personal roaming folder for
each user.
Clean-up options: Choose one of the following roaming user client
clean-up options. Clean-up will only occur on clients that have been
installed and configured for multiple users.
• Do not clean-up (default) — Roaming user data is not deleted from the
Notes client workstation to which the user roamed.
• Clean-up every — Enables the “Clean up every N days” field on which
you specify the number of days that should pass before roaming user data
is deleted from the Notes client workstation.
• Clean-up at Notes shutdown — Roaming user data is deleted from the
Notes client workstation immediately upon Notes shutdown.
• Prompt user — The user is prompted on exiting the client as to whether
they want to clean up their personal files. If the user chooses Yes, the
data directory on that client workstation is deleted. If the user chooses
No, the user is prompted as to whether they want to be asked again on
that client. If the user chooses No, the user is not prompted again. If
the user chooses Yes, the user is prompted again the next time the user
exits the client on that workstation.

16. Click Register and Done.


Registering non-Notes, Internet users
Use the Domino Administrator to create non-Notes, Internet-only users.
Internet-only users do not have Notes IDs or certified public keys.
The procedure for creating a non-Notes, Internet-only user requires the
use of the User Registration interface as well as many of the security
features such as the Certificate Requests database and the Domino
server-based CA.
During this procedure, the user must open the Certificate Requests
database to accept the certificate authority in their browser and request a
client certificate. The user must be logged on to the workstation and
browser that needs to establish the trust with the CA. After the request
has been approved and processed, the user picks up the certificate, using
the same browser on the same workstation used to make the request. The
user then needs to export the certificate. The final step is importing the
Internet certificate into the user’s Person document.
Before completing this procedure, read the chapter “SSL and S/MIME
for Clients.”
Setting Up and Managing Notes Users 5-37
Configuration
To set up an Internet user
1. From the Domino Administrator, click the People & Groups tab.
2. Select Domino Directories, and then click People.
3. From the Tools pane, click People - Register.
4. Complete the fields in the User Registration user interface, following
the instructions in the topic Using Advanced Notes user registration
with the Domino Administrator with these exceptions:
• On the Basics tab, in the Mail System field, do not select Lotus Notes
as the mail system. Choose an Internet-based mail system instead.
• On the Basics tab, do not select the check box “Create a Notes ID for
this person.”
• (Optional) On the Address panel, for users with a mail system of “Other
Internet” enter a forwarding address. The forwarding address is the
Internet address to which this user would like their e-mail forwarded in
the event they leave the company.
• On the ID Info panel, ensure that you do not select the check box
“Create a Notes ID for this person.”
• The Roaming panel does not apply to Web-only users because roaming
users are required to have Notes IDs. Internet-only users do not have
Notes IDs.
5. When registration is complete, add an Internet Certificate to the
user’s Person document by completing the procedures in the topic
“To obtain an Internet certificate for an Internet client.”
Adding an alternate language and name to a user ID
The alternate naming feature allows you to assign two names to a user: a
primary name and alternate name. The primary name is internationally
recognizable; the alternate name is recognizable in the user’s own native
language. Before you can add an alternate name to a user, add an
alternate language and name to the certifier ID by recertifying the
certifier ID. You cannot add alternate names to servers.
Alternate names are helpful because they let users use their native
language and character set for display and name lookup purposes. For
example, a user can type in a name in a native language and character set
when sending mail or choose to display all documents in a database in a
native language and character set.
5-38 Administering the Domino System, Volume 1
Each alternate name is associated with a language specifier that identifies
the native language of the name. Typically, the alternate name is
specified in a character set consistent with the specified language;
whereas the primary name is specified in an internationally recognizable
character set. Both types of names provide the same security within the
Domino system. For example, you can use alternate or primary names in
an ACL or a group.
You can add multiple alternate names to an organization certifier (as
many alternate names as there are language specifiers recognized by
Notes). An organizational unit certifier may also contain multiple
alternate names, but each name must correspond to one of the language
specifiers assigned to its parent certifier. The organizational unit certifier
does not need to contain all the language specifiers that its parent
contains. For example, /Acme may contain five language specifiers,
while its child certifier Sales/Acme contains a subset of those.
A user ID may contain only one alternate name. The language specifier
associated with the alternate name must correspond to a language
specifier in the parent certifier ID. When you assign an alternate name to
a user, the alternate name and language specifiers are added to the user
ID, to the Notes certificates issued to the user, and to the user’s Person
document.
To add an alternate name to a certifier ID
In this procedure, you assign an alternate name and its associated
language to the organization certifier ID and its organizational unit
(child) certifiers through the certification process. You first recertify the
organization certifier, and then use the certifier to recertify its
organizational unit certifiers.
1. Have the certifier ID to which you want to add the alternate name
accessible, if you are not using the Lotus Domino 6 server-based
certification authority (CA).
2. From the Domino Administrator, click the Configuration tab.
3. Choose Certification, and then click Certify.
4. If the server name that is shown is not the registration server, click
Server, choose the server you want to use and click OK.
5. Do one of these:
• To use the server-based CA, click Use the CA process and select a
CA-configured certifier from the list.
• To use a certifier and password, click Supply certifier ID and
password, click Certifier ID, select the certifier ID, and then click
OK. Enter the password and click OK.
6. Select the ID you want to recertify and then enter the password and
click OK. To add an alternate language and name to the organization
(root) certifier, select the same ID that you chose in the previous step.
7. Click Add.
8. Choose the alternate language in the Language field. If you are
recertifying an organizational unit certifier, the available languages
include all languages associated with the organization (root)
certifier ID.
9. (Optional) Enter a country code for the organization. This option is
available only for organization certifier IDs.
10. Enter a name for the organization/organization unit in the
Organization/OrgUnit field.
11. Click OK.
12. (Optional) To add another alternate language, click the Add button
and repeat Steps 7 through 11.
13. Click Certify.
To add an alternate name to an existing user ID
Use the Lotus Domino 6 server-based certification authority (CA) or the
certifier ID to recertify the user.
1. Make sure that the certifier contains an alternate name with the
language specifier you want to use.
2. From the Domino Administrator, click the People & Groups tab.
3. From the Servers pane, choose the server to work from.
4. Click the Configuration tab.
5. Choose Tools - Certification - Certify.
6. If you are not using the Lotus Domino 6 server-based certification
authority (CA), select the certifier ID that certified the user ID to
which you are assigning an alternate name and enter the password.
Click OK.
7. Select the user ID to which you are assigning an alternate name and
enter the password. Click OK.
8. Click Add. Select a language from the list and enter a new Common
Name for that language, and click OK.
9. (Optional) Specify a new certifier expiration date and a new
password quality.
10. Click Certify.
11. When you are prompted whether you want to certify another ID, click
Yes or No accordingly.
To add an alternate name while registering a new user
Before you add an alternate name to a new person, make sure you have a
certifier that contains the alternate name and language specifier you
want to use. You assign the name and language in the Other pane of the
Register Person dialog box during advanced user registration.
For more information on advanced user registration, see the topic “Using
Advanced Notes user registration” earlier in this chapter.
Setting up client installation for users
Depending on the size of your enterprise, you may need to provide an
installation method for only a few users or for thousands of users. In
addition, you may need to customize the installation process so that
users install only the features they need. After you register users, decide
how to deploy client installations for users. Users can install all three
clients — the Notes client, Domino Administrator client, and Domino
Designer® — or they may install only one or two clients.
As an administrator, you can customize the installation process for your
users so that they install the features that they need. The installation
information in this section ranges from installing the Domino clients
using the installation CD to creating transform files to customize the
installation process.
Before you install Lotus Notes clients
Before you begin installing Lotus Notes clients, make sure that you or
your users do the following:
• If the computer on which you are upgrading runs anti-virus software,
close the application.
• If you are upgrading Lotus Notes on an Apple computer running OS X,
turn off all options in the Application Sharing tab of the Shared System
Preferences panel to avoid any errors.
• To successfully install, upgrade, and use Lotus Notes 6, users must be
allowed both Write and Modify permissions to the Program directory, Data
directory, and all associated subdirectories.
• If you are upgrading Lotus Notes on a Windows NT, 2000, or XP
computer, you must have administrator rights to the system. On a Windows
NT 4.0 computer, log in as an administrator or set administrator-level
privileges for All Users. This can be done from the command line.
• Windows NT, 2000, and XP users should log onto their computers with
administrative rights to install Lotus Notes 6. For cases in which
administrative rights are not available, enable the setting “Always
install with elevated privileges.” Because that Windows Installer policy
lets any package a user starts install with elevated privileges, scope it
to the machines and the time window of the deployment and turn it off
afterwards. Refer to the Release Notes for the most current information
on permissions required when installing as a non-administrator.
• Options for installing the Lotus Notes client on Restricted or
Standard/Power User computers are described in the Microsoft Windows
2000, Windows XP, and Windows Installer documentation.
• Review the options for customizing Notes client installation and
setup.
Installation methods
Domino offers several methods or types of installation that you can make
available to the Domino Notes users in your enterprise.
• Single-user client installation — This installation is usually done
from the CD or from files placed on the network.
For more information on installing the Domino administration client,
see the chapter “Setting Up and Using Domino Administration Tools.”
• Multi-user installation — This option is available only for Notes
client installation. Multi-user installation is not available for
installing the Domino Administrator client or Domino Designer.
For more information on multi-user installation, see the topic
“Multi-user installation” in this chapter.
• Shared installation — This option installs all program files to a file
server while the users’ data files reside on their local workstations.
For more information on shared installation, see the topic “Installing
the Domino clients in a shared network directory” in this chapter.
• Automated client installations (silent installation) — This option can
be used with or without a transform file depending on whether you want
to customize the silent installation.
• Customized installations — This option uses the transform file to
customize the installation process.
• Batch file installation — This option enables users to install the
clients by running a batch file that you create for them.
• Installation with command line utilities — This option allows users to
install the clients using a command line utility that you provide for
them.
• Scriptable setup — This option uses a setting in the NOTES.INI file to
provide information to the client setup wizard.
For information on multi-user installations, see “Sharing a Computer
with other users” if you have installed Lotus Notes 6 Help. Or, go to
http://www.lotus.com/LDD/doc to download or view Lotus Notes 6 Help.
Single-user client installation
To perform a basic single-user installation, you use the Lotus Domino 6
CD to install the Notes client, the Domino Administrator client or the
Domino Designer client directly onto the user’s workstation.
1. Before you install the client program files on a Win32 system, do the
following:
• Make sure that the required hardware and software components are in
place and working.
• Read the Release Notes for disk-space requirements and for any
last-minute changes or additions to the documentation.
• Temporarily disable any screen savers and turn off any virus-detection
software.
• Make sure that all other applications are closed. Otherwise, you may
corrupt shared files, and the Install program may not run properly.
• If you are upgrading to Domino from a previous release, see the
Upgrade Guide.
2. Run the client install program (SETUP.EXE), which is on the
installation CD.
Installing the Domino clients in a shared network directory
As an administrator, you can offer a shared network installation to your
users. In a shared network installation, all program files are installed on a
file server, and the users’ data files reside on their local workstations.
Multi-user installation is neither supported in a shared file configuration
nor available for use on Macintosh computers.
During the installation of the network image, all program files for Lotus
Notes, Domino Administrator, and Domino Designer are installed. To
run Lotus Notes, Domino Administrator and Domino Designer client
installs from one set of program files on a file server, you create multiple
transform files.
Note To perform a shared installation and run the transform file,
end-users must have the Windows Installer service on their workstations.
After you install the program files to a directory on a server, users can
run a shared version of the software, thereby saving on disk space usage.
However, if the server is unavailable, users cannot run Notes. When
users install Notes from this directory, only the data files
(DESKTOP.DSK, BOOKMARK.NTF, and all local databases) are copied
to their workstations. The program files remain on the server, where they
are shared among all users. As users run Notes, the program files are
read into memory on their workstations.
Assign to those users who install Notes client software from the file
server “Read” access to the directory containing the files.
Upgrading shared installations
Do not attempt to upgrade over existing network image files. To upgrade
an existing network image, delete all files in the existing network image
and install the new network image files to the same location.
To set up the shared network installation
1. Before you begin this installation process, do the following:
• Make sure that the required hardware and software components are in
place and working.
• Read the Release Notes for disk-space requirements and for any
last-minute changes or additions to the documentation.
• Temporarily disable any screen savers and turn off any virus-detection
software.
• Make sure that all other applications are closed. Otherwise, you may
corrupt shared files, and the Install program may not run properly.
2. Log on as administrator on the drive on which you are installing the
program files.
3. From the command line, use this syntax to run setup and create the
administrator image on the network:
E:\path to install kit\setup /A
In this example, drive E represents the drive on which the client
installation files are located, which is usually the drive letter of the
CDROM drive containing the Domino CD. The /A creates the
administrator image on the network.
4. Enter the name of the directory that will store the installed files. By
default, this directory is the first network drive accessible from your
workstation. To specify a network drive and directory other than the
default, click Change.
5. Click Install. Every client option is installed. A directory structure
that is usable and understandable by the operating system is created.
Users can run the install program directly from this directory structure
that you provide using the Lotus Notes 6.msi file created in the root of
the directory structure.
6. Create a transform file for the installation of the end user’s local data
files.
For more information on creating a transform file, see the topic “Creating
a transform file” in this chapter.
Providing an installation tool (method) for the users
After successfully installing all client files to a shared directory on the
network, you can instruct users to use the transform file to install the
client on their own workstations.
Automating client installation
Automated client installation supports all three Domino clients and
simplifies installation for end users because it presents very few or none
of the installation windows; thus, it is called a silent installation.
Before you begin this installation process, do the following:
• Make sure that the required hardware and software components are in
place and working.
• Read the Release Notes for disk-space requirements and for any
last-minute changes or additions to the documentation.
• Temporarily disable any screen savers and turn off any virus-detection
software.
• Make sure that all other applications are closed. Otherwise, you may
corrupt shared files, and the Install program may not run properly.
To use silent installation
Use this format to run the install in silent mode:
Setup.exe /s /v"/qn"
When the installation is complete, the shortcut icons appear on the
desktop.
To display a prompt when the installation is complete or when it fails,
use the + parameter as follows:
Setup.exe /s /v"/qn+"
Running a silent install provides users with the default installation
options. To customize the type of installation or to specify options to
install on the user’s system, use a transform file with the silent install.
Multi-user installations
Multi-user installation applies to Microsoft Windows (Win 32) users
only. The multi-user installation is only supported for the Notes client
installations; it is not supported for installing the Domino Administrator
client or the Domino Designer. Therefore, the multi-user option is only
available in the Notes installation kit.
Use the multi-user installation if your enterprise has multiple users who
share a single workstation. When each user logs onto the system and runs
the Lotus Notes 6 client setup, that user’s own personal data files
(BOOKMARK.NSF, NAMES.NSF, and other files) are created.
The multi-user installation differs from a shared installation in that
Program files are located on the local system in a multi-user install,
which can be an advantage. This allows for access to the Notes client
regardless of which network drives are available. In a shared installation,
users are dependent on the availability of shared network drives.
In a multi-user installation, install the Domino Program files to a central
location on the local system. Each user has their own data directory
located in the system’s application data directory for the current user.
The actual location varies as follows according to operating system:
• Example 1 — c:\Documents and Settings\user\Local Settings\Application
Data\Lotus\Notes Data
• Example 2 — c:\winNT\Profiles\user\Local Settings\Application
Data\Lotus\Notes Data
• Example 3 — c:\Bin\Win95\Profiles\user\Local Settings\Application
Data\Lotus\Notes Data
Each user’s individual data files are created when the user logs on to the
workstation, launches the Lotus Notes 6 client, and completes the client
setup. The multi-user option is only visible to those users with
administrative privileges on the local system. This installation option is
not enabled for other users.
Note Individual Location documents are no longer needed for each user who
uses the Notes client on the same workstation. In previous releases, a
separate Location document had to be created for each user when multiple
users shared one Notes client installation on a workstation.
Providing a Batch file for installing the Domino Notes clients
Create a batch file that installs the Domino clients to a user workstation.
Users can then install the client by running the batch file.
Sample batch file
msiexec /i "Lotus Notes 6.msi" TRANSFORMS="custom.mst"
Providing command line utilities for installation
Provide command line utilities so that users can install one or more
clients on their workstations. This table presents sample command line
utilities that you can modify to suit your needs.
Type of install: Sample command line utility
Transform install: msiexec /i "Lotus Notes 6.msi" TRANSFORMS="custom.mst"
Transform silent install: msiexec /i "Lotus Notes 6.msi" /qn
TRANSFORMS="custom.mst"
Silent install with fail/success prompt: msiexec /i "Lotus Notes 6.msi"
/qn+
Silent install: setup.exe /s /v"/qn"
Verbose logging: setup.exe /v"/L*v c:\temp\install.log"
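The silent-install, batch file and command line utility forms described in the sections above, wrapped in a PowerShell function so that a deployment script checks the package before running it, always keeps a verbose log, and interprets the Windows Installer exit code instead of ignoring it. This is an added example and is not part of the Domino documentation or the Lotus installation kit: Install-NotesClient, the C:\NotesKit directory and the -AllowUnsigned switch are assumptions, and the package, transform and log file names are the page's own examples.

```powershell
# Added example (not from the Domino documentation or the Notes install kit).
# Runs the msiexec installation shown in this chapter from a deployment script:
# the package and transform must exist, the MSI's Authenticode signature is
# checked before anything executes, a verbose log is always written, and the
# Windows Installer exit code is turned into a result the caller can act on.
function Install-NotesClient {
    param(
        [string]$InstallKit = 'C:\NotesKit',       # placeholder: directory holding the kit
        [string]$Msi        = 'Lotus Notes 6.msi', # package name from the page
        [string]$Transform  = 'custom.mst',        # transform name from the page
        [string]$LogPath    = 'C:\temp\install.log',
        [string]$InstallDir,                       # optional INSTALLDIR override
        [string]$DataDir,                          # optional DATADIR override
        [switch]$Silent,                           # /qn: no user interface
        [switch]$PromptOnFinish,                   # /qn+: prompt on completion or failure
        [switch]$AllowUnsigned                     # accept a NotSigned package (off by default)
    )

    $msiPath = Join-Path $InstallKit $Msi
    $mstPath = Join-Path $InstallKit $Transform
    foreach ($f in @($msiPath, $mstPath)) {
        if (-not (Test-Path -LiteralPath $f)) { throw "Missing installer file: $f" }
    }

    # Supply-chain check: a package whose signature is broken or untrusted is
    # never run; an unsigned one is run only when the caller opts in explicitly.
    $sig = Get-AuthenticodeSignature -FilePath $msiPath
    $ok  = ($sig.Status -eq 'Valid') -or ($AllowUnsigned -and $sig.Status -eq 'NotSigned')
    if (-not $ok) { throw "Refusing to install $msiPath, signature status: $($sig.Status)" }

    # Build the same command line the chapter shows, adding /L*v logging.
    $msiArgs = @('/i', "`"$msiPath`"", "TRANSFORMS=`"$mstPath`"", '/L*v', "`"$LogPath`"")
    if ($Silent)     { $msiArgs += $(if ($PromptOnFinish) { '/qn+' } else { '/qn' }) }
    if ($InstallDir) { $msiArgs += "INSTALLDIR=`"$InstallDir`"" }
    if ($DataDir)    { $msiArgs += "DATADIR=`"$DataDir`"" }

    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
    switch ($proc.ExitCode) {
        0    { return 'Installed' }
        3010 { return 'Installed; reboot required' }   # ERROR_SUCCESS_REBOOT_REQUIRED
        1641 { return 'Installed; reboot initiated' }  # ERROR_SUCCESS_REBOOT_INITIATED
        default { throw "msiexec exited with $($proc.ExitCode); see $LogPath" }
    }
}

# Silent install into the custom directories used in the chapter's example:
Install-NotesClient -Silent -InstallDir 'C:\Test' -DataDir 'C:\Test\Data'
```

The signature check is the part the chapter's one-line commands leave out: a deployment that copies an installation kit to a network share and runs it silently on many workstations should verify that the package it runs is the one the vendor shipped. If the kit media is unsigned, -AllowUnsigned records that as a deliberate decision in the script rather than the default behaviour.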

Customizing client installations
Client installs can be customized to allow you, the administrator, to
control the options that are installed and/or available to users. Use
transform files to deselect options — for example, modem files — that
you don’t want to install by default. You also use transform files to hide
the options that you do not want users to change — regardless of
whether you choose to install a particular option. Modify the Visible and
Initial State settings for each installation option that you want to
designate as hidden or not hidden.
For more information on what you can customize, see the topic
“Installation options available using the transform file” in this chapter.
If you prefer, you can allow the user to see and complete most of the
fields on numerous windows that can be displayed during the
installation process.
For more information on transform files, see the topics “Creating a
transform file” and “Using transform files for end-user installations” in
this chapter.
Creating a transform file
Creating a transform file requires a third-party tool such as InstallShield
Tuner OEM Edition. Lotus Domino 6 includes a version called InstallShield
Tuner for Lotus Notes that you can use with Domino to create a transform
file to customize the installation process.
Note The version of InstallShield Tuner for Lotus Notes that is included
with Domino works only with Lotus Domino 6, not with other products.
You can use transform files to set up shared and customized installations.
Access their Web site at http://www.installshield.com for further
information.
How to install the InstallShield Tuner for Lotus Notes
From the Lotus Domino 6 installation CD, in the Apps/InstallShield
Tuner for Lotus Notes directory, run the setup file, SETUP.EXE.
How to create a transform file
Use this procedure to create a transform file with InstallShield Tuner for
Lotus Notes. Users can then apply the transform file when installing
clients.
For more information on shared installations, see the topic “Installing the
Domino clients in a shared network directory” in this chapter.
1. Invoke the InstallShield Tuner program and browse to locate the
configuration file that has a .itw file name extension. The .itw
configuration file is located in the same directory with the Notes
installation that you want to configure.
2. Click Create a new transform file.
3. In the Select an MSI file field for the Windows Installer Package
option, select the msi file (Lotus Notes 6.msi).
4. In the New project name and location field for the Windows Installer
Transform option, enter the custom transform name. Save the file to
the same path on which the install kit resides.
5. Click Create.
6. Make any other desired modifications to the default settings
provided.
7. Click Save.
For more information on transform files, see the topics “Installation
options available using the transform file” and “Using transform files for
end-user installations” in this chapter.
After creating the transform file, you apply the transform file to the
installation process. The installation process then uses the values that you
set in the transform file in place of default values.
Installation options available using the transform file
Using a transform file, you can customize installation for the users in
your enterprise.
Customizing the location of the Install directories
Use this procedure to specify a location other than the default location in
which to store the installation directories. When specifying directory
names, use names that contain eight or fewer characters.
1. From Application Configuration, select Setup Properties.
2. Click Add/Remove Program Settings.
3. Change the PROGDIR property to the location in which you are
storing the program files.
4. Change the DATADIR property to the location in which you are
storing the data files. This is the new default data directory.
Setting the installation to Multi-User by default
In a multi-user installation, the administrator installs the Domino
Program files to a central location on the local system. Each user has their
own data directory located in the system’s application data directory for
the current user.
Note End-users must have Administrator rights to choose a multi-user
installation and must only install the Notes Client. End-users must also
have Administrator rights to upgrade an existing multi-user installation.
1. From Application Configuration, select Setup Properties.
2. Change the value in the ApplicationUsers property to AllUsers. By
default the installation is now a multi-user installation.
For more information on multi-user installation, see the topic “Multi-user
installations” in this chapter.
Adding custom files to a client installation
To add custom files to a client installation, create a transform file.
Note This customization option replaces the COPYFILE.TXT feature
that was available in previous releases of Lotus Domino.
1. Copy the custom files to the install directory or place them in a
directory within the install directory — for example,
PathToInstallKit\AllClient\CopyFiles\custom.mdm.
2. Click Target System Configuration - Files.
3. In the top pane, click Browse and locate the source directory, which
is the directory from which you are copying the custom files.
4. In the bottom pane, select the destination directory, for example,
ProgramFiles\Lotus\notes\Data\modems.
5. Drag and drop the custom file from the source directory to the
destination directory.
Using transform files for end-user installations
After creating a transform file, you can use that file for end-user client
installations.
To apply a transform
This section contains two sets of instructions. The first set explains how
to apply a transform file for a user interface (UI) installation — that is, an
installation that presents a user interface. The second set explains how to
apply a transform file for a silent install — that is, an installation that
does not present a user interface and therefore does not require any user
interaction. There is also a section on using a batch file to launch the
command.
For installations using the transform file (and for silent installations)
using the msiexec commands, the network installation should not be the
first installation of Notes that you perform unless you are certain that all
of the client workstations contain the Windows Installer Service.
Note The command line path is the default installation path or the path
for the transform file.
User interface (UI) installation
In this example, the “installdir” parameter and the “datadir” parameter
are used to overwrite the default settings designated by the transform
file.
1. Change to the install directory that contains both the Lotus Notes
6.msi and the transform, *.mst, files.
5-50 Administering the Domino System, Volume 1
2. Do one of these:
   • To install to the default Program and Data directories, enter this
     command from the command line:
     msiexec /i "Lotus Notes 6.msi" TRANSFORMS="custom.mst"
   • To overwrite the default Program and Data directories with the
     ones you specify, enter this command from the command line:
     msiexec /i "Lotus Notes 6.msi" INSTALLDIR=C:\Test DATADIR=C:\Test\Data TRANSFORMS="custom.mst"
Silent install
1. Change directory to the install directory that contains both the Lotus
Notes 6.msi and the transform, *.mst, files.
2. Do one of these:
   • If you want to install to the default Program and Data directories,
     enter this command from the command line:
     msiexec /i "Lotus Notes 6.msi" /qn TRANSFORMS="custom.mst"
   • If you want to overwrite the default Program and Data directories
     with the ones you specify, enter this command from the command
     line:
     msiexec /i "Lotus Notes 6.msi" /qn INSTALLDIR=C:\Test DATADIR=C:\Test\Data TRANSFORMS="custom.mst"
For more information on silent installations, see the topic “Automating
client installation” in this chapter.
Using a batch file to enter the command
You can also create a batch file that the user launches to start the
command. A sample batch file is shown below:
Sample batch file
msiexec /i "Lotus Notes 6.msi" TRANSFORMS="custom.mst"
Using the SETUP.INI file setting to apply one transform file to all
client installs
Use a setting in the SETUP.INI file in the install directory to apply one
transform file to all installs. Using this method prevents the end user
from having to enter a command line parameter or from using a batch
file.
Modify the command line in the SETUP.INI to read as follows:
CmdLine=/l*v %TEMP%\notes6.log TRANSFORMS=custom.mst
The transform file is applied when SETUP.EXE is launched.
Setting up Notes with a scriptable setup
The scriptable setup option uses a setting in the NOTES.INI file to
provide information to the client setup wizard. During installation, the
wizard displays only the panels that users need to set up the Notes client.
The NOTES.INI setting ConfigFile= points to a text (.TXT) file that
contains the parameters that the wizard needs. The wizard reads the text
file and completes the setup. The user is able to bypass the wizard
screens for which parameters have been provided by the text file.
The settings and parameters that you can use in the text file are listed in
this table:
   Setting                         Description
   Username                        User’s hierarchical name, for example
                                   John Smith/Acme
   KeyfileName                     Directory path to the user’s ID file name,
                                   for example
                                   c:\program files\lotus\notes\data\jsmith.id
   Domino.Name                     Domino server in the same domain as the
                                   user name. You do not need to enter a
                                   hierarchical name.
   Domino.Address                  An address for the Domino server, such as
                                   the IP address of the server, if needed to
                                   connect to the server. For example,
                                   server.acme.com or 123.124.xxx.xxx
   Domino.Port                     Port type, such as TCPIP
   Domino.Server                   1 to connect to the Domino server, 0 for
                                   no connection
   AdditionalServices              1 forces display of the “Additional
                                   Services” panel even if sufficient
                                   information is provided for these
                                   services; the Additional Services panel
                                   lists Internet, proxy, and replication
                                   settings.
   AdditionalServices.NetworkDial  To configure a network dialup connection
                                   to Internet accounts created via the
                                   Additional Services dialog box
   Mail.Incoming.Name              Incoming mail (POP or IMAP) server name
   Mail.Incoming.Server            An address, such as the IP address, of the
                                   home server, if needed to connect to the
                                   server
   Mail.Incoming.Protocol          1 for POP; 2 for IMAP
   Mail.Incoming.Username          Mail account user name or login name
   Mail.Incoming.Password          Mail account password
   Mail.Incoming.SSL               1 to use SSL; 0 not to use SSL
   Mail.Outgoing.Name              Outgoing mail account name, a friendly
                                   name used to refer to these settings
   Mail.Outgoing.Server            Outgoing mail (SMTP) server name
   Mail.Outgoing.Address           User’s Internet mail address, such as
                                   user@isp.com
   Mail.InternetDomain             Internet mail domain name, such as isp.com
   Directory.Name                  Directory account name, a friendly name
                                   used to refer to these settings
   Directory.Server                Directory (LDAP) server name
   News.Name                       News account name, a friendly name used
                                   to refer to these settings
   News.Server                     News (NNTP) server name
   NetworkDial.EntryName           Name of remote network dialup phone book
                                   entry
   NetworkDial.Phonenumber         Dial-in number
   NetworkDial.Username            Remote network user name
   NetworkDial.Password            Remote network password
   NetworkDial.Domain              Remote network domain
   DirectDial.Phonenumber          Phone number of Domino server
   DirectDial.Prefix               Dialup prefix, if required. For example,
                                   9 to access an outside line.
   DirectDial.Port                 COM port to which the modem is connected
   DirectDial.Modem                File specification of modem file
   Proxy.HTTP                      HTTP proxy server and port, for example
                                   proxy.isp.com:8080
   Proxy.FTP                       FTP proxy server and port, for example
                                   proxy.isp.com:8080
   Proxy.Gopher                    Gopher proxy server and port, for example
                                   proxy.isp.com:8080
   Proxy.SSL                       SSL proxy server and port, for example
                                   proxy.isp.com:8080
   Proxy.HTTPTunnel                HTTP tunnel proxy server and port, for
                                   example proxy.isp.com:8080
   Proxy.SOCKS                     Socks proxy server and port, for example
                                   proxy.isp.com:8080
   Proxy.None                      No proxy for these hosts or domains
   Proxy.UseHTTP                   Use the HTTP proxy server for FTP, Gopher,
                                   and SSL security proxies
   Proxy.Username                  User name if logon is required
   Proxy.Password                  User password
   Replication.Threshold           Transfer outgoing mail if this number of
                                   messages is held in the local mailbox
   Replication.Schedule            Enable replication schedule
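Because the ConfigFile text is typically copied to every workstation, it is worth linting it before it is distributed. The following checker is an added example, not code from the Domino documentation; it assumes the file holds one Setting=value pair per line (an assumption about the file layout) and uses the setting names from the table above to flag values the wizard cannot interpret and credentials stored in plain text.

```python
"""Lint a Notes scriptable-setup ConfigFile before pushing it to clients.

Added example, not part of the Domino documentation. Assumes the text file
named by the NOTES.INI setting ConfigFile= holds one Setting=value pair per
line (an assumption; check your own file). Setting names come from the
table above.
"""
import re

# Settings whose value must be one of a fixed set (from the table above).
ENUM_SETTINGS = {
    "Domino.Server": {"0", "1"},           # 1 connect, 0 no connection
    "AdditionalServices": {"0", "1"},      # 1 forces the panel to display
    "Mail.Incoming.Protocol": {"1", "2"},  # 1 = POP, 2 = IMAP
    "Mail.Incoming.SSL": {"0", "1"},       # 1 use SSL, 0 do not
}

# Settings that hold secrets; in a ConfigFile they sit in plain text.
SECRET_SETTINGS = {"Mail.Incoming.Password", "NetworkDial.Password",
                   "Proxy.Password"}

# Proxy settings take "server:port", for example proxy.isp.com:8080.
PROXY_HOSTPORT = {"Proxy.HTTP", "Proxy.FTP", "Proxy.Gopher", "Proxy.SSL",
                  "Proxy.HTTPTunnel", "Proxy.SOCKS"}
HOSTPORT_RE = re.compile(r"^[A-Za-z0-9.-]+:\d{1,5}$")


def parse_configfile(text):
    """Return (settings dict, list of problems) for a ConfigFile body."""
    settings, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(";"):  # blank or comment (assumed)
            continue
        if "=" not in line:
            problems.append(f"line {lineno}: not a Setting=value pair: {line!r}")
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        if key in settings:
            problems.append(f"line {lineno}: duplicate setting {key}")
        settings[key] = value
    return settings, problems


def lint_configfile(text):
    """Return a list of human-readable problems; empty means the file is clean."""
    settings, problems = parse_configfile(text)
    for key, allowed in ENUM_SETTINGS.items():
        if key in settings and settings[key] not in allowed:
            problems.append(f"{key}={settings[key]!r} is not one of {sorted(allowed)}")
    for key in sorted(PROXY_HOSTPORT):
        if key in settings and not HOSTPORT_RE.match(settings[key]):
            problems.append(f"{key}={settings[key]!r} is not server:port")
    for key in sorted(SECRET_SETTINGS.intersection(settings)):
        if settings[key]:
            problems.append(f"{key} stores a credential in plain text")
    # Inference from the table: connecting (Domino.Server=1) needs a server
    # name in Domino.Name to connect to.
    if settings.get("Domino.Server") == "1" and not settings.get("Domino.Name"):
        problems.append("Domino.Server=1 but Domino.Name is not set")
    return problems


# Constructed sample file; names, paths and values are made up.
SAMPLE = """\
Username=John Smith/Acme
KeyfileName=c:\\program files\\lotus\\notes\\data\\jsmith.id
Domino.Name=Mail01
Domino.Server=1
Domino.Port=TCPIP
Mail.Incoming.Protocol=3
Mail.Incoming.Password=hunter2
Proxy.HTTP=proxy.isp.com
"""

if __name__ == "__main__":
    for problem in lint_configfile(SAMPLE):
        print("-", problem)
```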
Managing users
The Administration Process helps you manage users by automating
many of the associated administrative tasks. For example, if you rename
a user, the Administration Process automates changing the name
throughout databases in the Notes domain by generating and carrying
out a series of requests, which are posted in the Administration Requests
database (ADMIN4.NSF). Changes are made, for example, in the Person
document, in databases, in ACLs and extended ACLs. However, the
Administration Process can be used only if the database is assigned an
administration server.
Rename a user
There are several ways in which you “rename” a user. Usually they
involve changing a user’s common or alternate name. However, in
Domino Notes, the name hierarchy becomes part of the user’s name. So if
a user is moved and certified by a new hierarchy, then that too is
considered renaming. The rename tasks are:
• Change a Notes user’s common name
• Notify a user of a change to private design elements during a name
  change
• Rename a Web user
• Move a user name in the name hierarchy
• Upgrade a user name from flat to hierarchical
Change user roaming status
You can change a user’s roaming status via the following tasks:
• Change a roaming user to nonroaming
• Change a nonroaming user to roaming
Move a user's files
In contrast to moving a user from one hierarchy to another, which is a
simple renaming action, you may also need to move a user’s actual files.
To do so, you use the following task:
• Moving a user’s mail file and roaming files from the Domino
  Administrator or the Web Administrator
Delete a user name
When you delete a user name, you have the option of maintaining some
of the files, while denying the user access to them. The Administration
Process helps you automate the following tasks:
• Delete a user name
• Deleting a user name with the Web Administrator
User maintenance
In addition to the tasks listed above, there may be times when you need
to locate a user, recertify a user’s ID, or another user-related task. Use the
following procedures:
• Changing a user’s Internet address
• Finding a user name in the domain with the Domino Administrator
  or Web Administrator
• Recertifying user IDs
• Monitoring user licenses
While managing users, you may also need to recertify a certifier ID.
• Recertifying a user ID
• Recertifying a certifier ID
Synchronizing Windows NT or Windows 2000 Active Directory and
Notes users
You can synchronize Notes users with users in Windows NT and in
Windows 2000 Active Directory. You can also manage Notes users from
the Windows NT User Manager, and from the Windows 2000 Microsoft
Management Console.
For more information on synchronizing Notes users with Windows NT
users, see the chapter “Using Domino With Windows Synchronization
Tools.”
Changing Notes user names with the Administration Process
When you change the name of a user, the Administration Process
implements the name change by initiating requests to the affected
documents, databases, database ACLs, and Extended ACLs. In the
Domino Administrator, when you change the common name, alternate
name, or hierarchical name of a user, you “rename” them. Using rename,
you can change the name of one or more users in the following ways:
• Change a user’s common or alternate name
• Add an alternate name to a user if one is not yet assigned
• Move a user to a new hierarchy
• Upgrade a user name from flat to hierarchical
Administration Process requirements
In order for the Administration Process to facilitate the name changes,
the databases must have an assigned administration server.
In addition, the certifier ID you use and any ancestor of the certifier must
have a Certifier document in the Certificates view of the Domino
Directory. For example, if you use the certifier ID for
/Sales/NYC/ACME, the Domino Directory must contain Certifier
documents for /ACME, /NYC/ACME, and /Sales/NYC/ACME.
For more information on assigning an administration server, see the
chapter “Setting Up the Administration Process.”
For more information on certifiers, see the chapter “Deploying Domino.”
Viewing user name change requests
To review the administration requests that are generated when renaming
a user name, open the Administration Request (ADMIN4.NSF) database
in your Domino Directory.
For more information on processing renaming requests in the
Administration Requests database, see the topic “Changing Notes user
names with the Administration Process” in this chapter.
Notifying users of changes to private design elements during a
name change
You can enable an agent that sends to the user an e-mail message
notifying the user of a name change and containing links to databases in
which the user created or modified design elements such as a folder or
view. To update the private design elements with the user’s new name,
the user must then open the database via the database links in the e-mail
notification. This update to the user name allows the user to maintain
access to their own private design elements. Enable the Mail Notification
agent from within the administration requests database (ADMIN4.NSF).
Note The AdminP Mail Notification agent runs only on Domino Release
5.05 or more recent servers and sends e-mail to Notes Release 5.05 or
more recent clients.
1. From the Domino Administrator, click Server - Analyses.
2. Click Administration Requests (6).
3. Locate the administration request to rename the user and then open
the request.
4. Choose Actions - Enable/Disable User Notification. The agent is
enabled and automatically sends to the user an e-mail message
containing links to databases in which the user created or modified
design elements such as a folder or view.
5. Click OK.
Troubleshooting name changes
The public key in the Person document must match the one on the user
ID. If a public key has been changed or corrupted in some way, you see
this message in the Administration Requests database: “The name to act
on was not found in the Address Book.”
For more information on correcting this problem, see the chapter “Setting
Up the Administration Process.”
Renaming a Notes user’s common or alternate name
Use this procedure to make any of the following changes to a user or to
more than one user name:
• Change the common name
• Change or add an alternate name
• Delete the alternate name
• Synchronize the name change between Notes and Windows NT, or
  Notes and Active Directory
When a user is renamed, the user’s Internet address often needs to be
changed accordingly. You can change a user’s Internet address as part of
a change to the user’s common or alternate name, but you cannot use this
rename procedure to change only the Internet address. If you attempt to
use this procedure to change only a user’s Internet address, you will
generate an error.
For more information on changing only a user’s Internet address, see the
topic “Changing a user’s Internet address” in this chapter.
For information on using an agent to notify a user of changes to private
design elements during a name change, see the topic “Changing Notes
user names with the Administration Process” in this chapter.
Note To use the Domino alternate name functionality, Domino R5.0.2 or
later must be running on all servers involved with the name change, the
user’s workstation, and the administrator’s workstation.
To rename a user's common name
1. To rename a user, you must have:
   • Editor with Create documents access, or the UserModifier role to
     the Domino Directory
   • At least Author with Create documents access to the Certification
     Log
2. From the Domino Administrator, click the People & Groups tab.
3. Click People and select a user name.
4. From the tools pane, click People - Rename.
5. In the Rename Selected Notes People dialog box, verify the number
of days you want to honor the old name. The default is 21 days. You
can change that value if desired.
6. Click “Change Common Name.”
7. In the “Choose a Certifier” dialog box, do the following:

   Field             Action
   Server            Do one of these:
                     • If you are using the Lotus Domino 6 server-based CA,
                       choose the server that is used to access the Domino
                       Directory to look up the list of certifiers.
                     • If you are supplying a certifier ID, select the server
                       that is used to locate the list of certifiers so that
                       the Certifier ID file can be updated with the latest
                       set of certificates for itself and all of its
                       ancestors. This is also the server on which
                       CERTLOG.NSF is updated.
   Use the CA        Choose this option if you have configured the Lotus
   process           Domino 6 server-based CA.
                     • Select a CA-configured certifier from the list and
                       click OK.
   Supply certifier  Choose this option if you are using a certifier ID and
   ID and password   password.
                     • Choose the certifier ID that certified the user’s ID
                       and click Open. For example, to rename Joe
                       Smith/Sales/NYC/ACME, use the certifier ID named
                       SALES.ID.
                     • Click “Certifier ID” to select an ID other than the
                       one displayed.
                     • Enter the password for the certifier ID and click OK.

8. In the “Certificate Expiration Date” dialog box, enter a new
   certification expiration date if desired. The default certificate
   expiration date is two years from the current date. The “Edit or
   inspect each entry before submitting request” check box is selected
   and cannot be modified.
9. In the Rename Person dialog box, complete the following fields as
   appropriate. In this dialog box you have the option of synchronizing
   Windows NT user names or Active Directory user names, and
   changing primary and alternate name information where
   appropriate.

   Field             Action
   New Primary Name Information
   First, Middle,    This is the name with which the user was registered.
   and Last Name     Make changes to the user’s name as appropriate.
   Qualifying Org.   (Optional) A name to differentiate this user from
   Unit              another user with the same user name, certified by the
                     same certifier. This adds a differentiating component
                     that appears between the common name and the certifier
                     name.
   Short Name        (Optional) Created at registration, the default is
                     first initial, last name. You can change this name. It
                     does not change automatically based on changes to the
                     primary name fields. You must make this change
                     manually.
   Internet          (Optional) Created at registration, the default is
   Address           first initial, last name. You can change this name. It
                     does not change automatically based on changes to the
                     primary name fields. You must make this change
                     manually.
   Rename            Available to Windows NT User Manager only. Check this
   Windows NT        box if you want to synchronize the name change in both
   User Account      the Domino Notes and Windows NT or Active Directory
                     account.
10. Complete this step only if the user has an alternate name or if you
    are assigning alternate names. If you are not working with alternate
    names, skip this step and go to Step 11.

   Field             Action
   New Alternate     Available only if you are renaming a user whose
   Name              certifying organization has alternate names assigned.
   Information
   Common Name       Enter the common name in the alternate language. To
                     delete an alternate name, simply delete the name and
                     do not enter a new one.
   Qualifying Org.   (Optional) A name to differentiate this user from
   Unit              another user with the same user name, certified by the
                     same certifier. This adds a differentiating component
                     that appears between the common name and the certifier
                     name.
   Original          The alternate language currently assigned to the user.
   Language          (Non-modifiable)
   New Language      Select from the list to assign a new alternate
                     language.
11. Select one of the following:
    • OK - to submit the name change.
    • Skip - if you are renaming more than one user’s common name and
      you want to continue to the next name without submitting a name
      change for the current name.
    • Cancel Remaining Entries - to cancel this name change and name
      changes for any other names you selected and have not yet
      submitted.
12. When the Processing Statistics dialog box appears, review the
information to verify that all name changes have succeeded. If any
fail, check the Certifier Log (CERTLOG.NSF) to determine the reason
for the failure.
13. Click OK.
Moving a user name in the name hierarchy
When you move a user to a different Organizational Unit, the certifier
changes, thus the user’s name hierarchy changes. Since the name
hierarchy in Domino Notes is part of the user’s name, when you move a
user to a different certifier you have essentially changed the user’s name.
You can use the Administration Process to move a user name to a
different location (Organizational Unit) in the organization’s hierarchical
name scheme or to move a name to a different Organization altogether.
For example, if Alice Brown/Marketing/Acme leaves a job in the
Marketing department for a job in Sales, you can certify her user ID with
the /Sales/Acme certifier, which, in effect, moves her to that
Organizational Unit. Her full hierarchical name then becomes Alice
Brown/Sales/Acme.
You can also move a user to another Organization, however to do so,
your Domino Directory must contain cross-certificates between the
Organizations involved. So, for example, if Alice
Brown/Marketing/Acme leaves a job at Acme to work for the Acme
subsidiary AcmeSub that has its own Organization Certifier, you can
certify her ID with the /AcmeSub certifier so that her name becomes
Alice Brown/AcmeSub. Using this example, the Domino Directory must
have cross-certificates between /Acme and /AcmeSub.
There are two parts to moving a user name:
1. Request the move using the originating certifier.
2. Complete the move by using the target (new) certifier to approve the
request and issue the new certificate.
For more information on the Administration Process, see the chapter
“Setting Up the Administration Process.” For more information on
cross-certificates, see the chapter “Protecting and Managing Notes IDs.”
For information on using an agent to notify a user of changes to private
design elements during a name change, see the topic “Changing Notes
user names with the Administration Process” in this chapter.
Changing primary and alternate name information during the move
If an alternate name has been assigned, the administrator who performs
the approval phase of the move automatically has the option to change
primary name information. If an alternate name has not been assigned,
you can designate whether the administrator who completes the move
can modify primary name fields. To use the Domino alternate name
functionality, Domino 5.0.2 or later must be running on all servers
involved with the name change, the user’s workstation, and the
administrator’s workstation.
Synchronizing the name change between Notes and Windows NT or
Notes and Active Directory
While completing the move, you also have the option of synchronizing
the name change between Notes and Windows NT or Notes and Active
Directory. To do so, select “Rename NT user account” on the Rename
Person dialog box.
To move a user name in the name hierarchy
1. To move a user name in the name hierarchy, you must have:
   • Access to the certifier you are using
   • At least Editor access to the Administration Requests database
2. From the Domino Administrator, click the People & Groups tab.
3. Click People and select a user name.
4. From the tools pane, click People - Rename.
5. The “Honor old names for up to <x> days” field is set to 21 days by
default. You can change that value if desired.
6. Click “Request Move to New Certifier.”
7. In the Choose a Certifier dialog box, complete these fields:

   Field             Action
   Server            Do one of these:
                     • If you are using the Lotus Domino 6 server-based CA,
                       choose the server that is used to access the Domino
                       Directory to look up the list of certifiers.
                     • If you are supplying a certifier ID, select the server
                       that is used to locate the list of certifiers so that
                       the Certifier ID file can be updated with the latest
                       set of certificates for itself and all of its
                       ancestors. This is also the server on which
                       CERTLOG.NSF is updated.
   Supply certifier  Choose this option if you are using a certifier ID and
   ID and password   password.
                     • Choose the certifier ID that certified the user’s ID
                       and click Open. For example, to rename Joe
                       Smith/Sales/NYC/ACME, use the certifier ID named
                       SALES.ID.
                     • Click “Certifier ID” to select an ID other than the
                       one displayed.
                     • Enter the password for the certifier ID and click OK.
   Use the CA        Choose this option if you have configured the Lotus
   process           Domino 6 server-based CA.
                     • Select a CA-configured certifier from the list and
                       click OK.

   Field             Action
   Old Certifier     Verify the information. If it is incorrect, cancel the
                     procedure and begin again.
   New Certifier     Enter or select the new certifier. This is the name
                     hierarchy that issues a certificate for the user in the
                     new hierarchy. For example, to certify Joe Smith from
                     /Sales/NYC/ACME into /Service/NYC/ACME, enter
                     /Service/NYC/ACME or select from the list.
   Edit or inspect   Selected by default. Do one:
   each entry        • Keep selected. The Rename Person dialog box appears
   before              with non-modifiable fields of Primary and Alternate
   submitting          Name information. Review the information for
   request             accuracy. Go to Step 9.
                     • If you do not want to verify each entry, clear the
                       check box. Review the processing information that
                       displays to verify that all name changes were
                       successful. If any fail, check the Certifier Log to
                       determine the reason for the failure. Go to Step 10,
                       then complete the procedure “To approve the name
                       change.”

9. (Optional) Click the “Allow the primary name to be changed when
   the name is moved” check box if you want the opportunity to change
   the user’s name when you approve the move.
10. For each name selected, choose one of the following:
    • OK - to submit the name change.
    • Skip - if you are renaming more than one user name and you want
      to continue to the next name without submitting a name change
      for the current name.
    • Cancel Remaining Entries - to cancel this name change and name
      changes for any other names you selected and have not yet
      submitted.
To complete the name change
1. From the Domino Administrator, click Server - Analysis -
Administration Requests (6).
2. Choose the Name Move Requests view. This view categorizes
submissions by certifier. Each name awaiting approval is listed
under its new certifier. Select the name(s) to move.
3. Click Complete move for selected entries.
4. To complete the move, in the Choose a Certifier dialog box, make the
following selections:

   Field             Action
   Server            Do one of these:
                     • If you are using the Lotus Domino 6 server-based CA,
                       choose the server that is used to access the Domino
                       Directory to look up the list of certifiers.
                     • If you are supplying a certifier ID, select the server
                       that is used to locate the list of certifiers so that
                       the Certifier ID file can be updated with the latest
                       set of certificates for itself and all of its
                       ancestors. This is also the server on which
                       CERTLOG.NSF is updated.
   Use the CA        Choose this option if you have configured the Lotus
   process           Domino 6 server-based CA.
                     • Select a CA-configured certifier from the list and
                       click OK.
   Supply certifier  Choose this option if you are using a certifier ID and
   ID and password   password.
                     • Choose the certifier ID that certified the user’s ID
                       and click Open. For example, to rename Joe
                       Smith/Sales/NYC/ACME, use the certifier ID named
                       SALES.ID.
                     • Click “Certifier ID” to select an ID other than the
                       one displayed.
                     • Enter the password for the certifier ID and click OK.

5. If you are moving a user name from one hierarchy to another
   hierarchy, a cross certificate is required. If your local Domino
   Directory does not contain a cross certificate for the certifier, you are
   prompted to create one. Click Yes.
6. In the “Certificate Expiration Date” dialog box, do the following and
   then click OK:

   Field                 Action
   Certifier             The name hierarchy of the certifier that will issue
                         the new certificate (non-modifiable).
   New certificate       (Optional) Specify a certifier ID expiration date
   expiration date       other than the default two years from the current
                         date.
   Edit or inspect each  Selected by default. You can remove the check mark
   entry before          if you do not want to verify the entries.
   submitting request

   Field             Action
   New Primary Name Information
   First, Middle,    This is the name with which the user was registered.
   and Last Name     Make changes to the user’s name as appropriate.
   Qualifying Org.   (Optional) A name to differentiate this user from
   Unit              another user with the same user name, certified by the
                     same certifier. This adds a differentiating component
                     that appears between the common name and the certifier
                     name.
   Short Name        (Optional) Created at registration, the default is
                     first initial, last name. You can change this name
                     optionally. It does not change automatically based on
                     changes to the primary name fields. You must make this
                     change manually.
   Internet Address  (Optional) Created at registration, the default is
                     first initial, last name. You can change this name
                     optionally. It does not change automatically based on
                     changes to the primary name fields. You must make this
                     change manually.
   Rename Windows    Available to Windows NT User Manager or Active
   NT User Account   Directory users only. Check this box if you want to
                     synchronize the name change in both the Domino Notes
                     and Windows NT or Domino Notes and Active Directory
                     accounts.

   Field             Action
   New Alternate     Available only if you are renaming a user whose
   Name              certifying organization has alternate names assigned.
   Information
   Common Name       The common name in the alternate language.
   Qualifying Org.   (Optional) A name to differentiate this user from
   Unit              another user with the same user name, certified by the
                     same certifier. This adds a differentiating component
                     that appears between the common name and the certifier
                     name.
   Original          The alternate language currently assigned to the user
   Language          (non-modifiable).
   New Language      Select from the list to assign a new alternate
                     language. This option is available only if the user is
                     moving into an Organizational Unit or Organization that
                     has an alternate language assigned.
9. Choose one of the following:
   • OK - to submit the name change approval.
   • Skip - if you are renaming more than one user and you want to
     continue to the next name without submitting a name change for
     the current name.
   • Cancel Remaining Entries - to cancel this name change and name
     changes for any other names you selected and have not yet
     submitted.
10. When the Processing Statistics dialog box appears, review the
information to verify that all name changes have succeeded. If any
fail, check the Certifier Log (CERTLOG.NSF) to determine the reason
for the failure. Click OK.
Renaming a Web user
Use the Domino Administrator to rename a Web user. The Administration
Process generates an administration request to rename the user.
1. From the Domino Administrator, click the People & Groups tab.
2. Click People and then select the Web user you are renaming.
3. From the Tools pane, click People - Rename. The “Rename Selected
HTTP, POP3, and IMAP People” wizard is activated.
4. In the “Honor old names for up to <21> days” field, either accept the
default or enter a value between 14 and 60 days.
5. Click Next.
6. Select each name whose common name components you want to
change, and then change the name as desired. Repeat for each name
you are changing.
7. Click Next. A message displays indicating the number of Web user
names that will be changed.
8. Click Finish.
For information on creating a non-Notes, Internet user, see the topic
“Registering non-Notes, Internet users” in this chapter.
Upgrading a user name from flat to hierarchical
In order to use the Administration Process to expedite name changes,
your organization must use hierarchical names. Use this procedure to
upgrade a user name from a flat format to a hierarchical format.
Upgrading a user name from flat to hierarchical affects both the primary
and alternate name information. To use the Domino alternate name
functionality, Domino 5.0.2 or later must be running on all servers
involved with the name change, the user’s workstation, and the
administrator’s workstation.
Note This procedure does not apply to roaming users.
To upgrade a user name from flat to hierarchical
1. To rename a user you must have:
   • Editor with Create documents access, or the UserModifier role to
     the Domino Directory
   • At least Author with Create documents access to the Certification
     Log
2. From the Domino Administrator, click the People & Groups tab.
3. Click People and select a user name.
4. From the tools pane, click People - Rename.
5. Click “Upgrade to Hierarchical.”
6. In the “Choose a Certifier” dialog box, make the following selections:
   Server: Do one of these:
   • If you are using the Lotus Domino 6 server-based CA, choose the server that is used to access the Domino Directory to look up the list of certifiers.
   • If you are supplying a certifier ID, select the server that is used to locate the list of certifiers so that the Certifier ID file can be updated with the latest set of certificates for itself and all of its ancestors. This is also the server on which CERTLOG.NSF is updated.
   Use the CA process: Choose this option if you have configured the Lotus Domino 6 server-based CA.
   • Select a CA-configured certifier from the list and click OK.
   Supply certifier ID and password: Choose this option if you are using a certifier ID and password.
   • Choose the certifier ID that certified the user’s ID and click Open. For example, to rename Joe Smith/Sales/NYC/ACME, use the certifier ID named SALES.ID.
   • Click “Certifier ID” to select an ID other than the one displayed.
   • Enter the password for the certifier ID and click OK.
7. In the “Certificate Expiration Date” dialog box, accept or change the new certification expiration date. The default certificate expiration date is two years from the current date.
   Tip The “Edit or inspect each entry before submitting request” check box is selected and cannot be modified.
8. In the Rename Person dialog box, you have the option of changing the primary or alternate name information. Then choose one of the following:
   • OK - to submit the name change approval.
   • Skip - if you are upgrading more than one user name and you want to continue to the next name without submitting a name change for the current name.
   • Cancel Remaining Entries - to cancel this name change and name changes for any other names you selected and have not yet submitted.
9. When the Processing Statistics dialog box appears, review the information to verify that all name changes have succeeded. If any fail, check the Certifier Log (CERTLOG.NSF) to determine the reason for the failure. Click OK.
Changing a roaming user to nonroaming
When you change a user from roaming to nonroaming, the
Administration Process changes the user’s status in their Person
document from roaming to nonroaming and deletes the user’s roaming
files and replicas from the servers on which those files reside.
1. From the Domino Administrator, click the People & Groups tab.
2. Choose People and select one or more roaming user name(s) you are
changing to nonroaming.
3. From the tools pane, click People - Roaming.
Note If you selected a mixed group of roaming and nonroaming
users, the Mixed Roaming Profile dialog box appears and prompts
you to select either roaming or non-roaming. Click the check box
“Remove roaming profiles from <n> selected users.” In this case, <n>
is the number of roaming users selected.
4. Click the check box “Perform updates in background” to process
each user in the background.
Tip Run the process in the background so that you can use the
Administrator client while requests are processed.
To verify the change
The procedure changes the user’s status in their Person document from
roaming to nonroaming. To verify that the change has been made:
1. From the Domino Administrator, click the People & Groups tab.
2. Click People and then select the user you changed to nonroaming.
3. Click Edit Person to open the user’s Person document.
4. Click the Roaming tab. The “User Can Roam” field should display No.
To approve the mail file deletion
If you chose to change a roaming user to nonroaming, you must approve
the deletion requests in the Administration Requests (ADMIN4.NSF)
database. Changing a roaming user to nonroaming requires that the user’s roaming files and replicas are deleted.
1. From the Domino Administrator, choose Server - Analysis -
Administration Requests (R6).
2. Select the Pending Administrator Approval view.
3. Depending on your choices when you changed the user from roaming to nonroaming, do one of these:
   • If you are certain that you want to approve one or more deletion requests without looking at detail information for those requests, select the requests, and click Approve Selected Requests and then click OK.
   • If you would like to see detail on one or more requests before approving the deletion of roaming files, select and open the request, click Edit Request, review the detail information, then choose Approve Replica Deletion, or choose Reject Replica Deletion.
4. Click Save and Close.
Changing a nonroaming user to roaming
When you change a user from nonroaming to roaming, the
Administration Process changes the user’s status in their Person
document from nonroaming to roaming and creates a personal
subdirectory for each roaming user. This personal subdirectory contains
the roaming user’s files and, by default, is placed in the Domino/data
path, unless you specify another location. You can optionally choose a
separator character if you want to include one in the user’s directory
name.
Before changing a nonroaming user to roaming, read the roaming user
information in the topic “Using Advanced user registration” in this
chapter.
To change a nonroaming user to roaming
1. To change a nonroaming user, you must have the following:
   • Editor with UserModifier access, or Author with Create documents role and UserModifier privilege to the Domino Directory
2. From the Domino Administrator, click the People & Groups tab.
3. Select one or more nonroaming user name(s).
4. From the Tools pane, click People - Roaming.
Note If you selected a mixed group of roaming and nonroaming
users, the Mixed Roaming Profile dialog box appears and prompts
you to select either roaming or non-roaming. Click the check box
“Assign roaming profiles to <n> selected users.” In this case, <n> is
the number of nonroaming users selected.
5. Complete these fields:
   Where should the user’s roaming files be stored? Choose one:
   • Store on user’s mail server —Places the user’s roaming files on the user’s mail server. (The user’s mail server was designated during user registration.)
   • Roaming Server —Click the button to specify the server on which you want to store the user’s roaming files.
   • Store user ID in personal address book —(Optional) Places the user’s ID in their own local personal address book.
   User’s personal roaming folder: Choose one:
   • Base folder —Name of the folder in which to store the user’s roaming files. By default the user’s base folder is located in the Domino\data directory. For example, if you want the base folder to be called Roaming for all your roaming users, enter Roaming to create the Domino\data\Roaming directory.
   • Sub-folder format —The format to use when naming the roaming user’s personal subfolder. By default this is the user’s short name format. You can change this format if desired and you can optionally choose a separator character. A personal folder (subfolder) is created in the Base folder for each user you upgrade to roaming user.
   If folder exists: Choose one:
   • Skip person —if a folder already exists.
   • Generate folder name —to create a new folder.
   Roaming user client clean up options: Choose one:
   • Do not cleanup —No cleanup is performed on roaming user files.
   • Cleanup every <number> days —Specify a number between 0 and 365.
   • Cleanup at Notes shutdown —Cleans up files when Notes is shut down.
   • Prompt user —The user is prompted on exiting the client as to whether they want to clean up their personal files. If the user chooses Yes, the data directory on that client workstation is deleted. If the user chooses No, the user is prompted as to whether they want to be asked again on that client. If the user chooses No, the user is not prompted again. If the user chooses Yes, the user is prompted again the next time the user exits the client on that workstation.
   Perform updates in background: Processes requests in the background leaving the administration client available for other administration activities.
   Note If you do not choose this option, the Administration client is busy until the Administration Process completes the upgrade.
To verify the change
The procedure changes the user’s status in their Person document from
nonroaming to roaming. To verify that the change has been made:
1. From the Domino Administrator, click the People & Groups tab.
2. Select the user you promoted to roaming.
3. Click “Edit Person” to open the user’s Person document.
4. Click the Roaming tab. The “User Can Roam” field should display
“In Progress” or “Yes.” The “In Progress” status displays until
replication has occurred and all replicas of the user’s files are
updated.
Changing a user’s Internet address
To modify only a user’s Internet address, modify the user’s Person
document.
1. From the Domino Administrator, click the Files tab and open the
Domino Directory (NAMES.NSF).
2. Select the user name and click Edit Person.
3. On the Mail tab, modify the name in the Internet Address field as
necessary.
4. Click Save and Close.
You can also modify a user’s Internet name when performing a user
rename, such as changing a user’s common name. To modify the user’s
Internet address using the Tools -> People -> Rename feature, you must
also modify another component of the user’s name, such as the short
name, at the same time that you are modifying the Internet address.
For more information on renaming a user with the options on the Tools
pane, see the topic “Renaming a Notes user’s common or alternate
name” in this chapter.
Deleting a user name with the Domino Administrator
You can delete a user name with the Administration Process by initiating
a delete person command from the Domino Administrator, by using the
Web Administrator, or by using the Windows NT User Manager or
Windows 2000 Active Directory. When you delete a user name, you may
want to add that user to a “termination” group to prevent the user from
accessing servers. When you create a termination group, assign the
group type “Deny Access” to the group.
You can also use this procedure to delete a roaming user name.
For more information on the administration requests that are generated
when you delete a roaming user, see the appendix “Administration
Process Requests.”
If the server is running Windows NT or Active Directory, you can delete
the user’s Windows NT or Active Directory account as well.
There may be times when you want to maintain a user’s mail file even
though you have deleted the user from the Domino Directory. That
option is available to you when you delete a user name. However, if you
choose to delete the user’s mail file, you must approve the mail file
deletion in the Administration Request database (ADMIN4.NSF). If you
delete a roaming user name, you must approve replica deletions.
For more information on Domino and Windows NT or Active Directory
directory synchronization, see the chapter “Using Domino with
Windows Synchronization Tools.”
For more information on the Web Administrator, see the chapter “Setting
Up and Using Domino Administration Tools.”
To delete a user
1. To delete a user, you must have:
   • Author with delete documents access and the UserModifier role, or Editor access to the Domino Directory
   • Author with Create documents access to the Certification Log
2. From the Domino Administrator, click the People & Groups tab.
3. Click People and select the user names you are deleting.
4. From the tools pane, click People - Delete.
5. Complete these fields:
   What should happen with the user’s mail database(s)? Choose the appropriate option(s):
   • Do not delete the mail database —to delete the Person document but leave the user’s mail files intact.
   • Delete the mail database on the user’s home server —to delete mail files on the user’s home server only.
   • Delete mail replicas on all other servers —this option is active only if “Delete the mail database on the user’s home server” was chosen. This option deletes all mail database replicas on other servers.
   Add deleted user to Deny Access Group (This option is active only if one or more groups of type Deny Access exists.): To deny a user access to servers immediately: 1. Click Groups. 2. Select a Deny Access Group from the list. 3. Click OK.
   Delete user’s Windows NT/2000 account, if existing: Select this option to delete the corresponding user account in Windows NT or Windows 2000 Active Directory.
   Delete user from this Domino Directory immediately: Select this option to remove the account from the Domino Directory immediately, while initiating Administration Process requests to remove the user’s name from ACLs, Names fields, etc.
Note If you choose to delete a user’s mail file, you must have at least
Editor with delete documents access to the Administration Requests
database and delete documents access to the Domino Directory.
6. Click OK.
For more information on shared mail databases, see the chapter “Setting
Up Shared Mail.”
To approve the mail file deletion
If you chose to delete any mail databases, including replicas, you must
approve the requests in the Administration Requests (ADMIN4.NSF)
database.
1. From the Domino Administrator, choose Server - Analysis -
Administration Requests (R6).
2. Select the Pending Administrator Approval view.
3. Depending on your choices when you deleted the user name, do one of the following:
   • If you are certain that you want to approve one or more requests without looking at detail information for those requests, select the request, and click Approve Selected Requests and then click OK.
   • If you would like to see detail on one or more requests before approving the deletion, select and open the request, click Edit Request, review the detail information, then choose Approve Replica Deletion, or choose Reject Replica Deletion.
4. Click Save and Close.
Deleting a user name with the Web Administrator
You can delete user names via the Web Administrator, as well as from
the Domino Administrator. Review the introductory information in the
procedure “Deleting a user name with the Domino Administrator”
before initiating this procedure.
1. Make sure you have the following before you begin deleting user names:
   • At least Author access and “Delete documents” privileges in the Domino Directory.
2. From the Domino Web Administrator, click the People & Groups tab.
3. Click People and select the user names you are deleting.
4. From the tools pane, click People - Delete.
5. Complete these fields:
   What should happen with the user’s mail database(s)? Choose the appropriate option(s):
   • Do not delete the mail database - to delete the Person document but leave the user’s mail files intact.
   • Delete the mail database on the user’s home server - to delete mail files on the user’s home server only.
   • Delete mail replicas on all other servers - this option is active only if “Delete the mail database on the user’s home server” was chosen. This option deletes all mail database replicas on other servers.
   Add user to Deny Access Group (This option is active only if one or more groups of type Deny Access exists.): To deny a user access to servers immediately: 1. Click Groups. 2. Select a Deny Access Group from the list. 3. Click OK.
   Delete user’s Windows domain account: Select this option to delete the user’s corresponding Windows domain account.
   Delete user from this Domino Directory immediately: Select this option to remove the account from the Domino Directory immediately, while initiating Administration Process requests to remove the user’s name from ACLs, Names fields, etc.
6. Click OK and then click Close.
To approve the mail file deletion
If you chose to delete any mail databases, including replicas, you must
approve the requests in the Administration Requests (ADMIN4.NSF)
database.
1. From the Web Administrator, choose Server - Analysis - Administration Requests (R6).
2. Select the Pending Administrator Approval view.
3. Depending on your choices when you deleted the user name, do one of the following:
   • If you are certain you want to approve one or more requests without looking at details for those requests, select those requests, and click Approve Selected Requests.
   • If you want to view detail on one or more requests before approving the deletion, select and open the request, click Edit Document, review the detail information, and then click Save and Close, or click Cancel.
Moving a user’s mail file and roaming files from the Domino
Administrator or the Web Administrator
You may need to move mail files when you need more space on a server
or when users change jobs. When a mail file is moved, the
Administration Process first moves it to a new server, then issues a
request to delete the old mail file from its original mail server. You must
approve this mail file deletion. The Administration Process also changes
the information in the “Mail file name” and “Mail server” fields in the
user’s Location document.
Moving a user’s mail file to a Lotus Domino Release 6 clustered server
allows you to choose additional servers on which to create replicas. The
user interface provides a list of all the servers (cluster mates) you can
choose from. You can also click the server name to specify paths for each
server.
Moving a mail database archive
You can move a mail database archive when you move a mail database
to another server if the archive is located on the same server as the mail
file. Mail archiving is usually done to save space on mail servers;
therefore, if a mail database archive is on a different server there is
typically no reason to move the archive. Mail databases are often moved
for resource balancing purposes.
To move only a mail file
1. To move a user’s mail files, you must have:
   • Editor access with Create documents role, or Author access with the UserModifier role in the Domino Directory
2. From the Domino Administrator or Web Administrator, click the
People & Groups tab.
3. Click People and select the person whose mail file you are moving.
4. Click Move to Another server.
5. Choose a destination server to which you are moving the mail file. If
the destination server you choose is a clustered server, it appears
“checked” in the Additional mail server field on this dialog box.
6. (Optional) Enter a new directory to which the mail file should be
moved. You can accept the default of mail\.
7. (Optional) Click Link to Object Store if you are using shared mail and
want to link the mail file to the object store.
8. (Optional) Choose one of these:
   • From the Domino Administrator, click Remove all mail replicas if the server is in a cluster and you want all mail replicas to be deleted.
   • From the Web Administrator, click Delete old replicas if the server is in a cluster and you want to delete mail file replicas from a cluster.
9. If you are working with clustered servers, you can select additional servers in the cluster to which the mail database can be moved. To select additional servers, click the check box next to the server name in the Additional mail server field.
10. Click OK.
11. Click Close.
To approve the mail file deletion
When the mail file is on the new mail server, you must approve the mail
file deletion in the Administration Requests database (ADMIN4.NSF).
1. From the Domino Administrator or the Web Administrator, click
Server - Analysis - Administration Requests (6).
2. Choose the Pending Administrator Approval view.
3. Locate the Approve mail file deletion request and open that request.
4. Click “Edit Document.” Review the request.
5. Click “Approve Mail File Deletion.”
6. Click Save and Close.
To move a user's mail file and/or roaming files
You can move a user’s roaming files and mail files at the same time to the
same destination server. However, if you want to move a user’s roaming
files to one server and the mail files to another server, you must complete
the procedure twice — once for the roaming files and then once for the
mail files. The roaming files that are moved are JOURNAL.NSF,
BOOKMARK.NSF, and NAMES.NSF.
You can use this procedure to move any user’s mail files, whether they
are roaming users or not.
The files are moved by the Administration Process in the background so
that you can continue to perform administration activities while the files
are being moved.
1. To move a user’s mail and/or roaming files, you must have:
   • Editor with Create documents access, or Author access with the UserModifier role to the Domino Directory
   • At least Author with Create documents access to the Certification Log (for roaming files move)
   • CreateReplica access to the destination server
2. From the Domino Administrator or the Web Administrator, click the
People & Groups tab.
3. Click People and select a user name.
4. From the tools pane, click People - Move to Another Server.
5. Complete these fields:
6. If you are working with clustered servers, you can select additional
servers in the cluster to which the mail database can be moved. To
select additional servers, click the check box next to the server name
in the Additional mail server field.
7. Click OK.
To approve the requests
When the mail file is on the new mail server, be sure to open the
Administration Requests database (ADMIN4.NSF). Locate the “Approve
file deletion” request and approve the request. When the roaming files
are on the new roaming server, locate the “Approve file deletion”
requests for the roaming files in ADMIN4.NSF and approve them.
1. From the Domino Administrator or the Web Administrator, click
Server - Analysis - Administration Requests (6).
2. Choose the Pending Administrator Approval view.
3. Locate the Approve mail file deletion request and open that request.
4. Click “Edit Document.” Review the request.
5. Click “Approve Mail File Deletion.”
6. Locate the roaming file approval requests, and repeat steps 4 and 5
to approve the deletion of the roaming files.
7. Click Save and Close.
Recertifying a user ID
Before a user ID reaches its expiration date, recertify the user ID using the
original certifier ID. The user ID is recertified without renaming the user.
Use the Certificate expiration view to determine which certifiers need to
be recertified. Access this view from Files - Certlog.nsf - By Expiration
date. All certifiers are listed by expiration date.
For more information on certifiers and certification, see the chapter
“Deploying Domino.”
Note To recertify a user ID using a certifier other than the certifier used
to create the user ID, see “Moving a user name in the name hierarchy” in
this chapter.
To recertify a user ID
Follow these steps to use the Administration Process to recertify a
hierarchical ID that is about to expire.
1. To recertify a user ID, you must have:
   • Author with Create documents access and the UserModifier role, or Editor access to the Domino Directory
   • At least Author with Create documents access to the Certification Log (CERTLOG.NSF)
2. From the Domino Administrator, click the People & Groups tab.
3. Select the user to be recertified with the same certifier.
4. From the tools pane, select People - Recertify.
5. Complete these fields:
   Server: Do one of these:
   • If you are using the Lotus Domino 6 server-based CA, choose the server that is used to access the Domino Directory to look up the list of certifiers.
   • If you are supplying a certifier ID, select the server that is used to locate the list of certifiers so that the Certifier ID file can be updated with the latest set of certificates for itself and all of its ancestors. This is also the server on which CERTLOG.NSF is updated.
   Use the CA process: Choose this option if you have configured the Lotus Domino 6 server-based CA.
   • Select a CA configured certifier from the list and click OK.
   Supply certifier ID and password: Choose this option if you are using a certifier ID and password.
   • Choose the certifier ID that certified the user’s ID and click Open. For example, to rename Joe Smith/Sales/NYC/ACME, use the certifier ID named SALES.ID.
   • Click “Certifier ID” to select an ID other than the one displayed.
   • Enter the password for the certifier ID and click OK.
   New certificate expiration date: (Optional) Specify a certifier ID expiration date other than the default two years from the current date.
   Only renew certificates that will expire before: (Optional) Enter a date to recertify only a subset of selected user IDs, according to their current expiration dates.
   Edit or inspect each entry before submitting request: (Optional) Select the option to edit or inspect each entry before submitting the request if you want to view each certificate before it is renewed.
7. If you selected the option to view each entry prior to its being submitted, the Recertify Person dialog box appears with non-modifiable information in the primary and common name fields. Review the information that displays, then select one of the following:
   • OK - to submit the name change.
   • Skip - if you are recertifying more than one user ID and you want to continue to the next without submitting a recertification for the current name.
   • Cancel Remaining Entries - to cancel this recertification, as well as those for any other names you selected and have not yet submitted.
8. When the Processing Statistics dialog box appears, review the
information to verify that all name changes have succeeded. Click
OK. If any fail, check the Certifier Log (CERTLOG.NSF) to determine
the reason for the failure.
Recertifying a certifier ID or a user ID
Use this procedure to recertify a certifier ID or a user ID with the same
certifier ID that was used previously to certify the certifier ID or user ID.
Certifier IDs are used to certify other certifiers, servers, and users. A
certifier ID issues a certificate to another user, server or certifier that is on
the hierarchical level immediately below the certifier. For example, in the
Organizational Unit Sales/NYC/ACME, NYC is the certifier for Sales;
ACME is the certifier for NYC. The Organization certifier, in this case
ACME, can certify itself.
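The parent-certifies-child rule in the paragraph above, together with the expiration checks described under “Recertifying a user ID” (the CERTLOG.NSF by-expiration view and the “Only renew certificates that will expire before” option), as an added Python model. This is example code written for this page, not Lotus or IBM code. The ID file naming (SALES.ID for /Sales/NYC/ACME, NYC.ID for /NYC/ACME) follows the page’s own examples and is assumed as a convention; the sample expiration dates are constructed; the canonical form (CN=/OU=/O=) is standard Notes naming. Flat names, which the page says must be upgraded before the Administration Process can rename them, are detected and rejected by the certifier functions.

```python
from datetime import date


def is_hierarchical(name):
    """True for names with at least one hierarchical component
    ('Joe Smith/Sales/NYC/ACME' or a certifier such as '/ACME');
    False for a flat name such as 'Joe Smith'."""
    return name.startswith("/") or "/" in name


def split_name(name):
    """Split an abbreviated name into its components, leaf first.
    A leading '/' is how the page writes certifier (non-leaf) names."""
    parts = [part for part in name.split("/") if part]
    if not parts:
        raise ValueError("empty hierarchical name: %r" % name)
    return parts


def certifier_of(name):
    """The certifier that issued the certificate for `name`: the level
    immediately above it. The Organization certifier certifies itself."""
    if not is_hierarchical(name):
        raise ValueError("flat name has no hierarchical certifier: %r" % name)
    parts = split_name(name)
    if len(parts) == 1:
        return "/" + parts[0]
    return "/" + "/".join(parts[1:])


def certifier_chain(name):
    """All certifiers from the immediate one up to the Organization, e.g.
    ['/Sales/NYC/ACME', '/NYC/ACME', '/ACME'] for a user under Sales."""
    if not is_hierarchical(name):
        raise ValueError("flat name has no hierarchical certifier: %r" % name)
    parts = split_name(name)
    if len(parts) == 1:
        return ["/" + parts[0]]
    return ["/" + "/".join(parts[i:]) for i in range(1, len(parts))]


def certifier_id_file(certifier_name):
    """Map a certifier name to its ID file using the convention shown on the
    page (SALES.ID for /Sales/NYC/ACME). Assumed convention: real
    deployments may name certifier ID files differently."""
    return split_name(certifier_name)[0].upper() + ".ID"


def to_canonical(name):
    """Abbreviated to canonical form: CN= for the common name, OU= for
    organizational units, O= for the organization."""
    parts = split_name(name)
    is_certifier = name.startswith("/")
    labels = []
    for i, part in enumerate(parts):
        if i == 0 and not is_certifier:
            labels.append("CN=" + part)
        elif i == len(parts) - 1:
            labels.append("O=" + part)
        else:
            labels.append("OU=" + part)
    return "/".join(labels)


def _as_date(value):
    """Accept a date or an ISO string such as '2003-06-01'."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def default_expiration(today):
    """Default certificate expiration: two years from the current date
    (29 February rolls back to 28 February in a non-leap year)."""
    today = _as_date(today)
    try:
        return today.replace(year=today.year + 2)
    except ValueError:
        return today.replace(year=today.year + 2, day=28)


def ids_to_renew(expirations, before):
    """Names whose certificates expire before `before`: the subset the
    'Only renew certificates that will expire before' option selects."""
    before = _as_date(before)
    return sorted(name for name, exp in expirations.items() if _as_date(exp) < before)


# Constructed sample of a CERTLOG.NSF-style "by expiration date" listing.
SAMPLE_EXPIRATIONS = {
    "Joe Smith/Sales/NYC/ACME": "2003-03-01",
    "/Sales/NYC/ACME": "2004-06-30",
    "/NYC/ACME": "2003-01-15",
    "/ACME": "2010-01-01",
}


if __name__ == "__main__":
    user = "Joe Smith/Sales/NYC/ACME"
    print(to_canonical(user))
    for cert in certifier_chain(user):
        print("  certified by", cert, "using", certifier_id_file(cert))
    print("renew before 2003-06-01:", ids_to_renew(SAMPLE_EXPIRATIONS, "2003-06-01"))
    print("default expiration from 2003-06-01:", default_expiration("2003-06-01"))
```

Running the block lists the chain a Sales user depends on, which is also the order in which an expiring certifier must be dealt with: renewing the user with SALES.ID is pointless if /Sales/NYC/ACME itself has lapsed, so check the chain from the top down before recertifying leaves.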
You can also recertify a user ID with a different certifier ID, that is, a
certifier ID other than the one used to previously certify the user ID.
Although recertifying a user ID with a different certifier is allowed, it is
not recommended that you do so using this procedure. In this case, you
are renaming the user, which is a very complex process involving
changes to ACLs for various databases, changes to lists of group
members, and other related entries. Recertifying a user ID with a
different certifier does not invoke the Administration Process, so all
changes need to be made manually. To recertify a user with a different
certifier ID, we recommend using the Rename tool, and requesting a
move to a new certifier — see the topic “Moving a user name in the name
hierarchy” earlier in this chapter.
When you recertify an ID you can:
• Provide a new expiration date for certificates about to expire
• Add a new alternate name to the certifier ID
• Change the minimum password quality
Types of IDs you can recertify
You can recertify any of the following types of IDs:
• Organizational unit
• Server
• User
• Organization certifier (when it is used to certify itself)
For more information on certifier IDs, see the chapter “Deploying
Domino.”
To recertify a certifier ID or a user ID
1. From the Domino Administrator, click Configuration.
2. From the tools pane, click Certification - Certify.
3. In the “Choose a Certifier” dialog box, make the following selections:
   Server: Do one of these:
   • If you are using the Lotus Domino 6 server-based CA, choose the server that is used to access the Domino Directory to look up the list of certifiers.
   • If you are supplying a certifier ID, select the server that is used to locate the list of certifiers so that the Certifier ID file can be updated with the latest set of certificates for itself and all of its ancestors. This is also the server on which CERTLOG.NSF is updated.
   Supply certifier ID and password: Choose the certifier ID that issued the original certificate. For example, to recertify the certifier ID for /Sales/NYC/ACME, choose the /NYC/ACME certifier ID, which is NYC.ID.
   • Click “Certifier ID” to select an ID other than the one displayed.
   • Enter the password for the certifier ID and click OK.
   Note Although not recommended, you can choose a different certifier ID to recertify a user ID, instead of using the original certifying ID.
   Use the CA process: Choose this option to use the server-based certification authority (CA).
   • Select a CA-configured certifier from the list and click OK.
4. In the “Choose ID to Certify” box, select the certifier ID or user ID that you want to recertify. For example, to recertify Sales/NYC/ACME, choose SALES.ID.
5. Enter the password and click OK.
6. In the Certify ID dialog box, complete the following fields as necessary:
   Current Server: The registration server for the current certifier ID. (nonmodifiable)
   Current certifier: The name hierarchy of the certifier that issued the certificate. (nonmodifiable)
   Expiration date: (Optional) Specify a certifier ID expiration date other than the default two years from the current date.
   Primary key: Public half of the primary RSA key pair stored in the Notes ID file. This RSA key pair is used for electronic signatures on documents and certificates, and on mail encryption when both the sender and the recipient have a North American Notes license. This key pair is also used for network authentication. (nonmodifiable)
   International key: The public half of the international RSA key pair. This key pair is used for mail encryption when either the sender or the recipient is running with an International Notes license. (nonmodifiable)
   Subject name list: Certifier ID(s) you are working with.
   Add: Click to add and certify an alternate name. Select the alternate language, country code (optional), and the organization identifier for the language.
   Rename: Rename the alternate name selected in the Subject name list. This button is not available when recertifying user IDs. This button is enabled only when alternate languages have been assigned.
   Remove: Removes the alternate name selected in the Subject name list.
   Password quality: Move the slider to change the level of complexity and variety of characters entered for the password.
Finding a user name in the domain with the Domino Administrator or the Web Administrator
You can search for a user name in the domain and obtain logs that
include document links and directory links to each occurrence of the user
name. This procedure can be performed from the Domino Administrator
or from the Web Administrator.
To find references to a user's name with the Domino Administrator
1. From the Domino Administrator, click the People & Groups tab.
2. Select one or more user name(s) that you want to locate in the
domain.
3. From the tools pane, click People - Find Users.
4. Click Yes to initiate the Administration Request to locate all the
occurrences of the selected name(s) in the enterprise.
To find references to a user's name with the Web Administrator
1. From the Web Administrator, click the People & Groups tab.
2. Enter the name of the user whose name you are trying to find.
3. Click Send.
4. (Optional) Continue adding user names that you want to search for.
5. Click Done.
To view the results of the name search
To view the log of locations where the user name(s) are located:
1. From the Domino Administrator or the Web Administrator, click
Server - Analysis - Administration Request (6).
2. Select the All Requests by Action view and locate the “Find Name in
Domain” request.
3. Double-click the report to access the Administration Process - Log
document.
License Tracking
License Tracking allows you to monitor the number of active Notes users
within a Notes domain. You can use License Tracking to determine how
many client licenses you have, whether you need to purchase additional
licenses, and when you need to purchase them.
Note License Tracking cannot be used in a hosted environment.
How license tracking works
Client usage is tracked on each server. When a user authenticates with a
server using the Notes client, HTTP, IMAP, POP3, SMTP, or the LDAP
protocol, the user’s full canonical name, protocol, and time and date of
access are collected. Once each day, an administration request sends the
administration process information about new users and about users who
have not accessed the server within the last 30 days. The administration
process running on the administration server processes the request.
The administration process creates a new User License document in the
UserLicenses database (USERLICENSES.NSF) for each new user
reported in the administration request. Documents are updated with the
new time and date for those users who already have a document in the
User Licenses database. If a user does not access any servers in the
Domino domain for one full year, the corresponding User License
document is deleted from the User Licenses database.
Note If a user is deleted from the Domino Directory, the corresponding
User Licenses document is deleted. If a user is renamed, the
corresponding document is also renamed accordingly. Existing
administration requests are used to maintain this user information.
After the administration process updates USERLICENSES.NSF, the
License Tracking document in the Domino Directory is updated with the
total number of users whose information was tracked that night. The
License Tracking document is updated once each day. These daily updates
enable you to review this information at any time to obtain an up-to-date
report on the number of client licenses that you have available for use.
By default, administrators have Manager access to the User Licenses
database and users have no access.
Note The Server/Licenses view that was displayed in Domino R5 is not
part of the License Tracking feature.
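As an added example (not IBM’s code), the following Python models the daily reconciliation described above: a server condenses its collected authentication records into the daily request, the Administration Process updates the User License documents, deletes those for users unseen for a full year, and reports the total written to the License Tracking document. The canonical names, dates and access records are constructed for the example, and representing USERLICENSES.NSF as a dictionary keyed by canonical name is an assumption made here.

```python
from datetime import date, timedelta

INACTIVE_AFTER_DAYS = 30   # users the server reports as not seen within 30 days
DELETE_AFTER_DAYS = 365    # one full year without access anywhere in the domain


def collect_daily_request(server_log):
    """Condense one server's collected access records into the daily request.

    server_log is a constructed list of (canonical name, protocol, access date)
    tuples, one per authentication over Notes, HTTP, IMAP, POP3, SMTP or LDAP.
    Returns {canonical name: most recent access date seen on this server}.
    """
    latest = {}
    for name, _protocol, when in server_log:
        if when > latest.get(name, date.min):
            latest[name] = when
    return latest


def stale_on_server(request, today):
    """Names in the request that have not accessed this server in the last 30 days."""
    cutoff = today - timedelta(days=INACTIVE_AFTER_DAYS)
    return sorted(name for name, when in request.items() if when < cutoff)


def apply_request(user_licenses, request, today):
    """Administration Process side of the exchange.

    user_licenses models USERLICENSES.NSF as {canonical name: last access date},
    one entry per User License document (an assumption for this example).
    New names get a document, existing documents get the newer date, and
    documents for users unseen for a full year are deleted. The return value
    is the count written to the License Tracking document.
    """
    for name, when in request.items():
        if name not in user_licenses or when > user_licenses[name]:
            user_licenses[name] = when
    expired = [n for n, last in user_licenses.items()
               if (today - last).days >= DELETE_AFTER_DAYS]
    for name in expired:
        del user_licenses[name]
    return len(user_licenses)


def on_user_renamed(user_licenses, old_name, new_name):
    """Mirror a Domino Directory rename onto the User License document."""
    if old_name in user_licenses:
        user_licenses[new_name] = user_licenses.pop(old_name)


def on_user_deleted(user_licenses, name):
    """Mirror a Domino Directory deletion onto the User License document."""
    user_licenses.pop(name, None)


if __name__ == "__main__":
    today = date(2003, 6, 1)
    # constructed sample: one server's records for the day
    log = [
        ("CN=Alice Example/O=Acme", "Notes", date(2003, 5, 31)),
        ("CN=Alice Example/O=Acme", "IMAP", date(2003, 5, 20)),
        ("CN=Bob Example/O=Acme", "HTTP", date(2003, 4, 1)),
    ]
    request = collect_daily_request(log)
    print("not seen in 30 days:", stale_on_server(request, today))
    licenses = {"CN=Carol Example/O=Acme": date(2002, 5, 1)}  # unseen for over a year
    print("licensed users tonight:", apply_request(licenses, request, today))
```

Because the count is rebuilt from access dates rather than from the Person documents, an account that still exists in the Domino Directory but has not authenticated anywhere in a year drops out of the count; comparing that count with the directory is a cheap way to find dormant accounts worth reviewing.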
Enabling or disabling license tracking
Use this procedure to either enable or disable License Tracking.
1. From the Domino Administrator, click the Configuration tab.
2. Choose Server - Configurations.
3. Select the server and click Edit Configuration.
4. On the Basics tab, in the License Tracking field, click Disabled or
Enabled according to what you want to do.
5. Click Save and Close.
Calculating the number of licenses in use
Use this procedure to recalculate the number of Notes and/or iNotes
Web Access users in your domain. A document is created for each server
in your domain, listing the number of Notes and iNotes Web Access
users on each server.
1. From the Domino Administrator, click the Files tab.
2. Open the License Tracking database.
3. Choose Licenses or Licenses - By Server and click Recalculate Licenses.
Custom welcome page deployment
For a consistent, custom appearance across a company or organization,
you can create custom welcome pages, and then deploy them to users
through policies and desktop settings documents. They can be as simple
as a background with a company logo, or sophisticated pages with
multiple frames and many different types of content.
You can create as many welcome pages as you want. However, there is a
limit to the number of welcome pages that will display in the Default
Welcome Page menu in the desktop settings. This limit is approximately
ten pages, depending on the character length of the welcome page titles.
The limit only affects how many welcome pages appear in the desktop
settings menu. All welcome pages will be deployed to the user’s
bookmarks, no matter how many there are.
Create and work on your corporate welcome page database locally, and
then copy it to the server when you are finished. This keeps users from
seeing your changes in progress, ensuring that they only see finished pages.
Designate a default welcome page for individual users by deploying it in an
explicit policy, or for entire organizations by using organizational policies.
Tip To ensure that a custom welcome page is available to set as the
default for users, create that page first to make sure it will be available
for selection on the desktop settings menu.
Creating the welcome page database
1. From the Domino Administrator, choose File - Database - New.
2. In the Server field, select Local.
3. In the Title field, enter the name of the new database. The file name
is entered by default, but you can modify it. The file name can be
anything except BOOKMARK.NSF.
4. In the Template Server field select Local.
5. Click Show advanced templates.
6. Click the Bookmarks (R6) template.
7. Click OK.
Creating welcome pages
You create corporate welcome pages the same way you create them in
the Notes client. For even more options and control over your welcome
pages, open your welcome page database in the Domino Designer and
run the “Toggle advanced configuration editor” agent.
When you finish working on welcome pages locally, copy the welcome
page database to a server to make it available to users.
Deploying welcome pages using desktop settings
1. Open the welcome page database on the server.
2. From the Domino Administrator click the People & Groups tab.
3. From the menu, choose Create - Policy Settings - Desktop Settings.
4. From the Domino Administrator task bar, click the welcome page
database and drag it to the Corporate Welcome Pages database field.
This creates a database link.
5. (optional) From the Default Welcome Page menu, select a welcome
page to appear automatically when users log in.
6. (optional) Click “Do not allow users to change their home page” to
prevent users from creating or selecting a home page other than the
default.
7. Click Save and Close.
Implement these desktop settings in one or more policies, and then
assign them to users to finish deploying your custom welcome pages.
The changes will deploy to users the next time they log in.
For more information on policies, see the chapter “Using Policies.”
Modifying and redeploying welcome pages
Keep your local copy of the welcome page database, and use it to work on
any changes you might want to make later. Once the changes to the local
database are complete, save the database and copy it to the server again.
You will then need to go back into each of the desktop settings
documents that point to the welcome page database and create new
database links to the new version. Once this is complete, the changes will
deploy to users the next time they log in.
Chapter 6
Setting Up and Managing Groups
This chapter describes how to create and manage groups.
Using groups
Groups are lists of users, groups, and servers that have common traits.
They are useful for mailing lists and access control lists. Using groups
can simplify administration tasks. For example, if you create a group
called “Terminations” that lists all former employees, you can enter the
Terminations group name in the “Not access” field in the Server Access
section of the Security tab on each Server document. When an employee
leaves the company, you add the employee’s name to the Terminations
group and then force replication of the Domino Directory to prevent the
employee from having access to all servers in the domain. Using a
Terminations group saves you the time and effort of manually adding
individual employee names to each Server document when employees
leave the company.
To create a group, you create a Group document in the Domino
Directory. You can add registered users to the group as you create the
Group document and you can add new users to a group as you register
them. There is no limit to the number of names that you can add to a
group. However, the total number of characters used for names in the
group cannot exceed 15KB. To keep groups manageable, split a large list
of users into two or more groups.
By default, the Domino Directory contains two groups:
LocalDomainServers and OtherDomainServers. LocalDomainServers
includes all servers in the current domain. Domino automatically adds
servers that you register in the current domain to the
LocalDomainServers group. OtherDomainServers includes all servers
that are not in the current domain. For example, OtherDomainServers
might include the names of servers in other companies with which your
company communicates. If you set up a connection to a server in another
company or domain, add the server name to the OtherDomainServers
group.
A third group, LocalDomainAdmins, may reside in the Domino
Directory if the “Add LocalDomainAdmins group to all databases and
templates” check box was selected during first server setup for a domain.
The LocalDomainAdmins group contains names of the domain
administrators.
Each group must have an owner — usually an administrator or database
manager.
Creating and modifying groups
Create and modify groups from the Domino Administrator. You can nest
one or more groups within an existing group, that is, create a group and
then add one or more existing groups as members of the new group. For
mail-routing, you can nest up to five levels of groups. For all other
purposes, you can nest up to six levels of groups. You can also use the
Web Administrator to create and modify groups.
Creating a group with the Domino Administrator
1. Make sure that you have Editor access or Author access with the
GroupCreator role in the Domino Directory.
2. From the Domino Administrator, click the People & Groups tab.
3. From the Servers pane, select the server to work from.
4. Select Domino Directories, and then select Groups - Add Group.
5. Complete these fields on the Basics tab:

Field Action
Group name: Enter a name for the group, using any of these characters: A - Z, 0 - 9, & - . _ ’ (ampersand, dash, period, space, underscore, and apostrophe) for the name. A group name can be a maximum of 62 characters in length. For easier administration, use a name without spaces. Do not use a name that is in use as the name of an organizational unit in the hierarchical name scheme.
Note Do not create group names containing a / (slash) unless you are working in a hosted environment. Using the / in group names in a non-hosted environment causes confusion with hierarchical naming schemes. Hierarchical names are required in a hosted environment.
Group type: Select a group type. The group type specifies the purpose of the group and determines the views in the Domino Directory where the group name appears. For example, mailing list groups appear in the Mail Users view, and access control groups appear in the Access Control view. Using specific group types improves performance by reducing the size of view indexes in the Domino Directory.
• Multi-purpose — Use for a group that has multiple purposes — for example, mail, ACLs, and so on. This is the default.
• Access Control List only — Use for server and database access authentication only.
• Mail only — Use for mailing list groups.
• Servers only — Use in Connection documents and in the Domino Administration client’s domain bookmarks for grouping.
• Deny List only — Use to control access to servers. Typically used to prevent terminated employees from accessing servers, but this type of group can be used to prevent any user from accessing particular servers. The Administration Process cannot delete any member of the group.
Category: (Optional) Choose a Category if you have created any. Use the category field to categorize groups in any way that you need to.
Description: (Optional) Enter a description of the group in the Description field.
Mail Domain: Enter the Domino domain in which this group’s mail address will reside in the Mail Domain field.
Internet address: Enter the Internet e-mail address for this group in the Internet Address field.
Members: Click Members, select users, servers, or groups to add, click Add, and then click OK.
Owners: Add an owner name or modify the list of group owners.
Administrators: Add an administrator name or modify the list of group administrators.
Allow foreign directory synchronization: Choose one:
• Yes — To allow synchronization between a post office directory, such as the cc:Mail post office directory or a Microsoft Exchange Address Book, and the Domino Directory
• No — To prevent synchronization between a post office directory, such as the cc:Mail post office directory or a Microsoft Exchange Address Book, and the Domino Directory
Last modified: Non-modifiable field. Provides the hierarchical name of the last administrator that made changes to the Group document.

Creating a group with the Web Administrator
Create groups from the Web Administrator, just as you would from the
Domino Administrator.
1. Make sure that you have Editor access or Author access with the
GroupCreator role in the Domino Directory.
2. From the Web Administrator, click the People & Groups tab.
3. Select Domino Directories, and then select Groups.
4. Click Add Group.

Field Action
Group name: Enter a name for the group, using any of these characters: A - Z, 0 - 9, & - . _ ’ (ampersand, dash, period, space, underscore, and apostrophe) for the name. A group name can be a maximum of 62 characters in length. For easier administration, use a name without spaces. Do not use a name that is in use as the name of an organizational unit in the hierarchical name scheme.
Note Do not create group names containing a / (slash) unless you are working in a hosted environment. Using the / in group names in a non-hosted environment causes confusion with hierarchical naming schemes. Hierarchical names are required in a hosted environment.
Group type: Select a group type. The group type specifies the purpose of the group and determines the views in the Domino Directory where the group name appears. For example, mailing list groups appear in the Mail Users view, and access control groups appear in the Access Control view. Using specific group types improves performance by reducing the size of view indexes in the Domino Directory.
• Multi-purpose — Use for a group that has multiple purposes — for example, mail, ACLs, and so on. This is the default.
• Access Control List only — Use for server and database access authentication only.
• Mail only — Use for mailing list groups.
• Servers only — Use in Connection documents and in the Domino Administration client’s domain bookmarks for grouping.
• Deny List only — Use to control access to servers. Typically used to prevent terminated employees from accessing servers, but this type of group can be used to prevent any user from accessing particular servers. The Administration Process cannot delete any member of the group.
Category: (Optional) Choose a Category if you have created any. Use the category field to categorize groups in any way that you need to.
Description: (Optional) Enter a description of the group in the Description field.
Mail Domain: Enter the Domino domain in which this group’s mail address will reside in the Mail Domain field.
Internet address: Enter the Internet e-mail address for this group in the Internet Address field.
Members: Click the arrow to the right of the Members field, select users, servers, or groups to add, click Add, and then click OK.
Owners: Add an owner name or modify the list of group owners.
Administrators: Add an administrator name or modify the list of group administrators.
Allow foreign directory synchronization: Choose one:
• Yes — To allow synchronization between a post office directory, such as the cc:Mail post office directory or a Microsoft Exchange Address Book, and the Domino Directory
• No — To prevent synchronization between a post office directory, such as the cc:Mail post office directory or a Microsoft Exchange Address Book, and the Domino Directory
Last modified: Non-modifiable field. Provides the hierarchical name of the last administrator that made changes to the Group document.

8. Click Save and Close.
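The naming and size rules stated for the Group name field and in “Creating and modifying groups” (the allowed characters, the 62-character maximum, no slash outside a hosted environment, no collision with an organizational unit name, and at most 15KB of member names per group) can be checked before a Group document is saved. The following Python is an added example, not code from IBM or from the Domino product; it assumes that letters of either case are accepted, that a straight or a typographic apostrophe is acceptable, and that the 15KB limit is measured in UTF-8 bytes. The sample names are constructed.

```python
import re

GROUP_NAME_MAX_LEN = 62
MEMBER_NAMES_MAX_BYTES = 15 * 1024   # total characters used for member names
# A - Z, 0 - 9, ampersand, dash, period, space, underscore, apostrophe.
# Assumptions for this example: lower case letters and a curly apostrophe are accepted.
_ALLOWED = re.compile(r"^[A-Za-z0-9&\-. _'\u2019]+$")


def check_group_name(name, org_units=(), hosted=False):
    """Return (errors, warnings) for a proposed group name.

    errors break the hard rules on the page; warnings are its advisory ones.
    org_units: organizational unit names in the hierarchical name scheme.
    hosted: True in a hosted environment, where the slash is permitted.
    """
    errors, warnings = [], []
    if not name:
        return ["name is empty"], warnings
    if len(name) > GROUP_NAME_MAX_LEN:
        errors.append(f"longer than {GROUP_NAME_MAX_LEN} characters")
    if "/" in name and not hosted:
        errors.append("contains / (slash) outside a hosted environment")
    bad = sorted({c for c in name if c != "/" and not _ALLOWED.match(c)})
    if bad:
        errors.append("disallowed characters: " + " ".join(bad))
    if name.casefold() in {ou.casefold() for ou in org_units}:
        errors.append("same as an organizational unit name")
    if " " in name:
        warnings.append("contains spaces; harder to administer")
    return errors, warnings


def member_names_size(members):
    """Bytes used by the member names, to compare against the 15KB limit."""
    return sum(len(m.encode("utf-8")) for m in members)


def split_members(members, limit=MEMBER_NAMES_MAX_BYTES):
    """Split an oversized member list into lists that each fit the limit,
    following the page's advice to divide a large group into two or more groups."""
    groups, current, used = [], [], 0
    for m in members:
        size = len(m.encode("utf-8"))
        if current and used + size > limit:
            groups.append(current)
            current, used = [], 0
        current.append(m)
        used += size
    if current:
        groups.append(current)
    return groups


if __name__ == "__main__":
    print(check_group_name("Terminations"))
    print(check_group_name("Sales Team/Acme", org_units=["Sales"]))
    # constructed member list large enough to exceed 15KB
    names = [f"CN=User{i:05d}/OU=Sales/O=Acme" for i in range(600)]
    print(member_names_size(names), [len(g) for g in split_members(names)])
```

The organizational-unit check matters for access control as well as for tidiness: a group name that coincides with an OU name is ambiguous wherever both can appear in an ACL or server access field.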


Modifying groups with the Domino Administrator or Web
Administrator
Use the Domino Administrator or the Web Administrator to modify
groups.
Adding members to a group with the Domino Administrator or Web
Administrator
1. Make sure that you have Editor access or Author access with Create
Documents role and GroupModifier privilege in the Domino
Directory.
2. From the Domino Administrator or Web Administrator, click the
People & Groups tab.
3. From the Domino Administrator, from the Servers pane, choose the
server to work from. Omit this step if you are using the Web
Administrator.
4. Select Domino Directories, and then select Groups.
5. Select the group to which you are adding members, and click Edit
Group.
6. Do one of these:
• From the Domino Administrator, click Members and then select users, servers, or groups to add.
• From the Web Administrator, select the users, servers, or groups to add.
7. Click Add, and then click OK.
8. Click Save and Close.
Deleting members from a group with the Domino Administrator or
Web Administrator
1. Make sure that you have Editor access or Author access with
GroupModifier privilege in the Domino Directory.
2. From the Domino Administrator or Web Administrator, click the
People & Groups tab.
3. From the Domino Administrator, from the Servers pane, choose the
server to work from. Omit this step if you are working with the Web
Administrator.
4. Select Domino Directories, and then select Groups.
5. Select the group from which you are deleting one or more members,
and click Edit Group.
6. Do one of these:
• From the Domino Administrator, click Members and then select users, servers, or groups to delete.
• From the Web Administrator, select the users, servers, or groups to delete.
7. Click Remove and click OK.
Note From the Domino Administrator, to remove all members from
the group, do not select any members; just click Remove All, and
then click OK.
8. Click Save and Close.
Creating a Terminations group with the Domino Administrator or
Web Administrator
You may want to create a group for employees who no longer have
access to specific servers in your organization. When you are deleting a
person from the Domino Directory, you can then add that person’s name
to a Terminations group that is assigned a group type of Deny List Only.
This is particularly useful for preventing terminated employees from
accessing servers.
1. Create a group named Terminations and assign it a group type of
Deny List Only. For more information on creating groups, see
Creating a group with the Domino Administrator or Creating a
group with the Web Administrator.
Note Groups of the type “Deny List Only” do not have to be named
Terminations; assign any name that you choose. We only suggest the
name “Terminations” for clarity.
2. From the Domino Administrator or Web Administrator, follow
instructions for deleting a user name, but on the Delete Person dialog
box, locate the “Add deleted user to Deny Access Group” field and
then click Groups.
For more information on deleting a user name, see the chapter
“Setting Up and Managing Notes Users.”
3. Continue the delete process as usual, and then click OK.
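As an added example (not IBM’s code), the following Python shows how a Deny List only group such as Terminations takes effect against a server’s access fields, and why the nesting limits from “Creating and modifying groups” matter: membership is resolved through at most six levels of nested groups (five for mail routing), and this example treats anything nested deeper as unresolved, so a user who is denied only through a deeply nested group is not caught. The sample directory, its names, and the representation of the Server document as a dictionary with access and not_access lists are constructed for the example; the rule that a name in the Not access field is denied even when it also appears in the Access server field follows Domino server access behaviour.

```python
MAX_NESTING_MAIL = 5    # mail routing resolves up to five levels of nested groups
MAX_NESTING_OTHER = 6   # ACLs and server access resolve up to six levels

# Constructed sample Domino Directory: group name -> (group type, member names).
DIRECTORY = {
    "Terminations": ("Deny List only", ["CN=Dan Former/O=Acme"]),
    "Contractors": ("Multi-purpose", ["CN=Eve Temp/O=Acme", "ContractorsNY"]),
    "ContractorsNY": ("Multi-purpose", ["CN=Frank Temp/O=Acme"]),
}


def expand_group(directory, group, max_nesting):
    """Return the user and server names reachable from group.

    Nested groups are followed up to max_nesting levels below the top group;
    anything deeper is ignored, which is what makes deep nesting risky for a
    deny list. Cycles are cut off.
    """
    found = set()

    def walk(name, level, seen):
        _group_type, members = directory.get(name, (None, []))
        for member in members:
            if member in directory:
                if level + 1 <= max_nesting and member not in seen:
                    walk(member, level + 1, seen | {member})
            else:
                found.add(member)

    walk(group, 0, frozenset({group}))
    return found


def in_entry(directory, entry, user, max_nesting=MAX_NESTING_OTHER):
    """True if user is the entry itself or a resolved member of the group entry."""
    if entry == user:
        return True
    return entry in directory and user in expand_group(directory, entry, max_nesting)


def server_access(directory, server_doc, user):
    """Evaluate the Server Access section of a Server document.

    server_doc is a constructed dict with 'access' (Access server) and
    'not_access' (Not access server) lists. Not access wins; an empty
    Access server list means every authenticated user may access.
    """
    if any(in_entry(directory, e, user) for e in server_doc.get("not_access", [])):
        return "denied"
    allowed = server_doc.get("access", [])
    if not allowed or any(in_entry(directory, e, user) for e in allowed):
        return "allowed"
    return "denied"


def nested_chain(levels, leaf="CN=Deep User/O=Acme"):
    """Constructed directory: group L0 contains L1, ..., L{levels-1} contains leaf."""
    chain = {f"L{i}": ("Deny List only", [f"L{i + 1}"]) for i in range(levels - 1)}
    chain[f"L{levels - 1}"] = ("Deny List only", [leaf])
    return chain


if __name__ == "__main__":
    server = {"not_access": ["Terminations"]}
    for user in ("CN=Dan Former/O=Acme", "CN=Alice Example/O=Acme"):
        print(user, server_access(DIRECTORY, server, user))
    # a terminated user denied only through eight levels of nesting is missed
    print(server_access(nested_chain(8), {"not_access": ["L0"]}, "CN=Deep User/O=Acme"))
```

The practical consequence is to keep the Terminations group flat: list the terminated user’s name in it directly rather than relying on a nested group, and verify the result with Groups - Find Group(s) after the Domino Directory has replicated.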
Managing groups
To manage groups, you can do the following tasks:
• Assign a policy to a group
• Edit a group
• Deleting a group with the Domino Administrator or the Web Administrator
• Finding a group member
• Finding a group name in the domain with the Domino Administrator or Web Administrator
• Use the Manage Groups tool to add and remove group members
While managing groups, you may also need to recertify a certifier ID. To
do so, see Recertifying a certifier ID or a user ID.
Assigning a policy to a group
To apply policy settings to an entire group, you can assign a policy to the
group. Assign an Explicit policy or assign both an Explicit policy and an
Organizational policy. An Explicit policy combined with an
Organizational policy creates an effective policy for the group. You can
use the Policy Synopsis tool to view how an effective policy affects the
members of a group.
Prior to assigning policies to groups, familiarize yourself with all aspects
of policies and how they are applied.
For more information on policies, see the topic “Policies.”
For more information on applying policy settings, see the topic “Planning
and assigning policies.”
For more information on policies and policy settings, see the chapter
“Using Policies.”
To assign a policy to a group
1. From the Domino Administrator, click the People & Groups tab.
2. Choose Groups and select the group to which you are assigning a
policy.
3. Choose Tools - Groups - Assign Policy.
4. Complete these fields:

Field Action
Selected: Non-modifiable field. Displays the name of the selected directory and the server on which the directory resides.
For: Non-modifiable field. Displays the number of groups you have selected. This field is blank prior to finalizing the assignment of a policy.
Users with an existing policy: Non-modifiable field. Displays the number of users in the selected groups who already have policies applied to them. Prior to finalizing the assignment of the policy, this field displays “Unknown.” After the policy is applied, this field displays a value.
Policy: Choose an explicit policy from the list. If this field displays “None Available,” you have not created any explicit policies that can be applied to a group.
Allow replacement of policies: Click this check box to allow policies that have already been applied to users in the selected groups to be replaced by the policy you are now assigning.
View Policy Synopsis: Click this check box only if you are also assigning an organizational policy to the selected groups. A policy synopsis is composed of an explicit policy and an organizational policy. The synopsis shows the net effect of the two policies. When you click this check box, the Choose Organizational Policy dialog box opens. Choose the Organizational policy that applies and click OK. The Policy Synopsis document appears.
Perform updates in background: Click this check box to update the group settings in the background according to what is specified in the policies. Performing all updates in the background allows you to continue using the Domino Administrator client while updates are being performed. Updates are done directly to the Domino Directory without using the Administration Process.

5. Click OK.
Editing a group
Use this procedure to edit any of the group attributes that are listed on
the Group document in the Domino Directory. You can modify the group
name, group type, description, group membership, group owner,
administrator, and specify whether foreign directory synchronization is
allowed. Foreign directory synchronization allows synchronization
between a post office directory, such as the cc:Mail post office directory
or a Microsoft Exchange Address Book, and the Domino Directory.
With group renaming, there isn’t any tolerance for simultaneous
occurrences of the new and old names while the name change makes its
way across databases in the domain. For example, if a group name
changes in the Domino Directory before it has a chance to change in a
database ACL, the old group name in the database ACL is invalid. (This
limitation doesn’t occur with user and server renaming.) As a
workaround, you can initiate the group rename action during non-peak
work hours — for example, during the weekend — or you can
immediately process the requests, rather than waiting for the changes to
occur according to Administration Process schedules.
To edit a group
1. To edit a group, you must have:
• Editor with Create documents access, or the UserModifier role to the Domino Directory
• At least Author with Create documents access to the Certification Log
2. From the Domino Administrator, click the People & Groups tab.
3. Select Domino Directories, and then select Groups.
4. Select the group that you want to edit, and click Edit Group.
5. Make changes to any of the following fields on the Basics tab:

Field Action
Group name: Enter a name for the group, using any of these characters: A - Z, 0 - 9, & - . _ ’ (ampersand, dash, period, space, underscore, and apostrophe) for the name. A group name can be a maximum of 62 characters in length. For easier administration, use a name without spaces. Do not use a name that is in use as the name of an organizational unit in the hierarchical name scheme.
Note Do not create group names containing a / (slash). Using the / in group names causes confusion with hierarchical naming.
Group type: Select one of these:
• Multi-purpose — Use for a group that has multiple purposes — for example, mail, ACLs, and so on. This is the default.
• Access Control List only — Use for server and database access authentication only.
• Mail only — Use for mailing list groups.
• Servers Only — Use in Connection documents and in the Domino Administration client’s domain bookmarks for grouping.
• Deny List only — Use to control access to servers. Typically used to prevent terminated employees from accessing servers, but can be used to prevent any user from accessing particular servers. The Administration Process cannot delete any member of the group.
Category: (Optional) Select a category to which you are adding the group and click OK. The Category field can be used to categorize your groups in any manner that you want. If the category that you want to use is not listed in the dialog box, add the category name in the New Keyword field and click OK.
Description: Enter a description of the group.
Mail Domain: Enter the name of the mail domain for the group. This is especially useful for enterprises that have more than one mail domain.
Internet Address: Enter the Internet address that applies to the group.
Members: Add or remove group members. Type a member name in the field or double-click this field to open the Select Names dialog box, and then do any of the following:
• Open another address book by selecting
• Find names that begin with a specified string if you are unsure of the spelling or the complete name
• Add a person or group to the group by selecting the person or group and clicking Add
• Remove a group member by selecting the member in the right pane and clicking Remove
• Remove all members of a group by clicking Remove All
• Add a member to a group by clicking New, typing the member name, and clicking OK
• View detailed information by selecting a person or group and clicking Details
• Copy an entry from the open address book to the Local address book by selecting the name and clicking the Address Book icon
• Open another Group document by selecting the group name and clicking Open
Owners: Add an owner name or modify the list of group owners.
Administrators: Add an administrator name or modify the list of group administrators.
Foreign directory synchronization allowed: Choose one:
• Yes — To allow synchronization between a post office directory, such as the cc:Mail post office directory or a Microsoft Exchange Address Book, and the Domino Directory
• No — To prevent synchronization between a post office directory, such as the cc:Mail post office directory or a Microsoft Exchange Address Book, and the Domino Directory
Last modified: Non-modifiable field. Provides the hierarchical name of the last administrator that made changes to the Group document.

(Optional) To sort the list of group members before saving the Group
document, click Sort Member List.
8. Click Save and Close.
To immediately change the name of a group throughout the domain
1. To process the “Rename Group in Address Book” request
immediately, choose the group rename action from the
administration server for the Domino Directory and then enter this
server command:
tell adminp process new
2. To immediately process the “Rename in Person Documents” request,
from the administration server for the Domino Directory, enter the
command:
tell adminp process daily
3. Replicate the modified Domino Directory and Administration
Requests database from the administration server for the Domino
Directory to all other servers in the domain.
4. To force processing of the “Rename Group in Access Control List”
and “Rename Group in Reader/Author fields” requests on each
server, on each server in the domain, enter the command:
tell adminp process all
For more information on server commands, see the appendix “Server
Commands.”
Deleting a group with the Domino Administrator or the Web
Administrator
Follow these steps to use the Administration Process to delete a group
from the Domino Directory and from database ACLs and Extended ACLs.
If the server is running Windows NT or Active Directory and contains a
group account for this group, you can delete that group account, too.
For more information about synchronizing Domino and Windows NT or
Domino and Active Directory, see the chapter “Using Domino with
Windows Synchronization Tools.”
To delete a group with the Domino Administrator
1. To delete a group, you must have at least Author with delete
documents access and the GroupModifier role, or Editor access to the
Domino Directory.
2. From the Domino Administrator, click the People & Groups tab.
3. Select the name of the group you are deleting.
4. Click Delete Group and click Yes to continue.
5. If the server is running Windows NT or Active Directory, Domino
prompts you to delete the corresponding group account from the
Windows domain. Click Yes to delete the group account.
6. Select one of the following:
• Yes - to immediately delete all references to the group in this replica of the Domino Directory.
• No - to post a “Delete in Address Book” request in the Administration Requests database and have the Administration Process delete references to the group in the Domino Directory, and database ACLs and Extended ACLs.
• Cancel - to cancel the request entirely.
7. Click OK.
Tip You can also delete a group from the Tools panel using Groups -
Delete.
To delete a group with the Web Administrator
1. To delete a group, you must have at least Author with delete
documents access and the GroupModifier role, or Editor access to the
Domino Directory.
2. From the Web Administrator, click the People & Groups tab.
3. Select the name of the group you are deleting.
4. Click Tools - Groups - Delete.
5. Choose any of these options on the Delete Groups dialog box.

Field Action
Delete group from this Directory immediately: Click this check box to immediately delete all references to this group in this replica of the Domino Directory. If you do not choose this option, a “Delete in Address Book” request is posted in the Administration Requests database and the Administration Process deletes references to the group in the Domino Directory, database ACLs, and Extended ACLs.
Delete the group’s Windows domain account: Click this check box to delete the group’s corresponding Windows domain account if one exists.

6. Click OK.
7. Click Close.
Finding a group name in the domain with the Domino Administrator
or Web Administrator
Use this procedure to locate every occurrence of one or more specific
group names within a domain. This is especially useful when moving
groups to other servers or domains or when verifying that you have
completely deleted a group name from your domain.
To find a group name with the Domino Administrator
1. From the Domino Administrator, click the People & Groups tab.
2. Select one or more group name(s) that you want to locate in the
domain.
3. From the Tools pane, click Groups - Find Group(s).
4. Click Yes to initiate the Administration Request to locate all the
occurrences of the selected group(s) in the enterprise.
To find a group name with the Web Administrator
1. From the Web Administrator, click the People & Groups tab.
2. From the Tools pane, click Groups - Find Group(s).
3. Enter a group name in the Find Groups dialog box and click Send.
4. (Optional)Continue adding group names that you want to search for.
5. Click Done.
To view the log of locations
To view the log of locations where the group name(s) are located:
1. From the Domino Administrator, click Server - Analyses -
Administration Requests (6).
2. Select the view All Requests by Action and access the “Find Name in
Domain” request.
3. Double-click the request to access the Administration Process - Log
document. Locate the “Links to items found within Domino
Directory documents:” field. This field contains the links to the
Group documents located using the Find Groups action.
Using the Manage Groups tool to manage groups
The Manage Groups option on the tools pane provides a quick and easy
method for managing existing Domino groups. You can open any
Domino Directory to which you have access, and you can then add or
remove people and groups from groups as necessary. You can also view
details on groups.
To use the Manage Groups tool
1. From the Domino Administrator, click the People & Groups tab.
2. From the tools pane, click Groups - Manage.
3. Complete these fields as necessary:

Field: People and Groups Look In
Enter: The directory that you want to open. A list of all users and groups in the directory is displayed.

Field: Group Hierarchies Look in
Enter: The directory containing the group you are managing.

Field: Show me
Enter: Choose one:
• All group hierarchies - To display all of the group hierarchies in the selected directory.
• Only member hierarchies - To display all of the groups in which the selected user is a member.

Field: List alphabetically
Enter: Lists alphabetically all people and groups in the selected directory.

Field: List by organization
Enter: Lists by organization all people and groups in the selected directory.

Field: Show group type
Enter: Choose one:
• Multi-purpose - Use for a group that has multiple purposes, for example, mail, ACLs, and so on. This is the default.
• Access Control List only - Use for server and database access authentication only.
• Mail only - Use for mailing list groups.
• Servers only - Use in Connection documents and in the Domino Administration client’s domain bookmarks for grouping.
• Deny List only - Use to control access to servers. Typically used to prevent terminated employees from accessing servers, but can be used to prevent any user from accessing particular servers. The Administration Process cannot delete any member of the group.

4. Do any of the following:
• To add a member to a group, select the group in the Group hierarchies pane, then select the user or group from the People & Groups list, and click Add.
• To remove a member from a group, select the member from the Group hierarchies pane, and click Remove. To remove all members from a group, click the Member field, do not select any members, click Remove All, and then click OK.
• To view a group document, select the group from the Group hierarchies pane and click Details.
5. When you finish managing groups, click Done.
Finding a group member
You can quickly locate a group member by completing the following
procedure.
1. From the Domino Administrator, click the People & Groups tab, and
then click Groups.
2. On the Action bar, click Find Group Member.
Note You may have to scroll to the right to reveal the button.
3. Enter the common name (for example, Jane Doe) and click OK. If the
group member is found, a check mark appears next to the group or
groups in which the member name is located.
Tip You can also find a group member from the Domino Directory, Groups view.
Chapter 7
Creating Replicas and Scheduling Replication
This chapter explains how to set up replicas and schedule replication.
Replicas
To make a database available to users in different locations, on different
networks, or in different time zones, you create replicas. All replicas share
a replica ID which is assigned when the database is first created. The file
names of two replicas can be different, and each replica can contain
different documents or have a different database design; however, if their
replica IDs are identical, replication can occur between them.
As users add, edit, and delete documents in different replicas of a
database, the content in the replicas is no longer identical. To ensure that
the content in all replicas remains synchronized, you use Connection
documents to schedule replication between the servers that store the
replicas. Then multiple sites, teams, and users can make changes to a
database and share those changes with everyone else who has access to
that database. In addition, using replicas and scheduling replication
reduces network traffic. Users never need to connect to a single central
server that stores the only replica of a particular database. Instead, they
can access a replica of that database on one or more local servers.
These distributed replicas can also be Web sites that are hosted on
different Lotus Domino 6 servers. Then users aren’t dependent on one
server when they attempt to access critical applications over the Internet.
If one server is unavailable, users can access another replica of the
database on another server. You can also use replicas to help manage
ongoing Web site design. On one server, you can set up a Web staging
area where you design and test new pages. When the design changes are
tested and ready to be released, you can replicate this server with the
server storing the replica of the Web site that is available to users. By
using replicas and replication this way, you prevent Web users from
seeing your “work-in-progress.”
A replica of a database isn’t the same as a copy of a database that you
make by choosing File - Database - Copy. Although a copy of a database
may look the same as the original database, a copy doesn’t share a replica
ID with the original database and so it can’t replicate with it.
Deciding when to create a replica
Plan your replica strategy carefully, and create replicas on servers only
when necessary. The more replicas, the greater the demand on server
and network resources and the greater the need for additional
maintenance. To prevent unnecessary proliferation of replicas, assign
Create Replica server access to only a few administrators. Then tell users
and application developers to send their requests for new replicas to
these administrators.
Create a replica of a database to:
• Improve performance of a heavily used database.
• Distribute network traffic.
• Keep a database that you’re redesigning separate from a production version of the database.
• Keep a database available even if one server goes down.
• Make a database available to users in remote locations.
• Provide a replica containing only a subset of information that is relevant to a particular workgroup.
• Set up Domino system administration — for example, you must create replicas of the Domino Directory, the Administration Requests database, and other critical system databases.
• Place a replica of a master template on each server that stores a database that inherits from the master template.
• Create a backup database from which you can restore information if data becomes corrupted; since corrupted data often replicates, use this only as a secondary backup method.
Keep in mind that two replicas will contain slightly different content
between replications. If users need access to the most up-to-date
information in a database, you can create replicas on clustered servers
and then set up replication in clusters. In a cluster, all replicas are always
identical because each change immediately replicates to other servers in
the cluster.
For more information on setting up individual databases for replication,
see the topic “Creating replicas using the Administration Process” in this
chapter.
How server-to-server replication works
For server-to-server replication, the Replicator on one server calls
another Domino server at scheduled times. By default, the Replicator is
loaded at server startup.
To schedule replication between servers, the servers must be able to
connect to each other in order to update replicas. You may need to create
Connection documents to enable server connections, depending on your
server topology. As users add, edit, and delete documents in a database,
the replicas contain slightly different information until the next time the
servers replicate. Because replication transfers only changes to a
database, the network traffic, server time, and connection costs are kept
to a minimum.
During scheduled replication, by default, the initiating server first pulls
changes from the destination server and then pushes changes to the
destination server. As an alternative, you can schedule replication so that
the initiating server and destination server each pull changes or so that
the initiating server pulls changes only or pushes changes only.
You can also use the server commands Pull, Push, and Replicate to
initiate replication between servers.
For more information on server connections and Connection documents,
see the chapter “Setting up Server-to-Server Connections.”
Replication, step-by-step
To fully understand replication, you need to be familiar with the information in the topics “Guidelines for setting server access to databases” and “Setting up a database ACL for server-to-server replication” in this chapter. You also need to familiarize yourself with the information on replication in the appendix “Server Commands.”
1. Replication is initiated by a server or a workstation in one of the following ways:
• Replication schedule settings in a Connection document take effect.
• A replication command to replicate immediately is issued at the server console. The server console commands include replicate, pull, push, and load replica.
• Settings in a Program document. The Program document starts a new task on the server rather than sending work to an existing task.
• A replication command to replicate immediately is issued by an end-user working in the Notes client user interface. This is done from a workstation only, not from a server.
• Scheduled replication from a Notes client. This is done from a workstation only.
The servers authenticate each other by finding a certificate in common and testing to be sure that certificates are authentic.
For more information on server console replication commands, see the
appendix “Server Commands.”
For more information on the Program document, see the appendix
“Server Tasks.”
2. The Replicator constructs a list of local files to replicate and asks the
remote server to find those that have a match with the list of local
files.
Note If the server initiating the replication cannot connect to the
remote server, or if it cannot search the remote server (Server B),
replication fails.
3. When the Replicator finds a match, it looks at the replication history
to find the last time the replicas replicated. The Replicator uses the
history in the local database which is the destination database when
“pulling” and is the source database when “pushing.” Typically
there are two such entries, one for each direction (push/pull).
• If there is no entry in the replication history, if access rights have changed, or if the selective replication settings have changed, the Replicator has to search all documents in the source database, not just those that have changed since the last replication.
4. The Replicator searches the source replica for changes that have
occurred since the last replication.
• The Replicator constructs a list of documents in the source database that have changed since the last successful replication. (For a pull, the source is the database on the remote server; for a push, the source is the database on the local server.) The list is restricted by the Selective Replication Settings. The time that the search begins is recorded in the replication history so that succeeding replications do not process changes that have been replicated.
• If the data in the source database has not changed since the last successful replication to the destination database, no replications take place and the replication history is not updated.
5. Replication between the source database and the destination database occurs. Replication history is updated for replication from the source database to the destination database. If access is sufficient, replication history for both the source and destination databases is updated.
• If replication is not successful, the replication history is not updated and the next replication will search the same databases again.
Guidelines for setting server access to databases
For replication to occur properly, you must assign servers the
appropriate access in the database ACL. Follow these guidelines when
you set server access to databases.
Assign an access level that is at least as high as the highest user
access level
For example, design changes made to the replica on Server A replicate to
Server B only if the replica on Server B gives Server A at least Designer
access.
Include servers in read access lists for database design elements
If a database design element has a read access list associated with it that
allows access only to certain users with Reader access, include the names
of replicating servers in the read access list in addition to the server
names with Reader access in the database ACL. For example, if a replica
on Server A includes a form access list that limits who can read
documents created with the form, include Server B in the read access list
and give Server B at least Reader access in the ACL to allow Server B to
pull new documents and changes to documents created with the form.
Assign appropriate access to intermediate servers
If replication occurs through an intermediate server, the intermediate
server acts first as a destination server, then as a source server and must
have the access level necessary to pass along the changes. For example, if
you want ACL changes on Server A’s replica to replicate to Server C by
way of Server B, Server B’s replica must give Manager access to Server A,
and Server C’s replica must give Manager access to Server B.
Assign Reader access for one-way replication
Give a server Reader access to a replica when you want to allow the
server to receive information from the replica but not to send changes
back. For example, to allow Server B to receive changes from a replica on
Server A but not to send changes to Server A, give Server B Reader
access to the replica on Server A.
Assign Editor access to allow author changes to replicate
If a replica includes an Authors field that allows authors to modify their
own documents, a server must have at least Editor access, not Author
access, to replicate these modifications. For example, changes made to
Server A’s replica by someone with Author access only replicate to
Server B if Server B’s replica gives Server A at least Editor access.
Setting up a database ACL for server-to-server replication
You add the names of servers to a database ACL in the same way that
you add the names of people. The access level given to a server in an
ACL determines what, if any, changes that server can replicate to the
replica.
For more information on setting up a database ACL, see the chapter
“Controlling User Access to Domino Databases.”
Default server groups in an ACL
By default, every database ACL includes the server groups
LocalDomainServers and OtherDomainServers.
LocalDomainServers
This group represents servers that are in the same Domino domain as the
server that stores the replica. Typically you assign this group a higher
access level in the database ACL than the OtherDomainServers group.
OtherDomainServers
This group represents servers that are not included in the Domino
domain of the server that stores the replica. Typically you assign this
group a lower access level in the database ACL than
LocalDomainServers. For example, assigning this group Reader access in
the ACL ensures that the local Domino domain retains control over the
database.
Note Do not add the names of servers from outside companies to
LocalDomainServers or to OtherDomainServers. Both these groups are
included in all databases by default and may have a high access level in
some cases. Instead, create a group specifically for the external servers
with which your company communicates; for example, create a group
called “External Servers.” Then add this group to database ACLs as
needed.
For more information on setting up groups, see the chapter “Setting Up
and Managing Groups.”
Access level privileges
For each access level, you can select or deselect these privileges:
• Create documents
• Delete documents
• Create personal agents
• Create personal folders/views
• Create shared folders/views
• Create LotusScript/Java agents
• Read public documents
• Write public documents
In general, for servers, enable all the privileges that the selected access
level allows. This ensures that the server has access that is as high as
users might have and can replicate all user changes. However, to prevent
certain changes from replicating without deselecting privileges for each
user, you can deselect a particular privilege for a server entry in the ACL.
For example, to prevent all document deletions made in a database on a
particular server from replicating, deselect “Delete documents” in the
ACL entry for the server. Then when users who have “Delete
documents” access in the ACL delete documents, the deletions don’t
replicate.
For more information on setting up database ACLs, see the chapter
“Controlling User Access to Domino Databases.”
Server access levels
This table describes access levels in terms of server access, from the highest access to the lowest.

Access level: Manager
Allows a server to push these changes: ACL settings, database encryption settings, replication settings, and all elements allowed by lower access levels.
Assign to: Servers you want to use as a source for ACL changes. For tight database security, give this access to as few servers as possible. In a hub-and-spoke server configuration, you typically give the hub server Manager access.

Access level: Designer
Allows a server to push these changes: Design elements and all elements allowed by lower access levels.
Assign to: Servers you want to use as the source for design changes. Use Manager access instead if you want one server to control ACL and design changes.

Access level: Editor
Allows a server to push these changes: All new documents and all changes to documents.
Assign to: Servers that users use only to add and modify documents. In a hub-and-spoke configuration, you typically give the spoke servers Editor access.

Access level: Author
Allows a server to push these changes: New documents.
Assign to: No servers. You don’t typically use this access for servers.

Access level: Reader
Allows a server to push these changes: No changes; the server can only pull changes.
Assign to: Servers that should never make changes. Servers in the OtherDomainServers group are often given Reader access.

Access level: Depositor
Allows a server to push these changes: New documents. Also prevents the server from pulling changes.
Assign to: No servers. You don’t typically use this access for servers.

Access level: No Access
Allows a server to push these changes: No changes. Also prevents the server from pulling changes.
Assign to: Servers to which you want to deny access. Servers in the OtherDomainServers group are sometimes given No Access.

Note A database that doesn’t replicate should have at least one server in
its ACL to serve as the administration server for the database. This
allows the Administration Process on a server to update names in the
ACL when names in the organization change.
For more information on administration servers, see the chapter “Setting
Up the Administration Process.”
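The following Python script, added here as an example and not taken from the manual, encodes the server access levels table above and checks which kinds of changes can travel along a replication path such as Server A to Server C by way of Server B. Server names and ACL entries in it are constructed sample data, and treating deletions as requiring Editor or higher plus the “Delete documents” privilege is an assumption.

```python
"""Check what can replicate along a path of Domino servers.

Added example, not IBM's code. It encodes the "Server access levels" table
from this chapter: which kinds of changes a server can push into a replica
at each ACL access level, and whether deselecting the "Delete documents"
privilege for a server entry blocks deletions. Server names and ACLs below
are constructed sample data.
"""
from dataclasses import dataclass

# Kinds of changes named in the table, lowest privilege first.
NEW_DOCS = "new documents"
DOC_CHANGES = "changes to documents"
DELETIONS = "document deletions"
DESIGN = "design elements"
ACL_SETTINGS = "ACL settings"
ENCRYPTION = "database encryption settings"
REPL_SETTINGS = "replication settings"

# What a server may push at each access level; each level includes the
# changes allowed by the lower levels. Deletions are modelled as needing
# Editor or higher plus the "Delete documents" privilege (assumption).
PUSH_ALLOWED = {
    "No Access": frozenset(),
    "Depositor": frozenset({NEW_DOCS}),
    "Reader": frozenset(),
    "Author": frozenset({NEW_DOCS}),
    "Editor": frozenset({NEW_DOCS, DOC_CHANGES, DELETIONS}),
    "Designer": frozenset({NEW_DOCS, DOC_CHANGES, DELETIONS, DESIGN}),
    "Manager": frozenset({NEW_DOCS, DOC_CHANGES, DELETIONS, DESIGN,
                          ACL_SETTINGS, ENCRYPTION, REPL_SETTINGS}),
}
# At these levels the table says the server is also prevented from pulling.
CANNOT_PULL = frozenset({"No Access", "Depositor"})


@dataclass(frozen=True)
class AclEntry:
    """One server entry in a replica's ACL."""
    level: str
    delete_documents: bool = True   # the "Delete documents" privilege


def pushable(entry: AclEntry) -> frozenset:
    """Changes a server holding `entry` in a replica's ACL may push into it."""
    allowed = set(PUSH_ALLOWED[entry.level])
    if not entry.delete_documents:
        allowed.discard(DELETIONS)
    return frozenset(allowed)


def first_blocking_hop(change: str, path: list, acls: dict):
    """Walk a replication path such as ["A", "B", "C"].

    acls[dest][source] is the entry the replica on `dest` gives to `source`.
    An intermediate server is first a destination and then a source, so it
    needs the level for `change` on its own replica and on the next one.
    Returns the (source, dest) pair that drops the change, or None if the
    change reaches the end of the path.
    """
    for src, dst in zip(path, path[1:]):
        entry = acls.get(dst, {}).get(src, AclEntry("No Access"))
        if change not in pushable(entry):
            return (src, dst)
    return None


def can_pull(puller: str, source: str, acls: dict) -> bool:
    """True if `puller` may pull changes from the replica on `source`."""
    entry = acls.get(source, {}).get(puller, AclEntry("No Access"))
    return entry.level not in CANNOT_PULL


if __name__ == "__main__":
    # Hub-and-spoke sample: the hub gets Manager on the spokes, the spokes
    # get Editor on the hub, and Spoke2's ACL blocks deletions from the hub.
    sample_acls = {
        "Hub": {"Spoke1": AclEntry("Editor"), "Spoke2": AclEntry("Editor")},
        "Spoke1": {"Hub": AclEntry("Manager")},
        "Spoke2": {"Hub": AclEntry("Manager", delete_documents=False)},
    }
    for change in (DOC_CHANGES, DESIGN, ACL_SETTINGS, DELETIONS):
        hop = first_blocking_hop(change, ["Spoke1", "Hub", "Spoke2"], sample_acls)
        status = "reaches Spoke2" if hop is None else "blocked at " + str(hop)
        print(f"{change:30} -> {status}")
```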
Creating replicas using the Administration Process
Through the Domino Administrator you can use the Administration
Process to initiate the creation of one or more replicas. You can create
replicas on servers in the same domain or in another domain. You should
make sure that Connection documents are in place to schedule
replication between the source and destination servers, unless the servers
are members of the same cluster, in which case this is not strictly
necessary.
For more information on the administration requests that are processed while creating a replica, see the appendix “Administration Process Requests.”
1. If you are creating a replica on a destination server in another domain, make sure that:
• There is an outbound Cross Domain Configuration document in the Administration Requests database (ADMIN4.NSF) on the source server that allows the Administration Process to export Create Replica requests to the destination server.
• There is an inbound Cross Domain Configuration document in the Administration Requests database on the destination server that allows the Administration Process to import Create Replica requests from the source server’s domain.
• Connection documents enabled for mail are in place that allow the source server to send mail to at least one server in the destination server’s domain.
• You’ve set up cross-certification if servers in the two domains do not share a common certifier.
2. Make sure that you:
• Have Create Database access in the Server document of the destination server(s).
• Have at least Reader access in the ACL of the databases on the source server.
3. Make sure that the source server:
• Is running the Administration Process.
• Has Create Replica access in the Server document of the destination server(s).
Note Do not use the wild card character (*) in the “Create Replica” field of the destination server’s Server document because this character causes the request to fail.
4. Make sure each destination server:
• Is running the Administration Process.
• Has at least Reader access in the ACL of the source replica.
5. From the Domino Administrator, select the source server in the
server pane on the left. To expand the server pane, click the servers
icon in the server pane.
6. Click the Files tab.
7. In the files window, select one or more databases for which you want
to create replicas.
8. From the Tools pane, choose Database - Create Replica. Or, drag the
selected database(s) to the Create Replica tool.
9. (Optional) If the current domain includes a cluster, click “Show only
cluster members” to display only destination servers that are
members of the cluster.
10. Select one or more destination servers. To select a server if it doesn’t
appear in the list, select Other, specify the hierarchical server name,
then click OK.
11. (Optional) Select a destination server, click “File Names” to choose a
custom file path on the destination server for any database you’re
replicating, and then click OK. You can repeat this procedure for
each destination server. If you don’t choose this option, the database
is stored on the destination server in the same location as on the
source server.
To put the replica in a directory below the data directory, type the
directory name, backslash, and then the file name — for example,
JOBS\POSTINGS. If the specified directory does not exist, Domino
creates it for you.
12. Click OK. A dialog box shows the number of databases processed
and indicates if any errors occurred.
Creating replicas by dragging databases to a destination server
You can drag and drop databases to a destination server icon to create
replicas on that server. When you use this method, store all replicas in
one, preexisting directory on the destination server. This method uses the
Administration Process to automate creation of the replica.
1. From the Domino Administrator, click the Files tab.
2. Select one or more databases you want to replicate in the files pane.
3. Drag the selected databases to a destination server in the server pane
on the left.
4. In the dialog box that appears, select “Create replica,” select a
directory on the destination server in which to store the replica(s),
then click OK.
Table of replication settings
By default, two replicas exchange all edits, additions, and deletions if the
servers the replicas are on have the necessary access. However, you can
customize replication. For example, to save disk space, you can prevent
the transfer of documents that are not pertinent to your site.
You can specify replication settings on a new replica as you create it or
on an existing replica. You can specify some replication settings for
multiple replicas at once from a central source replica. You must have
Manager access to a replica to set replication settings for it.
Caution Replication settings are not intended to be used as a security
measure.
This table summarizes the available replication settings.

Setting: Remove documents not modified in the last x days
Controls: When Domino purges document deletion stubs and, optionally, unmodified documents.
Panel option: Space Savers

Setting: Only replicate incoming documents saved or modified after: date
Controls: The cutoff date, so that a replica only receives documents created or modified since the date. Also controls which documents are scanned during the first replication after clearing the replication history.
Panel option: Other

Setting: Receive summary and 40KB of rich text only
Controls: The size of documents that a replica receives.
Panel option: Space Savers

Setting: Replicate a subset of documents
Controls: Which documents a replica receives.
Panel option: Space Savers, Advanced

Setting: Replicate
Controls: Which non-document elements this replica receives.
Panel option: Advanced

Setting: Do not send deletions made in this replica to other replicas
Controls: Whether a replica can send document deletions to other replicas.
Panel option: Send

Setting: Do not send changes in database title & catalog info to other replicas
Controls: Whether a replica can send changes to the database title and Database Catalog categories to other replicas.
Panel option: Send

Setting: Do not send changes in local security property to other replicas
Controls: Whether a replica can send changes to the Encryption database property (in the Basics tab of the Database Properties box) to other replicas.
Panel option: Send

Setting: Temporarily disable replication
Controls: Whether a replica can replicate.
Panel option: Other

Setting: Scheduled replication priority
Controls: The replication priority of a database used in Connection documents for scheduling replication.
Panel option: Other

Setting: CD-ROM publishing date
Controls: The publishing date for a database on a CD-ROM.
Panel option: Other

You can manage these settings for multiple replicas from a central source
replica.
For more information, see the topic “Specifying replication settings for multiple replicas from one source replica” in this chapter.
Limiting the contents of a replica
Use the following replication settings to limit the size of a replica or to
display a subset of information relevant to a particular group of users.
Remove documents not modified in the last x days
The number of days specified here, known as the purge interval, controls
when Domino purges deletion stubs from a database. Deletion stubs are
markers that remain from deleted documents so that Domino knows to
delete documents in other replicas of the database. Because deletion
stubs take up disk space, Domino regularly removes deletion stubs that
are at least as old as the value specified. It checks for deletion stubs that
require removal at 1/3 of the purge interval. For example, assuming the
default value, 90 days, when a user opens a database, Domino checks if it
has been at least 30 days since it removed deletion stubs, and if so it
removes any deletion stubs that are at least 90 days old. The Updall task,
which runs by default at 2:00 AM, also removes deletion stubs.
You can shorten the purge interval, if you want, but be sure to replicate
more frequently than the purge interval; otherwise, deleted documents
can be replicated back to the replica.
Optionally, you can select the check box to remove documents in the
replica that haven’t changed within the purge interval. If you select the
check box, when Domino removes deletion stubs it also removes
documents that haven’t changed within the specified number of days.
These documents are purged, meaning no deletion stubs remain for the
documents, so the documents aren’t deleted in other replicas. The “Only
Replicate Incoming Documents Saved or Modified After: date” setting
prevents the purged documents from reappearing through replication. If
the other replicas have this check box selected, similar document purging
occurs in them.
Caution If you select the check box on a non-replicated database,
documents are lost and you can only recover them from a system
backup.
Note Domino regularly removes deletion stubs according to the purge
interval even if you don’t select the check box.
Only Replicate Incoming Documents Saved or Modified After: date
A replica can only receive documents created or modified since the date
specified. If you clear the database replication history, during the next
replication, Domino scans only documents created or modified since the
date specified here. If you clear the date before clearing the replication
history, Domino scans all documents in the database.
Use this option in conjunction with clearing the replication history to
solve replication problems. If you clear or change this date, when
Domino next purges deletion stubs, it resets the date to correspond to the
number of days specified in “Remove documents not modified in the last
x days” setting. For example, if Domino purges deletion stubs on 1/1/99
and the “Remove documents not modified in the last x days” setting is
90, on 1/1/99 Domino resets the date to 10/1/98. If the check box is
selected in the “Remove documents not modified in the last x days”
setting — meaning documents that meet the purge interval criteria are
purged as well as deletion stubs — this automatic date reset insures that
the purged documents aren’t replicated back into the replica.
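The following Python model, added here as an example and not taken from the manual, simulates the purge interval, the check every 1/3 of the interval, and the cutoff date reset described above, and shows why replicating less often than the purge interval lets a deleted document reappear. Day numbers stand in for dates, and the handling of a cutoff date that is left blank is an assumption of the model.

```python
"""Simulate the Domino purge interval and its effect on replication.

Added example, not IBM's code. Two replicas of one database are modelled
with day numbers instead of dates. A document deleted on replica A leaves
a deletion stub; Domino checks for stub removal every 1/3 of the purge
interval and removes stubs at least purge_interval days old. The script
shows that if B replicates with A less often than the purge interval, the
stub is gone and the deleted document comes back. Leaving the cutoff date
("Only replicate incoming documents saved or modified after") blank until
an administrator sets it is an assumption of this model.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Replica:
    name: str
    purge_interval: int = 90                            # default purge interval, days
    docs: Dict[str, int] = field(default_factory=dict)    # doc id -> day last modified
    stubs: Dict[str, int] = field(default_factory=dict)   # doc id -> day deleted
    last_purge: Optional[int] = None                    # day stub removal last ran
    cutoff: Optional[int] = None                        # cutoff day; None means blank


def delete_document(r: Replica, doc_id: str, day: int) -> None:
    """Deleting a document leaves a deletion stub marking when it was deleted."""
    if doc_id in r.docs:
        del r.docs[doc_id]
        r.stubs[doc_id] = day


def open_database(r: Replica, day: int) -> int:
    """Run the check Domino performs when the database is opened.

    Stub removal runs only if at least purge_interval / 3 days have passed
    since it last ran. It removes stubs at least purge_interval days old and,
    when a cutoff date is set, resets it to the purge day minus the interval.
    Returns the number of stubs removed.
    """
    if r.last_purge is not None and day - r.last_purge < r.purge_interval // 3:
        return 0
    r.last_purge = day
    expired = [d for d, deleted_on in r.stubs.items()
               if day - deleted_on >= r.purge_interval]
    for d in expired:
        del r.stubs[d]
    if r.cutoff is not None:
        r.cutoff = day - r.purge_interval
    return len(expired)


def pull(dest: Replica, source: Replica) -> List[str]:
    """Pull changes from source into dest.

    A stub in the source deletes the matching document in dest unless dest
    modified it after the deletion. A document unknown to dest is received
    only if it is newer than dest's cutoff date (when one is set).
    Returns the ids of documents dest received.
    """
    for doc_id, deleted_on in source.stubs.items():
        if doc_id in dest.docs and dest.docs[doc_id] <= deleted_on:
            del dest.docs[doc_id]
            dest.stubs[doc_id] = deleted_on
    received = []
    for doc_id, modified in source.docs.items():
        if doc_id in dest.docs or doc_id in dest.stubs:
            continue
        if dest.cutoff is not None and modified <= dest.cutoff:
            continue
        dest.docs[doc_id] = modified
        received.append(doc_id)
    return received


def replicate(initiator: Replica, other: Replica) -> List[str]:
    """Default scheduled replication: the initiator pulls first, then pushes."""
    return pull(initiator, other) + pull(other, initiator)


def deleted_document_returns(days_until_replication: int,
                             cutoff_set: bool = False) -> bool:
    """Delete "memo" on A on day 0, open A daily, then replicate with B.

    Returns True if the deleted document is back in A after replication.
    """
    a = Replica("A", docs={"memo": -10})   # constructed sample document
    b = Replica("B", docs={"memo": -10})
    if cutoff_set:
        a.cutoff = -30     # any set value; each purge run resets it
    delete_document(a, "memo", 0)
    for day in range(0, days_until_replication):
        open_database(a, day)
    replicate(a, b)
    return "memo" in a.docs


if __name__ == "__main__":
    print("replicate after 60 days, deleted doc returns:", deleted_document_returns(60))
    print("replicate after 120 days, deleted doc returns:", deleted_document_returns(120))
    print("120 days with cutoff date set, returns:", deleted_document_returns(120, True))
```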
Receive summary and 40KB of rich text only
If you select this setting, Domino prevents large attachments from
replicating and shortens the documents that this replica receives. The
shortened documents contain only a document summary that includes
basic information, such as the author and subject, and the first 40K of
rich text.
When users open a shortened document, they see “(TRUNCATED)” in
the document title. To view the entire document, users open it and
choose Actions - Retrieve Entire Document.
Keep the following points in mind when using this setting:
• Users can’t categorize or edit shortened documents.
• Agents don’t work on shortened documents.
• Shortened documents do not replicate unless the destination replica also has this option selected.
Replicate a subset of documents
Use this setting to specify that a replica receives only the documents in a
specific directory or view or only documents that meet selection criteria
specified in a formula. Replication formulas are similar to view selection
formulas.
Keep in mind the following points when you use replication formulas:
• You cannot use @DbLookup, @UserName, @Environment, or @Now in a replication formula.
• Using @IsResponseDoc in a replication formula causes all response documents in a database to replicate, not just those that meet the selection criteria. To avoid this, use @AllChildren or @AllDescendants instead. If you use @AllChildren or @AllDescendants, make sure the database performance property “Don’t support specialized response hierarchy” is not selected.
Replicate
Use this setting to control which non-document elements a replica
receives. The options, with their defaults, are:
Forms, views, and so on (Default: Selected)
If selected, allows a replica to receive design changes, such as changes to forms, views, and folders from a source replica. If deselected, prevents a replica from receiving design changes. Alternatively, you can assign source servers Editor access or lower in the ACL; however, doing so prevents agents from replicating. Don’t select this option when you first create the replica because the new replica won’t contain any design elements for displaying information.
Agents (Default: Selected)
If selected, allows a replica to receive agents. If deselected, prevents the replica from receiving agents, although the replica still receives changes made by the agents.
Replication formula (Default: Not selected)
If selected, ensures that replication settings specified for multiple destination replicas from one source replica can replicate. This option is required if you’re using a central source replica to manage replication settings for multiple replicas.
Access control list (Default: Selected)
If selected, allows the replica to receive ACL changes from any server that has Manager access in the replica’s ACL.
Deletions (Default: Selected)
If selected, allows the replica to receive document deletions. If deselected, the replica won’t receive deletions through replication, but users assigned “Delete documents” access in the replica ACL can still delete documents from the replica.
Note If “Do not send deletions made in this replica to other replicas” (on the Send panel of the Replication Settings dialog box) is selected for the source replica, this replica won’t receive deletions from the source replica, regardless of this setting.
Fields (Default: Not selected)
If deselected, the replica receives all fields in each document received. If selected, you select a subset of fields to receive, but you should only do this if you have a thorough knowledge of application design.
Limiting what a replica sends
Use these settings to limit what one replica sends to other replicas.
Do not send deletions made in this replica to other replicas
This setting prevents deletions made in this replica from replicating. As
an alternative, you can deselect the ACL option “Delete documents” for
the server storing this replica.
Do not send changes in database title & catalog info to other
replicas
This setting prevents changes made to this replica’s database title or
Database Catalog categories from replicating.
Do not send changes in local security property to other replicas
This setting prevents changes to the database Encryption property (set by
choosing Encryption on the Basics tab of the Database Properties box).
Use this primarily to prevent changes made to this property on a local
replica from replicating to a server. For example, if this setting is selected
and you disable the Encryption property on a local replica, the property
remains selected on a server replica.
Assigning miscellaneous replication settings
The Other panel of the Replication Settings dialog box includes these
miscellaneous settings.
Temporarily disable replication
Select this to temporarily suspend replication while you troubleshoot a
problem. You can select this for one database, or if you use the Domino
Administrator, you can disable replication of multiple databases. If a
database is on a cluster server, disabling replication suspends both
cluster replication and scheduled replication.
For more information on clusters, see the book Administering Domino
Clusters.
Scheduled replication priority
You can assign a priority of High, Medium, or Low to a database. Then
in a Connection document, you can schedule replication so that
databases of a particular priority replicate at specific times. For example,
you can schedule low-priority databases to replicate less frequently and
schedule high-priority databases to replicate more frequently. If you
assign a different priority to two replicas, the priority of the replica on
the server that initiates the scheduled replication takes precedence.
Replication priority doesn’t apply to replicas on a cluster of servers.
Cluster replication occurs whenever a change occurs, not according to
schedules in Connection documents.
CD-ROM publishing date
Some organizations — for example, publishing companies — distribute
databases on CD-ROM rather than replicate them. To receive updates,
users replicate with a replica on the organization’s server. The users
specify the date the information was published on the CD-ROM so that
the first replication with the organization’s replica scans only documents
created or modified since the publishing date. If users do not specify the
date, the initial replication unnecessarily scans the entire database, which
can be a slow process, especially if it occurs over a dial-up connection.
Specifying replication settings for one replica
1. Make sure you understand replication settings.
2. Do one of the following:
• To specify replication settings for a replica as you create it, click Replication Settings in the New Replica dialog box.
• To modify replication settings on an existing replica, open the replica and choose File - Replication - Settings. This requires Manager access.
3. Click the Space Savers panel and then select/deselect options.
4. Click the Send panel and then select/deselect options to limit what
the replica can send to other replicas.
5. Click the Other panel and then select/deselect options.
6. Click the Advanced panel and then select/deselect any of the options
under “Replicate.” Ignore the options above “Replicate.” These are
used for managing replication settings for multiple replicas of a
database from one central source replica.
7. Click OK.
Specifying replication settings for multiple replicas from one source
replica
You can customize replication settings for multiple replicas of a database
from one central source replica and then replicate these custom settings
to the appropriate replicas. This approach to customizing replication
allows you to centralize replication management and requires that you
know the replication requirements for each replica.
The only replication settings you can specify using centralized
management are “Replicate a subset of documents,” to control which
documents a replica receives, and “Replicate,” to control which
non-document elements a replica receives.
Note that changing centrally-administered replication settings requires
two replications for the changes to take effect: the first replication to
replicate the new settings from the source server to the destination
servers and a second replication to replicate based on the new settings.
The second replication doesn’t occur until the source database is updated
in some other way; to force the new settings to take effect if the source
database isn’t updated, clear the replication history.
1. Make sure you understand replication settings.
2. Make sure you have Manager access in the ACL of the central source
replica. Make sure that the central source replica has Manager access
in the ACL of all destination replicas.
3. Do one of the following:
• Click Replication Settings in the New Replica dialog box to specify replication settings for a new replica.
• Open the central source replica, and then choose File - Replication - Settings to modify existing replication settings.
4. Click the Advanced panel.
5. To specify a destination server, click the computer icon next to
“When computer,” specify the name of the destination server, select
Add Server, then click OK. Or accept the default entry. To specify a
Notes client as a destination server, enter the Notes user’s
hierarchical name.
6. To specify a source server, click the computer icon next to “Receives
from,” specify the name of a source server, select Add Server, then
click OK. Or accept the default entry. To specify the name of a Notes
client as a source server, enter the Notes user’s hierarchical name.
7. To delete a server, click either computer icon, select a server, select
Delete Server, then click OK.
8. To have the specified destination replica receive a subset of
documents, click “Replicate a subset of documents” and then specify
the views/folders to replicate or specify a replication formula.
9. To specify which non-document elements the replica should receive,
select appropriate options under “Replicate.” You must select
“Replication formula.”
10. Repeat Steps 5 through 9 for each additional destination/source
server combination.
11. Click OK.
Examples of specifying replication settings for multiple replicas
Using the same replication settings for all destination servers
The Acme Corporation has a database called Technical Support on the
server Support-E/East/Acme, which it uses to post information about
customer problems and problem resolutions. The database displays
customer suggestions made during the support calls in a view called
Customer Suggestions. Acme has three servers at satellite sales offices:
Sales-Bos-E/East/Acme, Sales-Phil-E/East/Acme, and
Sales-Hart-E/East/Acme. The satellite sales offices are only interested in
customer suggestions and not in other details of technical support calls.
Therefore, Acme replicates only the contents of the Customer
Suggestions view to these servers. To accomplish this, it completes the
replication settings dialog box on the Technical Support database on
Support-E/East/Acme as follows. Note that although the “When
computer” box shows only Sales-Bos-E/East/Acme, there are similar
settings for Sales-Phil-E/East/Acme and Sales-Hart-E/East/Acme.
Using separate replication settings for each destination server
The Acme Corporation has a database called Sales Leads on the server
Sales-E/East/Acme. Acme has three servers at satellite sales offices:
Sales-Bos-E/East/Acme, Sales-Phil-E/East/Acme, and
Sales-Hart-E/East/Acme. Each satellite sales office is only interested in
leads pertaining to its area. Each document in the Sales Leads database
includes the field “Office” with one of these keywords selected: Boston,
Philadelphia, Hartford. To replicate only sales leads pertaining to Boston
to Sales-Bos-E/East/Acme, Acme completes the replication settings
dialog box on the Sales Leads database on Sales-E/East/Acme.
Acme sets up replication from Sales-E/East/Acme to
Sales-Phil-E/East/Acme and to Sales-Hart-E/East/Acme in a similar
fashion.
Although these examples describe server-to-server replication, you could
use similar settings to configure replication between a central source
replica and replicas on Notes clients. For example, salespeople could
replicate directly with the source replica and receive only leads pertinent
to their areas. To accomplish this, specify Notes users’ hierarchical names
as destination servers.
Scheduling server-to-server replication
For replication to occur between two servers, you create a Connection
document that specifies how and when the information exchange occurs.
Connection documents are stored in the Domino Directory. Use only one
Connection document at a time to handle all replication between each
pair of servers. Creating unnecessary Connection documents increases
network traffic and congestion.
Both mail routing and replication are enabled by default, but you can
change this setting and use separate Connection documents to schedule
each task. This way, you can control the specific time(s), time range(s), or
the repeat interval for replication and mail routing separately, and
increase or decrease these settings, as needed.
How you connect servers for replication depends on the location of the
servers. You can connect servers for replication over a Local Area
Network (LAN) or over an intermittently connected serial line, such as a
dial-up modem or Remote access service connection. In addition, you can
use passthru servers for replication.
Replicating over the Internet works the same way as replicating over a
LAN using TCP/IP. The Domino server must be in the same Notes domain as
the Domino server with which you want it to replicate. If it’s not, your
server needs a certificate in common with the other server.
To set up Connection documents for replication
Schedule only one server to connect at a time.
1. Make sure that:
• Each pair of servers can connect to each other.
• The Domino Directory is replicating properly.
2. From the Domino Administrator, click the Configuration tab.
3. Select the connecting server’s Domino Directory in the “Use
Directory on” field.
4. Click Server, and then click Connections.
5. Click the connection you want to work with, and then click Edit
Connection.
6. On the Basics tab, complete these fields:
Usage priority: Choose “Normal” to force the server to use the network information in the current Connection document to make the connection.
Source server: The name of the calling server.
Source domain: The name of the calling server’s domain.
Use the Port(s): The name of the network port (or protocol) that the calling server uses. If you don’t want to specify the actual port for making a local area network connection, but would prefer to have Domino determine the port used, don’t list any ports in the Use the Port(s) field in the LAN Connection document. Domino uses all the information it has, including all enabled LAN ports and all enabled or disabled Connection documents, to determine the best path to use to connect with the other server.
Destination server: The name of the answering server. You can also specify a Group name that contains server names so that the Source server replicates with each server listed in the group you specify. To do this, you create a group that contains servers only, and specify “Servers only” as the group type. The group cannot contain the names of other groups of servers.
Destination domain: The name of the answering server’s domain.
7. Click the Replication/Routing tab, and then complete these fields:
Replication task: Choose Enabled.
Replicate databases of (priority): Choose one: • High • Medium & High • Low & Medium & High (default)
Replication type: Choose one: • Pull-Pull • Pull-Push (default) • Pull Only • Push Only
Files/Directories to Replicate: The names of specific databases or directories of databases that you want to replicate. Separate entries with semicolons (;) and specify the names as they exist on the calling server. If the database is in a subdirectory of the data directory, include the path relative to the data directory — for example, EAST\SALES.NSF. To specify all files within a directory and any of its subdirectories, enter the directory name relative to the data directory with the directory slash, for example EAST\. You can’t use wild cards (*).
Replication Time Limit: The amount of time, in minutes, that replication has to complete.
8. Click the Schedule tab, and then complete these fields:
Schedule: Choose Enabled.
Call at times: The times between which you want replication to occur each day; the default is 8 AM - 10 PM.
Repeat interval of: The number of minutes between replication attempts; the default is 360 minutes.
Days of week: The days of the week to use this replication schedule; the default is Sun, Mon, Tue, Wed, Thu, Fri, Sat.
9. Click Save and Close.
Customizing server-to-server replication
To customize replication, you can:
• Specify replication direction
• Schedule times for replication
• Replicate only specific databases
• Replicate databases by priority
• Limit replication time
• Use multiple replicators
• Refuse replication requests
• Force immediate replication
Specifying replication direction
When you choose replication direction, you identify which server(s) send
and receive changes. The direction you choose does not affect or restrict
the functionality of the replication process itself.
By default, Domino uses Pull-Push as the replication direction. However,
you can specify a different replication direction.
• Pull-Push, the default replication direction, is a two-way process in which the calling server pulls updates from the answering server and then pushes its own updates to the answering server. Using Pull-Push, the replicator task on the calling server performs all the work.
• Pull-Pull is a two-way process in which two servers exchange updates. Using Pull-Pull, two replicators — one on the calling server and one on the answering server — share the work of replication.
• Push-only is a one-way process in which the calling server pushes updates to the answering server. One-way replication always takes less time than two-way replication.
• Pull-only is a one-way process in which the calling server pulls updates from the answering server. One-way replication always takes less time than two-way replication.
To change the replication direction:
1. From the Domino Administrator, click the Configuration tab.
2. Select the connecting server’s Domino Directory in the “Use
Directory on” field.
3. Click Server, and then click Connections.
4. Click the connection you want to work with, and then click Edit
Connection.
5. Click the Replication/Routing tab.
6. Select the new replication direction from the Replication Type menu.
You can also specify replication direction when you force replication. For
example, you could use the Push-only or Pull-only method from the
server console when there is an update in a Domino Directory on one
server and you want to manually propagate that change to the other
servers.
For information on forcing immediate replication, see the topic “Forcing
immediate replication” later in this chapter.
Scheduling times for replication
Whenever possible, schedule replication for times when there is less
activity on the network — before or after work or at lunch time.
You can schedule server-to-server replication to happen at specific times,
or you can specify a time range with a repeat interval. By scheduling
replication for a time range, you ensure that the servers exchange
information several times a day. After the server makes a successful
connection, it waits the amount of time specified in the “Repeat interval
of” field on the Connection document before calling the other server again.
For example, suppose a Connection document schedules
Hub-E/East/Acme to call HR-E/East/Acme from 8 AM until 5 PM with
a repeat interval of 120 minutes. If Hub-E/East/Acme calls and
replicates successfully with HR-E/East/Acme at 8:30 AM,
Hub-E/East/Acme does not place the next call until 10:30 AM.
Be sure to consider time zones when you schedule replication between
servers in different countries. You want to replicate the documents created
during each time zone’s peak business hours and schedule replication for
an off-peak time. For example, to schedule replication between a server in
New York and a server in Germany, schedule replication between 3 AM
and 1 PM Eastern Standard Time (EST) to correspond to Germany’s
business hours, which are six hours later than EST.
The default replication time setting is 8 AM to 10 PM, with a repeat
interval of 360 minutes.
Scheduling replication for one specific time
Use a specific time when you schedule replication of low priority
databases, when daily updates of databases are sufficient, or when
you’re certain that attempts by the server to connect are successful after
just a few retries — for example, on different networks at the same site.
You might want to replicate low-priority databases at night when the
rates are less expensive or there is less load on the system.
1. From the Domino Administrator, click the Configuration tab.
2. Select the connecting server’s Domino Directory in the “Use
Directory on” field.
3. Click Server, and then click Connections.
4. Click the connection you want to work with, and then click Edit
Connection.
5. Click the Schedule tab.
6. In the “Connect at times” field, enter a specific time — for example,
8 AM.
7. In the “Repeat interval of” field, enter 0.
8. Click Save and Close.
The server calls and attempts to connect at the exact time you specified. If
unsuccessful, the server tries to connect for an hour. Whether or not the
connection succeeds, the next call does not occur until 8 AM the next
morning.
Scheduling replication for a list of times
Use a list of times to schedule replication for medium and low priority
databases and for when a few daily updates of databases are sufficient or
when you’re certain that connection attempts will be successful after just
a few retries — for example, for a connection on different networks at the
same site.
1. From the Domino Administrator, click the Configuration tab.
2. Select the connecting server’s Domino Directory in the “Use
Directory on” field.
3. Click Server, and then click Connections.
4. Click the connection you want to work with, and then click Edit
Connection.
5. Click the Schedule tab.
6. In the “Connect at times” field, enter a list of specific times — for
example, 8 AM, 1 PM, 4 PM.
7. In the “Repeat interval of” field, enter 0.
8. Click Save and Close.
The server calls at the first time specified, 8 AM. If unsuccessful, the
server retries for up to an hour, until 9 AM. Whether or not the call
succeeds, the next call occurs at the next scheduled time, 1 PM. If
unsuccessful, the server retries for up to an hour, until 2 PM. This process
continues for each specific time you specify.
Scheduling replication for a time range with a repeat interval
Specify a time range when you schedule replication for high priority
databases.
1. From the Domino Administrator, click the Configuration tab.
2. Select the connecting server’s Domino Directory in the “Use
Directory on” field.
3. Click Server, and then click Connections.
4. Click the connection you want to work with, and then click Edit
Connection.
5. Click the Schedule tab.
6. In the “Connect at times” field, enter a time range — for example,
8 AM - 5 PM.
7. In the “Repeat interval of” field, enter how frequently replication
should take place — for example, 120 minutes.
8. Click Save and Close.
If the first call is unsuccessful, the server retries periodically until it
successfully establishes a connection and replicates. If the server cannot
connect, it keeps trying until the end of the time range. If the server
successfully replicates, it calls again at the specified repeat interval after
the previous call ended.
Scheduling replication for a time range without a repeat interval
Use a time range without a repeat interval for medium and low-priority
databases. Also use a time range without a repeat interval when daily
updates of a database are sufficient or when you know that a long retry
period is necessary — for example, if you have busy phone lines and you
know it will take several attempts to make the connection.
1. From the Domino Administrator, click the Configuration tab.
2. Select the connecting server’s Domino Directory in the “Use
Directory on” field.
3. Click Server, and then click Connections.
4. Click the connection you want to work with, and then click Edit
Connection.
5. Click the Schedule tab.
6. In the “Connect at times” field, enter a time range — for example,
8 AM - 5 PM.
7. In the “Repeat interval of” field, enter 0.
8. Click Save and Close.
The server attempts the first call at the start of the time range. If
unsuccessful, the server tries again and again. The time between call
attempts increases with each unsuccessful attempt. The server retries the
call for the entire range or until a connection is made. After a failed call,
the server retries periodically for the entire call range. However, it does
not call again after a successful exchange of information.
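As an added example that is not part of this manual, the following Python model applies the scheduling rules above to the values typed in the “Connect at times” and “Repeat interval of” fields: it reports how long a server keeps retrying after a call that does not connect, and when the next scheduled call is placed. The field values, server names and dates it uses are constructed, and the helper names (parse_connect_at, ConnectionSchedule, at) belong to this example, not to Domino.

```python
"""Added example: a model of how a Domino Connection document schedule behaves,
following the rules described in this chapter.  This is not Domino code; the
sample dates and field values are constructed."""
from dataclasses import dataclass
from datetime import datetime, time, timedelta
from typing import List, Tuple, Union

ONE_HOUR = timedelta(hours=1)
ConnectAt = Union[List[time], Tuple[time, time]]


def parse_clock(text: str) -> time:
    """Parse a time as typed in the Connection document, e.g. '8 AM' or '8:30 PM'."""
    text = text.strip().upper()
    fmt = "%I:%M %p" if ":" in text else "%I %p"
    return datetime.strptime(text, fmt).time()


def at(day: str, clock: str) -> datetime:
    """Build a datetime from an ISO date ('2003-03-03') and a clock ('8:30 AM')."""
    return datetime.combine(datetime.strptime(day, "%Y-%m-%d").date(), parse_clock(clock))


def parse_connect_at(field: str) -> ConnectAt:
    """'8 AM - 5 PM' gives a (start, end) range; '8 AM, 1 PM, 4 PM' gives a list of times."""
    if "-" in field:
        start, end = (parse_clock(part) for part in field.split("-", 1))
        if end <= start:
            raise ValueError("the end of the time range must be after its start")
        return (start, end)
    return sorted(parse_clock(part) for part in field.split(","))


@dataclass
class ConnectionSchedule:
    connect_at: ConnectAt
    repeat_interval: int = 0  # minutes; 0 means no repeat interval

    @classmethod
    def from_fields(cls, connect_at: str, repeat_interval: int = 0) -> "ConnectionSchedule":
        return cls(parse_connect_at(connect_at), repeat_interval)

    @property
    def is_range(self) -> bool:
        return isinstance(self.connect_at, tuple)

    def retry_deadline(self, call_start: datetime) -> datetime:
        """How long the server keeps retrying after a call that did not connect:
        until the end of the range for a time range, for an hour for specific times."""
        if self.is_range:
            return datetime.combine(call_start.date(), self.connect_at[1])
        return call_start + ONE_HOUR

    def next_scheduled_call(self, call_start: datetime, call_end: datetime,
                            succeeded: bool) -> datetime:
        """When the next scheduled call is placed, once any retries are over."""
        today = call_start.date()
        tomorrow = today + timedelta(days=1)
        if not self.is_range:
            # Specific times: the next listed time, whether or not this call succeeded.
            later = [t for t in self.connect_at if t > call_start.time()]
            if later:
                return datetime.combine(today, later[0])
            return datetime.combine(tomorrow, self.connect_at[0])
        start, end = self.connect_at
        if succeeded and self.repeat_interval > 0:
            # Range with a repeat interval: call again that many minutes after this call ended.
            candidate = call_end + timedelta(minutes=self.repeat_interval)
            if candidate <= datetime.combine(today, end):
                return candidate
        # Range without an interval, a successful call too late for another repeat,
        # or a failed call whose retries ran out: the start of the range tomorrow.
        return datetime.combine(tomorrow, start)


if __name__ == "__main__":
    # The chapter's own example: Hub-E/East/Acme calls HR-E/East/Acme 8 AM to 5 PM,
    # repeat interval 120 minutes, and replicates successfully at 8:30 AM.
    hub_to_hr = ConnectionSchedule.from_fields("8 AM - 5 PM", 120)
    first_call = at("2003-03-03", "8 AM")
    print("retries until:", hub_to_hr.retry_deadline(first_call))
    print("next call:", hub_to_hr.next_scheduled_call(first_call, at("2003-03-03", "8:30 AM"), True))
```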
Scheduling replication for different days of the week
You can create a different replication schedule for different days of the
week.
1. From the Domino Administrator, click the Configuration tab.
2. Select the connecting server’s Domino Directory in the “Use
Directory on” field.
3. Click Server, and then click Connections.
4. Click the connection you want to work with, and then click Edit
Connection.
5. Click the Schedule tab.
6. In the “Days of week” field, enter the days on which you want
replication to occur.
7. Click Save and Close.
For example, you could create two Connection documents — one that
schedules replication for Monday to Friday, and another that schedules
replication for Saturday and Sunday.
Staggering schedules
You can use staggered schedules on hub-and-spoke topology. For
example, you could schedule the first server to replicate from 8 AM to 10
AM, the second server from 8:05 AM to 10:05 AM, and so on. You can
create a simple round-robin schedule for a hub server and its spokes,
repeating as often as is practical. This process spreads all data within a
hub’s sphere of influence quickly.
Replicating only specific databases
By default, Domino replicates all databases that two servers have in
common. To replicate only specific databases:
1. From the Domino Administrator, click the Configuration tab.
2. Select the connecting server’s Domino Directory in the “Use
Directory on” field.
3. Click Server, and then click Connections.
4. Click the connection you want to work with, and then click Edit
Connection.
5. Click the Replication/Routing tab.
6. In the “File/Directories to Replicate” field, enter the database names
or directory names of specific databases you want to replicate.
Separate entries with semicolons (;).
7. Click Save and Close.
To specify an individual database, enter the file name of the database,
including the NSF extension. If the database is in a subdirectory of the
data directory, include the path relative to the data directory — for
example, EAST\SALES.NSF.
To specify all files within a directory and any of its subdirectories, enter
the directory name relative to the data directory with the directory slash,
for example EAST\. You can’t use wild cards (*).
If the replication type is Pull-Pull, only the connecting server receives the
specified databases during replication. The other server still receives all
databases in common with the calling server.
Replicating databases by priority
Database managers assign a replication priority to databases so that
Domino administrators can schedule replication for databases based on
priority. For example, you can schedule high-priority databases that are
critical to business operations — for example, the Domino Directory — to
replicate frequently. You can schedule low-priority databases to replicate
during off-hours.
To replicate databases by priority:
1. From the Domino Administrator, click the Configuration tab.
2. Select the connecting server’s Domino Directory in the “Use
Directory on” field.
3. Click Server, and then click Connections.
4. Click the connection you want to work with, and then click Edit
Connection.
5. Click the Replication/Routing tab.
6. In the “Replicate databases of” field, select the priority of databases
to replicate.
7. Click Save and Close.
The default setting is Low & Medium & High. Domino automatically
replicates all databases that two servers have in common.
If two replicas are assigned different priorities, Domino uses the priority
assigned to the replica on the server that initiates the replication. If you
schedule databases to replicate by priority and a particular database isn’t
replicating often enough, ask the database manager to increase the
priority level of that database.
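The following Python example, added here and not Domino code, combines the rules for the “Files/Directories to Replicate” field (semicolon-separated entries, paths relative to the data directory, a trailing directory slash for a whole directory tree, no wild cards) with the “Replicate databases of” priority setting to list which replicas on the calling server a Connection document selects. The database paths and priorities are constructed, and comparing paths case-insensitively is an assumption of the example.

```python
"""Added example: which databases a Connection document selects for replication,
combining the “Files/Directories to Replicate” and “Replicate databases of”
fields as described in this chapter.  Not Domino code; the database paths and
priorities are constructed."""
from dataclasses import dataclass
from typing import List

PRIORITY_RANK = {"Low": 0, "Medium": 1, "High": 2}

# Value of the “Replicate databases of” field -> lowest priority that replicates
REPLICATE_DATABASES_OF = {
    "High": "High",
    "Medium & High": "Medium",
    "Low & Medium & High": "Low",
}


@dataclass
class Replica:
    path: str      # file name relative to the data directory, e.g. EAST\SALES.NSF
    priority: str  # replication priority set on the calling server's replica


@dataclass
class ConnectionDocument:
    files_to_replicate: str = ""  # blank: all databases the two servers have in common
    replicate_databases_of: str = "Low & Medium & High"  # the default


def parse_files_field(text: str) -> List[str]:
    """Split the semicolon-separated field; wild cards (*) are not allowed."""
    entries = [e.strip() for e in text.split(";") if e.strip()]
    for entry in entries:
        if "*" in entry:
            raise ValueError(f"wild cards are not allowed in this field: {entry}")
    return entries


def field_is_valid(text: str) -> bool:
    try:
        parse_files_field(text)
        return True
    except ValueError:
        return False


def _normalize(path: str) -> str:
    # Assumption of this example: compare case-insensitively and treat / like \.
    return path.strip().replace("/", "\\").upper()


def entry_matches(entry: str, db_path: str) -> bool:
    """An entry ending in the directory slash (EAST\\) matches every file below that
    directory, including subdirectories; any other entry must match the file name exactly."""
    entry, db_path = _normalize(entry), _normalize(db_path)
    if entry.endswith("\\"):
        return db_path.startswith(entry)
    return db_path == entry


def priority_allows(conn: ConnectionDocument, replica: Replica) -> bool:
    """The priority that counts is the one on the initiating (calling) server's replica."""
    lowest = REPLICATE_DATABASES_OF[conn.replicate_databases_of]
    return PRIORITY_RANK[replica.priority] >= PRIORITY_RANK[lowest]


def selected_databases(conn: ConnectionDocument, replicas: List[Replica]) -> List[Replica]:
    """Replicas on the calling server that this Connection document will replicate."""
    entries = parse_files_field(conn.files_to_replicate)
    chosen = []
    for replica in replicas:
        in_scope = not entries or any(entry_matches(e, replica.path) for e in entries)
        if in_scope and priority_allows(conn, replica):
            chosen.append(replica)
    return chosen


if __name__ == "__main__":
    # Constructed replicas on the calling server and a Connection document that
    # replicates one named database plus the whole WEST directory, medium priority and up.
    calling_server = [
        Replica("EAST\\SALES.NSF", "Low"),
        Replica("EAST\\LEADS.NSF", "High"),
        Replica("WEST\\BOSTON\\LEADS.NSF", "Medium"),
        Replica("NAMES.NSF", "High"),
    ]
    doc = ConnectionDocument("EAST\\SALES.NSF; WEST\\", "Medium & High")
    for r in selected_databases(doc, calling_server):
        print("replicates:", r.path, r.priority)
```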
Limiting replication time
Limiting the time a server has to replicate with another server prevents
extensive replication sessions and allows you to control the cost of
replication with servers in remote sites. For example, if replication
depends on a long-distance phone call and the database takes time to
replicate, you can limit how long the replication period lasts.
To limit the time a server has to replicate:
1. From the Domino Administrator, click the Configuration tab.
2. Select the connecting server’s Domino Directory in the “Use
Directory on” field.
3. Click Server, and then click Connections.
4. Click the connection you want to work with, and then click Edit
Connection.
5. Click the Replication/Routing tab.
6. In the “Replication Time Limit” field, enter the maximum connection
time in minutes.
7. Click Save and Close.
If the “Replication Time Limit” field has a value in it and the replication
isn’t complete at the end of the specified time or if the server crashes,
then replication will begin where it left off once it restarts. When the field
is blank, Domino uses as much time as it needs to complete the
replication session.
Caution If you specify an inappropriately low value and the databases
do not have time to replicate completely, replication terminates upon
reaching the time limit, regardless of how little progress, if any, occurred.
The log file (LOG.NSF) records a message indicating that termination has
occurred but that the replication was successful. The replication history
isn’t updated so that the next replication takes place after the last
complete replication event.
To limit replication time for all servers, edit the NOTES.INI file to
include the ReplicationTimeLimit setting.
Using multiple replicators
If you create Connection documents that schedule a server for multiple
simultaneous or overlapping replications with different destination
servers, set up multiple replicators to handle the replication sessions
simultaneously. Multiple replicators efficiently use server resources,
shorten replication cycles (especially in hub servers), and save replication
time.
When you use multiple replicators, each replicator handles only one
replication session at a time. For example, if Hub-E/East/Acme is
scheduled to replicate with HR-E/East/Acme and with
Hub-W/West/Acme simultaneously, one replicator handles replication
between Hub-E/East/Acme and HR-E/East/Acme, while a second
replicator handles replication between Hub-E/East/Acme and
Hub-W/West/Acme.
Multiple replicators handle multiple replications between one source
server and multiple destination servers simultaneously. Multiple
replicators do not handle replications of multiple individual databases on
a source server with a single destination server. For example, if both
Database 1 and Database 2 on Hub-E/East/Acme need to replicate with
Hub-W/West/Acme, only one replicator handles each replication
session, one at a time.
Examine the Connection documents that schedule replication on each
server. By adjusting the schedules and enabling multiple replicators, you
can shorten the time it takes to complete a replication cycle. With this
shortened cycle, you can schedule one or more additional cycles per day,
which means fewer database updates and speedier replications per cycle.
After you start multiple replicators, you can use the Tell command to
stop all replicators; however, you can’t use the Tell command to stop a
specific replicator.
If you do not enable multiple replicators, do not schedule a server to call
another server on different ports at the same time. For example, if you
use one replicator, do not schedule Hub-E/East/Acme to call
HR-E/East/Acme on COM1 and Hub-E/East/Acme to call
Hub-W/West/Acme on COM2 simultaneously.
To enable multiple replicators
From the NOTES.INI file: Edit the Replicators or ServerTasks setting in the NOTES.INI file.
From the console: Enter the Load Replica command at the console. Use this method if you need more replicators and you don’t want to shut down the server to change the NOTES.INI file. Each time you enter this command, the server loads another replicator.
For more information on settings in the NOTES.INI file, see the appendix “NOTES.INI File.” For more information on entering server commands, see the appendix “Server Commands.”

Refusing replication requests


To prevent a server from accepting a request for replication, edit the
NOTES.INI file to include the setting ServerNoReplRequests. If this
setting is set to 1, the called server refuses all replication requests.
You can use this feature to reduce the replication workload on a
particular server or to isolate a server for troubleshooting. Or you may
want to force the calling server to cover the time and cost of the entire
replication process.
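The two NOTES.INI settings described above (Replicators/ServerTasks for the number of replicators, and ServerNoReplRequests for refusing inbound requests) are the kind of thing an administrator wants to verify across many servers rather than by eye. The following script is an added example, not code from the IBM manual: it parses the KEY=VALUE lines of a NOTES.INI file and reports the replication posture of the server. The two sample files are constructed for this example, and the rule that combines an explicit Replicators value with the count of Replica entries in ServerTasks is this example's own assumption.

```python
"""Audit the replication settings in a Domino server's NOTES.INI file.

Added example; this is not code from the IBM manual. It parses the
KEY=VALUE lines of a NOTES.INI file, reports how many replicator tasks
the server will start (the Replicators setting or the number of Replica
entries in ServerTasks) and whether the server refuses inbound
replication requests (ServerNoReplRequests=1). The two sample files at
the bottom are constructed for this example.
"""


def parse_notes_ini(text):
    """Return the settings as a dict keyed by upper-cased name.

    Domino setting names are case-insensitive; lines without '=' are skipped.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip().upper()] = value.strip()
    return settings


def server_tasks(settings):
    """ServerTasks as a list of upper-cased task names."""
    value = settings.get("SERVERTASKS", "")
    return [t.strip().upper() for t in value.split(",") if t.strip()]


def replicator_count(settings):
    """Number of replicator tasks the server loads at startup.

    The manual says either the Replicators setting or the ServerTasks
    setting controls this; this audit reports the larger of the explicit
    Replicators value and the number of Replica entries in ServerTasks
    (that combination rule is an assumption of this example).
    """
    from_tasks = sum(1 for t in server_tasks(settings) if t == "REPLICA")
    try:
        explicit = int(settings.get("REPLICATORS", "0"))
    except ValueError:
        explicit = 0  # a non-numeric value starts no extra replicators
    return max(explicit, from_tasks)


def refuses_replication_requests(settings):
    """True when ServerNoReplRequests=1: the called server refuses all
    inbound replication requests (it can still initiate its own)."""
    return settings.get("SERVERNOREPLREQUESTS", "0") == "1"


def audit(text):
    """Summarise the replication posture of one NOTES.INI file."""
    settings = parse_notes_ini(text)
    return {
        "replicators": replicator_count(settings),
        "replica_task_loaded": "REPLICA" in server_tasks(settings),
        "refuses_repl_requests": refuses_replication_requests(settings),
    }


# Constructed samples: a hub that runs three replicators and refuses
# inbound requests, and a spoke with the default single replicator.
HUB_INI = """\
ServerTasks=Replica,Replica,Replica,Router,Update,Amgr,Adminp,Sched,Calconn
ServerNoReplRequests=1
"""

SPOKE_INI = """\
ServerTasks=Replica,Router,Update,Amgr,Sched,Calconn
"""

if __name__ == "__main__":
    for label, ini in (("hub", HUB_INI), ("spoke", SPOKE_INI)):
        print(label, audit(ini))
```

Run against the real file of each server, the report shows which servers carry the hub workload with several replicators and which ones have been isolated with ServerNoReplRequests=1, so a server that unexpectedly refuses requests (the symptom being spokes that never receive updates) is found without reading every NOTES.INI by hand.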
Forcing immediate replication
You can replicate changes to critical databases, such as the Domino
Directory, without waiting for a scheduled connection. After you create
Connection documents to schedule server-to-server replication, you can
use a server command to force immediate replication.
There are many situations when forcing replication is necessary. For
example, you may want to update a database immediately, without
waiting for scheduled replication to occur, or you might need to replicate
with a different server because the usual server is unavailable. You can
force immediate replication to trace replication and mail routing
problems or to force changes to critical system databases, such as the
Domino Directory, to spread quickly through the domain. When you
force immediate server-to-server replication, you can initiate replication
in one or in both directions.
Command    Result
Replicate  Replicates changes to databases in both directions; Domino performs
           Pull-Push replication.
Pull       Replicates changes to databases in one direction, where the initiating
           server pulls changes from the other server.
Push       Replicates changes to databases in one direction, where the initiating
           server pushes database changes to the other server.

Disabling database replication
You can disable replication of a database — for example, to stop
replication while you troubleshoot problems. Then, after you correct the
problem, enable replication again. You can disable and enable replication
of one database, or if you use the Domino Administrator, you can disable
and enable replication of multiple databases at once.
To disable replication of one database
1. Open the database and choose File - Replication - Settings.
2. Select Other.
3. Select “Temporarily disable replication” and then click OK.
To enable replication again, repeat Steps 1 and 2, and in Step 3 deselect
“Temporarily disable replication.”
To disable replication of multiple databases
1. From the Domino Administrator, select the server in the server pane
on the left that stores the databases. To expand the server pane, click
the servers icon in the server pane.
2. Click the Files tab.
3. Select the databases for which you want to disable replication.
4. From Tools, click Database - Replication. Or, drag the selected
databases to the Replication tool.
5. Select “Disable,” and then click OK.
To enable replication again, repeat Steps 1 - 4, and in Step 5 select
“Enable replication.”
Forcing a server database to replicate
Replication between database replicas on servers typically occurs
according to schedules in Connection documents. However, there are
times when you want to force replication between two replicas, rather
than wait for replication to occur on schedule. For example, you might
force replication when you want to test replication settings or
troubleshoot replication problems.
Replicating from the database
1. Open the database.
2. Choose File - Replication - Replicate.
3. Select “Replicate with options” and click OK.
4. Select the server that stores the replica with which you want to
replicate.
5. Select “Send documents to server” to send updates from the replica
you selected on your workspace to the server you selected in Step 4.
6. Select “Receive documents from server” to send updates from the
server you selected in Step 4 to the replica selected on your
workspace.
7. Click OK.
Replicating from the server console
You can use a database option with the Replicate, Pull, or Push server
commands to force replication of a specific database that two servers
have in common.
• Use the Replicate command to send changes to and receive changes from a
  specified server.
• Use the Pull command to receive changes from a specified server.
• Use the Push command to send changes to a specified server.
For example, to send changes to the database PRODUCTS.NSF from the
server Webstage-E/East/Acme to the server Web/East/Acme, enter the
following command from Webstage-E/East/Acme:
Push Web/East/Acme Products.nsf
Viewing replication schedules and topology maps
You can see a graphical representation of each server’s replication
schedule at a glance with the Domino Administrator. Each server’s
replication schedule appears separately, even if the server is a member of
a group listed in the “Destination server” field in a Connection
document.
You can also see a graphical representation of your replication topology.
Replication topology maps are most useful for quickly displaying the
replication topology and for letting you easily follow connections
between servers.
Each server, network, cluster, and cc:Mail Post Office has its own icon. A
line represents each replication connection. A replication connection
between two servers appears as a broken red line. Multiple connections
between servers appear as lines superimposed on each other.
To view replication schedules
1. From the Domino Administrator, click the Replication tab.
2. Click Replication schedule.
3. Patterns represent the replication status of each server: Schedule is
being performed; Schedule is complete; Schedule isn’t complete.
To start the topology Maps task
The Maps task enables you to view replication topology from the
Domino Administrator. You only need to run this task on one server in
your domain. The information it gathers will replicate to the other
servers, as long as it has permission to do so. This task refreshes topology
information nightly.
This task is not enabled by default. To see replication topology
information, enable the Maps task manually.
1. From the Domino Administrator, click the Servers - Status tab.
2. Click Tools - Start.
3. Select Maps Extractor from the menu and then click Start Task.
4. Click Done.
To display the replication topology map
1. From the Bookmarks pane, select the server for which you want to
create a topology map.
2. Click the Replication tab.
3. Do one of the following:
   • Click “Replication topology by connections” to view connections
     between the server you selected and all of the servers connected to it.
   • Click “Replication topology by clusters” to view all server clusters
     and their replication patterns.
4. (Optional) Double-click any server in the topology map to make that
server the center of the map.
5. (Optional) Double-click a line connecting any two servers to open the
corresponding Connection document in the Domino Directory.
To focus on a specific area of the topology map, use the plus (+) and
minus (-) keys to zoom in and out.

Chapter 8
Setting Up Calendars and Scheduling
You can set up the calendar and scheduling features to allow users to
schedule meetings and reserve resources.
Calendars and scheduling
The calendar and scheduling features allow users to check the free time of
other users, schedule meetings with them, and reserve resources, such as
conference rooms and equipment. As an administrator, you can define
holidays that are particular to your organization or country. Lotus Domino
6 includes a set of default Holiday documents, which you can modify.
Users import this information directly into their personal calendars.
The calendar and scheduling features use the Schedule Manager (Sched
task), the Calendar Connector (Calconn task), and the Free Time system
(a combination of Sched, Calconn, and nnotes tasks) to operate. When
you install Lotus Domino 6 on a server (any server except a directory
server), the Sched and Calconn tasks are automatically added to the
server’s NOTES.INI file. When you start the server for the first time, the
Schedule Manager creates a Free Time database (BUSYTIME.NSF for
non-clustered mail servers and CLUBUSY.NSF for clustered mail
servers) and creates an entry in the database for each user who has filled
out a Calendar Profile and whose mail file is on that server or on one of
the clustered servers.
Each user can keep a personal calendar and create a Calendar Profile that
identifies who may access the user’s free time information and specifies
when the user is available for meetings. When users invite other users to
meetings, the Free Time system performs the free-time lookups. The Free
Time system also searches for and returns information on the availability
of resources. If the lookup involves searching in Free Time systems on
different servers or scheduling applications, the Calendar Connector
sends out the queries. When users schedule appointments in their
calendars and reserve resources, the Schedule Manager task collects and
updates that information in the Free Time database.
By default, the Schedule Manager has access to the Free Time database,
so you do not have to define the ACL for this database.
Using clustered Free Time databases
For clustered mail servers, the Schedule Manager creates the clustered
Free Time database (CLUBUSY.NSF) the first time a server starts. The
clustered version of the Free Time database works the same as the Free
Time database (BUSYTIME.NSF). Each clustered server has a replica of
the clustered Free Time database, which stores information about users
whose mail files exist on servers in the cluster.
If you add a previously non-clustered server to a cluster, the Schedule
Manager deletes the BUSYTIME.NSF database on that server and creates
CLUBUSY.NSF, which then replicates to all cluster members. If you
remove a server from a cluster, the opposite occurs: Schedule Manager
deletes CLUBUSY.NSF and creates BUSYTIME.NSF. Until the Schedule
Manager validates the database by checking to see if the location of
users’ mail files has changed, the clustered Free Time database contains
information about users whose mail server you removed from the
cluster. This validation also occurs once each day (at 2 AM) to update
free-time information for users whose mail files have been added to or
removed from a mail server. You can update the information at any time
by entering the Tell Sched Validate command at the console.
A benefit of clustered scheduling is that schedule information is always
available, even when users’ home servers are down. With non-clustered
scheduling, if users’ home servers are not available, the Free Time
database is not available for searching.
Other advantages of using clustered scheduling include improved
performance and reduced server traffic. Because the Free Time database
is available from other members in a cluster, the server that receives a
user’s query does not have to search another server’s Free Time database
for schedule information about a user whose mail server is in the cluster.
Example of scheduling a meeting
This section describes the process of scheduling a meeting when users
share the same mail server and domain, have different domains, and use
different scheduling applications.
In the following examples, Kathy wants to check the free time of and
schedule a meeting with three users — Bob, who is in the same domain
as Kathy; Robin, who is in a different domain; and Susan, who uses a
different scheduling application (Lotus Organizer®).
Users in the same domain
1. Kathy creates a meeting invitation and chooses to search for Bob’s
free time.
2. A free time query is sent to Kathy’s mail server.
3. The Free Time system looks for Bob’s name in the Free Time
database (BUSYTIME.NSF or CLUBUSY.NSF) on Kathy’s mail
server.
   • If Bob and Kathy have the same mail server or if Bob’s and Kathy’s mail
     servers are part of a cluster, the Free Time system finds the information
     and returns Bob’s free time to Kathy.
   • If the Free Time system does not find any information on Bob, it
     converts Bob’s name into a fully qualified name.
   • If Bob’s mail server is unavailable and his Free Time database is not
     clustered, a message appears indicating that the server is unavailable,
     and the Find Time dialog box indicates that Bob’s information is
     unavailable.
4. Kathy’s Domino Directory is checked for Bob’s Person document.
When the Person document is found, the Calendar Connector sends
the request to Bob’s mail server, the name of which is listed in Bob’s
Person document.
5. The Free Time system on Bob’s mail server looks in its Free Time
database and returns the information to Kathy via the Calendar
Connector. If the Free Time system doesn’t find any information, the
query fails, and the Find Time dialog box indicates that Bob’s
information is unavailable.
Users in different domains
1. Kathy creates a meeting invitation and chooses to search for Robin’s
free time. In addressing the invitation, Kathy specifies Robin’s
domain.
2. A query is sent to Kathy’s mail server.
3. The Free Time system looks for Robin’s name in the Free Time
database on Kathy’s mail server. It determines Robin’s mail server is
in a different domain.
4. Kathy’s Domino Directory is searched for a document that matches
Robin’s domain.
   • If the Free Time system finds an Adjacent Domain document, it looks at
     the Calendar server name field of the document for the name of a server
     that accepts calendar queries for Robin’s domain. The Free Time system
     then forwards the query to this server for processing.
   • If the Free Time system finds an Adjacent Domain document with an empty
     Calendar server name field, it fails; and the Find Time dialog box
     indicates that Robin’s information is unavailable.
   • If the Free Time system finds a Non-adjacent Domain document, it looks
     at the “Route requests through Calendar server” field of the document
     for the name of the server (which is in a domain adjacent to Kathy’s and
     Robin’s) that accepts calendar queries for Robin’s domain. The Free Time
     system then forwards the query to this server for processing.
   • If the Free Time system finds a Non-adjacent Domain document with an
     empty “Route requests through Calendar server” field, it fails; and the
     Find Time dialog box indicates that Robin’s information is unavailable.
   • If the Free Time system doesn’t find any domain documents, the query
     fails; and the Find Time dialog box indicates that Robin’s information
     is unavailable.
Users in other calendar domains
1. Kathy creates a meeting invitation and chooses to search for Susan’s
free time.
2. A query is sent to Kathy’s mail server.
3. The Free Time system looks for Susan’s name in its Free Time
database. It does not find the information, so it converts Susan’s
name into a fully qualified one.
4. Kathy’s Domino Directory is searched for Susan’s Person document.
5. The Free Time system looks in Susan’s Person document and locates
the name of her mail server in the Mail server field and the name of
her calendar domain in the Calendar Domain field.
6. Because Susan is using Lotus Organizer as her scheduling
application, the Free Time system finds that her calendar domain
does not match her mail server domain. The Free Time system then
looks for a Domain document for the calendar domain.
7. The Free Time system finds a Foreign Domain document for Susan’s
calendar domain. The Calendar server field in the Foreign Domain
document identifies the name of the server that accepts queries for
Susan’s domain; the “Calendar system” field identifies the name of
the add-in program — for example, Organizer or IBM®
OfficeVision® — that actually does the free-time lookup on Susan’s
server. The Free Time system forwards the query to the appropriate
server (the server listed in the Calendar server field) for processing.
If the Free Time system doesn’t find a Foreign Domain document, the
query fails; and the Find Time dialog box indicates that Susan’s
information is unavailable.
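The three walk-throughs above (same domain, different Domino domain, other calendar domain) are really one decision procedure with several failure points. The following is an added example, not code from the IBM manual, that expresses that procedure over constructed directory data so the branches can be traced in one place. The document types and field names come from the text; the dict layout, the server and user names, and the unavailable-server check are assumptions of this example.

```python
"""Where the Free Time system sends a free-time query.

Added example; this is not code from the IBM manual. It follows the three
walk-throughs above (same domain, different Domino domain, other calendar
domain) as one decision procedure over constructed directory data. The
document types and field names come from the text; the dict layout, the
server and user names, and the unavailable-server check are assumptions
of this example.
"""

LOCAL_DOMAIN = "Acme"
LOCAL_SERVER = "Mail-E/East/Acme"   # Kathy's mail server (constructed)

# Names already present in the Free Time database on Kathy's server.
FREE_TIME_DB = {"Kathy/East/Acme", "Bob/East/Acme"}

DIRECTORY = {
    # Person documents: Mail server and Calendar Domain fields.
    "persons": {
        "Bob/East/Acme": {"Mail server": "Mail-E/East/Acme", "Calendar Domain": ""},
        "Carol/West/Acme": {"Mail server": "Mail-W/West/Acme", "Calendar Domain": ""},
        "Dave/West/Acme": {"Mail server": "Mail-W2/West/Acme", "Calendar Domain": ""},
        "Susan/East/Acme": {"Mail server": "Mail-E/East/Acme", "Calendar Domain": "OrgCal"},
    },
    # Domain documents keyed by domain name.
    "domains": {
        "Partner": {"type": "Adjacent", "Calendar server name": "Cal/HQ/Partner"},
        "Broken": {"type": "Adjacent", "Calendar server name": ""},
        "Remote": {"type": "Non-adjacent",
                   "Route requests through Calendar server": "Cal/HQ/Partner"},
        "OrgCal": {"type": "Foreign", "Calendar server": "Organizer/East/Acme",
                   "Calendar system": "Organizer"},
    },
}

# Servers whose Free Time database cannot be reached right now (constructed).
UNAVAILABLE_SERVERS = {"Mail-W2/West/Acme"}


def resolve_free_time_query(name, domain=None, directory=DIRECTORY,
                            free_time_db=FREE_TIME_DB, down=UNAVAILABLE_SERVERS):
    """Return (server, reason); server is None when the Find Time dialog
    box would report the invitee's information as unavailable."""
    # 1. The local (or clustered) Free Time database is always checked first.
    if name in free_time_db:
        return LOCAL_SERVER, "found in local Free Time database"

    # 2. Invitee addressed with another Domino domain: use the domain documents.
    if domain and domain != LOCAL_DOMAIN:
        doc = directory["domains"].get(domain)
        if doc is None:
            return None, "no domain document"
        if doc["type"] == "Adjacent":
            server = doc.get("Calendar server name", "")
            return (server, "Adjacent Domain document") if server else (
                None, "Adjacent Domain document has empty Calendar server name")
        if doc["type"] == "Non-adjacent":
            server = doc.get("Route requests through Calendar server", "")
            return (server, "Non-adjacent Domain document") if server else (
                None, "Non-adjacent Domain document has empty routing server")
        return None, "unexpected domain document type"

    # 3. Same Domino domain: the Person document names the mail server.
    person = directory["persons"].get(name)
    if person is None:
        return None, "no Person document"

    # 3a. A Calendar Domain that differs from the mail domain means another
    #     scheduling application; look for its Foreign Domain document.
    cal_domain = person.get("Calendar Domain", "")
    if cal_domain and cal_domain != LOCAL_DOMAIN:
        doc = directory["domains"].get(cal_domain)
        if doc is None or doc["type"] != "Foreign":
            return None, "no Foreign Domain document"
        return doc["Calendar server"], "Foreign Domain document (%s)" % doc["Calendar system"]

    # 3b. Otherwise the Calendar Connector sends the query to the mail server,
    #     which fails when that server is down and not clustered.
    server = person["Mail server"]
    if server in down:
        return None, "mail server unavailable"
    return server, "Person document Mail server"
```

Every path that ends in `None` corresponds to one of the “information is unavailable” outcomes in the text, which makes the function a convenient checklist when a free-time lookup fails: the reason string says which document or field to inspect in the Domino Directory.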
Setting up scheduling
How you set up scheduling depends on where users are located — that
is, in the same Domino domain or in different Domino domains — and
whether users use alternate scheduling applications, such as Lotus
Organizer and IBM OfficeVision.
For users in the same Domino domain
Scheduling is automatically set up for non-clustered and clustered Free
Time databases. You need to create the Resource Reservations database
so that users can search for and reserve resources.
For users in adjacent Domino domains
1. Make sure that you have set up Adjacent Domain documents in the
Domino Directory to establish communication between the domains.
For more information on Adjacent Domain documents, see the
chapter “Setting Up Mail Routing.”
2. From the Domino Administrator, click the Configuration tab.
3. Choose the Domino Directory in the “Use Directory on” box.
4. Click Messaging - Domains, and then open each appropriate
Adjacent Domain document.
5. Click the Calendar Information tab, complete this field, and save the
   document:

   Field                 Enter
   Calendar server name  The name of the server in the adjacent domain that
                         accepts and processes all scheduling queries for that
                         domain.

6. Set up the Resource Reservations database if you want to allow users
to search for and reserve resources.
For users in non-adjacent Domino domains
In order for two non-adjacent domains to do free-time lookups between
each other, you need to define a Calendar server in an intermediate
domain that is adjacent to both the querying and the target domains.
Note Free-time lookups require reasonable network response time and
direct LAN connections from the intermediate domain to the two
separate non-adjacent domains.
1. Make sure that you have set up Non-adjacent Domain documents in
the Domino Directory to establish communication between the
domains.
For more information on Non-adjacent Domain documents, see the
chapter “Setting Up Mail Routing.”
2. From the Domino Administrator, click the Configuration tab.
3. Choose the Domino Directory in the “Use Directory on” box.
4. Click Messaging - Domains, and then open each appropriate
Non-adjacent Domain document.
5. Click the Calendar Information tab, complete this field, and save the
document:
6. Set up the Resource Reservations database if you want to allow users
to search for and reserve resources.
For users of Lotus Organizer or IBM OfficeVision
Lotus Domino 6 scheduling works with both Lotus Organizer® and IBM
OfficeVision®. If users want to keep their schedules in either program,
set up scheduling to include them. You need to create a Foreign Domain
document for each alternate scheduling application.
1. Make sure you already set up a Foreign Domain document in the
Domino Directory for each alternate scheduling application.
For more information on Foreign Domain documents, see the chapter
“Setting Up Mail Routing.”
2. From the Domino Administrator, click the Configuration tab.
3. Choose the Domino Directory in the “Use Directory on” box.
4. Click Messaging - Domains, and then open each appropriate Foreign
Domain document.
5. Click the Calendar Information tab, complete these fields, and save
the document:
6. For Notes mail users who use a different scheduling application,
enter the name of the foreign domain in the Calendar Domain field
of each user’s Person document.
7. Set up the Resource Reservations database if you want to allow users
to search for and reserve resources.
Setting up the Resource Reservations database
The Resource Reservations database is where users schedule and manage
meeting resources. Resources may include conference rooms and
equipment, such as overhead projectors and video machines. Users can
select a particular resource and reserve a time for it, or they can choose a
time and let the Resource Reservations database display resources
available during that time.
The Resource Reservations database contains three types of documents:
Site Profile, Resource, and Reservation. A Site Profile document identifies
the site where particular resources are located. A Resource document
defines the resource name — for example, the name or number of the
conference room. After you create Site Profile and Resource documents,
the Schedule Manager tracks the free time of a resource the same way it
tracks free time for users. To reserve a resource, a user can either create a
Reservation document or add the resource to a meeting invitation.
To set up the Resource Reservations database
1. From the Domino Administrator, choose File - Database - New.
2. Complete these fields on the New Database dialog box.

   Field                          Action
   Server                         Enter the name of the server on which you are
                                  creating the database.
   Title                          Enter the name of the database.
   File Name                      Enter a file name for the database. Use the
                                  file name extension nsf.
   Template server                Choose the template server from which you will
                                  be copying the template.
   Show advanced templates        Click this check box to display additional
                                  templates, including the Resource Reservations
                                  (RESRC60.NTF) template.
   Inherit future design changes  Click the check box if you want the database to
                                  inherit design changes that will be made to
                                  the template in the future.

3. Select the Resource Reservations 6 (RESRC60.NTF) template.
4. Click OK.
Setting up the database ACL for the Resource Reservations
database
After creating the Resource Reservations database, set up the ACL for the
database. Assign the CreateResource role to anyone who needs to create
a site or a resource. The CreateResource role is required.
1. From the Domino Administrator, choose File - Database - Access
Control.
2. List the names of all users who are authorized to create Resources
and Site Profile documents and assign to them the [CreateResource]
role.
For more information on setting database ACLs, see the chapter
“Controlling User Access to Domino Databases.”
3. Click OK.
Creating Site Profile and Resource documents
A Site Profile document defines a particular site where a resource exists
and associates that site with a Resource Reservations database and the
Domino Directory. You must create at least one Site Profile document
before you can create Resource documents.
When you create a Resource document, you define the resource name,
type, and availability; and you specify who can reserve the resource.
There are three types of resources:
• Room — Typically a conference room that you want to allow users to
  reserve for meetings. When you set up this resource, you must enter
  the seating capacity of the room.
• Online Meeting Place — Meeting held “online” via Sametime 3.0
  running with Domino Release 6.
  For more information on setting up Sametime, see the IBM Lotus
  Sametime 3.0 Administrator’s Guide. Go to
  http://www.notes.net/doc to download documentation.
• Other — Resources that are not rooms or online meetings, but that
  you want to make available for users to reserve.
After you set up resources, users can search for the free time of a
resource and schedule the resource for a meeting while searching for free
time and inviting users to the meeting. For each Resource document you
create, the Administration Process creates a corresponding Resource
document in the Domino Directory. During a free-time query, the Free
Time system searches the Free Time database to find the location of these
resources and returns information on the availability of both the resource
and the invitees.
When setting up rooms as resources, enter the room information in a
consistent format, either by name or by number. Doing so will limit the
number of errors caused when a room cannot be located in the database.
When a user reserves a conference room with type-ahead enabled, Lotus
Domino 6 searches for the conference room by room number or by room
name, but not by both. Lotus Domino 6 looks up rooms according to how
they have been added to the Resource Reservations database — either by
name or by number. If a user enters a room name and the room resource
is set up by room number, an error is generated and the room is not
located. Setting up all room resources by room name or by room number
helps eliminate this type of error.
When you create a Site Profile or Resource document, the new resource is
not available for users to schedule until the Administration Process adds
the resource to the Domino Directory and the addition replicates to all
replicas of the Domino Directory that are on servers used for scheduling
resources.
To create a Site Profile document
1. Make sure that you have Manager access and the [CreateResource]
role in the ACL of the Resource Reservations database.
2. From the Domino Administrator, click the Files tab.
3. From the Servers pane, select the server from which you want to
work.
4. Open the Resource Reservations database, and select any view
except Calendar, My Reservations, and Reservations Waiting for
Approval.
5. Click New Site.
6. Complete these fields:
7. Click Save and Close.
To create a Resource document
1. Make sure that you have the [CreateResource] role in the ACL of the
Resource Reservations database and that at least one Site Profile
document has already been created.
2. From the Domino Administrator, click the Files tab.
3. From the Servers pane, select the server from which you want to
work.
4. Open the Resource Reservations database.
5. Click New Resource.
6. Choose one of these Resource Types:
   • Room — if the resource is a room
   • Other — if the resource is not a room
   • Online Meeting Place — if you will be meeting via a Sametime
     server.
7. Click the Resource Information tab, and complete these fields:

   Field                    Enter
   Name                     A unique name that identifies the resource, for
                            example, a room number.
   Site                     Click to display a list of available sites, and then
                            choose one.
   Category                 Name for category of Resource, for example,
   (Appears when you        Electronic or AV. This field also displays names of
   select Other as          all previously entered Category values, from which
   Resource Type)           you can choose.
   Capacity                 The capacity of the resource, for example, the
   (Appears when you        seating capacity of a room.
   select Room as
   Resource Type)
   Description              A description of the resource, for example, large
                            conference room with a video monitor.
   Internet address         An Internet address that iCalendar users can use to
                            reserve the resource. The Internet Address field is
                            not visible for Online Meeting Place.
   Owner restrictions       Choose one:
                            • None — Click if no owner is assigned to the
                              resource and anyone can reserve the resource.
                            • Owner only — Click to assign a Resource owner.
                              Only the Resource owner can process Resource
                              requests without special approval. Enter the name
                              of the resource owner in the Owner’s name field.
                              The owner is the person or group to whom requests
                              from other users (those not listed in the List of
                              names field) are forwarded for approval and
                              processing.
                            • Specific people — Click to allow only specified
                              users access to the resource. Enter the names of
                              users allowed to reserve this resource in the List
                              of names field.
                            • Autoprocessing — Click to allow only specified
                              users and groups access to the resource and to
                              assign a resource owner. Enter the name of the
                              resource owner in the Owner’s name field. The
                              owner is the person or group to whom requests
                              from other users (those not listed in the List of
                              names field) are forwarded for approval and
                              processing. Enter the names of users allowed to
                              reserve this resource in the List of names field.
                            • Disable reservations — Click to prevent users
                              from reserving a resource from a meeting notice
                              and directly from the Resource Reservations
                              database.
   Availability settings    Choose one of these:
                            • 24 hours everyday — The resource is available 24
                              hours each day. When you select this availability
                              setting, other availability settings are disabled.
                            • Time zone — Specify the time zone for the
                              resource. The default is Local Time, but you can
                              specify others as applicable, such as Eastern Time.
                            • Days of week and hours of days — Select the days
                              of the week that the resource is available.
                              Specify availability start time and end time for
                              each available day selected.
   Other comments           (Optional) Enter additional comments as necessary.
   Online meeting database  The default database, stconf.nsf, is entered by
                            default. This field cannot be modified.
   External address         Name of the mail-in database on the Sametime
                            server. The name you enter here must be identical
                            to the name of the Sametime Mail-in database in the
                            Domino Directory.
   Sametime server          Name of the Sametime server hosting the meeting.
   Audio Video Support      Choose one:
                            • Audio — Voice only
                            • Audio and Video support — Voice and video display
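The Owner restrictions options in the table above are an authorization policy for the resource: each option decides whether a request is processed automatically, forwarded to the owner for approval, or refused. The following is an added example, not code from the IBM manual, that models those five options as one decision function over constructed Resource documents. The group expansion, the fail-closed default for an unrecognised setting, and the sample resources and groups are assumptions of this example.

```python
"""Outcome of a reservation request under each Owner restrictions setting.

Added example; this is not code from the IBM manual. It turns the five
Owner restrictions options in the table above into one authorization
decision: approved automatically, forwarded to the owner for approval, or
denied. Group expansion, the fail-closed default for an unrecognised
setting, and the sample resources and groups are assumptions of this example.
"""

APPROVED = "approved"
FORWARDED = "forwarded to owner"
DENIED = "denied"

# Constructed groups: an owner or an entry in List of names may be a group.
GROUPS = {
    "AV Team": {"Pat/East/Acme", "Lee/East/Acme"},
    "Sales": {"Robin/West/Acme"},
}


def is_member(user, entry, groups=GROUPS):
    """True when entry is the user's own name or a group containing it."""
    return user == entry or user in groups.get(entry, set())


def decide_reservation(resource, requester, groups=GROUPS):
    """Apply the resource's Owner restrictions setting to one requester."""
    restriction = resource["Owner restrictions"]
    owner = resource.get("Owner's name", "")
    listed = any(is_member(requester, n, groups)
                 for n in resource.get("List of names", ()))
    is_owner = bool(owner) and is_member(requester, owner, groups)

    if restriction == "Disable reservations":
        # Nobody can reserve, neither from a meeting notice nor from the database.
        return DENIED
    if restriction == "None":
        # No owner; anyone can reserve.
        return APPROVED
    if restriction == "Owner only":
        # Only the owner processes requests without approval; others are forwarded.
        return APPROVED if is_owner else FORWARDED
    if restriction == "Specific people":
        # Only the names in List of names may reserve.
        return APPROVED if listed else DENIED
    if restriction == "Autoprocessing":
        # Listed users are processed automatically; others go to the owner.
        return APPROVED if (listed or is_owner) else FORWARDED
    # Unknown value: fail closed rather than grant access by accident.
    return DENIED


# Constructed Resource documents.
RESOURCES = {
    "Room 101": {"Owner restrictions": "None"},
    "Boardroom": {"Owner restrictions": "Owner only", "Owner's name": "Pat/East/Acme"},
    "Projector": {"Owner restrictions": "Specific people", "List of names": ["AV Team"]},
    "Studio": {"Owner restrictions": "Autoprocessing", "Owner's name": "AV Team",
               "List of names": ["Sales"]},
    "Old Lab": {"Owner restrictions": "Disable reservations"},
    "Typo": {"Owner restrictions": "Anyone"},   # misconfigured value
}

if __name__ == "__main__":
    for name, doc in RESOURCES.items():
        print(name, decide_reservation(doc, "Kathy/East/Acme"))
```

The fail-closed branch matters in practice: a resource whose restriction value is mistyped or left blank should not silently become reservable by everyone, which is also why “None” is treated as an explicit choice rather than as the absence of a setting.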

Editing and deleting Resource documents


After you create a Resource document, the information that you can
change includes the Availability Settings, Description, Capacity, Online
resource data, Other Comments, and Ownership Options fields. To
change any other information about the resource, you must delete the
Resource document and then create a new one containing the new
information.
New resource information is not available until the Administration
Process updates the Resource document in the Domino Directory and the
change replicates to all relevant replicas of the Domino Directory that are
on servers used for scheduling resources.
If you delete a resource from the Resource Reservations database, an
Administration Process Request document for the resource deletion is
created in the Administration Requests database (ADMIN4.NSF). To
delete the resource and remove it from the Domino Directory, you must
open the Administration Requests database and approve the request for
deletion. Note that to approve requests you need the appropriate access
in the ACL of the Administration Requests database.
To edit a Resource document
1. Make sure that you have the [CreateResource] role in the ACL of the
Resource Reservations database.
2. From the Domino Administrator, click the Files tab.
3. From the Servers pane, select the server from which you want to
work.
4. Open the Resource Reservations database, and then click Resources.
5. Open the Resource document you want to edit and click Edit
Resource.
6. Edit any of the following fields for resources of type Room or Other.
Description: Description of the resource.
Capacity (Rooms only): The capacity of the resource, if it has one; for
  example, the seating capacity of a room.
Category (Other only): Name of the category of the resource, for
  example Electronic or AV. This field also displays the names of all
  previously entered Category values, from which you can choose.
  Non-modifiable field.
Owner restrictions: Choose one:
• None — Click if no owner is assigned to the resource and anyone can
  reserve the resource.
• Owner only — Click to assign a Resource owner. Only the Resource
  owner can process Resource requests. Enter the name of the resource
  owner in the Owner's name field.
• Specific people — Click to allow only specified users access to the
  resource. Enter the names of users allowed to reserve this resource
  in the List of names field.
• Autoprocessing — Click to allow only specified users access to the
  resource and to assign a resource owner. Enter the name of the
  resource owner in the Owner's name field. The owner is the person to
  whom requests from other users (those not listed in the List of names
  field) are forwarded for approval and processing. Enter the names of
  users allowed to reserve this resource in the List of names field.
• Disable reservations — Prevent users from reserving the resource from
  their mail file.

Availability settings: Choose one:
• 24 hours everyday — The resource is available 24 hours each day. When
  you select this availability setting, the other availability settings
  are disabled.
• Time zone — Specify the time zone for the resource. The default is
  Local Time, but you can specify others as applicable, such as Eastern
  Time.
• Days of week and hours of days — Select the days of the week that the
  resource is available. Specify the availability start time and end
  time for each day selected.
Other comments: Enter additional comments about the resource as
  necessary.
Internet address: An Internet address that iCalendar users can use to
  reserve the resource.

For resources of type Online Meeting, edit any of these fields:
Description: Description of the resource.
Online Meeting Database: The default database, STCONF.NSF, is entered
  by default. This field cannot be modified.
External address: Name of the mail-in database on the Sametime server.
  The name you enter here must be identical to the name of the Sametime
  Mail-in database.
Sametime server: Name of the Sametime server hosting the meeting.
Audio Video Support: Choose one:
• Audio — Voice only
• Audio and Video — Voice and video display
Other comments: Modify or enter comments regarding the resource as
  desired.

To delete a resource
When you delete a resource, an administration request that requires
the administrator’s approval is also generated. After deleting the
resource in the user interface, open the Administration Requests
database and approve the deletion there. Instructions for both
procedures are included here.
1. Make sure that you have the [CreateResource] role in the ACL of the
Resource Reservations database.
2. From the Domino Administrator, click the Files tab.
3. From the Servers pane, select the server from which you want to
work.
4. Open the Resource Reservations database, and then click Resources.
5. Open the Resource document that you are deleting, and click Delete
Resource.
6. Click Yes and click OK.
To approve the resource deletion
To process the deletion, the request needs approval in the Administration
Requests database. Complete these steps to approve the “Approve
Resource Deletion” administration request.
1. From the Domino Administrator, click Server - Analysis -
Administration Requests (6).
2. Click Pending Administrator Approval.
3. Open the Approve Resource Deletion request document and click
Edit Document.
4. Click Approve Resource Deletion.
5. Choose Yes and then click OK to approve the deletion.
Setting user access rights to edit and delete reservations
To allow a user to delete a reservation in the Resource Reservations
database on a Notes Client, assign Editor access to that user in the
database ACL of the Resource Reservations database. The Delete
Reservation button is then enabled.
To allow a Web user to delete a reservation in the Resource Reservations
database, via a Web browser, assign Editor access to that user in the
database ACL of the Resource Reservations database. In a Web view, the
Move to Trash and the Empty Trash buttons are then enabled.
8-16 Administering the Domino System, Volume 1
Reservations that are created manually or with Calendaring and
Scheduling can be deleted by the requester, by the resource owner, or by
a database manager who also holds the CreateResource role; in each case
the person needs Editor access to the Resource Reservations database.
Single-room, non-repeating reservations that are created manually in the
Resource Reservations database can be edited by the requester of the
reservation, with Editor access to the Resource Reservations database, if
the reservation has a status of “waiting for approval” or if the reservation
has been accepted. Repeating room or resource reservations that are
created manually cannot be edited.
Creating Holiday documents
Holiday documents provide a way for your organization to have a
centrally managed collection of documents that contain information on
scheduled holidays and events. Users select the type of Holiday
documents to import and add the information to their personal
calendars. Lotus Domino 6 includes default Holiday documents that you
can modify or delete; you can also add Holiday documents specific to
your organization’s needs. Holiday documents are stored in the Domino
Directory.
You categorize Holiday documents according to a group name. For
example, you may have a group named “Full-time” that contains all the
company holidays for full-time employees. The default Holiday
documents included with Lotus Domino 6 have group names associated
with countries or religions — for example, United States or Italy — and
the groups contain documents specific to holidays in each country. As an
administrator, you may want to modify or delete these documents to
reflect your organization’s needs. Then you can advise all users to import
a specific group of Holiday documents.
To add a document to an existing group, select the group when you
create a new Holiday document. To create new groups, enter a new
group name in the Holiday document. Remember that your users import
Holiday documents according to group name, not document name, so be
sure to plan the organization of documents in groups.
To create a Holiday document
1. From the Domino Administrator, click the Configuration tab.
2. Select the Domino Directory server in the “Use Directory on” field.
3. Click Miscellaneous - Holidays.
4. Click Add Holiday.
5. Complete these fields on the Basics tab:

Group: Do one of these:
• Select a group from the list.
• Add a new group in the New keyword field, and then click OK.
Title: Enter the name of the holiday, for example, Christmas.
Repeat: Specify how often the holiday repeats:
• Monthly by Date
• Monthly by Day
• Yearly
• Custom — If you choose Custom, enter one or more dates on which the
  holiday repeats.

6. If you chose Custom in the Repeat field in Step 5, do not complete
   this step; instead, go to Step 7. Otherwise, complete these fields:
Start date: Enter the date when the holiday first occurs. This date may
  be the actual date of the holiday (such as New Year's Day) or the
  date from which to start the holiday. For example, if your
  organization gives employees every other Friday off from June through
  August, enter June 1 as the Start Date and select "Until" in the
  Continuing field to specify an end date of August 31.
Continuing: Choose one:
• Until — Click Until and then enter a specific date in the "Repeat
  Until" field.
• For — Click For and then specify the number of months or years
  during which the holiday repeats in the "Repeat For" field.
Repeat until (displays if you select Until in the Continuing field):
  Enter the last date on which the holiday should repeat.
Repeat For (displays if you select For in the Continuing field): Enter
  the number of months or years during which the holiday should repeat.
Repeat Interval (applies to Monthly by Date and Monthly by Day): Choose
  how often the holiday repeats, by month and day.
If the date falls on a weekend (applies to Monthly by Date only):
  Choose one:
• Don't Move
• Move to Friday
• Move to Monday
• Move to Nearest Weekday

7. Complete this step only if you chose Custom in the Repeat field in
   Step 5.
Repeat Dates (applies only to Custom): Enter the date or dates when the
  holiday occurs, for example, 01/01/02, 01/02/2003.

8. Complete these fields:
Mark time as: Choose how each user's calendar will record this holiday:
• Busy — This holiday will appear as Busy time in the user's schedule,
  so that meetings cannot be scheduled on the holiday.
• Free — This holiday will appear as Free time in the user's schedule,
  so that meetings can be scheduled on that holiday.
Detailed description: (Optional) Enter a detailed description of the
  holiday.
9. Click Save and Close.
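The Repeat, Continuing and "If the date falls on a weekend" fields above define a recurrence rule that each user's calendar expands when the Holiday document is imported. The following Python is an added example, not IBM documentation or Domino code, that expands such a rule into dates so an administrator can check what a group of Holiday documents will produce before advising users to import it. It covers Yearly, Monthly by Date (with the weekend move options) and Custom; Monthly by Day is left out. The function names, the option spellings used as constants and the sample dates are constructed. The text does not say whether Domino moves a date past the "Repeat Until" limit, so the example does not clip shifted dates.

```python
"""Expand a Holiday document's Repeat options into calendar dates (added example)."""
from calendar import monthrange
from datetime import date, timedelta
from typing import List, Optional

# Spellings taken from the "If the date falls on a weekend" field (assumed constants).
DONT_MOVE = "Don't Move"
MOVE_TO_FRIDAY = "Move to Friday"
MOVE_TO_MONDAY = "Move to Monday"
MOVE_TO_NEAREST = "Move to Nearest Weekday"


def shift_off_weekend(d: date, rule: str) -> date:
    """Apply the weekend option; weekday() is Mon=0 .. Sun=6."""
    if d.weekday() < 5 or rule == DONT_MOVE:
        return d
    saturday = d.weekday() == 5
    if rule == MOVE_TO_FRIDAY:
        return d - timedelta(days=1 if saturday else 2)
    if rule == MOVE_TO_MONDAY:
        return d + timedelta(days=2 if saturday else 1)
    if rule == MOVE_TO_NEAREST:
        return d - timedelta(days=1) if saturday else d + timedelta(days=1)
    raise ValueError(f"unknown weekend rule: {rule}")


def add_months(d: date, n: int) -> date:
    """Same day-of-month n months later, clamped to the last day of a shorter month."""
    month0 = d.month - 1 + n
    year, month = d.year + month0 // 12, month0 % 12 + 1
    return date(year, month, min(d.day, monthrange(year, month)[1]))


def expand_holiday(start: date, repeat: str, interval: int = 1,
                   until: Optional[date] = None, for_months: Optional[int] = None,
                   weekend_rule: str = DONT_MOVE,
                   custom_dates: Optional[List[date]] = None) -> List[date]:
    """Dates one Holiday document contributes to a user's calendar.

    repeat: 'Yearly', 'Monthly by Date' or 'Custom'. Continuing is modeled as
    either until= ('Until') or for_months= ('For'; express years as 12 * n).
    interval is the Repeat Interval (every n months / years).
    """
    if repeat == "Custom":
        return sorted(custom_dates or [])
    if until is None:
        if for_months is None:
            raise ValueError("Continuing needs either Until or For")
        # 'For 3 months' from June 1 runs through August 31.
        until = add_months(start, for_months) - timedelta(days=1)
    step = interval if repeat == "Monthly by Date" else 12 * interval
    out: List[date] = []
    n = 0
    while True:
        d = add_months(start, n * step)
        if d > until:
            break
        # The weekend option applies to Monthly by Date only.
        out.append(shift_off_weekend(d, weekend_rule) if repeat == "Monthly by Date" else d)
        n += 1
    return out


if __name__ == "__main__":
    # Constructed sample: a monthly holiday that lands on Saturday 1 June 2002.
    for d in expand_holiday(date(2002, 6, 1), "Monthly by Date",
                            for_months=3, weekend_rule=MOVE_TO_MONDAY):
        print(d.isoformat(), d.strftime("%A"))
```

Running the sample prints 2002-06-03 (Monday), 2002-07-01 and 2002-08-01: the first occurrence moved off the Saturday, the others untouched.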

To view the default Holiday documents
Lotus Domino 6 includes default Holiday documents that contain
information on holidays observed around the world. The Holiday
documents are organized into groups by country or religion. For
example, the Italy group contains documents specific to Italian holidays.
1. From the Domino Administrator, click the Configuration tab.
2. Select the Domino Directory server in the “Use Directory on” field.
3. Click Miscellaneous - Holidays to see all the default Holiday
documents.
To modify an existing Holiday document
After you modify or delete an existing Holiday document, users receive
the modifications only when they choose to run import from their mail
files.
1. From the Domino Administrator, click the Configuration tab.
2. Select the Domino Directory server in the “Use Directory on” field.
3. Click Miscellaneous - Holidays.
4. Choose the geographical/religious category for the Holiday.
5. Select the desired Holiday document and click Edit Holiday.
6. Modify fields as you wish.
For more information on the individual fields, see the topic “To create a
Holiday document” in this chapter.
Collecting detailed information from user calendars
If a user requests it, additional detailed data about scheduled meetings
(such as the chair, location, and room) is made available to other
users. This information is stored in the free-time database:
BUSYTIME.NSF on a non-clustered server and CLUBUSY.NSF on a clustered
server. To limit growth of this database, do not enable the server to
collect this data. You can enable or disable this feature across the
entire Domino domain from the server's Configuration Settings document,
or you can set it for specific servers.
To collect detailed calendar information from user calendars
1. From the Domino Administrator, click the Configuration tab.
2. Choose Server - Configurations.
3. Select the Server Configuration document you want to modify, and
click Edit Configuration.
4. On the Basics tab, click the check box “Extract calendar details.” The
feature is enabled.
5. Choose any of these calendar details to extract:
• Chair — Allows other users to see who will chair the meeting
• Location — Allows other users to see the site location of the
  meeting
• Room — Allows other users to see the name or other identifier for
  the room
6. Click Save and Close.

Chapter 9
Using Policies
Using policies, you can distribute and control a standard set of
administrative settings for user registration and setup, desktop
configuration, mail archiving, and security.
Policies
Using a policy, you control how users work with Notes. A policy is a
document that identifies a collection of individual policy settings
documents. Each of these policy settings documents defines a set of
defaults that apply to the users and groups to which the policy is
assigned. Once a policy is in place, you can easily change a setting, and it
will automatically apply to those users to whom the policy is assigned.
Policy settings documents cover these administrative areas:
• Registration — If a policy including registration policy settings is
  in place before you register Notes users, these settings set default
  user registration values including user password, Internet address
  format, roaming user designation, and mail.
• Setup — If a policy including setup policy settings is in place
  before you set up a new Notes client, these settings are used during
  the initial Notes client setup to populate the user's Location
  document. Setup settings include Internet browser and proxy settings,
  applet security settings, and desktop and user preferences.
• Desktop — Use desktop policy settings to control and update the
  user's desktop environment or to reinforce setup policy settings. For
  example, if a change is made to any of the policy settings, the next
  time users authenticate with their home server, the desktop policy
  settings restore the default settings or distribute the new settings
  specified in the desktop policy settings document.
• Mail archiving — Use archive policy settings to control mail
  archiving. Archive settings control where archiving is performed and
  specify archive criteria.
• Security — Use security settings to set up administration ECLs and
  define password-management options, including the synchronization of
  Internet and Notes passwords.
Organizational and explicit policies
There are two types of policies: organizational and explicit.
Understanding the differences between the types helps you plan the
implementation.
Organizational policies
An organizational policy automatically applies to all users registered in a
particular organizational unit. For example, to distribute default settings
to all users registered in Sales/Acme, create an organizational policy
named */Sales/Acme. Then when you use the Sales/Acme certifier ID to
register a user, that user automatically receives the settings in the
corresponding organizational policy.
If you move a user within the hierarchical structure — for example,
because the user transfers from the Sales department to the Marketing
department — the organizational policy for the corresponding certifier
ID is automatically assigned to the user. For example, if you move the
user from Sales/Acme to Marketing/Acme, all settings defined in the
desktop, archiving, and security policy settings documents associated
with the */Marketing/Acme organizational policy are assigned to the
user. The new policy settings become effective the first time users
authenticate with their home server.
Explicit policies
An explicit policy assigns default settings to individual users or groups.
For example, to set a six-month certification period for contract workers
in all departments, create an explicit policy and then assign it to each
contract employee or to the group that includes all contract employees.
There are three ways to assign an explicit policy: during user registration,
by editing the user’s Person document, or by using the Assign Policy
tool.
For information on assigning an explicit policy, see the topic “Assigning
an explicit policy,” later in this chapter.
Using Exceptions
You can assign an exception attribute to either an organizational or
explicit policy. You use an exception to allow the user to override a
policy setting that is otherwise enforced throughout an organization.
When you create an exception policy, you specify only the settings that
will not be enforced. Then when you assign the exception policy, it
exempts users from enforcement of those settings only.
Exception policies are a way to give someone in an organization special
treatment, possibly because of their position or job requirements. For
example, the */Acme policy includes a Registration policy setting that
enforces a mail database quota of 60 MB. However, a small group of
employees in Acme need to exceed this quota. The solution is to create an
“exception” policy that includes only a Registration policy settings
document, that does not set a quota limitation on the mail database.
When this exception policy is assigned to users, they can override the
database quota setting. Because exception policies defeat the
enforcement of policy settings, use them sparingly.
Policy hierarchy and the effective policy
The effective policy for a user is a set of derived policy settings that are
dynamically calculated at the time of execution. The field values in an
effective policy may originate from many different policy settings
documents. Each hierarchical level can have an associated policy, so
users may have a combination of policy settings that include the values
set at their OU level, and those inherited from a parent policy. The
resolution of those settings, stepping up through the organizational
hierarchy, determines the effective policy for each user.
In addition to organizational policies, users may also have explicit
policies assigned to them. In that case, the order of resolution is that all
organization policy settings are resolved first, then any explicit policy
settings are resolved.
For example, if you want all users to use the same Internet mail name
format, set that value in the Registration policy settings document for the
top-level policy. Once you have set this value, you do not have to change
it or reenter it in subsequent child policies. You simply “inherit” this
value from the parent by selecting the inherit option. However, if you
have a select group of international users for whom this setting is a
problem, you can create an explicit policy that applies to the select group
only. The combination of the explicit and organizational policies together
provide the control and the flexibility you need.
There are two tools that help you determine the effective policy
governing each user. The Policy Viewer shows the policy hierarchy and
associated settings documents, and a Policy Synopsis report shows the
policy from which each of the effective settings was derived.
Inheritance and the child policy relationship
Inheritance plays an important role in determining a user’s policy
settings in both organizational and explicit policies. Through the
parent-child relationship, you create a hierarchy of policies to set your
administrative practices across the enterprise. In a policy hierarchy,
policy documents build the relationship, and policy settings documents
determine the value of the fields based on their position in the hierarchy.
Using field inheritance and enforcement, you control the default settings.
In organizational policies, the hierarchy of policies is determined
automatically by the organization's hierarchy: the policy */Sales/Acme
is the child policy of */Acme. Because explicit policies do not follow
the organizational structure, you build in the hierarchy through the
naming structure when you create them. For example, suppose you create
an explicit policy named /Contractors that includes several settings
that apply only to contract employees who may be employed for six
months to a year, but you want short-term temporary employees, employed
for only one or two weeks, to inherit only some of those settings. You
then create a child explicit policy called Short term/Contractors.
The following figure shows a policy hierarchy. In this hierarchy, the policy
at each organizational level has set its own password quality setting.
In the following figure, Joe User inherits a password quality setting from
a parent policy. Inheriting a setting occurs in the child policy at the field
level in a policy settings document.

Another way that a user "inherits" field-level settings is through
enforcement. In the illustration below, the password quality setting is
enforced in the parent policy at the field level in the Registration
policy settings document. If settings are enforced in a parent policy,
the settings at the child policy level do not apply.
Example of using policies
The administrator at the Acme company wants to use policies to:
• Set the same Internet address format for all users
• Set users in Sales/Acme to be roaming users
• Set a custom mail template for employees in Sales/Acme
• Set a 24-month certification expiration for permanent employees
• Set a 6-month certification expiration for temporary employees
To accomplish these goals, the administrator creates these policies:
• An organizational policy for Sales/Acme (*/Sales/Acme) that sets
  roaming options and specifies a custom mail template.
• An explicit policy for temporary employees that specifies a 6-month
  certification expiration. When temporary employees are registered,
  this explicit policy is applied along with the organizational policy
  that correlates to the organizational unit in which the employees are
  registered.
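To make the resolution rules described under "Policy hierarchy and the effective policy" and "Inheritance and the child policy relationship" concrete, and to run the Acme example above, here is an added Python model. It is example code, not part of the IBM documentation or of the Domino product. It derives the organizational policy chain from a user's hierarchical name, applies field-level inherit and enforce flags from the top-level policy down, then applies the assigned explicit policies (and exception policies, which lift enforcement on the fields they name), and reports the policy each effective value came from, the way a Policy Synopsis does. The field names and values (the address format, password quality 8, the template name salesmail6.ntf, the 60 MB quota), the policy names /Temps and /Quota Exception, and the leading-slash naming of explicit policies (so the child in the chapter becomes /Short term/Contractors) are assumptions; treating an enforced organizational value as binding on later explicit policies is also a modeling assumption.

```python
"""Effective-policy resolution for Domino 6 organizational and explicit policies.

Added example (not IBM documentation or Domino code). Field names and values
are constructed to mirror the chapter's Acme example.
"""
from dataclasses import dataclass, field
from typing import Any, Dict, List


@dataclass
class Setting:
    """One field of a policy settings document."""
    value: Any = None
    enforce: bool = False  # an enforced value binds every child or later policy
    inherit: bool = False  # take the parent's value instead of setting one here


@dataclass
class Policy:
    """A policy document plus the field values of its settings documents.

    Naming follows the chapter: organizational policies are '*/OU/Org'; explicit
    policies are assumed to start with '/', e.g. '/Contractors' and its child
    '/Short term/Contractors'. An exception policy lists only the fields it
    exempts from enforcement.
    """
    name: str
    settings: Dict[str, Setting] = field(default_factory=dict)
    exception: bool = False


@dataclass
class Effective:
    """One effective value and the policy it came from (what a Policy Synopsis reports)."""
    value: Any
    source: str
    enforced: bool


def policy_chain(name: str) -> List[str]:
    """Ancestors of a policy, top level first: '*/Sales/Acme' -> ['*/Acme', '*/Sales/Acme']."""
    prefix, _, rest = name.partition("/")
    parts = rest.split("/")
    return [prefix + "/" + "/".join(parts[i:]) for i in range(len(parts) - 1, -1, -1)]


def org_policy_name(user_name: str) -> str:
    """'Joe User/Sales/Acme' -> '*/Sales/Acme': the policy of the certifier that registered the user."""
    return "*/" + user_name.split("/", 1)[1]


def apply_policy(effective: Dict[str, Effective], policy: Policy) -> None:
    """Fold one policy's settings into the effective set, honoring enforce and inherit."""
    for fname, setting in policy.settings.items():
        current = effective.get(fname)
        if policy.exception:
            if current is not None:
                current.enforced = False  # exception: value stays, but may now be overridden
            continue
        if current is not None and current.enforced:
            continue  # enforced higher up: the child's value does not apply
        if setting.inherit:
            continue  # field-level inheritance: keep the parent's value
        effective[fname] = Effective(setting.value, policy.name, setting.enforce)


def resolve(user_name: str, explicit: List[str], policies: Dict[str, Policy]) -> Dict[str, Effective]:
    """Organizational chain first (top level down), then each assigned explicit policy chain."""
    effective: Dict[str, Effective] = {}
    chains = [policy_chain(org_policy_name(user_name))] + [policy_chain(n) for n in explicit]
    for chain in chains:
        for pname in chain:
            if pname in policies:  # a level without a policy document is skipped
                apply_policy(effective, policies[pname])
    return effective


# Constructed data for the chapter's Acme example (all values are assumptions).
ACME_POLICIES = {p.name: p for p in [
    Policy("*/Acme", {
        "internet_address_format": Setting("firstname.lastname@acme.com"),
        "cert_expiration_months": Setting(24),
        "password_quality": Setting(8),
        "mail_quota_mb": Setting(60, enforce=True),
    }),
    Policy("*/Sales/Acme", {
        "password_quality": Setting(inherit=True),  # Joe User inherits 8 from */Acme
        "roaming_user": Setting(True),
        "mail_template": Setting("salesmail6.ntf"),
        "mail_quota_mb": Setting(200),  # does not apply: enforced in the parent
    }),
    Policy("/Temps", {"cert_expiration_months": Setting(6)}),
    Policy("/Quota Exception", {"mail_quota_mb": Setting()}, exception=True),
]}


def synopsis(user_name: str, explicit: List[str], policies: Dict[str, Policy] = ACME_POLICIES):
    """Field -> (value, source policy), sorted by field, like a Policy Synopsis report."""
    return {k: (v.value, v.source) for k, v in sorted(resolve(user_name, explicit, policies).items())}


if __name__ == "__main__":
    for user, assigned in [("Joe User/Sales/Acme", []), ("Tina Temp/Sales/Acme", ["/Temps"])]:
        print(user)
        for fname, (value, source) in synopsis(user, assigned).items():
            print(f"  {fname:25} = {value!r:35} from {source}")
```

For Joe User the quota stays at 60 MB from */Acme even though */Sales/Acme sets 200, because the parent enforces it; Tina Temp gets the 6-month expiration from /Temps because the 24-month value in */Acme is not enforced; a user assigned /Quota Exception keeps the 60 MB value but the field is no longer enforced, which is the chapter's reason to use exceptions sparingly.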
Planning and assigning policies
Before you register and set up users, plan and create policies. Then,
during user registration, assign the policies. If users are already
registered, you can plan and create policies, but you cannot assign any
registration and setup policy settings, since those apply only once,
during user registration and setup.
To plan and assign policies
1. Determine which settings to assign to all users in specific
organizational units. For these settings, create organizational policies.
2. Determine which settings to assign to individual users or groups. For
these settings, create explicit policies.
3. Register users and assign explicit policies during registration.
4. For users who are already registered, assign explicit policies by
editing the Person document or using the Assign Policy tool.
5. (Optional) Create and assign exception policies.
To plan and assign policies for a hosted organization
When you use policies for hosted organizations, your policy must
include registration policy settings. You can use either an organizational
or explicit policy. Depending on the type of policy you use, you create
the policy either before you register the hosted organization or during
registration.
For a hosted organization, do one of the following:
• Explicit policy — Create an explicit policy that includes a
  registration settings document before you register the hosted
  organization.
• Organizational policy — When you are registering a hosted
  organization, create an organizational policy and a registration
  settings document when you are prompted to do so.
Creating policies
Creating a policy is a two-step process. If you create an organizational
policy, it is applied automatically when you register users. If you
create an explicit policy, you assign it manually during user
registration, in the Person document, or by using the Assign Policy
tool.
For more information on assigning explicit policies, see the topic
“Assigning an explicit policy,” later in this chapter.
1. Create one or more of the following policy settings documents to
define default settings that you want to assign to users:
• Registration policy settings
• Setup policy settings
• Desktop policy settings
• Security policy settings
• Archive policy settings
2. Create a Policy document, which identifies specific policy settings.
Creating a registration policy settings document
If you include a registration policy settings document in a policy, when
you register users, many registration settings are filled in for you. If you
use an organizational policy, when you register users with the
corresponding certifier ID, that policy is automatically applied. If you use
an explicit policy, you select the policy during registration.
For more information on user registration settings, see the chapter
“Setting Up and Managing Notes Users.” For more information about
the password quality scale, see the chapter “Protecting and Managing
Notes IDs.”
To create registration settings
1. Make sure that you have Editor access to the Domino Directory and
one of these roles:
• PolicyCreator role to create a settings document
• PolicyModifier role to modify a settings document
2. From the Domino Administrator, select the People & Groups tab,
and then open the Settings view.
3. Click “Add Settings,” and then choose Registration.
4. On the Basics tab, complete these fields:
Name: Enter a name that identifies the users that use these settings.
  If you are a service provider, enter the name of the hosted
  organization.
Description: Enter a description of the settings.
Choose a registration server: Select the registration server from the
  list.
Choose a password quality: Select a password quality level. If you are
  a service provider, you must select a minimum password quality of
  "Any Password" or, if specifying a number, level 2. After users
  authenticate with their home servers, password quality is governed by
  the security policy settings.
Set Internet password: Check the "Set Internet password" check box to
  set the password that is stored in each user's Person document. This
  password gives users access to Internet services. If you are a
  service provider, you must complete this field.
Then complete the roaming fields:
Use mail server for roaming server: Do one:
• Select to store the user's roaming information on the same server
  used for mail.
• Deselect and enter the name of the server to store the user's
  roaming information.
Create roaming files options: Choose one:
• Create roaming files now — to create the user's roaming files during
  user registration.
• Create roaming files in background — to use the Administration
  Process to create the user's roaming files after user registration.
Cleanup options: Choose one:
• Do not clean up — to not clean up roaming user files.
• Clean up every N days — and enter a number between 0 and 365.
Then complete the mail fields:
Mail system: Choose a mail system.
• If you are a service provider, choose Lotus Notes only if you run
  Domino Off-Line Services (DOLS) in the hosted organization.
• If you choose Other, Other Internet, or None, skip the remaining mail
  fields.
Mail server: Choose the server that stores the user's mail file. If
  your organization supports DOLS, choose a DOLS-enabled server.
Mail template: Choose one:
• MAIL6.NTF — if the organization uses Lotus Notes, POP3, or IMAP.
• INOTES5.NTF — if the organization uses iNotes.
• Your organization's custom mail template.
Then complete the ID and certifier fields:
Security Type: Choose North American or International.
Certificate Expiration Date: Choose one:
• Static date — and then enter an expiration date. The default static
  date is 24 months from creation.
• Months from user creation — and then enter the number of months. The
  default is 24 months.
Location for storing user ID: Choose one or more:
• In Domino Directory — to store the ID in the user's Person document.
• In File — and then click "Set ID File" to select the path and specify
  the location to store the ID.
• In Mail File — to store the ID in the user's mail file.
Then complete these fields:
Group assignments: Choose the group to which you will add all users you
  register using these registration settings. Leave this field blank if
  you are not registering all users into one group.
Local administrator: Enter the name of the administrator. If you are a
  service provider, enter the name of the administrator at the hosted
  organization in this format: administrator name/certifying hosted
  organization

Creating a setup policy settings document
Use a setup policy settings document to define the default look and
content of the user workspace and create Location and Connection
documents that simplify server connections. Setup policy settings are
applied only once, during user setup. To maintain these settings, specify
the same settings in a desktop policy settings document. If a change is
made to any policy setting, the desktop policy settings will reinforce the
setup settings the next time users authenticate with their home server.
Among the settings you can specify are the user preferences. These are
preferences that Notes users can usually specify for their desktop
environment. If you set these preferences in a policy and then reinforce
them using desktop policy settings, Notes users will be able to change
their preferences, but the change will be only temporary.
Before you create a setup policy settings document, set up the Domino
system for any or all of the following:
• Domain search server
• Web Navigator and InterNotes server
• Databases you want to add to the user's bookmarks in the Favorites
  folder
• Mobile directory (or client directory) catalogs
• Passthru servers, LAN servers, Internet servers, and remote servers
• TCP/IP and NDS Notes name servers
• Host domains where Java applets are assumed to be safe
• Proxy servers
To create setup policy settings
1. Make sure that you have Editor access to the Domino Directory and
one of these roles:
• PolicyCreator role to create a settings document
• PolicyModifier role to modify a settings document
2. From the Domino Administrator, select the People & Groups tab,
and then open the Settings view.
3. Click “Add Settings,” and then choose Setup.
4. On the Basics tab, complete these fields:
Name: Enter a name that identifies the users (and, if you are a service
  provider, the hosted organization) that use these settings.
Description: Enter a description of the settings.
Catalog/Domain Search server: Choose the name of the server used for
  domain searches.
Directory server: Enter the name of the server whose Domino Directory
  you want users to use.
Sametime server: Enter the name of the server used to connect to
  Sametime.
Local mailfile: Choose this option to create a local copy of the user's
  mail file.
Internet browser: Choose the Internet browser used from this location.
Retrieve/open pages: If you chose Notes or Notes with Internet Explorer
  as the Internet browser, choose the location from which to run the
  Web Retriever process.
Then complete the database fields:
Default databases added to bookmarks: Create a link for each database
  to add to the user workspace. If the server that stores a database is
  down during setup, a bookmark will not be created.
Create As new replicas on user's machine: Create a link for each
  database to add as a new replica to the user workspace.
Mobile directory catalogs: Create a link for each mobile directory
  catalog to add automatically to the user workspace.
Then complete the applet security fields:
Trusted hosts: Enter the names of trusted hosts.
Network access for trusted hosts: Choose one:
• Disable Java
• No access allowed
• Allow access only to originating host
• Allow access to any trusted host
• Allow access to any host
Network access for untrusted hosts: Choose one:
• Disable Java
• No access allowed
• Allow access only to originating host
Trust HTTP proxy: Choose one:
• Yes
• No

Creating a desktop policy settings document
You use a desktop policy settings document to control the user’s
workspace. Desktop settings are enforced the first time a user logs in to
Notes and runs setup. After the initial setup, you can use them to update
the user’s desktop settings or to reinforce the setup policy settings.
Users receive updates to the settings when any of the policy settings
change, and then the desktop policy settings are enforced the next time
users authenticate with their home server.
To use a desktop policy settings document to enforce the settings
specified in the setup policy settings document, specify the same settings
in a desktop policy settings document. For example, to ensure that the
Sametime server specified in the setup policy settings document remains
the same each time the user logs in, enter the Sametime server name in
both the setup and desktop policy settings documents.
To use a desktop policy settings document to add to or update the user’s
desktop workspace, change the setting in the desktop policy settings
document. For example, to change the Sametime server specified in the
setup policy settings document, specify a different server in the desktop
policy settings. Other changes you can make to the user’s desktop
workspace that do not reflect setup policy settings include setting up a
default home page, customizing the welcome page, upgrading the mail
template, and specifying how and when Smart Upgrade runs to upgrade
the Notes client. If you are updating from a previous version of Domino,
you can use a desktop policy settings document to define the settings
used when converting previous mail file templates to the Domino 6 mail
template, mail6.ntf.
You also use a desktop policy settings document to manage and update
bookmarks. You can, for example, set up a bookmark hierarchy for Notes
users by creating an outline of bookmarks that includes folders and links
such as database links, document links, and URL links. You can create
folders that have links within the folders. All of the folders and
bookmarks in the outline are then placed on the Bookmark Bar of the
Notes client. To add bookmarks to an existing folder on the user’s
desktop, such as More Bookmarks, include the folder in the bookmark
outline. Any links included in that folder are merged with the
corresponding folder in the Notes client. You can also create a folder
called “Startup” that includes links that open automatically every time
the user logs in to Notes.
You can also set user preferences, usually set by Notes users. If you set
user preferences, Notes users will still be able to change their
preferences, but the changes will be only temporary. The next time the
desktop policy is enforced, their preferences will be reset to the original
policy settings.
For more information on seamless mail upgrades, see the Upgrade Guide.
To create Desktop settings
1. Make sure that you have Editor access to the Domino Directory and
one of these roles:
• PolicyCreator role to create a settings document
• PolicyModifier role to modify a settings document
2. From the Domino Administrator, select the People & Groups tab,
and open the Settings view.
3. Click “Add Settings,” and then choose Desktop.
4. Under Basics, complete these fields:
• Name — Enter a name that identifies the users (and, if you are a
service provider, the hosted organization) that use these settings.
• Description — Enter a description of the settings.
5. Under Server Options, complete these fields:
• Catalog/Domain Search server — Choose the name of the server used for domain searches.
• Domino Directory server — Enter the name of the server whose Domino Directory you want users to use.
• Sametime server — Enter the name of the server used to connect to Sametime.
• Local mailfile — Check the field “Create local mailfile replica” to create a local copy of the user’s mail file.
• Deploy version — If you use Smart Upgrade, enter the Notes version to which you want users to upgrade.
• Upgrade deadline — If you use Smart Upgrade, use mm/dd/yyyy format to enter the date by which users must upgrade. If users do not upgrade by this date, the upgrade happens automatically.

• Prompt user before upgrading mail file — Do one: Check yes to inform users before upgrading their mail files; this allows users to defer the upgrade. Uncheck (default) to upgrade without notification.
• Old design template name for your mail files — The default asterisk (*) uses any mail template. (Optional) Enter the name of the current template you are using.
• If running this version of Notes — Enter the build version of the Notes client in the format Build Vnn_mmddyyyy (example, Build V60_06282002). To upgrade all versions, use an asterisk (*). To find the build version, use Help - About Domino Administrator.
• Use this Mail template — Enter the new mail template file name.
• Ignore 200 category limit — By default the number of folders created during conversion is limited to 200 folders. Do one: Check yes to override that limit and create as many folders as necessary (default). Uncheck to enforce the limit.
• Mail file to be used by IMAP mail clients — Do one: Check if the mail file will be used by an IMAP mail client. Uncheck if IMAP will not be used (default).
• Upgrade the design of custom folders — The conversion does not upgrade private folders automatically. Do one: Check yes to include custom folders in the design upgrade (default). Uncheck to exclude custom folders from the design upgrade.
• Prompt before upgrading folder design — Do one: Check yes to inform users before upgrading their mail folder design; this allows users to defer the upgrade. Uncheck (default) to upgrade folder design without notifying users.
• Notify these administrators of mail upgrade status — If you chose to notify users before updating the mail template or folders, enter the names of administrators who should receive status information.

• Corporate Welcome Pages database — Add the database link to the database containing custom welcome pages. Note You cannot use the Web Administrator to create links.
• Default Welcome page — Do one: Select the welcome page users see when they start Notes. Select “No default Welcome Page” if there is no default welcome page (default).
• Homepage selection — For the field “Do not allow users to change their home page,” do one: Check to prohibit users from choosing their own home page. Uncheck (default) to allow users to change their home page.

• Create As new replicas on user’s machine — Create a link for each database to add as a new replica to the user workspace.
• Mobile directory catalogs — Create a link for each mobile directory catalog to add automatically to the user workspace.
• Bookmarks to merge with users’ bookmarks — Drag and drop or copy links to add to the user’s bookmarks. Arrange links in the order you want them to display. However, do not add any links above the Favorites folder, because they will be added to the bottom of the user’s bookmarks list.

• Trusted hosts — Enter the name of trusted hosts.
• Network access for trusted hosts — Choose one: Disable Java; No access allowed; Allow access only to originating host; Allow access to any trusted host; Allow access to any host.
• Network access for untrusted hosts — Choose one: Disable Java; No access allowed; Allow access only to originating host.
• Trust HTTP proxy — Choose one: Yes; No.


On the Password Management tab, complete these fields:
• Allow users to change Internet password over HTTP — Choose one: Yes (default) to allow users to use a Web browser to change their Internet passwords; No.
• Synchronize Internet password with Notes password — Choose one: No (default); Yes to allow users to use the same password to log in to both Notes and the Internet.
• Check Notes password — Choose one: No (default); Yes to require a password for Notes authentication.
• Required change interval — Enter the number of days a password can be in effect before it must be changed.
• Allowed grace period — Enter the number of days users have to change an expired password before being locked out.
• Password history (Notes only) — Enter the number of expired passwords to store. Storing passwords prevents users from reusing old passwords.

• Admin ECL — The default administration ECL is the default value for this field. Choose one:
  • Edit — to edit the default administration ECL.
  • New — to create a new administration ECL. Enter the name of the new ECL and choose options in the Workstation Security: Execution Control List dialog box. The name of the new ECL appears in this field.
• Update Mode — Choose one:
  • Refresh — to update workstation ECLs with changes made to the Administration ECL. If a setting appears in both the administration and workstation ECL, the administration ECL setting overrides the workstation ECL setting.
  • Replace — to overwrite the workstation ECL with the Administration ECL. This option overwrites all workstation ECL settings.
• Update Frequency — Choose one:
  • Once Daily — to update the workstation ECL when the client authenticates with the home server and either it has been a day since the last ECL update or the administration ECL has changed.
  • When Admin ECL Changes — to update the workstation ECL when the client authenticates with the home server and the administration ECL has changed since the last update.
  • Never — to prevent the update of the workstation ECL during authentication.
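The Update Mode and Update Frequency rules above, as an added example that is not part of the original documentation or IBM’s code: it models an ECL as a mapping from signer name to the set of capabilities granted, using constructed sample signers and capability labels, and assumes that a Refresh leaves untouched any workstation entry the administration ECL does not mention.

```python
"""Added example, not from the Domino documentation or product code.
Models the ECL Update Mode (Refresh versus Replace) and the Update
Frequency rule applied when a client authenticates with its home server.
Signer names and capability labels below are constructed sample values."""

# Constructed sample workstation ECL: the user has locally widened the
# rights of one signer and added an entry for unsigned code.
WORKSTATION_ECL = {
    "-Default-": {"read_current_db"},
    "Template Dev/Acme": {"read_current_db", "write_other_dbs",
                          "run_external_programs"},
    "-No Signature-": {"read_current_db"},
}

# Constructed sample administration ECL pushed by the policy.
ADMIN_ECL = {
    "-Default-": {"read_current_db"},
    "Template Dev/Acme": {"read_current_db", "write_other_dbs"},
    "Lotus Notes Template Development/Lotus Notes": {"read_current_db",
                                                     "write_other_dbs"},
}


def apply_admin_ecl(workstation, admin, mode):
    """Return the workstation ECL after an update in the given Update Mode.

    Refresh: every administration ECL entry replaces the matching
    workstation entry; entries only the workstation has are left alone
    (assumption: the text says the admin setting wins where a setting
    appears in both).
    Replace: the workstation ECL is discarded and the administration ECL
    is used as-is.
    """
    if mode == "Replace":
        return {signer: set(caps) for signer, caps in admin.items()}
    if mode == "Refresh":
        merged = {signer: set(caps) for signer, caps in workstation.items()}
        for signer, caps in admin.items():
            merged[signer] = set(caps)  # administration setting overrides
        return merged
    raise ValueError(f"unknown Update Mode: {mode!r}")


def local_only_entries(workstation, admin):
    """Signers present only in the workstation ECL. They survive a Refresh
    but not a Replace, which is why Replace is the stricter choice."""
    return sorted(set(workstation) - set(admin))


def ecl_update_due(frequency, hours_since_last_update, admin_ecl_changed):
    """Decide, at authentication with the home server, whether the
    workstation ECL is updated. hours_since_last_update is None when the
    workstation ECL has never been updated from the administration ECL."""
    if frequency == "Never":
        return False
    if frequency == "When Admin ECL Changes":
        return admin_ecl_changed
    if frequency == "Once Daily":
        a_day_since = (hours_since_last_update is None
                       or hours_since_last_update >= 24)
        return admin_ecl_changed or a_day_since
    raise ValueError(f"unknown Update Frequency: {frequency!r}")


if __name__ == "__main__":
    for mode in ("Refresh", "Replace"):
        result = apply_admin_ecl(WORKSTATION_ECL, ADMIN_ECL, mode)
        print(mode, {s: sorted(c) for s, c in sorted(result.items())})
    print("survives Refresh only:", local_only_entries(WORKSTATION_ECL, ADMIN_ECL))
    print("Once Daily, 2h ago, unchanged:", ecl_update_due("Once Daily", 2, False))
```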

Mail archiving and policies
For the first time in Lotus Domino 6, administrators can centrally control
mail file archiving using policies. Archiving is particularly useful for mail
databases because when a user sends a mail message, Notes
automatically saves a copy of it in the Sent view, causing the mail file to
increase in size. Archiving the mail file frees up space and improves the
performance of the mail database by storing documents in an archive
database when they are old or not in use anymore.
The mail archive database is a Notes database, and can be accessed like
any other Notes database. The views in a user’s mail archive mirror the
views in the mail file and include all the folders that exist when mail is
archived, so users can find and retrieve archived messages easily from
within their archive database. When a document has one or more
responses, the entire document hierarchy is archived.
You can also use archiving policy settings to define a document retention
policy for your mail files. With document retention, you define the
criteria for old documents, and then simply delete them from the mail
database without archiving them.
If you choose not to include archiving policy settings in your policies,
Notes users can still archive mail files using database archive settings in
the Notes client.
How mail file archiving works
Mail file archiving is a three-step process that includes document
selection, copying documents to an archive database, and mail file cleanup.
• Document selection — choosing which documents to archive based
on activity and on folder selection. For example, you can define an
old document as one that has not been modified for 365 days. You
can then archive all documents that match that criterion, or you can
archive only documents in specific folders that match that criterion.
• Copying — copying selected documents from the source mail file to
an archive database destination.
• Mail file clean up — reducing the size of the source mail file by
deleting archived documents or reducing them in size. You can
reduce the size of the document by first removing attachments, and
then leaving only the header information or leaving the header
information and a portion of the mail document.
Client-based and server-based archiving
When you use policies to manage archiving, you use either server-based
archiving or client-based archiving. In either case you can archive to a
server. The terms server-based or client-based refer to where the
archiving process occurs, either on a server or on the client’s workstation.
If you choose to archive on a server, you must create a program
document to run the Compact server task. If you choose client-based
archiving, however, the workstation must be running in order to archive
documents. If archiving is scheduled at a time during which the
workstation is not running, archiving will not occur. You can archive
mail files to the following:
• Server-based archiving — Using this option, the mail server archives
to the mail server itself, or to another server that you designate as the
archive server.
• Client-based archiving — Using this option, the individual
workstations process mail file archiving. Depending on where the
mail file resides, either on a mail server or on their individual
workstations, mail is archived to the mail server, a designated server,
or to their local workstations.
For more information on using a program document to run the Compact
server task, see the chapter “Improving Database Performance.”
An example of using policies to manage mail file archiving
Acme’s administrator is happy to learn of policy-based archiving because
of these issues with archiving mail files:
• Space is tight on the mail server.
• Acme needs a centralized archive server.
• Archiving cannot occur during peak work hours.
• End users must not be allowed to control their archive settings.
• Lotus Notes 6 clients will not be rolled out immediately.
To resolve Acme’s archiving issues, the administrator uses these Archive
policy settings, and applies them to all users via organizational policies.
• Archive settings are centrally managed and enforced by the
administrator; users are prohibited from changing or creating
archive settings.
• Server-based archiving is enabled from a mail server to a designated
archive server.
• The designated archive server is a Domino 6 server so that policies
can be enforced in a mixed environment.
• Archiving is scheduled to occur during off hours.
• Optionally, pruning (removing attachments and body of mail, but
leaving header information intact) might be helpful, depending on
how tight space is on the mail server.
Using the mail archive log
To monitor mail document archiving, you can log archiving activity to an
archive log database. Information stored in a user’s Archive Log includes
the log date, the number of documents stored in the archive database and
deleted from the mail file, archive failures, and the locations of the
original mail file source and archive destinations.
You can use the mail archive log, for example, to track a document you
thought was deleted. You can easily scan the Archive Log to see if the
document was archived. And since the archive log provides links to
archived documents, you can access the archived document from within
the archive log.
Specifying the name and location for the Archive Log database
By default, the archive log database is stored in c:\notes\data\archive,
where archive is the default name for the archive directory. The default
name format for a user’s archive log database file is l_xxxx.nsf, where l_
is the prefix and xxxx is the name of the user’s mail database. The name
of the log database is based on a specified number of characters (the
default is 6) from the user’s ID. For example, for the end user John Smith,
whose ID is jsmith, the archive log database name is l_jsmith.nsf.
For more information about the type of information stored in an
Archiving Log, see the chapter “Improving Database Performance.”
Creating an archive policy settings document
To set up mail file archiving, you use both archive and archive criteria
policy settings documents. The archive policy settings document
specifies whether or not to allow archiving either centrally by
administrators or privately by Notes users. If you prevent all archiving,
then that is your archive policy setting, and you must include it in your
policy. If you prevent private archiving, then the Archive Settings policy
document determines how documents in the user’s mail file are archived
and users cannot change these settings or create private archive settings.
If you allow archiving, use the archive policy settings document to define
whether archiving is server-based or client-based, to specify source and
destination archive servers, and to set the archive schedule. You can also
change the name and location of the default archive log file if you choose.
Each archive policy settings document requires at least one archive
criteria policy settings document, which specifies the criteria for
document selection and defines how to clean up the mail file.
To create archive policy settings
1. Make sure that you have Editor access to the Domino Directory and
one of these roles:
• PolicyCreator role to create a settings document
• PolicyModifier role to modify a settings document
2. From the Domino Administrator, select the People & Groups tab,
and then open the Settings view.
3. Click “Add Settings,” and then select Archive.
4. On the Basics tab, complete these fields:
• Name — Enter a name that identifies the users (and, if you are a
service provider, the hosted organization) that use these settings.
• Description — Enter a description of the settings.
5. (Optional) Under Archiving options, choose one of the following if
you want to prohibit archiving. The default is to allow both.
• Prohibit archiving — to prohibit all archiving. Then save the
document.
• Prohibit private archiving settings — to prohibit Notes users from
creating private archive settings or modifying the archive settings
defined in this settings document.
6. Under Archive locations, choose one:
• Archiving will be performed on user’s local workstation — to use
the Notes client workstation to perform the archive process (the
default).
• Archiving will be performed on a server — to use a server to
perform the archive process.
Note If you choose “Archiving will be performed on a server,” you
must create a program document to run the compact task.
For more information on using a program document to run the
Compact server task, see the chapter “Improving Server
Performance.”
7. Under “Archive source database is on,” specify the server or
workstation on which the mail file that will be archived is located.
Choose one:
• Local — if the mail file is on the user’s workstation (available for
client-based archiving only).
• Specific server — if the mail file is on a server other than the mail
server. Then specify the name of the server.
• Mail server — if the mail file is on a mail server (default).
8. Under “Destination database is on,” specify the server or
workstation on which the archive database will reside. If you
allow private archiving, you must give the user Create access on the
destination server to create an archive database. Choose one:
• Local — to create the mail archive database on the user’s
workstation (available for client-based archiving only).
• Specific server — to create the mail archive database on a server
other than the mail server. Then specify the name of the server.
• Mail server — to create the mail archive database on the mail
server.
9. On the Selection Criteria tab, do one or more of the following:
• Click New Criteria to create a new Archive Criteria Settings
document. Then, click Add Criteria and select your newly defined
criteria document.
• Click Add Criteria, and then choose an archive criteria settings
document to add criteria.
• Click Remove Criteria, and then choose an archive criteria settings
document to remove criteria.
For information on creating an archive criteria settings document, see
the topic “Creating Criteria for mail archiving,” later in this chapter.
10. Click the Logging tab. Under Archive Logging, check the field “Log
all archiving into a log database” to log archiving activity to a log
database (the default).
11. (Optional) Change any of these fields if you want to change the
location of the log directory and log file name.
12. In the field “Include document links to archived documents,” do one:
• Check the field to include links to archived documents in the log
(default). If you include links, users can open archived documents
from within the log database.
• Uncheck the field to exclude links to archived documents in the
log. If you exclude links, users must open the archive database to
view archived documents.
13. If you chose client-based archiving, click the Schedule tab. In the
field “Enable client-based scheduled archiving” do one:
• Check (default) to set up a schedule for client-based archiving,
and then specify the schedule.
• Uncheck to allow users to set their own schedule for archiving.
14. (Optional) If you checked “Enable client-based scheduled archiving,”
complete one or more of these fields:
• Allow end user to modify schedule settings — Do one: Check to allow users to modify the archive schedule. You can enable this setting even though private archive settings are prohibited. Uncheck (default) to prohibit users from modifying the archive schedule.
• Frequency — Choose one: Daily, and then select the days of the week on which to archive. Weekly (default), and then choose the day of the week on which to archive.
• Run at — Specify the time. The default is 12:00 pm.
Note The Notes client must be running for scheduled archiving to occur.
15. Under Location, specify the locations from which to archive. For
example, if you are using client-based archiving, you may want to
archive only from a user’s office workstation, not from an island or if
the user has dialed in. Choose one:
• Any location — to archive from any location.
• Specific location — and then specify one or more locations.
16. On the Advanced tab, in the field “Don’t delete documents that have
responses,” do one:
• Check (default) to archive but not delete documents that have
responses.
• Uncheck to archive and then delete documents that have
responses.
17. Save the document.
Creating criteria for mail archiving
You use an Archive Criteria policy settings document to define sets of
criteria to use when archiving a Notes user’s mail documents. You create
an Archive Criteria policy settings document from within an Archive
policy settings document. After you create archive criteria, you can use it
in one or more archive policy settings documents.
When you specify archive criteria, you determine what to do with old
documents in a user’s mail file. Do you archive them (copy them to an
archive database) or just delete them? If you archive them, you
determine how to “clean up” the copies of the archived mail documents
that remain in the user’s mail file. And finally, you define what an old
document is.
Mail file criteria answer these questions:
• How should documents be archived? Archiving can be a
combination of copying old documents to an archive database and
then performing clean-up tasks on the user’s mail file, or just deleting
them.
• How should documents be cleaned up? Once documents have been
copied to an archive database, you can either delete the copies that
remain in the user’s mail file, or reduce the size of the document.
• Which documents should be cleaned up? You provide a definition of
an “old document” by specifying age criteria, and then applying that
age criteria either to all documents or all documents in specified
folders.
Specifying the name and location for the Archive database
By default, the archive mail database is stored in the directory archive,
located in the data directory. Archive is the default name for the archive
directory. The default name format for a user’s archive database file is
a_xxxx.nsf, where a_ is the prefix and xxxx is the name of the mail
database. The name of the archive database is based on a specified
number of characters (the default is 6) from the user’s mail file. For
example, for the end user John Smith, whose mail file is jsmith, the
archive database name is a_jsmith.nsf.
To create archive criteria policy settings
1. From the Domino Administrator, select the People & Groups tab,
and then open the Settings view.
2. Do one:
• Select the Archive policy settings document for which you want to
create archive criteria settings, and then click “Edit Settings.”
• Click “Add Settings” and then select Archive to create a new
Archive policy settings document.
3. Select the Archive Criteria tab, and then click “New Criteria.”
4. Provide the following information on the Basics tab:
• Name — Enter a name that identifies the archive criteria. When you add criteria to a criteria policy settings document, this is the name that appears in the selection box. This name also appears in the user’s mail folder outline under tools - archive.
• Description — Enter a description of the criteria.
• Archiving is enabled — Do one: Check to enable this archive criteria. Uncheck if you are creating archive criteria to use later.
• Archive Directory — The default is archive. Enter a new name if you want to change it.
• Archive Prefix — The default is the letter a, followed by an underscore (_). Enter a new prefix if you want to change it.
• Archive suffix — The default is no suffix. Enter a suffix for the archive database name if you want to add one.
• Number of characters from original filename — The default is 6. To change this, enter the number of characters to use from the user’s mail file to create the archive database name.
5. Save the document.

Creating a policy document
When you create a policy, you use a Policy document to specify which
policy settings documents to include. You can create policy settings
documents before you create the policy document, or you can create
them while you create the Policy document.
If you are creating an exception policy, include only the policy settings
documents that have settings whose values you do not want to enforce.
For each setting you do not want to enforce, change the value as
required. Exceptions are made at the policy setting level. When the
effective policy settings are resolved, any settings you specify in the
exception policy apply.
Policy document names
The names of Policy documents must be in one of the formats below.
However, when you create a Policy document, you do not have to
include the asterisk (*) or slash (/) when you enter a policy name.
Domino adds them for you depending on the type of policy you specify.
• */organization — an organizational policy that is automatically
applied at the organization level
• */organizational unit/organization — an organizational policy that is
automatically applied to an organizational unit
• */hosted organization — an organizational policy that is automatically
applied to a hosted organization
• * — an organizational policy that is automatically applied to
everyone in the Domino Directory
• /policyname — an explicit policy that must be assigned manually, but
can be assigned at any organizational level
To create a policy document
1. Make sure that you have Editor access to the Domino Directory and
one of these roles:
• PolicyCreator role to create a policy document
• PolicyModifier role to modify a policy document
2. From the Domino Administrator, click the People & Groups tab, and
then open the Policies view.
3. Click Add Policy.
4. Under Basics, complete these fields:
• Description — Enter a description of the policy.
• Policy type — Choose one:
  • Explicit — to create a policy to assign to specific users and groups.
  • Organizational — to create a policy that is automatically assigned to all users in the part of the organization specified in the Policy name field.
• Policy name — Enter one:
  • A unique name, for an explicit policy.
  • The name of the organization or organizational unit, such as Acme or Sales/Acme.
  • The name of the hosted organization.
  • To create a policy for all hosted organizations in the Domino Directory, do not enter a policy name. By default Domino will enter the asterisk for you.
5. (Optional) Click Create Child to create a child policy document that
includes the name of the parent policy. You can save the child policy
document and return to it at a later time. When you close this
document you return to the parent policy document.
6. To specify the policy settings documents to include in this policy, for
each type of settings do one:
• Select a policy settings document from the list.
• Click “New” to create a new policy settings document. Then, after
you create the policy settings document, select it from the list.
Note If the name of the new policy settings document does not
appear as a selection, you may need to refresh the view (press F9).
7. (Optional) To create an exception policy, click the Administration tab
and enable “Exception Policy.”
Caution Be cautious when creating an exception policy. An
exception policy allows a user to override enforced policy settings.
8. Save the document.
For more information on exception policies, see the topic “Organizational
and explicit policies,” earlier in this chapter.
Creating a child policy document
When you create a child policy, you use a Policy document to specify
which policy settings documents to include.
In explicit policies, you create a child policy by setting up the
child/parent name structure. For example, the policy /Contractors may
have a child policy called /Short term/Contractors.
In organization policies, child policies follow the hierarchy of the
organization. So the child of */Acme is */Sales/Acme.
To create a child policy
1. Make sure that you have Editor access to the Domino Directory and
one of these roles:
• PolicyCreator role to create a policy document
• PolicyModifier role to modify a policy document
2. From the Domino Administrator, click the People & Groups tab, and
then open the Policies view.
3. Select the name of the policy for which you want to create a child
policy, and click Edit Policy.
4. Under Basics, click Create Child.
5. In the Policy Name field do one:
• Organizational policy — enter the name of the organizational unit,
followed by the Organization or the Organizational unit that
displays in the Parent Policy field. For example, if */Acme is in the
Parent policy field and you want to create a child policy for the
Sales/Acme organization unit, enter Sales/Acme. When the policy
is saved, the name will be */Sales/Acme.
• Explicit policy — enter a name for the child policy followed by the
text that displays in the Parent policy field. For example, if the
Parent policy field is /Contractors and you want to create a child
named Short term, enter Short term/Contractors. When the policy
is saved the name will be /Short term/Contractors.
6. Complete the remaining fields using the same procedure you used to
create a policy document.
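The naming rules for organizational and explicit child policies, and the top-down chain of policy documents that the Policy Synopsis summary reports, worked through in Python as an added example that is not part of the Domino documentation. The policy names, user names and helper function names are constructed for illustration.

```python
# Added example, not from the Domino documentation: models the policy naming
# rules described above. Policy names, user names and helper names are
# constructed for illustration.


def _split_policy_name(name: str) -> tuple[str, list[str]]:
    """Split "*/Sales/Acme" into ("*/", ["Sales", "Acme"]) and
    "/Short term/Contractors" into ("/", ["Short term", "Contractors"])."""
    if name.startswith("*/"):                # organizational policy
        return "*/", name[2:].split("/")
    if name.startswith("/"):                 # explicit policy
        return "/", name[1:].split("/")
    raise ValueError(f"not a policy name: {name!r}")


def child_policy_name(parent: str, entered: str) -> str:
    """Return the name Domino saves for a child created under `parent`.

    Under the organizational parent "*/Acme" the administrator enters
    "Sales/Acme" and the saved name is "*/Sales/Acme"; under the explicit
    parent "/Contractors", entering "Short term/Contractors" gives
    "/Short term/Contractors". The entered text must end with the text shown
    in the Parent policy field, or the child would not sit under that parent.
    """
    prefix, parent_parts = _split_policy_name(parent)
    parent_body = "/".join(parent_parts)
    if not entered.endswith("/" + parent_body):
        raise ValueError(f"{entered!r} does not end with /{parent_body}")
    return prefix + entered


def policy_hierarchy(policy: str, existing: set[str]) -> list[str]:
    """Ancestor chain of a policy, top down, limited to documents that exist.

    policy_hierarchy("*/East/Sales/Acme", ...) gives ["*/Acme", "*/Sales/Acme",
    "*/East/Sales/Acme"] when all three exist. Levels with no policy document
    are skipped, which is what the Policy Synopsis summary lists: only the
    documents actually used to derive the effective policy."""
    prefix, parts = _split_policy_name(policy)
    chain = []
    for depth in range(1, len(parts) + 1):
        name = prefix + "/".join(parts[-depth:])
        if name in existing:
            chain.append(name)
    return chain


def organizational_policies_for(user_name: str, existing: set[str]) -> list[str]:
    """Organizational policies that apply to a hierarchical Notes name such as
    "Jane Doe/Sales/Acme": the chain for "*/Sales/Acme", the user's own OU."""
    if "/" not in user_name:                 # flat name: no organization
        return []
    ou = user_name.split("/", 1)[1]          # drop the common name
    return policy_hierarchy("*/" + ou, existing)
```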
9-34 Administering the Domino System, Volume 1
Managing policies
To manage policies, you can do any of the following:
• Edit policies
• Delete policies
• Create a report of the effective policy
• View policy relationships
• Assign an explicit policy or change a policy assignment
Editing policies
Use this procedure to edit existing policy and policy settings documents.
Although you can delete a policy from the Domino Directory, you must
use the Policy - Delete tool on the Configuration tab to remove all
occurrences of the policy and its settings.
1. Make sure that you have at least Editor access to the Domino
Directory and the PolicyModifier role.
2. From the Domino Administrator, click the People & Groups tab.
3. Open the Domino Directory, and choose one of these views:
• Policies — to edit a policy document.
• Settings — to edit a policy settings document.
4. Open, edit, and then save the document.
Deleting policies
Use this procedure to delete policy and policy settings documents. This
table describes the result of each type of deletion.
To delete a policy
1. From the Domino Administrator, click the Configuration tab, and
then open the Policies - Hierarchy view.
2. Select the policy or settings document you want to delete.
3. Click Tools - Policies - Delete.
The policy tools are not available in the Web Administrator client. For
more information on deleting policies in the Web Administrator, see the
chapter “Setting up and Using Domino Administration Tools.”
Using the Policy Synopsis tool to determine the effective policy
To determine the effective policy governing a selected user, use the
Policy Synopsis tool to generate a report that is written to the Policy
Synopsis Results database (POLCYSYN.NSF).
Note The policy tools are not available in the Web Administrator client.
To use the Policy Synopsis tool
1. From the Domino Administrator, click the People & Groups tab.
2. Select the People view, and then select one or more users.
3. From the Tools pane, select Policy Synopsis.
4. Under Select Report Type choose one of the following:
• Summary Only — (default) to produce a report that lists the
hierarchy of policy documents used to derive the effective policy
for the specified user.
• Detailed — to produce a report that lists the hierarchy of policy
documents of the effective policy for the specified user, and
includes the actual values, and the policy and policy settings
documents from which each value was derived. Then select the
policy settings documents for which you want details.
5. Under Results Database choose one of the following:
• Append to this database — (default) to add to the list of previous
reports.
• Overwrite this database — to remove reports in the database and
write the new reports.
6. (Optional) Click Results Database to change the name or location of
the results database. The default is Policy Synopsis Database on local.
7. Click OK. When the Policy Synopsis Results database
(POLCYSYN.NSF) opens, double-click the report to open it.
Viewing policy relationships
The policy viewer is a convenient tool you can use to view each policy,
the settings associated with each policy, and how they relate to each
other. The policy viewer is also versatile because of the number of ways
in which you can view policy documents. For example, you can view the
settings for each policy, the settings by functional area, or the settings
assigned to specific users. You can also view effective policies on
different levels in the policy hierarchy, which helps you to understand
the impact of changing a policy setting. You can view policy documents
using one of two views, By Hierarchy and By Settings.
How to use the policy viewer
The policy viewer has three panes. Depending on your selection in the
top left pane, the results in the right top pane differ. The bottom pane
always shows either an actual policy settings document or an effective
policy settings document, based on your selections in the top two panes.
You can edit a policy settings document in the policy viewer. You cannot
edit an effective policy because the settings are derived settings.
Example of using the By Settings view
The administrator at the Acme company wants to use the policy viewer to:
• View all policy settings documents in a domain
• View all policies that use a selected policy settings document
• View and edit a policy settings document
• View the effective policy settings
To view this information the administrator performs these tasks:
• Selects the By Settings view in the policy viewer and looks in the
upper left pane to view all policy settings documents, grouped by
administrative area.
• Selects one of the policy settings in the upper left pane. All policies
that use that policy settings document display in the upper right
pane. The actual policy settings document displays in the bottom
pane, where it can be edited.
• In the top right pane, selects one of the policies. The effective
policy settings display in the bottom pane. These cannot be edited.
Example of using the By Hierarchy view
The administrator at the Acme company wants to use the policy viewer to:
• View the policy hierarchy for the Acme domain
• View the policy hierarchy for a Notes user in the Acme domain
• View the settings documents used by each policy
• View the differences between the effective policy and the policy
settings for a policy settings document
To view this information the administrator performs these tasks:
• Selects the By Hierarchy view in the policy viewer and, in the field
“Show policy hierarchy for,” selects Acme domain. Looks in the
upper left pane to view the policy hierarchy.
• In the field “Show policy hierarchy for,” selects “Specific User,”
and then selects the name of a user to view the user’s policy
hierarchy in the upper left pane.
• Selects a policy in the left pane to view the policy settings
documents used by the selected policy in the upper right pane.
• In the top right pane, selects one of the policy settings documents.
The administrator can switch from the effective policy settings to
the actual policy settings document in the bottom pane.
• To see how changing a policy setting affects the effective policy,
the administrator can edit the policy settings document and then
switch views in the bottom pane.
Using the policy viewer
You use the policy viewer to view the relationships of policies and policy
settings documents in a policy hierarchy.
By Settings view
1. From the Domino Administrator, click the Configuration tab.
2. Open the Policies view, and then select the By Settings view.
3. Choose any of the following tasks:
Task: View a list of all policy settings documents in your domain
Action: Expand the functional areas in the left pane.
Task: View a list of all policies that use a policy settings document
(displayed in the right pane)
Action: 1. In the left pane, select a policy settings document. 2. View
the policies that use that policy settings document in the right pane.
Task: View and edit a policy settings document
Action: 1. Select a policy settings document in the left pane. 2. The
selected policy settings document displays in the bottom pane.
Double-click the document to edit it.
Task: View the effective policy settings for a functional area (displayed
in the bottom pane)
Action: 1. Select a policy settings document in the left pane. 2. Select
a policy document that uses those settings in the right pane. 3. View
the effective policy in the bottom pane.
By Hierarchy view
Task: View the policy hierarchy for a domain
Action: 1. In the field “Show policy hierarchy for,” select a domain.
2. View the domain’s policy hierarchy in the upper left pane.
Task: View the policy hierarchy for a Notes user
Action: 1. In the field “Show policy hierarchy for,” select Specific User,
and then select the name of a Notes user. 2. View the policy hierarchy
for the user in the upper left pane.
Task: View the settings documents used by each policy
Action: 1. Select a policy in the left pane. 2. View the policy settings
documents used by the selected policy in the upper right pane.
Task: View the differences between the effective policy and the policy
settings for a policy settings document
Action: 1. In the top right pane, select a policy settings document and
make any changes to the settings. 2. In the bottom pane, choose one of
the “Show” options to view either the effective policy settings or the
actual policy settings document.
Assigning an explicit policy
You assign explicit policies manually in one of three ways: during user
registration, with the Assign Policy tool, or in the Person document. If
your policies include setup and registration settings, assign them during
user registration so that you can take advantage of these settings.
Use the Assign Policy tool to apply explicit policies to existing Notes
users or to groups, or to change the assignment from one explicit policy
to another.
Note The Assign Policy tool is not available in the Web Administrator.
You can also add, change, or remove an explicit policy assignment to an
individual Notes user in the Person document. All changes to policy
assignments are recorded in the log file (LOG.NSF).
Assigning explicit policies in the Person document
You can assign or change a user’s explicit policies in the Person
document. Changes to the Desktop, Security, or Archive policy settings
that are associated with an explicit policy can be distributed this way.
Changes to a user’s settings that were previously defined using
Registration and Setup policy settings are not made retroactively, so you
would need to make any changes to those settings manually in the
Person document. For example, roaming user settings can be defined in a
Registration policy setting document. But you cannot change a user’s
roaming user status by changing the Registration policy setting
document for that user.
Assigning explicit policies using the Assign Policy tool
You can assign an explicit policy to a user or group, or you can change
the explicit policy assignment using the Assign Policy tool. Use this tool
when you want to make changes to multiple users or groups. You can
distribute changes to the Desktop, Security, or Archive policy settings
that are defined in explicit policies using this tool. When you change the
explicit policy for a user or group using this tool, you have the option of
viewing the way the policy assignment change impacts the effective
policy for that user or group.
From the Person document
1. Make sure that you have at least Editor access to the Domino
Directory or that you have Author access with the UserModifier role.
2. From the Domino Administrator, click the People & Groups tab, and
then open the People view.
3. Select the name of the person whose policy assignment you want to
change, and click “Edit Person.”
4. In the Person document, click the Administration tab.
5. Under Policy Management, in the Assigned policy field, do one of the
following:
• To assign or change an explicit policy assignment, select a policy
from the list.
• To remove an explicit policy assignment, select the name of the
explicit policy and delete it.
6. Save the document.
From the Assign Policy tool
1. Make sure that you have at least Editor access to the Domino
Directory and the ObjectModifier role.
2. From the Domino Administrator, click the People & Groups tab.
3. Do one of the following:
• Open the People view, select one or more users, and then from the
Tools pane, click People.
• Open the Groups view, select one or more groups, and then from
the Tools pane, click Groups.
4. Choose Assign Policy.
5. For the field “Allow replacement of an existing policy,” check this
option to replace an existing explicit policy with a new one. This
option is not available if the selected user has no explicit policy
currently assigned, or if no user in the selected group has one.
6. In the Policy field, select the explicit policy you want to assign from
the list.
7. Check the “Perform updates in background” option when you are
assigning policies to a large number of users.
8. (Optional) Click “View policy synopsis” to see the new effective
policy.
9. In the “Choose Organizational Policy” dialog box, choose the
organizational policy you want to combine with the explicit policy to
create the new effective policy.
The policy tools are not available in the Web Administrator client. For
more information on deleting policies in the Web Administrator, see the
chapter “Setting up and Using Domino Administration Tools.”
Chapter 10
Setting Up Domain Search
This chapter describes how to set up Domain Search, which Lotus Notes
or Web users can use to search an entire Domino domain for documents,
files, and attachments from a centralized server.
Domain Search
Notes and Web users can use Domain Search to search an entire Domino
domain for database documents, files, and attachments that match a
search query.
To support Domain Search, you need to designate a Domino server as
the indexing server, which builds a domain wide index that all Domain
Search queries run against. In order for the indexing server to build the
index, you must first create a Domain Catalog on the server — a database
that controls which databases and file systems get indexed. The indexing
server then spiders, or crawls, the servers that contain the content to be
indexed.
When a user submits a query, the results that the indexing server returns
contain only database documents to which that user has appropriate
access.
If the indexing server is set up as a Domino Web server, it can support
searches from both Lotus Notes and Web browsers.
Support for multiple languages
With Domain Search, you can index and search on documents regardless
of their language. Even multiple-language documents can be indexed.
If users choose to display document summaries in their search results,
Domain Search cannot create these summaries in all languages. You can
use the NOTES.INI setting FT_Summ_Default_Language to specify
which language the summary should default to in these cases.
For more information, see the appendix “NOTES.INI File.”
Domain Search and single-database full-text search
Single-database full-text indexing and domain indexing are distinct
processes in Lotus Notes/Domino, and most likely you will want to use
both.
Use Domain Search for less active databases such as archives and
product specifications. Use full-text indexes for single databases for
active databases such as mail files, discussion databases,
problem-tracking databases, or any database used for generating reports.
You might also want to have single-database full-text indexes on servers
with restricted user access, or in cases where users already know what
database they want to search in.
For information on setting up full-text indexes for single databases, see
the chapter “Setting Up and Managing Full-text Indexes.”
Implementing Domain Search
Implementing Domain Search in a Domino domain involves these major
tasks:
• Planning the Domain Index
• Creating the Domain Index
• Customizing Domain Search forms
• Setting up Notes users for Domain Search
• Setting up Web users for Domain Search
Server configurations for Domain Search
This topic describes required and optional configurations for the servers
you use for Domain Search.
Configuration for the Domain Catalog
It is best to set up the Domain Catalog on the same server that indexes
the Domino domain. If you have a very large number of databases to
catalog, you can decrease network traffic by running the Catalog task
nightly on all servers. That way, when the Catalog task runs on the
server that contains the Domain Catalog, the Domain Catalog uses pull
replication from the local catalogs rather than spiders every database.
You can shorten the time it takes to run the Catalog task by splitting it
among several servers: Server A catalogs servers 1 to 25, Server B
catalogs servers 26 to 50, Server C catalogs servers 51 to 75, and so on.
You can also limit the scope of the Domain Catalog by using the “Limit
domain cataloging to the following servers” field.
Configurations for the Domain Index
The indexing server must be capable of handling the load of creating
indexes and handling user queries. The indexing server should be fast,
powerful, and have a large amount of disk space. Multiple processors, a
large amount of RAM, and multiple high-volume drives will increase the
efficiency and capabilities of searches.
For indexing servers running Windows NT or Windows 2000, the
following minimum configuration is required:
• An Intel Pentium II 350MHz processor
• 256MB RAM
• Free disk space equal to approximately 30 percent of the size of the
data being indexed
For information on estimating the size of the data to be indexed, see
the topic “Estimating the size of the Domain Index” later in this
chapter.
If your organization has more than six Domino servers, dedicating one
server as the indexing server provides optimal performance.
Consider clustering indexing servers to ensure greater reliability and
fault-tolerance and to balance the load from user queries. If you use
clustered indexing servers, create a replica of the Domain Catalog on
each of those clustered servers.
For more information, see the book Administering Domino Clusters.
Domain Search over a WAN
If your organization is geographically dispersed, cataloging databases
over a WAN is the only way that different locations can share a single
Domain Index. The cataloging server should access the WAN directly
rather than through a hub server, because cataloging uses large amounts
of processing resources.
To index data in different locations, you can choose to replicate all
databases to be indexed to servers in the same location as the indexing
server, thus eliminating the need for the indexing server to spider over
the WAN. The servers containing the databases to be indexed should be
ones with fast LAN connections. Even within the same location,
databases on servers with slow LAN connections should be replicated to
ones with fast connections.
Tip You can use replication events in the Notes Log as a guide for
determining which servers have fast connections by looking at the
information for the Domain Catalog database (CATALOG.NSF).
Determine which servers the Catalog was able to do pull replication with
in an average time of less than 1 minute.
Reset the “Include in multi database index” database property for each
replica on the servers to be indexed, because this setting does not always
replicate.
When you create the Domain Index, use the “Limit domain wide
indexing to the following servers” field to limit indexing to these servers.
Planning the Domain Index
Because the initial process of spidering databases and file systems and
creating a full-text index for an entire Domino domain can take days or
even weeks, it is important to plan carefully before starting the indexing
server. The more you have thought about what data sources should be
indexed, how they should be categorized in the Domain Catalog and
search form, and how much space your Domain Index requires, the less
work you will have to do.
Note Indexing unnecessary databases causes users’ search results to be
less meaningful, takes up space on the server, and adds time to the
indexing process, which indexes about 700MB to 1GB of information per
hour, depending on hardware and the content being indexed. At a
minimum, avoid indexing the following types of databases:
Administration Requests databases, database catalogs, database libraries,
Event message databases, log databases, mail databases, portfolio
databases, and server statistics databases.
Here is a methodology for planning the Domain Index.
1. Use the Domain Catalog to control settings for which databases to
index.
2. (Optional) Use the Domain Catalog to control settings for which file
systems to index.
3. (Optional) Estimate the size of the Domain Index.
4. (Optional) Prevent attachments from being indexed.
5. Use the Domino Administrator to assign each database to be indexed
to one or more categories in the Domain Catalog and the search
form.
6. Analyze any security issues that implementing Domain Search in
your organization might raise.
The Domain Catalog
The Domain Catalog, a database that uses the CATALOG.NTF template,
controls which databases and file systems get indexed for Domain
Search. Even if your organization is not implementing Domain Search,
the Domain Catalog is a useful administrative tool for such tasks as
keeping track of the location of database replicas.
You create the Domain Catalog by enabling the Catalog task on the
server that will index the Domino domain.
The portions of the Domain Catalog of interest to the Domain Search
administrator are those that indicate which databases and file systems
the indexing server will include in the Domain Index, as well as the
forms used to search the index. Database designers and managers select
a database for indexing by enabling the database property “Include in
multi database indexing.” (Administrators can configure this setting for
multiple databases using the Domino Administrator.) These settings are
saved to the Domain Catalog when the Catalog task runs.
Administrators can also control which databases are included in the
Domain Index by customizing the selection formula for a hidden view
($MultiDbIndex) in the Domain Catalog.
Administrators specify which file systems to index by adding a File
System document to the Domain Catalog for each file system on a server.
Because the Catalog task creates the Domain Catalog by using pull
replication of the database catalogs on individual servers, updating the
Domain Catalog is usually not a lengthy process if you have already
created a database catalog on every server. What can be time consuming,
however, is rebuilding the views in the Domain Catalog after an update.
For more information on creating database catalogs, see the chapter
“Setting Up Database Libraries and Catalogs.” For more information on
rebuilding views, see the chapter “Maintaining Databases.”
Domain Catalog views
The Domain Catalog’s views provide information about the databases,
servers, and users in the Domino domain.
Hidden views
You can display hidden views in the Domain Catalog by holding down
CTRL-SHIFT as you open the Catalog. Server tasks use hidden views to
access information quickly. The hidden views $MultiDbIndex and
$FileSystem are the work queues for the Domain Indexer task. These
views show which databases and file systems will be spidered to create
the Domain Index. The $MultiDbIndex view is sorted by replica ID,
number of documents in the replica, and server to ensure that the most
recent replica (the one containing the greatest number of documents) is
the one included in the Domain Index.
Creating the Domain Catalog
You create the Domain Catalog by enabling the Catalog task on the
server that hosts the Catalog for the Domino domain. The Catalog task
uses pull replication to create the Domain Catalog from the individual
catalogs you have created on servers throughout the Domino domain.
You can replicate the Domain Catalog to other Domain Catalog servers
(such as those in a cluster).
1. From the Domino Administrator, select the server that you want to
contain the Domain Catalog.
2. Click the Configuration tab.
3. Expand the Server section in the view pane.
4. Click Current Server Document.
5. Click Edit Server, and then click the Server Tasks - Domain Catalog
tab.
6. In the Domain Catalog field, select Enabled.
7. Click OK.
8. To change the scope of the Domain Catalog, select the servers that
you want to include in the “Limit domain cataloging to the following
servers” field. Use wildcard characters to index all servers certified
with a specific certifier — for example */Sales/East/Acme. If the
field is blank (default), all servers in the domain are cataloged.
Tip Use this field to limit the scope of the Domain Catalog to
regional locations or to expand its scope to multiple Domino
domains by cataloging multiple Domain Catalog servers.
9. Click “Save and Close.”
10. Make sure the Catalog task is included in the ServerTasksAt1 setting in
the server’s NOTES.INI file, or use another method (start the Catalog
task at the console or create a Program document) to run the task.
When the Catalog task starts for the first time, Domino creates the
Domain Catalog database based on the CATALOG.NTF template and
adds entries to the ACL so the database replicates properly within the
domain. The Administration Process creates the group
LocalDomainCatalogServers in the Domino Directory and adds the
server that contains the Domain Catalog to that group.
Selecting which databases to include in the Domain Index
The indexing server spiders databases that have the option “Include in
multi database indexing” selected on the Design tab of the Database
Properties box.
Begin by using the hidden view $MultiDbIndex in the Domain Catalog to
see which databases have already been selected to be included in the
Index by database managers. If you see databases in the view that should
not be in your Domain Index, such as personal mail databases or
databases of limited interest, or if important databases are missing from
the view, either customize the $MultiDbIndex view’s selection formula or
use the Domino Administrator to include or exclude databases.
Using $MultiDbIndex to view which databases will be indexed
1. From the Domino Administrator, choose File - Database - Open.
2. Select the cataloging server for the domain, and then select Domain
Catalog.
3. Hold down CTRL-SHIFT and click Open.
The Domain Catalog opens and displays its hidden views.
4. In the view pane, click $MultiDbIndex.
The view displays the replica ID of each database that will be
included in the Domain Index, followed by a line of information
about each replica.
Note If multiple replicas of a database were selected for indexing,
Domain Search selects the replica containing the greatest number of
documents.
Using $MultiDbIndex to change which databases will be indexed
Customizing the selection formula for the $MultiDbIndex view is the
simplest and best way to control which databases are included in the
Domain Index.
The following is an example of a custom selection formula. In this
example, the indexing server will ignore “Include in multi database
indexing” settings and index only databases in the smoketestdata
directory on servers that contain “hub” in the server name.
SELECT @IsAvailable(ReplicaID) &
@IsUnavailable(RepositoryType) & @Contains((pathname);
"smoketestdata") & @Contains((server); "hub")
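As an added example that is not part of the Domino documentation, the following Python models how the indexer's work queue is derived from the sample selection formula above together with the $MultiDbIndex replica rule (the replica with the most documents is indexed). The catalog entries, replica IDs and the “documents” field are constructed; the case-insensitive substring match is an assumption, so check the Formula Language reference for the exact behaviour of @Contains.

```python
# Added example, not from the Domino documentation: emulates the sample
# $MultiDbIndex selection formula and the "most documents wins" replica
# rule over constructed Domain Catalog entries. Field names mirror the
# formula (ReplicaID, RepositoryType, pathname, server); "documents" is a
# constructed stand-in for the replica's document count.
from typing import Iterable


def is_available(entry: dict, field: str) -> bool:
    """@IsAvailable: true when the field exists on the catalog document."""
    return field in entry


def matches_selection(entry: dict) -> bool:
    """SELECT @IsAvailable(ReplicaID) & @IsUnavailable(RepositoryType) &
       @Contains((pathname); "smoketestdata") & @Contains((server); "hub")
    Assumption: the substring tests are case-insensitive here."""
    return (is_available(entry, "ReplicaID")
            and not is_available(entry, "RepositoryType")
            and "smoketestdata" in entry.get("pathname", "").lower()
            and "hub" in entry.get("server", "").lower())


def build_work_queue(entries: Iterable[dict]) -> list[dict]:
    """Apply the selection, then keep one entry per replica ID: the replica
    with the most documents, which is what the $MultiDbIndex view's sort
    order (replica ID, document count, server) achieves. Ties are broken by
    server name here; that tie-break is an assumption of this example."""
    best: dict[str, dict] = {}
    for entry in entries:
        if not matches_selection(entry):
            continue
        rid = entry["ReplicaID"]
        current = best.get(rid)
        if current is None or (entry["documents"], entry["server"]) > (
                current["documents"], current["server"]):
            best[rid] = entry
    return [best[rid] for rid in sorted(best)]


def queued_databases(entries: Iterable[dict]) -> list[tuple[str, str]]:
    """(server, pathname) pairs the indexer would spider, in queue order."""
    return [(e["server"], e["pathname"]) for e in build_work_queue(entries)]


# Constructed catalog entries; replica IDs are placeholders, not real values.
CATALOG_ENTRIES = [
    # Two replicas of one database on hub servers: the larger one is indexed.
    {"ReplicaID": "85256B1A:00123456", "pathname": r"smoketestdata\specs.nsf",
     "server": "Hub1/Acme", "documents": 1200},
    {"ReplicaID": "85256B1A:00123456", "pathname": r"smoketestdata\specs.nsf",
     "server": "Hub2/Acme", "documents": 1350},
    # Right directory, but on a spoke server: excluded by the server test.
    {"ReplicaID": "85256C00:0000ABCD", "pathname": r"smoketestdata\archive.nsf",
     "server": "Spoke1/Acme", "documents": 300},
    # A mail file on a hub: excluded by the pathname test.
    {"ReplicaID": "85256D11:00005678", "pathname": r"mail\jdoe.nsf",
     "server": "Hub1/Acme", "documents": 5000},
    # A File System document carries RepositoryType (constructed value; only
    # the field's presence matters): excluded by @IsUnavailable.
    {"ReplicaID": "85256E22:000000FF", "RepositoryType": "FileSystem",
     "pathname": r"smoketestdata", "server": "Hub1/Acme", "documents": 0},
    # A second hub database that qualifies on its own.
    {"ReplicaID": "85256F33:00001111", "pathname": r"smoketestdata\plans.nsf",
     "server": "Hub1/Acme", "documents": 40},
]

if __name__ == "__main__":
    for server, path in queued_databases(CATALOG_ENTRIES):
        print(f"{server}: {path}")
```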
Using Domino Administrator to change which databases will be
indexed
You can use the Domino Administrator to select or deselect the “Include
in multi database indexing” option on multiple databases at the same
time.
1. From the Domino Administrator, select the server that contains the
databases you want to include in or exclude from the Domain Index.
2. Click the Files tab.
3. Make sure you have Manager access in the ACL for each database
you want to include or exclude.
Tip On the Files tab, you can right-click a database and choose
Access Control - Manage to display its ACL.
Note If you want to include databases whose ACLs restrict default
access, make sure that the LocalDomainServers or
LocalDomainCatalogServers group has at least Reader access to each
database you want to include.
4. Select the databases you want to include or exclude.
Note If you plan to limit the servers to be indexed and have placed
replicas on those servers, you might need to select those replicas
now, even if the “Include in multi database index” database
property was set in the original databases, because this setting does
not always replicate.
5. In the Tools pane on the right, select Database - Multi-Database
Index.
6. Select Enable or Disable.
7. Click OK.
8. Assign categories for each database that you included.
For information on assigning categories, see the topic “Assigning
database categories for the Domain Search form” later in this
chapter.
Selecting which file systems to include in the Domain Index
For each server in a domain, you can create a File System document in
the Domain Catalog to specify which file system directories to include in
the Domain Index. You can index any file system that resides on the
indexing server or on a network resource mapped to that server, as long
as the server has at least Read access to the file system.
For file system searches, the indexing server must also be set up as a
Domino Web server. This allows the server to return links to documents
in the file system and to return those documents in response to queries
from both Notes and Web clients.
For information on setting up a Web server, see the chapter “Setting Up
the Domino Web Server.”
Caution Domain Search filtering of results to users based on access
works only with Domino databases.
For more information on file system security and Domain Search, see the
topic “Domain Search security” later in this chapter.
To select which file systems to include
Add a reference to each file system in the File System document, and
then map the URL path to the file system directory so that the Domino
Web server can retrieve the found documents for users. Complete the
following steps for each server that has file systems you want to index.
1. Start the Domino Administrator or Notes client.
2. Choose File - Database - Open.
3. In the Server field, select the server that contains the Domain
Catalog.
4. Select the Domain Catalog and click Open.
5. In the view pane, click File Systems.
6. Click “Add File System.”
7. Select the server that contains the file system you want to index.
8. Beside the “Current file system list” box, click Add.
9. In the Add File System dialog box, enter the location of a file system
to include, for example c:\lotus\domino\data\files.
10. Enter a keyword, such as “files,” to associate with the file system.
You need to use this keyword in Step 14, as the portion of the
incoming URL pattern that follows the forward slash (/).
11. Click OK to add the file system to the list.
12. Repeat Steps 8 through 11 to add more file systems to the list.
13. When you have completed the list, click “Save and Close.”
14. Create a Web Site Rule document for the Web site for this file system.
This step is needed to map the incoming URL pattern to the file
system directory on the target server.
For more information, see the chapter “Setting Up the Domino Web
Server.”
15. Restart the server, or enter this command at the server console so
that the mapping settings take effect:
tell http restart
Assigning database categories for the Domain Search form
On the Design tab of the Database Properties box, you can assign one or
more categories to each database to be included in the Domain Index.
These categories appear on the search form to provide a user with a way
to narrow a search. Categories are also displayed in views of the
database catalog and Domain Catalog. You must have Manager access to
a database to create the categories.
Note Searching within categories is supported only for Domino
databases. Whenever a user specifies a category on the search form,
search results will not include any documents from file systems.
Use the Categories view in the Domain Catalog to see whether database
managers have assigned databases to appropriate categories. To edit or
add categories, use Database Properties for each database.
To view the search categories
1. Open the Domain Catalog.
2. In the view pane, click Databases and then click By Categories to
view a list of categories.
3. To see information on the databases that have been included in each
category, select View - Expand All.
To add or change search categories
1. From the Domino Administrator, select the server that contains the
databases to which you want to assign categories.
2. Click the Files tab.
3. Make sure you have Manager access in the ACL for each database to
which you want to assign a category.
Tip On the Files tab, you can right-click a database and choose
Access Control - Manage to display its ACL.
4. Select the database that you want to categorize.
5. Choose File - Database - Properties.
6. Click the Design tab.
7. Make sure “List in Database Catalog” is selected.
8. In the Categories box, enter one or more categories for the database.
Separate category names with a comma.
Estimating the size of the Domain Index
The size of a Domain Index is related to the size of the data being
indexed, not to the size of the database. A small database with a lot of
text can generate a larger index than a large database that has a lot of
design elements. There is no easy way to measure the data in a database,
but you can use a percentage of database size to estimate the size of the
Domain Index.
You can use the hidden view $MultiDbIndex in the Domain Catalog to
find the sizes of all databases selected for indexing. You can also use this
view to find out which of these databases have already been indexed
individually by their database managers — and use full-text index size as
a more accurate indicator of the space a database will take up in the
Domain Index.
1. From the Domino Administrator, choose File - Database - Open.
2. Select the cataloging server for the domain, and then select Domain
Catalog.
3. Hold down CTRL-SHIFT and click Open.
4. In the view pane, click ($MultiDbIndex).
5. For each database listed, double-click the database entry to display
the Database Entry document.
Note If more than one replica of a database is listed, the indexing
server indexes the replica on the server you include in the “Limit
domain wide indexing to the following servers” field when you
create the index. If this field is blank, the indexing server indexes the
replica with the greatest number of documents.
6. Do one of the following for each database set to be part of the
Domain Index:
• If there is a value in the “Number of bytes indexed” field on the
Full Text tab, record it.
• If there is no value in the “Number of bytes indexed” field, record
a number between 20 and 40 percent of the value in the Database
size field on the Database tab. Record 20 percent if the database is
heavy on design, 40 percent if it is heavy on text.
7. Add the values from Step 6 to obtain an estimate of the Domain
Index in bytes.
Tip To convert your estimate to megabytes, divide by 1024 twice.
Excluding attachments from the Domain Index
The following types of attachments are excluded from the Domain Index
by default: .au, .cca, .dbd, .dll, .exe, .gif, .img, .jpg, .mp3, .mpg, .mov, .nsf,
.ntf, .p7m, .p7s, .pag, .sys, .tar, .tif, .wav, .wpl, .zip.
To exclude all other types of document attachments, set the following
NOTES.INI variable for the indexing server:
FT_Index_Attachments=2
Domain Search security
When a user performs a Domain Search on Domino databases, Domain
Search checks each result against the ACL of the database in which the
result was found to verify that the user has access to read the document.
To perform this check, the Domain Catalog contains a listing for all
databases that includes each database’s ACL. For Domino to include a
link to a result document in a user’s result set, the user must have the
necessary access to read the document — that is, have at least Reader
access to the database that includes the document and be included in the
Readers field, if the document has one. The security check works as follows:
1. Domino checks the -Default- entry in the database access control list.
• If the -Default- entry has Reader access or greater, the user can
read the document, and Domino returns the result in the result set.
• If the -Default- entry has less than Reader access, Domino checks
whether the user has Reader access or greater in the ACL. If not,
Domino does not include the document in the result set because
the user is not authorized to read that document.
2. If the user has Reader access or greater, Domino checks whether the
result document has a Readers field.
• If the result document does not have a Readers field, the user can
read the document, and Domino returns the result in the result set.
• If the result document has a Readers field, Domino checks
whether the user is included in the Readers field. If not, Domino
does not include the document in the result set because the user is
not authorized to read that document.
• If the user is included in the Readers field, the user can read the
document, and Domino returns the result in the result set.
Caution The security checking works only for search results from
Domino databases. Results from file system searches depend on file
system security — users see the search result even if they are not
authorized to view the document. Thus, users may not be able to access
all search results or they might be able to discern confidential
information from the existence of a particular search result. Be sure to set
file system security properly and index only file systems for which
security is not a high priority.
Tip If you want to index file systems for which security is a high
priority, you can attach the files to Notes documents in a database
selected for indexing.
Search security and server access lists
If you use server access lists within a domain to limit access to
information, you might need to check the ACLs of databases on those
servers to ensure that results are filtered. Otherwise, a search might
return a result to a user who cannot access the result document. In some
cases, users might be able to discern confidential information from a
search result.
For example, the Acme corporation has two application servers,
App-E/East/Acme and App-W/West/Acme. Acme users are certified
with one of two organizational unit certifiers: /East/Acme or
/West/Acme. App-E/East/Acme does not allow access to any user with
a /West/Acme certificate, and that server access list is the only thing
keeping /West/Acme users out of the databases on the server: the
-Default- entry in their ACLs is set to Reader.
When Acme implements Domain Search, /West/Acme users who query
Domain Search might receive search results that include links to and
summaries of documents in databases on App-E/East/Acme, because
the ACLs of those databases do not prohibit /West/Acme users from
seeing those results. (On Windows systems, document summaries are
included in the search results if users select the Detailed Results option.)
The server access lists continue to maintain database security in this
environment, because /West/Acme users cannot access documents from
those links, but the mere existence of links and summaries could reveal
confidential information to the /West/Acme users.
To avoid this issue, check the ACLs for databases that are protected by
server access lists to ensure that they are set to filter correctly. To do this,
assume that the server access list does not exist. Change the ACL so that,
in the absence of a server access list, the database would be secured
appropriately. This ensures that when Domain Search checks the
database ACL, it filters out results that users cannot access.
If you are running Domino on Windows and are not sure that you can
properly maintain database ACLs, you can prevent anyone from seeing
document summaries by setting FTG_No_Summary=1 in the indexing
server’s NOTES.INI file.
Note This example assumes that the indexing server has a certificate
that allows access to both App-E/East/Acme and App-W/West/Acme.
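The two-step check described above, and the Acme blind spot, can be reproduced in a few lines. The following Python block is an added illustration, not Lotus Domino code: the user names, the plans.nsf and sales.nsf databases, the documents, and the access list that denies */West/Acme on App-E are all constructed. It implements the check in the order the chapter gives it (the -Default- entry, then the user's own ACL level, then the Readers field) and shows that the search filter never consults the server access list, while following the link does.

```python
"""Simulation of the Domain Search result filter described above and of the
server-access-list blind spot in the Acme example.  This is an added
illustration, not Lotus Domino code: the user names, databases, documents
and the "App-E denies */West/Acme" access list are all constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Domino ACL access levels, lowest to highest.
ACCESS_LEVELS = ["No Access", "Depositor", "Reader", "Author",
                 "Editor", "Designer", "Manager"]


def rank(level: str) -> int:
    return ACCESS_LEVELS.index(level)


def name_matches(entry: str, user: str) -> bool:
    """Match a hierarchical Notes name against an ACL, Readers or server
    access list entry.  '*/West/Acme' matches every name certified under
    /West/Acme; anything else must match exactly."""
    if entry.startswith("*/"):
        return user.endswith(entry[1:])
    return entry == user


@dataclass
class Database:
    name: str
    server: str
    acl: Dict[str, str]                  # entry -> access level, incl. "-Default-"


@dataclass
class Document:
    db: Database
    title: str
    summary: str
    readers: Optional[List[str]] = None  # None: the document has no Readers field


def acl_level_for(db: Database, user: str) -> str:
    """Highest level any entry naming the user grants, else -Default-."""
    granted = [lvl for entry, lvl in db.acl.items()
               if entry != "-Default-" and name_matches(entry, user)]
    return max(granted, key=rank) if granted else db.acl["-Default-"]


def passes_search_check(doc: Document, user: str) -> bool:
    """The two-step check as the chapter describes it: -Default- entry,
    then the user's own ACL level, then the Readers field."""
    level = doc.db.acl["-Default-"]
    if rank(level) < rank("Reader"):
        level = acl_level_for(doc.db, user)
        if rank(level) < rank("Reader"):
            return False
    if doc.readers is None:
        return True
    return any(name_matches(r, user) for r in doc.readers)


def domain_search(hits: List[Document], user: str,
                  no_summary: bool = False) -> List[Tuple[str, str, str]]:
    """(server, title, summary) for every hit the user may see.  Only the
    database ACL and Readers field are consulted; the server access list is
    not, which is exactly the gap the chapter warns about.  no_summary models
    FTG_No_Summary=1: titles still appear, summaries are blanked."""
    return [(d.db.server, d.title, "" if no_summary else d.summary)
            for d in hits if passes_search_check(d, user)]


def can_follow_link(doc: Document, user: str,
                    denied_by_server: Dict[str, List[str]]) -> bool:
    """Following the result link does pass through the server access list."""
    if any(name_matches(e, user) for e in denied_by_server.get(doc.db.server, [])):
        return False
    return passes_search_check(doc, user)


# Constructed Acme scenario: App-E's access list denies every /West/Acme user.
WEST_USER = "Jane Doe/West/Acme"
EAST_USER = "Raj Patel/East/Acme"
SERVER_DENY = {"App-E/East/Acme": ["*/West/Acme"]}

# As in the chapter: the East server relies on its access list, ACL -Default- = Reader.
LEAKY_DB = Database("plans.nsf", "App-E/East/Acme", {"-Default-": "Reader"})
# Corrected: the ACL written as though the server access list did not exist.
FIXED_DB = Database("plans.nsf", "App-E/East/Acme",
                    {"-Default-": "No Access", "*/East/Acme": "Reader"})
WEST_DB = Database("sales.nsf", "App-W/West/Acme", {"-Default-": "Reader"})


def acme_hits(east_db: Database) -> List[Document]:
    """The raw index hits for a query, before the security check."""
    return [
        Document(east_db, "East region reorg", "Branch closures planned for Q3"),
        Document(east_db, "Exec-only memo", "Board pre-read", readers=["*/East/Acme"]),
        Document(WEST_DB, "West pipeline", "Open to all Acme staff"),
    ]


if __name__ == "__main__":
    for label, db in (("leaky", LEAKY_DB), ("fixed", FIXED_DB)):
        print(label, [t for _, t, _ in domain_search(acme_hits(db), WEST_USER)])
    print("link opens:", can_follow_link(acme_hits(LEAKY_DB)[0], WEST_USER, SERVER_DENY))
```

With LEAKY_DB the West user is shown the title and summary of "East region reorg" even though the link cannot be opened, which is the disclosure the chapter describes; with FIXED_DB the same query returns only the West database, and the East user still sees everything, including the Readers-protected memo. A real ACL resolves a name's access from its most specific matching entry rather than consulting -Default- first; the block keeps the page's order, which gives the same answer here because the named entries only add access.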
Creating and updating the Domain Index
The indexing server relies on the Domain Catalog to tell it which
databases and file systems to include in the Domain Index. You use the
Server document to enable the Domain Indexer task and set a schedule
for it to run. By default, the Domain Indexer task runs once an hour.
To set the Domain Indexer task
1. If you have Web clients, make sure you have set up the indexing
server, as well as each server to be spidered by the indexer, as a
Domino Web server.
For more information on setting up a Domino Web server, see the
chapter “Setting Up the Domino Web Server.”
2. Make sure you have created the Domain Catalog on the indexing
server.
For more information, see the topic “The Domain Catalog” earlier in
this chapter.
Note The Catalog task that creates the Domain Catalog must have
finished before you start the Domain Indexer task.
3. From the Domino Administrator, select the server that you want to
be the indexing server.
4. Click the Configuration tab.
5. Expand the Server section in the view pane.
6. Click Current Server Document.
7. Click “Edit Server,” and then click the Server Tasks - Domain
Indexer tab.
8. In the Schedule field, select Enabled.
9. Click OK.
10. Set the indexing schedule to meet the needs of your organization.
11. Select the servers that you want to include in the index in the “Limit
domain wide indexing to the following servers” field. Use wildcard
characters to index all servers certified with a specific certifier — for
example */Sales/East/Acme. If the field is blank (default), the
Domain Indexer indexes all databases for which the “Include in
multi database indexing” property is enabled.
12. If you have Web clients, do the following to allow the indexing
server to form valid URLs when the results of a search are displayed
in a browser:
a. Click the Internet Protocols - HTTP tab.
b. For the host name, enter the fully qualified name of the computer
that serves as the indexing server, for example,
servername.acme.com.
c. Click the Domino Web Engine tab.
d. Under Generating References to this Server, enter the
information for the indexing server. Make sure you use the
server’s fully qualified domain name in the Host name field.
e. Under Conversion/Display, in the “Redirect to resolve external
links” field, select “By Database.”
Selecting “By Database” allows the indexing server to resolve more
URLs for users. If the indexing server can’t resolve the database link
in a URL, it checks with the Domain Catalog to locate a replica of the
database.
13. Click “Save and Close.”
14. Restart the server by entering this command:
restart server
The Domain Indexer runs when next scheduled.
Note The indexing server must complete the initial indexing pass before
users can perform searches. Check the Domain Indexer Status view in the
Domain Catalog to be sure the initial pass is complete.
Tuning Domain Indexer performance
Each time the Domain Indexer task runs, it looks in the Domain Catalog
for new databases that have the “Include in multi database indexing”
property enabled. It then looks for documents and files in existing
databases and file systems that are new or changed since the last time it
ran, and adds them to the Domain Index.
To meet the specific needs of your organization, adjust the frequency
with which the Domain Indexer runs. Greater frequency results in more
up-to-date indexes, but consumes greater CPU resources. By default, the
Domain Indexer task runs every 60 minutes. Experiment with different
indexing frequencies to yield the best results for your organization.
You can also enhance search performance by tuning the number of
indexing threads used by Domain Search. Each indexing thread indexes
one repository at a time. With a greater number of threads, the indexing
server can index more databases simultaneously, but this requires more
CPU utilization, and response to search queries may be slow. With fewer
indexing threads, response to queries is faster because of greater CPU
availability, but changes are not reflected in the index as quickly.
By default, the indexing server uses two indexing threads per CPU, so a
server with two CPUs uses four indexing threads when indexing. By
adding the variable FT_Domain_Idxthds=n to the NOTES.INI file of the
indexing server, you can control the total number of threads used for
indexing on that server. For example, by adding
“FT_Domain_Idxthds=8” to the NOTES.INI file of an indexing server
with two CPUs, you change the number of indexing threads to eight.
Note Do not exceed eight threads per server or you may degrade the
performance of the server, even on servers with more than four CPUs.
Changing the location of Domain Index files
By default Domain Index files are placed in a directory named
FTDOMAIN.DI in the Domino data directory of the indexing server. You
can change the location of the Index files by specifying a different
directory in the following NOTES.INI setting:
FT_Domain_Directory_Name=directory
Deleting databases from the Domain Index
You must have Manager access to a database to delete it from the
Domain Index.
The database will be deleted from the index after the next update has
been performed by both the Catalog task and the Domain Indexer task.
1. From the Domino Administrator, select the server that contains the
databases that you want to delete from the Domain Index.
2. Click the Files tab.
3. Make sure you have Manager access in the ACL for each database
you want to delete.
Tip On the Files tab, you can right-click a database and choose
Access Control - Manage to display its ACL.
4. Select the databases you want to delete.
5. In the Tools pane on the right, click Database and then select
Multi-Database Index.
6. Select Disable.
7. Click OK.
Note Removing a database from the Domain Catalog or deleting every
copy of a database also has the effect of deleting the database from the
Domain Index.
Backing up the Domain Index and Catalog
Back up the Domain Index and the Domain Catalog as often as necessary
to be useful to your organization. Weekly backups are probably sufficient
for most organizations.
Backing up the Domain Index
Make sure you back up the entire FTDOMAIN.DI subdirectory on the
indexing server as soon as the server has completed building the index
for the first time.
Caution Before you back up the Domain Index, check the Domain
Indexer Status view in the Domain Catalog to make sure that the Domain
Indexer task has finished — if you attempt to back up the Domain Index
while the Domain Indexer task is running, catastrophic data loss can
result.
Backing up the Domain Catalog
You can include the Domain Catalog (CATALOG.NSF) in the databases
for transaction logging. However, do not back up the Catalog while the
Catalog task is running.
For more information on transaction logging, see the chapter
“Transaction Logging and Recovery.”
Customizing Domain Search forms
Domain Search includes several default forms, including forms for
searching, specifying file systems, and presenting results.
Both the search and results forms can be customized to suit
organization-specific needs. An application developer can, for example,
add a corporate logo to either form, or rearrange the fields.
For more information on customizing search forms, see the book
Application Development with Domino Designer.
The developer can create additional search forms, and you can use setup
policy settings (for new users) or desktop policy settings (for existing
users) to provide bookmarks to the new forms to users. For example,
users might use one form to search only Human Resources databases, or
use another form to store searches for future use. The bookmarks for
search forms appear in the user’s More Bookmarks folder.
For more information on using policy settings, see the chapter “Using
Policies.”
Results forms — where do the document titles come from?
When viewing a Domain Search results form, it can be helpful to know
where the Domain Indexer finds the document titles that it displays in
the results. The Indexer checks each document for the following Notes
fields or items that might represent the document’s title: Title, Subject,
Headline, and Topic field; window title (as designated by the developer
of that Domino application); and view summary (using the default form
and default view). If the Indexer can’t find any of these items,
“Document has no title” is displayed in the results.
Note Computing the window title for large numbers of documents
requires CPU utilization. You can omit this computation by adding the
following setting in the indexing server’s NOTES.INI file:
FT_No_Compwintitle=1
For files in indexed file systems, such as IBM Lotus SmartSuite® or
Microsoft® Office documents, the title and author are extracted from the
document properties. For HTML files, the TITLE and AUTHOR tags are used.
Setting up Notes users for Domain Search
Notes users can perform domain searches as soon as you add the
designated indexing server to the “Catalog/Domain Search server” field
in their Location documents.
For information on how users perform domain searches, see Lotus Notes
6 Help.
Using Policies
After you set up a Domain Search server for a Domino domain, you can
use policies to automate the process of setting up Domain Search for new
or existing Notes users in that domain. For new users, record the name of
the Domain Search server in setup policy settings; for existing users,
record the server’s name in desktop policy settings. Setup policy settings
populate the new user’s Location document at registration. Whenever
existing users authenticate with their home server, Lotus Notes checks
desktop policy settings and updates the current Location document with
the name of the Domain Search server.
For more information on policy settings, see the chapter “Using Policies.”
Manual setup from a Notes workstation
The following circumstances require users to set up Domain Search at
their workstations.
A new user wants to do a domain search before the workstation has
authenticated with its home server.
A  user wants to be able to do domain searches from alternate Notes
locations.
A  user wants to do a domain search in a Domino domain other than
the one to which the user belongs.
To perform the setup:
1. Start the Notes client.
2. Choose File - Mobile - Edit Current Location.
3. Do the following for each location for which you want to use Domain
Search:
a. Click the Servers tab.
b. In the “Catalog/domain search server” field, enter the name of
the indexing server.
c. Click Save and Close.
Note If the user enters the name of the indexing server incorrectly or
specifies a server that is not an indexing server, Notes returns an error.
Tip If users enter the name of an indexing server in a Domino domain
other than their own but you have included the name of their indexing
server in the desktop policy settings applied to them, the
“Catalog/domain search server” field reverts to the policy setting the
next time the users authenticate with their home server. To preserve links
to an indexing server in another Domino domain, users can bookmark
the search form from that server while they are performing a search.
Setting up Web users for Domain Search
For Web users to have access to Domain Search functionality, the
indexing server, as well as all the servers being spidered by the indexer,
must be set up as Domino Web servers.
For information on setting up a Domino Web server, see the chapter
“Setting Up the Domino Web Server.”
When you are ready to roll out Domain Search to Web users, the Web
application developer must add to the site’s home page a link to the
search form, which is contained in the Domain Catalog on the indexing
server.
To see for yourself what performing a domain search is like for a browser
user, you can use a URL command in your browser to simulate such a
link. Enter the following command in your browser, substituting the
common name of your indexing server for servername:
http://servername/catalog.nsf?domainquery
When the search form displays, you can define your search. If you have
properly configured the indexing server and the servers holding the
data, your search results display links that can be successfully followed
to each document found.
Using content maps with Domain Search
Content maps let users browse for information rather than search for it
using full-text search. Content maps organize documents by topics, or
content, into categories that are similar to the categories on sites such as
AltaVista and Yahoo!
You can assign document content categories for documents in the
Domain Catalog to organize information in a content map.
To assign content categories
You can assign content categories to both Lotus Notes documents and
Web URLs. You assign content categories from a Lotus Notes client, and
you must have Author access to the Domain Catalog database.
1. Start the Lotus Notes client.
2. Do one of the following:
• To categorize a Notes document, navigate to the document. You
must have at least Editor access to the document (or Author access
if you created the document).
• To categorize a Web URL, make sure that the default browser in
your Location document is set to Lotus Notes. Then, in the Lotus
Notes client, navigate to the Web page by clicking the Open URL
icon (top right) and entering the URL in the Address field.
3. Choose File - Document Properties.
4. Click the Meta tab (plus sign).
5. Do one of the following:
• To assign the document to an existing category, click Categorize,
select one or more categories, and click OK.
• To assign the document to a new category, type the category name
in the Keywords field.
6. Click “Post to Catalog.”
Note If the “Post to Catalog” button is dimmed, try clicking another
field on the Meta tab, or click another tab and then return to the Meta
tab, to enable it.
For a Lotus Notes document, click the “Post to Catalog” button to
add content category information to hidden meta fields in the
document header and to add a content categories document for the
document to the Content by Category view in the Domain Catalog.
For a Web URL, click this button to add a content categories
document for the URL to the Content by Category view in the
Domain Catalog.
To view content categories
The Domain Catalog displays content categories in the Content - By
Category view.
1. Start the Lotus Notes client.
2. Click the arrow to the right of the search icon:
3. Choose Domain Search.
4. Click Browse Catalog.
5. In the view pane, click Content and then click By Category.
6. Expand the categories to display document and URL titles.
7. Double-click a document or URL title to open a link to the document
or URL.
You can customize the Content by Category view to suit
organization-specific needs.
For more information on customizing views, see the book Application
Development with Domino Designer.
To change content categories
You change content categories by editing the DocContent Link
documents in the Domain Catalog. You must have Editor access to the
Domain Catalog.
1. Start the Lotus Notes client.
2. Click the arrow to the right of the search icon.
3. Choose Domain Search.
4. Click Browse Catalog.
5. In the view pane, click Content and then click By Category.
6. Expand the categories to display document or URL titles.
7. Select an entry to re-categorize and choose Actions - Edit Document.
This displays the DocContent Link document for the entry.
8. Specify a new category in the Keyword field.
9. Click “Save and Close.”
Note This procedure updates the category information for this entry in
the Domain Catalog but does not change the category information saved
in the meta fields of the document itself.
NOTES.INI settings for Domain Search
The following table describes the NOTES.INI settings that pertain
specifically to Domain Search.
For more information on these settings, see the “NOTES.INI File”
appendix.

Setting                     Description
FT_Domain_Directory_Name    Specifies the directory for the Domain Index
                            files on the indexing server.
FT_Domain_Idxthds           Specifies the total number of threads used for
                            indexing by the indexing server.
FT_Index_Attachments        Specifies whether to exclude document
                            attachments not already excluded by default
                            from the Domain Index.
FT_No_Compwintitle          Specifies whether to compute the window titles
                            for documents that are returned by a search.
FT_Summ_Default_Language    Specifies the language for document summaries
                            in search results whenever the language in the
                            document is not supported by the summary
                            feature.
FTG_No_Summary              Specifies whether to display document
                            summaries in search results.
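The settings in this table, together with the eight-thread ceiling from “Tuning Domain Indexer performance” and the FTG_No_Summary advice under “Search security and server access lists”, can be checked mechanically before an indexing server goes live. The following Python script is an added example, not an IBM tool: it parses a NOTES.INI, works out the effective indexing thread count (two per CPU unless FT_Domain_Idxthds is set), reports which attachments would end up in the index given the default exclusion list, and flags the three settings. The NOTES.INI fragment, the CPU count and the attachment names are constructed.

```python
"""Audit of the Domain Search settings in an indexing server's NOTES.INI.
Added example, not an IBM tool.  SAMPLE_NOTES_INI is constructed; the
defaults and thresholds are the ones the chapter states: two indexing
threads per CPU unless FT_Domain_Idxthds is set, never more than eight,
FT_Index_Attachments=2 to exclude attachment types beyond the built-in
list, FTG_No_Summary=1 to suppress document summaries in results."""
from typing import Dict, List

# Attachment types the Domain Indexer skips by default (list from the chapter).
DEFAULT_EXCLUDED_EXT = {
    ".au", ".cca", ".dbd", ".dll", ".exe", ".gif", ".img", ".jpg", ".mp3",
    ".mpg", ".mov", ".nsf", ".ntf", ".p7m", ".p7s", ".pag", ".sys", ".tar",
    ".tif", ".wav", ".wpl", ".zip",
}

# Constructed NOTES.INI fragment carrying the weak settings an audit should catch.
SAMPLE_NOTES_INI = """\
[Notes]
Directory=c:\\lotus\\domino\\data
ServerTasks=Update,Replica,Router,AMgr,Catalog,HTTP
; Domain Search tuning left by a previous administrator
FT_Domain_Idxthds=12
FT_Index_Attachments=1
FT_Domain_Directory_Name=d:\\ftindex
"""


def parse_notes_ini(text: str) -> Dict[str, str]:
    """NOTES.INI is a flat list of key=value lines; keys are case-insensitive,
    so they are normalised to upper case.  The [Notes] header and ';' lines
    are skipped defensively."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";[" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip().upper()] = value.strip()
    return settings


def effective_index_threads(settings: Dict[str, str], cpus: int) -> int:
    """Default is two threads per CPU; FT_Domain_Idxthds overrides the total."""
    raw = settings.get("FT_DOMAIN_IDXTHDS")
    return int(raw) if raw and raw.isdigit() else 2 * cpus


def attachments_indexed(filenames: List[str], settings: Dict[str, str]) -> List[str]:
    """Which of the given attachment names the indexer would add to the index."""
    if settings.get("FT_INDEX_ATTACHMENTS") == "2":
        return []                       # every attachment type is excluded

    def ext(name: str) -> str:
        dot = name.rfind(".")
        return name[dot:].lower() if dot >= 0 else ""

    return [n for n in filenames if ext(n) not in DEFAULT_EXCLUDED_EXT]


def audit_domain_search(settings: Dict[str, str], cpus: int) -> List[str]:
    """Findings, each phrased as the NOTES.INI change that resolves it."""
    findings: List[str] = []
    threads = effective_index_threads(settings, cpus)
    if threads > 8:
        findings.append(f"FT_Domain_Idxthds: {threads} threads exceeds the "
                        "eight-thread ceiling; set FT_Domain_Idxthds=8")
    if settings.get("FT_INDEX_ATTACHMENTS") != "2":
        findings.append("FT_Index_Attachments: attachment types outside the "
                        "default exclusion list are indexed; set "
                        "FT_Index_Attachments=2 unless attachment content "
                        "must be searchable")
    if settings.get("FTG_NO_SUMMARY") != "1":
        findings.append("FTG_No_Summary: document summaries appear in results "
                        "and can expose content from databases whose ACL is "
                        "looser than the server access list; set "
                        "FTG_No_Summary=1 if ACLs are not tightly maintained")
    return findings


def harden(settings: Dict[str, str], cpus: int) -> Dict[str, str]:
    """Copy of the settings with the three findings corrected."""
    fixed = dict(settings)
    fixed["FT_DOMAIN_IDXTHDS"] = str(min(effective_index_threads(settings, cpus), 8))
    fixed["FT_INDEX_ATTACHMENTS"] = "2"
    fixed["FTG_NO_SUMMARY"] = "1"
    return fixed


if __name__ == "__main__":
    cfg = parse_notes_ini(SAMPLE_NOTES_INI)
    for finding in audit_domain_search(cfg, cpus=2):
        print("-", finding)
    print(attachments_indexed(["plan.doc", "logo.gif", "backup.zip", "notes.txt"], cfg))
    print(audit_domain_search(harden(cfg, cpus=2), cpus=2))
```

The FTG_No_Summary finding is a recommendation rather than a defect: the chapter ties it to whether database ACLs on the spidered servers can be trusted, so treat it as a prompt to review the ACLs of every database behind a server access list, and set the variable when that review cannot be kept current.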
Chapter 11
Setting Up Domino Off-Line Services
This chapter explains how to enable an application to go offline with
Domino Off-Line Services (DOLS) and how to administer DOLS
applications on the Domino 6 server.
Domino Off-Line Services
Domino Off-Line Services (DOLS) provides a way for users to take IBM
Lotus Domino Release 6 Web applications offline, work in them, and
synchronize the changes with an online replica on the Domino server.
Users are not required to have an IBM Lotus Notes 6 client because the
applications are accessed with a browser.
Nearly all Notes functionality is retained when a DOLS-enabled
application (called a subscription) is taken offline. Users can compose,
edit, delete, sort, and categorize Notes documents, and perform full-text
searches. DOLS subscriptions can make full use of Java applets, agent
execution, and workflow. DOLS also supports full data replication,
retains application logic, and supports the full Notes security model.
The developer and administrator must set up and configure a DOLS
subscription for offline use.
The developer copies a number of elements into the subscription, makes
design changes if necessary, and configures the subscription in the
Offline Subscription Configuration Profile document.
The administrator makes sure DOLS is installed properly on the server,
sets security for the subscription, sets up agents, makes changes to the
Offline Subscription Configuration Profile document if necessary, and
helps users install the subscription.
Once the subscription is enabled, users can access it on the server using a
browser. The user clicks in a new frame on the subscription’s main page
to open a JavaScript menu. When the user selects “install” from the
menu, the subscription is installed on their computer.
Also installed on their computer is the Lotus iNotes™ Sync Manager, a
utility for managing DOLS subscriptions. Users can open subscriptions
online or offline, synchronize, and set subscription properties with the
Sync Manager.
For more information, see the Lotus iNotes Sync Manager Help
(available from the Help menu of the Lotus iNotes Sync Manager).
Overview of DOLS administrator tasks
Developers and administrators perform different tasks to prepare a
DOLS subscription for users. Administrators perform the following
tasks:
1. Setting up DOLS on a server.
For more information on setting up DOLS on a server, see the
chapter “Installation.”
2. Creating a DOLS Offline Security Policy document.
3. Increasing security for DOLS subscriptions.
4. Increasing the server’s output timeout for DOLS downloads.
5. Configuring the DOLS subscription.
6. Setting up agents for the DOLS subscription.
7. Sending users the URL of the subscription. If the offline security
policy is “Prompt for ID,” also making sure they have a Notes user ID
and Internet password so they can open the subscription.
Typically, the first step is for a user to enter the URL of a Domino server,
along with the path and name of a DOLS-enabled Web application on
that server, into their browser. The browser contacts the server through
the Web Server task, also called the nHTTP task (1a), and the Web Server
then communicates with the Web application (1b).
If the Web application has appropriate security levels set in the ACL, the
user is prompted to log into the Web application using their name and
Internet password. This authentication is also handled by the Web
Server.
If the application is DOLS-enabled, and an Offline Configuration
Document (OCD) was created and saved, the user sees the DOLS Web
Control when they open the application. The user clicks the Web control
and selects “Install Subscription...” to start downloading the application
to their computer.
When the user selects “Install Subscription...,” the application requests
the OCD (2a). A special DSAPI filter file on the server, listening for URL
Web server requests, notices the OCD request. The filter queries the
client to determine if the iNotes Sync Manager (iNSM) client software is
already installed. If not, the filter tells the browser to begin downloading
a set of DOLS File Sets to the client over the HTTP connection (2b). These
file sets are used to install the iNotes Sync Manager software.
Once the DOLS File Sets are downloaded, they are uncompressed, and
the iNotes Sync Manager launches (3). The Sync Manager then
configures the client for the incoming application, and launches a Sync
Task, which initiates a Remote Procedure Call (nRPC) connection with
the Domino server (4a). This secure, Domino replication connection
performs a number of operations to download and initialize the
application on the client (4b). When synchronization is complete, a
subscription of the application exists on the client. A subscription
includes all databases that were listed in the OCD as making up the
application. Their contents are adjusted according to Administrator and
user settings, as well as security information to ensure that the user on
the client has access to only the data to which they had access on the
server. Also, full-text indexes of all offline databases can be created if the
user requests it.
When the user wants to open the application offline, they select it from a
list in the Sync Manager and click “Open Offline.” The Sync Manager
launches a local copy of the Web Server and the local browser (5a). The
Sync Manager tells the local Web server to connect with the local browser
(5b), and with the offline copy of the application (5c). The local Web
Server then validates the user’s login and password information, and
displays the application offline (locally) just as it would display it online
(on the server). Any data the user creates, modifies, and saves while
using the offline application is stored in the local version of the
application.
of the application, the Sync Manager, either by the user’s command or
automatically on a schedule, launches the Sync Task, which again creates
an nRPC connection to the Domino server (6a). The Sync Task then
replicates any or all data between the client copy of the application and
the server copy. Any changes to the security levels of the online
application are synchronized offline. Any outgoing e-mail that has
accumulated in the local mail.box file is copied to the server and dispatched to the mail
router task for delivery. When synchronization is complete, the user may
disconnect from the network and continue using the application offline.
Creating a DOLS Off-line Security Policy document
Use Offline Security Policy documents to set different ID policies for
users in different domains. For example, you can generate IDs
automatically for users inside the company, but require users in a
domain outside the company to provide IDs you have given them.
To create an Offline Security Policy Document, do the following:
1. Open Lotus Domino Administrator 6.
2. Click the Configuration tab.
3. Click Offline Services.
4. Click Security.
5. Click “New Security Policy.”
6. Fill out the following fields in the Basics tab:

Security domain
    Enter the domain that this policy affects. For example, /US/Company, or
    /Company (include the leading slash). All users in this domain are
    subject to the deployment policy you set in this document. The domain
    specified in this field includes users one level down from the root.
    For example, /Cambridge/Lotus includes users in /Security/Cambridge/Lotus
    and /Dev/Cambridge/Lotus.

Prompt for ID during download
    Before the subscription installs, users are asked to specify where on
    their computer their user ID is stored. The administrator must provide
    an ID to the user. This is the default ID deployment policy.

Automatically generate user IDs
    Before installation, a certifier ID is generated for the user
    automatically. The Automatic tab appears when this option is selected.
    Click this tab and attach the certifier ID to be generated, set the
    password, and set the ID expiration date. It is recommended that you do
    not attach the absolute root certifier for your organization (for
    example, /Lotus). Instead, you should automatically generate a user ID
    against a subcertifier (for example, /NewUsers/Lotus). You may also
    want to generate the user ID in a new domain.

Use the Domino Directory for ID lookup
    Before installation, the server looks for an existing user ID in the
    Domino Directory (formerly called the Names and Address book). The
    Lookup tab appears when this option is selected. Enter the relative
    path for the Domino Directory that contains the IDs.

Roaming User
    Override security policy for roaming users. Select this box to set the
    Domino server to behave appropriately with “Roaming users” who access
    the subscription. The server will recognize the user as a Roaming user,
    ignore the current security policy, and find the user’s ID on the
    user’s home server.

ID Management
    Overwrite existing user IDs. Select this box to have the user’s offline
    ID overwritten with a new ID each time they install a subscription.
    Caution: This setting should not be turned on in an enterprise that
    uses encrypted subscriptions. Users whose IDs are overwritten will not
    be able to open an offline subscription encrypted with a key from the
    previous ID.

Certifier ID to use
    Attach a certifier ID to this rich text field. The certifier ID must
    support the Security domain specified in the “Security domain” field.
    For example, if the Security domain is /A/B/C, then either /A/B/C,
    /B/C, or /C would be acceptable certifiers. The certifier ID file
    attached here must share the same root certifier as the server’s ID for
    DOLS. If they do not share the same root certifier, the user may
    receive replication errors about a lack of cross-certifiers.

Password for certifier ID
    Enter the password for the certifier ID. The password, which is
    case-sensitive, must be correct or the user will not be able to
    install. Make sure you protect stored passwords by appropriately
    restricting the ACL of this database (doladmin.nsf).

Expiration date to set on created user IDs
    Select or enter an expiration date for the ID. For example, 03/31/2006.
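The name rules behind the Security domain and Certifier ID fields above (a policy domain covers users certified in it or one organizational unit below it; a certifier must be a trailing part of the domain and share the DOLS server ID’s root certifier), worked through as an added Python example that is not IBM’s code. The user and server names in it are constructed, and it reads the “one level down” rule strictly, so a name two units below the domain is treated as outside the policy.

```python
from typing import List

# Added example (not IBM's code): the name rules behind the Security domain
# and Certifier ID fields of a DOLS Offline Security Policy document.
# Names are hierarchical Notes names such as "Jane Doe/Dev/Cambridge/Lotus"
# (constructed sample) or certifier paths such as "/Cambridge/Lotus".


def components(path: str) -> List[str]:
    """Split a slash-separated name into its parts, dropping a leading
    slash and blank parts: "/Cambridge/Lotus" -> ["Cambridge", "Lotus"]."""
    return [part.strip() for part in path.split("/") if part.strip()]


def certifier_of_user(user_name: str) -> List[str]:
    """Drop the common-name component of a user name, leaving the path of
    the certifier that issued the user's ID."""
    parts = components(user_name)
    if len(parts) < 2:
        raise ValueError(f"{user_name!r} is not a hierarchical name")
    return parts[1:]


def user_in_security_domain(user_name: str, domain: str) -> bool:
    """The policy covers users certified directly in the domain and users
    one organizational unit below it (/Dev/Cambridge/Lotus is inside
    /Cambridge/Lotus).  Read strictly, deeper units are outside."""
    dom = components(domain)
    cert = certifier_of_user(user_name)
    return cert == dom or (len(cert) == len(dom) + 1 and cert[1:] == dom)


def certifier_supports_domain(certifier: str, domain: str) -> bool:
    """A certifier can issue IDs inside the domain when its path is a
    trailing part of the domain: /A/B/C accepts /A/B/C, /B/C and /C."""
    cert = components(certifier)
    dom = components(domain)
    return 0 < len(cert) <= len(dom) and dom[-len(cert):] == cert


def share_root_certifier(certifier: str, server_id_name: str) -> bool:
    """Both names must hang off the same organization certifier (the
    rightmost component); otherwise users see cross-certifier errors."""
    return components(certifier)[-1] == components(server_id_name)[-1]


def validate_policy(domain: str, certifier: str, server_id_name: str) -> List[str]:
    """Check a proposed policy against the rules above plus the advice not
    to attach the organization root certifier.  Returns the list of
    problems; an empty list means the combination is acceptable."""
    problems = []
    if not certifier_supports_domain(certifier, domain):
        problems.append(f"certifier {certifier} cannot certify names in {domain}")
    if not share_root_certifier(certifier, server_id_name):
        problems.append(f"certifier {certifier} and server ID {server_id_name} "
                        "have different root certifiers")
    cert = components(certifier)
    if len(cert) == 1:
        problems.append(f"{certifier} is the organization root certifier; "
                        f"attach a subcertifier such as /NewUsers/{cert[0]} instead")
    return problems


if __name__ == "__main__":
    # Constructed names; the policy domain is the manual's /Cambridge/Lotus.
    for user in ("Jane Doe/Cambridge/Lotus", "Jane Doe/Dev/Cambridge/Lotus",
                 "Jane Doe/QA/Dev/Cambridge/Lotus"):
        print(user, "->", user_in_security_domain(user, "/Cambridge/Lotus"))
    print(validate_policy("/Lotus", "/Lotus", "Srv/Lotus"))
```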

Address book to look up ID files from
    Enter the database filename, with relative path, of the directory where
    your server’s user IDs reside. The target database must have standard
    NAB views and documents, with ID files attached to each person document.

Tighten access to the database
    Open the ACL for the subscription and add the users and groups to whom
    you want to grant access. Anonymous must have “No Access.”

Tighten security on the configuration document
    To limit who can open and edit the Offline Subscription Configuration
    Profile document for a particular subscription, open the subscription’s
    “DOLS Offline Configuration” form in Lotus Domino Designer 6 and change
    security settings in the Form properties.

Tighten security on offline data
    To ensure that unsanctioned users cannot access the subscription data
    offline using another software product, encrypt the subscription in the
    Offline Subscription Configuration Profile document.

Tighten security for all subscriptions on the server
    To propagate a security setting to all the existing DOLS subscriptions
    on a server, make sure the subscriptions are set to inherit design
    changes from the DOLS Resource template (DOLRES.NTF); change the setting
    in DOLRES.NTF; then run the Designer task. For more information on the
    Designer task, see the topic “Synchronizing databases with master
    templates.”

Increasing the server’s output timeout for DOLS downloads
DOLS administrators should increase the output timeout if users will be
installing the DOLS file set over a phone line. To increase the server
output timeout:
1. Open Lotus Domino Administrator 6.
2. In the navigation pane, click Server - Current Server Document.
3. Click the Internet Protocols tab, then the HTTP tab. Change the
“Output timeout” field to 18000 seconds to allow enough time for
downloads. Change this accordingly, depending on the speed of
your connection.
Configuring the DOLS subscription
You choose configuration settings for the subscription in the Offline
Subscription Configuration Profile document. You must edit and save a
configuration document in every subscription even if you make no
changes to the document. A subscription can have only one configuration
document, even if the subscription has multiple databases. The
configuration document must be stored in the main database. The main
database is the database in the subscription from which the user
downloads the subscription.
You can change configuration settings even after users have downloaded
the subscription.
To edit the configuration document
1. Copy the appropriate design elements into the main database.
2. Open the database in Notes.
3. Choose Actions - Edit Offline Configuration to open the document.
Note that some of the fields have default values, which you can
change. You can use wild card characters in any field.
4. Click the Basics tab. The name of the main database should be in the
“Subscription title” field. If it is not, enter it.

Domino services to install offline
    • Basic services (required)
    • Full-Text Indexing
    • LotusScript and unscheduled agents
    • Java classes and applets
    • Custom Services
    • MAPI enablement
    • Default Language
    The offline subscription may need support for full-text indexing,
    LotusScript and unscheduled agents (such as Web open), Java back-end
    classes and applets, MAPI enablement, or custom services. Select the
    appropriate boxes so that only files the users actually need are
    downloaded to their machine. MAPI enablement is available only when you
    use the Extended Mail Template (MAIL6EX.NTF) for Web Mail or iNotes
    Access for Microsoft Outlook users. Choose a default language for the
    Web Control menu and the iNotes Sync Manager. Users can override this
    setting by selecting a different language from the Web Control menu.

Custom services to install offline
    This field is available only when you select the “Custom services” box.
    Enter the name of custom service files to be unpacked and executed on
    the user’s computer during installation of the subscription. Custom
    services have the following syntax:
        CustomServiceName [Setup.exe [SetupArguments]]
    For example:
        mycustomname mysetupfile.exe -z -r -u
    If you specify more than one custom service, separate the services with
    commas. For example:
        mycustomname mysetupfile.exe -z -r -u, mycustomname2 mysetupfile2.exe -z -r -u
    For more information on custom file sets, see the topic “Creating
    custom file sets for a DOLS subscription.”

Type of schedule

Daily
    Select this field, then specify the time of day you want
    synchronization to occur.

Weekly
    Select this field, then check the days you want the synchronization to
    occur.

Monthly
    Select this field, then specify the day of the month you want the
    synchronization to occur.

Start time
    Enter the time of day for the subscription to start scheduled
    synchronization.

Frequency

Repeating schedule
    Select this box if you want synchronization to repeat at certain
    intervals after the initial start time.

Interval
    Specify the time between repeating synchronizations. Enter a number and
    then choose either minutes or hours. For example, you can enter 180
    minutes or 3 hours.

Limitations

Stop synchronization at
    Specify the time you want the synchronization to stop.

Recurrence exceptions

Schedule disabled
    Select this box to make a disabled synchronization schedule the default
    state. The subscription only synchronizes once, when it is installed.
    The user can override this setting in the offline synchronization
    properties.

File Rules

Required files to replicate
    Enter the subscription’s required files. Required files are databases,
    templates or directories that are automatically installed offline, and
    are replicated every time the subscription is synchronized. All
    required files and directories must be specified relative to the
    server’s data directory. For tips on using directory names and
    wildcards when you specify more than one Required file or Optional
    file, see the topic “Creating multiple database DOLS subscriptions.”

Optional files to replicate
    Enter the subscription’s optional files. Optional files are databases,
    templates or directories that can be enabled or disabled in the sync
    manager for offline installation and replication. For example, in
    addition to the required file(s), you may want to download a related
    Help database or an archived discussion database as an optional file.
    All optional files and directories must be specified relative to the
    server’s data directory.
    Optional databases replicate as “stubs,” meaning only the design is
    replicated. Users can open Sync Properties, click the Sync Options tab,
    select the database, and deselect the disable box. The data is then
    replicated at the next synchronization. To save disk space, users can
    disable an optional file, and the data is removed at next
    synchronization.
    Enable replication of optional files by default: Select this box to
    automatically download and synchronize new databases found in the
    subscription’s directories on the server. For example, if one of the
    optional databases is designed to create new databases, the new
    databases are automatically downloaded and synchronized.

Directory catalog
    Synchronize directory catalog: Select this box to install a directory
    catalog with the subscription. Then enter the file name, including
    directory path, of the catalog database on the server (for example,
    dircats\mydircat.nsf). If the server administrator has specified a
    default offline directory catalog for the server by adding
    $DOLSDirectoryCatalog = nameofcatalog.nsf to the NOTES.INI on the
    server, you can leave this field blank and the server’s default offline
    catalog is replicated with the subscription. A catalog filename
    specified here will override the server’s default offline directory
    catalog.
    Choose the “Replicate as an optional file” checkbox to specify the
    catalog as an optional file. If the directory catalog is specified as
    an optional file, the “Enable replication of optional files by default”
    checkbox must be checked for the catalog to replicate the first time.
    In order for iNotes Access for Outlook users, or iNotes Access for Web
    Mail users, to take a directory catalog offline, you must add the name
    of a directory catalog, including the NSF extension, to the
    $DOLSDirectoryCatalog setting in the server’s NOTES.INI file.
    For more information on using directory catalogs with DOLS, see the
    topic “Adding a directory catalog to the application” before adding one
    to your subscription.

Encryption
    Encrypt this subscription: Select the box to enable encryption. Then
    select the level of encryption. Encryption prevents an unauthorized
    user from accessing the offline subscription’s data using another
    software product.
    If the subscription has multiple databases, all of these databases are
    encrypted.
    If the subscription has a shared file, you must encrypt all
    subscriptions sharing the file. An unencrypted subscription may not be
    able to open an encrypted file.
    Using strong encryption causes a database to open more slowly than it
    would using a weaker encryption or no encryption.
    Do not encrypt the database from the Database Properties box. Use the
    Offline Subscription Configuration document to prevent unauthorized
    users from reading subscription data using other applications.

Sync Options

Date Filtering
    Only sync documents modified within the last [number] days: Select this
    box to preset a default, date-based filter on all databases created
    offline. For example, if you specify 30 days, only documents created or
    modified in the last 30 days will synchronize. Once installed, users
    can reset this for each subscription file using the iNotes Sync
    Manager.

Halt Conditions
    Limit database size to [number] MB: Select this box to specify the
    maximum size in megabytes of the offline database. You cannot specify a
    number less than 10.
    Limit subscription size to [number] MB: Select this box to specify the
    maximum size in megabytes of the entire offline subscription. You
    cannot specify a number less than 10.
    You can preset an automatic halt to the offline synchronization when a
    database exceeds a particular size, or when the subscription as a whole
    exceeds a particular size. The user can override this setting. Be
    careful not to specify a size that may be too limiting. The offline
    subscription may not be fully operational if synchronization is
    interrupted prematurely.

Sync Options: Optional actions

Full-Text Index subscription after sync
    Select this box to force full-text indexing of the subscription after
    synchronization. The user can override this setting.

Compact subscription after sync
    Select this box to force the subscription to compact after
    synchronization.

Notify on completion of sync
    Select this box if you want the user to receive a message when
    synchronization is complete. The user can override this setting. If
    warnings are displayed during the synchronization process, and this
    option is selected, each warning message will display.

Route mail on client shutdown
    Select this box so that pending outgoing mail messages are sent before
    the user exits from the iNotes Sync Manager. The user can override this
    setting.

Replicate on client shutdown
    Select this box so that synchronization occurs before the user exits
    from the iNotes Sync Manager. The user can override this setting.

Use multi-user data directory
    Select this box so that the subscription can be installed to a client
    with a Notes multi-user setup. Subscription data is stored in the
    user’s personal profile data directory.

Allow per-user shared subscription data
    Select this box to allow the subscription to share a file with another
    subscription, as long as the same user has installed both files. For
    example, a user installs this subscription with the directory catalog
    dircat1.nsf. If the user then installs another subscription that uses
    dircat1.nsf, and also selects this option, the two subscriptions share
    dircat1.nsf.
    All subscriptions that share the same file must be either encrypted or
    not encrypted. Non-encrypted subscriptions may not be able to share a
    file that is encrypted.

Push subscription settings
    Push subscription settings to iNotes Sync Manager. Select this box to
    push changes made to the active Off-Line Subscription Configuration
    Profile Document (on the server) down to the iNotes Sync Manager (on
    the client), without requiring a reinstallation of the subscription.
    The following are the only settings and actions that cannot be changed
    on the user’s computer unless the user deletes and reinstalls the
    subscription:
    • Encryption
    • Per-user shared subscriptions
    • Multi-user data directories
    • Passthru server settings
    • Optional TCP/IP addresses
    • A change in the subscription title
    • Adding new services or custom filesets
    • Deleting or moving the main.nsf
    Force user to accept subscription changes. This box is only visible
    when “Push subscription settings to iNotes Sync Manager” is selected.
    Select this box to force the user to accept changes in the Offline
    Subscription Configuration Profile document. Not selecting this box
    allows users to prevent the changes from occurring on their
    subscriptions.

Read only subscription settings
    Make schedule read-only. Select this box to dim the scheduled
    replication settings in the Properties dialog - Schedule tab of the
    subscription on the user’s computer. You can push this to users by
    selecting it before they install the subscription, or by using the
    “Push subscription settings” feature.
    Make sync options read-only. Select this box to dim the Sync Options
    settings in the Properties dialog - Sync Options tab of the
    subscription on the user’s computer. You can push this to users by
    selecting it before they install the subscription, or by using the
    “Push subscription settings” feature.

Passthru server settings
    Use passthru server to connect to destination server. Select this box
    to use a passthru server to connect to the Domino server that hosts the
    subscription. You must enter the name of the passthru server.

Network Settings
    Use optional TCP/IP address to connect to destination server. Select
    this box to provide primary and/or secondary TCP/IP addresses for the
    destination Domino server hosting the subscription. This is especially
    useful for users who access the server through both an intranet and an
    extranet. If the primary address is not reachable, the iNotes Sync
    Manager tries the secondary address to connect to the server. Then
    enter the name of the primary and secondary addresses. If users connect
    to the host server through a passthru server, the addresses must be for
    the passthru server. Alternatively, an administrator can configure
    these settings for all the subscriptions hosted on a particular server
    by adding addresses to the $DOLS_TCPIPAddress and $DOLS_TCPIPAddress2
    settings in the server’s NOTES.INI.

9. (Optional) At the bottom of the configuration document, select
whether to display the default download page or create your own
download page. The download page is what users see while they’re
installing a subscription. It’s useful for showing instructions,
company graphics, warnings, or tips. Do one of the following:
    • Leave “Display default download page contents” selected to have
    the download page contain the default text and graphics. You can
    add text, HTML, or images in the rich-text field below the default
    text and graphics.
    • Select “Display only the custom contents below” to create a
    download page. A rich-text field appears in which you can add
    text, HTML, or images.
10. Save and close the configuration document.
11. Save and close the subscription.
12. (Optional) Customize the subscription. For more information on
customizing the subscription, see the topic “Optional tasks for DOLS
developers.”
Setting up agents for the DOLS subscription
Agents are small programs that perform actions in a subscription.
Because they can be powerful tools, they must have permission from the
server to perform their actions. Agents inherit the permissions of their
“signer.” An agent’s signer can be the user who created it, or a user or
organization designated by an administrator. An administrator can also
register a “dummy” user on the server and make it the signer of agents.
This provides more control and security, because the dummy user won’t
do anything the administrator doesn’t want done.
For an agent to perform actions on a server an administrator must add its
signer, or a group the signer is in, to the Server document (Security -
Agent Restrictions).
Agents can perform both unrestricted actions and restricted actions.
Restricted actions can potentially cause serious damage to the server, so
administrators must be careful about the permissions of agents that
perform restricted actions.
Note There are also two kinds of agents: triggered and scheduled.
Triggered agents are activated by a user action, like clicking a button or
selecting a menu item. Scheduled agents run automatically, on a
schedule, or when events happen inside a database, such as a new mail
document arriving. Only triggered agents work offline.
If a subscription contains triggered agents, do the following to make
them work offline.
1. If the subscription contains restricted agents, create a group called
“DOLS_Restricted_Agents” in the Domino Directory.
2. Add the full names of the signers of the restricted agents to the
“DOLS_Restricted_Agents” group.
If an agent has been configured to run as a Web user (Agent
Properties - Design tab - Run as web user), use the full name of its
signer. Otherwise, use the full name of the signer who modified it
last (for example, NewDevelopment/IBM).
3. If the subscription uses unrestricted agents, create a group called
“DOLS_Unrestricted_Agents” in the Domino Directory.
4. Add the full names of the signers of the unrestricted agents to the
“DOLS_Unrestricted_Agents” group.
If an agent has been configured to run as a Web user (Agent
Properties - Design tab - Run as Web user), use the full name of its
signer. Otherwise, use the full name of the signer who modified it
last (for example, NewDevelopment/IBM).
5. In the Server document, on the Security tab - Agent Restrictions
section, add “DOLS_Restricted_Agents” to the “Run restricted
LotusScript/Java agents” field. Add “DOLS_Unrestricted_Agents”
to the “Run unrestricted LotusScript/Java agents” field.
6. Make sure agent signers have at least Editor access in the ACLs of all
databases where the agent runs.
7. Use the DOLCert.id (in the Domino data directory) as the certifier ID
to create cross-certificates for each user or organization you specified
as being able to execute agents. DOLCert.id creates cross-certificates
issued by “O=DOLS.” There may already be cross-certificates issued
by the Lotus Domino 6 server for these names. You can use the ID
file or public key for the agent user and organization to generate
cross-certificates.
Note If a database uses agents, make sure they’re all signed and that the
server’s CERT.ID is cross-certified with the DOLCERT.ID.
Optional tasks for DOLS administrators
In addition to required administration tasks, there are a few optional
tasks for the administrator:
Adding a directory catalog to the subscription
Viewing DOLS download information
Reducing DOLS download time with the client installation CD
Reducing DOLS download time with selective replication
Web Control instructions for DOLS users
Adding a directory catalog to a DOLS subscription
Adding a directory catalog to a DOLS subscription allows users to take
Domino Directory information offline. To add a directory catalog to a
subscription:
1. Read the following.
    • Adding a catalog means more for a user to download. To keep
    download time reasonable, you may want to create a directory
    catalog specifically for offline users, which contains only the
    information they absolutely need.
    • To add a default catalog, open the NOTES.INI file on the server
    and add the line $DOLSDirectoryCatalog=nameofcatalog.nsf
    (nameofcatalog being the actual name of the catalog). Once you do
    this, you don’t need to specify a catalog in the “Directory catalog
    to replicate” field in the Offline Configuration Profile document.
    You must add a default catalog for iNotes Access for Outlook
    users.
    • From the DOLS Customize subform, you can create a field that
    looks up a catalog’s name on the server record and populates the
    “Directory catalog to replicate” field with that name.
2. Open the Offline Subscription Configuration Profile document.
3. Enter the name of the catalog in the “Directory Catalog” field in the
Rules tab.
Viewing DOLS download information
To view information on subscription use, click the Configuration tab in
Lotus Domino Administrator 6. Then click Offline Services - Users. In the
Users view, you can see the name of each user who has installed a
subscription, the names of the security domains, the names of the
applications downloaded, and the download dates and times.
Click a column header to change the order of the data in the view. Open
a document to see all the information on a particular download.
Reducing DOLS download time with selective replication
By controlling what is replicated offline, you can control the size of a
subscription and reduce download time for remote users who may have
a slow connection. To set limits on what users take offline, do the
following:
1. Open the main subscription.
2. Open the Database Properties box.
3. From the Database Basics tab, click “Replication Settings.”
4. In the “Replication Settings” dialog box, click Advanced.
5. Enter one of the following in the “When computer” field:
    • “OfflineSync/DOLS” - Settings apply to all users of the
    subscription.
    • User/Domain - Settings apply to that user only.
    Note Individual user settings take precedence over
    “OfflineSync/DOLS” settings.
6. Choose replication settings:
For example, you can check “Replicate a subset of documents” and
choose the folders and views you want synchronized to the user’s
machine. You can also have the documents synchronized by formula.
For example, you can check “Select by Formula” and enter a formula
so that only selected users are able to synchronize a selected folder.
Note DOLS requires that you add the following text to any selective
replication formula that you create. If you forget to add this text,
offline users will not be able to open their offline applications:
|Form="DOLSOfflineConfiguration"
The following example shows a selective replication formula with
the required text:
SELECT From=@UserName|Form="DOLSOfflineConfiguration"
7. To save the settings, click OK.
Web Control instructions for DOLS users
The Web Control is a pop-up menu in the subscription from which users
can install the subscription, synchronize, choose a language for the
interface text, and open the subscription online or offline. To open the
pop-up menu, users click on either the words “Go Offline,” or an image
in a frame on the main Web page of the subscription.
For more information on customizing how users install the subscription,
see “Customizing how users install the DOLS subscription” in the Lotus
Domino Designer 6 Help.
To access the Web Control menu using shortcuts
The following are instructions on installing a DOLS subscription with
minimal use of a mouse. Along with a username, password, and address,
you may want to send these instructions to users who want or require
alternative access to software features.
To take a subscription offline:
1. Open the subscription online.
2. Click once anywhere on the Web page.
3. Press TAB to move the focus to different frames until the focus is on
the image or words “Go Offline.” This is the Web Control.
4. Press ENTER. The pop-up menu opens.
5. (Optional) Press the up and down arrow keys to navigate to the
Language menu item, then press the right arrow key. The list of
languages opens. Press the up and down arrow keys to navigate to a
language and press ENTER. This is the language the subscription
interface appears in offline.
6. Open the pop-up menu again.
7. Press the up and down arrow keys to select Install Subscription.
Note There are no keyboard shortcuts for the Languages menu.
DOLS troubleshooting and error messages
If you have problems configuring a subscription to go offline, you may
want to look at the following log files:
    • DOL.LOG (found in the \Program Files\Lotus iNotes directory on
    the client machine).
    • LOG.NSF (found in the \Program Files\Lotus iNotes\Data directory
    on the client machine). To open this file from a browser while offline,
    enter http://127.0.0.1:89/LOG.NSF.
Error messages
The following table lists client and server error messages you may see as
you use DOLS. These error messages are logged in LOG.NSF under
Miscellaneous Events. You can locate LOG.NSF in the \Program
Files\Lotus iNotes\Data directory on the client machine. To open this
file from a browser while offline, enter http://127.0.0.1:89/LOG.NSF.

Error requesting offline configuration from the server.
    The Offline Subscription Configuration Profile document is missing or
    you may have a connection error. Open LOG.NSF to see the corresponding
    server error message.

This subscription is not configured correctly to go offline.
    An error occurred during download. Open LOG.NSF to see the
    corresponding server error message.

Unable to download file set component information for this subscription.
    This is an HTTP request error and involves an access restriction. Open
    LOG.NSF to see the corresponding server error message.

HTTP Error 404.
    The Offline Subscription Configuration Profile document may be missing.

Synchronization failure.
    The remote server is not a known TCP/IP host.

Chapter 12
Planning the Service Provider Environment
This chapter describes the server and IP configurations and discusses
configuration-related decisions that you will make before you set up an
xSP server.
Planning the xSP server environment
The generic term “xSP” can refer to many different types of service
providers — application, Internet, storage, and management — to name
just a few.
A Domino service provider delivers services to small- and medium-sized
businesses, or multiple hosted organizations, from a single Domino
domain. To those hosted organizations, the service provider offers
Internet protocol-based access to a specific set of applications running on
Domino servers. By using a service provider, a company can outsource
the administration of applications and services that were formerly run on
the company’s computer infrastructure.
This portion of the documentation focuses on the decisions you will be
making when planning and setting up your xSP server environment. You
can then use your xSP server to host small and medium businesses.
The Domino service provider administrator
The responsibilities of a service provider administrator include
maintaining both the server environment at the host site and to varying
degrees, the hosted organizations.
First and foremost, the service provider administrator is responsible for
setting up and maintaining xSP servers — that is, protocol and database
servers — as well as any Domino clusters and network routers.
12-1
Service Provider
Although the hosted organization administrator can perform some of the
user and group maintenance, the service provider administrator
performs a significant amount of the administrative tasks required to
maintain a hosted organization. At a minimum, the service provider
administrator is responsible for registering and maintaining hosted
organizations and controlling which applications the hosted organization
uses. In addition, the service provider administrator must create and
maintain a mechanism that the hosted organization’s administrators use
to communicate problems and issues that require the intervention of the
service provider administrator.
Ways to set up a service provider environment
There are two ways to set up a service provider environment. You can set
up an xSP server, which features a shared Domino Directory, or you can
use server partitioning. The term “shared Domino Directory” indicates
that there is one Domino Directory shared by multiple hosted
organizations. All data is secured and accessible only by the small or
medium business that owns the data. A second option is Domino server
partitioning, which you use to run multiple instances of the Domino
server on a single computer.
Set up an xSP server to offer pure Internet protocol-based access to a
specific set of applications on Domino servers. For example, iNotes Web
Access is such an application. Using an xSP server reduces the total cost
of ownership for a designated set of services, offered to several
customers accessing the server through standard Internet protocols. In a
service provider environment, you are hosting multiple companies in one
Domino domain.
Use Domino partitioning to offer a Domino server where the customer
can have Notes Client access and can create and run their own Domino
applications. Setting up a partitioned server is particularly effective when
the partitions are in different Domino domains. Partitioning provides a
completely separate server for each customer, as well as a completely
separate Domino Directory.
For more information on partitioned servers, see the chapter “Setting Up
the Domino Network.”
12-2 Administering the Domino System, Volume 1
Securing the service provider environment
The Domino service provider environment uses all of the standard
Domino security features to ensure complete security for the service
provider and the hosted organizations that subscribe to the service
provider services. An xSP environment that has multiple hosted
organizations has potentially thousands of users whose access must be
restricted to their own data only.
In addition, the service provider configuration uses extended ACLs in
the Domino Directory to protect the data of each hosted organization
from access by users in other hosted organizations. The extended ACLs
required to support the xSP security model are automatically established
when new hosted organizations are created. Plan and test carefully if you
want to modify ACLs and extended ACLs in an xSP environment —
security is extremely important.
The authentication controls in Site documents control only who can
authenticate and use the Internet protocols. After authentication, ACLs
and extended ACLs control the data that can be read from and written to
the Domino Directory.
For more information on extended ACLs, see the chapter “Setting Up
Extended ACLs” and for more information on ACLs, see the chapter
“Controlling User Access to Domino Databases.”
A user in a hosted organization cannot directly access databases in any
subdirectories other than the hosted organization’s directory. Exceptions
are the “help” and “common” subdirectories of the Domino data
directory which contains databases accessible to users in all hosted
organizations.
To provide users with access to databases outside that of the hosted
organization’s subdirectory, create a directory link within the hosted
organization’s directory.
For more information on how directory links work and how to create
them, see the chapter “Organizing Databases on a Server.”
Using Domino features in a hosted server environment
There are several Domino features that need to be set up for a hosted
environment, just as they would need to be set up in a non-hosted,
enterprise environment. This section describes the features that are
required in a hosted environment and explains when to set them up.
Domino certificate authority
For some Internet certificates and for Domino Off-Line Services (DOLS),
you must use the Domino certificate authority (CA). The Domino CA is
required only if a hosted organization uses DOLS or wants to generate
Notes IDs. For example, a hosted organization may require Notes IDs for
its users if it uses a third-party application that uses the C API to perform
a function. If a hosted organization uses the Web Administrator to
manage their own users and groups, the hosted organization must use
certifiers issued by the Domino server-based CA.
If a hosted organization’s users are registered at the service provider site,
they can be registered with certifier IDs and passwords or with the
Domino server-based CA.
Using SSL in a hosted environment
To use SSL in a hosted environment, you must do the following for each
hosted organization:
• Create a new Domino server-based Certificate Authority (CA). Two or more hosted organizations cannot share the same Domino CA.
• Create a Certificate Requests database.
For more information on setting up and using the Domino server-based
CA and creating the Certificate Requests database, see the chapter
“Setting Up a Domino Server-Based Certification Authority.”
Policies
Policies are required when using the Domino service provider software.
Before registering a hosted organization, the service provider
administrator must decide which policy settings to implement. Before
registering a hosted organization, the service provider administrator can
create policy documents and policy settings documents and then assign
those documents during registration, or the service provider
administrator can create the documents during the hosted organization
registration process.
For more information on policies, see the chapter “Using Policies” and
see the topic “Using Policy Documents in a hosted environment” later in
this chapter.
Domino Off-Line Services
Domino Off-Line Services (DOLS) is supported in a hosted environment.
If a hosted organization uses DOLS, the hosted organization must be
registered with the Domino server-based CA. The registration process for
hosted organizations that support DOLS is almost identical to the setup
and registration of hosted organizations that do not support DOLS.
For more information on Domino Off-Line Services (DOLS), see the
chapter “Setting Up Domino Off-Line Services.”
Using the C API Extension Manager in a hosted environment
The C API Extension Manager is fully supported in a hosted
environment; however, there can be only one Extension Manager on a
server. If the Extension Manager must provide different services for each
hosted organization, program the Extension Manager to do the filtering.
For more information, see the C API User’s Guide and the C API Reference
Guide on the IBM Web site, www.ibm.com.
Planning the IP Address configurations in a hosted environment
A crucial step in planning an xSP configuration is to determine which of
the following IP address configurations to use:
• One IP address that is shared by multiple hosted organizations
• One IP address for each individual hosted organization
• A combination of the above two configurations
The IP address configuration that you choose will have an impact on
your entire xSP configuration.
One IP address that is shared by multiple hosted organizations
The following figure shows xSPserver1 supporting multiple hosted
organizations sharing IP address 92.32.2.0.
Figure: xSPserver1 supports three hosted organizations with one shared IP address.

Note SSL is not supported in this configuration because Domino does
not provide server authentication on a per-hosted-organization basis.
If the configuration features one IP address shared by multiple hosted
organizations, POP3, IMAP, HTTP, SMTP, LDAP and Domino IIOP are
the available protocols. In this configuration, each IP address entered on
the Internet Site documents must be the same for each protocol. The
POP3, IMAP, and LDAP users must use their Internet e-mail addresses
to authenticate. This configuration does not support anonymous access to
LDAP.
One IP address for each individual hosted organization
If you are using SSL, use a unique IP address for each hosted
organization. To use this configuration, you must bind the IP address to
the xSP server.
For more information on binding an IP address to a hosting server, see
the chapter “Setting Up the Service Provider Environment.”
The following figure shows xSPserver2 supporting three hosted
organizations, each with its own unique IP address.
Figure: Individual IP addresses for each hosted organization. Multiple hosted organizations on one server.

Planning the distribution of hosted organization data
The following four configurations are supported for distributing hosted
organization data within the service provider environment.
When you configure a hosted environment, databases must reside on the
xSP server — that is, the server to which the hosted organizations are
connecting.
Hosted organization data on one server
All of a hosted organization’s data can reside on one server. As the
number of hosted organizations increases, you can easily add additional
servers.
Figure: One hosted organization with all data on one server. As the customer base increases, servers may be added.

Multiple organizations on one server with a shared application
Multiple hosted organizations can share an application that is served
from a single server. Data for the hosted organizations resides on the
server with the application.
Figure: Three hosted organizations sharing one application from a single server.
Deciding which protocols and services to offer in the xSP
environment
Another aspect of planning a hosted environment is determining which
services to offer to customers. There are some considerations unique to
the Lotus Domino service provider environment that you will need to
take into consideration when determining which protocols (services) you
are offering to hosted organizations.
If you are offering mail services, you must provide the protocols to
support them. If you do not offer mail services, you do not need the
POP3, IMAP, or SMTP protocols.

Protocol/Service | Requirement
HTTP with iNotes Web Access | When sending mail via iNotes Web Access, enable HTTP on the server that stores the mail file.
IIOP | Domino IIOP is required to run Java code.
LDAP | If you use POP3 or IMAP and the client mail application supports LDAP, you can also use LDAP to provide the mail clients with addressing services. Lightweight Directory Access Protocol (LDAP) is a standard Internet protocol for accessing and managing directory information. If LDAP will be used with the Domino Directory, the LDAP protocol must be started.
POP3 and IMAP | POP3 and IMAP are access protocols only, that is, they retrieve mail. SMTP is required to enable POP3 and IMAP users to send mail. Additionally, the POP3 or IMAP client must be configured to send mail via an SMTP server.
SSL | SSL can be used in addition to Domino’s security services. SSL supports data encryption to and from clients and provides message-tampering detection and optional client authentication. Note SSL is supported only for hosted environments that use a unique IP address configuration.

Resolving mail addresses in a hosted environment
IP addresses are resolved via the Domain Name System (DNS), local host
file, or a combination of the two.
For ease-of-access and ease-of-administration, you can use host names
and Web site names to resolve mail addresses and to process transactions.
The following table indicates which names are used by each protocol.

Name | Protocol
Server host name (for example, serverA.corporation.com) | POP3 and IMAP clients use server host names to locate host servers when retrieving mail. Inbound HTTP transactions can use server host names when resolving transactions. LDAP clients use server host names when performing directory lookups. Web browsers can use server host names in URLs, in addition to other types of DNS names.
Web site name (for example, www.corporation.com) | HTTP transactions are resolved via Web site name.
The domain portion of an Internet e-mail address (for example, the corporation.com portion of the e-mail address JUser@corporation.com) | SMTP mail transactions use the domain portion of an Internet e-mail address. This domain name must also be entered in the Global Domain document. MX records must designate the IP addresses for the servers receiving SMTP mail.

For information on the Domain Name System (DNS) and MX records,
see the chapter “Overview of the Domino Mail System.”
For more information on the Domain Name System (DNS) and MX
records, see the topics The Domain Name System (DNS) and SMTP mail
routing and Examples of using multiple MX records.
Using activity logging for billing at hosted organizations
Using activity logging, you can collect data about the server activity
generated by users, such as user activity on a POP3 server, and
server activity not generated by users, such as replication of a hosted
organization’s databases. The log file (LOG.NSF) records activity logging
data. To create reports of activity data, write a Notes API program to
access the information in the log file.
Note The activity logging C API is included in the Lotus C API Toolkit
for Domino and Notes 6. This public C API can be used to read activity
data.
For more information on activity logging, see the chapter “Setting Up
Activity Logging.”
Activity records
Many sessions that the Domino server hosts last for an extended period
of time. To avoid losing activity information, many activity types
generate regular checkpoint records. For example, a two-hour Notes
session creates eight records: one open record, six checkpoint records and
one close record, assuming that the default checkpoint interval of 15
minutes is used. You need only review the most recent checkpoint record
for any activity because each checkpoint record shows all logged activity
data.
Billing methods
You will want to consider various billing methods based on your
business requirements. Consider one of these billing methods:
• Number of users at the hosted organization site.
• Number of users at the hosted organization site, plus disk space usage.
• Actual use. To collect activity data by database, use activity logging. To collect the data by individual hosted organization, use the activity logging API to write a custom application that sorts the data by hosted organization. Then, you can bill each hosted organization accordingly.
Deciding which applications to offer multiple hosted organizations
In addition to deciding which protocols and services to offer, you must
decide which applications to host. You can make a single application
available to multiple hosted organizations; you can offer individual
applications to each hosted organization; or, you can offer a combination
of the two.
Suggested criteria
Prior to choosing and installing applications for hosted organizations, do
the following:
1. Decide how to track the applications available to each hosted
organization. Lotus Notes/Domino 6 does not include an application
to track installed applications.
2. Evaluate applications. For example, if an application is Notes-based,
it may need to access external files, or, it may be a Java application.
3. Evaluate the reliability of the application. Is the application reliable
or does it cause the server to stop or crash? Determine the impact, if
any, that each application has on server performance.
4. Determine if the application presents any security risks. Ensure that
the application does not allow users to navigate the file system or
add or run their own executable programs.
5. Evaluate how well the new application integrates with the existing
configuration.
6. Test each application on a non-production server before installing it
on an xSP server. Make sure that each application is easy to install
for each hosted organization.
Note Domino does not support the use of servlets for xSP servers.
Example of planning a hosted environment
xSP International is a Domino service provider that plans to host Web
applications and offer services and protocols to many hosted
organizations. To configure the hosted environment, xSP International
plans to set up a Domino domain that includes clustered servers,
allowing them to define physical storage locations, other than the default,
for their hosted organizations.
xSP International plans to support SSL; therefore, they will use unique IP
addresses. They begin by installing two servers in their Domino domain:
Server1 and Server2. Although each server will contain data for multiple
hosted organizations, the data for each individual hosted organization
will reside on only one server. The data for a hosted organization will not
be distributed across multiple servers. Identical applications will run on
each server. If needed, xSP International can add additional servers to
this domain.
xSP International will initially register four hosted organizations in this
domain. To set up the first hosted organization, CompanyA, the service
provider administrator does the following:
1. Reads the topic “Installing the first server or additional servers for
hosted environments” prior to installation. After reading all of the
information in the chapters listed in Step 2, the service provider
completes the “Installing the first server or additional server for
hosted environments” procedure.
2. Reads the information in the chapter “Deploying Domino” and then
reads the chapter “Installing and Setting Up Domino Servers”. After
installing the initial xSP server, the service provider completes as
many procedures from these chapters as necessary.
3. Determines that a billing strategy based on actual usage suits the
requirements of CompanyA and xSP International.
4. Enables activity logging on all servers in the domain.
5. Uses the activity logging API to write a custom application to sort
data by hosted organization so that xSP International can bill each
hosted organization according to actual usage.
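The “actual use” billing method described under “Billing methods” and step 5 of the xSP International example both call for a program that sorts activity data by hosted organization. The following is an added example, not from this documentation and not the Lotus C API Toolkit: it models activity records as Python dicts (a constructed layout; the real data is read from LOG.NSF with the activity logging C API), keeps only the latest cumulative checkpoint or close record of each session, and attributes usage to a hosted organization from the user’s hierarchical name or the database’s top-level directory.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Subdirectories of the Domino data directory that every hosted organization
# shares; activity there cannot be attributed to a single customer.
SHARED_DIRS = {"help", "common"}


def _session(activity, sid, user, db, start, cumulative, close):
    """Constructed activity records for one session (not the LOG.NSF layout).

    'cumulative' holds the (bytes_read, bytes_written) totals reported by
    successive checkpoint records, 15 minutes apart; each checkpoint repeats
    everything logged so far. 'close' is the final total, or None when the
    session is still open when the log is read.
    """
    t0 = datetime.fromisoformat(start)
    recs = [dict(activity=activity, session=sid, type="Open", user=user, db=db,
                 time=t0, bytes_read=0, bytes_written=0)]
    for i, (rd, wr) in enumerate(cumulative, 1):
        recs.append(dict(activity=activity, session=sid, type="Checkpoint",
                         user=user, db=db, time=t0 + timedelta(minutes=15 * i),
                         bytes_read=rd, bytes_written=wr))
    if close is not None:
        recs.append(dict(activity=activity, session=sid, type="Close",
                         user=user, db=db,
                         time=t0 + timedelta(minutes=15 * (len(cumulative) + 1)),
                         bytes_read=close[0], bytes_written=close[1]))
    return recs


# Constructed sample log: a two-hour Notes session for CompanyA (open, six
# checkpoints, close), a POP3 session for CompanyB still open at the end of
# the log, server-side replication of a CompanyB database, and anonymous
# HTTP reads of a shared help database.
SAMPLE_RECORDS = (
    _session("Notes", "S1", "CN=Jane Doe/O=CompanyA", "CompanyA/mail/jdoe.nsf",
             "2002-01-07T09:00", [(i * 1_000_000, 0) for i in range(1, 7)],
             (6_500_000, 500_000))
    + _session("POP3", "S2", "Bob Lee/CompanyB", "CompanyB/mail/blee.nsf",
               "2002-01-07T09:30", [(200_000, 0), (350_000, 0)], None)
    + _session("Replica", "S3", None, "CompanyB/apps/orders.nsf",
               "2002-01-07T10:00", [], (50_000, 120_000))
    + _session("HTTP", "S4", "Anonymous", "help/help6_client.nsf",
               "2002-01-07T10:10", [], (30_000, 0))
)


def hosted_org(rec):
    """Attribute one record to a hosted organization, or None if not billable.

    User activity is charged to the organization in the user's hierarchical
    name (the O= component, or the last '/' component of an abbreviated name),
    the same */HostedOrganizationName form the extended ACL entries use.
    Server activity with no user, such as replication, and anonymous access
    are charged to the organization owning the database's top-level
    directory; the shared help and common directories are not billable.
    """
    user = rec.get("user")
    if user and user != "Anonymous":
        last = user.split("/")[-1]
        return last[2:] if last.upper().startswith("O=") else last
    top = rec["db"].replace("\\", "/").split("/")[0]
    return None if top in SHARED_DIRS else top


def latest_per_session(records):
    """Keep only the most recent record of each session. Checkpoint and close
    records are cumulative, so summing every record would overcount."""
    latest = {}
    for rec in records:
        key = (rec["activity"], rec["session"])
        if key not in latest or rec["time"] > latest[key]["time"]:
            latest[key] = rec
    return list(latest.values())


def usage_by_org(records):
    """Total bytes transferred and number of sessions per hosted organization."""
    usage = defaultdict(lambda: {"bytes": 0, "sessions": 0})
    for rec in latest_per_session(records):
        org = hosted_org(rec)
        if org is None:
            continue
        usage[org]["bytes"] += rec["bytes_read"] + rec["bytes_written"]
        usage[org]["sessions"] += 1
    return dict(usage)


def bill(records, cents_per_mb):
    """Charge per hosted organization, in cents, rounded up to the next cent."""
    return {org: (u["bytes"] * cents_per_mb + 999_999) // 1_000_000
            for org, u in usage_by_org(records).items()}


if __name__ == "__main__":
    for org, cents in sorted(bill(SAMPLE_RECORDS, 5).items()):
        print(f"{org}: {cents} cents")
```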
Chapter 13
Setting Up the Service Provider Environment
This chapter explains how to set up a hosted organization, lists and
explains the files and documents created when you register a hosted
organization, and provides other related information.
Setting up the service provider environment
Setting up the service provider environment consists of understanding the
information presented in the topics below so that you can make decisions
based on the services you are providing to customers, as well as
completing the tasks in the topics listed below.
• Installing the first server or additional servers for hosted environments
• Setting up the Domino Certificate Authority for hosted organizations
• Using Policy Documents in a hosted environment
• What happens during hosted organization registration?
• Binding the IP addresses of the hosted organization to the xSP server
• Creating Loopback addresses in a hosted environment
• Using Internet Site documents in a hosted environment
• Configuring Internet sites with Web Site and Internet Site documents
• Using Global Web Settings documents
• Configuring activity logging for billing hosted organizations
Installing the first server or additional servers for hosted
environments
All servers in an xSP domain run as xSP servers; therefore, you only use
the “-asp” portion of the setup command when you install the first server
in an xSP domain. All servers subsequently installed into the domain are
automatically configured as xSP servers.
Configuring the first or an additional server for a hosted environment
does the following:
• Creates an All Servers Configuration Settings document if there is no Configuration Settings document.
• Modifies the All Servers Configuration Settings document to set proper defaults for service providers.
• Sets up an extended ACL for the Domino Directory (NAMES.NSF) and the Administration Requests database (ADMIN4.NSF) to limit access to only users and/or administrators in the same hosted organization.
• Modifies the Server document to set proper defaults for service providers.
• Sets the ACL on databases in the data directory.
• Modifies a server-specific Configuration Settings document (if one exists) to set defaults for service providers.
• Modifies the database ACL for Anonymous from “NoAccess” to “Reader.”
The service provider configuration provides services to multiple hosted
organizations from a single Domino Directory.
Before performing this procedure, see the chapter “Installing and Setting
Up Domino Servers.”
1. To install the first xSP server, do one of the following:
• For Win32 systems, run this command from the directory in which the SETUP.EXE file is located:
setup.exe -asp
• For UNIX, run this command:
install -asp
For more information on installing Domino on UNIX, see the chapter
“Installing and Setting Up Domino Servers.”
2. Start the server.
3. Choose the Domino Enterprise server setup.
4. As the Setup wizard runs, enter the information appropriate to your
configuration.
Setting up a hosted organization
To set up a hosted organization, complete these procedures:
1. (Optional) Set up a server-based certification authority (CA).
2. Create a policy document.
3. Create a registration policy settings document.
4. Register a hosted organization.
5. Bind the IP addresses of the hosted organization to the xSP server.
6. Create the necessary Internet Site documents and the Web Site
document.
Setting up the Domino certificate authority for hosted
organizations
When registering hosted organizations, you can use the Domino
server-based certification authority (CA). If you don’t use the
server-based CA, you can use Domino’s certifier ID and password
for security purposes.
A CA vouches for the identity of both server and client by issuing
Internet certificates that are stamped with the CA’s digital signature.
The digital signature ensures the client and server that both the client
certificate and the server certificate can be trusted. The CA also issues
trusted root certificates, which allow clients and servers with certificates
created by different CAs to communicate with one another.
Each hosted organization must have its own Domino CA. If the hosted
organization uses DOLS or if they require Notes IDs, the hosted
organization must use the Domino server-based CA. If the hosted
organization administrator plans to use the Web Administrator, that
hosted organization must use the Domino server-based CA to
register users.
As part of setting up a CA, create a Certificate Requests database.
Then, using the Certificate Requests database, you can submit Internet
certificate requests through a browser, pick up new or renewed
certificates, and receive notification regarding request status.
For more information on the Domino CA and the Certificate Requests
database, see the chapter “Setting Up a Domino Server-Based
Certification Authority.”
Using policies in a hosted environment
Policies are required in a hosted environment. To establish the
registration settings that are required for hosted organizations, create
a policy document and a registration policy settings document.
Each hosted organization must have its own, unique registration policy
settings document. Multiple hosted organizations cannot share a
registration policy settings document.
For more information on policies, see the chapter “Using Policies.”
To meet the requirements for creating policy and registration policy
settings documents, you can create the policy before registering the
hosted organization, or you can create the policy during the registration
of the hosted organization.
• To create the policy before registering the hosted organization
Create an explicit policy prior to registering the hosted organization. Create the registration policy settings document before creating the hosted organization. Before attempting to use the explicit policy, make sure that you have referenced the appropriate registration policy settings document in that policy document.
• To create the policy while registering the hosted organization
Create an organizational policy and a registration policy settings document when prompted during hosted organization registration. The Register Hosted Organization user interface displays the documents that you need to create for hosted organizations during the registration process. These documents are presented in the order in which they need to be created.
Requirements for the registration settings document for hosted
organizations
For a hosted organization, the registration settings documents must
include the following settings:
• The Policy Name field must contain a valid registration policy settings document name.
• The Password Quality field must have a value of at least “Any Password.” Do not choose “Password is optional.”
• “Set Internet Password” must be selected.
What happens when you register a hosted organization?
You must use the Register Hosted Organization user interface to register
each hosted organization. When you register a hosted organization, the
following files and documents are created:
• The certificate for the hosted organization is created. If a modification to the certificate is ever required, you can locate the certificate as follows: From the Domino Administrator, click the People & Groups tab. Click Certificates.
• The hosted organization certificate is cross-certified with the service provider’s certificate. A Cross Certification document is created. To verify that cross certificates were created, from the Domino Administrator, click the Configuration tab. Click Server - Miscellaneous - Certificates. Click Notes Cross Certificates.
• The service provider’s certificate is cross-certified with the hosted organization certificate. A Cross Certification document is created.
• A Global Domain document is created. The Global Domain document stores the primary Internet domain name by which the hosted organization is known and stores secondary Internet domain names by which the hosted organization can receive Internet mail.
• A data directory is created for the hosted organization. This directory is assigned the name that is specified in the Directory field on the Storage panel of the Register Hosted Organization interface. By default, for Win32 systems, the hosted organization’s data directory is placed directly beneath Domino/data. On UNIX systems, the default is /local/notesdata. You can specify another location in the Physical Storage Location field on the Storage panel of the Register Hosted Organization interface.
• A mail subdirectory for the hosted organization is created beneath the hosted organization’s data directory.
• A mail file is created for the hosted organization’s administrator. This is an NSF and resides in the mail subdirectory for the hosted organization.
• An ACL file is created for each hosted organization to provide security for the hosted organization’s directory. The ACL file prevents users in one hosted organization from traversing a directory that belongs to another hosted organization. If a hosted organization’s ACL file is deleted, users in other hosted organizations may be able to review the content of the directories belonging to the hosted organization that is no longer protected by an ACL file. Do not confuse hosted organization ACL files with database ACLs, which control server, user, and group access to databases that reside on a
Domino server. The actual databases may or may not be protected according to how individual database ACLs are set.
The ACL file resides in the Domino data directory and is named hosted organization name.ACL.
For more information on setting database ACLs, see the chapter “Controlling User Access to Domino Databases.”
• An extended ACL is applied to the Administration Requests database (ADMIN4.NSF) and the Domino Directory (NAMES.NSF) to restrict access to the data in those databases. The extended ACL is enabled on the Domino Directory when the first hosted organization is registered.
• The database ACL entry for “Anonymous” is changed from NoAccess to Reader access in NAMES.NSF when the first hosted organization is registered.
• Entries are made for the hosted organization administrator in the database ACLs and the extended ACLs to allow the hosted organization administrators to Browse, Read, Create, Delete, and Write documents for their hosted organization.
• Extended ACL entries are created for all users and groups in a hosted organization (*/HostedOrganizationName) providing Browse and Read access to that hosted organization only.
• An extended ACL entry is created for “Anonymous” for each hosted organization with all access disabled. Entries are also made in the Form and Field Access in extended ACLs with Read Deny checked for the following fields:
Schema: Domino, Form: Group, Attributes: InternetAddress, MailDomain, Members, and Type. Form: Person, Attributes: AltFullName, Certificate, FirstName, InternetAddress, LastName, Location, MailAddress, MailDomain, o, OfficeCity, OfficeCountry, OfficeState, OfficeStreetAddress, OU, ShortName, UserCertificate, PublicKey, and Type. Schema: LDAP, Form: DominoPerson, Attribute: cn.
If LDAP Anonymous access is allowed to a hosted organization, the above fields match the “default” ACL for LDAP set in the Domain Configuration document. This list can be modified. Plan and test carefully before you modify ACLs and extended ACLs in an xSP environment — security is extremely important.
For more information on extended ACLs, see the chapter “Setting up Extended ACLs” and for more information on modifying the default extended ACL settings established during hosted organization
registration, see the topic “Modifying the extended ACL settings
established during hosted organization registration” in this chapter.
An
 Internet Site document is created for each Internet service for
which you provide an IP address or host name on the Internet panel
of the Register Hosted Organization interface. The documents that
are created contain default information for the protocol. You provide
additional, detailed information for these documents during hosted
organization registration. If you provide an address or host name for
multiple protocols, you are prompted to create the Internet Site
document for each Internet protocol. You must create the Internet
Site document in order to use the corresponding Internet protocol.
You are also prompted to create one Web Site document for each
hosted organization. The Web Site document is the Internet Site
document for the HTTP protocol. If a hosted organization has
multiple Web sites, create one additional Web Site document for each
additional Web site.
Note The Basics tab on the Server document contains the field
“Loads Internet configurations from Server/Internet Sites
documents,” which is enabled by default and cannot be changed in a
hosted environment. When this field is enabled, settings on the
Internet Site document take precedence over settings on the Server
document. This field is set when the servers are installed.
For more information on Web Site documents, see the chapter “Setting
up the Domino Web Server.” For more information on Internet Site
documents, see the chapter “Installing and Setting Up Domino Servers.”
• If you are using clustered servers, you can use the Storage panel on the
Register Hosted Organization interface to create additional storage for
the hosted organization on one or more servers in the cluster.
Note The HostedOrganizationAdmin group is created by default
(when you set up the hosted environment) and administrators are
automatically added to that group. Administrator groups enable you
to administer groups of people with administrator rights at one time
instead of individually establishing rights and settings for each
hosted organization administrator.
Where to store data for hosted organizations
To decide where to store a hosted organization’s data, evaluate whether
you are saving private data or shared data. Store a hosted organization’s
private data in a directory belonging to the hosted organization. Store
shared data in a common data directory accessible to all.
Registering hosted organizations with names requiring a server in
UTF-8 locale
If you will be registering hosted organizations that have names
containing characters from more than one character set, the registration
server must be run in a UTF-8 locale. For example, if both Korean and
Japanese hosted organization names must be supported, the server must
be in a UTF-8 locale. If only the Japanese hosted organization names are
supported, the server can be run in Japanese locale.
Opening databases on an xSP server
When the service provider administrator uses the File - Database - Open
menu commands to open a database, the Open Database dialog box does
not list all of the databases on the server, but all of the databases are
available by typing the database name in the Filename field, and then
clicking Open. For convenience, create bookmarks for the most
frequently opened databases.
Example of registering a hosted organization
In this example, Acme Printing, a small business, subscribes to
messaging services and some transaction-processing services offered by
xSP International, a Domino service provider.
To register Acme Printing as a hosted organization, the service provider
administrator at xSP International answers these questions:
• Does Acme Printing support DOLS users? Do they need Notes IDs?
If Acme Printing supports DOLS or needs Notes IDs for any purpose,
a Domino CA needs to be created for the hosted organization. If not,
they can use certifier IDs and passwords. Acme Printing does
support DOLS users.
• Which mail protocol does Acme Printing use? If they use POP3 or
IMAP, they need SMTP on the same server. Acme uses POP3, so they
need SMTP.
Which registration settings are needed for the registration policy
settings document for Acme Printing? The service provider
administrator determines that Acme Printing needs the CA-related
settings and POP3-related mail settings. Other default settings can
also be used.
• Does Acme Printing require storage locations in addition to the
default storage locations? If the service provider administrator set up
Acme Printing on a clustered server, they’ll be able to use additional
storage on servers in the cluster. On what server and directory will
that storage be located?
• Later, when an administrator is ready to register users for the hosted
organization, they can determine whether they can simplify user
registration by creating additional policy settings documents, such as
desktop policy settings documents and security policy settings
documents. An administrator can create these policy settings
documents as he would for any Lotus Domino enterprise. User
registration for Acme Printing employees is done by the service
provider administrator instead of by an Acme Printing administrator
using the Web Administrator.
The service provider administrator at the service provider site does the
following from the Domino Administrator:
1. Creates a Domino server-based CA for Acme Printing because they
support DOLS. Each hosted organization that needs a server-based
CA requires its own Domino CA because the CA cannot be shared
across multiple hosted organizations.
2. Creates an explicit policy named AcmePolicy and an associated
registration policy settings document.
3. Chooses Tools - Hosted Organization - Create to open the Register
Hosted Organization interface.
4. The service provider administrator begins completing the required
fields on each panel and enters information in these optional fields:
• On the Basics panel, selects the option “Organization supports
DOLS” and chooses the explicit policy named AcmePolicy.
• On the Internet panel, enters an IP address in the HTTP
Host/Address, SMTP Host/Address, POP3 Host/Address, and
Directory Host/Address fields because Acme requires these for its
Web site, for POP3 messaging with SMTP, and for LDAP services,
respectively.
• On the ID Info panel, chooses CA Enabled and chooses the CA
Server on which the Acme CA was created because Acme
supports DOLS users.
• On the Storage panel, because Acme will be hosted on a clustered
server at the service provider site, he enters an additional physical
storage location in “Physical Storage location for server name”.
5. After entering information in the Register Hosted Organization
interface, clicks the Register button.
6. Completes the Web Site document, the POP3 Site document, the
SMTP Site document, and the LDAP Site document. While
completing the Web Site document, the service provider
administrator follows the instructions for enabling the correct DSAPI
filter file name to support DOLS.
For more information on specifying the DSAPI filter file name in the
Web Site document, see the chapter “Installing and Setting Up
Domino Servers.”
7. Completes the procedure to bind the hosted organization’s IP
address to the Network Interface Card on the xSP server because the
IP Address configuration includes individual IP addresses for each
hosted organization.
8. Checks the following views and directories to see the documents and
files that have been created for the hosted organization, Acme
Printing.
• From the Domino Administrator, People & Groups tab, he clicks
Certificates to verify that Acme Printing’s certificate has been
created. He also verifies that Acme Printing’s certificate is
cross-certified with xSP International’s certificate, and that xSP
International’s certificate has been cross-certified with Acme
Printing’s certificate.
• From the Domino Administrator, he opens the Domino Directory
and chooses Servers - Domains to see the Global Domain
document for Acme Printing. On the Basics tab, the field
“Local primary Internet domain” contains the primary Internet
domain name by which the hosted organization is known. He also
enters a secondary Internet domain name in the “Alternate
Internet domain aliases” field by which Acme Printing can receive
Internet mail.
• Verifies that the hosted organization’s data directory was created,
as well as the hosted organization’s mail directory. The service
provider administrator also verifies that the ACL file, Acme
Printing.acl was created and that the mail file for the hosted
organization’s administrator has been created.
• From the Domino Administrator, he opens the Domino Directory
and checks the Server - Internet Sites view. The service provider
administrator sees that these documents exist for Acme: Web Site
document, SMTP Site document, POP3 Site document and LDAP
Site document. This view also contains a Global Web Settings
document for xSP International and three Web Site Rule
documents.
• From the Domino Administrator, opens the Policy view and
checks the explicit policy (AcmePolicy) and the associated
registration policy settings document (Acme).
Registering a hosted organization
The information that you enter in the fields on the Register Hosted
Organization interface is used to populate many of the documents that
define the hosted organization. For example, you select the policy that
applies to the hosted organization from a list of available policies.
Otherwise, the policy can be created during the hosted organization
registration process. Additionally, the Internet-related information
determines which Internet Site documents are created for the hosted
organization. The Internet Site documents contain the information
needed to run the Internet servers in a service provider configuration
and support all possible configurations of IP addresses and DNS host
names. In a hosted environment, a Site document is required for each
protocol that the hosted organization uses.
For more information on the Web Site document, see the chapter “Setting
Up the Domino Web Server” and for more information on Internet Site
documents, see the chapter “Installing and Setting Up Domino Servers.”
1. Ensure that you are working with the xSP server you just installed. If
you need to change to another server, choose File - Open Server, or
File - Preferences - Administration Preferences to select the server.
2. From the Domino Administrator, click the Configuration tab.
3. From the Tools pane, click Hosted Org - Create.
4. Enter the certifier’s password, and click OK.
5. Complete these fields on the Basics panel of the Register Hosted
Organization interface:

Registration Server: Enter the name of the server to use during the
registration process. The Domino Administrator contacts the
registration server while performing registration tasks.
Organization name: Enter a unique name for the hosted organization. The
name must be fewer than 28 characters and cannot contain a period (.)
because the hosted organization name is also used as the hosted
organization’s virtual Domino domain name for routing purposes. For
ease of administration, use a short name with no spaces. Organization
name is a required entry that is also used in the Internet Site
documents.
Organization supports DOLS: Choose this option if the hosted
organization supports Domino Off-Line Services (DOLS).
Password: Enter a case-sensitive password for the certifier. The
characters you use for this password depend on the level set in the
Password quality scale.
Password quality: Displays the Password Quality Scale that you can use
to define the complexity of the password. Do not choose “Password is
optional.”
Explicit Policy: Choose the explicit policy document that is the
ancestor of the registration policy settings document you are assigning
to the hosted organization. Click None Available if you have not yet
created the necessary policies and/or settings documents.
First Name, Middle Name, Last Name: Enter the name of the hosted
organization administrator.
Password: Enter a password for the hosted organization administrator.

Complete as many of these fields as needed to enable the corresponding
protocols for the hosted organization. When you enter the host name or
IP address for a protocol, that protocol is enabled when the
corresponding Site document is created. You are prompted to complete
the corresponding Site document later during this registration process.
Internet Domain: Enter the name of the Internet domain. By default, the
exact Internet domain name that you specified for this hosted
organization on the Mail tab of the registration policy settings
document is entered. For example, enterprise.com.
HTTP Host/Address: Enter the host name or IP address of the HTTP server
for the hosted organization.
SMTP Host/Address: Enter the host name or IP address of the server that
receives SMTP transactions for the hosted organization.
POP3 Host/Address: Enter the host name or IP address of the POP3 server
for the hosted organization.
IMAP Host/Address: Enter the host name or IP address of the IMAP server
for the hosted organization.
Directory Host/Address: Enter the host name or IP address of the LDAP
server for the hosted organization.
IIOP Host/Address: Enter the host name or IP address of the Domino IIOP
server for the hosted organization.

CA Enabled: Choose this option if the hosted organization supports DOLS
or uses Notes IDs.
CA Server: Enter the name of the server on which you created the Domino
CA. This is the server on which the CA process will create Internet
Certificates. This button is active only if you have created a Domino
CA.
Set ID file: Specify the drive and directory in which the ID file is to
be stored. By default, the certifier ID name matches the hosted
organization name. The certifier ID must be unique to the hosted
organization.

Mail Server: By default, this field contains the name of the mail
server for the hosted organization exactly as you entered it in the
registration policy settings document for the hosted organization. The
hosted organization and the administrator’s mail file will be stored on
this server. This field cannot be modified.
Directory: By default, this field contains the name of the directory in
which the hosted organization’s data resides. For ease of
administration, the directory name is created for you and is identical
to the hosted organization name. This field cannot be modified.
Host: Indicates whether the corresponding server hosts the hosted
organization. This field cannot be modified for the first entry in this
list. The first server entry in this list has a check mark because that
server is identified in the registration policy settings document as
the mail server for the hosted organization. For all other servers, a
check mark in this box identifies that server as a host server for the
hosted organization.
Server Name: Name of the server that is hosting the hosted
organization. If multiple server names appear in this list, the first
server in the list is the hosting server; other servers are the cluster
mates.
Physical Storage location: The directory name that is displayed is an
alternate location where the hosted organization’s data directory will
reside if you do not use the default location.
Physical Storage location for <server name>: Use this field to create a
directory link to an additional storage location for the hosted
organization you are registering. This field is activated when you
select a server in the Server Name field. The check box for the server
must be checked in order to select it. To add a directory link, enter
the full path for the storage location and then click the check box so
that the directory link displays in the Physical Storage Location
field. To delete a directory link, select the link in the Server
Name/Physical Storage Location fields. When the path displays in the
modifiable “Physical Storage Location for <server>” field, click the X.
Location: Enter text to define the location of the hosted organization.
Comment: Enter text to define the hosted organization’s name and other
information.

Modifying the extended ACL settings established during hosted
organization registration
Plan and test carefully before you modify ACLs and extended ACLs in
an xSP environment — security is extremely important.
When hosted organization registration is complete, all actions that are
identified in the topic “What happens when you register a hosted
organization?” are complete. You may want to enable Read access on
some fields for a hosted organization. To allow Read access to fields for
the anonymous entry in a hosted organization, in the extended ACL
settings, change Browse from Deny to Allow. In the Forms and Fields
Access section, select Show Modified, and change the fields from Read
Deny to Read Allow.
Note The individual fields are listed in the topic “What happens when
you register a hosted organization?” in this chapter.
For more information on extended ACLs, see the chapter “Setting Up
Extended ACLs.”
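As an added example that is not part of the Domino documentation, the following Python script audits what an anonymous LDAP bind actually returns from a hosted organization's directory against the baseline of attributes you planned to expose, so that an ACL or extended ACL change can be tested before it goes live. The LDIF capture is constructed, the attribute baseline is only the subset of field names visible in this chapter, and using `ldapsearch` as the capture tool is an assumption; copy the complete list from the hosted organization's Domain Configuration document before relying on the result.

```python
# Added example (not Domino code): compare the attributes an anonymous
# LDAP client can read with the attribute list you intended to expose.

from typing import Dict, List, Set

# Baseline of attributes the chapter lists as readable by anonymous LDAP
# access. Constructed subset: paste the full list from the hosted
# organization's Domain Configuration document for a real audit.
ANONYMOUS_BASELINE: Set[str] = {
    "officestate", "officestreetaddress", "ou", "shortname",
    "usercertificate", "publickey", "type", "cn",
}

# Constructed LDIF standing in for the output of an anonymous ldapsearch
# against the hosted organization (no real people or keys).
SAMPLE_LDIF = """\
dn: CN=Jane Doe,OU=Sales,O=AcmePrinting
cn: Jane Doe
ou: Sales
shortname: jdoe
officestate: CA
publickey: MIIBIjANBgkq
 hkiG9w0BAQEF
type: Person

dn: CN=John Roe,OU=Sales,O=AcmePrinting
cn: John Roe
ou: Sales
shortname: jroe
mailfile: mail\\jroe.nsf
telephonenumber: +1 555 0100
type: Person
"""


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Parse a minimal LDIF document into one dict per entry.

    Handles the subset ldapsearch output uses: "attr: value" lines,
    folded continuation lines that start with a space, comments and
    blank-line separators. Base64 ("::") values are kept as text.
    """
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    last_attr = None
    for raw in text.splitlines():
        if raw.startswith(" ") and last_attr is not None:
            current[last_attr][-1] += raw[1:]       # folded continuation
            continue
        if not raw.strip():
            if current:
                entries.append(current)
                current, last_attr = {}, None
            continue
        if raw.startswith("#"):
            continue
        attr, _, value = raw.partition(":")
        attr = attr.strip().lower()                 # LDAP names are case-insensitive
        current.setdefault(attr, []).append(value.strip())
        last_attr = attr
    if current:
        entries.append(current)
    return entries


def audit_anonymous_exposure(entries: List[Dict[str, List[str]]],
                             baseline: Set[str] = ANONYMOUS_BASELINE) -> Dict[str, Set[str]]:
    """Return, per DN, the attributes visible beyond the expected baseline.

    An empty dict means the anonymous view matches the plan; anything
    else means the ACL or extended ACL exposes more than intended.
    """
    findings: Dict[str, Set[str]] = {}
    for entry in entries:
        dn = entry.get("dn", ["<no dn>"])[0]
        exposed = {a for a in entry if a != "dn"} - baseline
        if exposed:
            findings[dn] = exposed
    return findings


if __name__ == "__main__":
    for dn, attrs in audit_anonymous_exposure(parse_ldif(SAMPLE_LDIF)).items():
        print(f"{dn}: unexpected attributes {sorted(attrs)}")
```

Run it after every change to the Browse or Read settings in the extended ACL and diff the findings before and after; a new DN in the output is a regression in what the hosted organization's anonymous users can see.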
Binding the IP addresses of the hosted organization to the xSP
server
If you assign an individual IP address to each hosted organization, use
one of the following procedures to bind the IP address of each hosted
organization to the network interface card in the xSP server. This
procedure applies only to configurations that include unique IP
addresses.
For more information on the IP configurations that you can use in a
hosted environment, see the chapter “Planning the Service Provider
Environment.”
SUN Solaris
Enter these commands as the root user, where <hme0> is the network
interface card.
ifconfig <hme0>:1 plumb
ifconfig <hme0>:1 <hosted_company1_ip> <server_ip> up
ifconfig <hme0>:2 plumb
ifconfig <hme0>:2 <hosted_company2_ip> <server_ip> up
.
.
.
ifconfig <hme0>:x plumb
ifconfig <hme0>:x <hosted_companyx_ip> <server_ip> up
IBM AIX
Enter the following command as the root user, where <en0> is the
network interface card.
ifconfig <en0> alias <IP address of hosted organization> netmask 255.0.0.0
Microsoft Windows NT 4.0
1. From the Microsoft NT desktop, right-click the Network
Neighborhood desktop icon and choose Properties.
2. Choose Protocols, and then double-click TCP/IP Protocol.
3. From the TCP/IP Properties box, click Advanced.
4. Click Add to add additional hosted organization IP addresses.
Accept the default subnet mask of 255.0.0.0.
Microsoft Windows 2000
1. From the Windows 2000 desktop, right-click the Network
Neighborhood desktop icon and choose Properties.
2. Right-click the Ethernet adapter, and then select Properties.
3. From the Adapter Properties box, double-click Internet Protocol
(TCP/IP).
4. Click Advanced.
5. Click Add to add additional hosted organization IP addresses.
Accept the default subnet mask of 255.0.0.0.
Creating loopback addresses in a hosted environment
If you use a network router in the xSP configuration and you assigned a
unique IP address to each hosted organization, you must create a
loopback address for each hosted organization. The instructions vary by
platform.
SUN Solaris
Enter these commands as the root user:
ifconfig <lo0>:1 plumb
ifconfig <lo0>:1 <hosted_company1_ip> <server_ip> up
ifconfig <lo0>:2 plumb
ifconfig <lo0>:2 <hosted_company2_ip> <server_ip> up
.
.
.
ifconfig <lo0>:x plumb
ifconfig <lo0>:x <hosted_companyx_ip> <server_ip> up
IBM AIX
Enter this command as the root user:
ifconfig <lo0> alias <IP address of hosted organization> netmask 255.0.0.0
Microsoft Windows NT 4.0
1. From the Windows NT desktop, right-click the Network
Neighborhood icon, and choose Properties.
2. Click Adapters, choose Add, and select MS Loopback Adapter.
3. When the adapter has been added, click Protocols and select TCP/IP
Protocol.
4. Select MS Loopback Adapter.
5. Click the “Specify an IP Protocols” tab, and enter the IP address for
the HTTP cluster 9.95.87.142.
6. Enter the subnet mask 255.255.255.128 and click OK.
7. Restart the system.
Microsoft Windows 2000
1. From the Windows 2000 desktop, right-click the Network
Neighborhood icon, and choose Properties.
2. Right-click the Ethernet adapter and choose Properties.
3. From the Adapter Properties box, double-click Internet Protocol
(TCP/IP).
4. Click Advanced.
5. Click Add to add an additional IP address. Accept the default subnet
mask of 255.0.0.0.
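The following Python script is an added example, not part of the Domino documentation, that generates the Solaris and AIX ifconfig lines shown in the two preceding sections (for the NIC or, with lo0, for the loopback device) from a table of hosted organization addresses and validates the addresses before anything is run as root. The addresses are constructed from the 192.0.2.0/24 documentation range, and the function name and per-organization comment lines are my own.

```python
# Added example (not Domino code): build the per-platform ifconfig
# commands for hosted organization addresses, with validation up front.

import ipaddress
from typing import Dict, List


def build_alias_commands(platform: str, interface: str, server_ip: str,
                         org_ips: Dict[str, str],
                         netmask: str = "255.0.0.0") -> List[str]:
    """Return ifconfig lines for the given hosted organization -> IP map.

    platform is "solaris" or "aix"; interface is the NIC (hme0, en0) or
    the loopback device (lo0) when a router sits in front of the server.
    Every address must be a valid IPv4 address, unique, and different
    from the server's own address, so a typo is caught before it is
    applied to a live interface.
    """
    server = ipaddress.IPv4Address(server_ip)        # raises on a bad address
    seen = {server}
    lines: List[str] = []
    # Sort by organization name so logical interface numbers are stable.
    for index, (org, ip) in enumerate(sorted(org_ips.items()), start=1):
        addr = ipaddress.IPv4Address(ip)
        if addr in seen:
            raise ValueError(f"{org}: address {ip} is already in use")
        seen.add(addr)
        lines.append(f"# {org}")
        if platform == "solaris":
            # One logical interface per hosted organization, as documented.
            lines.append(f"ifconfig {interface}:{index} plumb")
            lines.append(f"ifconfig {interface}:{index} {addr} {server} up")
        elif platform == "aix":
            lines.append(f"ifconfig {interface} alias {addr} netmask {netmask}")
        else:
            raise ValueError(f"unsupported platform: {platform}")
    return lines


if __name__ == "__main__":
    # Constructed sample: server and two hosted organizations on 192.0.2.0/24.
    hosted = {"AcmePrinting": "192.0.2.21", "BetaCo": "192.0.2.22"}
    for line in build_alias_commands("solaris", "hme0", "192.0.2.10", hosted):
        print(line)
```

Review the generated lines, then run them as root; keeping the mapping in one place also gives you the list to check against the hosted organizations' Internet Site documents and DNS records.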
Using Internet and Web Site documents in a hosted environment
The Internet Site documents and the Web site document contain
configuration settings for the Internet protocols. A Site document is
created for each protocol for which you enter an IP address or a host
name on the Internet panel of the Register Hosted Organization interface.
The Site document is created containing default information; you must
enter additional information in each Site document either during hosted
organization registration or later. The Internet protocol is not active until
the corresponding Internet Site or Web Site document is completed and
saved.
The Site documents contain the information needed to run the Internet
servers in a service provider configuration. They support all possible
configurations of IP addresses and DNS host names.
Internet Sites view
Using the Internet Sites view, you can view all Internet Site documents,
sorted according to hosted organization name. The Global Web Settings
documents and Web Site Rule documents also display in this view. The
following table describes each document shown in the view.

Web Site document: Web Site documents are generated for the HTTP
protocol. Each hosted organization has one Web Site document that can
be created during hosted organization registration. If a hosted
organization has multiple Web sites, you must create one Web Site
document for each additional Web site.
Note See the chapter “Installing and Setting Up Domino Servers,” for
information on configuring Web Site documents.
IMAP Site document, POP3 Site document, SMTP Inbound Site document:
These are the mail protocol Internet Site documents. An individual
Internet Site document is created for each mail protocol for which you
enter an IP address on the Internet panel of the Register Hosted
Organization interface.
LDAP Site document: This document is generated for LDAP servers.
IIOP Site document: Domino IIOP (DIIOP) uses the information in the
IIOP Internet Site document to define the scope of the Domino Directory
used to validate users. DIIOP enables you to use any Java code running
on any server on the network. DIIOP is not yet supported in a shared IP
address configuration.
Global Web Settings document: The Global Web Settings document applies
one or more Web Site Rule documents to all servers in the Domino domain
or only to specified servers in the Domino domain. The Global Web
Settings document is automatically created during setup of a hosted
organization.
Web Site Rule document: The Web Site Rule document is created from
within the corresponding Web Site document. The three Web Site Rule
documents that are automatically created in a hosted environment are
DOLS, iNotes help files, and iNotes.cab.

Viewing Web Site and Internet Site documents for a hosted
organization
1. From the Domino Administrator, click Files and open the Domino
Directory (NAMES.NSF).
2. Choose Server - Internet Sites.
3. Select the name of the hosted organization whose Internet Site
documents you want to view.
4. Double-click a document name to open it.
For more information on creating an Internet Site document, see the
chapter “Installing and Setting Up Domino Servers” and for information
on creating a Web Site document, see the chapter “Setting Up the
Domino Web Server.”
Configuring Internet sites with Web Site and Internet Site
documents
In a hosted environment, each Internet Site document defines the
configuration settings for an Internet protocol for a hosted organization.
When you register a hosted organization, you are prompted to create one
or more Internet Site documents as part of the hosted organization
registration process.
Note You have the option of not creating the Internet Site document
during hosted organization registration. You must then create the
Internet Site document in order to use the protocol.
For more information on Internet Site documents, see the topic “Using
Internet and Web Site documents in a hosted environment” in this
chapter.
A Web Site document is required for the HTTP protocol. You are
prompted to create one during the hosted organization registration
process. If multiple Web sites are assigned to one IP address — that is,
multiple DNS names are registered to one IP address — create a Web site
document for each Web site.
Note If the hosted organization supports DOLS, on the Web Site
document, specify a DSAPI filter file name according to the operating
system of the xSP server that hosts that hosted organization. Win32
requires the file ndolextn; and Linux, AIX, Solaris/Sparc, S390, and
iSeries require libdolextn.
For more information on specifying the DSAPI filter file name in the Web
Site document, see the chapter “Installing and Setting Up Domino
Servers.”
For security purposes, you can create a File Protection document for each
server. A File Protection document controls the access that Web browser
clients have to the files on a server’s hard drive. Create the File Protection
document after creating any Web Site document(s) and/or Internet Site
documents that you need.
For more information on File Protection documents, see the chapter
“Controlling Access to Domino Servers.”
Global Web Settings documents and the service provider
environment
Domino automatically creates a Global Web Settings document when
you install the Lotus Domino service provider software. The Global Web
Settings document is associated with three Web Site Rule documents that
automatically create several directories that may be required by
numerous users at any hosted organization. The Web Site Rule
documents make files accessible from one central location on the server,
so that these files do not need to be individually downloaded for each
hosted organization. The benefit is a substantial savings in disk space
because the service provider can provide the files to all users that need
them without having to duplicate them for each individual hosted
organization.
By default, the Global Web Settings document applies to all servers in a
Domino domain. If you do not want the Global Web Settings to apply to
all servers in a Domino domain, edit the document and specify the
servers to which the document applies.
The directories that are created via the Global Web Settings document
reside in the hosted organization\domino\ directory path.
Three associated Web Site Rule documents that contain the following
settings are created when the Global Web Setting document is created in
a hosted environment:

Web Site Rule document | Type of rule | Incoming rule pattern | Target server directory
DOLS | Directory | /download/* | domino\html\download
iNotes help files | Directory | /inotes5/help/* | domino\html\inotes5\help
iNotes.cab | Redirection | /iNotes.cab | domino\html\iNotes.cab
The Web Site Rule document for DOLS-enabled hosted organizations
downloads to a central location files that are required when the hosted
organization tries to access a DOLS-enabled database.
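As an added illustration that is not part of the Domino documentation, the following Python code resolves request paths against the three default Web Site Rules from the table above and refuses any request that would climb out of a rule's target directory, which is the check a Directory rule that maps URL paths onto a server directory must make. The rule entries are the ones from the table; the prefix-match semantics, case-sensitive comparison and single percent-decoding are assumptions of this example, not documented Domino behaviour.

```python
# Added example (not Domino code): resolve request paths through Web Site
# Rule documents of type Directory and Redirection, rejecting traversal.

from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import unquote


@dataclass(frozen=True)
class WebSiteRule:
    name: str          # Web Site Rule document name
    rule_type: str     # "Directory" or "Redirection"
    pattern: str       # incoming rule pattern, e.g. "/download/*"
    target: str        # target server directory or file


# The three rules the chapter says a hosted environment creates by default.
DEFAULT_RULES: List[WebSiteRule] = [
    WebSiteRule("DOLS", "Directory", "/download/*", r"domino\html\download"),
    WebSiteRule("iNotes help files", "Directory", "/inotes5/help/*",
                r"domino\html\inotes5\help"),
    WebSiteRule("iNotes.cab", "Redirection", "/iNotes.cab", r"domino\html\iNotes.cab"),
]


def normalize_path(path: str) -> Optional[str]:
    """Decode and canonicalize a request path; None if it escapes the root.

    Percent-encoded segments are decoded once before the check so that
    "%2e%2e" cannot smuggle a ".." past the comparison, and any ".." that
    would climb above "/" rejects the whole request.
    """
    path = unquote(path)
    if not path.startswith("/") or "\\" in path:
        return None
    stack: List[str] = []
    for segment in path.split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            if not stack:
                return None          # attempt to climb above the site root
            stack.pop()
            continue
        stack.append(segment)
    return "/" + "/".join(stack)


def resolve(path: str, rules: List[WebSiteRule] = DEFAULT_RULES) -> Optional[Tuple[str, str]]:
    """Return (rule type, resolved target) for the first matching rule, else None."""
    norm = normalize_path(path)
    if norm is None:
        return None
    for rule in rules:
        if rule.pattern.endswith("/*"):
            prefix = rule.pattern[:-1]                       # "/download/"
            if norm.startswith(prefix) and len(norm) > len(prefix):
                # norm is already free of "." and "..", so the remainder
                # stays inside the rule's target directory.
                remainder = norm[len(prefix):].replace("/", "\\")
                return rule.rule_type, rule.target + "\\" + remainder
        elif norm == rule.pattern:
            return rule.rule_type, rule.target
    return None


if __name__ == "__main__":
    for request in ("/download/setup.zip", "/iNotes.cab", "/download/../../names.nsf"):
        print(request, "->", resolve(request))
```

The same canonicalize-then-compare order applies whenever a rule maps URL space onto the file system: decode first, collapse the path, and only then test the prefix, so that encoded or nested ".." segments never reach the directory lookup.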
The iNotes.cab file is an archive file that contains controls that are
installed into a browser and make iNotes features available to browsers.
The iNotes help files are downloaded to a central location on the server
so that they do not have to be individually downloaded for each hosted
organization.
The Global Web Settings document and the Web Site Rule documents
appear in the Internet Sites view. You can review, edit, or delete them
from this view.
Editing a Global Web Settings document
Edit the Global Web Settings document to apply one or more Web Site
Rules to one or more servers in a Domino domain.
1. From the Domino Administrator, click the Files tab.
2. Open the Domino Directory (NAMES.NSF).
3. Choose Server - Internet Sites.
4. Select the Global Web Settings document that you want to modify,
and click Edit Global Web Settings.
5. On the Basics tab, edit these fields as necessary:

Descriptive name for this site: Enter a name that describes the Web
Site Rules that will be associated with this document.
Domino servers that host this site: Enter one:
• An asterisk (*) if the document is to apply to all servers in the
Domino domain.
• One or more names of servers to which this document applies.

Click Save and Close.

Configuring activity logging for billing hosted organizations
You can configure activity logging to collect transaction information that
is stored in the log file (LOG.NSF) and can be used for billing purposes.
Set up the Configuration Settings document to enable activity logging on
specific servers that you designate. You can enable activity logging on
one server, or more than one server, or on all servers in your domain.
1. From the Domino Administrator, click Configuration - Server -
Configurations.
2. Do one of these:
• To enable activity logging on all servers in the domain, open the
existing All Servers Configuration Settings document.
• To enable activity logging on all servers except one (or a small
number of servers), open the existing All Servers Configuration
Settings document and complete the fields on the Activity
Logging tab as shown below. Click Add Configuration to create a
new Configuration Settings document for each server that is an
exception to the settings in the All Servers Configuration Settings
document. Disable activity logging for the servers on which you
are not running activity logging.
• To enable activity logging for one server, create a Configuration
Settings document.
3. On the Activity Logging tab, complete these fields:

Activity logging is enabled: Select this check box to enable activity
logging on each server that you designate.
Enabled Logging Types: Select all logging types for which you want to
collect billing information.
Checkpoint interval: Enter the number of minutes that transpire between
activity logging updates to LOG.NSF. The checkpoint interval applies to
the logging types that you selected and that have open, active sessions.
Log checkpoint at midnight: (Optional) Select this check box to create
Notes session and Notes database checkpoint records every day at
midnight.
Log checkpoints for prime shift: (Optional) Select this check box to
create Notes session and Notes database checkpoint records at the
beginning and end of a specific time period. Specify the start and end
times for the time period.

Viewing logged activity data in a hosted environment
By default, logged activity data is stored in binary format in the log file,
LOG.NSF. A service provider administrator can create a Results database
to view the logged data for a hosted organization.
1. From the Domino Administrator, click the Server - Analysis tab.
2. From the Tools panel, click Analyze - Activity.
3. On the Server Activity Analysis dialog box, complete these fields:

Select server activity types to search for: Click the check box, and
then do one of these:
• Select an activity type to view, and then click Add. Repeat to
continue adding types.
• Click Select All to view all activity types.
Start Date, End Date: Select the start date and end date of the time
period for which you want to analyze logged activity data. Activity
data for the time period you specify is stored in the Results database.
Start Time, End Time: Select the start time and end time of the logged
activity data you want to analyze. Activity data for the specified time
period is stored in the Results database.
Results Database: Do the following:
1. Click this button to open the Results Database dialog box.
2. Specify the server on which the Results database will reside, the
title (name) of the database, and the file name.
3. Click OK.

4. Choose one:
Append
 to this database — To append the data to the existing
Results database.
Overwrite
 this database — To overwrite the data in the existing
Results database with new data.
5. Click OK. When the message box displays “Analysis Completed,”
click OK. The Log Analysis - Log Events view opens.
Chapter 14
Managing a Hosted Environment
This chapter contains instructions for moving a hosted organization from
one server to another, modifying the Server document, adding a hosted
organization to a server to provide new Web applications, viewing
hosted organizations, using the Web Administrator to manage users and
groups at a hosted organization site, and performing other actions
required to maintain a hosted environment.
Maintaining hosted organizations
As a service provider administrator, maintaining the hosted
organizations in your hosted environment is of primary importance.
Responsibilities include maintaining the servers that host your
organizations, maintaining the hosted organizations and their data, as
well as the users at those sites.
The majority of the administration activities that are performed in a
hosted environment are exactly the same as the same activities in a
non-hosted environment. The following topics explain how to complete
activities that are unique to or different in a hosted environment. Where
necessary, there is also explanatory information.
• Adding a hosted organization to an additional server to provide new Web applications
• Deleting a hosted organization
• Disabling services temporarily for a hosted organization
• Enabling anonymous access to a hosted organization’s database
• Managing Users at a hosted organization
• Moving a hosted organization from one server to another server
• Removing a hosted organization from a backup or load-balancing server
• Restoring a hosted environment after a server crash
• Temporarily disabling services for a hosted organization
• Using a browser to access a hosted organization’s Web site
• Using the Resource Reservations database in a hosted environment
• Viewing a hosted organization
• Web Administration from the hosted organization site
14-1
Service Provider
Adding a hosted organization to an additional server to provide new Web applications
A hosted server environment can be configured to allow multiple servers
to provide Web applications to one or more hosted organizations. Part of
managing a hosted environment is enabling additional servers to serve
Web applications to a hosted organization. Web applications can be
distributed across multiple servers, while serving as many hosted
organizations as you designate.
You can enable a hosted organization that is currently being served
applications by one or more servers to be served a Web application by an
additional server.
To add a hosted organization to an additional server to provide new
Web applications
1. Create a data directory for the hosted organization on the target
server.
2. Create an ACL file for the hosted organization in the data directory
of the target server.
3. Create a Web Site document for the hosted organization, where the
new Web Site document’s DNS name resolves to the target server’s
IP address or name. This new Web Site document allows servers and
routers to distinguish between servers. Use the Basics tab on the new
Web Site document to enter the host names or addresses that map to
the site and the Domino servers that host the site.
4. To support the hosted organization, make other Web
application-specific modifications — for example, configure the
Welcome page.
5. For Web applications only, create the DNS names that direct users to
this server and to this hosted organization’s Web site.
For more information on setting up a Web Site document, see the chapter
“Setting Up a Domino Web Server.”
14-2 Administering the Domino System, Volume 1
Deleting a hosted organization
The service provider administrator is responsible for deleting a hosted
organization when the hosted organization stops subscribing to a service
provider’s services. When you delete a hosted organization, the
following documents, files, and directories for the hosted organization
are deleted:
• Data directory
• Cross certificates
• ACL file
• Extended ACL entries in the Domino Directory’s ACL file
• HostedOrganizationAdmins group
• Global Domain document
• Internet Site documents
• Policy document
To delete a hosted organization
1. From the Domino Administrator, click the Configuration tab.
2. Click Tools - Hosted Organization - Delete.
3. Select the name of the hosted organization to delete.
4. Choose one of these Processing types:
• Immediately clean up Domino Directory — To remove all references to the hosted organization from the Domino Directory immediately
• Use Administration Process only — To remove all references to the hosted organization from the Domino Directory when the “Delete hosted organization” administration request runs
Note Both processing types generate administration requests and
both require that you open the Administration Requests
(ADMIN4.NSF) database and approve the deletion of hosted
organization storage.
5. Click OK. You are prompted to confirm the deletion. Click Yes, and
then click OK.
To approve the deletion request
1. Click the Server - Analyses tabs.
2. Click Administration Requests (6).
3. Open the “All Requests by Name” view.
4. Open the “Approve Deletion of Hosted Organization Storage”
request.
5. Click Edit Document. Click “Approve Hosted Organization Storage
Deletion” to approve the request.
6. Click Yes, and then click OK.
Temporarily disabling services for a hosted organization
To disable all Internet services for a hosted organization, use the Internet
Site documents to set all authentication options to No for all Internet
protocols for a hosted organization. To enable Internet service for that
hosted organization at a later time, set the authentication options to Yes.
1. From the Domino Administrator, choose Files and open the Domino
Directory (NAMES.NSF).
2. Choose Servers - Internet Sites.
3. Select the Internet Site document that contains the settings you want
to modify, and click Edit Document.
4. Click Security. Set the “Anonymous” and “Name and Password”
fields to No to disable the service for the hosted organization. To
enable the service at a later time, reset these same fields to Yes.
For more information on the Authentication fields on the Security tab of
the Site documents, see the chapter “Installing and Setting Up Domino
Servers.”
Enabling anonymous access to a hosted organization’s database
To make a hosted organization’s database available to anonymous Web
site users, add “Anonymous” to the ACL file. Adding Anonymous to the
ACL file does not expose all of the hosted organization’s data to
anonymous users. For example, anonymous Web users cannot browse a
hosted organization’s directory because browsing is disabled.
Do not confuse an ACL file, which provides security for the hosted
organization itself, with a database ACL, which controls the access that
server, users, and groups have to a database.
Sample ACL file
The content of a sample ACL file for a hosted organization named
company1 with Anonymous access is shown below.
.
ASP Admin/ASP
*/company1
Anonymous
LocalDomainServers
LocalDomainAdmins
[owner=company1]
In addition to modifying the ACL file, modify the hosted organization’s
database ACL to allow anonymous access to the database.
For more information on modifying a database ACL, see the chapter
“Controlling User Access to Domino Databases” and for more
information on modifying the Web Site document security settings, see
the chapter “Installing and Setting Up Domino Servers.”
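The following parser and audit helper is an added example, not IBM code; the file format (one name per line plus a [owner=...] directive) is inferred from the company1 sample above and is therefore an assumption, as is the wildcard-entry check.

```python
"""Parse and audit a hosted-organization ACL file (added example).

Assumption: the format is one access entry per line, with a bracketed
[owner=<hosted organization>] directive, as in the company1 sample above.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample, modelled on the company1 ACL file shown on this page.
SAMPLE_ACL_FILE = """\
ASP Admin/ASP
*/company1
Anonymous
LocalDomainServers
LocalDomainAdmins
[owner=company1]
"""


@dataclass
class HostedOrgAcl:
    entries: List[str] = field(default_factory=list)  # names granted access
    owner: Optional[str] = None                       # value of [owner=...]


def parse_acl_file(text: str) -> HostedOrgAcl:
    """Split the file into access entries and the [owner=...] directive.

    Blank lines are ignored. A line of the form [key=value] is treated as a
    directive (assumption); every other non-blank line is an access entry.
    """
    acl = HostedOrgAcl()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            key, sep, value = line[1:-1].partition("=")
            if sep and key.strip().lower() == "owner":
                acl.owner = value.strip()
            continue
        acl.entries.append(line)
    return acl


def anonymous_enabled(acl: HostedOrgAcl) -> bool:
    """True if 'Anonymous' is listed: unauthenticated Web users can reach the
    hosted organization's content (the database ACL must still allow it)."""
    return any(e.lower() == "anonymous" for e in acl.entries)


def audit_acl(acl: HostedOrgAcl, hosted_org: str) -> List[str]:
    """Return findings a service provider administrator would want to see."""
    findings: List[str] = []
    if acl.owner is None:
        findings.append("missing [owner=...] directive")
    elif acl.owner.lower() != hosted_org.lower():
        findings.append(
            f"owner '{acl.owner}' does not match hosted organization '{hosted_org}'")
    if anonymous_enabled(acl):
        findings.append(
            "Anonymous is listed: content is available to unauthenticated Web users")
    wildcard = f"*/{hosted_org}"
    # Assumption: */org is a Domino wildcard covering everyone certified under /org.
    if not any(e.lower() == wildcard.lower() for e in acl.entries):
        findings.append(f"no wildcard entry {wildcard} for the hosted organization's own users")
    return findings


def remove_anonymous(acl: HostedOrgAcl) -> str:
    """Render the file with Anonymous removed, i.e. anonymous access disabled."""
    lines = [e for e in acl.entries if e.lower() != "anonymous"]
    if acl.owner is not None:
        lines.append(f"[owner={acl.owner}]")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    parsed = parse_acl_file(SAMPLE_ACL_FILE)
    for finding in audit_acl(parsed, "company1"):
        print("-", finding)
    print(remove_anonymous(parsed), end="")
```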
Moving a hosted organization to another server
You may need to modify some of the procedures in this section to better
fit your individual configuration. For example, you may need to modify
your network router configuration if your configuration includes a
network router.
Moving a hosted organization that has a unique IP address varies
somewhat from moving a hosted organization that has a shared IP
address.
Moving a hosted organization that has a unique IP address
To move a hosted organization that has a unique IP address, complete
these procedures:
1. Re-create the hosted organization infrastructure on the destination
server.
2. Open the registration policy settings document for the hosted
organization that you are moving and change the original mail
server name to the name of the destination server — that is, the new
mail server.
3. Use the Domino Administrator to move databases and move users
that have mail files from the source server to the destination server.
4. Prohibit access to the source server.
5. Move non-database files from the source to the destination server.
6. Enable access to the destination server.
7. From the source server, remove the infrastructure for the relocated
hosted organization.
Moving a hosted organization that has a shared IP address
To move a hosted organization that shares an IP address with other
hosted organizations, you must change the IP address of the hosted
organization that you are moving. In addition, you must modify the
server information in the documents, as well as the DNS entries for the
hosted organization you are moving. DNS entries are often cached and
may require a substantial amount of time to process a change.
Complete these procedures:
1. Prohibit access to the source server.
2. Enter the destination server name in the “Domino servers that host
this site” field in all of the Site documents for the hosted
organization.
3. Create a hosted organization infrastructure on the destination server.
4. Open the registration policy settings document and change the
original mail server name to the name of the destination server —
that is, the new mail server.
5. For users who have mail files, use the Domino Administrator to
move the users from the source server to the destination server.
6. Move nondatabase files from the source server to the destination
server.
7. Enable access to the destination server.
8. Remove the infrastructure from the source server.
To create the hosted organization's infrastructure on the destination
server
1. On the destination server, do one of these:
• Create a subdirectory of the data directory. The new subdirectory name must be identical to the subdirectory name on the source server.
• Create a new data directory and a directory link.
2. If any directory links, database links, or Web site directory references
are located outside of the hosted organization’s subdirectory, create
new directories for those links.
3. Copy the hosted organization’s ACL file from the source server’s
data directory to the destination server’s data directory.
4. If any Web application requires a “per hosted organization
infrastructure,” create that infrastructure.
To edit the hosted organization's registration policy settings
document
1. From the Domino Administrator, open the Domino Directory.
2. Choose Policies - Settings.
3. Select the registration policy settings document you want to edit.
4. Click Edit Settings.
5. On the Mail tab, choose the name of the destination mail server from
the list displayed in the “Choose the mail server” field.
6. Click Save and Close.
To move the mail file and other databases
Caution During this procedure, do not approve the mail file deletion in
the Administration Requests database (ADMIN4.NSF). If you approve
the deletion too soon, the user will not have access to the mail file on the
source server. Approve the mail file deletion later, when doing so will
not impact user access to the mail file.
1. Make sure that you and the source server have Create Replica access
to the destination server.
2. From the Domino Administrator, click People & Groups.
3. Select the person whose mail file you are moving.
4. From the Tools panel, click People - Move.
5. Enter the destination mail server name in the Destination field.
Include the hosted organization subdirectory.
6. Select the server and paths on which you want to create mail files.
Replicas will be created at the location you select.
7. Click OK.
For more information on moving mail files, see the chapter “Setting Up
and Managing Notes Users.”
To enable access to the destination server
1. Associate the hosted organization’s IP address with the destination
server according to your particular setup. You may need to update
host files, DNS server settings, and the IP address assigned to the
TCP/IP stack.
2. You may need to stop and restart the server depending on your
TCP/IP stack. Whether or not you can modify the IP addresses that
are served without restarting the server depends on your individual
configuration.
To prevent access to the source server
Complete this procedure after you have successfully initiated as many
“Move mail file” actions as necessary. This procedure applies only to
moving a hosted organization that has a unique IP address.
1. Shut down the Domino server on the source server.
2. Disassociate the hosted organization’s IP address from the source
server. You may need to modify host files or DNS server settings, as
well as the IP address assigned to the TCP/IP stack.
To move non-database files from the source server to the
destination server
1. Copy all database files from the source server to the destination
server.
2. From the source server, recursively delete the non-database files that
you copied to the destination server.
3. Copy all non-database files in directories that are not within the
hosted organization’s data directory. Copy the files from the source
server to the destination server.
4. Determine whether any Web application requires
per-hosted-organization data that has not already been copied. Copy
that data to the destination server, and then delete it from the source
server.
5. (Optional) Replicate the data from the source server to the
destination server to ensure that all changes made to the source
server appear on the destination server.
6. Change the IP addresses hosted by the destination server to include
the new addresses — that is, those formerly hosted by the source
server. Modify all Internet Site documents as necessary.
7. Restart the Domino server on the destination server.
For more information on the Internet Site documents, see the chapters
“Setting Up the Service Provider Environment” and “Installing and
Setting Up Domino Servers.” For more information on the Web Site
document, see the chapter “Setting Up a Domino Web Server.”
To remove the infrastructure from the source server
1. Open the Administration Requests database (ADMIN4.NSF) and
approve the requests to delete the source databases. When all
requests have been successfully processed — that is, when the
databases have been deleted — proceed to Step 2.
For more information on approving administration requests, see the
chapter “Setting Up the Administration Process.”
2. Delete the hosted organization’s subdirectory from the source server.
3. Delete any directories that are specific to the hosted organization and
that reside outside of the hosted organization’s data directory.
4. Delete the hosted organization’s ACL file from the data directory on
the source server.
To prevent access to the source server
1. Shut down the Domino server on the source server.
2. Disassociate the hosted organization’s DNS names from the source
server’s IP address. Associate those DNS names with the destination
server’s IP address.
3. If SSL was used for encryption, do not copy the old key ring file to
the destination server. Use the destination server’s key ring file.
4. Open each Internet Site document to modify the IP address for the
hosted organization on the destination server. Make sure that Web
site names are correct.
For more information on Internet Site documents, see the topics
Internet Site documents and Using Internet Site documents in a
hosted environment.
5. Restart the Domino server on the source server.
Removing a hosted organization from a backup or load-balancing
server
Use this procedure to remove a hosted organization and all of its services
from a server that provides hot-backup or load-balancing capability. In
this configuration, one unique IP address is used for each hosted
organization. You do not need to modify the Internet Site documents
because the network router controls redirection connections for
load-balancing and for hot-backups.
To remove a hosted organization from a backup or load-balancing
server
1. Perform the necessary steps to do one of these:
• Prevent the network router from distributing the data from this hosted organization to the destination server
• Deconfigure the hot-backup server
2. Delete files and databases from the hosted organization’s data
directories and from any other directories in which hosted
organization files reside.
3. Delete the hosted organization’s data directory.
4. Delete the hosted organization’s ACL file from the Domino data
directory.
To remove a hosted organization from a server that provides
Web-application support
1. Remove the DNS name for the Web application.
2. Delete the Web Site document for the Web application.
3. Modify common data for the application to remove support for the
hosted organization.
4. Delete the content of the hosted organization’s data directory.
5. Delete the hosted organization’s ACL file.
Restoring a hosted environment after a server crash
To recover quickly from various system failures and server crashes,
implement transaction logging in the hosted environment. Also, create a
daily backup so that you can restore current data if necessary.
Restoring the Domino Directory and extended ACLs
If the Domino Directory in a hosted environment becomes corrupted,
you also lose the extended ACLs for NAMES.NSF and for
ADMIN4.NSF. Restart the servers so that transaction logging will restore
the data, including the content of the Domino Directory. You cannot
recreate the Domino Directory from the template. You must use
transaction logging and/or a recent backup of NAMES.NSF in order to
restore the Domino Directory and the extended ACLs.
If you are not using transaction logging, restore the Domino Directory
from the most recent daily backup.
For more information on transaction logging, see the topics Transaction
logging and How transaction logging works.
For more information on transaction logging, see the chapter
“Transaction Logging.”
How the Domino service provider software responds to a DNS
outage
The Domino service provider software can withstand DNS outages. After
the Internet Site documents have been loaded into the Domino ASP
cache, on subsequent loading of the cache, if there are any DNS-lookup
errors, cache entries are not immediately removed but are instead
removed slowly over time. DNS-lookup errors occur when DNS is
unavailable or host names cannot be resolved into IP addresses. If there
are any invalid host names in your Internet Site documents or if DNS is
unavailable, then the DNS recovery code is activated. Cache deletions
then require more time — up to two hours.
For example, a cache deletion results when you remove an IP address or
host name from an Internet Site document or remove a server from the
list of Domino servers that host the site.
The Domino service provider software recognizes Internet Site
documents during the resulting time-out period. To minimize this
recovery time-out, ensure that there are no invalid host names in your
Internet Site documents. If there are no invalid host names and DNS is
available, then cache deletions occur within five minutes.
The following console message is logged if there are invalid host names
in the Internet Site documents (excluding the Web Site document):
Lookup of IP address for host hostname.com failed
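The following detection script is an added example, not IBM code: it scans console log lines for the message quoted above, maps each failing host name back to the Internet Site document that lists it, and distinguishes a likely DNS outage (every listed host fails) from invalid host names (only some fail). The console lines and the Site document contents are constructed, and the leading timestamp format is an assumption.

```python
"""Find invalid host names in Internet Site documents from Domino console
output (added example). The message text is the one quoted on this page;
the sample console lines and Site document data are constructed.
"""
import re
from typing import Dict, Iterable, List, Set

# Matches the console message quoted above, wherever it sits on the line
# (assumption: Domino prefixes console lines with a timestamp).
LOOKUP_FAILED = re.compile(r"Lookup of IP address for host (\S+) failed")

# Constructed sample console output.
SAMPLE_CONSOLE = """\
02/14/2003 09:15:02 AM  HTTP Server: Started
02/14/2003 09:15:04 AM  Lookup of IP address for host www.acmeprintng.com failed
02/14/2003 09:15:04 AM  Lookup of IP address for host mail.acmeprinting.com failed
02/14/2003 09:20:11 AM  Lookup of IP address for host www.acmeprintng.com failed
02/14/2003 09:31:45 AM  Router: Message delivered
"""

# Constructed map: Internet Site document title -> host names it lists.
# (Per the text above, the message is logged for Internet Site documents
# other than the Web Site document.)
SAMPLE_SITE_DOCUMENTS: Dict[str, List[str]] = {
    "Acme Printing Web": ["www.acmeprinting.com", "www.acmeprintng.com"],
    "Acme Printing IMAP": ["mail.acmeprinting.com"],
    "Widgets Inc Web": ["www.widgets.example"],
}


def failed_hosts(console_lines: Iterable[str]) -> Dict[str, int]:
    """Return each host name whose DNS lookup failed, with a failure count."""
    counts: Dict[str, int] = {}
    for line in console_lines:
        match = LOOKUP_FAILED.search(line)
        if match:
            host = match.group(1).rstrip(".").lower()
            counts[host] = counts.get(host, 0) + 1
    return counts


def affected_site_documents(
    failed: Set[str], site_docs: Dict[str, List[str]]
) -> Dict[str, List[str]]:
    """Map each Internet Site document to the failing host names it lists,
    so the administrator knows which documents to correct."""
    result: Dict[str, List[str]] = {}
    for title, hosts in site_docs.items():
        bad = [h for h in hosts if h.lower() in failed]
        if bad:
            result[title] = bad
    return result


def classify(failed: Dict[str, int], site_docs: Dict[str, List[str]]) -> str:
    """'ok' if nothing failed; 'dns-outage' if every listed host failed
    (DNS itself is unavailable); otherwise 'invalid-host-names'. In both
    failure cases the DNS recovery code is active and cache deletions can
    take up to two hours instead of five minutes."""
    if not failed:
        return "ok"
    all_hosts = {h.lower() for hosts in site_docs.values() for h in hosts}
    if all_hosts and all_hosts <= set(failed):
        return "dns-outage"
    return "invalid-host-names"


if __name__ == "__main__":
    failed = failed_hosts(SAMPLE_CONSOLE.splitlines())
    print("state:", classify(failed, SAMPLE_SITE_DOCUMENTS))
    for title, hosts in affected_site_documents(set(failed), SAMPLE_SITE_DOCUMENTS).items():
        print(f"{title}: fix {', '.join(hosts)}")
```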
Using a browser to access a hosted organization’s Web site
Use a browser to access a hosted organization’s Web site; include the
name of the hosted organization’s directory in the URL. Use this syntax:
http://Web_site_name/hosted_organization/database_name
For example, to access the home page for the hosted organization Acme
Printing, enter:
www.acmeprinting.com/acme_printing/homepage.nsf
For example, to access your own mail file named JSMITH.NSF, at the
hosted organization named Acme Printing, enter:
www.acmeprinting.com/acme_printing/mail/jsmith.nsf
Note You can use a Web Site document to redirect users to other Web
sites.
For more information on redirecting users to other Web sites, see the
chapters “Setting Up the Domino Web Server” and “Installing and
Setting Up Domino Servers.”
Using the Resource Reservations database in a hosted
environment
You can create a Resource Reservations database that can be used for the
service provider site and for all hosted organizations. This Resource
Reservations database is created in the Domino data directory.
To create the Resource Reservations database
1. Use the template RESRC60.NTF to create the Resource Reservations
database.
For information on creating a database, see the topic Creating a
Database if you have installed Lotus Notes 6 Help. Or, go to
http://www.notes.net/doc to download or view Lotus Notes 6 Help.
2. After creating the database, open the new database.
3. Edit the database ACL as follows:
a. To the service provider administrator, assign the “Create
Resource” role which allows the administrator to create new
entries in the database.
b. To default users, assign the “NoAccess” role to prevent users
outside of the hosted organization from accessing the database.
4. Close the database.
Caution Do not assign access rights and roles directly to a hosted
organization. Because the Resource Reservations database is not
automatically protected by an extended ACL, if you assign access rights
and roles to a hosted organization, users in the hosted organization will
be able to open the Resource Reservations database for other hosted
organizations.
To create a Site Profile document to support a hosted organization
In the Resource Reservations database, each hosted organization is
treated as a site. Create a Site Profile document for each individual
hosted organization.
1. From the Domino Administrator, open the new Resource
Reservations database.
2. To add a new hosted organization, click Add Site.
3. Enter the hosted organization name in the Site name field. Using the
hosted organization name sets the extended ACLs on the
Resource/Reservations database for the site, thereby preventing
unauthorized users from accessing this database.
4. Enter the name of the hosted organization in the Domain name field.
5. Click Save and Close.
6. Add resources and reservations to the database.
For more information on the Resource Reservations database, see the
chapter “Setting Up Calendars and Scheduling.”
Viewing hosted organizations
The People and Groups views in the Domino Administrator are
categorized by organization name or by non-hierarchical (flat) name. The
non-hierarchical view is the default. To use the organization view, click
People or click Groups and then click by Organization.
You can view a list of the hosted organizations and corresponding Site
documents in the Domino Directory.
For more information on viewing Web Site and Internet Site documents,
see the chapter “Setting Up the Service Provider Environment.”
Managing users at a hosted organization
As a service provider administrator, you have varying levels of
responsibilities for user management, according to the agreements you
have with your various hosted organizations. To perform user
management actions from the service provider site, use the Domino
Administrator to register, delete, or perform any user or group
management action.
If you will be performing all user management actions from the service
provider site, see specific areas of the documentation that explain the
actions you want to perform. For example, you would most likely want
to access these areas of the documentation:
• Registering users
• Managing users
• Creating and modifying groups
• Managing groups
• Deleting a group with the Domino Administrator or the Web Administrator
User management from the hosted organization site
To enable hosted organizations to use the Web Administrator to add and
delete users and groups, see the topic “Web Administration from the
hosted organization” in this chapter.
Using the Web Administrator to manage users at a hosted
organization
The hosted organization administrator can use the Domino Web
Administrator to maintain users and groups. Before using the Web
Administrator, the hosted organization administrator must be familiar
with the Web Administrator.
For more information on the Web Administrator, see the chapter “Setting
Up and Using Domino Administration Tools.”
To use the Web Administrator, you must also use the server-based
certification authority (CA). Set up and load the CA before attempting to
access and use the Web Administrator.
For more information on the server-based CA, see the chapter “Setting
Up a Domino Server-Based Certification Authority.”
Note If a hosted organization’s users are registered at the service
provider site, they can be registered with certifier IDs and passwords or
with the Domino server-based CA. To register a user for a particular
hosted organization, ensure that the service provider administrator is
using a certifier created for that hosted organization. Users registered by
the hosted organization administrator at the hosted organization site
must be registered using the Domino server-based CA.
To set up access to the Web Administrator at a hosted organization
site
Before using the Web Administrator, the hosted organization
administrator must have rights in the ACL for WEBADMIN.NSF,
NAMES.NSF, and ADMIN4.NSF. The service provider administrator
must assign these rights to the hosted organization administrators who
are responsible for managing users and groups with the Web
Administrator.
• Add the hosted organization administrator to the HostedOrganizationAdmins group and assign Author access with the People&Groups role in the ACL.
• Add the hosted organization administrator to the LocalDomainAdmins group and assign Manager access and All roles in the ACL.
The hosted organization administrator needs special access in
NAMES.NSF. The service provider administrator assigns these rights to
the hosted organization administrators:
• Add the hosted organization administrator to the HostedOrganizationAdmins group and assign Editor access with default roles — that is, Create documents, Delete documents, Read public documents, Write public documents, and Replicate or copy documents. Also assign the GroupCreator, GroupModifier, UserCreator, UserModifier roles.
Give the hosted organization administrator the following access to the
Administration Request Database (ADMIN4.NSF):
• Author access with the Create documents and Read public documents roles.
To use the Web Administrator to manage users and groups
To maintain users and groups with the Web Administrator, the hosted
organization administrator performs these tasks:
• Registering users with the Web Administrator
• Deleting a user name with the Web Administrator
• Creating a group with the Web Administrator
• Deleting a group with the Web Administrator
Addressing messages to users at a hosted organization
To send mail to users and administrators at a hosted organization, the
user names and group names in the sender’s address book must contain
full name references that include the Internet domain name in the
address or that use a Notes address that includes the domain name. For
example:
• An address that includes the Internet name: Robert_Owens@Acme.com, where Acme is the Internet domain name
• A Notes address that includes the domain name: Robert Owens/hosted_organization@Acme, where “hosted_organization” is the hosted organization name and Acme is the Internet domain name

Chapter 15
Setting Up the Administration Process
This chapter describes how to set up the Administration Process, a
program that simplifies administrative tasks, such as deleting users,
creating replicas, and editing ACLs.
The Administration Process
The Administration Process is a program that automates many routine
administrative tasks. For example, if you delete a user, the
Administration Process locates that user’s name in the Domino Directory
and removes it, locates and removes the user’s name from ACLs, and
makes any other necessary deletions for that user. If you want to delete
all replicas of a database, the Administration Process finds the replicas on
servers in the domain and provides an interface for deleting them.
The Administration Process automates these tasks:
• Name management tasks, such as rename person, rename group, delete person, delete group, delete server name, recertify users, and store Internet certificate.
• Mail file management tasks, such as delete mail file and move mail file.
• Server document-management tasks, such as store CPU count, store platform, and place network protocol information in Server document.
• Roaming user management, such as roaming user setup, move roaming users to other servers, upgrade a nonroaming user to roaming status, and downgrade roaming user to nonroaming status.
• User mail file management tasks, such as performing Access Control List (ACL) changes and enabling agents. For example, the “Out of Office” agent is enabled and disabled by Notes client users.
• Person document management tasks, such as storing the user’s Notes version and client platform information.
• Replica management tasks, such as create replica, move replica, or delete all replicas of a database.
15-1
Administration
Administration servers
Administration servers control how the Administration Process does its
work. You specify an administration server for the Domino Directory
and for specific databases. By default, the first Lotus Domino server you
set up in a domain is the administration server for the Domino Directory.
The administration server for the Domino Directory maintains the
Domino Directory’s ACL, performs deletion and name change operations
in that Domino Directory, and these changes are replicated to other
servers in the domain. If you have multiple directories in your domain —
not replicas of other domains’ directories, but more than one of your own
— you can specify an administration server for each of the directories in
your domain. Do not specify an administration server in your domain for
a replica of another domain’s Domino Directory.
All databases need an administration server to manage name changes
and deletions that apply to the database — for example, changes to the
ACL, Readers and Authors fields, or Names fields. If a database has
replicas, you assign an administration server to only one replica. Then
the Administration Process makes all changes to that replica, and
replication for that database carries out the changes in all other replicas.
You can also set up one or more extended administration servers to
distribute across multiple servers the processing of administration
requests that modify the Domino Directory.
For more information on extended administration servers, see the topic
“Using an extended administration server” later in this chapter.
The Administration Requests database
The Administration Requests database (ADMIN4.NSF) is created on the
administration server for the Domino Directory when that server starts
for the first time. Requests for work to be done by the Administration
Process are stored in the Administration Requests database. The status of
work done by the Administration Process is also stored there as response
Log documents to the requests, in the form of Administration Request
documents. To complete tasks, the Administration Process posts and
responds to requests in the Administration Requests database. Domino
servers use replicas of this database to distribute requests made on one
server to other servers in the domain.
When other servers start, if the Administration Requests database does
not exist, the server creates a replica stub of the Administration Requests
database and waits for it to be initialized from another server in the
domain. Every server in the domain stores a replica of the
Administration Requests database and the Domino Directory.
15-2 Administering the Domino System, Volume 1
The Administration Requests database also acts as the interface to the
Domino Certificate Authority requests. It is the responsibility of the
Registration Authority to monitor the status of the Certification
Authority (CA) Requests. The CA requests can be removed from the
view or resubmitted for processing in the same manner as the
Administration Process Requests.
For more information on working with requests see the topics “The
Administration Requests database” and “Managing Administration
Process requests” in this chapter.
For more information on the Registration Authority (RA), see the chapter
“Setting Up a Domino Server-Based Certification Authority.”
The Certification Log
To use the Administration Process to perform name changes and
recertifications, the Certification Log (CERTLOG.NSF) must reside on the
server that stores the Domino Directory in which you will initiate the
name change or recertification. If the Certification Log exists on another
server, move the Certification Log to the server containing the Domino
Directory on which you are initiating the name change or recertification.
The Certification Log contains a permanent record of how you register
servers and users, including information about the certifier ID. The
Certification Log also contains messages that describe the results of
recertification requests that the Administration Process is processing.
For more information on the Certification Log, see the chapter “Installing
and Setting Up Domino Servers.”
Specifying the administration server for the Domino Directory
Choosing the administration server for the Domino Directory depends on
your network setup, the available equipment, and the anticipated
changes that will be made to the Domino Directory via the
Administration Process. Large numbers of name-management operations
— rename and delete requests, for example — result in many changes to
the Domino Directory, with the subsequent view rebuilding, and thereby
affect performance. Making a heavily accessed server the
administration server of the Domino Directory results in slow server
performance from a user’s perspective. Giving only one, or a few, servers
the responsibility of being the administration server of many databases
may result in that server continually processing delete and name change
requests. Choosing the administration server also involves planning how
to assign administration servers for other databases in the domain,
because all name management operations require extensive searching of
databases to determine which server is the administration server for the
ACLs, Reader and Author fields, Name fields and unread lists.
Setting Up the Administration Process 15-3
Administration
When choosing the administration server for databases in a domain, your
choices include:
• Using a hub server as the administration server for the Domino
Directory and for other databases.
• Using a dedicated registration server as the administration server for
the Domino Directory and using one or more separate hub servers as
administration servers for other databases.
• Using a multifunction server as the administration server for the
Domino Directory and distributing administration responsibilities
for the other databases to other servers.
• Setting multiple administration servers, called extended
administration servers, for the Domino Directory to provide for less
centralized, more regional, directory management.
If the domain has only a few servers, consider using one administration
server for both the Domino Directory and for other databases. The
majority of the administration server resources are used for updating the
Domino Directory and replicating to keep the Domino Directory
consistent across the domain. The responsibility of the administration
server of other databases is to maintain ACLs, Reader, Authors, and
Names fields; and unread lists during name management operations.
While this option centralizes administration, it may result in slower
server performance as the domain grows and the use of the
Administration Process to update the Domino Directory and maintain
databases increases.
A second option involves using a dedicated registration server as the
administration server for the Domino Directory. You limit this server’s
responsibility to the processing of Domino Directory changes. You can
then use other servers, such as database hubs, for processing ACL
changes to other databases. To do so, specify the database hub as the
administration server for those databases. You can divide the
responsibility for database ACL changes among several administration
servers; but, you must make sure that when there are multiple replicas of
a database in the domain, you assign an administration server for only
one replica.
A third option involves using multiple servers to maintain the Domino
Directory. If your domain is geographically dispersed, having a single
administration server for the Domino Directory means all administration
requests for Domino Directory changes have to replicate to this one
server and the resultant changes have to replicate back. If your company
is organized hierarchically, that is, it is composed of multiple
organizations and organizational units, extended administration servers
can be assigned to maintain the directory documents associated with
people, groups, and servers whose names have that organization or
organizational unit component.
Using a server that contains mail and other databases as the
administration server for the Domino Directory is possible, but is not
recommended for performance reasons.
Always run the most recent version of Lotus Domino 6 on the
administration server of the Domino Directory and the extended
administration servers, so that you can use all of the newest
Administration Process features.
Note If you use an LDAP client to administer the Domino Directory, the
Administration Process is not aware of these changes and does not
extend the changes to other databases. For example, if you delete a
Person document, you must manually remove references to that person’s
name in other places that it occurs because the Administration Process
does not do this for you.
For more information on extended administration servers, see the topic
“Using an extended administration server” later in this chapter.
Setting up the Administration Process
To set up the Administration Process, you must complete these tasks:
1. Specify the administration server for the Domino Directory in the
domain. This is done during installation.
For more information on installing a server, see Installing and Setting
Up Domino Servers.
2. Specify an administration server for databases in the domain.
3. (Optional) Set up cross-domain processing to enable an
administration server in one domain to export requests to and/or
import requests from an administration server in another domain.
4. Verify that the administration process is set up correctly.
5. Set up ACLs for the Administration Process.
Specifying an administration server for databases
The Administration Process uses administration servers to manage
administrative changes that apply to databases. Either the administrator
or the database manager can specify the administration server for a
database. Perform this procedure on an as-needed basis.
Note To change the administration server for a database, you must have
Manager access to the database or be designated as a Full access
administrator on the Security tab of the Server document.
1. From the Domino Administrator, open the domain containing the
server with the database for which you are setting an administration
server.
2. From the Servers pane, select the server containing the database for
which you are setting an administration server.
3. Click the Files tab and then select the database to which you are
assigning an administration server.
4. From the Tools pane, click Tools - Database - Manage ACL.
5. Click Advanced.
6. Complete these fields and then click OK:
Verifying that the Administration Process is set up correctly
After you set up the administration server and the Administration
Process, verify that both are running correctly.
1. From the Domino Administrator, click Server - Analysis -
Administration Requests(6).
2. Open the “All Requests by Action” view.
3. Verify that the request “Put server’s Notes build number into Server
record” appears in the view.
4. Sixty minutes after the Administration Process begins running, open
the Administration Requests database again and open the response
Log document for the request.
Note Log documents are listed directly beneath the request that the
document pertains to. The heading Administration Request - Log
appears at the top of each Log document.
5. Review the information in the response Log document to ensure that
the request has run.
6. Complete the procedure, “Setting up ACLs for the Administration
Process.”
Administration Process support of secondary Domino Directories
Domino supports the use of secondary Domino Directories for
maintaining user names and groups that you want to store in a directory
other than your primary Domino Directory, NAMES.NSF. For example,
you may want to maintain Notes users with Notes IDs in NAMES.NSF,
but maintain Web-only users in a secondary Domino Directory.
A secondary Domino Directory can use the same administration server
as your primary Domino Directory, NAMES.NSF, or you can designate
another server as the administration server for the secondary directory.
When you initiate a name-management or group-management action
from a secondary Domino Directory, the administration process records,
in the Administration Request document, the replica ID of the secondary
directory. When a server locates and then attempts to process a
name-management or group-management administration request, the
server checks for the replica ID. If there is no replica ID stored in the
Administration Request document, the administration server for
NAMES.NSF processes the request.
If a replica ID is located, the server attempts to open the database. If it is
successful, the server checks the ACL to determine whether it is the
administration server for that directory. If so, the server processes the
request. If it is not the administration server for that directory, the server
leaves the request to be processed by the appropriate administration
server. If the server is unable to open the database, it ignores the request.
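The decision sequence just described (no replica ID, replica ID that resolves to a
database this server can open, replica ID it cannot open) can be modelled as a small
routing function. The following is an added example written for this chapter, not
Domino code; the server names, replica IDs and ACL settings are constructed sample
values, and the "openable_by" set stands in for whether a given server can open the
secondary directory.

```python
# Added example, not Domino code: a model of the replica-ID check a server
# performs before acting on a name- or group-management request.  Server
# names, replica IDs and ACL settings below are constructed sample values.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

PRIMARY_DIRECTORY = "NAMES.NSF"


@dataclass
class Directory:
    """One Domino Directory (primary or secondary) as seen by the servers."""
    filename: str
    replica_id: str                # constructed sample value, not a real replica ID
    admin_server: str              # administration server named in the ACL
    openable_by: Set[str] = field(default_factory=set)  # servers that can open it


@dataclass
class AdminRequest:
    """A name- or group-management request in ADMIN4.NSF."""
    action: str
    # Recorded only when the action was initiated from a secondary directory.
    directory_replica_id: Optional[str] = None


def decide(server: str, request: AdminRequest,
           primary: Directory, catalog: Dict[str, Directory]) -> str:
    """Return 'process', 'leave' or 'ignore' for one server and one request."""
    if request.directory_replica_id is None:
        # No replica ID: the administration server for NAMES.NSF handles it.
        return "process" if server == primary.admin_server else "leave"
    directory = catalog.get(request.directory_replica_id)
    if directory is None or server not in directory.openable_by:
        # The server cannot open the database, so it ignores the request.
        return "ignore"
    # The server opened the secondary directory; its ACL names the
    # administration server.  Only that server processes the request.
    return "process" if directory.admin_server == server else "leave"


def processing_servers(servers: List[str], request: AdminRequest,
                       primary: Directory, catalog: Dict[str, Directory]) -> List[str]:
    """Servers that would act on the request; there should be at most one."""
    return [s for s in servers if decide(s, request, primary, catalog) == "process"]


# Constructed sample domain: a hub, a server for web-only users, a mail server.
SERVERS = ["Hub-E/Acme", "Web-W/Acme", "Mail-S/Acme"]
PRIMARY = Directory(PRIMARY_DIRECTORY, "8525AAAA:0011BBBB", "Hub-E/Acme", set(SERVERS))
WEB_USERS = Directory("webnames.nsf", "8525CCCC:0022DDDD", "Web-W/Acme",
                      {"Hub-E/Acme", "Web-W/Acme"})
CATALOG = {PRIMARY.replica_id: PRIMARY, WEB_USERS.replica_id: WEB_USERS}

if __name__ == "__main__":
    for req in (AdminRequest("Rename person in Domino Directory"),
                AdminRequest("Delete group", WEB_USERS.replica_id),
                AdminRequest("Delete group", "8525EEEE:0033FFFF")):  # unknown replica
        print(req.action, req.directory_replica_id,
              {s: decide(s, req, PRIMARY, CATALOG) for s in SERVERS})
```

Running the block shows the property an administrator relies on: for each request
exactly one server answers "process", the rest "leave", and a request whose replica ID
resolves to nothing any server can open is ignored everywhere, which is why a
mis-assigned administration server on a secondary directory shows up as requests that
never complete rather than as an error.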
For more information on secondary Domino Directories, see the chapter
“Setting up Directory Assistance.”
For more information on designating a server as an administration
server, see the topic “Specifying an administration server for databases”
earlier in this chapter.
Processing administration requests across domains
You set up Cross-domain Configuration documents to enable a server in
one domain to mail administration requests to a server in another
domain. Set up the Cross-domain Configuration document after you
specify an administration server for the Domino Directory in each
domain. The Administration Process for the Domino Directory must be
set up on a server in each domain. Cross-domain processing works only
when the administration server of the Domino Directory is a Lotus
Domino Release 5 or more recent server.
These tasks can be processed across domains:
• Delete person in Domino Directory
• Delete server in Domino Directory
• Rename server in Domino Directory — that is, upgrade the server
name from flat to hierarchical
• Rename person in Domino Directory
• Create replica
• Get replica information for deletion — This request is generated
when you delete a database and its replicas
Note During cross-domain processing, any requests imported from
another domain and any subsequent requests created by the imported
requests are processed by Lotus Domino Release 5 and more recent
servers only.
Setting up cross-domain processing of administration requests
To set up cross-domain processing of administration requests, you need
to do the following:
• Create the necessary cross-certificate documents in the Domino
Directory. Requests going to another domain require cross
certificates between the two domains.
• Create a Connection document in the Domino Directory allowing a
server in one domain to connect to a server in another domain. Each
domain must have a Connection document.
• Create one or more Cross-domain Configuration documents in the
Administration Requests database for each domain from which you
will import administration requests and to which you will export
administration requests.
Edit the Directory Profile document for the Domino Directory to include
the names of anyone allowed to create a Cross-domain Configuration
document. On the Directory Profile document, add the administrators’
names to the “List of administrators who are allowed to create
Cross-domain Configuration documents in the administration requests
database” field. If a Cross-domain Configuration document is created by
someone whose name is not in that field or who is not a manager of the
Domino Directory, that configuration is ignored.
The Administration Requests database contains Cross-domain
Configuration documents that specify how domains exchange and
process administration requests. When you configure a Cross-domain
Configuration document, you designate the trusted entities, which are
persons, servers, or certifiers. All requests received from the domain
must be signed by one of its trusted entities. Rename requests are the
exception; they are signed by certifiers so their validity is determined by
the certificates and the cross-certificate in the destination domain’s
Domino Directory. For Rename requests going to another domain, there
must be appropriate cross-certificates between the two domains.
Additionally, the Domino Directory of the destination domain must
either have all Certifier documents, with the certifier’s public key, for the
organizational structure represented in the name change request, or it
must be able to access those Certifier documents from a trusted Directory
specified via Directory Assistance.
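The rules stated above for an inbound configuration (the configuration itself counts
only if its author is listed in the Directory Profile or is a manager of the Domino
Directory; a request must come from a listed domain and be of an allowed type; it must
be signed by a trusted entity, except that Rename requests are judged by certificates
and cross-certificates; Create Replica requests must be signed by the source server and
be aimed at a server allowed to accept them) can be written out as one evaluation
function. This is an added example for the chapter, not Domino’s implementation: all
domain, server, signer and administrator names are constructed samples, and the
"cross_certified" flag is an assumption standing in for the certificate and
cross-certificate check that the destination domain’s Domino Directory performs.

```python
# Added example, not Domino's implementation: a model of the checks that the
# text above describes for an inbound Cross-domain Configuration document.
# Domain, server, signer and administrator names are constructed samples.
from dataclasses import dataclass, field
from typing import Set, Tuple

RENAME_REQUESTS = {"Rename Person in Address Book", "Rename Server in Address Book"}


@dataclass
class DirectoryProfile:
    """Who may create Cross-domain Configuration documents that are honoured."""
    allowed_config_creators: Set[str]   # names listed in the Directory Profile field
    directory_managers: Set[str]        # Manager access in the Domino Directory ACL


@dataclass
class InboundConfig:
    author: str                         # who created the configuration document
    receive_from_domains: Set[str]
    allowed_requests: Set[str]
    approved_signers: Set[str]          # trusted persons, servers or certifiers
    create_replica_servers: Set[str] = field(default_factory=set)


@dataclass
class ImportedRequest:
    action: str
    source_domain: str
    signer: str
    source_server: str
    destination_server: str = ""
    # Assumption for the model: True when the destination domain's Domino
    # Directory holds cross-certificates and Certifier documents that validate
    # the certifier that signed a Rename request.
    cross_certified: bool = False


def config_is_honoured(cfg: InboundConfig, profile: DirectoryProfile) -> bool:
    """A configuration created by someone neither listed in the Directory
    Profile nor a manager of the Domino Directory is ignored."""
    return (cfg.author in profile.allowed_config_creators
            or cfg.author in profile.directory_managers)


def evaluate_inbound(cfg: InboundConfig, profile: DirectoryProfile,
                     req: ImportedRequest) -> Tuple[bool, str]:
    """Accept or reject one imported request; returns (accepted, reason)."""
    if not config_is_honoured(cfg, profile):
        return False, "configuration ignored: author may not create it"
    if req.source_domain not in cfg.receive_from_domains:
        return False, "source domain not listed"
    if req.action not in cfg.allowed_requests:
        return False, "request type not accepted from other domains"
    if req.action in RENAME_REQUESTS:
        # Rename requests are signed by certifiers, so their validity comes
        # from the certificates and cross-certificates, not the signer list.
        if req.cross_certified:
            return True, "accepted: rename validated by cross-certificate"
        return False, "rename rejected: certifier not cross-certified"
    if req.signer not in cfg.approved_signers:
        return False, "signer is not a trusted signer"
    if req.action == "Create Replica":
        if req.signer != req.source_server:
            return False, "Create Replica must be signed by the source server"
        if req.destination_server not in cfg.create_replica_servers:
            return False, "destination server may not accept Create Replica"
    return True, "accepted"


# Constructed sample: domain Acme accepts requests from domain Partner.
PROFILE = DirectoryProfile({"CN=Ann Admin/O=Acme"}, {"CN=Hub-E/O=Acme"})
CONFIG = InboundConfig(
    author="CN=Ann Admin/O=Acme",
    receive_from_domains={"Partner"},
    allowed_requests={"Create Replica", "Delete Person in Address Book",
                      "Rename Person in Address Book"},
    approved_signers={"CN=Hub-P/O=Partner", "CN=Pat Admin/O=Partner"},
    create_replica_servers={"CN=Hub-E/O=Acme"},
)

if __name__ == "__main__":
    sample = ImportedRequest("Create Replica", "Partner", "CN=Hub-P/O=Partner",
                             "CN=Hub-P/O=Partner", "CN=Hub-E/O=Acme")
    print(evaluate_inbound(CONFIG, PROFILE, sample))
```

The order of the checks matters for review: the signer list is never consulted for a
Rename request, so trust for renames rests entirely on which certifiers are
cross-certified in the destination directory, and a Create Replica request signed by an
administrator rather than the source server is refused even when that administrator is
an approved signer.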
For more information on setting up trusted directories via Directory
Assistance, see the chapter “Setting Up Directory Assistance.”
For more information on Certifier documents, see the chapter “Installing
and Setting Up Domino Servers.” For more information on
cross-certificates, see the chapter “Protecting and Managing Notes IDs.”
Benefits of cross-domain processing
Cross-domain processing offers these benefits:
1. Processing administration requests across domains can protect the
integrity of the data in databases. For example, if a person is deleted
from the directory in one domain, corresponding deletions occur in
the other domains.
2. Access to information is enhanced because a name change is
propagated to other domains. For example, people and servers
registered in one domain can also be listed in the directory
documents and database ACLs in another domain. Cross-domain
processing allows users and servers to have access to databases and
servers in both domains.
3. Applications are easily distributed because databases are easily
replicated from servers in one domain to servers in other domains.
Administrators do not have to install and update applications
individually on all servers.
Creating a Cross-domain Configuration document
1. Make sure that you have already set up the necessary Connection
documents and cross certificates to allow communication between
the servers.
2. From the Domino Administrator, choose Server - Analysis -
Administration Requests(6).
3. Choose the Cross Domain Configuration view and click “Add
Configuration.”
4. On the Configuration Type tab, choose one of these:
Inbound
 to create an inbound request configuration
Outbound
 to create an outbound request configuration
5. If you chose Inbound in Step 4, click Inbound Request Configuration
and then complete these fields:

Field | Enter
Receive AdminP requests from domains | The name of one or more domains from which this server will receive requests.
List of AdminP requests allowed from other domains | Select any of these requests that this server will accept from other domains and then click OK. • Create Replica • Delete Person in Address Book • Delete Server in Address Book • Get Replica Information for Deletion • Rename Person in Address Book • Rename Server in Address Book
Only allow Create Replica requests if intended for one of the following servers | Server names in your current domain that will accept Create Replica requests from other domains. This field displays if the Create Replica request is selected.
List of approved signers | Names of approved signers — that is, a trusted signer for the request type for the destination domain. An inbound request is rejected if it is signed by someone who is not a trusted signer. If you selected Create Replica requests from the list above, the request’s author is required to have Create Replica access to the destination server. Create Replica requests must be signed by the source server.
Field | Enter
Domains to submit AdminP requests to | The name of one or more domains to which this server will send requests.
List of AdminP requests to submit | Select any of these requests that this server will send and then click OK. • Create Replica • Delete Person in Address Book • Delete Server in Address Book • Get Replica Information for Deletion • Rename Person in Address Book • Rename Server in Address Book
Only submit Create Replica requests to the domains listed above if the destination server is one of the following | Server names to which you will send Create Replica requests. This field displays if the Create Replica request is selected.
List of approved signers | Names of approved signers — that is, a trusted signer for the request type. A request will not be sent if it is signed by someone who is not a trusted signer. If you selected the Create Replica request from the list above, the request’s author is required to have Create Replica access to the destination server. Create Replica requests must be signed by the source server.

Click Save and Close.
Complete the procedure “Verifying that the Administration Process is set
up correctly.”
Setting up ACLs for the Administration Process
Each administrator who uses the Administration Process to perform
tasks must have the appropriate access rights and roles in the Domino
Directory (NAMES.NSF), secondary directories — if applicable,
Administration Requests database (ADMIN4.NSF), and the Certification
Log database (CERTLOG.NSF).
The quickest way to provide administrators with the access they need is
to give them the minimum levels of access:
• For the Domino Directory, create an administrator group of type
Person Group with Editor access, and list the administrators in the
group.
• For the Administration Requests database, give administrators
Author access. If an administrator will be approving requests, give
Editor access.
• For the Certification Log database, give administrators Author with
Create documents access.
To assign access to administrators so they can perform only specific
tasks, see the table below which specifies the access that administrators
need in the ACLs of the Domino Directory, secondary directories — if
applicable, Administration Requests database, and Certification Log
database. If an error occurs during any administrative task, the
administrator must have Editor access in the ACL of the Administration
Requests database to perform the task again.
For more information on setting up and modifying an ACL, see the
chapter “Controlling User Access to Domino Databases.”
Note If extended ACLs are enabled and you have specified who can
modify documents for an organization, administration requests will fail
if they are initiated by anyone not specified in the extended ACL.
Task | Access the administrator needs in the Domino Directory | Access the administrator needs in ADMIN4.NSF | Access the administrator needs in other databases
Add a resource to or delete a resource from the Resource Reservations database | None. However, the Administration Process updates the Domino Directory to reflect the change | Author with Create documents access | CreateResource role in the Resource Reservations database
Add group | Author with Create documents access and GroupModifier role | Author with Create documents and the ServerModifier role |
Add users to group | Author with GroupModifier role. If the administrator has access greater than Author, that access is sufficient | |
Add servers to and remove servers from a cluster | One of these: • Author access and ServerModifier role • Editor access | Author with Create documents access | None
Approve a request to move a user name to another hierarchy | One of these: • Author with Create documents access and UserModifier/ServerModifier role • Editor access | Editor access | Author with Create documents access to the Certification Log
Approve the deletion of a resource from the Resource Reservations database | Delete documents access | Editor access | None
Create mail files automatically during user registration | Author with the UserCreator role | Author access; Create documents access | Create new database access on the registration server
Create replicas of databases | No requirement | Author with Create documents access | All of these: • Create replica access to the destination server • Reader access to the database on the source server • In addition, the source server must have Create replica access to the destination server, and the destination server must have Reader access to one replica of the database.
Delete group | One of these: • Author with Delete documents access and the GroupModifier role • Editor access | Author with Create documents access | None
Delete servers | One of these: • Author with Delete documents and the ServerModifier role • Editor access | Author with Create documents access | None
Delete users* | One of these: • Author with Delete documents access and the UserModifier role • Editor access | Author with Create documents access | None
Delete users and their mail files*; delete users and their private design elements | One of these: • Author with Delete documents and the UserModifier role • Editor with Delete documents access | Editor | None
Enable password-checking during authentication | Editor access | Author with Create documents access | None
Find name | Editor access with UserModifier role | None | None
Move replicas from a cluster server | None | Author with Create documents access | Both of these: • Same access as “Create replicas of databases” • Manager access to the original database
Move replicas from a non-clustered server | None | Editor | Both of these: • Same access as “Create replicas of databases” • Manager access to the original database
Move user to another server | One of these: • Author access and UserModifier role • Editor access | Editor | Create replica access on the new mail server. In addition, the old mail server must have Create replica access to the new mail server, and the person whose mail file is being moved must be running a Notes Release 5 or higher client.
Recertify user IDs and server IDs | One of these: • Author with Create documents access and UserModifier/ServerModifier role • Editor access | Author with Create documents access | Author with Create documents access to the Certification Log
Register user | Author with Create documents access and UserCreator role | Author with Create documents access if using the Administration Process for background processing | If creating mail files/roaming files, Create database access on the mail server and/or roaming server, accordingly. If creating replicas, Create Replica access on the replica servers. If CERTLOG.NSF resides on the registration server, Create document access to CERTLOG.NSF is required.
Remove all replicas of a database | None | None | None
Rename users and convert users and servers to hierarchical naming | One of these: • Author with Create documents access and UserModifier/ServerModifier role • Editor access | Author with Create documents access | Author with Create documents access to the Certification Log
Sign database | None | None | None
Specify the Master Address Book name in Server documents | One of these: • Author access with ServerModifier role • Editor access | Author with Create documents access | None
Add Internet certificate | Editor | Author with Create documents access | None
Update client information in Person record | None | None | None

*To delete a user’s Windows NT account or Active Directory account when
deleting a user, the Delete Person request must be made from a computer
running Windows NT or Active Directory, respectively, and the initiator must be
a Windows NT Domain or Active Directory administrator with rights to delete
user accounts.
For more information on Windows NT and Active Directory procedures,
see the chapter, “Using Domino With Windows Synchronization Tools.”
The Administration Requests database
Information about each administrative task that you want the
Administration Process to handle is stored in the Administration
Requests database (ADMIN4.NSF). This database lists both the specific
task and also the requests and responses that the Administration Process
posts and processes to complete the task. At least once each day, check
the views described in the table below for requests that require
administrator attention or approval; also check for errors.
For more information on how the Administration Process completes
specific administrative tasks, see the appendix “Administration Process
Requests.”

View | Displays
Administrative Attention Required | Requests that warrant attention and may require action on the part of the administrator.
Pending Administrator Approval | Requests that require administrator approval before processing can be completed.
All Activity by Server | Responses to requests, sorted by server.
All Errors by Date | Responses with errors encountered, sorted by date.
All Errors by Server | Responses with errors encountered, sorted by server.
All Requests by Action | Requests and responses, sorted by action.
All Requests by Name | Requests and responses, sorted by name.
All Requests by Server | Requests and responses, sorted by server.
Name Move Requests | Requests to move a user’s name in the name hierarchy.
Cross Domain - Configuration | Cross-domain configurations sorted by domain and then by inbound requests that are accepted and outbound requests that are accepted.
Cross Domain - Delivery Failures | Requests that cannot be delivered to the inbound domain.
Certificate Requests | Requests to create an Internet certificate and requests to create a Notes certificate. This view is typically monitored by the administrator who has been designated Certification Authority and Registration Authority.
Revocation Requests | Requests to revoke an Internet certificate. This view is typically monitored by the administrator who has been designated Certification Authority and Registration Authority.
Configuration Updates | Requests that have generated updates to the Certifier document in the Domino Directory and the Certificate Authority Configuration document in the Issued Certificate List (ICL) database.
Recovery Information Updates | Requests to update the recovery information for a certifier. This view is typically monitored by the administrator who has been designated Certification Authority and Registration Authority. For more information on ID recovery, see the topics “ID recovery” and “Recovering an ID” in the chapter “Protecting and Managing Notes IDs.”
To view documents in the Administration Requests database, you can
use either the Domino Administrator or the Web Administrator.
For information about messages that appear in the Administration
Requests database, see the chapter “Troubleshooting.”
Administration Process requests that require the administrator’s
approval
When administration requests that cannot be processed without the
administrator’s approval are received, they are stored in the
Administration Requests database and are flagged as requiring approval.

Administrator actions that generate Administration Process requests requiring approval | Result of approving the administration request
Delete database (with “Delete all replicas of this database” selected on the Delete File dialog box). | Approving an “Approve Replica Deletion” administration request posts the “Request Replica Deletion” administration request to begin the process of removing all replicas of the database that is being deleted.
Delete mail file during a delete person in Domino Directory | Approving an “Approve file deletion” request during a Delete person in Domino Directory action posts the “Request file deletion” administration request so that a user’s mail file can be deleted.
Delete roaming user | Approving the “Approve mail file deletion” administration request posts the “Request mail file deletion” administration request to begin the process of deleting the mail files from the mail server. Approving the “Approve replica deletion” administration request posts the “Request Replica Deletion” administration request to begin the process of deleting the roaming file replicas from the roaming server.
Delete user in Domino Directory | Approving the “Approve deletion of private design elements” administration request posts the “Request to delete private design elements” request so that private design elements can be deleted. Private design elements are private agents, views, and folders signed by the person who has been deleted.
Move a database from a non-clustered server | Approving the “Approve deletion of moved replica” request posts a “Request to delete non-cluster move replica” so that the original database can be removed from the source server.
Move person’s name in hierarchy (from the “Name Move Requests” view) | Approving the “Move person’s name in hierarchy” request is done by the administrator of the target organization. This approval allows for the posting of the “Initiate rename in Domino Directory” request to begin the moving of the user’s name to a new hierarchy.
Moving a mail file from one server to another | Approving the “Approve file deletion” administration request posts the “Request file deletion” administration request to begin the process of deleting the old mail file from the old home mail server after the mail file is moved to the new mail server.
Moving roaming files from one server to another | Approving the “Approve replica deletion” administration request posts the “Request Replica Deletion” administration request to begin the process of deleting the roaming file replicas from the old roaming server. Approving the “Approve mail file deletion” administration request posts the “Request mail file deletion” administration request to begin the process of deleting the old mail files from the old mail server after the mail files have been moved to the new mail server.
Remove resource | Approving the “Approve resource delete” administration request posts the “Remove resource” administration request so that a resource, such as a conference room name, can be deleted from the Domino Directory.
Rename user | Approving the “Approve Retract Name Change” administration request cancels a user name change request and causes the user’s previous name to remain in effect.
Request a Notes certificate or request an Internet certificate. | An “Approve Certificate Request” administration request is generated when you use the CA to issue a new Notes or Internet certificate, and the request needs to be approved by a registration authority. Approving the “Approve Certificate Request” allows the process to continue to the next step.
These actions initiated for nonhierarchical names, across domains: • Delete person in Domino Directory • Delete server in Domino Directory • Rename person in Domino Directory • Rename server in Domino Directory | An Approval request is generated in the destination domain when an identical, nonhierarchical user name or server name is located. The Approval request allows the administrator to determine whether the user name or server name is the one that should be deleted or renamed. Approving the request allows the rename or delete process to occur.
Request status icons in the Administration Request database
The Administration Requests database contains icons that indicate the
current status of each administration request in the database. Use these
icons to determine a request’s status at a glance.
Managing Administration Process requests
Managing the Administration Process involves approving requests,
forcing requests when they must be processed immediately, and
checking the Administration Requests database for errors.
To approve a request
Check the Administration Requests database daily for requests that
require approval.
1. From the Domino Administrator, choose Server - Analyses -
Administration Requests(6).
2. Select the server and then open the Administration Requests
(ADMIN4.NSF) database.
3. Open the Pending Administrator Approval view.
4. Open the request and click Edit Document.
5. Click Approve request type. For example, if you are deleting a user’s
mail file, click Approve Mail File Deletion.
6. Click Save and Close.
To force a request
Follow this procedure to force a request to occur immediately instead of
waiting for the Administration Process to initiate the request based on
the timing schedule.
1. From the Domino Administrator, select the remote server.
2. Choose Server - Status - Server Console.
3. Enter this command in the Domino Command field and click Send:
Tell adminp p all
or
Tell adminp p a
Setting Up the Administration Process 15-25
Administration
To check for errors
Check the Administration Requests database daily for errors, which
appear in response Log documents marked with a red X.
1. From the Domino Administrator, choose Server - Analyses -
Administration Requests(6).
2. Open the “All Errors by Date” or “All Errors by Server” view to
review errors.
3. Select any errors that you want to delete and click “Remove from
view.”
4. To reprocess one or more failed requests, select the requests and click
“Reprocess Selected Requests.” The error is removed from this view
and can be viewed in another view showing requests to be
processed, such as “All Activity by Server.”
To reprocess a failed request
1. From the “All Errors by Date” or “All Errors by Server” view, review
the reason that the request failed.
2. Make the appropriate corrections so that the request does not fail
again.
3. Choose the request and click “Reprocess Selected Requests.”
4. Check the Administration Requests database later to verify that the
request was processed without error.
Controlling the size of the Administration Requests Database
When administrators make full use of the Administration Process, a large
number of request documents and the resulting response Log documents
are generated in the administration requests database (ADMIN4.NSF),
and the database can become quite large. Access Control List (ACL)
management; Readers, Authors and Names fields management; and mail
file management requests are processed by all servers in the domain with
resulting response Log documents created with the status “This name
did not appear anywhere” or “This file is not on this server.”
To prevent these types of documents from being saved, set the “Store
Admin Process log entries when status of no change is recorded” to No
on the All Servers document for your domain.
For more information on the Administration Process and the settings in
the All Servers document, see the topic “Scheduling administration
request processing” later in this chapter.
15-26 Administering the Domino System, Volume 1
Using Space Saver settings
Check the “Space Saver” settings of ADMIN4.NSF on all servers, because
these settings do not replicate within the domain, and ensure that
“Remove documents not modified in the last # days” is checked. Be sure
the value entered for this setting is a reasonable number, depending on
how long you want to keep the history of administration request
activity; for example, less than 90 days. This information is stored in
Catalog documents. If you run the catalog, you can create a view that
displays this information.
1. From the Domino Administrator, choose Files and then right-click
Administration Requests database.
2. Choose Properties and click Replication Settings - Space Savers.
3. Click “Remove documents not modified in the last # days” and
choose a number of days from the list. Click OK.
Using a Program document to compact the Administration
Requests database
Create a Program document that will compact ADMIN4.NSF on the
servers in your domain on a regular basis.
For more information on using Program documents to compact a
database, see the chapter “Improving Database Performance”.
Using Selective Replication formulas
Use a selective replication formula to prevent the response Log
documents in ADMIN4.NSF from replicating. Information in Log
documents is a record of the status of the work a server does in response
to an administration request. This response Log is interesting to you, the
administrator, and to the server that created it, but not to every server in
the domain. As a result, you may want to go to the “Space Saver” section
of the database replicator settings of ADMIN4.NSF and create a selective
replication formula that prevents Log documents from replicating.
Response Log documents have the type “Type=AdminLog.” Change the
type to “Type!=AdminLog.” Another option is to use a type that only
replicates the documents to one server in the domain, therefore, you have
only one server on which to check status. After you create this formula,
check the box that allows replication formulas to replicate.
For more information on setting up and using replication formulas, see
“Limiting the contents of a replica” if you have installed Lotus Domino
Designer 6 Help. Or, go to http://www.notes.net/doc to download or
view Lotus Domino Designer 6 Help.
Suspending administration request processing
As previously mentioned, name management administration requests
that are processed on the administration server of the Domino Directory
can result in modifications to the Domino Directory, causing re-indexing
and replication of the Domino Directory. For some domains, the impact of
these changes on this server is burdensome during normal working hours.
Therefore, controls are present in the Server document for suspending the
operation of the Administration Process over a daily interval.
To suspend administration request processing
1. From the Domino Administrator, click the Configuration tab.
2. Choose Server - All Server Documents.
3. Select the server whose Server document you are editing.
4. Click the Server Tasks - Administration Process tab.
5. Complete the “Suspend Admin Process at” and “Restart Admin Process
at” fields.
6. Click Save and Close.
For more information on scheduling processing of administration
requests, see the topic “Scheduling Administration Request processing”
later in this chapter.
Controlling user access to the Administration Requests database
Some administration requests are created by Notes client users during
specific phases of an administrative operation, such as while moving a
roaming user’s mail file. If a user has multiple clients, for example, one at
home and one at work, before the client creates one of these
administration requests, it checks whether an identical request has been
created either by itself or by the user running on another client. To
perform this check, and to avoid creating possible redundant
administration requests, the user needs Author access to the
Administration Requests database because of the detailed administration
information that appears in that database. Some administrators prefer
that their users not see the information in the Administration Requests
database. If you want to run in a manner that prevents users from seeing
the content of the Administration Requests database, the default access
on ADMIN4.NSF can be set to Depositor. Setting this type of access can
result in multiple requests for users appearing from the same operation
because the client cannot determine whether a request that it is about to
create already exists.
Once you have upgraded all of your clients to Lotus Notes 6, the default
access to ADMIN4.NSF can be set to “None” because the client will just
mail requests to the Administration Requests database if the user does
not have access.
Customizing the Administration Process
To customize the Administration Process, you can do any of these tasks:
• Change the number of threads used to process a request
• Control the size of the Administration Requests database
• Create a customized view
• Create a third-party administration request
• Enhance the core Administration Process through the Extension
Manager
• Schedule administration request processing
• Set up an extended administration server
• Suspend the processing of administration requests
Changing the number of threads used by the Administration
Process
By default, the Administration Process uses three threads to process
requests. To improve Administration Process performance, increase the
number of threads.
1. From the Domino Administrator, click Configuration - Server -
Current Server Document.
Note If you want to edit a Server document for another server, click
Configuration - Server - All Server Documents and then select the
document you want to edit.
2. Click Edit Document and then click Server Tasks.
3. Enter a value greater than 3 in the “Maximum number of threads”
field in the Basics section of the tab.
4. Click Save and Close.
5. To allow the change to take effect, stop the Administration Process
and then restart it. Enter these commands from the server console:
tell adminp q
load adminp
Creating an $AdminP view
By default, the Administration Process scans all documents in a database
looking for matches in the Readers and Authors fields or Names fields,
when an Administration Request for a particular value in that field is
received. You can create a view that restricts the scanning for matches in
Readers and Authors fields, or Names fields, to the documents appearing
in that view. The view must be assigned the name $AdminP.
For information on creating a view, see Application Development with
Domino Designer.
Enhancing the Administration Process through the Extension
Manager
You can extend the Administration Process to enhance its current core
functionality — that is, processing all administration requests created
through the Notes user interface or by a Domino server. Using the
Extension Manager to extend the Administration Process, you can use
the core Administration Process functionality and develop additional
tasks based on Administration Process actions.
For more information on creating and using an Extension Manager
program, see the Lotus C API User Guide. For more information on
creating an Extension Manager for the Administration Process, see the
ProcessRequestEMCallback function entry in the Lotus C API Reference.
Creating a third-party Administration Request
You can extend the Administration Process by creating an administration
request directed to a third-party server add-in task that interprets the
request and acts on it. When creating a third-party administration
request, specify:
• The Message Queue name in the ProxyProcess field of the request.
The Administration Process uses this data to pass the request’s and
response’s note IDs.
• The Server name in the ProxyServer field of the request to identify
the Domino server on which the server add-in task is running.
• A Text version of an identifier, greater than “5000,” in the
ProxyAction field.
The Administration Process acts on third-party requests by opening the
message queue and placing a message with the IDs of the administration
request and log notes in it. The add-in task monitors the message queue
and then performs the required processing.
For information on creating a server add-in task that processes
third-party administration requests, see the Lotus C API User Guide.
To verify which task is processing a request
To verify whether AdminP or another task is processing an
administration request:
1. From the Domino Administrator, choose Server - Analyses -
Administration Requests(6).
2. Open the “All Requests by Action” view.
3. Select the request, right-click the mouse button and choose
Document Properties.
4. Click the Field tab, and then locate the ProxyProcess field which
contains the name of the task that is processing the administration
request.
The ProxyProcess field is set by the program that created the request.
Scheduling Administration Request processing
Each setting in the Administration Process section of the Server
document controls the timing of specific types of requests. Interval
settings and replication schedules for each server determine how quickly
the administrative settings replicate throughout the domain. As these
requests are carried out, the speed with which they are replicated to the
appropriate databases in the domain depends on the replication schedule
for those servers. If necessary, you can schedule separate replication
events for more immediate updates.
To adjust the default timing of when administration requests are carried
out, edit the Server document. You may want to force a request to occur
immediately if the administration request is critical.
For more information on using server console commands to force
administration request processing, see the topic “Managing
Administration Process requests” earlier in this chapter.
To schedule Administration Process requests
1. From the Domino Administrator, click the Configuration tab.
2. Choose Server - All Server Documents.
3. Select the server whose server document you are editing.
4. Click the Server Tasks - Administration Process tab.
5. Complete these fields, and then click Save and Close.

Field: Interval
Enter: The number of minutes that pass between the processing of name-management requests (rename, delete, and recertify). The default is 60 minutes.

Field: Execute once a day requests at
Enter: The time when updates to Person documents occur and “Rename person in unread lists” requests run. The default is 12 AM.

Field: Interval between purging mail file and deleting when using object store
Enter: The number of days that pass between running the Object Collect task against a mail file that uses shared mail and deleting the mail file. The default is 14 days.

Field: Start executing on
Enter: The day on which updates to Authors and Readers fields in a database and discovery of shared and private design elements for a deleted person occur. The default is Sunday.

Field: Start executing at
Enter: The time when the updates to Authors and Readers fields in a database and discovery of shared and private design elements for a deleted person occur. The default is 12 AM.

Field: Mail file moves expire after
Enter: The number of days during which the Notes client will update mail-related changes. The default is 21 days. Valid values are 7 to 60, inclusive.

Field: Store Admin Process log entries when status of no change is recorded
Enter: Logs a “No change” status entry in the Administration Process log each time a database is scanned to determine whether an administration request requires a change to that database and no change is made. The default is No. Keeping this field set to “No” may greatly reduce the size of the Administration Requests database. For more information on controlling the size of the Administration Requests database, see the topic “Controlling the size of the Administration Requests database.”

Field: Suspend Admin Process at
Enter: (Optional) Time when the Administration Process stops processing requests. To conserve server resources, suspend the Administration Process during peak computer usage hours. For more information on suspending the Administration Process, see the topic “Suspending administration request processing.”

Field: Restart Admin Process at
Enter: (Optional) Time when the Administration Process starts processing requests again. To conserve server resources, set the Administration Process to restart during non-peak computer usage hours. For more information on suspending the Administration Process, see the topic “Suspending administration request processing.”

Using an extended administration server


An extended administration server is an administration server that
processes Domino Directory administration requests. The target
documents in the Domino Directory are added to, modified, or deleted
only if they belong to a particular namespace within the Domino
Directory. A namespace is defined by a certification hierarchy, for
example, OU=Sales/O=Acme, where the organization is Acme and the
organizational unit is Sales. You can specify the organization or one or
more organizational units as a namespace for which an extended
administration server is used to process administration requests. The
traditional administration server modifies all of the target documents in a
Domino Directory which either do not belong to any namespace or to
which an extended administration server has not been assigned.
You can designate extended administration servers for one Domino
Directory by selecting a namespace in the Domino Directory’s extended
access interface and designating a particular server as an administrator
for that namespace. The new interface allows you to specify the exact
namespace that an individual administration server is responsible for.
The extended administration server distributes the administration
responsibilities across multiple servers which is especially useful for
remote administration of servers that are geographically dispersed. The
concept of the extended administration server was developed in order to
make remote administration available to administrators.
All of the Domino servers in the domain must be Lotus Domino 6 servers
or newer to use the extended administration server feature.
Setting up an extended administration server
Complete these instructions to set up an extended administration server.
1. From the Domino Administrator, click the Files tab and then open
the Domino Directory (NAMES.NSF).
2. Choose Files - Database - Access Control.
3. Click Advanced and select Enable Extended Access.
4. Click Basics and click Extended Access.
5. In the Names list, select the namespace (an organization or one or
more organizational units) for which you are assigning an
administration server.
6. Select the server that you are designating as an administration server.
7. Choose one of these “Access applies to” settings:
• This entry only — to assign the selected administration server to
the selected namespace only. Namespaces that are subordinate to
the selected namespace are not affected by this selection.
• This entry and all descendants — to assign the selected
administration server to the selected namespace and to all
subordinate namespaces.
8. In the Access field, in the Allow column, click Administer.
9. Click OK.
10. Click Yes.
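To illustrate how the “This entry only” and “This entry and all descendants” settings decide which server processes a given Domino Directory entry, here is an added Python model. It is not Domino code and does not use the Domino API. It assumes canonical hierarchical names such as CN=Ann Lee/OU=Sales/O=Acme, that the namespace of an entry is its name with the CN component removed, and that when nested namespace assignments both apply the most specific one wins; that precedence rule is an assumption, not something this documentation states. The server and person names are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class NamespaceAssignment:
    """One extended-access assignment (a model of the interface, not Domino's own type)."""
    namespace: str             # certification hierarchy, e.g. "OU=Sales/O=Acme"
    server: str                # server designated to administer that namespace
    include_descendants: bool  # True = "This entry and all descendants", False = "This entry only"


def hierarchy_components(name: str) -> List[str]:
    """Split a slash-separated hierarchical name into normalized components.

    "CN=Ann Lee/OU=Sales/O=Acme" -> ["cn=ann lee", "ou=sales", "o=acme"]
    Comparison is case-insensitive, as Notes name comparison is.
    """
    return [c.strip().lower() for c in name.split("/") if c.strip()]


def namespace_of(entry_name: str) -> List[str]:
    """The namespace an entry belongs to is its name with the CN component removed (assumed)."""
    comps = hierarchy_components(entry_name)
    if comps and comps[0].startswith("cn="):
        comps = comps[1:]
    return comps


def levels_below(entry_ns: List[str], namespace: List[str]) -> Optional[int]:
    """How many OU levels below `namespace` the entry sits; None if it is outside it."""
    if len(entry_ns) < len(namespace) or entry_ns[-len(namespace):] != namespace:
        return None
    return len(entry_ns) - len(namespace)


def responsible_server(entry_name: str,
                       assignments: List[NamespaceAssignment],
                       traditional_admin_server: str) -> str:
    """Return the server that processes administration requests for `entry_name`.

    An assignment applies when the entry is exactly in the namespace, or is below it
    and the assignment covers descendants. Among applicable assignments the deepest
    namespace wins (assumed precedence). Entries that no extended administration
    server covers fall back to the traditional administration server.
    """
    entry_ns = namespace_of(entry_name)
    chosen: Optional[str] = None
    chosen_depth = -1
    for a in assignments:
        ns = hierarchy_components(a.namespace)
        below = levels_below(entry_ns, ns)
        if below is None:
            continue
        if below == 0 or a.include_descendants:
            if len(ns) > chosen_depth:
                chosen, chosen_depth = a.server, len(ns)
    return chosen if chosen is not None else traditional_admin_server


# Constructed sample assignments; all names are invented for illustration.
SAMPLE_ASSIGNMENTS = [
    NamespaceAssignment("OU=Sales/O=Acme", "CN=SalesAdmin/O=Acme", include_descendants=True),
    NamespaceAssignment("OU=East/OU=Sales/O=Acme", "CN=EastAdmin/O=Acme", include_descendants=False),
    NamespaceAssignment("OU=Eng/O=Acme", "CN=EngAdmin/O=Acme", include_descendants=False),
]
TRADITIONAL_ADMIN_SERVER = "CN=Hub/O=Acme"

if __name__ == "__main__":
    for name in ["CN=Ann Lee/OU=Sales/O=Acme",
                 "CN=Bob Ray/OU=East/OU=Sales/O=Acme",
                 "CN=Cy Wu/OU=West/OU=Sales/O=Acme",
                 "CN=Dee Ng/OU=Boston/OU=Eng/O=Acme",
                 "CN=Ed Ox/O=Acme"]:
        print(f"{name:40} -> {responsible_server(name, SAMPLE_ASSIGNMENTS, TRADITIONAL_ADMIN_SERVER)}")
```

Note that an entry in OU=Boston/OU=Eng/O=Acme falls back to the traditional administration server because the OU=Eng assignment was made with “This entry only”, while an entry in OU=West/OU=Sales/O=Acme is handled by the OU=Sales server because that assignment covers descendants.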
Removing an extended administration server
Complete these instructions to remove an extended administration server.
1. From the Domino Administrator, click the Files tab and then open
the Domino Directory (NAMES.NSF).
2. Choose Files - Database - Access Control.
3. Click Extended Access.
4. In the Names list, select the namespace (an organization or one or
more organizational units) from which you are removing an
administration server.
5. Select the server that will no longer be an administration server for
the selected namespace.
6. Click Remove.
7. Click OK.
8. Click Yes.
Administration Process Statistics
Use the Administration Process statistics to monitor and review the
administration process activity on the servers in your Domino domains.
Administration Process statistics and their descriptions are listed in this
table.

Statistic: ACLsModified
Reason for update: Statistic is updated when the Administration Process modifies a database ACL.

Statistic: ReaderAuthorModified
Reason for update: Statistic is updated when the Administration Process modifies a database due to a user name change, resulting in a change to Reader and/or Author fields for that database.

Statistic: ReplicasDeleted
Reason for update: Statistic is updated when the Administration Process deletes a mail file due to a mail database move, or when a user, the user’s mail file, and its replicas are deleted. This statistic is also updated when replicas are removed due to a Delete Database request.

Statistic: ReplicasCreated
Reason for update: Statistic is updated when the Administration Process creates a mail file due to a mail file move.

Statistic: AppointmentsModified
Reason for update: Statistic is updated when the Administration Process updates an appointment due to a name change.

Statistic: ProfilesModified
Reason for update: Statistic is updated when the Administration Process updates the calendar profiles due to a user’s name change.

Statistic: DesignElementsDeleted
Reason for update: Statistic is updated when the Administration Process removes a design element from a database. In most cases this occurs when a user is deleted and the agents that were created by the user are removed from a database.

Statistic: DirectoryDocumentsDeleted
Reason for update: Statistic is updated when the Administration Process deletes entries from the Domino Directory, for example, deletions due to deleting a user or a server.

Statistic: DirectoryDocumentsModified
Reason for update: Statistic is updated when the Administration Process modifies entries in the Domino Directory, for example, when a user is renamed.

Statistic: DirectoryDocumentsAdded
Reason for update: Statistic is updated when the Administration Process adds entries to the Domino Directory, for example, when Mail-In database entries are added for future processing.

Statistic: Cross Domain Request Sent
Reason for update: Statistic is updated when the Administration Process sends requests from one domain to another domain. This occurs when cross-domain processing is enabled.

Statistic: Cross Domain Request Rejected
Reason for update: Statistic is updated when the Administration Process receives and rejects requests from another domain. This occurs when cross-domain processing is enabled.

Statistic: Cross Domain Request Accepted
Reason for update: Statistic is updated when the Administration Process receives and accepts requests from another domain. This occurs when cross-domain processing is enabled.

Administration request messages


The response Log documents in the Administration Requests database
contain error messages that describe any errors that occur during the
processing of an administration request. Error messages also appear on
the console of the administration server. Administrators who want to be
notified when one of these events occurs on a server can create an Event
Handler document in EVENTS4.NSF to define how they want to be
notified.
For more information on Event Handlers, see the chapter “Monitoring
the Domino Server.”
For details on what the particular messages mean and for information on
the corrective actions that can be taken, see the documentation in
EVENTS4.NSF for that message.
This table describes the messages and, in some cases, the causes of
messages that appear in the Administration Requests database. In addition,
the table indicates the corrective action to take, where appropriate.

Corrective action to
Message Occurs during
take
The time after which When thetimearrives,
Renaming
this select
request can be “Perform request
processed Recertification again”in
has not been reached. the response Log
This document.
request cannot be
processed
until time; check the
Perform request again?
box
after time.
The date after which Resubmit the request
Renaming
this from
request is no longer the Domino Directory.
valid Recertification
has passed. This
request
could only be
processed
until time; the current
date
and time is time.
This name does not
Renaming None
appear
in the ACLs of any Deletion
databases designating
server
as their Administration
Server.
The mail file was Delete all
None
previously replicas
deleted on serverby a of a mail file
Delete when
Mail File administration deleting a user
request. name
The mail file specified Delete all
None
for replicas
this person in the of a mail file
Address when
Book does not exist on deleting a user
this
server. name
A replica of this Delete all
None
person’s replicas
mail file does not exist of a mail file
on when
this server. deleting a user
name
Resubmit the request
The signature on this Renaming
from
request has expired. the Domino Directory.
The issuer of this Resubmit the request
Renaming
request from
does not have the the Domino Directory.
proper Be
authority. sure to use a certifier
ID that
is an ancestor of the
user ID.

Corrective action to
Message Occurs during
take
All of the required Resubmit the request
Any request
fields in from
the request have not the Domino Directory.
been
signed.
Cause of error- An
unauthorized person or
a
non-Domino program
edited a posted
request.
This indicates a failed
security attack.
The request’s new Copy Server’s Delete the request, and
public key does not Certified Public then shut down and
match the designated Key restart the appropriate
server. Cause of server to issue a new
error- The key in the request. Delete the
request doesn’t match public key from the
that in the Server Server document.
document.
The existing public key
Copy Server’s None
is
newer than the public Certified Public
key Key
in the request.
Cause of error- The
server
was recertified before
this
request could be
carried
out.
The request’s signer Place Server’s Delete the original
and the designated Notes Build request and then
server are not the number into restart the server. Click
same. Cause of error- Server Record “Perform request
The server specified in again”in the response
the request did not Log document.
sign the request. This
may indicate a failed
security attack from a
forged request or a
request generated by a
non-Domino program.
The selected certifier is Request Move
Reissue the request and
not to
the target certifier in New Certifier specify the correct
the certifier.
move request.
Cause of error- The
target
certifier is not the one
you
specified when you
issued
the original request.

Corrective action to
Message Occurs during
take
A required certifier was Initiate Rename Do the following: 1.
not found in the in Domino Create the necessary
Address Book. If you Directory Certifier document(s) in
see the error when the Recertify Server the Domino Directory.
administrator is in Domino 2. For each Certifier
performing an action, Directory docu-ment, copy the
the Certifier or Cross- Recertify Person certified public key from
Certifier document is in Domino the certifier ID to the
identified in the Notes Directory Certifier document in
Log on the Rename Person the Domino Directory.
administrator’s client. in Domino 3. At the server
If the Administration Directory console, enter load
Process reports the Rename Server updall names.nsf -t
error, the Certifier or in Domino $certifiers. 4. Click
Cross-domain Certifier Directory “Perform request
document is identified again”in the response
in the log (LOG.NSF) of Log document.
the server that
reported the error.
The change request Resubmit the request
Rename
was not from
for a server or person. the Domino Directory.
Cause of error- An
unauthorized person or
a
non-Domino program
edited a posted
request.
This can indicate a
failed
security attack.
The Administration Restart the server, and
Delete Unlinked
Process then
cannot set the target Mail File click “Perform request
time again”
for processing in the response Log
requests. document.
This type of All requests
Upgrade the server to
Administration except
Request cannot be Copy Server’s hierarchical naming so
you
performed on a Certified Public can complete all
Key
non-hierarchical and Place Administration Process
server. Server’s
Notes Build requests on it.
Number Into
Server
Record

Corrective action to
Message Occurs during
take
The Administration Upgrade the server to
When a server
Process the
is not designed to running an current release.
support older
this type of version of Notes
Administration
Request. encounters a
Domino 5.0
Administration
Request. An
older server is
unable to
process the
request.
The name to act on Renaming Delete the corrupted
was not found in the Recertification public key from the
Address Book. Cause Server or Person
of error -The public document. From a
key is corrupt in the Server document: 1.
Person or Server From the Domino
document. Administrator, select a
server and click the
Configuration tab. 2.
Click Edit document. 3.
Click the Miscellaneous
tab. 4. Delete the
public key from the
Certified Public Key
field, or if you are
adding one, enter a
public key. 5. Click
Save and Close. From
a Person document:
1. From the Domino
Administrator, click the
People & Groups tab. 2.
Select the person
whose Person
document you are
modifying. 3. Click Edit
Person. 4. Click the
Public Keys tab. 5.
Delete the public key
from the Certified Public
Key field, or if you are
adding one, enter a
public key. 6. Click
Save and Close.

Administration Process error messages (Message / Occurs during / Corrective action to take)

Message: The administrator or database manager requesting the delete action needs Author access (or greater) to the Address Book.
Occurs during: Delete user, server, or group
Corrective action: Give the person making the request the appropriate access to the Domino Directory, and then select "Perform request again" in the response Log document. The requests require at least Author (with Delete documents) access with the appropriate role (UserModifier, ServerModifier, or GroupModifier). The person must have access to the replica of the Domino Directory used to submit the request and to the replica on the administration server for the Domino Directory.

Message: The person requesting the delete action cannot delete documents in the Address Book. Cause of error: this can indicate a failed attempt by an unauthorized person to delete documents from the Domino Directory.
Occurs during: Delete users, servers, groups, or resources
Corrective action: The person submitting the request doesn't have appropriate access to the replica of the Domino Directory. Give the person making the request the appropriate access to the Domino Directory.

Message: The Administration Process cannot set the execution time for a spawned request.
Occurs during: Delete Mail file
Corrective action: Restart the server and then click "Perform request again" in the response Log document.

Message: This server is not currently a member of a cluster. This database cannot be marked for deletion.
Occurs during: Remove Server from Cluster
Corrective action: Manually delete the database.

Message: The Author of the Administration Request is not allowed to create databases on this server.
Occurs during: Create Replica, Move Replica
Corrective action: Give the person making the request Create Database access to the destination server. Then click "Perform request again" in the response Log document.

Message: Mail file already exists. New mail file not created.
Occurs during: Create Mail File
Corrective action: None

Message: The person requesting this move action needs at least Manager access to the database.
Occurs during: Move Replica (non-cluster move replica)
Corrective action: Give the person making the request Manager with Delete documents access. Then select "Perform request again" in the response Log document.

Message: Server name not found in Public Address book.
Occurs during: Rename in Access Control List
Corrective action: Wait for the name change to replicate to the Domino Directory on this server. Then select "Perform request again" in the response Log document.
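As an added example (not code from the Domino documentation), the following Python encodes the table above as a small triage routine for Administration Process response Log documents. It maps each documented message to the request it occurs during and the corrective action, and it counts the one message the table says can indicate an unauthorized deletion attempt per requester, so that a run of denied deletes from the same name stands out from an ordinary ACL mistake. The record layout (requester, action, message keys), the request names and the sample records are constructed for the example; real response Log documents are Notes documents whose item names this page does not give.

```python
"""Triage of Administration Process response Log documents.

An added example, not code from the Domino documentation.  It encodes
the error table above: each documented message is mapped to the request
it occurs during and the corrective action, and the one message the
table says "can indicate a failed attempt by an unauthorized person to
delete documents" is treated as a detection signal, so that repeated
occurrences from the same requester can be surfaced to the administrator.
The record layout (requester, action, message keys) and the sample
records are constructed for this example; the item names of real response
Log documents are not given on this page.
"""
from collections import Counter

# (message prefix, occurs during, corrective action, may indicate unauthorized attempt)
KNOWN_MESSAGES = [
    ("The administrator or database manager requesting the delete action needs Author access",
     "Delete user, server, or group",
     "Grant at least Author with Delete documents plus the UserModifier, ServerModifier or "
     "GroupModifier role on both Domino Directory replicas, then Perform request again",
     False),
    ("The person requesting the delete action cannot delete documents in the Address Book",
     "Delete users, servers, groups, or resources",
     "Grant the requester appropriate access to the Domino Directory replica; confirm the request was legitimate",
     True),
    ("The Administration Process cannot set the execution time for a spawned request",
     "Delete Mail file",
     "Restart the server, then Perform request again",
     False),
    ("This server is not currently a member of a cluster",
     "Remove Server from Cluster",
     "Manually delete the database",
     False),
    ("The Author of the Administration Request is not allowed to create databases",
     "Create Replica / Move Replica",
     "Grant Create Database access on the destination server, then Perform request again",
     False),
    ("Mail file already exists",
     "Create Mail File",
     "None",
     False),
    ("The person requesting this move action needs at least Manager access",
     "Move Replica (non-cluster)",
     "Grant Manager with Delete documents access, then Perform request again",
     False),
    ("Server name not found in Public Address book",
     "Rename in Access Control List",
     "Wait for the rename to replicate to this server's Domino Directory, then Perform request again",
     False),
]


def classify(message):
    """Return (occurs_during, corrective_action, suspicious) for a documented
    message, or None for anything else."""
    for prefix, during, fix, suspicious in KNOWN_MESSAGES:
        if message.startswith(prefix):
            return during, fix, suspicious
    return None


def triage(records):
    """Annotate each response Log record with what to do about it."""
    rows = []
    for rec in records:
        hit = classify(rec["message"])
        rows.append({
            "requester": rec["requester"],
            "action": rec["action"],
            "occurs_during": hit[0] if hit else "unknown",
            "corrective_action": hit[1] if hit else "Read the response Log document",
            "suspicious": bool(hit and hit[2]),
        })
    return rows


def repeated_denied_deletes(records, threshold=3):
    """Requesters whose denied delete requests reach `threshold`.

    One denial is usually an ACL misconfiguration; several from the same
    name in one batch deserve a look, as the error text itself warns."""
    counts = Counter(r["requester"] for r in triage(records) if r["suspicious"])
    return {name: n for name, n in counts.items() if n >= threshold}


# Constructed sample records, not real Domino output.
SAMPLE_RECORDS = [
    {"requester": "Ann Admin/Acme", "action": "Create Mail File",
     "message": "Mail file already exists. New mail file not created."},
    {"requester": "Bob Mallory/Acme", "action": "Delete Person in Address Book",
     "message": "The person requesting the delete action cannot delete documents in the Address Book."},
    {"requester": "Bob Mallory/Acme", "action": "Delete Server in Address Book",
     "message": "The person requesting the delete action cannot delete documents in the Address Book."},
    {"requester": "Bob Mallory/Acme", "action": "Delete Group in Address Book",
     "message": "The person requesting the delete action cannot delete documents in the Address Book."},
    {"requester": "Carl Help/Acme", "action": "Delete Group in Address Book",
     "message": "The administrator or database manager requesting the delete action needs Author access (or greater) to the Address Book."},
    {"requester": "Ann Admin/Acme", "action": "Move Replica",
     "message": "The person requesting this move action needs at least Manager access to the database."},
]

if __name__ == "__main__":
    for row in triage(SAMPLE_RECORDS):
        print(row)
    print("repeated denials:", repeated_denied_deletes(SAMPLE_RECORDS))
```

The threshold is deliberately low: every denied request here was already refused by the Domino Directory ACL, so the cost of a false positive is one review of the response Log document, whereas a genuine probe of directory deletion rights is worth catching early.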

Chapter 16
Setting Up and Using Domino Administration
Tools
This chapter explains how to install and navigate the Domino
Administrator. It also includes information on setting up and using the
Web Administrator, which allows you to administer a Domino server
using a browser.
The Domino Administrator
The Domino Administrator is the administration client for Notes and
Domino. You can use the Domino Administrator to perform most
administration tasks. You can administer the Domino system using the
local Domino Administrator or using the Web Administrator.
Information about the Domino Administrator in this section includes:
• Domino Administrator installation
• Setting up and starting the Domino Administrator
• Selecting a server to administer in the Domino Administrator
• Setting Domino Administrator preferences
• Navigating Domino Administrator
• How administrative tasks are organized on the Domino Administrator tabs
Installing the Domino Administrator
When you install and set up a Domino server, the Server Setup program
does not install the Domino Administrator, which is the administration
client. You must run the Domino Administrator client setup to install the
Domino Administrator client. There are many ways to set up your
Administrator client installation.
Do not install the Domino Administrator on the same system on which
you installed the Domino server. Doing so compromises Domino’s
security and impairs server performance.
16-1
Administration
For more information on installing the Domino clients, including the
Domino Administrator, see the chapter, “Setting Up and Managing
Notes Users.”
Setting up the Domino Administrator
1. Make sure the Domino server is running.
2. Start the Domino Administrator.
3. The first time you start the Domino Administrator, a setup wizard
starts. After you answer the questions displayed by the setup wizard,
the Domino Administrator client opens automatically.
Starting the Domino Administrator
There are several ways to start Domino Administrator.
1. Make sure the Domino server is running.
2. Do one:
• From the Windows® control panel, click Start - Programs - Lotus Applications - Lotus Domino Administrator.
• Click the Domino Administrator icon on the desktop.
• From the Notes client, click the Domino Administrator bookmark button or choose File - Tools - Server Administration.
Navigating Domino Administrator
The user interface for the Domino Administrator is divided into four
panes. Clicking in one pane dynamically updates information in other
panes. The following figure shows the user interface for the Domino
Administrator.
Server pane
The server pane displays the servers in the domain, grouped in different
views. For example, you can view all servers in the domain or view them
by clusters or networks. To “pin” the server pane open, click the pin icon
at the top of the server pane.
Task pane
The tasks pane provides a logical grouping of administration tasks
organized by tabs. Each tab includes all the tasks associated with a
specific area of administration. For example, to manage the files located
on a particular server, select a server and click the Files tab.
Results pane
The appearance of the results pane changes, based on the task you are
performing. For example, the results pane may display a list of files, as
on the Files tab, or an active display of real-time processes and statistics,
as on the Server - Monitoring tab
Tools pane
The tools pane provides additional functions associated with a selected
tab. For example, from the Files tab you can check disk space and
perform tasks associated with files.
Window tabs
Use window tabs to switch from one open window to another in the
Domino Administrator. Every time you open a database or a document,
a new window tab appears beneath the main menu bar.
Domains
You can access the servers in each domain that you administer. Click a
domain to open the server pane.
Bookmark bar
The Bookmark bar organizes bookmarks. Each icon on the Bookmark bar
(running down the left edge of the Domino Administrator window)
opens a bookmark or a list of bookmarks, which can include Web
browser bookmarks.
Selecting a server to administer in the Domino Administrator
To administer a server, you select the server from a server list. You can
have multiple server lists, each of which is represented by a button. After
you select a server, information about that server appears in all the tabs.

Button: Favorites
Description: Lists your "favorite" servers, that is, those you administer most frequently. To add a server to Favorites, choose Administration - Add Server to Favorites, and then specify the name of the server to add.
Button: Domain
Description: Lists all servers in a domain. You can also view servers by hierarchy or by network.

For more information on adding domains, see the topic “Setting Basics
Preferences,” later in this chapter.
To update a server list
The first time you start the Domino Administrator, the system
automatically creates a server list, based on the domains listed in
Administration Preferences. If you add new servers to the list, choose
Administration - Refresh Server List.
16-4 Administering the Domino System, Volume 1
Setting Domino Administration preferences
To customize the Domino Administrator work environment, set any of
these administration preferences

Preference: Basics
• Select domains to administer
• Add, edit, or delete domains
• Set domain location setting
• Select domain directory server
• Specify Domino Administrator startup settings
Preference: Files
• Customize which columns appear on the Files tab
• Change the order in which columns appear
• Limit the types of files that the Domino Administrator retrieves
Preference: Monitoring
• Configure global settings used to monitor the server
• Enable server health statistics and reports
Preference: Registration
• Select global settings to use to register users, servers, and certifiers
Preference: Statistics
• Select global settings for statistic reporting and charting
• Enable statistic alarms while monitoring statistics

Setting Basics preferences


To manage Domino domains, set Basics preferences.
1. From the Domino Administrator, choose File - Preferences -
Administration Preferences.
2. In the Basics section, under "Manage these Domino Domains" do one:
• Click New to add a domain, and then continue with Step 3.
• Click Edit to edit an existing domain, and then continue with Step 3.
• Click Delete to delete an existing domain.

Field: Domain name
Action: Enter the name of the domain to add, or edit an existing name.
Field: Domino directory servers for this domain
Action: Enter one or more directory servers, separated by commas, or edit the list. For example: Mail-E/East/Acme, Mail-W/West/Acme
Field: What location settings do you want to use for this domain?
Action: Choose one:
• Do not change location
• Change to this location. Specify the location from which you want to manage this domain.
Field: On startup
Action: Do one:
• Choose "Don't connect to any server"
• Choose "Connect to last used server"
• Choose "Connect to specific server" and then specify the startup domain and startup server.
Field: Show Administrator Welcome Page
Action: Do one:
• Check this box to see the Welcome page each time you start the Domino Administrator.
• Uncheck this box if you do not want to see the Welcome page.

Setting Files preferences


By setting Files preferences, you can customize which columns appear on
the Files tab, change the order in which columns display, and limit the
types of files the Domino Administrator retrieves.
By default, the Files tab displays columns in this order:
• Title
• File Name
• Physical Path
• File Format
• Size
• Max Size
• Quota
• Warning
• Created
• Last Fixup
• Is Logged
• Template
To set Files preferences
1. From the Domino Administrator, choose File - Preferences -
Administration Preferences.
2. Click the Files section.
3. Do one:
• To add a column, select a column from the Available Columns list and click the right arrow to add it to the "Use these Columns" list.
• To remove a column, select a column from the "Use these Columns" list and click the left arrow to remove it from the list.
4. Click the up or down arrows to change the order of the columns in
the “Use these Columns” list.
5. Check “Retrieve only (NSF, NTF, BOX) Domino file types (faster)” to
limit the types of files retrieved. Uncheck this box to retrieve all file
types.
6. Click OK or click Monitoring to continue setting Administration
Preferences.
For more information on setting Files preferences in the Web
Administrator, see the topic “Setting Files Preferences for the Web
Administrator” later in this chapter.
Setting Monitoring preferences
You can use the default Monitoring preferences or customize them.
1. Choose File - Preferences - Administration Preferences.
2. Click Monitoring, and then complete the Global settings for
Monitoring

Field: Do not keep more than <n> MB of monitoring data in memory (4 - 99 MB)
Action: Enter the maximum amount of virtual memory, in MB, used to store monitoring data. Default is 4.
Field: Not responding status displayed after <n> minutes of inactivity
Action: Enter the amount of time after which the "not responding" status displays. The default is 10 minutes.
Field: Generate server health statistics and reporting
Action: Select this option to include health statistics in charts and reports. Note: You must enable this option to use the Server Health Monitor, which is part of the IBM Tivoli Analyzer for Lotus Domino.
In the Location section, complete these fields:
Field: When using this location
Action: Choose the Location document.
Field: Monitor servers
Action: Do one:
• Choose "From this computer" to monitor servers from the local Domino administration client.
• Choose "From server" and then click Collection Server. Select the Domino server running the Collector task for the servers being monitored by the location you selected.
Field: Poll server every <n> minutes (1-60 minutes)
Action: Enter the server's polling interval, in minutes.
• If "From this computer" is selected, the default is 1 minute.
• If "From server" is selected, the default is 5 minutes.
Field: Automatically monitor servers at startup
Action: Select this option to start the Domino Server Monitor when you start the Domino Administrator.

Setting Registration preferences


Within the Domino Administrator, you can set default registration
preferences that apply whenever you register new certifiers, servers, and
users.
1. From the Domino Administrator, choose File - Preferences -
Administration Preferences.
2. Click Registration.
3. Complete any of these fields:

Field: Registration Domain
Action: Select a domain from the list. The registration domain is the domain into which users and servers are registered.
Field: Create Notes IDs for new users
Action: Click to create a Notes ID for each new user during the registration process.
Field: Certifier name list
Action: Choose a certifier ID to use when creating the user name during user registration when a Notes user ID is not being created for the user. This field appears if the check box "Create a Notes ID for this person" is not selected. If you are working in a hosted environment and are registering a user to a hosted organization, be sure to register that user with a certifier created for that hosted organization.
Field: Certifier ID
Action: Do one:
• Choose "Certifier ID" to use the certifier ID and password. Then click Certifier ID, select the certifier ID file, and click OK to select the certifier ID used to register new certifiers, servers, and users.
• Choose "Use CA Process" to use the Domino server-based certification authority.
Field: Registration Server
Action: Click Registration Server to change the registration server, which is the server that initially stores the Person document until the Domino Directory replicates. Select the server that registers all new users, and then click OK. If you do not explicitly define a registration server, it is, by default:
• The local server if it contains a Domino Directory
• The server specified in the NewUserServer setting in the NOTES.INI file
• The administration server
Field: Explicit policy
Action: If you already created explicit policies, select the policy from the list. If you have not created explicit policies, this field displays "None Available."
Field: User Setup Profile
Action: Select a profile. The default is none. You can assign either a policy or a user setup profile, but you cannot assign both to the same users.
Field: Mail Options
Action: Click Mail Options to display the Mail Registration Options dialog box. Choose one of the following and complete any required associated fields:
• Lotus Notes (default): the Internet address is automatically generated.
• Other Internet: the Internet password is set by default during registration. Enter a forwarding e-mail address.
• POP: the Internet address is automatically generated during registration, and the Internet password is set by default during registration.
• IMAP: the Internet address is automatically generated during registration, and the Internet password is set by default during registration.
• Other: enter a forwarding e-mail address.
• None
Note: If you select Other or Other Internet, you will need to enter a forwarding address for the user during user registration. The forwarding address is the e-mail address to which the user wants their mail sent.
Field: User ID/Password Options
Action: Click User ID/Password Options Settings to open the Person ID File Settings dialog box. Do any of these:
• Person ID folder: choose a folder or enter a directory path in which to store the ID files generated for this user during registration.
• Person password quality: set a new password quality for the ID files that are generated for this user during registration. The default for a user ID is 8.
Field: Advanced Person Options
Action: Click Advanced Options to open the Advanced Registration Options dialog box on which you can specify the following:
• Whether to keep registered users in the registration queue
• Whether to attempt to register users with an error status from a previous registration attempt
• Whether to prompt for duplicate files
• Whether to search all directories for duplicate names
• Other registration settings
Field: Server/Certifier Registration
Action: Click to open the Server Certifier ID File Settings dialog box on which you can define the directories in which to store certifier IDs and server IDs and specify the default password quality setting for each.

4. Click OK.
For more information on explicit policies, see the chapter “Using
Policies.” For more information on Advanced Options, see Domino
Administrator 6 Help.
Setting Statistics preferences
You set statistics preferences to enable statistics reporting and statistics
charting. The Statistics section in Administration preferences is also
where you specify the polling and reporting time interval used for
gathering and reporting statistics.
You also enable statistic alarms for use with statistic event generators. If
you create statistics event generators to report alarms, you must enable
statistics alarms.
To set statistics preferences
1. From the Domino Administrator, choose File - Preferences -
Administration Preferences.
2. Click Statistics.
3. Complete these fields

Field: Generate statistic reports while monitoring or charting statistics
Action: Do one:
• Enable the field and then specify, in minutes, how often to create statistics reports in the Monitoring Results database (STATREP.NSF). Default is 45 minutes. The value must be greater than the monitoring poll interval specified in the Monitoring preferences.
• Disable the field if you do not want to create statistics reports or charts.
Field: Check statistic alarms while monitoring or charting statistics
Action: Do one:
• Enable the field to report an alarm when a statistic exceeds a threshold. You must enable this field to generate statistic events. Alarms are reported to the Monitoring Results database (STATREP.NSF).
• Disable the field if you do not want to generate alarms.
Field: Chart statistic using same poll interval as monitoring
Action: Do one:
• Enable the field to use the poll interval specified in the Monitoring preferences.
• Disable the field to set a charting interval that is different from the poll interval. Then specify a time interval in which to chart statistics. The default is 20 seconds.

Domino Administrator tabs


General administration tasks are organized by the tabs described in the
following table. Click a tab to display its contents, or use the
Administration menu to navigate among the tabs. For example, to move
from the Files tab to the Replication tab, choose Administration -
Replication.
Tab: People & Groups
Use to administer: People-related Domino Directory items, such as Person documents, groups, mail-in databases, and policies
Tab: Files
Use to administer: Databases, templates, database links, and all other files in the server's data directory
Tab: The Server tabs
Use to administer: Current server activity and tasks. This tab has five sub-tabs: Status, Analysis, Monitoring, Statistics, and Performance.
Tab: Messaging
Use to administer: Mail-related information. This tab has two sub-tabs: Mail and Tracking Center.
Tab: Replication
Use to administer: Replication schedule, topology, and events
Tab: Configuration
Use to administer: All server configuration documents, such as the Server, Messaging Settings, Configuration Settings, and Server Connections documents.

People and Groups tab in the Domino Administrator


From the People and Groups tab, you perform these tasks to manage the
Domino Directory:
• Register new users and groups
• Manage existing users, groups, mail-in databases, and other resources
• Assign policies to users and groups
• Assign roaming options and Internet settings to users
Files tab in the Domino Administrator
From the Files tab, you perform these tasks to manage database folders
and links:
• Access a folder and one or more files inside the folder
• Select the type of files to display, for example, display only databases or only templates
• Move or copy a database by dragging it onto a Domino server on the bookmark bar
• Manage databases, for example, compact databases and manage ACLs
• View disk size and free space on the C drive
Server tabs in the Domino Administrator
There are five Server tabs: Status, Analysis, Monitoring, Statistics, and
Performance.
Status
From the Status tab, you can:
• See which server tasks are running, stop or restart them, or start new tasks
• See who is connected to the server, including Notes users, browser and e-mail clients
• See which Notes databases are currently in use
• Access the live remote console of the server
• Monitor the schedule of programs, agents, mail routing and replication
Analysis
From the Analysis tab, you can:
• View, search, and analyze the log file (LOG.NSF)
• Access the database catalog on the server
• Access the Monitoring Results database (STATREP.NSF)
• Manage Administration Process requests
Monitoring
From the Monitoring tab, you can:
• Check the status of Domino servers
• Check server availability and sort servers by state or timeline
• View the current status of tasks running on each server and view selected statistics
• Monitor server health status and access server health reports
Statistics
From the Statistics tab, you can see the real-time statistics for the current
status of the Domino system.
Performance
From the Performance tab, you can:
• View statistic charts for server performance in real time
• Chart historical server performance over a selected period of time
• Manage server activity trends
• Perform resource load-balancing among servers
Messaging tabs in the Domino Administrator
There are two messaging tabs.
Mail
From the Mail tab, you can:
• Manage the mailboxes on the server
• Check mail
• Manage shared mail
• Monitor the log file for routing-related events
• Run reports on messaging use
Tracking Center
From the Tracking Center tab, you can issue tracking requests to track
messages. You must enable the Tracking Center tab in the Web
Administrator.
For more information on enabling the Tracking Center for the Web
Administration, see the topic “Message-tracking in the Web
Administrator” later in this chapter.
Replication tab in the Domino Administrator
From the Replication tab, you can:
• View the server replication schedule
• Check the log file for replication events
• View replication topology maps related to the server
Configuration tab in the Domino Administrator
From the Configuration tab, you can configure all server options,
settings, and configurations for various subsystems, including:
• Security
• Monitoring
• Messaging
• Policies
• Replication
• Directory services
• Off-line services
Domino Administrator tools
Most tabs on the Domino Administrator include a set of tools that change
based on the selected tab. For example, the People and Groups tab
includes two tools: one for managing people and one for managing
groups.
To hide or show the Tools panel, click the triangle. To choose a specific
tool, click the triangle to expand or collapse the tools options. Hiding
tools on one tab does not hide tools on other tabs.
You can also access tools using:
• Right click: Select an object that has an associated tool and right click. For example, on the People & Groups tab, right-click a Person document to access the People tools.
• Menus: For each tab that has tools, the appropriate tools menu appears in the menu bar. For example, when you click the Files tab, the Files menu appears.
The following table describes the tools that are on each tab.

Tab: People & Groups
Tools: People, Groups
Tab: Files
Tools: Disk Space, Folder, Database
Tab: Server - Status
Tools: Task, User, Ports, Server
Tab: Server - Analysis
Tools: Analyze
Tab: Messaging
Tools: Messaging
Tab: Configuration
Tools: Certification, Registration, Policies, Hosted Org, Server, Miscellaneous

Web Administrator
If you have a browser and want to manage and view settings for a
Domino server, you can use the Web Administrator to perform most of
the tasks that are available through the Domino Administrator. This
section includes the following information about the Domino Web
Administrator:
• Setting up the Web Administrator
• Setting up access to the Web Administrator database (WEBADMIN.NSF)
• Giving additional administrators access to the Web Administrator and assigning roles
• Starting the Web Administrator
• Using the Web Administrator
Setting up the Web Administrator
The Web Administrator uses the Web Administrator database
(WEBADMIN.NSF). The first time the HTTP task starts on a Web server,
Domino automatically creates this database in the Domino data
directory. However, you need to make sure that the Web browser and
server meet these requirements for the Web Administrator to run.
Web browser requirement
You must use one of these browsers with the Web Administrator:
• Microsoft Internet Explorer 5.5 on Windows 98, Windows NT® 4, Windows 2000 or Windows XP
• Netscape 4.7x on Windows 98, Windows NT 4, Windows 2000, Windows XP or on Linux 7.x
For the most current information about supported browsers, see the
Release Notes.
Domino server tasks required
You must have the following Domino server tasks running:
• The Administration Process (AdminP) server task must be running on the Web Administrator server.
• The Certificate Authority (CA) process must be running on the Domino 6 server that has the Issued Certificate List database on it to register users or servers.
• The HTTP task must be running on the Web server so that you can use a browser to access it.
To set up the Web Administrator
1. Make sure that the server you want to administer is set up as a
Domino Web server and that it is running the HTTP task. The
Domino Web server does not have to be a dedicated server, you can
use it for other server tasks, such as mail routing and directory
services. You can administer only the servers you set up as Domino
Web servers.
2. Set up administrator access to the Web Administrator database
(WEBADMIN.NSF).
For more information on setting up the Domino Web server, see the
chapter “Setting Up the Domino Web Server.”
Windows integration
To take advantage of certain Windows OS integration features, you must
install the Microsoft Windows Management Instrumentation Software
Development Kit (WMI SDK) if you are running NT 4. Windows 2000
automatically includes WMI.
Setting up access to the Web Administrator database
Domino automatically sets up default database security when the Web
Administrator database (WEBADMIN.NSF) is created for the first time.
At that time, all names listed in either the Full Access Administrators or
Administrators fields of the Server document are given Manager access
with all roles to the Web Administrator database. In addition, the HTTP
server task periodically (about every 20 minutes) updates the Web
Administrator database ACL with names that have been added to the
Server document in either the Full Access Administrators or
Administrators fields, but only if the names are not already on the ACL
list.
For more information on how the HTTP server task synchronizes names
in the Server document with those on the Web Administrator database
ACL, see “Giving additional administrators access to the Web
Administrator,” later in this chapter.
Default database security
The default ACL settings for the Web Administrator database are listed
below. You do not need to change these settings if the administrator’s
name appears in the Administrators field of the Server document.

Default name: User and group names listed in either of these fields on the Server document: Full Access Administrators, Administrators
Access level: Manager with all roles
Default name: The name of the server
Access level: Manager
Default name: -Default-
Access level: No access
Default name: Anonymous
Access level: No access
Default name: OtherDomainServers
Access level: No access

Authenticating administrators
You can use either an Internet password or an SSL client certificate to
access the Web Administrator. The Web Administrator uses either
name-and-password or SSL authentication to verify your identity. The
method the Web Administrator uses depends on whether you set up the
server or the Domino Web Administrator database (WEBADMIN.NSF),
or both to require name-and-password or SSL authentication.
To access the Web Administrator database, you must have
name-and-password authentication or SSL client authentication set up on
the server. Name-and-password authentication is enabled for the HTTP
protocol by default. Without SSL, name-and-password authentication sends
the Internet password over the network in the clear, so use the https://
URL, or configure the server so that the Web Administrator is reachable
only over SSL, whenever you administer across an untrusted network.
To use name-and-password authentication, you must have an Internet
password in your Person document. To use SSL client authentication,
you must have a client certificate, and SSL must be set up on the server.
For more information, see the chapters “Setting up Name-and-Password
and Anonymous Access to Domino Servers,” “Setting up Clients for
S/MIME and SSL,” and “Setting up SSL on a Domino Server.”
Giving additional administrators access to the Web Administrator
You can use the Server document as a convenient way to give additional
administrators access to the Web Administrator. To add an administrator
to the Web Administrator database (WEBADMIN.NSF) ACL, simply add
the name to either the “Full Access Administrators” or “Administrators”
field of the Server document. The HTTP server task routinely
synchronizes the names listed in those fields of the Web Server document
with those listed on the Web Administration database ACL. Names that
are not already listed in the ACL are added with Manager access and all
roles. Names that are already listed in the ACL keep the access granted
to them in the ACL. This preserves custom ACL settings, such as limiting
the ACL roles of a particular administrator, from being overwritten. It
also allows you to restrict administrators from using the Web
Administrator, even though they are listed as administrator in the server
document. If you delete an administrator’s name from the Server
document, the name is also deleted from the Web Administrator
database ACL automatically at the next synchronization.
You can also give administrators access to the Web Administrator
manually by adding them directly to the Domino Web Administrator
database ACL. You can give an administrator full or partial access by
restricting the roles assigned. The role assigned to an administrator
determines which commands are available to the administrator, and
which tabs appear in the Web Administrator client. You cannot restrict
roles when you add administrator access to the Web Administrator using
the Server document. If you add a name using the Server document, you
must manually restrict access to the Web Administrator through the
Domino Web Administrator database ACL. To prevent an administrator
from accessing it, assign No access in the ACL.
For more information on Web Administrator roles, see the topic
“Administrator Roles in the Web Administrator” later in this chapter.
To update access to the Web Administrator database automatically
1. From the Domino Administrator, click the Configuration tab.
2. Select the Server view, and open the Current Server Document for
the Web Administration server.
3. Select the Security tab.
4. In one of these fields, enter the name of the administrator to whom
you want to give access to the Web Administrator:
• Full Access Administrators
• Administrators
5. Click Save & Close
To update the Web Administrator database ACL list manually
You can manually add an administrator to the Web Administrator
database ACL list.
1. From the browser using the Web Administrator, click the Files tab.
2. Select the Web Administrator database (WEBADMIN.NSF).
3. From the Tools menu, select Database - Manage ACL.
4. Click Add and add the administrator or group name to the ACL of
the Web Administrator database.
5. In the Access field, select Manager.
6. Assign the roles. Assigned roles determine which commands and
tabs appear in the Web Administrator.
Tip To select more than one role, hold down the Shift or Control
key while selecting roles. Selected roles appear highlighted.
7. Do one of the following:
• If the server requires name-and-password authentication, edit each administrator's Person document and enter an Internet password.
• If the server requires SSL client authentication, set up the browser for SSL.
For more information on Managing ACL roles, see the chapter
“Controlling User Access to Domino Databases.” For more information
on SSL authentication, see the chapter “Setting Up Clients for S/MIME
and SSL.”
Administrator roles in the Web Administrator
By default, the ACL gives Manager access and all roles to users named in
the Administrators and Full Access Administrators fields on the Server
document. However, you can restrict a Web administrator’s access to
parts of the Domino Administrator by limiting the assigned roles. Each
role has a corresponding tab and associated commands. When you
restrict access, you also restrict which tabs appear in the Web
Administrator.
For example, if you assign only the People&Groups role to a Web
Administrator, the People & Groups tab is the only tab that appears when
that administrator uses the Web Administrator. The following table shows
the roles that have been predefined for the Domino Web Administrator.

Role             Tab
Files            Files
People&Groups    People & Groups
Replication      Replication
Configuration    Configuration
Mail             Messaging - Mail
MsgTracking      Messaging - Tracking Center
ServerStatus     Server - Status
ServerAnalysis   Server - Analysis
ServerStatistic  Server - Statistic

Starting the Web Administrator


When you start the Web Administrator, it displays the server’s
administration homepage (information about the server and the
administrator using the server). It does not automatically open to a tab,
you must choose a tab to begin using the Web Administrator. To return
to the server administration homepage at any time, click the top left
server icon in the Web Administrator bookmark bar.
To start the Web Administrator
1. Start the HTTP task on the server if it is not already running.
2. From the browser, enter the URL for the Web Administrator
database on the server you want to administer. For example, enter:
http://yourserver.domain.com/webadmin.nsf
Or for SSL, enter:
https://yourserver.domain.com/webadmin.nsf
3. Enter your hierarchical name, common name, or short name and your
Internet password.
4. Click one of the tabs to begin using the Web Administrator.
16-22 Administering the Domino System, Volume 1
Using the Web Administrator
The Web Administrator is almost identical to the Domino Administrator
with very few exceptions. The user interface looks the same, and most
menu options, dialog and information boxes are identical, although the
Web Administrator may occasionally display additional information. For
example, the Mail tab in the Web Administrator offers additional mail
specific statistics — for example, Mail Routing Schedule, Mail Routing
Statistics, and Mail Retrieval Statistics. This information is available in
the Domino Administrator; however, it is not displayed the same way.
In addition, there is a new Task tool on the Replication and Mail -
Messaging tabs. You can use this tool to issue Tell commands, and to
stop, start, and restart replication, router, and messaging tasks.
The Web Administrator includes most of the Domino Administrator
functionality. However, the Domino Server Monitor and performance
charting are not available in the Web Administrator. And you can restrict
further which commands and tabs are available by restricting the roles
assigned to an administrator. Information on the availability of specific
Web Administrator features and minor changes to how you access a
feature are documented throughout the Domino Administrator help
documentation.
For the most recent information on using the new Domino Web
Administrator, see the Release Notes that shipped with this product or
download the Domino Administrator online help from the Lotus Domino
Administrator Release 6 download page on the Lotus Developer Domain
at http://www.lotus.com/ldd.
Accessing online help
To access online documentation, use the Help button.
Differences using Netscape 4.x
You may notice some minor differences in the appearance or behavior of
the Web Administrator in Netscape 4.x:
• Bookmarks display in a separate window, not in the same browser
window.
• If a button is disabled, the button name shows a line of stars (****)
instead of the name of the button, dimmed.
• The Tools panel cannot be collapsed. It is always visible.
• Frames cannot be resized. If you resize the main window, the entire
Web Administrator reloads.
Setting Up and Using Domino Administration Tools 16-23
Administration
Additional buttons
The Domino Web Administrator includes these buttons that appear to
the right of the tabs. These do not appear in the Domino Administrator:
• Sign out - Use this to log out when you cannot or do not want to
close the browser.
• Preferences - Use this to set Administration preferences.
• Help - Use this to access on-line help documents for the Domino
Administrator.
The mail bookmark displays in the bookmark area only if you have
browsed to your home mail server.
Setting Files preferences for the Web Administrator
You can use the Web Administrator to set Files preferences:
Files preferences
By default, the Files tab in the Domino Administrator displays
information about database files in the following order; however, you
can customize which columns display in the Web Administrator. The
fewer columns you display, the faster the Files panel performs.
• Title
• File Name
• Physical Path
• File Format
• Size
• Space Used
• Max Size
• Quota
• Warning
• Created
• Last Fixup
• Is Logged
• Template Name
• Inherit From
• Type
• Replica ID
To set Files preferences
By default, the Web Administrator displays all columns. You can add or
delete columns from the display. Select a column name from the “Use
these Columns” list and then click Add or Remove.
Registering users and servers with the Web Administrator
To use the Web Administrator to register new Notes users, you must use
the Domino server-based certification authority. Any request or task that
requires a certifier ID file — for example, migrate or modify ID — is not
available.
To use the Web Administrator to register users or servers, you must have
Registration Authority (RA) access in the server-based certification
authority (CA). The server that is running the Web Administrator should
also be listed as an RA but that role is not required for the server. If,
however, the server is not listed as an RA, the administrator that is an RA
must open the Administration Requests database and approve the
administration request to register the user. You must assign the RA role
in the Domino Administrator, not in the Web Administrator. To assign
the RA role, use the Modify Certifier tool on the Configuration panel.
You cannot set registration preferences in the Web Administrator. You
must use the registration settings in the CA and in the Registration policy
settings document.
In the Web Administrator, you cannot configure a server for SSL during
the server registration process.
For more information about modifying certifiers, see the chapter “Setting
up a Domino Server-Based Certification Authority.” For more
information about user registration in the Web Administrator, and about
creating and modifying groups, see the chapter “Setting Up and
Managing Notes Users.” For more information about registering a server,
see the chapter “Installing and Setting Up Domino Servers.”
Managing policies with the Web Administrator
The Policy tools on the Configuration and People & Groups tabs in the
Domino Administrator are not available in the Web Administrator.
Therefore, from the Web Administrator, you cannot use the Policy
Assign tool or the Policy Synopsis tool.
If you create policies before you register users, you can assign them to
users and groups during user registration. You can also edit a Notes
user’s Person document and manually assign an explicit policy by
specifying the name of the policy.
Working with policy documents
From the Web Administrator, you can use the Policies view in either the
People & Groups or the Configuration tab to add, edit, or delete policy
documents. To add or delete policy documents, use the buttons that
display in the Results pane. In this view, the names of policy documents
are links. To edit one of these documents, click the link for the document
you want to edit.
Using the Web Administrator to delete policy documents is not
recommended because doing so does not initiate the Administration
Process requests required to remove all references to the deleted
document from other policy documents.
If you use the Web Administrator to create Setup or Desktop policy
settings documents, you cannot add the database links used to set up
bookmarks or custom Welcome pages.
For more information about managing policies and policy documents,
see the chapter “Using Policies.”
Using the Web Administrator consoles
The Web Administrator includes two consoles, the Quick Console and
the Live Console, which you access from the Server - Status tab. These
consoles mirror the server console on the Server Status tab of the Domino
Administrator.
Use the Live Console to send commands to a Web server running under
a Server Controller. You can send Controller and shell commands, as
well as Domino server commands. To use the Live Console, you must
install Java Plug-in 1.4 or higher and enable it in your Web browser.
Use the Quick Console to send commands to a Web server that does not
run under a Server Controller. Or use it if you are unable to install or use
the Java Plug-in in your browser.
For more information on using the console in the Web Administrator to
send commands, see the topic “The Server Controller and the Domino
Console,” later in this chapter and the appendix “Server Commands.”
Using the Web Administrator with service providers
Service providers may allow administrators at hosted organizations to
manage users and groups by allowing remote access through the Web
Administrator, with restricted roles. In some cases, the administrator at
the service provider site will assume all responsibilities for managing
users and groups.
For more information on service providers, see the chapter “Managing a
Hosted Environment.”
Message tracking in the Web Administrator
To use the Web Administrator to trace messages, you must first enable
message tracking.
To enable message tracking
1. From the Web Administrator, click the Configuration tab.
2. Open the Messaging view, and select Settings.
3. Click Edit Message Settings.
4. Select the Message Tracking tab.
5. Under Basics, in the Message tracking field, select Enabled. The
default is Disabled.
6. Under Access Settings, complete these fields:

Field                       Action
Allowed to track messages   Select both of these: • Your name • LocalDomainServers
Allowed to track subjects   Select your name from the list

Editing the NOTES.INI file and cleanup script in the Web Administrator
You must be a Full Access Administrator to edit the NOTES.INI file. You
must have Administrator access or higher to view the NOTES.INI file, or
to edit or view the cleanup script.
For more information on editing the NOTES.INI file, see the appendix
“NOTES.INI File.”
Signing out of the Web Administrator
When you finish using the Web Administrator, close the browser to end
the session or click Sign out to end the session and clear your user name
and password credentials so that unauthorized users cannot access the
browser while the Web Administrator is still running.
The Server Controller and the Domino Console
The Server Controller is a Java® based program that controls a Domino
server. Starting the Server Controller starts the Domino server it controls.
When a server runs under a Server Controller, you can send operating
system commands (shell commands), Controller commands, and Domino
server commands to the Server Controller. For example, from a remote
console, you can use Controller commands to kill Domino processes on a
server that is hung or to start a Domino server that is down.
You can use the Domino Console, a Java-based console, to communicate
with a Server Controller. You can run the Domino Console on any
platform except Apple Macintosh. Using the Domino Console, you can
send commands to multiple servers. The Domino Console doesn’t
require a Notes ID, only a Domino Internet name and password, so you
can connect to servers certified by different certifiers without having
multiple Notes IDs or cross-certificates. You can customize output to the
Domino Console — for example, use local event filters to specify the
types of events the Console displays. You can also log server output to
log files and customize the appearance of the Console.
The Domino Console functions strictly as a server console. Consequently,
the Domino Console doesn’t include the full set of Domino
administration features that are available through the Domino
Administrator and the Web Administrator, and you can’t use it to open
and manage Notes databases.
The files needed to run the Server Controller and to run the Domino
Console are provided with Domino and Notes.
You can also use remote consoles in the Domino Administrator and Web
Administrator to communicate with a Server Controller.
For information on the available Controller commands and on using the
Domino Administrator or Web Administrator to communicate with a
Controller, see the appendix “Server Commands.”
Starting and stopping the Server Controller
Do the following to start the Server Controller, the Domino server, and
the Domino Console:
1. Shut down the Domino server, if it is running.
2. Start the Server Controller using the same command you normally
use to start the Domino server but append the argument -jc. For
example, if you run a server on Windows NT from the directory
c:\lotus\domino using a shortcut icon on the Desktop, use the
following target for the shortcut:
c:\lotus\domino\nserver.exe -jc
The Server Controller runs in its own window. You can minimize a
Server Controller window, but do not close or kill the window to stop the
Server Controller. Instead, use the Controller Quit command from a
console to stop a Server Controller and the server it controls.
When you run a Server Controller, you no longer have access to the
traditional console at the server. You can communicate only through the
Domino Console or a console in the Domino Administrator or Web
Administrator.
Note You can run the Server Controller as a Windows NT service.
Optional arguments to use when running the Server Controller
Starting the Server Controller using only the argument -jc starts the
Domino Server and the Domino Console along with the Server
Controller. There are two optional arguments you can specify to change
this default behavior: -c and -s.
Use -c to prevent the Domino Console from running when you start the
Server Controller. You might prevent the Console from running on a
slow machine or a machine that is low on memory. If you use this
argument and the Domino server ID requires a password, the Domino
server starts without running its server tasks. To run the server tasks,
you must connect to the Server Controller from a console and specify the
server password when prompted.
Use -s to prevent the server from running when you start the Server
Controller. Use this argument along with -c so that someone who is
directly at the server can start only the Server Controller, and then a
remote administrator can start the server and specify a required server
password remotely from a console.

Example (Windows NT)   Result
nserver -jc            Runs the Server Controller, the server, and the Domino Console
nserver -jc -c         Runs the Server Controller and the server
nserver -jc -s         Runs the Server Controller and the Domino Console
nserver -jc -c -s      Runs only the Server Controller

Starting and stopping the Domino Console
You can run the Domino Console from any machine on which a Domino
server or the Domino Administrator is installed. To use the Domino
Console to communicate with a Domino server, the server must be
running under a Server Controller.
To start the Domino Console
1. Make sure that the Domino server or the Domino Administrator is
installed on the machine.
2. Run the following command directly from the program directory, or
from a directory path that points to the program directory:
jconsole
Note The Domino Console also starts by default when you start a
Server Controller.
For information on using the Domino Console, choose Help - Help
Topics from the Domino Console menu.
To stop the Domino Console
1. From the Domino Console, choose File - Exit.
2. If the Console is currently connected to a Server Controller, when
you see the prompt “Exiting the Console by disconnecting all active
connections. Do you want to continue?” do the following:
a. (Optional) To also stop a Domino server and Domino Server
Controller running locally, select the option “Also, bring down
Domino (if running) and quit the local Server Controller - local
server name.”
b. Click Yes.
Chapter 17
Using Domino with Windows Synchronization Tools
This chapter explains how to synchronize user and group information in
Windows NT User Manager for Domains, the Windows 2000 Active
Directory®, and in Notes.
Setting up Windows NT User Manager
When you create a new user or group account in Windows NT User
Manager for Domains, you can simultaneously register the user or group
in Notes. For users, this includes creating a Person document, Notes ID,
password, and mail file for the user. For groups, this includes creating a
Group document and, optionally, registering individual group members
as Notes users. You can also register existing Windows NT users or
groups in Notes. In addition, you can delete Notes users or groups when
you remove their user/group accounts. Further, you can synchronize
existing Windows NT users with Notes users for future synchronization
operations such as deleting users.
If you are running a Domino server on Windows NT, you can
synchronize user and group information in Domino and Windows NT.
Then, you can perform many administrative tasks in either Domino or
Windows NT User Manager for Domains, and the effects occur in both
products.
When you use Domino to register or delete a Notes user or delete a Notes
group, you can automatically update User Manager for Domains
(USRMGR.EXE). Conversely, special menu options and dialog boxes
added to Windows NT allow you to specify that additions and deletions
(and name changes for users) made to User Manager user or group
accounts are reflected in the Domino Directory. You can also add existing
Windows NT user or group accounts to the Domino Directory.
For example, if you run Notes on Windows NT, you can open User
Manager for Domains and specify that all changes to user accounts
during the session are also recorded in the Domino Directory on a
selected Domino server. You then display the list of existing user or
group accounts and select ones to be added to the Domino Directory.
Then you add, delete, or modify other user accounts while working in
Windows NT. All these changes are automatically made to the Domino
Directory. Plus, a mail file, Notes ID, and common password (shared by
the user’s Notes ID, Notes Internet password, and Windows NT account)
can be created for each new user.
These directory synchronization features let you keep both the Domino
Directory and User Manager current, without having to update both
when either changes. Also, you can manage user and group information
in the Domino Directory and User manager from either Notes or
Windows NT.
To set up Windows NT User Manager, you must complete these
procedures:
1. Enable Notes synchronization features.
2. Synchronize Windows NT and Notes users.
Examples of synchronizing data in Notes and User Manager
Example 1
You have an existing Windows NT network and are deploying Notes for
the first time in your organization. You want to register a large group of
Windows NT users in Domino.
In this example, you change the registration options to be sure users are
registered exactly as you want them to be. When you register the users,
you choose “Register users at once without additional prompts.” This
generates random passwords for the users and stores them in a database
titled New User Passwords (NTSYNC45.NSF). You then distribute these
passwords to users so they can install their Notes workstations. After
installation, users can create new passwords.
Example 2
You have users who are registered in both Windows NT and Domino.
You want to synchronize their accounts to make administration easier.
To accomplish this, you choose the User synching option in User
Manager. This copies the user account name from Windows NT to the
Network account name field in the user’s Person document. Now that
the products have a common entry, the Notes User Manager Extension
(NUME) program can communicate between them and keep them
synchronized.
Example 3
You already deployed Domino and synchronized Domino with Windows
NT. You want to add users as necessary. Use the Windows NT User
Manager to create a new Windows NT account and simultaneously
register the user in Domino. Use Domino to register a person and
simultaneously create the Windows NT account. You can also
accomplish this task when registering multiple users from a text file. The
default account name in Windows NT is the same as the name in the
“Short name” field of the Person document.
Enabling Notes synchronization operations in Windows NT User
Manager
You must enable Notes synchronization features to make Notes
commands available to you on the Notes menu in Windows NT User
Manager.
Note By default, all synchronization operations are enabled.
1. From the User Manager, choose Notes - Notes Synchronization
Options.
2. Complete these fields:

Field: Enable all synchronization operations
Enter: To enable all Notes synchronization operations listed under the
“Select synchronization operations to enable” field. Whenever you
perform one of the synchronization operations in User Manager for
Domains, you are prompted to decide whether or not to perform the
same operation in Notes.

Field: Select synchronization operations to enable
Enter: Choose one of these to enable and disable selected Notes
synchronization operations:
• “User / Group registration” to register new or existing Windows NT
users and groups in Notes. This option enables the Add Selected NT
User / Group to Notes, Registration Setup, and Mail / ID Registration
Options on the Notes menu.
• “User / Group deletion” to delete a user or group from Windows NT
and have that user or group deleted from the Domino Directory.
Enables the “Delete / User Synch Options” command on the Notes
menu.
• “User synching” to change a user account name in User Manager and
duplicate that name change in the Network account name field of the
Person document in the Domino Directory, allow changes to the user’s
full name and copy the new name to the “User name” field in the
Person document, enable the Notes menu command “Synch Selected
NT Users with Notes,” and activate the “Set common password on
user synching” field.

Field: Set common password on user synching
Enter: To synchronize the Windows NT password and the Notes Internet
password when you synchronize users. (Available only if you selected
“User synching.”)

Field: Prompt to confirm/cancel synchronization operations
Enter: Choose one: • Prompt for all operations (default) • Prompt only
for user / group deletions • Do NOT prompt for any operations

Field: Name format for full name parsing
Enter: Choose a parsing format that is the most compatible with the
name format of the Windows NT domain list. Full-name parsing is used
to parse Windows NT full names into Notes name components. The
default is “Firstname Lastname.”

Field: Use Policy-based registration
Enter: Click to enable registration settings specified in policies to
extend to Windows NT user registration as well.

3. To save and re-apply the settings in the next User Manager session,
choose Options - Save Settings on Exit.
4. Complete the procedure “Synchronizing Windows NT and Notes
users.”
Synchronizing Windows NT and Notes users
If your system includes Windows NT user accounts that correspond to
Person documents in the Domino Directory, you can keep the
information synchronized between the products. When you synchronize
Windows NT and Person documents, these changes occur:
• The “Network account name” field on the user’s Person document is
updated with the account name of the Windows NT user.
• The full name of the Windows NT user is added to the “User name”
field on the Person document if that name does not already exist in
the names list. Existing full names in the Person document are not
modified.
• (Optional) The Windows NT password and the Internet password on
the Person document are replaced with a common password that
works for both Windows NT and Domino Web server access. The
Internet password is encrypted when entered in the Person
document.
User synching also takes place when a Windows NT user is renamed in
User Manager and Notes user synching is enabled. In this case, the
“Network account name” field and the “User name” field in the Person
document are updated, but passwords are not synchronized.
User synching does not register a Notes user — that is, a Person
document, Notes ID, and mail file are not created. User synching can
only modify information in an existing Person document.
Note If an error occurs during user synchronization, for example, a
Person document cannot be found for the NT user, an error message
appears. Details on errors and status are also entered in the NT Event
Viewer application log.
If you change the Windows NT user account name or the full name, run
synchronization again. You should also run synchronization if you want
to synchronize the Windows NT password with the Notes password.
User synching is successful if these conditions exist:
• The NT user account name matches the name in the “Short name”
field in the Person document.
• The Windows NT full name matches an entry in the “User name”
field in the Person document.
• The Windows NT last name matches the name in the “Last name”
field in the Person document.
• The name in the “Network account name” field, if there is one in
the Person document, matches the Windows NT user account
name.
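The matching conditions above, the Person document changes listed under “Synchronizing Windows NT and Notes users,” and the “Name format for full name parsing” option from the Notes Synchronization Options dialog, modeled in Python as an added example. This is not code from Domino or from the Notes User Manager Extension: it uses plain dictionaries in place of Person documents, compares names case-insensitively (an assumption), treats “Lastname, Firstname” as an assumed alternative parsing format, and stands in a SHA-256 digest for the encrypted Internet password, which Domino actually stores in its own digest format. The sample records are constructed.

```python
"""Model of the Windows NT -> Domino Directory user-synching rules.

Added example, not code shipped with Domino or Windows NT. Person documents
are plain dictionaries keyed by the field names used in the manual
("Short name", "User name", "Last name", "Network account name",
"Internet password"). Assumptions: names compare case-insensitively, the
"Lastname, Firstname" format is an assumed alternative to the documented
default, and SHA-256 stands in for Domino's own password digest.
"""
import hashlib
from copy import deepcopy


def parse_full_name(full_name, name_format="Firstname Lastname"):
    """Split a Windows NT full name into (first, last) Notes name components."""
    text = full_name.strip()
    if name_format == "Firstname Lastname":          # documented default
        parts = text.split()
        if len(parts) < 2:
            return (text, "")                        # no last name to match
        return (" ".join(parts[:-1]), parts[-1])
    if name_format == "Lastname, Firstname":         # assumed alternative
        last, _, first = text.partition(",")
        return (first.strip(), last.strip())
    raise ValueError(f"unknown name format: {name_format!r}")


def synch_failures(nt_user, person, name_format="Firstname Lastname"):
    """Return the conditions that block user synching; an empty list means success."""
    failures = []
    _, nt_last = parse_full_name(nt_user["full_name"], name_format)
    if nt_user["account"].lower() != person.get("Short name", "").lower():
        failures.append("account name does not match Short name")
    if nt_user["full_name"] not in person.get("User name", []):
        failures.append("full name not in User name list")
    if nt_last.lower() != person.get("Last name", "").lower():
        failures.append("last name does not match Last name")
    bound = person.get("Network account name")
    if bound and bound.lower() != nt_user["account"].lower():
        failures.append("Network account name already bound to another account")
    return failures


def apply_user_synch(nt_user, person, common_password=None,
                     name_format="Firstname Lastname"):
    """Apply the Person-document changes of a successful synch; returns a new dict."""
    failures = synch_failures(nt_user, person, name_format)
    if failures:
        raise ValueError("; ".join(failures))
    updated = deepcopy(person)
    updated["Network account name"] = nt_user["account"]
    names = updated.setdefault("User name", [])
    if nt_user["full_name"] not in names:            # existing names are never modified
        names.append(nt_user["full_name"])
    if common_password is not None:
        # Stand-in for the encrypted Internet password: never store clear text.
        digest = hashlib.sha256(common_password.encode("utf-8")).hexdigest()
        updated["Internet password"] = digest
    return updated


def apply_nt_rename(old_account, nt_user, person):
    """Rename path: update Network account name and User name; passwords are untouched."""
    if person.get("Network account name", "").lower() != old_account.lower():
        raise ValueError("Person document is not bound to the renamed NT account")
    updated = deepcopy(person)
    updated["Network account name"] = nt_user["account"]
    names = updated.setdefault("User name", [])
    if nt_user["full_name"] not in names:
        names.append(nt_user["full_name"])
    return updated


# Constructed sample records, not real directory data.
NT_USER = {"account": "jsmith", "full_name": "Jane Smith"}
MISMATCH = {"account": "jsmith", "full_name": "Jane Smyth"}
PERSON = {
    "Short name": "jsmith",
    "User name": ["Jane Smith/Sales/Acme", "Jane Smith"],
    "Last name": "Smith",
}

if __name__ == "__main__":
    print("ok:", synch_failures(NT_USER, PERSON))
    print("blocked:", synch_failures(MISMATCH, PERSON))
    synced = apply_user_synch(NT_USER, PERSON, common_password="Ch4ngeMe!")
    print("bound to:", synced["Network account name"])
    print("after rename:", apply_nt_rename("jsmith", {"account": "jdoe",
          "full_name": "Jane Doe"}, synced)["User name"])
```

Running the block shows a clean match, the two failures raised for a misspelled full name (the list and the last-name check both trip, which is why `synch_failures` returns every failing condition rather than the first), and that the rename path carries the previously set Internet password through unchanged, as the manual states.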
To synchronize Windows NT and Notes users
Synchronizing Windows NT users and Notes users may result in changes
to Person documents and to the Domino Directory.
1. Make sure that you already enabled user synching in Windows NT
User Manager.
2. In the User Manager Username window, select the users you want to
synchronize.
3. Choose Notes - Synch Selected NT Users with Notes.
4. When prompted to continue, click Yes.
5. If you enabled password synching, enter and confirm the password
for the first user you are synchronizing, and then click OK.
6. Enter and confirm passwords for additional users you are
synchronizing, and then click OK.
Setting policy-based registration options for use with Notes
synchronization
Use policy-based registration options to apply registration settings to
multiple users, instead of specifying individual settings for each user,
and use the new registration options available with Lotus Domino 6. The
registration settings are applied to all users registered during the
registration session, thereby making the registration process fast and
simple. Prior to completing this procedure, do one of the following:
• Create an explicit policy with an associated Registration settings
document
• Create an organizational policy with an associated Registration
settings document
Note If you have not created the appropriate policy documents prior to
setting the policy-based registration options, you are prompted to do so
during this procedure.
For more information on using policies, see the chapter “Using Policies.”
For more information on the Notes Synchronization Options, see the
topic “Enabling Notes synchronization operations in Windows NT User
Manager” earlier in this chapter.
To enable this option, select the “Use Policy-based registration” option
on the Notes Synchronization Options dialog box.
1. From the User Manager, choose Notes - Policy-based Registration
Options.
Note If there are no registration policies, you are prompted to create
one now. Choose Yes and create the policy, or choose No.
2. Complete these fields:

Field: Registration server
Action: A registration server for this session, that is, the Domino
server on which to create Person documents in the Domino Directory.
Users are automatically assigned the same Domino domain as that of the
selected server. You must have a properly certified Notes ID and
sufficient access to the specified server to register Notes users.
Default - Local

Field: Administration ID
Action: Enter the new Administration ID of the administrator registering
Notes users, and then enter a password. Click OK.

Field: Use common password
Action: Supplies a single password for both Windows NT and Notes (and
the Notes Internet password, if applicable). You can override this
option for individual users at registration time. Causes the existing
NT password for an NT user to be replaced with the common NT/Notes
password when users are registered. This field is not visible when the
existing users are registered with randomly generated passwords.
Default - Selected

Field: Set Internet Password in Notes
Action: Sets an Internet password for authenticated access to the
Domino Web server. The Internet password is encrypted and set into the
Internet password field in the Person document. This password is
mandatory if the “Internet registration only” option is selected or if
the mail type is Other Internet, POP, or IMAP. Default - Not selected

Field: Certifier name
Action: Choose the certifier name to use to certify users with a Notes
certifier ID. Default - No certifier chosen.

Field: Organizational policy
Action: Choose the name of the organizational policy if one exists. An
organizational policy automatically applies to all users registered in
a particular organizational unit. If there is no organizational policy,
this field displays None. Non-modifiable field.

Field: Explicit policy
Action: Choose an explicit policy to apply to the users in this
registration session. An explicit policy assigns default settings to
individual users or groups.

Customizing Notes registration for Windows NT users


Each time you register users, you can change the default Windows NT
user registration options or use the default values. If you change the
options, User Manager saves the settings only until you exit the program.
Each time you start User Manager, the settings revert to the defaults.
The “Internet registration only” and “Use common password” settings
affect the fields that display on this dialog box as follows:
• If “Use common password” is selected and “Internet registration
only” is not selected, the Internet address components fields and the
Certifier ID Information fields display.
• If “Use common password” and “Internet registration only” are both
selected, the Certifier ID Information fields do not display.
• If “Use common password” is not selected and “Internet registration
only” is selected, the Certifier ID Information fields do not display.
The Registration Setup menu item is active only if you have not enabled
the “Use policy-based registration” setting in the Notes Synchronization
Options.
To change default Registration Setup options
1. Before changing the default registration options, you must enable
user and group registration.
For more information, see the topic “Enabling Notes synchronization
operations in Windows NT User Manager” earlier in this chapter.
2. From the User Manager, choose Notes - Registration Setup.

Field    Enter

Internet registration only (No Notes ID or mail file created)
    Creates Person documents in the Domino Directory with an Internet
    password, but user IDs and mail files are not created. Allows Web or
    LDAP users to gain authenticated access to the Domino Web server
    without running Notes workstation software. Hides dialog controls
    related to the Notes ID (Certifier ID, Security Type, Certificate
    expiration date) and mail-related dialog controls, such as the
    Internet address fields. Default - Not selected

Use common password
    Supplies a single password for both Windows NT and Notes (and the
    Notes Internet password, if applicable). You can override this option
    for individual users at registration time. Causes the existing NT
    password for an NT user to be replaced with the common NT/Notes
    password when users are registered. This field is not visible when
    existing users are registered with randomly generated passwords.
    Default - Selected

Set Internet password in Notes
    Sets an Internet password for authenticated access to the Domino Web
    server. The Internet password is encrypted and set into the Internet
    password field in the Person document. This password is mandatory if
    the “Internet registration only” option is selected or if the mail
    type is Other Internet, POP, or IMAP. Default - Not set

Registration server
    A registration server for this session, that is, the Domino server on
    which to create Person documents in the Domino Directory. Users are
    automatically assigned the same Notes domain as that of the selected
    server. You must have a properly certified Notes ID and sufficient
    access to the specified server to register Notes users.
    Default - Local

Administration ID
    Enter the new Administration ID of the administrator registering Notes
    users, and then enter a password. Click OK.

Profile name
    Name of the User Setup Profile to be used when the user is created in
    Notes. Default - None specified

Assign new users to Notes group
    The Notes group to which new Notes users will be added from User
    Manager. Enabled only if Notes groups exist. Default - Not assigned

Internet domain
    The last part of the Internet address for each user registered. This
    field displays if the Mail Type selected on the Notes Mail / ID
    Registration Options dialog box is Notes, POP, or IMAP.
    Default - Current host domain (example: @acme.com)

Address name format
    Choose the address name format that you want to use for Internet
    mail. This field displays if the mail type is Notes, POP, or IMAP.

Separator
    Choose one: None, Underscore, Percent, or Equal. This field displays
    if the mail type is Notes, POP, or IMAP.

Certifier ID
    To certify users with a different Notes certifier ID, click Certifier
    ID and then enter another certifier ID and password. Click OK. This
    field does not display if Internet registration only is selected.
    Default - Current certifier ID specified in the local NOTES.INI file
    (if one exists)

Security type
    Choose one: North American or International. This field does not
    display if Internet registration only is selected.

Certificate expiration date
    Date on which the user’s certification expires. This field does not
    display if Internet registration only is selected. Default - two
    years from the current date

Alternate name language
    An alternate language in which to specify a user name. If the
    Certifier ID was enabled for alternate naming and includes alternate
    language specifiers, this field displays the languages you can use
    for this user name. If an alternate name has not been added, this
    field displays None.

For more information on the User Setup Profile and the alternate name
language, see the chapter “Setting Up and Managing Notes Users.”
To change default Mail / ID Registration options
Mail / ID Registration options are not available if you selected
Internet-only registration in the Registration Setup dialog box.
1. Before changing the default Mail/ID Registration options, enable
user and group registration.
For more information on synchronizing user and group registration,
see the topic “Enabling Notes synchronization operations in
Windows NT User Manager” earlier in this chapter.
2. From the User Manager, choose Notes - Mail/ID Registration
Options.
3. (Optional) To create user mail files on a server other than the local
server, click Mail Server, select another server, and then click OK.
4. Change these settings, and then click OK:

Field    Enter

Mail Server
    Click to select a mail server to be used as the default mail server,
    and then click OK.

Mail Type
    Choose one:
    • Notes to use Notes mail.
    • Other Internet Mail to use Internet mail on a server that is not
      part of your organization. If you choose this option, Domino does
      not create a mail file for the user.
    • POP to use POP3 mail to access the mail file on a Domino server.
    • IMAP to use IMAP mail to access the mail file on a Domino server.
    • Other to have mail forwarded to a non-Notes mail address. No mail
      file is created.
    • None for no mail.
    Default - Notes

Mail file directory
    Create a mail file in a directory other than the default Mail
    directory by entering the full path name for a mail file. This file
    name applies to the next user you register. For subsequent users,
    only the directory portion of the path is used. You can specify a
    directory other than the default. Default - Mail file in the
    Notes/data directory

Create mail files now
    Create a mail file during Notes user registration. Default - Selected

Create mail files in background
    Use the Administration Process to create a mail file after Notes user
    registration. An administration request is generated and stored in
    the Administration Requests database, then processed as usual.

Set mail database quota
    To limit the size of the mail database, enter the database size, up
    to 9999MB, in the field that becomes active when you select this
    option.

Set warning threshold
    To notify the administrator when a user’s mailbox is almost at its
    maximum size, enter the threshold size, up to 9999MB, in the field
    that becomes active when you select this option.

Create full text index
    Select to create a full-text index of the entire mail database.

Store User IDs
    Choose one, both, or neither:
    • In Address Book to store the mail user’s ID in the Domino Directory
    • In file to store the mail user’s ID in a file
    Choosing neither option results in no ID file being created.

Set ID path
    The path and file name in which to store user IDs. If you chose Store
    User IDs in file, you can select a file other than the one that is
    displayed. This button is activated only if you chose In file in the
    Store User IDs field. The default is <Data directory>\ids\people

Using Windows NT to create user accounts and register Notes users
When you create a user account in Windows NT User Manager for
Domains, you can register the new user in Notes at the same time. You
can also register existing Windows NT users in Notes. Registration
typically includes creating a person document, Notes ID, mail file, and a
password. However, users can be registered without mail and Notes ID
files (to gain authenticated access to a Domino Web server without using
the Notes client, for example).
You can register NT users into Notes by using the registration defaults or
by using registration options that you define. If you are using defaults,
the computer on which you are making changes to Windows NT user
accounts must also be a Domino server. This server functions as the
registration server (the server on which the Domino Directory entry is
created) and the mail server (the server that stores the user’s mail file).
To create new Windows NT user accounts and register Notes users simultaneously
1. Before creating Windows NT user accounts and registering Notes
users, you must:
   • Make sure that Notes User registration is enabled in Windows NT
     User Manager.
   • Customize default Notes registration for Windows NT users.
   • Make sure you are a member of the local Administrator Group or
     local Account Operator Group in Windows NT.
2. To create new Windows NT user accounts, from the User Manager
select User and proceed as instructed in your Windows NT user
documentation.
3. After you finish creating the Windows NT user accounts, select one
or more users and then click Notes - Add Selected NT Users/Group
to Notes.
4. Click OK to confirm that you are adding your selections to Notes.
5. Complete these fields, and then click OK:

Field    Enter

First name, middle name and last name
    Accept the default names derived from the user’s full name in
    Windows NT.

Org unit
    The name of the organizational unit the user is included in. For
    example, if user John Smith is part of engineering, the
    organizational unit could be Eng. The user name would be John
    Smith/Eng. Organizational units are useful for differentiating
    between users of the same name. For example, John Smith/Eng/Acme and
    John Smith/Doc/Acme, where one employee is a member of Engineering
    and the other is a member of Documentation. Each is assigned a
    different organizational unit name.

Use common password
    Assigns to the user the same password for Notes, Windows NT, and
    Notes Internet. Activates the Notes password for user name and the
    Confirm password fields. To preserve the existing Windows NT
    password, enter that password as the common password. If Use common
    password is not selected, activates the Notes password for user name
    and the Confirm password fields.

Notes/Common password for user name
    The password you are assigning to this user when using Notes.

Confirm password
    Enter the new Notes password for this user again.

Set Internet password in Notes
    Enters the Internet address in the user’s Person document in the
    Domino Directory. This field applies only if the user is registered
    for Notes mail. Activates the following fields:
    • Internet address
    • Internet password for user name
    • Confirm Internet password

Internet address
    Accept the default Internet address as derived from the Windows NT
    user name and the current host domain, for example,
    KCarter@domain.com. This field displays if POP, IMAP, or Notes mail
    type is selected.

Internet password
    Enter an Internet password for this user.

Confirm Internet password
    Enter the Internet password for this user again.

6. When prompted, do one of the following:
   • Click Begin Registration to register new users immediately. After
     registration has begun, click Stop Registration at any time to stop
     registration after the current user registration is complete. Any
     users not registered remain pending.
   • Click Cancel to register new users later. User information that you
     entered is stored until you exit User Manager.
7. To complete the process, click OK.
Note You can also register pending accounts in Notes at any time by
choosing Notes - Register Notes Users Now.
Domino errors have no effect on User Manager. If a Domino or Notes
error prevents a user from being registered in Notes, the user is still
added to User Manager.
Registering existing Windows NT user accounts in Notes
1. Before registering existing Windows NT user accounts in Notes, you
must:
   • Make sure that Notes User registration is enabled in Windows NT
     User Manager.
   • Customize default Notes registration for Windows NT users.
2. In the User Manager Username window, select the user accounts that
you want to register in Notes.
3. Choose Notes - Add selected NT Users/Groups to Notes.
4. If you are registering multiple users, choose one of the following, and
then click OK:
   • “Prompt for the name and password of each user” to enter
     information manually for each user.
   • “Register users at once without additional prompts” to use
     Windows NT full names as Notes user names and to generate random
     Notes passwords in a database titled New User Passwords
     (NTSYNC45.NSF). If you choose this option, continue to Step 6.
5. If you are registering only one user or if you chose to enter user
information manually, complete these fields:

Field    Enter

First Name, Middle Name, Last Name
    The default name as derived from the Windows NT full name. You can
    accept this name or change it.

Use common password
    Assigns to the user the same password for Notes, Windows NT, and
    Notes Internet. If you are registering this user as an Internet Only
    user, this password field supplies the Internet or common
    NT/Internet password. To preserve the existing Windows NT password,
    enter that password as the common password.

Notes/Common Password for user name
    The password you want to use, or leave blank to use a blank
    password. This field displays if you selected “Use common password.”

Confirm password
    Enter the Notes password for this user again.

Set Internet password in Notes
    Enters the Internet address in the user’s Person document in the
    Domino Directory. This field applies only if the user is registered
    for Notes mail. Activates the following fields:
    • Internet address
    • Internet password for user name
    • Confirm Internet password

Internet address
    Accept the default Internet address as derived from the Windows NT
    user name and the current host domain, for example,
    KCarter@domain.com. This field displays if POP, IMAP, or Notes mail
    type is selected. The Internet address is required for Notes mail
    routing in Domino 5.0.

Internet password
    Enter an Internet password for this user.

Confirm Internet password
    Enter the Internet password for this user again.

6. When User Manager asks if you want to register the new Windows
NT users in Notes, do one of the following:
   • Click Begin Registration to register new users immediately.
   • Click Cancel to register new users later.
7. If you chose “Register users at once without additional prompts” in
Step 4, distribute the passwords to users so they can install their
Notes workstations. After installation, users can create new
passwords.
Note Automatically generated passwords apply only to Notes user IDs
and not to Windows NT or Notes Internet passwords.
To register new users later
If you choose not to register users immediately or if you click Stop
Registration to pause registration, use this method to register the users
later.
1. From User Manager, choose Notes - Register Notes Users Now.
2. Click Begin Registration.
3. Click OK.
Adding Windows NT groups to Notes
When you add an NT group to Notes, you can also create a Group
document in Notes and register individual group members. If the NT
group is a local group and contains global groups as group members,
you can add these global groups to Notes and register individual
members as Notes users. You can modify group membership (based on
the Windows NT group) before adding it to Notes without affecting the
NT group.
To create a new Windows NT group and simultaneously add it to Notes
1. Before you create a Windows NT group and add it to Notes, you
must:
   • Make sure that Notes user registration is enabled in Windows NT
     User Manager.
   • Customize default Notes registration for Windows NT users.
2. Create a new Windows NT group as instructed in the Windows NT
documentation.
3. If prompted, enter the password for your Notes user ID.
4. Select “Create Notes group with the following settings,” complete
these fields, and then click OK:

Field    Enter

Notes Group Name
    Name of the corresponding Windows NT group.

Group Type
    Choose one: Multi-purpose (default), Mail only, Access Control List
    only, or Deny List only.

Description
    A description of the corresponding Windows NT group.

Register the users in the NT group into Notes
    Group members are registered as Notes users. The Person documents,
    user IDs, and mail files are created for the users. Deselect if you
    do not want to register group members as Notes users. Person
    documents, user IDs, and mail files are not created. You can create a
    Notes Group document without registering the group members as Notes
    users by selecting “Create Notes group based on the NT group” and
    deselecting this option.

Members
    Remove from this list those users who are no longer members of the
    group, or add to this list the names of new users. User names removed
    from this list display in the Not members list.

Not members
    Add to this list those users who are not members of the group, or
    remove from this list user names that you want to include in the
    Members list.

Note If there are global groups in the members list and you want to
add those groups to the Domino Directory, select “Synchronize
groups in Members list with Notes also.”
6. If you are registering group members in Notes, User Manager
prompts you for registration options. Choose one of the following:
   • “Prompt for the name and password for each user” to enter user
     information manually for each user.
   • “Register users at once without additional prompts” to use
     Windows NT full names as Notes user names and to generate random
     passwords. If you choose this option, go on to Step 7.
7. If you chose to manually enter user information in Step 6, complete
these fields, and then click OK:

Field    Enter

First name, middle name and last name
    Accept the default names derived from the user’s full name in
    Windows NT.

Org unit
    The name of the organizational unit the user is included in. For
    example, if user John Smith is part of engineering, the
    organizational unit may be Eng. The user name would be John
    Smith/Eng. Organizational units are useful for differentiating
    between users of the same name. For example, John Smith/Eng/Acme and
    John Smith/Doc/Acme, where one employee is a member of Engineering
    and the other is a member of Documentation. Each is assigned a
    different organizational unit name.

Use common password
    Assigns to the user the same password for Notes, Windows NT, and
    Notes Internet. Activates the Notes password for user name and the
    Confirm password fields. To preserve the existing Windows NT
    password, enter that password as the common password. If Use common
    password is not selected, activates the Notes password for user name
    and the Confirm password fields.

Notes/Common password for user name
    The password you are assigning to this user.

Confirm password
    Enter the new Notes password for this user again.

Set Internet password in Notes
    Enters the Internet address in the user’s Person document in the
    Domino Directory. This field applies only if the user is registered
    for Notes mail. Activates the following fields:
    • Internet address
    • Internet password for user name
    • Confirm Internet password

Internet address
    Accept the default Internet address as derived from the Windows NT
    user name and the current Notes domain, for example,
    KCarter@domain.com. This field displays if POP, IMAP, or Notes mail
    type is selected. The Internet address is required for Notes mail
    routing.

Internet password
    Enter an Internet password for this user.

Confirm Internet password
    Enter the Internet password for this user again.

8. If User Manager asks if you want to register the new Windows NT
users in Notes, do one of the following:
   • Click Begin Registration to register new users immediately.
   • Click Cancel to register new users later.
9. If you chose “Register users at once without additional prompts” in
the preceding Step 6, distribute the passwords to users so they can
install their Notes workstations. After installation, users can create
new passwords.
To add existing Windows NT groups to Notes
1. Before adding existing Windows NT groups to Notes, you must:
   • Make sure that Notes User registration is enabled in Windows NT
     User Manager.
   • Customize default Notes registration for Windows NT users.
2. In the User Manager Groups window, select the group account you
want to add to Notes.
3. Choose Notes - Add selected NT Users / Group to Notes.
4. Select “Create Notes group with the following settings” and then
complete these fields and click OK:

Field    Enter

Notes Group Name
    Name of the corresponding Windows NT group.

Group Type
    Choose one: Multi-purpose (default), Mail only, Access Control List
    only, or Deny List only.

Description
    A description of the corresponding Windows NT group.

Register the users in the NT group into Notes
    Group members are registered as Notes users. The Person documents,
    user IDs, and mail files are created for the users. Deselect if you
    do not want to register group members as Notes users. Person
    documents, user IDs, and mail files are not created. You can create a
    Notes Group document without registering the group members as Notes
    users by selecting “Create Notes group based on the NT group” and
    deselecting this option.

Members
    Remove from this list those users who are no longer members of the
    group, or add to this list the names of new users. User names removed
    from this list display in the Not members list.

Not members
    Add to this list those users who are not members of the group, or
    remove from this list user names that you want to include in the
    Members list.

Note If there are global groups in the members list and you want to
add those groups to the Domino Directory, select “Synchronize
groups in Members list with Notes.”
6. If you are registering group members in Notes, User Manager
prompts you for registration options. Select one of the following:
   • “Prompt for the name and password for each user” to enter user
     information manually for each user.
   • “Register users at once without additional prompts” to use
     Windows NT full names as Notes user names and to generate random
     passwords. If you choose this option, continue with Step 7.
7. If you chose to manually enter user information in Step 6, complete
these fields and then click OK:

Field    Enter

First name, middle name and last name
    Accept the default names derived from the user’s full name in
    Windows NT.

Org unit
    The name of the organizational unit the user is included in. For
    example, if user John Smith is part of engineering, the
    organizational unit may be Eng. The user name would be John
    Smith/Eng. Organizational units are useful for differentiating
    between users of the same name. For example, John Smith/Eng/Acme and
    John Smith/Doc/Acme, where one employee is a member of Engineering
    and the other is a member of Documentation. Each is assigned a
    different organizational unit name.

Use common password
    Assigns to the user the same password for Notes, Windows NT, and
    Internet. Activates the “Notes password for user name” and “Confirm
    password” fields. To preserve the existing Windows NT password,
    enter that password as the common password. If “Use common
    password” is not selected, activates the “Notes password for user
    name” and “Confirm password” fields.

Notes password for user name
    The password you are assigning to this user when using Notes.

Confirm password
    Enter the new Notes password for this user again.

Set Internet password in Notes
    Enters the Internet address in the user’s Person document in the
    Domino Directory. This field applies only if the user is registered
    for Notes mail. Activates these fields:
    • Internet address
    • Internet password for user name
    • Confirm Internet password

Internet Address
    Accept the default Internet address as derived from the Windows NT
    user name and the current host domain, for example,
    KCarter@domain.com

Internet password
    Enter an Internet password for this user.

Confirm Internet password
    Enter the Internet password for this user again.

8. If User Manager asks if you want to register the new Windows NT
users in Notes, do one of the following:
   • Click Begin Registration to register new users immediately.
   • Click Cancel to register new users later.
9. If you chose “Register users at once without additional prompts” in
the preceding Step 6, distribute the passwords to users so they can
install their Notes workstations. After installation, users can create
new passwords.
Using Windows NT User Manager to delete a user or group
When you delete a Person document, the Administration Process on the
Domino server removes all references to the user name.
If you delete a user’s mail file, the Administration Process generates an
“Approve File Deletion” request in the Pending Administrator Approval
view of the Administration Requests database. To delete the mail file, you
must open the request and, in edit mode, click Approve File Deletion.
The entries in the Full name and Short name fields of the Person document
must match the Windows NT full name and user name, respectively.
Notes users will not be deleted if the user’s name is not unique.
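The Org unit tables earlier in this chapter explain how hierarchical names such as John Smith/Eng/Acme and John Smith/Doc/Acme keep two users of the same name apart, and the paragraph above adds the rule that a user is only deleted when the Person document’s Full name and Short name match the Windows NT account and the name is unique. The following Python script is an added example, not part of the Domino documentation or of the User Manager extension: it builds hierarchical names from a common name, Org unit and organization, then applies the match-and-uniqueness check to a constructed sample directory before anything would be deleted. The PersonDoc and NtAccount records, the sample names, and the assumption that Short name is compared case-insensitively are all the example’s own.

```python
"""Added example (not part of the Domino documentation): hierarchical
Notes names built from the Org unit field, and the "Full name / Short name
must match and be unique" check from the deletion section, applied to
constructed sample data."""

from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class PersonDoc:
    """Minimal stand-in for a Domino Directory Person document."""
    full_name: str     # hierarchical name, e.g. "John Smith/Eng/Acme"
    short_name: str    # expected to match the Windows NT user name


@dataclass(frozen=True)
class NtAccount:
    """Minimal stand-in for a Windows NT user account."""
    user_name: str     # NT user name, e.g. "jsmith"
    full_name: str     # NT full name, e.g. "John Smith"


def hierarchical_name(common_name: str, org_unit: Optional[str], organization: str) -> str:
    """Build the Notes name the way the Org unit table describes it:
    "John Smith" in org unit "Eng" under certifier "Acme" -> "John Smith/Eng/Acme".
    An empty Org unit yields "John Smith/Acme"."""
    parts = [common_name]
    if org_unit:
        parts.append(org_unit)
    parts.append(organization)
    return "/".join(parts)


def common_name(full_name: str) -> str:
    """First component of a hierarchical name ("John Smith/Eng/Acme" -> "John Smith")."""
    return full_name.split("/", 1)[0]


def matching_persons(directory: List[PersonDoc], account: NtAccount) -> List[PersonDoc]:
    """Person documents whose Full name (common-name part) and Short name match
    the NT account's full name and user name, as the deletion section requires.
    Case-insensitive Short name comparison is an assumption of this example."""
    return [p for p in directory
            if common_name(p.full_name) == account.full_name
            and p.short_name.lower() == account.user_name.lower()]


def person_to_delete(directory: List[PersonDoc], account: NtAccount) -> Optional[PersonDoc]:
    """Return the single Person document to delete for this NT account, or None
    when the name is not unique (or not found), mirroring the rule that Notes
    users are not deleted if the user's name is not unique."""
    matches = matching_persons(directory, account)
    return matches[0] if len(matches) == 1 else None


# Constructed sample directory: two John Smiths, told apart only by org unit.
SAMPLE_DIRECTORY = [
    PersonDoc(hierarchical_name("John Smith", "Eng", "Acme"), "jsmith"),
    PersonDoc(hierarchical_name("John Smith", "Doc", "Acme"), "jsmith"),
    PersonDoc(hierarchical_name("Kate Carter", None, "Acme"), "kcarter"),
]

if __name__ == "__main__":
    for acct in (NtAccount("kcarter", "Kate Carter"), NtAccount("jsmith", "John Smith")):
        target = person_to_delete(SAMPLE_DIRECTORY, acct)
        print(acct.user_name, "->", target.full_name if target else "not unique, skipped")
```

The ambiguous case is the one to watch operationally: when two Person documents match the same NT account, the script returns None and nothing is deleted, which is the safe outcome and the one the documentation describes.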
To delete a user or group account
You can delete a user or group account from User Manager and
automatically delete the corresponding Person or Group document in the
Domino Directory. You can also automatically delete the user’s mail file.
1. Before you delete a user account, you must:
   • Make sure that Notes user / group deletion is enabled.
   • Customize default Notes registration for Windows NT users.
2. From the User Manager, choose Notes - Delete / User Synch
Options.
3. Complete these fields, and then click OK.

Field    Enter

Select a Notes server for deleting users/groups
    The name of the server containing the Domino Directory from which
    the user or group is being deleted. If you are deleting a group,
    continue with Step 4 without specifying User deletion options.

User deletion options
    Choose one:
    • Don’t delete the mail file
    • Delete just the mail file specified in the Person record
    • Delete mail file specified in Person record and all replicas

Select a Notes server for synching users
    The name of a local or remote Notes server on which synchronization
    operations are performed.

4. Delete the user or group account as instructed by the Windows NT
documentation.
5. If prompted to delete the user or group from the Domino Directory,
click OK.
Using the Windows NT Performance Monitor to view Domino
You can install the Domino server as a counter within the Windows NT
Performance Monitor. The Performance Monitor lists all numerical
Domino server statistics, including those generated by add-in programs.
You can choose specific statistics to appear in a report or a chart for
analysis. You can also use the Performance Monitor to view the statistics
of a remote server.
For complete information on using the Performance Monitor, see the
Windows NT documentation.
To install Domino as a Performance Monitor counter
1. If you installed the Domino server without selecting the option to
install Performance Monitor, complete the following steps:
a. Run the Domino setup program again and click the Customize
button.
b. Make sure that the install paths are the same as for the original
server installation.
c. Deselect all installation options except for “Notes Performance
Monitor.” This allows you to install only Performance Monitor.
d. After the Install program completes, restart the server.
2. Enter this command at the NT command prompt in the program
directory:
notesreg.bat directory
where directory is the full path to the program directory.
Note If the server or an add-in program running on the server
terminates, stop the Performance Monitor before restarting the server or
add-in program.
To view Domino using the Performance Monitor
1. Click the Performance Monitor icon, or enter this command at the
NT command prompt:
start perfmon
2. Choose Edit - Add To Chart or Edit - Add to Report.
3. In the Object box, select Lotus Notes.
4. In the Instances box, select a Domino statistic you want to include in
a chart or report, then click Add. Repeat for each statistic you want to
add.
Note Domino statistics do not appear as instances in the Performance
Monitor until Domino or an add-in program assigns or updates a
statistic. To force this to happen, initialize statistics on the server — for
example, by typing Show Stat at the server console.
To view Domino error messages in the NT Performance Monitor
To see any error messages related to generating Domino statistics within
the Performance Monitor, look for notestat messages in the Application
Log of the Event Viewer.
To uninstall the Domino statistic counter from the Performance Monitor
To remove the Domino statistic counter from the Performance Monitor,
enter this command at the NT command prompt:
unlodctr notestat
Setting up Domino Active Directory synchronization
When the Domino server is installed on a Windows 2000 server, as an
administrator, you typically need to maintain two separate directories for
the same set of people and groups. Maintaining user and group
information involves adding entries to both directories, deleting entries,
ensuring that passwords are the same when users use Notes Single
Logon, coordinating group membership in both directories, and ensuring
that user or group settings, such as e-mail addresses and telephone
numbers, are identical.
Lotus Domino 6 includes a set of tools to make synchronization between
Domino and Active Directory® simple and easy. The Active Directory
Domino Upgrade Service (AD DUS) is a tool that you can use with
Active Directory synchronization (ADSync) when you have data in your
Active Directory and you have just installed Domino. AD DUS can
optionally be used to migrate all or a set of your Active Directory users.
After you’ve done that, you can start using ADSync to maintain those
users in Active Directory and in Domino.
For more information on migrating Active Directory users, see the book
Upgrade Guide.
User options are available to register Notes users in Active Directory. In
the Domino Administrator’s user registration interface, there is a
“Windows User Options” button on the Other panel of the Register
Person - New Entry dialog box. You can select options to register a user
in Active Directory at the same time that the user is registered in
Domino. This is essentially the opposite of what ADSync does.
Regardless of the tool with which you register a new user in both
directories, you can use ADSync to synchronize and delete users from
both directories. You can also use ADSync to rename users in both
directories.
For more information on the user options available when registering
Notes users, see the chapter “Setting Up and Managing Notes Users.”
You can synchronize Person and Group documents in the Domino
Directory, and user and group accounts in Active Directory. When you
register or delete a Notes user or delete a Notes group, you can
automatically update the Active Directory. Use the Notes
synchronization options to enable the synchronization of all operations.
Conversely, special menu options and dialog boxes added to the Users
and Computers snap-in of the Microsoft Management Console (MMC)
enable you to specify that additions, deletions, and name changes made
to Active Directory user or group accounts be reflected in the Domino
Directory. You can also add existing Active Directory user or group
accounts to the Domino Directory, and synchronize Active Directory and
Domino Directory entries.
These directory synchronization features let you keep both the Domino
Directory and Active Directory current without having to update both
when either changes. Also, you can manage user and group information
in the Domino Directory and the Active Directory through a single
interface of your choice, either Domino or Windows 2000.
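As an added example, not part of the Domino documentation or of the ADSync tool, the following Python script reports the drift that the paragraphs above say synchronization must remove: entries present in only one directory, attribute values (e-mail address, telephone number) that differ, and group membership that differs. It assumes the two directories are correlated by the account name shared by both (the Short name in the Domino Directory, the user name in Active Directory) and uses constructed in-memory records in place of reads from the Domino Directory and from Active Directory; the attribute names mail and telephone are the example’s own.

```python
"""Added example (not part of the Domino documentation or of ADSync): a
drift report between a Domino Directory and an Active Directory covering
the items the text says must be kept identical: which entries exist on
each side, e-mail address and telephone number, and group membership.
Both directories are constructed in-memory samples."""

from typing import Dict

# Attributes compared; the page names e-mail addresses and telephone numbers.
# The attribute names themselves are this example's own.
COMPARED_ATTRIBUTES = ("mail", "telephone")


def directory_drift(domino: Dict[str, dict], ad: Dict[str, dict]) -> dict:
    """Compare two directories keyed by the account name shared by both
    (Short name in Domino, user name in Windows). Returns the differences."""
    domino_keys, ad_keys = set(domino), set(ad)
    report = {
        "missing_in_ad": sorted(domino_keys - ad_keys),
        "missing_in_domino": sorted(ad_keys - domino_keys),
        "attribute_mismatches": [],   # (key, attribute, domino value, ad value)
        "group_mismatches": [],       # (key, only in Domino, only in AD)
    }
    for key in sorted(domino_keys & ad_keys):
        d, a = domino[key], ad[key]
        for attr in COMPARED_ATTRIBUTES:
            if d.get(attr) != a.get(attr):
                report["attribute_mismatches"].append((key, attr, d.get(attr), a.get(attr)))
        d_groups, a_groups = set(d.get("groups", ())), set(a.get("groups", ()))
        if d_groups != a_groups:
            report["group_mismatches"].append(
                (key, sorted(d_groups - a_groups), sorted(a_groups - d_groups)))
    return report


def in_sync(report: dict) -> bool:
    """True when every section of the drift report is empty."""
    return not any(report.values())


# Constructed sample data (not real accounts).
SAMPLE_DOMINO = {
    "jsmith": {"mail": "JSmith@acme.com", "telephone": "555-0100",
               "groups": {"Eng", "AllStaff"}},
    "kcarter": {"mail": "KCarter@acme.com", "telephone": "555-0101",
                "groups": {"Doc", "AllStaff"}},
    "oldacct": {"mail": "Old@acme.com", "telephone": "", "groups": set()},
}
SAMPLE_AD = {
    "jsmith": {"mail": "JSmith@acme.com", "telephone": "555-0100",
               "groups": {"Eng", "AllStaff"}},
    "kcarter": {"mail": "kate.carter@acme.com", "telephone": "555-0101",
                "groups": {"Doc", "AllStaff", "Domain Admins"}},
    "newhire": {"mail": "NewHire@acme.com", "telephone": "555-0102",
                "groups": {"AllStaff"}},
}

if __name__ == "__main__":
    for section, items in directory_drift(SAMPLE_DOMINO, SAMPLE_AD).items():
        print(section, items)
```

A group that exists only on the Windows side (Domain Admins in the sample) is exactly the kind of difference to review before it is mirrored into the other directory rather than synchronized blindly; the same report run after a synchronization pass should come back empty.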
You must have a properly certified Notes ID and appropriate access to
make any changes to a Domino Directory from Notes or Windows 2000,
and have the appropriate rights if you are going to use the Domino 6
server-defined certification authority (CA) to certify users on Domino.
Use a Lotus Notes 6 or more recent client, and Lotus Domino 6 or more
recent server as your registration server. You must create policies that
contain registration settings documents, either implicit or explicit, for all
Domino certifiers with which you are going to certify new users. Also,
you must have appropriate rights in the Active Directory allowing you to
add user accounts and synchronize passwords.
To set up Domino Active Directory synchronization
Install the Active Directory domain controller, the Domino server, and
the Domino Administrator on separate machines to improve
performance and enhance security. However, if necessary you may
install any two or all three of these on the same machine.
1. From a Windows 2000 Professional workstation, log into the
Windows domain using a user account with administrative rights.
2. From the Windows 2000 Server CD, install the Windows 2000
Administration Tools Package. From the CD, run
\i386\adminpak.msi.
Note This file is not on the Windows 2000 Professional workstation
CD. You must install the file from the Windows 2000 Server CD.
Microsoft licensing permits you to install this administrative package
on Windows 2000 Professional workstations.
3. From the Start menu, click Programs - Administrative Tools - Active
Directory Users and Computers, and verify that the workstation has
connected to the domain controller.
4. Install, but do not run, the Domino Administrator.
5. Open a command prompt. From your Notes install directory, type:
regsvr32 nadsync.dll
A message box appears indicating that registration is complete. This
can take up to one minute.
6. Run the Domino Administrator and complete the configuration
process.
7. From the Domino Administrator, create an organizational policy or
an explicit policy and a Registration policy settings document. You
must have at least one policy to use with ADSync.
For more information on policies, see the chapter “Using Policies.”
8. From the Start menu, click Programs - Administrative Tools - Active
Directory Users and Computers. Click the Lotus Domino Options
folder.
9. Right-click Domino Directory synchronization and then choose
Options.
10. Enter your Notes password.
11. Click the Notes Settings tab.
12. Click the Notes Server for Registration button and specify a
registration server. This is typically the administration server of the
Domino Directory.
13. Click OK.
14. Close and restart Active Directory Users and Computers to allow
these changes to take effect.
Enabling the Notes synchronization options
Use the Notes Synchronization Options tab on the Lotus ADSync
Options dialog box to enable or disable Notes/Windows synchronization
features in the Microsoft Management Console (MMC).
1. From the MMC, choose Domino Directory Synchronization.
2. Click Notes Synchronization Options.
Using Domino with Windows Synchronization Tools 17-27
Administration
3. Complete these fields:

Enable all synchronization operations: Click to enable all Notes synchronization operations. All Windows 2000 and Domino Notes operations will be synchronized.
Select synchronization operations to enable: Click to activate all the fields on this dialog box. When this check box is not selected, all of the other options on this dialog box are not enabled.
User/group registration: Click this check box to register new or existing Windows users and groups in Notes. When you click this check box, the “Synchronize if new user/group already exists in Notes” field becomes active.
Synchronize if new user/group already exists in Notes: Click this check box to prevent registration from creating a duplicate when the user or group already exists in Notes; the existing entry is synchronized instead. This field is active only if you select the “User/group registration” check box.
User/group deletion: Click this check box to synchronize user and group deletions. Users and groups that are selected for deletion are then deleted from the Windows 2000 Active Directory as well as from the Domino Directory.
User/group synchronization: Click this check box to copy the values from Active Directory object fields to Domino Directory fields, according to the field mapping specified in the Field Mapping tab. Member lists in groups are synchronized when you enable this option. Synchronization occurs when you select a Synchronize menu item, when you click a toolbar button, or after an Active Directory object is modified. When you click this check box, these fields are activated:
• Recertify users on rename
• Set common password on user synchronization
Recertify users on rename: Click to use the Domino Administration Process to rename a Notes user if the corresponding Windows 2000 user is renamed. This field is active only if the “User/group synchronization” check box is selected.
Set common password on user synchronization: Click to set a new password when you synchronize users. The password will be used as the Windows and Notes Internet password. The Notes User ID password does not change. This field is active only if the “User/group synchronization” check box is selected.
Prompt to confirm/cancel synchronization operations: Click to use one of the options for confirming or canceling synchronization operations. Choose one:
• Prompt for all operations - prompts prior to initiating all synchronization operations.
• Prompt only for user/group deletions - prompts only when deleting users or groups.
• Do not prompt for any operations - no prompts are issued prior to performing any synchronization operations.
Use CA process for user ID certification: Click this check box to use the new Domino 6 server-based certification authority (CA) when registering new users.

4. Click Apply and OK.


For more information on the Domino CA, see the chapter “Setting Up a
Domino Server-Based Certification Authority.”
Specifying Notes settings
Use the Notes Settings tab on the Lotus ADSync Options dialog box to
enable or disable Notes and Windows registration features in the
Microsoft Management Console (MMC).
1. From the MMC, choose Domino Directory Synchronization.
2. Click Notes Settings.

Use Registration server for all operations: Click this check box to use the server that you designated as the Registration server for all synchronization operations and for deletions. When you deselect this option, these fields are enabled:
• Notes server for synchronization
• Notes server for deletion
Notes server for registration: Click this check box to open the Choose Server dialog box from which you can select a Registration server. The registration server must be a Domino 6 server.
Notes server for synchronization: Click this check box to open the Choose Server dialog box from which you can select a Synchronization server. All synchronization operations are done on this server. This check box is enabled only if the “Use Registration server for all operations” check box is not selected.
Notes server for deletion: Click this check box to open the Choose Server dialog box from which you can select a deletion server. All deletions are performed on this server. This check box is enabled only if the “Use Registration server for all operations” check box is not selected.
Administration ID: Click this check box to open the Choose Notes Administrator ID dialog box in which you can specify another Notes User ID as the administrator ID. The initial user ID file name is taken from current Notes client settings.
On user deletion: Click this check box to specify options for mail file deletion when the user is deleted. Choose one:
• Don’t delete mail file - deletes the Person document but leaves the user’s mail files intact.
• Delete just the mail file specified in the Person record - deletes only the mail file specified in the Person document. No replicas of the mail file are deleted.
• Delete mail file specified in the Person document and all replicas - deletes all mail database replicas on other servers in addition to the mail file specified in the user’s Person document.
Default certifier name: Click to specify a certifier that will be used during user registration. ADSync uses this certifier if mapping was not set for a particular Active Directory container on the Container Mappings tab.
Default explicit policy: Click to specify the explicit policy (and its related settings) to be applied to users during user registration.
Register security groups in Notes as: Click to assign a group type when registering security groups in Notes. Choose one:
• Multi-purpose - use for a group that has multiple purposes, for example, mail and ACLs.
• Mail only - use for mailing list groups.
• Access Control List only - use for server and database access authentication only.
• Deny List only - use to control access to servers. Deny List only is typically used to prevent terminated employees from accessing servers, but this type of group can be used to prevent any user from accessing particular servers. The Administration Process cannot delete any member from this group.
Register distribution groups in Notes as: Click to assign a group type when registering distribution groups in Notes. Choose one of the same four group types as for “Register security groups in Notes as”: Multi-purpose, Mail only, Access Control List only, or Deny List only.

Mapping Active Directory fields with Domino Directory fields


Use the Field Mappings tab on the Lotus ADSync Options dialog box to
map specific Active Directory fields and Person and Group document
fields. Person and Group documents are stored in the Domino Directory.
Mapping is different for the two object classes, “User” and “Group.”
You can modify any of the initial mappings, create mappings, or create
Notes field names. When an Active Directory object is created or is
synchronized with Notes, all field values in the mapped Active Directory
object are copied to corresponding fields in the Person or Group
document in the Domino Directory. If necessary, fields are created in the
Person or Group document and existing field values are overwritten.
This is one-way synchronization. No changes are made to the Active
Directory object.
Field Mappings in ADSync, unlike other settings, are different for each
Active Directory domain.
To map fields
1. From the MMC, choose Domino Directory Synchronization.
2. Click Field Mappings.
3. Choose either User or Group in the “Field mappings for Object class”
field.
4. Scroll through the In Active Directory list until you locate the Active
Directory field that you are mapping to a Domino Directory field.
5. Right-click the corresponding In Domino Directory field (it may
appear blank). An editable field appears. Enter the field name or
select one from the list.
6. Continue this process until you have mapped as many fields as
needed.
7. Click Apply and OK.
To allow the new fields to display in the dialog box, close and then
restart the Microsoft Management Console. The new fields appear.
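The one-way copy described above, as an added example that is not ADSync’s own code: a Python function applies a per-domain, per-object-class field mapping to a constructed Active Directory object and Domino Person document, creating items that are missing, overwriting values that differ, leaving unmapped items alone and refusing any mapping that targets a protected system item. The attribute names, item names and the PROTECTED_ITEMS set are assumptions made for the illustration, not the tab’s real defaults.

```python
from copy import deepcopy

# Field mappings are kept per Active Directory domain and, within a domain,
# per object class ("User" or "Group"). The attribute and item names below
# are assumed for the illustration, not the Field Mappings tab's defaults.
FIELD_MAPPINGS = {
    "acme.example": {
        "User": {
            "givenName": "FirstName",
            "sn": "LastName",
            "mail": "InternetAddress",
            "telephoneNumber": "OfficePhoneNumber",
        },
        "Group": {
            "description": "ListDescription",
            "member": "Members",
        },
    }
}

# Stand-ins for the system items the Field Mappings tab excludes; a mapping
# that targets one of these is rejected rather than applied.
PROTECTED_ITEMS = {"FullName", "ShortName", "HTTPPassword", "Form", "Type"}


def sync_fields(domain, object_class, ad_object, domino_doc, mappings=FIELD_MAPPINGS):
    """Copy mapped AD attribute values into a copy of the Domino document.

    Returns (new_doc, changes); changes lists (item, old_value, new_value).
    Mapped items missing from the document are created, differing values are
    overwritten, unmapped items are left alone, and the AD object itself is
    never modified: the copy is one-way.
    """
    class_map = mappings.get(domain, {}).get(object_class)
    if class_map is None:
        raise ValueError(f"no field mappings for {object_class} objects in {domain}")
    protected = set(class_map.values()) & PROTECTED_ITEMS
    if protected:
        raise ValueError(f"mapping targets protected item(s): {sorted(protected)}")

    new_doc = deepcopy(domino_doc)
    changes = []
    for ad_attr, domino_item in class_map.items():
        if ad_attr not in ad_object:
            continue  # attribute absent in AD: keep whatever Domino has
        old = new_doc.get(domino_item)
        new = deepcopy(ad_object[ad_attr])
        if old != new:
            new_doc[domino_item] = new
            changes.append((domino_item, old, new))
    return new_doc, changes


# Constructed sample input: an AD user and the Person document it maps to.
AD_USER = {
    "objectClass": "user",
    "givenName": "Kim",
    "sn": "Carter",
    "mail": "KCarter@acme.example",
    "telephoneNumber": "555-0100",
}
PERSON_DOC = {
    "Form": "Person",
    "FullName": ["Kim Carter/Eng/Acme", "KCarter"],
    "FirstName": "Kimberly",           # stale value: will be overwritten
    "LastName": "Carter",
    "InternetAddress": "KCarter@acme.example",
    "MailFile": "mail/kcarter.nsf",    # not mapped: must survive untouched
}


def demo():
    """Synchronize the sample user; returns the updated document and changes."""
    return sync_fields("acme.example", "User", AD_USER, PERSON_DOC)


if __name__ == "__main__":
    doc, changes = demo()
    for item, old, new in changes:
        print(f"{item}: {old!r} -> {new!r}")
```

Because the Field Mappings tab excludes system fields, the function treats a mapping onto such an item as a configuration error and applies nothing, which is the safer failure mode for a directory that other servers authenticate against.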
Mapping Active Directory containers to Notes certifiers and policies
Use the Container Mappings tab on the Lotus ADSync Options dialog
box to define the mapping between Active Directory containers and
Notes certifiers and Notes policies. Container mappings are used to
register new users and translate group member names into the correct
Notes format during synchronization. The group members must belong
to an organizational unit that is mapped to a specific Notes certifier.
When initializing, ADSync reads all Active Directory containers, Domino
certifiers, and explicit policies from the Domino Directory on the
registration server. Because Active Directory allows you to create a
hierarchy of organizational units and containers, it makes sense to preserve
that hierarchy in Domino by using different certifiers and policies to
register people from different Active Directory containers. Plan and then
specify mappings between two hierarchies before starting to use ADSync,
especially if any of those hierarchies are extensive. If you do not specify
mappings, the default certifier name and organizational policy are used.
You can map multiple containers to one policy and/or to one certifier.
When you create or delete Active Directory containers or Notes certifiers
and policies, they can be mapped using the Container Mappings table by
closing and reopening the Microsoft Management Console.
Container Mappings in ADSync differ for each Active Directory domain.
To map containers
1. From the MMC, choose Domino Directory Synchronization.
2. Click Container Mappings.
3. Scroll through the AD Container list until you locate the Active
Directory containers to which you are mapping a particular Notes
certifier and/or a Notes Policy. If you are mapping more than one
container to one policy or certifier, select multiple containers before
choosing a policy or certifier.
4. Right-click the corresponding Notes Certifier field (it may appear
blank). An editable field appears. Enter the certifier name or select
one from the list.
5. Right-click the corresponding Notes Policy field (it may appear
blank). An editable field appears. Enter the policy name or select one
from the list.
6. Continue this process until you have mapped as many containers,
certifiers, and policies as needed.
7. Click Apply and OK.
To allow the new policies and certifiers to display in the dialog box, close
and then restart the Microsoft Management Console. The new policies
and certifiers appear.
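The two jobs container mappings do, choosing the certifier and policy for registration and translating group member names into Notes format, as an added example that is not ADSync’s own code. A constructed per-domain mapping table is resolved with fallback to the Notes Settings defaults, and a member’s distinguished name is turned into the hierarchical Notes name under the mapped certifier; members whose organizational unit is not mapped are reported rather than given a guessed name. All container, certifier and policy names are assumptions for the illustration.

```python
# Defaults from the Notes Settings tab, used when a container has no mapping.
# Names are constructed for the illustration.
DEFAULT_CERTIFIER = "/Acme"
DEFAULT_POLICY = "/AcmeDefault"   # assumed "Default explicit policy" name

# Container mappings are kept per AD domain: container DN -> (certifier,
# explicit policy or None). Several containers may share one certifier or
# one policy.
CONTAINER_MAPPINGS = {
    "acme.example": {
        "OU=Eng,DC=acme,DC=example": ("/Eng/Acme", "/EngUsers"),
        "OU=Doc,DC=acme,DC=example": ("/Doc/Acme", "/EngUsers"),
        "OU=Contractors,DC=acme,DC=example": ("/Ext/Acme", None),
    }
}


def split_dn(dn):
    """Split a distinguished name into RDN strings on unescaped commas,
    keeping backslash escapes inside each RDN intact."""
    parts, current, i = [], "", 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            current += dn[i:i + 2]
            i += 2
            continue
        if dn[i] == ",":
            parts.append(current.strip())
            current = ""
        else:
            current += dn[i]
        i += 1
    parts.append(current.strip())
    return parts


def rdn_value(rdn):
    """Return (ATTRIBUTE, value) for one RDN, unescaping an escaped comma."""
    attr, _, value = rdn.partition("=")
    return attr.strip().upper(), value.strip().replace("\\,", ",")


def resolve_container(domain, container, mappings=CONTAINER_MAPPINGS):
    """Return (certifier, explicit policy, mapped) for an AD container.
    An unmapped container falls back to the Notes Settings defaults; a
    mapped container without a policy uses the default explicit policy."""
    entry = mappings.get(domain, {}).get(container)
    if entry is None:
        return DEFAULT_CERTIFIER, DEFAULT_POLICY, False
    certifier, policy = entry
    return certifier, policy or DEFAULT_POLICY, True


def notes_name(domain, dn, mappings=CONTAINER_MAPPINGS):
    """Translate a user's DN into its hierarchical Notes name, for example
    CN=John Smith,OU=Eng,DC=acme,DC=example -> John Smith/Eng/Acme.
    Returns None when the container is not mapped to a certifier, so the
    member is reported instead of receiving a guessed name."""
    rdns = split_dn(dn)
    attr, common_name = rdn_value(rdns[0])
    if attr != "CN" or not common_name:
        return None
    certifier, _, mapped = resolve_container(domain, ",".join(rdns[1:]), mappings)
    return common_name + certifier if mapped else None


def translate_members(domain, member_dns, mappings=CONTAINER_MAPPINGS):
    """Translate a group's member DNs; returns (notes_names, unmapped_dns)."""
    names, unmapped = [], []
    for dn in member_dns:
        name = notes_name(domain, dn, mappings)
        if name is None:
            unmapped.append(dn)
        else:
            names.append(name)
    return names, unmapped


if __name__ == "__main__":
    members = [
        "CN=John Smith,OU=Eng,DC=acme,DC=example",
        "CN=Smith\\, Jane,OU=Doc,DC=acme,DC=example",
        "CN=Pat Lee,OU=Sales,DC=acme,DC=example",   # Sales is not mapped
    ]
    print(translate_members("acme.example", members))
```

Registration and member translation deliberately differ in how they treat an unmapped container: a new user can still be registered under the default certifier, but a member name built from the wrong certifier would silently grant or deny access to the wrong person, so the unmapped list is what an administrator should review before the group is synchronized.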
Registering new users in Active Directory and in Domino Directory
simultaneously
Before starting any operation in ADSync, review all of the ADSync
settings, especially Notes Settings and Container Mappings.
You can register new users in Notes at the same time that you register
them in the Active Directory, or you can register existing Active Directory
users in Notes. If any of the users or groups being registered already exist
in Notes, and the “Synchronize if new user/group already exists in Notes”
option on the Notes Synchronization Options tab is checked, a duplicate
user or group is not created. Instead, synchronization is performed.
Registration uses certifier IDs or the Domino 6 server-based certification
authority (CA). Only certifiers listed in the registration server’s Domino
Directory are used. If you are using certifier IDs, you are prompted for
the path and password, once per certifier per MMC session.
If you create users and groups without additional prompts, all defaults
are used, and the entire registration queue is processed. When users are
created, random passwords are generated and placed in the database,
NTSYNC45.NSF, located in the root directory of the local Notes data
directory.
For information on the fields that display while registering users, consult
your Microsoft documentation.
To register new Windows 2000 users in Domino
1. From the MMC, right-click Users - New - User.
2. Complete the fields on the windows that display.
3. Complete these fields on the Notes registration window:

Register in Domino Directory: Click this check box to register this user in the Windows Active Directory and in the Domino Directory. Other fields on this dialog box are enabled when you click this check box.
First name, Middle name, Last name: Enter the user’s first name and last name, and optionally, enter a middle name. Note The user’s Short name and Internet address are automatically generated. To change the Short name or Internet address, click the appropriate space and enter the new text.
Org unit: (Optional) Enter an organizational unit if your enterprise uses them. For example, if user John Smith is part of engineering, the organizational unit may be Eng. The user name would be John Smith/Eng. Organizational units are useful for differentiating between users of the same name. For example, John Smith/Eng/Acme and John Smith/Doc/Acme, where one employee is a member of Engineering and the other is a member of Documentation. Each is assigned a different organizational unit name.
Certifier context: Choose the certifier to use to certify this user.
Organizational Policy: Non-modifiable. Displays the name of the organizational policy that is assigned if there is one. If there are no organizational policies, this field displays None.
Explicit Policy: Choose an explicit policy from the list.
Use common password: Click this check box if you want to use one password for Windows, Notes, and Notes Internet. The existing Windows password is then replaced by the password you enter here. To preserve the existing Windows 2000 password, enter that password as the common password. If the Use common password check box is selected, the Notes password for the user name field and the Confirm password field are enabled.
Password: Enter the new password.
Confirm password: Enter the same password again to confirm it.
Internet address: The default Internet address as derived from the Windows 2000 user name and the current Notes domain, for example, KCarter@domain.com.
Short name in Notes: The short name by which the user will be known in Notes. By default, the short name consists of the user’s first initial and last name.

4. Click Next.
5. Review the settings you specified for the user you are registering and
click Finish.
Reviewing ADSync operations in the Application Log
You can examine the Windows 2000 event viewer for more information
about any errors that may occur. Look for “NUMEEvent” messages in
the Application Log. All ADSync operations are recorded in the
Application Log.
Registering existing Active Directory users and groups in Notes
There are two procedures available for registering existing Active
Directory users and groups in Notes.
When you are registering users and groups, all groups are registered first.
Registering existing users or groups quickly without prompts
Use this method to register many existing users or groups at one time.
Users and groups are registered using the existing information in the
registration queue so that you are not prompted to enter user-specific or
group-specific information on multiple dialog boxes for every user or
group that you are registering. This is the recommended method for
registering multiple users and groups at one time, but this method can be
used to quickly register an individual user or group.
1. From the MMC, click Users.
2. On the Results pane, right-click the users and/or groups you are
registering and then click Register in Domino. You can choose
multiple users and/or groups and then click Register in Domino
once for all of your selections.
3. Choose “Register users and groups at once without additional
prompts; use defaults.” This button registers users and groups
without prompts.
4. Choose one of these options:

If error happens during registration of some users and/or groups, try to register them later: Click this check box to register later any users or groups whose registrations fail on the first try. If not selected, users and groups are not registered if the first attempt fails.
If registration is canceled for some users and/or groups, try to register them later: Click this check box to attempt to register any users or groups whose registrations are canceled on the first try. If not selected, users and groups will not be registered if the first attempt is canceled. This option is active only if the “Prompt for the name and password of each user, and for the name and members of each group” button is selected.

5. Click Register Now.


Note You have the option of choosing one of the following if you decide not to register now:
• Click Register later to store the users or groups in the registration queue. You can then register them later.
• Click Do not register to cancel user registration.
After successful registration in Notes, users and groups are synchronized
with the Active Directory. A progress bar displays during the
registration process.
Registering existing users or groups individually with prompts
Use this method to register users and groups individually. You are
prompted to enter multiple fields of information on multiple dialog
boxes for each user and for each group that you register. This method is
recommended when registering very small numbers of users or groups,
or when you need to modify information for users and groups during the
registration process. This option provides administrators with control
over Notes registration information for each user or group. When used to
register numerous users or groups, this method is time-consuming.
During group registration, for each group you can specify the members
that are to be registered in Notes by clicking the Members button on the
dialog box on which it appears. You are also able to specify a new group
name, description, and group type if you want to modify any of those.
For more information on Active Directory, see the Microsoft Active
Directory documentation or use the Microsoft Active Directory online
help for fields.
1. From the MMC, click Users.
2. On the Results pane, right-click the user or group you are registering
and then click Register in Domino.
3. Choose “Prompt for the name and password of each user, and for the
name and members of each group.” When this option is chosen, the
“If registration is canceled for some users and/or groups, try to
register them later” check box is also active.
4. Choose one of these options:

If error happens during registration of some users and/or groups, try to register them later: Click this check box to attempt to register, at a later time, any users or groups whose registrations fail on the first try. If not selected, users and groups are not registered if the first attempt fails.
If registration is canceled for some users and/or groups, try to register them later: Click this check box to attempt to register, at a later time, any users or groups whose registrations are canceled on the first try. If not selected, users and groups will not be registered if the first attempt is canceled. This option is active only if the “Prompt for the name and password of each user, and for the name and members of each group” button is selected.

5. Click Register Now.


Note You have the option of choosing one of these if you decide not to register now:
• Click Register later to store the users or groups in the registration queue. You can then register them later.
• Click Do not register to cancel user registration.
6. Complete the fields on all dialog boxes that display for each user or
group.
7. Click Finish when you are done.
For more information on the Notes Registration dialog box that
displays for users, see the topic “Registering new users in Active
Directory and in Domino Directory simultaneously” in this chapter.
For more information on the Notes Registration dialog box that
displays for groups, see the topic “Registering new groups
simultaneously in Active Directory and in Domino Directory” later
in this chapter.
Synchronizing users and groups
Active Directory user and group accounts can be synchronized with the
corresponding Person and Group documents in the Domino Directory.
Synchronizing users facilitates other user synchronization operations,
such as user registration and deletion, which can be initiated through the
Microsoft Management Console (MMC) or Domino. Synchronization also
enables users to have a common password for Windows and for Domino
Web Server access, copies all mapped field values from user or group
objects in Active Directory to corresponding documents stored in the
Domino Directory, and it copies member lists of the groups. The
synchronization server specified in Notes Settings is used for all
synchronization operations.
For more information on Notes Settings, see the topic “Specifying Notes
Settings” in this chapter.
Synchronization is initiated at these times:
• After the user or group is registered in Domino from the MMC using ADSync.
• When one or more users or groups are selected on the results pane of the MMC and the Synchronize with Domino option is selected from the context menu or the toolbar.
• When you change any of the properties of the user or group object and confirm your changes by clicking the OK or Apply buttons.
During synchronization, ADSync attempts to match the Active Directory
object with an entry in the Domino Directory. If more than one match is
found, ADSync prompts you to specify the match from those that have
been located.
The field mappings that are set in the Field Mappings table designate
which fields are synchronized during synchronization. System fields that
cannot be safely synchronized in two directories are excluded from the
Field Mappings table.
For more information on Field Mappings, see the topic “Mapping Active
Directory fields with Domino Directory fields” in this chapter.
If the “Set common password” check box is checked on the
Synchronization Options tab on the Lotus ADSync Options dialog box,
you are prompted to enter a new password during synchronization. This
changes the Windows password as well as the Notes Internet password
for that user.
For more information on synchronization options, see the topic “Enabling
the Notes synchronization options” earlier in this chapter.
Note Consult your Windows 2000 documentation for information about
running and working with the MMC and the Users and Computers
snap-in.
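The matching step described above, and the scope of the “Set common password” option, as an added example that is not ADSync’s own code. A constructed Domino Directory holds two Person documents that share a short name; the matcher tries the Internet address first, falls back to the short name, and hands an ambiguous result to an operator callback (standing in for the MMC prompt) instead of picking silently. The password helper changes only the Windows account password and the Person document’s Internet password item (HTTPPassword), leaving the Notes ID password alone; the salted SHA-256 digest and the plain `password` key on the account dictionary are stand-ins, not Domino’s or Active Directory’s real storage.

```python
import hashlib
import secrets

# Constructed Domino Directory: two Person documents that share a short
# name but have different Internet addresses.
DIRECTORY = [
    {"FullName": ["Kim Carter/Eng/Acme"], "ShortName": ["KCarter"],
     "InternetAddress": "KCarter@acme.example", "HTTPPassword": None},
    {"FullName": ["Karl Carter/Doc/Acme"], "ShortName": ["KCarter"],
     "InternetAddress": "KarlC@acme.example", "HTTPPassword": None},
]


def candidate_matches(ad_user, directory=DIRECTORY):
    """Person documents that could correspond to the AD user. The Internet
    address is tried first; only if nothing matches is the short name used,
    which is where duplicates typically appear."""
    mail = (ad_user.get("mail") or "").lower()
    account = (ad_user.get("sAMAccountName") or "").lower()
    if mail:
        by_mail = [d for d in directory
                   if (d.get("InternetAddress") or "").lower() == mail]
        if by_mail:
            return by_mail
    if account:
        return [d for d in directory
                if account in (s.lower() for s in d.get("ShortName", []))]
    return []


def select_match(ad_user, directory=DIRECTORY, prompt=None):
    """Choose the entry to synchronize with. One candidate is used as is;
    several are handed to `prompt` (the operator's choice dialog), which
    returns one of them or None to cancel. With no prompt available an
    ambiguous match is an error, never a silent pick."""
    matches = candidate_matches(ad_user, directory)
    if not matches:
        return None
    if len(matches) == 1:
        return matches[0]
    if prompt is None:
        raise ValueError("more than one Domino entry matches; operator must choose")
    choice = prompt(matches)
    if choice is not None and choice not in matches:
        raise ValueError("prompt returned an entry that is not a candidate")
    return choice


def set_common_password(ad_account, person_doc, new_password):
    """Apply a common password as the option scopes it: the Windows account
    password and the Notes Internet password (the Person document's
    HTTPPassword item) change; the Notes ID file's password is untouched.
    Returns updated copies; the inputs are not modified."""
    salt = secrets.token_hex(8)
    digest = hashlib.sha256((salt + new_password).encode("utf-8")).hexdigest()
    new_account = dict(ad_account, password=new_password)  # stand-in for the AD write
    new_doc = dict(person_doc, HTTPPassword=f"{salt}${digest}")
    return new_account, new_doc


if __name__ == "__main__":
    kim = {"sAMAccountName": "KCarter", "mail": "KCarter@acme.example"}
    print(select_match(kim)["FullName"])
    unknown = {"sAMAccountName": "KCarter", "mail": "nobody@acme.example"}
    print(select_match(unknown, prompt=lambda m: m[0])["FullName"])
```

The refusal to resolve an ambiguous match automatically is the security-relevant property: synchronizing field values or a new Internet password onto the wrong Person document would hand one employee’s web access to another.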
Registering new groups in Active Directory and in Domino Directory
simultaneously
Before registering new groups, review all of the ADSync settings,
especially the Notes Settings and Container Mappings.
You can register new groups in Notes at the same time you register them
in the Active Directory.
For information on the fields that display while registering groups,
consult your Microsoft documentation.
Complete this procedure to simultaneously register a group in Notes and
in Active Directory:
1. From the MMC, right-click Users - New - Groups.
2. Complete these fields on the Notes registration window that displays:

Register in Domino Directory: Click this check box to create a Notes group to correspond to the Windows group. Deselect to create the group only in the Active Directory. When this option is selected, all other fields on this dialog box are active.
Group name: Enter a group name. This field is active only if you select the “Register in Domino Directory” check box.
Group type: Specifies the purpose of the group and determines the views in the Domino Directory where the group name appears. This field is active only if you select the “Register in Domino Directory” check box. Choose one:
• Multi-purpose - use for a group that has multiple purposes, for example, mail and ACLs. This is the default.
• Access Control List only - use for server and database access authentication only.
• Mail only - use for mailing list groups.
• Deny List only - use to control access to servers. Deny List only is typically used to prevent terminated employees from accessing servers, but this type of group can be used to prevent any user from accessing particular servers. The Administration Process cannot delete any member of this type of group.
Description: (Optional) Enter a description of the group.

Adding members to a group


1. From the MMC, select the name of the group to which you are
adding members.
2. Complete the fields on the Newgroup Properties dialog box. For
more information on completing these fields, refer to the Microsoft
help documentation.
3. Click Apply and OK.
Renaming Active Directory and Notes users and groups
When you rename a user or group in the Active Directory, and there is a
corresponding user in the Domino Directory that was previously
synchronized with its Active Directory counterpart, ADSync renames or
recertifies that user or group accordingly. The server that is used for
synchronizing the Domino Directory with the Active Directory is the
synchronization server that you specify on the Notes Synchronization
Options tab.
When you rename a Notes user or group, all occurrences of that user
name are updated in the Domino Directory and other databases by the
Domino Administration Process on the Domino server.
To rename a user or group in Active Directory and in Domino Notes
1. From the MMC, right-click the name of the user or group you are
renaming, and click Rename.
2. Enter the user’s or group’s new name.
3. Complete the fields in the Rename User/Group wizard. Be sure to
enter the new name in any fields in which you want the name change
to take effect.
4. On the Verification to Rename dialog box, verify that the check box
“Corresponding user or group in Domino Directory” is selected to
change the name in the Domino Directory.
5. Click Yes.
For information on renaming a user in Domino, see the chapter “Setting
Up and Managing Notes Users.”
For information on renaming a group in Domino, see the chapter “Setting
Up and Managing Groups.”
For information on administration requests, see the appendix
“Administration Process Requests.”
Deleting Active Directory and Notes users and groups
When you delete a user or group from the Active Directory and there is a
corresponding user or group in the Domino Directory that was
synchronized with it, ADSync removes the Person document or Group
document for that Domino Directory entry using the Administration
Process on the deletion server. You can designate a deletion server and
change user mail file deletion settings in the Notes Settings tab of the
Lotus ADSync Options dialog box.
When you delete a Notes user or group, all references to it are removed
from the Domino Directory by the Domino Administration Process
running on a Domino server. After initiating the deletion, you must
approve the request in the Administration Requests (ADMIN4.NSF)
database on the Domino server.
For more information on deleting users in Domino, see the chapter
“Setting Up and Managing Notes Users.”
For more information on administration requests, see the appendix
“Administration Process Requests.”
Note To use a Notes administrator ID other than the one most recently
used, go to the Notes Settings tab of the Lotus ADSync Options dialog
box and specify another administrator’s ID.
How to delete users from Active Directory and Domino
1. From the MMC, right-click the name of the user you are deleting and
then click Delete.
2. Click Yes at the verification message.
Chapter 18
Planning Directory Services
This chapter describes the Domino directory services features and some
of the planning issues to consider before using them.
Overview of Domino directory services
Domino provides a range of directory service features that are useful for
both small and enterprise companies, including:
• The option to use dedicated directory servers and to use a central directory architecture
• Lightweight Directory Access Protocol (LDAP) features
• Flexible directory access control, including the ability to use an extended ACL to set access at the form and field level
• Tools for creating and managing entries in the directory
• Directory features for Notes clients
• Features for multiple-directory environments
• Internationalization features
• Directory customization features
Using directory servers in a Domino domain
A Domino domain is a network of clients and servers whose users,
servers, connections, and access control information is described in a
single database called the Domino Directory. When you set up the first
server in an organization, Domino creates a Domino domain and a
Domino Directory for the domain. When you add servers to the domain
they pull replicas of the Domino Directory. To create an additional
domain and Domino Directory, you perform a first server setup.
Each Domino domain has at least one administration server for the
Domino Directory. The administration server is responsible for carrying
out Administration Process requests that automate changes to the
Domino Directory. By default, the first server set up in a domain is the
administration server for the Domino Directory.
You can use directory servers in a Domino domain to dedicate specific
servers to providing directory services. Clients and specialized servers
such as mail and application servers use the directory servers to look up
user, group and similar information.
A directory server might:
• In a central directory architecture, store a primary Domino Directory that servers with Configuration Directories access remotely
• Run the LDAP service
• Run the Dircat task to build and store directory catalogs
• Store replicas of directories that are aggregated into the directory catalog
• Store replicas of secondary Domino Directories that servers in the domain access through directory assistance
You can set up Notes clients to use directory servers, rather than their
mail servers, to look up names and addresses.
For information on setting up Notes clients to use directory servers, see
the chapter “Setting Up the Domino Directory.”
Using a central directory architecture in a Domino domain
Prior to this release, companies always used a distributed directory
architecture in which every server in a Domino domain had a full replica
of the domain’s primary Domino Directory. A primary directory contains
all types of documents: documents used to provide directory services
such as Person and Group documents as well as documents used to
configure Domino servers.
In this release, companies can implement a central directory architecture.
In a central directory architecture, a few directory servers in a domain
have a replica of the primary Domino Directory that contains the entire
contents of the Domino Directory. The other servers in the domain have a
Configuration Directory, a small, selective replica of the Domino
Directory that contains only documents used for Domino configuration.
A server with a Configuration Directory uses a primary Domino
Directory on another server — referred to as a remote primary Domino
Directory — to look up information in Person, Group, Mail-In Database,
and Resource documents, and in any new types of custom documents a
company has added to the directory.
Enterprise companies that use centralized architectures can benefit from
this feature. A central directory architecture allows for tighter
administrative control over directory management because only a few
directory replicas contain user and group information. In addition,
application and mail servers can run on less powerful machines than the
directory servers require, since the application and mail servers don’t
have to store a primary Domino Directory, which can be the largest
database in a company. If the user and group information in a directory
changes frequently, the servers with Configuration Directories have
immediate access to the changes that critical business applications and
processes require, because they don’t have to wait for the changes to
replicate locally.
To use a central directory architecture you must have adequate network
bandwidth to support the remote primary directory lookups. For
failover, it is also important that at least two servers in a domain are
configured as a remote primary Domino Directory.
For additional information on implementing a central directory
architecture, see the chapter “Setting Up the Domino Directory.”
Planning LDAP features
Lightweight Directory Access Protocol (LDAP) is a standard Internet
protocol for searching and managing entries in a directory. Domino and Notes
provide these LDAP features:
• The LDAP service enables a Domino server to function as an LDAP
directory server and process LDAP requests.
• LDAP accounts on Notes clients enable Notes users to do LDAP-style
searches for addresses in LDAP directories.
• The ldapsearch utility enables you to use LDAP search syntax to
search an LDAP directory.
• Directory assistance can enable a Domino server to use a remote
LDAP directory for client authentication and/or to look up the
members of groups during database authorization.
Planning the LDAP service
A Domino server that runs the LDAP task functions as an LDAP
directory server, ready to process requests from LDAP clients. Such
requests can come from any of the popular Web browser clients that
have built-in LDAP support to retrieve directory information, or from
custom LDAP applications designed to search for and manage directory
information.
Some of the questions to ask when planning for the LDAP service are:
• What levels of LDAP client authentication do you want to use?
Anonymous access, enabled by default, allows LDAP clients to
connect without providing names and authentication credentials,
such as passwords or certificates. Typically you allow LDAP clients
connecting anonymously only read access to the directory.
• Should you use an extended ACL to control LDAP access to the
directory? An extended ACL provides more granular directory
access control than the database ACL alone supports. If you use an
extended ACL, the database ACL and extended ACL control
Anonymous LDAP search access as well as anonymous access for the
other supported client protocols. If you do not use an extended ACL,
a Configuration Settings document controls Anonymous LDAP
search access.
• Should you create a full-text index for the Domino Directory? If your
LDAP clients typically use search filters that search for names or mail
addresses, then it’s not necessary to full-text index the directory. If
LDAP clients use other types of search filters, creating a full-text
index for the directory is recommended so the LDAP service can
process these kinds of requests more quickly by searching a full-text
index.
• Do you need to extend the schema to add support for new object
classes or attributes? You may need to extend the schema if your
company has LDAP applications that search for application-specific
information. You can use the Domino LDAP Schema database
(SCHEMA.NSF) to extend the schema, or add forms and fields to the
directory. Using the Schema database is recommended.
For additional information, see the chapters “Setting Up the LDAP
Service” and “Managing the LDAP Schema.”
Planning directory assistance for the LDAP service
You can set up directory assistance on a server that runs the LDAP
service so the LDAP service can extend client LDAP requests to a
secondary Domino Directory or to a remote LDAP directory.
Some of the issues to consider with respect to setting up the LDAP
service to use directory assistance for a secondary Domino Directory
include:
• What access do I want LDAP clients to have to the secondary
Domino Directory? You control LDAP access separately for each
Domino Directory or Extended Directory Catalog the LDAP service
serves.
• If you use a custom LDAP application to administer the directory,
the LDAP service allows the application to modify the directory only
if the directory is stored locally on the server running the LDAP
service. If the secondary Domino Directory is stored on a remote
server, the LDAP service can return a referral to that server instead
of processing the LDAP operations itself.
Some of the issues to consider with respect to setting up the LDAP
service to use directory assistance to refer LDAP clients to a remote
LDAP directory include:
• The LDAP service can never process an LDAP search, add, or modify
request in a remote LDAP directory. It can only refer LDAP clients to
a remote LDAP directory.
• By default the LDAP service can return a given LDAP client a
referral to only one remote LDAP directory. If you want to enable the
LDAP service to return an LDAP client more than one referral, so that
an LDAP client can follow up with an alternate referral if the directory
server specified in the first referral is unavailable, you must increase
the “Maximum number of referrals” setting for the LDAP service.
• You can specify alternate LDAP directories for referral in one
Directory Assistance document for a remote LDAP directory.
Note The LDAP service, like any Domino Internet protocol server, can
use directory assistance to authenticate its clients using credentials in a
secondary directory, and to use groups in a secondary directory for
database authorization.
For more information, see the topic “Planning directory assistance” later
in this chapter.
Planning LDAP accounts on Notes clients
Notes clients can use LDAP accounts set up in the Personal Address
Book to connect directly to a remote LDAP directory server. Using an
LDAP account, a Notes user can browse the remote LDAP directory and
can search for addresses in the remote LDAP directory when sending
mail.
Some of the issues to consider before setting up LDAP accounts on Notes
clients are:
• Would you rather set up directory assistance on Notes clients’ mail
servers or directory servers to provide Notes users with access to a
remote LDAP directory, instead of using LDAP accounts? If the Notes
clients run Notes Release 4, you must use directory assistance
because Notes Release 4 clients don’t support the use of LDAP
accounts. You might also use directory assistance to avoid having to
update client LDAP accounts if the remote LDAP directory
configuration changes; if you use directory assistance, you change
only the Directory Assistance document for the remote LDAP
directory if the directory server configuration changes.
• What settings do you want to use in an LDAP account? For example,
if an LDAP directory server requires a search base, you should
specify a search base in the account. Should you use a simple search
filter that searches only for a cn attribute to locate user entries, or a
more complex search filter that also searches for a mail, uid, sn, or
givenname attribute? If searches of the cn attribute only are adequate
for your needs, using the simple search filter improves the speed of
searches.
• Should you use Setup policy settings and/or Desktop policy settings
documents to set up and modify the LDAP accounts? This approach
automates the process of creating and updating the accounts.
LDAP accounts for the Bigfoot and VeriSign directories are set up by
default.
The ldapsearch utility
LDAPSEARCH.EXE is a utility that you run from the operating system
prompt that searches any LDAP directory. ldapsearch connects to a
directory server that you specify and returns results according to
specified search criteria. ldapsearch is provided with the Domino server
and the Notes client. This tool uses standard LDAP search syntax so you
can also use it to learn about using LDAP to search an LDAP directory.
For additional information, see the chapter “Using the ldapsearch
Utility.”
Domino does not provide a comparable tool for modifying an LDAP
directory.
Planning directory access control
Use the database ACL to control the general access that users and servers
have to the Domino Directory. Optionally, use an extended ACL to refine
the general database ACL and further restrict access to specific portions
of the directory. An extended ACL is available for only a Domino
Directory and an Extended Directory Catalog.
Some of the questions to ask when planning directory access control
include:
• Do you want to assign administrators to specific administration roles
in the Domino Directory? If administrators in your company have
specialized administrative duties, consider assigning the
administrators only to the administration roles in the ACL that
correspond to their duties. If your company administrators do all
administrative tasks, assign them to all of the roles.
• Do you want to use an extended ACL? One of the reasons to use an
extended ACL is to limit cross-organizational access to a directory
that contains information for multiple organizations or
organizational units.
• Do you want to allow Anonymous access to the directory? By
default, you use the domain Configuration Settings document in the
Domino Directory to control anonymous LDAP search access. By
default, anonymous LDAP users have Read access to a specific list of
attributes.
The Anonymous entry in the directory database ACL is set to No
Access by default and controls anonymous access for all users other
than LDAP users. If you use an extended ACL, the Anonymous
entry in the database ACL and the extended ACL also control
anonymous LDAP access. Typically you give the Anonymous entry
no more than Reader access.
For additional information, see the chapters “Setting Up the Domino
Directory” and “Setting Up Extended ACLs.”
Planning new entries in the Domino Directory
The tools you can use to add entries to the Domino Directory are the
Notes user registration program, migration tools that are integrated with
the Notes user registration program, Domino directory synchronization
tools, and third-party LDAP applications. You can also add an entry
manually, for example you typically add a group entry manually. You
might also develop a custom Notes application to add entries.
Note In general an entry’s distinguished name is determined by the first
value listed in the FullName field. Domino Group and Server entries are
the exceptions. The ListName field controls the distinguished name of a
Domino Group and the ServerName field controls the distinguished
name of a Domino server. If you add more than one value to a FullName,
ListName, or ServerName field, keep the distinguished name as the first
value.
Notes user registration program
The Notes user registration program, available through the Domino
Administrator and Web Administrator clients, is the traditional method
for adding user entries to the Domino Directory. The registration
program registers users with hierarchical names — names with multiple,
distinguishing components — provided by a certifier. The registration
program can register users with Notes IDs, X.509 certificates, or
passwords, and can register users to use Notes mail, an Internet mail
protocol, or no mail.
Before you register Notes users you should decide on a naming scheme
for the users and create certifiers that reflect that scheme. You should
also use the Policies feature with a Registration policy settings document
to simplify the process of registration by filling in many of the
registration settings automatically.
For more information, see the chapters “Setting Up and Managing Notes
Users” and “Using Policies.”
Directory synchronization tools
If you create a new user or group account in Windows NT User Manager
for Domains or in Active Directory, Domino provides tools you can use
to simultaneously register the user or group in the Domino Directory.
For more information, see the chapter “Using Domino with Windows
Synchronization Tools.”
Migration tools
The Notes user registration program provides migration tools that
convert third-party mail system users or third-party LDAP directory
users to Notes users. Be aware that if you migrate users from an LDAP
directory the migration tools convert the entries from the LDAP directory
into Notes entries with new names based on a certifier specified in the
Notes user registration program.
For more information on migration tools, see the Upgrade Guide.
Third-party LDAP applications
If you use the LDAP service, you can use an LDAP application to add
entries to the Domino Directory. Because Domino does not provide such
an LDAP application, your company must develop or obtain one to add
entries to the directory in this way. These are some of the issues to keep
in mind if you use an LDAP application to add entries to a Domino
Directory:
• You must set up the directory to allow LDAP write access.
• Enabling schema checking for the LDAP service is recommended so
the directory contents conform to the schema and are consistent.
• The distinguished names of entries must be 256 characters or less.
For additional information on using LDAP to add entries, see the chapter
“Setting Up the LDAP Service.”
Planning the management of entries in the Domino Directory
You can use the Domino Administrator, the Web Administrator,
directory synchronization tools, and third-party LDAP applications to
manage entries in the Domino Directory.
Domino Administrator and Web Administrator
The People &amp; Groups tab of the Domino Administrator and Web
Administrator clients provides several tools for managing Domino user
and group entries in the Domino Directory, including tools that:
• Rename and recertify users
• Edit user and group entries
• Find user and group entries
• Set policies for user and group entries
Many of these tools invoke the Administration Process to automate these
tasks.
For additional information, see the chapters “Setting Up the
Administration Process” and “Setting Up and Using Domino
Administration Tools.”
Directory synchronization tools
If you modify or delete a Domino user or group, Domino provides tools
you can use to simultaneously carry out the modification or deletion in a
corresponding user or group in Windows NT User Manager for Domains
or in Active Directory.
For more information, see the chapter “Using Domino with Windows
Synchronization Tools.”
Third-party LDAP applications
The LDAP service allows third-party LDAP applications to modify
directory entries. By default the LDAP service does not allow LDAP
write operations to a directory, so you must set up the directory to allow
them.
Planning directory services for Notes clients
There are a variety of directory services features available to Notes
clients. If there are Notes client settings that apply to groups of
Notes users, use policies with Setup or Desktop settings documents to set
up the desired settings on Notes clients automatically.
Personal Address Book
The Personal Address Book is a directory on the Notes client that stores
Contacts created by users — documents containing information about
people with whom the users come in contact and/or send mail — and
that stores mailing lists created by users for sending mail to groups of
people. The Personal Address Book also stores a variety of documents
related to configuration of the Notes client.
For more information, see Lotus Notes 6 Help.
Condensed Directory Catalog
A condensed Directory Catalog, sometimes referred to as a Mobile
Directory Catalog when used on a Notes client, is an optional directory
that aggregates user and group entries from one or more Domino
Directories. A condensed Directory Catalog provides Notes users with a
small, local, organization-wide directory that they can use either off-line
or when connected to the local area network.
For more information, see the chapter “Setting Up Directory Catalogs.”
Type-ahead addressing
Using type-ahead addressing, a Notes user enters a few letters in a mail
addressing field and Notes tries to match those letters to a name in a
directory. If Notes finds a match, it enters the completed name in the
addressing field automatically. If a Notes user has a local condensed
Directory Catalog configured, type-ahead addressing does not search a
directory on a server. However, pressing F9 to resolve a name will search
for the name in both local and server directories.
Administrators can use a setting in a Configuration Settings document to
disable type-ahead addressing on a server to reduce network traffic and
improve server performance.
For more information on disabling type-ahead addressing on a server,
see the chapter “Customizing the Domino Mail System.”
Easy location of user and group entries
Notes users can use an addressing tool or a generic search tool to easily
find user and group entries in a directory. When searching a Personal
Address Book or a Domino Directory, these tools provide a
type-ahead-style mechanism to match letters entered by a user to a name
in a directory. Users can choose to view entries in a directory by name,
by Notes name hierarchy, by corporate hierarchy, and by alternate
names (if used).
To search all local Address Books or an LDAP directory accessed using
an LDAP Account document, users can use an LDAP-style search query
to locate entries. For example, users can search for all entries with the last
name “Brown.”
For additional information, see Lotus Notes 6 Help.
Access to server directories
The Notes client has automatic access to the Domino Directory in its
domain. If an administrator sets up directory assistance for a secondary
directory, or sets up a server-based directory catalog, Notes clients can
easily address mail to users and groups in those directories.
In addition, a Notes client can set up LDAP accounts to connect directly
to a remote LDAP directory.
For more information on LDAP accounts, see the earlier topic “Planning
LDAP accounts on Notes clients.”
Directory servers
Using the “Domino directory server” field on the Servers tab of a
Location document in the Personal Address Book, Notes clients can use
directory servers, rather than mail servers, for directory lookups.
For more information, see the chapter “Setting Up the Domino
Directory.”
Planning directory services in a multiple-directory environment
Domino provides directory catalogs and directory assistance to help
companies operate in environments with secondary directories. A
secondary directory is any server-based directory that is not a server’s
primary Domino Directory. A secondary directory can be a Domino
Directory for a different Domino domain, a Domino Directory that you
create manually from the PUBNAMES.NTF template that is unaffiliated
with a Domino domain, an Extended Directory Catalog, or a remote
LDAP directory.
Planning directory catalogs
A directory catalog is an optional directory database that can aggregate
entries from multiple Domino Directories into a single database. A
directory catalog provides enterprise-wide directory access via a single
database.
Directory catalogs are either client-based or server-based. Using a
client-based condensed Directory Catalog, often referred to as a Mobile
Directory Catalog, Notes users can access directory information for an
enterprise off-line, when not connected to the network. Servers use
server-based directory catalogs, either a condensed Directory Catalog or
an Extended Directory Catalog, to look up information originating from
a secondary Domino Directory.
Some of the questions to ask when planning directory catalogs are:
• Which documents and fields should be aggregated into a directory
catalog? Which information you aggregate depends on the type and
purpose of the directory catalog.
• If your company uses multiple Domino Directories, should you set
up servers to use a directory catalog? The more Domino Directories a
company uses, the more benefit there is to aggregating the
directories in a directory catalog used by servers. An Extended
Directory Catalog, rather than a condensed Directory Catalog, is
recommended for servers.
• Do you want to use a server-based directory catalog for client
authentication? If so, how you enable the use of the directory catalog
for this purpose depends on the type of server-based directory
catalog you use.
• If you plan to use a condensed Directory Catalog, how should the
entries be sorted? You should sort a Mobile Directory Catalog
according to how users typically enter names when addressing mail
so that type-ahead addressing can find the names.
For additional information on planning directory catalogs, see the
chapter “Setting Up Directory Catalogs.”
Planning directory assistance
Servers use directory assistance to look up information in a secondary
directory — a secondary Domino Directory, an Extended Directory
Catalog, or a remote LDAP directory. Directory assistance provides these
services:
• Client authentication using credentials in a secondary directory
• ACL group lookups for database authorization using one secondary
directory
• Notes mail addressing using a secondary directory
• LDAP service searches of a secondary Domino Directory or
Extended Directory Catalog
• LDAP service referrals to a remote LDAP directory
Some of the questions to ask when planning directory assistance include:
• Which services do you want to enable for each secondary directory?
• If you use a server-based directory catalog, how does it relate to
directory assistance? The answer depends on the type of directory
catalog you use. An Extended Directory Catalog has its own
Directory Assistance document, and the source directories that are
aggregated in the directory catalog should not also have separate
Directory Assistance documents. However, it’s beneficial to create
Directory Assistance documents for the directories aggregated in a
condensed Directory Catalog.
• Do you plan to use a secondary directory, Domino or LDAP, for
client authentication? If so, you must specify in the Directory
Assistance document for the directory the user names in the
directory that are allowed to be authenticated (trusted for
authentication). If clients use name-and-password security, configure
in the Server document of the server to which the clients connect the
types of name formats that clients can provide for authentication.
• Do you plan to use a secondary directory to look up groups listed in
database ACLs to verify database access? You can enable one
secondary directory only — Domino or LDAP — for this purpose.
• How many directory assistance databases should you use? You can
create more than one and set groups of servers to use specific
ones.
In addition, if you are setting up directory assistance for a remote LDAP
directory:
• Does the directory server require a search base? If so, enter the
search base in the Directory Assistance document.
• Do you plan to use the LDAP directory for client authentication or
for ACL group authorization? If so, for tighter security, in the
Directory Assistance document, enable SSL and require the remote
directory server to present an X.509 certificate.
• Is the remote LDAP directory Active Directory? If so, in the Directory
Assistance document for the directory select LDAP search filters that
work specifically with Active Directory.
For additional information on planning directory assistance, see the
chapter “Setting Up Directory Assistance.”
Comparison of directory catalogs and directory assistance
The following table compares the features that directory catalogs and
directory assistance support:

Feature | Mobile Directory Catalog | Condensed Directory Catalog on server | Directory assistance for secondary Domino Directory or Extended Directory Catalog | Directory assistance for remote LDAP directory
Notes client mail addressing | Yes | Yes | Yes | Yes
Notes client LDAP-style searches | Yes | Yes | Yes | No
Notes client directory browsing | Yes | Yes | Yes | No
Notes client type-ahead addressing | Yes | Yes (if no Mobile Directory Catalog) | Yes (if no Mobile Directory Catalog) | No
Notes client F9 address resolution | Yes | Yes | Yes | No
LDAP client search and write operations | No | Yes | Yes (search), No (write) | No
LDAP client referrals | No | No | No | Yes
Internet client authentication | No | Yes | Yes | Yes
Group authorization (enabled for one secondary directory only) | No | No | Yes | Yes
Directory search order
There are a variety of ways to configure directories in a multiple
directory environment. The order in which Notes and Domino search
directories depends on the nature of the search and the configuration of
the directory.
• Directory search order for Internet client authentication
• Directory search order for group names in database ACLs
• Directory search order for LDAP searches
• Directory search order for a name in a Notes address field
Directory search order for Internet client authentication
To authenticate an Internet client connecting to a Domino server, the
server searches directories for the user name and credentials in the
following order:
1. The server’s primary Domino Directory.
2. A condensed Directory Catalog on the server.
3. All directories defined in the server’s directory assistance database
that:
• Have a naming rule that is trusted for authentication and that
matches the logon name of the Internet user
• Have the directory assistance option “Make this domain available
to: Notes clients and Internet Authentication/Authorization”
enabled.
If there is more than one directory with a trusted naming rule that
matches the user name, the server searches the directory with the
most specific matching rule first. If directories have identical trusted
naming rules that match the Internet user name, search orders
assigned to the directories determine the order in which the server
searches them.
Directory search order for group names in database ACLs
When an Internet or Notes user attempts to access a database on a server
and the database ACL includes a group name, the server searches
directories in this order to locate the group to determine if the user is a
member of it:
1. The server’s primary Domino Directory.
2. One directory — LDAP or Notes — configured in the server’s
directory assistance database with the “Group Authorization” option
selected.
Directory search order for LDAP searches
A server running the LDAP service searches directories in the following
order to process LDAP search requests:
1. A server’s primary Domino Directory, unless the primary Domino
Directory is configured in a directory assistance database used by the
server and has the option “Make this domain available to: LDAP
clients” deselected.
2. A condensed Directory Catalog on the server.
3. A Domino Directory or Extended Directory Catalog that is
configured in a server’s directory assistance with the option “Make
this domain available to: LDAP clients” selected.
If an LDAP user doesn’t specify a search base, which is a
distinguished name used to indicate the directory location at which
to begin a search, the LDAP service searches the Domino Directories
and/or Extended Directory Catalog according to the search orders
assigned to the directories. The LDAP service searches directories
with no assigned search orders alphabetically according to their
specified domain names.
If an LDAP user specifies a search base, only directories assigned
naming rules that correspond to the search base are searched. If there
is more than one directory assigned a naming rule that matches, the
directory with the most specific matching rule is searched first. For
example, if a user specifies the search base “ou=Sales,o=Acme,” the
server first searches a directory with the rule /Sales/Acme, before
searching a directory with the rule */Acme. If directories have
identical naming rules that match the search base specified by the
user, search orders assigned to these directories determine the order
in which the directories are searched.
4. If the search is not successful in any Domino Directory or Extended
Directory Catalog, the LDAP service refers clients to an LDAP
directory enabled for LDAP clients in the directory assistance
database.
If an LDAP user doesn’t specify a search base, the LDAP service does
not return a referral.
If an LDAP user specifies a search base, the server picks an LDAP
directory enabled for LDAP users with a naming rule that matches
the specified search base. If there is no such directory, the server
doesn’t return a referral. If there is more than one such directory, the
server picks the one with the most specific matching rule before
picking one with a less-specific rule. If directories have identical
naming rules that match the search base specified by the user, search
orders assigned to these directories determine the order in which the
LDAP service picks them for referrals.
Directory search order for a name in a Notes address field
When a Notes user enters a user or group name in an address field of a
Notes memo, the Notes client and mail server search directories in the
following order to retrieve the address for the name. If a name is found
during any step, searches continue only if the “Recipient name lookup”
field in the Notes user’s current Location document is set to
“Exhaustively check all address books.”
1. The user’s Personal Address Book.
2. Any local Mobile Directory Catalogs on the client.
For searching to continue to a server, the “Mail file location” field in
the active Location document must be set to “On server.”
Type-ahead searches never continue to a server if there is a local
Mobile Directory Catalog.
3. The primary Domino Directory on the user’s mail server or directory
server.
4. A condensed Directory Catalog on the server.
Planning Directory Services 18-17
Directory Services
5. Directories defined in the server’s directory assistance database that
have the option “Make this domain available to: Notes clients and
Internet Authentication/Authorization” enabled.
If the user enters a common name rather than a hierarchical one, the
server searches all directories according to the search order specified
for the directories.
If the user enters a hierarchical name, only directories assigned
naming rules that correspond to the hierarchical name the user
entered are searched. If there is more than one directory assigned a
naming rule that matches, the directory with the most specific
matching rule is searched first. For example, if a user enters the name
Phyllis Spera/Sales/Acme, the server first searches a directory with
the rule /Sales/Acme, before searching a directory with the rule
*/Acme. If directories have identical naming rules that match the
name entered by the user, search orders assigned to the directories
determine the order in which the directories are searched.
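The rule-matching logic described in the two passages above (LDAP search bases and hierarchical Notes names) as an added Python model; this is not Domino code. The rule syntax ("*" matches any single component, an empty leading component as in "/Sales/Acme" means no unit above that one) and the specificity measure (number of non-wildcard components) are assumptions of the model, as is the constructed sample configuration.

```python
"""Directory-assistance search order model (added example; not Domino code).

Assumed rule syntax: components separated by "/", written from organizational
unit down to organization, "*" matching any single component and an empty
leading component (as in "/Sales/Acme") meaning "no unit above this one".
Specificity is the number of non-wildcard components, an assumption used to
decide which matching rule is "most specific".
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Directory:
    domain: str                         # domain name from the Directory Assistance document
    rule: str                           # naming rule, e.g. "/Sales/Acme" or "*/Acme"
    search_order: Optional[int] = None  # None: no search order assigned


def parse_rule(rule: str) -> List[str]:
    # "/Sales/Acme" -> ["", "Sales", "Acme"], "*/Acme" -> ["*", "Acme"]
    return rule.split("/")


def notes_name_components(name: str) -> List[str]:
    # "Phyllis Spera/Sales/Acme" -> ["Sales", "Acme"]: drop the common name,
    # keep the hierarchy that naming rules are matched against.
    return name.split("/")[1:]


def ldap_base_components(base: str) -> List[str]:
    # "ou=Sales,o=Acme" -> ["Sales", "Acme"]; RDNs already run from the most
    # specific unit down to the organization, so only the values are kept.
    return [rdn.split("=", 1)[1].strip() for rdn in base.split(",") if "=" in rdn]


def rule_matches(rule: str, comps: List[str]) -> bool:
    """True if the naming rule covers a name with these hierarchy components."""
    parts = parse_rule(rule)
    for i in range(1, max(len(parts), len(comps)) + 1):
        want = parts[-i] if i <= len(parts) else "*"   # rule shorter than name: wildcard
        have = comps[-i] if i <= len(comps) else None   # name shorter than rule: absent
        if want == "*":
            continue
        if want == "":                                  # component must be absent
            if have is not None:
                return False
        elif have != want:
            return False
    return True


def specificity(rule: str) -> int:
    return sum(1 for part in parse_rule(rule) if part != "*")


def search_sequence(dirs: List[Directory], comps: Optional[List[str]]) -> List[str]:
    """Domain names in the order the directories are searched.

    comps is None when the user supplied no search base (or only a common
    name): every directory is searched by search order, with unassigned
    directories last in alphabetical order of domain name.  Otherwise only
    directories whose rule matches are searched, most specific rule first,
    search order breaking ties between identical rules.
    """
    if comps is None:
        candidates = list(dirs)
    else:
        candidates = [d for d in dirs if rule_matches(d.rule, comps)]

    def sort_key(d: Directory):
        order = d.search_order if d.search_order is not None else float("inf")
        spec = 0 if comps is None else -specificity(d.rule)
        return (spec, order, d.domain.lower())

    return [d.domain for d in sorted(candidates, key=sort_key)]


def ldap_referral(ldap_dirs: List[Directory], base: Optional[str]) -> Optional[str]:
    """Directory an LDAP client is referred to after a failed local search.

    ldap_dirs holds only the LDAP directories enabled for LDAP clients.
    No search base means no referral; otherwise the best matching rule wins.
    """
    if base is None:
        return None
    sequence = search_sequence(ldap_dirs, ldap_base_components(base))
    return sequence[0] if sequence else None


# Constructed sample configuration (not from any real domain).
SAMPLE_DIRS = [
    Directory("AcmeSales", "/Sales/Acme", search_order=2),
    Directory("AcmeAll", "*/Acme", search_order=1),
    Directory("AcmeMirror", "*/Acme"),          # identical rule, no search order
    Directory("Widgets", "*/Widgets", search_order=3),
]

if __name__ == "__main__":
    print(search_sequence(SAMPLE_DIRS, notes_name_components("Phyllis Spera/Sales/Acme")))
    print(search_sequence(SAMPLE_DIRS, ldap_base_components("ou=Sales,o=Acme")))
    print(search_sequence(SAMPLE_DIRS, None))
    print(ldap_referral(SAMPLE_DIRS, "o=Widgets"))
```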
Planning internationalized directory services
Domino and Notes provide the following features to support directory
services in non-English-speaking environments:
• Alternate names
• Corporate hierarchies
• LDAP Alternate Language Information documents
Alternate names
The alternate naming feature assigns a Notes user an alternate name
recognizable in the user’s native language, in addition to a primary name
that is internationally recognizable. Users use alternate names to use
their native languages when displaying and working with names in the
Domino Directory.
For additional information, see the chapter “Setting Up and Managing
Notes Users.”
Corporate hierarchies
Companies can create corporate hierarchies to customize the way the
Domino Directory categorizes user entries. For example, companies
might create a corporate hierarchy that categorizes by management level.
You can assign one user to a maximum of four corporate hierarchies.
When Notes users address mail or use the search tool to find people, they
can choose to display the entries according to their corporate hierarchy
assignments, rather than simply by name or by Notes name hierarchy.
For additional information, see the chapter “Setting Up the Domino
Directory.”
LDAP Alternate Language Information documents
If you use the LDAP service, optionally assign language subattributes to
an attribute to define an alternate language value for the attribute.
For additional information, see the chapter “Setting Up the LDAP
Service.”
Planning directory customization
You can add forms and views to the Domino Directory to accommodate
specific needs of your company. If you use the LDAP service, you can
also use the Domino LDAP Schema database (SCHEMA.NSF) to define
new object classes and attributes to be added to the directory.
Some of the questions to ask when planning directory customization are:
• To define a new type of entry in the directory, should you use the
Schema database or create a form in the Domino Directory instead?
If you don’t use the LDAP service, you must create a form. If you use
the LDAP service you can use the Schema database to define object
classes and attributes with some LDAP-specific characteristics that
are not available when you create Domino Directory forms. However
only LDAP clients, not Notes and Web clients, can access entries
defined only in the Schema database.
• If you use the LDAP service, are there attributes and object classes
already defined in the Domino LDAP schema that serve your
company’s needs? The schema — the types of directory entries that
are defined for the LDAP service — by default defines many object
classes and attributes which you may be able to use rather than
adding new ones.
• If your company doesn’t use the LDAP service, should you create a
form in such a way that it can represent an LDAP object class? It’s
good practice to create a form that can represent an LDAP object
class, so that if in the future your company uses the LDAP service,
the design requirements are in place.
For additional information, see the chapter “Managing the LDAP
Schema” and the appendix “Customizing the Domino Directory.”
Directory services terms
central directory architecture
Directory architecture in a Domino domain in which some servers store
Configuration Directories and use primary Domino Directories on
remote servers for lookups.
condensed Directory Catalog
A directory catalog created from the DIRCAT5.NTF template that is
optimized for small size and used primarily on Notes clients.
Configuration Directory
A directory in a central directory architecture that contains only
documents related to Domino configuration.
directory server
A server whose purpose is providing directory services.
directory assistance
A feature used by servers to extend client authentication, name lookups,
and LDAP operations to secondary directories.
directory assistance database
A database created from the DA50.NTF template and used to configure
directory assistance.
directory catalog
An optional directory database that can aggregate entries from multiple
Domino Directories into a single database. There are two kinds of
directory catalogs: condensed Directory Catalogs and Extended
Directory Catalogs.
Directory Assistance document
Document created in a directory assistance database that describes a
secondary directory.
distributed directory architecture
Directory architecture in a Domino domain in which all servers use a
local primary Domino Directory.
Domino Directory
A directory created automatically from the PUBNAMES.NTF template
during first server setup that describes the users, servers, connections,
and access control information for a Domino domain, or a directory
created manually from the PUBNAMES.NTF template.
Domino domain
A network of clients and servers whose users, servers, connections, and
access control information is described in a Domino Directory.
Extended Directory Catalog
A directory catalog used by servers that, to facilitate quick name lookups,
retains the individual documents and the multiple, sorted views
available in the Domino Directory. You create an Extended Directory
Catalog from the PUBNAMES.NTF template. Servers use directory
assistance to locate an Extended Directory Catalog.
extended ACL
An optional directory access control feature available for a Domino
Directory and Extended Directory Catalog used to apply restrictions to
users’ overall directory access.
LDAP schema
A set of rules that defines what can be stored as entries in an LDAP
directory. The Domino LDAP Schema database (SCHEMA.NSF), which
is created from the SCHEMA.NTF template, publishes the schema for a
domain.
LDAP service
The LDAP server task running on a server to process LDAP client
requests.
Lightweight Directory Access Protocol (LDAP)
A standard Internet protocol for accessing and managing directory
information. LDAP is a simpler version of the X.500 protocol that
supports TCP/IP.
Mobile Directory Catalog
Name for a condensed Directory Catalog set up on a Notes client.
Personal Address Book
A directory database on a Notes client created from the
PERNAMES.NTF template that contains the names and addresses of
users and groups added by Notes users.
primary Domino Directory
The Domino Directory that a server searches first and that describes the
Domino domain of the server.
remote LDAP directory
A directory on a remote LDAP server accessed via directory assistance.
remote primary Domino Directory
In a central directory architecture, a primary Domino Directory that a
server with a Configuration Directory uses remotely.
secondary directory
Any directory a server uses that is not its primary Domino Directory.
secondary Domino Directory
Any Domino Directory a server uses that is not its primary Domino
Directory.
Chapter 19
Setting Up the Domino Directory
This chapter describes the Domino Directory and explains how to set up
the Domino Directory for a Domino domain.
The Domino Directory
The Domino Directory, which some previous releases referred to as the
Public Address Book or Name and Address Book, is a database that
Domino creates automatically on every server. The Domino Directory is a
directory of information about users, servers, and groups, as well as
custom entries you may add. Registering users and servers in a domain
automatically creates corresponding Person documents and Server
documents in the Domino Directory for the domain. These documents
contain detailed information about each user and server.
The Domino Directory is also a tool that administrators use to manage
the Domino system. For example, administrators create documents in the
Domino Directory to connect servers for replication or mail routing, to
schedule server tasks, and so on.
When a server runs the LDAP service, the Domino Directory is accessible
through the Lightweight Directory Access Protocol (LDAP).
Typically, a Domino Directory is associated with a Domino domain.
When you set up the first server in a Domino domain, Domino
automatically creates the Domino Directory database and gives it the file
name NAMES.NSF. When you add a new server to the domain, Domino
automatically creates a replica of the Domino Directory on the new server.
You can also create a Domino Directory manually from the
PUBNAMES.NTF template and use it as a secondary directory to store,
for example, entries for your Internet users.
To optimize its performance, the Domino Directory has these database
properties enabled by default:
• “Document table bitmap optimization” to improve the performance of
small view updates — for example, updates of the Connections view.
• “Don’t maintain unread marks” to improve database performance
and reduce the size of the database.
For more information on database performance properties, see the
chapter “Improving Database Performance.”
Setting up the Domino Directory for a domain
After you install and set up servers in a Domino domain, perform these
procedures to set up the Domino Directory for the domain.
1. (Optional) Set up a central directory architecture in the domain.
2. Control access to the Domino Directory.
3. (Optional) Categorize users in the domain by corporate hierarchy.
4. (Optional) Set up Notes clients to use a directory server in the domain.
5. (Optional) Customize the Directory Profile.
6. Schedule replication for the Domino Directory.
Using a central directory architecture in a Domino domain
A central directory architecture is an optional directory architecture you
can implement in a Domino domain. This architecture differs from the
traditional distributed directory architecture in which every server in a
domain has a full replica of the primary Domino Directory.
With a central directory architecture, some servers in the domain have
selective replicas of a primary Domino Directory. These replicas, which
are known as Configuration Directories, contain only those documents
that are used to configure servers in a Domino domain, such as Server,
Connection, and Configuration Settings documents. A server with a
Configuration Directory uses a remote primary Domino Directory on
another server to look up information about users and groups and other
information related to traditional directory services.
Using a central directory architecture has these benefits:
• Provides servers with Configuration Directories quick access to new
information because the servers aren’t required to wait for the
information to replicate to them.
• Enables servers that store Configuration Directories to run on less
powerful machines because they don’t have to store and maintain
the primary Domino Directory.
• Provides tighter administrative control over directory management
because only a few directory replicas contain user and group
information.
A server with a Configuration Directory connects to a remote server with
a primary Domino Directory to look up information in the following
documents that it doesn’t store locally:
• Person
• Group
• Mail-in Database
• Resource
• Any custom documents you add
For example, to authenticate a user, a server with a Configuration
Directory looks for the user credentials in a Person document in a remote
primary Domino Directory on another server in the domain.
You can set up a Domino Directory as a Configuration Directory when
you set up an additional server in the domain. If a server is already set
up, you can use replication settings for the directory to change a primary
Domino Directory to a Configuration Directory or change a
Configuration Directory to a primary Domino Directory.
Planning a central directory architecture for a domain
The central directory architecture is most useful for an enterprise
organization that has a domain with a large Domino Directory. Using a
central directory architecture requires network speeds that make remote
directory lookups feasible. In addition, servers that store primary Domino
Directories that function as remote primaries must have the capacity to
handle the additional workload generated by the remote lookups.
Only an application that does a NAMELookup or similar directory call
can use a Configuration Directory to do a lookup in a remote primary
Domino Directory.
Deciding which servers should use primary Domino Directories
The administration server for the Domino Directory must store a primary
Domino Directory. For failover, at least one other server in the domain
should store a primary Domino Directory. There may be additional
servers that require primary Domino Directories as well, depending on
network bandwidth and stability, server usage patterns and locations,
and so forth. You may want servers that use primary Domino Directories
that function as remote primaries to be within a cluster to provide
failover and workload balancing.
If there is a network congestion point in the domain, at least one server
on each side of the congestion point should have a primary Domino
Directory that functions as a remote primary.
Using a combined central and distributed directory architecture
You can use a hybrid directory architecture within one domain. For
example, suppose at a company’s headquarters there are multiple servers
connected via fast network connections. There are also smaller remote
offices that have limited network bandwidth but are within the same
domain. Servers at corporate headquarters can use the central directory
model that includes a combination of primary Domino Directories and
Configuration Directories, while the remote satellite offices can continue
to use the distributed directory architecture in which each server stores a
primary Domino Directory.
Using a combined primary Domino Directory and Extended
Directory Catalog
Although not a typical configuration, you can integrate an Extended
Directory Catalog with a primary Domino Directory to collect users and
groups from the primary domain and secondary domains into one
directory database. A server that stores a Configuration Directory can
use this combination directory on a remote server as a remote primary
Domino Directory.
When you use this combination directory, all the users from the
aggregated secondary directories are automatically trusted for
authentication, and all the groups can be used in database ACLs for
database authorization.
For more information on integrating an Extended Directory Catalog with
a primary Domino Directory, see the chapter “Setting Up Directory
Catalogs.”
Managing Domino Directories in a central directory architecture
To manage a central directory architecture, in which there are a
combination of Configuration Directories and primary Domino
Directories in a domain, you can:
• Change the directory type of a Domino Directory
• Control how a server finds a remote primary Domino Directory to use
• Prevent the use of a Domino Directory replica as a remote primary
• Show the primary Domino Directories that servers with
Configuration Directories can use
Changing the directory type of a Domino Directory
The first server set up in a domain is always set up with a primary
Domino Directory. When you set up an additional server in the domain,
you choose whether to set up the replica of the Domino Directory on the
server as a Configuration Directory or as a primary Domino Directory.
The default selection is a primary Domino Directory.
After server setup, you can change the directory type. After you change
directory type, the Administration Process generates a “Store Directory
Type in Server Record” request to change the value of the Directory Type
field on the Basics tab of the Server document.
Changing a primary Domino Directory to a Configuration Directory
Note Do not change the primary Domino Directory on the
administration server to a Configuration Directory.
1. From the Domino Administrator, connect to the server that stores the
replica of the Domino Directory you want to change.
2. Click the Files tab.
3. Select the Domino Directory, and then double-click.
4. Choose File - Replication - Settings, and change the replication
settings for the directory as follows:
a. Click Space Savers in the Replication Settings dialog box.
b. Next to Include, select “Configuration Documents only.”
c. Click OK.
5. Use the server command Replicate to replicate the Domino Directory
that has the changed settings with a primary Domino Directory on
another server. Do a push-pull replication.
6. Restart the server that stores the Domino Directory replica you
changed.
Changing a Configuration Directory to a primary Domino Directory
1. From the Domino Administrator, connect to the server that stores the
replica of the Domino Directory you want to change.
2. Click the Files tab.
3. Select the Domino Directory, and then double-click.
4. Choose File - Replication - Settings, and change the replication
settings for the directory as follows:
a. Select Space Savers in the Replication Settings dialog box.
b. Next to Include, select All Fields.
c. Deselect “Documents that meet a selection formula.”
d. Click Yes when you see the following prompt:
“Switching to Folders will clear the current selection formula. Are
you sure you want to do this?”
e. Click OK.
5. Use the server command Replicate to replicate the Domino Directory
that has the changed settings with a primary Domino Directory on
another server. Do a push-pull replication.
6. Restart the server that stores the Domino Directory replica you
changed.
Controlling how a server finds a remote primary Domino Directory
to use
To locate a remote primary Domino Directory, a server with a
Configuration Directory can use a default logic or can use a directory
replica specified through directory assistance.
The default logic to locate a remote primary Domino Directory
The Directory Servers view in a Domino Directory lists the replicas of the
primary Domino Directories in the domain that are available for use as
remote primary directories by servers with Configuration Directories.
The view sorts these replicas alphabetically by their server names.
A server that stores a Configuration Directory uses the following logic to
build a list in memory of the five best remote primary Domino Directory
replicas to use. If the first replica in the list is unavailable, the server uses
the next replica in the list, and so on.
1. Look in the replication history and find the remote primary directory
replica with which the server most recently replicated. Then look for
the replica with which it replicated prior to that, and so on.
2. If the list in memory does not yet include five replicas of a remote
primary directory, look for a primary directory replica in the same
Notes named network. If there is more than one such replica, order
them alphabetically by their server names.
3. If the server has not yet located five replicas, refer to the Directory
Servers view to order the remaining remote primary directory replicas
alphabetically by their server names, until there are five primary
directories in the list or until all the primary directories are listed.
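The three-step default logic above as an added Python model; this is not Domino code. The model skips, in every step, a replica whose Server document has “Allow this directory to be used as a remote primary directory for other servers” deselected (that it is skipped in step 1 as well is an assumption), and the server names and named networks are constructed.

```python
"""Default remote-primary selection model (added example; not Domino code).

Models the three-step logic a server with a Configuration Directory uses to
build its in-memory list of up to five remote primary Domino Directory
replicas.  A replica whose Server document has "Allow this directory to be
used as a remote primary directory for other servers" deselected is skipped
in every step; that it is skipped in step 1 as well is an assumption.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class PrimaryReplica:
    server: str                        # hierarchical server name
    named_network: str                 # Notes named network of the server
    allow_remote_primary: bool = True  # option on the Basics tab of the Server document


def best_remote_primaries(local_network: str,
                          replication_history: List[str],
                          replicas: List[PrimaryReplica],
                          limit: int = 5) -> List[str]:
    """Server names in the order the server will try them.

    replication_history lists remote primary replicas the server replicated
    with, most recent first (the order in which the replication history is read).
    """
    eligible: Dict[str, PrimaryReplica] = {
        r.server: r for r in replicas if r.allow_remote_primary
    }
    chosen: List[str] = []

    def add(server: str) -> bool:
        """Append a not-yet-listed eligible replica; True once the list is full."""
        if server in eligible and server not in chosen:
            chosen.append(server)
        return len(chosen) >= limit

    # Step 1: replication history, most recently replicated first.
    for server in replication_history:
        if add(server):
            return chosen

    # Step 2: replicas in the same Notes named network, alphabetical by server name.
    for server in sorted(r.server for r in eligible.values()
                         if r.named_network == local_network):
        if add(server):
            return chosen

    # Step 3: remaining replicas as listed in the Directory Servers view,
    # alphabetical by server name, until five are listed or none remain.
    for server in sorted(eligible):
        if add(server):
            return chosen
    return chosen


# Constructed sample domain (not real servers).
SAMPLE_REPLICAS = [
    PrimaryReplica("Hub01/Acme", "TCPIP-Boston"),
    PrimaryReplica("Mail01/Acme", "TCPIP-Boston"),
    PrimaryReplica("Mail02/Acme", "TCPIP-Boston"),
    PrimaryReplica("Old01/Acme", "TCPIP-Boston", allow_remote_primary=False),
    PrimaryReplica("Remote01/Acme", "TCPIP-Chicago"),
    PrimaryReplica("Remote02/Acme", "TCPIP-Chicago"),
    PrimaryReplica("Slow01/Acme", "TCPIP-Chicago"),
]
SAMPLE_HISTORY = ["Mail02/Acme", "Old01/Acme", "Hub01/Acme"]

if __name__ == "__main__":
    print(best_remote_primaries("TCPIP-Boston", SAMPLE_HISTORY, SAMPLE_REPLICAS))
```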
Setting up directory assistance to locate a primary Domino
Directory
You can use directory assistance rather than the default logic to control
which remote primary Domino Directory replicas in a domain servers
with Configuration Directories use. For example, if servers with primary
Domino Directories are in a cluster, you can use directory assistance to
use cluster failover to locate the primary Domino Directory replicas.
To create a Directory Assistance document in a directory assistance
database that servers with Configuration Directories use:
1. Make sure you have set up a directory assistance database on servers
with configuration Domino Directories.
2. From the Domino Administrator, connect to a server that is set up to
use the directory assistance database.
3. Click the Configuration tab.
4. Expand Directory and select Directory Assistance.
5. Click “Add Directory Assistance.”
6. On the Basics tab, do the following:
a. Next to Domain Type, select Notes.
b. Next to Domain Name, enter the domain of the servers that store
the remote primary Domino Directories. This domain should be
the same domain as that of the servers with configuration
Domino Directories.
c. Next to Search Order, select 1.
d. Next to Group Authorization, select No. A server can always use
groups in a primary Domino Directory replica to authorize
database access, regardless of what you select for this option.
Select No to reserve the use of the Group Authorization option
for a secondary directory.
7. On the Replicas tab do one of the following:
• If the servers that store the primary Domino Directories are
clustered, to use cluster failover specify only one replica within the
cluster. If that replica is unavailable, cluster failover takes effect
automatically.
• If the servers that store primary Domino Directories are not
clustered, for failover specify at least two replicas of the primary
Domino Directories to use.
Note A server always trusts the primary Domino Directory for client
authentication, so it is not necessary to enable a trusted rule in the
Directory Assistance document.
For more information on directory assistance, see the chapter “Setting Up
Directory Assistance.”
Preventing the use of a Domino Directory replica as a remote
primary
Do the following to prevent servers with Configuration Directories from
using a specific replica of the Domino Directory as a remote primary.
You can prevent a replica from being used only when servers with
Configuration Directories use the default logic, and not directory
assistance, to locate a remote primary Domino Directory. You might
prevent the use of a specific replica to avoid the use of a server that has
limited connectivity or CPU capacity.
1. From the Domino Administrator, select the server that stores the
primary Domino Directory.
2. Select the Configuration tab, and select Server - Current Server
Document.
3. Click Edit Server.
4. On the Basics tab, in the Directory Information section, below the
Directory Type field, deselect “Allow this directory to be used as a
remote primary directory for other servers.”
5. Click Save & Close.
Showing the Domino Directory replicas that can function as remote
primaries
The Directory Servers view in the Domino Directory lists the primary
Domino Directories that are in the domain and that have the option “Allow
this directory to be used as a remote primary directory for other servers”
selected on the Basics tab of their Server documents. The Central Directories
view sorts the primary Domino Directory replicas by server name.
1. From the Domino Administrator, in the server pane on the left, select
any server in the domain. If you don’t see the server pane, click the
servers icon.
2. Click the Files tab and open the Domino Directory.
3. Select the view Servers - Directory Servers.
Tip Use the Show Xdir command on a server that uses a Configuration
Directory to show the remote primary Domino Directory replica the
server last used.
Controlling access to the Domino Directory
Do the following to control access to the Domino Directory:
• Set the Domino Directory ACL to control overall access.
• Assign administrators to the roles in the Domino Directory ACL that
correspond to their administrative tasks.
• (Optional) Use the Administrators field to control access to
individual documents.
• (Optional) Use the extended ACL to set access at the form and field
level.
For information on setting up an extended ACL, see the chapter “Setting
Up Extended ACLs.”
Setting overall access levels in the Domino Directory ACL
The Domino Directory, like all Notes databases, has an access control list
(ACL) that controls the overall access that users and servers have. The
following table shows the default name entries in the Domino Directory
ACL and the default access settings for each entry.
Default name entry | Access level | User type
-Default- | Author access without the “Create documents” privilege or administration roles | Unspecified
Anonymous | No access | Unspecified
LocalDomainAdmins | Manager access with no administration roles | Person group
LocalDomainServers | Manager access with all administration roles except PolicyCreator and PolicyModifier | Server group
OtherDomainServers | Reader access | Server group
Server in the domain on which the directory was created | Manager access with all administration roles | Server
Administrator specified during server setup | Manager access with all administration roles | Person
For stricter control over database access, you might change the access
for the -Default- entry to No Access and explicitly add to the ACL the
names of the groups of users that you want to allow access.
Note The default access for the -Default- entry allows users only to
change some of the fields in their Person documents.
Using administration roles in the Domino Directory ACL
The Domino Directory ACL includes Creator and Modifier roles that you
assign to administrators so they have the authority to create and edit
specific types of documents. By assigning one or more roles along with
general access levels, you can limit an administrator’s access to some
types of documents but allow greater access to other types of documents.
Roles are useful when groups of administrators have specialized
responsibilities. If all of the administrators in your organization have
identical administrative responsibilities, assign them to all roles.
The access defined in the ACL by a role never exceeds a general access
level. For example, even if you give the UserCreator role to an
administrator who has Reader access in the ACL, the administrator
cannot use the Create menu to create Person documents.
For more general information on roles in an ACL, see the chapter
“Controlling User Access to Domino Databases.”
Creator roles
Assign creator roles to control who can create documents in the Domino
Directory. To create documents in the Domino Directory, administrators
must have:
• The “Create documents” privilege
• The Creator role that corresponds to the type of document being
created
The following table describes the available Creator roles.
Role | Allows
GroupCreator | Administrators to create Group documents
NetCreator | Administrators to create all documents except Person, Group, Policy, and Server documents
PolicyCreator | Administrators to create Policy documents
ServerCreator | Administrators to create Server documents
UserCreator | Administrators to create Person documents
Caution Assigning Creator roles does not provide true security because
Domino sometimes ignores Creator roles when administrators add
documents to the directory programmatically. For example, an
administrator who does not have the UserCreator role can still use the
User Registration program to register a user.
Modifier roles
Rather than assigning Editor access which allows administrators to
modify all documents, assign administrators Author access along with
one or more Modifier roles to control the types of documents they can
edit. For example, assign the UserModifier role to administrators who are
responsible for managing users. Unlike Creator roles, Modifier roles are a
true security feature.
Role | Allows
GroupModifier | Administrators to edit Group documents
NetModifier | Administrators to edit all documents except Person, Group, Policy, and Server documents
PolicyModifier | Administrators to edit Policy documents
ServerModifier | Administrators to edit Server documents
UserModifier | Administrators to edit Person documents
When using Modifier roles, keep in mind the following points:
• An administrator with Author access and a Modifier role cannot edit
fields assigned the security property “Must have at least Editor
access to use.”
• To delete a document, an administrator must have Author access, the
“Delete documents” privilege, and the appropriate Modifier role.
• Modifier roles apply only to administrators who have Author access.
Administrators who have Editor access or higher automatically can
modify all documents.
Using the Administrators field to control access to individual
documents in the Domino Directory
Most types of documents in the Domino Directory contain an
Administration tab with an Administrators field on it. To allow an
administrator who has Author access to the directory to modify a single
document, enter the administrator’s name in the Administrators field.
1. From the Domino Administrator open the server that stores the
Domino Directory you want to change.
2. Click the Files tab and open the Domino Directory.
3. Open any document and click Edit.
4. Click the Administration tab.
5. In the Administrators field, enter the names of individual
administrators or the name of a group of administrators who can edit
this document.
6. Click Save & Close.
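The access-level, privilege, role and Administrators-field rules from the Creator roles, Modifier roles and Administrators field sections above, as an added Python model that is not Domino’s own access-check code. The sample ACL entries are constructed, and treating Editor-or-higher access (with the delete privilege) as sufficient to delete without a Modifier role is an assumption of the model.

```python
"""Domino Directory ACL authorization model (added example; not Domino code).

Models the interaction of ACL access level, the "Create documents" and
"Delete documents" privileges, Creator and Modifier roles, the Administrators
field and the "Must have at least Editor access to use" field property.
Treating Editor-or-higher access as sufficient to delete (given the delete
privilege) without a Modifier role is an assumption of this model.
"""
from dataclasses import dataclass, field
from typing import Set

ACCESS_LEVELS = ["No Access", "Depositor", "Reader", "Author", "Editor", "Designer", "Manager"]

# Document types with their own role pair; every other type falls under Net*.
ROLE_PREFIX = {"Person": "User", "Group": "Group", "Policy": "Policy", "Server": "Server"}


@dataclass
class AclEntry:
    level: str
    roles: Set[str] = field(default_factory=set)
    create_documents: bool = True   # "Create documents" privilege
    delete_documents: bool = False  # "Delete documents" privilege


def rank(level: str) -> int:
    return ACCESS_LEVELS.index(level)


def role_for(doc_type: str, kind: str) -> str:
    # role_for("Person", "Modifier") -> "UserModifier"
    # role_for("Connection", "Creator") -> "NetCreator"
    return ROLE_PREFIX.get(doc_type, "Net") + kind


def can_create(entry: AclEntry, doc_type: str) -> bool:
    """Create via the Create menu: needs the privilege and the matching Creator role.

    A role never exceeds the general access level, so Reader access with
    UserCreator still cannot create Person documents.
    """
    return (rank(entry.level) >= rank("Author")
            and entry.create_documents
            and role_for(doc_type, "Creator") in entry.roles)


def can_edit(entry: AclEntry, doc_type: str,
             listed_in_administrators: bool = False,
             field_requires_editor: bool = False) -> bool:
    """Edit a document (or one of its fields)."""
    if rank(entry.level) >= rank("Editor"):
        return True                          # Editor or higher edits everything
    if rank(entry.level) < rank("Author"):
        return False
    if field_requires_editor:
        return False                         # "Must have at least Editor access to use"
    # Author access: a Modifier role covers the document type; the
    # Administrators field grants edit rights to that single document.
    return role_for(doc_type, "Modifier") in entry.roles or listed_in_administrators


def can_delete(entry: AclEntry, doc_type: str) -> bool:
    """Delete needs Author access, the delete privilege and the Modifier role."""
    if rank(entry.level) < rank("Author") or not entry.delete_documents:
        return False
    if rank(entry.level) >= rank("Editor"):
        return True                          # assumption: no role needed above Author
    return role_for(doc_type, "Modifier") in entry.roles


# Constructed entries mirroring the defaults described for the directory ACL.
DEFAULT_ENTRY = AclEntry("Author", create_documents=False)            # -Default-
USER_ADMIN = AclEntry("Author", {"UserCreator", "UserModifier"}, delete_documents=True)
READ_ONLY_ADMIN = AclEntry("Reader", {"UserCreator"})
LOCAL_DOMAIN_ADMINS = AclEntry("Manager", delete_documents=True)      # no roles

if __name__ == "__main__":
    print(can_create(READ_ONLY_ADMIN, "Person"), can_create(USER_ADMIN, "Person"))
    print(can_edit(USER_ADMIN, "Group"), can_edit(USER_ADMIN, "Group", listed_in_administrators=True))
```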
Corporate hierarchies
You can categorize a Person document in the Domino Directory by a
corporate hierarchy. When a Notes user clicks the Address button to
select the name in the Person document from a Domino Directory, or
uses the Find People search tool to find the name, the user can view the
name by the assigned Corporate Hierarchy.
You can categorize user names in any way you want in a corporate
hierarchy. For example, you might categorize users by company division:
Marketing
    Kaplan, Judy
    Spera, Phyllis
Research and development
    Burke, Kathy
    Murphy, Bob
You can assign a user to up to six subcategories below a top-level
category. For example, the following corporate hierarchy sorts each user
by one subcategory below a top-level company division category.
Marketing
    Design
        Spera, Phyllis
    Planning
        Kaplan, Judy
Research and development
    Hardware
        Burke, Kathy
    Software
        Murphy, Bob
You can assign a user to up to four corporate hierarchies. For example, in
addition to categorizing a user by company division, you could also
categorize the user by geographic location:
Boston
Spera, Phyllis
Setting Up the Domino Directory 19-13
Directory Services
Marketing
Design
Spera, Phyllis
Categorizing a user by corporate hierarchy
1. From the Domino Administrator, select the server that stores the
Domino Directory to modify.
2. Click the People & Groups tab.
3. Select People, select the user’s Person document, and click Edit
Person.
4. Click the Work/Home tab.
5. Click the Corporate Hierarchy Information tab.
6. (Optional) If you want the user’s name to appear in a specific order
relative to other names categorized in the same way, in the Personal
ranking field, enter a number to indicate the order in which the
user’s name should appear. A user name given a ranking of 1 is
listed before a name with a ranking of 2, and so on. Leave the
Personal ranking field blank to sort the user’s name alphabetically by
last name among other names without a ranking.
7. Below Hierarchy 1, enter categories in the “Level” fields by which to
sort the user’s name. Repeat this step to assign the user to up to three
additional hierarchies.
8. Click Save & Close.
For example, to categorize the user Judy Kaplan this way, with no
personal ranking:
Marketing
    Planning
        Kaplan, Judy
Philadelphia
    Kaplan, Judy
fill out the Corporate Hierarchy Information tab in her Person document
with Marketing and Planning in the Level fields under Hierarchy 1,
Philadelphia in the first Level field under Hierarchy 2, and the Personal
ranking field left blank.
Setting up Notes clients to use a directory server
You can set up Notes clients to use a different server than their mail
servers for mail addressing. Type-ahead addressing searches a directory
server only when Notes users don’t use Mobile Directory Catalogs.
Directory servers aren’t used for LDAP directory searches initiated by
Notes users.
To use Desktop settings, Setup settings, or a User Setup Profile to
automate the setup:
1. Create a Desktop settings, Setup settings, or User Setup Profile
document in the Domino Directory.
For information, see the chapter “Using Policies.”
2. Enter the name of the directory server in the Directory server field in
the Basics tab of the document.
3. Click Save & Close.
Alternatively, a user can add the name of a directory server manually in
the “Domino directory server” field which is on the Servers tab of a
Location document in the Personal Address Book.
For more information on Location documents, see Lotus Notes 6 Help.
Customizing the Directory Profile
Use the Directory Profile to specify miscellaneous settings for the
Domino Directory:
1. From the Domino Administrator, in the server pane on the left, select
the server that stores the replica of the Domino Directory you want
to modify. If you don’t see the server pane, click the servers icon.
2. Click the Files tab.
3. Select the Domino Directory, and then double-click.
4. Choose Actions - Edit Directory Profile.
5. Complete any of these fields, and then click Save & Close.

Field: Domain defined by this Domino Directory
Enter: The name of the Domino domain for this directory. Domino
completes this field automatically as part of first server setup.

Field: Condensed server directory catalog for domain
Enter: The file name for a condensed Directory Catalog used by servers in
the domain. As an alternative to using this field, you can specify the file
names for individual condensed Directory Catalogs in the “Directory
catalog database name on this server” field in the Basics section of
Server documents. Setting up a directory catalog is optional.

Field: Sort all new groups by default
Enter: Choose one:
• Yes to display the members of a new group in alphabetical order.
• No (default) to display members of a group in the order in which you
add them. If you select No, you can still override this option and
alphabetize members of a specific group.

Field: Use more secure Internet Passwords
Enter: Choose one:
• Yes (default) to use strong encryption for Internet passwords.
• No to use the less secure encryption available with previous releases
of Domino. Leave this set to Yes unless servers running an earlier
release must still verify the same Internet passwords; the weaker
format exists only for that compatibility.

Field: Allow the creation of Alternate Language Information documents
Enter: Choose one:
• Yes (default) to allow you to create Alternate Language Information
documents that enable LDAP clients to search for user information in
an alternate language.
• No to prevent the creation of Alternate Language Information
documents.

Field: List of administrators who are allowed to create Cross Domain
Configuration documents in the Administration Process Requests database
Enter: The names of users who can create Cross Domain Configuration
documents to allow the Administration Process to submit requests
between Domino domains.
Scheduling replication of the Domino Directory


Create Connection documents to schedule replication of the Domino
Directory on all servers in the Domino domain. Since the Domino
Directory is central to a Domino system, it’s important to replicate it
frequently. Although the replication schedule you select ultimately
depends on the configuration of the servers in the domain, in general,
replicate the Domino Directory at least every 30 minutes or, if the
directory is large and changes frequently, every 10 to 15 minutes.
Schedule the Administration Requests database (ADMIN4.NSF) to
replicate as frequently as you replicate the Domino Directory. The
Administration Process, which simplifies some administration tasks, uses
the Administration Requests database and the Domino Directory to do its
work. If the Domino Directory is large, create a Connection document to
schedule replication of only the Domino Directory and the
Administration Requests database.
For information on scheduling replication between servers, see the
chapter “Creating Replicas and Scheduling Replication.” For information
on the Administration Process, see the chapter “Setting Up the
Administration Process.”
Chapter 20
Setting Up the LDAP Service
This chapter describes how to set up a Domino server to use the
Lightweight Directory Access Protocol (LDAP) service.
The LDAP service
LDAP, Lightweight Directory Access Protocol, is a standard
Internet protocol for searching and managing entries in a directory,
where an entry is one or more attributes associated with a
distinguished name. A distinguished name — for example, cn=Phyllis
Spera,ou=Sales,ou=East,o=Acme — is a name that identifies an entry
within a directory tree. A directory can contain many types of entries —
for example, entries for users, groups, devices, and application data.
Commercial Internet clients such as Netscape Mail, Microsoft Internet
Explorer, and Notes clients with LDAP accounts use LDAP to look up
directory information, for example during mail addressing. You can also
develop LDAP applications to search and manage directory contents.
Read about the ldapsearch utility provided with Domino and Notes to
learn about LDAP search syntax.
For information on the ldapsearch utility, see the chapter “Using the
ldapsearch Utility.”
Running the LDAP task on a server enables the LDAP service to process
LDAP client requests.
LDAP service features
The LDAP service supports these features:
• Support for LDAP v3 and v2 clients
• Anonymous access, name-and-password authentication, secure sockets
layer (SSL) connections and X.509 certificate authentication, and the
Simple Authentication and Security Layer (SASL) protocol
• LDAP operations extended beyond the primary Domino Directory to
secondary Domino Directories and to directory catalogs
• LDAP referrals to remote LDAP directories
• Support for LDAP search, add, modify, modifyDN, compare, and
delete operations
• Two methods for schema extension, and support for schema
publishing and schema checking
• LDAP language tags to support LDAP searches in alternate languages
• Use of a third-party, LDAP-compliant server — such as the Netscape
Enterprise Server — to authenticate users that have passwords or
X.509 certificates stored in the Domino Directory on a Domino server
running the LDAP service. For information on setting up a
third-party server to use the Domino Directory for client
authentication, see the documentation for the server.
• LDAP searches of document text in databases configured in a
Domain Catalog
In addition to the LDAP service, Domino and Notes offer these LDAP
features:
• Notes client support for LDAP. For more information, see Notes 6
Help.
• Command-line utility, ldapsearch, for searching LDAP directories
• Migration tools that use LDAP to import entries from another LDAP
directory and register the entries in Domino
• LDAP C API Toolkit
How the LDAP service works
When the LDAP task is running on a server, the server can listen for and
process LDAP client requests. By default, the LDAP task runs
automatically on the administration server for the Domino Directory. The
schema daemon spawned by the LDAP task on the administration server
uses the Domino LDAP Schema database to propagate schema changes
to any other servers in the domain that run the LDAP service. The LDAP
task on the administration server for the domain’s Domino Directory
also verifies the directory tree to ensure that the LDAP service complies
with the standard LDAP requirement that each part of a distinguished
name has an entry in the directory that represents the name part as an
object class.
For information on the schema daemon, see the chapter “Managing the
LDAP Schema.” For more information on directory tree verification, see
the next topic.
In addition to using its primary Domino Directory for processing LDAP
requests, the LDAP service can extend LDAP request processing to
directory catalogs and secondary Domino Directories, and can refer
LDAP clients to remote LDAP directories, if processing is unsuccessful in
any Domino Directory or directory catalog.
By default the LDAP task listens for LDAP client requests over TCP/IP
port 389, and accepts both anonymous connections, and connections that
bind using name-and-password security. The LDAP service can also
listen for requests over an SSL port, usually port 636. The LDAP service
can accept requests over the SSL port from anonymous LDAP clients,
and from LDAP clients authenticated using name-and-password security
and/or X.509 certificates.
To search for an entry specified in an LDAP request, the LDAP service
does either a view lookup or a full-text search, depending on the search
filter specified in the request. View lookups are typically faster than
full-text index searches.
Note The LDAP service always does a full-text search to locate
information in a condensed Directory Catalog set up on the server.
When an LDAP search filter specifies a name or mail attribute, the LDAP
service uses views to quickly locate entries. The PUBNAMES.NTF
template design property for these hidden views has “Universal” with
“Unicode standard sorting” selected for the sort order. Unicode provides
a unique definition for every character an LDAP client can specify
regardless of the language configured on the client. Using Unicode
sorting, the LDAP service can accurately process LDAP requests
specified in different languages when using these views.
If an LDAP search filter searches for an attribute other than a name or
mail attribute, the LDAP service searches the full-text index, if one exists.
If no full-text index exists, the LDAP service uses a view, but the search
will take longer than the full-text index search.
Note The first value in the FullName field defines the distinguished
name for any entry in the Domino Directory except a Domino Group or
Domino Server; the first value in the ListName field defines the
distinguished name for a Domino Group, and the first value in the
ServerName field defines the distinguished name for a Domino Server.
The LDAP service and directory tree verification
When the LDAP service starts on the server that is the administration
server for the primary Domino Directory, it displays these messages at
the server console:
LDAP server: "Started verifying Directory Tree on filename"
LDAP server: "Finished verifying Directory Tree on filename"
These messages indicate that the LDAP service is verifying that each part
of a Notes-style distinguished name in a document in the directory has a
separate document to define the name part. If the LDAP service detects
that a part of a name is missing such a corresponding document, it
creates one in a hidden view. Creating an additional document in this
way ensures that LDAP clients can always use subtree searches to find
the original document.
For example, if the distinguished name in a Person document is Phyllis
Spera/Boston/Acme, and there is no Domino Certifier document
registered for the organizational unit Boston, the LDAP service creates an
organizationalUnit document for Boston. Then, an LDAP user can use a
search filter that specifies a search base of “ou=Boston,o=Acme” with the
subtree scope to find the entry cn=Phyllis Spera,ou=Boston,o=Acme.
If the server running the LDAP service is the administration server for a
Domino Directory or Extended Directory Catalog, the LDAP service can
verify the directory tree. The LDAP service does not verify the directory
tree for a Configuration Directory or for a condensed Directory Catalog.
The LDAP service can create three types of documents, depending on
which part of a Notes distinguished name is missing one: country,
organizationalUnit, and organization documents. The LDAP service adds
such a document when:
A Notes user name is registered with a unique organizational unit
that is not controlled by a certifier. In this case, the LDAP service
creates an organizationalUnit document.
A  Notes user name is registered with a country part. In this case, the
LDAP service creates a country document.
An  administrator creates a document manually that contains a
Notes-style distinguished name with an organizational unit or
organization that doesn’t correspond to a Notes certifier document.
In this case, the LDAP service creates an organizationalUnit or an
organization document.
Directory tree verification applies only to the distinguished names of
documents that are added and visible through Notes, since entries added
through the LDAP protocol always have an object class defined for each
distinguished name part.
Running directory tree verification manually
You can run directory tree verification manually, for example if you’ve
added documents to a directory since you last started the LDAP service.
To run directory tree verification manually, enter this command from the
Domino Directory administration server:
Tell Ldap VerifyDIT
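To make the rule concrete, here is an added example in Python (not Domino code) that models what VerifyDIT does: it converts Notes-style hierarchical names to LDAP distinguished names, lists the container entries each name requires, and reports those that no certifier document defines, together with the object class Domino gives the document it creates. It also builds the creatorsname filter used to find such documents afterwards. The person, certifier and server names are constructed sample data, and treating a trailing two-letter component as a country code is an assumption of the model, since abbreviated Notes names do not mark the country explicitly.

```python
"""Model of Domino directory tree verification (VerifyDIT).

Added example, not Domino code. Every part of a Notes-style distinguished
name must be backed by an entry of the matching object class; this code
works out which container entries a directory would lack if only the
listed certifier documents existed. Names are constructed sample data.
"""
from typing import Dict, Iterable, List, Tuple

# Object class Domino assigns to the document it creates for a name part.
_CONTAINER_CLASS = {"ou": "organizationalUnit", "o": "organization", "c": "country"}


def notes_name_to_rdns(notes_name: str) -> List[Tuple[str, str]]:
    """Split 'Phyllis Spera/Boston/Acme' into RDNs, leaf first:
    [('cn', 'Phyllis Spera'), ('ou', 'Boston'), ('o', 'Acme')].
    Assumption: a trailing two-letter component is a country code."""
    parts = [p.strip() for p in notes_name.split("/") if p.strip()]
    if len(parts) < 2:
        raise ValueError(f"not a hierarchical Notes name: {notes_name!r}")
    common_name, *containers = parts
    country = None
    if len(containers) >= 2 and len(containers[-1]) == 2 and containers[-1].isalpha():
        country = containers.pop()
    organization = containers.pop()  # rightmost remaining part
    rdns = [("cn", common_name)] + [("ou", ou) for ou in containers] + [("o", organization)]
    if country:
        rdns.append(("c", country))
    return rdns


def to_ldap_dn(notes_name: str) -> str:
    return ",".join(f"{attr}={value}" for attr, value in notes_name_to_rdns(notes_name))


def container_entries(notes_name: str) -> List[Tuple[str, str]]:
    """Every ancestor DN of the entry, with the object class it must carry."""
    rdns = notes_name_to_rdns(notes_name)
    return [(",".join(f"{a}={v}" for a, v in rdns[i:]), _CONTAINER_CLASS[rdns[i][0]])
            for i in range(1, len(rdns))]


def certifier_dn(certifier_name: str) -> str:
    """'Boston/Acme' -> 'ou=Boston,o=Acme': a certifier defines that container."""
    return to_ldap_dn("placeholder/" + certifier_name).split(",", 1)[1]


def verify_dit(person_names: Iterable[str], certifier_names: Iterable[str]) -> Dict[str, str]:
    """Return {dn: objectClass} for the container documents VerifyDIT would
    create because no certifier document defines that name part."""
    existing = {certifier_dn(c) for c in certifier_names}
    missing: Dict[str, str] = {}
    for name in person_names:
        for dn, object_class in container_entries(name):
            if dn not in existing:
                missing[dn] = object_class
    return missing


def creatorsname_filter(server_notes_name: str) -> str:
    """LDAP filter that finds the documents the LDAP task on the given
    administration server created, e.g. '(creatorsname=cn=WestServer,o=Acme)'."""
    return f"(creatorsname={to_ldap_dn(server_notes_name)})"


if __name__ == "__main__":
    people = ["Phyllis Spera/Boston/Acme", "Randi Bowker/Marketing/East/Acme"]
    certifiers = ["Acme", "East/Acme"]  # no certifier exists for Boston or Marketing
    for dn, object_class in sorted(verify_dit(people, certifiers).items()):
        print(f"would create {object_class:<18} {dn}")
    print(creatorsname_filter("WestServer/Acme"))
```

Running the module lists ou=Boston,o=Acme and ou=Marketing,ou=East,o=Acme as the organizationalUnit documents verification would add, which is exactly why a subtree search under ou=Boston,o=Acme can find Phyllis Spera even though Boston was never a certifier.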
Finding the documents that directory tree verification creates
To find the documents created by directory tree verification, use an
LDAP client and specify the following search filter:
"creatorsname=servername"
where servername is the name of the Domino server that created the
documents. Specify the name in LDAP format, for example:
"creatorsname=cn=westserver,o=acme"
How the LDAP service forms a value for the mail attribute
To return a value for the mail attribute for a Person, Group, Mail-In
Database, or Resource document, the LDAP service searches for the
following, in this order:
1. A fully formed Internet address in one of these fields, in the order
indicated:
a. Internet Address (InternetAddress)
b. Short Name (ShortName) — If the “Internet Address Lookup”
field on Conversions tab of a Global Domain document is
disabled, the LDAP service doesn’t look for a short name.
c. Forwarding address (MailAddress) — “Forwarding address” is
the label for this field for Notes mail users, but the label is
different if another mail system is specified for a user.
2. Rules specified below the “Internet address lookup” field in the
SMTP Address Conversion section on the Conversions tab of a
Global Domain document. If your organization uses more than one
Global Domain document, you must select “Yes” in the “Use as
default Global Domain” field of the Global Domain document you
want to use.
3. A DNS domain name retrieved from the operating system of the
machine on which the LDAP service runs. The syntax is:
user's hierarchical name%notesdomain@hostname
For example, Randi
Bowker/Marketing/East/Acme%Acme@acme.com
Note If an extended ACL denies an LDAP user access to the LDAP mail
attribute or the corresponding Domino InternetAddress field, the LDAP
service does not follow the above steps to derive an address for the entry
to return to the LDAP user.
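The lookup order above, as an added Python example that is not Domino code. The Person document items, the Global Domain settings, the Notes domain and the host name are constructed sample data; the conversion rule is a stand-in for whatever SMTP Address Conversion rules a real Global Domain document specifies, and the extended ACL decision is modelled as a flag passed in by the caller.

```python
"""Model of how the Domino LDAP service derives the 'mail' attribute.

Added example, not Domino code. Documents are dicts of item name -> list
of values, as Notes stores them. The lookup order is the one documented:
InternetAddress, ShortName (only if Internet Address Lookup is on),
MailAddress, then the Global Domain conversion rules, then a fallback of
hierarchical name%NotesDomain@host.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

Document = Dict[str, List[str]]

# "Fully formed" here means local-part@dotted.domain with no whitespace.
_INTERNET_ADDRESS = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def is_internet_address(value: Optional[str]) -> bool:
    return bool(value) and _INTERNET_ADDRESS.match(value) is not None


@dataclass
class GlobalDomain:
    # "Internet Address Lookup" field on the Conversions tab
    internet_address_lookup: bool = True
    # Stand-in for the SMTP Address Conversion rules below that field
    conversion_rule: Optional[Callable[[Document], Optional[str]]] = None


def first_lastname_rule(domain: str) -> Callable[[Document], Optional[str]]:
    """Constructed sample rule: firstname.lastname@domain from the common
    name part of FullName. Real rules come from the Global Domain document."""
    def rule(doc: Document) -> Optional[str]:
        common_name = (doc.get("FullName") or [""])[0].split("/")[0].strip()
        return ".".join(common_name.lower().split()) + "@" + domain if common_name else None
    return rule


def derive_mail(doc: Document, gd: GlobalDomain, notes_domain: str,
                host_name: str, xacl_denies_mail: bool = False) -> Optional[str]:
    """Return the value the LDAP service would return as 'mail', or None."""
    # An extended ACL that denies mail/InternetAddress stops the derivation.
    if xacl_denies_mail:
        return None
    # Step 1: a fully formed Internet address in InternetAddress, then every
    # ShortName value (only with Internet Address Lookup on), then MailAddress.
    candidates: List[str] = list(doc.get("InternetAddress") or [])[:1]
    if gd.internet_address_lookup:
        candidates.extend(doc.get("ShortName") or [])
    candidates.extend((doc.get("MailAddress") or [])[:1])
    for value in candidates:
        if is_internet_address(value):
            return value
    # Step 2: the default Global Domain document's address conversion rules.
    if gd.conversion_rule is not None:
        converted = gd.conversion_rule(doc)
        if converted:
            return converted
    # Step 3: hierarchical name % Notes domain @ host name of the LDAP server.
    return f"{(doc.get('FullName') or [''])[0]}%{notes_domain}@{host_name}"


# Constructed sample Person document: a Notes forwarding address only,
# which is not a fully formed Internet address (no dotted domain).
PERSON: Document = {
    "FullName": ["Randi Bowker/Marketing/East/Acme"],
    "ShortName": ["rbowker"],
    "MailAddress": ["rbowker@Acme"],
}

if __name__ == "__main__":
    print(derive_mail(PERSON, GlobalDomain(), "Acme", "acme.com"))
    print(derive_mail(PERSON, GlobalDomain(conversion_rule=first_lastname_rule("acme.com")),
                      "Acme", "acme.com"))
    print(derive_mail(PERSON, GlobalDomain(), "Acme", "acme.com", xacl_denies_mail=True))
```

With no Internet address and no conversion rule the sample falls through to Randi Bowker/Marketing/East/Acme%Acme@acme.com, the same shape as the example above; adding a conversion rule or an InternetAddress value short-circuits earlier, and an extended ACL denial returns nothing at all.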
The LDAP service and secondary directories
You can set up directory assistance on a server that runs the LDAP
service to:
• Process LDAP search requests using secondary Domino Directories
and Extended Directory Catalogs. These directories can be either
local or remote to the server running the LDAP service.
• Process LDAP write requests to secondary Domino Directories and
Extended Directory Catalogs
• Refer LDAP clients to remote LDAP directories when searches are
unsuccessful in any Domino Directory or directory catalog.
• Use secondary Domino Directories, Extended Directory Catalogs,
and/or remote LDAP directories to look up the authentication
credentials of LDAP clients connecting to the LDAP service.
• Look up the members of groups used in the access control lists
(ACLs) of the directories served by the LDAP service in one of the
following directories, in addition to the primary Domino Directory:
secondary Domino Directory, Extended Directory Catalog, or remote
LDAP directory.
• Prevent the LDAP service from carrying out LDAP operations in the
primary Domino Directory.
If a server that runs the LDAP service is set up to use a condensed
Directory Catalog, the LDAP service searches the directory catalog
automatically after searching the primary Domino Directory. Note that
an Extended Directory Catalog, rather than a condensed Directory
Catalog, is recommended for use on servers.
For more information, see the chapters “Setting Up Directory Assistance”
and “Setting Up Directory Catalogs.”
Setting up the LDAP service
Before you set up the LDAP service, make sure you understand TCP/IP
concepts, including DNS host names and IP addressing.
Follow these steps to set up a server to run the LDAP service:
1. The LDAP task runs automatically on the administration server for
the primary Domino Directory. On other servers in the domain, run
the LDAP task manually.
2. If your organization uses more than one Global Domain document,
specify the one that the LDAP service uses to return Internet
addresses to LDAP clients. Open the Global Domain document. In
the “Use as default Global Domain” field, choose Yes.
3. (Optional) Customize the default LDAP service configuration. In
many cases, the LDAP service default settings are adequate.
4. To check whether you set up the LDAP service correctly, use an
LDAP search utility such as ldapsearch provided with Notes and
Domino, to issue a query to the LDAP service.
5. Set up LDAP clients to connect to the LDAP service.
If clients wish to connect to the LDAP service over the Internet,
connect the server that runs the LDAP service to an Internet service
provider (ISP), and register the server’s DNS name and IP address
with the ISP.
For information on troubleshooting problems with the LDAP service, see
the chapter “Troubleshooting.”
Note A server that runs the LDAP service on the Windows platform
should not use the system’s name as the Domino server name.
For more information, see the chapter “Setting Up the Domino
Network.”
Starting and stopping the LDAP service
The following table describes the ways to start and stop the LDAP
service.

To do this: Start the LDAP service automatically when you start Domino
Perform this task: Edit the ServerTasks setting in the NOTES.INI file to
include the LDAP task. Domino adds the LDAP task to the ServerTasks
setting automatically on the administration server for a domain Domino
Directory, or if you select the option “Directory services (LDAP
services)” during server setup.

To do this: Start the LDAP service manually
Perform this task: Enter Load LDAP at the console.

To do this: Stop and restart the LDAP service
Perform this task: Enter Restart Task LDAP at the console.

To do this: Stop the LDAP service
Perform this task: Enter Tell LDAP Quit at the console.
For information on the NOTES.INI file and on server commands, see the
appendices.
Preventing the LDAP service on the administration server for the
Domino Directory from processing LDAP client requests
You can prevent the administration server for the Domino Directory
from processing LDAP requests, and leave this processing to another
server or servers in the domain that run the LDAP service. Prevent the
administration server from LDAP request processing, for example, if the
LDAP ports on the administration server conflict with the operating
system. When you disable the LDAP ports on the Domino Directory
administration server, the LDAP service on the server continues to run
the schema daemon and verify the directory tree for the domain, but
does not accept LDAP client requests.
To disable the LDAP ports:
1. Open the Server document of the Domino Directory administration
server.
2. Click Edit Server.
3. Click the Ports - Internet Ports - Directory tab.
4. In the “SSL port status” and “TCP/IP port status” fields, choose
Disabled.
5. Click Save & Close.
6. If necessary, wait for the change to replicate to the Domino Directory
administration server for the domain, then enter this command on
the Domino Directory administration server to put the changes into
effect:
Restart Task LDAP
The server console displays the message:
"LDAP Server: No ports enabled, listener not started but
control task running to maintain schema."
Disabling the LDAP service in a domain
If you do not want to run the LDAP service on any server in a domain,
you can stop the LDAP service from running on the administration
server for the Domino Directory. Do the following on the administration
server:
1. Add the NOTES.INI setting DisableLDAPOnAdmin=1.
2. Remove LDAP from the ServerTasks NOTES.INI setting.
Customizing the LDAP service configuration
The default LDAP service configuration works without modification, but
you can customize it to suit your needs. The following table describes the
LDAP service configuration settings. In addition to the settings in the
table, there are NOTES.INI settings you can use to configure the LDAP
service.
For more information, see the topic “NOTES.INI settings for the LDAP
service” later in the chapter.
Except where noted in the table, restarting the LDAP task or the Domino
server is unnecessary after changing a setting because the task checks for
setting changes automatically, by default at three-minute intervals. You
can use the NOTES.INI setting LDAPConfigUpdateInterval to change the
interval at which the LDAP service checks for changes to its settings.

Setting: Port and port security settings (1)
Description: Controls the ports LDAP clients can use to connect to the
LDAP service, and the authentication methods enabled for each port.
Default: TCP/IP port 389 enabled for name-and-password authentication
and for anonymous access. Changing requires restarting the LDAP task.
For more information: See the topic “Changing the LDAP service port and
port security configuration.”

Setting: “Automatically Full Text Index Domino Directory?” (4)
Description: Controls whether the LDAP service creates and updates
full-text indexes on the Domino Directories it serves. Default: does not
create full-text indexes.
For more information: See the topic “Full-text indexing directories
served by the LDAP service.”

Setting: “Choose fields that anonymous users can query via LDAP” (2, 3)
Description: If the port settings allow anonymous access, controls which
attributes anonymous LDAP users can search. Changing requires
restarting the server.
For more information: See the topic “Configuring anonymous LDAP
search access to a directory.”

Setting: “Allow LDAP users write access” (3)
Description: Controls whether LDAP users can modify a directory.
Default: LDAP modifications not allowed. Changing requires restarting
the server.
For more information: See the topic “Using LDAP to modify a directory
served by the LDAP service.”

Setting: “Rules to follow when this directory...” (4)
Description: Controls how the LDAP service responds when it encounters
more than one entry or naming rule that applies to an LDAP add, modify,
or compare operation. Default: don’t carry out the operation.
For more information: See the topic “Configuring how the LDAP service
responds to multiple name matches when processing write and compare
operations.”

Setting: “Timeout” (4)
Description: Controls the maximum time allowed to process an LDAP
search. Default: no limit.
For more information: See the topic “Customizing search processing to
improve LDAP service performance.”

Setting: “Maximum number of entries returned” (4)
Description: Controls the maximum number of entries that the LDAP
service can return in response to an LDAP search. Default: no limit.
For more information: See the topic “Customizing search processing to
improve LDAP service performance.”

Setting: “Minimum characters for wildcard search” (4)
Description: Controls the minimum number of characters users must
place before the first wildcard in a substring search filter. Default: 1.
For more information: See the topic “Customizing search processing to
improve LDAP service performance.”

Setting: “Allow Alternate Language Information processing” (4)
Description: Controls whether LDAP users can do alternate language
searches. Default: not allowed.
For more information: See the topic “Enabling LDAP alternate language
searches.”

Setting: “Enforce schema?” (4)
Description: Controls whether directory modifications through LDAP
must conform to the schema. Default: schema enforced.
For more information: See the topic “Enabling or disabling schema
checking.”

Setting: “DN Required on Bind?” (4)
Description: Controls whether the LDAP service requires clients to log on
with distinguished names for name-and-password authentication.
Default: distinguished logon names not required.
For more information: See the topic “Requiring distinguished logon
names for LDAP name-and-password security.”

Setting: “Encode results in UTF8 for LDAP-v2 clients?” (4)
Description: Controls whether the LDAP service returns results in UTF8
to LDAP v2 clients. Default: returns results in UTF8 to v2 clients.
For more information: See the topic “Configuring character encoding for
LDAP V2 clients.”

Setting: “Maximum number of referrals” (4)
Description: Controls the maximum number of directory server referrals
the LDAP service can return to a client. Default: 1.
For more information: See the topic “Configuring the number of referrals
the LDAP service can return.”

Setting: “Activity Logging truncation size” (4)
Description: Controls the size of the information Activity Logging can
log for an LDAP Add or Modify operation. Default: 4096 bytes.
For more information: See the topic “Limiting the amount of attribute
information logged for LDAP Add and LDAP Modify activity.”

(1) Set in the Server document of each server that runs the LDAP service.
To configure authentication options for the ports enabled in a Server
document, you can instead use a Directory Site document. Using the site
document to configure authentication options is required in a hosted
organization environment.
(2) Alternatively, use the database ACL/extended ACL to specify
anonymous LDAP search access.
(3) Set in the domain Configuration Settings document of each Domino
Directory and Extended Directory Catalog the LDAP service serves. Each
directory can have different settings.
(4) Set in the domain Configuration Settings document of the primary
Domino Directory of the servers that run the LDAP service in a domain.
The setting applies to the LDAP service running on any server in the
domain.
For information on the “Activity Logging truncation size” setting, see the
chapter “Setting Up Activity Logging.” For information on the “Enforce
schema?” setting, see the chapter “Managing the LDAP Schema.”
Changing the LDAP service port and port security configuration
By default, LDAP clients can connect to the LDAP service over TCP/IP
port 389, anonymously or using name-and-password authentication. By
default, LDAP clients cannot connect using SSL.
Note To authenticate using name-and-password security some LDAP
clients, for example Netscape Mail, Microsoft Internet Explorer, and
Notes clients with LDAP accounts, first do an anonymous search to
retrieve the distinguished names used for the authentication, so that
users don’t have to specify the distinguished names themselves. To
enable such clients to authenticate using names and passwords, you
must enable anonymous access, as well as name and password
authentication, for the LDAP service port the clients use to connect. You
must also allow anonymous read access to the attribute(s) the clients use
to search the directory anonymously to retrieve the distinguished names.
Attributes typically searched for are cn, uid, sn, givenname, or mail.
Follow these steps to change the LDAP service port and port security
configuration on a specific server that runs the LDAP service:
1. From the Domino Administrator, click the Configuration tab.
2. In the left pane, expand Server and open the Server document for the
server that runs the LDAP service.
3. Click Edit Server.
4. Click the Ports - Internet Ports - Directory tab.
Note If you are administering a hosted organization environment,
an asterisk (*) in the following tables indicates options you must
specify instead in a Internet Site document. In a non-hosted
organization environment, you can use the Internet Site document,
but you aren’t required to.
For information on using Internet Site documents, see the chapter
“Installing and Setting Up Domino Servers.”
5. To change the TCP/IP port configuration for the LDAP service,
complete these fields:

Field: TCP/IP port number
Enter: Choose 389 (default) to use the industry standard port for LDAP
connections over TCP/IP. You can specify a different port, but 389 works
in most situations.

Field: TCP/IP port status
Enter: Choose one:
• “Enabled” (default) to allow LDAP clients to connect to the server
without using SSL.
• “Redirect to SSL” to direct LDAP clients connecting without using SSL
to use SSL instead. The LDAP service returns a message to LDAP clients
indicating that they must connect over SSL.
• “Disabled” to prevent LDAP clients from connecting using the TCP/IP
port.

Field: Enforce server access settings
Enter: Choose one:
• Yes to apply the “Access server” and “Not access server” settings set in
the Server Access section on the Security tab of this Server document to
authenticated LDAP clients connecting to the LDAP service over the
TCP/IP port.
• No (default) to specify that the LDAP service ignore the Server Access
settings.

Field: Authentication options: Name & Password*
Enter: If the “TCP/IP port status” field is set to Enabled, choose one:
• Yes (default) to allow LDAP clients to use name-and-password
authentication when connecting using the TCP/IP port.
• No to prevent LDAP clients from using name-and-password
authentication when connecting using the TCP/IP port.

Field: Authentication options: Anonymous*
Enter: If the “TCP/IP port status” field is set to Enabled, choose one:
• Yes (default) to allow LDAP clients to connect anonymously using the
TCP/IP port.
• No to prevent LDAP clients from connecting anonymously using the
TCP/IP port.

For more information on server access settings, see the chapter
“Controlling Access to Domino Servers.” For more information on
the authentication options, see the chapter “Setting Up
Name-and-Password and Anonymous Access to Domino Servers.”
6. To change the SSL port configuration for the LDAP service, complete
these fields:

Field Enter

SSL port
Choose 636 (default) to use the industry standard port number for
LDAP connections over SSL. You can specify a different port, but 636
works in most situations.

SSL port status
Choose one:
• “Enabled” to allow LDAP clients to connect to the LDAP service over
SSL.
• “Disabled” (default) to prevent LDAP client connections over SSL.

Authentication options: Client certificate*
If “SSL port status” is set to Enabled, choose one:
• Yes to allow LDAP clients to use client certificate authentication
when connecting.
• No (default) to prevent the LDAP service from using client
certificate authentication.

Authentication options: Name & password*
If the “SSL port status” field is set to Enabled, choose one:
• Yes to allow LDAP clients to use name-and-password authentication
when connecting to the LDAP service over SSL.
• No (default) to prevent LDAP clients from using name-and-password
authentication over SSL.

Authentication options: Anonymous*
If the “SSL port status” field is set to Enabled, choose one:
• Yes (default) to allow LDAP clients to connect to the LDAP service
anonymously over SSL.
• No to prevent anonymous SSL connections.

For more information, see the chapters “Setting Up Clients for S/MIME
and SSL” and “Setting Up Name-and-Password and Anonymous Access to
Domino Servers.”
7. Click Save & Close.
8. If you made the changes on a different server than the one for which
you are configuring the LDAP service, replicate the changes to the
server that runs the LDAP service.
9. Enter the following command on the server that runs the LDAP
service to put the changes into effect:
Restart Task LDAP
20-14 Administering the Domino System, Volume 1
Full-text indexing directories served by the LDAP service
The LDAP service uses hidden views in a Domino Directory or
Extended Directory Catalog to search for entries when LDAP users
specify names or mail addresses in search filters. When LDAP users
specify other attributes as search criteria, the LDAP service searches
the full-text index, if one has been created. If your LDAP users search
on attributes other than names or mail addresses, create a full-text
index for the directories the LDAP service serves to improve the speed
of these searches.
Note The LDAP service always searches the full-text index to find
information in a condensed Directory Catalog set up on the server.
You can configure the LDAP service so that the Indexer creates full-text
indexes automatically on the Domino Directories the LDAP service
serves. To enable or disable automatic creation of full-text indexes on
the Domino Directories and Extended Directory Catalogs the LDAP
service serves:
1. From the Domino Administrator, open the server that runs the LDAP
service, or a server in the same domain as the one that runs the
LDAP service.
2. Click the Configuration tab.
3. In the left pane, expand Directory, then LDAP, and then select
Settings.
4. Do one of the following:
If you see the prompt “Unable to locate a Server Configuration
document for this domain. Would you like to create one now?” click
Yes, then click the LDAP tab on the document.
If you do not see the prompt, click “Edit LDAP Settings.”
5. Next to “Automatically Full Text Index Domino Directory?” choose
one:
• Yes to enable the LDAP service to create and update full-text
indexes automatically.
• No (default) to prevent the LDAP service from creating and updating
full-text indexes automatically.
6. Click Save & Close.
7. If you selected No to disable this feature, you must manually delete
any full-text indexes you want to remove.
Setting Up the LDAP Service 20-15
Directory Services
Configuring anonymous LDAP search access to a directory
If the TCP/IP and/or SSL port configuration for the LDAP service allows
anonymous LDAP access, use one of these tools to specify which
information anonymous LDAP users can search in a Domino Directory
or an Extended Directory Catalog served by the LDAP service:
• Domain Configuration Settings document
• Database ACL/extended ACL
You specify anonymous search access separately for each directory the
LDAP service serves.
Note Always use the directory database ACL, optionally with an
extended ACL, to control directory access for authenticated LDAP users,
and to prevent anonymous LDAP users from modifying the directory.
Domain Configuration Settings document
The “Choose fields that anonymous users can query via LDAP” setting
on the LDAP tab of a domain Configuration Settings document in a
Domino Directory or Extended Directory Catalog is the default method
used to determine search access for anonymous LDAP users. The LDAP
service uses the default settings in this document as the default
anonymous search access, even if you do not create the document.
You can modify the “Choose fields that anonymous users can query via
LDAP” setting to customize search access for anonymous LDAP users.
Database ACL/Extended ACL
You can use the database ACL along with an extended ACL to define
anonymous LDAP search access to a directory, rather than use the
domain Configuration Settings document.
For information on extended ACLs, see the chapter “Setting Up
Extended ACLs.”
Choosing which method to use
The database ACL/extended ACL is a more flexible method of
controlling anonymous LDAP search access than the domain
Configuration Settings document. For example, when you use the
domain Configuration Settings document to allow or deny access to an
attribute, the access applies to all entries that contain the attribute.
However, when you use the database ACL/extended ACL, you can deny
access to an attribute contained in entries at a particular branch of the
directory tree, but allow access to the same attribute contained in entries
located at other branches. Or you can deny access to the attribute in a
particular type of entry throughout the directory, but allow access to it in
another type of directory entry.
However, there are implications to using extended access that don’t apply
to the use of the domain Configuration Settings document. For example,
after you enable extended access, you can make directory changes only on
a directory replica located on a Lotus Domino 6 server, and not on a
server from a previous release of Domino. The database ACL/extended ACL
method also causes database security to be enforced for Notes name
lookups, such as type-ahead lookups. If the domain Configuration Settings
document method is adequate for your needs, it may make sense to use it
instead.
Anonymous LDAP search access and upgrades from previous
releases
If you upgrade a server from a previous release to Lotus Domino 6, the
LDAP service uses the LDAP anonymous access configuration from the
previous release. If you create or edit the domain Configuration Settings
document after updating the directory with the Lotus Domino 6
PUBNAMES.NTF design, the list of attributes allowed for anonymous
access include the following attributes not listed in previous releases:

Attributes:
altServer, attributeTypes, c, cn, createTimestamp, creatorsName, dc,
ditContentRules, extendedAttributeInfo, extendedClassInfo, l,
ldapSyntaxes, modifiersName, modifyTimestamp, namingContexts, o,
objectClass, objectClasses, ou, st, street, subschemasubentry,
supportedControl, supportedExtension, supportedLDAPVersion,
supportedSASLMechanisms, vendorname, vendorversion

These attributes were not listed in previous releases because you
could not prevent anonymous LDAP access to them — in previous
releases anonymous LDAP users always had search access to these
attributes. In Lotus Domino 6, you can deny anonymous LDAP search
access to the attributes above, although they are allowed for anonymous
search access by default to be consistent with the anonymous search
behavior of previous releases.
Using the domain Configuration Settings document to customize
anonymous LDAP search access to a directory
To use the domain Configuration Settings document to customize
anonymous LDAP search access to a specific Domino Directory or
Extended Directory Catalog served by the LDAP service, first open the
document, then configure anonymous search access.
Step 1: Open the domain Configuration Settings document in the
directory
To open the domain Configuration Settings document for the primary
Domino Directory:
1. From the Domino Administrator, open a server within the domain
that runs the LDAP service.
2. Click the Configuration tab.
3. In the left pane, expand Directory, then LDAP, and then select Settings.
4. Do one of the following:
If you see the prompt “Unable to locate a Server Configuration
document for this domain. Would you like to create one now?” click
Yes, then click the LDAP tab on the document.
If you do not see the prompt, click “Edit LDAP Settings.”
To open the domain Configuration Settings document for a secondary
Domino Directory (a Domino Directory that is not the directory for the
domain) or for an Extended Directory Catalog:
1. From the Domino Administrator, open the directory.
2. Select the Servers - Configurations view.
3. The domain Configuration Settings document appears in the view as
* - [All Servers]. If you do not see it, skip to step 4. If you do see
it, do the following:
a. Open the document
b. Click the LDAP tab.
c. Click Edit Server Configuration.
4. If you do not see a domain Configuration Settings document in the
view, create one by doing the following:
a. Click Add Configuration.
b. On the Basics tab select Yes next to “Use these settings as the
default settings for all servers.”
c. Click the LDAP tab.
Step 2: Customize anonymous LDAP search access to the directory
After you have opened the domain Configuration Settings document for the
directory, follow these steps to customize anonymous LDAP search access:
1. Next to “Choose fields that anonymous users can query via LDAP”
select “Select Attribute Types” to open the LDAP Attribute Type
Selection dialog box.
The “Queriable Attribute Types” box at the right of the dialog box
shows the attributes anonymous LDAP users can access.
2. To add an attribute to the “Queriable Attribute Types” box to allow
anonymous LDAP users to access the attribute:
a. In the Object Classes box, select an object class that contains the
attribute.
b. Click “Display Attributes” to display in the “Selectable Attribute
Types” box all the attributes defined for the selected object class(es).
c. Select the attribute in the “Selectable Attribute Types” box that
you want to allow anonymous LDAP users to access, and click
Add to add the attribute to the “Queriable Attribute Types” box.
You can select more than one attribute.
Or, to add all the attributes listed in the “Selectable Attribute
Types” box, click Add All.
When you allow anonymous access to an attribute, the access applies
to all object classes for which that attribute is defined.
3. To remove an attribute from the “Queriable Attribute Types” box to
prevent anonymous LDAP users from accessing the attribute, select
the attribute and click Remove. Or, to remove all attributes, click
Remove All.
Tip To revert the “Queriable Attribute Types” box to the attributes
the LDAP service allows for anonymous LDAP access by default,
click “Use Default Values.”
4. Click OK to close the LDAP Attribute Type Selection dialog box.
5. Click Save & Close to save the changes in the Configuration Settings
document.
6. Do the following for each server in the domain that runs the LDAP
service:
a. If you made the changes to a Domino Directory replica on a
different server, replicate the changes to the server.
b. Enter the following command on the server to put the changes
into effect:
Converting the default anonymous access settings to database ACL
and extended ACL settings
As soon as you select the advanced ACL option “Enable Extended
Access” for a directory served by the LDAP service, the “Choose fields
that anonymous users can query via LDAP” setting stops controlling
anonymous LDAP search access and is no longer visible in the domain
Configuration Settings document.
To convert the default anonymous search access settings set in the
domain Configuration Settings document to database ACL and extended
ACL settings for a Domino Directory or Extended Directory Catalog, do
the following:
1. Make sure you have read thoroughly the documentation on
Extended ACLs.
For more information, see the chapter “Setting Up Extended ACLs.”
2. Open the directory and select “Enable Extended Access” in the
Advanced tab of the database ACL.
3. On the Basics tab of the ACL, give the Anonymous entry Reader
access.
4. Click Extended Access and set the access as follows:
5. Select / (root) as the target.
6. Add Anonymous as a subject at / (root).
7. Leave “This container and all descendants” selected as the scope.
8. For the default privileges, click Allow Browse and click Deny Create,
Delete, Read, and Write.
9. Click Form and Field Access.
10. Next to Schema, select Domino.
11. In the Forms box, select Person.
12. With the Person form still selected, select each of the following fields
in the Fields box, and for each field click Allow Read:
AltFullName
Certificate
FirstName
InternetAddress
LastName
Location
MailAddress
MailDomain
O
OfficeCity
OfficeCountry
OfficeState
OU
PublicKey
ShortName
Street
Type
UserCertificate
13. In the Forms box, select Group.
14. With the Group form still selected, select each of the following fields
in the Fields box, and for each field click Allow Read:
InternetAddress
MailDomain
Members
Type
15. Next to Schema, select LDAP.
16. In the Object Classes box, select dominoPerson.
17. With the dominoPerson object class still selected, in the Attributes
box select cn and click Allow Read.
18. Click OK twice, and when you see the prompt “Save changes before
exiting?” Click Yes.
Note If you disable “Enable Extended Access” in a directory ACL, the
default settings in the “Choose fields that anonymous users can query via
LDAP” setting in the domain Configuration Settings document resume
control of anonymous LDAP search access for the directory.
Using LDAP to modify a directory served by the LDAP service
By default, the LDAP service does not allow LDAP clients to modify the
directories the LDAP service serves. However, you can enable LDAP
write access for any of the following directories to allow LDAP users
with the required database access to modify the directories:
• Primary Domino Directory of the LDAP service
• Secondary Domino Directory or Extended Directory Catalog the LDAP
service serves
You control LDAP write access separately for each directory. For
example, you could enable write access for the primary Domino
Directory, and leave write access disabled for an Extended Directory
Catalog.
Note You cannot enable LDAP write access to a condensed Directory
Catalog served by the LDAP service.
Keep the following points in mind if you enable LDAP write access for a
directory:
1. Domino does not provide a tool for doing LDAP write operations;
you must develop or obtain one.
2. If you allow LDAP write access, use the directory database ACL, and
optionally, extended ACL, to control the directory changes that
LDAP users can make.
3. Enable schema checking for the LDAP service to require that
directory changes made via LDAP conform to the directory schema.
By default, schema checking is disabled. If you allow LDAP write
operations, enabling it is recommended to maintain consistent
directory contents.
4. The Administration Process server task doesn’t respond to LDAP
write operations. For example, if an LDAP user deletes a Person
document, the Administration Process can’t delete the associated
user name from database ACLs.
5. The LDAP service can carry out an LDAP write operation in a
secondary Domino Directory or Extended Directory Catalog only if
that directory is stored locally on the server that runs the LDAP
service. If the LDAP service receives a write operation request for a
Domino Directory on a remote server, it sends an LDAP referral to
the client. The LDAP service refers the client to the administration
server for the directory. If there is no administration server specified,
it refers the client to the remote server that stores the directory. The
client must then follow the referral itself.
Note If you enable LDAP write access to a secondary Domino
Directory, do not use a condensed Directory Catalog that aggregates
that directory on a server that runs the LDAP service.
6. The distinguished names of directory entries are limited to 256
characters. Distinguished names do not have to conform to the
standard Notes naming model of organizational unit (ou),
organization (o), and country (c). For example, distinguished names
such as these are acceptable:
dn: cn=Jay Walker + uid=123456,u=Sales,o=Widget Inc.,c=GB
dn: foo=Bar, o=Acme
dn: cn=L. Eagle,o=Sue\, Grabbit and Runn,c=GB
Names such as these are recommended primarily for entries that are
accessed through LDAP only, since Notes users may find them
confusing.
7. Prior to doing batch adds of 100 or more directory entries, you can
use the NOTES.INI setting LDAPBatchAdds to process the additions
more quickly. Disable the setting when the batch adds are complete.
8. You can’t modify the value of an entry’s structural object class
attribute.
Enabling or disabling LDAP write access to a directory served by
the LDAP service
By default, the LDAP service does not allow LDAP clients to modify the
directories the LDAP service serves. If you enable directory changes to be
made via LDAP, the directory database ACL and, optionally, an
extended ACL, control the extent to which authenticated and anonymous
LDAP users can modify directory entries. For example, an LDAP user
with Editor database ACL access can modify all entries, whereas an
LDAP user with only Author database ACL access and the UserModifier
role can modify only Person entries and not other entries.
To enable or disable LDAP write access to the primary Domino Directory
of the LDAP service, or to a secondary Domino Directory or Extended
Directory Catalog the LDAP service serves:
1. From the Domino Administrator, open the directory for which you
want to enable write access.
2. Select the Servers - Configurations view.
3. The domain Configuration Settings document appears in the view as
* - [All Servers]. If you do not see it, skip to step 4. If you do see
it, do the following:
a. Open the document
b. Click the LDAP tab.
c. Click Edit Server Configuration.
4. If you do not see a domain Configuration Settings document in the
view, create one by doing the following:
a. Click Add Configuration.
b. On the Basics tab select Yes next to “Use these settings as the
default settings for all servers.”
c. Click the LDAP tab.
Tip If you are enabling write access for the primary Domino
Directory in the domain, a shortcut for steps 2-4 is: from the Domino
Administrator open the server that stores the directory; click the
Configuration tab; in the left pane expand Directory, then LDAP, and
then select Settings; click Edit LDAP Settings.
5. Next to “Allow LDAP users write access” choose one:
• Yes to allow directory changes via LDAP.
• No (default) to prevent directory changes via LDAP.
6. Click Save & Close.
7. For each server in the domain that runs the LDAP service, do the
following:
a. If you made the changes to a Domino Directory replica on a
different server, replicate the changes to the server.
b. Enter the following command on the server to put the changes
into effect:
Restart Server
8. If you enabled LDAP write access, set up the database ACL, and
optionally extended ACL, to specify the directory contents that
LDAP users can modify.
For more information, see the chapters “Setting Up the Domino
Directory” and “Setting Up Extended ACLs.”
9. Configure how the LDAP service responds when it finds more than
one occurrence of a name specified in an LDAP write operation.
Configuring how the LDAP service responds to multiple name
matches when processing write and compare operations
The LDAP service uses its “Rules to follow when this directory is the
primary directory and there are multiple matches on the distinguished
name being compared/modified” setting to determine how to respond
in either of these situations:
• It receives an LDAP modify, modify DN, delete, or compare request
and finds more than one entry, within one directory or across
directories, with a distinguished name that matches the one specified
in the request.
• It receives an LDAP add request and finds more than one Domino
Directory enabled for LDAP clients in its directory assistance
database with a directory assistance naming rule that most
specifically matches the distinguished name specified in the request.
Note that if there is no Domino Directory enabled for LDAP clients in
directory assistance with a rule that matches the distinguished name
specified in an add operation, the LDAP service adds the entry to its
primary Domino Directory. If there is only one Domino Directory
enabled for LDAP clients in directory assistance with a rule that
matches the distinguished name specified in an add operation, the
LDAP service adds the entry to that directory.
For more information on the LDAP service and directory assistance, see
the chapter “Setting Up Directory Assistance.”
To specify the “Rules to follow when this directory is the primary
directory and there are multiple matches on the distinguished name
being compared/modified” for all servers in the domain that run the
LDAP service:
1. From the Domino Administrator, open the server that runs the LDAP
service, or a server in the same domain as the one that runs the
LDAP service.
2. Click the Configuration tab.
3. In the left pane, expand Directory, then LDAP, and then select
Settings.
4. Do one of the following:
If you see the prompt “Unable to locate a Server Configuration
document for this domain. Would you like to create one now?” click
Yes, then click the LDAP tab on the document.
If you do not see the prompt, click “Edit LDAP Settings.”
5. In the “Rules to follow when this directory is the primary directory
and there are multiple matches on the distinguished name being
compared/modified” field, choose one to specify how the LDAP
service responds in the two situations described above:

“Rules to follow...” setting Results

“Don’t modify any” (default)
Prevents the operation from occurring. The LDAP service returns an
error, and you can investigate the duplicate names/naming rules.

“Modify first match”
• Carries out the LDAP modify, delete, or compare operation on the
first entry encountered in a directory enabled for LDAP write
operations that matches the distinguished name specified in the
operation.
• Carries out the LDAP add operation in the Domino Directory
configured in the directory assistance database that is enabled for
LDAP write operations and has the most specific matching rule and the
lowest search order.

“Modify all matches”
• Carries out the LDAP modify, delete, or compare operation on all the
entries encountered that match the distinguished name specified in the
operation.
• Carries out the LDAP add operation in all the Domino Directories
configured in the directory assistance database with a matching rule
that most specifically matches the distinguished name specified in the
add operation, and that are enabled for LDAP write operations.

6. Click Save & Close.


Examples of the "Rules to follow..." setting and LDAP add
operations
Assume the LDAP service uses directory assistance to serve secondary
Domino Directories in Domains B, C, and D, in addition to its primary
Domino Directory. These secondary directories are stored locally on the
server running the LDAP service and are configured in the directory
assistance database as follows:

Domain    Naming rule            Search order
Domain B  */*/*/*/*/*            1
Domain C  */*/*/*/*/*            2
Domain D  */*/*/DomainD/Acme*    3

Note If a directory is stored on a remote server, the LDAP service can
send an LDAP referral to the client but cannot process the add operation
remotely itself.
For more information, see the chapter “Setting Up Directory Assistance.”
The following table provides examples of how the LDAP service
processes add operations as a result of the above directory assistance
configuration and different selections for the “Rules to follow when this
directory is the primary directory and there are multiple matches on the
distinguished name being compared/modified” LDAP service setting.

“Rules to follow...” setting: N/A
Name of entry being added: cn=Kate Power,ou=DomainD,o=Acme
Directory or directories to which entry added: Domain D
Explanation: The Domain D directory is the only directory with a rule
that most specifically matches the name being added.

“Rules to follow...” setting: Modify first match
Name of entry being added: cn=John Ashby,ou=DomainC,o=Acme
Directory or directories to which entry added: Domain B
Explanation: The rules for Domain B and Domain C both match the name
being added; the entry is added to Domain B because it has a lower
search order than Domain C.

“Rules to follow...” setting: Modify all matches
Name of entry being added: cn=John Ashby,ou=DomainC,o=Acme
Directory or directories to which entry added: Domains B and C
Explanation: The rules for Domain B and Domain C both match the name
being added; the entry is added to both directories.

“Rules to follow...” setting: Don’t modify any
Name of entry being added: cn=John Ashby,ou=DomainC,o=Acme
Directory or directories to which entry added: None
Explanation: The rules for Domain B and Domain C both match the name
being added; the entry is not added.
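The following Python script is an added example, not part of the guide and not Domino code. It models two things described above: the distinguished-name formats that LDAP write operations accept (point 6 under “Using LDAP to modify a directory,” including the 256-character limit, escaped commas and multi-valued RDNs), and the directory-assistance selection shown in the add-operation table. It assumes a naming rule is six slash-separated slots OU4/OU3/OU2/OU1/O/C in which “*” matches any value, that OU1 is the organizational unit directly beneath O, that specificity is the number of non-wildcard slots, and that the page’s “*/*/*/DomainD/Acme*” is the six-slot rule “*/*/*/DomainD/Acme/*”; the directory table is taken from the example above.

```python
import re
from fnmatch import fnmatchcase

MAX_DN_LEN = 256  # limit on distinguished names stated in the guide

# Directory assistance configuration from the guide's example. The Domain D
# rule is assumed to be the six-slot rule "*/*/*/DomainD/Acme/*".
DIRECTORIES = [
    {"domain": "Domain B", "rule": "*/*/*/*/*/*", "order": 1, "ldap_enabled": True},
    {"domain": "Domain C", "rule": "*/*/*/*/*/*", "order": 2, "ldap_enabled": True},
    {"domain": "Domain D", "rule": "*/*/*/DomainD/Acme/*", "order": 3, "ldap_enabled": True},
]


class MultipleMatches(Exception):
    """Raised under the 'Don't modify any' setting when several rules tie."""


def _split_unescaped(s, seps):
    """Split s on any character in seps that is not preceded by a backslash."""
    pieces, buf, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):   # keep the escape pair intact
            buf.append(s[i:i + 2])
            i += 2
            continue
        if s[i] in seps:
            pieces.append("".join(buf))
            buf = []
        else:
            buf.append(s[i])
        i += 1
    pieces.append("".join(buf))
    return pieces


def parse_dn(dn):
    """Parse a DN into RDNs, each a list of (type, value) pairs, honouring
    '\\,' escapes and '+' multi-valued RDNs as in the guide's examples.
    Types need not be cn/ou/o/c (foo=Bar is accepted)."""
    if len(dn) > MAX_DN_LEN:
        raise ValueError(f"DN exceeds {MAX_DN_LEN} characters")
    rdns = []
    for rdn in _split_unescaped(dn, ","):
        avas = []
        for ava in _split_unescaped(rdn, "+"):
            typ, eq, val = ava.partition("=")
            if not eq or not typ.strip():
                raise ValueError(f"malformed RDN component: {ava!r}")
            avas.append((typ.strip().lower(), re.sub(r"\\(.)", r"\1", val.strip())))
        rdns.append(avas)
    return rdns


def name_slots(dn):
    """Map a DN onto the six naming-rule slots OU4/OU3/OU2/OU1/O/C.
    Assumption: OU1 is the OU directly beneath O; absent slots are ''."""
    ous, org, country = [], "", ""
    for rdn in parse_dn(dn):
        for typ, val in rdn:
            if typ == "ou":
                ous.append(val)          # leaf-most OU first
            elif typ == "o":
                org = val
            elif typ == "c":
                country = val
    root_first = (ous[::-1] + [""] * 4)[:4]   # OU1 .. OU4
    return [root_first[3], root_first[2], root_first[1], root_first[0], org, country]


def rule_matches(rule, slots):
    parts = rule.split("/")
    if len(parts) != 6:
        raise ValueError(f"naming rule needs six slots: {rule!r}")
    return all(fnmatchcase(v.lower(), p.lower()) for v, p in zip(slots, parts))


def specificity(rule):
    return sum(part != "*" for part in rule.split("/"))


def add_targets(dn, setting, directories=DIRECTORIES, primary="Primary"):
    """Directories an LDAP add for `dn` goes to under the 'Rules to follow'
    setting: no matching rule -> primary directory; one most-specific
    match -> that directory; a tie -> decided by the setting."""
    slots = name_slots(dn)
    hits = [d for d in directories if d["ldap_enabled"] and rule_matches(d["rule"], slots)]
    if not hits:
        return [primary]
    best = max(specificity(d["rule"]) for d in hits)
    tied = sorted((d for d in hits if specificity(d["rule"]) == best), key=lambda d: d["order"])
    if len(tied) == 1 or setting == "Modify first match":
        return [tied[0]["domain"]]
    if setting == "Modify all matches":
        return [d["domain"] for d in tied]
    raise MultipleMatches(f"{dn}: rules for {[d['domain'] for d in tied]} all match")


if __name__ == "__main__":
    for dn in ("cn=Kate Power,ou=DomainD,o=Acme", "cn=John Ashby,ou=DomainC,o=Acme"):
        for setting in ("Don't modify any", "Modify first match", "Modify all matches"):
            try:
                print(f"{setting:20} {dn:34} -> {add_targets(dn, setting)}")
            except MultipleMatches as exc:
                print(f"{setting:20} {dn:34} -> not added ({exc})")
```

Running the script reproduces the four rows of the table above. Note that a `Modify all matches` configuration writes the same entry into every tied directory, which is exactly the duplicate-entry condition the compare/modify rules later have to resolve; keeping the default “Don’t modify any” until the naming rules are disjoint avoids creating that situation.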
Customizing search processing to improve LDAP service
performance
To improve the performance of the LDAP service, you can choose
options to customize how the service processes searches. These settings
apply to all servers in a domain that run the LDAP service.
“Timeout” and “Maximum number of entries returned”
By default, the LDAP service takes as long as necessary to process
searches, and returns all entries it finds that match the search
criteria. If LDAP service performance is slow, consider using the
“Timeout” and “Maximum number of entries returned” fields on the LDAP
tab of a domain Configuration Settings document to set limits on the
length of searches and the number of entries returned. If the LDAP
client that sends a request also specifies limits, whichever setting is
lower takes precedence.
“Minimum characters for wildcard search”
Specify the minimum number of characters that users must place before
the first wildcard in a search filter when the wildcard is combined with a
substring. The default is 1 character. If you increase this value, users
must provide more specific substring search filters, and as a result, the
LDAP service searches fewer entries and processes the searches more
quickly. If LDAP service performance is slow, consider increasing the
minimum characters required for wildcard searches to 2.
If a filter begins with a wildcard followed by a substring, the LDAP
service removes the initial wildcard (unless “Minimum characters for
wildcard search” is set to 0), then uses what remains as the search filter.
For example, if the option is set to 2 and a user specifies the filter sn=*br*,
the LDAP service uses the filter br* to process the search. However, if a
user specifies the filter *b*, the LDAP service rejects the search request
because after the first wildcard is removed, b*, which is the remaining
search filter, contains only one character before the (now) first wildcard.
Note The “Minimum characters for wildcard search” option doesn’t
apply to search filters that use only a wildcard as a value, for example, a
search filter such as sn=* is always allowed. Because this kind of filter
searches only for the presence of an attribute, not for an attribute value, it
does not have the search performance implications associated with
wildcards in substring searches. To control the number of entries
returned as the result of a presence search filter, use the “Maximum
number of entries returned” option to set a maximum number of entries
that the LDAP service can return.
Specifying settings to improve LDAP service search performance:
1. From the Domino Administrator, open a server that runs the LDAP
service, or a open a server in the same domain as one that runs the
LDAP service.
2. Click the Configuration tab.
3. In the left pane, expand Directory, then LDAP, and then select
Settings.
4. Do one of the following:
If you see the prompt “Unable to locate a Server Configuration
document for this domain. Would you like to create one now?” click
Yes, then click the LDAP tab on the document.
If you do not see the prompt, click “Edit LDAP Settings.”
5. Change settings in any of these fields:

Field Enter

Timeout
The maximum time, in seconds, allowed for LDAP client searches;
default is 0. For example, specify 60.

Maximum number of entries returned
The maximum number of directory entries the LDAP service returns to
LDAP clients as search results; default is 0, meaning that there is no
limit. For example, specify 100.

Minimum characters for wildcard search
The minimum number of characters that must precede the first wildcard
in a search filter when the wildcard is combined with a substring;
default is 1.

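The script below is an added example, not from the guide and not Domino code. It applies the three settings just described to a search the way the text explains them: the “Minimum characters for wildcard search” rule rewrites or rejects a substring filter, and the lower of the server and client limits wins. The sample entries are constructed, and the example assumes plain “attr=value” filters and case-insensitive matching (LDAP caseIgnoreMatch). It also shows something the text only implies: removing the leading wildcard changes which entries a search returns.

```python
from fnmatch import fnmatchcase


class SearchRejected(Exception):
    """The LDAP service refuses the search (too few characters before '*')."""


# Constructed sample directory entries (not from the guide).
ENTRIES = [
    {"cn": "Alan Brown", "sn": "Brown"},
    {"cn": "Ann Bright", "sn": "Bright"},
    {"cn": "Omar Abrams", "sn": "Abrams"},
    {"cn": "Kate Power", "sn": "Power"},
]


def normalize_filter(filter_str, min_chars):
    """Return the 'attr=value' filter the LDAP service actually evaluates.
    Rules from the guide: a presence filter (attr=*) is always allowed; a
    leading '*' before a substring is dropped unless min_chars is 0; then
    at least min_chars characters must precede the first remaining '*'."""
    attr, eq, value = filter_str.partition("=")
    if not eq or not attr:
        raise ValueError(f"expected attr=value, got {filter_str!r}")
    if value == "*" or "*" not in value:
        return filter_str                      # presence or equality filter
    if value.startswith("*") and min_chars > 0:
        value = value[1:]                      # initial wildcard removed
    prefix = value.split("*", 1)[0]
    if len(prefix) < min_chars:
        raise SearchRejected(
            f"{filter_str!r}: {len(prefix)} character(s) before the first "
            f"wildcard, {min_chars} required")
    return f"{attr}={value}"


def effective_limits(server_timeout, server_max, client_timeout=0, client_max=0):
    """Combine the Configuration Settings limits with the client's own;
    0 means no limit, and the lower non-zero value wins, as the guide states."""
    def lower(a, b):
        nonzero = [v for v in (a, b) if v > 0]
        return min(nonzero) if nonzero else 0
    return lower(server_timeout, client_timeout), lower(server_max, client_max)


def search(entries, filter_str, min_chars=1, server_max=0, client_max=0):
    """Evaluate the normalized filter case-insensitively and cut the result
    at the effective size limit. Returns (matches, truncated)."""
    attr, _, pattern = normalize_filter(filter_str, min_chars).partition("=")
    _, max_entries = effective_limits(0, server_max, 0, client_max)
    found = [e for e in entries
             if attr in e and fnmatchcase(e[attr].lower(), pattern.lower())]
    if max_entries and len(found) > max_entries:
        return found[:max_entries], True
    return found, False


if __name__ == "__main__":
    for min_chars in (0, 1, 2):
        try:
            hits, cut = search(ENTRIES, "sn=*br*", min_chars)
            print(min_chars, [e["sn"] for e in hits], "(truncated)" if cut else "")
        except SearchRejected as exc:
            print(min_chars, "rejected:", exc)
```

With the option at 0 the filter `sn=*br*` returns Brown, Bright and Abrams; at 1 or higher the service rewrites it to `sn=br*` and Abrams silently disappears from the result. Raising the setting is therefore a behavioural change for clients, not only a performance one, and is worth announcing to the teams that own the LDAP-consuming applications.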
Enabling LDAP alternate language searches
RFC 2596 defines language tags that you can append to an attribute to
define an alternate language value for the attribute. For example,
“givenName;lang-fr=Etienne” defines Etienne as a French value for the
givenName attribute. The LDAP service supports language tags.
Many LDAP clients do not support language tags in search queries. Such
LDAP clients can specify, for example, “givenName=Etienne” to find an
entry with “givenName;lang-fr=Etienne” defined.
To enable LDAP alternate language searches, configure the LDAP service
to allow them, and add the language tags to entries. Use an Alternative
Language Information document in the Domino Directory to add
language tags to a Person document. Use LDAP add and modify
operations to add language tags to any other type of entry.
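The following Python is an added example, not part of the guide and not Domino code. It implements the matching behaviour the paragraph describes: an attribute description such as “givenName;lang-fr” is the base type plus a language option, a client that searches on the bare type still finds the tagged value, and a search that names a tag matches only that tag (and its subtags, such as lang-en matching lang-en-gb, per RFC 2596). The entries are constructed sample data, and the helper names are this example’s own.

```python
# Constructed sample entries keyed by attribute description (not from the guide).
ENTRIES = [
    {"cn": ["Etienne Dupont"], "givenName": ["Stephen"],
     "givenName;lang-fr": ["Etienne"]},
    {"cn": ["Anna Schmidt"], "givenName": ["Anna"],
     "givenName;lang-de": ["Anna"], "givenName;lang-en-gb": ["Ann"]},
]


def parse_attribute_description(desc):
    """'givenName;lang-fr' -> ('givenname', ['lang-fr']). Attribute types
    and options are case-insensitive, so both are folded to lower case."""
    base, *options = desc.split(";")
    return base.strip().lower(), [o.strip().lower() for o in options if o.strip()]


def language_tag(options):
    """The lang-* option of an attribute description, or None if untagged."""
    return next((o for o in options if o.startswith("lang-")), None)


def values_for(entry, requested):
    """Values of `entry` returned for attribute description `requested`:
    - a bare type matches every language variant, so a client that cannot
      send tags finds givenName;lang-fr=Etienne through givenName=Etienne;
    - a tagged type matches that tag and its subtags (lang-en also matches
      lang-en-gb), but never untagged values."""
    want_base, want_opts = parse_attribute_description(requested)
    want_lang = language_tag(want_opts)
    values = []
    for desc, vals in entry.items():
        base, opts = parse_attribute_description(desc)
        if base != want_base:
            continue
        have_lang = language_tag(opts)
        if want_lang is None:
            values.extend(vals)
        elif have_lang == want_lang or (have_lang or "").startswith(want_lang + "-"):
            values.extend(vals)
    return values


def search_equality(entries, attr_desc, value):
    """Entries whose `attr_desc` has a value equal to `value` (case-insensitive,
    as LDAP caseIgnoreMatch would compare them)."""
    return [e for e in entries
            if any(v.lower() == value.lower() for v in values_for(e, attr_desc))]


if __name__ == "__main__":
    for filt in ("givenName=Etienne", "givenName;lang-fr=Etienne",
                 "givenName;lang-en=Ann", "givenName;lang-de=Etienne"):
        attr, _, val = filt.partition("=")
        print(filt, "->", [e["cn"][0] for e in search_equality(ENTRIES, attr, val)])
```

The untagged-filter case is the one to test after enabling “Allow Alternate Language Information processing”: a client sending `givenName=Etienne` should get the entry back even though the value lives only under `givenName;lang-fr`.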
Configuring the LDAP service to allow LDAP alternate language
searches
Follow these steps to allow all servers in a domain that run the LDAP
service to process LDAP alternate language searches:
1. In the Directory Profile, enable support for LDAP alternate language
searches:
a. From the Domino Administrator, open the primary Domino
Directory of the server that runs the LDAP service:
b. Choose Actions - Edit Directory Profile.
c. In the “Allow the creation of Alternate Language Information
documents” field, choose Yes.
d. Click Save & Close.
2. In the domain Configuration Settings document, enable support for
LDAP alternate language searches:
a. From the Domino Administrator, open the server that runs the
LDAP service, or a open a server in the same domain as the one
that runs the LDAP service.
b. Click the Configuration tab.
c. In the left pane, expand Directory, then LDAP, and then select
Settings.
d. Do one of the following:
If you see the prompt “Unable to locate a Server Configuration
document for this domain. Would you like to create one now?”
click Yes, then click the LDAP tab on the document.
If you do not see the prompt, click “Edit LDAP Settings.”
e. In the “Allow Alternate Language Information processing” field,
choose Yes.
f. Click Save & Close.
Using an Alternative Language Information document to define
language subattributes for a Person document
To add LDAP language tags for a specific language to a Person
document (dominoPerson entry), create an Alternative Language
Information document that is associated with the Person document. The
Alternative Language Information document contains a subset of the
fields in the Person document, for which you assign values in the
alternate language. You can create multiple Alternative Language
Information documents for one Person document. You can create
Alternative Language Information documents in any Domino Directory
that the LDAP service serves.
To add LDAP language tags for a specific language to a Domino Person
document:
1. From the Domino Administrator, open the Domino Directory that
contains the Person document.
2. Click the People & Groups tab.
3. Select People, and open the Person document to which you want to
add the language tags.
4. Choose Actions - Add Alternate Language Information.
5. Click the Basics tab, and do the following:
a. In the Language field, select the language to use.
b. Enter values in the selected language for any of the other fields in
the Basic tab.
Note The User name (FullName) field is inherited from the Person
document. LDAP uses this as the distinguished name that identifies
the person, and you can’t create an alternate language version of it.
6. Click the Work/Home tab, and enter values in the selected language
for any of the fields in the Work, Home, and Corporate Hierarchy
tabs.
For information on Corporate Hierarchies, see the chapter “Setting
Up the Domino Directory.”
7. Click Save & Close.
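The following added example (not Domino code, and not from the original manual) shows what the procedure above produces on the LDAP side: it takes a constructed Person document and its Alternative Language Information documents, emits the entry with RFC 2596 language tags as attribute options such as "title;lang-de", leaves the DN and cn untagged as the Note above requires, picks a value for a requested language with fallback to the untagged value, and writes the entry as LDIF with base64 encoding for non-ASCII values. The translatable field names, the Notes-to-LDAP name conversion and the dominoPerson object class list are assumptions for the example.

```python
import base64

# Person-document fields that an Alternative Language Information document
# may override. Constructed subset for this example; the real set is whatever
# the Basics and Work/Home tabs of the document offer.
TRANSLATABLE_FIELDS = ("givenName", "sn", "title", "ou", "l", "postalAddress")


def notes_to_ldap_dn(notes_name):
    """Convert a Notes canonical name (CN=x/O=y) to LDAP DN syntax (CN=x,O=y).
    Assumed mapping for this example."""
    return ",".join(notes_name.split("/"))


def build_entry(person, alt_docs):
    """Return (dn, attrs) for a Person document plus its Alternative Language
    Information documents. attrs maps an attribute description such as
    'title' or 'title;lang-de' (RFC 2596 language tag) to a list of values."""
    full_name = person["FullName"][0]
    dn = notes_to_ldap_dn(full_name)
    attrs = {"objectClass": ["top", "person", "organizationalPerson",
                             "inetOrgPerson", "dominoPerson"]}
    # The common name comes from the first RDN of the distinguished name and,
    # like the DN itself, never gets a language-tagged variant.
    attrs["cn"] = [full_name.split("/")[0].split("=", 1)[1]]
    for field in TRANSLATABLE_FIELDS:
        if field in person:
            attrs[field] = list(person[field])
    for doc in alt_docs:
        tag = ";lang-" + doc["Language"].lower()
        for field, values in doc.items():
            # Only fields that may carry a translation are tagged; FullName,
            # the Language selector itself and unknown fields are ignored.
            if field in TRANSLATABLE_FIELDS:
                attrs[field + tag] = list(values)
    return dn, attrs


def value_for_language(attrs, attr, lang):
    """Pick the value tagged for lang, falling back to the untagged value
    (a client asking for 'title;lang-es' still gets the base title)."""
    for key in (attr + ";lang-" + lang.lower(), attr):
        if attrs.get(key):
            return attrs[key][0]
    return None


def _ldif_line(name, value):
    """RFC 2849: values that are not 'safe' (non-ASCII, or starting with a
    space, colon or '<') are written base64-encoded after a double colon."""
    raw = value.encode("utf-8")
    safe = (raw.isascii() and raw and raw[0] not in b" :<"
            and not any(c in raw for c in b"\x00\r\n"))
    if safe:
        return "%s: %s" % (name, value)
    return "%s:: %s" % (name, base64.b64encode(raw).decode("ascii"))


def to_ldif(dn, attrs):
    """Serialise the entry as one LDIF record."""
    lines = ["dn: " + dn]
    for name, values in attrs.items():
        for value in values:
            lines.append(_ldif_line(name, value))
    return "\n".join(lines) + "\n"


# Constructed sample: one Person document and two Alternative Language
# Information documents (German and French) associated with it.
PERSON = {
    "FullName": ["CN=Hans Mueller/O=Acme"],
    "givenName": ["Hans"], "sn": ["Mueller"], "title": ["Engineer"], "l": ["Boston"],
}
ALT_DOCS = [
    {"Language": "de", "title": ["Ingenieur"]},
    # The FullName here is ignored: the DN cannot have a language variant.
    {"Language": "fr", "title": ["Ingénieur"], "FullName": ["CN=Jean/O=Acme"]},
]

if __name__ == "__main__":
    entry_dn, entry_attrs = build_entry(PERSON, ALT_DOCS)
    print(to_ldif(entry_dn, entry_attrs))
```

Run it to see the LDIF record; the French title comes out base64-encoded because of the accented character, while the German one is written as plain text.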
Viewing Alternative Language Information documents
To view the Alternative Language Information documents associated
with Person documents:
1. From the Domino Administrator, click the Files tab, and open the
Domino Directory.
2. Expand the People view, and select the Alternate Languages view.
Requiring distinguished logon names for LDAP name-and-password
security
To conform to RFCs 2251 through 2254, you can use the LDAP service option “DN Required on Bind?” to require that an LDAP client that binds using name-and-password security to any LDAP service running in the domain use its fully qualified LDAP distinguished name as its LDAP client logon name. In a Person document in the Domino Directory, the distinguished name is the first value in the FullName field, labeled User Name. By default, the LDAP service doesn’t require an LDAP client to use the distinguished name as a logon name.

Field                                           Enter
Inherit Default Accounts Settings from Parent   Select to inherit default account settings from parent.
Enforce Default Accounts Settings in Children   Select to enforce default account settings in children.
Account Names                                   A descriptive name for the LDAP service account; users see this name in the list of directories the client can search. If you specify more than one account (for example, an account for another Internet service), separate account names with commas (,).
Server Addresses                                The host name of the server running the LDAP service, for example, ldap.acme.com.
Protocols                                       LDAP
Use SSL Connection                              Yes to use SSL; otherwise, No.

5. Click Save & Close.


Setting Up the LDAP Service 20-35
Directory Services
LDAP client authentication
To authenticate LDAP clients, the LDAP service can look up the clients’
distinguished names and passwords/certificates in any of the following
directories:
• Primary Domino Directory
• Extended Directory Catalog
• Condensed Directory Catalog on server (passwords only recommended)
• Secondary Domino Directory
• Remote LDAP directory
The primary Domino Directory of the server running the LDAP service is
trusted for client authentication automatically. You must explicitly trust
other directories for client authentication.
For additional information, see the chapters “Setting Up Directory
Catalogs,” “Setting Up Directory Assistance,” “Setting Up
Name-and-Password and Anonymous Access to Domino Servers,” and
“Setting Up Clients for S/MIME and SSL.”
Using LDAP to search a Domain index
If the LDAP service is running on a server that stores a Domain Index,
you can develop an LDAP application to search the Domain Index for all
documents that contain a specific text string and then return specific
attributes of these documents. Use this search query format:
"(&(ObjectClass=Document)(Object=*xxx*))" attributes
where:
• xxx represents the text string to search for
• attributes are any of these attributes to retrieve: cn, url, doctitle, docauthor, docsummary, dbheading, dbcategories, dbtitle
20-36 Administering the Domino System, Volume 1
For example, the following query searches for all documents that contain
the text “HR policies” and then returns the cn, url, doctitle, docauthor,
and dbtitle values for those documents:
"(&(ObjectClass=Document)(Object=*HR policies*))" cn url
doctitle docauthor dbtitle
You can use operators with the Object attribute search filter. For
example, to find all documents that contain both the text “HR policies”
and the text “1999” and then return the same set of attributes as the
example above, use this query:
"(&(ObjectClass=Document)(&(Object=*HR policies*)(Object=*1999*)))" cn url doctitle docauthor dbtitle
To search the text of a database, you must have at least Reader access in
the ACL of the source database.
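Because the text string in the Object filter usually comes from an end user, an application that builds this query should escape the RFC 2254 filter metacharacters (parentheses, asterisk, backslash and NUL) in that string; otherwise a search term can change the structure of the filter rather than being searched for literally. The following is an added example, not part of the original manual and not Domino code, that builds the filter exactly as shown above for one or more terms, escapes each term, checks the requested attributes against the list above, and splits the documented "filter" attributes form back apart. It goes beyond the text in that it accepts any number of AND-ed terms.

```python
import shlex

# Attributes the Domain Index search can return (the list given above).
DOMAIN_INDEX_ATTRIBUTES = frozenset({
    "cn", "url", "doctitle", "docauthor", "docsummary",
    "dbheading", "dbcategories", "dbtitle",
})

# RFC 2254 escaping for characters that carry filter syntax. Without it a
# search string such as  a)(cn=*  would alter the filter's structure.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(text):
    """Escape one assertion value so it is matched literally."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in text)


def build_domain_index_filter(terms):
    """Build the Domain Index filter for one or more substrings that must all
    occur in a document: one (Object=*x*) clause per term, AND-ed together
    in the same shape as the two examples above."""
    terms = [t for t in terms if t]
    if not terms:
        raise ValueError("at least one non-empty search term is required")
    clauses = ["(Object=*%s*)" % escape_filter_value(t) for t in terms]
    inner = clauses[0] if len(clauses) == 1 else "(&" + "".join(clauses) + ")"
    return "(&(ObjectClass=Document)%s)" % inner


def unknown_attributes(attributes):
    """Return, in order, the requested attributes the Domain Index does not offer."""
    return tuple(a for a in attributes if a not in DOMAIN_INDEX_ATTRIBUTES)


def build_query(terms, attributes=("cn", "url", "doctitle", "docauthor", "dbtitle")):
    """Return the query in the documented  "filter" attr attr ...  form."""
    bad = unknown_attributes(attributes)
    if bad:
        raise ValueError("unsupported Domain Index attributes: %s" % ", ".join(bad))
    return '"%s" %s' % (build_domain_index_filter(terms), " ".join(attributes))


def parse_query(query):
    """Split a query line back into (filter, [attributes]); the filter is the
    double-quoted first token."""
    parts = shlex.split(query)
    return parts[0], parts[1:]


if __name__ == "__main__":
    print(build_query(["HR policies", "1999"]))
    # Metacharacters in a user-supplied term are neutralised, not interpreted.
    print(build_query(["a)(cn=*"]))
```

The second print shows the escaped form: the parentheses and asterisk inside the term become \29, \28 and \2a, so the server treats them as characters to find rather than as filter syntax.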
Monitoring the LDAP service
Use these methods to monitor the LDAP service:
• Show the current LDAP service configuration settings
• Show statistics related to LDAP service port activity
Showing the current LDAP service configuration settings
To show the current status of:
• The settings for the LDAP service that are controlled through the domain Configuration Settings document
• The LDAP service port settings in the Internet Ports section of the Server document
• LDAP Activity Logging
enter this server command on a server that runs the LDAP service:
Tell Ldap Showconfig
To show the status of the above settings as well as the status of the LDAP
service settings controlled through the NOTES.INI file, enter this server
command:
Tell Ldap showconfig debug
Showing statistics related to LDAP service port activity
You can see statistics about LDAP service port activity related
specifically to LDAP operations, and also network statistics related to
general network activity over the LDAP service ports. You can use the
Show Stat command to see statistics.
Note Each statistic listed in the following tables begins with the prefix LDAP., but the tables omit the prefix. For example, the statistic LDAP.Total LDAP Connections is shown as Total LDAP Connections.
Statistics related to LDAP operations
The following statistics relate to connections made using LDAP. Statistics
calculation begins at LDAP service startup.

Statistic                              Description
Total LDAP Connections                 Number of LDAP connections
Simple LDAP Connections                Number of LDAP connections using name-and-password authentication
Anonymous LDAP Connections             Number of anonymous LDAP connections
Strong Authentication Connections      Number of LDAP connections using X.509 client certificate authentication
Failed LDAP Connections                Number of LDAP connections that failed
Total LDAP Searches                    Number of LDAP search requests processed
Longest LDAP Search time               Longest amount of time taken to successfully complete an LDAP search request that has been received so far. This statistic does not include LDAP searches that fail with any error.
Average LDAP Search time               Average amount of time taken to process LDAP search requests received so far. The value includes time taken to process search requests that fail, so on occasion it may exceed the Longest LDAP Search time value.
Longest LDAP Search request            Longest amount of time to receive an LDAP search request
Total LDAP Modifies                    Number of LDAP modify requests processed
Total LDAP Compares                    Number of LDAP compare requests processed
Total LDAP Adds                        Number of LDAP add requests processed
Total LDAP Deletes                     Number of LDAP delete requests processed
Total LDAP ModifyDNs                   Number of modifyDN requests processed
Total LDAP Extended Operations         Number of requests to extend the schema processed
Total LDAP Abandons                    Number of abandon requests processed
Total LDAP Searches for Subschema      Number of requests to search the subschema processed
Total LDAP Searches for Root DSE       Number of requests to search the root DSE processed
Total LDAP Referrals returned          Number of referrals to remote LDAP directories returned
Total LDAP Searches on Domain Catalog  Number of requests to search the Domain Catalog processed
Total LDAP Search Entries Returned     Number of entries returned from search requests
Total LDAP Search time                 Total time spent processing LDAP searches
Server.Running                         Shows whether the LDAP service is running

Statistics for network activity on the LDAP service ports


The following statistics relate to network activity over the LDAP service
ports since Domino server startup. These statistics can reflect network
activity that does not involve the LDAP protocol, for example activity
resulting from telnet requests.

Statistic                                  Description
Sessions.Inbound.Accept.Queue              Number of new connections waiting to be serviced by threadpool
Sessions.Inbound.Active                    Number of currently running inbound TCP/SSL connections
Sessions.Inbound.Active.SSL                Number of currently running inbound SSL connections
Sessions.Inbound.BytesReceived             Number of bytes received by all inbound TCP/SSL connections
Sessions.Inbound.BytesSent                 Number of bytes sent by all inbound TCP/SSL connections
Sessions.Inbound.Peak                      Maximum number of concurrent inbound TCP/SSL connections
Sessions.Inbound.Peak.SSL                  Peak number of concurrent inbound SSL connections
Sessions.Inbound.Total                     Number of all TCP/SSL inbound connections since server started
Sessions.Inbound.Total.SSL                 Number of all SSL inbound connections since server started
Sessions.Inbound.Total.SSL.Bad_Handshake   Total number of failed inbound SSL handshakes since server started
Sessions.Outbound.Active                   Number of currently running outbound TCP/SSL connections
Sessions.Outbound.Active.SSL               Number of currently running outbound SSL connections
Sessions.Outbound.BytesReceived            Number of bytes received by all outbound TCP/SSL connections
Sessions.Outbound.BytesSent                Number of bytes sent by all outbound TCP/SSL connections
Sessions.Outbound.Peak                     Maximum number of concurrent outbound TCP/SSL connections
Sessions.Outbound.Peak.SSL                 Maximum number of concurrent outbound SSL connections
Sessions.Outbound.Total                    Number of all TCP outbound connections since server started
Sessions.Outbound.Total.SSL                Number of all SSL outbound connections since server started
Sessions.Outbound.Total.SSL.Bad_Handshake  Total number of failed outbound SSL handshakes since server started
Sessions.Threads.Busy                      Total number of running threads servicing network IO requests
Sessions.Threads.Idle                      Total number of idle threads waiting to service network IO requests
Sessions.Threads.InThreadPool              Current number of threads in threadpool
Sessions.Threads.Peak                      Peak number of threads in threadpool
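The counters in both tables are more useful as an alert than as a listing. The added example below, which is not from the manual and not Domino code, parses Show Stat style "Name = Value" lines from two constructed snapshots, takes counter deltas while allowing for the reset that happens when the LDAP service restarts (calculation begins at service startup), and flags a high share of failed LDAP connections, a burst of failed inbound SSL handshakes, and an LDAP service that is not running. The exact Show Stat line layout, the sample values and the thresholds are assumptions.

```python
import re

# One "Name = Value" line per statistic, the shape Show Stat output takes.
_STAT_LINE = re.compile(r"^\s*(?P<name>[A-Za-z][^=]*?)\s*=\s*(?P<value>.*?)\s*$")


def parse_show_stat(text):
    """Parse Show Stat output into {statistic name: value}, converting
    numbers (with or without thousands separators) to int or float."""
    stats = {}
    for line in text.splitlines():
        m = _STAT_LINE.match(line)
        if not m:
            continue
        value = m.group("value").replace(",", "")
        for convert in (int, float):
            try:
                value = convert(value)
                break
            except ValueError:
                pass
        stats[m.group("name")] = value
    return stats


def counter_delta(before, after, name):
    """Growth of a counter between two snapshots. Counters restart from zero
    when the LDAP service restarts, so a drop means everything counted in
    'after' happened since that restart."""
    b, a = before.get(name, 0), after.get(name, 0)
    return a if a < b else a - b


def assess(before, after, max_failed_ratio=0.2, min_connections=50,
           max_bad_handshakes=10):
    """Return alert strings for the interval between two snapshots."""
    alerts = []
    new_conns = counter_delta(before, after, "LDAP.Total LDAP Connections")
    new_failed = counter_delta(before, after, "LDAP.Failed LDAP Connections")
    # A high failure share on a meaningful number of connections points at a
    # misconfigured client or at someone guessing passwords against the bind.
    if new_conns >= min_connections and new_failed / new_conns >= max_failed_ratio:
        alerts.append("%d of %d new LDAP connections failed: check for a "
                      "misconfigured client or password guessing" % (new_failed, new_conns))
    bad = counter_delta(before, after, "LDAP.Sessions.Inbound.Total.SSL.Bad_Handshake")
    if bad > max_bad_handshakes:
        alerts.append("%d failed inbound SSL handshakes: check certificates, "
                      "protocol settings, or plain-text clients on the SSL port" % bad)
    if after.get("LDAP.Server.Running") != 1:
        alerts.append("LDAP service is not running")
    return alerts


# Constructed snapshots, not captured from a real server.
SNAPSHOT_T0 = """\
  LDAP.Total LDAP Connections = 1200
  LDAP.Simple LDAP Connections = 800
  LDAP.Anonymous LDAP Connections = 390
  LDAP.Failed LDAP Connections = 10
  LDAP.Sessions.Inbound.Total.SSL.Bad_Handshake = 2
  LDAP.Server.Running = 1
"""
SNAPSHOT_T1 = """\
  LDAP.Total LDAP Connections = 1,500
  LDAP.Simple LDAP Connections = 900
  LDAP.Anonymous LDAP Connections = 400
  LDAP.Failed LDAP Connections = 200
  LDAP.Sessions.Inbound.Total.SSL.Bad_Handshake = 40
  LDAP.Server.Running = 1
"""

if __name__ == "__main__":
    for alert in assess(parse_show_stat(SNAPSHOT_T0), parse_show_stat(SNAPSHOT_T1)):
        print("ALERT:", alert)
```

Feed it two successive captures of the statistics a few minutes apart; the thresholds are starting points to tune against the normal connection volume of the server.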

NOTES.INI settings for the LDAP service


The following table contains the NOTES.INI settings that pertain
specifically to the LDAP service.
For more information on these settings, see the “NOTES.INI File”
appendix.
Note If you use the Set Configuration command to specify a setting, the
LDAP service detects the change automatically within three minutes, by
default.

Setting                     Description
DisableLDAPOnAdmin          Disables the LDAP service for a domain
LDAPBatchAdds               To speed processing of batch LDAP adds to the Domino Directory, specifies that the LDAP service immediately updates only the ($LDAPRDNHier) view to reflect the changes
LDAPConfigUpdateInterval    Specifies how often the LDAP service checks for and puts into effect changes to its configuration settings
LDAPGroupMembership         Controls how the LDAP service responds to searches of Domino “Mail only” groups and to searches of groups without a GroupType attribute value
LDAPNotesPort               Specifies the name of the Notes network for TCP/IP used by the LDAP service on a partitioned server or by the LDAP service on a single server that uses more than one Notes port for TCP/IP
LDAPPre55Outlook            When the LDAP service receives a search query that specifies country (c=xx) as a search base, specifies that it convert the search base to root (“”) to accommodate pre-5.5 Microsoft Outlook Express client behavior
Schema_Daemon_Breaktime     Specifies how often (in seconds) the schema daemon checks the status of the LDAP task to see if it should shut down
Schema_Daemon_Idletime      Specifies how long (in minutes) the schema daemon spawned by the LDAP service remains idle after it finishes its tasks
Schema_Daemon_Reloadtime    Specifies how often (in hours) the schema daemon spawned by the LDAP service on the Domino Directory administration server loads schema changes made using Domino Directory forms into memory
Schema_Daemon_Resynctime    Specifies how often (in hours) the schema daemon spawned by the LDAP service on the Domino Directory administration server updates the Domino LDAP Schema database when its in-memory schema differs from the schema published in the Schema database

RFCs supported by the LDAP service


The Domino LDAP service supports the RFCs described in the following
table.

RFC    Description
2079   Definition of an X.500 Attribute Type and an Object Class to Hold Uniform Resource Identifiers
2222   Simple Authentication & Security Layer (SASL)
2251   Lightweight Directory Access Protocol (v3)
2252   Lightweight Directory Access Protocol (v3) Attribute Syntax Definitions
2253   Lightweight Directory Access Protocol (v3) UTF-8 String Representation of Distinguished Names
2254   The String Representation of LDAP Search Filters
2255   The LDAP URL Format
2256   A Summary of the X.500 (96) User Schema for use with LDAPv3
2596   Use of Language Codes in LDAP
2798   Definition of the inetOrgPerson LDAP Object Class

Chapter 21
Managing the LDAP Schema
This chapter defines the term LDAP schema and provides information
about the Domino LDAP schema and how to extend it.
LDAP schema
A directory entry contains information about a particular entity, for
example, a person or a group, and is associated with a distinguished
name. An LDAP schema is a set of rules that define what can be stored as
entries in an LDAP directory. Each LDAP directory has a default schema,
which organizations can customize, or “extend,” by adding elements to it.
The elements of a schema are attributes, syntaxes, and object classes.
LDAP directory servers provide the ability to enforce the schema to
ensure that directory changes made using LDAP operations conform to it.
Attributes
An attribute defines a piece of information that directory entries contain.
For example, some common attributes for entries related to people are cn
(common name), telephoneNumber, and userPassword.
An attribute is either mandatory or optional for a particular type of
entry. When an attribute is mandatory and directory administrators use
schema-checking to enforce the schema, administrators must provide a
value for the attribute when they add or modify the entries using LDAP
operations. An attribute can be defined to allow multiple values.
Multiple types of directory entries can use the same attribute.
Object classes
An object class defines a set of attributes for a type of directory entry.
Two or more object classes in an object class hierarchy define the
attributes for a type of entry. An object class inherits attributes from all
object classes above it in the hierarchy and then adds attributes of its
own; for example:
Object class 1: adds attribute A
Object class 2: inherits A; adds B, C, D
Object class 3: inherits A, B, C, D; adds E, F
There are three types of object classes: abstract, structural, and auxiliary.
Abstract object classes
An abstract object class defines an attribute or set of attributes that all
object classes in an object class structure inherit. Every object class
structure must have an abstract object class as the top-level object class.
A default LDAP schema typically uses the abstract object class top. top
includes only one attribute, objectClass, which defines an object class for
each entry in the directory.
Structural object classes
A structural object class defines a type of entry in an LDAP directory.
Examples of standard LDAP structural object classes are person,
organizationalPerson, and inetOrgPerson. An object class structure must
include at least one structural object class.
Auxiliary object classes
An auxiliary object class adds attributes to another object class, usually a
structural object class. An auxiliary object class is useful for defining a set
of attributes used by multiple object classes. An auxiliary object class
usually inherits from the abstract object class top. Object classes can’t
inherit attributes from an auxiliary object class. Instead, you must add an
auxiliary object class to each object class that uses it.
Syntaxes
A syntax defines the data format in which an attribute value is stored.
Directory String, Integer, and JPEG are examples of standard LDAP
syntaxes.
The Domino LDAP schema
The default Domino LDAP schema includes:
• Domino-specific schema elements defined by the default forms in the Domino Directory
• All LDAP-standard schema elements defined in RFCs 2252, 2256, 2798, 2247, and 2739. The LDAP service uses the file LSCHEMA.LDIF to build these elements in the default schema.
You can extend the schema to add custom schema elements that your
organization needs.
To see detailed information about the Domino LDAP schema, open the
Domino LDAP Schema database (SCHEMA.NSF) on any server that runs
the LDAP service.
For information relating to upgrading the LDAP schema, see the Upgrade
Guide.
How an LDAP object class relates to a Domino form
An LDAP object class is similar to a form in the Domino Directory, in that each defines a set of information for a directory entry. A Domino-specific object class (whose name usually begins with domino) always maps to a form in the Domino Directory. For example, the object class dominoPerson maps to the form Person, and the object class dominoGroup maps to the form Group.
An object class that is not specific to Domino, for example a standard
LDAP object class defined in the LSCHEMA.LDIF file, maps to a
form only if you create such a form. For example, the object class
residentialPerson is part of the default Domino LDAP schema, but it has
no corresponding form in the Domino Directory. Therefore, by default, you can use only LDAP operations to add, search, and modify residentialPerson entries. To give Notes and Web users access to these entries, you must create a corresponding form following a specific procedure. If you create a corresponding form, residentialPerson entries are created as documents that are visible to Notes and Web users.
For instructions on creating a form in the Domino Directory that
corresponds to an object class, see the appendix “Customizing the
Domino Directory.”
Domino forms that are not defined as object classes in the default
Domino LDAP schema
The following forms in the Domino Directory are not defined as object
classes in the schema because their designs do not include a field that
defines a distinguished name:
• CrossCertificate
• Location
• Server\Configuration Settings
• Server\Connection
• Server\Holiday
• Server\Domain
• Server\User Setup Profile
How an LDAP attribute relates to a Domino field
An LDAP attribute is similar to a field in the Domino Directory in that each defines a piece of information about a directory entry. An LDAP
attribute defined for a Domino-specific object class always maps to a
field in a form in the Domino Directory. The name of the attribute and
the name of the field may not be identical. This difference occurs when a
preexisting field in Domino has a purpose similar to an LDAP-standard
attribute. For example, the LDAP attribute uid maps to the Domino field
ShortName.
By default, an attribute that is not Domino-specific does not map to a
visible field in the Domino Directory.
LDAP-standard attributes on Domino forms
If a Domino object class inherits from an LDAP-standard object class, the
fields that represent the inherited attributes may be hidden in the
Domino Directory document. For example, the dominoPerson object class
inherits the attribute employeeNumber from the LDAP-standard object
class inetOrgPerson. However, the field employee number is only
apparent when you select a Person document, choose Edit - Properties,
and select the second tab in the Document properties box to see a listing
of all the fields. You can add the field to the $PersonInheritableSchema
subform to make the field visible.
How an LDAP syntax relates to a field type
There are some syntaxes in the default Domino LDAP schema that map
to Domino field types. For example, the LDAP syntax Integer maps to the
field type Number. To see whether a syntax maps to a Domino field, find
the document for the syntax in the Schema database (SCHEMA.NSF),
and compare the LDAP name field to the Notes mapping field.
Object class hierarchy for dominoPerson object class
The dominoPerson object class, which maps to the Person form in the
Domino Directory, is part of this object class hierarchy:
top
person
organizationalPerson
inetOrgPerson
dominoPerson
Object class hierarchy for dominoGroup object class
The dominoGroup object class, which maps to the Group form in the
Domino Directory, is part of this object class hierarchy:
top
groupOfNames
dominoGroup
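As an added example (not Domino's code and not from the manual), here is the object class inheritance and schema checking this chapter describes, written out in Python: the dominoPerson and dominoGroup hierarchies above are modelled with their RFC 2256 and RFC 2798 parents, the effective mandatory and optional attribute sets are computed down each chain, an auxiliary class contributes its attributes only when an entry lists it in objectClass, and an entry is checked for missing mandatory, disallowed and wrongly multi-valued attributes the way a server with schema checking enabled would before an add or modify. The Domino-specific attribute names (exampleMailServer and so on) are placeholders, the authoritative list being in SCHEMA.NSF, and the standard optional attribute lists are abbreviated.

```python
class ObjectClass:
    """One object class: kind is abstract, structural or auxiliary; sup names
    the superior class; must/may are the attributes this class itself adds."""
    def __init__(self, name, kind, sup=None, must=(), may=()):
        self.name, self.kind, self.sup = name, kind, sup
        self.must, self.may = frozenset(must), frozenset(may)


SCHEMA = {}


def define(name, kind, sup=None, must=(), may=()):
    SCHEMA[name] = ObjectClass(name, kind, sup, must, may)


# RFC 2256 / RFC 2798 definitions (MAY lists abbreviated to a subset).
define("top", "abstract", must=("objectClass",))
define("person", "structural", "top", must=("sn", "cn"),
       may=("userPassword", "telephoneNumber", "seeAlso", "description"))
define("organizationalPerson", "structural", "person",
       may=("title", "ou", "l", "st", "postalAddress", "postalCode",
            "facsimileTelephoneNumber", "street"))
define("inetOrgPerson", "structural", "organizationalPerson",
       may=("employeeNumber", "givenName", "mail", "uid", "displayName",
            "manager", "mobile", "userCertificate", "preferredLanguage"))
# Domino-specific classes. The attribute names below are placeholders for this
# example; the real ones are listed in SCHEMA.NSF.
define("dominoPerson", "structural", "inetOrgPerson",
       may=("exampleMailServer", "exampleMailFile"))
define("groupOfNames", "structural", "top", must=("member", "cn"),
       may=("owner", "description", "seeAlso"))
define("dominoGroup", "structural", "groupOfNames", may=("exampleGroupType",))
# An auxiliary class from RFC 2256: nothing inherits from it; an entry gains
# its attributes by listing it among its objectClass values.
define("strongAuthenticationUser", "auxiliary", "top", must=("userCertificate",))

# Attributes that RFC 2798 declares SINGLE-VALUE.
SINGLE_VALUED = frozenset({"employeeNumber", "displayName", "preferredLanguage"})


def chain(name):
    """Object class hierarchy from top down to name."""
    oc = SCHEMA[name]
    return (chain(oc.sup) if oc.sup else []) + [name]


def effective(name):
    """(must, may) for name, including everything inherited from above."""
    must, may = set(), set()
    for cls in chain(name):
        must |= SCHEMA[cls].must
        may |= SCHEMA[cls].may
    return must, may


def check_entry(entry):
    """Schema-check an entry ({attribute: [values]}). Returns the list of
    violations; an empty list means the entry conforms."""
    errors = []
    classes = entry.get("objectClass", [])
    unknown = [c for c in classes if c not in SCHEMA]
    if unknown:
        return ["unknown object class %s" % c for c in unknown]
    if not any(SCHEMA[c].kind == "structural" for c in classes):
        errors.append("entry has no structural object class")
    must, may = set(), set()
    for c in classes:
        m, o = effective(c)
        must |= m
        may |= o
    for attr in sorted(must):
        if not entry.get(attr):
            errors.append("missing mandatory attribute %s" % attr)
    for attr, values in entry.items():
        if attr not in must and attr not in may:
            errors.append("attribute %s not allowed by the entry's object classes" % attr)
        elif attr in SINGLE_VALUED and len(values) > 1:
            errors.append("attribute %s is single-valued" % attr)
    return errors


if __name__ == "__main__":
    print(" > ".join(chain("dominoPerson")))
    sample = {"objectClass": chain("dominoPerson"), "cn": ["Hans Mueller"],
              "employeeNumber": ["4711"]}  # constructed entry missing sn
    print(check_entry(sample))
```

The checker treats an attribute as present only when it has at least one value, which is how an LDAP server sees a mandatory attribute that a modify request has emptied out.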
The schema daemon
When the LDAP service runs on a server, it spawns a schema daemon
that runs at regular intervals. The schema daemon running on the
administration server for the Domino Directory implements schema
changes and propagates the changes to other (subordinate) servers in the
domain that run the LDAP service. The schema daemon running on each
subordinate server updates its LDAP service with the schema changes
propagated from the administration server. The Domino LDAP Schema
database (SCHEMA.NSF) is the vehicle for propagating the schema
changes.
The schema daemon ensures that each LDAP service running in the
domain uses a schema that is up-to-date and consistent across servers.
The schema daemon runs when the LDAP service first starts, and then
after that at 15-minute intervals by default.
For information on NOTES.INI settings that are available to control the
schema daemon, see the topic “NOTES.INI settings related to the schema
daemon” later in this chapter.
The LDAP service runs by default on the administration server for the
Domino Directory. The schema daemon spawned by the LDAP service
on the administration server does the following to maintain the schema
for the domain:
1. Creates the Domino LDAP Schema database (SCHEMA.NSF) from
the SCHEMA.NTF template (the first time the schema daemon runs
in this release, and subsequently if the Schema database is ever
deleted).
Note Be sure the administration server for the Domino Directory is
the first server in the domain you upgrade to Lotus Domino 6 so that
it is the server that first creates the Schema database.
2. Builds the schema for the domain into memory by loading information from the following files:
• LDAP-standard schema elements from the local LSCHEMA.LDIF file; these elements do not change.
• Forms and fields from the primary Domino Directory, which supply the Domino-specific schema elements and, optionally, extended schema elements added as forms and fields. For performance reasons, this step is done only once every 24 hours by default. You can use the NOTES.INI setting Schema_Daemon_Reloadtime to change the default interval.
• Schema elements from the Extended Documents view of its local Domino LDAP Schema database.
Note If the schema daemon finds the same schema element defined
in more than one of these files, it uses this order of precedence to
determine which definition to use: 1) LSCHEMA.LDIF, 2) Domino
Directory, 3) Schema database.
3. The first time it runs, publishes the schema in memory to disk in the
All Schema Documents view of the Schema database. Subsequently,
it compares its in-memory schema to the on-disk schema published
in the Schema database, and if the two schemas are different, the
daemon updates the All Schema Documents view of the Schema
database with the more recent in-memory schema. For performance
reasons, this step is done only once every 24 hours by default. You
can use the NOTES.INI setting Schema_Daemon_Resynctime to
change the default interval.
4. Replicates its local Schema database with replicas on subordinate
servers that run the LDAP service if the contents of the two replicas
are different. This replication occurs without the use of Connection
documents immediately after step 3 is complete. If a subordinate
server does not yet have a local replica of the Schema database, the
schema daemon on the administration server creates one on the
subordinate server.
The schema daemon on each subordinate server in the domain that runs the LDAP service does the following:
1. Replicates information from the replica of the Schema database on
the administration server for the Domino Directory to its local
Schema database if the two replicas are different.
If the subordinate server doesn’t yet have a local replica of the
Schema database and the administration server is running, it pulls a
replica from the administration server. If the administration server is
unavailable, the subordinate server uses a local LSCHEMA.LDIF file
and Domino Directory forms to determine the schema until the
administration server is available.
2. The first time it runs, loads the schema published on disk in the All
Schema Documents view of its local Schema database into memory.
Subsequently, it compares its in-memory schema to the on-disk
schema published in its local Schema database. If the two are
different, updates its in-memory schema with the more recent
schema published in the local Schema database.
Tip Use the server command Tell LDAP ReloadSchema to manually
initiate the steps described above.

Domino LDAP Schema database


The schema daemon spawned by the LDAP service running on the
administration server for the Domino Directory creates the Domino
LDAP Schema database (SCHEMA.NSF). Subordinate servers within the
domain that run the LDAP service automatically get a replica of this
database. The Schema database is the vehicle used to propagate schema
changes to all the servers in the domain that run the LDAP service.
Administrators use the Schema database to learn about the schema and
to extend the schema. Administrators can access the Schema database
from a Lotus Notes Release 5, Lotus Notes 6, or Web browser client, and
can use the Schema database to extend the schema from a Lotus Notes 6
or Web browser client.
SCHEMA.NSF replaces the Domino Release 5 SCHEMA50.NSF database.
For more upgrade information, see the Upgrade Guide.
Views in the Schema database
The Domino LDAP Schema database (SCHEMA.NSF) includes these
views:
• All Schema Documents
• Extended Documents
• Pending Documents
• Draft Documents
Each of these views includes sub-views for object classes, attributes, and syntaxes.
All Schema Documents view
The All Schema Documents view contains a document for each element
defined in the schema. It also contains documents for draft schema
elements awaiting administrator approval and pending schema elements
awaiting processing by the schema daemon on the administration server
for the Domino Directory.
Extended Documents view
The Extended Documents view shows a document for each extended
object class, attribute, and syntax added using the Schema database and
incorporated into the schema by the schema daemon running on the
administration server for the Domino Directory.
The Extended Documents view does not show schema extensions made
by adding forms and fields to the Domino Directory. Only the All
Schema Documents view shows new schema elements defined by new
Domino Directory forms and fields.
Pending Documents view
The Pending Documents view shows a document for each object class,
attribute, and syntax that an administrator has added using the Schema
database and approved that is awaiting processing by the schema
daemon on the administration server for the Domino Directory.
In the All Schema Documents view, a green check mark icon indicates a
pending schema element.
Draft Documents view
The Draft Documents view shows a document for each new object class,
attribute, and syntax that an administrator has added using the Schema
database, but has not yet approved.
In the All Schema Documents view, an hourglass icon indicates a draft
schema element.
Using the Schema database to view the schema
The Domino LDAP Schema database (SCHEMA.NSF) contains
information about each attribute, syntax, and object class defined in the
schema. You can also retrieve the entire schema by doing an LDAP search of the schema entry; however, the Schema database provides schema information in an easy-to-read format.
Viewing information about an attribute defined in the schema
1. Open the Schema database (SCHEMA.NSF) on any server in the
domain that runs the LDAP service.
2. Select the All Schema Documents - LDAP Attribute Types view.
3. Open a document to view information about a specific attribute. Any
document without an icon next to it in the view is an attribute
defined in the schema.
For information about the fields in Attribute documents, see the topic
“Using the Schema database to add an attribute to the schema” later in
this chapter.
Viewing information about an object class defined in the schema
1. Open the Schema database (SCHEMA.NSF) on any server in the
domain that runs the LDAP service.
2. Select the All Schema Documents - LDAP Object Classes view.
3. Open a document to view information about a specific object class.
Any document without an icon next to it in the view is an object class
defined in the schema.
Tip To determine which object classes use a particular attribute, do a
full text search for the attribute from the All Schema Documents - LDAP
Object Classes view.
For information about the fields in Object Class documents, see the topic
“Using the Schema database to add an object class to the schema” later in
this chapter.
Viewing information about a syntax defined in the schema
1. Open the Schema database (SCHEMA.NSF) on any server in the
domain that runs the LDAP service.
2. Select the All Schema Documents - LDAP Syntaxes view.
3. Open a document to view information about a specific syntax. Any
document without an icon next to it in the view is a syntax defined in
the schema.
For information about the fields in Syntax documents, see the topic “Using
the Schema database to add a syntax to the schema” later in this chapter.
Managing the LDAP Schema 21-9
Directory Services
Methods for extending the schema
Extending the schema refers to adding elements to the schema, usually
object classes and attributes. The default schema comes with many object
classes and attributes that are ready to be used for entries. Before you
extend the schema, see if there are existing elements in the default
schema that you might use instead of extending the schema. For
example, if you need an additional attribute for the dominoPerson object
class, evaluate if you can use an attribute already defined for
dominoPerson.
If the default schema does not contain the attributes you need, add
custom elements.
There are two methods available for extending the schema: using the
Domino LDAP Schema database (SCHEMA.NSF) or using the Domino
Directory to add forms and fields.
Note Modifying the file LSCHEMA.LDIF that is provided with Domino
is not supported as a method for extending the schema. This file is used
to define the LDAP-standard object classes in the default Domino LDAP
schema.
Schema database
You can use the Domino LDAP Schema database (SCHEMA.NSF) to
extend the schema. The Schema database:
• Provides an easy-to-use interface for extending the schema
• Has built-in error checking that ensures valid schema elements
• Supports the creation of draft schema elements, which you can
consider and modify before approving them as part of the schema
• Simplifies the creation of object class hierarchies
• Allows you to assign object identifiers (OIDs) associated with your
organization to the elements you add
• Allows you to define LDAP characteristics for attributes, such as
matching rules, and to define any standard LDAP syntax for an
attribute.
An object class that you add to the schema using the Schema database
does not map to a form in the Domino Directory. Therefore, to add
entries defined by these schema elements to the directory, administrators
must use LDAP operations, and the entries are accessible only via LDAP,
and are not visible to Notes and Web users.
21-10 Administering the Domino System, Volume 1
Domino Directory
You can extend the schema by adding forms, subforms, and fields to the
Domino Directory. This method allows Notes and Web users to create
and view entries that use the new schema elements as documents, while
also enabling LDAP user access to the entries. This method is more time
consuming than using the Schema database, and must be done carefully
to avoid mistakes in schema definition.
For information on using the Domino Directory to extend the schema, see
the appendix “Customizing the Domino Directory.”
Guidelines for extending the schema
Regardless of the method you use to extend the schema, follow these
guidelines:
1. See if there is an object class, attribute, or syntax defined in the
default schema you can use rather than adding a new one.
2. Don’t define multiple attributes to store the same type of
information. Instead add one attribute, and define the attribute in an
auxiliary object class that multiple structural object classes use.
3. Don’t edit existing schema elements. For example, don’t remove
attributes from, or add attributes to, an existing object class. You can
delete a custom object class that is no longer needed as long as you
are sure no one is using it.
4. When possible, create object classes that define attributes as optional
rather than mandatory, so the schema is flexible.
5. After you extend the schema, configure LDAP access to the new
schema elements. For example, if you want anonymous LDAP users
to access a new attribute, make sure you enable the attribute for
anonymous access.
For more information on controlling LDAP access, see the chapter
“Setting Up the LDAP Service.”
Extending an existing object class
How you add attributes to an object class in the default schema depends
on whether or not the attributes should apply to another object class as
well. If the attributes apply to only one object class, add the attributes to
a new structural object class and have the new object class inherit from
the object class you want to extend. For example, to extend object class A
which is part of the default schema, add attributes to a new structural
object class, B, and define object class B to inherit from A.
If the attributes will apply to more than one structural object class, add
them to a new auxiliary object class and then add the auxiliary object
class to each structural object class that will use the attributes.
For example, suppose you want to add the same attributes to object
classes A and B, both part of the default schema. Add the attributes to a
new auxiliary object class C, then add C to A and B.
Note To add a new type of entry to the directory, typically you create a
new structural object class that inherits from top.
Registering an object identifier (OID) for your organization
When you use the Domino LDAP Schema database to add a new element
to the schema, you must specify an OID for the element. To do this, your
organization should have a registered OID prefix which is used as the
root of all the OIDs you assign to your schema elements. An OID is a
unique series of numbers assigned to a schema element. For example, in
the Domino schema, the dominoPerson object class has the following
OID assignment:
2.16.840.1.113678.2.2.2.1.1
A registered OID prefix begins with one of the following numbers:
• 0 if assigned by the International Telecommunication Union (ITU)
• 1 if assigned by the International Organization for Standardization
(ISO)
• 2 if assigned jointly by the ITU and ISO
This number is then followed by a series of numbers that uniquely
identify an organization.
When you create a schema element, assign it the OID prefix registered
for your organization, followed by an additional number that uniquely
identifies the element within the schema. Never reuse an OID for a
second element and do not assign OIDs from an arc your organization
does not own: OIDs are meant to be globally unique, so a collision makes
the element ambiguous to any client that identifies schema elements by
OID.
For more information on OIDs or to request a prefix for your
organization, go to the IANA (Internet Assigned Numbers Authority)
Web site: http://www.iana.org.
Extending the schema using the Schema database
You can use the Domino LDAP Schema database to extend the schema
by:
• Adding attributes to the schema
• Adding object classes to the schema
• Adding syntaxes to the schema
When you use the Schema database to create a new schema element, you
first create a draft document for the element. You approve the draft
document when you are ready, and the document then moves from the
Draft Documents view to the Pending Documents view, where it awaits
processing by the Schema daemon on the administration server for the
Domino Directory. The Schema daemon on the administration server
incorporates the changes into the schema and publishes them in the
Schema database. The Schema database then replicates to subordinate
servers in the domain that run the LDAP service.
To use the Schema database to extend the schema, you must use one of
the following clients:
• Lotus Notes 6
• Lotus Domino Administrator 6
• Netscape Navigator with Java applets and JavaScript enabled
• Microsoft Internet Explorer with Java applets and JavaScript enabled
Using the Schema database to add an attribute to the schema
You can use the Domino LDAP Schema database (SCHEMA.NSF) to add
an attribute to the schema:
1. Make sure you have Manager access to the Schema database.
2. Open the Schema database (SCHEMA.NSF) on any server in the
domain that runs the LDAP service.
3. Select the All Schema Documents view, then click New Document -
Add Attribute Type.
4. Complete these fields on the Basics tab. For more information, see
RFCs 2252 and 2256.

Field: Action
LDAP name: Enter a name for the attribute. The name can contain only
ASCII characters and hyphens. Do not include a space in the name.
OID: Enter the object identifier.
Syntax name: Select a syntax defined in the schema for the new
attribute, then click OK. The Syntax type field automatically displays
the OID for the selected syntax.
Description: (Optional) Enter a description for the attribute.
Equality match: (Optional) Select a matching rule to apply when the
equality operator is used to search for this attribute.
Ordering match: (Optional) Select a matching rule to apply when an
ordering operator is used to search for this attribute.
Substrings match: (Optional) Select a matching rule to apply when a
substring operator is used to search for this attribute.
Single valued: Choose one: Yes to allow only one value for the
attribute; No to allow more than one value (default).
Collective: Choose one: Yes to allow the values for this attribute to be
shared; No to prevent values from being shared (default).
No user modification: Choose one: Yes to prevent users from modifying
the values; No to allow users to modify values (default).

5. Click Save & Close. A draft document for the new attribute appears
in the Draft Documents - Draft Attribute Types view.
6. Complete the procedure “Approving draft schema documents in the
Schema database.”
Using the Schema database to add an object class to the schema
You can use the Domino LDAP Schema database (SCHEMA.NSF) to add
an object class to the schema.
1. Make sure you have Manager access to the Schema database.
2. Open the Schema database on any server in the domain that runs the
LDAP service.
3. Select the All Schema Documents view, then click New Document -
Add Object Class.
4. Complete these fields on the Basics tab:

Field: Action
LDAP name: Enter a name for the object class.
OID: Enter the object identifier.
Object Class Type: Select the type of object class.
Superior Object Class: (Optional) Select the object class that is
immediately superior to this one in the object class structure.
Auxiliary Object Classes: (Optional) If this is a structural object
class, select each auxiliary object class to use with this object
class.
Description: (Optional) Enter a description for the object class.
Mandatory attributes: Select the attributes that are required to have
values. You can't remove mandatory attributes displayed that are
inherited from a superior object class.
Optional attributes: Select any attributes that may, but are not
required to, have values. You can't remove optional attributes
displayed that are inherited from a superior object class.

5. Click Save & Close. A draft document for the new object class
appears in the Draft Documents - Draft Object Classes view.
6. Complete the procedure "Approving draft schema documents in the
Schema database."
Using the Schema database to add a syntax to the schema
You can use the Domino LDAP Schema database (SCHEMA.NSF) to add
a syntax to the schema:
1. Make sure you have Manager access to the Schema database.
2. Open the Schema database on any server in the domain that runs the
LDAP service.
3. Select the All Schema Documents view, then click New Document -
Add Syntax.
4. Complete these fields on the Basics tab. For more information on
syntaxes, see RFC 2252.

Field: Action
LDAP name: Enter a name for the syntax type.
OID: Enter the object identifier.

5. Click Save & Close.
6. Complete the procedure "Approving draft schema documents in the
Schema database."
Approving draft schema elements in the Schema database
When you use the Domino LDAP Schema database (SCHEMA.NSF) to
add a schema element, the Draft Documents and All Schema Documents
views display a draft document for the element. Follow these steps to
approve draft schema elements to move them to the Pending Documents
view, so the schema daemon on the administration server for the Domino
Directory can incorporate them into the schema:
1. Make sure you have Manager access to the Schema database.
2. Open the Schema database on any server in the domain that runs the
LDAP service.
3. Look at the Draft Documents views to see a draft document for each
schema element added but not yet approved.
4. Review the draft documents, and make any final changes.
5. When you are ready to approve the changes, do one of the following:
• To approve only selected draft documents, select a specific Draft
Documents view, select the draft documents you are ready to
approve, and click Approve - Approve Selected Drafts.
• To approve all draft documents, select any Draft Documents view,
and click Approve - Approve All Drafts.
The documents you approve move to the Pending Documents views. If
you used a replica of the Schema database on a subordinate server to
approve the schema documents, the documents in the Pending
Documents views must replicate to the administration server for the
Domino Directory. When the schema daemon next runs on the
administration server it verifies the elements in the Pending Documents
views and then publishes them in the Schema database. The updated
Schema database then replicates to subordinate servers in the domain
that run the LDAP service.
Checking the status of approved schema elements in the Schema
database
Every 15 minutes (by default) the schema daemon on the administration
server for the Domino Directory looks for approved schema changes in
the Pending Documents views of the Domino LDAP Schema database.
To check the status of pending schema changes in the Schema database:
1. Open the Schema database (SCHEMA.NSF) on the administration
server for the Domino Directory.
2. Open the Extended Documents view — any documents here represent
schema elements that have been incorporated into the schema.
3. Open the Pending Documents view — any documents here represent
schema elements the schema daemon has not yet incorporated into
the schema.
Tip Use the Tell LDAP Reloadschema server command on the
administration server for the Domino Directory to manually initiate
processing of the schema changes in the Pending Documents view rather
than wait for the schema daemon to run on schedule.
Deleting schema elements from the Schema database
If you use the Domino LDAP Schema database (SCHEMA.NSF) to add
an element to the schema, you can delete that element if it is no longer
needed. After you delete an element, entries already in the directory with
values for the deleted element remain, but LDAP add and modify
operations can no longer specify the deleted element if schema-checking
is enabled.
Note that deleting an object class does not delete the attributes defined
for the object class. If you want to delete the attributes, you must do so
separately.
To delete an attribute, object class, or syntax shown in the Extended
Documents, Draft Documents, or Pending Documents view of the
Schema database:
1. Make sure you have Manager access in the database ACL with the
“Delete documents” privilege.
2. Open the Schema database on the administration server for the
Domino Directory.
3. Open the Extended Documents, Draft Documents, or Pending
Documents view that contains the schema element to be deleted.
4. Delete the schema element.
5. If you deleted a document from the Extended Documents view, on
the administration server for the Domino Directory restart the LDAP
task, so the schema daemon loads the schema changes into memory:
Restart Task LDAP
6. If you deleted a document from the Extended Documents view and
the LDAP service also runs on a subordinate server in the domain,
after the Schema database changes replicate to the subordinate
server, restart the LDAP task on the subordinate server:
Restart Task LDAP
Schema-checking
When schema-checking is enabled the LDAP service carries out LDAP
add and modify operations only if the operations conform to the schema.
Schema-checking is enabled by default, and it's best to keep this default
behavior if you allow write access to a directory, so you have better
control over the contents of the directory. When schema-checking is
enabled the LDAP service does the following to check that LDAP add
and modify operations comply with the schema:
• Verifies that each object class specified in an LDAP add operation is
defined in the schema.
• Verifies that attributes specified in LDAP add and modify operations
are associated with valid object classes for the entry.
• Verifies that during an LDAP add operation all mandatory
attributes required by the object classes for the entry are provided.
If any of these checks fail, the LDAP service aborts the operation and
returns the message "Object Class Violation."
Schema-checking is done only for LDAP add and modify operations and
not when Notes and Web users add and change documents in a Domino
Directory.
Note Whether or not you enforce schema-checking, the LDAP service
requires that each directory tree component specified in a distinguished
name during an add or modify DN operation corresponds to an entry in
the directory. For example, to add an entry with the distinguished name
"uid=JDoe,o=Acme", there must be an entry in the directory for
o=Acme.
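The following is an added example, not Domino code: it models the three checks listed above (object classes defined, attributes allowed by the entry's classes, mandatory attributes present) plus the parent-entry rule from the Note, and it uses the inheritance and auxiliary-class layout recommended under "Extending an existing object class" (a structural class that inherits from person, and an auxiliary class attached alongside it). The class names follow RFC 2256, but the MUST/MAY lists, the acme* elements and the directory contents are illustrative assumptions, not the real Domino schema.

```python
"""Added example, not Domino code: a minimal model of Domino's schema checks
for LDAP add/modify operations plus the parent-entry rule. Class names
follow RFC 2256; MUST/MAY lists, acme* elements and the directory
contents are constructed assumptions, not the real schema."""
from dataclasses import dataclass
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class ObjectClass:
    name: str
    kind: str                 # "abstract", "structural" or "auxiliary"
    sup: Optional[str]        # superior class; its MUST/MAY are inherited
    must: FrozenSet[str]      # attribute names, stored lower-case
    may: FrozenSet[str]


SCHEMA = {oc.name.lower(): oc for oc in (
    ObjectClass("top", "abstract", None, frozenset({"objectclass"}), frozenset()),
    ObjectClass("person", "structural", "top",
                frozenset({"sn", "cn"}), frozenset({"telephonenumber", "description"})),
    # Structural class B inheriting from A, as in the chapter's A/B example
    ObjectClass("organizationalPerson", "structural", "person",
                frozenset(), frozenset({"title", "l"})),
    ObjectClass("inetOrgPerson", "structural", "organizationalPerson",
                frozenset(), frozenset({"mail", "uid"})),
    # Auxiliary class C, attachable to entries of several structural classes
    ObjectClass("acmeBadgeHolder", "auxiliary", "top",
                frozenset({"acmebadgeid"}), frozenset({"acmebadgeexpiry"})),
)}

# Constructed directory contents, used only for the parent-entry check
EXISTING_DNS = {"o=Acme", "ou=West,o=Acme"}


def class_chain(name):
    """Yield an object class and every superior up to top; nothing if undefined."""
    oc = SCHEMA.get(name.lower())
    while oc is not None:
        yield oc
        oc = SCHEMA.get(oc.sup.lower()) if oc.sup else None


def allowed_and_required(classes):
    """Attributes the given classes (with their superiors) permit and require."""
    allowed, required = set(), set()
    for name in classes:
        for oc in class_chain(name):
            allowed |= oc.must | oc.may
            required |= oc.must
    return allowed, required


def _norm_dn(dn):
    return ",".join(part.strip() for part in dn.lower().split(","))


def check_add(dn, entry, existing_dns=EXISTING_DNS):
    """Return None if an LDAP add of `entry` at `dn` conforms, otherwise the
    error text a server would return. `entry` maps attribute names (any
    case) to lists of values and must carry an objectClass value."""
    attrs = {k.lower(): v for k, v in entry.items()}
    classes = attrs.get("objectclass", [])
    # Check 1: every object class named in the add is defined in the schema
    for oc in classes:
        if oc.lower() not in SCHEMA:
            return f"Object Class Violation: undefined object class '{oc}'"
    allowed, required = allowed_and_required(classes)
    # Check 2: every attribute is allowed by one of the entry's classes
    for attr in attrs:
        if attr not in allowed:
            return f"Object Class Violation: attribute '{attr}' not allowed by {classes}"
    # Check 3: every mandatory attribute has at least one value
    missing = sorted(required - {a for a, vals in attrs.items() if vals})
    if missing:
        return f"Object Class Violation: missing mandatory attribute(s) {missing}"
    # Parent rule, enforced whether or not schema-checking is on. Splitting on
    # the first comma is a simplification: escaped commas in RDNs are ignored.
    parent = _norm_dn(dn.split(",", 1)[1]) if "," in dn else ""
    if parent and parent not in {_norm_dn(d) for d in existing_dns}:
        return f"No Such Object: parent entry '{parent}' does not exist"
    return None


def check_modify_add(entry, attribute):
    """Return None if an LDAP modify may add `attribute` to an existing entry,
    otherwise the error text (only check 2 applies to a modify)."""
    classes = {k.lower(): v for k, v in entry.items()}.get("objectclass", [])
    allowed, _ = allowed_and_required(classes)
    if attribute.lower() not in allowed:
        return f"Object Class Violation: attribute '{attribute}' not allowed by {classes}"
    return None


if __name__ == "__main__":
    jane = {"objectClass": ["inetOrgPerson", "acmeBadgeHolder"], "cn": ["Jane Doe"],
            "sn": ["Doe"], "uid": ["jdoe"], "acmeBadgeId": ["A-1234"]}
    print(check_add("uid=jdoe,ou=West,o=Acme", jane))   # None: the add conforms
    print(check_add("uid=jdoe,ou=East,o=Acme", jane))   # parent entry missing
    print(check_modify_add(jane, "roomNumber"))         # attribute not allowed
```

The order of the checks matters for what an LDAP client sees: an undefined object class is reported before any attribute problem, and a missing mandatory attribute is only reported for an add, never for a modify, which is exactly the split the chapter describes.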
Schema-checking and directory assistance
The schema defined for the domain of the server running the LDAP
service is the basis for schema-checking. If the LDAP service uses
directory assistance to serve a secondary Domino directory or Extended
Directory Catalog for which LDAP write operations are enabled, the
LDAP service uses the schema defined for its own domain to determine
whether or not to allow write operations in the directory served through
directory assistance.
Enabling or disabling schema-checking
To disable or enable schema-checking for all the servers in the domain
that run the LDAP service:
1. From the Domino Administrator, open a server that runs the LDAP
service, or a server in the same domain as one that runs the LDAP
service.
2. Click the Configuration tab.
3. In the left pane, expand Directory, then LDAP, and then select
Settings.
4. Do one of the following:
If you see the prompt “Unable to locate a Server Configuration
document for this domain. Would you like to create one now?” click
Yes, then click the LDAP tab on the document.
If you do not see the prompt, click “Edit LDAP Settings.”
5. In the “Enforce schema?” field, choose one:
• Yes, to enable schema-checking (default)
• No, to prevent schema-checking
6. Click Save & Close.
Searching the root DSE and schema entry
The LDAP service supports schema-publishing, which means the
directory includes a schema entry that you can use to retrieve the
directory schema. Use the ldapsearch utility provided with Notes and
Domino or use another LDAP V3-compliant LDAP search tool to search
the root directory server entry (DSE) to determine the name of this
schema entry and to retrieve other information about the Domino LDAP
directory — for example, to retrieve the LDAP versions, extensions, and
controls supported.
For information on using the ldapsearch utility to search an LDAP
directory, see the chapter “Using the ldapsearch Utility.”
When you search the root DSE or the schema entry you can specify
whether to return values for operational attributes. An operational
attribute is an attribute that is used for directory administration.
Searching the root DSE
To search the root DSE, use one of the following ldapsearch commands:
To return the values of all attributes, specify one of the following:
ldapsearch -h hostname -b "" -s base "(objectclass=*)"
ldapsearch -h hostname -b "" -s base "(objectclass=*)" * +
To return only the values of non-operational attributes, specify:
ldapsearch -h hostname -b "" -s base "(objectclass=*)" *
To return only the values of operational attributes, specify:
ldapsearch -h hostname -b "" -s base "(objectclass=*)" +
Searching the schema entry
To search the schema entry to retrieve the directory schema, use one of
the following ldapsearch commands.
To return only the values of non-operational attributes, specify:
ldapsearch -h hostname -b "cn=schema" -s base "(objectclass=subschema)" *
To return only the values of operational attributes, specify:
ldapsearch -h hostname -b "cn=schema" -s base "(objectclass=subschema)" +
To return the values of all attributes, specify:
ldapsearch -h hostname -b "cn=schema" -s base "(objectclass=subschema)" * +
The easiest way to see the schema is to open the All Schema Documents
views in the Domino LDAP Schema database (SCHEMA.NSF).
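Where the Schema database is not to hand, the schema entry returned by the searches above is the only machine-readable copy of the schema, and its attributeTypes and objectClasses values use the RFC 2252 definition syntax. The following is an added example, not Domino code, that parses such output (including LDIF continuation lines as produced by ldapsearch -L) and then audits the OIDs of custom elements against the organization's registered prefix, as the OID guidelines earlier in this chapter require. The sample output is constructed; the acme* elements and the 1.3.6.1.4.1.99999 arc are placeholders, not a registered prefix, and the convention that custom elements carry an "acme" name prefix is an assumption of the example.

```python
"""Added example, not Domino code: parse attributeTypes / objectClasses
values from a schema-entry search (RFC 2252 syntax) and audit custom
elements' OIDs. SAMPLE is constructed; acme* names and the
1.3.6.1.4.1.99999 arc are placeholders, not registered identifiers."""
import re

# What `ldapsearch -L -b "cn=schema" -s base "(objectclass=subschema)" *`
# might return. Lines starting with a space are LDIF continuations.
SAMPLE = """\
dn: cn=schema
objectclass: top
objectclass: subschema
attributetypes: ( 1.3.6.1.4.1.99999.1.1 NAME 'acmeBadgeId' DESC 'Badge number'
  EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
attributetypes: ( 1.3.6.1.4.1.99999.1.2 NAME 'acmeBadgeExpiry'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
attributetypes: ( 1.3.6.1.4.1.99999.1.1 NAME 'acmeCostCenter'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
objectclasses: ( 1.3.6.1.4.1.99999.2.1 NAME 'acmeBadgeHolder' SUP top AUXILIARY
  MUST acmeBadgeId MAY ( acmeBadgeExpiry $ acmeCostCenter ) )
objectclasses: ( 2.16.840.1.113678.2.2.2.1.1 NAME 'dominoPerson' SUP top STRUCTURAL )
"""

_KEYWORDS = ("NAME", "DESC", "EQUALITY", "ORDERING", "SUBSTR", "SYNTAX", "SUP",
             "MUST", "MAY", "SINGLE-VALUE", "COLLECTIVE", "NO-USER-MODIFICATION",
             "ABSTRACT", "STRUCTURAL", "AUXILIARY")
_KEYWORD_RE = re.compile(r"\b(" + "|".join(map(re.escape, _KEYWORDS)) + r")\b")


def unwrap_ldif(text):
    """Return (attribute, value) pairs, joining LDIF continuation lines (a
    leading space continues the previous value). Base64 '::' values are
    not handled here."""
    pairs = []
    for line in text.splitlines():
        if line.startswith(" ") and pairs:
            name, val = pairs[-1]
            pairs[-1] = (name, val + line[1:])
        elif ":" in line:
            name, val = line.split(":", 1)
            pairs.append((name.strip().lower(), val.strip()))
    return pairs


def parse_definition(text):
    """Parse one RFC 2252 definition '( oid KEY value ... )' into a dict.
    Upper-case keywords inside a DESC string would confuse this splitter."""
    body = text.strip()
    if not (body.startswith("(") and body.endswith(")")):
        raise ValueError(f"not a schema definition: {text!r}")
    oid, _, rest = body[1:-1].strip().partition(" ")
    spec = {"oid": oid}
    parts = _KEYWORD_RE.split(rest)            # ['', 'NAME', " 'x' ", 'DESC', ...]
    for key, val in zip(parts[1::2], parts[2::2]):
        val = val.strip()
        if key in ("SINGLE-VALUE", "COLLECTIVE", "NO-USER-MODIFICATION"):
            spec[key] = True
        elif key in ("ABSTRACT", "STRUCTURAL", "AUXILIARY"):
            spec["kind"] = key
        elif key == "NAME":                    # 'name' or ( 'name1' 'name2' )
            spec[key] = re.findall(r"'([^']*)'", val)
        elif key in ("SUP", "MUST", "MAY"):    # token or ( a $ b $ c )
            spec[key] = [t.strip(" '") for t in val.strip("()").split("$") if t.strip()]
        else:                                  # DESC, EQUALITY, ORDERING, SUBSTR, SYNTAX
            spec[key] = val.strip("'")
    return spec


def load_schema(ldif_text):
    """Return {'attributetypes': [spec, ...], 'objectclasses': [spec, ...]}."""
    schema = {"attributetypes": [], "objectclasses": []}
    for name, value in unwrap_ldif(ldif_text):
        if name in schema:
            schema[name].append(parse_definition(value))
    return schema


def oid_problems(schema, org_prefix):
    """Audit the schema: every OID must be numeric arcs starting with 0, 1 or
    2 and be unique; custom elements (assumed here to carry an 'acme' name
    prefix) must lie under org_prefix. Returns a list of problem strings."""
    problems, seen = [], {}
    for specs in schema.values():
        for spec in specs:
            oid, name = spec["oid"], spec["NAME"][0]
            arcs = oid.split(".")
            if not all(a.isdigit() for a in arcs) or arcs[0] not in ("0", "1", "2"):
                problems.append(f"{name}: malformed OID {oid}")
            if oid in seen:
                problems.append(f"{name}: OID {oid} already used by {seen[oid]}")
            seen.setdefault(oid, name)
            if name.lower().startswith("acme") and not oid.startswith(org_prefix + "."):
                problems.append(f"{name}: OID {oid} is outside {org_prefix}")
    return problems


if __name__ == "__main__":
    for problem in oid_problems(load_schema(SAMPLE), "1.3.6.1.4.1.99999"):
        print(problem)   # flags acmeCostCenter reusing acmeBadgeId's OID
```

Run against real output, feed the text of `ldapsearch -L ... "(objectclass=subschema)" *` to load_schema instead of SAMPLE; the audit is the check worth repeating whenever the schema daemon publishes new elements, because a duplicated or foreign OID is accepted by the Schema database only as far as its own error checking goes and is otherwise invisible until a client keys on it.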
NOTES.INI settings related to the schema daemon
The following table contains the NOTES.INI settings that pertain to the
schema daemon.
For more information on these settings, see the "NOTES.INI File"
appendix.

Setting: Description
DisableLDAPOnAdmin: Disables the LDAP service for a domain
Schema_Daemon_Breaktime: Specifies how often (in seconds) the schema
daemon checks the status of the LDAP task to see if it should shut down
Schema_Daemon_Idletime: Specifies how long (in minutes) the schema
daemon remains idle after it finishes its tasks
Schema_Daemon_Reloadtime: Specifies how often (in hours) the schema
daemon on the administration server for the Domino Directory loads into
memory schema changes made using Domino Directory forms
Schema_Daemon_Resynctime: Specifies how often (in hours) the schema
daemon on the administration server for the Domino Directory updates
the Domino LDAP Schema database when its in-memory schema differs
from the schema published in the Schema database

Chapter 22
Using the ldapsearch Utility
This chapter describes how to use the ldapsearch utility to search an
LDAP directory.
Using the ldapsearch utility to search LDAP directories
Domino and Notes provide a command-line search utility,
LDAPSEARCH.EXE, that you use to search entries in any LDAP
directory. ldapsearch connects to a directory server and returns results
that match search criteria you specify.
ldapsearch is available on Domino server and Notes client platforms.
Note To use this tool, the directory that contains the NOTES.INI file
must be included in your system's path statement.
To use ldapsearch, enter the following command from the Domino or
Notes program directory:
ldapsearch parameters searchfilter attributes
Where:
• parameters are case-sensitive command-line parameters.
• searchfilter is a required search filter that specifies the attributes for
which to search.
• attributes are the attributes to return. Separate attributes with spaces.
If you don't specify one or more attributes to return, ldapsearch
returns all attributes from entries that match the search filter.
You do not have to use ldapsearch from a machine that runs the Domino
LDAP service.
Note If you have a local condensed Directory Catalog that is encrypted,
to run ldapsearch from the Notes program directory, you must specify
the password associated with the Notes ID used to do the encryption.
Table of ldapsearch parameters
The following table describes the case-sensitive parameters you can use
with ldapsearch.

Parameter: Use to
-?: Print help on using ldapsearch.
-a deref: Specify alias de-referencing. Enter never, always, search, or
find. Never is the default if you don't use this parameter.
-A: Retrieve only attribute names, not the values for the attributes.
-b basedn: Specify a distinguished name to use as the starting point for
beginning the search. Use quotation marks to specify the value, for
example: "ou=West,o=Acme,c=US". You must use this parameter if the
server you're searching requires you to specify a search base.
Otherwise, it is optional. Optionally use -s along with -b to determine
the scope of the search. Without -s, -b searches the entry specified as
the starting point and all descendants of the entry.
-B: Allow printing of non-ASCII values.
-D binddn: Specify a distinguished name that the server uses to
authenticate you. The name must correspond to an entry in the
directory and must have the necessary access to search the directory.
Specify the name in quotation marks, for example: "cn=Directory
Manager,o=Acme,c=US". If you don't use this parameter, the connection
to the server occurs anonymously. You must use -D if the server doesn't
allow anonymous connections. Along with -D, you must use the -w
parameter to specify a password associated with the distinguished name.
-f file: Specify a file that contains search filters to use, for example,
-f filters. Place each search filter on a separate line. ldapsearch
performs one search for each line. Optionally specify a filter pattern.
For example, specify -f filters "cn=%s" and enter a common name value
on each line in the file.
-F sep: Print sep rather than an equal sign (=) between attribute names
and values. Use this parameter, for example, if a tool that reads the
ldapsearch output expects a different separator.
-h hostname: Specify the host name of the server to which you're
connecting, for example, -h server.acme.com.
-l timelimit: Specify a time limit (in seconds) for the search to
complete. If you do not specify this parameter or if you specify a limit
of 0, searches can take an unlimited amount of time. ldapsearch never
waits longer than a search time limit set on the server, however.
-L: Specify that the output is in LDIF format. LDIF format uses a colon
(:) as the attribute delineator rather than an equal sign (=). LDIF is
useful for adding or modifying many directory entries at once. For
example, you can import the contents of the output into an
LDAP-compliant directory.
-M: Manage referral objects as normal entries so that ldapsearch returns
attributes for the referral entries themselves, rather than for the
entries referred to.
-n: Show how a search would be performed, but do not actually perform
the search.
-p port: Specify the port that the server uses. If you don't use this
parameter, ldapsearch uses port 389.
-R: Do not automatically follow search references returned by the
server. Note that a Netscape Directory server uses the term referrals
for search references.
-s scope: Specify the scope of the search when you use the -b parameter:
base, to search only the entry specified with the -b parameter;
onelevel, to search only the immediate children of the entry specified
with the -b parameter but not the entry itself; subtree, to search the
entry specified with the -b parameter and all of its descendants. Subtree
is the default behavior when you use -b without -s. The order in which
you specify -b and -s is unimportant.
-S attribute: Sort the results by a specified attribute.
-z sizelimit: Specify the maximum number of entries to return. If you
don't specify this parameter or if you specify a limit of 0, an unlimited
number of entries are returned. ldapsearch never returns more entries
than the server allows, however.
-u: Specify that ldapsearch return distinguished names in a
user-friendly format.
-v: Specify that ldapsearch run in verbose mode.
-w password: Specify the password associated with a distinguished name
used with the -D parameter. Note that a password given on the command
line is visible to other users of the machine in the process list and is
kept in the shell's command history, so use a dedicated low-privilege
search account rather than an administrator's credentials for routine
searches.
-x: Use with -S to specify that the LDAP server sorts the results
before returning them. If you use -S without -x, ldapsearch sorts the
results.

Using search filters with ldapsearch
You must use a search filter to specify the attributes for which to search.
The syntax for a search filter is:
"<attribute><operator><value>"
with no spaces around the operator. For example, this search filter finds
all entries containing Smith as the value for the sn (surname) attribute:
"sn=Smith"
You can specify any attribute stored in a directory in a search filter. The
following are common attributes used to search for entries about people:
• cn, a person's common name
• sn, a person's last name
• telephonenumber, a person's telephone number
• l, a person's geographic location
You can specify search filters on the ldapsearch command line, or you
can specify them in a file and use the ldapsearch parameter -f to refer to
the file. If you use a file, specify each search filter on a separate line.
Note You can include language tags in a search filter if the LDAP
directory, such as the Domino Directory, supports them. For example:
"givenName;lang-fr=Etienne"
Multiple search filters with boolean operators
You can use multiple search filters and boolean operators. Use this
syntax:
"(operator(filter)(filter))"
For example, use this search filter to find entries with the surname
Browning and the location Dallas.
"(&(sn=Browning)(l=Dallas))"
You can nest boolean operators. For example, use this search filter to find
entries with the surname caneel or givenname alfred in the mail domain
MDN:
"(&(maildomain=MDN)(|(sn=caneel)(givenname=alfred)))"
Table of operators used in ldapsearch search filters
The following table describes the operators you can use in a search filter.

Operator: Use to (Example)
=: Find entries that contain an attribute with a value equal to a
specified value. Example: "cn=John Browning"
=<string>*<string>: Find entries that contain an attribute with a value
equal to a specified substring. Examples: "cn=John*", "cn=J*Brown"
>=: Find entries that contain an attribute with a value that is
numerically or alphabetically greater than or equal to a specified
value. Example: "cn>=D"
<=: Find entries that contain an attribute with a value that is
numerically or alphabetically less than or equal to a specified value.
Example: "roomNumber<=300"
=*: Find entries that contain a value for a specified attribute,
regardless of the attribute value. Example: "sn=*"
~=: Find entries that contain an attribute with a value approximately
equal to a specified value. Example: "sn~=Brning" could return
sn=Browning
&: Find entries that meet the criteria specified in all search filters.
Example: "(&(cn=John Browning)(l=Dallas))"
|: Find entries that meet the criteria specified in at least one specified
search filter. Example: "(|(cn=John Browning)(l=Dallas))"
!: Find entries that do not meet the criteria specified in any search
filter. Example: "(!(cn=John Browning)(l=Dallas))". Note that the LDAP
filter standard (RFC 2254) defines ! as taking a single filter, so the
portable way to exclude entries that match any of several filters is to
nest them under |: "(!(|(cn=John Browning)(l=Dallas)))"

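The filter syntax and operators described above are easiest to understand by running them. The following is an added example, not part of the original chapter: a small parser and evaluator for this filter syntax, run against constructed directory entries so the boolean nesting, substring, ordering, presence and approximate operators can be exercised offline without a server. Approximate matching (~=) is server-defined, so the similarity threshold used here is an assumption; escaped characters inside values (for example \29 for a parenthesis) are not handled.

```python
"""Added example, not part of the original chapter: parse and evaluate
LDAP search filters of the kind ldapsearch accepts against constructed
entries. The ~= similarity threshold is an assumption; escaped
characters inside filter values are not handled."""
import difflib
import re

# Constructed sample entries: "dn" is a string, every other attribute a list
ENTRIES = [
    {"dn": "cn=John Browning,ou=West,o=Acme", "cn": ["John Browning"],
     "sn": ["Browning"], "l": ["Dallas"], "roomNumber": ["210"]},
    {"dn": "cn=Jane Smith,ou=West,o=Acme", "cn": ["Jane Smith"],
     "sn": ["Smith"], "l": ["Dallas"], "roomNumber": ["305"]},
    {"dn": "cn=Alfred Caneel,ou=East,o=Acme", "cn": ["Alfred Caneel"],
     "sn": ["Caneel"], "givenName": ["Alfred"], "mailDomain": ["MDN"]},
]


def parse_filter(text):
    """Parse a filter into a tuple tree: ("&"|"|"|"!", [subfilters]) or
    (op, attribute, value) with op in "=", ">=", "<=", "~=". The outer
    parentheses may be omitted for a single comparison, as in "sn=Smith"."""
    text = text.strip()
    tree, end = _parse(text, 0)
    if end != len(text):
        raise ValueError(f"unexpected text after filter: {text[end:]!r}")
    return tree


def _parse(s, i):
    if s[i] != "(":                        # bare comparison, no parentheses
        return _item(s[i:]), len(s)
    i += 1
    if s[i] in "&|!":
        op, i, subs = s[i], i + 1, []
        while s[i] == "(":
            node, i = _parse(s, i)
            subs.append(node)
        if s[i] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        if op == "!" and len(subs) != 1:   # RFC 2254: 'not' takes exactly one filter
            raise ValueError("'!' takes one filter; nest '|' to negate several")
        return (op, subs), i + 1
    end = s.index(")", i)
    return _item(s[i:end]), end + 1


def _item(text):
    for op in ("~=", ">=", "<=", "="):     # two-character operators first
        attr, sep, value = text.partition(op)
        if sep:
            return (op, attr.strip(), value.strip())
    raise ValueError(f"no operator in {text!r}")


def _values(entry, attr):
    """Values of `attr`; attribute names compare case-insensitively and any
    language tag ("givenName;lang-fr") must match the entry's key literally."""
    return [v for k, vals in entry.items()
            if k != "dn" and k.lower() == attr.lower() for v in vals]


def _order_key(x):
    # numeric ordering when the value is a number, otherwise case-insensitive text
    return (0, float(x)) if re.fullmatch(r"\d+(\.\d+)?", x) else (1, x.lower())


def _match_item(node, entry):
    op, attr, value = node
    vals = _values(entry, attr)
    if op == "=":
        if value == "*":                   # presence test, e.g. "sn=*"
            return bool(vals)
        if "*" in value:                   # substring: each '*' matches any run
            pat = ".*".join(re.escape(p) for p in value.split("*"))
            return any(re.fullmatch(pat, v, re.IGNORECASE) for v in vals)
        return any(v.lower() == value.lower() for v in vals)
    if op == "~=":                         # assumed similarity rule for approximate match
        return any(difflib.SequenceMatcher(None, v.lower(), value.lower()).ratio() >= 0.8
                   for v in vals)
    if op == ">=":
        return any(_order_key(v) >= _order_key(value) for v in vals)
    return any(_order_key(v) <= _order_key(value) for v in vals)


def matches(node, entry):
    op = node[0]
    if op == "&":
        return all(matches(n, entry) for n in node[1])
    if op == "|":
        return any(matches(n, entry) for n in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    return _match_item(node, entry)


def search(filter_text, entries=ENTRIES):
    """Return the DNs of the entries the filter selects, in directory order."""
    tree = parse_filter(filter_text)
    return [e["dn"] for e in entries if matches(tree, e)]


if __name__ == "__main__":
    print(search("(&(maildomain=MDN)(|(sn=caneel)(givenname=alfred)))"))
    print(search("sn~=Brning"))            # approximate match finds Browning
    print(search("(!(|(cn=John Browning)(l=Dallas)))"))
```

An entry with no value for the attribute fails every comparison, including <= and >=, which is why "roomNumber<=300" does not select the entry that has no roomNumber at all; the only way to select such entries is a negated presence test, "(!(roomNumber=*))".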
Using ldapsearch to return operational attributes
You can use the plus sign (+) with ldapsearch to return all the
operational attributes for entries. Operational attributes are attributes
used for directory administration, and a directory server only returns
them if you request them.
For example, to return all operational attributes for entries with the
common name John Brown specify:
ldapsearch -h host "cn=John Brown" +
You can use the + syntax only with the directory servers that support the
syntax, such as the Domino LDAP service.
To return a specific operational attribute only, specify the attribute.
Examples of using ldapsearch
The following table provides examples of using the ldapsearch utility.

Search: All entries on host ldap.acme.com using port 389, and return all
attributes and values
Command: ldapsearch -h ldap.acme.com "objectClass=*"

Search: Same as above, but return only attribute names
Command: ldapsearch -A -h ldap.acme.com "objectClass=*"

Search: All entries on host ldap.acme.com using port 389, return all
attributes, and de-reference any aliases found
Command: ldapsearch -a always -h ldap.acme.com "objectClass=*"

Search: All entries on host ldap.acme.com using port 389, and return the
attributes mail, cn, sn, givenname
Command: ldapsearch -h ldap.acme.com "objectClass=*" mail cn sn givenname

Search: (cn=Mike*) under base "ou=West,o=Acme,c=US" on host ldap.acme.com
using port 389, and return all attributes and values
Command: ldapsearch -b "ou=West,o=Acme,c=US" -h ldap.acme.com "(cn=Mike*)"

Search: One level on host ldap.acme.com using port 389, and return all
attributes and values
Command: ldapsearch -s onelevel -h ldap.acme.com "objectClass=*"

Search: Same as above, but limit scope to base
Command: ldapsearch -s base -h ldap.acme.com "objectClass=*"

Search: All entries on host ldap.acme.com using port 389; return all
attributes and values; do not exceed the time limit of five seconds
Command: ldapsearch -l 5 -h ldap.acme.com "objectClass=*"

Search: All entries on host ldap.acme.com using port 389; return all
attributes and values; do not exceed the size limit of five
Command: ldapsearch -z 5 -h ldap.acme.com "objectClass=*"

Search: All entries on host ldap.acme.com using port 389, binding as user
"cn=John Doe,o=Acme" with a password of "password", and return all
attributes and values in LDIF format
Command: ldapsearch -h ldap.acme.com -D "cn=john doe,o=acme" -w password -L
"objectClass=*"

Search: Search the host ldap.acme.com using port 389. All attributes that
anonymous is allowed to see are returned for the entry "cn=John Doe,o=Acme"
Command: ldapsearch -h ldap.acme.com -s base -b "cn=john doe,o=acme"
"objectClass=*"

Search: All entries on a different host, bluepages.ibm.com, which is
configured to listen for LDAP requests on port 391
Command: ldapsearch -h bluepages.ibm.com -p 391 "objectClass=*"

Search: Search bluepages.ibm.com on port 391, doing a subtree search
(default) starting in the organization "o=ibm" for any object type of
Person that also has an attribute matching any one of the attributes in the
OR filter. There is a timeout value of 300 seconds and the maximum number
of entries to return is set to 1000. Only the DN (default) and cn are
returned. (This is a common filter for Web applications.)
Command: ldapsearch -h bluepages.ibm.com -p 391 -b "o=ibm" -l 300 -z 1000
"(&(objectclass=Person)(|(cn=jerry seinfeld*)(givenname=jerry seinfeld*)(sn=jerry seinfeld*)(mail=jerry seinfeld*)))" cn

Search: Search bluepages.ibm.com on port 391 starting at the base entry
"cn=HR Group,ou=Asia,o=IBM" with a time limit of 300 seconds, asking for
all the members of this entry. (Another common filter in Web applications
to determine group membership.)
Command: ldapsearch -h bluepages.ibm.com -p 391 -b "cn=HR Group,ou=Asia,o=IBM"
-s base -l 300 "(objectclass=*)" member
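The last two rows of the table are the lookups a Web application typically performs, and the search term in the OR filter is exactly the part that comes from a user. The following Python script is an added example, not part of the Domino documentation: it assembles the same ldapsearch invocations from the table's sample hosts, ports and base entries, and escapes the search term with the standard LDAP v3 filter syntax (RFC 4515) so that a typed value cannot add clauses to the filter. The function names are this example's own.

```python
"""Assemble ldapsearch invocations like those in the table above without
letting a user-supplied search term change the filter.

Added example, not part of the Domino documentation. Hosts, ports, base
entries and the "jerry seinfeld" term are the table's sample values; the
function names are this example's own. Escaping follows RFC 4515, the
filter syntax that LDAP v3 servers such as the Domino LDAP service accept.
"""
import shlex
from typing import Iterable, List, Optional

# RFC 4515: these characters would change the structure of a filter if a
# value taken from a Web form were pasted in unescaped.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape one assertion value for use inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def person_filter(term: str, attrs: Iterable[str] = ("cn", "givenname", "sn", "mail")) -> str:
    """The "common filter for Web applications" from the table: any entry of
    object class Person whose cn, givenname, sn or mail starts with term.
    The trailing wildcard is added here; a '*' typed by the user is escaped
    so it is matched literally rather than widening the search."""
    safe = escape_filter_value(term)
    ors = "".join(f"({attr}={safe}*)" for attr in attrs)
    return f"(&(objectclass=Person)(|{ors}))"


def ldapsearch_argv(host: str, search_filter: str, attrs: Iterable[str] = (), *,
                    port: Optional[int] = None, base: Optional[str] = None,
                    scope: Optional[str] = None, time_limit: Optional[int] = None,
                    size_limit: Optional[int] = None, bind_dn: Optional[str] = None,
                    bind_pw: Optional[str] = None, ldif: bool = False) -> List[str]:
    """Build the argument vector for one ldapsearch run from the options the
    table uses (-h, -p, -D/-w, -L, -s, -b, -l, -z, then filter and attributes)."""
    argv = ["ldapsearch", "-h", host]
    if port is not None:
        argv += ["-p", str(port)]
    if bind_dn is not None:
        # A password given with -w is visible to other users in the process
        # list; the table shows it this way for illustration only.
        argv += ["-D", bind_dn, "-w", bind_pw or ""]
    if ldif:
        argv.append("-L")
    if scope is not None:
        argv += ["-s", scope]
    if base is not None:
        argv += ["-b", base]
    if time_limit is not None:
        argv += ["-l", str(time_limit)]
    if size_limit is not None:
        argv += ["-z", str(size_limit)]
    argv.append(search_filter)
    argv.extend(attrs)
    return argv


def command_line(argv: List[str]) -> str:
    """Quote each argument for a POSIX shell so parentheses and spaces in
    the filter reach ldapsearch intact."""
    return " ".join(shlex.quote(arg) for arg in argv)


if __name__ == "__main__":
    # The Web-application lookup from the table, with a 300-second time
    # limit and at most 1000 entries, returning only the DN and cn.
    lookup = ldapsearch_argv("bluepages.ibm.com", person_filter("jerry seinfeld"), ["cn"],
                             port=391, base="o=ibm", time_limit=300, size_limit=1000)
    print(command_line(lookup))
    # Group membership check: read the member attribute of one group entry.
    members = ldapsearch_argv("bluepages.ibm.com", "(objectclass=*)", ["member"], port=391,
                              base="cn=HR Group,ou=Asia,o=IBM", scope="base", time_limit=300)
    print(command_line(members))
    # A hostile term cannot add a second clause to the filter.
    print(person_filter("*)(uid=*"))
```

Running the script prints the two bluepages.ibm.com commands in shell-quoted form, followed by the filter produced for a term containing filter metacharacters, in which every `*`, `(` and `)` from the term has become an escape sequence while the wildcard the application appended is still a real wildcard. The time and size limits are kept in the argument builder on purpose: they are the only bound a Web application has on how much of the directory one request can read.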

Chapter 23
Setting Up Directory Assistance
This chapter describes directory assistance and how to set up and
monitor directory assistance in your organization.
Directory assistance
Directory assistance is a feature a server can use to look up information
in a directory other than a local primary Domino Directory
(NAMES.NSF). You can configure directory assistance to use a particular
directory for any of these services:
• Client authentication
• Group lookups for database authorization
• Notes mail addressing
• LDAP service searches or referrals
You can set up directory assistance for a remote LDAP directory or a
Domino directory. A remote LDAP directory can be any remote
LDAP-compliant directory, either one on a foreign LDAP directory
server or one on a Domino server that runs the LDAP service.
A Domino directory is a directory created from the PUBNAMES.NTF
template and accessed via NAMELookup calls. Servers can use directory
assistance to do lookups in either local or remote replicas of a Domino
directory. A Domino directory configured for directory assistance can be
a secondary Domino Directory, an Extended Directory Catalog, or a
primary Domino Directory.
A secondary Domino Directory is any Domino Directory that is not a
server’s primary Domino Directory. A secondary Domino Directory can
be a directory associated with another Domino domain. A secondary
Domino Directory can also be a Domino Directory created manually
from the PUBNAMES.NTF template that is not associated with a Domino
Domain, used, for example, to store and track Web user information.
An Extended Directory Catalog contains documents aggregated from
multiple secondary Domino Directories. A server must use directory
assistance to look up information in an Extended Directory Catalog,
unless you integrate the Extended Directory Catalog directly into the
primary Domino Directory.
For more information, see the topic “Directory assistance for an Extended
Directory Catalog” later in this chapter.
The primary Domino Directory is the directory a server searches first that
describes the Domino domain of the server. You can set up directory
assistance for a primary Domino Directory, usually to specify which
replicas of primary Domino Directories that servers with Configuration
Directories can use.
For more information, see the topic “Directory assistance for the primary
Domino Directory” later in this chapter.
For information on upgrading directory assistance from Domino Release
4.6 to Domino 6, see the Upgrade Guide.
How directory assistance works
To configure directory assistance, you create a directory assistance
database from the template DA50.NTF, and replicate it to the servers that
will use it. A server must have a local replica of a directory assistance
database to use directory assistance. Then you add the database file
name to the “Directory Assistance database name” field in the Domino
Directory Server documents of these servers.
You create a Directory Assistance document in the directory assistance
database to describe a particular directory and how it will be used, and
to define how to connect to the directory and to find alternate replicas for
failover. To set up directory assistance for a Domino Directory or an
Extended Directory Catalog — you select “Notes” in the “Domain type”
field in the Directory Assistance document. To set up directory assistance
for a remote LDAP directory, you select “LDAP” in the “Domain type”
field. You use one Directory Assistance document to configure all the
services for a directory and its replicas.
23-2 Administering the Domino System, Volume 1
Each server process that provides directory services and detects a local
directory assistance database configuration loads directory information
configured in the directory assistance database into an internal memory
table. During server startup and thereafter at five-minute intervals each
server process checks for changes to the directory assistance database
configuration and if found, each process reloads its internal memory
table to reflect the changes.
To look up names in a Domino Directory or an Extended Directory
Catalog, a server uses NAMELookup calls. To look up names in a remote
LDAP directory, a server uses a gateway feature that translates
NAMELookup calls to LDAP operations, and then translates LDAP
operations back to NAMELookup calls — a Domino server doesn’t have
to run the LDAP service to use a remote LDAP directory for directory
services.
Directory assistance services
Before you set up directory assistance, read about the services directory
assistance can provide:
• Client authentication
• Group lookups for database authorization
• Notes mail addressing
• LDAP service searches and referrals
Directory assistance and client authentication
To authenticate a user who is accessing a database on a Domino server
via any of the supported Internet protocols — Web (HTTP), IMAP, POP3,
or LDAP — a server can look up the user’s credentials in a directory that
is configured in its directory assistance database. Servers can use X.509
certificate security or name-and-password security for the authentication.
To allow a server to use a directory for Internet client authentication that
is configured in a directory assistance database, do the following in the
Directory Assistance document for the directory:
• On the Basics tab, next to “Make this domain available to,” select
“Notes clients and Internet Authentication/Authorization.”
• On the “Naming Contexts (Rules)” tab, enable at least one rule that
corresponds to the distinguished names of the users in the directory
to be authenticated, and next to “Trusted for Credentials,” select Yes.
For example, if your organization registers Web users in a foreign LDAP
directory, when a Web user attempts to access a database on a Domino
Web server, the server can connect to the remote foreign LDAP directory
server to look up the user name and password to do the authentication.

Note A server can always use a Domino directory in the directory
assistance database for client authentication if the directory is assigned
the same domain as the server’s domain, regardless of what selections
you make in these two fields.
For more information on creating rules that are trusted for credentials,
see the topic “Trusted naming rules” later in the chapter.
For information on specifying a domain name for a directory in a
Directory Assistance document, see the topic “Directory assistance and
domain names” later in the chapter.
Note You use an Internet Site document or the Ports - Internet Ports tab
of the Server document to control the types of client authentication an
Internet protocol server allows.
Names accepted for name-and-password authentication
If a server uses name-and-password security to authenticate Internet
clients, you select the types of names that the server can accept from
clients. On the Security - Internet Access tab of the Server document in
the primary Domino Directory, select “More name variations with lower
security” or “Fewer name variations with higher security” (the default).
The selection applies to name and password authentication using any
directory, including the primary Domino Directory.
Though a server can accept a name other than a distinguished name from
a client to search for a user’s entry in a directory, it is always the user’s
distinguished name in the directory entry that the server compares to
trusted rules in the Directory Assistance document to determine whether
to authenticate the client. For example, suppose a user is registered in a
directory with the distinguished name cn=alice browning,o=Acme, but
the user configures the name alice browning on the client. During
authentication, the server searches for an entry that contains the name
alice browning. When it finds the entry, it can only authenticate the client
if “cn=alice browning,o=acme” matches a trusted naming rule for the
directory.
A user’s distinguished name is also used as the basis for access control in
Domino, so you should use users’ distinguished names in database
ACLs, in groups used in database ACLs, in access lists in Server
documents, and in Web server File Protection documents.
For more information on name-and-password security, see the chapter
“Setting Up Name-and-Password and Anonymous Access to Domino
Servers.”
Encountering duplicate names during client authentication
If a server finds more than one directory entry containing the name
presented by the client that corresponds to a valid distinguished name
for authentication, within one directory or across directories, the server
authenticates the client using the entry with the valid password or X.509
certificate. If more than one such entry has a valid password or X.509
certificate and the same distinguished name, the server authenticates the
user using the first password or X.509 certificate it finds.
Consistent client names and passwords across protocols
If Domino servers authenticate a client over more than one Internet
protocol, for ease of directory administration, create one directory entry
for the client with one name and password that applies to all the
protocols. Then set up the client to use the same name and password for
all protocols.
For example, if a client connects to Domino over HTTP for Web browsing
and over LDAP for directory services, create one directory entry for the
client with a name and password, and set up the client to use the name
and password for both types of connections.
Features available for client authentication using a remote LDAP
directory
The following features are available specifically for client authentication
using a remote LDAP directory:
• Configurable search filters to control the search filter used to look up
names in the remote LDAP directory
• LDAP-to-Domino name mapping to enable users to authenticate using
Notes distinguished names rather than LDAP distinguished names.
For more information, see the topics “Configuring search filters in a
Directory Assistance document for a remote LDAP directory” and
“Using Notes distinguished names in a remote LDAP directory” later in
the chapter.
Notes client authentication
By default, when a server authenticates a Notes client it does not use
information in Domino Directory Person documents. However, if you
enable the option “Compare Notes public keys against those stored in
Directory” on the Basics tab of the server’s Server document, the server
authenticates a Notes user only if the public key presented by the Notes
client matches the public key in the user’s Person document.
If a Notes user who connects to a server to authenticate is registered in a
secondary Domino Directory rather than the server’s primary Domino
Directory, and the “Compare Notes public keys against those stored in
Directory” option is enabled for the server to which the user connects,
you must select the option “Make this domain available to: Notes clients
and Internet Authentication/Authorization” on a Directory Assistance
document to allow a server to do the public key comparison. This
Directory Assistance document can be for:
• The secondary Domino Directory in which the Notes user is registered
• An Extended Directory Catalog that aggregates the secondary Domino
Directory in which the Notes user is registered.
Directory assistance and group lookups for database authorization
When a database access control list (ACL) includes a group located in a
server’s primary Domino Directory, the server automatically can look up
the members of that group when authorizing a user’s database access.
You can store groups used for database authorization in one directory in
addition to the primary Domino Directory. This one additional directory
can be a secondary Domino Directory, an Extended Directory Catalog, or
a remote LDAP directory. Note that if the primary Domino Directory and
the one additional directory both contain a group used for database
authorization with the same name, a server uses the group in the
primary Domino Directory.
To use one additional directory for group authorization, do the following
in the Directory Assistance document for the directory:
• On the Basics tab, next to “Make this domain available to,” select
“Notes clients and Internet Authentication/Authorization.”
• On the Basics tab, next to “Group Authorization,” choose Yes.
The following figure illustrates looking up groups used for database
authorization in a remote secondary Domino Directory.
Tip Enabling “Group Authorization” for an Extended Directory Catalog
effectively enables you to store groups used for database authorization in
multiple secondary Domino Directories, as long as you aggregate the
directories into the directory catalog.
A server verifies a client’s access to a database after the client
authentication process is complete. You can use different directories for
client authentication and group authorization. For example, you can use
a remote LDAP directory for client authentication, and an Extended
Directory Catalog to look up groups during database authorization.
Note When you enable Group Authorization for a remote LDAP
directory, you can select a custom search filter for servers to use for
searching the groups.
For more information, see the topic “Configuring search filters in a
Directory Assistance document for a remote LDAP directory” later in the
chapter.
Nesting groups used for database authorization
When authorizing database access, a server can search a group that is
nested in a group listed in a database ACL, and search a group nested in
the nested group, and so on, as long as all of the groups are located in the
same directory.
If you enable “Group Authorization” for a secondary Domino Directory
or an Extended Directory Catalog, a server always searches nested
groups in the directory. If you enable “Group Authorization” for a
remote LDAP directory, use the “Nested group expansion” option to
control whether a server searches nested groups. Choose Yes (the
default) to search nested groups, or No to prevent nested group searches.
If there are many nested groups, selecting No can improve search
performance.
The restrictions on the location for groups used for database
authorization do not apply to groups used for other purposes. For
example, the Router can search groups in any directory configured for
directory assistance, and can search nested groups even when the nested
groups are located in different directories than their parents.
Directory assistance and Notes mail addressing
You can set up directory assistance on Notes users’ mail servers or
directory servers to enable the users to address mail easily to users in a
directory that is not the Domino Directory for their Domino domain. To
enable a directory to be used for Notes mail addressing, on the Basics tab
of the Directory Assistance document for the directory, next to “Make
this domain available to,” select “Notes clients and Internet
Authentication/Authorization.”
Notes mail addressing using a Domino Directory or Extended
Directory Catalog
To enable Notes users to address mail easily to Notes users registered in
a secondary Domino Directory or to users that have entries aggregated
into an Extended Directory Catalog, you can set up directory assistance
for the directory on the users’ mail servers or directory servers. Then, a
Notes user can:
• Use the “Select Addresses” dialog to browse and select names from
the directory, if the “Mail file location” field in the active Location
document is set to “On server.”
• Enter a name of a user or group from the directory and have
type-ahead use directory assistance to find a matching name if the
“Recipient name type-ahead” field in the user’s active Location
document is set to “Local then server.”
• Press F9 to resolve the address of a user name from the directory; if
the Notes user doesn’t resolve the address, either the Notes client
uses directory assistance to resolve the address when the user sends
the mail or, if the client doesn’t resolve the address, the Router uses
directory assistance to resolve the address.
The Router also uses directory assistance when routing mail.
For more information on Location documents, see Notes 6 Help.
Note that if a Notes user uses a local Mobile Directory Catalog that
aggregates secondary Domino Directories, name and address lookups of
users in a secondary Domino Directory can occur locally on the client
without the use of directory assistance. Note that type-ahead addressing
never extends to a server on a Notes client set up to use a Mobile
Directory Catalog.
Note A server can always use a Domino directory in the directory
assistance database for Notes mail addressing if the domain specified for
the directory is the same domain as the primary domain for the server;
this is true regardless of whether you select “Make this domain available
to: Notes clients and Internet Authentication/Authorization.”
Notes mail addressing using a remote LDAP directory
To enable Notes users to address mail easily to users registered in a
remote LDAP directory, you can set up directory assistance for the
directory on the users’ mail servers or directory servers. Then, a Notes
user can press F9 to resolve an address for a name from the LDAP
directory entered in an addressing field of a Notes message. If the user
doesn’t resolve the address, either the Notes client uses directory
assistance to resolve the address when the user sends the mail or, if the
client doesn’t resolve the address, the Router uses directory assistance to
resolve the address. A Notes client doesn’t use type-ahead addressing to
find names in a remote LDAP directory, and Notes users can’t use the
“Select Addresses” dialog box to browse and select names from a remote
LDAP directory.
LDAP accounts compared to directory assistance for Notes mail
addressing using a remote LDAP directory
A Notes client can use an LDAP account in the Personal Address Book to
connect directly to a remote LDAP directory server, without using
directory assistance. Using an LDAP account, a Notes user can search for
addresses in a remote LDAP directory using LDAP-style search queries.
Configure directory assistance to use a remote LDAP directory for Notes
mail addressing, rather than use LDAP accounts if there are users with
Notes Release 4 clients, since these clients don’t support LDAP Accounts.
You might also use directory assistance rather than LDAP Accounts to
avoid having to maintain the LDAP Accounts, for example, if the remote
LDAP directory configuration changes in some way.
For more information on creating accounts in the Personal Address Book,
see Notes 6 Help.
Choosing a preferred mail format for Notes mail addressing using a
remote LDAP directory
If you set up directory assistance so that Notes users can address mail to
users in a remote LDAP directory, use the “Preferred mail format”
option on the LDAP tab of the Directory Assistance document for the
LDAP directory to select the format of the mail address for Notes clients
to use:
• Keep the default selection, “Internet Mail Address,” to use the
Internet mail format, for example, jdoe@acme.com, which is the
format used in previous Notes/Domino releases.
• Select “Notes Mail Address” to use Notes-style addressing, for
example, John Doe/Acme@Acme.
If you select “Notes Mail Address” user entries in the remote LDAP
directory must have values for the mailDomain attribute. Typically the
“Notes Mail Address” option is used only in some cases if the remote
LDAP directory is a Domino Directory.
Directory assistance for the LDAP service
If a Domino server runs the LDAP service, you can:
• Set up directory assistance for a Domino Directory or Extended
Directory Catalog so that the LDAP service uses the directory to
process LDAP client operations.
• Set up directory assistance for a remote LDAP directory so that the
LDAP service can refer LDAP clients to the directory when a search
is unsuccessful in any Domino Directory or Extended Directory
Catalog.
Processing LDAP operations using a secondary Domino Directory
or Extended Directory Catalog
The LDAP service can use a secondary Domino Directory or an Extended
Directory Catalog to process LDAP client requests if there is a Directory
Assistance document for the directory in a directory assistance database
that the LDAP service uses, and “LDAP Clients” is selected in the “Make
this domain available to” field on the Basics tab of the document. To
prevent the LDAP service from using a Domino Directory or Extended
Directory Catalog when processing LDAP client requests, do not select
“LDAP Clients” in the Directory Assistance document for the directory.
Naming rules configured for the directories affect which of the
directories the LDAP service uses.
You control LDAP client access separately for each directory that the
LDAP services uses. For example, you can allow anonymous LDAP users
to access specific attributes in one directory, but not in another.
If the Domino Directory or Extended Directory Catalog is remote, the
remote server does not have to run the LDAP service. To process an
LDAP search request using a remote directory, the directory ACL on the
remote server must give the server running the LDAP service Reader
access through a “Server group” or “Server” user type entry if either of
the following is true:
• The search request comes from an authenticated LDAP client
• Extended access is enabled on the directory.
Servers typically have this required access through the
LocalDomainServers and OtherDomainServers groups default access in
the directory ACL.
The LDAP service does not process write operations to a remote Domino
Directory or Extended Directory Catalog. Instead, it returns the client an
LDAP referral to the administration server for the directory, or if there is
no administration server, the server that stores the remote replica
specified in the directory assistance database. This referral occurs
regardless of whether the remote server runs the LDAP service.
For more information on how naming rules for Domino Directories and
Extended Directory Catalogs configured in the directory assistance
database affect the LDAP service, see the topic “Naming rules and the
LDAP service” later in the chapter. For information on controlling LDAP
access to a directory, see the chapter “Setting Up the LDAP Service.”
Note You can also use directory assistance to prevent the LDAP service
from searching its primary Domino Directory.
For more information, see the topic “Using directory assistance to
prevent the LDAP service from searching the primary Domino
Directory” later in the chapter.
LDAP service referrals to a remote LDAP directory
If the LDAP service can’t find information for which an LDAP client is
searching in the primary Domino Directory, a condensed Directory
Catalog, or a Domino Directory or Extended Directory Catalog
configured in a directory assistance database, it can refer the client to a
remote LDAP directory. In the Directory Assistance document for the
remote LDAP directory on the Basics tab, next to “Make this domain
available to,” select “LDAP Clients”. To prevent the LDAP service from
referring clients to the directory, do not select “LDAP Clients”.
To return a referral, the Domino LDAP service uses information in the
Directory Assistance document for the remote LDAP directory. The
referral is compliant with LDAP v3 and includes:
• The URL hostname for the LDAP directory server
• The base distinguished name configured for the directory in the
Directory Assistance document.
• The port the LDAP directory server uses
Note that when returning a referral, the Domino server running the
LDAP service never connects to the remote LDAP directory server.
Some LDAP clients can accept more than one referral so that if the host
name specified in one referral is unavailable, the client can attempt to use
another. By default, for a given search, the LDAP service can refer an
LDAP client to only one remote LDAP directory host name. If there are
LDAP clients that use the LDAP service that can accept more than one
referral, you can use the LDAP service configuration setting “Maximum
number of referrals” to increase the number of referrals that the LDAP
service can return.
For information on how naming rules affect which host names the LDAP
service refers to clients, see the topic “Naming rules and the LDAP
service” later in the chapter.
Directory assistance concepts
Before you set up directory assistance, read about these directory
assistance concepts:
• Naming contexts (rules)
• Domain names
• Directory failover
• Directory assistance for an Extended Directory Catalog
• Directory assistance in conjunction with a condensed Directory Catalog
• Directory assistance for the primary Domino Directory
• Number of directory assistance databases
Directory assistance and naming rules
When you configure directory assistance for a directory, you define at
least one naming rule that corresponds to the names of users in the
directory. Naming rules are based on the X.500 distinguished name
model. This model uses a directory tree name hierarchy of country (c),
organization (o), and organizational unit (ou) to divide names into parts
that together represent unique locations in the directory tree. This is also
the naming model Domino and Notes have traditionally used.
Each directory assistance naming rule includes six parts, with each part
containing one of the following:
• The name of a specific directory tree branch, for example, the
organization Acme or the organizational unit Sales.
• An asterisk (*) to represent all branches at a specific level in the
directory tree name hierarchy
• A null character (nothing or a single space) to exclude all branches at
a specific level in the directory tree name hierarchy
It’s common to assign an all-asterisk rule to a directory (*/ */ */ */ */
*/ *) to represent all names in a directory. However, if directories
configured in directory assistance use discrete name hierarchies, it’s
useful to define rules for the directories that correspond to the hierarchies,
so servers can target a specific directory when searching for specific
names.
For example, assume Directory A and Directory B are both configured in
a directory assistance database. Names in Directory A fall under o=acme,
c=us so you specify the rule, */ */ */ */ acme/us for it, and the names
in Directory B fall under o=acme,c=fr so you specify the rule */ */ */ */
acme/fr for it. To find the name cn=jack brown,o=acme,c=fr, a server
searches only Directory B, and not Directory A, and to find the name
cn=joan brown,o=acme,c=us, a server searches only Directory A and not
Directory B.
This type of targeted directory search can occur when:
• A server looks for a hierarchical name in a Notes message address
field to resolve the address
• A server running the LDAP service processes an LDAP client search
operation that specifies a search base.
• A server running the LDAP service processes an LDAP client add,
delete, modify, or compare operation.
• A server looks for a hierarchical logon name an Internet client passes
when logging on to the server to initiate authentication.
For more information on how naming rules affect the LDAP service, see
the topic “Naming rules and the LDAP service” later in the chapter.
To find a flat name, a name without distinguishing parts, or to process an
LDAP search request that doesn’t specify a search base, a server ignores
naming rules and searches directories according to the search orders
specified for the directories in the Directory Assistance documents.
Note Some LDAP directories do not use the country (c), organization
(o), and organizational unit (ou) naming model. If you set up directory
assistance for an LDAP directory such as this, use an all-asterisk naming
rule for the directory.
Trusted naming rules
When an Internet client passes a logon name to a server to initiate
authentication, the server looks for the name in a directory configured in
the directory assistance database only if the directory has at least one
configured naming rule that is “Trusted for Credentials” — known as a
trusted rule. If the client logon name is hierarchical, the server looks for
the name only in directories with a trusted rule that matches the client
logon name, in addition to the primary Domino Directory. If the client
logon name is flat, for example John Smith, then the server looks for the
name in all directories with a trusted rule.
When a server finds the client logon name in a user entry in a directory,
the server compares the distinguished name assigned to the user entry to
the trusted rule(s) defined for the directory. The server only
authenticates the client if the distinguished name matches a trusted rule.
If you use a remote LDAP directory for client authentication and add
Notes distinguished names to the directory, the Notes distinguished
names, not the original LDAP distinguished names, must match a trusted
rule for the directory.
For more information on using Notes names in a remote LDAP directory,
see the topic “Using Notes distinguished names in a remote LDAP
directory” later in the chapter.
Examples of naming rules
The following table provides examples of naming rules, illustrating how
each rule includes or excludes names such as:
• Marilyn Jenkins/Omega
• Alan Jones/Sales/East/Acme/US
• Randi Bowker/Marketing/East/Acme/US
• Cheryl Lordan/IS/West/Acme/US
• Derek Malone/Accounting/West/Acme/US
• Deborah Jones/West/Acme/US
• Karen Lessing/West/Acme/DE

Rule: */*/*/*/*/*
Includes: All names in the directory
Excludes: No names

Rule: / / */*/Acme/*
Includes: Alan Jones/Sales/East/Acme/US; Randi Bowker/Marketing/East/Acme/US;
Cheryl Lordan/IS/West/Acme/US; Derek Malone/Accounting/West/Acme/US;
Deborah Jones/West/Acme/US; Karen Lessing/West/Acme/DE
Excludes: Marilyn Jenkins/Omega

Rule: / / */West/Acme/*
Includes: Cheryl Lordan/IS/West/Acme/US; Derek Malone/Accounting/West/Acme/US;
Deborah Jones/West/Acme/US; Karen Lessing/West/Acme/DE
Excludes: Marilyn Jenkins/Omega; Alan Jones/Sales/East/Acme/US;
Randi Bowker/Marketing/East/Acme/US

Rule: / / /West/Acme/*
Includes: Deborah Jones/West/Acme/US; Karen Lessing/West/Acme/DE
Excludes: Marilyn Jenkins/Omega; Alan Jones/Sales/East/Acme/US;
Randi Bowker/Marketing/East/Acme/US; Cheryl Lordan/IS/West/Acme/US;
Derek Malone/Accounting/West/Acme/US

Rule: / / */West/Acme/DE
Includes: Karen Lessing/West/Acme/DE
Excludes: Marilyn Jenkins/Omega; Alan Jones/Sales/East/Acme/US;
Randi Bowker/Marketing/East/Acme/US; Cheryl Lordan/IS/West/Acme/US;
Derek Malone/Accounting/West/Acme/US; Deborah Jones/West/Acme/US

Rule: / /IS/West/Acme/*
Includes: Cheryl Lordan/IS/West/Acme/US
Excludes: Marilyn Jenkins/Omega; Alan Jones/Sales/East/Acme/US;
Randi Bowker/Marketing/East/Acme/US; Derek Malone/Accounting/West/Acme/US;
Deborah Jones/West/Acme/US; Karen Lessing/West/Acme/DE

How naming rules relate to directory search orders


To look up a name that corresponds to a naming rule defined in more
than one Directory Assistance document, or to look up a flat name that
doesn’t have distinguishing parts, directory assistance uses the
configured search orders for the directories to decide which directory to
use, or which directory to use first.
For example, if the Directory Assistance documents for directory A and
directory B are assigned search orders of 2 and 1, respectively, and both
documents contain only an all-asterisk rule, then directory assistance
searches directory B before directory A.
The Directory Assistance view in the directory assistance database sorts
Directory Assistance documents by their specified search order.
If you don’t specify a search order, or if you assign the same search order
to two directories, directory assistance searches the directories in
alphabetical order, according to the value specified in the “Domain
name” field of the Directory Assistance document.
For more information on how Notes and Domino search multiple
directories, see the chapter “Planning Directory Services.”
Naming rules and the LDAP service
Naming rules affect how the LDAP service processes LDAP search
operations and LDAP write and compare operations. Naming rules also
define naming contexts for the LDAP service.
For information on directory assistance and the processing of LDAP
service write and compare operations, see the chapter “Setting Up the
LDAP service.” For more information on how the LDAP service uses
directory assistance, see the topic “Directory assistance for the LDAP
service” earlier in the chapter.
How naming rules affect LDAP search operations
An LDAP client can specify a search base when searching a directory. A
search base limits the scope of a search by specifying a point in the
directory tree at which to begin. You use naming rules to define a search
base for a directory. If an LDAP client specifies a search base, the LDAP
service searches a Domino Directory or Extended Directory Catalog
configured in the directory assistance only if the directory has a naming
rule that matches the search base. For example, if an LDAP client
specifies the search base ou=sales,o=acme, the LDAP service searches
only Notes directories that have rules such as:
*/ */ */ */ */ *
*/ */ */ */ acme/ *
*/ */ */ sales/ acme/ *
but not Notes directories with rules such as:
*/ */ */ mktg/ acme/ *
*/ */ */ */ org2/ *
*/ */ */ */ acme/ us
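The matching behind the naming-rule table earlier in this topic and the search-base rules just listed can be checked with a small model. The following is an added example, not code from Lotus Domino; the function names, the Directory class and the sample names are constructed for illustration. It follows the text: a rule has six components (OrgUnit4/OrgUnit3/OrgUnit2/OrgUnit1/Organization/Country), an asterisk matches any value, a blank component matches only an absent component, and a client is authenticated only when the entry's distinguished name matches a "Trusted for Credentials" rule. Two points go beyond the text and are assumptions: in abbreviated names a trailing two-letter component is read as the country, and a search base is treated as constraining only the components at or below the deepest one it names.

```python
"""Model of Domino directory assistance naming rules (added example; not
IBM Lotus Domino code).  All names, functions and sample data are
constructed for illustration."""

from dataclasses import dataclass, field
from typing import Optional

# Sample names taken from the naming-rule table (constructed test data).
NAMES = [
    "Marilyn Jenkins/Omega",
    "Alan Jones/Sales/East/Acme/US",
    "Randi Bowker/Marketing/East/Acme/US",
    "Cheryl Lordan/IS/West/Acme/US",
    "Derek Malone/Accounting/West/Acme/US",
    "Deborah Jones/West/Acme/US",
    "Karen Lessing/West/Acme/DE",
]


def parse_rule(rule: str) -> list[str]:
    """Split '/ / /West/Acme/*' into its six trimmed components."""
    parts = [p.strip() for p in rule.split("/")]
    if len(parts) != 6:
        raise ValueError(f"a naming rule needs 6 components: {rule!r}")
    return parts


def _positions(ous: list[str], org: str, country: str) -> list[str]:
    """Lay out org units (most specific first) as [OU4, OU3, OU2, OU1, O, C]."""
    ou1_first = list(reversed(ous))  # OU1 is the unit nearest the organization
    ou1_first += [""] * (4 - len(ou1_first))
    ou1, ou2, ou3, ou4 = ou1_first
    return [ou4, ou3, ou2, ou1, org, country]


def parse_name(name: str) -> list[str]:
    """Map a Notes name (canonical 'CN=x/OU=y/O=z/C=US' or abbreviated form)
    to rule positions.  Assumption: in abbreviated form a trailing two-letter
    component is the country."""
    comps = [c.split("=", 1)[-1].strip() for c in name.split("/")]
    rest = comps[1:]  # drop the common name
    country = ""
    if rest and len(rest[-1]) == 2 and rest[-1].isalpha():
        country = rest.pop()
    org = rest.pop() if rest else ""
    return _positions(rest, org, country)


def rule_matches(rule_parts: list[str], name_parts: list[str]) -> bool:
    """'*' matches anything; any other component must match exactly."""
    return all(r == "*" or r.casefold() == n.casefold()
               for r, n in zip(rule_parts, name_parts))


def includes(rule: str, names: list[str]) -> list[str]:
    """Names the rule includes; the rest are the ones it excludes."""
    parts = parse_rule(rule)
    return [n for n in names if rule_matches(parts, parse_name(n))]


@dataclass
class Directory:
    domain: str
    entries: list[str]                                      # user entry DNs
    trusted_rules: list[str] = field(default_factory=list)  # "Trusted for Credentials"


def authenticate(logon: str, directories: list[Directory]) -> Optional[str]:
    """Distinguished name the server may authenticate, or None.

    A hierarchical logon name is looked up only in directories with a trusted
    rule matching it; a flat logon name (a common name) in every directory
    with at least one trusted rule.  The entry's DN must match a trusted rule.
    The primary Domino Directory, which is always searched, is not modelled."""
    hierarchical = "/" in logon
    for d in directories:
        rules = [parse_rule(r) for r in d.trusted_rules]
        if not rules:
            continue
        if hierarchical and not any(rule_matches(r, parse_name(logon)) for r in rules):
            continue
        for dn in d.entries:
            common_name = dn.split("/")[0].split("=", 1)[-1]
            found = (dn.casefold() == logon.casefold() if hierarchical
                     else common_name.casefold() == logon.casefold())
            if found and any(rule_matches(r, parse_name(dn)) for r in rules):
                return dn
    return None


def search_base_matches(rule: str, search_base: str) -> bool:
    """True if a rule covers the subtree an LDAP search base names, e.g.
    '*/*/*/sales/acme/*' for 'ou=sales,o=acme'.  Assumption: components at
    or below the deepest one given in the base must match (an absent country
    matches only '*' or blank); components above it are unconstrained."""
    ous, org, country = [], "", ""
    for attr in filter(None, (a.strip() for a in search_base.split(","))):
        key, _, value = attr.partition("=")
        key, value = key.strip().lower(), value.strip()
        if key == "ou":
            ous.append(value)
        elif key == "o":
            org = value
        elif key == "c":
            country = value
    base = _positions(ous, org, country)
    deepest = next((i for i, p in enumerate(base) if p), len(base))
    return rule_matches(parse_rule(rule)[deepest:], base[deepest:])
```

Running `includes` over each rule in the table reproduces its Includes column; `search_base_matches` accepts the three rules listed above for `ou=sales,o=acme` and rejects the three below them.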
Note You can’t define a search base for the primary Domino Directory.
If the LDAP service can’t find the information for which an LDAP client
is searching in its primary Domino Directory, a condensed Directory
Catalog, or a Domino Directory or Extended Directory Catalog
configured in a directory assistance database, it can refer the client to a
remote LDAP directory.
By default, the LDAP service can refer a client to one LDAP directory
only. If the client specifies a search base, the LDAP service refers the
client only to an LDAP directory that is enabled for LDAP clients and has
a naming rule that matches the search base. If there is more than one
such directory, the LDAP service refers the client to the one with the
lowest search order.
Setting Up Directory Assistance 23-17
Directory Services
If the client doesn’t specify a search base, the LDAP service refers the
client to an LDAP directory that is enabled for LDAP clients, and if there
is more than one, it refers the client to the one assigned the lowest search
order.
If there is more than one host name specified in the Directory Assistance
document for the LDAP directory that the LDAP service picks for a
referral, the LDAP service refers the client to the first host name listed.
If you increase the number of referrals the LDAP service can return to a
client, the LDAP service follows the logic described above to pick the
first directory referral. If there is more than one host name specified in
the Directory Assistance document for this directory, the LDAP service
uses the additional host name(s) as the additional referral(s), up to the
maximum number of referrals the LDAP service configuration allows. If
there is no additional host name specified for the first directory picked
for referrals, then LDAP service can refer the client to an LDAP directory
with a different Directory Assistance document.
Naming rules as LDAP naming contexts
Some LDAP client applications, for example the IBM WebSphere®
Application Server, can discover naming contexts configured for an
LDAP directory server by searching the directory server’s root directory
server entry (DSE). When an LDAP user doesn’t specify a search base,
these applications can use the naming contexts configured on the server
to construct one to apply to the LDAP client searches.
The LDAP service uses naming rules configured in the directory
assistance database to define naming contexts in its root DSE.
Directory assistance and domain names
When you configure directory assistance for a directory you must
configure a domain name for the directory that is unique within the
directory assistance database. You use the “Domain name” field on the
Basics tab of a Directory Assistance document to configure a directory’s
domain name.
If the directory is a remote LDAP directory, make up a unique domain
name for the directory that is not the name of any Domino domain.
23-18 Administering the Domino System, Volume 1
If the directory is the Domino Directory for a Domino domain — Domino
server setup created it — specify the name of the directory’s Domino
domain.
If you created the directory manually from the PUBNAMES.NTF
template, and so it is not associated with a Domino domain — for
example the directory is an Extended Directory Catalog, or a Domino
Directory used to track Web user information — do one of the following
to specify a domain name for the directory:
• If you want servers with Configuration directories to use the
directory as their remote primary Domino Directory, specify the
Domino domain of the servers with the Configuration directories.
• If servers won’t use the directory as a remote primary Domino
Directory, make up a unique domain name for the directory.
Note If the domain name you specify for a Domino Directory or
Extended Directory Catalog is the same as the domain of the servers that
use the directory assistance database, the servers can use the directory
automatically for client authentication, group lookups for database
authorization, and Notes mail addressing, regardless of whether you select
“Make this domain available to: Notes clients and Internet
Authentication/Authorization.” In addition, servers search a directory in
the same domain first, regardless of the search order specified for the
directory.
Directory assistance and failover for a directory
When you set up directory assistance for a directory, you can configure
failover for the directory.
• Failover for a Domino Directory or Extended Directory Catalog
• Failover for a remote LDAP directory
Directory assistance and failover for a Domino Directory or
Extended Directory Catalog
When you set up directory assistance for a Domino Directory or
Extended Directory Catalog, on the Replicas tab of the Directory
Assistance document you specify the replicas of the directory for
directory assistance to use. When you specify replicas in a Directory
Assistance document for a Domino Directory or Extended Directory
Catalog:
• Configure directory failover, so that if one replica is unavailable,
directory assistance has at least one alternate replica it can try to use.
Directory assistance can use one of two methods to fail over to an
alternate replica of a Domino Directory or Extended Directory
Catalog: directory assistance failover, the failover method also
available in previous releases, or cluster failover, a failover capability
new in this release in the context of directory assistance.
• Make sure servers that use the directory assistance database have
fast network access to the directory replicas you specify. Fast
network access to replicas is particularly important if servers use a
directory to look up groups for database authorization.
• Make sure servers that do remote lookups to a replica have access to
the server that stores the replica, and have at least Reader access in
the directory access control list (ACL).
• If a directory is used for Notes mail addressing, make sure the Notes
users that use the feature have at least Reader access in the directory
ACL, so they can browse the directory. If Extended Access is enabled
for a directory, then the users must also have at least Reader access
to use typeahead or F9 address resolution.
The directory assistance failover method
Servers can use the directory assistance failover method, rather than
cluster failover method, to find an available replica of a Domino
Directory or Extended Directory Catalog. To use the directory assistance
failover method, on the Replicas tab of the Directory Assistance
document for the directory, specify up to five replicas of the directory
that are potentially available for use.
When a server starts up, directory assistance searches for an available
replica among the replicas you have specified. If directory assistance
cannot find an available replica during server startup, in five minutes it
attempts to locate an available replica again, continuing this attempt at
five-minute intervals until successful.
Once directory assistance finds an available replica at server startup, it
continues to use the replica unless the replica becomes unavailable, at
which point failover occurs and directory assistance looks for an
alternate replica. When a replica is unavailable for any reason, directory
assistance continues to use the alternate replica, even after the previously
unavailable replica becomes available.
Directory assistance finds that a replica is unavailable if it attempts to
access the replica during server startup, or during normal server
operation when it processes a client lookup request. A directory replica is
unavailable to directory assistance if:
• The server that stores the replica is unavailable, for example, the
server is down or there is a network connectivity problem.
• A view in the replica required for directory lookups is locked
because the server that stores the replica is rebuilding the view.
• A replica no longer exists because it has been deleted.
Note Directory assistance on servers running Domino Release 5.0.9
or earlier does not fail over when locked out of a view. To have this
failover capability in a mixed Lotus Domino 6/Lotus Domino Release 5
environment, upgrade Domino Release 5 servers to at least Lotus
Domino Release 5.0.10.
At server startup and during failover, directory assistance looks for an
available replica from the list of replicas specified in the Directory
Assistance document as follows:
1. Looks for a local replica.
2. Looks for a replica within the same Notes named network; if there is
more than one, looks in the order in which the Directory Assistance
document lists them.
3. Looks for a replica within the same Domino Domain; if there is more
than one, looks in the order in which the Directory Assistance
document lists them.
4. Looks for a replica it hasn’t looked for yet.
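The replica search order just listed, together with the stickiness described above (a chosen replica is kept until it becomes unavailable, and the alternate is then kept even after the first replica returns), can be expressed as a short model. This is an added example and not Domino's own code; the Replica and LocalServer classes, the injected availability probe and the sample servers are constructed for illustration, and the five-minute startup retry loop is noted in a comment rather than implemented.

```python
"""Model of the directory assistance failover method (added example; not
IBM Lotus Domino code).  Servers, named networks and the availability
probe are constructed for illustration."""

from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Replica:
    server: str          # server that stores the replica, e.g. "Hub1/East/Acme"
    named_network: str   # Notes named network of that server
    domain: str          # Domino domain of that server
    filename: str = "names.nsf"


@dataclass(frozen=True)
class LocalServer:
    name: str
    named_network: str
    domain: str


def replica_try_order(replicas: list[Replica], me: LocalServer) -> list[Replica]:
    """Local replica first, then same Notes named network, then same Domino
    domain, then everything else.  Within a class the order of the Directory
    Assistance document is kept, because sorted() is stable."""
    def rank(r: Replica) -> int:
        if r.server == me.name:
            return 0
        if r.named_network == me.named_network:
            return 1
        if r.domain == me.domain:
            return 2
        return 3
    return sorted(replicas, key=rank)


class DirectoryAssistance:
    """Tracks the replica in use.  `available` stands in for opening the
    replica and its lookup views; it returns False for a down server, a
    locked view or a deleted replica."""

    def __init__(self, replicas: list[Replica], me: LocalServer,
                 available: Callable[[Replica], bool]) -> None:
        self._order = replica_try_order(replicas, me)
        self._available = available
        self.current: Optional[Replica] = None

    def _find(self) -> Optional[Replica]:
        return next((r for r in self._order if self._available(r)), None)

    def startup(self) -> Optional[Replica]:
        # Called at server start.  The real server retries every five
        # minutes while this returns None; that loop is left out here.
        self.current = self._find()
        return self.current

    def lookup_replica(self) -> Optional[Replica]:
        """Replica to use for a lookup.  Failover happens only when the
        current replica is unavailable, and there is no fail-back."""
        if self.current is None or not self._available(self.current):
            self.current = self._find()
        return self.current


if __name__ == "__main__":
    me = LocalServer("Mail1/East/Acme", "TCPIP-East", "Acme")
    listed = [  # order as listed on the Replicas tab (constructed)
        Replica("Hub2/West/Acme", "TCPIP-West", "Acme"),
        Replica("Hub1/East/Acme", "TCPIP-East", "Acme"),
        Replica("Mail1/East/Acme", "TCPIP-East", "Acme"),
        Replica("Ext1/Partner", "TCPIP-Partner", "Partner"),
    ]
    down: set[str] = set()
    da = DirectoryAssistance(listed, me, lambda r: r.server not in down)
    print("startup ->", da.startup().server)
    down.add("Mail1/East/Acme")
    print("after local replica lost ->", da.lookup_replica().server)
    down.clear()
    print("after it returns (no fail-back) ->", da.lookup_replica().server)
```

The probe is injected rather than implemented so the same model can be driven by a test, a monitoring script, or a simulation of a rebuilding view.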
The cluster failover method for directory assistance
If replicas of a Domino Directory or Extended Directory Catalog
configured in the directory assistance database are on servers that are
members of a cluster, you can set up directory assistance to use cluster
failover and workload balancing instead of the directory assistance
failover method. To use cluster failover and workload balancing, in the
Replicas tab of the Directory Assistance document for the directory
specify only one of the directory replicas that is within the cluster. Be
sure to specify only one replica; if you specify more than one, directory
assistance ignores cluster failover, and instead uses the directory
assistance failover method described above to find an available replica.
Cluster failover is particularly useful in environments with centralized
directory services. For example, you can configure cluster failover in a
Directory Assistance document for a remote primary Domino Directory,
so that servers with Configuration Directories use cluster failover to find
an available replica of the remote primary directory.
Directory assistance and failover for a remote LDAP directory
To provide failover in the event that a remote LDAP directory configured
in directory assistance is unavailable, on the LDAP tab of the Directory
Assistance document for the remote LDAP directory, enter more than
one host name in the Hostname field. Separate hostnames with commas.
If the first LDAP directory server specified is unavailable, a Domino
server attempts to use the next one listed, and so on.
The configuration selections made in the Directory Assistance document
apply to each host name specified in the Hostname field except for the
value specified in the Port field. You can specify a port for a hostname
that is different from the port specified in the Port field by adding a colon
(:) followed by a port number after the hostname. For example, you can
enter the following in the Hostname field:
ldap1.acme.com:390, ldap2.acme.com:391
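The Hostname field syntax above, and the referral selection described earlier under “How naming rules affect LDAP search operations” (eligible directories ordered by search order, the first directory's host names used as referrals in listed order, further directories used once those are exhausted), can be modelled together. This is an added example, not Domino code; the RemoteLdapDirectory attributes are named after the Directory Assistance document fields the text mentions but are otherwise constructed, the sample directories are constructed, and the client is assumed to give no search base so naming-rule matching does not enter. Two assumptions beyond the text: a directory with no search order sorts after the numbered ones, and host names are DNS names (an unbracketed IPv6 literal would be misread).

```python
"""Model of LDAP referral selection and Hostname field parsing for remote
LDAP directories (added example; not IBM Lotus Domino code).  Field and
class names are constructed; sample data is constructed."""

from dataclasses import dataclass
from typing import Optional


@dataclass
class RemoteLdapDirectory:
    domain: str            # "Domain name" (Basics tab), unique in the database
    hostname_field: str    # "Hostname" (LDAP tab), e.g. "ldap1.acme.com:390, ldap2.acme.com"
    port: int = 389        # "Port" (LDAP tab): default for hosts without a :port suffix
    search_order: Optional[int] = None  # "Search order" (Basics tab); may be blank
    ldap_clients: bool = True           # "Make this domain available to: LDAP clients"


def parse_hostnames(field_value: str, default_port: int) -> list[tuple[str, int]]:
    """Split the Hostname field into (host, port) pairs in listed order.
    A trailing ':<digits>' overrides the Port field for that host only."""
    targets = []
    for item in field_value.split(","):
        item = item.strip()
        if not item:
            continue  # tolerate a trailing comma or doubled separator
        host, sep, port = item.rpartition(":")
        if sep and port.isdigit():
            targets.append((host.strip(), int(port)))
        else:
            targets.append((item, default_port))
    return targets


def _directory_order(d: RemoteLdapDirectory) -> tuple:
    # Lowest search order first; ties (and blank orders, assumed to sort
    # last) fall back to alphabetical order of the Domain name field.
    return (d.search_order is None, d.search_order or 0, d.domain.casefold())


def referrals(directories: list[RemoteLdapDirectory], max_referrals: int = 1) -> list[str]:
    """LDAP URLs to hand back as referrals, at most max_referrals.

    The first eligible directory's hosts come first, in listed order; when
    they are used up, the next eligible directory supplies the rest."""
    eligible = sorted((d for d in directories if d.ldap_clients), key=_directory_order)
    urls: list[str] = []
    for d in eligible:
        for host, port in parse_hostnames(d.hostname_field, d.port):
            if len(urls) == max_referrals:
                return urls
            urls.append(f"ldap://{host}:{port}/")
    return urls


if __name__ == "__main__":
    sample = [  # constructed Directory Assistance documents
        RemoteLdapDirectory("Partner", "ldap1.acme.com:390, ldap2.acme.com:391", 389, 2),
        RemoteLdapDirectory("HR-LDAP", "hr.example.test", 636, 1),
        RemoteLdapDirectory("Internal", "int.example.test", 389, None, ldap_clients=False),
    ]
    print("default (1 referral):", referrals(sample))
    print("up to 3 referrals:  ", referrals(sample, 3))
```

With the default of one referral only the lowest-ordered, LDAP-enabled directory's first host is returned; raising the maximum walks the remaining host names before moving to the next Directory Assistance document, which is the behaviour the text describes.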
Directory assistance for an Extended Directory Catalog
Unless you integrate an Extended Directory Catalog directly into a
server’s primary Domino Directory, a server uses directory assistance to
look up information in an Extended Directory Catalog.
When you create a Directory Assistance document for an Extended
Directory Catalog, the following selections are the important ones to
consider:
1. On the Basics tab, next to Domain type, select Notes.
2. On the Basics tab, next to Domain name, make up a unique domain
name. Or, if the Extended Directory Catalog functions as a remote
primary Domino Directory used by servers with Configuration
Directories, specify the domain of the servers with the Configuration
Directories.
3. If there are other Directory Assistance documents in the database, on
the Basics tab, next to Search order, typically you should specify a
search order of 1.
4. On the Basics tab, next to “Group Authorization,” select Yes if you
want servers to use groups aggregated in the Extended Directory
Catalog for authorizing database access. You can choose this option
for only one directory in the directory assistance database. Choose
the option for an Extended Directory Catalog if you want servers to
be able to use groups from any of the aggregated directories for
database authorization.
5. To trust all the directories aggregated in the Extended Directory
Catalog for Internet client authentication, on the “Naming contexts
(Rules)” tab, include a rule that is “Trusted for Credentials.” If you
want to trust some Domino Directories for client authentication, but
not others, you can create one Extended Directory Catalog that
aggregates the trusted directories and a second that aggregates
untrusted directories. Then create a separate Directory Assistance
document for each Extended Directory Catalog, and enable “Trusted
for Credentials” only in the document for the directory catalog you
want servers to trust for authentication.
6. On the Replicas tab, be sure to configure failover for the Extended
Directory Catalog.
For information on all the fields in a Directory Assistance document for a
Domino Directory or Extended Directory Catalog, see the topic “Creating
a Directory Assistance document for a Domino Directory or Extended
Directory Catalog” later in the chapter.
Note When servers use an Extended Directory Catalog, to optimize
lookup performance, remove any Directory Assistance documents that
exist for the directories aggregated in the directory catalog. For example,
if you aggregate Directory A into an Extended Directory Catalog, if there
is a Directory Assistance document for Directory A, remove the
document.
For more information on Extended Directory Catalogs, see the chapter
“Setting Up Directory Catalogs.”
Directory assistance in conjunction with a condensed Directory
Catalog
Condensed Directory Catalogs are optimized for small size and client
use. Although a server can use a condensed Directory Catalog, under
most circumstances it’s best for a server instead to use an Extended
Directory Catalog.
For information on the advantages to servers’ using an Extended
Directory Catalog rather than a condensed Directory Catalog, see the
chapter “Setting Up Directory Catalogs.”
If you do set up servers to use a condensed Directory Catalog, you may
also want to set up directory assistance for the individual Domino
Directories aggregated into the directory catalog, so that:
A server can use directory assistance to look up information not
aggregated in the condensed Directory Catalog.
A  server can trust a particular aggregated directory, but not all
aggregated directories, for client authentication.
Note Do not create a Directory Assistance document for a condensed
Directory Catalog itself, only for the directories aggregated into the
directory catalog.
Using directory assistance to look up information not aggregated
into a condensed Directory Catalog
While you always aggregate fields containing mail addressing
information into a condensed Directory Catalog to support the common
task of looking up users’ mail addresses, typically you would not
aggregate fields containing information such as the following, because
this would make the directory catalog too large:
• X.509 certificates used for client authentication
• Information LDAP clients only occasionally search for
• Notes users’ public keys used to send encrypted mail
Instead, set up directory assistance for a Domino Directory aggregated
into the directory catalog, so servers can use directory assistance to look
up the missing information directly in the Domino Directory. Each entry
in a condensed Directory Catalog includes the replica ID of the Domino
Directory from which the entry was derived and the UNID for the entry,
a unique ID associated with a replicated document. In the cases where
the condensed Directory Catalog doesn’t aggregate a field being
searched for, a server uses this directory catalog information and
information available through directory assistance to access quickly the
complete entry in the Domino Directory. Searching a Domino Directory
by keying off entries in a condensed Directory Catalog is faster than
using directory assistance alone to locate and search the Domino
Directory.
If you aggregate a Domino Directory into a condensed Directory Catalog,
and you don’t also set up directory assistance for the directory itself, a
server can’t use the directory to look up information omitted from the
Directory Catalog.
If you set up directory assistance for a Domino Directory but do not
aggregate the directory into a condensed Directory Catalog, a server can
use directory assistance to search the Domino Directory after searching
the directory catalog.
Note If a Domino Directory is aggregated into a condensed Directory
Catalog, but a particular entry from the directory is not aggregated, for
example because a selection formula excludes the entry, servers cannot use
directory assistance to look up the missing entry directly in the Domino
Directory.
Using directory assistance to trust one or some directories aggregated
into a condensed Directory Catalog for client authentication
To indicate that a server should trust for client authentication all
directories aggregated into a condensed Directory Catalog, select the
option “Trust the server based condensed directory catalog for
authentication with internet protocols” on the Basics tab of the server’s
Server document in the Domino Directory. In this case, directory
assistance is not required to indicate trust.
However, to tell a server to trust for client authentication only one or
some directories aggregated in a condensed Directory Catalog, create a
Directory Assistance document in a directory assistance database for
each of the aggregated Domino Directories to be trusted. In the Directory
Assistance document for each such directory, do the following:
• On the Basics tab, next to “Make this domain available to,” select
“Notes clients and Internet Authentication/Authorization.”
• On the “Naming Contexts (Rules)” tab enable at least one rule that
corresponds to the names to be authenticated, and select “Trusted for
Credentials” for the rule.
• On the “Replicas” tab include the replica of the Domino Directory
that the Dircat task uses to aggregate the directory into the
condensed Directory Catalog. Note that you do not include the
replica of the directory catalog.
Note You are not required to store user passwords, and you shouldn’t
store X.509 certificates, in a condensed Directory Catalog. Instead you
can set up directory assistance for the secondary Domino Directories that
are aggregated to enable servers to find the passwords/X.509 certificates.
Directory assistance for the primary Domino Directory
A server with a local replica of its primary Domino Directory searches
the directory automatically without the use of directory assistance. You
can configure directory assistance for the primary Domino Directory of
servers that use a directory assistance database to:
• Tell servers with Configuration Directories that use the directory
assistance database how to locate a remote replica of the primary
Domino Directory.
• Prevent the LDAP service from searching the primary Domino
Directory.
If multiple domains use replicas of one directory assistance database, you
might also create a Directory Assistance document for the primary
Domino Directory so that servers in other domains that use the directory
assistance database can do lookups in the directory.
Note You cannot prevent a server from using its primary Domino
Directory for Notes mail addressing, client authentication, or group
lookups for database authorization. A server can always use a primary
Domino Directory for these purposes, regardless of the options you select
for the directory in the Directory Assistance document.
Using directory assistance to control which remote replicas of a
primary Domino Directory servers with Configuration Directories
can use
A Configuration Directory is a small, selective replica of a domain
Domino Directory that contains only Domino configuration information.
A server with a Configuration Directory looks up information related to
directory services, such as information in user and group documents, in a
full replica of the domain primary Domino Directory on a remote server.
You can create a Directory Assistance document for the primary Domino
Directory in a directory assistance database used by servers with
Configuration Directories. Do this to specify which replicas of a remote
primary Domino Directory the servers potentially can use. This step isn’t
required — if you do not use directory assistance, a server with a
Configuration Directory uses default, built-in logic to find a remote
replica of a primary Domino Directory to use.
For more information on Configuration Directories and on the default
logic used to find a remote primary Domino Directory, see the chapter
“Setting Up the Domino Directory.”
If you set up directory assistance to control which remote replicas of the
primary Domino Directory servers with Configuration Directories can
use, the key options to select in the Directory Assistance document are
the following ones.
On the Basics tab:
• Next to “Domain Type” select Notes.
• Next to “Domain Name” enter the domain of the servers with the
Configuration Directories.
• Next to “Group Authorization” select No. A server can use groups
located in a primary Domino Directory replica to authorize database
access even when you select No because a primary Domino
Directory is always trusted for this purpose. Since you can select Yes
for only one directory in the directory assistance database, select No
to reserve the use of “Group Authorization” for another directory in
the directory assistance database.
For more information on the “Group Authorization” feature, see the
topic “Directory assistance and group lookups for database
authorization” earlier in this chapter.
On the Replicas tab, make sure to configure failover for the directory.
For more information, see the topic “Directory assistance and failover for
a Domino Directory or Extended Directory Catalog” later in this chapter.
For complete information on all the configuration fields in a Directory
Assistance document for a Domino Directory or Extended Directory
Catalog, see the topic “Creating a Directory Assistance document for a
Domino Directory or Extended Directory Catalog” later in this chapter.
Using directory assistance to prevent the LDAP service from
searching the primary Domino Directory
You can set up directory assistance for the primary Domino Directory to
prevent a server that runs the LDAP service from using the primary
Domino Directory when processing LDAP requests. For example, you
might want the LDAP service to use a secondary Domino Directory, but
not the primary Domino Directory.
The primary Domino Directory from which you exclude LDAP searches
can be local, or can be remote if the server running the LDAP service has
a Configuration Directory.
If you set up directory assistance to prevent LDAP searches of the
primary Domino Directory, the key options to select in the Directory
Assistance document are the following ones.
For complete information on all the configuration fields in a Directory
Assistance document for a Domino Directory, see the topic “Creating a
Directory Assistance document for a Domino Directory or Extended
Directory Catalog” later in the chapter.
On the Basics tab:
1. Next to “Domain Type” select Notes.
2. Next to “Domain Name” enter the domain of the servers that run the
LDAP service.
3. Next to “Make this domain available to” deselect “LDAP Clients.”
4. Next to “Group Authorization” select No to reserve the use of
“Group Authorization” for another directory in the directory
assistance database.
For more information on the “Group Authorization” feature, see the
topic “Directory assistance and group lookups for database
authorization” earlier in this chapter.
On the Replicas tab, do one of the following:
• If all the servers that use the directory assistance database are within
one domain and use a local primary Domino Directory, you have to
specify only one replica. Directory assistance requires the replica
specification to load properly, but the servers always do lookups in
their local primary Domino Directory replicas, regardless of the
replica you specify. An easy method is to specify an asterisk (*) in
the Server Name field, and a file name in the Domino Directory
File Name field, for example, NAMES.NSF.
• If the server running the LDAP service has a Configuration
Directory, complete the Replicas tab to indicate which replicas of the
remote primary Domino Directories to use.
For more information on specifying replicas, see the topic “Directory
assistance and failover for a Domino Directory or Extended Directory
Catalog” earlier in the chapter.
Number of directory assistance databases
Before you set up directory assistance, plan how many directory
assistance databases to use. You can create and configure one directory
assistance database that all or most servers use. Or you can create more
than one directory assistance database, with groups of servers — for
example servers within a domain — each using specific ones. All the
servers that use a particular directory assistance database must use a
directory configured in the database for the same services. If groups of
servers require the use of different directories or services, create a
separate directory assistance database for each group of servers to use.
For example, suppose all servers use an Extended Directory Catalog, but
one group of servers also uses a remote LDAP directory for client
authentication. You would set up a separate directory assistance database
for that group of servers that contains Directory Assistance documents
for both the directory catalog and the LDAP directory. For the other
servers, create a directory assistance database configured for the
directory catalog only.
Setting up directory assistance
To set up directory assistance in a Domino domain, complete these
procedures.
1. Create and replicate a directory assistance database.
2. Set up servers to use the directory assistance database.
3. Create a Directory Assistance document for each Domino Directory
or Extended Directory Catalog for which you want to provide
directory assistance.
4. Create a Directory Assistance document for each remote LDAP
directory for which you want to provide directory assistance.
For information on troubleshooting problems with directory assistance,
see the chapter “Troubleshooting.”
Creating and replicating a directory assistance database
Create a directory assistance database on one server, and then create a
replica of the database on each server in the domain that will use it for
directory assistance. A server can use one directory assistance database
only.
1. From the Domino Administrator, create the database:
a. Choose File - Database - New to open the “New Database” dialog
box.
b. Enter the name of the server on which to create the database.
c. Enter a title for the database — for example, Directory
Assistance. You can enter any title.
d. Enter a file name for the database — for example, DA.NSF. You
can enter any file name with the extension .NSF.
e. Click “Show advanced templates.”
f. Click Template Server and select a server that stores the
Directory Assistance template (DA50.NTF).
g. Select the Directory Assistance template (DA50.NTF) from the
list of templates.
h. Keep “Inherit future design changes” selected.
i. Click OK.
2. Create a replica of the directory assistance database on each server
that will use it.
Tip Using the same file name and path for the replicas on each
server makes it easy to use the Administration Process to add the file
name and path to Server documents.
For more information on replication, see the chapter “Creating
Replicas and Scheduling Replication.”
3. Create Connection documents to schedule replication of the database
to all the servers that will use it.
4. Continue to the procedure “Setting up servers to use a directory
assistance database.”
Setting up servers to use a directory assistance database
After you create a directory assistance database and replicate it to
servers, set up the servers to use the database. To set up a server to use a
directory assistance database, add the file name of the server’s replica of
the database to the “Directory assistance database name” field of the
server’s Server document in the primary Domino Directory.
23-30 Administering the Domino System, Volume 1
Use the Administration Process to automate adding a directory
assistance database file name to multiple Server documents — the
Administration Process creates a “Set Directory Assistance Field” request
to add the file name. Or enter the file name of the directory assistance
database to Server documents manually.
Using the Administration Process to add the directory assistance
database file name to multiple Server documents
To use the Administration Process to add a directory assistance database
file name to multiple Server documents:
1. Make sure that you:
• Created and replicated the directory assistance database
• Have either Author access and the ServerModifier role, or Editor access in the ACL of the Domino Directory to which you will add the file names
• Have set up the Administration Process
2. From the Domino Administrator, click the Configuration tab.
3. Next to “Use Directory on,” select the administration server for the
Domino Directory.
4. In the left pane, expand Server - All Server Documents.
5. Select the Server documents for all servers that use the same file
name for the directory assistance database. A check mark appears
next to each document.
6. Choose Actions - Set Directory Assistance Information.
7. Enter the file name that you gave to the directory assistance database
on these servers — for example, DA.NSF. If the directory assistance
database is in a subdirectory under the data directory, include the
path relative to the data directory — for example,
DIRECTORIES\DA.NSF.
8. Click OK.
9. When you see the dialog box stating “Request has been submitted,”
click OK again.
10. Use the command “tell adminp process interval” to force processing
of the “Set Directory Assistance Field” request, or wait until the
Administration Process processes the request when it next processes
interval requests.
For more information, see the appendix “Server Commands.”
11. Replicate the modified Domino Directory to the servers that will use
the directory assistance database.
12. Restart the servers so they detect the directory assistance database
file names in their Server documents.
13. Continue to one or both of these procedures:
• Creating a Directory Assistance document for a Domino directory
• Creating a Directory Assistance document for a remote LDAP directory
Entering the directory assistance database file name to a Server
document manually
1. Make sure that you:
• Created and replicated the directory assistance database
• Have either Author access and the ServerModifier role, or Editor access in the ACL of the Domino Directory to which you will add the file names
2. From the Domino Administrator, click the Configuration tab.
3. Next to “Use Directory on,” select the server whose Domino
Directory you want to modify.
4. In the left pane, expand Server - All Server Documents.
5. Select a specific Server document, and then click Edit Server.
6. In the “Directory Assistance database name” field in the “Directory
Info” section on the Basics tab, enter the file name that you gave to
the replica of the directory assistance database on this server — for
example, DA.NSF. If the directory assistance database is in a
subdirectory under the data directory, include the path relative to
the data directory — for example, DIRECTORIES\DA.NSF.
7. Click Save & Close.
8. If the Domino Directory you changed is not the replica of the server
whose directory assistance database file name you specified,
replicate the updated Domino Directory to the server.
9. Restart the server so it detects the directory assistance database file
name now in its Server document.
10. Continue to one or both of these procedures:
• Creating a Directory Assistance document for a Domino directory
• Creating a Directory Assistance document for a remote LDAP directory
Creating a Directory Assistance document for a Domino Directory or
Extended Directory Catalog
To set up directory assistance for a Domino Directory or an Extended
Directory Catalog, create a Directory Assistance document for the
directory in the directory assistance database as follows:
Note Do not create a Directory Assistance document for a condensed
Directory Catalog.
1. Make sure you have read about directory assistance services and
concepts.
2. Make sure that you have created and replicated a directory
assistance database and have set up servers to use it.
3. From the Domino Administrator, choose File - Open Server, and
select a server that you have set up to use the directory assistance
database.
4. Click the Configuration tab.
5. In the left pane, expand Directory - Directory Assistance. If you see
“Server Error: File does not exist,” the server you selected in step 3 is
not set up to use the directory assistance database.
6. Click Add Directory Assistance.
7. On the Basics tab, complete these fields:
Domain type
    Choose Notes.

Domain name
    The name of the Domino domain associated with the directory. If the directory isn’t associated with a Domino domain because you created it manually rather than through server setup, make up a unique domain name for it. For more information, see the topic “Directory assistance and domain names.”

Company name
    (Optional) The name of the company associated with this directory. Multiple Directory Assistance documents can use the same company name.

Search order
    (Optional) A number affecting the order in which servers search this directory relative to other directories configured in the directory assistance database. For more information, see the topic “How naming rules relate to directory search orders.”

Make this domain available to
    Choose one or both:
    • “Notes Clients and Internet Authentication/Authorization” to use the directory for Notes mail addressing, Internet client authentication, or to look up the members of groups for database authorization. By default, the option is enabled. To prevent servers from using the directory for these services, do not choose this option. If the domain specified in the “Domain name” field is the same Domino domain (the primary domain) of the servers that use directory assistance, the servers use the directory for these three services automatically, even if you do not choose this option.
    • “LDAP Clients” to enable the LDAP service running on servers to search the directory when processing LDAP requests. By default, the option is enabled. To prevent the LDAP service from searching the directory, do not choose this option.
    For more information, see the topic “Directory assistance services.”

Group Authorization
    Choose one:
    • Yes to search the members of groups in the directory when authorizing database access. You must also select “Make this domain available to: Notes Clients and Internet Authentication/Authorization.” You do not have to enable a rule that is “Trusted for Credentials.”
    • No (default) to prevent searching the members of groups in the directory when authorizing database access.
    Enable this option in only one Directory Assistance document, Notes or LDAP, in the directory assistance database. If the domain specified in the “Domain name” field is the same Domino domain (the primary domain) of the servers that use directory assistance, the servers use the directory to look up groups for database authorization automatically, even if you choose No for this option. For more information, see the topic “Directory assistance and group lookups for database authorization.”

Enabled
    Choose Yes to enable directory assistance for this directory.

8. Click the Naming Contexts (Rules) tab, and for each rule you want to
define, complete the following fields. By default, an all-asterisk rule
is enabled with “Trusted for Credentials” set to No.
N.C. #
    A naming context (rule) that describes names in the directory. For more information, see the topic “Directory assistance and naming rules.”

Enabled
    Choose one:
    • Yes to enable a rule
    • No to disable a rule

Trusted for Credentials
    Choose one:
    • Yes to allow servers to use credentials in this directory to authenticate Internet clients whose distinguished names in the directory correspond to the rule.
    • No (default) to prevent servers from using this directory to authenticate Internet clients whose distinguished names correspond to the rule.
    For more information, see the topic “Trusted naming rules.” If the domain specified in the “Domain name” field on the Basics tab is the same Domino domain (the primary domain) of the servers that use directory assistance, the servers trust all user names in the directory for client authentication, even if you do not choose this option.

9. Click the Replicas tab. Use either the “Database links” field or the
“Replica#” fields to specify replicas of the directory for servers to
use. If you make any entry in a Replica# field, then directory
assistance ignores all entries in the “Database links” field.
To set up directory assistance to use cluster failover to locate an
available replica of the directory, specify only one replica of the
directory within the cluster.
For more information on failover, see the topic “Directory assistance
and failover for a Domino Directory or Extended Directory Catalog.”
Database links
    For each replica you want to specify:
    • Open the replica of the directory, and choose Edit - Copy As Link - Database Link.
    • Select the “Database links” field, and choose Edit - Paste.
    Using database links may delay server startup. When you restart a server that uses directory assistance, server tasks retrieve database information from the remote servers to which the links refer. Use database links only if the servers to which the links refer are consistently available.

Replica #
    The server name and file name of a replica of the directory, for example:
    Server Name: Mail1/West/Acme
    Domino Directory File Name: EASTNAMES.NSF
    Select Enabled next to each replica you specify.

10. Click Save & Close.

Shortcut for specifying local replicas of a Domino Directory or
Extended Directory Catalog in a Directory Assistance document
You can enter an asterisk (*) in the Server Name field on the Replicas tab
of a Directory Assistance document for a Domino Directory or Extended
Directory Catalog to indicate that directory assistance should first look
on its local server for a replica of the directory. This feature is useful in
an environment where multiple servers use directory assistance to search
local replicas of a directory with the same file name. Use an asterisk to
represent all the servers that have local replicas of the directory with the
same file name, rather than specifying each server individually in its own
Server Name field.
For example, if servers A, B, C, and D each store local replicas of the
directory ACMEWEST.NSF configured for directory assistance, use an
asterisk to specify only one Server Name/Directory Filename entry in the
Directory Assistance document for ACMEWEST.NSF:
Server Name Directory Filename
* ACMEWEST.NSF
If you do not enter an asterisk, you must make these four Server
Name/Directory Filename entries:

Server Name    Directory Filename
Server A       ACMEWEST.NSF
Server B       ACMEWEST.NSF
Server C       ACMEWEST.NSF
Server D       ACMEWEST.NSF

For servers that do not have a local replica of the directory, add at least
one explicit Server Name/Directory Filename entry in the Directory
Assistance document for these servers to use. If you use the directory
assistance failover method, specify at least one explicit Server
Name/Directory Filename entry for servers with local replicas to use as an
alternate in the event the replica is unavailable.
Note Do not use * in the Server Name field in a Directory Assistance
database that Lotus Domino Release 4 servers use. Instead, create a
separate Directory Assistance database that uses explicit server names
for Release 4 servers to use.
Creating a Directory Assistance document for a remote LDAP
directory
To set up directory assistance for a remote LDAP directory, create a
Directory Assistance document for the directory in a directory assistance
database as follows. Before you begin, make sure you have read about
directory assistance services and concepts.
1. Make sure you have created and replicated a directory assistance
database, and have set up servers to use it.
2. If you are using the remote LDAP directory for any purpose other
than LDAP service referrals, use the TCP/IP ping utility to test that
the Domino servers that will use the LDAP directory can connect to
the remote LDAP directory server.
3. From the Domino Administrator, choose File - Open Server, select a
server that you have set up to use the directory assistance database,
and click OK.
4. Click the Configuration tab.
5. In the left pane, expand Directory - Directory Assistance. If you see
“Server Error: File does not exist,” the server you selected in step 3 is
not set up to use the directory assistance database.
6. Click Add Directory Assistance.
7. On the Basics tab, complete these fields:
Domain type
    Choose LDAP.

Domain name
    A domain name of your choice that is different from the domain name specified for any other Directory Assistance document, Notes or LDAP, in the directory assistance database. For more information, see the topic “Directory assistance and domain names.”

Company name
    (Optional) The name of the company associated with this directory. Multiple Directory Assistance documents can use the same company name.

Search order
    (Optional) A number affecting the order in which servers search or refer LDAP clients to this directory relative to other directories configured in the directory assistance database. For more information, see the topic “How naming rules relate to directory search orders.”

Make this domain available to
    Choose one or both:
    • “Notes clients and Internet Authentication/Authorization” to use this LDAP directory for Notes mail addressing, Internet client authentication, or to look up the members of groups for database authorization.
    • “LDAP Clients” to enable a server running the LDAP service to refer LDAP clients to this LDAP directory.
    For more information, see the topic “Directory assistance services.”

Group Authorization
    Choose one:
    • Yes to search the members of groups in this LDAP directory when authorizing database access.
    • No (default) to prevent searching the members of groups in the directory when authorizing database access.
    Choose Yes for only one directory, Notes or LDAP, configured in the directory assistance database. You do not have to enable a rule that is “Trusted for Credentials.” If you select Yes, in the “Nested group expansion” field that appears choose one:
    • Yes (default) to search nested groups, that is, groups that are members of groups listed in database ACLs.
    • No to search only the members of groups listed in database ACLs, and not the members of groups nested within those groups.
    For more information on group authorization, see the topic “Directory assistance and group lookups for database authorization.”

Enabled
    Choose Yes to enable directory assistance for this LDAP directory.

8. On the Naming Contexts (Rules) tab, for each rule you want to define
for the directory, complete the following fields. By default, an
all-asterisk rule is enabled with “Trusted for Credentials” set to No.
N.C. #
    Enter a naming context (rule) that describes the user names in the LDAP directory. For more information, see the topic “Directory assistance and naming rules.”

Enabled
    Choose one:
    • Yes to enable a rule
    • No (default) to disable a rule

Trusted for Credentials
    Choose one:
    • Yes to allow servers to use credentials in the LDAP directory to authenticate Internet clients whose distinguished names in the directory correspond to the rule.
    • No (default) to prevent servers from using this directory to authenticate Internet clients whose distinguished names in the directory correspond to the rule.
    For more information, see the topic “Trusted naming rules.”

9. On the LDAP tab, complete these fields:
Hostname
    The host name for the remote LDAP directory server — for example, ldap.acme.com. A Domino server uses this host name to connect to the remote LDAP directory server, or to refer LDAP clients to the LDAP directory.
    Enter an additional host name or host names so that a Domino server can use an alternate LDAP directory server if the directory server represented by the first host name specified is unavailable. Separate host names with commas. If you specify more than one directory server and each listens on a different port, specify the ports after the host names. For example:
    ldap1.acme.com:390, ldap2.acme.com:391
    For more information, see the topic “Directory assistance and failover for a remote LDAP directory.”

Optional Authentication Credential
    (Optional) Below “Optional Authentication Credential” enter a user name and a password for a Domino server to present when it connects to the remote LDAP directory server. The LDAP directory server uses the name and password to authenticate the Domino server. If you don’t specify a name and password, a Domino server attempts to connect anonymously. For more information, see the topic “Specifying a name and password for Domino servers in a Directory Assistance document for a remote LDAP directory.”

Base DN for search
    A search base, if the LDAP directory server requires one. For example:
    o=Ace Industry
    o=Ace Industry,c=US

Channel encryption
    Choose one:
    • SSL (the default) to use SSL when a Domino server connects to the remote LDAP directory server
    • None to prevent SSL from being used
    Keep SSL selected in the “Channel encryption” field if you use the remote LDAP directory for client authentication or to look up the members of groups for database authorization. If you choose SSL, make selections in these associated fields:
    • “Accept expired SSL certificates”
    • “SSL protocol version”
    • “Verify server name with remote server’s certificate”
    For more information, see the next topic “Configuring SSL in a Directory Assistance document for a remote LDAP directory.”

Port
    The port number Domino servers use to connect to the remote LDAP directory server.
    • If you choose SSL in the “Channel encryption” field, the default port is 636.
    • If you choose None in the “Channel encryption” field, the default port is 389.
    If the LDAP directory server doesn’t use one of these default ports, enter a different port number manually.

Timeout
    The maximum number of seconds allowed for a search of the remote LDAP directory; default is 60 seconds. If the remote LDAP directory server also has a timeout setting, the lower setting takes precedence.

Maximum number of entries returned
    The maximum number of entries the LDAP directory server can return for a name for which a Domino server searches. If the LDAP directory server also has a maximum setting, the lower setting takes precedence. If the LDAP directory server times out, it returns the number of names found up to that point. Default is 100.

Dereference alias on search
    Choose one to control the extent to which alias dereferencing occurs during searches of the remote LDAP directory:
    • “Never”
    • “Only for subordinate entries”
    • “Only for search base entries”
    • “Always” (default)
    If aliases aren’t used in the LDAP directory, selecting “Never” can improve search performance. For more information, see the topic “Configuring alias dereferencing in a Directory Assistance document for a remote LDAP directory.”

Preferred mail format
    To specify the format of addresses from the directory to be used in Notes mail, choose one:
    • “Notes Mail Address”
    • “Internet Mail Address” (default)
    For more information, see the earlier topic “Notes mail addressing using a remote LDAP directory.”

Attribute to be used as Notes Distinguished Name
    (Optional) If a Domino server uses the remote LDAP directory for client authentication or for database authorization, optionally map users’ LDAP directory distinguished names to corresponding Notes distinguished names. For information, see the topic “Using Notes distinguished names in a remote LDAP directory.”

Type of search filter to use
    Choose one to control which LDAP search filters are used to search the directory:
    • “Standard LDAP” (default)
    • “Active Directory”
    • “Custom”
    “Standard LDAP” works in most situations. For more information, see the topic “Configuring search filters in a Directory Assistance document for a remote LDAP directory.”

10. Click Save & Close.


11. If you changed the Group Authorization field:
a. Wait for the change to replicate to all the servers that use the
directory assistance database, or force the replication.
b. Use the Restart Server console command to stop and restart each
server that uses directory assistance for group authorization, so
each server detects the change.
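The Hostname, Channel encryption and Port fields above interact: each host in the comma-separated list may carry its own port, and a host given without one falls back to 636 for SSL or 389 for None. As an added example (not Domino’s code; the manual does not describe how the server parses the field), the following Python turns a Hostname value such as the manual’s ldap1.acme.com:390, ldap2.acme.com:391 into the ordered failover list of (host, port) pairs, rejects malformed entries so a bad document is caught before it is saved, and walks the list in documented order to pick the first reachable server. The function names and the host-name grammar are this example’s own.

```python
"""Parse the Hostname field of a Directory Assistance document for a remote
LDAP directory into an ordered failover list of (host, port) pairs.

Added example for this page; the function names are this example's own and
the manual does not document how Domino itself parses the field.
"""
import re

# Default ports documented on the LDAP tab: 636 when Channel encryption is
# SSL, 389 when it is None.
DEFAULT_PORTS = {"SSL": 636, "None": 389}

# RFC 1123 host name: dot-separated labels of letters, digits and hyphens.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*\.?$")


def parse_hostname_field(value, channel_encryption="SSL"):
    """Return [(host, port), ...] in the order Domino would try them.

    `value` is the comma-separated Hostname field, optionally with ':port'
    after each host. Hosts without a port get the default for the chosen
    Channel encryption. Raises ValueError on malformed input so a bad
    document is caught before it is saved rather than at first failover.
    """
    try:
        default_port = DEFAULT_PORTS[channel_encryption]
    except KeyError:
        raise ValueError(f"unknown Channel encryption: {channel_encryption!r}")

    targets = []
    for raw in value.split(","):
        entry = raw.strip()
        if not entry:
            continue  # tolerate a trailing comma or a doubled comma
        host, sep, port_text = entry.partition(":")
        host = host.strip()
        if not _HOSTNAME_RE.match(host):
            raise ValueError(f"invalid host name: {host!r}")
        if sep:
            if not port_text.strip().isdigit():
                raise ValueError(f"invalid port for {host}: {port_text!r}")
            port = int(port_text)
            if not 1 <= port <= 65535:
                raise ValueError(f"port out of range for {host}: {port}")
        else:
            port = default_port
        targets.append((host.lower(), port))

    if not targets:
        raise ValueError("Hostname field is empty")
    return targets


def first_available(targets, is_reachable):
    """Failover in the documented order: return the first (host, port) for
    which `is_reachable(host, port)` is true, or None if none answers."""
    for host, port in targets:
        if is_reachable(host, port):
            return (host, port)
    return None


if __name__ == "__main__":
    # Value copied from the manual's example on the LDAP tab.
    spec = "ldap1.acme.com:390, ldap2.acme.com:391"
    print(parse_hostname_field(spec))
    # Hosts without an explicit port take the default for the channel.
    print(parse_hostname_field("ldap.acme.com, backup.acme.com:3269", "SSL"))
    # Simulated failover (constructed): only the second server answers.
    down = {("ldap1.acme.com", 390)}
    print(first_available(parse_hostname_field(spec),
                          lambda h, p: (h, p) not in down))
```

The reachability callback is deliberately abstract: in practice it would be a TCP connect with the Timeout value from the same tab, and when Channel encryption is SSL it should complete the TLS handshake and the server-name check described in the next topic before a host counts as available.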
Configuring SSL in a Directory Assistance document for a remote
LDAP directory
If a Domino server uses a remote LDAP directory to look up credentials
during Internet client authentication, or to look up the members of
groups during database authorization, specify that the server use SSL to
connect to the LDAP directory server. Specify SSL so there are secure
communications between the Domino server and the LDAP server, and
so that the Domino server can use an X.509 certificate to verify the
remote LDAP directory server’s identity.
To use SSL, select SSL in the “Channel encryption” field on the LDAP tab
of the Directory Assistance document for the remote LDAP directory.
When you select SSL, you must also make selections for three associated
fields:
• “Accept expired SSL certificates”
• “SSL protocol version”
• “Verify server name with remote server’s certificate”
"Accept expired SSL certificates"
In the “Accept expired SSL certificates” field choose one:
• Yes (the default) to accept a certificate from the LDAP directory server, even if the certificate has expired.
• No, to reject an expired certificate, to provide tighter security.
"SSL protocol version"
In the “SSL protocol version” field, select the version number of the SSL
protocol to use, as follows:

V2.0 only
    Allows only SSL 2.0 connections.

V3.0 handshake
    Attempts an SSL 3.0 connection. If the connection fails and the requestor detects SSL 2.0, attempts to use SSL 2.0 to connect.

V3.0 only
    Allows only SSL 3.0 connections.

V3.0 with V2.0 handshake
    Attempts an SSL 3.0 connection, but starts with an SSL 2.0 handshake, which displays relevant error messages. Makes an SSL 3.0 connection if possible. Choose “V3.0 with V2.0 handshake” to receive V2.0 error messages that may occur during a connection attempt. These error messages can provide information about compatibility problems found during the connection.

Negotiated
    Allows SSL to determine the protocol version and handshake.

“Verify server name with remote server’s certificate”


In the “Verify server name with remote server’s certificate” field, choose
one:
• Enabled (the default)
• Disabled
Choose Enabled to require that the subject line of the remote server’s
certificate include the LDAP directory server host name. For this option
to work properly, the subject line in the remote server’s certificate must
include its DNS host name. Keep the option enabled if you are sure that
the X.509 certificate of the remote LDAP directory server contains the
remote server’s host name in the appropriate format.
The Domino CA and some other CAs provide a dialog box into which
users enter the subject line when requesting a certificate. For example,
the Domino CA prompts each user to enter the remote server’s
information — such as, the common name, organizational unit name,
organization name, state (or province), and country name. The Domino
CA places this information in the subject line and adds the appropriate
prefix (cn=, ou=, o=, and so on) to each field. If you used a Domino CA to
create the remote server’s certificate, enter the remote server’s host name
in the common name field when using the “Verify server name with
remote server’s certificate” option. For example, the Domino CA allows
users to enter the following valid subject lines (mailserver.acme.com is
the server’s DNS host name):
cn=mailserver.acme.com, ou=sales, ou=marketing, o=acme, st=mass,
c=us
cn=mailserver, ou=sales - mailserver.acme.com o=acme, st=mass,
c=us
To ensure that users enter the DNS host name properly, recommend that
they enter it as the common name (cn=) when they request a certificate
from the Domino CA. Other CAs may have different dialog boxes for
entering the subject line; users must follow these dialog boxes to enter
the remote server’s DNS host name.
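The two subject lines above show that the requirement is only that the host name appear somewhere in the subject; the manual does not say how Domino performs the comparison. As an added example (this page’s own code, not Domino’s), the following Python parses a subject DN into its RDNs and contrasts a loose “host name appears in the subject” check, which accepts both documented subject lines, with an exact common-name match. A constructed third subject, issued to a different host but carrying our host name in an OU value, shows why the exact match is the one to rely on: free-text subject fields are not tied to control of the host, the CN is. The function names and the third subject line are this example’s own.

```python
"""Check whether an X.509 subject DN carries an LDAP server's host name.

Added example for this page, not Domino's own code: the manual says only
that the subject line must "include" the host name and shows two accepted
forms; it does not specify the matching algorithm. The names below are this
example's own.
"""
import re


def parse_dn(dn):
    """Split a subject DN such as 'cn=a, ou=b, o=c' into [(type, value), ...].

    Commas escaped as backslash-comma stay inside the value (RFC 2253
    escaping); attribute types are lower-cased, values keep their case.
    Text without its own '=' separator (like the 'o=acme' glued into an OU
    in the manual's second example) stays part of the preceding value, as
    a CA dialog would have stored it.
    """
    rdns = []
    for component in re.split(r"(?<!\\),", dn):
        component = component.strip()
        if not component:
            continue
        attr_type, sep, value = component.partition("=")
        if not sep:
            raise ValueError(f"RDN without '=': {component!r}")
        rdns.append((attr_type.strip().lower(), value.replace("\\,", ",")))
    return rdns


def subject_mentions_host(dn, hostname):
    """Loose check: the host name appears as a whole word in any RDN value.
    Accepts both subject lines the manual calls valid, but also any subject
    whose OU or O happens to contain the name."""
    pattern = re.compile(
        r"(?<![A-Za-z0-9.-])" + re.escape(hostname) + r"(?![A-Za-z0-9.-])",
        re.IGNORECASE,
    )
    return any(pattern.search(value) for _, value in parse_dn(dn))


def cn_matches_host(dn, hostname):
    """Strict check: exactly one common name, and it is the host name
    (DNS names compare case-insensitively). This is the comparison to
    rely on."""
    cns = [value for attr, value in parse_dn(dn) if attr == "cn"]
    return len(cns) == 1 and cns[0].strip().lower() == hostname.lower()


if __name__ == "__main__":
    host = "mailserver.acme.com"
    # The two subject lines the manual shows as valid.
    good_cn = "cn=mailserver.acme.com, ou=sales, ou=marketing, o=acme, st=mass, c=us"
    host_in_ou = "cn=mailserver, ou=sales - mailserver.acme.com o=acme, st=mass, c=us"
    # Constructed: a certificate for another host whose OU mentions ours.
    lookalike = "cn=ldap.example.net, ou=mailserver.acme.com, o=example, c=us"
    for dn in (good_cn, host_in_ou, lookalike):
        print(dn)
        print(f"  loose={subject_mentions_host(dn, host)}"
              f"  strict={cn_matches_host(dn, host)}")
```

Only the first documented subject line passes the strict check, which is exactly the form the manual recommends (host name as the cn= value). Modern TLS clients compare the host name against the certificate’s subjectAltName dNSName entries in preference to the CN; the same “match the identifying field, not any field” principle applies there.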
Specifying a name and password for Domino servers in a Directory
Assistance document for a remote LDAP directory
In the “Optional Authentication Credential” section on the LDAP tab of a
Directory Assistance document for a remote LDAP directory you can
enter a distinguished user name and a password. If a Domino server
connects to the remote LDAP directory server, it presents the name and
password so the remote LDAP directory server can authenticate the
Domino server.
If you don’t specify a name and password, a Domino server attempts to
connect to a remote LDAP directory server anonymously. You must
specify a name and password if the remote LDAP directory server does
not allow anonymous access.
Enter a distinguished name in the Username field, and a password in the
Password field. The name and password must correspond to a valid
name and password in the remote LDAP directory. Enter the
distinguished name in LDAP format, for example cn=domino
server,o=acme.
The Username and Password fields are encryptable fields. Do the
following to encrypt the fields to limit which Domino administrators and
servers can read their contents:
1. Create a secret encryption key.
2. Use the secret encryption key to encrypt the Directory Assistance
document.
3. Distribute and merge the encryption key only into the ID files of
administrators and Domino servers who should read the user name
and password.
Only administrators and servers with the secret encryption key can read
the user name and password. Any Domino server that connects to the
remote LDAP directory server or that replicates changes to the directory
assistance database requires the encryption key.
For information on creating and using secret encryption keys, see the
book Application Development with Domino Designer.
Configuring search filters in a Directory Assistance document for a
remote LDAP directory
If servers use directory assistance to search a remote LDAP directory, you
can use the field “Type of search filter to use” in the Directory Assistance
document for the directory to control which LDAP search filters are used
to search the directory. The following choices are available.
Standard LDAP (default)
    Uses standard LDAP search filters that work with most LDAP directory servers, including Domino, IBM Directory Server, and Netscape/iPlanet Directory Server.

Active Directory
    Uses predefined search filters that work with Active Directory servers. Select this option if the remote LDAP directory is Active Directory.

Custom
    Use to define your own search filters.

Note The Active Directory search filter option replaces the Release 5
NOTES.INI setting WebAuth_AD_Group, which allowed for searches of
Active Directory groups.
Defining custom search filters
You might need to define custom search filters if searches are not
returning results or are returning results for the wrong entries. This
situation can occur if the remote LDAP directory server uses a
non-standard schema.
Selecting “Custom” in the “Type of search filter to use” field displays the
following three fields used to define the custom search filters.
Mail Filter
    If directory assistance is set up so that Notes users can look up mail addresses in the directory, specify a search filter to use to look up the names in the directory. Leave the field blank to use the following default search filter:
    (|(cn=%*)(|(&(sn=%a)(givenname=%z))(&(sn=%z)(givenname=%a))))

Authentication Filter
    Specify a search filter to use to search for the names of users when using the remote LDAP directory for client authentication. Leave the field blank to use the following default search filter:
    (|(cn=%*)(|(&(sn=%a)(givenname=%z))(&(sn=%z)(givenname=%a))))

Authorization Filter
    Specify a search filter to use to look up the members of groups for Notes database authorization. Leave the field blank to use the following default search filter:
    (|(&(objectclass=groupOfUniqueNames)(UniqueMember=%*))(&(objectclass=groupOfNames)(Member=%*)))

To define custom search filters, you should be familiar with valid search
filter syntax described in RFCs 2251 and 2254.
Syntax for custom LDAP search filters
To define a custom search filter, insert parameters into standard LDAP
search filters to represent a part of the names being searched for.

Name Parameter to
Defined as Example of name
part insert to
part (in bold) represent name
part
First The set of
%a
name characters AlexM Davidson
from the first
character
to the first space
or punctuation
Last The set of
%z
name characters Alex M Davidson
from the last
space or
punctuation to the
last character
Alex M
Whole The entire name %*
Davidson
name
Local Local part of an
amd@acme.com %l
part RFC
822 mail address
Domain part of an amd@acme.com %d
Domain
RFC 822 mail
part
address

Name searched for    Search filter formula in Directory Assistance document    Search filter used to search for the name
Alex M Davidson      (|(gn=%a)(sn=%z)(cn=%*)(mail=%l))    (|(gn=Alex)(sn=Davidson)(cn=Alex M Davidson)(mail=""))
amd                  (EmpID=%*)            (EmpID=amd)
amd                  (EmpID=%z)            (EmpID="")
amd                  (mail=%*@acme.com)    (mail=amd@acme.com)
amd                  (mail=%*@*)           (mail=amd@*)
amd@acme.com         (mail=*@%d)           (mail=*@acme.com)
amd@acme.com         (mail=%*)             (mail=amd@acme.com)
amd@acme.com         (uid=%l)              (uid=amd)
blue                 (color=%*)            (color=blue)
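As an added example (not code from the Domino documentation), the following Python implements the parameter substitution described above and reproduces the rows of the table. It also escapes the substituted name as RFC 2254 requires, which the text does not say Domino does, so that a searched-for name cannot change the structure of the filter it is inserted into; the rendering of an empty part as "" and the treatment of a single-word name for %a are assumptions taken from the amd / (EmpID=%z) row.

```python
import re
import string

# Default authentication filter shown in the Directory Assistance document.
DEFAULT_AUTH_FILTER = "(|(cn=%*)(|(&(sn=%a)(givenname=%z))(&(sn=%z)(givenname=%a))))"

# The five parameters a custom search filter may contain.
PARAM_RE = re.compile(r"%[az*ld]")
# A name part ends at the first/last whitespace or punctuation character.
DELIM_RE = re.compile("[\\s%s]" % re.escape(string.punctuation))


def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 2254, section 4).

    The text does not say whether Domino escapes substituted values; this added
    example does, so a searched-for name such as 'x)(objectclass=*' is matched
    literally instead of altering the filter's structure.
    """
    return "".join(
        "\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value
    )


def name_parts(name):
    """Return the value each parameter stands for in the given name."""
    delims = list(DELIM_RE.finditer(name))
    # %a: from the first character up to the first space or punctuation.
    # Assumption: a single-word name has no first name, matching the table's
    # (EmpID=%z) -> (EmpID="") row for the last name.
    first = name[:delims[0].start()] if delims else ""
    # %z: from after the last space or punctuation to the last character.
    last = name[delims[-1].end():] if delims else ""
    # %l and %d: local and domain part of an RFC 822 address, empty otherwise.
    if "@" in name:
        local, _, domain = name.rpartition("@")
    else:
        local = domain = ""
    return {"%a": first, "%z": last, "%*": name, "%l": local, "%d": domain}


def substitute(template, name):
    """Expand the parameters in a custom search filter for one searched-for name."""
    parts = name_parts(name)

    def render(match):
        value = parts[match.group(0)]
        # Empty parts are rendered as "" as in the table above.
        return escape_filter_value(value) if value else '""'

    return PARAM_RE.sub(render, template)


if __name__ == "__main__":
    # Constructed inputs taken from the table above.
    for name, template in [
        ("Alex M Davidson", "(|(gn=%a)(sn=%z)(cn=%*)(mail=%l))"),
        ("amd", "(EmpID=%z)"),
        ("amd@acme.com", "(uid=%l)"),
        ("Alex M Davidson", DEFAULT_AUTH_FILTER),
    ]:
        print(name, "->", substitute(template, name))
```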

Configuring alias dereferencing in a Directory Assistance document for a remote LDAP directory
An alias entry in an LDAP directory is an entry that points to another
entry. Searching the entry an alias entry points to is known as
dereferencing an alias. Dereferencing aliases can cause poor search
performance for some LDAP directories. Select one of the following
options in the “Dereference alias on search” field in a Directory Assistance
document for an LDAP directory to control the extent to which alias
dereferencing occurs when searching the remote LDAP directory.

Option    Description
Never    Never dereference alias entries. If there are no alias entries in the LDAP directory that require dereferencing, choose this option to improve search performance.
Only for subordinate entries    Dereference alias entries subordinate to a specified search base, but do not dereference an alias search base entry.
Only for search base entries    Dereference an alias entry for a specified search base, but do not dereference alias entries subordinate to the search base.
Always    Always dereference aliases. This selection is the default, and the Release 5 behavior.

Example of alias dereferencing
Suppose an LDAP directory has these entries:
o=Acme1
o=Acme2 (alias entry that points to o=Acme1)
cn=John Doe, o=Acme1
cn=John Doe, o=Acme2 (alias entry that points to cn=John Doe, o=Acme1)
The following table describes which of these entries are returned for a subtree search of o=Acme2 (o=Acme2 and subordinate entries) for each "Dereference alias on search" option.
Option    Entries returned
Never    o=Acme2 and cn=John Doe, o=Acme2
Only for subordinate entries    o=Acme2 and cn=John Doe, o=Acme1
Only for search base entries    o=Acme1 and cn=John Doe, o=Acme2
Always    o=Acme1 and cn=John Doe, o=Acme1

Using Notes distinguished names in a remote LDAP directory
You can set up directory assistance for a remote LDAP directory so that a Domino server:
• Uses a Notes distinguished name rather than an LDAP distinguished name for Internet client authentication
• Accepts the Notes distinguished name in database ACLs, and in groups used in database ACLs, for database access authorization.
This feature allows organizations that migrate users from a Domino
Directory to a remote LDAP directory to continue to use the original
Notes distinguished names for users. This feature is also useful as a way
to hide complex LDAP distinguished names from users.
To set up this feature, you add an attribute for storing Notes name values
to the user entries in the LDAP directory, and then add the Notes
distinguished names as values for the attributes. Then you specify the
attribute you use for the Notes names in a Directory Assistance
document for the LDAP directory.
Once you have set up this feature, clients can authenticate using either
their Notes distinguished names or their original LDAP distinguished
names. Database ACLs, Server document access control fields, access
control groups, and Web server File Protection documents can use only
the Notes distinguished name.
To set up the use of Notes distinguished names:
1. Add the Notes distinguished names to the LDAP directory:
a. In the remote LDAP directory, choose an attribute for storing the
values of the Notes names in the LDAP directory user entries.
The syntax for the attribute must be DN. You can create a new
attribute, or use an existing one already defined in the schema.
b. Add Notes names as values for the selected attribute to the
remote LDAP directory user entries.
• Domino doesn’t provide a tool to add the names — use a tool that is available to you.
• Use the LDAP format for the Notes name value. For example, use cn=John Doe,o=Acme and not John Doe/Acme or cn=John Doe/o=Acme.
• You can use any distinguished name value, although a distinguished name with multiple parts is recommended because it provides better security.
2. Set up directory assistance to use the Notes distinguished names:
a. If you haven’t created a Directory Assistance document for the
LDAP directory, create one.
b. On the LDAP tab of the Directory Assistance document, in the
“Attribute to be used as Notes distinguished name” field, add
the name of the attribute used in the LDAP directory to store the
Notes names.
c. On the “Naming contexts (rules) tab” of the Directory Assistance
document, make sure there are rules that are “Trusted for
Credentials” that match the Notes distinguished names and the
LDAP distinguished names. If you do not use an all-asterisk
trusted rule and the Notes and LDAP names use different name
hierarchies, configure a trusted rule to represent each hierarchy.
d. Save the Directory Assistance document.
3. Add the Notes distinguished names as necessary to database ACLs,
Server document access control fields, access control groups, and
Web server File Protection documents. Use the Notes format for the
name, for example John Doe/Acme or cn=John Doe/o=Acme and
not the LDAP format cn=John Doe,o=Acme.
Note If you enable this feature and some user entries in the LDAP
directory do not have a value for the Notes distinguished name attribute,
then the users must specify their LDAP distinguished names to
authenticate, and Domino database ACLs and other access control lists
must use the LDAP distinguished name.
Example of using Notes distinguished names in a remote LDAP directory
Acme corporation uses the LDAP distinguished name
uid=675894,ou=boston,o=airius.com for a particular user in a remote
LDAP directory. For the same user Acme uses the name Jack
Johnson/Boston/Acme in Notes database ACLs and in groups used in
database ACLs. The Domino server uses directory assistance to look up
user credentials for client authentication in the remote LDAP directory.
An Acme administrator does the following to configure the use of the
Notes distinguished name for client authentication and for database
access control:
1. In the remote LDAP directory, the administrator adds an attribute
called notesname to the user entry for uid=675894,ou=boston,o=airius,
and gives the attribute the value cn=Jack
Johnson,ou=Boston,o=Acme.
2. On the LDAP tab of the Directory Assistance document for the LDAP
directory, the administrator adds the attribute notesname to the field
“Attribute to be used as Notes distinguished name.”
3. On the “Naming contexts (rules)” tab of the Directory Assistance
document, the administrator specifies an all-asterisk trusted rule.
The user can then use any of the following names as the client logon
name for authentication:
• cn=Jack Johnson/ou=Boston/o=Acme
• cn=Jack Johnson,ou=Boston,o=Acme
• Jack Johnson/Boston/Acme
• uid=675894,ou=boston,o=airius
• 675894
The Notes name Jack Johnson/Boston/Acme is used in database ACLs
and groups.
Directory assistance examples
• Example of directory assistance for one secondary Domino Directory
• Example of directory assistance for an Extended Directory Catalog
• Example of directory assistance for an Extended Directory Catalog and a remote LDAP directory
Example of directory assistance for one secondary Domino Directory
Company X uses two domains, Domain A and Domain B. Each domain
creates its own directory assistance database that has a Directory
Assistance document for the other domain’s Domino Directory, so that
users from each domain can address mail easily to users in the other
domain, and so servers in each domain can search groups in the other
domain’s directory when authorizing database access. If servers in both
domains instead used replicas of one directory assistance database that
included documents for both directories, they could enable only one of
the domain directories for group authorization.
Network connections between domains are slow, so the company creates
replicas of the Domain B directory on two Domain A servers for servers
in Domain A to use, and creates replicas of the Domain A directory on
two Domain B servers for servers in Domain B to use.
The following table shows the settings for the Domain B Directory
Assistance document in the directory assistance database that servers in
Domain A use. Domain B uses a similar document for the Domain A
directory in its directory assistance database.

Field: Contents. Comments
Basics tab
Domain type: Notes
Domain name: Domain B
Company name: Company A
Search order: None
Make this domain available to: Notes Clients & Internet Authentication/Authorization; LDAP Clients. Enables Domain A servers to use the Domain B directory for all directory assistance services.
Group Authorization: Yes. Allows Domain A servers to look up groups in the Domain B directory when authorizing database access.
Enabled: Yes
Naming contexts (rules) tab
N.C.1: */ */ */ */ */ *; Enabled: Yes; Trusted for Credentials: Yes. Enables Domain A servers to search all names in the directory. "Trusted for Credentials" is selected to allow servers to authenticate all Internet users registered in the directory.
Replicas tab
Replica1: Server Name: Server1/DomainA; Directory Filename: DOMANAMES.NSF. More than one replica of the Domain A directory is specified, indicating that the directory assistance method of failover is used to find an available replica.
Replica2: Server Name: Server2/DomainA; Directory Filename: DOMANAMES.NSF. Same comments as above.

Example of directory assistance for an Extended Directory Catalog
Company Y uses three domains, Domain A, Domain B, and Domain C.
Rather than setting up directory assistance to search each domain
Domino Directory individually, the company builds an Extended
Directory Catalog that aggregates all three domain directories. Using this
approach, Notes users can use one directory to browse for names
registered in any domain directory, servers can use one directory to look
up names from any domain, for example, when routing mail, and servers
can look up the members of groups aggregated from any of the three
directories when authorizing database access.
The company creates replicas of the Extended Directory Catalog on two
servers in Domain A that are members of a cluster. Network connections
between domains are fast, so servers in Domains B and C use the replicas
of the directory catalog on the Domain A servers.
Administrators from each domain want local control of the directory
assistance database, so each domain creates and uses its own directory
assistance database.
The following table shows the settings for the Directory Assistance
document for the Extended Directory Catalog that is in each domain’s
directory assistance database.

Field: Contents. Comments
Basics tab
Domain type: Notes
Domain name: EDC. Made-up name that does not correspond to an actual domain name.
Company name: Company Y
Search order: None
Make this domain available to: Notes Clients & Internet Authentication/Authorization; LDAP Clients. Allows servers to use the Extended Directory Catalog for all directory assistance services.
Group Authorization: Yes. Allows servers to look up groups in the Extended Directory Catalog when authorizing database access.
Enabled: Yes
Naming contexts (rules) tab
N.C.1: */ */ */ */ */ *; Enabled: Yes; Trusted for Credentials: Yes. Allows servers to search all names in the Extended Directory Catalog. "Trusted for Credentials" is selected to allow servers to authenticate all Internet users with Person documents that are aggregated in the directory catalog.
Replicas tab
Replica1: Server Name: Server1/DomainA; Directory Filename: EDC.NSF. Server1/DomainA is a member of a cluster. Only one replica of the Extended Directory Catalog in the cluster is specified so that cluster failover is used to find an available replica.

Example of directory assistance for an Extended Directory Catalog and a remote LDAP directory
Company Z uses three domains, Domain A, Domain B, and Domain C.
The company builds an Extended Directory Catalog that aggregates all
three domain Domino Directories. Network connections between
domains are slow, so Company Z replicates the Extended Directory
Catalog to strategic servers in each domain. In Domain A, the directory
catalog is replicated to two servers that are members of a cluster.
Domino servers in Domain A register Internet users in a remote Active
Directory server which they use to authenticate the users. Domain A
creates its own directory assistance database because only Domain A
servers use the remote Active Directory.
The following tables show the settings in the Directory Assistance
documents for the Extended Directory Catalog and for the remote Active
Directory server in the directory assistance database that Domain A
servers use.
Directory Assistance document for the Extended Directory Catalog

Field: Contents. Comments
Basics tab
Domain type: Notes
Domain name: EDC. Made-up name that does not correspond to an actual domain name in Domino.
Company name: Company Z
Search order: 1. Causes Domain A servers to search the Extended Directory Catalog before the remote Active Directory.
Make this domain available to: Notes Clients & Internet Authentication/Authorization; LDAP Clients
Group Authorization: Yes. Allows servers to use groups from any of the directories aggregated into the directory catalog for database authorization.
Enabled: Yes
Naming contexts (rules) tab
N.C.1: */ */ */ */ */ *; Enabled: Yes; Trusted for Credentials: No. Allows servers to search all entries in the directory. "Trusted for Credentials" is set to "No" to prevent the Extended Directory Catalog from being used for Internet client authentication, and to allow only the remote Active Directory to be used for this purpose.
Replicas tab
Replica1: Server Name: Server1/DomainA; Directory Filename: EDC.NSF. Server1/DomainA is a member of a cluster. Only one replica of the Extended Directory Catalog in the cluster is specified so that cluster failover is used to find an available replica.

Directory Assistance document for the remote LDAP Directory

Field: Contents. Comments
Basics tab
Domain type: LDAP
Domain name: ActiveDir. Made-up name that does not correspond to an actual domain name in Domino.
Company name: Company Z
Search order: 2. Causes Domain A servers to search the remote Active Directory after the Extended Directory Catalog.
Make this domain available to: Notes Clients & Internet Authentication/Authorization. Domain A does not want its LDAP service to refer LDAP clients to the Active Directory, so it does not select the "LDAP Clients" option.
Group Authorization: No. Since Domain A servers look up groups used for database authorization in the Extended Directory Catalog, they cannot use the remote Active Directory for this purpose too. All groups used for database authorization are stored in the Domain A primary Domino Directory and in the domain directories that are aggregated into the Extended Directory Catalog.
Enabled: Yes
Naming contexts (rules) tab
N.C.1: */ */ */ */ */ *; Enabled: Yes; Trusted for Credentials: Yes. The distinguished names of the users registered in the Active Directory do not correspond to the Notes naming convention of organizational unit (ou), organization (o), and country (c), so Company Z must use an all-asterisk rule to represent the distinguished names of these users. "Trusted for Credentials" is enabled for the naming context (rule) so that Domain A can use the user entries in Active Directory for Internet client authentication.
LDAP tab
Hostname: ldap1.companyz.com, ldap2.companyz.com. To provide failover, two Active Directory servers are specified, each with replicas of the directory and with the same LDAP configurations.
Optional Authentication Credential: Username: cn=john doe, cn=recipients, dc=east, dc=acme, dc=com; Password: adminspass
Base DN for search: cn=recipients, dc=east, dc=acme, dc=com
Channel encryption: Yes. Since Domain A servers use the Active Directory for client authentication, Company Z selects "Channel Encryption" so that Domino servers can use a Secure Sockets Layer (SSL) certificate to verify the Active Directory server’s identity.
Port: 636. Necessary for SSL connections.
Accept expired SSL certificates: Yes
SSL protocol version: Negotiated
Verify server name with remote server’s certificate: Yes
Timeout: 60
Maximum number of entries returned: 100
Dereference alias on search: Never. The Active Directory server does not use alias dereferencing, so Company Z selects Never to improve search performance.
Preferred mail format: Internet Mail Address
Attribute to be used as Notes Distinguished Name: notesname. Company Z uses Notes-style distinguished names, rather than the original LDAP names of the users in the Active Directory, for client authentication and in Notes database ACLs. The specified attribute, notesname, is defined in Active Directory as the attribute to store the Notes name. Company Z uses its own tool to add Notes-style distinguished names as values for the notesname attribute in user entries.
Type of search filter to use: Active Directory. Ensures that the Domain A servers use LDAP search filters that are customized for Active Directory searches.
Monitoring directory assistance
To monitor directory assistance:
• Use the Show Xdir command to display information about all the directories a server uses for directory services.
• View these directory assistance statistics, which a server begins calculating at startup:

Statistic    Description
Database.DAReloadCount    Number of times directory assistance reloaded because of changes to the directory assistance database.
Database.DARefreshServerInfoCount    Number of times directory assistance refreshed because of changes to Server documents in the Domino Directory.
Database.DAFailoverCount    Number of times directory assistance failed over to an available replica.

Chapter 24
Setting Up Directory Catalogs
This chapter describes how to set up and manage directory catalogs.
Directory catalogs
A directory catalog is an optional directory database that typically
contains information aggregated from multiple Domino Directories.
Clients and servers can use a directory catalog to look up mail addresses
and other information about the people, groups, mail-in databases, and
resources throughout an organization, regardless of the number of
Domino domains and Domino Directories the organization uses. A
directory catalog includes the type of information that is important for
directory services, and excludes other types of information that are part
of a Domino Directory, for example Domino configuration information,
such as information in Connection documents.
You use a directory catalog in conjunction with, rather than instead of,
the primary Domino Directory and the Personal Address Book. A server
searches its primary Domino Directory, and a Notes client searches its
Personal Address Book, before searching a directory catalog.
There are two types of directory catalogs: condensed Directory Catalogs
and Extended Directory Catalogs. Condensed Directory Catalogs use a
unique design based on the DIRCAT5.NTF template that enables them to
be extremely small. Condensed Directory Catalogs are designed for use
on Notes clients. A condensed Directory Catalog on a Notes client is also
known as a Mobile Directory Catalog.
Extended Directory Catalogs use the same design as the Domino
Directory, which is based on the PUBNAMES.NTF. They are larger than
condensed Directory Catalogs, but are the recommended directory
catalog for server use because they allow faster and more flexible
directory lookups.
Servers can use a directory catalog for mail addressing, for processing
LDAP service operations, to look up client authentication credentials,
and to look up the members of groups in database ACLs when
authorizing users’ database access.
Condensed Directory Catalogs
You create a condensed Directory Catalog from the Directory Catalog
template (DIRCAT5.NTF). Condensed Directory Catalogs are designed
to be small enough to fit on Notes clients. For example, several Domino
directories that together contain more than 350,000 users and total 3GB in
size, when aggregated in a condensed Directory Catalog are likely to be
only about 50MB. In general, each user and group entry is slightly more
than 100 bytes. Condensed Directory Catalogs are designed primarily for
use on Notes clients.
To achieve its small size, a condensed Directory Catalog uses a unique
design that combines multiple documents from the Domino Directories
into single documents in the directory catalog, and that limits the number
of sorted views available for lookups.
Aggregate documents
One reason a condensed Directory Catalog is small is it combines many
entries from the source Domino Directories into single aggregate
documents. A single Directory Catalog aggregate document can contain
up to 250 source directory entries, although on average the maximum is
about 200. This means that a condensed Directory Catalog needs to use
only about 1000 aggregate documents to store information from 200,000
documents in the source Domino Directories.
Limited number of views
A condensed Directory Catalog is also small because it contains only a
few, small views. By contrast a Domino Directory and an Extended
Directory Catalog have multiple, typically large views.
$Users view This is the one view used in a condensed Directory
Catalog for name lookups. When you configure the directory catalog
you choose how to sort this view, either by distinguished name, by
last name, or by alternate name. To find names that don’t correspond
to the selected sort order, a full-text search is done of the directory
catalog rather than a view lookup.
You shouldn’t open the aggregate documents in the $Users view
manually; these documents are not intended for viewing, and it can
take a considerable amount of time to format them for that purpose.
$Unid view This view contains information needed by the Dircat
task to replicate the source directory entries into the directory
catalog. The $Unid view isn’t created on replicas of the directory
catalog, which further reduces the directory catalog size.
$PeopleGroupsFlat view This view displays directory names when
Notes users click the Address button to browse directories.
24-2 Administering the Domino System, Volume 1
Configuration view This view shows the Configuration document
that contains the directory catalog configuration settings.
Users view This is a view that users can open and programs can
access to see the names included in the directory catalog. This view is
not stored on disk but is instead built as needed.
Design changes
In general, you should not change the database design of a condensed
Directory Catalog. One exception is changing the name of the Users
view; you can change the name of this view, as long as you keep the
original view name, Users, as an alias.
Application access
Notes applications can use these methods to access a condensed
Directory Catalog programmatically:
• NAMELookup calls to the $Users view
• NAMEGetAddressBooks calls, if you use the NOTES.INI setting Name_Include_Ed=1.
• NIFFindByKey, NIFReadEntries, and NIFOpenNote calls.* You can’t use NSFNoteOpen to open notes passed back from NIFReadEntries; you must call NIFOpenNote instead.
• LotusScript methods*
• @NameLookup function
*Can access the Users view but not the $Users view.
In addition, LDAP applications can search a condensed Directory
Catalog used by a server that runs the LDAP service.
Benefits of condensed Directory Catalogs on clients (Mobile
Directory Catalogs)
Condensed Directory Catalogs on Notes clients, also called Mobile
Directory Catalogs, are useful to organizations that use one or multiple
Domino Directories. Although Notes users’ mail or directory servers can
do lookups in Domino Directories on behalf of Notes users, using
condensed Directory Catalogs on Notes clients instead offers these
benefits:
• Notes users have access to one local, corporate-wide directory, even when their clients are disconnected from the network.
• When they address mail, users can press F9 to verify quickly the address of anyone in the organization.
• Users can flag mail for encryption when using clients that are disconnected from the network. The clients look up the public key and encrypt the mail when the users connect to the network and send the mail.
• Groups are included in a directory catalog by default, so users can send mail to groups. However, to minimize the size of the directory catalog, the members of the groups are not included by default, so users’ mail servers or directory servers must be able to look up the members of the groups.
• Type-ahead name resolution is instantaneous because type-ahead searches the local directory catalog. Type-ahead searches never extend to a server when there is a directory catalog configured locally on the client.
• Users can use the detailed search feature available for Local Address Books to search the directory catalog. For example, if a user wants to send mail to someone by the name of Robin at the Los Angeles location but doesn’t remember Robin’s last name, the user can search for “First name” Robin and “Location” Los Angeles to retrieve the name from the directory catalog.
• Users can use the Mail Address dialog box to open and scroll through the names in the directory catalog.
• Using Soundex, users can enter phonetic spellings to search for names they don’t know how to spell.
• Network traffic is reduced because name resolution occurs locally on the client, rather than on a server.
Directory catalogs on servers compared to directory assistance for
individual Domino Directories
A server can do lookups directly in a secondary Domino Directory using
directory assistance, or can do lookups in a directory catalog that
aggregates information from the secondary Domino Directory. There are
several advantages to servers doing lookups in a directory catalog, rather
than in individual Domino Directories:
A server can look up information more quickly by searching one
directory database rather than multiple databases — the more
secondary directories you aggregate in a directory catalog, the
greater this advantage.
• If there are multiple Person documents with the same name in one directory or across directories, you can remove the duplicates from the directory catalog. The Dircat task then aggregates the first Person document with the name that is encountered, which avoids name ambiguity problems, for example, the Router failing to deliver mail because it finds more than one occurrence of a name.
• A directory catalog excludes most or all Domino administration information that is part of a Domino Directory that is not of interest to users. You can also filter out other information in a Domino Directory from a directory catalog. For example, an administrator can exclude specific fields, or use a selection formula to exclude documents that don’t match specified criteria.
• Notes users without local condensed Directory Catalogs can browse one directory, rather than multiple, individual secondary Domino Directories.
The advantage to doing lookups in individual secondary Domino
Directories is there is no need to build, maintain, and replicate a
directory catalog. Instead you create and replicate only a small directory
assistance database.
Setting up servers to use directory catalogs is useful for organizations
that use multiple Domino Directories, for example, organizations with
multiple Domino domains.
Extended Directory Catalogs
You can set up servers to use an Extended Directory Catalog. You create
an Extended Directory Catalog from the PUBNAMES.NTF template, the
same template used to create the Domino Directory. An Extended
Directory Catalog combines advantages of a Domino Directory and a
condensed Directory Catalog. It aggregates entries from multiple
Domino directories into a single directory database as does the
condensed Directory Catalog, but it retains the individual documents
and the multiple, sorted views available in the Domino Directory to
facilitate quick name lookups.
Although you can set up servers to use a condensed Directory Catalog,
there are several advantages to using an Extended Directory Catalog
instead.
Multiple views
The Extended Directory Catalog uses the same design as the Domino
Directory, so it includes multiple views that sort names in different ways.
Regardless of the format of a name, there’s a view in the Extended
Directory Catalog that a server can use to quickly find the name. A
condensed Directory Catalog has one view used for lookups, which you
choose how to sort when you configure it. To look up a name in a
condensed Directory Catalog that doesn’t correspond to the selected sort
order, the server uses the full-text index to search for the name, which
takes longer than a view search.
Using an Extended Directory Catalog on servers that route mail is a
particular advantage, because a mail server can use views to quickly find
an address regardless of the address format. When a mail server uses a
condensed Directory Catalog, mail routing can back up if the Router uses
the full-text index to look up addresses, for example, some Internet
addresses, that don’t correspond to the selected sort order.
When a Notes user with a condensed Directory Catalog on the client
sends mail to a group, if the client’s directory catalog doesn’t contain the
members of the group, there can be a delay while a server does a full-text
search of a condensed Directory Catalog to look up the members. Delays
when sending mail to groups are not an issue if mail servers use
Extended Directory Catalogs.
Ease of application access
Applications can access information in an Extended Directory Catalog as
easily as they can in a Domino Directory. Application access to a
condensed Directory Catalog however is restricted by the nature of the
aggregate documents and the number of views.
Multiple-view, enterprise directory
Users can open an Extended Directory Catalog and see an enterprise-wide
directory with multiple views that sort by entry type. In a condensed
Directory Catalog, there is only one view to display the different types of
entries.
Groups for database authorization
Servers can use groups in only one directory configured in a directory
assistance database, in addition to the primary Domino Directory for
authorizing database access. Using an Extended Directory Catalog for
this purpose, effectively allows servers to use groups in any secondary
Domino Directory aggregated in the directory catalog for database access
control.
Remote lookups
Servers use Directory Assistance to locate an Extended Directory
Catalog, so you need to replicate the Extended Directory Catalog only to
two or a few strategic servers to which the Directory Assistance database
then points. You can configure failover so that if one replica of the
directory catalog is unavailable, servers can use an alternate.
Each server that uses a condensed Directory Catalog requires a local
replica of the directory catalog, which makes its smaller size less of an
advantage overall.
Administrator control over rebuilds
Rebuilding a directory catalog removes all of the existing aggregated
information, and then re-aggregates the information from the source
Domino Directories. Since this process is time consuming, the Dircat task
only rebuilds an Extended Directory Catalog when an administrator
indicates. Changing almost any field in the configuration document for a
condensed Directory Catalog, by contrast, triggers the Dircat task to
rebuild the directory catalog automatically.
Extended ACL and LDAP access control settings
You can use an extended ACL to refine the overall database access to an
Extended Directory Catalog. For example, you can deny access to
sensitive fields, to entire documents associated with a particular part of a
name hierarchy, and so forth. An extended ACL on an Extended
Directory Catalog is independent of any Extended ACLs set on the
individual source Domino Directories.
You can also create a Configuration Settings document in an Extended
Directory Catalog and use access control settings on the LDAP tab of the
document to control anonymous LDAP search access to the directory
catalog.
These access control features are not available for a condensed Directory
Catalog.
Native documents
You can add documents manually to an Extended Directory Catalog, in
addition to aggregating documents through Dircat task processing. These
“native” documents that originate in the database are not affected by
Dircat task processing. You cannot add native documents to a condensed
Directory Catalog.
Full-text index advantages
An Extended Directory Catalog has multiple, sorted views, so in general
no full-text index is required for lookups, which helps minimize disk
space usage. A full-text index is required, however, if you want the
LDAP service to use an Extended Directory Catalog to process searches
that use search filters based on something other than names or mail
addresses.
A full-text index is always required for a condensed Directory Catalog.
Setting Up Directory Catalogs 24-7
Directory Services
If you choose to create a full-text index on an Extended Directory
Catalog, users can do full-text searches of it from the Notes client. Users
can’t do full-text searches of a condensed Directory Catalog from the
Notes client.
One server using more than one
A server can use more than one Extended Directory Catalog, for example
one that aggregates directories that are trusted for Internet client
authentication, and another that aggregates directories that are not
trusted for client authentication.
A server can use one condensed Directory Catalog only.
Integration into a primary Domino Directory
Because an Extended Directory Catalog uses the same design as a
Domino Directory, you can build an Extended Directory Catalog directly
into the primary Domino Directory for a domain, so that one directory
contains the information for an entire enterprise.
Server documents
You can aggregate Server documents into an Extended Directory
Catalog, but not a condensed Directory Catalog.
Overview of directory catalog setup
To set up a directory catalog, you first create a directory catalog
database. You use the PUBNAMES.NTF template to create an Extended
Directory Catalog and the DIRCAT5.NTF template to create a condensed
Directory Catalog. In the directory catalog database you create a
configuration document in which you indicate which Domino Directories
— known as the source Domino Directories — to aggregate, which
information from them to aggregate, and other options.
For information on creating and completing a directory catalog
configuration document, see the next topic “Planning directory catalogs”
as well as the topics “Setting up a condensed Directory Catalog” and
“Setting up an Extended Directory Catalog” later in the chapter.
After you complete the configuration document, you run the Directory
Cataloger task (Dircat task) to build the directory catalog. A server that
runs the Dircat task is referred to as a Dircat server, and typically there is
one Dircat server dedicated to aggregating directory catalogs. The Dircat
task replicates information from the Domino Directories indicated in the
configuration document, and then combines — aggregates — the entries
into the directory catalog. After the directory catalog is built, you then
continue to run the Dircat task at regular intervals to keep the
information in the directory catalog current with the information in the
source Domino Directories. The Dircat task can build and maintain
multiple directory catalogs.
After the Dircat task has built a directory catalog, you set up clients
and/or servers to use the directory catalog. You can automate setting up
a condensed Directory Catalog on clients by using a Setup policy settings
document or a Desktop policy settings document. This process replicates
the directory catalog to the client, and adds the directory catalog file
name to the “Local address books” field in the User Preferences dialog for
mail.
To set up a server to use an Extended Directory Catalog, you set up the
server to use a directory assistance database, and then create a Directory
Assistance document in the database for the Extended Directory Catalog.
To set up a server to use a condensed Directory Catalog, you specify the
file name of the directory catalog in either the server’s Server document
or in the Domino Directory Profile.
Planning directory catalogs
When planning directory catalogs, consider the following issues:
• Directory catalogs and client authentication
• Directory catalogs and Notes mail encryption
• Picking the server(s) to run the Dircat task
• Specifying the Domino Directories for the Dircat task to aggregate
• Controlling which information is aggregated in a directory catalog
• Planning issues specific to Extended Directory Catalogs
• Planning issues specific to condensed Directory Catalogs
• Full-text indexing directory catalogs
• Multiple directory catalogs
Directory catalogs and client authentication
When an Internet client logs on to a server to authenticate, the server can
look up the client name in the directory catalog to find the client
credentials for authentication.
Using an Extended Directory Catalog for client authentication
To allow a server to use an Extended Directory Catalog to look up client
names for authentication, in the Directory Assistance document for the
Extended Directory Catalog, enable a rule that is trusted for credentials.
In addition, if you don’t aggregate all fields from documents as
recommended, you must make sure to aggregate the fields required for
the authentication. For example, to use name-and-password security,
aggregate the HTTPPassword field from Person documents. Or to use
X.509 certificate security, aggregate the userCertificate field.
If you want servers to use some secondary Domino Directories for
Internet client authentication but not others, you can create one Extended
Directory Catalog that aggregates the Domino Directories to use for
authentication, and another that aggregates the other Domino
Directories. Then create a Directory Assistance document for each
Extended Directory Catalog, and enable a rule that is trusted for
credentials only in the one that aggregates the directories to be used for
authentication.
Using a condensed Directory Catalog for client authentication
To enable a server to look up authentication credentials for any user
name aggregated in a condensed Directory Catalog, select the option
“Trust the server based condensed directory catalog for authentication
with internet protocols” on the Basics tab of the server’s Server document
in the Domino Directory.
To allow a server to look up credentials for user names from only one or
some of the source Domino Directories aggregated into a condensed
Directory Catalog, do not select the above option. Instead, create a
directory assistance database on the server. In the database, create a
Directory Assistance document for each aggregated Domino Directory
you want to use for authentication. In each Directory Assistance
document, enable a rule that is trusted for credentials.
If you use name-and-password security for Internet client authentication,
you can store the passwords in the condensed Directory Catalog. To do
this, aggregate the HTTPPassword field from Person documents. In this
case, a server looks up the passwords in the directory catalog, and
doesn’t require directory assistance to look them up in the source
Domino Directories.
If you use X.509 certificates for client authentication, storing the
certificates in a condensed Directory Catalog isn’t recommended due to
their size. Instead, set up directory assistance to look up the certificates
directly in the source Domino Directories. Similarly, servers can use
directory assistance to look up passwords in the source Domino
Directories, rather than aggregating the passwords into the directory
catalog, as a way to keep the condensed Directory Catalog small.
When you don’t store passwords and X.509 certificates in a directory
catalog, using the directory catalog and directory assistance in
conjunction is quicker than using directory assistance alone, because only
one database, the directory catalog, needs to be used to find a name.
For more information on using directory assistance in conjunction with a
directory catalog for client authentication, see the chapter “Setting Up
Directory Assistance.”
Directory catalogs and Notes client authentication
By default, when a Notes client logs on to a server, the server does not
look up information in Domino Directory Person documents during the
client authentication process. However, if the option “Compare Notes
public keys against those stored in Directory” is enabled in the server’s
Server document, then the server must be able to look up public key
information in Person documents to authenticate Notes clients. If Notes
users who are not registered in the server’s primary Domino Directory use
a server with this option enabled, the server can use a directory catalog
that it trusts for credentials to look up their names and do the public
key comparison.
Scenarios for using directory catalogs for client authentication
The following table describes various ways to configure directory
catalogs on servers to support client authentication, depending on the
type of directory catalog you are using and the extent to which you want
servers to trust the aggregated Domino Directories for authentication.
The scenarios assume the following:
• S1, S2, S3, and S4 are the names of the servers in a domain
• A, B, C, and D are the names of the Domino Directories for each of
the organization’s four domains. Each name in A, B, C, and D is part of
one of the following namespaces: west/acme, east/acme, north/acme,
south/acme. Namespaces overlap across A, B, C, and D.
• DA = Directory Assistance
• EDC = Extended Directory Catalog
• CDC = Condensed Directory Catalog on server

Authentication goal: S1, S2, S3, S4 trust all names in A, B, C, D for
authentication.
How to accomplish with Extended Directory Catalog(s): Aggregate A, B, C,
and D into one EDC. Create one DA database used by all servers. Create
one DA document for the EDC with the */*/*/*/*/* naming rule enabled and
trusted for credentials.
How to accomplish with condensed Directory Catalog(s): Aggregate A, B, C,
and D into one CDC used by all servers. In the Server documents for each
server, enable the option “Trust the server based condensed directory
catalog for authentication with internet protocols.”

Authentication goal: S1, S2, S3, S4 trust no names in A, B, C, D for
authentication.
How to accomplish with Extended Directory Catalog(s): Same as above
except do not enable a rule that is trusted for credentials in the DA
document for the EDC.
How to accomplish with condensed Directory Catalog(s): Same as above
except do not enable “Trust the server based condensed directory catalog
for authentication with internet protocols” in the Server documents.

Authentication goal: S1, S2, S3, S4 trust all names in A and B for
authentication, but no names in C and D.
How to accomplish with Extended Directory Catalog(s): Aggregate A and B
into EDC1, and aggregate C and D into EDC2. Create one DA database used
by all servers. Create a DA document for EDC1 with the */*/*/*/*/* naming
rule enabled and trusted for credentials. Create a DA document for EDC2
with the */*/*/*/*/* naming rule enabled but not trusted for credentials.
How to accomplish with condensed Directory Catalog(s): Aggregate A, B, C,
and D into one CDC used by all servers. Do not enable the option “Trust
the server based condensed directory catalog for authentication with
internet protocols” in the Server documents. Create one DA database used
by all the servers. Create separate DA documents for A, B, C, and D. In
the DA documents for A and B, enable the rule */*/*/*/*/* and trust the
rule for credentials. In the DA documents for C and D, do not trust any
rule for credentials.

Authentication goal: S1, S2, S3, S4 trust only names ending in west/acme
or east/acme, regardless of which Domino Directory contains the name.
How to accomplish with Extended Directory Catalog(s): Aggregate A, B, C,
and D into one EDC. Create one DA database used by all servers and create
one DA document for the EDC. In the DA document, create the rule
*/*/*/west/acme/* and the rule */*/*/east/acme/* and enable trusted for
credentials for both rules. Do not trust any other naming rule for
credentials.
How to accomplish with condensed Directory Catalog(s): Aggregate A, B, C,
and D into one CDC used by all servers. Do not enable the option “Trust
the server based condensed directory catalog for authentication with
internet protocols” in the Server documents. Create one DA database used
by all the servers. Create separate DA documents for A, B, C, and D. In
each DA document, create the rule */*/*/west/acme/* and the rule
*/*/*/east/acme/* and enable trusted for credentials for both rules. Do
not trust any other naming rule in any of the DA documents for
credentials.

Authentication goal: S1 & S2 trust and use only names in A and B. S3 & S4
trust and use only names in C and D.
How to accomplish with Extended Directory Catalog(s): Aggregate A and B
into EDC1. Create a DA database, DA1, and in it create a DA document for
EDC1 with the */*/*/*/*/* naming rule enabled and trusted for
credentials. Set up S1 and S2 to use DA1. Aggregate C and D into EDC2.
Create another DA database, DA2, and in it create a DA document for EDC2
with the */*/*/*/*/* naming rule enabled and trusted for credentials. Set
up S3 and S4 to use DA2.
How to accomplish with condensed Directory Catalog(s): Aggregate A and B
into CDC1 and set up S1 and S2 to use CDC1. Enable the option “Trust the
server based condensed directory catalog for authentication with internet
protocols” in the S1 and S2 Server documents. Aggregate C and D into CDC2
and set up S3 and S4 to use CDC2. Enable the option “Trust the server
based condensed directory catalog for authentication with internet
protocols” in the S3 and S4 Server documents.
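To make the rule-based scenarios above concrete, here is an added Python example; it is not part of this documentation or of Domino itself. It models a Directory Assistance naming rule as six components (OU4/OU3/OU2/OU1/O/C, the order used in the Directory Assistance document), an abbreviated hierarchical name as CN/OU.../O, and each rule as a (pattern, enabled, trusted for credentials) triple. The country component is not modelled, and the person names below are constructed; only the west/acme and east/acme namespaces come from the table. The point it demonstrates is that an enabled rule by itself only makes a directory available for lookups: a server authenticates a name only when some enabled rule that matches the name is also trusted for credentials.

```python
# Added example (not Domino documentation or product code): how a Directory
# Assistance naming rule gates which hierarchical names a server will look
# up credentials for. Assumption: a rule has six components OU4/OU3/OU2/OU1/O/C
# and the country component of a name is not modelled (its C slot is empty
# and matches only "*").

RULE_SLOTS = ("OU4", "OU3", "OU2", "OU1", "O", "C")


def name_components(name):
    """Map 'Phyllis Spera/sales/west/acme' onto the six rule slots.
    Organizational units are numbered from the organization outward: the
    unit next to O is OU1, the one above it OU2, and so on."""
    parts = [p.strip() for p in name.split("/") if p.strip()]
    if len(parts) < 2:
        raise ValueError("expected at least CN/O: %r" % name)
    org = parts[-1]
    ous = list(reversed(parts[1:-1]))        # OU1 first
    if len(ous) > 4:
        raise ValueError("more than four organizational units: %r" % name)
    ous += [""] * (4 - len(ous))             # OU1..OU4, empty when absent
    return (ous[3], ous[2], ous[1], ous[0], org, "")


def matches_rule(name, rule):
    """True if every rule component is '*' or equals the name's component
    in that slot (Domino compares name components case-insensitively)."""
    wanted = rule.split("/")
    if len(wanted) != len(RULE_SLOTS):
        raise ValueError("a naming rule needs six components: %r" % rule)
    return all(w == "*" or a.lower() == w.lower()
               for a, w in zip(name_components(name), wanted))


def trusted_for_credentials(name, rules):
    """rules: (pattern, enabled, trusted_for_credentials) triples from the
    Directory Assistance document. A rule that is enabled but not trusted
    lets the server use the directory for lookups such as mail addressing,
    but not for authenticating that name."""
    return any(enabled and trusted and matches_rule(name, pattern)
               for pattern, enabled, trusted in rules)


# Scenario from the table above: trust only names ending in west/acme or
# east/acme; the catch-all rule stays enabled for lookups but untrusted.
SCENARIO_RULES = [
    ("*/*/*/west/acme/*", True, True),
    ("*/*/*/east/acme/*", True, True),
    ("*/*/*/*/*/*", True, False),
]

if __name__ == "__main__":
    # Constructed sample names.
    for n in ("Phyllis Spera/west/acme", "Bob Jones/sales/east/acme",
              "Bob Jones/north/acme"):
        print(n, "->", trusted_for_credentials(n, SCENARIO_RULES))
```

A name under a deeper unit such as sales/east/acme still matches */*/*/east/acme/* because the unused OU2 slot in the rule is a wildcard; a name directly under acme does not match a rule that names an OU1.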

Directory catalogs and Notes mail encryption
When Notes users send encrypted mail to users registered in secondary
Domino Directories, servers can use an Extended Directory Catalog to
look up the public keys of the recipients to encrypt the mail. Even off-line
Notes users with condensed Directory Catalogs can flag mail for
encryption; then when they reconnect to the network to send the mail,
the clients look up the public keys in the Extended Directory Catalog.
Storing public keys in a condensed Directory Catalog isn’t recommended
because it greatly increases its size. Instead, set up directory assistance
for the aggregated Domino Directories so servers can look up the public
keys in them.
Servers do not have to trust a directory catalog or a Domino Directory for
credentials to use the directory to look up public keys for mail
encryption.
Picking the server(s) to run the Dircat task
The Dircat task (Directory Cataloger) is the server task that initially
aggregates information from source Domino Directories into a directory
catalog, and then continues to run at scheduled intervals to update the
directory catalog to reflect changes to the source Domino Directories, or
to the directory catalog configuration. The Dircat task aggregates both
condensed Directory Catalogs and Extended Directory Catalogs.
A server that runs the Dircat task (a Dircat server) should:
• Have enough disk space to store local replicas of the source Domino
Directories that are aggregated, if you choose to store the directories
locally on the server, rather than have the server access them over
the network.
• Have enough disk space to store the resulting aggregated directory
catalog(s) and full-text indexes. Only condensed Directory Catalogs
have full-text indexes by default.
• Be able to replicate the directory catalog(s) it aggregates to any
servers and clients that will use them.
Typically it’s best to run the Dircat task to build and maintain a directory
catalog on a server in one domain, and then replicate the directory
catalog to servers throughout an organization that need to use the
directory catalog. Using this approach, rather than having each domain
build and maintain its own version of the directory catalog, is beneficial
because only one server then does the CPU-intensive Dircat processing of
the directory catalog. Aggregate the primary Domino Directory of the
domain in which you build the directory catalog so that servers in other
domains can use the directory catalog to look up information from the
directory.
The Dircat task on one server can process more than one directory
catalog. The Dircat task is single-threaded so it processes directory
catalogs sequentially rather than simultaneously. Because Dircat is a
CPU-intensive task, it’s often beneficial to dedicate one server solely to
Dircat processing.
Allowing only one server to aggregate a directory catalog
You can run the Dircat task on more than one server, with each server
aggregating separate directory catalogs. Dircat tasks running on separate
servers should never aggregate the same directory catalog, however,
because doing so causes replication conflicts in the directory catalog.
When you configure a directory catalog, choose the option “Restrict
aggregation to server” in the configuration document for the directory
catalog to specify the name of the one server that can aggregate that
directory catalog. If you complete this field, when someone tries to run
the Dircat task against a replica of the directory catalog on a server not
specified in the configuration document, the server aborts the Dircat task
and returns the message “Aggregation of this catalog can only be done
by servername.”
Specifying the Domino Directories for the Dircat task to aggregate
The “Directories to include” field in a directory catalog configuration
document is the field you use to indicate which source Domino
Directories the Dircat task aggregates. The Dircat task runs on the
replicas of the directories specified in the order in which you list them in
the “Directories to include” field. Use commas to separate source
directory file names.
If you enable the option “Remove duplicate users,” if a user’s
distinguished name is found in more than one Person document, the
Dircat task aggregates information from only the first Person document
with the name the Dircat task encounters, according to the order in
which the source directories are listed in the “Directories to include”
field.
As the following table shows, you can store a source Domino Directory
locally on a Dircat server, or on a remote server that the Dircat server
accesses over the network. It’s best to store the source directory replicas
locally for high availability and quick access. If you store replicas of the
source directories locally, make sure to keep them up-to-date by
regularly replicating with the replicas on the remote servers.
If a Dircat server accesses the source Domino Directories over the
network, it must have certifiers in common with the servers that store the
remote directories, or must be cross-certified with those servers.

Location of source Domino Directory: Locally
Enter: The file name — for example, EASTNAMES.NSF

Location of source Domino Directory: Locally in a linked directory
Enter: The file name, preceded by the linked directory — for example,
DIRECTORIES\EASTNAMES.NSF

Location of source Domino Directory: Over the network on a mapped drive
Enter: The file name and path — for example, U:\DIRSERVER\NAMES.NSF

Location of source Domino Directory: Over the network through Domino
Enter: The file name in this syntax: portname!!!servername!!filename
where:
• portname is the name you gave to the port
• servername is the hierarchical name of the server that stores the
directory
• filename is the file name for the directory on the server
For example: TCPIP!!!DIRSERV/EAST/ACME!!NAMES.NSF
If you don’t care which port is used, omit the port, for example:
DIRSERV/EAST/ACME!!NAMES.NSF
Note The server running the Dircat task must have a certifier in common
with the remote server, or be cross-certified with that server.
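As an added example (not Domino code), the following Python parses the entries of the “Directories to include” field according to the syntax in the table above, so you can tell in advance which source directories the Dircat server will read over the network and therefore which remote servers it must share a certifier with or be cross-certified with. The server name DIRSERV/WEST/ACME and the combined field value are constructed sample data.

```python
# Added example, not Domino code: classify "Directories to include" entries
# by the location syntax in the table above. DIRSERV/WEST/ACME and the sample
# field value at the bottom are constructed.
import re

_MAPPED_DRIVE = re.compile(r"^[A-Za-z]:\\")


def parse_source(entry):
    """Classify one entry. Returns a dict with the location kind, the Domino
    port and hierarchical server name (network entries only), the file name,
    and whether a common certifier or cross-certification must be in place."""
    entry = entry.strip()
    if "!!" in entry:
        # portname!!!servername!!filename, or servername!!filename when
        # any port may be used
        port, rest = (entry.split("!!!", 1) if "!!!" in entry
                      else (None, entry))
        server, filename = rest.split("!!", 1)
        if not server or not filename:
            raise ValueError("malformed network entry: %r" % entry)
        return {"location": "domino-network", "port": port or None,
                "server": server, "filename": filename,
                "needs_cross_cert": True}
    if _MAPPED_DRIVE.match(entry):
        kind = "mapped-drive"           # e.g. U:\DIRSERVER\NAMES.NSF
    elif "\\" in entry:
        kind = "linked-directory"       # e.g. DIRECTORIES\EASTNAMES.NSF
    else:
        kind = "local"                  # e.g. EASTNAMES.NSF
    return {"location": kind, "port": None, "server": None,
            "filename": entry, "needs_cross_cert": False}


def parse_directories_to_include(field):
    """Split the comma-separated field, keeping the order: with "Remove
    duplicate users" enabled, the first listed directory that contains a
    name is the one the Dircat task aggregates that name from."""
    return [parse_source(e) for e in field.split(",") if e.strip()]


def servers_needing_cross_certification(field):
    """Hierarchical names of remote servers the Dircat server must share a
    certifier with, or be cross-certified with, before aggregation works."""
    return sorted({s["server"] for s in parse_directories_to_include(field)
                   if s["needs_cross_cert"]})


if __name__ == "__main__":
    # Constructed sample value for the "Directories to include" field.
    field = ("EASTNAMES.NSF, DIRECTORIES\\EASTNAMES.NSF, "
             "U:\\DIRSERVER\\NAMES.NSF, "
             "TCPIP!!!DIRSERV/EAST/ACME!!NAMES.NSF, "
             "DIRSERV/WEST/ACME!!NAMES.NSF")
    for src in parse_directories_to_include(field):
        print(src)
    print(servers_needing_cross_certification(field))
```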

Controlling which information is aggregated into a directory catalog
Read these topics to learn about controlling which information the Dircat
task aggregates into a directory catalog:
• Types of documents the Dircat task can aggregate
• Removing duplicate user entries
• Choosing the types of groups to aggregate
• Using a selection formula
• Choosing the fields to aggregate
Types of documents the Dircat task can aggregate
The Dircat task can aggregate information only from the following
Domino Directory documents:

Document type: Person
Aggregated by default? Yes
Option(s) in configuration document that affect aggregation of the
document: “Additional fields to include”, “Remove duplicate users”,
“Selection Formula”

Document type: Group
Aggregated by default? Yes (Mail and Multi-purpose types only, by default)
Option(s) in configuration document that affect aggregation of the
document: “Additional fields to include”, “Group types”, “Selection
Formula”

Document type: Mail-in Database
Aggregated by default? Yes
Option(s) in configuration document that affect aggregation of the
document: “Additional fields to include”, “Include Mail-in Databases”,
“Selection Formula”

Document type: Resource*
Aggregated by default? Yes
Option(s) in configuration document that affect aggregation of the
document: “Additional fields to include”, “Selection Formula”

Document type: Server (Extended Directory Catalog only)
Aggregated by default? No
Option(s) in configuration document that affect aggregation of the
document: “Additional fields to include”, “Include Servers”, “Selection
Formula”

Document type: Custom documents you’ve added to a Domino Directory
Aggregated by default? No
Option(s) in configuration document that affect aggregation of the
document: “Additional fields to include”, “Selection Formula”

*Users can’t use a condensed Directory Catalog to reserve resources, only to
view them.
Note The Dircat task does not aggregate documents that contain
Readers lists by default. Use the NOTES.INI setting
Dircat_Include_Readerslist_Notes to aggregate documents that contain
Readers lists.
Removing duplicate user entries from a directory catalog
If there are multiple Person documents with the same distinguished
name in the source Domino Directories that are aggregated into a
directory catalog, the “Remove duplicate users” field in a directory
catalog configuration document controls whether to aggregate
information from all of the Person documents, or just the first one the
Dircat task encounters. Choose one:
• Yes (default) to aggregate information from only the first Person
document encountered by the Dircat task, according to the order in
which you list the directories in the “Directories to include” field in
the directory catalog configuration document.
• No to aggregate information from multiple Person documents with
the same name.
If there are occurrences of more than one Person document with the
same distinguished name, and the multiple documents really represent
one user, keep “Remove duplicate users” selected so that:
• Notes users aren’t required to choose between duplicate entries in
the “Ambiguous Name” dialog box when they resolve the mail
address for the name.
• The Router doesn’t encounter duplicate names that prevent it from
delivering mail.
The “Remove duplicate users” field does not apply to Group documents.
To distinguish between different groups with the same name in multiple
directories, the Dircat task uses the “Domain defined by this Domino
Directory” field in the Directory Profile of the source Domino Directories
to append the domain to all group names.
Removing duplicate user entries from an Extended Directory
Catalog to improve Dircat performance
You can reduce the time it takes the Dircat task to run on an Extended
Directory Catalog by selecting “No” to retain all entries with duplicate
names. Doing so keeps the Dircat task from building a particular view
required for the removal of entries with duplicate names. Retaining
entries with duplicate names does not result in a similar performance
gain for a condensed Directory Catalog.
Deleting Person documents from the source Domino Directories
when “Remove duplicate users” is selected
If you choose the “Remove duplicate users” option, and later remove a
Person document from the source Domino Directory that is the one
aggregated into the directory catalog, the Dircat task removes the
corresponding user entry from the directory catalog the next time it runs,
so the name is no longer found in the directory catalog.
To cause the Dircat task to add the user entry back into the directory
catalog, make a minor change to a remaining Person document for the user
in one of the other source Domino Directories. The next time Dircat runs,
it aggregates information from the remaining Person document into the
directory catalog. You can also correct the problem by clicking the
“Clear History” button in the directory catalog configuration document,
although this approach isn’t recommended because it causes a rebuild of
the entire directory catalog.
For example, suppose Source Directory A and Source Directory B both
contain a Person document with the name Phyllis Spera/Acme, “Remove
duplicate users” is enabled, and Directory A is listed first in the
“Directories to include” field. When the Dircat task runs, it includes only
the entry from Directory A. If someone then removes the Person
document from Directory A, the name Phyllis Spera/Acme is removed
from the directory catalog the next time Dircat runs. To add the name
back, make a small change to the remaining Person document in
Directory B, so the Dircat task adds the name back to the directory
catalog the next time it runs.
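The following is an added Python model (not Domino code) of the incremental behaviour just described: the Dircat task re-examines only documents that changed since its last run, a deletion arrives as a deletion stub, and “Clear History” discards the history and rebuilds. The seq counter stands in for the document modification time that Dircat actually compares, each source directory is a dict of Person documents, and the name Jane Doe/Acme is constructed.

```python
# Added example, not Domino code: why a name vanishes from the catalog when
# the Person document the Dircat task chose is deleted, and what brings it
# back. Assumption: "seq" stands in for the modification time Dircat uses to
# find documents changed since its last run; a deletion is a stub kept in
# the directory with deleted=True. Jane Doe/Acme is a constructed name.
import itertools

_seq = itertools.count(1)


def add_person(directory, unid, full_name):
    directory[unid] = {"FullName": full_name, "seq": next(_seq),
                       "deleted": False}


def touch_person(directory, unid):
    """A minor change, so the document is re-examined on the next run."""
    directory[unid]["seq"] = next(_seq)


def delete_person(directory, unid):
    directory[unid].update(deleted=True, seq=next(_seq))


class DirectoryCatalog:
    def __init__(self, directories_to_include, remove_duplicate_users=True):
        # ordered (name, docs) pairs, as listed in "Directories to include"
        self.sources = list(directories_to_include)
        self.remove_duplicate_users = remove_duplicate_users
        self.entries = {}   # FullName -> set of source directory names
        self.history = {}   # source directory name -> highest seq processed

    def run_dircat(self):
        """Examine only documents changed since the last run, per directory,
        in the order the directories are listed."""
        for dir_name, docs in self.sources:
            last = self.history.get(dir_name, 0)
            for doc in sorted(docs.values(), key=lambda d: d["seq"]):
                if doc["seq"] <= last:
                    continue
                name = doc["FullName"]
                if doc["deleted"]:
                    origins = self.entries.get(name, set())
                    origins.discard(dir_name)
                    if not origins:
                        self.entries.pop(name, None)
                elif (self.remove_duplicate_users and name in self.entries
                      and dir_name not in self.entries[name]):
                    pass  # a directory listed earlier already supplied it
                else:
                    self.entries.setdefault(name, set()).add(dir_name)
                last = doc["seq"]
            self.history[dir_name] = last

    def clear_history(self):
        """The "Clear History" button: forget everything and rebuild."""
        self.entries.clear()
        self.history.clear()

    def names(self):
        return sorted(self.entries)


if __name__ == "__main__":
    A, B = {}, {}
    add_person(A, "a1", "Phyllis Spera/Acme")
    add_person(B, "b1", "Phyllis Spera/Acme")
    cat = DirectoryCatalog([("A", A), ("B", B)])
    cat.run_dircat()
    print("initial:", cat.entries)        # entry comes from A
    delete_person(A, "a1")
    cat.run_dircat()
    print("after delete in A:", cat.entries)   # name gone; B not re-read
    touch_person(B, "b1")
    cat.run_dircat()
    print("after touching B:", cat.entries)    # entry now comes from B
```

On the second run the document in B is not re-examined because it has not changed since the first run, which is exactly why the name stays missing until that document is touched or the catalog is rebuilt.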
Choosing the types of groups to aggregate in a directory catalog
The “Group types” directory catalog configuration option controls which
types of groups the Dircat task aggregates. Choose one of the following:
• “Mail and Multi-purpose” (default) to aggregate only these two
types of groups from all of the directories listed in the “Directories to
include” field.
• “Mail Only” to aggregate only “Mail only” groups from all of the
directories listed in the “Directories to include” field.
• “All” to aggregate all types of groups from all the directories listed in
the “Directories to include” field.
• “All in first directory only” to aggregate all types of groups, but only
those from the first directory listed in the “Directories to include”
field.
• “None” to exclude all groups.
If your organization uses a Notes application to look up the members of
“Access Control List only,” “Servers only,” or “Deny List Only” groups
in an Extended Directory Catalog or a condensed Directory Catalog used
by servers, choose “All” or “All in first directory only” to add these types
of groups to the directory catalog.
If the directory catalog you are configuring is an Extended Directory
Catalog servers use to look up groups to authorize users’ database
access, and these groups in the source Domino Directories are defined as
“ACL only” groups, choose “All” or “All in first directory only” to
ensure the groups are aggregated.
LocalDomainServers and OtherDomainServers groups
The Dircat task doesn’t aggregate the LocalDomainServers and
OtherDomainServers groups into a directory catalog because the servers
listed in these groups can’t be used for mail addressing, and because
excluding them improves performance of the Dircat task.
All groups aggregated as Multi-purpose groups, by default
By default, all groups aggregated into a directory catalog are assigned
the type “Multi-purpose.” For example, by default, a “Mail only” group
in a Domino Directory becomes a “Multi-purpose” group in the directory
catalog. To keep the correct group type definition for groups in a
directory catalog, add the GroupType field to the directory catalog
configuration.
For more information, see “Choosing which fields to aggregate in a
directory catalog.”
Using a selection formula in a directory catalog configuration
document
Use the “Selection Formula” field in a directory catalog configuration
document to aggregate only documents defined by a selection formula.
For example, to aggregate only Person documents with a value of
“Atlanta” in the Location field, aggregate all Group documents, and
exclude all other documents, use the following selection formula:
SELECT (Form = "Person" & Location = "Atlanta") | (Form = "Group")
Or to aggregate only Person documents for people assigned to a specific
mail server, use a selection formula such as:
SELECT (Form = "Person" & MailServer = "MailServer1")
The “Selection Formula” field replaces the replication setting “Receive
only a subset of the documents” - “Documents that meet a selection
formula” used in other databases. Keep in mind that a selection formula
applies to all the aggregated directories, so the formula should be valid
for all of them. Note that you can’t use a selection formula to aggregate
documents that are never aggregated into a directory catalog. For
example, you can’t use a selection formula to aggregate Server
Configuration documents or Server Connection documents.
For more information on selection formulas, see Domino Designer 6
Help.
How a selection formula interacts with the “Group types” option
The “Group types” field in a directory catalog configuration document
controls the types of groups that the Dircat task aggregates into a
directory catalog. If you use a selection formula and you want to
aggregate groups, you must select the groups as part of the selection
formula as well as use the “Group types” field to indicate which types of
groups to aggregate. For example, to aggregate only Person documents
with a Location of Atlanta, and only Mail and Multipurpose groups:
• Use this selection formula: SELECT (Form = "Person" & Location =
"Atlanta") | (Form = "Group")
• Select the “Group Type” option “Mail and Multi-purpose.”
A selection formula can select only the types of groups indicated by the
“Group types” option.
How a selection formula interacts with the “Include Servers” option
The “Include Servers” field in a directory catalog configuration document
for an Extended Directory Catalog controls whether the Dircat task
aggregates Server documents. If you use a selection formula that includes
Server documents, you must select the Server documents as part of the
selection formula as well as select Yes in the “Include Servers” field.
You cannot aggregate Server documents into a condensed Directory
Catalog.
How a selection formula interacts with the “Include Mail-In
Databases” option
The “Include Mail-In Databases” option in a directory catalog
configuration document controls whether to aggregate Mail-In Database
documents. If you use a selection formula that includes Mail-In
Databases documents, you must select the Mail-In Database documents
as part of the selection formula, as well as select Yes for the “Include
Mail-In Databases” option.
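The sections on the “Selection Formula”, “Group types”, “Include Servers” and “Include Mail-In Databases” options, together with the earlier notes on LocalDomainServers/OtherDomainServers and Readers lists, describe one combined per-document decision. The following added Python example (not Domino code) models that decision over constructed sample documents. A Python predicate stands in for the @formula SELECT expression, the group types use the labels used in this chapter rather than Domino’s GroupType codes, a “Readers” key stands for a document that contains a Readers list, and the form names ServerConfig and Connection are assumed labels for the Server Configuration and Server Connection documents.

```python
# Added example, not Domino code: the per-document decision the Dircat task
# makes from the configuration options above. Assumptions: group types are
# the labels used in this chapter, a "Readers" key marks a document with a
# Readers list, and "ServerConfig"/"Connection" are assumed form labels.
from dataclasses import dataclass
from typing import Callable, Optional

ALL_GROUP_TYPES = {"Mail only", "Multi-purpose", "Access Control List only",
                   "Servers only", "Deny List only"}
GROUP_TYPE_OPTIONS = {
    "Mail and Multi-purpose": {"Mail only", "Multi-purpose"},
    "Mail Only": {"Mail only"},
    "All": ALL_GROUP_TYPES,
    "All in first directory only": ALL_GROUP_TYPES,
    "None": set(),
}
DEFAULT_FORMS = {"Person", "Group", "Mail-In Database", "Resource"}
NEVER_AGGREGATED = {"ServerConfig", "Connection"}


@dataclass
class CatalogConfig:
    extended: bool = True                  # Extended (True) or condensed
    selection_formula: Optional[Callable[[dict], bool]] = None
    group_types: str = "Mail and Multi-purpose"
    include_servers: bool = False
    include_mail_in_databases: bool = True
    include_readers_lists: bool = False    # Dircat_Include_Readerslist_Notes


def should_aggregate(doc, cfg, first_directory):
    """Decide whether the Dircat task aggregates one document."""
    form = doc.get("Form")
    if form in NEVER_AGGREGATED:
        return False              # no selection formula can pull these in
    if "Readers" in doc and not cfg.include_readers_lists:
        return False
    if cfg.selection_formula is not None:
        if not cfg.selection_formula(doc):
            return False
    elif form not in DEFAULT_FORMS and form != "Server":
        return False              # custom documents need a selection formula
    # The per-type options apply on top of the selection formula.
    if form == "Group":
        if doc.get("ListName") in ("LocalDomainServers", "OtherDomainServers"):
            return False
        if cfg.group_types == "All in first directory only" and not first_directory:
            return False
        allowed = GROUP_TYPE_OPTIONS[cfg.group_types]
        return doc.get("GroupType", "Multi-purpose") in allowed
    if form == "Server":
        return cfg.extended and cfg.include_servers
    if form == "Mail-In Database":
        return cfg.include_mail_in_databases
    return True


def _display_name(doc):
    return doc.get("FullName") or doc.get("ListName") or doc.get("ServerName")


def aggregate(directories, cfg):
    """directories: ordered (name, [docs]) pairs as in "Directories to
    include". Returns (directory, name) pairs for aggregated documents."""
    picked = []
    for index, (dir_name, docs) in enumerate(directories):
        for doc in docs:
            if should_aggregate(doc, cfg, first_directory=(index == 0)):
                picked.append((dir_name, _display_name(doc)))
    return picked


def atlanta_people_and_all_groups(doc):
    """Stands in for SELECT (Form = "Person" & Location = "Atlanta") | (Form = "Group")."""
    return ((doc.get("Form") == "Person" and doc.get("Location") == "Atlanta")
            or doc.get("Form") == "Group")


# Constructed sample source directories.
SAMPLE_DIRECTORIES = [
    ("A", [
        {"Form": "Person", "FullName": "Phyllis Spera/Acme", "Location": "Atlanta"},
        {"Form": "Person", "FullName": "Bob Jones/Acme", "Location": "Boston"},
        {"Form": "Person", "FullName": "Hidden Person/Acme", "Location": "Atlanta",
         "Readers": ["Admins"]},
        {"Form": "Group", "ListName": "Sales", "GroupType": "Mail only"},
        {"Form": "Group", "ListName": "DbAdmins", "GroupType": "Access Control List only"},
        {"Form": "Group", "ListName": "LocalDomainServers", "GroupType": "Servers only"},
        {"Form": "Server", "ServerName": "S1/Acme"},
        {"Form": "Connection", "Destination": "S2/Acme"},
    ]),
    ("B", [
        {"Form": "Group", "ListName": "Marketing", "GroupType": "Multi-purpose"},
    ]),
]

if __name__ == "__main__":
    cfg = CatalogConfig(selection_formula=atlanta_people_and_all_groups)
    print(aggregate(SAMPLE_DIRECTORIES, cfg))
```

With the Atlanta formula and the default “Mail and Multi-purpose” setting, the ACL-only group DbAdmins is dropped even though the formula selects every Group document; switching “Group types” to “All” admits it, and a Server document is admitted only when the formula selects it and “Include Servers” is Yes on an Extended Directory Catalog.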
Choosing which fields to aggregate in a directory catalog
By default, a directory catalog aggregates the following fields from the
documents supported for aggregation.

Field aggregated by default: Documents that use the field
FullName (1): Person, Mail-In Database, Resource
ListName (1): Group
Type (1): All
FirstName: Person
MiddleInitial: Person
LastName: Person
Location: Person
MailAddress: Person
Shortname: Person
MailDomain: Person, Group, Mail-In Database, Resource
InternetAddress: Person, Group, Mail-In Database, Resource
MessageStorage: Person, Mail-In Database
Members (2): Group
AltFullName (2): Person
AltFullNameLanguage (2): Person

(1) Required fields that ensure that each document aggregated in the
directory catalog has a known name and type
(2) Aggregated by default only in an Extended Directory Catalog

Use the “Additional fields to include” field in a directory catalog
configuration document to aggregate additional fields into a directory
catalog. To avoid making a mistake, use Domino Designer to copy and
paste the fields from forms in the Domino Directory template. Be sure to
copy the field itself, not the field label — for example, copy the field
OfficePhoneNumber, not the label Office phone.
If you use a directory catalog configuration option to exclude a particular
type of document, that document isn’t aggregated even if you specify a
field from the document in the “Additional fields to include” field. For
example, if you choose “None” next to the “Group types” option, the
Dircat task does not aggregate group documents, even if the Members
field is listed in the “Additional fields to include” field.
Guidelines for modifying the “Additional fields to include” field
Follow these general guidelines when modifying the “Additional fields
to include” configuration field:
• Do not remove the fields aggregated by default because these field
selections are the optimum ones for mail addressing.
• In an Extended Directory Catalog, aggregating all fields is
recommended, since there is no way for servers to use directory
assistance to look up missing information directly in the full Domino
Directories themselves that are aggregated. To aggregate all fields
from the aggregated documents, including custom documents added
to a Domino Directory, leave the “Additional fields to include” field
blank. If you don’t aggregate all fields, then follow the guidelines
described in the following table.
• In a condensed Directory Catalog, aggregate as few fields as
possible, to keep the directory catalog small. When possible avoid
aggregating fields that change frequently, since doing so requires
Domino frequently to update entries in the directory catalog and
replicate the changes to other replicas of the directory catalog.
• If the LDAP service searches an Extended Directory Catalog or
condensed Directory Catalog on a server, consider aggregating fields
that are not part of the default configuration if LDAP clients
frequently search for these fields.
• If you use a subform to customize a Domino Directory template, you
can add fields from the subform to the “Additional fields to include”
field. If you are adding custom fields to a condensed Directory
Catalog, you must first copy and paste the subform from the Domino
Directory into the Directory Catalog database that the Dircat task
runs against.
In addition to the above general guidelines, follow these more specific
guidelines:

Members field (from Group documents)
  Extended Directory Catalog: (Required) Allows Notes clients and servers
  to look up the members of groups from secondary Domino Directories.
  Condensed Directory Catalog used by clients: (Optional) Add only to
  allow users who are not connected to the network to look up free time
  schedules of other users. Note that adding the Members field is not
  generally recommended because it increases the directory catalog size
  and requires more replication. Use a server directory catalog or
  directory assistance to provide a way for servers to look up the
  members of groups from a secondary Domino Directory.
  Condensed Directory Catalog used by servers: (Required) Allows Notes
  clients and servers to look up the members of groups from secondary
  Domino Directories.

AltFullName, AltFullNameLanguage (from Person documents)
  Extended Directory Catalog: (Recommended) Include this field even if no
  certified alternate names are used in your organization; then if
  alternate certified names are put into use later, no directory catalog
  rebuild is necessary.
  Condensed Directory Catalog used by clients: (Optional) Add if users in
  the directory catalog use alternate names in their certificates.
  Condensed Directory Catalog used by servers: (Recommended) Include this
  field even if no certified alternate names are used in your
  organization; then if alternate certified names are put in use later,
  no directory catalog rebuild is necessary.

HTTPPassword (from Person documents)
  Extended Directory Catalog: (Optional) Add to enable servers to look up
  Internet passwords in the directory catalog for Internet client
  authentication.
  Condensed Directory Catalog used by clients: Not recommended
  Condensed Directory Catalog used by servers: (Optional) Add to enable
  servers to look up Internet passwords in the directory catalog for
  Internet client authentication.

UserCertificate (from Person documents)
  Extended Directory Catalog: (Optional) Add to enable servers to look up
  X.509 certificates in the directory catalog for Internet client
  authentication.
  Condensed Directory Catalog used by clients: Not recommended
  Condensed Directory Catalog used by servers: Not recommended

Full-text indexing directory catalogs
A condensed Directory Catalog should have a full-text index, but a
full-text index on an Extended Directory Catalog is optional.
Full-text indexing condensed Directory Catalogs
Since a server uses full-text searches rather than view lookups to find any
of the following information in a condensed Directory Catalog, it’s
important that the directory catalog has a full-text index:
• Names that don’t correspond to the selected sort order for the
directory catalog
• Any information requested by an LDAP search when the LDAP
service searches a condensed Directory Catalog
• Soundex fields
When you replicate a condensed Directory Catalog, the replica you
create is full-text indexed automatically. However, if you use the file
system to make a copy of a condensed Directory Catalog, the copy is not
full-text indexed. If you delete a full-text index from a condensed
Directory Catalog, you must re-create the index manually.
If only clients use a condensed Directory Catalog, conserve disk space by
deleting full-text indexes on any server replicas.
Users cannot directly full-text search condensed Directory Catalogs.
Full-text indexing Extended Directory Catalogs
It’s generally not necessary to full-text index Extended Directory
Catalogs, because servers rely primarily on view searches to look up
information in them. An exception is if a server running the LDAP
service uses an Extended Directory Catalog; in this case, create a full-text
index for the directory catalog if LDAP users use something other than
names in search filters, since these types of LDAP searches use the
full-text index.
Planning issues specific to Extended Directory Catalogs
Consider these issues when planning an Extended Directory Catalog:
• Extended Directory Catalog size
• Extended Directory Catalogs and directory assistance
• Extended Directory Catalogs and group lookups for database
authorization
• Integrating an Extended Directory Catalog into a primary Domino
Directory
Extended Directory Catalog size
Since the Extended Directory Catalog contains the views that are in a
standard Domino Directory and combines multiple Domino Directories
into one database, it typically is very large. If you aggregate all fields as
recommended, an Extended Directory Catalog is about the size of all the
aggregated Domino Directories combined. Don’t replicate the database
to Notes clients and use as few replicas on servers as feasible.
Extended Directory Catalogs and directory assistance
Unless you integrate an Extended Directory Catalog into a server’s
primary Domino Directory, a server must use directory assistance to look
up information in an Extended Directory Catalog, and to determine
whether to use an Extended Directory Catalog for client authentication
and/or group lookups for database authorization.
After you create a Directory Assistance document for an Extended
Directory Catalog in a directory assistance database, to optimize look up
performance, remove any Directory Assistance documents for the
individual Domino Directories aggregated into the directory catalog.
Make sure to aggregate all the fields that need to be searched because
once servers search an Extended Directory Catalog they cannot use
directory assistance to access the source Domino Directories directly to
retrieve field values that are not aggregated, as can occur with a
condensed Directory Catalog.
You can set up a server to use more than one Extended Directory Catalog
by creating a Directory Assistance document for each one.
For more information on setting up directory assistance for an Extended
Directory Catalog, see the chapter “Setting Up Directory Assistance.”
Extended Directory Catalogs and group lookups for database
authorization
You can use the groups in one directory configured in a Directory
Assistance database, in addition to the primary Domino Directory, to
authorize database access for Internet and Notes clients. When group
authorization is enabled for a directory, if a server finds groups in a
database ACL, it can look up the members of the groups to verify a
user’s access to a database. The one directory enabled for group
authorization can be an Extended Directory Catalog, which effectively
allows servers to use groups from any of the source Domino Directories
for database access control.
Select the option “Group authorization” in the Directory Assistance
document for the Extended Directory Catalog to enable this feature. If
you enable group authorization for an Extended Directory Catalog, you
cannot enable it for any other directory, Notes or LDAP, configured in
the directory assistance database.
If you enable “Group authorization” for an Extended Directory Catalog,
and groups used for database access control in the directory catalog
contain groups as members — nested groups — a server only looks up
names in the nested groups if the nested groups are located in the
Extended Directory Catalog.
Note A server cannot use groups aggregated in a condensed Directory
Catalog for database authorization.
Integrating an Extended Directory Catalog into a primary Domino
Directory
You can build an Extended Directory Catalog into an existing primary
Domino Directory so that servers and users within the domain can use
one, integrated corporate directory. Rather than create a new database
from the PUBNAMES.NTF template in which to add the directory
catalog configuration document and aggregate documents, instead create
the configuration document in the primary Domino Directory
(NAMES.NSF). All the original documents in the NAMES.NSF are
retained, and the Dircat task adds documents aggregated from other
Domino Directories into the database.
When you integrate an Extended Directory Catalog into a primary
Domino Directory, a server within the domain of the primary Domino
Directory searches the aggregated information automatically as part of
its primary Domino Directory search, and so the use of directory
assistance isn’t required. Person documents that the Dircat task
aggregates are trusted for client authentication, and Groups documents
that are aggregated can be used automatically for database authorization.
Servers outside the domain of the Domino Directory into which the
Extended Directory Catalog is aggregated can use directory assistance to
access the integrated directory. From the perspective of these servers, the
integrated directory is a secondary directory that is searched after their
primary Domino Directory; these servers only trust the integrated
directory for client authentication, and can only use groups in the
integrated directory for database authorization, if you set up the
Directory Assistance document for the directory to allow this.
Dircat task processing affects only the documents the Dircat task
aggregates from other Domino Directories, and not native documents
that originate in NAMES.NSF. For example, rebuilding an Extended
Directory Catalog that is integrated into a primary Domino Directory
does not have any effect on the native documents.
You can remove an Extended Directory Catalog that is integrated into a
primary Domino Directory by deleting the directory catalog
configuration document, and then rebuilding the Extended Directory
Catalog by running the Dircat task on it with the -r switch. Any native
documents created outside of the aggregation process remain.
Planning issues specific to condensed Directory Catalogs
Consider these issues that are specific to planning a condensed Directory
Catalog:
• Deciding how to sort entries
• Deciding whether to support Soundex searches
• Using performance settings
• Replicating a condensed Directory Catalog
You can set up a condensed Directory Catalog on a server to work in
conjunction with directory assistance. For example, you can set up
directory assistance to look up information directly in a Domino
Directory when the information isn’t aggregated into a condensed
Directory Catalog. For information, see the chapter “Setting Up Directory
Assistance.”
Deciding how to sort entries in a condensed Directory Catalog
One of the reasons condensed Directory Catalogs are small is they don’t
contain multiple, sorted views for lookups as a Domino Directory and an
Extended Directory Catalog do. Instead, these types of directory catalogs
provide only one option for sorting names, determined by the “Sort by”
field in a Directory Catalog Configuration document. The choices are:
• Distinguished name (default) - sorts entries by the Notes
distinguished name, first name, followed by last name.
• Last name - sorts entries by last name
• Alternate Fullname - sorts entries by certified alternate names
The “Sort by” option is unnecessary and isn’t available for an Extended
Directory Catalog because this type of directory catalog retains the
multiple sorted views available in a Domino Directory.
Note Always keep the default “Sort by” selection, “Distinguished
name,” if servers use the condensed Directory Catalog.
How the “Sort by” selection affects type-ahead addressing on Notes
clients
Type-ahead addressing is a feature that assists Notes users with mail
addressing. As a user begins typing a name when addressing mail,
type-ahead searches for the name in order to fill in the name
automatically for the user.
The Notes client only uses type-ahead addressing to look up a name in a
condensed Directory Catalog if the user types the name in a way that
corresponds to the “Sort by” selection. For example, if the selected “Sort
by” format is “Distinguished name,” type-ahead looks up the name in a
condensed Directory Catalog only when a user types the first name
before the last name. Or, if the “Sort by” format is set to “Last name,”
type-ahead looks up the name only when a user types the last name
before the first name.
Make sure your “Sort by” selection corresponds to the way in which
type-ahead is typically used in your organization. For example in large,
enterprise organizations, users often address mail by entering the
recipients’ last names, in which case the Sort by selection should be set to
Last name.
You can create more than one condensed Directory Catalog, each with a
different “Sort by” selection to accommodate different styles of
type-ahead use.
Note If there is a condensed Directory Catalog on a Notes client,
type-ahead never searches a directory on a server, even if the client
Location document is set to “Recipient name” type-ahead - Local then
Server.
How the “Sort by” selection affects browsing a directory catalog
The “Sort by” selection in a condensed Directory Catalog also determines
how names are sorted when users open the directory catalog, for
example when using the “Select Addresses” dialog box to browse the
directory catalog.
Supporting Soundex searches of a condensed Directory Catalog
Use the “Use Soundex” field in a directory catalog configuration
document for a condensed Directory Catalog to control whether the
directory catalog supports Soundex lookups. Choose Yes (default) to
support Soundex lookups, or No to omit support for Soundex lookups.
Soundex allows Notes users to use phonetic spellings to search for
names. Supporting Soundex lookups increases the size of the directory
catalog by about 4 bytes for every entry. Soundex is not effective for
finding names in non-Latin characters.
This field is not available in a configuration document for an Extended
Directory Catalog, since minimizing the size of an Extended Directory
Catalog is not a typical goal.
Using performance settings in a condensed Directory Catalog
Directory catalog performance settings in the Advanced tab of a
configuration document for a condensed Directory Catalog are “Packing
density” — that is, how many source Domino Directory entries can be
combined in one directory catalog aggregate document — and
“Incremental fields” — that is, how and when the Dircat task updates
changes to fields in the aggregate documents. The default directory
catalog performance settings work fine in most situations.
Note Change these settings only on a condensed Directory Catalog used
only by servers, and not on a condensed Directory Catalog used by
clients.
These settings are irrelevant and unavailable for an Extended Directory
Catalog which doesn’t combine multiple source Domino Directory
entries into aggregate documents.
Packing density
The packing density is the number of entries from a source Domino
Directory that can be stored in one aggregate document in the condensed
Directory Catalog. 255 is the maximum packing density and the default. If
full-text searching is frequently used to search a server directory catalog,
for example if the LDAP service uses the directory catalog, and these
searches of the directory catalog are slow, you can decrease the packing
density to improve performance of these searches. You might also
decrease the packing density to reduce the odds that a particular
aggregate document needs to replicate.
Incremental fields
Because a single field in an aggregate document contains values for the
field from many of the source Domino directories, it’s likely that at any
one time every field in the aggregate document might require updating
and, therefore, would need to replicate. To manage changes to fields in a
condensed Directory Catalog, the Dircat task, by default, uses an
incremental merge process that stores the changes in temporary fields in
aggregate documents until, by default, 5 percent of the total entries from
the source Domino Directories change. Then the Dircat task merges the
changes stored in the temporary fields into the permanent fields in the
aggregate documents and deletes the temporary fields. This process
occurs somewhat randomly over a period of time so that at any time,
only a few aggregate documents need to replicate. When the directory
catalog on the server running the Dircat task replicates, only the updated
fields replicate. This incremental replication results in improved
replication performance, especially when replication occurs over a
dial-up connection.
The alternative to incrementally merging fields is to make changes as
they occur directly in the original fields in aggregate documents.
Disabling incremental merging provides some modest gains in search
performance. However, if replication with the source Directory Catalog
occurs over dial-up connections, keep incremental merging enabled.
Next to the Incremental fields option in a configuration document for a
condensed Directory Catalog, choose Yes (the default) to use
incremental merging and temporarily store field changes in duplicate
fields in aggregate documents to optimize replication performance. Or
choose No to make changes immediately in the original fields in the
aggregate documents.
Merge factor
The Merge factor option in a configuration document for a condensed
Directory Catalog is a value representing the percent of total field
changes that must occur before Domino merges the changes stored in
duplicate fields into the original fields in aggregate documents; default is
5 percent.
This field applies only when “Incremental fields” is set to Yes.
Note We don’t recommend changing this setting.
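As an added illustration (not Domino’s own Dircat code), the following Python model shows how the three performance settings above interact: how many aggregate documents a handful of source changes dirties at different packing densities, and when parked field changes are merged by the merge factor. The bucket layout of aggregate documents and the merge trigger (a percentage of all aggregated entries) are assumptions of the model, and the user names are constructed.

```python
"""Toy model of condensed Directory Catalog performance settings:
packing density, incremental fields and merge factor.

Added illustration for this page, not Domino's Dircat code. The internal
layout of aggregate documents is an assumption: each aggregate document is
modelled as a bucket of up to `packing_density` source entries, and with
incremental fields on, a change is held in a temporary (duplicate) field
until `merge_factor` percent of all entries have changed.
"""
from dataclasses import dataclass, field
from math import ceil


@dataclass
class AggregateDoc:
    """One aggregate document of the condensed Directory Catalog."""
    entries: list                                # names packed into this doc
    fields: dict = field(default_factory=dict)   # permanent (name, fld) -> value
    pending: dict = field(default_factory=dict)  # temporary duplicate fields


class CondensedCatalog:
    def __init__(self, source_entries, packing_density=255,
                 incremental_fields=True, merge_factor=5):
        if not 1 <= packing_density <= 255:
            raise ValueError("packing density must be between 1 and 255")
        self.packing_density = packing_density
        self.incremental_fields = incremental_fields
        self.merge_factor = merge_factor
        self.total_entries = len(source_entries)
        # Pack consecutive source entries into aggregate documents.
        self.docs = [
            AggregateDoc(list(source_entries[i:i + packing_density]))
            for i in range(0, len(source_entries), packing_density)
        ]
        self.index = {name: doc for doc in self.docs for name in doc.entries}
        self.pending_changes = 0
        self.merges = 0

    def merge_threshold(self):
        """Number of changed entries that triggers a merge (merge factor %)."""
        return ceil(self.total_entries * self.merge_factor / 100)

    def update(self, name, fld, value):
        """Apply a field change that arrived from a source Domino Directory."""
        doc = self.index[name]
        if not self.incremental_fields:
            doc.fields[(name, fld)] = value  # write straight into the original field
            return
        doc.pending[(name, fld)] = value     # park it in a temporary field
        self.pending_changes += 1
        if self.pending_changes >= self.merge_threshold():
            self.merge()

    def merge(self):
        """Fold temporary fields into the permanent fields and drop them."""
        for doc in self.docs:
            doc.fields.update(doc.pending)
            doc.pending.clear()
        self.pending_changes = 0
        self.merges += 1

    def lookup(self, name, fld):
        """A lookup must see a parked value before the merge has happened."""
        doc = self.index[name]
        return doc.pending.get((name, fld), doc.fields.get((name, fld)))

    def docs_touched(self, changed_names):
        """Count the aggregate documents a set of changed entries dirties
        (each such document would have to replicate) and the share of all
        aggregate documents that represents."""
        touched = {id(self.index[n]) for n in changed_names}
        return len(touched), len(touched) / len(self.docs)


if __name__ == "__main__":
    users = [f"user{i}/Acme" for i in range(1000)]  # constructed sample entries
    changed = ["user0/Acme", "user300/Acme", "user600/Acme"]
    for density in (255, 50):
        cat = CondensedCatalog(users, packing_density=density)
        n, share = cat.docs_touched(changed)
        print(f"density {density}: {len(cat.docs)} docs, "
              f"{n} dirty ({share:.0%}) after {len(changed)} changes")
```

Lowering the packing density shrinks the share of documents that three scattered changes dirty, at the cost of more (smaller) aggregate documents, which is the trade-off the text describes.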
Replicating a condensed Directory Catalog
There are many fields combined in each aggregate document in a
condensed Directory Catalog, and for this reason aggregate documents
frequently change and require replication. Schedule replication between
a server that builds a directory catalog and other servers that have
replicas to occur at least several times a day to keep up with changes in
the aggregate documents.
Notes clients should replicate a local condensed Directory Catalog with a
replica on a server either daily or weekly, depending on whether the
clients have fast connections to the server. It’s best for clients that connect
on the road over dial-up connections to wait to replicate a directory
catalog until a fast connection is available.
Give all servers that are not Dircat servers, as well as all clients, only
Reader access (the default) to a condensed Directory Catalog, to prevent
the clients/servers from being able to replicate changes to the replica on
a Dircat server.
Multiple directory catalogs
You can set up Notes clients to use more than one condensed Directory
Catalog, set up servers to use more than one Extended Directory Catalog,
and set up groups of clients or servers to use separate directory catalogs.
Setting up Notes clients to use more than one condensed Directory
Catalog
You can set up a Notes client to use more than one condensed Directory
Catalog. For example, you can set up two condensed Directory Catalogs
on Notes clients, one that sorts entries by distinguished name (first name,
then last name), and another that sorts entries by last name. Then,
type-ahead addressing can locate names regardless of whether users
begin addressing mail using first names or last names.
For more information on type-ahead addressing and directory catalogs,
see “Deciding how to sort entries in a condensed Directory Catalog.”
Setting up servers to use more than one Extended Directory Catalog
You can set up a server to use more than one Extended Directory
Catalog. For example, suppose you want all servers to use directories A,
B, C, D, and E, but to trust only directories A and B for client
authentication. You can aggregate A and B in an Extended Directory
Catalog that is trusted for authentication, and aggregate C, D, and E in
another Extended Directory Catalog that is not trusted for
authentication.
Note A server can use one condensed Directory Catalog only.
Setting up groups of clients and servers to use different directory
catalogs
You can create multiple directory catalogs, and set up groups of clients
or servers to use specific ones. For example, if user group 1 sends mail
only to users registered in directories A, B, and C, and user group 2
sends mail only to users registered in directories D and E, you can create
a client-based condensed Directory Catalog that aggregates A, B, and C
for group 1 to use, and create another condensed Directory Catalog that
aggregates D and E for group 2 to use.
You can set up servers to use specific Extended Directory Catalogs or
condensed Directory Catalogs in a similar manner.
Overview of setting up a condensed Directory Catalog
The following tables describe the databases, documents, and fields you
use to set up a condensed Directory Catalog, in the order in which you

Document/Database: Directory Profile of each Domino Directory to be
aggregated in the directory catalog
  Field(s)/Tab(s): “Domain defined by this Domino Directory” on the
  Basics tab
  Purpose: Associates groups in this directory with a domain to
  distinguish between different groups with the same name in more than
  one Domino Directory
  Used for an Extended Directory Catalog too? Yes

Document/Database: Directory Catalog Configuration document in database
created from DIRCAT5.NTF
  Field(s)/Tab(s): All fields
  Purpose: Used for directory catalog configuration
  Used for an Extended Directory Catalog too? No

Document/Database: Domino Directory Server document of Dircat server
that builds the directory catalog
  Field(s)/Tab(s): All fields in the Server Tasks - Directory Cataloger tab
  Purpose: Provides the Dircat task with the file name(s) of the local
  directory catalog(s) to aggregate and a schedule for running
  Used for an Extended Directory Catalog too? Yes

Additional configuration to set up a condensed Directory Catalog
on clients

Document/Database: Desktop policy settings document and/or Setup
policy settings document in Domino Directory in which clients are
registered
  Field(s)/Tab(s): “Mobile directory catalogs” field on the Databases tab
  Purpose: Sets up a condensed Directory Catalog automatically on Notes
  clients
  Used for an Extended Directory Catalog too? No

Additional configuration to set up a condensed Directory Catalog
on servers

Document/Database: Domino Directory Server document of each server
that uses the condensed Directory Catalog
  Field(s)/Tab(s): “Name of condensed server directory catalog on this
  server” field on Basics tab
  Purpose: Specifies the file name of a server’s local condensed
  Directory Catalog
  Used for an Extended Directory Catalog too? No

Document/Database: Directory Profile document in the Domino Directory
of the servers that use the condensed Directory Catalog
  Field(s)/Tab(s): “Directory catalog file name for domain” field on
  Basics tab
  Purpose: Specifies the file name of servers’ local condensed Directory
  Catalogs if there is no file name specified in Server documents
  Used for an Extended Directory Catalog too? No

Document/Database: Domino Directory Server document of each server
that uses the condensed Directory Catalog
  Field(s)/Tab(s): “Trust the server based condensed directory catalog
  for authentication with internet protocols” field on the Basics tab
  Purpose: Indicates whether a server should trust all user entries in
  its condensed Directory Catalog for client authentication (1)
  Used for an Extended Directory Catalog too? No

(1) Can use directory assistance instead to trust for client
authentication only some rather than all of the aggregated directories
Setting up a condensed Directory Catalog
When you finish planning a condensed Directory Catalog, follow these
steps to set it up:
Step 1: Verify that each Domino Directory has a defined domain
Each Domino Directory aggregated in a directory catalog should have a
domain defined in its Directory Profile. The Dircat task appends the
domain name to the names of groups in the directory catalog, to
distinguish between groups in different directories with the same name.
Do the following for each Domino Directory you will aggregate into the
directory catalog:
1. Open a Domino Directory.
2. Choose Actions - Edit Directory Profile.
3. Make sure the field “Domain defined by this Domino Directory”
contains a valid domain name. This field is usually filled in
automatically.
4. Click Save & Close.
Step 2: Create the condensed Directory Catalog database
1. Choose File - Database - New.
2. Next to Server, select the Dircat server you picked to aggregate the
directory catalog.
3. Next to Title, enter a title for the directory catalog, for example
Condensed Directory Catalog.
4. Next to Filename, enter a file name for the catalog, for example
CDC.NSF.
5. Select “Create full text index for searching.”
6. Click “Show advanced templates.”
7. Below “Template server,” select a server that stores the Directory
Catalog template, and then click OK.
8. Select the Directory Catalog template (DIRCAT5.NTF). Do not select
the Catalog (V6) template (CATALOG.NTF).
9. Click OK.
Note Keep the - Default - entry in the database access control list
(ACL) set to Reader.
Step 3: Create the directory catalog configuration document and run
the Dircat task:
1. In the database you created, choose Create - Configuration.
2. Complete the following fields in the Directory Catalog Configuration
document:
Note The “Directories to include” field is the only field you must
complete. In many situations you can accept the default values in the
other fields. However, read the complete descriptions of the fields
before you run the Dircat task to build the directory catalog.

Fields in Basics tab:

Directories to include
  Specifies which Domino Directories the Dircat task aggregates, and the
  order in which it processes the directories. For more information, see
  the earlier topic “Specifying the Domino Directories for the Dircat
  task to aggregate.”

Additional fields to include
  Specifies which fields from Domino Directories to aggregate. For more
  information, see the earlier topic “Choosing which fields to aggregate
  in a directory catalog.”

Sort by
  Specifies how to sort entries in the directory catalog. For more
  information, see the earlier topic “Deciding how to sort entries in a
  condensed Directory Catalog.”

Use Soundex
  Specifies whether to support Soundex lookups. For more information,
  see the earlier topic “Supporting Soundex searches of a condensed
  Directory Catalog.”

Remove duplicate users
  Specifies whether to aggregate multiple user entries with the same
  name. For more information, see the earlier topic “Removing duplicate
  user entries from a directory catalog.”

Group types
  Specifies which types of groups to aggregate. For more information,
  see the earlier topic “Choosing the types of groups to aggregate in a
  directory catalog.”

Include Mail-in Databases
  Specifies whether to aggregate Mail-In Database documents. Default is
  Yes. Consider setting to No if the directory catalog is used only on
  clients, since Notes users don’t typically send mail to Mail-In
  Databases.

Restrict aggregation to this server
  (Recommended) Specifies the one Dircat server that can aggregate this
  directory catalog. For more information, see the earlier topic
  “Allowing only one server to aggregate a directory catalog.”

Send Directory Catalog reports to:
  (Optional) Specifies the names of people to receive Directory Catalog
  status reports. For more information, see the later topic “Mailing
  Directory Catalog reports.”

Fields in Advanced tab:

Version
  Read-only field that can increment after a Domino upgrade.

Selection formula
  (Optional) Specifies a selection formula to control which documents
  are aggregated. For more information, see the earlier topic “Using a
  selection formula in a directory catalog configuration document.”

Total number of people/group/mail-in databases and resources
  Read-only field that shows the total number of entries aggregated from
  Domino Directories after the Dircat task runs.

Packing density
  Specifies the maximum number of Domino Directory entries that can be
  aggregated into each aggregate document. You usually do not have to
  change the default setting. Do not change the default setting if
  clients use local replicas of the directory catalog. For more
  information, see the earlier topic “Using performance settings in a
  condensed Directory Catalog.”

Incremental fields
  Specifies whether changed fields are stored in a temporary location.
  You usually do not have to change the default setting. Do not change
  the default setting if clients use local replicas of the directory
  catalog. For more information, see the earlier topic “Using
  performance settings in a condensed Directory Catalog.”

Merge factor
  If Incremental fields is enabled, controls the percent of total field
  changes that must occur before original fields in aggregate documents
  are updated. You usually do not have to change the default setting.
  Do not change the default setting if clients use local replicas of the
  directory catalog. For more information, see the earlier topic “Using
  performance settings in a condensed Directory Catalog.”

Replication history
  Shows the date and time when the Dircat task last replicated the
  aggregated directories. Click Clear History to do a full rebuild of
  the directory catalog. Do not click Clear History unless you
  understand Dircat rebuilds. For more information, see the later topic
  “The Dircat task.”

3. Click Save and Close.
4. Run the Dircat task to build the condensed Directory Catalog. For more
information, see the topic “Running the Dircat task.”
Step 4: Set up clients to use the condensed Directory Catalog
Use Desktop policy settings or Setup policy settings to automate setup of
a condensed Directory Catalog on Notes clients. The automated setup
creates a replica stub (an empty replica) of the directory catalog on the
clients, with a replication schedule enabled to a replica of the directory
catalog on a server that you specify. When the client replicates with a
replica of the directory catalog on a server, a full-text index is created on
the client replica after replication is complete. The automated setup
process also adds the file name of the condensed Directory Catalog to the
“Local address books” field in user preferences for mail, after the file
name of the Person Address Book.
If you don’t automate the directory catalog setup, you must create the
replica and add the file name to clients manually.
Note User Setup Profiles used in Lotus Domino Release 5 for automated
directory catalog setup continue to work in Lotus Domino 6.
To automate setup of a condensed Directory Catalog on clients:
1. (Optional) Create a replica of the condensed Directory Catalog on
other servers. Then users have more choice of servers to use when
they replicate to update their local replicas of the directory catalog.
Domino creates a full-text index automatically on the replicas you
create.
2. If you haven’t already done so, create a Desktop policy settings
document or a Setup policy settings document to use to automate setup
of the directory catalog. Make sure you understand how to set up
policies before you create a Desktop or Setup settings document.
For information, see the chapter “Using Policies.”
3. From the Domino Administrator, click the Files tab, and open a
replica of the directory catalog.
4. Choose Edit - Copy As Link - Database Link, then close the directory
catalog.
5. Open the Desktop policy settings document or Setup policy settings
document you want to use to automate setup of the condensed
Directory Catalog on clients.
6. Click the Databases tab, and then click the “Mobile directory
catalogs” field.
Setting Up Directory Catalogs 24-39
Directory Services
7. Choose Edit - Paste to paste the directory catalog database link into
the “Mobile directory catalogs” field.
8. Click Save & Close.
Note Notes users should do pull replications regularly with up-to-date
replicas of the directory catalog on servers.
Step 5: Set up servers to use the condensed Directory Catalog
Note In general it’s better for a server to use an Extended Directory
Catalog rather than a condensed Directory Catalog.
To set up a server to use a condensed Directory Catalog:
1. Create a replica of the built directory catalog on the server. Set up
replication between the server and the Dircat server so that this
server’s replica of the directory catalog is kept up-to-date.
2. If necessary, from the Domino Administrator choose File - Open
Server, to open the server you are setting up to use the directory
catalog.
3. Click the Configuration tab.
4. In the left pane, expand Server - Current Server Document.
5. Click Edit Server.
6. On the Basics tab, in the “Name of condensed directory catalog on
the server” field, enter the file name of the directory catalog replica
you created on this server. If multiple servers use the same file name
for their local replicas of the directory catalog, see the Tip below for a
quick way to specify the file name.
7. (Optional) To allow the server to use all user names aggregated in
the condensed Directory Catalog for client authentication, on the
Basics tab of the Server document select “Trust the server based
condensed directory catalog for authentication with internet
protocols.” If you don’t want to trust the entire directory catalog for
authentication, do not select this option.
Note To specify instead that the server trust for authentication
names from only one or some of the directories aggregated in the
directory catalog, in a directory assistance database used by the
server, create a Directory Assistance document for each aggregated
Domino Directory to trust that has a trusted rule enabled.
For more information, see the topic “Using a condensed Directory
Catalog for client authentication” earlier in the chapter, and also the
chapter “Setting Up Directory Assistance.”
8. Click Save & Close.
24-40 Administering the Domino System, Volume 1
9. If necessary, wait for the Domino Directory changes to replicate to
the server. Or force the replication.
10. Use the Restart Server command to restart the server so it detects the
changes to the Server document.
Tip If multiple servers use the same file name for their local replicas of
the condensed Directory Catalog, you can specify that file name once in
the Directory Profile of the domain Domino Directory, rather than
multiple times in individual Server documents. To use the Directory
Profile method, from the Domino Directory for the servers that will use
the directory catalog, choose Actions - Edit Directory Profile and add the
directory catalog file name to the “Directory catalog database name for
domain” field. Then a server that doesn’t have a directory catalog file
name entered in its Server document uses the Directory Profile to find its
local replica of the condensed Directory Catalog.
Overview of setting up an Extended Directory Catalog
The following table describes the databases, documents, and fields used
to set up an Extended Directory Catalog, in the order in which you use
them.

Document/Database: Directory Profile of each Domino Directory to be
aggregated in the Directory Catalog
Field(s)/Tab(s): “Domain defined by this Domino Directory” field on the
Basics tab
Purpose: Associates groups in the directory with a domain to distinguish
between different groups with the same name in more than one Domino
Directory
Used for a condensed Directory Catalog too? Yes

Document/Database: Extended Directory Catalog document in a database
created from PUBNAMES.NTF
Field(s)/Tab(s): All
Purpose: Used for directory catalog configuration
Used for a condensed Directory Catalog too? No

Document/Database: Server document, in the Domino Directory, of the
Dircat server that builds and updates the directory catalog
Field(s)/Tab(s): All fields in the Server Tasks - Directory Catalog tab
Purpose: Provides the Dircat task with the file name(s) of the local
directory catalog(s) to aggregate and a schedule for running
Used for a condensed Directory Catalog too? Yes

Document/Database: Directory Assistance document in the directory
assistance database used by each server that uses the directory catalog
Field(s)/Tab(s): All fields related to a Notes Directory Assistance
document
Purpose: Provides a server with the location of the Extended Directory
Catalog and indicates whether to trust the lookups for client
authentication and group authorization (1)
Used for a condensed Directory Catalog too? No

Document/Database: Server document in the Domino Directory of each
server that uses the directory catalog
Field(s)/Tab(s): “Directory Assistance database name” field on the
Basics tab
Purpose: Allows a server to use directory assistance (1)
Used for a condensed Directory Catalog too? No

(1) Unnecessary if the Extended Directory Catalog is built directly into
the primary Domino Directory.
Setting up an Extended Directory Catalog
When you finish planning an Extended Directory Catalog, follow these
steps to set it up:
Step 1: Verify that each Domino Directory has a defined domain
Each Domino Directory aggregated in a directory catalog should have a
domain defined in its Directory Profile. The Dircat task appends the
domain name to the names of groups in the directory catalog, to
distinguish between different groups with the same name in more than
one Domino Directory.
Do the following for each Domino Directory you will aggregate into the
directory catalog:
1. Open the Domino Directory.
2. Choose Actions - Edit Directory Profile.
3. Make sure the field “Domain defined by this Domino Directory”
contains a valid domain name. This field is usually filled in
automatically.
4. Click Save & Close.
Step 2: Create the Extended Directory Catalog database:
Note If you will integrate an Extended Directory Catalog into a primary
Domino Directory, skip this step.
1. Choose File - Database - New.
2. Next to Server, select the Dircat server you picked to aggregate the
directory catalog.
3. Next to Title, enter a title for the directory catalog, for example
Extended Directory Catalog.
4. Next to Filename, enter a file name for the directory catalog, for
example EDC.NSF. Do not use the file name NAMES.NSF.
5. Select “Show advanced templates.”
6. Below Template server, select a server that stores the Domino
Directory template.
7. Select the Domino Directory template (PUBNAMES.NTF).
8. Keep “Inherit future design changes” selected.
9. Click OK.
Step 3: Create the Extended Directory Catalog configuration
document and run the Dircat task:
1. Open the database you created in Step 2.
Note To integrate the Extended Directory Catalog into a primary
Domino Directory, open that primary Domino Directory instead.
2. Choose Create - Extended Directory Catalog. Complete the following
fields in the Configuration document. Read the complete descriptions
of the fields before you run the Dircat task to build the directory
catalog.

Fields in Basics tab

Directories to include: Specifies which Domino Directories the Dircat
task aggregates, and the order in which it processes the directories.
For more information, see the earlier topic “Specifying the Domino
Directories for the Dircat task to aggregate.”

Additional fields to include: Specifies which fields from Domino
Directories to aggregate. Aggregating all fields is recommended. To
aggregate all fields, leave the “Additional fields to include” field
blank by deleting all fields from it. For more information, see the
earlier topic “Choosing which fields to aggregate in a directory
catalog.”

Remove duplicate users: Specifies whether to aggregate multiple user
entries with the same name. For more information, see the earlier topic
“Removing duplicate user entries from a directory catalog.”

Group types: Specifies which types of groups to aggregate. For more
information, see the earlier topic “Choosing the types of groups to
aggregate in a directory catalog.”

Include Mail-in Databases: Specifies whether to aggregate Mail-In
Database documents. Default is Yes.

Include Servers: Specifies whether to aggregate Server documents.
Default is No.

Restrict aggregation to server: (Recommended) Specifies the one Dircat
server that can aggregate this directory catalog. For more information,
see the earlier topic “Allowing only one server to aggregate a directory
catalog.”

Send Aggregation reports to: (Optional) Specifies the names of people to
receive Directory Catalog status reports. For more information, see the
later topic “Mailing Directory Catalog reports.”

Fields in Advanced tab

Version: Read-only field that can increment after the DIRCAT5.NTF
template is upgraded. Used only for internal purposes.

Selection formula: (Optional) Specifies a selection formula to control
which documents are aggregated. Click Check Syntax to verify that the
syntax specified in a selection formula is valid. For more information,
see the earlier topic “Using a selection formula in a directory catalog
configuration document.”

Replication history: Shows the date and time when the Dircat task last
replicated the aggregated directories. Click Clear History to do a full
rebuild of the directory catalog. Do not click Clear History unless you
understand Dircat rebuilds. For more information, see the later topic
“The Dircat task.”

3. Click Save & Close to save the configuration document.
4. Run the Dircat task to build the directory catalog. For information,
see the later topic “Running the Dircat task.”
Step 4: Create at least one replica of the Extended Directory Catalog
Create at least one replica of the directory catalog on another server for
performance and failover benefits. Make sure replication occurs between
the server(s) with the replica(s) and the Dircat server, so the replicas of
the directory catalog are kept up-to-date.
Step 5: Set up servers to use the Extended Directory Catalog
To set up a server to use an Extended Directory Catalog, create a
Directory Assistance document for the Extended Directory Catalog in a
directory assistance database the server uses.
For information, see the topic “Extended Directory Catalogs and
directory assistance” earlier in the chapter, and the chapter “Setting Up
Directory Assistance.”
Note If you integrate the Extended Directory Catalog into a primary
Domino Directory, steps 4 and 5 are unnecessary.
The Dircat task
When the Dircat task runs it can do one of these things to a directory
catalog: build it, update it, partially rebuild it, or fully rebuild it. The first
time the Dircat task runs on a directory catalog it builds it. Subsequently,
the Dircat task usually updates a directory catalog, which means it checks
for changes to the contents of fields in the source Domino Directories, and
then makes the appropriate changes to the directory catalog.
Full rebuilds
If you change any of the following fields in a directory catalog
configuration document, the Dircat task must do a full rebuild of the
directory catalog to incorporate the indicated changes into the directory
catalog:
• Directories to include
• Additional fields to include
• Sort by (condensed directory catalog)
• Use Soundex (condensed directory catalog)
• Remove duplicate users
• Group types
• Include Mail-in Databases
• Include Servers (Extended Directory Catalog)
• Selection Formula
When the Dircat task does a full rebuild, it completely re-aggregates all
the configured source Domino Directories, similar to what occurs
during the initial build of the directory catalog. For example, if you add a
field to the “Additional fields to include” field to aggregate an additional
field, that field isn’t aggregated until the Dircat task does a full rebuild of
the directory catalog. A full rebuild is a much longer process than an
update. After a full rebuild, there must also be a full replication of the
directory catalog to the servers and clients that use it, which can be time
consuming, especially for replication of condensed Directory Catalogs.
When you change one of the above fields in a configuration document
for a condensed Directory Catalog, the next time the Dircat task runs, it
automatically does a full rebuild. When you change one of these fields in
a configuration document for an Extended Directory Catalog, the Dircat
task does not do a rebuild automatically. Instead, you must initiate the
rebuild by running the Dircat task with the -r switch against the
Extended Directory Catalog, or by clicking the Clear History button on
the Advanced tab of the directory catalog configuration document.
Note Dircat processing of changes to the “Directories to include” field
in a configuration document for an Extended Directory Catalog causes a
partial rebuild, rather than a full rebuild, that processes only directories
affected by the change.
Partial rebuilds
If the replica of a source Domino Directory the Dircat task uses is deleted,
and then replaced with a file operating system copy with the same
replica ID, then the Dircat task does a partial rebuild, which involves
comparing all documents in the new file system copy of the Domino
Directory to the corresponding contents in the directory catalog to look
for changes. The Dircat task also does a partial rebuild if the Fixup task
deletes corrupted documents from a source Domino Directory which are
then replaced through replication. A partial rebuild is a longer process
than an update, but takes less time than a full rebuild.
Running the Dircat task
Run the Dircat task to build a directory catalog initially. Then continue to
run the task at scheduled intervals to keep the contents of the directory
catalog synchronized with the contents of the source Domino Directories
and to keep the directory catalog synchronized with the directory catalog
configuration selections.
Always run the Dircat task on one server to build and update a
particular directory catalog. If you run the Dircat task on more than one
server against the same directory catalog, replication conflicts occur. Use
the field “Restrict aggregation to server” in a directory catalog
configuration document to ensure that the Dircat task on only one server
can process a particular directory catalog.
Running the Dircat task on schedule
Schedule the Dircat task on a Dircat server to run at regular intervals by
doing the following:
1. Make sure there is a directory catalog database with a completed
configuration document.
2. From the Domino Administrator, click the Configuration tab.
3. Expand Directories - Directory Cataloger, and choose Settings.
4. Click the Server Tasks tab, then the Directory Cataloger tab.
5. Complete these fields, and then click Save & Close:

Directory Catalog filenames: The file name(s) of the directory catalog(s)
the Dircat task should process. Separate multiple file names with
commas.

Schedule: Select Enabled.

Run Directory Catalog aggregator at: A time range or one or more
specific times to update the source directory catalog. Separate multiple
time entries with commas (,). The default is the range 08:00 AM to
10:00 PM.

Repeat interval of: A number representing the minutes between updates
that are scheduled during a time range. The default is 360 minutes
(every 6 hours). Consider reducing this interval to have the Dircat task
run every 60 or 120 minutes.

Days of week: The days of week to run the Dircat task. The default is
daily.

Running the Dircat task manually
To run the Dircat task manually on a Dircat server, issue this server
command:
load dircat dc.nsf
where dc.nsf is the file name of a local directory catalog on the server.
You can do a full rebuild of a directory catalog. Keep in mind that a full
rebuild removes and recreates all the aggregated documents so that the
first replication after the rebuild will require a full replication of the
database.
To do a full rebuild of a directory catalog, you can run the dircat task
against the directory catalog using the -r switch, for example:
load dircat dc.nsf -r
Or you can do a full rebuild by clicking the Clear History button on the
advanced tab of the directory catalog configuration document.
Pausing the Dircat task
Before you shut down a server that is in the middle of Dircat processing,
pause the Dircat task. When you pause the Dircat task, the Dircat task
finishes aggregating the directory catalog it is currently running on and
then goes idle. If you don’t pause the Dircat task before server shutdown,
the Dircat task must reaggregate the directory catalog it was processing
at the time of server shutdown from the beginning.
To pause the Dircat task, enter this server command:
Tell Dircat Pause
You can then shut down the server. Or, to resume Dircat processing,
enter this server command:
Tell Dircat Resume
Opening the configuration document for a directory catalog
To open the configuration document for a directory catalog:
1. From the Domino Administrator, open the Dircat server or another
server with a replica of the directory catalog. To open a configuration
document for a condensed Directory Catalog, make sure the Basics
tab of the Server document includes the directory catalog file name.
2. Click the Configuration tab.
3. Expand Directory in the left pane.
4. Do one of the following:
• To see the configuration document for a condensed Directory
Catalog, choose Directory Catalog.
• To see the configuration document for an Extended Directory
Catalog, choose Extended Directory Catalog.
Note Change a directory catalog configuration document on the Dircat
server that aggregates the directory catalog.
Monitoring directory catalogs
• Mailing Directory Catalog reports
• Using other directory catalog monitoring tools
Mailing Directory Catalog reports
A directory catalog stores an agent called Directory Catalog Status
Report. A server can use this agent to mail in your name a Directory
Catalog report once a week to users you specify in a directory catalog
configuration document.
A Directory Catalog report includes the following:
A database link to the replica of the directory catalog on the Dircat
server for the directory catalog, and information about this directory
catalog including its database title, server location and file path, size,
number of entries, and configuration settings; the agent derives this
information from the Dircat task.
A  database link to each source Domino Directory used the Dircat
task uses to aggregate into the directory catalog, and information
about each directory including the database title, server location and
file path, size, and date last updated in the directory catalog.
The size of the directory catalog as a percentage of the combined size
of the Domino Directories aggregated into it.
To mail Directory Catalog reports:
1. Open the configuration document for the directory catalog.
2. Specify the name(s) of users to receive the reports; separate multiple
names with commas:
• For a condensed Directory Catalog, enter the name(s) in the field
“Send Directory Catalog reports to.”
• For an Extended Directory Catalog, enter the name(s) in the field
“Send Aggregation reports to.”
3. When prompted, select the name of the server that should run this
agent to mail the reports on your behalf. You must have “Run
restricted LotusScript/Java agents” access to the server you pick.
4. Click Save & Close.
Using other directory catalog monitoring tools:
• Use the NOTES.INI setting Log_DirCat=1 to display additional
information to the server console when the Dircat task runs. This
includes when the task starts and finishes, what directory it’s
aggregating, the domain name of the directory, and how many
entries were processed. For more verbose information, including the
names of all the entries that are processed, you can set log_dircat=3.
However, this setting may slow performance and fill up the server
log file, so its use is not recommended.
• Use the Show Xdir command to show information about the
directory catalogs and other directories that a server uses.
• If you’ve configured the Dircat task to run on schedule, use the Show
Schedule command to see when the task is next scheduled to run.
Chapter 25
Setting Up Extended ACLs
This chapter describes how to set up and manage an extended access
control list (ACL), which is an access control feature available for a
Domino Directory and an Extended Directory Catalog.
Extended ACL
An extended access control list (ACL) is an optional directory
access-control feature available for a directory created from the
PUBNAMES.NTF template — a Domino Directory or an Extended
Directory Catalog. An extended ACL is tied to the database ACL, and
you access it through the Access Control List dialog box using a Notes 6
or Domino Administrator 6 client. You use an extended ACL to apply
restrictions to the overall access the database ACL allows a user — you
cannot use it to increase the access the database ACL allows. Use an
extended ACL to set access to:
• All documents with hierarchical names at a particular location in the
directory name hierarchy, for example all documents whose names
end in OU=West/O=Acme.
• All documents of a specific type, for example all Person documents.
• A specific field within a specific type of document.
• A specific document.
An extended ACL allows you to:
• Delegate your Domino administration, for example, allow a group of
administrators to manage only documents named under a particular
organizational unit.
• Set access to precise portions of the directory contents.
• Set access to documents and fields easily and globally at one source,
rather than requiring you to control access through features such as
multiple Readers and Authors fields.
• Control the access of users who access the directory through any
supported protocol: Notes (NRPC), Web (HTTP), LDAP, POP3, and
IMAP.
For information on using Extended ACLs in a multi-release environment,
see the book Upgrade Guide.
Note Server processes such as the Router task do not enforce extended
ACL restrictions. However, in the case of the Router task specifically, you
can prevent some users from sending mail to a group by editing the
Readers field for the group and including only the names of users you
want to allow to send mail to the group. When users omitted from the
Readers field attempt to send mail to the group, the Router won’t deliver
the mail.
For more information, see the chapter “Customizing the Domino Mail
System.”
How other database security features restrict extended ACL access
settings
The access set for a user in an extended ACL can never exceed the access
the database ACL, including the database ACL privileges and roles,
allows the user. For example, if the database ACL allows a user only
Reader access, you can’t use the extended ACL to allow Write access. Or
if a user is omitted from the database ACL User Creator role, you can’t
use the extended ACL to allow the user Create access to Person
documents.
Access set through a security feature in the database design also restricts
the access you can specify in an extended ACL. For example, if a Readers
field on a particular form prevents a user from reading fields in
documents created with that form, giving a user Browse access to the
form in the extended ACL does not override the access specified in the
Readers field.
Elements of an extended ACL
To set up an extended ACL, you use the “Extended Access at target”
dialog box, which you open from the database Access Control List dialog
box. The elements of an extended ACL are:
• Access settings — the allowed access
• Subjects — the users and groups whose access you control
• Targets — categories of documents or specific documents to which
access settings apply
Extended ACL access settings
There are several access settings you use to control a subject’s access to
an extended ACL target. For each access setting you choose Allow or
Deny. You can leave an access setting unchecked, but if you do, other
subjects in the extended ACL or database ACL determine whether the
subject is allowed or denied the access. It’s better to select Allow or Deny
to help ensure you get the access control results you expect.
Access settings apply to existing documents at a selected target. If the
selected target is a category of documents, access settings also apply to
documents added to the category in the future.
An extended ACL cannot restrict the access of a user with Manager
database access or an administrator with “Full Access administrators”
access to a server (controlled through the Server document in the
Domino Directory.) An extended ACL also cannot prevent a user with
Designer or Manager database access from modifying the directory
design.
Note For ease of reading, this topic uses the terms document, field, and
form. If an extended ACL will control LDAP access, apply the
LDAP-equivalent terms instead: entry, attribute, and object class.
The following access settings control access to a document as a whole:

Browse: Allows a user to access a document.
Create: Allows a user to create a document.
Delete: Allows a user to delete a document.

The following access settings control access to a field within a document:

Read: Allows a user to read a field. The user must also have Browse
access to the document.
Write: Allows a user to modify a field.

When more than one type of document uses a particular field, you
control access to the field separately for each type of document.
If you are controlling the access of Notes and Web users, be aware of the
following issues. These issues do not apply to access through other
means, such as LDAP access or Notes application access, except where
indicated.
• If you deny a Notes or Web user access to a field in a document,
when the user opens the document, the document does not show the
field and the text (TRUNCATED) shows in the tab of the document.
In addition, the user is unable to edit the document, even if the user
has write access to the fields in it.
• If you deny a Notes or Web user access to a field in a document that
a view uses to sort the document, the name of the document is blank
in the view. The user can still select the document to open it.
• To delete a document, a Notes or Web user must be able to see the
document in a view. To see a document requires Browse access to the
document.
• To create a document, a Notes or Web user or a Notes application
must have Create access to the document as well as Write access to
the fields to which the user/application will add values.
Administer access
Grant Administer access to allow someone with Designer or Editor
access in the database ACL to modify access settings at an extended ACL
target. Someone with Manager access in the database ACL can modify an
extended ACL without having Administer access. Grant Administer
access to allow someone to manage access to documents under a target
category without granting the person Manager access in the database
ACL. A user with Editor or Designer access in the database ACL does
not have the Administer access by default; you must grant the user that
access explicitly. You grant someone Administer access to a target
category and not to a specific document.
Note You can give a Domino 6 server Administer access to a selected
target category. This access enables the server to be an extended
administration server whose Administration Process manages
documents below the selected target category.
For more information, see the chapter “Setting Up the Administration
Process.”
Default access compared to form-specific access
When you set a subject’s access to a selected target, you specify default
access settings that generally apply to all types of documents at the
selected target. Then you can also set form-specific access settings that
are different than the default access settings. For example, by default you
can deny a subject Browse and Read access, but then allow Browse access
to Person and Group documents and Read access to the fields in those
documents.
Default access
You use the “Extended Access at target” dialog box to set a subject’s
default access to a target. The following figure shows default access set to
Deny all for the -Default- subject at / (root)

Form-specific access
You click Form and Field Access from the “Extended Access at target”
dialog box to use the “Form and Field access at target” dialog box to set
form-specific access settings that are exceptions to the selected subject’s
default access at the selected target. The following figure shows access
set for the Person form for the -Default- subject at / (root):
Note The Administer access setting is available only as a default access
setting, and not as a form-specific access setting.
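The restriction-only behaviour described in this chapter (an extended ACL can narrow but never widen what the database ACL grants, Manager and Full Access administrators are never restricted, Read on a field also needs Browse on the document, form-specific settings override the default settings at a target, and settings at a higher target are inherited through “This container and all descendants”) is small enough to model end to end. The following Python is an added illustration, not IBM code: the ceiling each database ACL level places on the extended-ACL actions, the rule that an unset action falls through to the next higher target, the -Default- rules and the Acme sample names are all constructed assumptions for the demonstration.

```python
"""Model of how a Domino 6 extended ACL restricts, but never widens, database ACL
access. Added illustration, not IBM code; ceilings, rules and names are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Access settings the chapter lists: three on the document, two on its fields.
DOC_ACTIONS = {"Browse", "Create", "Delete"}
FIELD_ACTIONS = {"Read", "Write"}
ALL_ACTIONS = DOC_ACTIONS | FIELD_ACTIONS

# Assumption: the most a database ACL level can grant, in extended-ACL terms.
# The chapter states only that a Reader cannot be given Write; this simplified
# table is what the demonstration uses as the upper bound.
DB_ACL_CEILING = {
    "No Access": set(),
    "Reader": {"Browse", "Read"},
    "Editor": set(ALL_ACTIONS),
    "Manager": set(ALL_ACTIONS),
}


@dataclass
class Rule:
    """Settings one subject has at one target: Allow (True), Deny (False) or unset."""
    target: str                      # "/" (root) or a name suffix such as "OU=West/O=Acme"
    descendants: bool                # True: "This container and all descendants"
    default: Dict[str, bool]         # default settings for every form at the target
    forms: Dict[str, Dict[str, bool]] = field(default_factory=dict)  # form-specific exceptions

    def depth(self) -> int:
        """Number of name components in the target; deeper targets are more specific."""
        return 0 if self.target == "/" else self.target.count("/") + 1


def container_of(name: str) -> str:
    """Container a distinguished name sits in directly ("CN=Bob/O=Acme" -> "O=Acme")."""
    return name.split("/", 1)[1] if "/" in name else "/"


def applies(rule: Rule, name: str) -> bool:
    """A target covers every document whose name ends in it; 'This container
    only' covers just the documents sitting directly in that container."""
    if rule.descendants:
        return rule.target == "/" or name.endswith("/" + rule.target)
    return container_of(name) == rule.target


def extended_setting(rules: List[Rule], name: str, form: str, action: str) -> Optional[bool]:
    """Resolve one subject's setting: the most specific applicable target wins,
    and at a target a form-specific setting overrides the default setting.
    Assumption: an action left unset falls through to the next higher target."""
    for rule in sorted((r for r in rules if applies(r, name)), key=Rule.depth, reverse=True):
        if action in rule.forms.get(form, {}):
            return rule.forms[form][action]
        if action in rule.default:
            return rule.default[action]
    return None


def effective_access(db_level: str, full_access_admin: bool, rules: List[Rule],
                     name: str, form: str, action: str) -> bool:
    """True if the subject may perform `action` on document `name` of type `form`."""
    if full_access_admin:
        return True                                  # never restricted by an extended ACL
    if action not in DB_ACL_CEILING[db_level]:
        return False                                 # extended ACL cannot exceed the database ACL
    if db_level == "Manager":
        return True                                  # Manager access is never restricted either
    if action == "Read" and not effective_access(db_level, False, rules, name, form, "Browse"):
        return False                                 # reading a field also needs Browse on the document
    setting = extended_setting(rules, name, form, action)
    return True if setting is None else setting      # unset: the database ACL grant stands


# Constructed sample for the -Default- subject: deny Browse and Read everywhere, but
# allow browsing Person and Group documents and reading their fields, while keeping
# everything named under OU=West/O=Acme hidden (a delegated, narrower restriction).
SAMPLE_RULES = [
    Rule("/", True, {"Browse": False, "Read": False},
         {"Person": {"Browse": True, "Read": True}, "Group": {"Browse": True, "Read": True}}),
    Rule("OU=West/O=Acme", True, {"Browse": False}),
]


def demo() -> Dict[str, bool]:
    """Effective access for a few constructed cases under SAMPLE_RULES."""
    east, west, srv = "CN=Alice/OU=East/O=Acme", "CN=Bob/OU=West/O=Acme", "CN=Mail1/O=Acme"
    return {
        "reader browses East person": effective_access("Reader", False, SAMPLE_RULES, east, "Person", "Browse"),
        "reader reads East person field": effective_access("Reader", False, SAMPLE_RULES, east, "Person", "Read"),
        "reader writes East person field": effective_access("Reader", False, SAMPLE_RULES, east, "Person", "Write"),
        "reader browses West person": effective_access("Reader", False, SAMPLE_RULES, west, "Person", "Browse"),
        "reader reads West person field": effective_access("Reader", False, SAMPLE_RULES, west, "Person", "Read"),
        "reader browses server doc": effective_access("Reader", False, SAMPLE_RULES, srv, "Server", "Browse"),
        "editor deletes East person": effective_access("Editor", False, SAMPLE_RULES, east, "Person", "Delete"),
        "manager browses West person": effective_access("Manager", False, SAMPLE_RULES, west, "Person", "Browse"),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case}: {'Allow' if allowed else 'Deny'}")
```

Two of the cases are worth a closer look. The West Person entry is denied Read even though `extended_setting` returns Allow for Read there (inherited from the root Person exception): the Browse denial at the more specific target wins, and without Browse the field cannot be read. The Editor’s Delete is allowed although no rule mentions Delete at all, which is exactly the “unchecked setting lets the database ACL decide” behaviour the chapter warns about; selecting Allow or Deny explicitly avoids that surprise.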
Displaying LDAP attributes and object classes when setting form-specific
access
Use the Schema option in the “Form and Field access at target” dialog
box to control whether the dialog box shows the directory contents in
terms of LDAP object classes and attributes or in terms of Domino forms
and fields. Domino is selected by default, meaning the dialog box shows
Domino forms and fields. To show LDAP object classes and attributes,
select LDAP next to the Schema option.
When you set a subject’s access to a form or field, the access setting
automatically applies to the corresponding LDAP object class or
attribute, if there is one. Similarly, if you set a subject’s access to an object
class or attribute, the access also applies to the corresponding form or
field if there is one.
For example, if you deny a subject Read access to the InternetAddress
field of a Person form when Domino is selected as the Schema option, the
subject is also denied LDAP Read access to the mail attribute of the
dominoPerson object class that shows when LDAP is selected as the
Schema option. If the Schema option is set to LDAP and you deny a
subject Read access to the mail attribute of the dominoPerson object class,
the subject is also denied Read access to the InternetAddress field of a
Person form that shows when Domino is selected as the Schema option.
Some object classes and attributes that the “Form and Field access at
target” dialog box displays when you select LDAP as the Schema option
do not correspond to forms and fields and are useful only for controlling
LDAP access. For example, the object class residentialPerson does not
correspond to a form. Similarly, some forms and fields that the dialog
box displays when you select Domino as the Schema option do not
correspond to LDAP object classes and attributes and are useful only for
controlling Notes or Web user access. For example, the form
DirectoryProfile does not correspond to an object class.
Note Domino uses the Domino LDAP Schema database
(SCHEMA.NSF) to generate the LDAP object classes and attributes that
display when you choose LDAP for the Schema option in the dialog box.
So to use the LDAP schema option, the directory for which you are
setting access must be located on a server that runs the LDAP service. If
you extend the schema, you can use the extended ACL to control access
to the new object classes and attributes.
For more information on the LDAP schema, see the chapter “Managing
the LDAP Schema.”
Precedence rules used to resolve access conflicts at a target
When you select a target in the “Extended Access at target” dialog box,
by default the dialog box shows all the subjects in the extended ACL
with access settings to the target. Included are subjects whose access is
set at and inherited from a higher target through the scope “This
container and all descendants.” (You can select “Show Modified” to see
only the subjects with access set directly at the target.)
More than one subject that is shown at a selected target can apply to a
particular user. For example, a user might be a member of two groups,
both of which have access set to the target O=Acme. The following
precedence rules are applied to determine the access a user has to a
target when there are multiple subjects that apply to the user at the
target.
Note Even after precedence rules are applied, a user’s access can never
exceed the access the database ACL allows the user.
1. Access set for a subject with the scope “This container only” takes
precedence over access set for a subject with the scope “This
container and all descendants” regardless of subject type. For
example, the access set for the subject */Acme and the scope “This
container only” takes precedence over the access set for the subject
Kathy Brown/Acme and the scope “This container and all
descendants.”
2. Among subjects with the same scope, access for a more-specific type
of subject takes precedence over access for a less-specific type of
subject. The order of subject specificity, from most specific to least
specific, is:
a. Individual user or server
b. Self
c. Group
d. A wildcard, for example */Acme
e. -Default-
For example, the access set for Kathy Brown/Acme with the scope
“This container and all descendants” takes precedence over the
access set for the group Admins/Acme with the scope “This
container and all descendants”.
3. When evaluating more than one group subject or more than one
wildcard subject, the access settings of the subjects are combined,
with Deny access taking precedence over Allow access. For example,
if the group Admins/Acme denies Write access and allows all other
access, and the group Managers/Acme denies Create access and
allows all other access, users that are members of both groups are
denied Write and Create access and allowed all other access.
Tip To determine a user’s effective access to an extended ACL target
after extended access settings and database access are evaluated, select
the target in the “Extended Access at target” dialog box, then click
Effective Access.
For more information on using the Effective Access tool, see the topic
“Showing a subject’s effective access to an extended ACL target” later in
the chapter.
Examples of the precedence rules (the combined access can never exceed the access granted in the database ACL):

Rule 1 applied
Subject 1: */Acme; scope “This container and all descendants”; Allow: Read, Browse; Deny: Create, Delete, Write
Subject 2: */Acme; scope “This container only”; Allow: Create, Delete, Write; Deny: Read, Browse
Combined access: Allow: Create, Delete, Write; Deny: Read, Browse

Rule 2 applied
Subject 1: Admins/Acme group; scope “This container and all descendants”; Allow: All
Subject 2: */Acme; scope “This container and all descendants”; Deny: All
Combined access: Allow: All

Rule 3 applied
Subject 1: Admins/Acme group; scope “This container and all descendants”; Allow: Read, Browse; Deny: Create, Delete, Write
Subject 2: Managers/Acme group; scope “This container and all descendants”; Allow: Create, Delete, Write; Deny: Read, Browse
Combined access: Deny: All
Extended ACL subject
An extended ACL subject is a name for which you are setting access to a
selected extended ACL target. To add a subject to an extended ACL, you
select the target and then click Add below the People, Servers, Groups
box in the “Extended Access at target” dialog box.
The following figure shows an example of the -Default- subject selected
at the / (root) target.
You can specify any of the following as subjects in an extended ACL:
• Individual user or server
• Group
• Wildcard that represents documents at a specific location in the directory name hierarchy, for example, */West/Acme
• Anonymous
• -Default-
• Self
With the exception of Self, these are the same types of entries that are
acceptable in a database ACL.
For more information on the database ACL, see the chapter “Controlling
User Access to Domino Databases.”
You specify more than one subject at a target to give each subject its own
access to the target. For example, the group Admins/West/Acme and the
group Admins/East/Acme might each have access set at the / (root)
target. You can also add the same subject at multiple targets, to give the
subject different access to each target.
If the database ACL and an extended ACL both list a particular subject,
Administration Process requests can rename or delete the subject in the
extended ACL, as well as in the database ACL.
Anonymous as subject
As in the database ACL, the subject Anonymous controls the access of all
users and servers that access a server without first authenticating.
Anonymous access applies to access via all the supported protocols.
Self as a subject
The subject Self is available only for an extended ACL and not the
database ACL. At a target category only, you can use Self to define the
access that all users have to their own documents that fall under the
target category. A user’s own document is one with a distinguished
name that matches a distinguished name presented by the user. Use Self
so that you can use one subject to control all users’ access to their own
documents at a target category.
-Default- as a subject
Adding and setting access for the -Default- subject at a target is optional.
If you set access for -Default- at a target, all users and servers whose
access is not determined by another subject at the selected target get the
access set for -Default-. If you add the -Default- subject to a target and
you want some users to have different access to the target than the
-Default- access, add a subject or subjects that represent those users to the
target with the desired access.
Lotus Domino 6 servers as subjects
In general an extended ACL can’t restrict the access of a Domino 6
server. The exception is granting a Domino 6 server Administer access to
a target category that represents a particular location in the directory
name hierarchy. Doing so allows the server to be an extended
administration server that can carry out Administration Process requests
for documents under the selected target category.
For more information, see the chapter “Setting Up the Administration
Process.”
Advantages to using subjects that represent a group of users
When possible use subjects that represent groups of users — -Default-,
Self, groups, wildcard subjects — rather than use individual users as
subjects. For example, set access for the group Admins/Acme, rather
than setting access for Acme administrators individually. When you use
subjects that represent groups of users you minimize the number of
subjects in the extended ACL to add and manage and you optimize
access-checking performance.
Extended ACL target
You select a target to specify either a category of documents or a specific
document to which you are controlling a subject’s access. Selecting a
category of documents as a target is recommended because you can set
access to multiple documents at once and because the access applies to
documents added to the category in the future. You use the Target box in
the “Extended Access at target” dialog box to select a target. You can set
access for more than one subject at a target.
The following figure shows the / (root) target selected in the “Extended
Access at target” dialog box. By default you can see only the document
categories in the Target box and not individual documents. Deselect
“Show only containers” to see the documents below the categories.
How the Target box categorizes documents
The Target box categorizes documents by their names. The top category
in the Target box is / (root). Access set at / (root) applies by default to all
the documents in the directory because documents subcategorized below
/ (root) inherit the access set at / (root) by default. The Target box
subcategorizes documents that have hierarchical names defined by a
FullName, ListName, or ServerName field below / (root) by their
location in the directory name hierarchy. For example, the Target box
categorizes Person documents containing the names CN=Alan
Jones/O=Acme, CN=Derek Malone/OU=East/O=Acme, and CN=Karen
Lessing/OU=West/O=Acme as follows:
/ (root)
  O=Acme
    Alan Jones/Acme
    OU=East
      Derek Malone/East/Acme
    OU=West
      Karen Lessing/West/Acme
For a document to be categorized by name hierarchy in a subcategory
below / (root), its name must contain more than one part. For example,
a Person document whose name is defined by a certifier is subcategorized
in a category below / (root). In addition, the name of the document must
be stored in a field called FullName, ListName, or ServerName. The
ListName field stores the names of Domino Group documents, the
ServerName field stores the names of Domino Server documents, and the
FullName field stores the names of other types of documents, for example
Domino Person, Certifier, and Policy documents.
A document with a flat name (a name with only one part), or a
document with a name specified in a field other than FullName,
ListName, or ServerName, is categorized directly under / (root). The
Target box does not show the documents under / (root) that are named
through a field other than FullName, ListName, or ServerName. You can
set access to these types of documents through the / (root) target, but
cannot set access to an individual one. For example, the names of
Holiday and Connection documents are not controlled through a
FullName, ListName, or ServerName field, so you cannot see or select
these documents under / (root). However, when you set access at /
(root), the access applies to the documents.
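To make the categorization rule concrete, here is an added Python example (not IBM’s code and not part of Domino) that reproduces how the Target box would arrange a handful of constructed directory documents. It reads the name from the FullName, ListName, or ServerName field, assumes names are stored in canonical form such as CN=Derek Malone/OU=East/O=Acme, places flat names directly under / (root), and skips documents named through any other field, as described above. The documents-before-subcontainers ordering within a category and the two-space indentation are this example’s own conventions.

```python
"""Added example, not IBM's code: a model of how the Target box categorizes
Domino Directory documents by the hierarchical name in their FullName,
ListName or ServerName field. Canonical names ("CN=x/OU=y/O=z") are assumed."""
from typing import Dict, List, Optional, Tuple

NAME_FIELDS = ("FullName", "ListName", "ServerName")


def parse_name(name: str) -> List[Tuple[Optional[str], str]]:
    """Split a canonical name into (type, value) pairs; a flat name is one untyped part."""
    parts = []
    for component in name.split("/"):
        if "=" in component:
            kind, value = component.split("=", 1)
            parts.append((kind.strip(), value.strip()))
        else:
            parts.append((None, component.strip()))
    return parts


def abbreviated(name: str) -> str:
    """"CN=Derek Malone/OU=East/O=Acme" -> "Derek Malone/East/Acme"."""
    return "/".join(value for _, value in parse_name(name))


def categorize(documents: List[Dict[str, str]]) -> dict:
    """Build the category tree under / (root): containers map to sub-dicts,
    documents map to None."""
    tree: dict = {}
    for doc in documents:
        name = next((doc[f] for f in NAME_FIELDS if f in doc), None)
        if name is None:
            # Named through some other field (Holiday, Connection, ...): governed by
            # the / (root) target but never shown in the Target box.
            continue
        parts = parse_name(name)
        if len(parts) < 2:
            tree[abbreviated(name)] = None      # flat name: directly under / (root)
            continue
        node = tree
        # Containers are the components after the leaf, from the organization down.
        for kind, value in reversed(parts[1:]):
            node = node.setdefault(f"{kind}={value}" if kind else value, {})
        node[abbreviated(name)] = None
    return tree


def render(tree: dict, indent: int = 1) -> List[str]:
    """Indented listing; documents first, then sub-containers (this example's ordering)."""
    lines = []
    for key in sorted(tree, key=lambda k: (tree[k] is not None, k)):
        lines.append("  " * indent + key)
        if tree[key]:
            lines.extend(render(tree[key], indent + 1))
    return lines


def target_tree_lines(documents: List[Dict[str, str]]) -> List[str]:
    return ["/ (root)"] + render(categorize(documents))


SAMPLE_DOCUMENTS = [  # constructed sample documents
    {"Form": "Person", "FullName": "CN=Alan Jones/O=Acme"},
    {"Form": "Person", "FullName": "CN=Derek Malone/OU=East/O=Acme"},
    {"Form": "Person", "FullName": "CN=Karen Lessing/OU=West/O=Acme"},
    {"Form": "Server", "ServerName": "CN=Mail01/O=Acme"},
    {"Form": "Group", "ListName": "CN=Admins/OU=West/O=Acme"},   # hierarchical group name
    {"Form": "Group", "ListName": "LocalDomainAdmins"},          # flat group name
    {"Form": "Connection", "Destination": "CN=Mail02/O=Acme"},   # not a name field
]

if __name__ == "__main__":
    print("\n".join(target_tree_lines(SAMPLE_DOCUMENTS)))
```

Running the block lists LocalDomainAdmins directly under / (root), the two Person and one Server document under O=Acme, and the remaining documents under OU=East and OU=West; the Connection document does not appear at all, although access set at / (root) would still apply to it.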
Advantages to using categories rather than single documents as targets
You can select a specific document as a target at which to set a subject’s
access; however, selecting a target category is recommended instead.
When you select a target category, by default you are automatically
setting access to all the documents immediately below the selected
category as well as to documents below subcategories of the selected
category so you minimize the number of times the subject appears in the
extended ACL. For example, by setting a subject’s access at the target
O=Acme, the access by default automatically applies to all documents
below O=Acme and any organizational units below it, such as OU=West
and OU=East.
Domino can verify a subject’s directory access more quickly when there
are fewer occurrences of the subject in an extended ACL than when there
are many. In addition, when you use categories as targets it’s easier to
manage the extended ACL because there are fewer subjects to track.
To take full advantage of using categories as targets, you may want to
specify hierarchical names for documents that have flat names in a
FullName, ListName, or ServerName field so the Target box can
subcategorize them under an appropriate location in the directory name
hierarchy. For example, Group documents often have flat names, and in
this case the Target box categorizes them directly below / (root), so you
may want to change the names of such Group documents to hierarchical.
The following documents usually have hierarchical names defined in a
FullName, ListName, or ServerName field and are therefore
subcategorized below / (root) at the appropriate location in the
directory name hierarchy:
• Person documents
• Server documents
• Certifier documents
• Policy documents
Target scope
When you select a category as a target in the Target box, you use the
Scope of Target box to specify whether a subject’s access settings apply
only to documents at that category or also to documents under
subcategories as well. Keep “This container and all descendants” (the
default) selected to apply the subject’s access settings to documents
under the selected target category as well as to documents under
subcategories. Select “This container only” to apply the subject’s access
settings to documents under the selected target category only.
The following figure shows the target scope “This container and all
descendants” selected for the subject Admins/Acme at the / (root) target.
You select a scope for each subject with access at a target category.
Example of using “This container and all descendants” as a target scope
Suppose you want users who access the database through the -Default- entry
to see any Person and Group document in the directory but no
other type of document. You could do the following:
• Give the -Default- subject Reader access in the database ACL.
• In the extended ACL, add -Default- as the subject at / (root) and deny it all access by default, but allow it Browse and Read access to the Person and Group forms. Keep “This container and all descendants” as the scope to apply the access settings to the entire directory.
Example of using “This container only” as a target scope
Suppose the names of documents in your company fall under the
organization O=Acme or one of the organizational units OU=East or
OU=West. You want to deny the group Admins/Acme all access to
documents in the directory except documents at O=Acme. You want to
allow the group all access to documents at O=Acme. You could give the
group Admins/Acme Editor access in the database ACL with all
database ACL privileges and administration roles. At / (root) deny
Admins/Acme all access and select “This container and all descendants.”
At O=Acme allow Admins/Acme all access and select “This container
only” as the scope. The Deny access set for Admins/Acme at / (root) continues to
apply to OU=East and OU=West.
Adding a subject twice to a target category with different target scopes
Although not typically done, you can add one subject two times to one
target category with different access settings. Add the subject to the
target category and specify access for the scope “This container only.”
Add the subject again to the same target category and specify access for
the scope “This container and all descendants.” Using this approach, you
can use one subject entry to set a subject’s access to multiple target
subcategories, rather than setting the subject’s access separately at each
subcategory.
For example, suppose you want to allow members of the group
Admins/Acme full access to documents categorized directly under
O=Acme. You also want to allow members of the group to browse and
read documents categorized under OU=East and OU=West, but want to
prevent them from creating, deleting, writing, and setting extended
access settings for these documents. You want to deny the group access
to all other documents. To accomplish this you could do the following:
• Add Admins/Acme to the database ACL with Editor access and all privileges and administration roles.
• Add Admins/Acme as a subject at / (root), deny all access and select the scope “This container and all descendants.”
• Add Admins/Acme to O=Acme, allow all access and select the scope “This container only.”
• Add Admins/Acme to O=Acme again, allow only Browse and Read access and deny all other access and select the scope “This container and all descendants.”
Assuming there are no other subjects in the extended ACL that control
access for the members of the Admins/Acme group, precedence rules
determine that the access set for Admins/Acme at O=Acme with the
scope “This container only” controls Admins/Acme’s access to the
documents directly under O=Acme. The access set for Admins/Acme at
O=Acme with the scope “This container and all descendants” controls
Admins/Acme’s access to the documents subcategorized under OU=East
and OU=West below O=Acme.
The following figure illustrates these access settings.
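The precedence rules and their example table earlier in this chapter, together with the Admins/Acme double-scope example just described, can be checked against a small model. The following Python is an added example, not IBM’s code and not part of the Domino product: it encodes target inheritance, the two target scopes, the three precedence rules and the database ACL ceiling for a subject’s default access. The path notation for targets (“/”, “/O=Acme”, “/O=Acme/OU=East”), the `Entry` and `User` types, the `own_document` flag used to model Self, and the sample entries are this example’s own assumptions; form-specific access and the Anonymous subject are not modelled, and the database ACL is represented only as the set of rights it would allow. The constructed entries reproduce the three rows of the precedence table and the Admins/Acme example above.

```python
"""Added example, not IBM's code: a model of how a Domino 6 extended ACL resolves a
user's access at a target (target inheritance, the two scopes, the three precedence
rules, the database ACL ceiling). Target paths like "/O=Acme/OU=East" are this
example's own notation; form-specific access and Anonymous are not modelled."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

RIGHTS = frozenset({"Browse", "Create", "Delete", "Read", "Write", "Administer"})
ALL_DESCENDANTS = "This container and all descendants"
THIS_ONLY = "This container only"

@dataclass(frozen=True)
class Entry:
    target: str       # "/" (root), "/O=Acme", "/O=Acme/OU=East"  (example notation)
    subject: str      # "-Default-", "Self", "*/Acme", "Admins/Acme", "Kathy Brown/Acme"
    scope: str        # ALL_DESCENDANTS or THIS_ONLY
    allow: FrozenSet[str] = frozenset()
    deny: FrozenSet[str] = frozenset()

@dataclass(frozen=True)
class User:
    name: str                             # distinguished name, e.g. "Kathy Brown/Acme"
    groups: FrozenSet[str] = frozenset()  # group subjects the user belongs to

def depth(target: str) -> int:
    """Number of name components below / (root)."""
    return 0 if target == "/" else target.count("/")

def is_ancestor(ancestor: str, target: str) -> bool:
    return ancestor != target and (ancestor == "/" or target.startswith(ancestor + "/"))

def subject_rank(subject: str, user: User, own_document: bool) -> Optional[int]:
    """Rule 2 specificity: 0 individual, 1 Self, 2 group, 3 wildcard, 4 -Default-;
    None when the subject does not apply to this user."""
    if subject == "-Default-":
        return 4
    if subject == "Self":
        return 1 if own_document else None
    if subject.startswith("*/"):  # "*/Acme" matches every name ending in "/Acme"
        return 3 if user.name.endswith(subject[1:]) else None
    if subject in user.groups:
        return 2
    return 0 if subject == user.name else None

def effective_access(acl: List[Entry], user: User, target: str, own_document: bool = False,
                     db_acl_allows: FrozenSet[str] = RIGHTS) -> Optional[FrozenSet[str]]:
    """Rights the extended ACL allows `user` at `target`, capped by what the database ACL
    allows (passed in as a set of rights). None means no extended ACL subject applies."""
    # In force at the target: entries set directly at it, plus entries inherited from an
    # ancestor whose scope is "This container and all descendants".
    in_force = [e for e in acl if e.target == target
                or (e.scope == ALL_DESCENDANTS and is_ancestor(e.target, target))]
    # A subject added at a lower target overrides the same subject inherited from higher
    # up, so keep only each subject's entries set at its deepest target.
    deepest = {}
    for e in in_force:
        deepest[e.subject] = max(deepest.get(e.subject, -1), depth(e.target))
    ranked = [(subject_rank(e.subject, user, own_document), e)
              for e in in_force if depth(e.target) == deepest[e.subject]]
    ranked = [(rank, e) for rank, e in ranked if rank is not None]
    if not ranked:
        return None
    # Rule 1: "This container only" settings beat "all descendants" settings.
    this_only = [(rank, e) for rank, e in ranked if e.scope == THIS_ONLY]
    if this_only:
        ranked = this_only
    # Rule 2: the most specific subject type wins.
    best = min(rank for rank, _ in ranked)
    winners = [e for rank, e in ranked if rank == best]
    # Rule 3: several groups (or several wildcards) combine, Deny beating Allow.
    allowed = frozenset().union(*(e.allow for e in winners))
    denied = frozenset().union(*(e.deny for e in winners))
    # The database ACL is a ceiling the extended ACL can never raise.
    return (allowed - denied) & db_acl_allows

# Constructed samples: the three rows of the precedence table, all set at O=Acme ...
RW = frozenset({"Create", "Delete", "Write"})
RB = frozenset({"Read", "Browse"})
ROW1 = [Entry("/O=Acme", "*/Acme", ALL_DESCENDANTS, RB, RW),
        Entry("/O=Acme", "*/Acme", THIS_ONLY, RW, RB)]
ROW2 = [Entry("/O=Acme", "Admins/Acme", ALL_DESCENDANTS, RIGHTS, frozenset()),
        Entry("/O=Acme", "*/Acme", ALL_DESCENDANTS, frozenset(), RIGHTS)]
ROW3 = [Entry("/O=Acme", "Admins/Acme", ALL_DESCENDANTS, RB, RW),
        Entry("/O=Acme", "Managers/Acme", ALL_DESCENDANTS, RW, RB)]
# ... and Admins/Acme added twice at O=Acme with different scopes.
DOUBLE_SCOPE_ACL = [
    Entry("/", "Admins/Acme", ALL_DESCENDANTS, frozenset(), RIGHTS),
    Entry("/O=Acme", "Admins/Acme", THIS_ONLY, RIGHTS, frozenset()),
    Entry("/O=Acme", "Admins/Acme", ALL_DESCENDANTS, RB, RIGHTS - RB),
]
KATHY = User("Kathy Brown/Acme", frozenset({"Admins/Acme"}))
KATHY_BOTH = User("Kathy Brown/Acme", frozenset({"Admins/Acme", "Managers/Acme"}))

if __name__ == "__main__":
    for label, acl, user in (("Rule 1", ROW1, KATHY), ("Rule 2", ROW2, KATHY),
                             ("Rule 3", ROW3, KATHY_BOTH)):
        print(label, sorted(effective_access(acl, user, "/O=Acme")))
    for t in ("/", "/O=Acme", "/O=Acme/OU=East"):
        print(t, sorted(effective_access(DOUBLE_SCOPE_ACL, KATHY, t)))
```

For the double-scope entries the model yields every right at O=Acme (the “This container only” entry wins under Rule 1), only Browse and Read at OU=East (the “all descendants” entry set at O=Acme overrides the one inherited from / (root)), and nothing at / (root) itself, which is the behaviour the paragraph above describes. Passing a smaller `db_acl_allows` set shows the database ACL acting as a ceiling.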
Extended ACL examples
• Example 1
• Example 2
Extended ACL: example 1
The Acme company uses this name hierarchy within its Domino
Directory: the organization O=Acme, and two organizational units below
it, OU=Sales and OU=Engineering. The Acme company wants to prevent
users registered under OU=Sales from accessing documents within
OU=Engineering, and wants to prevent users registered under
OU=Engineering from accessing documents within OU=Sales. Acme
does the following to accomplish these security goals:
1. Sets the -Default- access in the Domino Directory database ACL to
Reader.
2. Denies the subject */Sales/Acme all access to the target
OU=Engineering.
3. Denies the subject */Engineering/Acme all access to the target
OU=Sales.
Extended ACL: example 2
The Acme company uses one Domino domain. The directory name
hierarchy within the Domino Directory consists of the organization
O=Acme, and two organizational units below that, OU=West and
OU=East. The Acme Domino Directory includes three groups of
administrators:
• The Admins/Acme group, responsible for managing documents throughout the directory.
• The Admins/West/Acme group, responsible for managing documents that fall under OU=West and that have names ending in West/Acme.
• The Admins/East/Acme group, responsible for managing documents that fall under OU=East and that have names ending in East/Acme.
Security goals
To establish security, Acme has these goals:
1. Allow members of the Admins/Acme group to:
• Have full access to all documents in the directory
• Manage access at any target in the extended ACL
2. Allow members of the Admins/West/Acme group to:
• Read all fields in all documents in the directory
• Create, modify, and delete only documents that fall under OU=West
• Manage the extended ACL at the OU=West target
3. Allow members of the Admins/East/Acme group to:
• Read all fields in all documents in the directory
• Create, modify, and delete only documents that fall under OU=East
• Manage the extended ACL for the OU=East target.
4. Allow authenticated users not in any of the administration groups to
browse and read only Person, Group, and Resource documents
throughout the database but not other documents, and prevent these
users from creating, deleting, and modifying any documents.
5. Prevent anonymous users from accessing the directory.
How Acme achieves its goals
The following tables describe how Acme sets up the Domino Directory
database ACL and the extended ACL to accomplish its security goals.
Database ACL

Subject: -Default-
Access: Reader
Description: Required to allow non-administrators to browse and read Person, Group, and Resource documents

Subject: Admins/Acme group
Access: Manager; Delete; all administration roles
Description: Allows members of Admins/Acme to manage all documents and the entire extended ACL — no extended ACL settings needed

Subject: Admins/West/Acme group
Access: Editor; Create, Delete; all administration roles
Description: Required to allow members of Admins/West/Acme to create, modify, delete, and manage the extended ACL for West/Acme documents

Subject: Admins/East/Acme group
Access: Editor; Create, Delete; all administration roles
Description: Required to allow members of Admins/East/Acme to create, modify, delete, and manage the extended ACL for East/Acme documents

Subject: Anonymous
Access: No Access
Description: Prevents anonymous users from accessing any information in the directory. No extended ACL settings needed

/ (root) target in extended ACL

Subject: -Default-
Access: Default: Deny all. Person, Group, and Resource forms: Allow Browse, Read; Deny Create, Delete, Write, Administer
This container and all descendants? Yes
Description: Allows non-administrators to read only Person, Group, and Resource documents

Subject: Admins/West/Acme group
Access: Default: Allow Browse, Read; Deny Create, Delete, Write, Administer
This container and all descendants? Yes
Description: Prevents members of the Admins/West/Acme group from modifying documents at the / (root) and O=Acme targets

Subject: Admins/East/Acme group
Access: Default: Allow Browse, Read; Deny Create, Delete, Write, Administer
This container and all descendants? Yes
Description: Prevents members of the Admins/East/Acme group from modifying documents at the / (root) and O=Acme targets

OU=West target in extended ACL

Subject: Admins/West/Acme group
Access: Default: Allow all
This container and all descendants? Yes
Description: Allows members of Admins/West/Acme to have full access to documents under OU=West

OU=East target in extended ACL

Subject: Admins/East/Acme group
Access: Default: Allow all
This container and all descendants? Yes
Description: Allows members of Admins/East/Acme to have full access to documents under OU=East
Extended ACL guidelines
Plan an extended ACL on paper before you implement it. After you have
planned the extended ACL on paper, test it in a non-production
environment before deploying it. When planning an extended ACL use a
sparse access control model that minimizes the number of extended ACL
subjects you specify:
• Use categories as targets — / (root) or subcategories below / (root) — rather than individual documents. To subcategorize documents below / (root), you may have to give some documents, for example Group documents, hierarchical names manually.
• As a general rule, use the default target scope “This container and all descendants” to extend subjects’ access to target subcategories.
• Use names that represent groups of users — Self, groups, wildcard subjects, -Default- — as subjects rather than the names of individuals.
When you use a sparse access control model Domino can check extended
ACL access settings quickly and you can manage extended ACL access
settings easily.
Setting up and managing an extended ACL
Follow these procedures to set up and manage an extended ACL:
• Enable extended access
• Set a subject’s access to a target
• Modify or remove a subject’s access setting at a target
• Show a subject’s effective access to a target
• Use the history log to monitor changes to an extended ACL
• Disable extended access
For information on troubleshooting extended ACLs, see the chapter
“Troubleshooting.”
Enabling extended access
To set up an extended ACL for a Domino Directory or Extended
Directory Catalog, you must enable extended access for the database.
Before you enable extended access, make sure you understand the
implications of doing so:
• Enabling extended access may take a few minutes on a very large directory database. The Notes or Domino Administrator client is unavailable for other purposes during this process.
• To ensure that the database replicates properly, extended access requires use of the advanced database ACL option “Enforce a consistent Access Control List across all replicas.”
• After you enable extended access, you can’t make changes to the database on a server running an earlier release because the changes can’t replicate to a Domino 6 server. If you enable extended access, you must make directory changes only to a replica on a Domino 6 server.
• Enabling extended access enforces the database ACL, extended ACL, and Readers and Authors fields for Notes clients looking up names in the directory. For example, if you enable extended access, then Notes users who are addressing mail must have at least Reader access in the database ACL to use type-ahead addressing or F9 address resolution against the directory. Or a Notes application that calls NAMELookup functions to search the directory must have the necessary database access to carry out the operation.
• Enabling extended access enforces the database ACL and extended ACL for anonymous LDAP searches of the directory. Enabling extended access removes the anonymous LDAP access settings from the domain Configuration Settings document, and they remain removed unless you disable extended access at a later point. By default the directory database ACL gives Anonymous users No Access, so if you want LDAP users to search the directory anonymously, you must change the access for the Anonymous entry if you enable extended access.
For more information on converting anonymous LDAP access settings in
a domain Configuration Settings document to database ACL and
extended ACL settings, see the chapter “Setting Up the LDAP Service.”
Caution Do not enable extended access if you have any uncertainty
about doing so.
To enable extended access for a Domino Directory or Extended Directory
Catalog:
1. Open the database, and choose File - Database - Access Control.
2. Make sure you have Manager access in the database ACL.
3. Click Advanced, and then select “Enable Extended Access.”
4. At this prompt, click Yes to continue:
“Enabling extended access control enforces additional security
checking. See Domino Administrator Help for more details. Do you
want to continue?”
5. At this prompt, which appears only if the advanced database ACL
option “Enforce a consistent Access Control List across all replicas” is
not yet enabled, click Yes:
“Consistent access control must be enabled first. Do you want to
enable it now?”
6. At this prompt, click OK:
“If more than one administrator manages extended access control
for this database, enable document locking on the database to avoid
conflicts.”
7. Click OK in the Access Control List dialog box.
8. At this prompt, click OK:
“Enabling extended access control restrictions. This may take a
while.”
9. Look at the status bar on the client to see the status of this process.
Setting a subject’s access to an extended ACL target
To set a subject’s access to an extended ACL target in a Domino
Directory or an Extended Directory Catalog, follow these steps:
1. Review the guidelines for setting up an extended ACL.
2. Open the Domino Directory or Extended Directory Catalog.
3. Make sure you have enabled extended access for the directory.
4. If more than one administrator manages the extended ACL, enable
the advanced database property “Allow document locking.”
Document-locking ensures that only one administrator can modify
the extended ACL at a time.
a. Choose File - Database - Properties
b. Select “Allow document locking.”
For more information on locking documents, see Notes 6 Help.
5. Choose File - Database - Access Control to open the Access Control
List dialog box. Make sure you have one of the following:
• Manager access.
• Editor or Designer access and the Administer extended ACL access to the target for which you are setting the subject’s access. Either a database manager or someone with Administer access to the target must give you this access.
6. With Basics selected, click Extended Access.
7. In the Target box at the left of the “Extended Access at target” dialog
box, expand target categories as necessary and select the target.
For information, see the topic “Extended ACL target” earlier in the
chapter.
Tip Below the Target box, deselect “Show only containers” to show
the documents under each target category. Select the option to show
only the target categories. You can choose a single document as a
target, but doing so is discouraged.
8. Next to “People, Servers, Groups” below the Access List box, select
one:
• Show Modified — to show only subjects whose access to the selected target is set at the target.
• Show All — (default) to show subjects whose access to the selected target is set at a higher target using the “This container and all descendants” scope, as well as to show subjects whose access to the selected target is set at the target.
9. To add the subject for which you are setting access to the selected
target, do one:
• Click Add - Name and type or select a subject name, then click OK. If the subject is a user, server, or group that is not in the directory for which you are controlling access, this prompt appears: “Subject can not be found in the directory. To continue, please specify the subject’s type: Person, Server, Group.” Select one of the options presented, then click OK.
• Click Add - Default to add the subject -Default-.
• Click Add - Self to add the subject Self.
• Click Add - Anonymous to add the subject Anonymous.
If a subject’s access to the selected target is set at a higher target
through the scope “This container and all descendants” and you
add the subject to the selected target with new access settings, the
new access settings then control the subject’s access to the selected
target.
For more information on extended ACL subjects, see the topic
“Extended ACL subject” earlier in the chapter.
10. Below the Scope of Target box at the top, right of the “Extended
Access at target” box, select one of the following to specify the scope
of the subject’s access at the selected target.
• This container and all descendants (default) — to apply the subject’s access to the selected target and to all targets subcategorized below it.
• This container only — to apply the subject’s access to the selected target only and not to targets subcategorized below it.
For more information, see the topic “Target scope” earlier in the
chapter.
Note If you selected a single document as a target in Step 7, the
“This container and all descendants” option is not available.
11. Below the Attributes section at the right of the “Extended Access at
target” box, for each of the following select Allow or Deny to set the
selected subject’s default access to the selected target.
• Browse
• Create
• Delete
• Read
• Write
• Administer
For more information, see the topics “Extended ACL access settings”
and “Default access compared to form-specific access” earlier in the
chapter.
12. (Optional) Set form-specific access to make exceptions to the default
access.
13. Click OK to save the extended ACL changes and close the “Extended
Access at target” box.
Setting a subject’s form-specific access to an extended ACL target
When you set a subject’s access to an extended ACL target, you can use
this optional procedure to make exceptions to the subject’s default access
to the selected target and set access differently to documents created
from a specific form.
For each form for which you want to set different access than the
subject’s default access set for the selected target, do the following:
1. Select the subject for which you are setting access in the “Extended
Access at target” dialog box and click “Form and Field Access” to
open the “Form and Field access at target” dialog box. The dialog box
shows the forms in the directory in the Forms box. When you select a
form in the Forms box, the Fields box shows only the fields in the
selected form.
2. (Optional) To set the “Form and Field Access at target” dialog box to
display LDAP object classes and attributes rather than forms and
fields, next to Schema select LDAP. This option works only if you are
setting access to a directory on a server running the LDAP service.
For more information, see the topic “Displaying LDAP attributes and
object classes when setting form-specific access” earlier in the chapter.
3. (Optional) To look at the subject’s default access to the selected target
you previously specified in the “Extended access at target” dialog box.
a. Below the Forms box, select the -Default- entry and look at the
default Browse, Create, and Delete access settings. Optionally,
modify these default access settings. The changes will show in
the “Extended access at target” dialog box when you close the
“Form and Field Access at target” dialog box.
b. With the -Default- entry still selected in the Forms box, look at the
-Default- entry in the Fields box to see the default Read and Write
access. Optionally, modify these default access settings . The
changes will show in the “Extended access at target” dialog box
when you close the “Form and Field Access at target” dialog box.
4. In the Forms box, select the form for which you want to set access.
Notice that the Fields box changes to show only the fields on the
selected form.
5. In the Forms box, set the desired Browse, Create, and Delete access
settings for the selected form.
6. To set the subject’s Read and Write access to all fields in the selected
form:
a. Keep the form for which you are setting access selected in the
Forms box.
b. Select -Default- in the Fields box.
c. Set the subject’s general Read and Write access to the fields on
the selected form.
7. To set the subject’s Read and Write access to a specific field in the
selected form:
a. Keep the form for which you are setting access selected in the
Forms box.
b. Select the field in the Fields box.
c. Set the subject’s Read and Write access to the selected field. These
settings take precedence over the settings specified in step 6.
8. (Optional) To show the form-specific access you have set:
a. Above the Forms box, select Show - Modified. Notice that Show -
Modified is also selected above the Fields box.
b. Select a form listed in the Forms box to see the access set
specifically for that form.
c. With the form still selected, look at the Fields box to see the fields
on the form for which you’ve set access.
9. When you’ve finished setting form-specific access, click OK to close
the “Form and Field access at target” dialog box.
10. Continue to Step 13 in the procedure “Setting a subject’s access to an
extended ACL target.”
Modifying or removing a subject’s access settings at an extended
ACL target
You can modify a subject’s access to an extended ACL target. You can
also remove a subject from a target to remove the subject’s access settings
for the target.
To modify a subject’s access to an extended ACL target
To modify a subject’s access set at an extended ACL target, follow the
steps described in the topic “Setting a subject’s access to an extended
ACL target,” except in step 9 select the subject rather than add it.
Note that if you select a subject in the “Extended access at target” dialog
box and the subject’s access settings are grayed out, check that you have
the access required to change the settings: Manager access in the
database ACL or Editor access in the database ACL with Administer
access to the selected target.
If you have the required access to make the change and the subject’s
access settings are grayed out, the subject’s access to the selected target is
set at a higher target with the scope “This container and all descendants.”
In this case you can do one of the following:
• At the selected target, click Add to add the subject to the selected
target and set different access for the subject at the target. The new
access to the selected target overrides the access set at the higher
target. If you choose the scope “This container and all descendants”
the new access applies to all documents subcategorized below the
selected target as well. If you choose the scope “This container only,”
documents categorized immediately below the selected target get the
new access settings, but documents under subcategories of the selected
target continue to have the access settings specified at the higher
target.
• Select the higher target, select the subject at the higher target, and
change the access. The changes apply to documents directly under the
higher target and to documents below all subcategories of the higher
target, including the target for which the subject’s access is grayed out.
To remove a subject’s access settings from an extended ACL target
Remove a subject from an extended ACL target to remove the access
settings specified for the subject at the target.
1. Make sure you have one of the following levels of access:
• Manager access in the database ACL.
• Editor or Designer access in the database ACL and Administer
extended ACL access to the target from which you are removing
the subject. A database manager or someone with the Administer
access to the target must give you this access.
2. Open the database with the extended ACL, and choose File -
Database - Access Control.
3. With Basics selected, click Extended Access.
4. In the Target box at the left of the “Extended Access at target” box,
select the target from which you want to remove the subject.
For information, see the topic “Extended ACL target” earlier in the
chapter.
5. In the Access List box, select the subject that you want to remove,
and click Remove.
6. Click OK and when you see the prompt “Save changes before
exiting?” Click Yes to save the changes and close the “Extended
access at target” dialog box.
7. Click OK to close the Access Control List dialog box.
Showing a subject’s effective access to an extended ACL target
You can determine the effective access a subject has to a target in an
extended ACL. The effective access is the actual access a subject has to a
target after the database ACL and extended ACL access settings and
conflicts are evaluated.
1. Open the database that uses the extended ACL, and choose File -
Database - Access Control.
2. With Basics selected, click Extended Access. You see Extended
Access only if you have enabled extended access.
3. In the Target box to the left, expand the target categories as necessary
and select the target for which you want to determine a subject’s
access.
4. Click “Effective Access” to open the “Effective Access at target”
dialog box.
5. Below the “People, Servers, Groups” box at the top of the dialog box,
type or select the subject whose effective access you want to
determine. If the subject you specify cannot be found in the directory,
this prompt appears:
“Name type cannot be determined. Is this a group? Click Yes if the
name is a group, or No if the name is not a group.”
Note You cannot determine the effective access for the subject Self.
6. Click “Calculate Access.”
7. The Default Access section shows the subject’s default access to the
selected target.
8. The Modified Forms section shows any forms for which the subject’s
access is different than the default access for the selected target.
a. Select a form in the Modified Forms section to see the access set
for the form.
b. Look at the Modified Forms section to see the Browse, Create,
and Delete access set for the selected form.
c. Look at the Modified Fields section to see the field access set for
the selected form. -Default- shows the default field access for the
select form. If there are individual fields listed, select a field to
see how its access is different than the default field access.
9. The “Database access” section shows the access the database ACL
grants the subject.
10. The “Access derived from” box shows all the subjects that can
control the subject’s access allowed in the database ACL and the
extended ACL and displays a check mark next to the subject or
subjects that determine the access.
11. When you are finished viewing the effective access, click Done.
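The scope rules described under “Modifying or removing a subject’s access settings” (an entry set at a higher target with “This container and all descendants” reaches everything below it, “This container only” reaches only the documents directly under the target, and an entry added lower overrides one inherited from above) and the effective-access calculation this dialog performs can be checked with the following model. It is an added example in Python, not Domino’s own code: the target paths, subject names, the database rights sets and the rule that a path component beginning with “CN=” is a document rather than a container are assumptions made for the example. The one rule it takes from the chapter as given is that the extended ACL can only restrict what the database ACL grants.

```python
"""Scope resolution for extended ACL targets, as an added example.

This is not Domino code. It models the rules the chapter states: an
entry set at a target with scope "This container and all descendants"
reaches every target below it; an entry with scope "This container only"
reaches the target itself and the documents directly under it, but not
sub-containers or anything beneath them; and an entry set at a lower
target overrides one inherited from above. Because the extended ACL can
only restrict what the database ACL grants, effective access is the
intersection of the two. Target paths, subject names and the rule that
a path component starting with "CN=" is a document (not a container)
are assumptions of the model.
"""

ATTRIBUTES = ("Browse", "Create", "Delete", "Read", "Write", "Administer")
DESCENDANTS = "This container and all descendants"
CONTAINER_ONLY = "This container only"


def ancestors(target):
    """Yield (distance, path) from the target itself up to the root "/"."""
    parts = [p for p in target.split("/") if p]
    for distance in range(len(parts) + 1):
        yield distance, "/" + "/".join(parts[: len(parts) - distance])


def is_document(target):
    """Assumption of the model: CN= components are documents, the rest containers."""
    return target.rsplit("/", 1)[-1].startswith("CN=")


def governing_entry(xacl, subject, target):
    """Return (path where the governing entry is set, attrs), or (None, None).

    xacl maps (target path, subject) -> {"scope": ..., "attrs": {attr: bool}}.
    The nearest applicable entry wins. If the path returned lies above the
    target, the target shows that entry's settings grayed out: add the
    subject at the target to override, or change it at the higher target.
    """
    for distance, path in ancestors(target):
        entry = xacl.get((path, subject))
        if entry is None:
            continue
        if distance == 0 or entry["scope"] == DESCENDANTS:
            return path, entry["attrs"]
        if entry["scope"] == CONTAINER_ONLY and distance == 1 and is_document(target):
            return path, entry["attrs"]
    return None, None


def effective_access(db_rights, xacl, subject, target):
    """Intersect the database ACL rights with the governing extended ACL entry."""
    _, attrs = governing_entry(xacl, subject, target)
    allowed = {}
    for attr in ATTRIBUTES:
        in_db = attr in db_rights
        allowed[attr] = in_db if attrs is None else (in_db and attrs.get(attr, False))
    return allowed


# Constructed sample: read-only at the organization with descendant scope,
# full (non-Administer) access at OU=Sales with container-only scope.
ALL = dict.fromkeys(ATTRIBUTES, True)
READ_ONLY = dict(ALL, Create=False, Delete=False, Write=False, Administer=False)
SAMPLE_XACL = {
    ("/O=Acme", "Sales Admins"): {"scope": DESCENDANTS, "attrs": READ_ONLY},
    ("/O=Acme/OU=Sales", "Sales Admins"): {"scope": CONTAINER_ONLY,
                                           "attrs": dict(ALL, Administer=False)},
}

if __name__ == "__main__":
    for target in ("/O=Acme/OU=Sales/CN=Jane Doe",       # directly under OU=Sales
                   "/O=Acme/OU=Sales/OU=West",           # sub-container: not reached
                   "/O=Acme/OU=Sales/OU=West/CN=Bob Ray"):
        where, _ = governing_entry(SAMPLE_XACL, "Sales Admins", target)
        print(target, "governed from", where,
              effective_access(set(ATTRIBUTES), SAMPLE_XACL, "Sales Admins", target))
```

Running it shows that Jane Doe’s document takes the OU=Sales entry while the OU=West sub-container and Bob Ray’s document under it fall back to the organization-level entry, and that a subject with only Reader-level database rights gets no Write access regardless of what the extended ACL allows.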
Using the history log to monitor changes to an extended ACL
You can display a log of all changes made to an extended ACL and to the
database ACL. Each entry in the list shows when the change occurred,
who made the change, and what changed.
1. Open the database that uses the extended ACL, and choose File -
Database - Access Control.
2. Do one of the following:
• Click Log from the Access Control List dialog box
• Click Extended Access and then click Log from the “Extended
Access at target” box.
3. Select a line of log history. To see the complete text of the log history,
look in the field at the bottom of the dialog box.
4. (Optional) Click Copy to copy the log to the Clipboard so that you
can paste it into a document.
Note If you use a Macintosh client, you cannot do Step 4.
Disabling extended access
Disabling extended access takes effect immediately and irreversibly
removes any extended ACL restrictions that have been set and so will
alter security checking for the database. You will remove all restrictions
set on forms and fields, and the database ACL will no longer be
restricted by extended ACL access settings. In addition, the database
ACL will no longer be enforced for Notes client lookups to the directory,
and the domain Configuration Settings will resume as the access control
mechanism for anonymous LDAP searches of the directory.
Disabling extended access removes all evidence of extended ACL
settings, information that cannot be recovered unless you restore it from
a recent backup or archive of the directory, or unless you write down the
settings prior to disabling them and then reapply them manually later.
Caution Do not disable extended access if you have any uncertainty
about doing so.
Note Disabling extended access may take a few minutes on a very large
directory database. The Notes client or Domino Administrator client is
unavailable for other purposes during this process.
To disable extended access:
1. Open the database and choose File - Database - Access Control.
2. Make sure you have Manager access in the database ACL.
3. Click Advanced and then click the “Enable Extended Access” check
box to remove the selection.
4. At this prompt, click Yes if you are sure you want to disable
extended access; otherwise, click No:
“Warning: Disabling extended access removes all extended access
control restrictions that have been set. Do you want to continue?”
5. Click OK in the Access Control List dialog box.
6. At this prompt, click OK:
“Disabling extended access control restrictions. This may take a
while.”
The status bar indicates when the process is complete.
Chapter 26
Overview of the Domino Mail System
This chapter describes how the Domino mail system works and provides
information that you need to consider before you deploy mail.
Messaging overview
The Domino mail system has three basic components: Domino mail
servers, Domino mail files, and mail clients. The Domino mail server is
the backbone of an organization’s messaging infrastructure, acting both
as an Internet mail server and a Notes mail server. Domino provides
standards-based Internet messaging through its support of the Simple
Mail Transfer Protocol (SMTP), Post Office Protocol version 3 (POP3),
Internet Message Access Protocol (IMAP), and Multipurpose Internet
Mail Extensions (MIME). At the same time, Domino supports Lotus
Notes mail through the use of Notes routing protocols — Notes remote
procedure calls (NRPC) — and the Notes rich text message format.
Domino mail servers provide services that directly and indirectly
support messaging. These include specialized databases for locating
users and servers, for message storage and transit, and for collecting
statistics; and processes that initiate and receive connections between
servers, route messages, and allow users to retrieve mail.
Every mail user in a Domino system has a mail file on a Domino mail
server. You can create a replica of the mail file on other servers for
failover in case the primary server is unavailable. Users create mail
messages using a mail client, such as Lotus Notes, or a POP3 or IMAP
client, and send mail through the Domino mail server, which routes the
message to its recipient. The recipient then uses a mail client to read the
message. To protect confidential information in mail messages, Domino
supports Notes public key encryption and S/MIME encryption.
The Lotus Notes client and the Domino mail router (the Router) create
and send messages in the format (MIME or Notes rich text) appropriate
for each recipient, as determined from the address format and settings in
the recipient’s Person document. If conversion between formats is
necessary, Domino performs the conversion automatically.
The Router uses information in the Domino Directory to determine
where to send messages and what transfer protocol to use. For messages
sent over SMTP, the Router also uses information from the Domain
Name System (DNS).
Domino provides tools for monitoring mail, controlling unsolicited
commercial e-mail (UCE), and preventing unauthorized access to the
mail system. To reduce the space needed to store users’ mail, you can set
quotas on users’ mail files, restrict users from creating full-text indexes,
and implement Domino shared mail on the server. Domino provides
migration tools and message transfer agents to help you move from a
heterogeneous system to a Domino mail server, which combines support
for Notes mail alongside support for Internet mail standards.
This section includes overview information on the following topics:
• Supported mail routing and mail access protocols
• The Domino mail server and mail routing
• The Domino Directory and mail routing
• Domino mail files
• Mail security
• Mail clients
• Working with other mail systems
• Mail performance and monitoring
Supported routing, format, and access protocols
The Lotus Domino server and Lotus Notes client support both Internet
standards and Notes protocols for message routing, retrieval, and
formatting. On the server, the Domino mail router (the Router) can send
and receive messages using the Simple Mail Transfer Protocol (SMTP)
and Notes Remote Procedure Calls (NRPC), or Notes routing. To enable
users to retrieve mail, the server supports the Internet access protocols,
IMAP and POP3, as well as NRPC. In addition, the Domino HTTP
service interacts with Domino mail databases to provide mail service for
HTTP clients, such as the iNotes Web Access client.
Domino sends and stores messages in both MIME format and Notes rich
text format, and the Notes client creates and sends messages in either
format.
Mail clients retrieve messages from the server using NRPC, IMAP and
POP3. In addition, Web clients, such as the iNotes Web Access client,
access mail through the Domino HTTP service. The Notes client sends
and retrieves mail using NRPC, or Internet protocols (SMTP, IMAP and
POP3).
Mail routing protocols
When a new message arrives in MAIL.BOX, the Router determines
where and how to send the message. By default, the Router uses Notes
routing to transfer mail from one server to another. If the server has both
SMTP and Notes routing enabled for the local Internet domains, the
Router chooses the optimal protocol to use to move the message to its
destination. The protocol selection is based on the current message
format, the Domino version of the server that holds the recipient’s mail
file, and the format preference specified in the recipient’s Person
document. For example, the Router uses SMTP to route the MIME copy
of a message to a POP3 recipient’s server, and uses Notes protocols to
route the Notes rich text format copy of a message to a Notes recipient’s
server.
You can also configure Domino to use SMTP to route mail. SMTP routing
can be used instead of, or in addition to, Notes routing. You can
configure a Domino server to use SMTP when transferring mail to
destinations within the local Domino domain only, to external Internet
domains, or both.
Supported message formats
Domino transports and stores messages in both MIME format and Notes
rich text format. The transit format of a message depends in part on the
routing protocol used, and can differ from the format in which the
message is stored in the destination mail file. When transferring
messages over Notes routing the Router handles messages in either
MIME or Notes format. Messages sent over SMTP are always sent in
MIME format.
The format used to store a message depends on the storage preference
specified in the user’s Person document. A mail file can store messages in
MIME format only, Notes rich text format only, or in both formats,
accepting messages as is, regardless of format. Administrators should
ensure that each user’s Person document specifies the format preference
appropriate to their mail client. For example, because IMAP clients
require messages in MIME format, the Person document of a user who
always accesses mail from an IMAP client should specify MIME as the
format preference for incoming mail.
To ensure that users receive messages in the format best suited to their
chosen mail clients, Domino converts messages between formats as
needed. The Router may convert a message during transfer between
servers or when delivering the message to a user’s mail file. Conversion
during transfer occurs when a message in Notes format must be sent
over SMTP, or when routing a MIME message to a Release 4.x or earlier
server that cannot process MIME. The Domino IMAP and POP3 services
also convert messages, as when an IMAP or POP3 client needs to
retrieve a message stored in Notes format.
Because Notes routing can transport messages in MIME format, on
networks that support both Notes routing and SMTP, a MIME message
may travel over both protocols en route to its destination.
POP3 and IMAP clients, which always send messages to the server over
SMTP, create messages in MIME format. The Notes client creates
messages in either Notes rich text or MIME format, depending on the
format required by the intended recipient. When a user sends a message
from a Notes client to another Domino mail user, the client software
looks up the format preference specified in the recipient’s Person
document to determine which format to send. If the Person document
indicates that the user’s mail file stores messages in MIME format (as
when a user accesses mail from an Internet mail client, such as an IMAP
client), the sender’s Notes client software sends messages to that
recipient in MIME format.
If a recipient is not listed in the Domino Directory, the client software
sends the message in the format that corresponds to the address type:
recipients with Internet-style addresses, such as jane_doe@acme.com,
receive messages in MIME format, and recipients with Notes-style
addresses (Jane Doe/Sales/Acme@Acme) receive Notes rich text.
When sending messages to multiple recipients, the client software creates
the message in both MIME and Notes rich text formats if necessary. For
example, the client software creates a Notes rich text format message for
a recipient who uses a Release 4 Notes client and creates a MIME
message for a recipient who uses a POP3 client.
By combining SMTP, Notes routing, and automatic message conversion,
Domino provides flexibility in setting up your mail infrastructure. For
example, you can set up a mail system that is based completely on
Internet standards and use the Router to route MIME messages over
SMTP. You can set up a mail system that is based completely on Notes
mail and use the Router to route Notes format messages over Notes
routing. Or you can set up a mail system that uses both SMTP and
Notes routing, sends both MIME and Notes format messages, and uses
automatic message conversion to ensure that clients receive mail in the
proper format.
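The per-recipient decisions described in “Mail routing protocols” and “Supported message formats” (which format the sending client creates, which protocol carries the copy, and where the Router has to convert) can be written down as one decision procedure. The following is an added example in Python, not Notes or Domino code: the directory entries, the preference values and the test that a Notes-style address carries a slash in its local part are constructed assumptions, and the “SMTP enabled in the local Internet domain” switch stands in for the Configuration Settings the chapter refers to.

```python
"""Format and transfer-protocol selection per recipient, as an added example.

This is not Domino or Notes code. It models the rules the chapter gives:
a recipient with a Person document gets the format that document
prefers; a recipient not in the directory gets MIME for an Internet-style
address and Notes rich text for a Notes-style address; SMTP carries only
MIME, so a Notes rich text message bound for SMTP is converted, while
Notes routing carries either format as is; when SMTP is also enabled
inside the local domain, MIME copies go over SMTP and Notes copies over
Notes routing. A message to mixed recipients is built once per format.
Names, preference values and the slash test are constructed assumptions.
"""

MIME = "MIME"
NOTES = "Notes rich text"
SMTP = "SMTP"
NRPC = "Notes routing"


def is_notes_address(address):
    """Jane Doe/Sales/Acme@Acme is Notes-style; jane_doe@acme.com is Internet-style."""
    return "/" in address.split("@", 1)[0]


def client_format(address, directory):
    """Format the sending client creates for one recipient."""
    preference = directory.get(address)  # from the Person document, or None
    if preference in (MIME, NOTES):
        return preference
    # Not listed, or no preference recorded: the address type decides.
    return NOTES if is_notes_address(address) else MIME


def transfer(address, directory, fmt, smtp_in_local_domain=False):
    """Return (protocol, on-the-wire format, converted?) for one recipient."""
    if address not in directory and not is_notes_address(address):
        protocol = SMTP                      # external Internet domain
    elif smtp_in_local_domain and fmt == MIME:
        protocol = SMTP                      # MIME copy to a local Internet-mail user
    else:
        protocol = NRPC
    wire = MIME if protocol == SMTP else fmt  # SMTP never carries Notes rich text
    return protocol, wire, wire != fmt


def plan(recipients, directory, smtp_in_local_domain=False, existing_format=None):
    """Decide format, protocol and conversion for every recipient.

    existing_format forces the created format, as for a message that was
    already deposited in MAIL.BOX in Notes rich text by an older client or
    an application and now has to leave over SMTP.
    """
    result = {}
    for address in recipients:
        fmt = existing_format or client_format(address, directory)
        protocol, wire, converted = transfer(address, directory, fmt, smtp_in_local_domain)
        result[address] = {"created": fmt, "protocol": protocol,
                           "wire": wire, "converted": converted}
    return result


def copies_needed(planned):
    """Formats the client must build for one send (one copy per format)."""
    return sorted({entry["created"] for entry in planned.values()})


# Constructed sample directory: Person document format preferences.
DIRECTORY = {
    "Jane Doe/Sales/Acme@Acme": NOTES,   # Notes client user
    "Pat Lee/Acme@Acme": MIME,           # reads mail with a POP3 or IMAP client
}
RECIPIENTS = ["Jane Doe/Sales/Acme@Acme", "Pat Lee/Acme@Acme", "vendor@example.com"]

if __name__ == "__main__":
    for address, entry in plan(RECIPIENTS, DIRECTORY).items():
        print(address, entry)
    print("copies:", copies_needed(plan(RECIPIENTS, DIRECTORY)))
```

With the sample directory the client builds both a Notes rich text and a MIME copy; Pat Lee’s MIME copy stays on Notes routing unless SMTP is enabled for the local Internet domain, and a message that already exists in Notes rich text is the only case in which the Router converts before sending to the external address.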
Mail access protocols
Domino supports Internet mail access protocols such as IMAP and POP3
and also offers mail access to Notes clients. IMAP and POP3 clients
connect to their respective protocol services to retrieve and send mail by
way of an SMTP server. The Notes client can use Notes protocols to
connect to a Domino mail server to read and send mail, and can also use
IMAP or POP3 to access mail on a Domino server or on non-Domino
mail servers — for example, a UNIX sendmail server.
The Domino mail server and mail routing
To process incoming and outgoing mail, Domino mail servers run a
variety of server tasks and maintain a number of special databases. Some
components are required for all Domino messaging systems; others are
needed to support specific configurations only.
The following table lists some of the required and optional components
Domino uses to route mail, grouped by component type:

Server tasks

Router task: Monitors the MAIL.BOX database for new messages.
Responsible for transferring messages to other servers and delivering
messages to local mail files. Can transfer mail using Notes remote
procedure calls (NRPC) as well as SMTP. Converts message format between
Notes rich text and MIME as needed. Maintains a routing table comprised
of information derived from the Domino Directory and NOTES.INI file.

SMTP task: (Optional) Enables the SMTP listener, which lets the server
receive messages sent over SMTP routing.

Server task: Listens for incoming messages sent by clients and servers
over Notes routing and for Notes client requests.

IMAP task: (Optional) Enables IMAP clients to access messages in user
mail databases on the Domino server.

Converter: (Optional) Enables mail files for IMAP access.

Message Tracking Collector (MT Collector): (Optional) Maintains the
MTSTORE.NSF database used to perform message tracking.

Object Store Manager: (Optional) Performs maintenance activities on
databases and mail files that use shared mail.

POP3 task: (Optional) Enables POP3 clients to access messages in user
mail databases on the Domino server.

HTTP task: (Optional) Allows the server to host Web applications.
Needed to provide Web clients and iNotes users with access to their
mail databases on the Domino server.

DOLS: (Optional) Provides iNotes Web Access users with offline access
to their mail databases.

Databases and database templates

Mail Router Mailbox database (MAIL.BOX): Special Notes database that
acts as a temporary repository for all messages in transit to and from
mail clients, applications, and other servers. Created automatically at
startup. The server creates the number of MAIL.BOX databases specified
on the Configuration Settings document.

Domino Directory (NAMES.NSF): Repository for documents that mail
clients and the Router use to determine where and how to send
messages: the Server document, Configuration Settings, Person
documents (security and message format), Domain, Connection, and
Internet Site documents.

Mail file databases: End-user mailbox for receiving and sending
electronic mail. Every user who accesses mail on a Domino server has a
mail file.

Object Store (Shared mail) databases (SMXXXXXX.NSF): (Optional)
Repository for shared messages. The Router automatically creates the
number of shared mail databases to meet the quantity and directory
locations you specify in the Server document. Domino also creates an
associated database link in the Data directory.

Mail Journaling database (MAILJRN.NSF): (Optional) Stores copies of
messages that pass through the Router Mailbox. A Mail journaling
database is automatically created at startup after you enable
journaling.

Mail Tracking database (MTSTORE.NSF): Repository for summary
information about mail flowing through a server. Created and written to
by the MTC add-in task after you enable message tracking. The Mail
Tracking database is read by the message tracking tool.

DOLADMIN.NTF: Contains Security Policy documents and user profile
documents for DOLS and iNotes applications. DOLADMIN.NSF is
automatically created at startup.

MAIL6EX.NTF: Template for Web mail and iNotes Web Access for Microsoft
Outlook mail files. iNotes Web Access for Microsoft Outlook, using
DOLS, allows users to work in their Notes mail through Microsoft
Outlook.
These steps describe how mail routes in a Domino mail system.
1. Using a mail client, a user creates and addresses a mail message to a
recipient.
2. The user sends the message.
3. The user’s mail client does one of the following:
• Uses Notes protocols to deposit the message into the MAIL.BOX
database on the user’s Domino mail server.
• Uses SMTP to send the message to the user’s Domino mail server,
which must be running the SMTP listener task. The SMTP listener
task deposits the message into MAIL.BOX (Lotus Notes, IMAP
clients, POP3 clients).
• Uses HTTP to send the message to the user’s Domino mail server,
which must be running the HTTP task. The HTTP task deposits
the message into MAIL.BOX (Web clients).
4. The Router finds the message in MAIL.BOX and determines where to
send the message for each recipient. The Router checks its routing
table to calculate the next “hop” for the message on the path to its
recipients and determines the appropriate protocol — either SMTP
or Notes routing — to transfer the message.
• Using SMTP routing, the Router connects to the destination server
— the recipient’s mail server, a relay host, a smart host, or one of
the servers in the recipient’s Internet domain — and transfers the
message.
• Using Notes routing, the Router moves the message to the
MAIL.BOX database on the server that is the next hop in the path
to the recipient’s mail server. The Router on that server transfers
the message to the next hop, until the message is deposited in the
MAIL.BOX database on the recipient’s home server.
5. The Router on the recipient’s server finds the message (in MAIL.BOX
on a Domino server) and delivers it to the recipient’s mail file.
6. Using a mail client, the user retrieves the message from the mail file.
Depending on the type of mail client, one of the following protocols
is used: Notes remote procedure calls, IMAP, POP3, or HTTP.
The Domino Directory and mail routing
The Domino Directory (NAMES.NSF) is the most important database on
a server. It defines the primary administrative unit in a Domino network,
the Domino domain, which is a group of servers that have the same
Domino Directory. The Domino Directory serves as the control center for
the domain. Administrators use it to manage users and connect and
configure servers and it contains almost all of the essential information
required for routing mail.
When you set up the first Domino server, the setup program creates your
Domino domain’s Domino Directory. Each server in the domain stores a
replica of the Domain’s Domino Directory. Domino replication
synchronizes the Domino Directories on each server.
In addition to the Domino Directory, Domino retrieves information from
the server’s NOTES.INI file and, when routing mail over SMTP, from the
Domain Name System (DNS), which is maintained separately.
The Domino Directory supports LDAP so that Internet mail clients can
use LDAP to query and modify the directory if they have access to do so.
For more information on LDAP, see the chapter “Setting Up the LDAP
Service.”
Domino routing tables
A routing table is a list of connections from a Domino server to all other
servers it can contact. Domino uses the routing table to determine the
best, least-cost path to deliver mail. When you start the Router on a
server, it gathers information from the NOTES.INI file, and the
Configuration Settings, Connection, Domain, and Server documents in
the Domino Directory to build a dynamic routing table.
The Router automatically recalculates the routing table after you reboot
the server or restart the router task. In addition, the Router checks the
Domino Directory for changes at intervals of approximately five minutes.
If it detects changes in these source documents, it rebuilds the routing
table to incorporate the new information.
Note Changing routing information in the NOTES.INI file or in the
Domino Directory, does not force the Router to immediately recalculate
the routing table.
You can use a TELL command to refresh the routing table without
having to restart the Router. The ability to update the routing table on
demand is especially useful when testing new configuration settings. See
the chapter “Setting Up Mail Routing” for more information about using
the update configuration TELL command.
How the Router uses the Domino Directory to look up mail
recipients
When a user sends mail to a recipient in the local domain, the Router
looks up the complete address in the ($Users) view of the Domino
Directory (if you set up Directory Assistance, the Router can also look up
the address in a secondary directory) for the recipient’s Person
document, which lists the recipient’s home server. If the recipient’s home
server is the current server, the Router will deliver the message. If it is a
different server, the Router consults the routing table to determine the
best route, or least-cost path, for transferring the message to the
destination home server and routes the message along that path..
If the Router cannot find a match for the recipient in the specified
directories, it can forward the message to a “smart host,” which is a
server that has a directory of users who are in the local domain but who
are not listed in the Domino Directory. For example, if you are migrating
users from a UNIX sendmail system to a Domino mail system but you
have not migrated all users yet, you set up a UNIX server as a smart host
that can locate the sendmail users and route mail to them. Enter the name
of the smart host in the Local Internet domain smart host field on the
Router/SMTP-Basics tab of the Configuration Settings document.
For more information about setting up routing in the local Internet
domain and setting up a smart host, see the chapter “Setting Up Mail
Routing.”
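The two preceding topics, the least-cost routing table built from Connection documents and the recipient lookup with smart-host fallback, are shown together below as an added example in Python. It is a model, not the Router’s code: the server, network and user names and the route costs are constructed, servers in the same Notes named network are assumed to reach each other at a cost of 1, and every other link is taken from a Connection document with an explicit cost.

```python
"""Least-cost mail routing from Connection documents, as an added example.

This is not Domino code. It models what the chapter describes: the
Router builds a routing table from the directory, picks the least-cost
path to the recipient's mail server and hands the message to the next
hop on that path; a recipient is located through the Person document's
mail server, and an address with no Person document goes to the smart
host if one is configured. Assumptions of the model: servers in the same
Notes named network reach each other at cost 1, every other link is a
Connection document with an explicit cost, and all names are constructed.
"""
import heapq
import itertools


def build_routing_table(local, named_networks, connections):
    """Return {destination server: (total cost, next hop)} as seen from `local`.

    named_networks: {network name: [server, ...]}
    connections:    [(source, destination, cost), ...], one per Connection document
    """
    graph = {}

    def link(src, dst, cost):
        edges = graph.setdefault(src, {})
        edges[dst] = min(cost, edges.get(dst, cost))

    for members in named_networks.values():
        for src in members:
            for dst in members:
                if src != dst:
                    link(src, dst, 1)
    for src, dst, cost in connections:
        link(src, dst, cost)

    # Dijkstra from the local server, carrying the first hop along each path.
    best = {local: (0, None)}
    order = itertools.count()                 # tie-breaker so heap never compares names
    heap = [(0, next(order), local, None)]
    while heap:
        cost, _, node, first_hop = heapq.heappop(heap)
        if cost > best[node][0]:
            continue                          # stale entry
        for nxt, edge_cost in graph.get(node, {}).items():
            total = cost + edge_cost
            hop = nxt if first_hop is None else first_hop
            if nxt not in best or total < best[nxt][0]:
                best[nxt] = (total, hop)
                heapq.heappush(heap, (total, next(order), nxt, hop))
    del best[local]
    return best


def route(recipient, local, directory, routing_table, smart_host=None):
    """What the Router on `local` does with a message addressed to `recipient`."""
    home = directory.get(recipient)           # mail server from the Person document
    if home is None:
        if smart_host:
            return ("smart host", smart_host)  # user not yet in the Domino Directory
        return ("nondelivery", "no Person document for " + recipient)
    if home == local:
        return ("deliver", home)
    if home not in routing_table:
        return ("nondelivery", "no route to " + home)
    return ("transfer", routing_table[home][1])


# Constructed sample topology.
NAMED_NETWORKS = {"Acme LAN": ["Mail1/Acme", "Mail2/Acme", "Hub/Acme"]}
CONNECTIONS = [
    ("Hub/Acme", "Remote/Acme", 5),     # the hub reaches the remote office
    ("Mail1/Acme", "Remote/Acme", 12),  # a costlier direct link from Mail1
]
DIRECTORY = {  # Person document name -> mail server
    "Jane Doe/Acme": "Mail1/Acme",
    "Bob Ray/Acme": "Mail2/Acme",
    "Carl Ng/Acme": "Remote/Acme",
}

if __name__ == "__main__":
    table = build_routing_table("Mail1/Acme", NAMED_NETWORKS, CONNECTIONS)
    for dst, (cost, hop) in sorted(table.items()):
        print("%-12s cost %2d via %s" % (dst, cost, hop))
    for who in ("Jane Doe/Acme", "Bob Ray/Acme", "Carl Ng/Acme", "legacy_user/Acme"):
        print(who, "->", route(who, "Mail1/Acme", DIRECTORY, table,
                               smart_host="sendmail.acme.com"))
```

From Mail1/Acme the message for Carl Ng goes to Hub/Acme (cost 1 + 5) rather than over the direct cost-12 link, which is the least-cost path choice the text describes; the unlisted legacy user is handed to the smart host instead of generating a nondelivery report.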
Documents used for routing mail
The Domino Directory uses numerous documents to define the
messaging topology. Depending on your needs, you may need to create
or edit the following documents:

Server documents: Every Domino server requires a Server document.
Server documents specify the following for each server: Notes name;
IP address; fully-qualified Internet hostname; Domino domain; the
Notes Named networks it is a member of; Internet messaging ports and
services available, such as the IMAP, POP, and SMTP ports; the
security options for each port.

Configuration Settings documents: Configuration Settings documents
provide additional information that determines how servers process
incoming and outgoing mail. They define Router settings for SMTP and
Notes routing; set inbound SMTP restrictions; provide MIME conversion
information; configure mail access for IMAP and iNotes Web Access
clients.

Connection documents: Connection documents define the routing path to
servers outside the current Domino domain or Notes Named Network.

Global Domain documents: Global Domain documents identify the Internet
domains considered to be internal to a Domino domain and for which
the local domain can accept mail. They also provide instructions for
converting the sender’s Notes mail address to an SMTP address.

Adjacent and Non-adjacent Domain documents: Adjacent and Non-adjacent
Domain documents specify the domains from which the current domain
will accept mail destined for a specified adjacent or non-adjacent
domain. Non-adjacent Domain documents also define the intermediary
domain through which the local domain routes mail intended for a
Notes domain to which no direct connection exists.

Foreign SMTP Domain documents: Foreign SMTP Domain documents define
the relationship between Domino domains and SMTP mail systems.

Internet Site documents: Internet Site documents provide protocol
information for IMAP, POP3 and SMTP ports. If configured, the
information in a Site document takes precedence over settings for
the port in the Server document.

File Identification documents: File Identification documents define
the relationships between the file extensions and MIME types and
subtypes of various file types.

Person documents: Person documents provide information about the
location of the user’s mail file; Notes and Internet mail addresses;
Internet passwords required for HTTP, POP3, and IMAP access; and mail
storage preferences.
Host names in the Domino system


For ease of maintenance, when entering server information in the
Domino Directory, refer to the server by its fully-qualified host name
rather than its IP address. Although Domino fully supports IP addresses,
host names are less subject to change than numeric addresses. For
example, for TCP/IP to work properly, a server’s numeric IP address
must change if you move the server to a new subnet or merge two
networks as the result of a reorganization. Using a host name in the
same documents, on the other hand, would not require any update.
Domino mail files
When you create a user account through the Domino registration
process, Domino creates a Notes database (NSF file) to serve as the user’s
personal message store. Each mail file database is created from a mail file
template on a Domino server. The server where the mail file resides is
known as the user’s home server or mail server. Users can access a
Domino mail file from a Notes client, a Web browser, a POP3 client or an
IMAP client or from multiple types of clients (for example, a user might
access mail from a Notes client while at work and from a POP3 client at
home). For users to access mail from the iNotes Web Access client, an
administrator must create the mail file using the iNotes Web Access
template (iNotes60.ntf).
Mail databases support full-text indexing, encryption, replication, soft
deletions, and archiving. Administrators can specify properties or
policies to limit the use of these features on mail files.
For users who access mail primarily or exclusively from the Notes mail
client, you must create User IDs during registration. A User ID is not
required if a user accesses mail only from a mail client other than the
Notes client. For example, although a user who accesses mail from an
iNotes Web Access, POP3, or IMAP client must have a Person document
and Internet passwords, a User ID is not required. However, a User ID is
required for iNotes Web Access users who wish to work offline or read
encrypted mail.
The Router on a user’s home server delivers incoming messages for the
user to the mail file. Messages in a mail file may be stored in either Notes
rich text format (also known as Compound Document, or CD format) or
MIME format. The format used depends on settings in the user’s Person
document. If a user’s mail client opens or downloads a message that is
stored in a format it cannot read, Domino automatically converts the
message. For example, if an IMAP client opens a message stored in Notes
rich text format, the Domino IMAP service converts the message to
MIME before passing it to the client.
In environments where all users access mail from Notes mail clients, you
might specify rich text storage. For users who always access mail from
IMAP or POP3 clients, MIME storage eliminates the need to convert
messages before they can be read. If you set a user’s preferred storage
format to “Keep in sender’s format,” the Router does not change the
format of messages before placing them in the mail file, so the mail file is
likely to contain a mix of rich text and MIME messages.
By default, each user is considered to be the owner of their personal mail
file, and as such, is granted Manager access in the mail file’s Access
Control List (ACL). Users with Manager access can delegate subsidiary
access to their mail files to specified, trusted individuals from a Notes
client, iNotes Web access client, or Webmail client. For example,
executives in an organization may allow their secretaries to read and
send mail on their behalf.
To allow for mail delivery, the default ACL also grants Manager access
to a user’s mail server and other servers in the local Domino Domain.
The ACL provides no access to other users in the mail system.
During registration, the presiding administrator can assume Manager
access of a user’s mail file by resetting the mail file owner access from
Manager to Designer. Users require a minimum of Editor access to their
mail files to perform routine mail operations — creating, sending,
replying to, and deleting messages. Other mail file operations require
greater access privileges. For example, users must have at least Designer
access to create a full-text index.
To help manage disk space, you can set database quotas to restrict the
mail file size. In the Configuration Settings document, you can enable the
Router to withhold delivery of new mail when a mail file reaches its
quota. The Router continues to withhold mail until the user reduces the
size of the mail file by deleting or archiving messages.
In addition to a user’s primary mail file, users and administrators can
replicate mail files to other locations. Administrators can create server
replicas to provide failover. A user can create a local replica on a
workstation or laptop and use it to work off-line.
Overview of the Domino Mail System 26-13
Mail
Notes client users can create mail filtering rules to manage inbound
messages. Administrators can use the Domino Administrator and other
standard Notes database tools, such as Compact and Fixup, to perform a
variety of maintenance tasks.
Mail security
To provide secure message transfer among clients and servers, the
Domino mail server supports name and password authentication and
Secure Sockets Layer (SSL) for SMTP mail routing, IMAP, and POP3
access, and supports Notes encryption when routing mail over Notes
routing.
To encrypt and sign messages, Notes clients can use Notes encryption
with User ID files and public-private keys or Internet mail security with
X.509 certificates. Internet mail clients can use X.509 certificates.
For more information, see the chapters “Planning Security,” “Setting Up
SSL on a Domino Server,” “Encryption and Electronic Signatures,” and
“Setting up Clients for S/MIME and SSL.”
Working with other mail systems in your organization
Domino interoperates with other mail servers and systems through its
support of Internet standards and message transfer agents (MTAs) for
X.400, cc:Mail, and other systems. Domino can exchange mail with other
SMTP servers and route mail to and from X.400 and cc:Mail systems
through the X.400 and cc:Mail MTAs. Additional third-party tools are
available to provide interoperability with and gateways to other mail
systems.
If you have some users who use Lotus cc:Mail, you need at least one
server running the cc:Mail message transfer agent (MTA) to connect your
Domino system to the cc:Mail system.
If you have some users who use an X.400 mail system, you need at least
one Release 4 server running the X.400 MTA to connect your Domino
system to the X.400 system.
If you have users in the local Internet domain who are not listed in the
Domino Directory, set up a smart host so the Router can forward
messages for users in other local mail systems.
Mail clients
Clients interact with mail files on the Domino server in different ways.
All clients can create, send, and receive mail. Some clients, such as Web
browsers, can only interact with mail on the server and cannot store mail
locally. Some clients, such as POP3 clients, can only download mail from
the server and work with it locally. Some clients, such as Lotus Notes,
iNotes Web Access, and IMAP clients, can download mail or work with
it on the server and can store mail locally. You can use the following
types of clients with the Domino mail server:
• Lotus Notes clients
• IMAP clients, such as Microsoft Outlook Express
• POP3 clients, such as Netscape Messenger
• Web browsers, such as Netscape Communicator and Microsoft Internet
Explorer
• iNotes Web Access clients
• iNotes Web Access for Microsoft Outlook clients
Lotus Notes clients
A Notes client can interact with a Domino server using either Notes
protocols or Internet protocols, such as IMAP, POP3, and SMTP. If your
organization uses Notes clients, select any of these protocols for server
access. Enable the protocol on the server that clients use for access.
Notes clients access the Domino Directory using either Notes protocols or
Lightweight Directory Access Protocol (LDAP). Users can create a local
replica of their mail file while maintaining a complete mail file on a
Domino server. Notes users can work off-line and then connect to their
server to replicate changes to documents and send mail.
IMAP clients
Users with IMAP clients can download mail to a local mail file or interact
with and manage mail directly on a Domino server that runs the IMAP
service. They use the IMAP protocol to read and manage mail, use SMTP
to send mail, and can use LDAP to access the Domino Directory.
Enable the IMAP service and enable the SMTP listener to let IMAP
clients use the Domino server for mail.
For more information, see the chapter “Setting Up the IMAP Service.”
POP3 clients
Users with POP3 clients can download mail to a local mail file and
interact with it there, as well as leave a copy of the mail in their file on
the Domino server. POP3 clients retrieve mail from a Domino server that
runs the POP3 service, use SMTP to send mail, and can use LDAP to
access the Domino Directory.
Enable the POP3 service and enable the SMTP listener so that POP3
clients can use the Domino server for mail.
For more information, see the chapter “Setting Up the POP3 Service.”
iNotes Web Access clients and Webmail clients
Users with mail files on a Domino server running the HTTP service can
retrieve and send mail from a Web browser. All mail-related tasks and
actions are transmitted to the server over HTTP and performed by the
server.
From a Web browser, a user accesses mail using either the standard mail
template or the iNotes Web Access template (iNotes60.ntf). Users whose
mail files are based on the standard mail template can interact with mail
on the server but cannot store mail locally.
Users whose mail files are based on the iNotes Web Access template and
who use Internet Explorer as their Web browser can use the iNotes Web
Access mail client. On servers running Domino Off-Line Services
(DOLS), iNotes Web Access users can create a local mail file replica and
work offline. Changes made to the offline mail file are replicated to the
server the next time the user connects. Users whose mail files are based
on the standard mail template cannot access a local mail file replica from
the browser.
Enable the HTTP service for Web clients to use the Domino server for
mail.
For more information on setting up the HTTP service, see the chapter
“Setting Up the Domino Web Server.” For more information on
supporting iNotes Web Access, see the chapter “Setting Up iNotes Web
Access.”
iNotes Web Access for Microsoft Outlook
Users with mail files based on the Extended Mail template
(MAIL6EX.NTF) on a Domino server running Domino Off-Line Services
(DOLS) can use iNotes Web Access for Microsoft Outlook to access mail
from a Microsoft Outlook client.
iNotes Web Access for Microsoft Outlook communicates with the server
using the Notes MAPI service provider. Installing DOLS on the client
automatically creates and configures a MAPI profile. Data exchanged
between client and server travels over Notes routing protocols. Users can
send and receive mail using Outlook, as well as create and update entries
in the mail file’s calendar view using calendaring and scheduling tools in
the Outlook client.
Together with the iNotes Sync Manager, iNotes Web Access for
Microsoft Outlook lets a user create a local mail file replica and work
offline. Changes made to the offline mail file are replicated to the server
the next time the user connects.
For more information about iNotes Web Access for Microsoft Outlook,
see the chapter “Setting up iNotes Web Access.”
Mail performance and monitoring
Domino offers many performance-enhancing features, such as using
multiple MAIL.BOX databases and shared mail. Using multiple
MAIL.BOX databases allows multiple server processes to write mail at
once; the Router can operate on messages in one MAIL.BOX database,
while clients or other servers deposit mail to other MAIL.BOX databases.
Shared mail provides more efficient disk usage by storing a single copy
of a message addressed to multiple recipients on a server in a shared
mail database on the server. Each recipient receives a header for that
message, but the body of the message is stored in the shared mail
database to save disk space in users’ mail files. Users can still forward
and reply to mail as usual.
Domino and the Domino Administrator have a number of monitoring
features to help you plan, review, and troubleshoot your Domino system.
You can record server statistics, see which tasks are running on servers,
track mail messages, and make changes to multiple databases at once.
For more information, see the chapters “Setting Up Shared Mail,”
“Monitoring the Domino System,” and “Monitoring Mail.”
Overview of routing mail using Notes routing
By default, Domino uses Notes Remote Procedure Calls (NRPC) — also
called Notes routing or the Notes routing protocol — to transfer mail
between servers. Notes routing uses information in the Domino
Directory to determine where to send mail addressed to a given user.
Notes routing moves mail from the sender’s mail server to the recipient’s
mail server. The Router for the sender’s server determines the next server
to move the message to — or in other words, the next “hop” on the path
to the message’s destination. Each server uses its routing table to
calculate the next hop along the route to the destination server. When the
message reaches the destination server, the Router delivers it to the
recipient’s mail file.
How Notes routing moves a message
When a user sends mail to a recipient with a Notes address — for
example, Jane Doe/Acme — the Router picks up a message in
MAIL.BOX to determine where to direct the message. The Router first
looks in the Domino Directory for a Person document for the recipient,
Jane Doe/Acme. The Person document contains the name of Jane Doe’s
mail server. From this information the Router uses its knowledge of the
network (that is, the routing table) to determine the next stop for the
message. How the Router dispatches the message depends on whether
the recipient’s mail file is located:
• On the same server
• On a different server in the same Domino named network
• On a server in a different Domino named network within the local
Domino domain
• On a server in an external Domino domain
Moving a message to a recipient on the same server
After checking the recipient’s Person document, if the Router determines
that the recipient’s mail server is the same as the sender’s server, the
Router delivers the message to the recipient’s mail file.
Moving a message to a recipient on another server within a Notes
named network
If the sender and recipient don’t share a mail server, the Router checks
the Domino Directory to determine whether the servers are in the same
Domino domain.
If the Server document for the destination server is found within the
Domino Directory, the Router checks that document to determine the
network information for the server. On the Ports - Notes Network Ports
tab of the Server document, the server is assigned to one or more Notes
named networks (NNNs). A Domino named network is a group of
servers in a given Domino domain that share a common protocol and are
connected by a LAN or modem connections.
Note Servers within the same domain may or may not be in the same
Notes named network. Servers that share a Notes named network are
always in the same Domino domain.
If the two servers share a Notes named network, the Router immediately
routes the message from the MAIL.BOX file on the sender’s server to the
MAIL.BOX file on the recipient’s server. The Router on the recipient’s
server then delivers the message to the recipient’s mail file. Because mail
routes automatically within a Notes named network, you do not need to
create any additional connections or documents.
Moving a message to a recipient in a different NNN within the same
Domino domain
If the sender’s and recipient’s mail servers are in the same Domino
domain, but don’t share either a mail server or a Domino named
network, for transfer to succeed there must be some connection between
the two networks. Connections between Domino named networks can be
achieved by two means:
• Using a “bridge” server that is a member of multiple Domino named
networks
• Using a Connection document
When a Connection document provides the information for routing mail
between NNNs, the source and destination networks can be in different
Domino domains. The document contains all of the information the
Router needs to locate the destination network.
Using a “bridge” server to connect two networks in the same
Domino domain
Two networks in the same domain can communicate with each other in
the absence of a Connection document if any one server is a member of
both networks. Servers that reside in multiple networks can act as a
bridge between networks running diverse protocols. For example, if you
have one Domino named network running TCP/IP and another running
SPX, you can set up a server that runs both protocols to be a member of
both Domino named networks. This server acts as a bridge between the
networks.
• When a user in the TCP/IP network sends a message to someone in
the SPX network, the Router transfers the message from MAIL.BOX
on the sender’s server to MAIL.BOX on this “bridge” server. After
the message reaches a server in the destination Domino named
network, the Router on that server transfers the message to the
MAIL.BOX on the recipient’s server. The Router on the recipient’s
server delivers the message to the recipient’s mail file.
• If the path between servers involves multiple server “hops,” the
Router transfers the message to MAIL.BOX on the next server in the
path. Each Router on the path transfers the message to the
MAIL.BOX on the next server in the path.
Using Connection documents to connect networks and domains
When there is no common server to provide a bridge between networks,
the Router requires a Connection document to transfer mail between
them. A Connection document specifies the sending and receiving
servers, when and how to connect, and what tasks — such as, replication
and mail routing — to perform during the connection. The source, or
sending, server, and the receiving, or destination, server named in a
Connection document may reside within the same Domino domain, or in
different Domino domains.
After the Router finds a connection between the two Domino named
networks, it routes the mail to the next server along the connection path.
Connection documents for mail routing specify connections in one
direction and are generally found in pairs. For example, one Connection
document schedules a connection from Server A to Server B, and another
Connection document schedules a connection from Server B to Server A.
For more information about connecting servers in different Domino
named networks, see the chapter “Setting Up Mail Routing.”
Moving a message to a recipient in an external Domino domain
When a message in MAIL.BOX has a recipient address that points to a
destination outside of the local Domino domain, the Router checks the
Domino Directory for a Connection document that describes how the
local domain communicates with the destination domain. You can create
a Connection document between two domains whenever there is a direct
physical connection between them.
After finding the Connection document, the Router routes the message to
the server in the sender’s domain that connects to a server in the
recipient’s domain. When the servers connect, the message is transferred
to the other domain, where it routes to the recipient’s server and mail file.
Indirect connections between Domino domains
In organizations that have three or more Domino domains, you may not
be able to use Connection documents to connect certain domains,
because the network topology does not allow for direct physical
connections between them. However, if they both have Connection
documents to a common intermediate domain, you can route mail from
the source domain to the destination domain through the domain (or
domains) that bridge them. For example, if Domain A and Domain B do
not have any server connections but both have connections to Domain C,
mail between Domain A and Domain B can route through Domain C.
To set up this routing path, you create Non-adjacent Domain documents
that specify the target domain and the domain through which to route
mail to reach that target domain.
Addressing mail to users in a different domain
When sending mail within a Domino domain, the sender only has to
specify the user’s common name, for example, John Smith. Since John
Smith has a Person document in the same Domino Directory as the
sender, the Router finds John’s entry in the directory and determines the
location of his mail file. However, when sending mail to a user in a
different Domino domain, the Router does not have access to the
recipient’s Person document, since it is stored in a different Domino
Directory. When addressing mail to a user in a different Domino domain,
the sender must append the recipient’s domain to the recipient’s address.
For example, a user in the Lotus domain who wants to send mail to John
Smith in the Acme domain must address the message to jsmith@Acme,
not just jsmith or John Smith. The domain name in the address signals the
Router to look for a Connection document to this domain and transfer
the message to the server specified in that document.
To make it easier to address mail to users in other domains, users can
create an entry in their Personal Address Book to specify the recipient’s
complete address — for example, jdoe@Acme. Alternatively, an
administrator can create an entry in the Domino Directory to specify the
recipient’s address in the Forwarding address field of the recipient’s
Person document, or use Directory Assistance or a Directory Catalog to
share Domino Directories across domains.
For information about setting up Directory Assistance and Directory
Catalogs, see the chapter “Planning Directory Services.” For information
on using LDAP directories, see the chapter “Setting up the LDAP
Service.”
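The hop selection described in the Notes routing sections above, from same-server delivery through bridge servers, Connection documents and Non-adjacent Domain documents, as an added Python model that is not Domino's own code; the Directory, ServerDoc and next_hop names and the Acme/Lotus/Iris sample data are constructed for illustration.

```python
"""Next-hop selection in Notes routing: same server, same Notes named network,
"bridge" server, Connection document, external and non-adjacent domain.
Added example with constructed directory data; not Domino's routing-table code."""
from dataclasses import dataclass, field

@dataclass(frozen=True)
class ServerDoc:
    name: str            # Notes name of the server, e.g. "Hub/Acme"
    domain: str          # Domino domain named in the Server document
    nnns: frozenset      # Notes named networks (Ports - Notes Network Ports tab)

@dataclass
class Directory:
    """Routing-relevant documents of one Domino Directory (constructed model)."""
    domain: str
    persons: dict        # user name -> home (mail) server, from Person documents
    servers: dict        # server name -> ServerDoc; servers in other domains that
                         # Connection documents point to are included for lookup
    connections: list    # (source server, destination server), one direction each
    nonadjacent: dict = field(default_factory=dict)  # target domain -> domain to route through

def parse_address(address, local_domain):
    """'John Smith' -> the local domain; 'jsmith@Acme' -> the Acme domain."""
    if "@" in address:
        name, domain = address.split("@", 1)
        return name, domain
    return address, local_domain

def next_hop(directory, sender_server, address):
    """What the Router on sender_server does with a message picked up in MAIL.BOX:
    ('deliver', server), ('transfer', next server) or ('undeliverable', reason)."""
    src = directory.servers[sender_server]
    name, domain = parse_address(address, directory.domain)
    if domain == directory.domain:
        home = directory.persons.get(name)
        if home is None:
            return ("undeliverable", "no Person document for " + name)
        if home == sender_server:
            return ("deliver", home)            # mail file is on this server
        hop = hop_within_domain(directory, src, directory.servers[home], set())
    else:
        hop = hop_to_domain(directory, src, domain, set())
    if hop is None:
        return ("undeliverable", "no route from %s to %s" % (sender_server, address))
    return ("transfer", hop)

def hop_within_domain(directory, src, dest, visited):
    """Next MAIL.BOX on the way to dest, a server in the same Domino domain."""
    if src.nnns & dest.nnns:
        return dest.name                        # shared NNN: route straight to dest
    for s in directory.servers.values():        # a "bridge" server that is in both NNNs
        if s.domain == src.domain and s.nnns & src.nnns and s.nnns & dest.nnns:
            return s.name
    for source, target in directory.connections:   # our own Connection document into dest's NNN
        if source == src.name and directory.servers[target].nnns & dest.nnns:
            return target
    for source, target in directory.connections:   # another local server holds such a document
        holder = directory.servers[source]
        if (holder.domain == src.domain and source not in visited
                and directory.servers[target].nnns & dest.nnns):
            return hop_within_domain(directory, src, holder, visited | {source})
    return None

def hop_to_domain(directory, src, domain, visited):
    """External domain: a Connection document to that domain, else the intermediary
    domain named in a Non-adjacent Domain document."""
    for source, target in directory.connections:
        if source == src.name and directory.servers[target].domain == domain:
            return target                       # this server connects to the domain itself
    for source, target in directory.connections:   # a local server that connects to it
        holder = directory.servers[source]
        if holder.domain == src.domain and directory.servers[target].domain == domain:
            return hop_within_domain(directory, src, holder, set())
    via = directory.nonadjacent.get(domain)
    if via is None or via in visited:
        return None
    return hop_to_domain(directory, src, via, visited | {domain})

# Constructed sample: Boston hub on TCP/IP and SPX, two Boston mail servers on
# different protocols, a Chicago server reached only through Connection
# documents, and one Connection document pair to the Lotus domain.
ACME = Directory(
    domain="Acme",
    persons={"John Smith": "Mail1/Acme", "Jane Doe": "Mail2/Acme",
             "Bob Lee": "Mail3/Acme", "Ann Cho": "Hub/Acme"},
    servers={
        "Hub/Acme": ServerDoc("Hub/Acme", "Acme", frozenset({"TCPIP-Boston", "SPX-Boston"})),
        "Mail1/Acme": ServerDoc("Mail1/Acme", "Acme", frozenset({"TCPIP-Boston"})),
        "Mail2/Acme": ServerDoc("Mail2/Acme", "Acme", frozenset({"SPX-Boston"})),
        "Mail3/Acme": ServerDoc("Mail3/Acme", "Acme", frozenset({"TCPIP-Chicago"})),
        "Gateway/Lotus": ServerDoc("Gateway/Lotus", "Lotus", frozenset({"TCPIP-Cambridge"})),
    },
    connections=[("Hub/Acme", "Mail3/Acme"), ("Mail3/Acme", "Hub/Acme"),
                 ("Hub/Acme", "Gateway/Lotus"), ("Gateway/Lotus", "Hub/Acme")],
    nonadjacent={"Iris": "Lotus"},   # Non-adjacent Domain document: reach Iris through Lotus
)
```

Calling next_hop(ACME, "Mail1/Acme", "Bob Lee") shows the Chicago server reached through the hub's Connection document, and next_hop(ACME, "Hub/Acme", "jsmith@Iris") shows the non-adjacent domain routed through the Lotus gateway.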
Overview of routing mail using SMTP
By default, Domino uses the Notes routing protocol to transfer mail
between servers. You can configure Domino to use SMTP to route mail
instead of or in addition to using Notes routing.
Message transfer over SMTP routing is performed as a point-to-point
exchange between two servers. The sending SMTP server contacts the
receiving SMTP server directly and establishes a two-way transmission
channel with it. To send a message over SMTP:
1. The sending server checks the recipient’s address, which is in the
format localpart@domain, and looks up the domain in the Domain
Name System (DNS).
2. DNS returns the Mail Exchanger (MX) record for the domain,
indicating the IP address of the servers in the domain that accept
mail over SMTP.
3. The sending server connects to the destination server over TCP/IP,
establishes an SMTP connection on port 25, transfers the message,
and closes the connection.
Enabling SMTP on the Domino server
Domino supports sending and receiving mail over SMTP by means of the
SMTP listener task and SMTP Router, respectively, each of which you
enable separately. The SMTP listener task handles incoming SMTP
connections and delivers messages received over those connections to
MAIL.BOX. It does not handle subsequent delivery or transfer of those
messages. You configure the SMTP listener task for receiving mail on the
Basics tab of the Server document. For more information about
configuring Domino to receive SMTP mail from other servers in your
organization and/or from the Internet over SMTP, see the chapter
“Setting Up Mail Routing.”
The Router task for SMTP is the same Router task that handles Notes
routing. When a message in MAIL.BOX requires transfer to another
server, the Router determines where to send it and whether to send it
over Notes routing or SMTP.
By default, SMTP is disabled. To configure Domino to use SMTP to send
mail, you must change settings on the Router/SMTP-Basics tab of the
Configuration Settings document. You can configure Domino to use
SMTP when sending mail to destinations:
• Outside the local Internet domain
• Within the local Internet domain
For more information, see the chapter “Setting Up Mail Routing.”
How the Router determines when to use SMTP
On servers that support both SMTP and Notes routing, each time the
Router detects a new message in MAIL.BOX, it chooses the protocol by
which to transfer the message. The routing decision is based on the
message’s address and format, and whether the server is configured to
send SMTP within the local Domino domain, outside the local Internet
domain, or both.
Using SMTP to send mail to local domain addresses
Enabling SMTP within the local Domino domain allows the Router to
consider SMTP as an alternative routing protocol when transferring mail
to another Domino server in the same Domino domain. When
configuring servers to send SMTP within the local Domino domain, you
have the following options:
• SMTP allowed for MIME messages only - If the destination is a
Domino server running the SMTP listener and the message
deposited in MAIL.BOX is already in MIME format, the Router sends
it using SMTP. Messages in Notes rich text format are sent over
Notes routing.
• SMTP allowed for all messages - If the destination is a Domino server
running the SMTP listener, the Router always uses SMTP when
transferring a message to another Domino SMTP host, regardless of
the message’s current format. If a message deposited in MAIL.BOX is
in Notes format, the Router converts the message to MIME before
sending.
When the Router picks up a message in MAIL.BOX, it reads the address
to determine whether the recipient is in the local domain. If the recipient
is local, the Router looks in the ($Users) view of the Domino Directory for
a Person document containing that address. If SMTP is allowed within
the domain and the message format matches the format specified in this
setting, the Router uses TCP/IP to connect to the destination server,
establishes an SMTP connection, and transfers the message.
By default, enabling SMTP within the local Domino domain allows the
Router to use SMTP to transfer mail to any other Domino SMTP host in
the same Domino domain. You can restrict the use of SMTP within the
local domain so that SMTP is allowed only for message transfers that
take place between servers in the same Domino named network. To set
this restriction, use the field “Servers within the local Domino domain
are reachable via SMTP over TCPIP” on the Router/SMTP - Basics tab of
the Configuration Settings document.
If the receiving server is running the SMTP listener, servers configured to
send SMTP within the local Domino domain always use SMTP to send
MIME messages to destinations within the same Domino named
network. For messages in Notes format, the Router sends SMTP only if
the server is configured to send all messages over SMTP.
Sending SMTP outside the local Internet domain
Enabling Domino to send SMTP to external Internet domains allows the
server to transfer outbound Internet mail either directly to a host in the
receiving domain or indirectly to an Internet host.
If a message in MAIL.BOX has a recipient address that contains an @ sign
and a domain part (the part of the address to the right of the @ sign) that
does not resolve to the local Domino domain, the Router identifies the
message destination as non-local. A non-local address can be an RFC 821
Internet address (where the domain part contains a period and is in the
form localpart@org.domain) or an address in another Domino domain
(including Foreign domains such as a pager or fax gateway).
To determine whether an Internet address is local, the Router checks
whether the domain part of the address matches any of the local Internet
domains defined in the Global Domain document in the Domino
Directory. Local Internet domains include any domains listed in the
Local primary Internet domain and Alternate Internet domain aliases
fields in the Global Domain document. If there is no Global Domain
document, the Router compares the domain in the recipient’s address to
the server’s host name. For example, if the message is addressed to
jdoe@mailhost3.acme.com and the Router is on the server
mailhub.acme.com, the Router knows that the recipient is in the local
Internet domain.
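The two decisions just described, whether an address is in the local Internet domain and whether SMTP or Notes routing carries a transfer inside the local Domino domain, as an added Python model that is not Domino's code; the field names are quoted from the text, while the option strings, the RouterSettings/ServerDoc classes and the sample servers are assumptions made here.

```python
"""Router protocol choice for a message picked up in MAIL.BOX: is the recipient
in the local Internet domain, and inside the local Domino domain, does SMTP or
Notes routing carry the transfer?  Added example with constructed data; field
names are quoted from the text, the option strings are modelled here."""
from dataclasses import dataclass, field

@dataclass
class GlobalDomain:
    """Global Domain document: local primary Internet domain plus alternate aliases."""
    primary: str
    aliases: list = field(default_factory=list)

@dataclass
class ServerDoc:
    name: str
    hostname: str          # fully-qualified Internet host name
    nnns: frozenset        # Notes named networks the server belongs to
    smtp_listener: bool    # SMTP listener task enabled on the Basics tab

@dataclass
class RouterSettings:
    """Router/SMTP - Basics tab of the Configuration Settings document (modelled)."""
    smtp_within_local_domain: str = "Disabled"      # or "MIME messages only", "All messages"
    local_servers_reachable_via_smtp: str = "All"   # or "Same Notes named network only"
    smtp_outside_local_domain: bool = False

def domain_part(address):
    """Part of the address to the right of the @ sign, or None for a Notes name."""
    return address.rsplit("@", 1)[1].lower() if "@" in address else None

def is_local_internet_domain(address, global_domain, server_hostname):
    """Match the domain part against the Global Domain document; with no such
    document, compare it with the server's own host name (assumed here to mean
    the same parent domain, so jdoe@mailhost3.acme.com is local on mailhub.acme.com)."""
    dom = domain_part(address)
    if dom is None:
        return True                  # Notes address: stays in the local domain
    if global_domain is not None:
        local = [global_domain.primary] + list(global_domain.aliases)
        return dom in {d.lower() for d in local}
    own = server_hostname.lower()
    parent = own.split(".", 1)[1] if "." in own else own
    return dom == own or dom == parent or dom.endswith("." + parent)

def choose_transfer(message_format, src, dest, settings):
    """Transfer between two servers of the same Domino domain: 'deliver', 'SMTP',
    'SMTP (convert to MIME)' or 'Notes routing'."""
    if src.name == dest.name:
        return "deliver"
    if settings.smtp_within_local_domain == "Disabled" or not dest.smtp_listener:
        return "Notes routing"
    if (settings.local_servers_reachable_via_smtp == "Same Notes named network only"
            and not (src.nnns & dest.nnns)):
        return "Notes routing"       # SMTP restricted to the sender's own NNN
    if message_format == "MIME":
        return "SMTP"
    if settings.smtp_within_local_domain == "All messages":
        return "SMTP (convert to MIME)"   # Notes rich text converted before sending
    return "Notes routing"           # "MIME messages only": rich text stays on Notes routing

def route(address, message_format, src, persons, settings, global_domain):
    """Both decisions for one recipient.  persons maps a local address to the
    recipient's mail server, as the ($Users) view / Person document would."""
    if not is_local_internet_domain(address, global_domain, src.hostname):
        if settings.smtp_outside_local_domain:
            return "SMTP"            # directly to the receiving domain or via the relay host
        return "Notes routing"       # to a Domino SMTP server (Foreign SMTP Domain document)
    dest = persons.get(address.lower())
    if dest is None:
        return "undeliverable"
    return choose_transfer(message_format, src, dest, settings)

# Constructed sample servers and directory entries.
HUB = ServerDoc("Mailhub/Acme", "mailhub.acme.com", frozenset({"TCPIP-Boston"}), True)
MAIL3 = ServerDoc("Mailhost3/Acme", "mailhost3.acme.com", frozenset({"TCPIP-Boston"}), True)
MAIL7 = ServerDoc("Mailhost7/Acme", "mailhost7.acme.com", frozenset({"TCPIP-Chicago"}), True)
LEGACY = ServerDoc("Legacy/Acme", "legacy.acme.com", frozenset({"TCPIP-Boston"}), False)
PERSONS = {"jdoe@acme.com": MAIL3, "bob@acme.com": MAIL7,
           "eve@acme.com": LEGACY, "jsmith@acme.co.uk": HUB}
ACME = GlobalDomain("acme.com", ["acme.co.uk"])
```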
Connecting the Domino mail system to the Internet
Because Domino routes mail using the Internet-standard SMTP routing
protocol, it’s easy to configure the Domino system to send and receive
mail from external Internet domains. For outgoing mail you can use a
gateway routing architecture in which only designated servers use SMTP
to route mail to external domains, or you can enable all mail servers to
use SMTP to route mail to external domains. For inbound mail, you need
to decide how to route mail coming in to your Internet domain from a
firewall to Domino servers. How you set up inbound mail depends on
whether your organization uses a single Internet domain name or
multiple names and on the distribution of your servers.
For information on connecting Domino to the Internet, see the topics
Preparing to send and receive mail to the Internet and Routing mail to
external Internet domains.
For information on connecting Domino to the Internet, see the chapter
“Setting Up Mail Routing.”
Using a relay host
A relay host is an SMTP server or firewall that connects to the Internet
and forwards, or relays, inbound or outbound Internet mail. A relay host
can also be a DNS name that maps to multiple MX records. To configure
Domino to use a relay host, you use two fields on the Configuration
Settings document of the sending server. Add the relay’s DNS or host
name to the “Relay host for messages leaving the local Internet domain”
field and enable “SMTP used when sending messages outside of the local
Internet domain.”
Note R4 SMTP MTA servers use the relay host specified in the SMTP
Connection document.
For more information on configuring Domino to use a relay host, see the
chapter “Setting Up Mail Routing.”
Using Notes routing to transfer outbound Internet mail to an SMTP
server
On internal Domino servers that do not use SMTP to route mail, Domino
uses Notes routing to transfer outbound Internet messages to a Domino
SMTP server, which then transfers the messages to the Internet, either
directly or through a relay host. Configuring servers that use Notes
routing to transfer Internet mail to a Domino SMTP server requires a
Foreign SMTP Domain document and an SMTP Connection document.
For more information on setting up Notes routing for Internet mail, see
the chapter “Setting Up Mail Routing.”
The Domain Name System (DNS) and SMTP mail routing
The Domain Name System (DNS) is a directory used by SMTP to convert
a name, such as acme.com, to a list of servers that can receive connections
for that name and to find the IP address of a specific server. By looking
up a destination server’s address in the DNS, the sending server can
properly route a message to a recipient. DNS uses two kinds of records:
Mail Exchanger (MX) records and A records. An MX record maps a
domain name to the names of one or more mail hosts. An A record maps
a host name to the IP address of a server.
Mail servers also use other DNS records. For example, servers that
receive Internet mail perform a reverse lookup to a DNS PTR record to
determine the host name for a given IP address. Reverse lookups are
useful in verifying the source of a message, an important tool for
restricting relay access through your server or preventing unsolicited
commercial e-mail (UCE).
You must correctly configure DNS to support your use of SMTP. To
determine the IP address of the mail server for the destination domain,
Domino does the following:
1. The server looks up the domain part of each recipient’s address in
DNS.
2. If DNS finds an MX record, the server tries to connect to the server
listed in that MX record. If there is more than one MX record, the
server tries to connect to the record that has the lowest cost. If more
than one MX record has the lowest cost, the server randomly selects
one and tries to connect to the server listed in that MX record.
Note There may be more than one MX record for a specific domain
name. The host name is looked up in DNS to find an A record. An A
record contains the IP address for the host.
3. If DNS finds only an A record, Domino routes the message to the IP
address in that A record.
4. If DNS does not find a record, Domino cannot deliver the message
and sends a nondelivery message to the sender.
An MX record maps a domain name to one or more host names. An A
record maps a host name to the IP address of a server. You may want to
use a host name in the MX record instead of just an A record for the
following reasons:
• Some third-party tools recognize only host names, not IP addresses.
• If you replace or relocate a machine, you can assign the existing host
name and IP address to the new or relocated machine. This change is
transparent to users, and messages continue to route properly.
You can use DNS to provide failover and load-balancing for your mail
servers by creating multiple MX records for a domain name on the DNS
server. When you set more than one MX record for a name, you can set
preference values to control how DNS selects those records. DNS selects
lower value preferences first — for example, DNS selects 5 before 10. If
more than one MX record has the same preference value, DNS randomly
selects from among those MX records. If one of those MX records fails —
for example, because a server is unavailable — DNS caches that failure
and tries other MX records of equal weight, followed by less-preferred
MX records.
For example, the acme.com domain has four MX records:
• MX record: acme.com IN MX 5 mail1.acme.com
• MX record: acme.com IN MX 5 mail2.acme.com
• MX record: acme.com IN MX 10 mail3.acme.com
• MX record: acme.com IN MX 10 mail4.acme.com
When a server tries to connect to acme.com, the DNS first uses MX
records with preferences of 5. If there are two MX records with
preferences of 5, DNS randomly selects between the MX record for
mail1.acme.com or mail2.acme.com. If the DNS returns the MX record
for mail1.acme.com and mail1.acme.com is unavailable, the DNS returns
the MX record for mail2.acme.com. If mail2.acme.com is unavailable,
both MX records with a cost of 5 have failed. The DNS then selects MX
records that have a cost of 10 and uses them the same way it used the MX
records that have a cost of 5.
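The MX selection walk described above, as an added example that is not part of the Domino documentation: it parses a constructed zone snippet mirroring the acme.com records, tries hosts by ascending preference with a random choice inside each equal-preference group, skips hosts marked as failed, and falls back to the domain's own A record when there is no MX at all. All host names and addresses are constructed.

```python
import random

# Constructed zone data (not from the documentation) mirroring the acme.com
# records in the text, plus a host that has only an A record and no MX.
ZONE_TEXT = """
acme.com.        IN MX 5  mail1.acme.com.
acme.com.        IN MX 5  mail2.acme.com.
acme.com.        IN MX 10 mail3.acme.com.
acme.com.        IN MX 10 mail4.acme.com.
mail1.acme.com.  IN A  192.168.10.17
mail2.acme.com.  IN A  192.168.10.18
mail3.acme.com.  IN A  192.168.10.19
mail4.acme.com.  IN A  192.168.10.20
qrs.com.         IN MX 5  mail1.acme.com.
qrs.com.         IN MX 10 mail2.acme.com.
solo.example.    IN A  192.0.2.25
"""


def normalize(name):
    """DNS names are case-insensitive; drop the trailing dot for comparison."""
    return name.lower().rstrip(".")


def parse_zone(text):
    """Parse 'owner IN TYPE rdata' lines into MX and A lookup tables."""
    zone = {"mx": {}, "a": {}}
    for raw in text.splitlines():
        line = raw.split(";")[0].strip()      # ignore comments and blank lines
        if not line:
            continue
        fields = line.split()
        owner, rtype = normalize(fields[0]), fields[2].upper()
        if rtype == "MX":
            pref, host = int(fields[3]), normalize(fields[4])
            zone["mx"].setdefault(owner, []).append((pref, host))
        elif rtype == "A":
            zone["a"][owner] = fields[3]
    return zone


def mx_try_order(domain, zone, rng=random):
    """Hosts in the order a sender tries them: ascending preference (5 before
    10), with a random shuffle inside each group of equal preference."""
    groups = {}
    for pref, host in zone["mx"].get(normalize(domain), []):
        groups.setdefault(pref, []).append(host)
    order = []
    for pref in sorted(groups):
        hosts = list(groups[pref])
        rng.shuffle(hosts)
        order.extend(hosts)
    return order


def pick_delivery_target(domain, zone, unavailable=frozenset(), rng=random):
    """Return (host, ip) for the first reachable mail host, or None when the
    Router would give up and send a non-delivery report.

    `unavailable` stands in for the cached connection failures the text
    describes: hosts in it are skipped, so equal-preference peers are tried
    first and less-preferred MX hosts only after a whole group has failed."""
    name = normalize(domain)
    order = mx_try_order(name, zone, rng)
    if not order:
        # No MX record at all: route to the domain's own A record, if any.
        ip = zone["a"].get(name)
        return (name, ip) if ip and name not in unavailable else None
    for host in order:
        if host in unavailable:
            continue
        ip = zone["a"].get(host)           # an MX target still needs an A record
        if ip:
            return (host, ip)
    return None


ZONE = parse_zone(ZONE_TEXT)

if __name__ == "__main__":
    print("first try:", pick_delivery_target("acme.com", ZONE))
    print("both 5s down:", pick_delivery_target(
        "acme.com", ZONE, unavailable={"mail1.acme.com", "mail2.acme.com"}))
    print("all down:", pick_delivery_target(
        "acme.com", ZONE, unavailable={h for _, h in ZONE["mx"]["acme.com"]}))
    print("A only:", pick_delivery_target("solo.example", ZONE))
```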
Examples of using multiple MX records
These are examples of setting up multiple MX records in the DNS.
Using a single Internet domain with a single domain name
You can specify MX records for a single Internet domain — for example,
acme.com — with a single Internet domain name, such as acme.com. Use
the server’s fully-qualified Internet host name in the MX and A records
— for example, mail1.acme.com.
For example, configure a backup SMTP server (mail2.acme.com) to
deliver or forward mail when the primary SMTP server
(mail1.acme.com) is unavailable:
1. MX record: acme.com IN MX 5 mail1.acme.com
A record: mail1.acme.com IN A 192.168.10.17
2. MX record: acme.com IN MX 10 mail2.acme.com
A record: mail2.acme.com IN A 192.168.10.18
Messages addressed to acme.com route to mail1.acme.com first
because the record’s preference (5) is lower. If mail1.acme.com is
unavailable, mail is routed to mail2.acme.com.
Using a single Internet domain name with two balanced servers
If you specify equal preference for two servers, DNS randomly selects a
server to balance the load of incoming mail.
1. MX record: acme.com IN MX 5 mail1.acme.com
A record: mail1.acme.com IN A 192.168.10.17
2. MX record: acme.com IN MX 5 mail2.acme.com
A record: mail2.acme.com IN A 192.168.10.18
Using a single Internet domain with multiple domain names
You can create MX records for a single Internet domain — for example,
acme.com — with multiple Internet domain names — for example,
acme.com, qrs.com, and xyz.com.
Note Users can address mail to each domain name and each domain
has a backup SMTP server.
1. MX record: acme.com IN MX 5 mail1.acme.com
2. MX record: acme.com IN MX 10 mail2.acme.com
3. MX record: qrs.com IN MX 5 mail1.acme.com
4. MX record: qrs.com IN MX 10 mail2.acme.com
5. MX record: xyz.com IN MX 5 mail1.acme.com
6. MX record: xyz.com IN MX 10 mail2.acme.com
Chapter 27
Setting Up Mail Routing
This chapter describes how to set up mail routing on your Domino
system. If you are upgrading a mail system from a previous Domino
release, see the Upgrade Guide.
The Domino mail router
The Domino mail router (the Router) is a special server task responsible
for the delivery and transfer of the messages in MAIL.BOX. Delivery
refers to moving messages from MAIL.BOX into a local mail file or
database; while transfer refers to sending messages from MAIL.BOX
across the network to another server.
Mail routing on a Domino server begins when a mail server receives a
message from a mail client, a Router on another Domino server, or an
application. The message is transferred to a special Notes database,
called MAIL.BOX, on the server. The server temporarily stores all
incoming and outgoing mail in the MAIL.BOX database.
The Router periodically checks MAIL.BOX for new or changed messages.
When it finds a message that requires processing, the Router reads the
recipient list and for each recipient determines whether the destination
mail file is on the current server or a different server. The Router then
moves the message, delivering it to local mail files on the server or
transferring it to MAIL.BOX databases on other servers as necessary.
When a recipient’s mail file is not on the local server, but is in the
Domino domain, Domino calculates how to route the message to the
recipient’s server and whether to use SMTP or Notes routing. The
configuration of the local server and the message format determine how
Domino moves the message to the server. For messages in MIME format,
if the local server can send SMTP within the local Internet domain and
the home mail server can receive SMTP, the Router uses SMTP to send
the message. Otherwise the message is routed using NRPC.
When necessary, the Router converts the format of the message.
Conversion can occur during message delivery and during message
transfer. For example, if a recipient’s Person document specifies MIME
storage for incoming mail, but the original message was sent in Notes
rich text format, the Router converts the message to MIME before
delivering it to the local recipient’s mail file. Likewise, during message
transfer, if a server receives a message in MIME format and must transfer
it to a Domino Release 4 server, which does not support MIME, the
server converts the MIME message to Notes rich text before transferring
it. To determine whether the receiving server can handle MIME
messages, the sending server checks the Server document of the
receiving server to find out what version of Domino it’s running.
To minimize the number of conversions, Domino servers running
Release 5 or later support the transfer of MIME messages over Notes
routing. As a result, MIME messages destined for Internet recipients can
route through internal servers “as is,” regardless of whether the
intermediate servers use Notes routing or SMTP.
Planning a mail routing topology
Domino offers you considerable flexibility in configuring your mail
system infrastructure, allowing you to use Notes routing, SMTP routing,
or both, for internal and external messages. In determining how to set up
mail routing, you need to consider:
• How clients access the server
• How to route internal mail
• How to route mail to external destinations
• Connection topologies for mail routing
Connection topologies for mail routing
Typically, mail routing on the network occurs across a mix of
hub-and-spoke and peer-to-peer connections. In a hub-and-spoke
topology, mail traffic passes between a central hub server and multiple
spoke servers; no mail is exchanged directly among the spokes. A
hub-and-spoke topology is suited to handling a high volume of mail
across a large organization. In a peer-to-peer topology, on the other
hand, every server connects to every other server. A peer-to-peer
topology is commonly used when connecting a small number of servers
in a workgroup or department.
• In larger networks, create a Domino server cluster to act as the mail
hub and specify the cluster as the destination in Connection
documents originating from spoke servers.
• When connecting Domino domains, designate one server in each
domain to connect to other domains. In larger networks, make this
connecting server part of a Domino cluster to provide failover.
• When connecting domains across a wide-area network (WAN),
ensure that the Connection documents match the physical network
path of the WAN. For example, in a network where multiple WAN
connections originate from a central site (hub-to-spoke design),
create Connection documents that follow this same design, with
Connection documents between the hub server or server cluster and
each spoke server, and vice-versa.
• When setting up a connection from a spoke server to a clustered hub,
specify the name of the cluster as the destination server in
Connection documents.
• Establish a single Connection document to define routing from all
spoke servers in a domain to a central hub server or server cluster by
using a wildcard (*) to represent part of the source server’s name in
the Connection document. For example, enter */acme as the source
server to set up a connection from all servers in the /acme
organization (Mail1/acme, Mail2/acme, SalesMail/acme,
HRMail/acme, and so forth) to a designated destination server.
• Establish a single Connection document to define routing from a hub
server to each spoke server by creating a server group that includes
each spoke server as a member and specifying this group as the
destination server in the Connection document from the hub server.
For example, create a group MailSpokes and add the servers
Mail1/acme, Mail2/acme, SalesMail/acme, and HRMail/acme to
this group. Then create a Connection document from the hub server
that lists MailSpokes as the destination server.
For more information on connecting servers, see the chapter “Setting Up
Server-to-Server Connections.”
Clients accessing the Domino server
Users who have mail files on the Domino server can use either the Notes
client or an Internet mail client to access their mail. By default, Notes
clients use Notes protocols to send and access mail on a Domino server,
but a Notes client can also act as an Internet mail client. Internet mail
clients access mail files through the Domino POP3, IMAP, or HTTP
servers. POP3 and IMAP clients send mail using SMTP.
When deciding how to route local mail, keep in mind what types of mail
clients you support. For example, if users have Internet mail clients, such
as POP3 or IMAP, you’ll need servers that can receive mail over SMTP.
On the other hand, if most users send mail from the Lotus Notes mail
client, you’ll want to implement Notes routing to ensure support for
Notes public key security and features such as Notes Document links
and workflow applications.
For more information about Domino mail clients, see the chapter
“Overview of the Domino Mail System.”
Routing internal mail
Internal mail consists of messages sent between users within an
organization and its local Internet domains. The Domino mail router (the
Router) uses both SMTP and Notes routing to transfer messages between
network servers, and handles messages in both MIME format and Notes
rich text format. By default, the Router transfers local mail using the
Notes routing protocol only. Within a given Domino named network,
servers that use Notes routing automatically transfer mail among
themselves.
For information about configuring Notes routing to support messaging
across multiple Domino named networks and domains, see the topic
“Setting up Notes routing” later in this chapter.
To use SMTP routing to transfer local mail, you must enable the SMTP
listener for receiving mail and enable servers to send SMTP within the
local Domino domain. In addition, the Server document for each
SMTP-enabled server must specify a valid, fully qualified Internet host
name for the server. In most cases the host name field is populated
during server setup or by the Admin process (AdminP).
For information about setting up internal SMTP routing, see the topic
“Setting up SMTP routing within the local Internet domain” later in this
chapter.
Implementing different protocols for internal and external routing
When selecting the protocol to use for internal mail routing, don’t base
your decision on whether you’re using SMTP to transfer mail to external
systems. Domino can send mail to the Internet even if you use Notes
routing for internal mail. Rather than having all your servers route
SMTP, you may want to retain a gateway-style architecture wherein you
channel all mail to and from the Internet through a few designated
servers and prohibit the majority of internal servers from sending
directly to the Internet.
Ensuring support for Lotus Notes functionality
When choosing a routing protocol, consider security requirements and
the need to support Notes applications. Using Notes as the internal
routing protocol and SMTP for external routing can provide greater
protection for your network against external intrusion. Certain Lotus
Notes features, such as mail-enabled workflow applications, Notes
public key security, and Notes items, such as Doclinks, require Notes
routing to work properly.
Routing mail to local users not listed in the Domino Directory
If you have users in your organization who are not listed in the Domino
Directory, but in an alternate directory on another SMTP server, set up
Domino to use this other server as a smart host. When processing a
message in MAIL.BOX, if the Router comes across a recipient address
that is in the local Internet domain, but does not have a match in the
Domino Directory, it forwards the message to the specified smart host,
which routes it to the recipient.
For information about setting up a smart host, see the topic “Setting up a
smart host” later in this chapter.
A Domino SMTP server in your organization may receive Internet mail
for recipients in Domino domains that are within the local Internet
domain, but outside the local Domino domain, and thus not listed in the
Domino Directory. To ensure that the server can access other Domino
Directories and route messages to servers in other Domino domains,
configure Directory Assistance on the server.
For more information, see the chapter “Setting Up Directory Assistance.”
Starting and stopping the mail router
By default, when you start the server, the Router task automatically loads
and starts. You can manually shut down and restart the Router to
troubleshoot server and messaging problems. You can also disable
automatic loading of the Router.
To shut down the Router from the console
Enter this command at the console:
tell router quit
This shuts down the Router. Mail accumulates in MAIL.BOX, since other
servers and clients continue to deposit mail, but the Router does not
deliver or transfer the messages.
To reload the Router, enter this command at the console:
load router
The Router task starts and begins routing and delivering mail.
To shut down the Router from the Domino Administrator
1. From the Domino Administrator, click the Server — Status tab.
2. Select the Server Tasks view.
3. From the list of tasks, right-click Router and select Stop Task.
4. Click Yes when prompted to confirm the operation. The Router task
shuts down and no longer appears in the list of active tasks. Mail
accumulates in MAIL.BOX, since other servers and clients continue
to deposit mail, but the Router does not deliver or transfer the
messages.
To start the Router from the Domino Administrator
1. From the Domino Administrator, click the Server — Status tab.
2. Choose Tools — Task — Start.
3. From the Start New Task dialog box, select Router and click Start
Task. The Router task starts and begins routing and delivering mail.
4. Click Done to close the dialog box.
To prevent the Router from automatically starting when the server starts
1. Shut down the server.
2. Edit the NOTES.INI file to remove Router from the ServerTasks
setting.
3. Restart the server so that the change takes effect.
When you restart the server, it does not load the Router task.
To restore automatic loading, add Router back to the ServerTasks setting
in the NOTES.INI file.
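The NOTES.INI edit from the procedure above, as an added example that is not part of the Domino documentation: it removes Router from the ServerTasks setting or restores it, leaving every other key (including the separate ServerTasksAt<n> settings) untouched. The NOTES.INI fragment is constructed, and the functions operate on text so you can check the result against a copy before writing it back to the server.

```python
import re

# Constructed NOTES.INI fragment (not a file from the documentation).  The
# ServerTasksAt1 line is there to show that only ServerTasks itself is edited.
SAMPLE_INI = """[Notes]
Directory=C:\\Lotus\\Domino\\Data
ServerTasks=Update,Replica,Router,AMgr,AdminP,CalConn,Sched,HTTP
ServerTasksAt1=Catalog,Design
"""

TASK = "Router"
# Matches the ServerTasks key only; ServerTasksAt1 and friends do not match
# because a '=' must follow the key name directly.
_KEY = re.compile(r"^(ServerTasks)\s*=\s*(.*?)\s*$", re.IGNORECASE)


def _split_tasks(value):
    """Split the comma-separated task list, dropping empty entries."""
    return [t.strip() for t in value.split(",") if t.strip()]


def router_autoloads(ini_text):
    """True if Router is in the ServerTasks list, i.e. loads at server start."""
    for line in ini_text.splitlines():
        m = _KEY.match(line)
        if m:
            return any(t.lower() == TASK.lower() for t in _split_tasks(m.group(2)))
    return False


def set_router_autoload(ini_text, enabled):
    """Return NOTES.INI text with Router removed from (or restored to) ServerTasks.

    Other keys are left untouched.  Restoring appends Router exactly once, so
    the call is idempotent; if no ServerTasks line exists one is created."""
    out, found = [], False
    for line in ini_text.splitlines():
        m = _KEY.match(line)
        if not m:
            out.append(line)
            continue
        found = True
        tasks = [t for t in _split_tasks(m.group(2)) if t.lower() != TASK.lower()]
        if enabled:
            tasks.append(TASK)
        out.append(f"{m.group(1)}={','.join(tasks)}")
    if enabled and not found:
        out.append(f"ServerTasks={TASK}")
    return "\n".join(out) + ("\n" if ini_text.endswith("\n") else "")


if __name__ == "__main__":
    disabled = set_router_autoload(SAMPLE_INI, False)
    print(disabled)
    print("Router autoloads:", router_autoloads(disabled))
    print(set_router_autoload(disabled, True))
```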
Routing mail on demand to a specific server
You can route mail to another Domino server between scheduled
intervals, forcing all mail in the transfer queue of the specified server to
route immediately. Use one of the following methods:
• Console ROUTE command
• Domino Administrator
Sending mail outside the local Internet domain
Because all mail on the Internet travels over SMTP routing, for your
organization to send mail to Internet addresses you’ll need to set up at
least one Domino server to send SMTP to external Internet domains and
one to listen for incoming SMTP connections. Alternately, you can enable
multiple, or even all, of your servers to route mail over SMTP to external
Internet domains. Although you can use a single server to handle
incoming and outgoing SMTP connections, if you anticipate a high
volume of Internet mail, to avoid bottlenecks consider balancing the load
among multiple servers.
The Domino SMTP servers you use for inbound and outbound Internet
mail can connect to the Internet either directly or through an SMTP relay
host or firewall. Routing between the Domino Internet mail server and
internal mail servers can be over either SMTP or Notes routing. It’s not
necessary to enable SMTP routing on your internal servers.
Using a single server to route mail to external Internet domains
In this configuration, a single designated mail server connects to the
Internet. All other internal mail servers route messages addressed to
recipients in external Internet domains to this server. If you use SMTP for
internal mail routing, you can configure all of your internal servers to use
the server that is connected to the Internet as a relay host. In the
Configuration Settings documents that apply to any mail servers that do
not connect directly to the Internet, enter the host name of the designated
relay host in the “Relay host for messages leaving the local Internet
domain” field. When the Router on these internal servers finds a message
addressed to a recipient in an external Internet domain, it looks up the
specified relay host in the DNS and forwards the message to it.
To set this up using Notes protocols, create a Foreign SMTP Domain
document and an SMTP Connection document. When the Router on a
server not connected directly to the Internet finds a message addressed to
a recipient in an external Internet domain, the Router forwards the
message to the domain in the Foreign SMTP Domain document, which is
connected to the server with an Internet connection by the SMTP
Connection document. When that server receives the message, its Router
connects to the external Internet domain and routes the message.
Using multiple servers to route mail to external Internet domains
In this configuration, a few designated mail servers connect to the
Internet. Other mail servers route messages addressed to recipients in
external Internet domains to these servers. To set this up using SMTP,
configure the servers that are connected to the Internet as relay hosts —
for example, create a DNS name, such as outbound.acme.com, that maps
to multiple MX records. Each MX record lists one of the connected
servers. Enter the DNS name in the “Relay host for messages leaving the
local Internet domain” field in the Configuration Settings document that
applies to all servers that do not connect directly to the Internet. When the
Router on those servers finds a message addressed to a recipient in an
external Internet domain, it forwards the message to one of the servers
that are listed in DNS and correspond to that name.
To set this up using Notes protocols, create Foreign SMTP Domain and
SMTP Connection documents. When the Router on a server not
connected directly to the Internet finds a message addressed to a
recipient in an external Internet domain, the Router forwards the
message to the domain in the Foreign SMTP Domain document, which is
connected to one of the servers with an Internet connection by the SMTP
Connection document. When that server receives the message, its Router
connects to the external Internet domain and routes the message.
Enabling all mail servers to route mail to external Internet domains
In this configuration, every mail server connects to the Internet and runs
the TCP/IP network protocol. Each server has the setting “SMTP used
when sending messages outside of the local Internet domain” enabled in
its Configuration Settings Document. When a user sends a message to a
recipient in an external Internet domain, the Router looks up the domain
in the Domain Name Service (DNS) and uses SMTP to connect to the
receiving server in that domain. The Router transfers the message and
closes the connection.
Routing SMTP mail over dialup connections
Your organization may connect to the Internet and external Internet
domains through a dialup connection — for example, to an Internet
Service Provider (ISP). To set up a dialup connection in your Domino
mail system:
• For Notes routing, create a Notes Direct Dialup Connection
document
• For SMTP routing, create a Network Dialup Connection document
that specifies TCP/IP as the network protocol
After you create the appropriate Connection document, specify how
Domino exchanges messages over that connection.
For more information on creating Connection documents for dialup
connections, see the chapter “Setting up Server-to-Server Connections.”
For information on setting up mail routing over a dialup connection, see
the topic “Routing mail over transient connections” later in this chapter.
Routing Internet mail through a relay host
A relay host is an SMTP server that receives mail from other servers and
then transfers, or relays, it to the next SMTP server on the route to the
recipient’s domain. A relay host can be a Domino SMTP server, or a
non-Domino SMTP host — for example, you might relay mail to an
SMTP server hosted by your ISP, or through a firewall server. If only a
small number of servers on the network have direct connections to the
Internet, set these servers up as relay hosts to which other internal
servers forward messages for recipients in external Internet domains.
You can set up a single relay host that handles messages addressed to
any external Internet domain, or set up multiple relay hosts, and set up
each one to route messages addressed to specific Internet domains.
For more information on setting up relay hosts, see the topic
“Configuring Domino to send mail to a relay host or firewall” later in
this chapter.
Sample mail routing configurations
These sample mail routing configurations represent typical messaging
implementations; however, other configurations are possible. Use these
sample configurations to help you plan and refine the messaging
infrastructure in your organization:
• Use one server for all Internet messages
• Use one server for inbound and one server for outbound messages
• Use two servers to balance Internet mail load
• Set up mail routing in the local Internet domain
• Set up mail routing between a third-party server and Domino in the
same Internet domain
• Use a smart host
• Use all servers to route outbound mail and one to route internal mail
Example of using one server for all Internet messages
In this example, a single Domino server, Mail2, handles messages from
the Acme organization destined for other Internet domains (external
addresses) and receives all mail addressed to the Acme Internet domain
(acme.com). Mail2 has the field “SMTP used when sending messages
outside of the local Internet domain” enabled on the
Router/SMTP-Basics tab of the Configuration Settings document that
applies to the server, and has the SMTP listener task enabled on the
Basics tab of its Server document.
If a user on either of the two Acme internal mail servers, Mail1 or Mail3,
sends a message to an external address — one with a domain other than
acme.com — the server routes the message to Mail2, which can route
mail to external domains. Any mail from an external Internet domain —
one other than acme.com — is routed to Mail2, which is listed in the DNS
as the Mail Exchanger (MX) host for acme.com. After the mail reaches
Mail2, the server routes it to its destination.
The two internal mail servers, Mail1 and Mail3, can route Internet mail to
the server with SMTP enabled for external mail (Mail2) either via Notes
routing, with a Foreign SMTP Domain document and SMTP Connection
document linking to Mail2, or via SMTP routing, with Mail2 configured
as the relay host.
Configuring these servers requires:
• Enabling “SMTP used when sending messages outside of the local
Internet domain” for Mail2.
• Enabling the SMTP listener task for Mail2.
• Setting up DNS correctly to list Mail2 as the connecting server for the
acme.com domain for inbound mail.
• Either enabling “SMTP allowed outside of the local Internet domain”
for Mail1 and Mail3 and listing Mail2 as the relay host, or creating a
Foreign SMTP Domain document and SMTP Connection document
that define the route to Mail2.
Example of using one server for inbound and one server for outbound messages
In this example, one Domino server, Mail2, routes messages from the
Acme organization destined for other Internet domains (external
addresses) and a second Domino server, Mail3, receives mail addressed
to the Acme Internet domain (acme.com). Mail2 has the field “SMTP
used when sending messages outside of the local Internet domain”
enabled on the Router/SMTP-Basics tab of the Configuration Settings
document that applies to the server. Mail3 has the SMTP listener task
enabled on the Basics tab of its Server document, and has an MX (mail
exchanger) record in the external DNS.
If a user on the Acme internal mail server, Mail1, sends a message to an
external address — one with a domain other than acme.com — the server
routes the message to Mail2, which can route mail to external domains.
Any mail from an external Internet domain — one other than acme.com
— is routed to Mail3, which is listed in the DNS as the MX host for
acme.com. Once the mail reaches Mail3, the server routes it to its
destination.
The internal mail server, Mail1, can route Internet mail to the server with
SMTP enabled for external mail (Mail2) either via Notes routing, with a
Foreign SMTP Domain document and SMTP Connection document
linking to Mail2, or via SMTP routing, with Mail2 configured as the relay
host.
Configuring these servers requires:
• Enabling “SMTP used when sending messages outside of the local
Internet domain” for Mail2.
• Enabling the SMTP listener task for Mail3.
• Setting up DNS correctly to list Mail3 as the MX host for the
acme.com domain for inbound mail.
• Either enabling “SMTP allowed outside of the local Internet domain”
for Mail1 and listing Mail2 as the relay host, or creating a Foreign
SMTP Domain document and SMTP Connection document that
define the route to Mail2.
Example of using two servers to balance Internet mail load
In this example, two Domino servers, Mail1 and Mail3, route messages
from the Acme organization destined for other Internet domains
(external addresses) and receive mail addressed to the Acme Internet
domain (acme.com). Mail1 and Mail3 have the field “SMTP used when
sending messages outside of the local Internet domain” enabled on the
Router/SMTP-Basics tab of the Configuration Settings document that
applies to the servers and have the SMTP listener task enabled on the
Basics tab of their Server documents.
If a user on the Acme internal mail server Mail2 sends a message to an
external address — one with a domain other than acme.com — the server
routes the message to Mail1, which can route mail to external domains. If
a user on the Acme internal mail server Mail4 sends a message to an
external address — one with a domain other than acme.com — the server
routes the message to Mail3, which can route mail to external domains.
This splits the load of outbound messages — half route to Mail1 and half
route to Mail3.
Any mail from an external Internet domain — one other than acme.com
— is routed to either Mail1 or Mail3. The external DNS has two MX
records for the acme.com domain, one for Mail1 and one for Mail3. When
an Internet mail server tries to connect to the acme.com domain to
transfer a message, it looks up acme.com in the DNS. The server finds the
MX records for acme.com and, based on the record preferences of the
MX records, returns the IP address of either Mail1 or Mail3. If the MX
records have equal weight, the server randomly selects one of the records
and returns the IP address of that record’s server. Should that server be
unavailable, the other MX record is selected and the IP address of the
other server is returned. This provides load balancing through the
random selection of the MX records when record preferences are equal
and provides failover since the DNS shifts to another MX record when a
connection fails. Once the mail reaches Mail1 or Mail3, that server routes
the message to its destination.
The internal mail servers can route Internet mail to the server with SMTP
enabled for external mail either via Notes routing, with a Foreign SMTP
Domain document and SMTP Connection document linking to the SMTP
server, or via SMTP routing, with the SMTP server configured as the
relay host.
Configuring these servers requires:
• Enabling “SMTP used when sending messages outside of the local Internet domain” for Mail1 and Mail3.
• Enabling the SMTP listener task for Mail1 and Mail3.
• Setting up DNS correctly to include MX records for Mail1 and Mail3, indicating to external SMTP systems that these are the hosts that receive inbound mail for the acme.com domain.
• Either enabling “SMTP allowed outside of the local Internet domain” for the internal mail servers, Mail2 and Mail4, and listing Mail1 or Mail3 as the relay host, or creating a Foreign SMTP Domain document and SMTP Connection document that define the route to Mail1 or Mail3.

In this example, Acme users send messages in the acme.com domain
(internal messages) over SMTP. Mail1, Mail2, and Mail3 are Domino mail
servers with “SMTP allowed within the local Internet domain” enabled
for “MIME messages only” on the Router/SMTP-Basic tab of the
Configuration Settings document that applies to the servers and have the
SMTP listener task enabled on the Basics tab of their Server documents.
This allows the servers to send mail to each other over SMTP and to
receive mail over SMTP.
The servers must be in the same Domino named network, based on
TCP/IP, to route mail unless each server has the field “Servers within the
local Domino domain are reachable via SMTP over TCPIP” set to Always
in the Configuration Settings document that applies to it.
If a user sends a MIME message to another user in the acme.com domain,
her mail server determines which server the recipient’s mail file is on,
connects to that server over TCP/IP, and transfers the message using
SMTP. If the message is in Notes format — for example, if the user is
using an R4 Notes client — the message is routed using Notes routing.
Configuring these servers requires:
• Enabling the SMTP listener task for Mail1, Mail2, and Mail3.
• Enabling “SMTP allowed within the local Internet domain” for “MIME messages only” for Mail1, Mail2, and Mail3.
• Either having all three servers in the same Domino named network or enabling “Servers within the local Domino domain are reachable via SMTP over TCPIP” for each server.
• Entering the server’s Fully qualified Internet host name field on the Basics tab of the Server document. The local Router uses the value in this field to define the local Internet domain in the absence of a Global Domain document. Other Domino servers on the network check this field before attempting inbound SMTP connections to this server. If the field is blank or contains an invalid value, all inbound mail transfers take place over Notes routing.

host in the local Internet domain that
handles mail for some users. All
users have entries in the Domino Directory. When a user sends mail to
another user in the acme.com domain, the Domino server looks up the
recipient in the Domino Directory. If the recipient has a mail file on one
of the Domino mail servers — Mail1, Mail2, or Mail3 — the server routes
the message to its destination over Notes routing. Notes routing handles
both MIME and Notes format messages. If the recipient has a mail file on
the third-party server, non-Notesserver.acme.com, their Person
document has a forwarding address with the domain
“non-Notesserver.acme.com.” To route mail over SMTP, Mail1 and Mail3
find a Foreign SMTP Domain document for
“*.non-Notesserver.acme.com” that corresponds to an SMTP Connection
document listing Mail2 as the server to which to transfer messages. The
server sends the message via Notes routing to Mail2, which has the field
“SMTP used when sending messages outside of the local Internet
domain” enabled on the Router/SMTP-Basics tab of the Configuration
Settings document that applies to it. If the message is in Notes format,
Mail2 converts it to MIME. Mail2 connects to non-Notesserver.acme.com
over TCP/IP and transfers the message over SMTP.
If a user on non-Notesserver.acme.com sends a message to a user on
Mail1, Mail2, or Mail3, the server transfers the message over SMTP to
Mail2, which has the SMTP listener task enabled on the Basics tab of its
Server document, and Mail2 routes the message to its destination over
Notes routing.
Configuring these servers requires:
• Enabling the SMTP listener task for Mail2
• Setting up DNS correctly
• Creating a Foreign SMTP Domain document for “*.non-Notesserver.acme.com” and an SMTP Connection document that links to Mail2

If the local Internet domain includes mail systems other than Domino,
users who have Internet addresses ending in yourdomain.com may not
have mail files on a Domino server or Person documents in the Domino
Directory. When Domino receives a message for such a user, the Router
cannot resolve the address. To prevent Domino from generating delivery
failures, set up the Domino server to forward mail it receives for
unknown local domain users to a local smart host. A smart host is
typically a more central computer that has an authoritative directory of
all users in the local domain. When Domino receives mail it doesn’t
know how to deliver, it sends it to the smart host.
In this example, Acme has three Domino servers (Mail1, Mail2, and
Mail3) and a third-party SMTP host, smarthost.acme.com, that houses
the directory for users who have non-Domino mail files within the
acme.com domain. Users in the non-Domino system do not have Person
documents in the Domino Directory. The Domino servers have the field
“SMTP allowed within the local Internet domain” enabled and have
smarthost.acme.com listed in the “Local Internet domain smart host”
field on the Router/SMTP-Basic tab of the Configuration Settings
document.
If a user on one of the Domino mail servers sends a message to a user in
the acme.com Internet domain, and the Router cannot find the recipient
in the Domino Directory, the Router forwards that message to
smarthost.acme.com over SMTP.
Configuring these servers requires:
• Setting up DNS correctly
• Enabling “SMTP allowed within the local Internet domain” for “MIME messages only” for Mail1, Mail2, and Mail3
• Listing “smarthost.acme.com” as the “Local Internet domain smart host” for Mail1, Mail2, and Mail3.

each of which can route messages from the Acme organization destined
for other Internet domains (external addresses). All three servers have
the field “SMTP used when sending messages outside of the local
Internet domain” enabled on the Router/SMTP-Basics tab of the
Configuration Settings document that applies to them. One server, Mail2,
receives mail addressed to the Acme Internet domain (acme.com). Mail2
has the SMTP listener task enabled on the Basics tab of its Server
document.
If a user on one of the mail servers sends a message to an external
address — one with a domain other than acme.com — the server looks
up the destination domain in the DNS, connects to the destination server
over TCP/IP, establishes an SMTP connection, and transfers the message.
Any mail from an external Internet domain — one other than acme.com
— is routed to Mail2. The DNS lists Mail2 as the MX host for acme.com.
Once the mail reaches Mail2, the server routes the message to its
destination.
Since each server can send messages directly to external domains, no
relay host, Foreign SMTP Domain documents, or SMTP Connection
documents are needed.
Configuring these servers requires:
• Enabling “SMTP used when sending messages outside of the local Internet domain” for all three servers
• Enabling the SMTP listener task for Mail2
• Setting up DNS correctly to list Mail2 as the connecting server for the acme.com domain for inbound mail

Creating a Configuration Settings document
Using a Configuration Settings document you can set up mail routing on
multiple Domino servers at once. The Configuration Settings document
includes settings that affect both Notes routing and SMTP routing.
Administrators can create a single Configuration Settings document for:
• All Domino servers in the Domino domain
• Servers in a specific group
• A specific server
You can designate a Configuration Settings document to serve as the
default for all servers in the Domino domain by selecting the field “Use
these settings as the default settings for all servers” or by entering a
wildcard (*) in the Group or Server field. Using a default Configuration
Settings document simplifies administration and saves time because you
can change the settings for the entire Domino domain by editing a single
document.
Each setting applies to every server included in the Configuration
Settings document. Therefore, you need multiple Configuration
documents if you need different settings for specific servers. For
example, if your Domino domain includes three geographic locations,
you may want a Configuration Settings document for each location. You
can create groups that include all the servers in the specific location and
use the location as the group name.
To specify additional restrictions for a server that is included in a group,
create a separate Configuration Settings document for the specific server.
For example, assume you have a Configuration Settings document for a
group of servers or for all servers. The executives in your organization
have their own mail server and require different settings. You will need
to create a Configuration Settings document for the specific server. The
document that is most specific (in terms of which servers it applies to)
will take precedence.
Each server checks the Configuration Settings documents in the
following order — a document specific to the server, then a group
document for any group the server is in, and then for the default
document. If there are multiple Configuration documents for groups
containing the same server, the results are undefined. For example, you
could have a server ServerA, and two groups named Group1 and
Group2 that both contain ServerA. If you create a Configuration Settings
document naming ServerA, all settings that are set in that document are
used by ServerA, but if there are settings that are not defined in that
document, then the Configuration documents defined for Group1 and
Group2 are examined for those settings. However, any settings that were
defined in the ServerA document will not be examined in the Group1
and Group2 documents. If after examining the Group1 and Group2
documents there are still settings that do not have values defined, the
default settings apply.
For more information about creating groups, see the chapter “Setting Up
and Managing Notes Users.”
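The lookup order just described can be checked mechanically. The following Python is an added example, not part of the Domino product or of this documentation: it resolves one setting for a server through server, group and default documents in that order, stops looking as soon as a more specific document supplies the value, and flags the case the text calls undefined, a server in two groups whose documents both set the same field. The document targets, group names and setting names are constructed.

```python
"""Resolve which Configuration Settings document supplies a setting.

Added illustration of the lookup order described in the text, not Domino
code: a document naming the server itself, then documents for groups the
server belongs to, then the default document. A setting found in a more
specific document is not looked up again in a less specific one. All
document targets, group names and setting values are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class ConfigDoc:
    """One Configuration Settings document.

    target is a server name, a group name, or "*" for the default
    document (the "Use these settings as the default" checkbox and a
    wildcard in the Group or Server field are both modelled as "*").
    settings holds only the fields the administrator filled in.
    """
    target: str
    settings: Dict[str, str] = field(default_factory=dict)


def resolve(server: str, groups: Dict[str, List[str]],
            docs: List[ConfigDoc], key: str) -> Tuple[Optional[str], str]:
    """Return (value, source) for `key` on `server`.

    groups maps a group name to its member servers. source is the target
    of the document that supplied the value, "undefined" if no document
    sets the key, or "ambiguous:<groups>" when several group documents
    set it, which the text says gives undefined results.
    """
    # 1. A document naming the server itself always wins.
    for doc in docs:
        if doc.target == server and key in doc.settings:
            return doc.settings[key], doc.target

    # 2. Group documents for every group that contains the server.
    group_hits = [(doc.target, doc.settings[key]) for doc in docs
                  if doc.target in groups and server in groups[doc.target]
                  and key in doc.settings]
    if len(group_hits) > 1:
        return None, "ambiguous:" + ",".join(sorted(t for t, _ in group_hits))
    if group_hits:
        return group_hits[0][1], group_hits[0][0]

    # 3. The default document covers whatever is still unset.
    for doc in docs:
        if doc.target == "*" and key in doc.settings:
            return doc.settings[key], "*"
    return None, "undefined"


def audit_ambiguities(servers: List[str], groups: Dict[str, List[str]],
                      docs: List[ConfigDoc], keys: List[str]) -> List[Tuple[str, str]]:
    """List (server, key) pairs whose effective value is undefined because
    two group documents compete. Run this before relying on a group document."""
    return [(s, k) for s in servers for k in keys
            if resolve(s, groups, docs, k)[1].startswith("ambiguous:")]


# Constructed example: ServerA is in Group1 and Group2, as in the text.
GROUPS = {"Group1": ["ServerA", "ServerB"], "Group2": ["ServerA"]}
DOCS = [
    ConfigDoc("*", {"smtp_listener": "disabled", "relay_host": ""}),
    ConfigDoc("Group1", {"smtp_listener": "enabled",
                         "relay_host": "mail1.acme.com"}),
    ConfigDoc("Group2", {"relay_host": "mail3.acme.com"}),
    ConfigDoc("ServerA", {"smtp_listener": "disabled"}),
]

if __name__ == "__main__":
    for server in ("ServerA", "ServerB", "ServerC"):
        for key in ("smtp_listener", "relay_host"):
            print(server, key, resolve(server, GROUPS, DOCS, key))
```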
Note Use fully qualified host names in fields on the Configuration
Settings document instead of IP addresses. While IP addresses will work
and are fully supported, using host names ensures that you won’t need
to change a server entry in the event that a subnet change requires a
change to the server’s IP address. You can change the server’s record
once in the Domain Name Service (DNS) rather than having to search
through the Domino Directory to find every instance where the server is
referenced.
To create a Configuration Settings document
1. From the Domino Administrator, click the Configuration tab and
then expand the Messaging section.
2. Choose Configurations.
3. Click Add Configuration to create a new Configuration Settings
document.
4. Click the Basics tab.
5. Complete one of these fields, and then click Save & Close.

Field: Use these settings as the default settings for all servers
Enter: Select the Yes checkbox to have this document serve as the default Configuration Settings document for all Domino servers in the Domino domain. If you create additional Configuration Settings documents in the Domino Directory for specific servers or groups of servers, settings in those documents override equivalent settings in the default document.

Field: Group or server name
Enter: Enter the name of the individual server or server group to which this Configuration Settings document applies.

Setting up Notes routing
By default, Domino uses Notes routing to transfer messages between
servers. Notes routing uses information in the Domino Directory to
determine where to send mail addressed to a given user. If two servers
are in the same Domino named network, Notes routing automatically
transfers mail between them. A Domino named network is a group of
servers in a given Domino domain that share a common protocol and are
connected by a LAN or modem connections.
To set up routing between servers that are not in the same Domino
named network, you must create documents in the Domino Directory to
specify how to route mail within the Notes mail system, as follows:
1. Create Connection documents to enable message transfer between
servers in different Notes named networks. A Connection document
specifies how and when two servers connect to exchange mail and
update common databases through replication. To route mail
between servers in different Notes named networks requires a pair of
Connection documents, one from each server to the other.
2. Depending on your messaging system topology, create these
documents, as necessary:
• Non-adjacent domain documents.
• Adjacent domain documents.
• Foreign domain documents.
• Foreign SMTP domain documents.
• SMTP Connection documents.
How you create connections for Notes routing depends on:
The location of the two servers: same Notes named network, same
Domino domain, adjacent Domino domain, non-adjacent Domino
domain
The  type of network connection between the two servers: LAN,
direct dialup, network dialup, or passthru
In addition, the number of Connection documents you need to create
depends on how you want to route mail — that is, whether you want to
route mail both to and from a server, only to a server, or only from a
server. Since, in most cases, you’ll want to route mail in both directions,
you generally need to create two Connection documents for each
connection.
In small Domino networks, you can minimize the number of Connection
documents by using the same document to schedule mail routing and
replication. Or you can create a separate Connection document for each
task.
This table describes the typical types of connections and the documents
required to set them up:

Type of connection: To a server in the same Domino named network
Documents required to create connection: No Connection documents required. There must be a common entry on the Ports - Notes Network Ports tab of each server’s Server document.

Type of connection: To a server in a different Domino named network within the local Domino domain
Documents required to create connection: Two Connection documents, one from each server, to ensure that mail routes in both directions.

Type of connection: To an adjacent Domino domain
Documents required to create connection: Two Connection documents, one in each Domino domain, to ensure that mail routes in both directions. One Adjacent domain document if you need restrictions.

Type of connection: To a non-adjacent Domino domain
Documents required to create connection: Two Connection documents, one in each Domino domain that connects to the adjacent Domino domain. Two Non-adjacent domain documents, one in each of the Domino domains that are not adjacent, to provide restrictions and simplify addressing across the intermediary domain between the first and third domains.

Type of connection: To a gateway for a foreign domain
Documents required to create connection: One Foreign domain document to identify the foreign domain for non-mail messaging systems, such as fax or pager systems.

Type of connection: To an SMTP-enabled server (for example, a server that can send mail to the Internet)
Documents required to create connection: One Foreign SMTP domain document to identify the destination for messages being sent to the Internet. One SMTP connection document to specify the SMTP-enabled server.

Note When you create a Connection document, Notes routing is enabled by default.
For complete information on creating Connection documents, see the
chapter “Setting up Server-to-Server Connections.”
Recalculating the server’s routing table
The Router on each server maintains a dynamic routing table, which
specifies the best route to each possible destination server. The routing
table builds on information contained in the server’s NOTES.INI file and
in the Configuration Settings, Domain, Connection, and Server
documents in the Domino Directory.
By default, at intervals of approximately 5 minutes, or after you restart
the task, the Router examines the Domino Directory for changes that
would warrant rebuilding the routing table. In cases where you want
new settings to take effect immediately, but do not want to interrupt the
flow of mail by stopping and restarting the Router, you can use a TELL
command to force an update.
To update the server's routing table
Enter the following command at the server console:
Tell router update config
The Router checks the Server, Server Configuration, Connection,
Adjacent and Non-Adjacent domain documents, and the NOTES.INI file
for changes that might affect the routing topology. The Router then
builds a new routing table that incorporates the changes. The Router
reprocesses any messages currently in MAIL.BOX based on the new
routing table.
The Router does not check the Global Domain document for changes in
response to the update configuration command. The information
contained in the Global Domain document is loaded into memory only
after server initialization. It is not refreshed when the routing tables
reload.
Creating an Adjacent domain document
You create an Adjacent domain document when you need to restrict the
transfer of mail from one adjacent domain to another. For example, if you
are in domain B and want to prevent mail from an adjacent domain A
from traversing your domain to reach another adjacent domain C, create
an Adjacent domain document that names C as the adjacent domain and
denies mail from A.

The restrictions you define in the Adjacent domain document apply to
the domain of the previous hop only. That is, in the Adjacent domain
document created in the previous example, adding A to the Deny list
prevents mail originating in A from routing to C. This includes mail that
domain A may receive from domain Z for eventual transfer to C.
But suppose you want to allow mail from A, but deny mail from domain
Z, which uses A and B as intermediate domains to reach C. If the
administrator in domain B removes domain A from the deny list of the
Adjacent domain document for domain C, and adds domain Z, domain Z
is allowed to route mail to C. This is because once the message arrives in
domain B the domain of origin appears to be A, rather than Z. In the
absence of restrictions on transferring mail from A to C, Domino allows
the message to rout

You also use Adjacent domain documents to allow Free Time searches
across domains. For more information, see the chapter “Setting up
Calendars and Scheduling.”
Note Restrictions set in an Adjacent domain document work in
conjunction with those in the Configuration Settings document. Domino
always defaults to the most restrictive entry.
Adjacent Domain documents do not provide connectivity to adjacent
domains, and are not required to enable connections between adjacent
domains. To define routes between adjacent domains, create a
Connection document.
Using Adjacent domain documents to restrict mail
By default, a domain that can route mail to your domain can also route
mail through your domain to another adjacent domain. When mail
routes from one domain to another through your domain, it ties up your
resources. To prevent your servers from being used to transfer mail
between other domains, you can selectively allow and deny mail routing
through your domain to the domain named in the Adjacent domain
document.
The Allow and Deny fields on the Restrictions tab of the Adjacent
domain document let you control the flow of messages from other
domains to the adjacent domain. Entries in these fields must be the
names of adjacent domains; the Router ignores entries for non-adjacent
domains beyond the previous hop. If you deny a domain from sending
mail through your domain, the Router denies all mail received from that
domain, including messages the domain may have passed on from
another, non-adjacent domain. There is no way to restrict specific users
from routing to a Notes domain. Restrictions apply to all users in the
specified domain.
The settings in the Allow and Deny fields work in conjunction with the
Allow and Deny fields on the Router/SMTP - Restrictions and Controls -
Restrictions tab of the Configuration Settings document. In the event of
any conflict between settings, Domino applies the most restrictive entry.
Messages may be further restricted by Adjacent Domain documents,
Non-adjacent Domain documents, and Configuration Settings documents
set up between domains along the routing path.
To create an Adjacent domain document
1. From the Domino Administrator, click the Configuration tab and
then expand the Messaging section.
2. Choose Domains.
3. Click Add Domain to create a new Domain document.
4. On the Basics tab, complete these fields:

Field: Domain type
Enter: Choose Adjacent domain

Field: Adjacent domain name
Enter: The name of the adjacent Domino domain. The current domain must have a Connection document to this domain.

Field: Domain description
Enter: Optional description of the domain

5. To restrict other domains from routing mail through the current
domain to the adjacent domain, click the Restrictions tab, complete
the following fields, and then click Save and Close:

Field: Allow mail only from domains
Enter: Enter the names of adjacent Domino domains that are allowed to route mail to this adjacent domain. To allow any domain to route mail through the local domain to this adjacent domain, leave this field blank.

Field: Deny mail from domains
Enter: Enter the names of adjacent Domino domains that are not allowed to route mail to this adjacent domain. To allow any domain to route mail through the local domain to this adjacent domain, leave this field blank.

Note You cannot use wildcards in the Restrictions fields. You must
enter explicit domain names.
6. Create a Connection document to specify how servers in the current
domain connect to the adjacent domain.

Setting up routing to non-adjacent Domino domains
Non-adjacent domains are Domino domains that are not directly
connected, but have an intermediary domain, adjacent to both of them in
common. For example, domain A and domain B are adjacent and have
Connection documents defining the route between them. Similarly,
domain B, in turn, is adjacent to domain C and mutual Connection
documents exist between them; and domains C and D are likewise
adjacent to each other and linked by Connection documents. Domain B is
thus adjacent to domain A on one side, and domain C on the other; and
domain C is adjacent to B and D, respectively. If no direct connection
exists between A and C, these two domains are considered to be
non-adjacent domains. Similarly if there is no direct connection between
B and D, these two domains are also non-adjacent.

Because there is no direct connection between two non-adjacent domains,
you cannot define the routing path between them in a Connection
document. Connection documents can only be used between two
directly-connected, adjacent domains. However, users in non-adjacent
domains can send mail to each other by routing it through the
intermediary domain.
One way to do this is to use explicit addressing — telling the Router how
to reach the destination domain through the intermediary domain by
placing the entire routing path in the address field. For example, if Kathy
Burke in domain A wants to send a message to Robin Rutherford in the
non-adjacent domain C, she addresses the message by way of domain B,
as follows:
Robin Rutherford@C@B
In processing the message, the Router on the domain A mail server looks
only at the last part of the address, and uses the Connection document to
determine the route to domain B. The domain B server then uses the
Connection document in its Domino Directory to transfer the message to
domain C.
Although the use of explicit addressing is an effective method for
directing mail to non-adjacent domains, because it relies on a complete
knowledge of the inter-domain routing topology, it’s also not a very
practical solution. This information is not readily available to a typical
user. To simplify routing and addressing to non-adjacent domains, you
can create a Non-adjacent domain document in the Domino Directory to
define the path between the non-adjacent domains.
Using a Non-adjacent domain document
Administrators can create a Non-adjacent domain document to control
message routing to a non-adjacent domain. A Non-adjacent domain
document serves three functions:
• Specifies a routing path to the non-adjacent domain by supplying next-hop domain information
• Restricts mail from other domains from routing to the non-adjacent domain
• Defines the Calendar server used to enable free time lookups between two non-adjacent domains.
For more information on how to enable free time lookups between
non-adjacent domains, see the chapter “Setting up Calendars and
Scheduling.”
Non-adjacent domain documents are only required to specify routing
restrictions to a non-adjacent domain. However, to simplify addressing
on messages destined for a non-adjacent domain, it’s useful to have a
Non-adjacent domain document for that domain. Without a
Non-adjacent domain document in the Directory, the Router has no
defined routing path to the non-adjacent domain. The Router can transfer
a message to the non-adjacent domain if the recipient address uses
explicit path routing (User@AdjacentDomain@NonAdjacentDomain), but
cannot transfer a message with a simple domain address
(User@NonAdjacentDomain). When explicit addressing is used the
Router uses the Connection documents between domains to calculate the
path to the next-hop domain.
But when a Non-adjacent domain document is available, the Router
obtains intermediary domain information from that document. This
eliminates the need for users sending mail to a non-adjacent domain to
use complex, explicit addressing. Thus, if domain A has a Non-adjacent
domain document for domain C, when Kathy Burke in domain A sends
mail to Robin Rutherford in domain C, she uses the address Robin
Rutherford@C (rather than Robin Rutherford@C@B). Because the Router
finds the intermediate domain information in the Non-adjacent domain
document, the message is transferred successfully to domain C by way of
domain B.
Using Non-Adjacent domain documents to restrict mail
Using Non-adjacent domain documents to simplify addressing makes
them valuable enough. But Non-adjacent domain documents play
another equally significant role. Although they are not strictly required to
enable routing between non-adjacent domains, they are needed if you
want to restrict routing of messages from certain domains.
By default, any domains that can route mail to your domain can also
route mail to the destination domains named in a Non-adjacent domain
document. Mail routed from one domain to another through your
domain consumes your network resources. To prevent your servers from
being used to transfer mail between other domains, you can selectively
allow and deny mail routing through your domain.
The Allow and Deny fields on the Restrictions tab of the Non-adjacent
domain document let you control the flow of messages from other
domains to the non-adjacent domain. Entries in these fields must be the
names of adjacent domains; the Router ignores entries for non-adjacent
domains beyond the previous hop. If you deny a domain from sending
mail through your domain, the Router denies all mail received from that
domain, including messages the domain may have passed on from
another, non-adjacent domain.
The “Deny mail from domains” field in a Non-adjacent domain
document does not block messages that use explicit domain addressing,
that is, addresses that explicitly name every domain on the routing path.
A Non-adjacent domain document can only block mail that relies on
information in the Non-adjacent domain document to supply the name of
a missing intermediate domain. If the entire routing path is contained
in the recipient address, the Router doesn’t need to check the document
to determine where to route the message, and thus cannot block it. For
example, if in the previous example the administrator in domain B
creates a Non-adjacent domain document for domain D and adds
domain A to the Deny mail from domains field, Kathy Burke in domain
A can still send mail to Judy Kaplan in domain D by specifying the
following explicit domain address: Judy Kaplan@D@C@B.
To prevent Kathy Burke from sending this message, the administrator in
Domain B would have to create an Adjacent domain document for
domain C that names domain A in the Deny mail from domains field.
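To make the two behaviours above concrete, the explicit address Robin Rutherford@C@B and the difference between a Deny entry in a Non-adjacent domain document and one in an Adjacent domain document, here is an added Python model of hop-by-hop routing; it is an illustration written for this page, not Domino code. The A, B, C, D chain and the user names are the text's; the contents of each domain's documents and the `route` and `acme_domains` function names are constructed.

```python
"""Model of Notes inter-domain routing restrictions.

Added example (not Domino code): a small simulation of how the Router in
each domain handles a recipient address, consults Adjacent and
Non-adjacent domain documents, and applies their Allow and Deny fields to
the previous hop only. Domain names A, B, C, D and the addresses follow
the text; the contents of each domain's documents are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Restrictions:
    """The Restrictions tab of an Adjacent or Non-adjacent domain document."""
    allow: Set[str] = field(default_factory=set)   # "Allow mail only from domains"
    deny: Set[str] = field(default_factory=set)    # "Deny mail from domains"

    def permits(self, previous_hop: Optional[str]) -> bool:
        """Locally originated mail has no previous hop and is not restricted."""
        if previous_hop is None:
            return True
        if previous_hop in self.deny:
            return False
        return not self.allow or previous_hop in self.allow


@dataclass
class Directory:
    """The routing-relevant documents in one domain's Domino Directory."""
    connections: Set[str]                               # Connection documents: adjacent domains
    adjacent: Dict[str, Restrictions] = field(default_factory=dict)
    # destination -> ("Route through domain", restrictions)
    nonadjacent: Dict[str, Tuple[str, Restrictions]] = field(default_factory=dict)


def route(origin: str, address: str, dirs: Dict[str, Directory]) -> List[str]:
    """Return the domains visited, ending in "DELIVERED" or "REJECTED@<domain>".

    address is "User@Dest[@Intermediate...]"; the rightmost domain is the
    next hop, as in "Robin Rutherford@C@B".
    """
    _user, *path = address.split("@")
    here, prev = origin, None
    hops = [origin]
    while True:
        if not path:
            hops.append("DELIVERED")          # recipient is local to `here`
            return hops
        if path[-1] == here:                  # explicit hop reached: strip it
            path.pop()
            continue
        nxt = path[-1]
        d = dirs[here]
        if nxt in d.connections:
            # Adjacent: the Connection document is the route; an Adjacent
            # domain document, if present, restricts by previous hop.
            rules = d.adjacent.get(nxt, Restrictions())
        elif nxt in d.nonadjacent:
            # Non-adjacent: the document supplies the intermediary and may
            # deny the previous hop, but the address itself is unchanged.
            via, rules = d.nonadjacent[nxt]
            if not rules.permits(prev):
                hops.append(f"REJECTED@{here}")
                return hops
            nxt = via
            rules = d.adjacent.get(via, Restrictions())
        else:
            hops.append(f"REJECTED@{here}")  # no route to the destination
            return hops
        if not rules.permits(prev):
            hops.append(f"REJECTED@{here}")
            return hops
        hops.append(nxt)
        prev, here = here, nxt


def acme_domains(deny_a_in_nonadjacent_doc: bool = True,
                 deny_a_in_adjacent_doc: bool = False) -> Dict[str, Directory]:
    """Chain A - B - C - D from the text, with domain B's documents varied.

    By default B's Non-adjacent domain document for D denies A (the case
    the text shows explicit addressing bypassing); with
    deny_a_in_adjacent_doc, B's Adjacent domain document for C denies A,
    which the text gives as the way to stop that traffic."""
    deny_a = Restrictions(deny={"A"})
    b_nonadj = {"D": ("C", deny_a if deny_a_in_nonadjacent_doc else Restrictions())}
    b_adj = {"C": deny_a} if deny_a_in_adjacent_doc else {}
    return {
        "A": Directory({"B"}, nonadjacent={"C": ("B", Restrictions()),
                                           "D": ("B", Restrictions())}),
        "B": Directory({"A", "C"}, adjacent=b_adj, nonadjacent=b_nonadj),
        "C": Directory({"B", "D"}),
        "D": Directory({"C"}),
    }


if __name__ == "__main__":
    for addr in ("Robin Rutherford@C@B", "Robin Rutherford@C",
                 "Judy Kaplan@D", "Judy Kaplan@D@C@B"):
        print(addr, "->", route("A", addr, acme_domains()))
    print("Adjacent doc for C denies A:",
          route("A", "Judy Kaplan@D@C@B", acme_domains(deny_a_in_adjacent_doc=True)))
```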
The settings in the Allow and Deny fields work in conjunction with the
Allow and Deny fields on the Router/SMTP - Restrictions and Controls -
Restrictions tab of the Configuration Settings document. In the event of
any conflict between settings, Domino applies the most restrictive entry.
Messages may be further restricted by Adjacent Domain documents,
Non-adjacent Domain documents, and Configuration Settings documents
set up between domains along the routing path.
To create a Non-adjacent domain document
1. From the Domino Administrator, click the Configuration tab and
then expand the Messaging section.
2. Choose Domains.
3. Click Add Domain to create a new Domain document.
4. On the Basics tab, complete these fields:

Field: Domain type
Enter: Choose Non-adjacent domain

Field: Mail sent to domain
Enter: The name of the non-adjacent Domino domain you want to route mail to.

Field: Route through domain
Enter: The name of the intermediary Domino domain through which you want to route mail for the destination domain. The current domain must have a Connection document to this domain. Also, the Domino Directory in the intermediary domain must have a Connection document to the destination domain.

Field: Domain description
Enter: An optional description of the domain

5. Click the Restrictions tab, complete one or both of these fields, and
then save the document:

Field: Allow mail only from domains
Enter: Enter the names of Domino domains adjacent to the current domain that are allowed to route mail to this non-adjacent domain. Leave this field blank to allow any domain to route mail through the local domain to the non-adjacent domain.

Field: Deny mail from domains
Enter: Enter the names of Domino domains adjacent to the current domain that are not allowed to route mail to this non-adjacent domain. Leave this field blank to allow any domain to route mail through the local domain to the non-adjacent domain.

Note You cannot use wildcards in the Restrictions fields. You must
enter explicit domain names.
6. Create a Connection document to specify how servers in the current
domain connect to the intermediary adjacent domain.
Note Since, by definition, all servers in a domain use the same Domino
Directory, only one Non-adjacent domain document is required for each
non-adjacent domain. You do not have to create a separate document for
each server.
Setting up routing to external application gateways
Domino treats external messaging applications, such as fax or pager
gateways, as foreign domains. To route mail from a Domino domain to
an external application, create a Foreign domain document.
Creating a Foreign domain document
A Foreign domain document defines the path between a Domino domain
and an external application, such as a fax or pager gateway. A Foreign
domain document identifies the Domino server that acts as the gateway
to the external application.
Applications such as X.400 and cc:Mail use their own specialized
versions of the Foreign domain document to direct the messages through
a message transfer agent (MTA). For more information about MTAs, see
the documentation for the specific MTA.
Although Foreign domains are mostly used for third-party applications,
you can also use them to transfer messages between a Release 5.0 or later
server and a Release 3.x SMTP server.
27-30 Administering the Domino System, Volume 1
Restrictions that you set on this Foreign domain document apply only to
the From domain of the previous hop. These restrictions work in
conjunction with those in the Configuration Settings document. Domino
always defaults to the most restrictive entry.
To create a Foreign domain document
1. From the Domino Administrator, click the Configuration tab and
then expand the Messaging section.
2. Choose Domains.
3. Click Add Domain to create a new Domain document.
4. Click the Basics tab, and complete these fields:

Field  Enter
Domain type: Choose Foreign domain.
Foreign Domain Name: The domain name of the foreign mail system. This name was chosen when the MTA or gateway was installed.
Domain description: An optional description of the gateway or MTA.
5. Click the Restrictions tab, and then complete these fields:

Field  Enter
Allow mail only from domains: The names of Domino domains that are allowed to route messages to this foreign domain. Leave this field blank to allow any domain to route mail through the local domain to the foreign domain.
Deny mail from domains: The names of Domino domains that are not allowed to route messages to this foreign domain. Leave this field blank to allow any domain to route mail through the local domain to the foreign domain.

6. Click the Mail Information tab, complete these fields, and then save
the document:

Field  Enter
Gateway server name: The name of the Domino server running the gateway software.
Gateway mail filename: The gateway's mail file name. See the documentation that came with the gateway for the proper file name.

7. Create a Connection document to specify how servers in the current
domain connect to the foreign domain.

Transferring outbound Internet mail to an SMTP server over Notes routing
On Domino networks that don’t use SMTP for internal mail routing you
can implement a gateway topology for sending outbound mail to the
Internet. Your internal servers can continue to use Notes routing to
transfer mail and send Internet mail to an SMTP server that connects to
the Internet. Your “gateway” server must be a Domino server able to
send SMTP mail to external Internet domains.
To define a route between your internal servers and the SMTP gateway
server, create:
• One or more Foreign SMTP domain documents that define the next
domain for sending SMTP mail addressed to a given set of
destination addresses
• SMTP Connection documents specifying the server that processes
outbound SMTP mail for each Foreign SMTP domain document
The gateway server receives outbound mail from internal servers over
Notes routing and then transfers it to the Internet over SMTP. The
gateway server can connect to the Internet directly or through an SMTP
relay host or firewall that connects to the Internet.
The Foreign SMTP domain document
A Foreign SMTP domain document provides servers that don’t use
SMTP routing and which do not have access to DNS with the next hop
information required to route Internet mail. You can also use Foreign
SMTP domain documents with servers that route mail over SMTP to
configure different routing paths for mail sent to different destinations.
A Foreign SMTP Domain document provides servers in a Domino
domain with information on where to transfer mail destined for external
SMTP addresses. The Foreign SMTP domain document specifies the
name of the next hop domain to which messages addressed to a specific
Internet domain or domain pattern are sent. For example, a Foreign
SMTP Domain document might specify that the next hop for messages
addressed to the domain company.com should be the domain
TheInternet.
The next hop domain can either be an actual Domino domain — that is, a
group of servers sharing a Domino Directory — or a “virtual” domain.
Use the name of an existing Domino domain if you can create a
Connection document to it and it already has SMTP servers connected to
the Internet. If the network does not currently have a Domino domain
that routes outbound Internet mail, use a virtual, or logical, domain
name. The name must not correspond to the name of any servers or
domains in the Domino Directory. Domino uses the virtual domain name
to link this SMTP domain document with an SMTP Connection
document, which, in turn, specifies the name of an SMTP-enabled server
that can process outbound mail, for example, a firewall server that can
route outbound Internet mail.
Configuring different relay hosts for different destination domains
To explicitly control message routing, you can set up multiple Foreign
SMTP domain documents, splitting outbound mail traffic so that
messages destined for one Internet domain route through one Domino
host and those destined for others go to a different host.
For example, you can configure one Foreign SMTP Domain document to
route all mail addressed to domains ending in lotus.com; a second can
route all mail addressed to domains ending in ibm.com; and a third can
process mail addressed to all other Internet domains (*.*). For each of the
three configured Foreign SMTP domains, you must create an SMTP
Connection document that describes how to transfer the messages routed
to that domain.
Note If you use a wildcard when specifying which messages to route to
a domain, you can still restrict messages destined for specific Internet
domains using the SMTP Outbound Controls in the Configuration
Settings document.
The Router always uses the Foreign SMTP Domain document that most
closely matches the address. For example, if a message is addressed to
jdoe@server1.japan.lotus.com and there are two Foreign SMTP Domain
documents — one for lotus.com and one for japan.lotus.com — the
Router uses the document for japan.lotus.com.
After the Router determines which Foreign SMTP Domain document
most closely matches the address of the message, it forwards the message
to the specified next domain. If the domain is a real Domino domain, the
Router looks in the Domino Directory for a connection to that domain
and routes the message. If the domain is a logical domain, the Router
checks for an SMTP Connection document that describes the next hop for
mail routed to that domain.
To create a Foreign SMTP domain document
1. Make sure you already have a Configuration Settings document for
the server(s) to be configured.
2. From the Domino Administrator, click the Configuration tab and
then expand the Messaging section.
3. Choose Domains, and then click Add Domain.
Setting Up Mail Routing 27-33
4. On the Basics tab, complete this field:

Field  Enter
Domain type: Foreign SMTP Domain

5. Click the Routing tab, complete these fields, and then click
Save & Close:

Field  Enter
Messages Addressed to - Internet Domain: The name of the Internet domain to which this document applies, for example, company.com, or a wildcard (*.*) to indicate all Internet domains.
Should be Routed to - Domain name: A fictitious, logical domain name, for example, TheInternet, to which messages that match the pattern in the Internet Domain field will be routed. The name you specify serves as a placeholder; Domino uses the name to pair the Foreign SMTP Domain document with the connection document you create in the next step.

6. Create an SMTP Connection document to associate the Foreign SMTP
Domain document with an SMTP server that can send outbound mail to
the Internet.

Creating an SMTP Connection document


On networks where internal mail travels over Notes routing, the SMTP
Connection document works in conjunction with a Foreign SMTP Domain
document to route messages from non-SMTP servers to an SMTP server
that can send messages outside the local Internet domain. SMTP
Connection documents link the virtual foreign SMTP domain specified in
a Foreign SMTP Domain document to a Domino SMTP server. For example,
an SMTP Connection document might link the virtual domain TheInternet
to the firewall server that routes mail to the Internet. In the SMTP
Connection document, you specify the source server (the server that can
connect directly to the Internet and route SMTP mail), the destination
domain (which must match the logical domain name entered in the
"Should be Routed to - Domain name" field of the Foreign SMTP Domain
document), and the method to use when connecting to the source server
(direct or dialup). An SMTP Connection document lets Internet messages
travel from a Domino domain to a server that is enabled to use SMTP to
route outbound Internet mail.
When the Router receives a message for a recipient outside the local
Internet domain, it forwards the message to the domain specified in the
Foreign SMTP Domain document. After the message reaches a Domino
server that can connect to the Internet, that server establishes a
connection with a server in the destination domain and routes the
message.
To create an SMTP Connection document
1. From the Domino Administrator, click the Configuration tab and
then expand the Messaging section.
2. Choose Connections and click Add Connection.
3. On the Basics tab, complete these fields:

Field  Enter
Connection type: SMTP
Source server: The name of the SMTP-enabled server where non-SMTP servers send mail destined for the Internet domains specified in the Foreign SMTP domain document. This server must have access to DNS and have SMTP enabled for sending messages outside the local Internet domain.
Connect via: Choose one:
• Direct connection: For servers that communicate over LAN connections
• Dial-up connection: For servers that communicate over transient connections, such as phone lines. If you select this option, Domino displays the field "Dial using connection record."
Dial using connection record: Specifies the Network Dialup Connection document containing the dialup settings for connecting to the SMTP server specified in the Source server field. This field appears only if you selected "Dial-up connection" in the preceding field. Click "Choose record" to select a Network Dialup Connection document (remote LAN service connection record) from the list of previously created Network Dialup Connection documents. For information about creating a Network Dialup Connection document, see the chapter "Planning server-to-server connections."
Destination server: A unique, fictitious, placeholder name, such as all_internal_hosts. Domino does not use the value in this field, but the Connection document will not work if the field is empty. The name you specify must not match the name of any server on the network.
Destination domain: The fictitious, logical domain name specified in the "Should be Routed to - Domain name" field of the corresponding Foreign SMTP domain document. The name in this field links this SMTP Connection document with the Foreign SMTP Domain document; if the two names differ, the Router cannot pair the documents.
SMTP MTA relay host: Specifies the SMTP host to which the source server transfers outbound mail. This allows an SMTP server to further split Internet destinations and configure multiple relays. If this field is blank, the Router transfers outbound mail to the relay host specified in the server's Configuration Settings document. If there is no relay host specified in either this field or in the Configuration Settings document, the Router determines the next hop by looking up the destination domain in the DNS or a local hosts file, depending on the value of the "Host name resolution" field on the Router/SMTP - Basics tab of the Configuration Settings document.

For information on configuring how the Router resolves host names, see
the topic "Specifying how Domino looks up SMTP hosts when sending
outbound mail" later in this chapter.

4. On the Replication/Routing tab, complete these fields:

Field  Enter
Replication task: Disabled
Routing task: Choose Mail Routing. Because the same routing task is responsible for transferring messages over NRPC and SMTP, there's no need to specify SMTP routing. The source server must have SMTP routing enabled in its Server document; otherwise, the Router discards the information in the SMTP Connection document. Choose SMTP routing only if the specified source server is running Domino Release 4.6x or earlier.
Route at once if: The number of pending messages that will force routing. Default is 5.

5. On the Schedule tab, specify the desired routing schedule.
6. Click Save & Close. Replicate the Domino Directory to all servers in
the Domino domain.
The change takes effect after the next Router configuration update.
To put the new setting into effect immediately, recalculate the
routing tables on all affected servers.
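The next-hop selection described in the preceding topics (the Router picks the Foreign SMTP Domain document that most closely matches the address, forwards to a real Domino domain over a normal Connection document or pairs a virtual domain with an SMTP Connection document, and falls back from the document's relay host to the Configuration Settings relay host and then to DNS) can be exercised as a small model. This is an added example and not code from the Domino documentation or product: the class names, the sample servers and domains, and the rule that an Internet Domain pattern matches that domain and any of its subdomains on a label boundary are assumptions made for illustration.

```python
"""Next-hop selection for outbound Internet mail, modelled on the Foreign SMTP
Domain and SMTP Connection documents described above.

Added example, not IBM code. Class names, sample servers/domains, and the rule
that an Internet Domain pattern matches that domain and its subdomains (on a
label boundary) are assumptions made for illustration.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class ForeignSmtpDomain:
    internet_domain: str   # "Messages Addressed to - Internet Domain" (e.g. lotus.com or *.*)
    next_hop_domain: str   # "Should be Routed to - Domain name" (real Domino domain or virtual)


@dataclass
class SmtpConnection:
    source_server: str                # SMTP-enabled server that transfers the mail
    destination_domain: str           # must equal a Foreign SMTP Domain doc's next_hop_domain
    relay_host: Optional[str] = None  # "SMTP MTA relay host"; blank falls back to Config Settings


@dataclass
class Directory:
    foreign_smtp_domains: list
    smtp_connections: list
    domino_domains: set                      # real Domino domains reachable via Connection documents
    config_relay_host: Optional[str] = None  # relay host from the Configuration Settings document


def pattern_matches(pattern: str, domain: str) -> bool:
    """*.* matches everything; otherwise the domain itself or any subdomain of it (assumed rule)."""
    if pattern == "*.*":
        return True
    return domain == pattern or domain.endswith("." + pattern)


def best_foreign_smtp_domain(directory: Directory, address: str) -> Optional[ForeignSmtpDomain]:
    """Pick the document that most closely matches: longest pattern wins, *.* is the last resort."""
    domain = address.rsplit("@", 1)[1].lower()
    candidates = [d for d in directory.foreign_smtp_domains
                  if pattern_matches(d.internet_domain.lower(), domain)]
    if not candidates:
        return None
    return max(candidates, key=lambda d: 0 if d.internet_domain == "*.*" else len(d.internet_domain))


def resolve_next_hop(directory: Directory, address: str) -> dict:
    """Return how the Router would hand off a message to `address`, or an error describing the gap."""
    doc = best_foreign_smtp_domain(directory, address)
    if doc is None:
        return {"error": "no Foreign SMTP Domain document matches " + address}
    hop = doc.next_hop_domain
    if hop in directory.domino_domains:
        # Real Domino domain: the Router uses the ordinary Connection document to that domain.
        return {"matched": doc.internet_domain, "via": "notes", "next_domain": hop}
    conn = next((c for c in directory.smtp_connections if c.destination_domain == hop), None)
    if conn is None:
        # Common misconfiguration: the virtual name in the two documents does not agree.
        return {"matched": doc.internet_domain, "next_domain": hop,
                "error": "virtual domain %s has no SMTP Connection document" % hop}
    relay = conn.relay_host or directory.config_relay_host
    return {"matched": doc.internet_domain, "via": "smtp", "next_domain": hop,
            "source_server": conn.source_server, "relay_host": relay,
            "resolution": "relay host" if relay else "DNS/hosts lookup of destination domain"}


# Constructed sample directory (placeholder servers and domains, not real ones).
SAMPLE = Directory(
    foreign_smtp_domains=[
        ForeignSmtpDomain("lotus.com", "LotusGateway"),
        ForeignSmtpDomain("japan.lotus.com", "AsiaGateway"),
        ForeignSmtpDomain("ibm.com", "IBMDomain"),        # a real Domino domain
        ForeignSmtpDomain("*.*", "TheInternet"),
    ],
    smtp_connections=[
        SmtpConnection("Hub1/Acme", "TheInternet", relay_host="fw.acme.com"),
        SmtpConnection("Hub2/Acme", "LotusGateway"),
        SmtpConnection("Tokyo1/Acme", "AsiaGateway", relay_host="relay.jp.example"),
    ],
    domino_domains={"Acme", "IBMDomain"},
)

if __name__ == "__main__":
    for addr in ("jdoe@server1.japan.lotus.com", "info@lotus.com", "x@ibm.com", "y@example.org"):
        print(addr, "->", resolve_next_hop(SAMPLE, addr))
```

Running the block on the constructed directory shows the japan.lotus.com document winning over lotus.com for jdoe@server1.japan.lotus.com, the ibm.com mail leaving over Notes routing to the real IBMDomain, and everything else falling to the *.* document and its firewall relay; the error branch is the check to run after editing either document type, because a typo in the virtual domain name silently breaks the pairing.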
Configuring Domino to send and receive mail over SMTP
Setting up a Domino server as an SMTP server consists of enabling two
separate tasks: a listener task and a routing task. Enabling the SMTP
Listener allows a server to receive mail over SMTP. Enabling SMTP
routing lets the Domino Router send mail to other servers using SMTP.
You enable SMTP routing to destinations within the local Internet
domain separately from SMTP routing to external destinations. It’s also
possible to enable SMTP routing on a server without enabling the
Listener task, and vice-versa.
For example, to support POP3 and IMAP clients, which use SMTP to
send mail, you must have at least one internal server running the SMTP
Listener task. However, the server does not have to use SMTP when
transferring messages it receives over SMTP to the next hop on the
routing path. After the server has accepted a message over SMTP, it can
use Notes routing to transfer the message to other servers.
By default, Domino uses Notes routing only and is not configured for
SMTP routing. To have Domino use SMTP to send and receive mail, do
the following:
• Prepare your system for sending messages to the Internet by testing
your Internet connection and verifying that DNS is set up properly.
• Enable the SMTP Listener task in the Server document of each server
you want to receive mail over SMTP.
• Enable SMTP routing within the local Internet domain so that servers
can send mail over SMTP within the local Internet domain.
• Enable SMTP to be used to send messages outside the local Internet
domain.
• Specify the relay host, if any, to be used when sending mail outside
the local Internet domain. Configure a relay host for SMTP servers
that do not have direct access to the Internet.
• Set up inbound and outbound mail restrictions to protect against
misuse of the mail infrastructure.
• To allow POP3 or IMAP users who connect to Domino from an
external network to send mail to external Internet domains, specify
exceptions to inbound relay enforcement for authenticated users.
If you intend to allow users to access mail from POP3 or IMAP mail
clients, you must install and enable these access protocols on users’ mail
servers. By default, Domino supports only Notes client access.
For information about using POP3 mail, refer to the chapter “Setting Up
the POP3 Service.” For information about using IMAP mail, see the
chapter “Setting Up the IMAP Service.”
Preparing to send and receive mail to the Internet
Use this list to ensure that your system is ready to send mail to and
receive mail from the Internet or another private SMTP network.
1. Make sure that you have a connection to the Internet via an Internet
Service Provider (ISP) or a direct connection.
2. Use the Ping command to test the connectivity between the
SMTP-enabled server and any external host to which it connects. Test
the connection between machines from which messages will be sent
and the servers from which you send mail to the outside world, such
as your ISP. Ping tests only the accessibility of the host, not the
existence or proper configuration of SMTP.
3. Define a list of the inbound Internet domain names by which your
organization is known. In some cases, a company may have multiple
Internet domain names. Enter these names as aliases in the Global
domain document.
4. Make sure that the DNS is set up to include all the Internet domain
names that your company uses.
5. If your company uses a mail relay or firewall, obtain the host name.
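Because ping proves only that the host answers ICMP, a practitioner would follow step 2 with a check that the relay host or ISP server really answers on port 25 and advertises what you expect (for instance STARTTLS, so that the hop to the relay is not forced into the clear). The following script is an added example, not part of the Domino documentation: the host names are placeholders, check_smtp_host() needs network access, and the reply parser is shown here against constructed replies.

```python
"""Verify that a relay host or ISP mail server actually speaks SMTP, which ping
cannot tell you.

Added example, not part of the Domino documentation. Host names are
placeholders; check_smtp_host() needs network access, while the parsing
helpers are exercised only on constructed replies.
"""
import socket


def parse_reply(raw: str):
    """Parse one SMTP reply (single- or multi-line) into (code, [text lines]).

    Continuation lines look like '250-text', the final line '250 text'.
    Returns (None, []) if the data is not a well-formed reply.
    """
    code, lines = None, []
    for line in raw.splitlines():
        if len(line) < 3 or not line[:3].isdigit():
            return None, []
        if code is None:
            code = int(line[:3])
        elif int(line[:3]) != code:
            return None, []            # every line of one reply carries the same code
        lines.append(line[4:])
        if len(line) == 3 or line[3] == " ":
            break                      # final line reached
    return code, lines


def ehlo_capabilities(reply_lines) -> set:
    """EHLO keywords (STARTTLS, SIZE, AUTH, ...); the first line is the greeting, not a keyword."""
    return {l.split()[0].upper() for l in reply_lines[1:] if l.strip()}


def reply_complete(buf: bytes) -> bool:
    """True once the buffer ends with a final reply line ('250 text' or bare '250')."""
    lines = buf.decode("ascii", "replace").splitlines()
    last = lines[-1] if lines else ""
    return buf.endswith(b"\n") and len(last) >= 3 and (len(last) == 3 or last[3] == " ")


def read_reply(sock) -> str:
    """Read from the socket until the complete reply has arrived or the peer closes."""
    buf = b""
    while not reply_complete(buf):
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf.decode("ascii", "replace")


def check_smtp_host(host: str, port: int = 25, helo_name: str = "probe.example.com",
                    timeout: float = 10) -> dict:
    """Connect, read the banner, send EHLO and report what the peer advertises.

    helo_name is a placeholder; use your server's fully qualified host name in practice.
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        banner_code, banner = parse_reply(read_reply(s))
        if banner_code != 220:
            return {"ok": False, "banner": banner, "capabilities": set(), "starttls": False}
        s.sendall(("EHLO %s\r\n" % helo_name).encode("ascii"))
        code, lines = parse_reply(read_reply(s))
        s.sendall(b"QUIT\r\n")
    caps = ehlo_capabilities(lines) if code == 250 else set()
    return {"ok": code == 250, "banner": banner, "capabilities": caps, "starttls": "STARTTLS" in caps}


if __name__ == "__main__":
    import sys
    print(check_smtp_host(sys.argv[1] if len(sys.argv) > 1 else "localhost"))
```

Run it from the SMTP-enabled Domino server against each relay host or ISP server it will hand mail to; a banner other than 220, an EHLO rejection, or a missing STARTTLS keyword is worth resolving before enabling external SMTP routing.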
Setting up SMTP routing to external Internet domains
To send messages over SMTP to destinations outside of the local Internet
domain — for example, to the Internet or another private network — you
must enable external SMTP routing.
To enable SMTP routing outside of the local Internet domain
1. Make sure that you prepared your system to send mail to the
Internet.
2. Make sure you already have a Configuration Settings document for
the server(s) to be configured.
3. From the Domino Administrator, click the Configuration tab and
then expand the Messaging section.
4. Choose Configurations.
5. Select the Configuration Settings document and then click Edit
Configuration.
6. On the Router/SMTP - Basics tab, complete this field, and then save
the document:

Field  Enter
SMTP used when sending messages outside the local Internet domain: Choose one:
• Enabled to use SMTP to route mail to the Internet
• Disabled (default) to prevent the server from routing mail outside the local Internet domain

The change takes effect after the next Router configuration update.
To put the new setting into effect immediately, reload the routing
configuration.
Setting up SMTP routing within the local Internet domain
You can set up servers to use SMTP routing when transferring messages
to other servers in the local Internet domain.
You can enable SMTP routing on every server or only on servers that
route to destinations outside of the Domino named network. For
example, you may not have a direct IP connection between all the servers
in one TCP/IP Domino named network and all the servers in another.
You may still require that all messages moving from one Domino named
network to another be routed through hub servers.
To set up SMTP routing within the local Internet domain
1. Make sure you already have a Configuration Settings document for
the server(s) to be configured.
2. From the Domino Administrator, click the Configuration tab and
then expand the Messaging section.
3. Choose Configurations.
4. Select the Configuration Settings document to be edited and then
click Edit Configuration.
5. Click the Router/SMTP- Basics tab.
6. Complete these fields, and then save the document:

Field  Enter
SMTP allowed within the local Internet domain: Choose one:
• MIME messages only: The Router uses SMTP to transfer MIME messages to other Domino servers that are within the same Domino domain and that run the SMTP Listener.
• Disabled (default): The Router uses Notes routing to transfer mail to other servers in the same Domino domain.
• All messages: The Router uses SMTP to transfer both Notes format and MIME format messages to other Domino servers that are within the same Domino domain and that run the SMTP Listener. This causes Notes format messages to be converted to MIME format before being transferred, which may cause loss of fidelity and performance. For example, Notes Doclinks and applications such as Calendar and Scheduling will not work. You can limit the use of SMTP to transfer mail within the Domino domain by setting the next field ("Servers within the local Domino domain are reachable via SMTP over TCPIP") to only allow SMTP within the same Domino named network.
Servers within the local Domino domain are reachable via SMTP over TCPIP: Choose one:
• Always (default): The Router can use SMTP to transfer mail to any Domino server in the local Domino domain that runs the SMTP Listener.
• Only if in same Domino named network: The Router can use SMTP to transfer mail to other Domino servers in the local Domino domain only if the destination server is in the same Domino named network. If the destination server is in the local Domino domain, but resides in a different Domino named network, the Router must use Notes routing to transfer mail.

Enabling a server to receive mail sent over SMTP routing


To set up a server to receive SMTP-routed messages, you must enable the
SMTP Listener. Then the server can “listen” for SMTP traffic over the
TCP/IP port (usually port 25) and receive SMTP messages in the
MAIL.BOX database(s).
Enabling the SMTP listener causes the server SMTP task to start up
automatically every time the server starts. Disabling the SMTP listener
prevents the SMTP task from starting up when the server starts.
Note Do not add SMTP as a task to the task list in the NOTES.INI file or
this feature will not work.
To enable or disable the SMTP Listener
1. From the Domino Administrator, click the Configuration tab and
then expand the Server section.
2. Select the Server document to be edited, and then click Edit Server.
3. On the Basics tab, complete these fields:

Field  Enter
Fully qualified Internet host name: The server's complete combined host name and domain name, including the top-level domain. For example, smtp.acme.com; smtp is the host name; acme is the second-level domain; and .com is the top-level domain. In the absence of a Global Domain document, the Router uses the entry in this field to determine the local Internet domain. Typically, the fully qualified host name is added to the Server document during server setup or by the Administration Process (AdminP). A routing loop can result if this field does not contain a valid entry.
SMTP listener task: Choose one:
• Enabled to turn on the Listener so that the server can receive messages routed via SMTP routing
• Disabled (default) to prevent the server from receiving messages routed via SMTP routing

4. Click the Ports - Internet Ports - Mail tab.
5. In the Mail (SMTP Inbound) column, ensure that the TCP/IP port
status is set to Enabled, and then click Save and Close.
Refer to “Reconfiguring the SMTP port” for more information about
modifying the default SMTP port settings.
Setting up how addresses are resolved on inbound and outbound
mail
To ensure that messages are properly routed, you can configure the
following addressing and lookup options:
• Create forwarding addresses for users that do not have Notes mail
files
• Specify a smart host that contains a master directory for the
organization
• Enable Domino to accept mail for multiple Internet domains used by
the organization
• Specify how Domino looks up the recipients of incoming SMTP
messages
• Specify how Domino resolves host names for outbound SMTP
messages
• Enable Domino to look up the sender's Internet address from a
Person document when sending outbound SMTP messages
• Specify how Domino forms the sender's return address when
sending outbound Internet messages
Setting up a forwarding address
A forwarding address allows users who have Person documents in the
Domino Directory to have their mail forwarded to another address. Set
up forwarding addresses for users who:
• Change their names, for example, because of marriage, but still
want to receive all their messages.
• Move, for example, a user may resign from the company but leave
a forwarding address so that mail addressed to the old address is
forwarded to the new location.
• Use a different mail system and do not have Notes mail files.
Configure the forwarding address on the user’s Person document.
For more information about creating a Person document for a user, see
the chapter “Setting Up and Managing Notes Users.”
By default, the Router supports use of the “Send copy to” rule action,
which lets Notes users create mail rules to automatically forward copies
of messages delivered to their mail files to another address, such as a
forwarding address.
For information on disabling automatic message forwarding, see the
chapter “Customizing the Domino Mail System.”
Setting up a smart host
A smart host is a directory server to which SMTP-routed messages are
sent when the message recipient cannot be found in the Domino
Directory or other secondary directories configured on the server.
Typically, a smart host is used in organizations that employ multiple
mail systems within a single Internet domain. Users on these systems
may not be in the Domino Directory. For example, if some users are on a
UNIX sendmail system but their inbound messages are routed through
the Domino mail system, you can set up a smart host to ensure proper
address resolution.
After you set up a smart host, when Domino receives a message, if the
domain part of the recipient’s address matches the local Internet domain
or one of the alternate Internet domain aliases defined in the Global
Domain document, the Router looks up the address against all
configured directories. If the address is not found, the Router then uses
SMTP to forward the message to the configured smart host.
Domino sends all messages addressed to unknown recipients in the local
Internet domain to the configured smart host. You cannot configure
Domino to send to the smart host only messages addressed to recipients
in some subset of the internal domains and domain aliases defined in the
Global domain document.
Note Domino does not send messages addressed to unknown Notes
addresses to the smart host.
You must have DNS set up correctly to use a smart host. For more
information about DNS, see the chapter “Overview of the Domino Mail
System.”
To set up a smart host
1. Make sure you already have a Configuration Settings document for
the server(s) to be configured.
2. Enable “SMTP allowed within the local Internet domain” for “MIME
messages only.”
For information, see the topic “Setting up SMTP routing within the
local Internet domain” earlier in this chapter.
3. From the Domino Administrator, click the Configuration tab and
then expand the Messaging section.
4. Choose Configurations.
5. Select the Configuration Settings document and then click Edit
Configuration.
6. Click the Router/SMTP - Basics tab.
7. Complete these fields, and then save the document:

Field  Enter
Local Internet domain smart host: The host name for the server that hosts the directory for SMTP recipients who are not in the local Domino Directory. To provide a level of failover and load-balancing, specify a host name that maps to an existing MX record. You can also specify an IP address.
Smart host is used for all local Internet domain recipients: Choose one:
• Enabled to route all incoming SMTP messages to the smart host for lookup before routing elsewhere.
• Disabled (default) to route only messages whose recipients are not found in the Domino Directory to the smart host for lookup.

Note Smart host settings are ignored if you enable the field “Verify
that local domain recipients exist in the Domino Directory” on the
Router/SMTP - Restrictions and Controls - SMTP Inbound Controls
tab.
8. The change takes effect after the next Router configuration update.
To put the new setting into effect immediately, reload the routing
configuration.
Setting up a server to receive mail for multiple Internet domains
Every organization has a primary Internet domain name — for example,
acme.com — by which it is known to the rest of the world. By default,
Domino considers the local, primary Internet domain to be the domain
specified in the server’s host name. For example, for a server with the
host name Server1.acme.com, both Server1.acme.com and acme.com are
considered local Internet domains. The server does not accept messages
addressed to recipients in any other Internet domain.
In addition to having a primary Internet domain, some organizations use
alternate Internet domain names. If your organization uses more than
one Internet domain name, you’ll want Domino to consider other domain
suffixes as local. Using multiple Internet domain names typically results
when:
• An organization changes names
• An organization acquires or merges with another company that
already has an existing Internet domain name, and users continue to
use the other Internet domain in their addresses
• You set up a mail topology to route messages addressed to other
subsidiaries through your firewall before routing the messages to the
Internet or another private network
• You set up a mail topology specifically to include more than one
Internet domain name
If for any of the preceding reasons people in your organization have
addresses in an Internet domain other than the primary domain, create a
Global Domain document. A Global Domain document identifies the
Internet domains that are considered to be internal to a Domino domain
and for which the local domain can accept mail. By default, the Domino
Directory does not contain a Global domain document. Within the Global
Domain document, you specify one primary Internet domain name and
multiple secondary domains. Secondary domains are listed as alternate
Internet domain aliases.
You must ensure that the DNS is set up to include all the Internet domain
names that your company uses.
To create a Global Domain document
1. Make sure you already have a Configuration Settings document for
the server(s) to be configured. For Domino Release 5 and greater
servers, a Configuration Settings document is required to set up
SMTP routing.
2. From the Domino Administrator, click the Configuration tab and
then expand the Messaging section.
3. Choose Domains, and then click Add Domain.
4. On the Basics tab, complete these fields:

Field  Enter
Domain type: Choose Global Domain
Global domain name: (Optional) A word or phrase that describes the domain. Never use the name of an existing domain for your Global Domain.
Global domain role: Choose one:
• R5 Internet Domain: For Domino Release 5 and greater SMTP servers.
• R4.x SMTP MTA: For Domino servers that use the SMTP MTA to send Internet mail.

5. Click the Conversions tab, complete these fields, and then save the
document:

Field  Enter
Local primary Internet domain: The primary Internet domain name that your company uses to represent itself to the outside world, for example, another.com.
Alternate Internet domain aliases: Additional Internet domain names that your company uses, for example, still.another.com, yet.another.com, have.another.com, and so on. Use the asterisk (*) as a wildcard to represent the names of subdomains. Wildcard use is valid only if the wildcard character appears as the first character of a given entry and represents an entire subdomain name; for example, the entry *.another.com indicates that Domino treats any subdomain of "another.com" as a local domain. Entries that use wildcards in any other way are considered invalid, including:
• Using a wildcard in any position other than as a leading character in the entry. For example, the entries another.* and still.*.com are not valid.
• Using a wildcard on its own to represent an entire domain suffix. For example, the entry * is not valid.
• Using a wildcard to represent a portion of a name only. For example, the entries *other.com and *ill.another.com are not valid.

These fields represent the only ones you must complete if you are
using the Global Domain document solely for the purpose of
defining the internal Internet domains in an organization running
Domino Release 5 and greater.
6. Restart the server to put the changes into effect. The server reloads
information in the Global Domain document into memory only after
a restart.
For more information about DNS, see the chapter “Overview of the
Domino Mail System.”
If a Domino server uses ETRN to pull mail for multiple Internet domains
from another mail host, you can set up the Connection document to that
host to request mail for alternate Internet domains.
Specifying how Domino looks up the recipients of incoming SMTP
messages
When Domino receives a message over SMTP, the message recipient is
identified by an Internet-style address, in the format
Genevieve_Martin@acme.com, rather than a Notes-style address, such as
Genevieve Martin/Acme. To determine the correct destination mail file,
Domino must match the SMTP address to a Person document in the
Domino Directory. To find a match, the Router checks the $Users view of
the directory. This view displays all name entries in all Person
documents in the directory, including Internet mail addresses, as well as
all user name variations, first names, last names, common names (CN),
distinguished names (DN), short names, and soundex names.
Note To display the hidden $Users view: Open the directory, press
CTRL-SHIFT and select View-Go To. In the Go To dialog box, select the
view ($Users) and click OK.
Inbound recipient lookups are controlled by the Address lookup setting
on the Router/SMTP - Basics tab of the Configuration Settings document.
This setting determines the criteria that the Router uses when attempting
to match the SMTP address on an incoming message to an entry in the
$Users view. The Router matches addresses based on:
• The full SMTP address only, for example, Genevieve_Martin@acme.com
• The local part of the SMTP address (that is, the part to the left of the @ sign) only, for example, Genevieve_Martin
• The full SMTP address, and then, if no match is found, the local part of the address
When using full name matching, the Router searches the Domino
Directory for an exact match of the entire SMTP address (for example,
First_Last@Acme.com). If an exact match is not found, the Router
performs a secondary search if the domain suffix of the incoming address
is listed in the Global domain document as an Internet domain alias. For
this secondary search, the Router replaces the given domain suffix with
the domain suffix designated in the Global domain document as the
Primary domain name.
To prevent the Router from using domain aliases when looking up
addresses, do not include alternate Internet domain aliases in a Global
domain document. Instead, create multiple Global Domain documents,
each specifying a different primary Internet domain.
Setting Up Mail Routing 27-47
Mail
Restricting the Router to matching addresses on the full Internet address only ensures that each user's Internet address complies with a standard format. Users cannot receive inbound mail addressed to their short names, soundex names, or other name variations that exist in the $Users view. When configuring the Router to look up users' full Internet addresses only, complete the Internet address field in all Person documents, and in Mail-in Database documents for mail-in databases that receive mail over SMTP.
To specify how addresses are looked up
1. Make sure you already have a Configuration Settings document for
the server(s) to be configured.
2. From the Domino Administrator, click the Configuration tab and
then expand the Messaging section.
3. Choose Configurations.
4. Select the Configuration Settings document to be edited and then
click Edit Configuration.
5. Click the Router/SMTP - Basics tab.
6. Complete these fields, and then save the document:

Address lookup: Specifies how the Router searches the Domino Directory to determine the Notes recipient of an inbound Internet message. Choose one:
• Fullname then Local Part (default): The Router first searches the Domino Directory for a match for the full Internet address (localpart@domain.com). If no match is found, it searches the directory again, looking for a match for the local part of the address only.
• Fullname only: The Router searches the Domino Directory for full Internet addresses only. For example, it searches for "user@domain.com" but not for "user." If an exact match is not found and the domain suffix is equivalent to an Internet domain alias defined in the Global domain document, a secondary search is performed using the domain suffix of the primary Internet domain.
• Local Part only: The Router searches the Domino Directory for a match of the local part of the Internet address, that is, the part before the @ symbol. Local part matching matches periods and underscores in the address with spaces in the directory.

Exhaustive lookup: Choose one:
• Enabled: The Router searches all directories to ensure that there are no duplicate recipient names that might prevent the message from getting to the right person. Performing exhaustive lookups is time-consuming and places a heavy load on the server.
• Disabled (default): The Router limits its search to the first directory that contains the address.

The change takes effect after the next Router


configuration update. To put the new setting into effect
immediately, reload the routing

Specifying how Domino looks up SMTP hosts when sending outbound mail
You can specify how the Router determines the IP address(es) for
destination SMTP systems (for example, the Internet). Known as address
resolution, the method you select determines how the Router performs
domain-name-to-IP-address translation.
Address resolution methods are:
• Dynamic lookup only (DNS only)
• Local lookup only
• Dynamic then local
If you configure TCP/IP to use the Domain Name System (DNS), select Dynamic lookup only or Dynamic then local. For Dynamic lookup only, the Router queries a DNS server to map a fully qualified host name to an IP address.
For Dynamic then local, the Router first queries the DNS and then checks
a file on your local drive. This file, known as a hosts file, maps destination
host names to IP addresses. The Dynamic then local option can be useful
if you need to connect to internal hosts that are not listed in the DNS.
If you configure TCP/IP to use local hosts lookup, select "Local lookup only." If you use this option, the IP address and fully qualified host name for each destination must exist in the hosts file. This option requires more administrative attention than the Dynamic lookup only option because you need to maintain the file.
If the DNS does not list a destination host name, the Router designates
the message as non-deliverable. If the DNS is unavailable, the Router
retries delivery up to the configured number of times as indicated in the
Initial transfer retry field on the Configuration Settings document.
To set how host names are looked up
1. Make sure you already have a Configuration Settings document for
the server(s) to be configured.
2. From the Domino Administrator, click the Configuration tab and
then expand the Messaging section.
3. Choose Configurations.
4. Select the Configuration Settings document to be edited and then
click Edit Configuration.
5. Click the Router/SMTP tab.
6. On the Basics tab, complete this field, and then save the document:

Host name lookup: Choose one:
• Dynamic lookup only (DNS only): The Router determines the IP address for a host by looking it up in DNS. SMTP transfer can occur only if the destination host is listed in DNS.
• Local lookup only (host files only): The Router determines the IP address for a host by looking it up in a hosts file on the local machine.
• Dynamic then local (default): The Router determines the IP address for a host by looking it up in DNS first and then checking the local hosts file if no DNS entry exists.

7. The change takes effect after the next Router configuration update.
To put the new setting into effect immediately, reload the routing
configuration.
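The three lookup policies and the two failure modes the text distinguishes (a name absent from DNS is non-deliverable; a DNS server that cannot be reached is retried), as an added example. This is illustrative Python, not Domino code: the hosts file text, the fake DNS table and every host name are constructed, and the choice to let a DNS outage under "Dynamic then local" propagate as a retry rather than fall through to the hosts file is an assumption made here.

```python
"""Added example: the three 'Host name lookup' policies, with the two failure modes
the Router distinguishes. Illustrative Python, not Domino code; the hosts file text,
the DNS table and all host names are constructed."""


class DnsUnavailable(Exception):
    """DNS server not reachable: a transient error, so the transfer is retried."""


class NonDeliverable(Exception):
    """No record anywhere the policy allows: the message is marked non-deliverable."""


SAMPLE_HOSTS_FILE = """\
# constructed hosts file, same syntax as /etc/hosts
127.0.0.1     localhost
10.0.5.25     relay.internal.acme.com   relay
# 203.0.113.9 commented.example
"""


def parse_hosts(text):
    """Map each host name (case-insensitive) to its address; the first entry wins, as resolvers do."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # strip comments and blank lines
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            table.setdefault(name.lower(), ip)
    return table


def make_dns(records):
    """Fake DNS: a table of host -> address; None for the whole table means 'server unreachable'."""
    def lookup(host):
        if records is None:
            raise DnsUnavailable(host)
        return records.get(host)                  # None stands for NXDOMAIN
    return lookup


def resolve_host(host, policy, dns_lookup, hosts_table):
    """policy is 'dns_only', 'local_only' or 'dns_then_local' (the manual's default)."""
    host = host.lower().rstrip(".")
    if policy == "dns_only":
        ip = dns_lookup(host)
    elif policy == "local_only":
        ip = hosts_table.get(host)
    elif policy == "dns_then_local":
        ip = dns_lookup(host)                     # assumption: an outage is retried, not masked by the hosts file
        if ip is None:
            ip = hosts_table.get(host)
    else:
        raise ValueError(f"unknown policy {policy!r}")
    if ip is None:
        raise NonDeliverable(host)
    return ip


def transfer_status(host, policy, dns_lookup, hosts_table, retries=3):
    """Outcome of one delivery attempt loop, as a string, with retries only for DNS outages."""
    for _ in range(retries):
        try:
            return f"transfer to {resolve_host(host, policy, dns_lookup, hosts_table)}"
        except NonDeliverable:
            return "non-deliverable"
        except DnsUnavailable:
            continue                              # counts against the transfer retry limit
    return f"held after {retries} retries"


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS_FILE)
    dns = make_dns({"mx.partner.example": "203.0.113.10"})
    for target, policy in [("mx.partner.example", "dns_only"),
                           ("relay.internal.acme.com", "dns_only"),
                           ("relay.internal.acme.com", "dns_then_local")]:
        print(f"{policy:15} {target:26} -> {transfer_status(target, policy, dns, hosts)}")
    print("dns down       ", transfer_status("mx.partner.example", "dns_then_local", make_dns(None), hosts))
```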
Enabling the Router to look up the sender’s Internet address from
the Person document
When a Notes client is configured to send mail for Internet recipients in
Notes rich text format, a Domino server must convert outbound mail
from the client to MIME format for Internet mail transport over SMTP.
The Domino server responsible for the conversion must ensure that all
addresses in the message headers, including both the recipient and
sender addresses, are in Internet mail (RFC 821/822) format.
If the sending user’s Location document specifies an Internet address,
Domino places this address in the From field of the MIME message.
However, if the Location document does not specify an Internet address,
Domino must obtain the address by other means. By default, Domino
forms an Internet address by converting spaces in the user’s Notes
address into underscores, and prefixing the names of Domino domains in
the address with percent signs. For example, a Domino server in the
acme.com Internet domain converts the Notes address John
Smith@Notes to the Internet address John_Smith%Notes@acme.com.
Domino determines the Internet domain from the Server document or
the Global Domain document.
If your organization prefers to standardize Internet addresses using a
format that does not reveal internal domain names, you can specify an
Internet address in each user’s Person document and configure Domino
to look up the specified addresses during MIME conversion.
1. Make sure you already have a Configuration Settings document for
the server(s) to be configured.
2. From the Domino Administrator, click the Configuration tab and
expand the Messaging section.
3. Click Configurations.
4. Select the Configuration Settings document for the mail server or
servers you want to administer, and click Edit Configuration.
5. Click the MIME - Conversion Options - Outbound tab.
6. Complete the following and click Save & Close:

Lookup Internet address for all Notes addresses when Internet address is not defined in document: Addresses on all messages sent to Internet recipients must be in Internet format (RFC 821/822 format). A Notes user may send a message to both Notes addresses and Internet addresses. To specify how Domino converts the addresses of Notes recipients on messages sent to the Internet, choose one:
• Enabled: On outbound Internet messages, if the address of the sender or any recipient is in Notes format, Domino looks up the user's Internet address from the Person document and, if found, substitutes it for the Notes address before sending.
• Disabled (default): Domino forms Internet addresses based on rules in the Global Domain document. If a Global domain document is not present, Domino constructs addresses by converting spaces into underscores and encoding Domino domains with percent signs. For example, Domino converts the Notes address John Smith@Notes to the Internet address John_Smith%Notes@acme.com. When this option is disabled, Domino continues to perform Internet address lookups if configured to do so in the field "Internet address lookup" in the SMTP Address Conversion section of the Conversion tab of the Global Domain document.

How Domino formats the sender's Internet address in outbound messages
Outbound SMTP messages always include the Internet address of the sender. Domino can obtain the sender's address, sometimes called the reply address, from the sender's Location document, from the sender's Person document, or by constructing the address based on a default format or on rules configured in the Global Domain document. To ensure that replies are routed correctly to the original sender, the reply address should match the sender's Internet address.
27-52 Administering the Domino System, Volume 1
To comply with Internet addressing standards, Domino uses RFC 821 or
RFC 822 address formats for any message sent over SMTP, as illustrated
in the following table.

Address style: Internet address format (example)
RFC 821: Username@IPDomain.TopLevelDomain (Tyler_Hamilton@acme.com)
RFC 822: "FriendlyName" <Username@IPDomain.TopLevelDomain> ("Tyler Hamilton" <Tyler_Hamilton@acme.com>)

If a Domino SMTP server receives a message that is in Notes mail format, as when a server in the local network transfers a message to an SMTP server for routing to the Internet, it must convert that message to MIME before transferring it over SMTP. As part of the conversion process, the Router replaces Notes-style addresses in the message, including the sender's address, with Internet-style addresses.
It is easy for the Router to supply the appropriate address when it has been defined in the sender's Location document. In this case, the sender's Notes client enters the Internet address in the INetFrom field of the message. When converting the message for SMTP transfer, the Router uses the supplied Internet address.
For more information about Location documents, see the topic “Creating
or editing a Location document manually” in Lotus Notes 6 Help. You
can download or view Notes 6 Help from the Documentation Library of
the Lotus Developer Domain at http://www.lotus.com/ldd/doc.
If the sender’s Internet address is not present in the Notes message, the
Router can attempt to retrieve it from the Person document. For address
lookups to occur, you must enable them on the MIME - Conversion
Options - Outbound tab of the server’s Configuration Settings document
(if lookups are disabled in the Configuration Settings document, they can
occur if enabled in the Global domain document).
For information about enabling outbound address lookup in the
Configuration Settings document, see the chapter “Customizing the
Domino Mail System.”
Finally, if the Router cannot obtain the sender’s Internet address from
either the message itself or the Person document, it will construct the
address. You can specify the rules for constructing this address in the
Global domain document, but in the absence of a Global domain
document, the Router constructs Internet addresses using the following
default format:
Full_Name/Org%DominoDomain@IPDomain.TopLevelDomain
For example, the Router on the host smtp.acme.com would construct the
following default Internet address for the Notes user Tyler
Hamilton/Sales@Europe: Tyler_Hamilton/Sales%Europe@acme.com.

Full_Name: The Notes common name of the sender. The Router replaces spaces in the name with underscores. For example, Tyler Hamilton becomes Tyler_Hamilton.

Org: The organizational certifier or certifiers in the sender's Notes hierarchical name. For example, /Sales.

DominoDomain: The name of the Domino domain that hosts the user's mail file. For example, Europe. By default, the Domino domain is separated from the Org name by the percent (%) character.

IPDomain.TopLevelDomain: The Internet domain suffix listed in the Fully qualified Internet host name field of the Server document of the server converting the message for SMTP transfer. For example, the domain suffix of the server smtp.acme.com is acme.com.

To ensure that messages always include the sender's correct and reply-able Internet address, always add the Internet address to a user's
Location document and Person document. To fill in the Internet Address
field for all Person documents in which the field is blank, use the Internet
Address Tool.
For more information about the Internet Address tool, see the Upgrade
Guide.
Changing the default format for constructing the sender's Internet
address on outbound mail
When converting a Notes message for SMTP transfer, the Router replaces
the Notes address of the sender with an Internet address. If the Router
cannot determine the sender’s Internet address, either from the InetFrom
field of the Notes message, or the Internet address field of the user’s
Person document, it constructs an Internet address by combining the
user’s Notes name with Domino domain and Internet domain
information. The rules for constructing the sender’s Internet address are
specified in the Global domain document. By default, the Global domain
document constructs addresses in the following format:
First_Last/ou/org%DominoDomain@Internetdomain.TopLevelDomain
For example:
Meredith_Richards/East/Acme%Acme@acme.com
The address conversion settings in the Global domain document apply to
all mail sent over SMTP from servers in this Global domain — including
messages for recipients in the local Internet domain as well as messages
for recipients in external Internet domains.
The Router uses the address conversion settings in the Global domain
document for outbound mail only in cases where the sender does not
have an Internet address defined in the Location and Person documents,
or address lookup to the Domino Directory either fails or is disabled.
To ensure that every user has a standard Internet address, populate the
Internet address field in each user’s Person document. The Internet
address tool available in the Domino Administrator lets you specify an
address format for creating unique Internet addresses in every Person
document in which the Internet address field is not currently set.
Generally speaking, if all users have Internet addresses in their Person
documents and address lookups are always successful, address
construction on outbound SMTP messages never occurs. However, even
if you complete the Internet address field of every user’s Person
document, configure address conversion in at least one Global domain
document to ensure that addresses are formed correctly in the event that
lookups fail and address conversion occurs. Only in the most limited of
deployments can one expect never to require address conversion.
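The fallback chain (INetFrom on the message, then the Person document, then construction) and the default construction rule from the preceding sections, as an added example. This is illustrative Python written for this page, not Domino's own conversion code; every name, domain and address in it is constructed, and it goes one step beyond the manual's examples by also accepting canonical names (CN=.../OU=.../O=...) before applying the rule. The last helper makes the point the text raises about standardizing addresses: a constructed address carries the Notes hierarchy and Domino domain name out to the Internet.

```python
"""Added example: how a sender's Internet address is chosen and, as a last resort,
constructed from the Notes name. Illustrative Python, not Domino code; every name,
domain and address below is constructed."""
import re

_CANONICAL_PREFIX = re.compile(r"^(?:CN|OU|O|C)=", re.IGNORECASE)


def abbreviate(notes_name):
    """Canonical 'CN=Tyler Hamilton/OU=Sales/O=Acme' -> abbreviated 'Tyler Hamilton/Sales/Acme'.
    Names that are already abbreviated pass through unchanged."""
    name, at, domino_domain = notes_name.partition("@")
    parts = [_CANONICAL_PREFIX.sub("", part) for part in name.split("/")]
    return "/".join(parts) + at + domino_domain


def construct_internet_address(notes_name, internet_domain):
    """Default rule: Full_Name/Org%DominoDomain@IPDomain.TopLevelDomain.
    Spaces become underscores; '@DominoDomain' is re-encoded as '%DominoDomain'."""
    name, _, domino_domain = abbreviate(notes_name).partition("@")
    local = name.replace(" ", "_")
    if domino_domain:
        local = f"{local}%{domino_domain}"
    return f"{local}@{internet_domain}"


def sender_address(inet_from, person_internet_address, notes_name, internet_domain,
                   lookup_enabled=True):
    """Precedence: INetFrom on the message (filled by the client from its Location document),
    then the Person document when outbound lookup is enabled, then construction.
    Returns (address, where it came from)."""
    if inet_from:
        return inet_from, "message"
    if lookup_enabled and person_internet_address:
        return person_internet_address, "person document"
    return construct_internet_address(notes_name, internet_domain), "constructed"


def rfc822_from(friendly_name, address):
    """RFC 822 form: "Friendly Name" <address>, with backslashes and quotes escaped."""
    quoted = friendly_name.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{quoted}" <{address}>'


def reveals_internal_names(address):
    """True when the local part carries Notes hierarchy ('/') or a Domino domain ('%')."""
    local = address.rpartition("@")[0]
    return "%" in local or "/" in local


if __name__ == "__main__":
    user = "Tyler Hamilton/Sales@Europe"
    for args in [("Tyler_Hamilton@acme.com", "", user, "acme.com"),
                 ("", "Tyler_Hamilton@acme.com", user, "acme.com"),
                 ("", "", user, "acme.com")]:
        addr, source = sender_address(*args)
        print(f"{source:16} {rfc822_from('Tyler Hamilton', addr):48} leaks={reveals_internal_names(addr)}")
```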
For information about enabling Internet address lookup for outbound
SMTP mail, see the topic “Enabling the Router to look up the sender’s
Internet address from the Person document” earlier in this chapter.
How Domino uses Global domain documents during inbound and
outbound SMTP routing
When Domino receives an inbound SMTP message, it attempts to
determine whether the message is for a local recipient. When the Domino
Directory does not include a Global Domain document, Domino accepts
only messages addressed to users in the same Internet domain as the
server, as indicated in the Fully-qualified Internet host name that appears
in the Server document.
But if the Domino Directory includes a Global domain document,
Domino can receive mail for multiple Internet domains. To determine
whether to accept a message, Domino compares the domain part to the
local primary Internet domain listed in the Global domain document. If it
does not find a match in this field, it examines the secondary Internet
domains — the “alternate Internet domain aliases” — listed in that
document.
The role of Global domain documents in determining whether to
accept inbound SMTP mail
If the Domino Directory contains multiple Global domain documents,
Domino uses a similar process to determine whether a recipient is local:
it first checks the primary Internet domain in each Global Domain
document, and then, if it still hasn’t found a match, it continues by
checking the alternate Internet domains. If the domain in the address
does not match any of the domain entries in any Global domain
document, the message is considered an attempt to relay, and Domino
rejects the message.
Inbound address lookup when the Domino Directory contains
multiple Global Domain documents
After Domino accepts a message, the Router attempts to match the recipient's Internet address to an entry in the Domino Directory. When looking up the recipient in the Domino Directory, if the domain suffix in the address matches an alternate Internet domain alias defined in a Global Domain document, and no Person document includes this address, the Router performs a secondary lookup. In this secondary lookup, the Router pairs the local part of the address with the domain suffix of the primary Internet domain specified in that Global domain document.
For example, a server receives a message for
craig_bowker@acmewest.com. The Router searches all of the Person
documents in the Domino Directory for this Internet address, but cannot
find a match. However, in the Domino Directory, there is a Global
domain document that includes the domain suffix acmewest.com as an
alternate Internet domain alias. In this same Global Domain document,
the primary Internet domain is acme.com. After the primary lookup fails,
Domino performs a secondary lookup, using the address
craig_bowker@acme.com. Domino performs secondary lookups only if
the Router is configured to perform fullname, or fullname, then local part
lookups.
In cases where the Domino Directory contains multiple Global domain
documents, and a secondary lookup is required, when replacing the
domain suffix in the original address with the domain suffix of the
primary Internet domain, the Router only considers Global domain
documents that list the alternate Internet domain alias. That is, Domino
always replaces the domain suffix from within a given document; it
never replaces an alternate domain listed in one document with a
primary domain from another document.
To prevent the Router from using domain aliases when looking up
addresses, do not include alternate Internet domain aliases in a Global
domain document. Instead, create multiple Global Domain documents,
each specifying a different primary Internet domain.
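The accept-or-relay decision described in this section, together with the wildcard rules for the Alternate Internet domain aliases field on the Conversions tab and the rule that a secondary lookup only ever swaps an alias for the primary domain of the same document, as one added example. This is illustrative Python, not Domino code; the Global Domain documents, domains and addresses are constructed, and whether "*.another.com" also covers the bare name another.com is not stated by the manual, so subdomains only is an assumption made here.

```python
"""Added example: accepting or rejecting inbound SMTP recipients from Global Domain
documents, with the wildcard rules for 'Alternate Internet domain aliases' and the
per-document secondary lookup. Illustrative Python, not Domino code; the domains and
documents are constructed."""
import re

_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
_DOMAIN_RE = re.compile(rf"^(?:{_LABEL}\.)+{_LABEL}$")


def valid_alias(entry):
    """Only a leading '*.' followed by a complete domain is an accepted wildcard form."""
    entry = entry.strip().lower()
    if "*" not in entry:
        return bool(_DOMAIN_RE.match(entry))
    if not entry.startswith("*."):      # rejects 'another.*', 'still.*.com', '*', '*other.com'
        return False
    rest = entry[2:]
    return "*" not in rest and bool(_DOMAIN_RE.match(rest))


def domain_matches(entry, domain):
    """'*.another.com' covers every subdomain of another.com (assumed: not another.com itself)."""
    entry, domain = entry.lower(), domain.lower().rstrip(".")
    if entry.startswith("*."):
        return domain.endswith(entry[1:])
    return entry == domain


class GlobalDomainDocument:
    def __init__(self, primary, aliases=()):
        bad = [alias for alias in aliases if not valid_alias(alias)]
        if bad:
            raise ValueError(f"invalid alias entries: {bad}")
        self.primary = primary.lower()
        self.aliases = tuple(alias.lower() for alias in aliases)

    def alias_matches(self, domain):
        return any(domain_matches(alias, domain) for alias in self.aliases)


def find_global_domain(docs, domain):
    """Primaries of all documents first, then aliases; None means no local domain matched."""
    for doc in docs:
        if domain_matches(doc.primary, domain):
            return doc
    for doc in docs:
        if doc.alias_matches(domain):
            return doc
    return None


def accept_recipient(docs, server_internet_domain, recipient):
    """RCPT TO decision. With no Global Domain document only the server's own Internet domain
    (from the Server document) is local; anything else is treated as a relay attempt."""
    local, _, domain = recipient.rpartition("@")
    if not local or not domain:
        return False
    if not docs:
        return domain.lower() == server_internet_domain.lower()
    return find_global_domain(docs, domain) is not None


def secondary_lookup_address(docs, recipient):
    """Alias suffix replaced by the primary domain of the SAME document, never another one."""
    local, _, domain = recipient.rpartition("@")
    for doc in docs:
        if doc.alias_matches(domain):
            return f"{local}@{doc.primary}"
    return None


# Constructed documents: acme.com with an alias and a subdomain wildcard, and a second
# document with its own primary domain and no aliases.
SAMPLE_DOCS = [
    GlobalDomainDocument("acme.com", ["acmewest.com", "*.acme.com"]),
    GlobalDomainDocument("another.com"),
]

if __name__ == "__main__":
    for rcpt in ["craig_bowker@acmewest.com", "x@sales.acme.com", "x@another.com", "x@victim.example"]:
        ok = accept_recipient(SAMPLE_DOCS, "acme.com", rcpt)
        print(f"{rcpt:28} accept={ok!s:5} secondary={secondary_lookup_address(SAMPLE_DOCS, rcpt)}")
```

Rejecting anything that matches no primary or alias is what keeps the server from becoming an open relay; validating alias entries up front matters because an entry such as "*" would otherwise read as "every domain is local".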
Controlling outbound address construction with multiple Global domain documents
When the Domino Directory contains a single Global Domain document,
the address construction rules in that document determine how a server
forms the sender’s address in an outbound SMTP message. However, if
the Domino Directory contains multiple Global Domain documents,
when constructing the sender’s address, Domino uses the Internet
domain specified in the Server document and the address construction
rules defined in the Global Domain document listed last, alphabetically,
in the directory. If you want Domino to form the sender’s outbound
address from the primary Internet domain and the address construction
rules contained in a particular Global domain document, designate that
document as the default Global Domain document.
Designating a default Global domain document
When there are multiple Global Domain documents in the Domino Directory, designate one as the default so that when servers construct a sender's outbound Internet address, the addresses created are based on the primary Internet domain and address construction rules specified in the designated document.
1. From the Domino Administrator, click the Configuration tab and
then expand the Messaging section.
2. Choose Domains, and click Global Domain
3. Select the Global Domain document you want to designate as the
default and click Edit Domain.
4. On the Basics tab, complete following field, and then click Save &
Close:

Use as default Global Domain (for use with all Internet protocols except HTTP): Select Yes to designate this Global Domain document as the default Global Domain for this Domino Directory.

Configuring Domino to send mail to a relay host or firewall
A relay host can be a server within your organization or an Internet
Service Provider (ISP) that routes messages addressed to destinations
outside the local Internet domain. Often the same server acts as a firewall
through which your organization funnels all messages outbound to the
Internet. It can be a Domino server or another type of server — for
example, a UNIX sendmail server.
To configure internal SMTP servers to send mail to a relay host, you specify the IP address or host name of the relay host in the Configuration Settings document. If connections from the internal mail server to an ISP mail server pass through a firewall, specify the internal interface of the firewall in this field, and configure the firewall to forward traffic received on port 25 to the ISP mail server.
Servers that do not route mail over SMTP require special configuration to
transfer messages to a relay host or firewall. For more information, see
the topic “Transferring outbound Internet mail to an SMTP server over
Notes routing” earlier in this chapter.
For information about restricting relay access through an Internet
domain, see the chapter “Customizing the Domino Mail System.”
Configuring multiple relay hosts
To enable greater control over outbound message routing, you can
configure multiple relay hosts. Using multiple relay hosts enables Domino
to route mail addressed to certain Internet domains to certain relay hosts,
without first performing a DNS lookup. For example, you can split
external SMTP mail routing so that Domino routes all outbound Internet
mail along one path, except mail addressed to a specific domain, such as
*.acmepartner.com, which it sends through a specific SMTP server.
To configure multiple relay hosts, create a Foreign SMTP Domain
document for each set of destinations, and then create SMTP connection
documents to match these foreign SMTP domain documents. For
example, using the previous example, you would create one Foreign
SMTP Domain document for *.* and another for *acmepartner.com.
Foreign SMTP Domain documents are used by servers that route mail over SMTP as well as by those using NRPC. For servers that use SMTP routing, Foreign SMTP Domain documents indicate the destinations that need relay hosts and the relay host to use in each case.
For more information on creating Foreign SMTP Domain documents, see
the topic “Transferring outbound Internet mail to an SMTP server over
Notes routing” earlier in this chapter.
To set up a relay host
1. Make sure you already have a Configuration Settings document for
the server(s) to be configured.
2. From the Domino Administrator, click the Configuration tab and
then expand the Messaging section.
3. Choose Configurations.
4. Select the Configuration Settings document and then click Edit
Configuration.
5. Click the Router/SMTP - Basics tab.
6. Complete this field, and then click Save & Close:

Relay host for messages leaving the local Internet domain: The host name, domain name, or IP address of the server being used as a relay host. A domain name is a valid entry only if the internal DNS contains an MX record for that domain and can resolve it to a host name. When entering an IP address, enclose it within square brackets; for example, [127.0.0.1].

7. The change takes effect after the next Router configuration update. To put the new setting into effect immediately, reload the routing configuration.
8. After you set up a relay host, you can set up restrictions based on where the message originated or the message destination.
Routing mail over transient connections
Sites that do not have permanent connections to the Internet, or to other
servers on the Domino network, can send and receive messages over a
transient connection, such as a dialup connection.
For example, an organization that does not have a constant connection to
the Internet might use a remote mail server at its ISP to hold mail until a
local mail server calls in to the ISP server to retrieve or “pull” pending
messages from the ISP server. If the ISP mail server supports the SMTP
ETRN command, you can configure the Domino server to “pull” mail
over SMTP. A local Domino server can also use Notes routing protocols
to pull messages from a remote Domino server over a Notes Direct
Dialup connection.
Setting up Domino to pull mail from a remote server
By default, when a local server initiates a connection to a remote server, it uses the connection to push messages to the remote server. The local server does not "pull" pending messages from the remote server. Instead, the local server only receives mail from the remote server when the remote server initiates a connection to route those pending messages.
To change this default behavior and have the local server retrieve
messages from a remote server during the same session in which it sends
messages to the remote server, set up the local server to send a “pull
request” to the remote server.
When the local server is configured to send a “pull request,” it sends a
message to the remote server requesting that the server deliver any
messages it has pending for the local server. The remote server receiving
the pull request can be any SMTP host; it does not have to be a Domino
server. When the remote server receives the “pull request,” it checks its
mail queues for any messages pending for the initiating server and starts
the processing necessary to transfer those messages.
If you are using SMTP routing, you must make sure that the ETRN protocol extension has been enabled on the other server (the one receiving the "pull request"), or it will not be able to process the pull request. The remote server must also be able to resolve the DNS host name of the initiating server to an IP address so that the messages can be sent. Generally, ETRN therefore requires that the initiating server have a static IP address that is published in DNS and visible to the server holding the pending messages.
Note Some ISPs use DHCP to assign a host a new IP address whenever
it connects. If the remote system assigns a new IP address every time you
connect, do not configure dialup systems to use pull routing.
When configuring dialup routing, you can indicate how long the
initiating server keeps the line open to allow the remote server to
establish a connection. This is useful to prevent the initiating server from
hanging up the line before the remote server is able to attempt to transfer
any pending mail. The initiating server sends a pull request, then pushes
any messages it has for the remote server, and then waits for any
messages pending from the remote server.
When sending a pull request, the initiating server can also request
messages for other servers, domains, hosts, or any queue name within
your organization for which the initiating server is responsible.
The ETRN command
With ETRN support, a dialup SMTP host can notify an SMTP server
holding messages for it when to deliver those messages. ETRN enables
servers to use bandwidth resources efficiently, because the dialup host
sends and receives mail during the course of a single session.
ETRN stands for Extended Turn. It is an SMTP service extension command, defined in RFC 1985, that provides improved security over the SMTP TURN command originally defined in RFC 821. The TURN command allows the hosts in an SMTP session to reverse their respective roles, so that, for example, if Server1 is sending an SMTP message to Server2, Server1 can issue the TURN command so that Server2 then becomes the sender and Server1 the receiver.
However, because the TURN command has no mechanism for verifying the identity of the calling host, use of the command poses a security risk. A malicious user who spoofs the identity of a server can falsely appear to belong to someone else's Internet domain and then use the TURN command to retrieve messages intended for that domain.
The ETRN command plugs this security hole by redefining the sending
and receiving roles during the course of the SMTP session. For example,
after Server1 issues the ETRN command to Server2, ETRN instructs
Server2 to open a new SMTP session with Server1. Because Server2 has
to resolve the name of Server1 to an IP number in the DNS, Server2 is
more likely to open a new SMTP session with the correct machine.
For Domino to use ETRN to retrieve new mail over a dialup connection,
your ISP must support this command. Check with your ISP to verify
whether they support this command or not. You can also verify support
for the command by establishing a telnet connection to port 25 of the
ISP’s SMTP server. After the SMTP session starts, type EHLO and press
Enter. The response from the ISP’s SMTP server indicates whether the
server supports ETRN.
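The manual EHLO check above, as an added Python example that does the same thing programmatically (not Domino code and not part of the manual): it parses the extension list an SMTP server returns after EHLO and, when ETRN is advertised, issues ETRN for a queue name. The EHLO reply text, the host names and the queue name are constructed; only check_etrn_live() opens a network connection. The point of the ETRN design is visible in the exchange: the server does not hand the queue over on this connection but opens a fresh session to whatever the queue name resolves to in DNS, so a caller that merely claims to be acme.com gets nothing.

```python
"""Added example: checking an SMTP server's EHLO reply for the ETRN extension and, when it is
there, issuing ETRN for a queue. Illustrative Python, not Domino code; the EHLO reply and all
host names are constructed, and only check_etrn_live() touches the network."""
import smtplib

# Constructed EHLO reply of the kind a manual telnet session to port 25 would show.
SAMPLE_EHLO_REPLY = """\
250-mail.isp.example Hello dialup.acme.com [198.51.100.7]
250-SIZE 52428800
250-8BITMIME
250-ETRN
250-STARTTLS
250 HELP"""


def parse_ehlo(reply):
    """Map each advertised extension keyword (upper-cased) to its parameter string."""
    extensions = {}
    for line in reply.splitlines()[1:]:        # the first line is the greeting, not an extension
        body = line[4:].strip()                # drop the '250-' / '250 ' prefix
        keyword, _, params = body.partition(" ")
        if keyword:
            extensions[keyword.upper()] = params
    return extensions


def supports_etrn(reply):
    """True when the server lists ETRN among its EHLO extensions."""
    return "ETRN" in parse_ehlo(reply)


def check_etrn_live(host, queue_name, helo_name="dialup.acme.com", timeout=15):
    """EHLO, confirm ETRN is advertised, then send 'ETRN queue_name'.
    Returns (code, text), or None when ETRN is not advertised. Reply codes follow RFC 1985:
    250, 251, 252 and 253 mean the request was accepted, 458 and 459 mean it was refused.
    The server then opens its own connection to the DNS name behind queue_name; nothing is
    delivered over this session."""
    with smtplib.SMTP(host, 25, timeout=timeout) as session:
        session.ehlo(helo_name)
        if not session.has_extn("etrn"):
            return None
        code, text = session.docmd("ETRN", queue_name)
        return code, text.decode("ascii", "replace")


if __name__ == "__main__":
    print("ETRN advertised in sample reply:", supports_etrn(SAMPLE_EHLO_REPLY))
    print("Extensions:", parse_ehlo(SAMPLE_EHLO_REPLY))
    # Live check against a real ISP host (constructed name; replace before running):
    # print(check_etrn_live("mail.isp.example", "acme.com"))
```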
For more information about Notes Direct Dialup Connections and
Network Dialup Connections, see the chapter “Setting Up
Server-to-Server Connections.”
To set up a server to route mail over a transient connection
1. For SMTP routing, on the Router/SMTP Basics tab of the
Configuration Settings document for the sending server, enable
SMTP for messages sent outside the local Internet domain.
For information on how to enable SMTP for outbound Internet mail,
see the topic “Setting up SMTP routing to external Internet domains”
earlier in this chapter.
2. From the Domino Administrator, click the Configuration tab and
then expand the Messaging section.
3. Click Connections.
4. Click Add Connection.
5. On the Basics tab, complete these fields:

Connection type
    Choose one:
    • Network Dialup — Choose this option for servers that will route mail
      over SMTP using this dialup connection. You can also use this option
      for NRPC routing.
    • Notes Direct Dialup — Choose this option only for servers that will
      use this connection to route mail over NRPC to another Domino server.

Source server
    The Notes hierarchical name of the local Domino server initiating the
    routing request, for example, SMTP/East/Acme.

Source domain
    The Domino domain of the source server, for example, AcmeEast.

Use the port(s)
    For Network Dialup connections, enter the port name for the Domino
    TCP/IP port on the local server.
    For Notes Direct Dialup connections, specifies the name of the
    communications port that the source server uses.

Destination server
    The name of the Domino server, or SMTP server, to which you want to
    route mail.
    For SMTP routing connections to an ISP server, enter the host name of
    the ISP server, for example, internet.isp.com. Depending on the
    requirements of your ISP, the specified host can be used for outbound
    mail, inbound mail (using ETRN), or both. If the host is used for
    outbound mail, enter the same host name on the Router/SMTP - Basics
    tab of the Configuration Settings document, in the field “Relay host for
    messages leaving the local Internet domain.”

Destination domain
    For routing to Domino servers over Notes routing, enter the Domino
    domain of the destination server. Leave this field blank when
    configuring SMTP routing to an ISP server.

6. On the Routing and Replication tab, complete these fields, and then
click Save & Close:

Routing task
    Select Mail routing.

Router type
    Choose one:
    • Push/Wait — Select this option when the destination server is used
      for outbound mail only, and initiates the connection to the source
      server. After the source server establishes the dialup connection, it
      waits to receive a connection from the destination server. When the
      destination server connects and issues a “pull request,” the source
      server then pushes any messages pending for the remote server.
    • Push Only — (default) Select this option if the destination server is
      used for outbound mail only. The source server calls the destination
      server and sends messages queued for that destination. You’ll need to
      create a separate Connection document to the server used for inbound
      mail.
    • Pull Push — Select this option if the ISP host to which the source
      server connects is used for both inbound and outbound routing. The
      source server calls the destination server, pushes, or sends, any
      pending messages for that destination, and then “pulls” messages from
      the destination server (actually, the calling server issues a request
      to the other server to push messages back to it). The destination
      server pushes any pending messages back to the source server. If you
      select this option, you must specify whether the source server issues
      the pull request using Notes routing or SMTP.
    • Pull Only — Select this option if the destination server is used for
      inbound mail only. The source server calls the destination server and
      issues a pull request (a request for the other server to push back
      messages). The destination server pushes any pending messages to the
      source server. You’ll need to create a separate Connection document
      to the server used for outbound mail.

Pull routing request protocol
    Choose one:
    • Notes RPC — The server makes the pull request using Notes Remote
      Procedure Calls.
    • SMTP — The server makes the pull request using SMTP. Select this
      option for SMTP connections that support ETRN.
    When the destination server is a Domino server, the protocol specified
    in this field only applies when the Router type is set to Pull Only. By
    contrast, if the Router type is set to Pull/Push, the sending server
    always uses the same protocol to issue the pull request that it used to
    transfer messages to the destination server.

Request the following when issuing a pull request
    Specifies the servers, hosts, or domains on whose behalf the source
    server issues a pull request. As a result of the request, the remote
    server sends all messages it is holding for the specified entities.
    Choose one or more of the following:
    • Source server name (both Notes and Host) — (default) The source
      server requests that the remote server transfer any messages
      addressed to recipients on the source server. The source server
      receives messages for addresses that specify either the Domino server
      name or the DNS host name (for example, CN=Server/Org=ACME or
      server1.acme.com).
    • All local primary Internet domains listed in Global Domain(s) —
      (default) The source server requests that the destination server
      transfer all messages it is holding for recipients with addresses in
      the primary Internet domain named in the source server’s Global
      Domain document (for example, acme.com).
    • All alternate Internet domain aliases listed in Global domain(s) —
      The source server requests that the destination server transfer all
      messages it is holding for recipients with addresses in any of the
      Internet domain names listed in the source server’s Global Domain
      document (for example, acme.com, sales.acme.com, acme-alias.com).
    • The following servers/domains/hosts — The source server requests
      that the destination server transfer all messages it is holding for
      recipients in the specified Domino servers, Internet domains, or DNS
      host names. If you select this option, list the specific servers,
      domains, or hosts on whose behalf the pull request is made. Use this
      option if the remote server requires the calling server to use a
      specific syntax or name when sending the ETRN pull request to
      initiate message transfer.

Pull router timeout
    The number of seconds that the calling server waits for the answering
    server to respond to a pull request before disconnecting. The default
    is 30 seconds.

7. For outbound SMTP connections, configure other servers on the local
network to use the dialup system as a relay.
8. The change takes effect after the next Router configuration update.
To put the new setting into effect immediately, reload the routing
configuration.
Updating the SMTP configuration
The SMTP service controls the SMTP listener on the Domino server. By
default, whenever you restart the SMTP service, and at two-minute
intervals thereafter, the SMTP service automatically checks the
NOTES.INI file, Configuration Settings document, and Server document
to see if any settings have changed. If the service detects that settings
have changed, it rebuilds its internal configuration to incorporate the
changes.
You can use a server console command to manually trigger such a
service update. Using the console command allows you to immediately
put into effect changes to the SMTP configuration without disrupting
normal service operation.
To update the SMTP service configuration
1. Modify settings in the NOTES.INI file, Configuration Settings
document, or Server document.
2. At the server console, enter:
Tell smtp update config
If the server’s logging level is set to Informational or Verbose, the
server console displays messages to indicate when the update begins
and completes.
Chapter 28
Customizing the Domino Mail System
This chapter explains how to customize messaging for your Domino
system after you set up mail routing.
Customizing mail
After you set up basic mail routing, you can customize the Domino
messaging system to improve performance and meet the specific needs
of your organization. For example, you can set inbound messaging
restrictions to prevent unwanted commercial e-mail (UCE) from entering
your system; implement restrictions on message size to conserve network
bandwidth; enforce database quotas to ensure that users promptly delete
old messages; set system mail rules to automatically process messages
that meet certain criteria; and enforce security policies by encrypting
messages delivered to user mail files and restricting message transfer to
the Internet.
Before you customize your messaging system, you must:
1. Make sure that your mail system is properly set up.
2. Evaluate your customizing options and decide which you want to
implement.
Controlling messaging
After you set up basic mail routing, use Domino’s administrative controls
to customize the messaging system to your environment. Using the
Domino Administrator and other tools you can change settings that
affect routing performance, protect the system from unauthorized use,
schedule message transfer, and ensure efficient use of network
bandwidth and storage space.
Some of the settings you change apply to all of the messages that the
server processes, regardless of whether a message is sent or received
using Notes routing or SMTP routing; other settings are specific to a
particular routing protocol.
These topics provide additional information on customizing the Domino
system:
• Improving mail performance
• Customizing message transfer
• Customizing Notes routing
• Customizing SMTP routing
• Setting server mail rules
• Configuring message delivery options
• Using mail journaling
As you customize your messaging system, you may need to troubleshoot
problems that occur. To assist in troubleshooting, Domino lets you:
• Change the log level to record additional messaging information
• Temporarily disable mail routing
Requirements for a working mail system
For the Domino mail system to work properly you must first complete
the following tasks:
• Install a Domino server that runs without errors.
• Load the Router task and verify that it runs properly.
• Create a mail file and Person document for every user in the Domino
mail system.
• Set up Notes routing or SMTP mail routing.
For more detailed information on setting up mail routing, see the chapter
“Setting Up Mail Routing.”
Improving mail performance
Domino includes features that improve efficiency in specific
environments, but these features may not be switched on by default. See
the following topics for information about how you can improve the
efficiency of the Domino mail system:
• Creating multiple MAIL.BOX databases
• Disabling type-ahead addressing
Creating multiple MAIL.BOX databases
Domino mail servers use a MAIL.BOX database to hold messages that
are in transit. Mail clients and other servers use SMTP or Notes routing
protocols to deposit messages into MAIL.BOX. The Router on each server
checks the address of each message in MAIL.BOX and either delivers the
message to a local mail file or transfers it to the MAIL.BOX database on
another server.
Server processes — including server threads and the Router — that write
to MAIL.BOX require exclusive access to it. To ensure exclusive access,
processes that write to or read from MAIL.BOX lock the database to
prevent simultaneous access by other processes. Other processes trying
to access the database must wait until the currently active process
completes and unlocks the database before they can complete.
In most cases, a mail process locks MAIL.BOX for only an instant.
However, longer wait times occur when the Router or another process
reads or writes a large message. When there is a large amount of new
mail — for example, on a busy system with heavy mail traffic — several
server threads may try to deposit mail into MAIL.BOX while the Router
attempts to read and update mail. Under heavy loads, such contention
for a single MAIL.BOX database degrades performance.
On servers that run Domino Release 5 and higher, you can improve
performance significantly by creating multiple MAIL.BOX databases on a
server. Using multiple MAIL.BOX databases removes contention for
MAIL.BOX, allows multiple concurrent processes to act on messages,
and increases server throughput. While reading one MAIL.BOX, the
Router marks the database “in use” so other server threads trying to
deposit mail move to the next MAIL.BOX. As a further benefit, having
multiple MAIL.BOX databases provides failover in the event that one
MAIL.BOX becomes corrupted.
When creating additional MAIL.BOX databases, consider placing each
one on a separate disk. Because disk contention is rarely an issue for
MAIL.BOX, placing each additional MAIL.BOX database on a different
disk will not improve performance per se. However, distributing the
databases across multiple disks does ensure greater availability in the
event of a disk failure.
Creating a second MAIL.BOX database offers a large performance
improvement over using a single MAIL.BOX. Depending on server mail
traffic, adding a third and fourth MAIL.BOX database may further
improve performance. However, the improvement gained with each
additional MAIL.BOX is increasingly smaller.
You specify the number of MAIL.BOX databases on the Router/SMTP -
Basics tab of the Configuration Settings document. Changes to the
mailbox count take effect only after the next server restart.
After you configure a second MAIL.BOX database, you can use mail
statistics to determine whether additional MAIL.BOX databases are
needed.
For more information, see the topic “Determining how many MAIL.BOX
databases to place on a server” later in this chapter.
To create multiple MAIL.BOX databases
1. Make sure you already have a Configuration Settings document for
the server(s) to be configured.
2. From the Domino Administrator, click the Configuration tab, and
expand the Messaging section.
3. Click Configurations.
4. Select the Configuration Settings document for the mail server or
servers you want to administer, and click Edit Configuration.
5. Click the Router/SMTP - Basics tab.
6. Complete this field and then click Save & Close:

Number of mailboxes
    Indicates the number of mailboxes (MAIL.BOX databases) on servers that
    use this Configuration Settings document. If this field is blank, one
    mailbox is used. Configure a maximum of ten mailboxes.

7. Restart the server to put the new setting into effect.


Determining how many MAIL.BOX databases to place on a server
When a server sends and receives mail, server processes, such as the
Router, access the server’s MAIL.BOX database, writing messages to it
and reading messages from it. Because only one process at a time can
access MAIL.BOX, when mail traffic is heavy, access conflicts occur as
multiple processes try to access the database simultaneously.
For servers that support a small number of users, access conflicts are
rare, and the default of a single MAIL.BOX usually provides an
acceptable level of service. However, on servers that support a higher
number of users, creating an additional MAIL.BOX database can
eliminate most access conflicts.
Especially busy servers may benefit from more than two MAIL.BOX
databases. Use mailbox statistics to determine whether additional
MAIL.BOX databases are indicated. As seen in the following table,
separate statistics provide information on the number of access conflicts
and the number of total mailbox accesses.

Mail.Mailbox.Accesses
    Total number of times that threads accessed any mailbox on the server.

Mail.Mailbox.AccessConflicts
    The number of times that a thread attempting to access a mailbox had
    to wait because the number of concurrent threads exceeded the number
    of mailboxes configured. For example, if there are three mailboxes
    configured, and there are four concurrent accesses, the conflict count
    would be incremented.
    If the number of access conflicts consistently exceeds two percent of
    the value of Mail.Mailbox.Accesses, consider creating an additional
    mailbox.

Mail.Mailbox.CurrentAccesses
    The total number of current accesses (for example, a count of 2 would
    indicate that two threads are accessing a mailbox at this time).

Mail.Mailbox.AccessWarnings
    The number of times that the number of threads accessing the mailbox
    (that is, the value of Mail.Mailbox.CurrentAccesses) reached one less
    than the number of configured mailboxes. For example, the warning
    count is incremented when two threads attempt to access MAIL.BOX
    concurrently and there are three mailboxes configured.
    If the number of warnings consistently exceeds ten percent of the
    value of Mail.Mailbox.Accesses, consider creating an additional
    mailbox.

Mail.Mailbox.MaxConcurrentAccesses
    The highest number of current accesses recorded.

By calculating the number of access conflicts as a percentage of total
accesses, you can determine whether a server will benefit from the
addition of another MAIL.BOX. In general, the number of access conflicts
should be no more than two percent of the total number of accesses.
However, because some access conflicts may result from unusually high
peak loads, there’s no need to eliminate all access conflicts. Only when
the percentage of access conflicts remains consistently greater than 2
percent is an additional MAIL.BOX database warranted.
Note Mailbox statistics are available only on servers where two or more
MAIL.BOX databases are configured. You must restart the server to put
into effect any changes to the number of mailboxes.
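The decision rule above, worked through as an added example (not code from the manual or from Domino). The snapshot values are constructed; treating the Mail.Mailbox counters as running totals read at intervals, so that ratios are computed per interval, is an assumption. The limits (two percent for conflicts, ten percent for warnings, at most ten mailboxes, statistics only with two or more mailboxes) are the ones the text gives, and the "consistently exceeds" wording is applied literally: every interval must be over the limit, so a single peak-load interval does not trigger a recommendation.

```python
from dataclasses import dataclass
from typing import List, Tuple

CONFLICT_LIMIT = 0.02    # conflicts should be no more than 2% of accesses
WARNING_LIMIT = 0.10     # warnings should be no more than 10% of accesses
MAX_MAILBOXES = 10       # Domino accepts at most ten MAIL.BOX databases


@dataclass(frozen=True)
class MailboxSnapshot:
    """Mail.Mailbox.* counters read at one point in time.

    Assumed (not stated in the manual) to be running totals since the last
    server restart, which is why ratios are formed from interval deltas.
    """
    accesses: int     # Mail.Mailbox.Accesses
    conflicts: int    # Mail.Mailbox.AccessConflicts
    warnings: int     # Mail.Mailbox.AccessWarnings


@dataclass(frozen=True)
class IntervalRatios:
    conflict_ratio: float
    warning_ratio: float


def interval_ratios(snapshots: List[MailboxSnapshot]) -> List[IntervalRatios]:
    """Convert consecutive cumulative snapshots into per-interval ratios."""
    if len(snapshots) < 2:
        raise ValueError("at least two snapshots are needed to form an interval")
    ratios = []
    for prev, cur in zip(snapshots, snapshots[1:]):
        d_acc = cur.accesses - prev.accesses
        d_conf = cur.conflicts - prev.conflicts
        d_warn = cur.warnings - prev.warnings
        if min(d_acc, d_conf, d_warn) < 0:
            raise ValueError("counters decreased: was the server restarted between snapshots?")
        if d_acc == 0:
            ratios.append(IntervalRatios(0.0, 0.0))   # idle interval, nothing to judge
            continue
        ratios.append(IntervalRatios(d_conf / d_acc, d_warn / d_acc))
    return ratios


def recommend_mailboxes(configured: int,
                        snapshots: List[MailboxSnapshot]) -> Tuple[int, str]:
    """Return (recommended mailbox count, reason) using the manual's rules."""
    if configured < 2:
        return 2, "mailbox statistics need two or more mailboxes; start with a second MAIL.BOX"
    if configured >= MAX_MAILBOXES:
        return configured, "already at the maximum of ten mailboxes"
    ratios = interval_ratios(snapshots)
    # "Consistently" is read as: over the limit in every observed interval.
    if all(r.conflict_ratio > CONFLICT_LIMIT for r in ratios):
        return configured + 1, "access conflicts consistently above 2% of accesses"
    if all(r.warning_ratio > WARNING_LIMIT for r in ratios):
        return configured + 1, "access warnings consistently above 10% of accesses"
    return configured, "conflicts and warnings within limits (isolated peaks are expected)"


# Constructed snapshots, as if read hourly; not real server output.
BUSY_SERVER = [
    MailboxSnapshot(accesses=0, conflicts=0, warnings=0),
    MailboxSnapshot(accesses=10000, conflicts=350, warnings=1500),
    MailboxSnapshot(accesses=22000, conflicts=800, warnings=3300),
    MailboxSnapshot(accesses=30000, conflicts=1100, warnings=4500),
]
PEAK_THEN_QUIET = [
    MailboxSnapshot(accesses=0, conflicts=0, warnings=0),
    MailboxSnapshot(accesses=10000, conflicts=500, warnings=400),   # one 5% spike
    MailboxSnapshot(accesses=20000, conflicts=510, warnings=800),
    MailboxSnapshot(accesses=30000, conflicts=520, warnings=1200),
]

if __name__ == "__main__":
    print(recommend_mailboxes(2, BUSY_SERVER))
    print(recommend_mailboxes(2, PEAK_THEN_QUIET))
```

For the busy server every interval runs at 3.5 percent conflicts or more, so a third mailbox is recommended; the second server had a single five-percent spike followed by quiet intervals and stays at two.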
Disabling type-ahead addressing
Type-ahead addressing displays names that match the letters a user
types in the To, cc, and bcc fields in a mail message. For example, if a
user types Jane D in the To field of a mail memo and Domino finds a
Person document for Jane Doe/Acme in the Domino Directory, Domino
automatically completes the rest of the recipient’s address. The user can
change or retype the address as needed.
To save bandwidth and improve server performance, you can disable
type-ahead addressing. If you disable type-ahead addressing on a mail
server, users can still use type-ahead addressing to find addresses in
their Personal Address Book or mobile Directory Catalog.
1. Make sure you already have a Configuration Settings document for
the server(s) to be configured.
2. From the Domino Administrator, click the Configuration tab and
expand the Messaging section.
3. Click Configurations.
4. Select the Configuration Settings document for the mail server or
servers to administer, and click Edit Configuration.
5. On the Basics tab, complete this field, and then click Save & Close:

Type-ahead
    Choose one:
    • Enabled — (default) The server checks the Domino Directory for an
      address that matches what a user enters in the To, cc, or bcc field
      of a message.
    • Disabled — The server does not try to match addresses. Matches occur
      only in the user’s Personal Address Book or local Directory Catalog.

6. The change takes effect after the next Router configuration update.
To put the new setting into effect immediately, reload the routing
configuration.
Changing the logging level for mail
By default, when the Router is unable to deliver a mail message, Domino
records information in the server log file (LOG.NSF). When you
troubleshoot messaging, you may want to record additional information
in the log file.
1. Make sure you already have a Configuration Settings document for
the server(s) to be configured.
2. From the Domino Administrator, click the Configuration tab and
expand the Messaging section.
3. Click Configurations.
4. Select the Configuration Settings document for the mail server or
servers you want to administer, and click Edit Configuration.
5. Click the Router/SMTP - Advanced - Controls tab.
6. Complete this field in the Miscellaneous Controls section, and then click Save & Close:

Logging level
    Choose one:
    • Minimal — Domino logs all mandatory status messages and fatal error
      messages.
    • Normal — (default) Domino logs all minimal events, plus warning
      messages indicating conditions that do not cause processing to stop.
    • Informational — Domino logs all minimal and normal events, plus
      informational messages involving intermediate storage, MAIL.BOX
      access, message handling, message conversion, and transport status.
    • Verbose — Domino logs all minimal, normal, and informational events,
      plus additional messages that may help you troubleshoot system
      problems. To prevent the log file from becoming excessively large,
      use Verbose logging only when troubleshooting specific problems.

7. The change takes effect after the next Router configuration update.
To put the new setting into effect immediately, reload the routing
configuration.
Controlling message delivery
Message delivery occurs when the Router deposits a message in the
recipient’s mail file. You can control how the Router behaves when
delivering messages to mail files on the Domino server. For example, you
can specify whether messages are always encrypted, how many server
threads the Router can use to deliver messages, and what the Router
does with messages sent to users whose mail files are larger than the
allowed size.
You set delivery controls in the Configuration document on the
Router/SMTP - Restrictions and Controls - Delivery Controls tab. You
can also set quota controls to help control the size of user mail files.
Setting delivery controls
You can customize message delivery on Domino, including how many
threads are used to deliver messages, whether the messages must be
encrypted, how long the server waits for a pre-delivery agent to run, and
whether the Router supports the forwarding action in Notes client mail
rules.
1. Make sure you already have a Configuration Settings document for
the server(s) to be configured.
2. From the Domino Administrator, click the Configuration tab and
expand the Messaging section.
3. Click Configurations.
4. Select the Configuration Settings document for the mail server or
servers you want to administer, and click Edit Configuration.
5. Click the Router/SMTP - Restrictions and Controls - Delivery
Controls tab.
6. Complete these fields in the Delivery Controls section, and then click
Save & Close:

Maximum delivery threads
    The maximum number of server threads Domino can create to deliver mail
    from MAIL.BOX to local mail files. The Router automatically sets the
    default maximum number of delivery threads based on server memory.
    Letting the Router select the maximum number is usually best. To set
    the maximum number manually, enter a maximum between 1 and 25, based
    on the server load.

Encrypt all delivered mail
    Choose one:
    • Enabled — When delivering messages to local mail files, Domino
      encrypts the messages, regardless of whether the sender encrypted the
      message or the recipient’s mail file encrypts messages.
    • Disabled — (default) Domino encrypts messages only if the recipient’s
      mail file is set to encrypt received messages.
    When encryption is enabled and an external user requests a return
    receipt for a message sent to a user whose mail file is on the server,
    the return receipt message that Domino generates contains a blank
    message body.

Pre-delivery agents
    Users who create LotusScript or Java agents for their mail files can
    set the agent to run before new mail arrives. When delivering a new
    message, if the Router detects such a pre-delivery agent, it runs the
    agent against the message before the message ever appears in the
    recipient’s Inbox. Use this field to specify whether the server permits
    the use of pre-delivery agents. Choose one:
    • Enabled — (default) Allows the Router to run agents that process mail
      before delivering it to user mail files on the server.
    • Disabled — Prevents the Router from running pre-delivery agents.

Pre-delivery agent timeout
    The maximum time (in seconds) that a pre-delivery agent, such as a mail
    filter, can run before the Router interrupts it. Because the Router
    waits for pre-delivery agents to complete, failure to restrict agents
    can slow routing performance on the server. The default time-out is 30
    seconds.

User rules mail forwarding
    Notes users can create mail file rules that automatically process new
    mail. User mail rules specify an action to take when a newly delivered
    message meets certain conditions. Use this field to specify whether the
    Router on this server supports the rule action to send copies of
    selected messages automatically to other recipients. Choose one:
    • Enabled — The Router supports the “Send copy to” action for Notes
      client mail rules, allowing users to send copies of messages
      automatically to other recipients.
    • Disabled — Prevents Notes clients from using the “Send copy to” rule
      action.

7. The change takes effect after the next Router configuration update.
To put the new setting into effect immediately, reload the routing
configuration.
Using quotas to manage the size of user mail files
Users may receive and save a high volume of e-mail, including their own
sent messages, in their mail files. Large mail files can overwhelm a
server’s disk capacity and reduce the performance of the mail client.
Because you generally cannot provide users with unlimited storage
space, set a size limit, or database quota, for each mail file. When
delivering mail to a user’s mail file, the Router checks the current size of
the mail file against the specified quota.
You can configure the Router to respond in several ways when a mail file
exceeds its quota, each representing a higher level of enforcement. The
least restrictive response is to have the Router issue automatic
notifications to users when their mail files exceed the quota. If users fail
to respond to notifications, you can hold pending messages in
MAIL.BOX or return messages to the senders as undeliverable until the
users reduce the size of their mail files.
In addition to setting a quota, you can configure a warning threshold and
use it as the basis for providing users with advance notice that their mail
files have grown too large. For example, you might set a warning
threshold of 25MB on a mail file that has a 30MB quota. In the
Configuration Settings document, you can enable the Router to send
notifications to users who exceed their warning threshold. If you enable
this option, the Router delivers an Over Threshold Warning to users
whose mail files exceed the warning threshold. Sending such warnings
allows users to reduce the size of their mail files before they exceed the
quota.
Along with the methods the Router uses to enforce quotas, the Notes
client also displays a warning to any user who has exceeded their
designated warning threshold or quota whenever the user attempts to
send mail.
Setting mail file quotas
You can set two types of size limits on a user’s mail file: an absolute
quota size and a warning threshold. Set a quota if you intend to establish
a policy of interrupting users’ mail usage if their mail files exceed a
specified size. Set a warning threshold to provide users with advance
notice when their mail files approach the designated mail file quota, so
they can reduce the size of their mail files before message flow is
interrupted. You must set a quota before you can set a warning
threshold.
Quotas and warning thresholds are associated with a particular mail file
database only, not with a user ID. If a user has access to an alternate mail
file, the quota set on the primary mail file has no effect on the alternate
mail file.
You set quota limits and warning thresholds:
• During registration — quotas specified during registration apply
only to new users, not to existing users. For users migrated from
other mail systems, the restrictions do not apply to mailbox contents
brought over from the old system. In other words, a mail file limit of
5MB does not prevent you from migrating a user’s 6MB mail box
from cc:Mail. However, the user will not be able to receive new mail.
• Per database — Using the Domino Administrator, you can manually
specify the warning threshold and quota of one or more mail files
using the same method you would to set these limits for any Notes
database.
Detecting when a mail file exceeds its quota
If quota enforcement is enabled, whenever the Router delivers mail, it
compares the current size of the destination mail file against its
configured database quota or threshold. If the size exceeds one of these,
the Router takes appropriate action.
If a mail file uses shared mail, Domino factors in the complete size of any
messages stored in shared mail databases when calculating mail file size.
When calculating mail file size, Domino does not take into account the
space consumed by a file’s full-text index. When setting a mail file quota,
be sure to consider the additional space required for the file’s full-text
index. Over time, the full-text index of a typical mail database can reach
a size between 5 and 15 percent of the database size.
To specify the method a server uses to calculate the size of a mail file
1. From the Domino Administrator, click the Configuration tab, expand
the Server section, and click “All Server Documents.”
2. Select the Server document to edit, and then click Edit Server.
3. Click the Transactional Logging tab, and in the Quota enforcement
field, select one of these methods and then click Save & Close:

Check space used in file when adding a note
    The Router calculates the current size of a mail file from the amount
    of space that messages occupy in the database and determines whether
    mail files are in compliance with configured warning thresholds or
    quotas based on this calculation. White space in the database is
    discounted. If the user is over quota and quota enforcement is enabled,
    no new messages are delivered. If the mail file is close to its quota,
    the Router continues to deliver messages only until their cumulative
    size exceeds the quota; thereafter, messages are held or rejected,
    depending on the enforcement setting.
    When a user deletes a message, the space occupied by that message is
    immediately removed from the calculated size of the mail file. There
    is no need to run the Compact task to recover space. Users who cannot
    receive mail because of a quota violation can reduce the current size
    of the mail file immediately by archiving or deleting messages.
    If transaction logging is enabled on the server, select this method of
    enforcement, because it does not require administrative intervention
    to compact mail files.

Check filesize when extending the file
    (Default) The Router calculates the current size of a mail file from
    its actual physical size. The calculated physical size includes the
    unused “white space” in a file that results when a user deletes or
    archives a message. Domino does not immediately recover this white
    space. As a result, accumulated white space may account for a large
    portion of the file size, so that the actual mail file size is
    considerably larger than the combined size of its stored messages.
    The size check occurs only if adding a message requires an increase in
    the size of the mail file. When quota enforcement is enabled and this
    option is selected, if a message delivered to the mail file requires
    an increase in the file size that would result in a quota violation,
    delivery fails. However, a message is always delivered if there is
    sufficient white space to accommodate it.
    On servers that do not use transaction logging, users can run the
    Compact task to remove white space and decrease the file size.
    However, when transaction logging is in effect, users cannot compact
    their own mail files. An administrator must run Compact with the -B
    option to reduce the size of the file.

Check filesize when adding a note
    The Router calculates the current size of a mail file from its actual
    file size. Both the space occupied by messages and white space in the
    database count toward the total size.
    This option is more restrictive than the preceding option, because the
    Router checks the quota every time it adds a message to the mail file,
    regardless of whether this results in an increase in file size.
    On servers that do not use transaction logging, when quota enforcement
    is enabled, select this option to eliminate inconsistent behavior
    during delivery to the mail files of users who exceed their quotas.
    Because the Router always checks the current file size when delivering
    a message, after a mail file reaches quota, no new messages are
    delivered, even if a particular message is small enough to fit within
    the available white space in the mail file.
    On servers where transaction logging is enabled, selecting this option
    can prevent a user from recovering from a quota violation, since
    compacting the mail file does not reduce its size, preventing the user
    from getting back under quota. An administrator must run Compact with
    the -B option to reduce the size of the file.

How the configured size method affects over-quota enforcement


Unless you configure the Router to withhold mail from or send warnings
to users whose mail files exceed their quotas or warning thresholds, you
won’t notice any differences between the various methods for calculating
file size. However, the method you select for calculating file size becomes
significant if you enable quota enforcement or warning notifications on
the server.
When servers are set to use file size to determine whether a user is over
quota, a user who is over quota might not be able to receive mail
immediately after deleting messages. This is because white space
remains in the mail file until the Compact task removes it. As a result, a
user whose mail is withheld due to a quota error typically experiences
some delay between removing messages and achieving the reduced mail
file size required to reinstate mail delivery.
On servers where quota enforcement is set to “Hold mail and retry,” you
choose whether the Router attempts delivery to mail files that exceed
quota.
For more information on the “Hold mail and retry” setting, see the topic
“Withholding mail from users who exceed their quota” later in this
chapter.
If database usage is enabled as the method for calculating size, message
delivery always fails after a mail file exceeds its quota. If a mail file is
close to its quota but has not yet exceeded it, the Router may succeed in
delivering smaller messages. But eventually the file will exceed its quota,
and subsequent deliveries will fail.
Reclaiming space in mail files for which soft deletions are enabled
When soft deletions are enabled for a mail file, deleting messages from a
mail file doesn’t immediately reduce its size. Instead, the “deleted”
messages are moved to the Trash view until they expire - after 48 hours,
by default. Only then are the messages permanently removed from the
database.
To reclaim space immediately, a user must open the Trash view of the
mail file and click Empty Trash or select a message in the view and then
click Delete Selected Item. By default, soft deletions are enabled for mail
files that use the Release 6 mail template (MAIL6.NTF).
For more information about soft deletions, see the chapter “Improving
Database Performance.”
Notifying users who exceed their mail file's quota or warning
threshold
You can configure the Router to notify a user whose mail file exceeds a
warning threshold or quota. The following table lists the information
contained in the notification message:

Message field / Description

Notification type: Describes why the user received the notification. For example, an over quota report explains that an incoming message caused the user’s mail file to exceed the quota set for their mail file. Over quota and quota warning reports contain default text, which you can customize.

Message headers: The sender (FROM field), recipients (TO and CC), and subject of the affected message.

Message size: The size of the affected message, in KB.

Current mail file usage: Database usage or current size of the user’s mail file, in KB.

Current quota settings: The warning threshold and quota currently set for the user’s mail file.

What you should do: Explains what action, if any, was taken — for example, whether the message was returned to the sender or is being held for retry; and provides instructions explaining what actions the user should take to reduce the size of the mail file — for example, deleting or archiving messages. If you customize the text of the notification to provide users with additional instructions or information, the text you add appears as part of the Notification type information at the beginning of the message.

For information on adding custom text to over quota and quota warning
reports, see the topic “Customizing the text of mail failure messages”
later in this chapter.
Users who exceed the quota for their mail file receive over quota
warnings only. If the Router is configured to send over threshold
warnings, it stops sending them to users who exceed their quota.
Message tracking is not enforced or supported for either type of warning
notification.
If Domino rejects an inbound message as the result of a quota violation, it
returns a failure message stating the reason for the failure to the sender.
Specifying how often users receive notifications
You have three options for specifying how often the Router delivers
warning notifications to users who violate their mail file’s warning
threshold or quota:
• None (Default) — Users receive no warning if their mail files exceed the size limit.
• Per Message — Users whose mail files exceed the size limit receive a warning notification every time MAIL.BOX receives a new message for them.
• Per time interval — Users whose mail files exceed the size limit receive a warning message at the specified interval until they reduce the size of their mail file. If you select this option, an additional field appears where you can specify the interval in minutes, hours, or days.
Withholding mail from users who exceed their quota
Quota controls enable the Router to selectively hold or reject mail if the
destination mail file has exceeded its quota. When the Router has new
mail to deliver to a user whose mail file is already full, it checks the
Configuration Settings document to determine the appropriate action. By
default the Router continues to deliver mail, even after a mail file exceeds
its quota. To change the default behavior, you must configure the Router
to refuse or hold mail.
When delivering mail to a user’s mail file, the Router checks the mail
file’s size. If the file will remain within the specified threshold after
delivery of the message, no action is taken.
The Router recognizes certain exceptions to the specified quota setting.
For example, users who are over quota continue to receive over quota
notifications from the Router, regardless of the current setting. However,
if the Router is configured to Hold and Retry, all messages are held, and
the owner of the mail file receives no further notifications until the size of
the mail file is reduced or the administrator takes action to allow
messages to be delivered.
To prevent an excessive number of messages from accumulating in
MAIL.BOX when you choose the Hold and Retry method of enforcing
quota violations, it’s best to have Domino calculate database size based
on usage, rather than file size. This is especially true on servers where
transaction logging is enabled, because users cannot reduce the size of
their mail files without assistance from an administrator.
Limiting the size and number of messages held for retry
If you set the Router to temporarily hold mail intended for users whose
mail files exceed the specified quota, the increased number of pending
messages can increase the size of MAIL.BOX and decrease Router
performance. To help ensure service quality, you can limit the number of
pending messages.
You can also specify the maximum size of messages that the Router will
hold. If a message is larger than the configured size, it is returned to the
sender as undeliverable, rather than held.
28-16 Administering the Domino System, Volume 1
Restrictions do not apply to sent messages
Router enforcement of mail file quotas is limited to withholding new
mail from users who exceed their quotas. The Router continues to accept
outgoing mail from users whose mail files are full. However, these users
are not able to save any messages to mail files on the server.
When a user who exceeds the configured warning threshold or quota
sends a message from a Notes client, the client displays a warning, but
the user can still send the message.
Setting quota controls for the Router
1. Make sure you already have a Configuration Settings document for
the server(s) to be configured.
2. From the Domino Administrator, click the Configuration tab and
expand the Messaging section.
3. Click Configurations.
4. Select the Configuration Settings document for the mail server or
servers you want to administer, and click Edit Configuration.
5. Click the Router/SMTP - Restrictions and Controls - Delivery
Controls tab.
6. In the Quota Controls section, complete these fields:

Field / Enter

Over Warning Threshold Notifications: Specifies how often the Router delivers notifications to users who exceed their warning threshold. Choose one:
• None — The Router does not deliver notifications when mail files grow larger than the specified warning threshold.
• Per Message — The Router delivers a notification for every message it delivers after the mail file exceeds the specified warning threshold.
• Per Interval N — Send notifications at a specified interval until the user deletes or archives enough messages to bring the size of the mail file below the specified Warning Threshold. When this option is selected, an additional field, “Warning Interval Minutes,” appears.

Warning Interval Minutes: Specifies, in minutes, how long the Router waits to send the next Over Warning Threshold Notification.

Over Quota Notification: Specifies how often the Router delivers notifications to users who exceed their quota. Choose one:
• None — The Router does not deliver notifications when mail files grow larger than the specified warning threshold.
• Per Message — The Router delivers a notification for every message it delivers after the mail file exceeds the specified quota.
• Per time interval — Send notifications at the specified interval until the user deletes or archives enough messages to bring the size of the mail file below the specified quota. When this option is selected, an additional field appears where you can specify an interval measured in minutes, hours, or days.

Error Interval: Specifies, in minutes, hours, or days, how long the Router waits to send the next over quota notification.

Over Quota Enforcement: Specifies the action the Router takes when receiving new mail for a user whose mail file is larger than the specified quota. Choose one:
• Deliver anyway (don’t obey quotas) — (Default) The Router continues to deliver mail to a mail file that is over quota.
• Non Deliver to originator — The Router stops delivering new messages to the mail file and returns a nondelivery message to the sender reporting that the message could not be delivered because the intended recipient’s mail file was full.
• Hold mail and Retry — The Router stops delivering new messages to the mail file and temporarily holds incoming messages in MAIL.BOX until space is available in the mail file. After a configured interval, the Router tries to deliver the message. If the user has sufficiently reduced the size of the mail database by the next scheduled delivery attempt, the mail is delivered. Messages that cannot be delivered before the configured expiration time (default = 1 day) are returned to the sender as undeliverable. If you choose this option, the document displays additional fields where you can specify how the server handles held messages. To prevent an excessive number of messages from accumulating in MAIL.BOX when this option is selected, it’s best to have Domino calculate database size based on usage, rather than file size.
7. If you selected “Hold mail and Retry” in the “Over Quota
Enforcement” field, complete the following:

Field / Description

Attempt delivery of each message: Pending messages may be of different sizes. A mail file that has reached its quota may have sufficient space available to fit some messages, but not others. Use this field to specify whether the Router delivers messages small enough to fit the available space in a destination mail file. Choose one:
• Enabled — The Router attempts delivery of each new message. Messages that fit the available space are delivered. Other messages are held.
• Disabled — After a mail file reaches its quota, the Router holds all messages until the file size is reduced.

Maximum number of messages to hold per user: Specifies the maximum number of messages that the Router will hold in MAIL.BOX for a given mail file. After the number of pending messages reaches the specified number, the Router returns a delivery failure report to the sender of each additional message in first-in, first-out order.

Maximum message size to hold: Specifies the maximum size, in KB, of messages that the Router can hold in MAIL.BOX for over quota users. If a message larger than the specified size is received for the user, the Router returns a delivery failure report to the sender.

8. Click Save & Close.
9. The change takes effect after the next Router configuration update.
To put the new setting into effect immediately, reload the routing
configuration.
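The size-calculation table, the section “How the configured size method affects over-quota enforcement” and the Quota Controls fields above describe several interacting settings. The following Python model is an added example, not IBM code and not part of this manual: it encodes those documented behaviours so the three methods can be compared on one constructed mail file. The label used for the usage-based method, the numeric hold limits and the comparison at the exact quota boundary are assumptions.

```python
"""Model of the Router's over-quota decisions as this chapter describes them.
Added illustration, not IBM code; see the lead-in for what is assumed."""
from dataclasses import dataclass, field

# Size-calculation methods. The usage-based method's exact label is not on this
# page, so a descriptive name stands in for it here.
EXTEND = "Check filesize when extending the file"      # default
ADD_NOTE = "Check filesize when adding a note"
USAGE = "database usage (white space discounted)"

# "Over Quota Enforcement" choices.
DELIVER_ANYWAY = "Deliver anyway (don't obey quotas)"    # default
NON_DELIVER = "Non Deliver to originator"
HOLD_RETRY = "Hold mail and Retry"


@dataclass
class MailFile:
    quota_kb: int
    used_kb: int                  # space occupied by stored messages (database usage)
    white_space_kb: int = 0       # unused space left by deleted or archived messages
    held: list = field(default_factory=list)   # sizes of messages waiting in MAIL.BOX

    @property
    def file_size_kb(self) -> int:
        """Physical size: messages plus white space, until Compact -B reclaims it."""
        return self.used_kb + self.white_space_kb


@dataclass
class QuotaControls:
    method: str = EXTEND
    enforcement: str = DELIVER_ANYWAY
    attempt_each_message: bool = True   # "Attempt delivery of each message"
    max_held_per_user: int = 10         # "Maximum number of messages to hold per user" (constructed)
    max_held_size_kb: int = 500         # "Maximum message size to hold", in KB (constructed)


def at_quota(mf: MailFile, method: str) -> bool:
    """Has the file reached its quota by the configured measure? (boundary assumed)"""
    size = mf.used_kb if method == USAGE else mf.file_size_kb
    return size >= mf.quota_kb


def message_fits(mf: MailFile, size_kb: int, method: str) -> bool:
    """Would delivering size_kb keep the file within quota under this method?"""
    if method == EXTEND:
        # Checked only when the file must grow: a message that fits in existing
        # white space is always delivered; otherwise the file grows by the excess.
        return size_kb <= mf.white_space_kb or mf.used_kb + size_kb <= mf.quota_kb
    if method == ADD_NOTE:
        # Checked on every add, and white space counts toward the total.
        return mf.file_size_kb + size_kb <= mf.quota_kb
    return mf.used_kb + size_kb <= mf.quota_kb     # usage-based: white space ignored


def store(mf: MailFile, size_kb: int) -> None:
    """Write the message, reusing white space before extending the file."""
    mf.white_space_kb -= min(size_kb, mf.white_space_kb)
    mf.used_kb += size_kb


def delete_messages(mf: MailFile, size_kb: int) -> None:
    """User deletes or archives mail: usage drops, white space stays until Compact."""
    mf.used_kb -= size_kb
    mf.white_space_kb += size_kb


def route(mf: MailFile, size_kb: int, ctl: QuotaControls) -> str:
    """Return 'delivered', 'held' (kept in MAIL.BOX) or 'returned' (to the sender)."""
    fits = message_fits(mf, size_kb, ctl.method)
    if ctl.enforcement == HOLD_RETRY and not ctl.attempt_each_message and at_quota(mf, ctl.method):
        fits = False                      # "Disabled": hold everything once at quota
    if fits or ctl.enforcement == DELIVER_ANYWAY:
        store(mf, size_kb)
        return "delivered"
    if ctl.enforcement == NON_DELIVER:
        return "returned"
    # Hold mail and Retry, subject to the two limits on held mail.
    if size_kb > ctl.max_held_size_kb or len(mf.held) >= ctl.max_held_per_user:
        return "returned"
    mf.held.append(size_kb)
    return "held"


def compare_methods(quota_kb: int, used_kb: int, white_kb: int, msg_kb: int) -> dict:
    """Outcome of one message under each method with 'Non Deliver to originator'."""
    return {m: route(MailFile(quota_kb, used_kb, white_kb), msg_kb, QuotaControls(m, NON_DELIVER))
            for m in (EXTEND, ADD_NOTE, USAGE)}


if __name__ == "__main__":
    # Constructed: 100 KB quota, 70 KB of mail, 40 KB of white space (110 KB file).
    for method, outcome in compare_methods(100, 70, 40, 20).items():
        print(f"{method}: {outcome}")
```

Running the script shows the same 20 KB message delivered under the extend-the-file and usage methods but returned under “Check filesize when adding a note”, because that method counts the 40 KB of white space against the quota.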
Overriding quotas
Administrators can provide users who are over quota with temporary
access to their new mail by:
• Modifying the quota currently in effect for the user’s database.
• Changing the Router setting, so that the Router ignores database quotas and delivers mail. If you set the Router to ignore database quotas, all users who exceed their quotas are able to receive mail.
To permanently change a quota, reset its size value.
Setting server mail rules
You can create content filtering rules for a server that define actions to
take on certain messages. When a new message that meets a specified
condition is deposited in MAIL.BOX, Domino automatically performs the
designated action. Rule conditions are based on content in the message
headers or in the message body. Possible actions include journaling a
message, moving it to a graveyard or quarantine database, refusing to
accept or deliver a message, or changing the routing state of a message.
You can specify only one action for each rule.
Mail rules automatically handle mail in a variety of situations. By
configuring a set of conditions and actions, you can customize rules to
block spam mail or intercept messages with questionable content. For
example, you could create a rule that rejects mail with subjects like
“make money fast” or that comes from a known spam vendor. Similarly
you can restrict users from receiving message attachments that do not
have a business purpose by setting up a rule to intercept messages that
contain attachments of certain file types (EXE, VBS, VBE, SCR, and so
forth) and redirect them to a quarantine database where they could be
reviewed by an administrator and optionally sent on to the intended
recipient.
Except where a rule action explicitly indicates, Domino does not notify
the sender or recipient if a rule prevents a message from reaching its
destination. For example, if a rule results in a message being routed to a
graveyard database, Domino does not generate a delivery failure report
or indicate to the intended recipients that a message for them has been
intercepted. By contrast, if a message triggers a rule with the specified
two-part action “Don’t deliver message/ Send NDR,” the sender receives
a delivery failure report stating that the message was rejected for policy
reasons.
Note Although Domino does not generate a notification to the sender
when a rule condition triggers the action “don’t accept message,”
because rules execute as mail is deposited to MAIL.BOX, the sender may
still receive notification that the message was rejected. For example,
when the Domino SMTP listener refuses a message because of a mail
rule, the sending SMTP server receives the error indicating that the
transaction was rejected for policy reasons. Typically, servers receiving
this type of error generate a delivery failure report to the sending user.
Similarly, when a mail rule prevents the server from accepting a
message, a Notes client attempting to deposit the message in MAIL.BOX
displays an error indicating that the message cannot be sent.
Mail rules are not intended to serve as an anti-virus solution and should
not be considered a replacement for anti-virus software. Although you
can configure rules to quarantine messages with known virus
attachments, the available rule actions do not include typical anti-virus
features such as generating warnings upon detecting a virus or
automatically disinfecting files.
Domino stores the mail rules you create in the Configuration Settings
document. On startup, each server retrieves the rules from the appropriate
Configuration Settings document and registers them as monitors on each
MAIL.BOX database in use.
Whenever MAIL.BOX receives a new message from any source — the
SMTP process, the Router on another server, or a client depositing a
message — the server evaluates the various message fields against the
registered mail rules. Each message is evaluated only once. Additional
updates occurring after a message is added to MAIL.BOX — such as
updates to reflect the number of recipients handled — do not cause
reevaluation of the rules.
Prioritizing mail rules
When multiple mail rules are enabled, you can set their relative priority
by moving them up and down in the list.
Putting new rules into effect
The Configuration Settings document displays new mail rules only if the
document has been previously saved. Before adding rules to a new
Configuration Settings document, save and close the document. Reopen
the document to begin adding rules.
When you add a new rule, it takes effect only after the server reloads the
mail rules. A reload is automatically triggered if the Server task detects a
rule change when performing its routine check of the Configuration
Settings document. This check occurs approximately every five minutes.
You can force the server to reload rules, using a console command.
Enter the following command at the server console:
set rules
To create a new mail rule
1. Make sure you already have a Configuration Settings document for
the server(s) where the rules will apply.
If you are creating a new Configuration Settings document, complete
the Group or Server name field on the Basics tab, and then click Save
& Close. Then reopen the document to begin adding rules.
If you attempt to add a new rule before saving a new document, you
are prompted to save the configuration before proceeding.
2. From the Domino Administrator, click the Configuration tab and
expand the Messaging section.
3. Click Configurations.
4. Select the Configuration Settings document for the mail server or
servers you want to administer, and click Edit Configuration.
5. Click the Router/SMTP - Restrictions and Controls - Rules tab.
6. Click New Rule.
7. In the Specify Conditions section of the New Rule dialog box, set the
criteria the server uses to determine whether to apply a rule to a
given message. A rule condition can include the following
components:

Condition component / Description

Message item to examine: Specifies the Notes message item that the Router examines when evaluating whether to apply a rule. Choose one of the following: Sender, Subject, Body, Importance, Delivery priority, To, CC, BCC, To or CC, Body or subject, Internet domain, Size (in bytes), All documents, Attachment name, Number of attachments, Form, Recipient count, or Any recipient.
Note To create a rule that acts on all messages deposited in MAIL.BOX, choose All Documents.

Logical operator or qualifier: Specifies how the Router evaluates the content of the target field. Choose one of the following:
• contains (for text field values)
• does not contain (for text field values)
• is
• is not
• is less than (for numeric field values)
• is greater than (for numeric field values)
For example, if you selected the message item Attachment Name, selecting the qualifier “is” defines a rule that acts on all messages having an attached file with a name that exactly matches the name you specify.

Value to check in message item: Specifies the content to search for in the target message item. For example, if the target message item is Attachment Name and the qualifier is “contains,” enter .VBS to create a rule that acts on all messages having an attached file with a name containing the string .VBS, including LOVE-LETTER.VBS, CLICK-THIS.VBS.TXT, and MY.VBS.CARD.EXE.
• Text fields do not support wildcard values, such as the asterisk character (*). To specify a search string for a target field, use the “contains” operator and enter the search string in the accompanying text field. For example, as in the preceding example, to search for an attached file with a name that contains the string .VBS, create the condition “Attachment Name contains .VBS,” not “Attachment Name is *.VBS.”
• Search string text is not case sensitive.
• When indicating numeric values, always enter a numeral, rather than its text equivalent (that is, enter 2, not two).

8. Click Add. The Rules tab displays the new rule.
9. (Optional) Modify the condition by doing the following:
• Add more conditions, by selecting Condition, selecting “AND” or “OR,” and repeating Steps 7 and 8 for each new condition.
• Add an exception by selecting Exception and repeating Steps 7 through 9 for each exception. You can add only one exception to a condition statement.
10. In the Specify Actions section specify the action to perform when a
message arrives that matches the condition statement, and click Add
Action. You can specify one action per rule.
The following actions are available:

Action name / Description

Journal this message: The Router sends a copy of the message to the configured Mail journaling database and continues routing the message to its destination. Journaling must be enabled on the Router/SMTP - Advanced - Journaling tab.

Move to database: The Router removes the message from MAIL.BOX and quarantines it in the database specified in the accompanying text field, for example, GRAVEYARD.NSF. The specified database must already exist. The message is not routed to its destination. Placing messages in a quarantine database lets you examine them more closely for viruses or other suspicious content.

Don’t accept message: Domino rejects the message, but the Router does not generate a delivery failure report. Depending on the message source, the sender may or may not receive an NDR or other indication that the message was not sent. When Domino does not accept an incoming SMTP message it returns an SMTP “permanent error” code to the sending server, indicating that the message was rejected for policy reasons. SMTP permanent errors (500-series errors) indicate error types that will recur if the sender attempts to send to the same address again. Depending on the configuration of the sending client and server, the message originator may then receive a Delivery Failure report. For messages received over Notes routing, Domino returns a Delivery Failure Report indicating that the message violated a mail rule. For messages deposited by a Notes client, the sending client displays an error indicating that the message violated a mail rule.

Don’t deliver message: Domino accepts the message, but rather than sending it to its destination, it processes the message according to one of the following specified options:
• Silently delete — Domino deletes the message from MAIL.BOX with no indication to the sender or recipient.
• Send NDR — Domino generates a nondelivery report and returns it to the sender. The MIME and Notes rich-text versions of messages sent from a Notes client result in separate delivery failure reports.

Change routing state: Domino accepts the message but does not deliver it. Instead, it marks it as held, changing the value of the RoutingState item on the message to HOLD. This change to the routing state of the message causes the Router to retain the message in MAIL.BOX indefinitely, pending administrative action. Domino differentiates between messages held by a mail rule and messages held as undeliverable. This action may not work properly on servers where third-party products, such as certain types of anti-virus software, also manipulate the RoutingState item.

For information on enabling mail journaling, see the topic “Mail journaling” later in this chapter.
11. To save the rule and put it into effect immediately, click OK.
To save the rule but wait before putting it into effect, click the Off
radio button at the top of the dialog box, and then click OK.
12. (Optional) After you create several rules, you can rearrange them to
indicate their relative priority. The server executes each rule in turn,
beginning with the rule at the top of the list. To change the position
of a rule, select it and click Move Up or Move Down. Place rules with
security implications higher in the list to ensure that the server
processes them before other rules.
13. Click Save & Close.
14. The change takes effect after the next Router configuration update.
To put the new setting into effect immediately, reload the routing
configuration.
How mail rules handle encrypted messages
If MAIL.BOX receives an encrypted message (Notes encrypted, S/MIME,
PGP, and so forth), the server mail rules process any rule conditions that
are based on unencrypted information in the message envelope, such as
the sender, importance, and recipients, but do not process conditions
based on the encrypted portion of the message body. Most rule
conditions are based on information in the message envelope. The server
does not log instances in which rules are unable to process a message.
Specifying the message form in a condition
You can specify which types of messages a rule acts on by specifying the
message form type in the rule condition. When evaluating the form type,
the server checks the Notes message form used (the Form item displayed
in the Document properties); it does not use form information defined in
MIME items in the message. All messages deposited in MAIL.BOX are
rendered as Notes documents, including inbound Internet messages in
native MIME format. By default, messages received over SMTP use the
Memo form, except for SMTP Nondelivery reports, which Domino
renders using the NonDelivery Report form. Common Notes form names
include:
• Appointment
• Delivery Report
• Memo
• NonDelivery Report
• Notice
• Reply
• Return Receipt
• Trace Report
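The condition components of step 7, the AND/OR chains and single exception of step 9, the list order of step 12, the encrypted-message limitation and the Form item above together define how a rule is matched. The following Python model is an added example, not IBM’s implementation and not text from this manual; it evaluates constructed rules against constructed messages under those documented conventions. The message layout, left-to-right combination of conditions, per-attachment matching, first-match action selection and the sample rules themselves are assumptions.

```python
"""Model of server mail rule evaluation as described in this chapter.
Added illustration, not IBM code; see the lead-in for what is assumed."""
from dataclasses import dataclass, field

NUMERIC_ITEMS = {"Size (in bytes)", "Number of attachments", "Recipient count"}
COMPOUND_ITEMS = {"Body or subject": ("Body", "Subject"), "To or CC": ("To", "CC")}
ENCRYPTED_ITEMS = {"Body"}          # lives in the encrypted part of the message


@dataclass
class Message:
    """Constructed stand-in for a message deposited in MAIL.BOX."""
    items: dict                                 # Notes item name -> value
    attachments: list = field(default_factory=list)
    encrypted: bool = False                     # Notes encrypted, S/MIME, PGP, ...

    def value(self, item: str):
        if item == "Number of attachments":
            return len(self.attachments)
        return self.items.get(item, "")


@dataclass
class Condition:
    item: str          # "Message item to examine"
    qualifier: str     # "Logical operator or qualifier"
    value: str         # "Value to check in message item"


def _text(qualifier: str, actual: str, expected: str) -> bool:
    a, e = actual.lower(), expected.lower()     # not case sensitive; no wildcards
    return {"contains": e in a, "does not contain": e not in a,
            "is": a == e, "is not": a != e}[qualifier]   # "is" is an exact match


def _number(qualifier: str, actual: int, expected: str) -> bool:
    e = int(expected)                           # enter 2, not "two"
    return {"is": actual == e, "is not": actual != e,
            "is less than": actual < e, "is greater than": actual > e}[qualifier]


def evaluate(cond: Condition, msg: Message) -> bool:
    """Apply one condition component to a message."""
    if cond.item == "All documents":
        return True
    if cond.item in COMPOUND_ITEMS:
        return any(evaluate(Condition(i, cond.qualifier, cond.value), msg)
                   for i in COMPOUND_ITEMS[cond.item])
    if msg.encrypted and cond.item in ENCRYPTED_ITEMS:
        return False                            # cannot be processed; not logged either
    if cond.item in NUMERIC_ITEMS:
        return _number(cond.qualifier, int(msg.value(cond.item) or 0), cond.value)
    if cond.item == "Attachment name":
        hits = [_text(cond.qualifier, name, cond.value) for name in msg.attachments]
        # Assumption: one qualifying file satisfies a positive test, while a
        # negative test ("is not", "does not contain") must hold for every file.
        return any(hits) if cond.qualifier in ("contains", "is") else all(hits)
    return _text(cond.qualifier, str(msg.value(cond.item)), cond.value)


@dataclass
class Rule:
    name: str
    conditions: list                            # [("AND"|"OR", Condition), ...]
    action: str
    exception: Condition = None                 # at most one exception per rule
    enabled: bool = True


def matches(rule: Rule, msg: Message) -> bool:
    """Combine the conditions left to right with AND/OR, then apply the exception."""
    result = False
    for index, (connector, cond) in enumerate(rule.conditions):
        hit = evaluate(cond, msg)
        if index == 0:
            result = hit
        elif connector == "AND":
            result = result and hit
        else:
            result = result or hit
    if result and rule.exception is not None and evaluate(rule.exception, msg):
        return False
    return result


def apply_rules(rules: list, msg: Message):
    """Walk the list top-down (its priority order); return the first hit's action."""
    for rule in rules:
        if rule.enabled and matches(rule, msg):
            return rule.name, rule.action
    return None


# Constructed rules in priority order, security rules first as step 12 advises.
RULES = [
    Rule("Quarantine script attachments",
         [("AND", Condition("Attachment name", "contains", ".VBS")),
          ("OR", Condition("Attachment name", "contains", ".SCR"))],
         "Move to database: GRAVEYARD.NSF"),
    Rule("Reject obvious spam",
         [("AND", Condition("Body or subject", "contains", "make money fast"))],
         "Don't accept message"),
    Rule("Hold oversized mail for review",
         [("AND", Condition("Size (in bytes)", "is greater than", "5000000"))],
         "Change routing state: HOLD",
         exception=Condition("Form", "is", "NonDelivery Report")),
]
```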
Customizing message transfer
To control the transfer of messages between servers in your Domino
system, you can:
• Restrict routing of large messages
• Route messages by priority
• Generate delay notifications for low-priority mail
• Restrict sending to groups listed in the Domino Directory
• Set transfer limits — for example, the number of transfer threads and the retry interval
• Set advanced transfer controls — for example, change the logging level and specify when to ignore message priority
• Customize the text of mail failure messages
Transfer settings apply to messages sent using either Notes routing or SMTP.
Routing mail by priority
Notes users can click the Delivery Options button to specify a priority
level — high, normal, or low — for each message they create. The
priority level determines how quickly the Domino Router transfers a
message over either Notes or SMTP routing. If you do not specify a
priority for a message, the server treats it as normal priority by default.

Priority level / Default Notes routing

High: The server routes the mail immediately.

Normal: The server routes the mail at the next scheduled connection time, based on the schedule in the Connection document to the server that is the next hop for the message. Within the same Notes named network, normal priority messages route immediately.

Low: By default, the server routes low-priority mail only between midnight and 6 AM. Even if low-priority mail is pending delivery when the server routes other mail, the server does not route the low-priority mail except during the specified time interval. You can change the default time for routing low-priority mail.

For information on changing the default time for routing low-priority mail, and setting the Router to ignore message priority, see the topics “Setting transfer limits” and “Setting advanced transfer and delivery controls” later in this chapter.
The Router typically processes delayed messages within 5 minutes of the
start of the low-priority time range.
Forcing low-priority mail to route
By default, the Router delays low-priority mail until the low-priority
time range, even for servers in the same Notes Named Network. If you
do not want to delay low-priority mail you can:
• Set Domino to ignore message priority. For information on configuring Domino to ignore message priority, see the topic “Setting advanced transfer and delivery controls” later in this chapter.
• Change the low-priority time range in the Configuration Settings document. For information on changing the low-priority time range, see the topic “Setting transfer limits” later in this chapter.
• Use the “ROUTE servername” command at the console to force all mail in the transfer queue of the specified server to route immediately. For information on using the ROUTE command, see the appendix “Server Commands.”
Restricting mail routing based on message size
You can set size limits on messages to prevent large messages from
consuming network bandwidth. There are two types of message size
limits: a maximum message size and a low-priority size range. Messages
that exceed the maximum message size are returned to the sender as
undeliverable. Messages that are smaller than the maximum size, but
that fall within the specified size range, are marked low-priority and
routed during off-peak hours (12 AM to 6 AM by default).
Domino uses the maximum message size you specify as the upper limit
of the low-priority size range. Before specifying a low-priority size range,
you must set a maximum message size.
The size restrictions you set in the Configuration Settings document
apply to every message the Router handles, regardless of whether the
message is inbound or outbound, routed over Notes routing or over
SMTP. To set a unique size limit on some part of your messaging traffic,
you must set up distinct routing paths for that traffic and then create
separate Configuration Settings documents for servers on those paths.
For example, if you want to place a 500KB limit on inbound SMTP mail
and a 1000KB size limit on internal mail, create two Configuration
Settings documents: one for the servers that receive mail from the
Internet that specifies a 500KB size limit and a second for your internal
mail servers that specifies a 1000KB limit.
To set message size restrictions
1. Make sure you already have a Configuration Settings document for
the server(s) to be configured.
2. From the Domino Administrator, click the Configuration tab and
expand the Messaging section.
3. Click Configurations.
4. Select the Configuration Settings document for the mail server or
servers you want to administer, and click Edit Configuration.
5. Click the Router/SMTP - Restrictions and Controls - Restrictions tab.
6. Complete these fields in the Router Restrictions section, and then
click Save & Close:
Maximum message size
    The maximum message size in KB (thousands of bytes) the server
    accepts. The Router rejects any messages that exceed this size for
    both transfer and delivery. The default is 0 KB, which does not
    limit message size.
Send all messages as low-priority if message size is between
    Choose one: • Enabled • Disabled (default)
    If you choose Enabled, specify the lower limit of the size range in
    KB. By default (size range 0 to 0) message priority is not based on
    size.
7. The change takes effect after the next Router configuration update.
To put the new setting into effect immediately, reload the routing
configuration.
• Total message size is equal to the sum of the message text and the
size of all attachments.
• You can change the default hours for routing low-priority mail.
For more information, see the topic “Setting transfer limits” later
in this chapter.
• You can customize the text of delivery failure messages.
For more information, see the topics “Customizing the text of mail
failure messages” later in this chapter and “Routing mail by
priority” earlier in this chapter.
• On Domino SMTP servers you can use the ESMTP SIZE extension
to prevent inbound transfer of messages that exceed the specified
maximum message size. You can also use the outbound ESMTP
SIZE extension to configure Domino to honor size restrictions on a
target server when transferring outbound SMTP mail.
For information on setting the inbound and outbound SIZE
extensions, see the topics “Supporting inbound SMTP extensions”
and “Supporting outbound SMTP extensions” later in this chapter.
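The following Python script is an added example, not part of the Domino documentation or of the Domino product. It models the size rules described above: how a message is classified by size (rejected, low-priority, or normal), how an inbound server using the ESMTP SIZE extension can refuse a MAIL FROM whose declared SIZE exceeds the maximum, and how an outbound transfer is skipped when the target advertises a smaller SIZE limit. The 1000-byte KB follows the wording “KB (thousands of bytes)” in the table; the host names, sample SMTP lines and parameter values are constructed for the example, and the 552 reply text is the one RFC 1870 defines. One caveat the script makes explicit: SIZE on MAIL FROM is sender-supplied, so the real message length still has to be checked after DATA.

```python
import re

# Added example (not Domino code). Sizes in KB follow the manual's wording
# "KB (thousands of bytes)", so KB_BYTES = 1000 is an assumption taken from it.
KB_BYTES = 1000


def classify_message(size_bytes, max_kb, low_priority_from_kb, size_priority_enabled):
    """Model the Router's size rules from the Configuration Settings document.

    max_kb:                "Maximum message size" (0 = no limit)
    low_priority_from_kb:  lower limit of "Send all messages as low-priority
                           if message size is between"; the upper limit is
                           always max_kb
    size_priority_enabled: whether that setting is Enabled
    Returns 'reject', 'low-priority' or 'normal'.
    """
    if max_kb and size_bytes > max_kb * KB_BYTES:
        return "reject"                      # returned to sender as undeliverable
    if size_priority_enabled and max_kb:     # a maximum size is required for the range
        if low_priority_from_kb * KB_BYTES <= size_bytes <= max_kb * KB_BYTES:
            return "low-priority"            # held for the low-priority routing window
    return "normal"


def ehlo_response(hostname, max_kb):
    """EHLO reply an inbound server sends when the SIZE extension is enabled."""
    lines = [f"250-{hostname} Hello", "250-8BITMIME"]
    if max_kb:
        lines.append(f"250-SIZE {max_kb * KB_BYTES}")
    lines.append("250 HELP")
    return lines


MAIL_FROM = re.compile(r"MAIL FROM:\s*<([^>]*)>(?:\s+(.*))?$", re.I)


def inbound_mail_from(command, max_kb):
    """Reply to MAIL FROM, rejecting up front when the declared SIZE is too big.

    SIZE is supplied by the sender and may be absent or wrong, so the actual
    DATA length must still be checked with classify_message().
    """
    m = MAIL_FROM.match(command.strip())
    if not m:
        return "501 5.5.4 Syntax error in MAIL FROM"
    params = {}
    for p in (m.group(2) or "").split():
        key, _, value = p.partition("=")
        params[key.upper()] = value
    declared = params.get("SIZE")
    if declared is not None:
        if not declared.isdigit():
            return "501 5.5.4 Invalid SIZE parameter"
        if max_kb and int(declared) > max_kb * KB_BYTES:
            return "552 5.3.4 Message size exceeds fixed maximum message size"
    return "250 2.1.0 Sender OK"


def advertised_size_limit(ehlo_lines):
    """Byte limit from a peer's EHLO reply, or None when it advertises no
    fixed limit (no SIZE line at all, or SIZE without a number)."""
    for line in ehlo_lines:
        m = re.match(r"250[- ]SIZE(?:\s+(\d+))?\s*$", line.strip(), re.I)
        if m:
            return int(m.group(1)) if m.group(1) else None
    return None


def outbound_should_transfer(peer_ehlo_lines, size_bytes):
    """Outbound SIZE support: do not send DATA the target has already said
    it will refuse; the Router fails the message locally instead."""
    limit = advertised_size_limit(peer_ehlo_lines)
    return limit is None or size_bytes <= limit


if __name__ == "__main__":
    # Constructed walk-through: 500 KB maximum, low-priority range 100 KB to 500 KB.
    peer = ehlo_response("mx.example.test", 500)
    print(peer)
    print(classify_message(200 * KB_BYTES, 500, 100, True))
    print(inbound_mail_from("MAIL FROM:<alice@example.test> SIZE=600000", 500))
    print(outbound_should_transfer(peer, 450 * KB_BYTES))
```

Run it directly to see the constructed exchange; to model your own settings, pass the values from the Router Restrictions section to classify_message() and the advertised limit of a real target to outbound_should_transfer().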
Generating delay notifications for deferred low-priority mail
When Domino routes all low-priority mail within the specified
low-priority time range, the affected messages may remain in MAIL.BOX
for a significant amount of time. The delay may be acceptable to users
who sent their messages as low priority, but users may be less forgiving
if their messages were relegated to late-night routing after the Router
automatically demoted their priority — as happens when you set
Domino to change the routing priority of messages above a certain size.
Unexpected routing delays are likely to cause concern and result in calls
to the help desk.
You can configure the Router to notify senders when low-priority mail is
delayed. Of course, you should also educate users about your policy on
routing low-priority mail. When delay notifications are enabled, the
Router delivers a message to the sender of the delayed message that
explains that the message is being held until the specified routing time.
When a message is delayed, users receive an informational Delay report,
which identifies the number and addresses of the intended recipients and
indicates that transfer is delayed until the low-priority time range. The
notification includes the headers of the original message, but not the
message body, and explains that no additional user action is required to
deliver the message. You can also customize the text of the notification to
include additional information.
For information on customizing the text of a delay notification, see the
topic “Customizing the text of mail failure messages” later in this chapter.
You can have the Router deliver delay notifications for every
low-priority message held; for messages held because the sender
designated them as low-priority; or for messages held because Domino
changed the priority for policy reasons — as, for example, when a size
restriction forces a change to the routing priority of a large message.
For information on configuring Domino to send delay notifications when
it holds low-priority messages, see the topic “Setting transfer limits”
earlier in this chapter. For information on setting size limits on messages,
see the topic “Restricting mail routing based on message size” earlier in
this chapter.
Normally, a server sends only one delay notification for each message.
However, restarting a server or Router can result in duplicate delay
notifications. Also, a user may receive multiple delay reports for a
message that is delayed by servers at successive hops along the routing
path. Servers at successive hops can each send a delay report if delay
notifications are enabled and they each receive the message before their
configured low-priority routing time and buffer time.
For example, if a first-hop server has a low-priority range of 12:00 AM to
3:00 AM and receives a low-priority message at 11:00 PM (more than the
default 30-minute buffer before the range starts), it generates a delay
notification. At the start of its low-priority routing time, the server
routes the message to the next-hop server. If that server also defers
low-priority mail and has a low-priority range of 4:00 AM to 6:00 AM, it
generates an additional delay notification.
By default, the Router does not send delay notifications for low-priority
messages that a user sends within the low-priority time range or a buffer
time of 30 minutes before the start of the time range. You can alter the
default behavior by adding the variable
RouterLPDelayNotifyBufferTime to the NOTES.INI file and setting its
value to the length of the desired buffer time, in minutes. For example, if
you would like to prevent low-priority messages sent within an hour of
the start of the time range from generating a delay notification, enter the
following line in the NOTES.INI file:
RouterLPDelayNotifyBufferTime=60
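The following Python script is an added example, not part of the Domino documentation or of the Domino product. It models the delay-notification decision described above: a low-priority message that arrives outside the low-priority time range is held until the range opens, and a delay report is generated only if it arrived earlier than the buffer time before the range starts. It then walks a message through the two-hop scenario above to show how each deferring hop can produce its own report. The window and buffer defaults come from the text; the server names, times and the assumption that a transfer between hops takes no time are constructed for the example.

```python
from datetime import datetime, time, timedelta

# Added example (not Domino code). Models when the Router's low-priority
# delay notification is generated: the message must be held for the
# low-priority window AND must have arrived earlier than the buffer time
# before that window opens. Defaults follow the text (window 12 AM to
# 6 AM, RouterLPDelayNotifyBufferTime of 30 minutes). Transfer between
# hops is assumed to take no time.
DEFAULT_WINDOW = (time(0, 0), time(6, 0))
DEFAULT_BUFFER_MINUTES = 30

# Constructed scenario from the text: a message sent at 11:00 PM through
# two hops that defer low-priority mail in different windows.
EXAMPLE_SENT = datetime(2024, 1, 1, 23, 0)
EXAMPLE_HOPS = [("Hub1", time(0, 0), time(3, 0), True),
                ("Hub2", time(4, 0), time(6, 0), True)]


def in_window(t, start, end):
    """True if time-of-day t lies in [start, end); the window may cross midnight."""
    if start <= end:
        return start <= t < end
    return t >= start or t < end


def next_window_start(now, start):
    """The next moment, at or after now, when the low-priority window opens."""
    candidate = datetime.combine(now.date(), start)
    if candidate < now:
        candidate += timedelta(days=1)
    return candidate


def should_notify(received_at, start, end, buffer_minutes=DEFAULT_BUFFER_MINUTES):
    """Decide whether this hop sends a delay report for a low-priority message."""
    if in_window(received_at.time(), start, end):
        return False            # routes immediately, nothing to report
    wait = next_window_start(received_at, start) - received_at
    return wait > timedelta(minutes=buffer_minutes)


def route_low_priority(received_at, hops, buffer_minutes=DEFAULT_BUFFER_MINUTES):
    """Walk a low-priority message through successive hops.

    hops: (server_name, window_start, window_end, notifications_enabled)
    Returns (time the last hop releases the message, servers that sent a
    delay report). Every deferring hop may report once, which is how one
    message produces several delay reports for its sender.
    """
    now = received_at
    reporters = []
    for name, start, end, enabled in hops:
        if not in_window(now.time(), start, end):
            if enabled and should_notify(now, start, end, buffer_minutes):
                reporters.append(name)
            now = next_window_start(now, start)   # held in MAIL.BOX until then
    return now, reporters


if __name__ == "__main__":
    print(route_low_priority(EXAMPLE_SENT, EXAMPLE_HOPS))
    # 11:30 PM is inside the default 30-minute buffer: no report
    print(should_notify(datetime(2024, 1, 1, 23, 30), *DEFAULT_WINDOW))
    # RouterLPDelayNotifyBufferTime=15 would make the same message report
    print(should_notify(datetime(2024, 1, 1, 23, 30), *DEFAULT_WINDOW, buffer_minutes=15))
```

Changing buffer_minutes reproduces the effect of RouterLPDelayNotifyBufferTime; adding hops with their own windows shows how many reports one sender can receive before the message reaches its destination.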
Exceptions to sending delay notifications
The Router does not send delay notifications in the following cases:
• If you enabled the following setting in the Configuration Settings
document: Router/SMTP - Restrictions and Controls - Advanced -
Controls - Advanced transfer controls - Ignore message priority.
• When inbound SMTP messages include a Delivery Status
Notification (DSN) request that is set to NOTIFY=NEVER. Only DSN
requests with the value NOTIFY=DELAY result in delay
notifications.
• If the delayed message is a delivery failure report. For example, if a
message is demoted to low priority and delayed because its size
exceeds the threshold for normal priority mail, the resulting delay
notification (which includes the original message) is not delayed.
• If a Notes client user sets the Delivery Reports option to None in the
Delivery Options dialog box.
Restricting users from sending mail to groups listed in the Domino
Directory
By default, all users can send mail to groups defined in the Domino
Directory. To reduce unnecessary mail traffic, you can edit the reader
fields for a Group document to restrict access to the group, specifying the
users who are allowed to send mail to the group. Only users to whom
you grant reader access can send mail addressed to the group. Users who
do not have access to the group can see the group name listed in the
Domino Directory and choose the name in the Select Addresses dialog
box, but the Router rejects the message if they attempt to send a message
to the group.
The restrictions apply to messages sent to either a group’s Notes address
or its Internet address, and to messages originating from a Notes client as
well as to messages sent and received over SMTP (as from an IMAP or
Notes client). From a Notes client, a user who does not have permission
to use the group receives an error when attempting to send mail to the
restricted group. If the same user attempts to send mail from a POP3 or
IMAP client, the Router generates a nondelivery report indicating that the
sender is not authorized to send mail to the specified recipient.
To restrict users from sending mail to a group
1. From the Domino Administrator, click the People & Groups tab,
expand the Domino Directory that contains the group you want to
restrict access to, and select the Groups view.
2. Right-click the Group document to manage and choose Document
Properties.
3. Select the Security tab (the Key).
4. Deselect the All readers and above checkbox to enable editing of the
readers list.
5. To enable a user to send mail to the group, select the user’s name in
the list.
6. To provide access to users not listed, click the Person icon to the
right, add the name in the Select Names dialog box, and click OK.
The user’s name appears at the bottom of the list with a check next
to it.
7. Deselect the names of users you want to prevent from sending mail
to the group, including the Anonymous entry.
8. Close the Document Properties dialog box.
Setting transfer limits
Transfer controls affect how Domino transfers messages between servers.
They control the number of threads used, the number of hops allowed
before a message fails, the low-priority mail routing time range, and the
time-out and purge intervals. Transfer controls apply to both SMTP and
Notes routing.
To set message transfer controls
1. Make sure you already have a Configuration Settings document for
the server(s) to be configured.
2. From the Domino Administrator, click the Configuration tab and
expand the Messaging section.
3. Click Configurations.
4. Select the Configuration Settings document for the mail server or
servers you want to administer, and click Edit Configuration.
5. Click the Router/SMTP - Restrictions and Controls - Transfer
Controls tab.
6. Complete these fields in the Transfer Controls section, and then click
Save & Close
Maximum transfer threads
    The maximum number of server threads Domino creates to transfer
    messages to all other servers. The value applies to both Notes
    routing and SMTP. The Router sets a default maximum number of
    transfer threads based on server memory. Letting the Router select
    the maximum number is usually best. If you set the maximum number
    manually, set the maximum to between 1 and 25 threads, depending on
    server load.
Maximum concurrent transfer threads
    The maximum number of server threads the Domino Router can use to
    transfer messages to a single destination. The value applies to both
    Notes routing and SMTP. If no value is specified, the default value
    is equal to one-half of the maximum transfer threads, rounded down to
    the nearest integer. For example, if the maximum transfer threads is
    5, the maximum concurrent transfer threads defaults to 2. On servers
    that send outbound Internet mail to an SMTP relay host, this setting
    effectively defines the total threads available for transferring mail
    to the relay host. By default, when transferring messages over Notes
    routing from one Domino domain to another, the Router does not use
    multiple concurrent threads. To enable use of multiple concurrent
    transfer threads between Domino domains, add the variable
    RouterAllowConcurrentXFERToALL to the server’s NOTES.INI file.
Maximum hop count
    The maximum number of times a message can be transferred between
    servers before delivery fails and Domino sends a nondelivery
    message.
Low-priority mail routing time range
    The time range when Domino routes messages marked as low-priority.
    The default is between 12 AM and 6 AM. For low-priority mail to route
    at the specified time, the Router must be configured to obey message
    priority. If you configure the Router to ignore message priority,
    low-priority mail does not receive special handling.
Low-priority delay notifications
    If you configure the Router to hold low-priority messages until a
    given time period, message originators may not be aware of the
    reason for the delay. To inform senders when low-priority messages
    are delayed, have the Router automatically generate delay
    notifications. The Router can either generate delay notifications
    for every low-priority message it holds or only when it holds
    messages for a specific reason. Choose one:
    • Disabled: The Router does not notify senders when messages are
      delayed for priority reasons.
    • Only if priority changed for policy reasons: The Router notifies
      senders of priority-related delays only for messages that were
      designated low-priority as the result of a configured mail rule or
      size restriction.
    • Only if user requested low-priority: The Router notifies senders
      of priority-related delays only for messages that the sender
      designated as low-priority.
    • All low-priority messages: The Router notifies senders of
      priority-related delays for all low-priority messages.
    Domino Release 5.0.x used the variable RouterLowPriorityDelayNotify
    in the server’s NOTES.INI file to control the use of low-priority
    delay notifications. If this setting is present, it takes precedence
    over the setting specified in the Configuration Settings document.
Initial transfer retry interval
    The time (in minutes) that the Router waits after a message transfer
    failure before retrying the transfer. If failure recurs, Domino
    doubles the interval before a second retry. If additional retries
    are needed, they occur at three times the initial retry value.
    The default interval is 15 minutes. Lower values increase the retry
    attempts per hour and could possibly increase the success rate of
    routing the messages. Higher values decrease the retry attempts per
    hour, resulting in longer routing times.
    The Router continues attempts to transfer a pending message until
    the age of the message reaches the configured time-out value (by
    default, 24 hours). After a message times out, the Router generates
    a delivery failure report to the sender.
Expired message purge interval
    Specifies, in minutes, how often the Router checks MAIL.BOX for
    expired messages to purge. The default is 15 minutes.
• Values specified in the NOTES.INI file override settings in the
Configuration Settings document. If you use the NOTES.INI file to
configure message transfer settings, the Domino server console
displays informational messages indicating that the setting can be
specified in the Configuration Settings document.
7. The change takes effect after the next Router configuration update.
To put the new setting into effect immediately, reload the routing
configuration.
For information on how to reload the routing configuration, see the
chapter “Setting Up Mail Routing.”
Enabling multiple concurrent transfer threads between Domino
domains
In a Domino network, message transfer over SMTP is always
multithreaded, allowing multiple transfer threads to a single destination.
However, by default, Notes routing is multithreaded only for transfers
within the local Notes Named Network (NNN). When using Notes
routing to transfer mail outside the NNN, Domino does not allow
multiple concurrent transfer threads. You can add a setting in the
NOTES.INI file to enable the use of multiple concurrent transfer threads
for inter-domain Notes routing.
To transfer a message, the Router assigns a transfer thread to a message
in its transfer queue. When Notes routing is used, the transfer thread
moves the message across the network by copying it from the queue and
writing it to the MAIL.BOX database on the destination server by means
of a Notes remote procedure call. Each transfer thread processes a single
message for a single destination only. If a message has multiple
recipients at that destination, the thread deposits a single message
addressed to all of them. To send additional messages or send the same
message to additional destinations, the Router must activate additional
transfer threads.
When the transfer queue has many messages for a given destination, the
messages may be able to be transferred more efficiently if the server can
create multiple transfer threads to that destination. However, for
multiple transfer threads to improve efficiency there must be ample
bandwidth on the connection between the servers. On a slow link,
multiple active threads are forced to contend for bandwidth, with no
resulting increase in the total throughput, thus defeating the purpose of
multiple threads. Furthermore, if a high proportion of the total transfer
threads are busy on a slow link, the server may be unable to transfer
messages to destinations over other, faster links because of a lack of
available threads.
For Notes routing, connections that rely on Connection documents,
including connections to remote domain servers, are typically slower
than local domain connections; so, by default, Domino does not allow
multiple concurrent transfer threads to destinations that require a
Connection document. To ensure that message transfer is not adversely
affected, alter the default behavior only on servers that have
high-bandwidth connections to other Domino domains.
To enable multiple concurrent transfer threads between Domino
domains
1. From the Domino Administrator, open the Domino Directory and
click the Configuration tab.
2. To edit an existing Configuration Settings document, highlight and
click Edit Configuration. To create a new Configuration settings
document, highlight the server for which the Configuration Settings
document will apply, then click Add Configuration.
3. Click the NOTES.INI Settings tab.
4. Click Set/Modify Parameters.
5. In the Item field, enter:
RouterAllowConcurrentXFERToALL
6. In the Value field, enter:
1
7. Click Add, and then click OK.
8. Click Save & Close.
Note When this variable is set, the server does not attempt to
determine the connection speed or number of messages pending for
a particular destination. The server allows multiple concurrent
transfer threads, regardless of whether the speed of a particular
connection justifies the additional threads. The number of transfer
threads for each destination remains limited by the value you set for
the number of Maximum concurrent transfer threads.
Setting the message time-out value
When the Router is unable to transfer a message on the first attempt, it
continues to attempt delivery at intervals, as specified in the “Initial
transfer retry interval” field of the Configuration Settings document. If a
message cannot be delivered (or forwarded to the next server on the path
to the user’s mail server) within a specified time-out period, the Router
returns a delivery failure report to the sender. By default, the message
time-out value is 24 hours.
In the event that mail files on certain servers become unreachable for an
extended period, consider increasing the default time-out value on other
servers. A higher time-out value decreases the likelihood of important
mail being returned because of transfer and delivery failures.
On the Internet, the time-out value for message transfer is typically five
days - that is, if the next hop server is unreachable, the connecting server
continues to retry transfer for five days before giving up and generating
a delivery failure report.
Increasing the time-out value to n days may result in senders receiving a
delivery failure report for undeliverable mail n days after the message
was sent.
Because each successive retry consumes server resources, a high volume
of undeliverable mail can place a significant extra load on the server. If
you notice an increase in the amount of pending mail in MAIL.BOX,
examine messages to determine the validity of their origins and
destinations. If a large portion of pending messages are addressed to
nonexistent users or originate from known or possible spam mailers,
consider resetting the time-out interval to a lower value. Using a lower
time-out value reduces the time before the server marks a message as
undeliverable, thereby decreasing the number of retries.
For information about managing undeliverable mail, see the topic
“Managing undeliverable mail in MAIL.BOX” later in this chapter.
For information about methods for rejecting unwanted mail before
servers accept it, see the topic “Restricting SMTP inbound routing” later
in this chapter.
For information about using mail rules to process mail automatically, see
the topic “Setting server mail rules” earlier in this chapter.
To set the message time-out value
1. From the Domino Administrator, open the Domino Directory and
click the Configuration tab.
2. To edit an existing Configuration Settings document, highlight and
click Edit Configuration. To create a new Configuration settings
document, highlight the server for which the Configuration Settings
document will apply, then click Add Configuration.
3. Click the NOTES.INI Settings tab.
4. Click Set/Modify Parameters.
5. In the Item field, enter:
MailTimeout
6. In the Value field, enter the number of days after which Domino
returns undeliverable mail to the sender, click Add, and then click
OK.
Note To specify a time-out period shorter than one day, specify the
variable MailTimeoutMinutes in the Item field in Step 5, and specify
a time-out period, in minutes, in Step 6.
7. Click Save & Close.
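The following Python script is an added example, not part of the Domino documentation or of the Domino product. It reproduces the retry schedule described for the “Initial transfer retry interval” field (wait the initial interval, then double it, then three times the initial for every later retry) and stops it at the time-out set with MailTimeout or MailTimeoutMinutes, so that you can see how many retries a single undeliverable message costs under each time-out and why a high volume of undeliverable mail loads the server. Measuring the message age from its first failed transfer, and the arrival rate used in the comparison, are assumptions made for the example.

```python
# Added example (not Domino code). Reproduces the retry schedule that the
# "Initial transfer retry interval" field describes (initial wait, then
# double, then three times the initial for every later retry) and cuts it
# off at the MailTimeout / MailTimeoutMinutes value, to show how the
# time-out bounds the retry load an undeliverable message generates.
# Assumption: message age is counted from the first failed transfer.
DEFAULT_INITIAL_RETRY_MINUTES = 15
DEFAULT_TIMEOUT_MINUTES = 24 * 60      # MailTimeout default of 24 hours


def retry_wait(attempt, initial=DEFAULT_INITIAL_RETRY_MINUTES):
    """Minutes the Router waits before retry number `attempt` (1-based)."""
    if attempt == 1:
        return initial
    if attempt == 2:
        return 2 * initial
    return 3 * initial


def retry_schedule(initial=DEFAULT_INITIAL_RETRY_MINUTES,
                   timeout=DEFAULT_TIMEOUT_MINUTES):
    """Offsets, in minutes after the first failed transfer, of every retry
    made before the message's age reaches the time-out. When the next retry
    would fall at or past the time-out, the message is returned to the
    sender with a delivery failure report instead."""
    offsets, elapsed, attempt = [], 0, 1
    while True:
        elapsed += retry_wait(attempt, initial)
        if elapsed >= timeout:
            break
        offsets.append(elapsed)
        attempt += 1
    return offsets


def retries_per_hour(undeliverable_per_hour,
                     initial=DEFAULT_INITIAL_RETRY_MINUTES,
                     timeout=DEFAULT_TIMEOUT_MINUTES):
    """Steady-state retry load: every undeliverable message costs one full
    schedule of retries over its lifetime, so the hourly load scales with
    the arrival rate times the schedule length."""
    return undeliverable_per_hour * len(retry_schedule(initial, timeout))


if __name__ == "__main__":
    # Constructed comparison: 100 undeliverable messages per hour (for
    # example, during a dictionary attack) under three time-out settings.
    for label, timeout in (("MailTimeoutMinutes=240", 240),
                           ("MailTimeout=1 (default)", 24 * 60),
                           ("MailTimeout=5", 5 * 24 * 60)):
        schedule = retry_schedule(timeout=timeout)
        print(f"{label}: {len(schedule)} retries per message, last at "
              f"{schedule[-1]} min, {retries_per_hour(100, timeout=timeout)} retries/hour")
```

The comparison shows the trade-off the text describes: a five-day time-out keeps mail for unreachable servers alive at five times the retry cost of the default, while a short MailTimeoutMinutes value discards mail addressed to nonexistent users after a handful of attempts.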
Setting advanced transfer and delivery controls
1. Make sure you already have a Configuration Settings document for
the server(s) to be configured.
2. From the Domino Administrator, click the Configuration tab and
expand the Messaging section.
3. Click Configurations.
4. Select the Configuration Settings document for the mail server or
servers you want to administer, and click Edit Configuration.
5. Click the Router/SMTP - Advanced - Controls tab.
6. Complete these fields in the Advanced Transfer Controls section, and
then click Save & Close:
Ignore message priority
    Choose one:
    • Enabled: The Router sends all messages as Normal priority.
    • Disabled (default): The Router honors message priority settings
      assigned by the sender or another server process.
    Do not enable this setting if you configured Domino to route
    messages of a specified size as low priority and want to confine
    routing of large messages to the specified low-priority routing
    time.
Dynamic cost reset interval
    The time, in minutes, after which the Router resets the costs for
    the various connections. For example, if the cost reset interval is
    15 minutes and a network failure caused the Router to increase a
    connection cost from 1 to 2, the Router resets the connection cost
    to 1 after the 15-minute cost reset interval.
Restrict name lookups to primary directory only
    Choose one:
    • Enabled: Users can look up names and groups only in the Domino
      Directory for the server’s Domino domain. Users cannot look up
      names and groups in other directories that are available through
      Directory Assistance.
    • Disabled (default): Users can look up names and groups in any
      directories available from the server.
Cluster failover
    Choose one:
    • Disabled: If a recipient’s server is unavailable, the Router does
      not automatically route mail through a clustered server.
    • Enabled for last hop only (default): When the Router detects that
      a recipient’s mail server (the last hop in the routing path) is
      unavailable, it attempts to locate a clustered server and transfer
      the message to that server. For example, Server1 routes a message
      addressed to Jane Doe, whose mail file is on Server3. Server1
      fails to connect to Server3, which is unavailable. Server1 checks
      the Domino Directory to see if there are any servers clustered
      with Server3. Server2 is clustered with Server3, so the Router on
      Server1 attempts to connect to Server2. If the connection is
      successful, the Router transfers the message to Server2.
    • Enabled for all transfers in this domain: When the Router detects
      that a server for any hop in the routing path is unavailable, it
      attempts to locate a server clustered with that hop server. If the
      Router can find another clustered server, it transfers the message
      to that server. For example, if the Router on Server1 attempts to
      transfer to HubA but HubA is unavailable, the Router checks the
      Domino Directory to see if there are any servers clustered with
      HubA. Because HubB is clustered with HubA, the Router attempts to
      connect to HubB. If the connection is successful, the Router
      transfers the message from Server1 to HubB, which continues
      routing the message.
Hold undeliverable mail
    Choose one:
    • Enabled: When the Router cannot transfer or deliver a message, it
      leaves the message in MAIL.BOX rather than generate a delivery
      failure report. Select this option if you want to be able to
      examine messages with failures. You can then access these messages
      and either release them, forward them, or delete them.
    • Disabled (default): When the Router cannot deliver a message, it
      generates a delivery failure report.
    If you configure MAIL.BOX to hold undeliverable messages, examine
    the database frequently to check for accumulated messages.
• For more information on directory assistance, see the chapter
“Setting Up Directory Assistance.” For more information on clusters,
see Administering Domino Clusters.
7. The change takes effect after the next Router configuration update.
To put the new setting into effect immediately, reload the routing
configuration.
For information on how to reload the routing configuration, see the
chapter “Setting Up Mail Routing.”
Managing undeliverable mail in MAIL.BOX
MAIL.BOX databases on the server may contain two types of
undeliverable messages: dead messages, designated by a stop sign icon;
and held messages, designated by a red exclamation point.
By default, when Domino cannot transfer or deliver a message — for
example, when the address is typed incorrectly — the Router returns a
delivery failure report to the sender. If the Router can neither deliver the
message to its intended recipient (To, CC, or BCC) nor deliver the failure
report to the sender — for example, when the recipient’s address is typed
incorrectly and the sender’s mail server is unavailable — the Router
changes the routing state of a message to Dead.
A message that is marked Dead lists the originator of the message in the
Recipients field and the address to whom the originator first sent the
message in the Intended Recipient field. You can correct addressing
errors in these fields to resend a delivery failure report to the originator
or the original message to its intended destination.
Undeliverable messages result when a server receives mail addressed to
nonexistent local recipients. Some undeliverable messages might be
legitimate, as in the case where a recipient’s name is misspelled or the
intended recipient has left the organization. But a high volume of
undeliverable messages may represent what’s known as a “dictionary
attack” in which a spam mailer attempts to harvest e-mail addresses in a
domain by guessing every possible user name in the domain. The
attacker directs a bogus mass-mailing to the target domain, using a list of
names automatically generated by a script. The attacker then uses
delivery failure reports returned from the target domain to determine
which names are valid.
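The following Python script is an added example, not part of the Domino documentation or of the Domino product. It shows how an administrator could detect the dictionary-attack pattern described above by scanning records of undeliverable messages (for instance, an export of the Held and Dead views of MAIL.BOX): one sending source that produces failures to many distinct unknown local recipients within a short time is flagged, while a single misaddressed message from a partner is not. The record fields, the failure-reason wording and the SAMPLE_MESSAGES data are constructed assumptions for the example, and the window and threshold are starting points to tune for your own traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Added example (not Domino code). Scans undeliverable-message records for
# the pattern the text calls a dictionary attack: one source producing
# failures to many distinct unknown local recipients in a short time.
# The record fields and the failure-reason wording are assumptions;
# SAMPLE_MESSAGES is constructed for the example.
UNKNOWN_RECIPIENT = re.compile(r"not listed in (?:the )?Domino Directory", re.I)

SAMPLE_MESSAGES = [
    # source (sending host), intended recipient, time received, failure reason
    {"source": "relay.bulk-example.test", "recipient": f"{name}@acme.test",
     "received_at": datetime(2024, 1, 1, 2, 0) + timedelta(seconds=20 * i),
     "failure_reason": f"User {name} not listed in Domino Directory"}
    for i, name in enumerate(["aaron", "abbey", "abel", "abigail", "adam", "adrian",
                              "agnes", "aiden", "alan", "albert", "alex", "alice"])
] + [
    # a single misspelled address from a legitimate partner
    {"source": "mail.partner-example.test", "recipient": "jdoe2@acme.test",
     "received_at": datetime(2024, 1, 1, 2, 1),
     "failure_reason": "User jdoe2 not listed in Domino Directory"},
    # a failure that reveals nothing about address validity
    {"source": "relay.bulk-example.test", "recipient": "sales@acme.test",
     "received_at": datetime(2024, 1, 1, 2, 5),
     "failure_reason": "Maximum message size exceeded"},
]


def unknown_recipient_failures(messages):
    """Keep only the failures whose delivery failure report would confirm
    to the sender that an address does not exist."""
    return [m for m in messages if UNKNOWN_RECIPIENT.search(m["failure_reason"])]


def find_dictionary_attacks(messages, window=timedelta(minutes=10), min_distinct=10):
    """Return {source: distinct_unknown_recipients} for every source that hit
    at least min_distinct different unknown recipients within any span of
    length `window`."""
    by_source = defaultdict(list)
    for m in unknown_recipient_failures(messages):
        by_source[m["source"]].append(m)

    flagged = {}
    for source, hits in by_source.items():
        hits.sort(key=lambda m: m["received_at"])
        best = 0
        for i, first in enumerate(hits):           # slide the window over each start
            deadline = first["received_at"] + window
            seen = {m["recipient"] for m in hits[i:] if m["received_at"] <= deadline}
            best = max(best, len(seen))
        if best >= min_distinct:
            flagged[source] = best
    return flagged


if __name__ == "__main__":
    print(find_dictionary_attacks(SAMPLE_MESSAGES))
```

A flagged source is a candidate for the measures described in this chapter: hold undeliverable mail so that no delivery failure reports leak which names exist, reject its connections at the inbound SMTP level, and verify recipients against the Domino Directory before accepting messages.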
Held messages
In some cases, rather than letting Domino generate delivery failure
reports automatically, you may want to examine messages before
returning them. To trap undeliverable messages, you can configure the
Router to mark them as Held. For example, if you suspect that spam sites
are using delivery failure responses to test addresses in your
organization, you can hold undeliverable mail to eliminate this source of
feedback.
When you configure the Router to hold undeliverable messages, each
held message remains in MAIL.BOX indefinitely and is processed only if
an administrator releases the message.
Note If you configure MAIL.BOX to hold undeliverable messages,
examine the database frequently to check for accumulated messages.
You can prevent servers from accepting mail addressed to nonexistent
users by requiring Domino to check whether a recipient has a Person
document in the Domino Directory before it can accept a message.
For more information on configuring Domino to validate recipients
before accepting messages, see the topic “Restricting users from receiving
Internet mail” later in this chapter.
The Router also changes the routing state of a message to Held when
directed to do so by a mail rule.
By default, when you configure the Router to hold undeliverable mail, it
does not mark messages as Dead. Only if the Router cannot deliver a
held message or its delivery failure report after you release it for a final
delivery attempt does the Router mark any message Dead.
For each held or dead message, the views in MAIL.BOX display
information about when the server received the message, as well as the
sender and recipient, message size, and the reason why the message
failed. In addition, Dead messages display a Dead failure reason
explaining why the message could not be returned to the sender.
You can use the following tools to manage undeliverable mail in
MAIL.BOX:
• Check MAIL.BOX for undelivered mail
• Edit the recipient and subject items of held or dead messages
• Release held and dead messages from MAIL.BOX
• Delete messages from MAIL.BOX
To check MAIL.BOX for undelivered mail
Periodically examine MAIL.BOX for messages, especially if you
configure MAIL.BOX to hold undeliverable messages.
1. From the Domino Administrator, select the server on which you
want to resolve undelivered mail.
2. Click the Messaging - Mail tab.
3. Select the MAIL.BOX database you want to examine by clicking
Servername Mailbox (mail.box). On servers with multiple mailboxes,
a separate view is available for each mailbox.
4. Check Held and Dead messages. You can do one of three things with
undeliverable messages:
• Correct the addresses of the message recipients
• Release the messages to their intended recipients
• Delete the messages
To edit and release held or dead messages
Edit messages in MAIL.BOX to specify the destination address for
resending the original message or resulting delivery failure report. You
can also edit the Subject line to insert additional information about the
message, such as the reason it was held or the name of the original
recipient.
1. In the MAIL.BOX database, select the Held or Dead message for
which you want to correct addresses and click Edit Message.
2. Edit the address in the Recipients field or Intended Recipient field as
follows:
To edit the address of a held message:
To correct the destination address to which the Router resends an
original message, edit the Recipient field. You can specify a Notes
address or an Internet address.
When you release held messages, the Router ignores the entry in the
Intended Recipient field.
To edit the address of a dead message:
To correct the destination address to which the Router resends the
original message, edit the address in the Intended Recipient field,
and click Release - Resend dead message to originally intended
recipient. You can specify a Notes address or an Internet address.
The Router ignores the entry in the Recipients field. The received
message displays the original recipient address.
To correct the destination address to which the Router resends the
delivery failure report for a dead message, change the address in the
Recipients field, and click Release - Return Non Delivery Report to
sender. You can specify a Notes address or an Internet address.
To release held and dead messages from MAIL.BOX
Depending on what caused a message to be retained in MAIL.BOX, you
may be able to successfully resend it to its originally intended recipients
or return a delivery failure report to the sender. For example, if messages
were marked held or dead as a result of a temporary network failure,
you may be able to release messages to their destinations after restoring
network connections. Or, if a message failed to reach its destination
because of a misspelled address, you can resend it by correcting the
address and releasing the message.
When deciding what to do with dead messages, always examine them
carefully before taking action. Check the message origin and the list of
intended recipients, and determine the failure reason. If the From or
Recipients fields of a dead message are blank or contain invalid
addresses, or if the failure reason indicates a null SMTP reverse path,
consider deleting the message, rather than releasing it.
1. From the Domino Administrator, select the server on which you
want to resolve undelivered mail.
2. Click the Messaging - Mail tab.
3. Click Servername Mailbox (mail.box) to select the MAIL.BOX
database to examine. On servers with multiple mailboxes, the view
displays each of the available mailboxes (mail1.box, mail2.box, and
so forth).
28-44 Administering the Domino System, Volume 1
4. Select the held or dead messages to release and click the Release
button. Choose one of the following:

Release option: Resend all dead messages to originally intended recipients
Description: The Router attempts to resend each dead message in the
current MAIL.BOX database to the originally intended recipient (To, CC,
or BCC) listed in the Intended Recipient field. If the Router cannot
deliver or transfer the message, it generates a delivery failure report
to the sender. If the NDR is also undeliverable, the Router again marks
the message Dead. This action applies to all messages in the current
MAIL.BOX database only. On servers with multiple MAIL.BOX databases,
dead messages in other MAIL.BOX databases are not released.

Release option: Resend selected dead messages to originally intended recipients
Description: The Router attempts to resend the selected dead message to
the originally intended recipient (To, CC, or BCC) listed in the
Intended Recipient field. If the Router cannot deliver or transfer the
message, it generates a delivery failure report to the sender. If the
NDR is also undeliverable, the Router again marks the message Dead.

Release option: Return Non Delivery Report to sender of all selected dead messages
Description: The Router attempts to resend the delivery failure report
for the selected dead messages to the message originator specified in
the Recipients field. If the failure report is undeliverable, the Router
again marks the message Dead.

Release option: Resend selected held messages
Description: The Router attempts to resend the selected held messages to
the originally intended recipient (To, CC, or BCC) listed in the
Recipients field. The Router ignores the entry in the Intended Recipient
field. If the Router cannot transfer or deliver a released message, it
again marks the message Held.

Release option: Resend selected held messages for a final time
Description: The Router attempts to resend the selected held messages to
the originally intended recipient (To, CC, or BCC) listed in the
Recipients field. The Router ignores the entry in the Intended Recipient
field. If the Router cannot deliver the messages to the recipients, it
sends a nondelivery failure report to the message originator and removes
the message from MAIL.BOX. If the delivery failure report cannot be sent,
the Router marks the message Dead.

When you finish processing undeliverable messages, close the MAIL.BOX
database.
To delete messages from MAIL.BOX
The Router automatically deletes sent messages from MAIL.BOX. If you
cannot resend a message or delivery failure report, or choose not to
resend it, delete the message.
1. Select the Held or Dead message to delete.
2. Click Delete Message. The messages are marked for deletion.
3. Press F9, and click Yes when prompted to delete the document.
Customizing the text of mail failure messages
You can customize the text of messages that Domino sends when various
mail failures occur. The text you specify is added to the default text for
the message. Customize messages to provide text in multiple languages
or supply users with additional information about how to respond to a
failure. For example, add text that provides the phone number to call in
case a mail message does not reach your server.
You can enter customized text directly on the Configuration Settings
document or create text files for each customized message and then use
the Configuration Settings document to specify the location of each file.
1. Make sure you already have a Configuration Settings document for
the server(s) to be configured.
2. From the Domino Administrator, click the Configuration tab and
expand the Messaging section.
3. Click Configurations.
4. Select the Configuration Settings document for the mail server or
servers you want to administer, and click Edit Configuration.
5. Click the Router/SMTP - Advanced - Controls tab.
6. In the Failure Messages section, choose a method for specifying the
customized text for failure messages:

Method: Text file
Description: The Router adds customized text to failure messages from
external files. For each condition listed, enter the complete path to a
text file that contains the customized text you want to add to the
default failure message.

Method: Text
Description: The Router adds customized text to failure messages from
text entered in the Configuration Settings document. For each condition
listed, enter the customized text you want to add to the default failure
message.

Field: Transfer failure
Enter: Transfer failures occur when there is a transient connection
failure between the servers —for example, a network problem. If you
specified Text in Step 6, enter text to add to the default transfer
failure message; otherwise specify the path to a file containing the
text —for example, C:\DOMINO\DATA\TRANSFER.TXT.

Field: Delivery failure
Enter: Delivery failures occur when the server is unable to deliver the
message to the recipient’s mail file —for example, if the recipient’s
mail file has moved and the Domino Directory has not been properly
updated. If you specified Text in Step 6, enter text to add to the
default delivery failure message; otherwise specify the path to a file
containing the text —for example, C:\DOMINO\DATA\DELIVER.TXT.

Field: Message expiration
Enter: Message expiration failures occur when Domino cannot transfer the
message to its destination in a given period of time. If you specified
Text in Step 6, enter text to add to the default message expiration
notification; otherwise specify the path to a file containing the text
—for example, C:\DOMINO\DATA\EXPIRE.TXT.

Field: Domain failure
Enter: Domain failures occur when Domino cannot identify the destination
domain for a recipient of a message. For example, if you send a message
to jdoe@lotus.com and Domino cannot locate lotus.com in either the
Domino Directory or the DNS, the server generates a domain failure
message. If you specified Text in Step 6, enter text to add to the
default message for domain failures, or specify the path to a file
containing the text —for example, C:\DOMINO\DATA\DOMAIN.TXT.

Field: Server failure
Enter: Server failures occur when Domino cannot connect to the
destination server. For example, if you send a message to
jdoe@lotus.com, and DNS instructs you to send mail for the lotus.com
domain to mail1.lotus.com but Domino cannot connect to mail1.lotus.com,
the sending Domino server generates a server failure message. If you
specified Text in Step 6, enter text to add to the default message for
server failures; otherwise, specify the path to a file containing the
text —for example, C:\DOMINO\DATA\SERVER.TXT.

Field: Username failure
Enter: User name failures occur when Domino cannot match the local part
of an address to a recipient. For example, if you send a message to
jdoe@lotus.com, but Domino cannot find jdoe in the Domino Directory, the
server generates a user name failure message. If you specified Text in
Step 6, enter text to add to the default message for user name failures;
otherwise, specify the path to a file containing the text —for example,
C:\DOMINO\DATA\USER.TXT.

Field: Size failure
Enter: Size failures occur when Domino rejects a message because its
size is greater than the maximum message size (which you can specify in
the “Maximum message size” field on the Restrictions and Controls -
Restrictions tab of the Server Configuration document) and generates a
size failure message. If you specified Text in Step 6, enter text to add
to the default message for size failures; otherwise, specify the path to
a file containing the text —for example, C:\DOMINO\DATA\SIZE.TXT.

Field: Restriction failure
Enter: Restriction failures occur when Domino rejects a message based on
outbound Router restrictions. For example, if you send a message to
jdoe@lotus.com, but lotus.com is listed in the “Deny messages from the
following Internet addresses to be sent to the Internet” field on the
Router/SMTP - Restrictions and Controls - SMTP Outbound Controls tab of
the Server Configuration document, Domino rejects the message and
generates a restriction failure message. If you specified Text in Step
6, enter text to add to the default message for restriction failures;
otherwise, specify the path to a file containing the text —for example,
C:\DOMINO\DATA\RESTRICT.TXT.

Field: Delay notification
Enter: Low-priority routing delays occur when a low-priority message
received in MAIL.BOX is not processed until the specified low-priority
routing time (12:00 AM to 6:00 AM by default). If low-priority delay
notifications are enabled for the message, the Router sends a delay
notification to the originator’s address. If you specified Text in Step
6, enter text to add to the default low-priority delay notification;
otherwise, specify the path to a file containing the text —for example,
C:\DOMINO\DATA\DELAY.TXT. Domino Release 5.0.x specified this file using
the MailTextFileForTransferDelays setting in the server’s NOTES.INI
file. If this setting is present, it takes precedence over the setting
specified here.

Field: Quota warning notification
Enter: The Router sends Quota warning notifications to users whose mail
files exceed their configured quota warning threshold. If you specified
Text in Step 6, enter text to add to the default quota warning
notification; otherwise, specify the path to a file containing the text
—for example, C:\DOMINO\DATA\WARNING.TXT.

Field: Quota error notification
Enter: The Router sends Quota error notifications to users whose mail
files exceed their configured quota. If you specified Text in Step 6,
enter text to add to the default quota error notification; otherwise,
specify the path to a file containing the text —for example,
C:\DOMINO\DATA\QUOTA.TXT.

For information on setting inbound mail restrictions, see the topics
“Restricting mail routing based on message size” earlier in this chapter
and “Restricting who can send Internet mail to your users” later in this
chapter.
The change takes effect after the next Router configuration update. To
put the new setting into effect immediately, reload the routing
configuration. For information on how to reload the routing
configuration, see the chapter “Setting Up Mail Routing.”

Customizing Notes routing
To customize Notes routing in your organization, you can:
• Schedule routing for optimal efficiency
• Change the routing cost of connections between Domino servers
• Restrict mail routing based on Domino domains, organizations, and
organizational units
Scheduling Notes routing
By default, when using Notes routing Domino can transfer messages
only to other servers in the same Notes Named Network (NNN). To
extend Notes routing beyond a single NNN you must create Connection
documents in the Domino Directory and specify a routing schedule.
Domino does not automatically create Connection documents for mail
routing.
Default schedule
By default, Connection documents instruct the Router to connect to the
destination server to transfer mail every six hours between 8:00 AM and
10:00 PM, or whenever the number of pending messages in MAIL.BOX
reaches 5. You can customize the schedule to specify the number of
pending messages that trigger routing, as well as the day, time range,
and repeat interval for a connection.
Using Connection documents to control routing within a Notes
Named Network (NNN)
You can use Connection documents to restrict routing within a NNN to a
specified schedule. Connection documents apply to both Notes routing
and SMTP routing. In the absence of any Connection documents, the
Router transfers all mail within a NNN immediately, except for
low-priority messages. If the Router is configured to use both SMTP and
Notes routing, it queues messages pending in MAIL.BOX for each
protocol separately. Regardless of the schedule, high-priority messages
continue to route immediately.
Forcing mail to route to a specific server
To force the server to immediately route all pending mail to another
server, use the Route command at the server console.
Routing schedules and low-priority messages
Routing schedules in Connection documents do not apply to low-priority
messages. Low-priority messages route only during the configured
low-priority mail interval, even among servers in the same Notes named
network.
You can configure Domino to designate messages over a certain size as
low-priority and send them when the server is less busy.
For more information on changing the priority of large messages and
scheduling the low-priority mail interval, see the topics “Restricting mail
routing based on message size” and “Setting transfer limits” earlier in
this chapter.
To schedule Notes routing
1. Make sure that you have already created the necessary Connection
documents.
See the chapter “Setting Up Server-to-Server Connections.”
2. From the Domino Administrator, click the Configuration tab and
expand the Messaging section.
3. Click Connections.
4. Select the Connection document for the server connection you want
to configure, and click Edit Connection.
5. Click the Schedule tab.
6. Complete these fields in the Scheduled Connection section:

Field: Schedule
Enter: Choose one:
• Enabled to use this schedule to control connections between the
specified servers.
• Disabled to cause the server to ignore the schedule.

Field: Call at times
Enter: One or more time ranges and/or specific times when you want mail
routing to occur each day — for example, 8:00 AM - 5:00 PM, 11:00 PM,
2:00 AM. The default is 8:00 AM - 10:00 PM.

Field: Repeat interval
Enter: The number of minutes between routing attempts; the default is
360 minutes.

Field: Days of week
Enter: The days of the week when the server should use this schedule and
route mail. The default is to use this connection for each day of the
week.

7. Click the Replication/Routing tab.


8. Complete these fields in the Routing section, and then click Save &
Close:

Field: Routing task
Enter: Choose one or more:
• Mail Routing —(default) Enables Notes mail routing between the servers
• X400 Mail Routing —Enables routing of X.400 mail between servers in a
system with an X.400 Message Transfer Agent
• SMTP Mail Routing —Enables routing of Internet mail to a server that
can connect to the Internet
• ccMail Routing —Enables routing of cc:Mail mail between servers in a
system with a cc:Mail Message Transfer Agent
• None —The Connection document is not used to route mail between the
servers

Field: Route at once
Enter: The number of normal-priority messages that accumulate before the
server routes mail. The default is 5.

Field: Routing cost
Enter: The relative cost of this server connection. Do not modify this
cost unless you are an experienced Domino administrator.

Field: Router type
Enter: How Domino routes mail between the servers.

9. The change takes effect after the next Router configuration update.
To put the new setting into effect immediately, reload the routing
configuration.
For information on how to reload the routing configuration, see the
chapter “Setting Up Mail Routing.”
For more information on Router types, see the chapter “Setting Up Mail
Routing.”
Example: Scheduling immediate 24 x 7 routing
To route mail immediately 24 hours a day, 7 days a week, create a
routing schedule for a 24-hour, 7-day period. Then set routing to begin as
soon as MAIL.BOX contains a single pending message.
1. Complete these fields in the Scheduled Connection section of the
Connection document:

Field: Schedule
Enter: Enabled

Field: Call at times
Enter: 12:00 AM - 12:00 PM

Field: Repeat interval
Enter: Blank

Field: Days of week
Enter: Select Sun, Mon, Tue, Wed, Thu, Fri, Sat

2. Complete this field in the Routing section of the Replication/Routing
tab:

Field: Route at once if
Enter: 1 message pending

3. Update the routing configuration to ensure that the new schedule
takes effect.
Changing the routing cost for a connection
Notes routing assigns a routing cost to each connection and uses these
costs to select the most efficient way to route mail from one server to
another. The Router computes and stores information about these costs
in its routing tables. If there is more than one possible route for mail to
travel between the source server and the destination server for the
message, the Router uses routing cost information in the tables to
calculate the least-cost route for the message.
The Router uses information in Server, Domain, and Connection
documents to create the routing tables. A LAN connection has low cost; a
dialup modem connection has high cost. By default, each LAN
connection has a cost of 1, while each dialup modem connection has a
cost of 5.
If server connections are disrupted or a network fails, the Router selects
an alternate path and increases the cost for the path that failed.
How the Router chooses a route
1. It calculates and selects the least-cost route.
2. If the least-cost route fails — for example, if there is no answer or if
the network times out — the Router increases the cost of the initial
route by 1. For example, if a LAN connection between Server A and
Server B initially has a cost of 1 but the connection fails during an
attempted transfer, the Router increases the cost of that LAN
connection between Server A and Server B to 2.
3. The next time the Router tries to transfer mail between servers, it
again looks for the least-cost route between those servers. If there is
an alternate route that is equal in cost and requires fewer hops, the
Router selects that alternate route. For example, if there are two
paths between Server A and Server B, each with a total cost of 4, the
Router examines the number of hops in each path. If one route
requires three hops but the other requires only two hops, the Router
uses the path that requires two hops because the costs are equal.
The Router resets the cost for a connection when:
• The server receives an inbound connection from the failed server
• The dynamic cost interval occurs
• You stop and restart the Router
The routing tables reside in memory and are dynamic. When you restart
the server or modify a Connection, Server, Configuration Settings, or
Domain document, the Router rebuilds the routing tables.
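The route selection described above, as an added example that is not part of the Domino documentation or product code: a small in-memory routing table that picks the least-cost path, breaks cost ties by hop count, raises a failed connection's cost by 1, and restores the configured costs on reset. The class, method names and the directed-graph model are my own assumptions; Domino's real routing tables are not exposed this way.

```python
"""Least-cost route selection with hop-count tie-breaking, as the text
describes for the Notes Router. Added illustration; names are invented."""
import heapq
from typing import Dict, List, Optional, Tuple

LAN_COST = 1     # default cost of a LAN connection (from the text)
DIALUP_COST = 5  # default cost of a dialup modem connection (from the text)


class RoutingTable:
    """In-memory table of directed server-to-server connections and their
    current routing costs (a stand-in for the Router's own tables)."""

    def __init__(self) -> None:
        self._default: Dict[Tuple[str, str], int] = {}  # cost from the Connection document
        self._current: Dict[Tuple[str, str], int] = {}  # cost after failures

    def add_connection(self, src: str, dst: str, cost: int = LAN_COST) -> None:
        """Record a Connection document from src to dst with its routing cost (1 to 10)."""
        if not 1 <= cost <= 10:
            raise ValueError("routing cost must be between 1 and 10")
        self._default[(src, dst)] = cost
        self._current[(src, dst)] = cost

    def cost(self, src: str, dst: str) -> int:
        """Current (possibly raised) cost of the src -> dst connection."""
        return self._current[(src, dst)]

    def record_failure(self, src: str, dst: str) -> None:
        """A transfer over src -> dst failed: the Router raises that connection's cost by 1."""
        self._current[(src, dst)] += 1

    def reset_costs(self) -> None:
        """Restore the costs from the Connection documents, as happens when the
        dynamic cost interval occurs, the failed server connects in, or the
        Router restarts."""
        self._current = dict(self._default)

    def least_cost_route(self, src: str, dst: str) -> Optional[List[str]]:
        """Return the cheapest path from src to dst; among equal-cost paths,
        the one with the fewest hops. Returns None if dst is unreachable."""
        # Dijkstra over (total cost, hop count): tuple comparison orders by
        # cost first and uses the hop count only to break ties.
        best: Dict[str, Tuple[int, int]] = {src: (0, 0)}
        prev: Dict[str, str] = {}
        heap: List[Tuple[int, int, str]] = [(0, 0, src)]
        while heap:
            total, hops, node = heapq.heappop(heap)
            if (total, hops) > best[node]:
                continue  # stale heap entry, a better label was found already
            if node == dst:
                break
            for (a, b), c in self._current.items():
                if a != node:
                    continue
                candidate = (total + c, hops + 1)
                if candidate < best.get(b, (float("inf"), 0)):
                    best[b] = candidate
                    prev[b] = node
                    heapq.heappush(heap, (candidate[0], candidate[1], b))
        if dst not in best:
            return None
        path = [dst]
        while path[-1] != src:
            path.append(prev[path[-1]])
        return path[::-1]


def build_sample_table() -> RoutingTable:
    """Constructed sample topology: ServerA reaches ServerB directly over a
    LAN, via ServerC over two LAN hops, or via ServerD over a dialup link."""
    table = RoutingTable()
    table.add_connection("ServerA", "ServerB", LAN_COST)
    table.add_connection("ServerA", "ServerC", LAN_COST)
    table.add_connection("ServerC", "ServerB", LAN_COST)
    table.add_connection("ServerA", "ServerD", DIALUP_COST)
    table.add_connection("ServerD", "ServerB", LAN_COST)
    return table


if __name__ == "__main__":
    table = build_sample_table()
    print("initial:", table.least_cost_route("ServerA", "ServerB"))
    table.record_failure("ServerA", "ServerB")   # direct link now costs 2, ties A-C-B
    print("after one failure:", table.least_cost_route("ServerA", "ServerB"))
    table.record_failure("ServerA", "ServerB")   # direct link now costs 3
    print("after two failures:", table.least_cost_route("ServerA", "ServerB"))
    table.reset_costs()
    print("after reset:", table.least_cost_route("ServerA", "ServerB"))
```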
To override the default routing cost
You can override the default setting for the routing cost for a connection.
You can change this setting only for connections between servers in
different Notes named networks. Change the default routing cost for a
connection only if you are an experienced Domino administrator.
Improperly changing routing costs can create routing loops and disable
the Router’s selection of an alternate route.
1. Make sure that you have already created the necessary Connection
documents.
For more information on Connection documents, see the chapter
“Setting Up Server-to-Server Connections.”
2. From the Domino Administrator, click the Configuration tab and
expand the Messaging section.
3. Click Connections.
4. Select the Connection document for the server connection you want
to configure, and click Edit Connection.
5. Click the Replication/Routing tab.
6. Complete this field, and then click Save & Close:

Field: Routing cost
Enter: A number from 1 to 10. The default is 1. The Router chooses
connections with lower cost first; for example, the Router chooses a
connection with a cost of 2 over a connection with a cost of 3.

7. The change takes effect after the next Router configuration update.
To put the new setting into effect immediately, reload the routing
configuration.
For information on how to reload the routing configuration, see the
chapter “Setting Up Mail Routing.”
Restricting mail routing based on Domino domains, organizations,
and organizational units
You can use two methods to restrict how mail routes over Notes routing
in your infrastructure.
• Create Adjacent domain documents in the Domino Directory to keep
users from routing mail through your domain to another domain.
For example, if you have a connection from your domain, Acme, to
the Lotus domain and the IBM domain, you might set up an
Adjacent domain document to keep users in the Lotus domain from
routing to the IBM domain through the Acme domain. Using these
restrictions reduces the mail load on your system. Adjacent domain
documents keep users from using your domain as a Notes mail relay.
For more information on Adjacent domain documents, see the
chapter “Setting Up Mail Routing.”
• Specify restrictions in the Configuration Settings document in the
Domino Directory to restrict mail from specified Domino domains.
To restrict Notes mail routing
1. Make sure you already have a Configuration Settings document for
the server(s) to be configured.
2. From the Domino Administrator, click the Configuration tab and
expand the Messaging section.
3. Click Configurations.
4. Select the Configuration document for the mail server or servers you
want to administer, and click Edit Configuration.
5. Click the Router/SMTP - Restrictions and Controls - Restrictions tab.
6. Complete these fields in the Router Restrictions section, and then
click Save & Close:

Field: Allow mail only from domains
Enter: Domino domains from which the server accepts mail. If you enter
Domino domains in this field, only messages from those domains can enter
your domain over Notes routing. Domino denies mail from all other Domino
domains. For example, if you enter Lotus in the field, Domino accepts
only messages sent from the Lotus domain to your users. Domino denies
messages sent from all other Domino domains.
This restriction does not affect mail in the local Domino domain.

Field: Deny mail from domains
Enter: Domino domains from which the server denies mail. If you enter
Domino domains in this field, all messages except those from the domains
listed in this field can route to your users. For example, if you enter
Lotus in the field, Domino accepts messages from all Domino domains
except the Lotus domain. Domino denies messages from the Lotus domain.
This restriction does not affect mail in the local Domino domain.

Field: Allow mail only from the following organizations and
organizational units
Enter: Organizations and/or organizational units from which the server
accepts mail. If you enter organizations and/or organizational units in
this field, only messages from users in those organizations and/or
organizational units can enter your domain over Notes routing. Domino
denies mail from all other organizations and/or organizational units.
For example, if you enter */East/Lotus in the field, Domino accepts only
messages from the /East/Lotus organizational unit to your users. Domino
denies messages from organizations and/or organizational units other
than */East/Lotus.

Field: Deny mail only from the following organizations and
organizational units
Enter: Organizations and/or organizational units from which the server
does not accept mail. If you enter organizations or organizational units
in this field, all messages except those from users in the organizations
and/or organizational units in this field can enter your domain over
Notes routing. Domino denies mail only from organizations and/or
organizational units in this field. For example, if you enter
*/West/Lotus in the field, Domino accepts messages from all
organizations and organizational units except /West/Lotus. Domino denies
messages from the /West/Lotus organizational unit.

Note If you specify the same entry in an Allow field and a Deny
field so there is a conflict between the two fields, Domino denies
messages for that entry. The Deny setting takes precedence for
security reasons. Avoid placing the same entry in both the Allow and
Deny fields for the same setting.
7. The change takes effect after the next Router configuration update.
To put the new setting into effect immediately, reload the routing
configuration.
For information on how to reload the routing configuration, see the
chapter “Setting Up Mail Routing.”
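The Router Restrictions fields above, evaluated for a message arriving over Notes routing, as an added example that is not part of the Domino documentation or product code. The data class, the function and the sample names are my own; I also assume that an entry such as */East/Lotus matches every hierarchical name whose trailing components are /East/Lotus, and that the local-domain exemption the table states for the domain fields applies to the organization fields as well.

```python
"""Allow/Deny evaluation for Notes routing restrictions, with Deny taking
precedence over Allow as the Note above states. Added illustration; the
class, function and matching rules are invented stand-ins, not a Domino API."""
from dataclasses import dataclass, field
from typing import List


@dataclass
class RouterRestrictions:
    """The four Router Restrictions fields of a Configuration Settings document."""
    allow_mail_only_from_domains: List[str] = field(default_factory=list)
    deny_mail_from_domains: List[str] = field(default_factory=list)
    allow_mail_only_from_orgs: List[str] = field(default_factory=list)
    deny_mail_only_from_orgs: List[str] = field(default_factory=list)


def _in_domain_list(domain: str, entries: List[str]) -> bool:
    """Case-insensitive membership test for a Domino domain name."""
    return any(domain.lower() == entry.lower() for entry in entries)


def _in_org_list(sender: str, entries: List[str]) -> bool:
    """True if the sender's hierarchical name falls under any entry.
    Assumption: */East/Lotus matches every name whose trailing components
    are /East/Lotus, for example Jane Doe/East/Lotus or Bob/Boston/East/Lotus."""
    parts = [p.strip().lower() for p in sender.split("/")]
    for entry in entries:
        suffix = [p.strip().lower() for p in entry.split("/") if p.strip() != "*"]
        if not suffix:
            continue  # a bare "*" is not a meaningful entry here
        # The sender must have at least a common name in front of the suffix.
        if len(suffix) < len(parts) and parts[-len(suffix):] == suffix:
            return True
    return False


def notes_routing_accepts(sender: str, sender_domain: str,
                          local_domain: str, r: RouterRestrictions) -> bool:
    """Decide whether a message from sender (in sender_domain) may enter
    local_domain over Notes routing. Each Deny field is checked before the
    matching Allow field, so an entry listed in both is denied."""
    # Mail that originates in the local Domino domain is not affected.
    if sender_domain.lower() == local_domain.lower():
        return True
    # Domain restrictions: Deny wins over Allow.
    if _in_domain_list(sender_domain, r.deny_mail_from_domains):
        return False
    if r.allow_mail_only_from_domains and not _in_domain_list(
            sender_domain, r.allow_mail_only_from_domains):
        return False
    # Organization / organizational unit restrictions: same precedence.
    if _in_org_list(sender, r.deny_mail_only_from_orgs):
        return False
    if r.allow_mail_only_from_orgs and not _in_org_list(
            sender, r.allow_mail_only_from_orgs):
        return False
    return True


if __name__ == "__main__":
    # Constructed sample: the Acme domain accepts only the Lotus domain, and
    # within it only the /East/Lotus unit, explicitly denying /West/Lotus.
    restrictions = RouterRestrictions(
        allow_mail_only_from_domains=["Lotus"],
        allow_mail_only_from_orgs=["*/East/Lotus"],
        deny_mail_only_from_orgs=["*/West/Lotus"],
    )
    for name, domain in [("Jane Doe/East/Lotus", "Lotus"),
                         ("Bob Smith/West/Lotus", "Lotus"),
                         ("Jane Doe/East/Lotus", "IBM"),
                         ("Pat Jones/Acme", "Acme")]:
        verdict = notes_routing_accepts(name, domain, "Acme", restrictions)
        print(f"{name} from {domain}: {'accepted' if verdict else 'denied'}")
```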
Customizing SMTP Routing
If you enabled SMTP routing, you can customize it by:
• Stopping and starting the SMTP service
• Changing the inbound and outbound SMTP port settings
• Restricting inbound SMTP routing
• Restricting outbound SMTP routing
• Specifying inbound and outbound MIME settings
Stopping and starting the Domino SMTP service
The Domino SMTP service, or SMTP Server task, runs the SMTP listener,
which checks for incoming SMTP connections and messages. SMTP
messages can originate from any Internet host or another Domino Server
in your domain. For Domino to receive inbound SMTP mail, the SMTP
listener must be running on the server.
The SMTP service does not control SMTP routing. SMTP routing is
handled by the server’s Router task.
If the SMTP listener task is enabled on the Basics tab of the Server
document, the SMTP service starts automatically when you start the
server. You can stop and start the SMTP service manually from the
Domino Administrator client or the server console. The following table
shows how to restart, stop, and start the SMTP service using both
methods.

Task: Restart the SMTP service
From the Domino Administrator:
1. Click the Server - Status tab and select the Server Tasks view.
2. Select SMTP Server from the list of tasks.
3. Click Tools - Task - Restart, and then click Yes.
From the server console: Enter: Restart Task SMTP

Task: Stop the SMTP service
From the Domino Administrator:
1. Click the Server - Status tab and select the Server Tasks view.
2. Select SMTP Server from the list of tasks.
3. Click Tools - Task - Stop, and then click Yes.
From the server console: Enter: Tell SMTP quit

Task: Start the SMTP service
From the Domino Administrator:
1. Click the Server - Status tab and select the Server Tasks view.
2. Click Tools - Task - Start.
3. From the list of server tasks, select SMTP Server.
4. Click Start Task.
5. Click Done to close the Start New Task dialog box.
From the server console: Enter: Load SMTP

Note The SMTP Server task is represented in the server task list by
three related subtasks. The status of all three tasks changes when you
change the status of any one of them.
As an alternative to restarting the SMTP service to incorporate
configuration updates, you can use a console command to refresh SMTP
service parameters.
For information on using a console command to refresh the SMTP
configuration, see the chapter “Setting Up Mail Routing.”
Changing SMTP port settings
You can modify inbound and outbound SMTP port settings.
• Inbound SMTP port settings determine how the Domino SMTP
listener receives SMTP connections from other servers. For inbound
connections, you can specify the port numbers, port status, and
authentication methods required for both TCP/IP and SSL ports.
For more information, refer to the topic “Changing the inbound
SMTP port settings” later in this chapter.
• Outbound SMTP settings determine how Domino makes SMTP
connections to other servers. For outbound connections, you can
change the default port numbers and status of the TCP/IP and SSL
ports.
For more information, refer to the topic “Changing the outbound
SMTP port settings” later in this chapter.
Configuring SMTP authentication options on servers that use
Internet Site documents
On servers that use Internet Site documents, the SMTP service obtains
inbound port authentication settings from the Security tab of the SMTP
Site document, rather than from the Server document. As a result, when
Internet Site documents are used, the TCP/IP and SSL port
authentication settings described in the procedures that follow are not
available in the Server document. Settings in the Server document
continue to provide the inbound SMTP port number and status and
determine whether the Domino server allows incoming connections from
the authenticated user.
To determine whether the use of Internet Site documents is enabled for a
server, check the value of the following field on the Basics tab of the
Server document: “Load Internet configurations from Server\Internet
Sites documents.” If this field is set to “Enabled,” the server uses Internet
Site documents to configure all of its Internet protocols (SMTP, POP3,
IMAP, and so forth).
If the server uses Internet Site documents, and an Inbound SMTP Site
document is not present in the Domino Directory, or the authentication
options in a configured Inbound SMTP Site document are set to No, the
SMTP service rejects incoming connections. In each case, connecting
hosts receive the following error when attempting to authenticate with
the SMTP service:
This site is not enabled on the server.
For information on creating and using Internet Site documents, see the
chapter “Installing and Setting Up Domino Servers.”
Ensuring that SMTP clients can connect to a nonstandard port
Because remote SMTP clients attempt to connect to port 25 by default, if
you specify a different port number, be sure to configure connecting
clients to use the new port; otherwise, inbound SMTP connections fail.
This can cause routing problems, especially if the server with the
nonstandard SMTP port acts as a relay host for outbound Internet mail.
To configure your other Domino servers to transfer outbound SMTP mail
to a nonstandard SMTP port, change the Outbound SMTP setting on the
Port - Internet Ports - Mail tab of the Server document.
For example, if a server must initiate an SMTP session with a receiving
server on which the SMTP task is listening on port 26, set the SMTP
Outbound port to 26 on the Server document of the initiating server.
Configuring SMTP port security
To prevent unauthorized access to the SMTP Listener and to protect
SMTP sessions from eavesdropping, you can require users and servers to
provide name and password credentials to authenticate with the server,
and you can enable the use of SSL to encrypt both inbound and
outbound SMTP sessions.
On servers that support SSL, you can encrypt SMTP mail sessions by
having the server send and receive mail over the SSL port (port 465 by
default). Domino also supports negotiated SSL for both inbound and
outbound sessions, which allows for encryption over the TCP/IP port
between servers that support the STARTTLS command.
For information on the STARTTLS command, see the topic “Securing
SMTP sessions using the STARTTLS command” later in this chapter.
You can restrict access to the SMTP listener so that only users who are
allowed to access the server can connect to the server’s inbound SMTP
port. For more information on securing the SMTP port, refer to the topic
“Changing the inbound SMTP port settings” later in this chapter. For
more information on restricting server access, see the chapter
“Controlling Access to Domino Servers.”
Changing the inbound SMTP port settings
Inbound port settings affect how other SMTP hosts connect to Domino.
For inbound connections, you can specify TCP/IP port settings and SSL
port settings. For both ports you can define port numbers, port status,
and the supported authentication methods.
Configuring SMTP authentication options on servers that use
Internet Site documents
On servers that use Internet Site documents, the SMTP service obtains
port authentication settings from the Security tab of the SMTP Inbound
Site document, rather than from the Server document. As a result, when
Internet Site documents are used, you cannot use the Server document to
configure TCP/IP and SSL authentication settings for the SMTP port.
28-60 Administering the Domino System, Volume 1
Settings in the Server document still provide the port numbers and status
for the SMTP TCP/IP and SSL ports, and enable the SMTP ports to honor
server access restrictions.
To determine whether the use of Internet Site documents is enabled for a
server, check the value of the following field on the Basics tab of the
Server document: “Load Internet configurations from Server\Internet
Sites documents.” If this field is set to “Enabled,” the server uses Internet
Site documents to configure all of its Internet protocols (SMTP, IMAP,
POP3, and so forth).
If the server uses Internet Site documents, then you must use Site
documents to configure all Internet protocols on the server. If an SMTP
Site document is not present in the Domino Directory, or the
authentication options in a configured SMTP Site document are set to
No, users cannot connect to the SMTP service. In each case, SMTP clients
receive the following error when attempting to connect to the SMTP
service:
This site is not enabled on the server.
For information on creating and using Internet Site documents, see the
chapter “Installing and Setting Up Domino Servers.”
Changing the default port number
By default, after you enable the SMTP task, it “listens” for client
connections on TCP/IP port 25 on the Domino server. The default SMTP
SSL port is port 465. In some cases — for example, on partitioned servers
— you might need to specify a port number other than the default to
avoid conflicts. You might also change the default port to a nonstandard
port number to “hide” it from clients attempting to connect to the default
port or if another application uses the default port on the server.
Disabling the SMTP inbound TCP/IP port or SSL port prevents other
servers from accessing the SMTP Listener on that port.
Note On servers with multiple TCP/IP ports, by default, the SMTP
service uses the port listed first in the NOTES.INI file as the preferred
path. You can configure the service to use a different port.
For information on configuring the SMTP service on a server with
multiple TCP/IP ports to use a specific TCP/IP port, see the chapter
“Setting Up the Domino Network.”
Changing the default SMTP greeting
You can modify the default reply that the SMTP service sends in
response to a connecting host. By default, the Domino SMTP server
reveals its host name and software version to connecting clients. For
security reasons, you can change the default greeting so that the server
does not disclose essential information. Use the variable SMTPGreeting
in the NOTES.INI file to customize the SMTP service greeting.
To change inbound SMTP TCP/IP port settings
1. From the Domino Administrator, click the Configuration tab and
then open the Server document for the server that runs the SMTP
service.
2. Click the Ports - Internet Ports - Mail tab.
3. In the Mail (SMTP Inbound) column, complete these fields, and then
click Save & Close:

Field: TCP/IP port number
Enter: Choose 25 (default) to use the industry standard port for SMTP
connections over TCP/IP. You can specify a different port, but 25 works
in most situations. When specifying a nonstandard port, make sure the
port is not reserved for another service. Port numbers can be any
number from 1 to 65535.

Field: TCP/IP port status
Enter: Choose one:
• Enabled (default): SMTP clients can connect to the Domino SMTP service
using the designated TCP/IP port. Depending on the authentication
options you choose, users may have to supply a user name and Internet
password to connect.
• Disabled: SMTP clients cannot connect to the Domino SMTP service using
the TCP/IP port.

Field: Enforce server access settings
Enter: Choose one:
• Yes: Access to the SMTP listener is controlled by the server access
settings on the Security tab of the Server document. Users and servers
that are not allowed to access the server cannot send mail to the SMTP
port. For this option to be effective you must enable authentication
for the port.
• No (default): The SMTP listener ignores the server access settings in
the Server document. Users and servers can send mail to the SMTP port,
even if they are denied other access to the server.

Field: Authentication options: Name & password
Enter: Choose one:
• Yes: Sets the ESMTP AUTH extension for the TCP/IP port. Domino
advertises AUTH=LOGIN to connecting SMTP clients. Clients must supply a
user name and Internet password to connect to the SMTP service over the
TCP/IP port and transfer mail. Remote SMTP servers that do not support
the AUTH extension cannot connect to the SMTP service over this port.
When Name and password authentication is enabled, you can specify
whether authenticated POP3 and IMAP users sending mail to the SMTP port
are subject to anti-relay enforcement.
• No (default): Domino does not support Name-and-password
authentication over the TCP/IP port. If you choose No, you must enable
Anonymous connections to allow SMTP connections to this port.
On servers supporting negotiated SSL on the inbound TCP/IP port
(STARTTLS), the setting in the SSL Name & password field, not the
setting in the TCP/IP Name & password field, determines whether the
server accepts SMTP AUTH commands for SSL-over-TCP/IP sessions. For
information about enabling support for STARTTLS, see the topic
“Supporting inbound SMTP extensions” later in this chapter.

Field: Authentication options: Anonymous
Enter: If the TCP/IP port status is set to Enabled, choose one:
• Yes (default): The SMTP service allows clients and servers to connect
to the TCP/IP port anonymously to transfer mail. If both Name and
password and Anonymous authentication are enabled (set to Yes), the
port allows connections from SMTP hosts that supply a name and password
as well as those that connect anonymously.
• No: The SMTP service does not allow anonymous connections over the
TCP/IP port. SMTP hosts can connect to the TCP/IP port only if Name &
password authentication for the port is set to Yes, and the connecting
host must send the SMTP AUTH command.

Note If you enable the TCP port, at least one authentication option
must be set to Yes to save the document.
Note To support inbound SMTP connections, the server must have
at least one SMTP port enabled and be running the SMTP task.
4. Restart the SMTP task to put the new settings into effect.
As an alternative to restarting the SMTP service to incorporate
configuration updates, you can use a console command to refresh
SMTP service parameters.
For information on using a console command to refresh the SMTP
configuration, see the chapter “Setting Up Mail Routing.”
If you change the default SMTP port, inbound SMTP connections fail if
the connecting host is not configured to use the new port. See the topic
“Ensuring that SMTP clients can connect to a nonstandard port” earlier
in this chapter for information about configuring Domino servers to
connect to nonstandard SMTP ports.
To change inbound SMTP SSL port settings
1. Familiarize yourself with the Domino security model.
2. To secure SMTP sessions using SSL, set up SSL on the Domino
server.
3. From the Domino Administrator, click the Configuration tab and
then open the Server document for the server that runs the SMTP
service.
4. Click the Ports - Internet Ports - Mail tab.
5. In the Mail (SMTP Inbound) column, complete these fields, and then
click Save & Close:

Field: SSL port number
Enter: Choose 465 (default) to use the industry standard port for SMTP
connections over SSL. You can specify a different port, but 465 works
in most situations. When specifying a nonstandard port, make sure the
port is not reserved for another service. Port numbers can be any
number from 1 to 65535.

Field: SSL port status
Enter: Choose one:
• Enabled: SMTP clients can connect to the Domino SMTP service using the
designated SSL port.
• Disabled (default): SMTP clients cannot connect to the Domino SMTP
service using the designated SSL port.

Field: Authentication options: Name & password
Enter: Choose one:
• Yes: Enables the SSL port to support the SMTP AUTH command. POP3 and
IMAP clients, and remote SMTP servers that send AUTH, must supply a
name and password to connect to the SMTP service over the SSL port and
transfer mail. To allow remote SMTP servers that do not send the SMTP
AUTH command to connect to the SMTP service over this port, set
Anonymous authentication to Yes.
• No (default): Domino does not support name and password
authentication for hosts connecting to the SMTP service over the SSL
port. If a connecting host sends AUTH, Domino rejects the command and
returns an error indicating that the command is not implemented. If you
choose No, you must set Anonymous authentication to Yes to allow SMTP
connections to this port.
On servers supporting negotiated SSL on the inbound TCP/IP port
(STARTTLS), the setting in the SSL Name & password field, not the
setting in the TCP/IP Name & password field, determines whether the
server accepts SMTP AUTH commands for SSL-over-TCP/IP sessions.

Field: Authentication options: Anonymous
Enter: If the “SSL port status” field is set to Enabled, choose one:
• Yes (default): The SMTP service allows clients and servers to connect
to the SSL port anonymously to transfer mail. If Anonymous is set to
Yes and Name and password authentication is also set to Yes, IMAP and
POP3 clients are prompted to supply a name and password when connecting
to this port, but servers can connect anonymously.
• No: The SMTP service does not allow anonymous connections over the
SSL port. IMAP and POP3 clients, and servers that send the SMTP AUTH
command, may connect to the SSL port if you set Name and password
authentication for the port to Yes.

6. Restart the SMTP task to put the new settings into effect.
As an alternative to restarting the SMTP service to incorporate
configuration updates, you can use a console command to refresh
SMTP service parameters.
For information on using a console command to refresh the SMTP
configuration, see the chapter “Setting Up Mail Routing.”
If you change the default SSL port, inbound SMTP SSL connections fail
unless the connecting host is configured to use the new port.
For information about configuring Domino servers to connect to
nonstandard SMTP ports, see the topic “Ensuring that SMTP clients can
connect to a nonstandard port” earlier in this chapter.
For information about enabling support for STARTTLS, see the topic
“Securing SMTP sessions using the STARTTLS command” later in this
chapter.
Changing outbound SMTP port settings
Outbound SMTP port settings affect how Domino connects to other
SMTP servers. Change the default port numbers and the status of the
TCP/IP and SSL ports to match the settings on servers to which this
server sends SMTP mail.
The outbound port settings apply to all outbound SMTP sessions. If you
change an outbound port number to a nonstandard value, the server
cannot establish SMTP connections with servers that listen for SMTP
requests on the standard port. Similarly, if you set up the server to send
SMTP over SSL only, disabling the outbound SMTP TCP/IP port, the
server cannot establish SMTP connections with a remote server that
accepts SMTP connections over the TCP/IP port only.
To change outbound SMTP port settings
1. From the Domino Administrator, click the Configuration tab and
then open the Server document for the server that runs the SMTP
service.
2. Click the Ports - Internet Ports - Mail tab.
3. In the Mail (SMTP Outbound) column, complete these fields, and
then click Save & Close:

Field: TCP/IP port number
Enter: The number of the TCP/IP port on the remote server to which
Domino attempts to connect when initiating an SMTP session. The default
and industry standard port for SMTP connections over TCP/IP is 25.
Specify a nonstandard port only if this Domino server makes all of its
outbound SMTP connections over TCP/IP to a server that uses the
nonstandard port.

Field: TCP/IP port status
Enter: Choose one:
• Enabled: The Domino SMTP Router connects to the designated TCP/IP
port number on a remote server to initiate an SMTP session. If the SSL
port status is also set to Enabled, the Router attempts to use the SSL
port first and uses the TCP/IP port only if it cannot connect to the
SSL port.
• Disabled (default): The Domino SMTP Router cannot initiate an SMTP
session using the TCP/IP port on a remote server.
• Negotiated SSL: The Domino SMTP Router connects to the designated
TCP/IP port on a remote server to initiate an SMTP session. If the
remote server advertises STARTTLS during the EHLO greeting, Domino
issues a STARTTLS command to request that the remainder of the session
be encrypted using SSL. If the remote server does not support STARTTLS,
an unencrypted TCP/IP session ensues.

Field: SSL port number
Enter: The number of the SSL port on the remote server to which Domino
attempts to connect when initiating an SMTP session. The default and
industry standard port for SMTP connections over SSL is 465. Specify a
nonstandard port only if this Domino server makes all of its outbound
SMTP connections over SSL to a server that uses the nonstandard port.

Field: SSL port status
Enter: Choose one:
• Enabled: The Domino SMTP Router connects to the designated SSL port
number on a remote server to initiate an SMTP session. If the Router
cannot connect to the SSL port and the TCP/IP port is also enabled on
both the Domino server and the remote server, Domino makes a second
attempt to connect, using the designated TCP/IP port.
• Disabled (default): The Domino SMTP Router cannot initiate SMTP
sessions over the SSL port of a remote server.

Securing SMTP sessions using the STARTTLS extension
SMTP sessions conducted over a standard TCP/IP channel are
vulnerable to eavesdropping because the unencrypted (cleartext)
transmission can be easily intercepted. To protect SMTP communications,
servers can use transport-layer security (TLS), more commonly known as
SSL encryption, to provide privacy and authentication.
Some servers support SSL for SMTP communications by sending and
receiving SMTP traffic through the SSL port (port 465 by default) only.
However, because this requires that both the sending and receiving
servers support SMTP over SSL, this solution isn’t always practical.
To provide SSL security for SMTP transfers over TCP/IP, Domino
supports the use of negotiated SSL. In a negotiated SSL scheme, the
sending and receiving hosts each use the SMTP STARTTLS extension,
defined in RFC 2487, to signal their readiness to negotiate an SSL
connection. The receiving server displays the STARTTLS keyword in
response to the sending server’s EHLO command. The sending server
issues the STARTTLS command to request the creation of a secure
connection. After the initial TLS handshake completes successfully, the
two parties proceed to set up an SSL channel between them. Both the
sending and receiving server must possess SSL certificates.
For more information on obtaining server certificates, see the chapter
“Setting Up SSL on a Domino Server.”
Supporting STARTTLS for outbound SMTP sessions
A Domino server configured to use negotiated SSL for outbound mail
connects to the receiving server’s SMTP TCP/IP port (port 25 by default).
If the initial SMTP response from the receiving server indicates that it
supports the STARTTLS extension, Domino issues the STARTTLS
command to request the use of SSL to encrypt the rest of the session.
If the receiving server did not advertise support for STARTTLS in
response to the Domino server’s EHLO command, the sending Domino
server continues with an unencrypted SMTP TCP/IP session.
To enable outbound STARTTLS support, set the SMTP outbound TCP/IP
port status to: Negotiated SSL.
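The outbound port-selection rules in the table above and the STARTTLS negotiation just described, as an added example that is not Domino code: the Router's choice between the SSL port, a STARTTLS session and plain TCP/IP is reproduced from the field descriptions, the remote server's open ports and EHLO reply are constructed inline, and no network connection is made.

```python
from dataclasses import dataclass
from typing import List


@dataclass
class OutboundPorts:
    """Values of the Mail (SMTP Outbound) column of the Server document."""
    tcpip_port_number: int = 25
    tcpip_port_status: str = "Disabled"   # "Enabled", "Disabled" or "Negotiated SSL"
    ssl_port_number: int = 465
    ssl_port_status: str = "Disabled"     # "Enabled" or "Disabled"


@dataclass
class RemoteServer:
    """Constructed stand-in for the receiving host; no network I/O happens."""
    open_ports: List[int]
    ehlo_response: List[str]   # reply lines the host sends to EHLO


def advertises_starttls(ehlo_lines: List[str]) -> bool:
    """True if STARTTLS is listed as an ESMTP keyword in the EHLO reply
    (RFC 2487). Reply lines look like "250-KEYWORD" or, last, "250 KEYWORD"."""
    for line in ehlo_lines:
        if len(line) < 4 or not line.startswith("250"):
            continue
        keyword = line[4:].split(" ", 1)[0].upper()
        if keyword == "STARTTLS":
            return True
    return False


def choose_session(cfg: OutboundPorts, remote: RemoteServer) -> str:
    """How the Router would reach `remote`: 'ssl-port', 'starttls',
    'plaintext' or 'no-connection'.

    Order follows the field descriptions: an Enabled SSL port is tried first;
    the TCP/IP port is used only if the SSL port fails and TCP/IP is not
    Disabled; with 'Negotiated SSL' STARTTLS is issued only when the remote
    advertises it, otherwise the session continues unencrypted."""
    if cfg.ssl_port_status == "Enabled" and cfg.ssl_port_number in remote.open_ports:
        return "ssl-port"
    if cfg.tcpip_port_status == "Disabled":
        return "no-connection"
    if cfg.tcpip_port_number not in remote.open_ports:
        return "no-connection"
    if cfg.tcpip_port_status == "Negotiated SSL":
        if advertises_starttls(remote.ehlo_response):
            return "starttls"            # STARTTLS sent; rest of session encrypted
        return "plaintext"               # remote lacks STARTTLS: unencrypted session
    return "plaintext"                   # "Enabled": ordinary SMTP over TCP/IP


if __name__ == "__main__":
    # Constructed remote that listens on port 25 only and offers STARTTLS.
    remote = RemoteServer(
        open_ports=[25],
        ehlo_response=["250-mx.example.test Hello", "250-SIZE 10485760",
                       "250-STARTTLS", "250 8BITMIME"],
    )
    for status in ("Enabled", "Disabled", "Negotiated SSL"):
        cfg = OutboundPorts(tcpip_port_status=status, ssl_port_status="Enabled")
        print(f"TCP/IP={status!r:17} SSL=Enabled -> {choose_session(cfg, remote)}")
```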
Supporting STARTTLS for inbound SMTP sessions
You can configure Domino to support the STARTTLS command for
inbound SMTP transactions. When a Domino SMTP server is set to use
negotiated SSL for inbound sessions, the server advertises support for
STARTTLS in response to EHLO commands the TCP/IP port receives
from connecting hosts. A connecting host can then issue the STARTTLS
command to request an encrypted session.
If Domino is configured to require STARTTLS for SMTP sessions over
TCP/IP and a connecting host cannot meet this demand, no mail is sent
over the connection.
To enable inbound STARTTLS support:
• Enable the SMTP listener task.
• Enable the SMTP inbound TCP/IP port.
• Enable the STARTTLS ESMTP extension. This causes Domino to advertise
STARTTLS as one of its supported extensions in the ESMTP EHLO greeting
response.
• (Optional) Enable name-and-password authentication for the SSL port.
Although SMTP sessions that use negotiated SSL are conducted over the
Domino TCP/IP port, Domino uses the authentication options you set for
the server’s SSL port to determine how to handle name-and-password
arguments.
For information about enabling the ESMTP extension for inbound
STARTTLS, see the topic “Supporting inbound SMTP extensions” later in
this chapter.
Requiring name and password authentication for SMTP STARTTLS
sessions
Enabling ESMTP support for negotiated SSL allows a server to accept
requests to use SSL over TCP/IP from remote servers that connect
anonymously. However, not all inbound connections are anonymous. A
connecting SMTP server may be configured to send Domino a name and
password by means of the ESMTP AUTH command.
To support connections from SMTP clients that send a name and
password during a negotiated SSL session, set the value of the Name &
password field for the SMTP inbound SSL port to Yes. You do not have
to enable the SSL port. If the SSL port does not support
name-and-password authentication, the Domino SMTP server rejects the
AUTH command from the remote server and returns an error indicating
that the command is not implemented.
Even though Domino receives the AUTH command over the TCP/IP
port, Domino uses the SSL name-and-password authentication settings to
determine whether to accept the AUTH request because it receives the
command in the context of an SSL session. The Name & password
authentication setting for the TCP/IP port is ignored.
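An added example, not Domino code, of the rule above: which port's authentication options govern a session, and what happens to an AUTH command under each combination of settings. The Server document values and the session parameters are constructed, and the outcome labels are the example's own, not Domino's SMTP reply text.

```python
from dataclasses import dataclass


@dataclass
class AuthOptions:
    """The two Authentication options of one inbound port."""
    name_and_password: bool   # "Authentication options: Name & password" = Yes
    anonymous: bool           # "Authentication options: Anonymous" = Yes


@dataclass
class InboundMailPorts:
    """Mail (SMTP Inbound) column of the Server document (constructed)."""
    tcpip_enabled: bool
    tcpip: AuthOptions
    ssl_enabled: bool
    ssl: AuthOptions
    starttls_extension: bool  # STARTTLS advertised in the EHLO reply


def document_can_be_saved(cfg: InboundMailPorts) -> bool:
    """Save rule from the Note above: an enabled TCP/IP port needs at least
    one authentication option set to Yes."""
    if cfg.tcpip_enabled and not (cfg.tcpip.name_and_password or cfg.tcpip.anonymous):
        return False
    return True


def governing_options(cfg: InboundMailPorts, port: str, tls_negotiated: bool) -> AuthOptions:
    """A negotiated SSL session runs over the TCP/IP port, yet Domino applies
    the SSL port's options to it; the TCP/IP Name & password value is ignored."""
    if port == "ssl" or tls_negotiated:
        return cfg.ssl
    return cfg.tcpip


def session_outcome(cfg: InboundMailPorts, port: str, tls_negotiated: bool = False,
                    sends_auth: bool = False, credentials_ok: bool = False) -> str:
    """Outcome for one connecting host on `port` ('tcpip' or 'ssl').

    'authenticated'        AUTH accepted, host may transfer mail
    'auth-not-implemented' AUTH rejected because Name & password is No
    'bad-credentials'      AUTH sent with a wrong name or password
    'anonymous'            no AUTH, anonymous connections allowed
    'auth-required'        no AUTH, but Anonymous is No on the port
    'port-disabled'        the requested port is not enabled
    'starttls-unavailable' TLS requested on TCP/IP, extension not enabled
    """
    if port == "ssl" and not cfg.ssl_enabled:
        return "port-disabled"
    if port == "tcpip" and not cfg.tcpip_enabled:
        return "port-disabled"
    if port == "tcpip" and tls_negotiated and not cfg.starttls_extension:
        return "starttls-unavailable"
    opts = governing_options(cfg, port, tls_negotiated)
    if sends_auth:
        if not opts.name_and_password:
            return "auth-not-implemented"   # "command not implemented" error
        return "authenticated" if credentials_ok else "bad-credentials"
    return "anonymous" if opts.anonymous else "auth-required"


if __name__ == "__main__":
    # SSL port disabled, TCP/IP anonymous only, but SSL Name & password = Yes:
    # AUTH works inside a STARTTLS session and nowhere else.
    cfg = InboundMailPorts(True, AuthOptions(False, True), False,
                           AuthOptions(True, True), True)
    print("plain TCP/IP + AUTH :", session_outcome(cfg, "tcpip", sends_auth=True, credentials_ok=True))
    print("STARTTLS + AUTH     :", session_outcome(cfg, "tcpip", True, True, True))
```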
Restricting SMTP inbound routing
You can set up your Domino system to control, verify, and restrict
inbound mail. Restricting inbound mail routing prevents Domino from
accepting unwanted commercial e-mail (UCE) sent to your users and
consequently reduces the load on your system. You can set these
restrictions:
• Set anti-relay restrictions
• Enable DNS blacklist filters for SMTP connections
• Verify and restrict inbound connections
• Verify and restrict who can send inbound Internet mail to your users
• Restrict who can receive Internet e-mail in your organization
• Set inbound SMTP extensions
In addition, on servers that receive some of their inbound mail over
Notes routing, you can restrict routing based on Domino domains,
organizations, and organizational units.
Error handling of messages rejected by SMTP inbound controls
The inbound SMTP restrictions are enforced by the SMTP Listener before
a message is accepted, rather than by the Router after a message is
already in the system. This difference in where restrictions are enforced
affects how errors are handled when a message is rejected. When a
Router restriction results in a message being rejected, Domino returns a
failure message stating the reason for the failure to the sender.
Domino-generated nondelivery reports contain default text, which you
can customize. For example, when you configure a maximum message
size for a server, Domino checks the size of the message only after it is
received in MAIL.BOX. If the message exceeds the configured size, the
Router generates a failure message to the sender.
However, if you set an SMTP restriction that causes Domino to reject an
inbound message, the SMTP listener returns a permanent error during
the SMTP transfer; the message never enters the server. In this case, it is
the responsibility of the originating SMTP server to generate a failure
message to the sender. For example, if both the receiving Domino SMTP
server and the sending SMTP server support the ESMTP SIZE extension,
and the Domino server is configured to honor a maximum message size,
when the Domino SMTP listener receives a message that exceeds the
defined limit, it rejects the message before it is ever received and returns
a permanent error to the sending server. You cannot use Domino
administrative tools to customize the server’s SMTP response.
Using Extension Manager to customize the server's SMTP response
You can control the content of SMTP responses using SMTP logical
function hooks available in the Extension Manager services of the IBM
Lotus C API Toolkit for Notes/Domino 6. For additional information,
and to download the toolkit, see the web site at
http://www.lotus.com/capi.
How Domino uses reverse DNS lookups to control inbound SMTP
sessions
Domino’s inbound relay controls, DNS blacklist filters, and inbound
connection controls allow or deny mail based on where messages
originate. For these controls to work, Domino must be able to identify the
connecting host’s IP address, host name, and Internet domain.
Domino obtains this information from two sources: the IP stack and the
Domain Name Service (DNS). When a host originates a connection to the
Domino SMTP service, the connecting host passes its IP address to the IP
stack of the computer running the Domino server. The SMTP service
reads the IP address directly from this source.
For Domino to obtain host name and domain information, it must have
access to the Domain Name Service (DNS) and be able to locate a PTR
record for the connecting host. A PTR record resolves an IP address to a
host name.
To request a PTR record, the Domino SMTP listener performs a reverse
lookup to the DNS. From the host name returned by this query, Domino
parses out the domain name of the connecting host, comparing this
domain name to the list of local Internet domains in the Global domain
document. Hosts from domains listed in the Local primary Internet
domain or Alternate Internet domain aliases fields of the Global Domain
document are considered to be part of the local Internet domain; all
others are treated as external hosts.
Restricting inbound SMTP connections
To prevent your mail system from accepting unwanted mail, Domino
provides a set of controls that let you restrict incoming SMTP
connections. The Inbound Connection controls let you specify:
• Whether Domino checks the names of connecting hosts in DNS
• By host name or IP address, the remote hosts from which the server
allows and denies connections
To determine whether a connection attempt is allowed or denied, the
Domino SMTP task first checks the remote host’s IP address, which the
server’s TCP/IP stack reads from the incoming IP packet headers. If the
IP address does not match any entry in the Inbound Connection control
fields, the SMTP task performs a second check, querying DNS to obtain
the host name for the given address. If the query is successful, Domino
compares the name obtained against the host names in Allow and Deny
fields.
If you create a separate Configuration Settings document for your
internal SMTP servers, you can use the inbound connection controls to
ensure that these internal servers accept SMTP connections from specific
SMTP hosts only. For example, configure servers to allow SMTP
connections only from servers that receive mail from the Internet.
Restricting connections in this way prevents users with POP3 or IMAP
clients from sending mail through the server, helps you define valid
outbound routing paths, and limits the load on the server.
In addition to these inbound connection controls, Domino provides two
other means for blocking connections: DNS blacklist filters and access to
the SMTP Listener through Domino Extension Manager (EM) services.
DNS blacklist filters enable a server to check a host against one or more
blacklists during the SMTP conversation. If a connecting host matches an
entry in a blacklist, you can configure the server to reject the connection,
tag any received messages, or record the transaction in the Notes Log.
For more information on DNS blacklist filters, see the topic “Enabling
DNS blacklist filters for SMTP connections” later in this chapter.
Extension Manager (EM) services allow developers to access some
functions of the SMTP Listener task. The Extension Manager (EM) allows
an executable program library, such as a dynamic link library or shared
object library, to register a callback routine that will be called before,
after, or before and after Domino performs selected internal operations.
Using EM hooks in the SMTP Listener can extend current functionality
by providing:
• Additional anti-spam controls
• Custom address translation
• Custom SMTP responses
• Interception of messages
The Domino C API header file EXTMGR.H, included in the Software
Development Kit, defines symbols for the supported Extension Manager
notification events and types. For additional information on the
Extension Manager and registering callback routines, see the Lotus C API
Toolkit for Notes/Domino 6. The toolkit is available at
http://www.lotus.com/capi.
To restrict inbound SMTP connections
1. Make sure you already have a Configuration Settings document for
the server(s) to be configured.
2. From the Domino Administrator, click the Configuration tab and
expand the Messaging section.
3. Click Configurations.
4. Select the Configuration Settings document for the mail server or
servers you want to restrict mail on, and click Edit Configuration.
5. Click the Router/SMTP - Restrictions and Controls - SMTP Inbound
Controls tab.
6. Complete these fields in the Inbound Connection Controls section
and then click Save & Close:

Field: Verify connecting host name in DNS
Enter: Choose one:
• Enabled: Domino verifies the name of the connecting host by
performing a reverse DNS lookup. Domino checks DNS for a PTR record
that matches the IP address of the connecting host to a host name. If
Domino cannot determine the name of the remote host because DNS is not
available or no PTR record exists, it does not allow the host to
transfer mail. Although Domino accepts the initial connection, later in
the SMTP transaction it returns an error to the connecting host in
response to the MAIL FROM command. Internet SMTP hosts are not required
to have PTR entries in DNS. As a result, when this field is enabled,
the SMTP task may reject connections from valid SMTP hosts.
• Disabled (default): Domino does not check DNS to verify the name of
the connecting host.

Field: Allow connections only from the following SMTP Internet host
names/IP addresses
Enter: The host names and/or IP addresses allowed to connect to the
SMTP service on this server. If you enter host names and/or IP
addresses in this field, only servers matching these entries can
connect to the SMTP listener; connection requests from all other
servers are denied. Enter IP addresses in brackets, for example,
[192.168.10.17]. Host name entries may be complete, as in the fully
qualified host name of a particular server, or partial and imply the
existence of a wildcard. That is, if you enter abc.com, Domino accepts
connections only from mail hosts in the domains represented by
*abc.com, that is, all host names ending in abc.com, including
smtp.abc.com and mailhost.abc.com. Domino rejects all other connection
requests. If you specify host name entries, each time a host connects,
Domino checks DNS for a PTR record for the connecting host. If Domino
cannot resolve the IP address to a host name because DNS is unavailable
or no PTR record exists, no mail is accepted from the connection.

Field: Deny connections from the following SMTP Internet host names/IP
addresses
Enter: The host names and/or IP addresses that are not allowed to
connect to the SMTP service on this server. If you enter host names
and/or IP addresses in this field, all servers except those matching
entries in this field can connect to the SMTP listener; connection
requests are denied only for servers matching the entries in this
field. Enter IP addresses in brackets, for example, [192.168.10.17].
Host name entries may be complete, as in the fully qualified host name
of a particular server, or partial and use an implied wildcard. That
is, if you enter abc.com, Domino implicitly extends the restriction to
all mail hosts within the denied domain, denying connections from
*abc.com, that is, all hosts in the abc.com domain, including
smtp.abc.com and mailhost.abc.com. The entry abc.com does not prevent
connections from xyzabc.com. Do not use a leading dot (.) in an entry;
for example, .abc.com. Because Domino does not match the leading dot,
the entry .abc.com does not prevent connections originating from the
domain abc.com.

7. Reload the SMTP task or update the SMTP configuration to put
changes into effect.
Note Be careful not to specify the same entry in an Allow field and a
Deny field because Domino will deny messages for that entry. The Deny
setting takes precedence for security reasons.
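The allow/deny evaluation described above, as an added example that is not Domino code. A constructed PTR table stands in for reverse DNS; host-name entries are matched on a domain boundary, following the Deny-field description (abc.com covers smtp.abc.com but not xyzabc.com), a missing PTR record fails the connection where the text says it does, and a Deny match wins over an Allow match as the Note states. The local-domain classification from the Global Domain document is also shown.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed reverse-DNS table standing in for PTR lookups; None = no PTR.
PTR_TABLE: Dict[str, Optional[str]] = {
    "192.168.10.17": "smtp.abc.com",
    "192.168.10.18": "mailhost.abc.com",
    "192.168.10.19": "mx.xyzabc.com",
    "192.168.10.20": None,
    "10.0.0.5": "relay.partner.example",
}


def reverse_lookup(ip: str) -> Optional[str]:
    """Return the PTR name for `ip`, or None when DNS has no record."""
    return PTR_TABLE.get(ip)


def parse_entries(field_value: str) -> Tuple[set, List[str]]:
    """Split a field value into bracketed IP entries and host-name entries."""
    ips, hosts = set(), []
    for raw in re.split(r"[,;\s]+", field_value.strip()):
        if not raw:
            continue
        m = re.fullmatch(r"\[(.+)\]", raw)
        if m:
            ips.add(m.group(1))
        else:
            hosts.append(raw.lower())
    return ips, hosts


def host_matches(hostname: str, entry: str) -> bool:
    """Implied-wildcard match on a domain boundary: 'abc.com' covers abc.com
    and *.abc.com but not xyzabc.com. Domino does not match a leading dot,
    so an entry such as '.abc.com' matches nothing."""
    hostname = hostname.lower().rstrip(".")
    if entry.startswith("."):
        return False
    return hostname == entry or hostname.endswith("." + entry)


def is_local_internet_domain(hostname: str, global_domain_fields: List[str]) -> bool:
    """Local vs external classification against the Local primary Internet
    domain and Alternate Internet domain aliases fields (constructed list)."""
    return any(host_matches(hostname, d.lower()) for d in global_domain_fields)


def evaluate_connection(ip: str, allow_field: str, deny_field: str,
                        verify_host_name: bool = False) -> Tuple[str, str]:
    """Return ('allow' | 'deny', reason) for a connecting host.

    Checks run in the order the text gives: the IP address (read from the
    packet headers) first, then the host name via reverse DNS. A Deny match
    takes precedence over an Allow match."""
    allow_ips, allow_hosts = parse_entries(allow_field)
    deny_ips, deny_hosts = parse_entries(deny_field)
    if ip in deny_ips:
        return "deny", "IP address listed in Deny field"
    ip_allowed = ip in allow_ips
    # Reverse lookup only when a host-name entry or verification needs it.
    need_name = verify_host_name or (not ip_allowed and (allow_hosts or deny_hosts))
    hostname = reverse_lookup(ip) if need_name else None
    if need_name and hostname is None and (verify_host_name or (allow_hosts and not ip_allowed)):
        # Domino accepts the connection but fails it at MAIL FROM.
        return "deny", "host name unresolved (DNS unavailable or no PTR record)"
    if hostname and any(host_matches(hostname, e) for e in deny_hosts):
        return "deny", f"{hostname} matches a Deny entry"
    if ip_allowed or (hostname and any(host_matches(hostname, e) for e in allow_hosts)):
        return "allow", "matches the Allow field"
    if allow_ips or allow_hosts:
        return "deny", "Allow field is set and nothing matches"
    return "allow", "no restriction applies"


if __name__ == "__main__":
    # Constructed field values: allow the abc.com domain only, deny one host.
    for ip in PTR_TABLE:
        print(ip, PTR_TABLE[ip], evaluate_connection(ip, "abc.com", "[192.168.10.18]"))
```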
Restricting the total number of inbound SMTP sessions
By default, the SMTP service supports an unlimited number of inbound
sessions; that is, as many connections as the server’s resources physically
permit. To restrict the number of concurrent SMTP sessions that a server
accepts, set the variable SMTPMaxSessions=xxx in the server’s
NOTES.INI file, where xxx is the maximum number of sessions allowed
without any buffering. When the specified number of inbound SMTP
connections is reached, the server refuses additional connections and
returns the following error:
421 Server.domain.com SMTP service not available, closing transmission channel
Preventing unauthorized SMTP hosts from using Domino as a relay
To protect SMTP servers from unauthorized relaying, Domino provides
inbound relay controls used to define the hosts to which and from which
a server can relay messages. The Domino SMTP listener denies requests
to relay messages to or from unauthorized hosts.
Setting and enforcing inbound relay controls
To prevent misuse of your system, configure Domino to prevent open
relaying, while allowing relays originating from and destined for known
domains and hosts. By default, a new Domino SMTP server prevents
external hosts from relaying mail to any destination. You can further
customize Domino’s anti-relay controls to specify when relays are and
are not allowed.
The Router/SMTP - Restrictions and Controls - SMTP Inbound Controls
tab of the Configuration Settings document provides two sets of controls
for managing relay access:
• Inbound relay controls
• Inbound relay enforcement
Use the Inbound relay controls to restrict relays by destination and
origin. Use the relay enforcement controls to selectively apply the relay
restrictions based on the originator’s relation to the local Internet domain,
host name, or authentication status.
Open relays
An SMTP server that indiscriminately accepts mail from outside the local
Internet domain and attempts to dispatch it to another external
destination is known variously as a spam relay, third-party relay, or
open relay host (open relay, for short). Leaving a mail server open to use
by anonymous third parties is generally considered irresponsible, largely
because open relays are often the target of Internet mass-mailers who use
them to distribute unsolicited commercial e-mail (UCE), commonly
referred to as electronic junk mail or spam. Spam vendors use open relays
as waypoints between themselves and their target recipients, allowing
them to distribute vast quantities of mail anonymously.
When someone reads a spam message that has been relayed through one
of your SMTP servers, the message appears to originate in your Internet
domain. In other words, your organization seems to be linked with the
spam source.
Not only does relaying spam reflect badly on your organization, but
there are other more serious and costly implications. Relayed mail
consumes network bandwidth and server resources, reducing your
system’s ability to handle legitimate mail. As mail backs up,
administrators and help desk personnel are faced with service
interruptions and the task of sorting out the backlog of undeliverable
messages. Failure to restrict access to an open relay could result in the
server being reported on Internet blacklists. Because SMTP hosts in many
organizations will not accept mail from blacklisted servers, if your
outbound mail server is blacklisted, your organization may be unable to
transfer mail to other Internet domains.
Setting inbound relay controls
To block relays to a specific domain or from a specific host, set
restrictions in the inbound relay controls on the Router/SMTP -
Restrictions and Controls - SMTP Inbound Controls tab of the
Configuration Settings document.
Use the inbound relay controls to define:
• The destination domains to which you allow and deny relays
• The originating hosts from which you allow and deny relays
Note In determining whether to allow a relay, Domino checks the
original sender, not just the last hop domain. This prevents people from
routing from a denied source through an accepted one to your domain.
To set inbound relay controls
1. Make sure you already have a Configuration Settings document for
the server(s) to be configured.
2. From the Domino Administrator, click the Configuration tab and
expand the Messaging section.
3. Click Configurations.
4. Select the Configuration Settings document for the mail server or
servers you want to administer and click Edit Configuration.
5. Click the Router/SMTP - Restrictions and Controls - SMTP Inbound
Controls tab.
6. Complete these fields in the Inbound Relay Controls section, and
then click Save & Close:

Inbound Relay Controls

Field: Allow messages to be sent only to the following external Internet domains
Enter: Internet domains to which Domino can relay messages. Domino relays
messages to recipients in the specified domains only. Messages for recipients
in other external Internet domains are denied.
For example, if you enter abc.com and xyz.com in this field, Domino accepts
only messages to recipients with addresses that end in abc.com or xyz.com.
Messages for recipients in other domains are denied.
To name a domain explicitly, prefix an @ sign to the entry. For example, if you
enter @xyz.com the server relays messages only if the domain part of the
address matches xyz.com exactly, such as User@xyz.com. Messages to addresses
in other domains that end in xyz.com, such as User@uvwxyz.com or
User@abc.xyz.com, are denied.
Prefix a percent sign (%) to specify the name of a Domino domain to which mail
can be sent; for example, enter %AcmeEast to specify that the server can send
mail to the Domino domain AcmeEast.

Field: Deny messages to be sent to the following external Internet domains
Enter: Internet domains to which Domino will not relay messages. An asterisk
(*) in this field prevents Domino from relaying messages to any external
Internet domain. Domino denies only messages destined for recipient addresses
in the specified domains. All other messages may relay.
For example, if you enter abc.com in the field, Domino relays messages to
recipients in all external Internet domains except abc.com. Domino denies
messages for recipients in the abc.com domain.
To name a domain explicitly, prefix an @ sign to the entry. For example, if you
enter @xyz.com, the server rejects messages addressed to users if the domain
part of the address matches xyz.com exactly, such as user@xyz.com, but allows
messages to relay to other domains that end in xyz.com, such as
user@server.xyz.com.
Prefix a percent sign (%) to specify a Domino domain name; for example,
entering %AcmeEast specifies the Domino domain AcmeEast. This lets you prevent
SMTP users from sending mail to certain internal Domino domains or even
foreign domain servers, such as FAX systems.

Field: Allow messages only from the following Internet hosts to be sent to
external Internet domains
Enter: Specifies the hosts or domains that the Domino SMTP service allows to
relay outbound Internet mail. If this field contains valid entries, Domino
allows only servers matching these entries to relay. Message relays from other
servers are denied.
Enter host names or IP addresses to designate the sites that are authorized to
use Domino to relay messages to recipients outside your local Internet domain.
For example, if you enter lotus.com or ibm.com in the field, Domino accepts
messages for recipients in external Internet domains only from servers with
host names that end in lotus.com or ibm.com. Domino rejects messages for
external recipients from any server not listed in this field.

Field: Deny messages from the following Internet hosts to be sent to external
Internet domains
Enter: Specifies the hosts or domains that the Domino SMTP service does not
allow to relay outbound Internet mail. If this field contains valid entries,
Domino denies message relays from servers matching those entries. Domino
allows message relays from all other servers.
Enter host names or IP addresses to designate the sites that cannot use Domino
to relay messages to recipients outside the local Internet domain.
For example, if you enter lotus.com in the field, Domino accepts messages to
recipients in external Internet domains from all servers except those with
host names ending in lotus.com. Domino denies messages to recipients in
external Internet domains from servers in the lotus.com domain.
An asterisk (*) in this field prevents Domino from relaying messages from any
host subject to the relay controls.
7. Reload the SMTP task, or update the SMTP configuration to put the
changes into effect.
• You can use an asterisk (*) to indicate “all domains.” For example,
putting * in an Allow field allows all hosts in all domains to
perform that operation.
• Wildcards may be used in place of an entire subnet address; for
example, [127.*.0.1]. Wildcards are not valid for representing
values in a range — for example, the entry [123.234.45-*.0-255] is
not valid because the asterisk is used to represent the high-end
value of the range that begins with 45.
• When entering multiple addresses, separate them with carriage
returns; after the document is saved, Domino automatically
reformats the list, inserting semicolons between the entries.
• When entering an IP address, enclose it within square brackets; for
example, [127.0.0.1].
How Domino resolves conflicts between settings in the inbound relay controls
When there is a conflict between the allowed and denied relay
destinations, and the allowed/denied relay sources, the entry in the
“Allow” field takes precedence. Thus, a host that you explicitly allow to
relay can always relay to any destination, including denied destinations.
Similarly, if you allow relays to a given domain, all hosts can relay to that
destination, including hosts to which you have explicitly denied relaying.
Denied hosts cannot relay to domains other than those that you
specifically list in the Allow field. The following table provides several
examples of how Domino resolves conflicts between entries in the Allow
and Deny fields of the Inbound relay controls.
Example of conflict between an allowed relay destination and a denied relay source

Field: Allow messages to be sent only to the following external internet domains:
Entry: xyz.com
Results of settings: All hosts can relay to xyz.com, including smtp.efg.com,
which is a denied host.

Field: Deny messages from the following internet hosts to be sent to external
internet domains: (* means all)
Entry: smtp.efg.com
Results of settings: smtp.efg.com cannot relay to any destination, except
xyz.com, which is explicitly allowed.
Example of conflict between a denied relay destination and an allowed relay source

Field: Deny messages to be sent to the following external internet domains:
(* means all)
Entry: qrs.com
Results of settings: No relays are allowed to qrs.com, except relays
originating from relay.abc.com, which is specifically allowed.

Field: Allow messages only from the following internet hosts to be sent to
external internet domains:
Entry: relay.abc.com
Results of settings: Relay.abc.com can relay to any destination, including
qrs.com, which is a denied destination.
Note This differs from the behavior of Domino Release 5, where if you
denied relays to a destination domain, an allowed source host could not
relay to the denied domain, and a denied source could not relay to any
destination. You can revert to the Release 5 behavior by setting the
SMTPRelayAllowHostsandDomains variable in the NOTES.INI file.
For information on the NOTES.INI setting
SMTPRelayAllowHostsandDomains, which is required to make the
inbound relay controls behave as they did in Domino Release 5, see the
appendix “NOTES.INI File.”
Example of conflict between allowed and denied relay destinations
If the same entry is placed in the list of allowed and denied destinations,
or the list of allowed and denied sources, Domino honors the entry in the
Deny list. For example, Domino rejects relays to xyz.com if you configure
the relay controls as follows:

Field: Allow messages to be sent only to the following external internet domains:
Entry: xyz.com, abc.com, qrs.com

Field: Deny messages to be sent to the following external internet domains:
(* means all)
Entry: xyz.com
Specifying enforcement of inbound relay controls
When you first create a Configuration Settings document for a server, by
default, the SMTP inbound relay controls, or anti-relay settings, apply to
all external hosts only, that is, to hosts that are not located in the local
Internet domain. After you set inbound relay controls, you can customize
how Domino applies them by selecting inbound relay enforcement
options.
The available options allow you to specify how strictly to enforce the
relay controls by letting you exempt certain hosts from enforcement. You
can exempt hosts from relay enforcement based on:
• Domain location — By default, Domino enforces relay controls for
hosts outside the local Internet domain only. You can enforce stricter
control by applying them to all connecting hosts or relax enforcement
entirely so Domino does not perform any relay checks (not
recommended).
• Authentication status — By default, Domino applies relay controls to
authenticated SMTP sessions. You can relax enforcement by
exempting all authenticated users from relay checks.
• Host name or IP address — By default, all external hosts are subject
to relay controls. You can specify a list of hosts (by IP address or host
name) to exempt from relay checks.
Applying relay restrictions to internal hosts
By default, Domino enforces anti-relay settings for external hosts only.
Internal hosts are exempt from anti-relay checks so Domino does not
consider an internal host as a possible relay, even if it’s explicitly listed in
the Inbound relay controls’ “Deny messages from the following Internet
hosts to be sent to external Internet domains” field.
Depending on your environment, you may want to extend the scope of
enforcement by applying relay restrictions to both internal and external
hosts. This is equivalent to setting the variable SMTPAllHostsExternal=1
in the NOTES.INI file.
Applying relay enforcement to internal hosts lets you achieve more
secure and controlled routing. For example, you can configure your
Domino SMTP server so that only other Domino mail servers are allowed
to relay. By doing so you can prevent internal users who run other mail
clients (for example, POP or IMAP clients), as well as servers in other
internal mail systems, from using the Domino SMTP server to send mail
to the Internet.
You might also enable relay enforcement for internal hosts if you have a
Domino SMTP server that receives mail from a dual-interface firewall
server. For security purposes, some organizations may not connect their
Domino SMTP servers directly to the Internet, choosing instead to set up
an internal SMTP relay host or firewall to receive Internet mail destined
for the organization’s Internet domain. The relay or firewall then routes
the mail to a Domino SMTP server, which, in turn, transfers it to the
organization’s internal mail servers.
A host in the local Internet domain can always relay to external Internet
domains unless it is explicitly denied by an entry in the field “Deny
messages from the following internet hosts to be sent to external internet
domains.”
If the internal relay or the firewall does not implement its own relay
controls, the Domino SMTP server may then receive mail that is not
destined for a local user. If the Domino server is set up to perform
anti-relay enforcement on external hosts only, then mail received from
the internal relay or firewall is not subject to the Inbound Relay Controls
because the sending system, the relay or the firewall, belongs to the same
local Internet domain. Thus, when the Router determines that the
Internet address listed in the RCPT TO command has no match in the
$Users view in the Domino Directory, it routes the message back out to
the Internet.
Allowing relays from authenticated users connecting from outside
the local domain
By default, if you deny relaying for a domain or set of domains (for
example, all external domains), all hosts in the denied domains are
subject to the relay controls. This level of restriction prevents remote
IMAP or POP3 clients that connect to Domino by way of Internet service
providers (ISPs) in external domains from sending outbound Internet
mail because Domino does not recognize the source of the message as a
valid relay origin.
To ensure that Domino allows POP3 or IMAP users to send outbound
Internet mail, you can customize relay enforcement to allow all
authenticated users to relay. After the Domino SMTP listener determines
that a connecting host has been authenticated, it treats the connection as
though it originated from a local user and exempts it from the Inbound
relay controls.
Specifying enforcement exceptions based on host name or IP
address
By default, after you deny relaying for a domain, all hosts in that domain
are subject to the relay controls. You can customize relay enforcement to
allow specific clients or servers in a domain to relay by entering host
names or IP addresses in the field “Exclude these connecting hosts from
anti-relay checks.” For each specified exception, Domino does not
enforce the inbound relay controls. Use exceptions to allow hosts outside
the local Internet domain to use the Domino SMTP server as a relay to
send and receive their mail from the Internet, while still preventing
Domino from being used as an open relay by unauthorized Internet
hosts.
Note Because many ISPs use the Dynamic Host Configuration Protocol (DHCP)
to assign IP addresses to each connecting user, a user’s IP address may
differ from session to session. As a result, specifying enforcement
exceptions based on host name or IP address is not effective for ensuring
relay access for IMAP and POP3 users who connect to Domino from an
ISP. To ensure relay access for these users, enable enforcement
exceptions for authenticated users.
For more information on relay hosts and Global domain documents, see
the chapter “Setting Up Mail Routing.”
To specify relay enforcement
1. Make sure you already have a Configuration Settings document for
the server(s) to be configured.
2. From the Domino Administrator, click the Configuration tab and
expand the Messaging section.
3. Click Configurations.
4. Select the Configuration Settings document for the mail server or
servers you want to restrict mail on, and click Edit Configuration.
5. Click the Router/SMTP - Restrictions and Controls - SMTP Inbound
Controls tab.
6. Complete these fields in the Inbound Relay Enforcement section, and
then click Save & Close:

Inbound Relay Enforcement

Field: Perform Anti-relay enforcement for these connecting hosts
Description: Specifies the connections for which the server enforces the
inbound relay controls. Choose one:
• External hosts (default) — The server applies the inbound relay controls
only to hosts that connect to it from outside the local Internet domain.
Hosts in the local Internet domain are exempt from anti-relay restrictions.
The local Internet domain is defined by either a Global Domain document, if
one exists, or as the Internet domain of the host server.
• All connecting hosts — The server applies the Inbound relay controls to
all hosts attempting to relay mail to external Internet domains.
• None — The server ignores the settings in the Inbound relay controls. All
hosts can always relay.

Field: Exceptions for authenticated users
Description: Specifies whether users who supply login credentials when
connecting to the server are exempt from enforcement of the inbound relay
controls. Choose one:
• Perform anti-relay checks for authenticated users — The server does not
allow exceptions for authenticated users. Authenticated users are subject to
the same enforcement as non-authenticated users.
• Allow all authenticated users to relay — Users who log in with a valid
name and password are exempt from the applicable inbound relay controls. Use
this to enable relaying by POP3 or IMAP users who connect to the network from
ISP accounts outside the local Internet domain.

Field: Exclude these connecting hosts from anti-relay checks
Description: You create an exceptions list containing the IP addresses or
host names of hosts that relay to any permitted domain. For each specified
exception, the inbound relay controls will not be enforced. Enter the IP
addresses or host names of hosts to be exempted from the restrictions
specified in the Inbound relay controls section.
When entering an IP address, enclose it within square brackets; for example,
[127.0.0.1]. You can use wildcards to represent an entire subnet address, but
not to represent values in a range. For example, [127.*.0.1] is valid;
[123.123.12-*.123] is not.
How inbound anti-relay settings control message transfer to external Internet domains
1. The SMTP listener receives a connection request.
2. The server performs a reverse DNS lookup, querying DNS to find the
host name that matches the connecting host’s IP address. If the
address resolves to a name in one of the local Internet domains, the
host is considered internal. IP addresses that resolve to host names
outside the local Internet domains or that do not have DNS entries
are considered external.
3. The server checks the setting in the field “Perform Anti-Relay
enforcement for these connecting hosts” to determine whether
anti-relay controls are enabled, and if so, whether they apply to all
hosts or external hosts only. If connections from the sending domain
are not subject to inbound relay controls, the server allows relays for
this session.
4. If the relay controls apply, Domino next checks whether the host
name appears in the field “Exclude these connecting hosts from
anti-relay checks.” If the host name is found, the server allows relays
for this session.
5. If the relay controls still apply and the connecting host successfully
authenticated with the server, the server checks the field “Exceptions
for authenticated users” to determine whether authenticated users
are exempt from the inbound relay checks. If authenticated users are
exempt, the server allows relays for this session.
Note A connecting host provides authentication credentials only
when Domino requests them. Because Domino closes the session if
authentication is not successful, there is no case where Domino needs
to determine whether a host that could not authenticate might be
allowed to relay.
6. The SMTP listener receives “RCPT TO” commands from the
connecting host.
7. The server examines each recipient address to see if the message
would be a relay to an external domain. If so, the server checks the
Inbound relay controls to determine:
• Whether the connecting host is allowed to relay
• Whether relays are allowed to the target domain
Matching for domain is performed by looking for the restricted
domain name as a trailing substring of the recipient’s domain. If you
deny the domain spamme.com, you also deny the domain
you.spamme.com. Rejected recipients receive a failure status in
response to the RCPT commands.
Enabling DNS blacklist filters for SMTP connections
To prevent unsolicited commercial e-mail (UCE), or spam, from entering
your system, you can set up Domino to check whether incoming SMTP
connections originate from servers listed in one or more DNS blacklists
(DNSBLs). DNSBLs are databases that keep a record of Internet SMTP
hosts that are known sources of spam or permit third-party, open
relaying.
When DNS blacklist filters are enabled, for each incoming SMTP
connection Domino performs a DNS query against the blacklists at the
specified sites. If a connecting host is found on the list, Domino reports
the event in a console message and in an entry to the Mail Routing
Events view of the Notes Log. Both the console message and log entry
provide the host name and IP address of the server, and the name of the
site where the server was listed.
In addition to logging the event, you can configure Domino to reject
messages from hosts on the blacklist or to add a special Notes item to flag
messages accepted from hosts on the list.
Specifying the DNS blacklist sites to check
After you enable the DNS blacklist filters, you can specify the site or sites
the SMTP task uses to determine if a connecting host is a “known” open
relay or spam source. Specify sites that support IP-based DNS blacklist
queries.
If Domino finds a match for a connecting host in one of the blacklists, it
does not continue checking the lists for the other configured sites.
For performance reasons, it’s best to limit the number of sites because
Domino performs a DNS lookup to each site for each connection.
You can choose from a number of publicly available and private, paid
subscription services that maintain DNS blacklists. When using a public
blacklist service, Domino performs DNS queries over the Internet. In
some cases, it may take a significant amount of time to resolve DNS
queries submitted to an Internet site. If the network latency of DNS
queries made over the Internet results in slowed performance, consider
contracting with a private service that allows zone transfer, so that
Domino can perform the required DNS lookups to a local host. During a
zone transfer, the contents of the DNS zone file at the service provider
are copied to a DNS server in the local network.
Each blacklist service uses its own criteria for adding servers to its list.
Blacklist sites use automated tests and other methods to confirm whether
a suspected server is sending out spam or acting as an open relay. The
more restrictive blacklist sites add servers to their list as soon as they fail
the automated tests and regardless of whether the server is verified as a
source of spam. Other less restrictive sites list a server only if its
administrator fails to close the server to third-party relaying after a
specified grace period or if the server plays host to known spammers.
By searching the Internet, you can find Internet sites that provide
periodic reports on the number of entries in various DNS blacklist
services.
Hosts that are exempt from DNS blacklist checks
To avoid unnecessary DNS lookups, Domino performs DNS blacklist
checks only on hosts that are subject to relay checks, as specified in the
SMTP inbound relay restrictions. Any host that is authorized to relay is
exempt from blacklist checks. For example, by default, Domino enforces
the inbound relay restrictions only for external hosts (Router/SMTP -
Restrictions and Controls - SMTP Inbound Controls - Perform Anti-Relay
enforcement for these connecting hosts). If the default setting is used,
internal hosts are not subject to relay controls and thus are also exempt
from blacklist checks.
For more information on configuring relay enforcement, refer to the topic
“Setting inbound relay controls to prevent unauthorized mail relaying”
earlier in this chapter.
Specifying how Domino handles connections from hosts found in a
DNS blacklist
You can configure Domino to take the following actions when it finds a
connecting host on one of the blacklists:
• Log only
• Log and tag message
• Log and reject message
In each case, the server records the following information in the Notes
log: the host’s IP address and host name (if a reverse DNS lookup can
determine this information) and the name of the site that listed the host.
When tagging messages, Domino adds a special Note item to messages
received from hosts found on a blacklist. After Domino determines that a
connecting host is on the blacklist, it adds the Note item, $DNSBLSite, to
each message it accepts from the host before depositing the message in
MAIL.BOX. The value of a $DNSBLSite item is the blacklist site in which
the host was found. Administrators can use the $DNSBLSite note item to
provide custom handling of messages received from hosts listed in a
blacklist. For example, you can test for the presence of the item through
the use of formula language in an agent or view and provide conditional
handling of messages that contain the item, such as moving the messages
to a special database.
When considering what action to take when Domino finds a host on the
blacklist, choose an action that’s consistent with the policies of the DNS
blacklist site you use. For instance, if the service you use is very
restrictive, its blacklist may include “false positives”; that is, it may
blacklist hosts that are not known sources of spam. As a result, if you
take the action of rejecting mail from any host found on the blacklist, it
could prevent the receipt of important messages.
Use restraint when taking action, particularly if you use the blacklist of a
more restrictive site. The action you select applies to each of the specified
blacklist sites. That is, you cannot configure Domino to deny connections
for hosts found on one site’s list and log the event only for hosts found on
another site’s list.
DNS blacklist statistics
The SMTP task maintains statistics that track the total number of
connecting hosts that were found on the combined DNSBL of all sites
combined, as well as how many were found on the DNSBL of each
configured site. Because the statistics are maintained by the SMTP task,
they are cumulative for the life of the task only and are lost when the
task stops.
You can view the statistics from the Domino Administrator or by using
the SHOW STAT SMTP command from the server console. You can
further expand the statistics to learn the number of times a given IP
address is found on one of the configured DNSBLs. To collect the
expanded information, you set the variable SMTPExpandDNSBLStats in
the NOTES.INI file on the server. Because of the large numbers
generated by the expanded set of statistics, Domino does not record the
expanded statistics by default.
Note Domino uses IP version 4 (IPv4) addresses when querying DNS
blacklist sites to find out if a connecting host is listed. If the connecting
host has an IP version 6 (IPv6) address, Domino skips the DNSBL check
for that host.
Changing the default error message
When denying a blacklisted host, Domino returns to it a default SMTP
response, which includes the remote host’s IP address and the blacklist
site that listed the host. You can customize this response in the “Custom
error message for denied hosts” field in the Configuration Settings
document. The text of a customized response can include the string
format specifier “%s” to represent a denied host’s IP address and the
DNSBL site where the host was found. Refer to the table in the following
procedure for more information.
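The blacklist check described in this section, including the stop at the first listing site, the IPv6 skip, the per-site and expanded statistics, the $DNSBLSite tag and the two-"%s" error substitution, as an added example that is not Domino code. DNS is replaced by a constructed in-memory table, and the site names, addresses, statistic keys and class/function names are constructed for illustration.

```python
"""Model of the Domino 6 DNS blacklist filter described above. Added example,
not Domino code. DNS is replaced by a constructed in-memory table; the site
names, addresses, statistic keys and class/function names are constructed."""
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional, Tuple
import ipaddress

def dnsbl_query_name(ip: str, site: str) -> str:
    """IP-based DNSBL lookup name: the IPv4 octets reversed under the site's zone."""
    return ".".join(reversed(ip.split("."))) + "." + site

# Constructed stand-in for DNS: query names that resolve are "listed".
# 127.0.0.2 is the conventional test address that DNSBL zones list.
FAKE_DNS = {
    "2.0.0.127.dnsbl.example.org": "127.0.0.2",
    "9.2.0.192.bl.example.net": "127.0.0.2",
}

def format_error(template: str, ip: str, site: str) -> str:
    """Replace the first %s with the denied host's IP and the second with the site."""
    return template.replace("%s", ip, 1).replace("%s", site, 1)

def tag_message(message: dict, site: str) -> dict:
    """'Log and tag message': add the $DNSBLSite item before deposit in MAIL.BOX."""
    return {**message, "$DNSBLSite": site}

@dataclass
class DnsblFilter:
    enabled: bool = True
    sites: List[str] = field(default_factory=list)
    action: str = "log"                 # "log", "tag" or "reject"
    # Constructed default text; the page only says the default cites policy reasons.
    custom_error: str = "Connection denied for policy reasons"
    expand_stats: bool = False          # models the SMTPExpandDNSBLStats setting
    stats: Counter = field(default_factory=Counter)   # lost when the task stops
    log: List[str] = field(default_factory=list)

    def listed_at(self, ip: str) -> Optional[str]:
        """Query each site in order; stop at the first one that lists the host."""
        if not self.enabled or ipaddress.ip_address(ip).version != 4:
            return None                 # IPv6 hosts skip the DNSBL check
        for site in self.sites:
            if dnsbl_query_name(ip, site) in FAKE_DNS:
                return site
        return None

    def on_connect(self, ip: str, hostname: Optional[str] = None) -> Tuple[bool, Optional[str], Optional[str]]:
        """Return (accept, smtp_reply, site) for one inbound SMTP connection."""
        site = self.listed_at(ip)
        if site is None:
            return True, None, None
        self.stats["total"] += 1        # hits across all configured sites
        self.stats[site] += 1           # hits per site
        if self.expand_stats:
            self.stats[f"{site}.{ip}"] += 1   # hits per listed address
        self.log.append(f"{hostname or 'unknown'} ({ip}) found in DNS blacklist at {site}")
        if self.action == "reject":
            return False, format_error(self.custom_error, ip, site), site
        return True, None, site

    def deposit(self, message: dict, site: Optional[str]) -> dict:
        """Items added to an accepted message before it goes to MAIL.BOX."""
        return tag_message(message, site) if site and self.action == "tag" else message
```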
To enable DNS blacklist filters
1. Make sure you already have a Configuration Settings document for
the server(s) to be configured.
2. From the Domino Administrator, click the Configuration tab and
expand the Messaging section.
3. Click Configurations.
4. Select the Configuration Settings document for the mail server or
servers where you want to enable DNS blacklist filters, and click Edit
Configuration.
5. Click the Router/SMTP - Restrictions and Controls - SMTP Inbound
Controls tab.
6. Complete the following fields in the DNS Blacklist Filters section,
and then click Save & Close:

Field: DNS Blacklist filters
Enter: Choose one:
• Enabled — When Domino receives an SMTP connection request, it checks
whether the connecting host is listed in the blacklist at the specified sites.
• Disabled — Domino does not check whether a connecting host is on the
blacklist.

Field: DNS Blacklist sites
Enter: If DNS blacklist filters are enabled, specify the DNSBL sites to check
when Domino receives an SMTP connection request.

Field: Desired action when connecting host is found in a DNS Blacklist
Enter: Choose one:
• Log — When Domino finds that a connecting host is on the blacklist, it
accepts messages from the host and records the host name and IP address of
the connecting server and the name of the site where the server was listed.
• Log and tag message — When Domino finds that a connecting host is on the
blacklist, it accepts messages from the host, logs the host name and IP
address of the connecting server and the name of the site where the server
was listed, and adds the Notes item $DNSBLSites to each accepted message.
• Log and reject message — When Domino finds that a connecting host is on
the blacklist, it rejects the connection and returns a configurable error
message to the host.

Field: Custom SMTP error response for rejected messages
Enter: Enter the text of the error message Domino returns when denying a
connection because it found the host in the DNS blacklist. The default error
message indicates that the connection was denied for policy reasons.
You can use the format specifier “%s” to specify the IP address of the denied
host and the DNS blacklist site where Domino found the host listed. For
example, if you enter the following:
Your host %s was found in the DNS Blacklist at %s
whenever Domino denies a connection, it returns an error to the host, in which
it replaces the first instance of “%s” with the IP address of the host, and
the second instance with the DNS blacklist site name. Thus, if you entered the
text in the preceding example, a denied host receives an error such as:
Your host 127.0.0.2 was found in the DNS Blacklist at blackholes.mail-abuse.org

7. Reload the SMTP task, or update the SMTP configuration to put
changes into effect.
Restricting who can send Internet mail to your users
Unsolicited commercial e-mail (UCE) can flood your server with
numerous copies of the same message. Accepting UCE reduces
performance and consumes system resources. You can specify
restrictions to prevent UCE from being routed to or relayed through your
server. Specifying restrictions prevents malicious users from using your
system to spoof addresses or send UCE.
To save system resources, before it accepts a message, the Domino SMTP
listener checks the Mail From address specified in the message envelope
during the SMTP transaction. If you set the Domino server to deny mail
from a particular source, Domino denies it whenever that source is
encountered — for example, if users from a denied domain send mail
through a relay, Domino denies it based on its origin from that domain.
Domino creates an entry in the log file (LOG.NSF) whenever a message is
rejected.
To restrict who can send Internet mail to your users
1. Make sure you already have a Configuration Settings document for
the server(s) to be configured.
2. From the Domino Administrator, click the Configuration tab and
expand the Messaging section.
3. Click Configurations.
28-90 Administering the Domino System, Volume 1
4. Select the Configuration Settings document for the mail server or
servers you want to restrict mail on, and click Edit Configuration.
5. Click the Router/SMTP - Restrictions and Controls - SMTP Inbound
Controls tab.
6. Complete these fields in the Inbound Sender Controls section, and
then click Save & Close:

Inbound Sender Controls

Verify sender’s domain in DNS
  Choose one:
  • Enabled — Domino verifies that the sender’s domain exists by checking DNS for an MX, CNAME, or A record that matches the domain part of the address in the MAIL FROM command received from the sending host. If no match is found, Domino rejects inbound mail from the host. This can result in Domino rejecting mail from legitimate hosts that do not have these records in their DNS entries.
  • Disabled — (default) Domino does not check DNS to verify that the sender’s domain exists.

Allow messages only from the following Internet addresses/domains
  Internet addresses from which the server accepts messages. If you enter addresses in this field, only senders matching those addresses can send Internet mail to users in your local Internet domain; mail from all other addresses is denied. During the SMTP conversation, the Domino SMTP listener compares the address in the MAIL FROM command received from the connecting host with the entries in this field. For example, if you enter lotus.com in the field, Domino accepts incoming mail only if the address in the MAIL FROM command ends in lotus.com, and denies messages from all other Internet addresses.
  You can create a Notes group containing a list of addresses from which to allow messages and enter the group name in this field. A group entry is valid only if it does not contain a domain part or dot (“.”). For example, the group named group1 is valid, but the groups named iris.com or group2@iris are not.

Deny messages from the following Internet addresses/domains
  Internet addresses from which the server does not accept messages. During the SMTP conversation, the Domino SMTP listener compares the address in the MAIL FROM command received from the connecting host with the entries in this field. If you enter addresses in this field, all messages except those from matching addresses can route to your users; mail is denied only from addresses matching the entries in this field. For example, if you enter lotus.com in the field, Domino accepts messages from all Internet addresses and domains except those ending in lotus.com.
  You can create a Notes group containing a list of addresses from which to deny messages and enter the group name in this field. A group entry is valid only if it does not contain a domain part or dot (“.”). For example, the group named group1 is valid, but the groups named iris.com or group2@iris are not.

7. Reload the SMTP task, or update the SMTP configuration to put changes into effect.
Note Be careful not to specify the same entry in an Allow field and a
Deny field because Domino will deny messages for that entry. The Deny
setting takes precedence for security reasons.
Restricting users from receiving Internet mail
Domino provides SMTP intended recipient filters that let you control the
users for whom the server accepts mail sent over SMTP connections. One
filter triggers a directory lookup that enables the server to verify that an
intended recipient exists before accepting a message. The other two
filters let you explicitly specify the Internet addresses that can and cannot
receive mail. To ensure that you don’t unintentionally block desirable
mail, use discretion when applying these settings.
During the SMTP conversation, the connecting host sends the Domino
SMTP listener a RCPT TO command, which specifies the recipient’s
Internet address. Each of the Inbound Intended Recipient Controls works
by examining the addresses specified as arguments to the RCPT TO
command. For example, if you enable directory verification and the
address specified in the RCPT TO command is in the local Internet
domain, the SMTP listener refers to the Domino Directory to determine whether the address is valid. Messages for invalid addresses are rejected, preventing them from becoming “dead” messages in MAIL.BOX.
Note Because enabling this setting results in messages for recipients not
found in the directory being rejected, do not use this setting in
environments that require mail to be forwarded to a smart host for
further processing.
The “Allow messages” setting lets you list Internet addresses that are
allowed to receive mail. If the RCPT TO command contains one of the
specified addresses, the SMTP listener accepts the message; messages for
all other recipients are rejected. The “Deny messages” setting lets you
explicitly deny mail to certain addresses. If the RCPT TO command
contains a denied address, the SMTP listener rejects the message, but
messages for all other recipients are accepted.
Note If the server supports Local Part name lookups, users whose
addresses are listed in the Deny field may still receive mail addressed to
any alternate Internet addresses configured for them. To ensure greater
control, specify the Internet address in each user’s Person document and
allow users to receive inbound mail destined for their fullname addresses
only.
For information on restricting how Domino looks up recipient names, see
the chapter “Setting Up Mail Routing.”
1. Make sure you already have a Configuration Settings document for
the server(s) to be configured.
2. From the Domino Administrator, click the Configuration tab and
expand the Messaging section.
3. Click Configurations.
4. Select the Configuration Settings document for the mail server or
servers you want to administer, and click Edit Configuration.
5. Click the Router/SMTP - Restrictions and Controls - SMTP Inbound
Controls tab.
Customizing the Domino Mail System 28-93
6. Complete these fields in the Inbound Intended Recipients Controls
section, and then click Save & Close:

Verify that local domain recipients exist in the Domino Directory
  Specifies whether the SMTP listener checks recipient names specified in RCPT TO commands against entries in the Domino Directory. Choose one:
  • Enabled — If the domain part of an address specified in an SMTP RCPT TO command matches one of the configured local Internet domains, the SMTP listener checks all configured directories to determine whether the specified recipient is a valid user. If all lookups complete successfully and no matching user name is found, the SMTP server returns a 550 permanent failure response indicating that the user is unknown. For example:
    550 bad_user@yourdomain.com ... No such user
  Choosing this setting can help prevent messages sent to nonexistent users (for example, spam messages and messages intended for users who have left the organization) from accumulating in MAIL.BOX as dead mail.
  To avoid messages being rejected as a result of directory unavailability, Domino accepts messages when an attempted directory lookup does not complete successfully.
  To avoid unnecessary directory lookups, Domino applies this setting only after performing all other configured SMTP inbound checks (inbound relay, sender, and recipient controls).
  When this setting is enabled, the server cannot relay mail to a smart host, because Domino rejects messages addressed to local domain recipients who are not listed in the Domino Directory.
  • Disabled — (default) The SMTP listener does not check whether local domain recipients specified in the RCPT TO command are listed in the Domino Directory.

Allow messages intended only for the following Internet addresses
  Internet addresses that are within the local Internet domain and that are allowed to receive mail from the Internet. If you enter addresses in this field, only those recipients can receive Internet mail. Domino denies mail for all other recipients.
  You can create a Notes group containing a list of addresses allowed to receive mail from the Internet and enter the group name in this field. A group entry is valid only if it does not contain a domain part or dot (“.”). For example, the group named group1 is valid, but the groups named yourdomain.com or group2@yourdomain are not.

Deny messages intended for the following Internet addresses
  Internet addresses within the local Internet domain that are prohibited from receiving mail from the Internet. If you enter addresses in this field, all addresses except those listed in this field can receive Internet mail. Domino denies mail only for the addresses in this field.
  You can create a Notes group containing a list of addresses that cannot receive mail from the Internet and enter the group name in this field. A group entry is valid only if it does not contain a domain part or dot (“.”). For example, the group named group1 is valid, but the groups named yourdomain.com or group2@yourdomain are not.

Note The SMTP listener accepts messages addressed to any variant of a user’s name that is not explicitly denied and that is otherwise acceptable to Domino. For example, if you deny mail to Kieran.Campion@acme.com, a message addressed to Kcampion@acme.com may be accepted and delivered to the same user.
7. Reload the SMTP task, or update the SMTP configuration to put
changes into effect.
Note Be careful not to specify the same entry in an Allow field and a
Deny field because Domino will deny messages for that entry. The Deny
setting takes precedence for security reasons.
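As an added example (not Domino code), the Python below implements the inbound sender and intended-recipient controls described in the two preceding sections as a connecting host experiences them at MAIL FROM and RCPT TO: Deny entries win over Allow entries, a group name is expanded only when it carries no dot or “@”, directory verification of local-domain recipients runs after the list checks and returns 550 for unknown users but accepts when the lookup does not complete, and denying one address does not cover a user’s alternate address. The group membership, local domain and directory contents are constructed; the 550 reply texts for policy rejections and the label-boundary rule for “ends in” matching (so that lotus.com does not also match notlotus.com) are assumptions.

```python
"""Inbound sender and intended-recipient controls, modelled on the Domino
fields described above. Added example, not Domino code; directory data is
constructed and the policy-rejection reply texts are assumptions."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set

# Constructed Domino Directory stand-ins (not real data).
GROUPS: Dict[str, List[str]] = {
    "partners": ["lotus.com", "iris.com"],
    "nomail": ["Kieran.Campion@acme.com"],
}
LOCAL_DOMAINS: Set[str] = {"acme.com"}
DIRECTORY_USERS: Set[str] = {"kieran.campion@acme.com", "kcampion@acme.com", "sales@acme.com"}


def expand(entries: List[str]) -> List[str]:
    """A group entry is valid only without a dot or '@'; anything else stays a literal entry."""
    out: List[str] = []
    for e in entries:
        if "." not in e and "@" not in e and e.lower() in GROUPS:
            out.extend(GROUPS[e.lower()])
        else:
            out.append(e)
    return out


def matches(address: str, entry: str) -> bool:
    """Exact match for user@domain entries. For domain entries the manual says the address
    must 'end in' the entry; assumption: anchor at '@' or a label boundary so that
    lotus.com does not also match notlotus.com."""
    a, e = address.lower().strip("<>"), entry.lower()
    if "@" in e:
        return a == e
    return a.endswith("@" + e) or a.endswith("." + e)


def allowed(address: str, allow: List[str], deny: List[str]) -> bool:
    """Deny takes precedence; an empty Allow list admits everything not denied."""
    allow, deny = expand(allow), expand(deny)
    if any(matches(address, d) for d in deny):
        return False
    return not allow or any(matches(address, a) for a in allow)


@dataclass
class InboundControls:
    sender_allow: List[str] = field(default_factory=list)
    sender_deny: List[str] = field(default_factory=list)
    rcpt_allow: List[str] = field(default_factory=list)
    rcpt_deny: List[str] = field(default_factory=list)
    verify_local_recipients: bool = False


def directory_lookup(address: str) -> Optional[bool]:
    """Constructed lookup that always completes. Pass a callable returning None to rcpt_to()
    to model a directory that is unavailable."""
    return address.lower() in DIRECTORY_USERS


def mail_from(ctl: InboundControls, sender: str) -> str:
    """Reply to MAIL FROM: sender controls are applied before any recipient is seen."""
    if allowed(sender, ctl.sender_allow, ctl.sender_deny):
        return "250 OK"
    return "550 Sender address rejected by policy"      # reply text is an assumption


def rcpt_to(ctl: InboundControls, rcpt: str,
            lookup: Callable[[str], Optional[bool]] = directory_lookup) -> str:
    """Reply to RCPT TO: list checks first, directory verification last and only for local domains."""
    if not allowed(rcpt, ctl.rcpt_allow, ctl.rcpt_deny):
        return "550 Recipient address rejected by policy"   # reply text is an assumption
    domain = rcpt.lower().strip("<>").rsplit("@", 1)[-1]
    if ctl.verify_local_recipients and domain in LOCAL_DOMAINS:
        found = lookup(rcpt)
        if found is None:            # lookup did not complete: accept rather than reject
            return "250 OK"
        if not found:
            return f"550 {rcpt} ... No such user"
    return "250 OK"


if __name__ == "__main__":
    ctl = InboundControls(sender_deny=["partners"], rcpt_deny=["nomail"], verify_local_recipients=True)
    for s in ("bob@lotus.com", "bob@notlotus.com"):
        print(f"MAIL FROM:<{s}> -> {mail_from(ctl, s)}")
    for r in ("Kieran.Campion@acme.com", "Kcampion@acme.com", "nobody@acme.com"):
        print(f"RCPT TO:<{r}> -> {rcpt_to(ctl, r)}")
```

In the sample run Kieran.Campion@acme.com is refused while Kcampion@acme.com is accepted, which is the alias gap the note above warns about. Note also that the 550 for an unknown local recipient tells a connecting host the same thing a VRFY would; weigh that disclosure against the dead-mail problem the setting solves.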
Supporting inbound SMTP extensions
Domino supports a number of extended SMTP (ESMTP) functions.
These include the ability to combine (or “pipeline”) commands, set the
server to check message size before accepting transfer, create a secure
SSL connection with another server, and create delivery status
notifications in MIME format. You enable or disable each of these options
in the Configuration Settings document for the server or servers for
which you want to use these extensions.
1. Make sure you already have a Configuration Settings document for
the server(s) to be configured.
2. From the Domino Administrator, click the Configuration tab and
expand the Messaging section.
3. Click Configurations.
4. Select the Configuration Settings document for the mail server or
servers you want to administer, and click Edit Configuration.
5. Click the Router/SMTP - Advanced - Commands and Extensions
tab.
6. Complete these fields in the Inbound SMTP Commands and
Extensions section, and then click Save & Close:

SIZE extension
  Choose one:
  • Enabled — (default) Domino declares its maximum message size to connecting hosts and checks the sending host’s estimate of message size before accepting transfer. If the sender indicates that a message to be transferred is larger than the maximum size, Domino returns an error indicating that it will not accept the message.
  • Disabled — Domino does not advertise its maximum message size or check inbound message size before transfer.
  For information about setting the maximum message size, see the topic “Restricting mail routing based on message size” earlier in this chapter.

Pipelining extension
  Choose one:
  • Enabled — (default) Improves performance by allowing Domino to accept multiple SMTP commands in the same network packet.
  • Disabled — Domino does not accept multiple SMTP commands in a single packet.

DSN extension
  Choose one:
  • Enabled — Domino supports incoming requests to return delivery status notifications to the sender for failed, delayed, delivered, and relayed messages. Upon request, Domino sends delay reports to the sender of an SMTP message for low-priority messages held until the low-priority routing time.
  • Disabled — (default) Domino does not return delivery status notifications for SMTP messages.

8-bit MIME extension
  Choose one:
  • Enabled — Domino accepts 8-bit messages as is, allowing reception of unencoded multinational characters.
  • Disabled — (default) Domino requires inbound messages containing 8-bit characters to be sent using 7-bit ASCII encoding.

HELP command
  Choose one:
  • Enabled — (default) In response to the HELP command, Domino displays a list of supported commands.
  • Disabled — Domino ignores the HELP command.

VRFY command
  Choose one:
  • Enabled — Domino accepts inbound requests to verify user names.
  • Disabled — (default) Domino denies requests to verify user names.

EXPN command
  Choose one:
  • Enabled — Domino expands mailing lists or groups to show individual recipient names.
  • Disabled — (default) Domino does not expand lists and groups.

ETRN command
  Choose one:
  • Enabled — Domino accepts inbound “pull” requests from other SMTP hosts to transfer messages destined for the calling server. Enabling ETRN support allows more efficient use of bandwidth by letting a remote SMTP host request pending messages at the same time it transfers messages to the Domino server.
  • Disabled — (default) Domino does not accept inbound “pull” requests from other SMTP hosts.

SSL negotiated over TCP/IP port
  Choose one:
  • Enabled — Domino supports the STARTTLS command, allowing it to create an encrypted SSL channel over the SMTP TCP/IP port.
  • Required — Domino accepts inbound SMTP connections over the TCP/IP port only from hosts that issue the STARTTLS command.
  • Disabled — (default) Domino does not allow secure SSL connections over the SMTP TCP/IP port.
  After accepting the STARTTLS command from a remote server, Domino uses the settings for the server’s SSL port to govern authentication for the session. For Domino to authenticate remote hosts that use the SMTP AUTH command, Name & Password authentication must be enabled for the Domino SSL port.

For more information about the authentication settings required to support STARTTLS, see the topic “Securing SMTP sessions using the STARTTLS command” earlier in this chapter.
7. Reload the SMTP task, or update the SMTP configuration to put
changes into effect.
Note Enabling VRFY and EXPN allows people outside your
organization to expand group names and to check for valid e-mail
addresses in your organization. You may not want to enable these
extensions for security reasons.
To prevent an SMTP server from sending outbound messages that
exceed the specified maximum size on the destination server, set the
outbound SMTP SIZE extension.
For information on enabling the outbound SMTP SIZE extension, see the
topic “Supporting outbound SMTP extensions” later in this chapter.
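To see which of these inbound extensions a server actually offers, inspect its EHLO reply. The Python below is an added example, not Domino code: parse_ehlo() turns an EHLO reply into a capability map, audit() flags an advertised VRFY or EXPN (the disclosure the note above describes), a missing STARTTLS, and a SIZE limit above your policy, and probe() runs the same audit against a live host with smtplib. The two EHLO replies are constructed to show a weak and a hardened configuration of the fields in this table; the host names in them are placeholders.

```python
"""Audit the ESMTP capabilities a server advertises in its EHLO reply.

Added example, not Domino code. parse_ehlo() and audit() run offline on a
captured or constructed reply; probe() needs network access.
"""
import smtplib
from typing import Dict, List, Optional

# Constructed EHLO reply: VRFY and EXPN enabled, no STARTTLS (host names are placeholders).
WEAK_EHLO = """250-mail.example.com Hello client.example.net
250-SIZE 10485760
250-PIPELINING
250-8BITMIME
250-VRFY
250-EXPN
250 HELP"""

# Constructed EHLO reply after disabling VRFY/EXPN and enabling STARTTLS.
HARDENED_EHLO = """250-mail.example.com Hello client.example.net
250-SIZE 10485760
250-PIPELINING
250-8BITMIME
250-STARTTLS
250 HELP"""


def parse_ehlo(reply: str) -> Dict[str, str]:
    """Map each '250-KEYWORD params' / '250 KEYWORD' line to {KEYWORD: params}.
    The first line is the greeting and carries no capability."""
    caps: Dict[str, str] = {}
    for line in reply.splitlines()[1:]:
        if not (line.startswith("250-") or line.startswith("250 ")):
            raise ValueError(f"unexpected EHLO line: {line!r}")
        body = line[4:].strip()
        if not body:
            continue
        keyword, _, params = body.partition(" ")
        caps[keyword.upper()] = params
    return caps


def audit(caps: Dict[str, str], require_tls: bool = True,
          max_size: Optional[int] = None) -> List[str]:
    """Return human-readable findings; an empty list means the reply meets the policy."""
    findings: List[str] = []
    if "VRFY" in caps:
        findings.append("VRFY advertised: remote hosts can test whether addresses exist")
    if "EXPN" in caps:
        findings.append("EXPN advertised: remote hosts can expand groups to member addresses")
    if require_tls and "STARTTLS" not in caps:
        findings.append("STARTTLS not advertised: sessions cannot be encrypted")
    if "SIZE" not in caps:
        findings.append("SIZE not advertised: oversized messages are refused only after transfer")
    elif max_size is not None and caps["SIZE"].isdigit() and int(caps["SIZE"]) > max_size:
        findings.append(f"SIZE {caps['SIZE']} exceeds policy limit {max_size}")
    return findings


def probe(host: str, port: int = 25, timeout: float = 10.0) -> List[str]:
    """Live check (needs network): smtplib stores the parsed EHLO reply in esmtp_features."""
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        s.ehlo()
        caps = {k.upper(): v for k, v in s.esmtp_features.items()}
    return audit(caps)


if __name__ == "__main__":
    for label, reply in (("weak", WEAK_EHLO), ("hardened", HARDENED_EHLO)):
        print(label, audit(parse_ehlo(reply)) or ["no findings"])
```

The weak reply yields three findings (VRFY, EXPN, no STARTTLS); the hardened reply yields none unless you pass a max_size below the advertised 10485760. Point probe() at your own server from outside the network to confirm that what it advertises matches the Configuration Settings document.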
Restricting outbound mail routing
You can control outbound messages from your system to external
Internet domains by restricting who can send these messages and by
enabling extended SMTP (ESMTP) outbound features. You can set these
restrictions to:
• Restrict who can send mail to the Internet
• Set outbound SMTP extensions
Restricting users from sending Internet mail
You can control the transfer of outbound mail from your organization to
the Internet. Domino provides two methods for restricting outbound
Internet mail:
• Outbound sender controls - These controls specify which users in your organization are allowed to send mail to the Internet.
• Outbound recipient controls - These controls specify the Internet destinations to which users can send mail.
Setting outbound sender controls
The outbound sender controls let you specify who can and cannot send
mail to the Internet. The controls are implemented in two sets of Allow
and Deny lists:
• Internet addresses of users who can/cannot send mail to the Internet
• Notes addresses of users who can/cannot send mail to the Internet
Domino sends a restriction failure message to restricted users who
attempt to send outbound mail. You can customize the text of mail
failure messages.
For more information, see the topic “Customizing the text of mail failure
messages” earlier in this chapter.
The Outbound sender controls are not intended to restrict SMTP relay
access. To configure relay restrictions, use the Inbound Relay Controls on
the Router/SMTP - Restrictions and Controls - SMTP Inbound Controls
tab of the Configuration Settings document.
For more information on setting the inbound relay controls, see the topic
“Setting inbound relay controls” earlier in this chapter.
Note Because you might unintentionally block desired mail, be careful
when you use these fields.
1. Make sure you already have a Configuration Settings document for
the server(s) to be configured.
2. From the Domino Administrator, click the Configuration tab and
expand the Messaging section.
3. Click Configurations.
4. Select the Configuration Settings document for the mail server or
servers you want to administer, and click Edit Configuration.
5. Click the Router/SMTP - Restrictions and Controls - SMTP
Outbound Controls tab.
6. Complete these fields in the Outbound Sender Controls section, and
then click Save & Close:

Outbound Sender Controls

Allow messages only from the following Internet addresses to be sent to the Internet
  Specifies the RFC 821 Internet addresses of users in the local Internet domain from whom Domino accepts mail destined for Internet addresses outside the local Internet domain. If this field contains entries, Domino accepts outbound Internet mail from the specified Internet addresses only and rejects outbound Internet mail sent from other addresses. Rejected mail is returned to the sender.
  Enter Internet addresses in the form user@domain.com, or enter the name of a Notes group containing a list of Internet addresses allowed to send mail to the Internet. Domino expands entries for groups only if the group name can be found in the primary Domino Directory.
  Wildcards (for example, *acme.com) and isolated Internet domain suffixes (for example, acme.com) are not acceptable values in this field.

Deny messages from the following Internet addresses to be sent to the Internet
  Specifies the RFC 821 Internet addresses of users in the local Internet domain from which Domino does not accept mail destined for external Internet addresses. If this field contains entries, Domino rejects outbound Internet mail sent from the specified Internet addresses and returns it to the sender. All other users can send Internet mail.
  Enter Internet addresses in the form user@domain.com, or enter the name of a Notes group listing the Internet addresses from which to deny outbound Internet mail. Domino expands entries for groups only if the group name can be found in the primary Domino Directory.
  Wildcards (for example, *acme.com) and isolated Internet domain suffixes (for example, acme.com) are not acceptable values in this field.

Allow messages only from the following Notes addresses to be sent to the Internet
  Specifies the Notes user names from which Domino accepts mail destined for external Internet addresses. If this field contains entries, Domino accepts outbound Internet mail from the specified entries only and rejects outbound Internet mail sent from all other Notes addresses. Rejected mail is returned to the sender.
  Enter fully qualified Notes addresses in the form User/Organizational_unit/Organization, or enter the name of a Notes group whose members you want to allow to send Internet mail. Domino expands entries for groups only if the group name can be found in the primary Domino Directory.

Deny messages from the following Notes addresses to be sent to the Internet
  Specifies the Notes user names from which Domino does not accept mail destined for external Internet addresses. If this field contains entries, Domino rejects outbound Internet mail sent from the specified entries and returns it to the sender. Domino accepts outbound Internet mail from all other Notes addresses.
  Enter fully qualified Notes addresses in the form User/Organizational_unit/Organization, or the name of a Notes group whose members you want to prevent from sending Internet mail. Domino expands entries for groups only if the group name can be found in the primary Domino Directory.

Note Group entries cannot contain a domain qualifier (’@’ sign). For
example, an entry for a group with the name DenyMail is valid, but
if you add the domain name to the entry, as in Denymail@acme,
Domino does not expand the entry to determine its members. This
restriction applies to nested groups also. That is, if the group
DenyMail includes Sales@AcmeWest as a member, Domino does not
expand Sales@AcmeWest to determine its members.
7. The change takes effect after the next Router configuration update.
To put the new setting into effect immediately, reload the routing
configuration.
For information on how to reload the routing configuration, see the
chapter “Setting Up Mail Routing.”
The outbound sender controls are not intended to control relaying. For
information on controlling message relaying, see the topic “Setting
inbound relay controls” earlier in this chapter.
Setting outbound recipient controls
The Outbound recipient controls let you specify the Internet domains and host names to which users are allowed, or not allowed, to send mail. The controls consist of a pair of lists: one specifying the Internet domains or host names to which users can send mail, and another listing the domains and host names to which users cannot send mail.
1. Make sure you already have a Configuration Settings document for
the server(s) to be configured.
2. From the Domino Administrator, click the Configuration tab and
expand the Messaging section.
3. Click Configurations.
4. Select the Configuration Settings document for the mail server or
servers you want to administer, and click Edit Configuration.
5. Click the Router/SMTP - Restrictions and Controls - SMTP
Outbound Controls tab.
6. Complete these fields in the Outbound Recipient Controls section,
and then click Save & Close:

Outbound Recipient Controls

Allow messages only to recipients in the following Internet domains or host names
  Specifies the Internet domains, such as acme.com, and Internet host names, such as mailhost.acme.com, to which Domino can send mail. If there are entries in this field, users can send Internet mail to the specified entries only. Domino denies mail to all other domains or host names.
  If you specify an Internet domain, users can send mail to any host or sub-domain in that domain. Domino matches entries against the last part of domain names or host names, so entering host.acme.com allows mail to mail.host.acme.com as well as inbound.host.acme.com.
  If you list a host name that matches an MX record for a domain, Domino allows mail to all recipients in that domain. For example, if mailhost.acme.com exactly matches the name of an MX host in the DNS for the domain acme.com, entering it in this field allows all mail to that domain.

Deny messages to recipients in the following Internet domains or host names
  Specifies the Internet domains, such as acme.com, and Internet host names, such as mailhost.acme.com, to which Domino cannot send mail. Domino allows mail to all other domains or host names. Domino matches entries against the last part of domain names or host names, so entering host.acme.com denies mail to smtp.host.acme.com as well as inbound.host.acme.com.
  If you enter a host name that matches an MX record for a domain, mail to all host names and MX records for that domain is denied. Thus, specifying a host name that matches an MX record for a domain denies all mail to that domain.

7. The change takes effect after the next Router configuration update.
To put the new setting into effect immediately, reload the routing
configuration.
For information on how to reload the routing configuration, see the
chapter “Setting Up Mail Routing.”
Note For security reasons, if there is a conflict between the two fields for
a given setting, entries in the Deny field take precedence. For example, if
acme.com appears in both the “Allow messages only to recipients in the
following Internet domains or host names” field and the corresponding
“Deny messages” field, Domino denies messages sent to acme.com. Be
careful not to have the same entry in an Allow field and a Deny field for
the same setting.
Note Domino checks each address to see if it is an Internet address or a
Notes address. The Router then applies the restrictions specified for that
type of address.
Note If you are entering multiple names in a field, consider creating a
group and entering the group name in the field. Domino expands the
group into a list of members. If you update the group list in this
document or edit the group members in the Domino Directory, changes
do not take effect immediately.
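The following Python is an added example, not Domino code, modelling the outbound sender and recipient controls of the two preceding sections: Internet-address entries are validated (user@domain.com only, with no wildcards or bare domain suffixes), groups are expanded from a constructed primary directory except where the entry carries an “@” qualifier (nested groups included), the Notes or Internet list pair is chosen by the sender’s address type, recipient entries match the trailing labels of the destination host, and a host name equal to a domain’s MX host covers the whole domain. Deny wins over Allow throughout. Recognizing a Notes address by the presence of “/”, and the MX table, are assumptions.

```python
"""Outbound sender and recipient controls, modelled on the Domino fields
described above. Added example, not Domino code; directory and MX data are
constructed."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set

# Constructed primary Domino Directory: group name -> members (not real data).
PRIMARY_DIRECTORY: Dict[str, List[str]] = {
    "DenyMail": ["Pat Quinn/Sales/Acme", "Sales@AcmeWest", "Contractors"],
    "Contractors": ["temp1@acme.com", "Lee Park/IT/Acme"],
    "Sales@AcmeWest": ["Ana Ruiz/Sales/AcmeWest"],   # never expanded: the entry carries '@'
}
# Constructed DNS data: domain -> its MX host.
MX_HOSTS: Dict[str, str] = {"acme.com": "mailhost.acme.com"}


def expand_group(name: str, seen: Optional[Set[str]] = None) -> List[str]:
    """Expand a group recursively. An entry with a domain qualifier ('@') stays a literal,
    as does anything not found in the primary directory."""
    seen = set() if seen is None else seen
    if "@" in name or name not in PRIMARY_DIRECTORY or name in seen:
        return [name]
    seen.add(name)
    out: List[str] = []
    for member in PRIMARY_DIRECTORY[name]:
        out.extend(expand_group(member, seen))
    return out


def expand_all(entries: List[str]) -> List[str]:
    return [x for e in entries for x in expand_group(e)]


def is_notes_address(addr: str) -> bool:
    """Assumption: a hierarchical Notes name contains '/', an Internet address does not."""
    return "/" in addr


def validate_internet_entry(entry: str) -> None:
    """Internet-address sender fields take user@domain.com or a bare group name (no dot):
    wildcards and isolated domain suffixes are rejected."""
    if "." in entry and ("*" in entry or "@" not in entry):
        raise ValueError(f"invalid entry {entry!r}: use user@domain.com or a group name")


@dataclass
class OutboundControls:
    inet_allow: List[str] = field(default_factory=list)
    inet_deny: List[str] = field(default_factory=list)
    notes_allow: List[str] = field(default_factory=list)
    notes_deny: List[str] = field(default_factory=list)
    rcpt_allow: List[str] = field(default_factory=list)
    rcpt_deny: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        for e in self.inet_allow + self.inet_deny:
            validate_internet_entry(e)


def _allowed(value: str, allow: List[str], deny: List[str],
             match: Callable[[str, str], bool]) -> bool:
    """Deny wins over Allow; an empty Allow list admits everything not denied."""
    allow, deny = expand_all(allow), expand_all(deny)
    if any(match(value, d) for d in deny):
        return False
    return not allow or any(match(value, a) for a in allow)


def _exact(value: str, entry: str) -> bool:
    return value.lower() == entry.lower()


def sender_may_send(ctl: OutboundControls, sender: str) -> bool:
    """Apply the Notes or Internet list pair according to the sender's address type."""
    if is_notes_address(sender):
        return _allowed(sender, ctl.notes_allow, ctl.notes_deny, _exact)
    return _allowed(sender, ctl.inet_allow, ctl.inet_deny, _exact)


def host_matches(host: str, entry: str) -> bool:
    """Match the entry against the trailing labels of the host; an entry equal to a
    domain's MX host covers every host in that domain."""
    h, e = host.lower(), entry.lower()
    if h == e or h.endswith("." + e):
        return True
    return any(e == mx.lower() and (h == d or h.endswith("." + d)) for d, mx in MX_HOSTS.items())


def recipient_domain_allowed(ctl: OutboundControls, rcpt: str) -> bool:
    host = rcpt.rsplit("@", 1)[-1]
    return _allowed(host, ctl.rcpt_allow, ctl.rcpt_deny, host_matches)


if __name__ == "__main__":
    ctl = OutboundControls(notes_deny=["DenyMail"], rcpt_deny=["mailhost.acme.com"])
    for s in ("Pat Quinn/Sales/Acme", "Lee Park/IT/Acme", "Ana Ruiz/Sales/AcmeWest"):
        print(f"{s}: may send = {sender_may_send(ctl, s)}")
    for r in ("someone@acme.com", "x@acme.org"):
        print(f"{r}: may receive = {recipient_domain_allowed(ctl, r)}")
```

In the sample run Lee Park/IT/Acme is denied through the nested Contractors group, while Ana Ruiz/Sales/AcmeWest is not, because the Sales@AcmeWest entry is never expanded; mail to anyone at acme.com is denied because mailhost.acme.com is that domain’s MX host.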
Supporting outbound SMTP extensions
Domino supports outbound extended SMTP (ESMTP) features to interact
with other messaging servers. These extensions are controlled in the
Configuration Settings document.
1. Make sure you already have a Configuration Settings document for
the server(s) to be configured.
2. From the Domino Administrator, click the Configuration tab and
expand the Messaging section.
3. Click Configurations.
4. Select the Configuration Settings document for the mail server or
servers you want to administer, and click Edit Configuration.
5. Click the Router/SMTP - Advanced - Commands and Extensions
tab.
6. Complete these fields in the Outbound SMTP Commands and
Extensions section, and then click Save & Close:

SIZE extension
  Choose one:
  • Enabled — (default) If the destination SMTP host also supports the SIZE extension, Domino declares the estimated size of messages before transfer.
  • Disabled — Domino does not declare message size before transferring messages to another SMTP server.

Pipelining extension
  Choose one:
  • Enabled — (default) If the remote SMTP host also supports pipelining, Domino sends multiple SMTP commands in the same network packet to improve performance.
  • Disabled — Domino sends each SMTP command in a separate packet.

DSN extension
  Choose one:
  • Enabled — When sending a message to a server that also supports the DSN extension, Domino appends a NOTIFY parameter to the SMTP RCPT TO command to request a particular type of delivery status notification for the message. For messages sent from Notes clients, Domino uses the Delivery report options specified by the client (Confirm delivery; Trace entire path; Delivered) to determine the type of DSN requested.
  • Disabled — (default) Domino does not send DSN requests.

8-bit MIME extension
  Choose one:
  • Enabled — When sending a message to a remote server that also supports 8-bit MIME, Domino improves performance by sending messages containing multinational characters as is, without first encoding them.
  • Disabled — (default) Domino encodes messages containing 8-bit characters as 7-bit ASCII before sending.

7. The change takes effect after the next Router configuration update.
To put the new setting into effect immediately, reload the routing
configuration.
For information on how to reload the routing configuration, see the
chapter “Setting Up Mail Routing.”
Mail journaling
By default, after the Router processes a message, it does not retain a copy
of the message. That is, after ServerA successfully sends a message to
ServerB, the Router on ServerA deletes the message from its MAIL.BOX
database. Likewise, when ServerB successfully transfers or delivers the
message to the next server on the routing path, the Router on ServerB
removes the message from its MAIL.BOX database.
To comply with laws or regulations that apply to your business, your
organization may be required to save a copy of every message processed
by the local mail system and permanently store or otherwise process the
message copies. For example, government agencies such as the Securities
and Exchange Commission (SEC) require a business to retain all
messages related to the transactions they undertake.
Mail journaling enables administrators to capture a copy of specified messages as the Router processes them. Journaling
can capture all messages handled by the Router or only messages that
meet specific defined criteria. When mail journaling is enabled, Domino
examines messages as they pass through MAIL.BOX and saves copies of
selected messages to a Domino Mail Journaling database
(MAILJRN.NSF) for later retrieval and review. Mail journaling works in
conjunction with mail rules, so that you create a journaling rule to specify
the criteria for which messages to journal. For example, you can journal
messages sent to or from specific people, groups, or domains. Before
depositing messages in the Mail Journaling database, the Router encrypts
them to ensure that only authorized persons can examine them.
Journaling does not disrupt the normal routing of a message. After the
Router copies a message to the Mail Journaling database, it continues to
dispatch the message to its intended recipient.
Domino mail journaling differs from message archiving. Journaling
works dynamically, making a copy of each message as it passes through
MAIL.BOX to its destination and placing the copy in the Mail Journaling
database. A copy of the message is retained, even if the recipient, or an
agent acting on the recipient’s mail file, deletes it immediately upon
delivery. Archiving is used to reduce the size of an active mail file
database by deleting messages from one location and moving them to an
offline database, usually in another location, for long-term storage.
Archiving acts on messages that have already been delivered. Journaling
is performed automatically by the server; while archiving is a manual
operation, performed by end users on their own mail files. End users can
search for and retrieve messages from a mail file archive, but only an
authorized administrator can examine a Mail Journaling database.
You can use Domino mail journaling in conjunction with third-party
archiving programs to fulfill long-term storage needs.
To provide access to certain journaling routines, Domino implements
several Extension Manager (EM) hooks. EM hooks enable an executable
program library, such as a dynamic link library or shared object library,
to register a callback routine that will be called before, after, or before
and after Domino performs selected internal operations. Using EM
hooks, developers can customize mail processing. For example, EM
hooks to the Journaling task could be used in conjunction with a
third-party archiving program to route certain messages directly to an
archive center. For more information about Extension Manager, see the
IBM Lotus C API Toolkit for Notes/Domino 6. The toolkit is available at
http://www.lotus.com/capi.
Setting up mail journaling
There are two steps to configure journaling:
• Setting up the Mail Journaling database
• Specifying which messages to journal
Setting up the Mail Journaling database
By default, mail journaling is not enabled. You enable journaling from
the Configuration Settings document. To set up the Mail Journaling
database, you specify where to store journaled messages and then set
options for managing the security and size of the database.
After you enable journaling, Domino automatically creates the Mail
Journaling database in the specified location.
To set up the Mail Journaling database
1. Make sure you already have a Configuration Settings document for
the server(s) to be configured.
2. From the Domino Administrator, click the Configuration tab and
expand the Messaging section.
3. Click Configurations.
4. Select the Configuration Settings document for the mail server or
servers where you want to journal mail, and click Edit Configuration.
5. Click the Router/SMTP - Advanced - Journaling tab.
6. Complete the following fields, and then click Save & Close:

Journaling
    Specifies whether the server supports mail journaling. Choose one:
    • Enabled — Domino supports mail journaling on the servers governed
      by this document. To journal mail, create a server mail rule with
      the action “Journal this message.”
    • Disabled — (default) Mail journaling is not supported on the
      servers governed by this document.

Field encryption exclusion list
    Specifies the names of Notes message fields that Domino does not
    encrypt when adding messages to the Mail Journaling database.
    Encrypted fields cannot be displayed in a view. List any fields you
    want to display in a view. By default, the following fields are not
    encrypted: Form, From, Principal, and PostedDate. When using a
    mail-in database for journaling, Domino does not automatically
    encrypt messages added to the database. To encrypt messages in a
    mail-in database, use the Mail-in database document to specify
    encryption of incoming messages.

Method
    Specifies the location of the Mail Journaling database. Choose one:
    • Copy to local database — (default) The Router copies each
      journaled message to a database on the local server. If it does
      not already exist, Domino creates a local Mail Journaling database
      on the server. If the Configuration Settings document applies to
      multiple servers, Domino creates a unique Mail Journaling database
      on each server.
    • Send to mail-in database — The Router copies each journaled
      message and sends it to a specified mail-in database. The
      specified database must already exist and must have a Mail-in
      database document in the Domino Directory. The mail-in database
      used for journaling may be on any Domino server, including the
      local server. Specify the mail file where journaled messages are
      to be sent in the Mail Destination field. When using a mail-in
      database for journaling, be sure to encrypt messages when adding
      them to the database. To encrypt messages sent to a mail-in
      database, enable encryption on the Administration tab of the
      Mail-in database document.

Database name
    If you specified “Copy to local database” as the journaling method,
    specify the file name you want Domino to use when it creates the
    Mail Journaling database. The default name is MAILJRN.NSF.

Mail destination
    If you specified “Send to mail-in database” as the journaling
    method, use this field to enter the name of the mail-in database to
    which the Router forwards messages to be journaled. Click the
    down-arrow to select the name of the mail-in database from the
    Domino Directory. You must create the mail-in database beforehand;
    Domino does not automatically create mail-in databases for
    journaling.

Encrypt on behalf of user
    If you specified “Copy to local database” as the journaling method,
    enter the fully qualified Notes Name of the user whose certified
    public key Domino uses to encrypt messages added to the database. To
    ensure privacy, consider creating a special user ID for reviewing
    journaled messages, and protect the ID with multiple passwords. To
    encrypt messages sent to a mail-in database, enable encryption on
    the Administration tab of the Mail-in database document.

Database Management - Method
    For local Mail Journaling databases, the entry in this field
    specifies how Domino controls the size of the Mail Journaling
    database. When the database management method in effect calls for
    Domino to create a new Mail Journaling database, on the day that it
    creates the new database, it does so at approximately 12:00 AM.
    Choose one of the following methods:
    • Periodic Rollover — (default) When the current Mail Journaling
      database reaches the age specified in the Periodicity field,
      Domino renames the existing Mail Journaling database and creates
      a new Mail Journaling database with the original name.
    • None — Domino does not automatically control the size of the Mail
      Journaling database. If you do not use one of the available
      methods for controlling database size automatically, be sure to
      monitor the database size and use appropriate tools to archive
      the journal data.
    • Purge/Compact — Domino deletes documents from the database after
      the number of days specified in the Data Retention field and then
      compacts the database.
    • Size Rollover — When the current database reaches the size
      specified in the Maximum size field, Domino renames the database
      and creates a new Mail Journaling database with the original
      name.

Periodicity
    If you specified Periodic Rollover in the preceding field, Domino
    displays this field for specifying the length, in days, of the
    rollover interval. The default value is 1 day.

Data Retention
    If you specified Purge/Compact in the Database Management - Method
    field, Domino displays this field for specifying the time, in days,
    that a message remains in the Mail Journaling database before being
    deleted.

Maximum size
    If you specified Size Rollover in the Database Management - Method
    field, Domino displays this field for specifying a size limit, in
    megabytes (MB), for the Mail Journaling database. After the database
    reaches the specified size, Domino renames it and creates a new one.

7. The change takes effect after the next Router configuration update.
To put the new setting into effect immediately, reload the routing
configuration.
For information on how to reload the routing configuration, see the
chapter “Setting Up Mail Routing.”
For information on Mail-in database documents, see the chapter “Rolling
Out Databases.”
For more information on the different journaling and database
management methods, and on securing the Mail Journaling database, see
the topic “Managing the Mail Journaling database” later in this chapter.
Managing the Mail Journaling database
When setting up the Mail Journaling database, you must specify:
• The journaling method
• Security settings
• How to manage database size
Specifying the journaling method
There are two methods available for journaling messages, copying
messages to a local database (local journaling) and forwarding messages
to a mail-in database (remote journaling). In local journaling the Router
moves messages from MAIL.BOX to a Mail Journaling database on the
same server. If you enable local journaling on more than one server, each
server maintains its own unique Mail Journaling database. Since local
journaling doesn’t require messages to be transferred between servers to
reach the Mail Journaling database, this is the preferred method for
minimizing network traffic.
Remote journaling lets you journal messages from multiple servers to a
single location, sending them to the mail-in database specified in the
“Mail Destination” field. Domino does not automatically create mail-in
databases for journaling; you must manually create both the destination
database and the necessary Mail-in database document.
Using a mail-in database to journal messages greatly increases mail
traffic, since messages must travel over the network to be deposited in
the Mail Journaling database.
For information about using Mail-in databases, see the chapter “Rolling
Out Databases.”
Managing security of the Mail Journaling database
The Mail Journaling database contains private information about many
people. Domino employs two methods to restrict access to the Mail
Journaling database. First, it conceals the database from users. By default,
Domino makes the Mail Journaling database “invisible” to users; that is,
the database does not appear in the Open database dialog box when a
user opens a new database. To display the database, check “Show in
’Open Database’ dialog” on the Design tab of the Database properties
dialog box.
Second, when local journaling is enabled, Domino encrypts the
information in the Mail Journaling database, using the Certified public
key of a specified Notes user. To specify the ID to use when encrypting
messages, enter a user name in the field “Encrypt on behalf of user.” By
default, Domino exempts certain summary information fields from
encryption so that the information they contain can be used in database
views. You can specify other fields to exempt in the field, “Field
encryption exclusion list.”
Setting up a Mail Journaling user
To maximize security, create and register a special user ID for the Mail
Journaling database and assign multiple passwords to the ID. Distribute
passwords in such a way that no one person knows them all, so that the
consent of multiple parties is required to view the contents of the
database.
For information on assigning multiple passwords to an ID, see the
chapter “Protecting and Managing Notes IDs.”
Providing access to the Mail Journaling database for users who are not
server administrators
Domino encrypts journaled messages with the user ID specified on the
Router/SMTP - Advanced - Journaling tab of the Configuration Settings
document. The ID you specify can be the ID of an existing server
administrator or another user ID. By default the ACL of the Mail
Journaling database includes only users listed in the Administrators field
of the Server document’s Security tab. If the ID for encrypting messages
does not belong to a server administrator, you must add this user to the
database ACL before the user can access the database.
The user’s name is preserved in the ACL during daily rollovers and size
rollovers, but if you remove the Mail Journaling database, the next time
the server starts, it automatically creates a new database using the
original ACL. You must add the ID used for encryption to the database
ACL again.
Enabling encryption for remotely journaled messages
By default, mail-in databases do not encrypt incoming mail. To ensure
privacy when sending journaled messages to a mail-in database, enable
the mail-in database to encrypt incoming mail. When enabling
encryption for a mail-in database, you select a user whose Notes certified
public key Domino uses to encrypt messages stored in the database.
For more information on setting up a mail-in database, see the chapter
“Rolling Out Databases.”
No encryption of previously encrypted messages
A message that Notes has previously encrypted for its recipients is not
re-encrypted with the certified public key of the specified Journal user.
As a result, when depositing encrypted messages in the Mail Journaling
database, Domino preserves the original encryption, so that the message
content cannot be decrypted with the ID of the designated Mail
Journaling user, unless, of course, that user was included in the original
recipient list. A Mail Journaling user who was not on the recipient list
can view header information only.
Managing the size of the Mail Journaling database
Depending on how you set up journaling rules, the size of the Mail
Journaling database may increase rapidly. Domino provides several
methods for automatically controlling the database size:

Periodic Rollover
    (Default) Domino creates a new Mail Journaling database at an
    interval specified in days. The default interval is one day. The
    new database takes its name from the name of the current database
    (for example, MAILJRN.NSF) and is created at approximately 12:00 AM
    of the specified day. Domino renames the current database using the
    format MJ<date>.NSF, where <date> is an 8-digit number representing
    the current date in a format specified by the operating system’s
    international date settings. For example, if the server defines
    dates in MMDDYYYY format, the current database is renamed to
    MJ09032002.NSF.

Purge/Compact
    Domino deletes documents from the database after a specified number
    of days and then compacts the database to eliminate deletion stubs
    and white space.

Size Rollover
    Domino creates a new Mail Journaling database when the current
    database reaches a specified size, renaming the old database using
    the format MJXXXXXX.NSF, where XXXXXX represents a number series
    starting at 000001 and increasing by 1 with each successive
    rollover, for example, MJ000001.NSF, followed by MJ000002.NSF, and
    so forth. If a database with the next name in the sequence already
    exists on the server, Domino uses the next number in the sequence.
    The new Mail Journaling database uses the original database name
    (for example, MAILJRN.NSF). Because Domino may be unable to
    determine the exact size of any message attachments before adding a
    message to the Mail Journaling database, the database may exceed
    the maximum size after the addition of a new message. If this
    happens, the next message added to the database triggers creation
    of the new database.

These methods for controlling database size are not available if you
use a mail-in database for journaling messages. If you select this
method of journaling, be sure to monitor the database size and use
appropriate tools to archive data to another location.

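The rollover naming rules in the table above, worked through as an added Python model that is not Domino’s own code: it reproduces the MJ<date>.NSF and MJ000001.NSF naming, the skip-over when a name in the sequence already exists, and the one-message overshoot of the maximum size that the next message then resolves. The function and class names, the MMDDYYYY date format and the constructed directory listing are this example’s assumptions.

```python
from datetime import date

MB = 1024 * 1024   # the Maximum size field is given in megabytes


def periodic_rollover_name(year, month, day, date_format="%m%d%Y"):
    """Name the current database receives on Periodic Rollover:
    MJ<date>.NSF, with <date> in the operating system's date format
    (MMDDYYYY is assumed here)."""
    return "MJ" + date(year, month, day).strftime(date_format) + ".NSF"


def next_size_rollover_name(existing_files):
    """Name used on Size Rollover: the first of MJ000001.NSF,
    MJ000002.NSF, ... that is not already present on the server."""
    existing = {name.upper() for name in existing_files}
    n = 1
    while "MJ%06d.NSF" % n in existing:
        n += 1
    return "MJ%06d.NSF" % n


class SizeRolloverJournal:
    """Model of a local Mail Journaling database under Size Rollover."""

    def __init__(self, max_mb, name="MAILJRN.NSF", existing_files=()):
        self.name = name
        self.max_bytes = max_mb * MB
        self.files = set(existing_files)   # constructed directory listing
        self.files.add(name)
        self.size = 0        # bytes in the database under the original name
        self.rolled = []     # names given to rolled-over databases

    def add_message(self, nbytes):
        """Deposit one journaled message and return the new size.

        Attachment sizes may not be known before the message is added,
        so the limit is checked before adding, not after: a single
        message can carry the database past max_bytes, and the next
        message then triggers the rollover."""
        if self.size >= self.max_bytes:
            new_name = next_size_rollover_name(self.files)
            self.files.add(new_name)
            self.rolled.append(new_name)
            self.size = 0    # fresh database created under self.name
        self.size += nbytes
        return self.size
```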
Specifying messages to journal
After you enable journaling, set mail rules on the Configuration Settings
document to specify which messages to journal.
For information about setting mail rules, see the topic “Setting server
mail rules” earlier in this chapter.
If you specify All documents and a message is returned as undeliverable,
Domino journals the delivery failure report as well as the original
message.
When Domino journals a message, it sets a journal flag on the message
before transferring it to the next server on the route. This ensures that
servers later in the routing path do not journal the message again. When
the Router on the destination mail server delivers the message to the
user’s mail file, it removes the journal flag so that the user remains
unaware that the message was journaled.
On servers running the ISpy task, this task sends mail probes in the form
of trace messages to test mail connectivity approximately every five
minutes. Under normal use, the ISpy task automatically deletes these
probes from the ISpy mail-in database and the only traces of them are
entries in the Routing events view of the server log file and on the server
console. However, if you enable a journaling rule on these servers and
specify the condition “All documents,” the Mail Journaling database will
capture each trace message that the ISpy task sends. To prevent the Mail
Journaling database from filling up with these entries, configure a rule
exception for messages where the sender includes “ISpy.”
Retrieving messages from the Mail Journaling database
Administrators can examine the contents of the Mail Journaling database
by logging in as the user for whom Domino encrypts journaled messages.
A user who is listed in the database ACL, but who is not the specified
journal user (and thus does not own the correct private decryption key),
may be able to access the Mail Journaling database but will receive the
following error when attempting to open messages in the database:
You cannot access portions of this document because it is
encrypted and was not intended for you.
By default, the Mail Journaling database does not appear in the Open
database dialog box. You can open the database by specifying its file
name — for example MAILJRN.NSF — in the Filename field in the Open
Database dialog box. To list the database in the Open Database dialog
box, check “Show in ’Open Database’ dialog” on the Design tab of the
Database properties dialog box.
To facilitate searches and provide quick information about journaled
messages, the Mail Journaling database provides a full-text index and
several views. You can create views or customize existing ones to better
determine the characteristics of your mail traffic.
Note Notes database views do not display encrypted fields. By default,
Domino encrypts the Subject field of messages added to the Mail
Journaling database, so when you open a view of the database, the
Subject column may be blank. To display message subjects, add “Subject”
to the “Field encryption exclusion list.”
For information on how to specify the fields to encrypt when journaling
mail, see the topic “Setting up the Mail Journaling database” earlier in
this chapter.

By Hierarchy
    Displays messages by the Internet domain hierarchy (for messages
    received over SMTP) or Notes organizational certifier hierarchy (for
    messages received over Notes routing) of the sender. The Count
    column displays separate message totals for all messages, for
    messages received from each node in the hierarchy, and for messages
    received from each sender. Expand entries for each node to view
    messages in descending order by date and time (most recent message
    first). In addition to the date, individual message entries display
    the size in bytes and the message subject, if that field is
    specified in the Field Encryption Exclusion list.

By Sender
    Displays messages by the name of the sender. Senders may be listed
    more than once: by their Internet address for messages received by
    the server over SMTP routing and by their Notes address for messages
    received over Notes routing. The Count column displays the total
    number of messages routed and the number of messages from each
    sender. Expand sender entries to view messages in descending order
    by date and time (most recent message first). In addition to the
    date, individual message entries display the size in bytes and the
    message subject, if that field is specified in the Field Encryption
    Exclusion list.

By Size
    Displays messages in descending order by size in bytes. Click the
    column head to reverse the order. Individual message entries display
    the message date, sender (From), and subject, if that field is
    specified in the Field Encryption Exclusion list.

By Date
    (Default) Displays messages in ascending order by date, with the
    most recent date last. The Count column displays the number of
    messages routed on each date. Expand date entries to view messages
    sorted in descending order by time, with the most recent message
    listed first. Individual message entries display the message time,
    sender (From), and subject, if that field is specified in the Field
    Encryption Exclusion list.

By Form
    Displays messages in ascending alphabetical order by the name of the
    Notes message form used; for example, Delivery report, Memo, Reply,
    Trace Report, and so forth. Uncategorized forms are listed last. The
    Count column displays the number of messages routed for each form
    type. Expand form entries to view messages sorted in ascending order
    by date and time. Individual message entries display the message
    date, sender (From), and subject, if that field is specified in the
    Field Encryption Exclusion list.

By Attachments
    Displays messages in ascending order by attachment size in bytes.
    Column totals provide the average size in bytes of journaled
    attachments and the total size of all journaled attachments.
    Individual message entries display the attachment name, sender
    (From), date, and subject, if that field is specified in the Field
    Encryption Exclusion list.

Viewing messages that use forms not included in the Mail Journaling
database
The Mail Journaling database does not include all of the form types that
can be used to send messages. If a message copied to the database was
sent using a form that is not part of the Mail Journaling database design,
the database substitutes the memo form to display the message. To view
the document using the original form type, copy the form design element
into the design of this database.
For information about copying forms into the database design, see Lotus
Domino Designer 6 Help.
Setting inbound and outbound MIME and character set options
You can control how servers convert MIME items and international
character sets for inbound and outbound messages by specifying options
on the Configuration Settings document.
You can specify settings for the following:
• Return receipt processing
• Primary and secondary character set groups
• Message conversion options
• Font and message options for international languages
• Advanced inbound MIME options
• Advanced outbound MIME options
• Mapping MIME types to file extensions
Enabling Domino to process return receipts for SMTP messages
When a Notes mail user sends a message to another Notes user and
selects the Return Receipt delivery option, the mail client adds the Notes
ReturnReceipt item to the message. The ReturnReceipt item on a Notes
mail message prompts the recipient’s Notes client to generate a
notification (the receipt) to the sender when the recipient opens the
message.
By default, Notes return receipts are not compatible with SMTP
messages, which use MIME headers to identify return receipt requests.
For return receipts to work seamlessly when a Notes message is
converted to MIME and vice versa, you must set up Domino to translate
between the two formats.
Enabling return receipts lets Domino honor return-receipt requests on
inbound SMTP mail and add return-receipt requests to outbound SMTP
mail. On inbound messages, Domino converts MIME return-receipt
headers to Notes “ReadReceipt” requests before delivering the message.
On outbound Internet mail, Domino maps a Notes return receipt request
to the MIME header specified in the Return Receipt Mapping field.
There are two MIME headers that can be used to request a read receipt.
You can specify which header Domino uses for outbound mail when
converting a Notes return-receipt request into a MIME return-receipt
request. The Return-Receipt-To header is the older method; the
Disposition-Notification-To header is the newer, preferred method.
Choose the method supported by the majority of the systems to which
your organization sends mail. For return receipts to work, the receiving
server and client must both support the header used. Newer mail clients
may not support the older header.
When you disable return receipts, Domino ignores the Return-Receipt-To
or Disposition-Notification-To headers on inbound SMTP mail and does
not return the return receipt to the sender. It also does not convert Notes
client requests for return receipts into a corresponding MIME header field.
Note Disabling return-receipt support affects SMTP messages only.
Internal messages sent over Notes routing continue to process return
receipts.
Enabling return receipts in your system does not guarantee that your
users will receive return receipts every time they are requested. The
Internet mail specifications do not require servers or clients to honor
return-receipt requests. If the recipient’s server does not honor the
request, it is ignored. Generally, large organizations with LAN-based
mail systems that provide their own internal return-receipt features
implement return-receipts over SMTP, while commercial Internet mail
systems, such as Web-based mail systems, tend not to.
Requesting Return Receipts from an IMAP or POP client
Disabling return receipts on a server does not affect non-Notes clients. If
users request return receipts for messages sent from an IMAP or POP
client, such as Microsoft Outlook or Netscape Messenger, the client
generates the proper MIME header (that is, either a Return-Receipt-To or
Disposition-Notification-To field in the header). Domino does not strip
the messages of the return receipt request. Domino leaves existing MIME
headers intact on outbound messages and sends a MIME message that
asks the receiving server to send a receipt when it delivers the message.
To enable return receipts
1. Make sure you already have a Configuration Settings document for
the server(s) to be configured.
2. From the Domino Administrator, click the Configuration tab and
expand the Messaging section.
3. Click Configurations.
4. Select the Configuration Settings document for the mail server or
servers you want to administer, and click Edit Configuration.
5. Click the MIME - Conversion Options - General tab.
6. Complete these fields, and then click Save & Close:

Return Receipts
    Choose one:
    • Enabled to allow the sender of a message to receive a return
      receipt.
    • Disabled to prevent the sender of a message from receiving a
      return receipt.

Return Receipt Mapping
    Choose one:
    • Use Disposition-Notification-To — (default) When converting an
      outbound Notes message that includes a return receipt request into
      MIME format, the server converts the Notes ReturnReceipt item into
      the MIME header item Disposition-Notification-To.
    • Use Return-Receipt-To — When converting an outbound Notes message
      that includes a return receipt request into MIME format, the
      server converts the Notes ReturnReceipt item into the MIME header
      item Return-Receipt-To.
    This field appears only if you enable Return Receipts.

Note Domino does not map the Return Receipt request to one of the
MIME headers if the address specified in the
Disposition-Notification-To or Return-Receipt-To header does not
match the sender’s address. Domino sends return receipts only to the
sender.
7. The change takes effect after the next Router configuration update.
To put the new setting into effect immediately, reload the routing
configuration.
For information on how to reload the routing configuration, see the
chapter “Setting Up Mail Routing.”
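The outbound mapping and inbound conversion described in this procedure, as an added Python example that is not Domino code. It maps a Notes ReturnReceipt item to the header selected by the Return Receipt Mapping setting, ignores receipt headers on inbound mail when the feature is disabled, and applies the sender-address check from the note above to inbound requests as well, which is this example’s own choice: a receipt request that names an address other than the sender is dropped rather than answered. The dict standing in for a Notes document, the function names and the constructed addresses are assumptions.

```python
from email import message_from_string
from email.message import EmailMessage
from email.policy import default
from email.utils import parseaddr

# Values of the Return Receipt Mapping field and the header each selects.
USE_DNT = "Use Disposition-Notification-To"   # default
USE_RRT = "Use Return-Receipt-To"
HEADER_FOR = {USE_DNT: "Disposition-Notification-To",
              USE_RRT: "Return-Receipt-To"}
RECEIPT_HEADERS = tuple(HEADER_FOR.values())


def notes_to_mime(notes_msg, return_receipts=True, mapping=USE_DNT):
    """Outbound: convert a Notes-style message (a dict standing in for a
    Notes document, with From, SendTo, Subject, Body and an optional
    ReturnReceipt item) into a MIME message."""
    mime = EmailMessage()
    mime["From"] = notes_msg["From"]
    mime["To"] = notes_msg["SendTo"]
    mime["Subject"] = notes_msg.get("Subject", "")
    mime.set_content(notes_msg.get("Body", ""))
    if return_receipts and notes_msg.get("ReturnReceipt") == "1":
        # Receipts go only to the sender, so the header carries the
        # sender's own address; the mapping setting picks the header.
        mime[HEADER_FOR[mapping]] = notes_msg["From"]
    return mime


def parse_inbound(raw):
    """Parse raw SMTP message text into an EmailMessage."""
    return message_from_string(raw, policy=default)


def mime_to_notes(mime, return_receipts=True):
    """Inbound: turn a MIME receipt-request header into a Notes ReadReceipt
    request. With return receipts disabled the headers are ignored. With
    them enabled, a request is honored only if its address is the
    sender's, so no receipt is ever generated for a third-party address
    placed in the header."""
    notes_msg = {"From": mime["From"], "SendTo": mime["To"],
                 "Subject": mime["Subject"] or ""}
    if not return_receipts:
        return notes_msg
    sender = parseaddr(mime["From"] or "")[1].lower()
    for header in RECEIPT_HEADERS:
        value = mime[header]
        if value and sender and parseaddr(value)[1].lower() == sender:
            notes_msg["ReadReceipt"] = "1"
            break
    return notes_msg
```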
Setting the primary and secondary character set groups
In the text parts of a MIME message, character set tags, such as US-ASCII
or EUC-KR (Korean), specify how Domino interprets the text data and
renders it into recognizable characters. The value that represents a
character in one character set can represent a different character in
another character set.
When converting a MIME message into Notes rich-text, Domino uses the
information in the character set tags to determine the appropriate
characters for representing the message text. Similarly, when Domino
converts a Notes rich-text message into MIME, it must determine which
MIME character set tag to apply.
On the MIME - Basics tab of the Configuration Settings document, you
can define a primary character set group and one or more secondary
character set groups. These primary and secondary choices control,
among other things, how Domino detects character sets to correctly
identify ambiguous text data in a message when converting inbound
MIME messages to Notes rich-text and outbound Notes rich-text
message to MIME.
Note If your organization sends and receives messages that use
US-ASCII characters only, there’s no need to change the default settings.
Domino can interpret text represented in 16 different character set
groups (also known as language groups) including the Unicode standard
for encoding character systems (www.unicode.org). A language group
can correspond to a single language (for example, Japanese) or to a
region where multiple languages use more or less the same characters
(for example, Central Europe). A language group can also support
multiple character sets.
For a list of character set groups and the language codes associated with
them, see the topic “Language codes supported in Notes and Domino”
later in this chapter.
If the MIME messages your organization receives always contained the
correct character set information, there would be no need to change the
default settings. However, some mail systems do not provide character
set information when sending mail. For example, older mail systems may
not support MIME at all, and some Web-based systems enable users to
create messages in a given language but don’t correctly generate MIME
character set information when sending the message. Thus a user
sending mail from a Web-based mail system might be able to compose
and send messages written in Chinese, but in the sent message, the
character set tag US-ASCII is incorrectly applied to the message text. If
your SMTP server is configured to use the default character set group, it
would be unable to correctly convert this message.
In such cases, Domino examines incoming messages to determine the
byte range used and identify unique control codes. It then attempts to
match patterns in the incoming message to a probable character set. This
process is effective in distinguishing among certain character sets only.
For example, it can correctly distinguish messages in the CJKT languages
(Simplified Chinese, Japanese, Korean, and Traditional Chinese) from
each other and from an English message, but it cannot distinguish
between messages in English and messages in other Western languages,
which tend to use identical bytes and byte ranges.
To ensure accurate character set detection for the CJKT languages,
configure a priority order among the languages by specifying a primary
and secondary character set group. For example, if Domino cannot distinguish
whether a MIME message uses EUC-KR (a Korean character set) or
GB2312 (a Simplified Chinese character set), it uses the priority order
assigned to the primary and secondary character set groups to determine
which character set to use in converting the message to Notes rich-text.
Domino chooses the primary character set first, then the secondary
character set (in an undefined order — the order of multiple secondary
choices doesn’t matter), then the operating system group (for operating
systems such as Windows NT where the locale can be queried).
When converting outbound messages to MIME format, Domino chooses
a MIME character set based on the text of the message. Outbound
messages are examined by the Router and the appropriate character set is
selected for the message. For example, messages in Japanese are
converted using the ISO-2022-JP character set; messages in Simplified
Chinese, using the GB character set; messages in Traditional Chinese,
using the Big5 character set; and messages in French, using the
ISO-8859-1 character set. When Domino cannot automatically detect
which character set to use, as with some European languages, it refers to
the primary, secondary, and operating system groups, in that order, to
determine which character set to use. For example, if all of the characters
in a message could be French or Turkish, Domino uses the information
about the primary and secondary character set groups to determine
which character set to use.
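The priority-order detection described above, as an added Python illustration that is not Domino’s detector. It checks which of the configured groups’ charsets decode a text part without error and, where more than one does (EUC-KR and GB2312 use the same byte ranges), resolves the ambiguity with the primary group, then the secondary groups, then the operating-system group. The group-to-charset table and the constructed Korean sample are this example’s own; the 7-bit ISO-2022-JP encoding, which relies on escape sequences, is left out of this simplified model.

```python
import codecs

# Constructed mapping of language groups to candidate charsets (the group
# names follow the page; which charsets belong to a group is assumed here).
GROUP_CHARSETS = {
    "Korean": ["EUC-KR"],
    "Simplified Chinese": ["GB2312"],
    "Traditional Chinese": ["Big5"],
    "Japanese": ["EUC-JP"],
    "Western": ["ISO-8859-1"],
}

# Constructed sample: the word "Hangul" in Korean, encoded as EUC-KR, the
# kind of text a Web mail system might send tagged as US-ASCII.
SAMPLE_KOREAN = "\ud55c\uae00".encode("euc_kr")


def decodes_cleanly(data, charset):
    """True if every byte sequence in data is valid in charset."""
    try:
        codecs.decode(data, charset)   # strict decoding raises on any error
        return True
    except (UnicodeDecodeError, LookupError):
        return False


def detect_charset(data, tagged, primary, secondary=(), os_group=None):
    """Return (charset, text) for one MIME text part.

    A US-ASCII tag on pure 7-bit data, or a non-ASCII tag under which the
    data decodes, is trusted as-is. Otherwise the data is tried against
    the charsets of the primary group, then the secondary groups (their
    order does not matter), then the operating-system group; the first
    clean decode wins, which is what turns EUC-KR versus GB2312 into a
    configuration decision rather than a guess."""
    tag = tagged.upper()
    if tag == "US-ASCII" and all(b < 0x80 for b in data):
        return "US-ASCII", data.decode("ascii")
    if tag != "US-ASCII" and decodes_cleanly(data, tagged):
        return tagged, codecs.decode(data, tagged)
    order = [primary, *secondary] + ([os_group] if os_group else [])
    for group in order:
        for charset in GROUP_CHARSETS.get(group, []):
            if decodes_cleanly(data, charset):
                return charset, codecs.decode(data, charset)
    return None, None   # undetectable with the configured groups
```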
To set the primary and secondary character set groups
1. Make sure you already have a Configuration Settings document for
the server(s) to be configured.
2. From the Domino Administrator, click the Configuration tab and
expand the Messaging section.
3. Click Configurations.
4. Select the Configuration Settings document for the mail server or
servers you want to administer, and click Edit Configuration.
5. Click the Basics tab, and in the field International MIME Settings for
this document, select Enabled.
6. Click the MIME - Basics tab.
7. Complete the following fields and click Save & Close:

Primary character set group
   The character set group for this domain’s primary language. English is
   the default value. Choose the language or region appropriate for your
   organization, for example, Simplified Chinese.

Secondary character set groups
   The character set groups for other languages typically used in this
   domain. By default, no secondary character set group is configured.
   Choose the language or region(s) appropriate for your organization, for
   example, Western. You can specify multiple secondary character set
   groups.

8. The change takes effect after the next Router configuration update.
To put the new setting into effect immediately, reload the routing
configuration.
For information on how to reload the routing configuration, see the
chapter “Setting Up Mail Routing.”
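The priority rule described above (primary group first, then the secondary groups, then the operating system group) matters only when the same bytes decode cleanly under more than one character set. The following Python is an added illustration, not code from Domino or this guide: it lists every character set in the configured groups that accepts the bytes and lets the configured order break the tie. The group-to-codec mapping is an assumption built from the language code table in this chapter, and the two-byte sample is constructed to be valid in both EUC-KR and GB2312.

```python
# Character set groups from the Configuration Settings document mapped to
# the MIME character sets listed for them in this chapter, using Python
# codec names (the mapping is an assumption for this example, not Domino's).
GROUP_CHARSETS = {
    "Korean": ["euc-kr", "iso-2022-kr"],
    "Simplified Chinese": ["gb2312", "gb18030"],
    "Western": ["iso-8859-1", "windows-1252"],
    "Japanese": ["iso-2022-jp", "shift_jis"],
}


def candidate_charsets(data, groups):
    """Return (group, charset, text) for every charset of *groups* that
    decodes *data* without error. More than one hit means the bytes are
    ambiguous and only a priority rule can break the tie."""
    hits = []
    for group in groups:
        for charset in GROUP_CHARSETS[group]:
            try:
                hits.append((group, charset, data.decode(charset)))
            except UnicodeDecodeError:
                continue
    return hits


def resolve_charset(data, primary, secondary=(), os_group=None):
    """Pick the character set for unlabelled inbound text.

    Tiers follow the page: the primary group wins, then the secondary
    groups (their mutual order is not significant), then the group of the
    operating system locale. Returns (charset, decoded_text), or None when
    no candidate decodes the bytes."""
    tiers = [[primary], [g for g in secondary if g != primary]]
    if os_group and os_group != primary and os_group not in secondary:
        tiers.append([os_group])
    for tier in tiers:
        hits = candidate_charsets(data, tier)
        if hits:
            _group, charset, text = hits[0]
            return charset, text
    return None


# Constructed sample: the two bytes B0 A1 form a valid double-byte character
# in both EUC-KR (the syllable 가) and GB2312 (the hanzi 啊).
AMBIGUOUS = b"\xb0\xa1"

if __name__ == "__main__":
    print(resolve_charset(AMBIGUOUS, "Korean", ["Simplified Chinese"]))
    print(resolve_charset(AMBIGUOUS, "Simplified Chinese", ["Korean"]))
    print(resolve_charset(b"caf\xe9", "Korean", ["Western"]))
```

Swapping the primary and secondary groups changes which reading wins, which is exactly why an administrator for a mixed Korean and Chinese domain should set the primary group deliberately rather than leaving the default.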
Language codes supported in Notes and Domino
The following table lists each character set group supported in Notes and
Domino Release 6 together with the character set language codes and
encoding types for that group. Where multiple language codes or
encoding types may be used for a given character set group, the default
code and encoding for the group are listed first. For each character set
group, the default character set language code and encoding are the
same for message bodies and headers unless otherwise indicated.
28-120 Administering the Domino System, Volume 1

Character set group    Character set language code               Header and body encoding
Arabic                 Windows-1256, ISO-8859-6                  Base64, Quoted Printable, None
Baltic Rim             Windows-1257                              Quoted Printable, Base64, None
Central Europe         ISO-8859-2, Windows-1250                  Quoted Printable, Base64, None
Cyrillic               KOI8-R, ISO-8859-5, Windows-1251          Base64, Quoted Printable, None
English                US-ASCII                                  None, Base64, Quoted Printable
Greek                  Windows-1253, ISO-8859-7                  Base64, Quoted Printable, None
Hebrew                 Windows-1255, ISO-8859-8, ISO-8859-8-I    Base64, Quoted Printable, None
Japanese               ISO-2022-JP                               Header: Base64, Quoted Printable, None
                                                                 Body: None, Base64, Quoted Printable
Korean                 Header: EUC-KR, ISO-2022-KR               Header: Base64, Quoted Printable, None
                       Body: ISO-2022-KR, EUC-KR                 Body: None, Base64, Quoted Printable
Simplified Chinese     GB2312, GB18030, HZ-GB2312                Base64, Quoted Printable, None
Thai                   TIS-620                                   Base64, Quoted Printable, None
Traditional Chinese    Big5, EUC-TW                              Base64, Quoted Printable, None
Turkish                Windows-1254, ISO-8859-9                  Quoted Printable, Base64, None
Unicode                UTF-8, UTF-7                              Base64, Quoted Printable, None
Vietnamese             Windows-1258, TCVN3                       Quoted Printable, Base64, None
Western                ISO-8859-1, ISO-8859-15, Windows-1252     Quoted Printable, Base64, None

Specifying inbound and outbound MIME conversion options


If a server sends or receives messages in MIME format, you can set
options to control how Domino:
• Converts outbound Notes rich-text messages into MIME for sending over
  SMTP
• Converts inbound messages received in MIME format into Notes rich-text
  messages
Configuring how Domino converts outbound Notes rich-text
messages to MIME format
Outbound conversion options apply to messages exported from the
server. This includes Notes rich-text messages sent outbound over SMTP
to another Domino server or other mail host and messages retrieved by
the IMAP or POP3 service for sending to a client.
Settings in this section do not apply to messages delivered to mail files on
the server or messages transferred over Notes routing. Nor do they apply
to messages sent in MIME format from the client — either messages sent
by POP3 or IMAP clients or messages from a Notes client where the
Location document specifies the use of MIME format for messages sent
to Internet addresses.
Note If the Internet mail format specified in the client’s current Location
document is set to Notes rich-text (Mail tab - Format for messages
addressed to Internet addresses), the client sends all messages in Notes
rich-text, even if the Internet mail format in the User Preferences dialog
box (File - Preferences - User Preferences - Mail - Internet - Internet Mail
Format) is set to send HTML.
Providing the richest content when converting messages on
internal servers
By default, when converting messages in Notes rich-text format to MIME
format, Domino generates MIME messages in plain text format only,
resulting in a loss of formatting. This default setting, which is required to
ensure that recipients can read messages that are received by SMTP
servers that do not correctly process multipart MIME messages, is not
necessary for internal servers. To enable conversion on internal servers to
generate the richest possible MIME from messages in Notes format,
change the default Message Content setting to “Convert from Notes to
Plain Text and HTML.”
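The three Message Content settings produce three different MIME trees, and the difference is easiest to see by building them. The following Python is an added illustration, not code from Domino or this guide: it uses the standard library's email package to assemble each structure the way the Outbound tab describes it (text/plain only, HTML with inline images in multipart/related, or a multipart/alternative pair, each wrapped in multipart/mixed once attachments are present) and returns the content-type tree. The sample text, the stand-in PNG bytes and the stand-in PDF bytes are constructed for the example.

```python
from email.message import EmailMessage

# Constructed sample content; none of it comes from a real message.
TEXT = "Quarterly figures attached.\nRegards, Sales"
HTML = '<p>Quarterly figures attached.</p><img src="cid:logo@example">'
LOGO = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16   # constructed stand-in for a PNG
REPORT = b"%PDF-1.4 constructed placeholder\n"


def convert_outbound(mode, text=TEXT, html=HTML, images=(), attachments=()):
    """Build the MIME structure for one Message Content setting.

    mode is 'plain', 'html' or 'alternative'; images is a list of
    (content-id, bytes) inline images; attachments a list of (filename, bytes)."""
    msg = EmailMessage()
    msg["Subject"] = "Q3 figures"
    if mode == "plain":
        msg.set_content(text)
        # No HTML can reference them, so inline images become ordinary
        # attachments that follow the text/plain part.
        for cid, data in images:
            msg.add_attachment(data, maintype="image", subtype="png",
                               filename=cid.strip("<>") + ".png")
    elif mode == "html":
        msg.set_content(html, subtype="html")
        for cid, data in images:            # turns text/html into multipart/related
            msg.add_related(data, maintype="image", subtype="png", cid=cid)
    elif mode == "alternative":
        msg.set_content(text)
        msg.add_alternative(html, subtype="html")   # multipart/alternative
        html_part = msg.get_payload()[1]
        for cid, data in images:            # related part wraps only the HTML side
            html_part.add_related(data, maintype="image", subtype="png", cid=cid)
    else:
        raise ValueError(f"unknown Message Content setting: {mode}")
    for filename, data in attachments:
        # Whatever exists so far is wrapped in multipart/mixed, attachment last.
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=filename)
    return msg


def structure(msg):
    """Content-type tree of a message, e.g.
    ['multipart/mixed', 'text/plain', 'application/octet-stream']."""
    if msg.is_multipart():
        return [msg.get_content_type()] + [structure(p) for p in msg.iter_parts()]
    return msg.get_content_type()


if __name__ == "__main__":
    for mode in ("plain", "html", "alternative"):
        m = convert_outbound(mode, images=[("<logo@example>", LOGO)],
                             attachments=[("q3.pdf", REPORT)])
        print(mode, structure(m))
```

A gateway that cannot handle multiple text parts is the reason the plain-text tree is the default: it never contains a multipart/alternative node, whereas the internal-server setting always does.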
To specify outbound MIME conversion options
1. Make sure you already have a Configuration Settings document for
the server(s) to be configured.
2. From the Domino Administrator, click the Configuration tab and
expand the Messaging section.
3. Click Configurations.
4. Select the Configuration Settings document for the mail server or
servers you want to administer, and click Edit Configuration.
5. Click the MIME - Conversion Options - Outbound tab.
6. Complete the following fields and then click Save & Close:

Attachment encoding method
   When a Notes client sends a rich-text message with a file attachment
   that contains 8-bit data — for example, program, image, sound, video,
   and application files — Domino encodes the attachment data as ASCII
   text for SMTP transport. Choose the encoding method best suited to the
   file types sent and supported by the majority of likely message
   recipients. Choose one of the following:
   • Base64 — (default) This is the preferred method for encoding non-text
     data attachments when sending messages to recipients who use
     MIME-compliant mail programs. Domino adds a MIME tag to describe what
     type of file was sent. Sending files with MIME encoding ensures that
     the recipient receives binary (non-text) data intact. Base64 encoding
     converts binary data in attachments into a subset of the US-ASCII
     character set and is slightly more efficient than UUencode, resulting
     in a transmitted file approximately 37% larger than the original.
   • Quoted Printable — This method is best suited to sending text-based
     files to recipients that use MIME-compliant mail programs.
     Quoted-Printable (QP) encoding replaces each special character in the
     attachment with an equal sign “=” followed by two hexadecimal digits,
     which represent the 8-bit character code. Printable ASCII characters
     are left unencoded. QP provides efficient encoding of text-based
     files, creating an encoded file that’s only a fraction larger than the
     original. However, for non-text files, QP encoding can result in
     encoded files that are two to three times the size of the original.
   • UUencode — Use UNIX-to-UNIX encoding on servers that send message
     attachments primarily to recipients who use UNIX or older PC mail
     programs. UUencode increases the size of the encoded file by about
     42%.
   • BinHex — Use primarily when sending binary data to recipients who use
     Macintosh mail programs.
   This field does not control encoding for messages sent from the
   Macintosh version of the Notes client. To configure attachment encoding
   for messages sent from Macintosh clients, use the field “Macintosh
   attachment conversion” on the MIME - Advanced - Advanced Outbound
   Message Options tab.

Message Content
   Specifies how Domino structures the MIME content of messages when
   converting Notes rich-text messages before sending them over SMTP.
   Choose one:
   • Convert from Notes to plain text — (default) Domino converts the text
     in a Notes rich-text document to plain text. If the message contains
     file attachments or images, Domino creates a multipart/mixed MIME
     message with the images and attachments following the text/plain
     part. Use this option in organizations that send most of their
     outbound SMTP mail to mail systems that are unable to handle MIME
     messages containing multiple text parts (for example, messages with a
     multipart/alternative structure that includes text/plain and
     text/html parts).
   • Convert from Notes to HTML — Domino converts the text in a Notes
     rich-text document to HTML. If the message contains file attachments,
     Domino creates a multipart/mixed MIME message and includes the
     attachment in that part. If the message contains images, Domino
     includes the images in the message body by creating a
     multipart/related part.
   • Convert from Notes to Plain Text and HTML — Select this option on
     internal servers for Domino to best preserve rich-text content when
     converting messages from Notes format to MIME. Domino converts the
     text in a Notes rich-text document to both plain text and HTML by
     creating a multipart/alternative body part that contains both the
     text/plain and text/html parts. If the message contains file
     attachments, Domino creates a multipart/mixed MIME message and
     includes the attachment in that part. If the message contains images,
     Domino creates a multipart/related part and includes the image in that
     part along with the text parts.
   • Create multi-part alternative including conversion and encapsulation
     — Domino converts Notes rich-text messages and creates an additional
     file attachment that contains a Notes database with the original
     message in it. This option results in a message nearly twice the size
     of the original. Use this option only in organizations that send most
     of their outbound SMTP mail to recipients using Notes 4.x clients.

Convert tabs to spaces
   Choose one:
   • Yes — Enables the Router to change tabs to spaces when converting
     outbound messages to MIME format. Use this option only in
     organizations that send most of their outbound SMTP mail to recipients
     using mail clients that do not recognize tabs.
   • No — (default) The Router does not change tabs to spaces when
     converting outbound messages to MIME format.

Outbound line length
   (Default = 75) The maximum line length from left to right for the body
   of outbound messages; useful when a message contains long lines of text
   without spaces — for example, URLs. If there is a table or forwarded
   mail headers, then the line length default is doubled so no line break
   occurs until 150.

Lookup Internet address for all Notes addresses when Internet address is
not defined in document
   All addresses on messages sent to Internet recipients must be in
   Internet format (RFC 821/822 format). A Notes user may send a message
   to both Notes addresses and Internet addresses. To specify how Domino
   converts the addresses of Notes recipients on messages sent to the
   Internet, choose one:
   • Enabled — On outbound Internet messages, if the address of any
     recipient is in Notes format, Domino reads the user’s Internet address
     from the Person document and adds it to the message before sending.
   • Disabled — (default) Domino forms Internet addresses by converting
     spaces into underscores and encoding Domino domains with percent
     signs. For example: John_Smith%Notes@acme.com

7. The change takes effect after the next Router configuration update.
To put the new setting into effect immediately, reload the routing
configuration.
For information on how to reload the routing configuration, see the
chapter “Setting Up Mail Routing.”
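The size figures quoted for the attachment encoding methods (Base64 roughly 37% larger, UUencode about 42%, Quoted-Printable close to the original for text but two to three times larger for binary data) can be checked directly. The following Python is an added illustration, not code from Domino or this guide: it encodes a constructed binary sample and a constructed ISO-8859-1 text sample with each method using the standard library and reports the size ratio. BinHex is left out because it is Macintosh-specific and the standard library has no encoder for it.

```python
import base64
import binascii
import quopri
import random


def uuencode(data):
    """UUencode *data* as a mail gateway would: a begin line, one
    length-prefixed line per 45-byte chunk, and the end marker."""
    lines = [b"begin 644 attachment\n"]
    for i in range(0, len(data), 45):
        lines.append(binascii.b2a_uu(data[i:i + 45]))
    lines.append(b"`\nend\n")
    return b"".join(lines)


def encoded_sizes(data):
    """Size ratio (encoded length / original length) for each attachment
    encoding method on the Outbound tab except BinHex."""
    n = len(data)
    return {
        "base64": len(base64.encodebytes(data)) / n,
        "quoted-printable": len(quopri.encodestring(data)) / n,
        "uuencode": len(uuencode(data)) / n,
    }


# Constructed samples: 12 000 pseudo-random bytes stand in for a binary
# attachment; a repeated ISO-8859-1 sentence with a few accented letters
# stands in for a text attachment.
_rng = random.Random(2024)
BINARY_SAMPLE = bytes(_rng.randrange(256) for _ in range(12000))
TEXT_SAMPLE = ("Résumé du projet : les chiffres du trimestre sont en pièce "
               "jointe.\n" * 40).encode("iso-8859-1")

if __name__ == "__main__":
    for label, sample in (("binary", BINARY_SAMPLE), ("text", TEXT_SAMPLE)):
        for method, ratio in encoded_sizes(sample).items():
            print(f"{label:6} {method:16} {ratio:5.2f}x")
```

The binary sample shows why Quoted-Printable is the wrong default for a server that mostly relays program or image files: every byte outside printable ASCII costs three output characters, so the encoded attachment more than doubles, while Base64 and UUencode grow by a fixed third plus line overhead regardless of content.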
Configuring how Domino converts inbound MIME messages to
Notes rich-text
Inbound conversion options apply to messages received over SMTP in
MIME format, which must be converted to Notes rich-text format.
Conversion to Notes rich-text format is necessary when the storage
preference for the recipient’s mail file is set to Notes rich-text format, or
when the route to the destination mail file includes Domino servers
earlier than Release 5.
1. Make sure you already have a Configuration Settings document for
the server(s) to be configured.
2. From the Domino Administrator, click the Configuration tab and
expand the Messaging section.
3. Click Configurations.
4. Select the Configuration Settings document for the mail server or
servers you want to administer, and click Edit Configuration.
5. Click the MIME - Conversion Options - Inbound tab.
6. Complete the following fields and then click Save & Close:

Use character set auto-detection if message has no character set
information
   Choose one of the following:
   • Yes — Domino examines the text of inbound messages to determine the
     character set if it is not specified in the message. Select this
     option if your site routinely receives non-MIME messages that are
     encoded in character sets other than ASCII. Provides the most accurate
     rendering of the original character information, but slows
     performance.
   • No — (default) Character set auto-detection is disabled.

7. The change takes effect after the next Router configuration update.
To put the new setting into effect immediately, reload the routing
configuration.
For information on how to reload the routing configuration, see the
chapter “Setting Up Mail Routing.”
Setting font and message options for international languages
A single Domino SMTP server can handle inbound and outbound
messages in any language group or character set, including double-byte
character sets. For each character set group, for example, Simplified
Chinese, Domino provides default settings that control how servers
convert messages in that character set group from Notes rich-text format
to MIME and vice-versa. You can change the default settings to
customize conversions for specific languages.
Inbound settings specify font options that control how the text of a MIME
message using a given character set tag displays in Notes. Outbound
settings determine the character set tag and encoding to apply when
converting Notes rich-text messages to MIME.
1. Make sure you already have a Configuration Settings document for
the server(s) to be configured.
2. From the Domino Administrator, click the Configuration tab and
expand the Messaging section.
3. Click Configurations.
4. Select the Configuration Settings document for the mail server or
servers you want to administer, and click Edit Configuration.
5. Click the Basics tab. If it is not already selected, select the field
“International MIME Settings for this document.”
6. Click the MIME - Settings by Character Set Groups tab.
7. Complete the following fields and then click Save & Close:

For outbound message options below use all possible choices (Advanced
users)
   When unchecked (default), Domino’s Outbound Message Options are set to
   use the standard character set and encoding method for the language
   group specified in the field “MIME settings by character set.” The
   options in the Character Set field are limited to the standard
   character sets for the language group. Check this box to enable use of
   nonstandard character set choices in the header and body of messages in
   any language group.

MIME settings by language group
   Click the drop-down list to choose the character set group to
   configure. You can accept the default settings or configure specific
   settings for one or more language groups. The language group displayed
   at the time you save and close the document is not the only one for
   which Domino saves settings. After you save the Configuration Settings
   document, Domino retains the settings for each language group that you
   modified.

These fields allow you to override default values for character sets,
fonts, and so on, for individual character set groups.
Note If no Server Configuration document exists, Domino uses the
default typeface and point size settings. The default typeface used
for HTML text is Default Sans Serif, and the point size is determined
by the sender of the message. The default typeface for Plain Text
(US-ASCII) is Default Monospace with point size of 10.
To set character set options for inbound messages
1. From the Domino Administrator, click the Configuration tab and
expand the Messaging section.
2. Click Configurations.
3. Select the Configuration Settings document for the mail server or
servers you want to administer, and click Edit Configuration.
4. Click the MIME - Settings by Character Set Groups tab.
5. In the Inbound Message Options - Font Options section, complete the
following fields, and then click Save & Close:

HTML Proportional
   The typeface style to be used for proportional type in inbound SMTP
   messages. (default = Default Serif)

HTML Monospaced
   The typeface to be used for monospaced type in inbound SMTP messages.
   (default = Default Monospace)

HTML Size
   The point size to use for HTML text in inbound SMTP messages.
   (default = 12)

Plain text
   The typeface to be used for plain text in inbound SMTP messages.
   (default = Default Monospace)

Plain text size
   The point size to use for plain text in inbound SMTP messages.
   (default = 10)

Note The font list displays every font available to the client system.
However, when converting messages, Domino uses the “Default”
fonts (Default Serif, Default Sans Serif, Default Monospace, and
Default Multilingual) only. If you select a font other than one of the
four “Default” fonts, Domino converts the text in all incoming
messages to Default Monospace.
6. The change takes effect after the next Router configuration update.
To put the new setting into effect immediately, reload the routing
configuration.
For information on how to reload the routing configuration, see the
chapter “Setting Up Mail Routing.”
To set character set options for outbound messages
You can specify the character set and encoding type for the header and
body text of outbound messages. The settings you select do not affect
attachments. For each language (or region) there is a default character
set. For example, for Western Europe the default character set is
ISO-8859-1, but other Latin character sets can also be used. You can
indicate the specific character set and encoding to be used for outbound
SMTP message headers and body content. In general, use the same
character set for both the headers and the body of outbound messages.
However, because some character set groups, such as Korean, typically
use different character sets for the headers and body, by default, for
these languages, the character set specified for header text differs from
the character set for body text.
For a complete list of character set groups and the default character sets
used in the headers and body of messages in those groups, see the topic
“Language codes supported in Notes and Domino” earlier in this
chapter.
1. From the Domino Administrator, click the Configuration tab and
expand the Messaging section.
2. Click Configurations.
3. Select the Configuration Settings document for the mail server or
servers you want to administer, and click Edit Configuration.
4. Click the Basics tab and select “International MIME settings for this
document.”
5. Click the MIME - Settings by Character Set Groups tab.
6. In the Outbound Message Options section, complete the following
fields, and then click Save & Close:

Header - Character Set
   The character set Domino uses to display message headers. The default
   entry depends on the character set language group currently selected
   in the field “MIME settings by character set group.” In most cases, the
   default entry is the best choice for representing header text for this
   language group.

Body - Character Set
   The character set used to display the message body. The default entry
   depends on the character set language group currently selected in the
   field “MIME settings by character set group.” In most cases, the
   default entry is the best choice for representing body text for this
   language group.

Header - Encoding
   The encoding method for outbound headers. The default entry depends on
   the character set language group currently selected in the field “MIME
   settings by character set group.” In most cases, the default entry is
   the best choice for encoding header text for this language group.
   Choose one:
   • Base64
   • Quoted Printable
   • None

Body - Encoding
   The encoding method for outbound body text. The default entry depends
   on the character set language group currently selected in the field
   “MIME settings by character set group.” In most cases, the default
   entry is the best choice for encoding body text for this language
   group. Choose one:
   • Base64
   • Quoted Printable
   • None

7. The change takes effect after the next Router configuration update.
To put the new setting into effect immediately, reload the routing
configuration.
For information on how to reload the routing configuration, see the
chapter “Setting Up Mail Routing.”
Setting advanced inbound MIME options
Set advanced inbound MIME options to control how servers process
certain address headers and how servers decipher messages using
undefined or incorrectly defined character sets.
1. From the Domino Administrator, click the Configuration tab and
expand the Messaging section.
2. Click Configurations.
3. Select the Configuration Settings document for the mail server or
servers you want to administer, and click Edit Configuration.
4. Click the MIME - Advanced - Advanced Inbound Message Options tab.
5. Complete the following fields, and then click Save & Close:

Resent headers take precedence over original headers
   Specifies whether Domino uses resent- headers on inbound messages. When
   forwarding a message, some mail programs add header lines that describe
   the forwarding sender. These headers begin with the resent- prefix,
   such as “Resent-From:”. The received message contains both the resent-
   headers and headers describing the original sender, for example:
      From: original-sender
      Resent-From: forwarding-sender
   When generating a reply to a forwarded message, some older mail
   programs address the reply to the address specified in the resent-from
   header. However, most modern mail programs consider resent- headers to
   be for informational purposes only and do not normally use them to
   generate replies. Instead, when forwarding a message, a MIME-compliant
   mail program creates a new message and encapsulates the original
   message within this message as a MIME body part of content type
   message. Choose one:
   • Enabled — When receiving a forwarded message over SMTP, Domino places
     the value of the Resent-From header in the From header. Select this
     option only if a large number of users in your organization find that
     when replying to Internet messages that use resent- headers, their
     replies are incorrectly addressed to the original sender, rather than
     the forwarding sender.
   • Disabled — (default) Domino ignores resent- headers in inbound
     messages.

Remove group names from headers
   Specifies whether Domino preserves the names of Internet distribution
   lists in the message headers of inbound messages. RFC 822 specifies use
   of a group construct to allow Internet address headers to include
   distribution lists. Groups are designated using either of the following
   formats:
      Groupname:;
      groupname: person1@domain.com, person2@domain.com, person3@domain.com;
   This option does not control the use of Notes/Domino group names in
   recipient lists. Choose one:
   • Yes — Domino strips RFC 822 group names from address headers on
     incoming SMTP messages.
   • No — (default) Domino preserves RFC 822 group names in the address
     headers of incoming SMTP messages.

If each recipient’s address does not appear in any address header, then
add their address to the BCC list
   Choose one:
   • Yes — Enables Domino to resolve differences between addresses in the
     SMTP RCPT TO commands and the RFC 822 message header. If an address is
     referenced in the SMTP RCPT TO command, but not in the message header,
     Domino creates a new copy of the message and places the address in
     the BCC: field of the new message.
   • No — (default) Domino ignores differences between the recipients
     listed in the RCPT TO command and the message header.

For non-MIME messages or MIME messages with an unknown character set,
8-bit character set is assumed to be
   Specifies the default character set that Domino uses to render messages
   with 8-bit characters if the message does not contain character set
   information, and automatic character set detection is disabled (on the
   MIME - Conversion Options - Inbound tab).

Character set name aliases
   Enter the substitute name for the equivalent character set so that the
   MIME text can be converted correctly. An alias allows a character set
   name tag in an inbound message to be treated as though it were a
   different character set. For example, mapping “ISO-8859-1” to “KOI8-R”
   would be useful in an environment where incoming messages are
   frequently labeled as ISO-8859-1 (Western) when the data is really
   KOI8-R (Cyrillic).

6. The change takes effect after the next Router configuration update.
To put the new setting into effect immediately, reload the routing
configuration.
For information on how to reload the routing configuration, see the
chapter “Setting Up Mail Routing.”
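The advanced inbound options above are all header and charset rewrites that can be exercised on a single message. The following Python is an added illustration, not code from Domino or this guide: it parses one constructed inbound message (forwarded with a Resent-From header, addressed through an RFC 822 group, and with a body tagged ISO-8859-1 that really contains KOI8-R bytes), applies the resent-header precedence, group-name removal, RCPT TO to BCC reconciliation and character set alias options, and returns the adjusted message and decoded body. The message bytes and the envelope recipient list are constructed for the example; the assumed 8-bit charset default mirrors the field above.

```python
from email import message_from_bytes, policy

# Constructed inbound message: forwarded by a mailer that adds resent-
# headers, addressed through an RFC 822 group, and with a body labelled
# ISO-8859-1 although the bytes are really KOI8-R (the mislabelling case
# the alias field is meant for). Not a real captured message.
RAW = (
    b"From: original-sender@example.org\r\n"
    b"Resent-From: forwarder@example.net\r\n"
    b"To: sales-team: alice@acme.example, bob@acme.example;\r\n"
    b"Cc: Undisclosed recipients:;\r\n"
    b"Subject: forwarded figures\r\n"
    b"MIME-Version: 1.0\r\n"
    b"Content-Type: text/plain; charset=iso-8859-1\r\n"
    b"Content-Transfer-Encoding: 8bit\r\n"
    b"\r\n"
) + "Привет\r\n".encode("koi8-r")

# Envelope recipients (RCPT TO) the receiving server saw for this message.
RCPT_TO = ["alice@acme.example", "bob@acme.example", "carol@acme.example"]


def apply_inbound_options(raw, rcpt_to, *, resent_headers_take_precedence=False,
                          remove_group_names=False, add_missing_to_bcc=False,
                          charset_aliases=None, assumed_8bit_charset="iso-8859-1"):
    """Apply the advanced inbound options to one message.

    Returns (message, body_text). Domino creates a new copy of the message
    for the BCC case; here the header is added to the parsed message."""
    msg = message_from_bytes(raw, policy=policy.default)

    # Resent headers take precedence over original headers
    if resent_headers_take_precedence and msg["Resent-From"] is not None:
        msg.replace_header("From", str(msg["Resent-From"]))

    # Remove group names from headers: keep the member addresses and drop
    # the group name; an empty group such as "Undisclosed recipients:;"
    # leaves nothing behind, so that header goes away entirely.
    if remove_group_names:
        for name in ("To", "Cc"):
            if msg[name] is None:
                continue
            flat = ", ".join(str(a) for a in msg[name].addresses)
            if flat:
                msg.replace_header(name, flat)
            else:
                del msg[name]

    # RCPT TO recipients missing from every address header go to Bcc
    if add_missing_to_bcc:
        listed = {a.addr_spec.lower() for h in ("To", "Cc", "Bcc")
                  if msg[h] is not None for a in msg[h].addresses}
        missing = [r for r in rcpt_to if r.lower() not in listed]
        if missing:
            msg["Bcc"] = ", ".join(missing)

    # Character set: honour the alias map for the declared charset; with no
    # charset at all fall back to the assumed 8-bit charset (auto-detection
    # disabled).
    declared = msg.get_content_charset()
    charset = (charset_aliases or {}).get(declared, declared) or assumed_8bit_charset
    body = msg.get_payload(decode=True).decode(charset)
    return msg, body


if __name__ == "__main__":
    m, text = apply_inbound_options(
        RAW, RCPT_TO, resent_headers_take_precedence=True,
        remove_group_names=True, add_missing_to_bcc=True,
        charset_aliases={"iso-8859-1": "koi8-r"})
    print(m["From"], "|", m["To"], "|", m["Bcc"], "|", text.strip())
```

With every option left at its default the body decodes as mojibake and carol@acme.example is nowhere in the headers; that is the state the Yes settings exist to correct, and the test cases cover both outcomes.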
Setting advanced outbound MIME options
Outbound MIME settings apply to messages sent over SMTP to another
host. They do not apply to messages delivered to local mail files on the
server or messages transferred over Notes routing.
Use the advanced outbound MIME options to specify how servers
determine the following message items:
• Encoding for attachments sent from Macintosh clients
• Use of phrases specifying the sender’s user name in the sender’s Reply
  address
• Sending of Notes mail items that do not have standard MIME equivalents
• Removal of Notes fields from message headers
• Character set to use when converting multilingual messages
• Character set alias to use in place of one that is typically mislabeled
  in outgoing messages
To set advanced outbound MIME options
1. From the Domino Administrator, click the Configuration tab and
expand the Messaging section.
2. Click Configurations.
3. Select the Configuration Settings document for the mail server or
servers you want to administer, and click Edit Configuration.
4. Click the MIME - Advanced - Advanced Outbound Message Options
tab.
5. Complete the following fields, and then click Save & Close:

Macintosh attachment conversion
   The format for Macintosh attachments. Choose one:
   • AppleDouble [base64 only] — (default) Provides standard MIME encoding
     for sending Macintosh files to recipients using newer Macintosh and
     PC mail programs. AppleDouble splits the data fork and the resource
     fork of the file and encodes the resulting data in Base64 for
     transport. PC clients receiving the attachment discard the resource
     fork and use the data fork only. The AppleDouble header is
     effectively the resource fork and includes the original Mac file name
     of the file. If the AppleDouble data part has a recognizable MIME
     type, Domino uses it to label the MIME part of the converted message;
     for example, the data part of a Microsoft Word attachment is described
     as application/msword. If the MIME type cannot be determined, Domino
     labels the MIME part as application/octet-stream.
   • BinHex4.0 — Sends Macintosh attachments with the MIME type
     application/mac-binhex40. Use this method for sending Macintosh files
     to other Macintosh users who do not use MIME-compliant mail programs.
     Because few Windows mail programs can decode BinHex, this method
     should not be used when sending files to recipients who use Windows.

RFC822 phrase handling
   Specifies how the server handles phrases in an address header. Choose
   one:
   • Do not add phrase — (default) Outbound mail displays the sending
     user’s RFC 821 address. The Router permits user-defined phrases in
     recipient addresses.
   • Use DN as phrase (Use domain name for the phrase) — The Router
     constructs an RFC 822-style address using a phrase part derived from
     the person’s hierarchical, distinguished name; for example, “John
     Jones/Sales/ACME” <JJones@acme.com>. The Router permits user-defined
     phrases in recipient addresses.
   • Use alt. name if available, otherwise DN (Use the alternative name or
     domain name) — If an Alternate name is specified in the user’s Person
     document, constructs an RFC 822-style address using it as the phrase
     part; otherwise uses the hierarchical, distinguished name; for
     example, “John Jones/Sales/ACME” <JJones@acme.com>. The Router
     permits user-defined phrases in recipient addresses.
   • Remove phrase — Only RFC 821-style addresses allowed. The Router
     strips user-defined phrases in recipient addresses.
   • Use CN as phrase — Constructs an RFC 822-style address using a phrase
     part derived from the person’s common name; for example, “John Jones”
     <JJones@acme.com>. The Router permits user-defined phrases in
     recipient addresses.

Internet mail server sends Notes private items in messages
   Notes private items are header items present in a Notes rich-text
   message that do not map to any of the standard header fields for SMTP
   messages, as defined in RFC 2822. When adding private items to the
   headers of an SMTP message, Domino adds the prefix “x-notes-item” to
   the field name to indicate that it is a nonstandard field. Choose one:
   • Enabled — When converting Notes rich-text messages for SMTP transport
     or download by a POP3 or IMAP client, Domino converts all Notes
     private items in the message to custom “x-notes-item” headers. The
     resulting “x-notes-item” is a structured header with parameters that
     reflect the attributes of the original Notes item, for example, data
     type, value, summary flags, item name, and so on. Because Notes
     private items are not generally used in Internet mail, do not select
     this option unless you have a specific reason for sending private
     items. Items specified in the field “Notes items to be removed from
     headers” are excluded from the headers of the converted message.
   • Disabled — (default) When converting Notes rich-text messages for
     SMTP transport, Domino removes nonstandard Notes header items.

Always send the following Notes items in headers
   List the Notes header items to always include as RFC 2822 headers in
   outbound SMTP messages, mapping each specified Notes item to a valid
   nonstandard RFC 2822 header item. For example, the Notes item header-1
   would be mapped to the RFC 2822 header x-header-1. The header body is
   the first 255 bytes of the item value, converted to text if necessary.
   Domino sends the items specified in this field even if sending of Notes
   private items is disabled. Use this field to send specific items only,
   while preventing export of all unspecified Notes private items. If an
   item listed in this field is also listed in the field “Notes items to be
   removed from headers,” the item is not included.

Notes items to be removed from headers
   List the Notes header items to exclude from x-headers in outbound SMTP
   messages.

When converting a multilingual message
   Specifies the character set Domino uses when converting a Notes
   rich-text message to MIME with text content that cannot be represented
   by a single character set group — for example, a message in which part
   of the content is in French (Western character set group) and part in
   Arabic. Choose one:
   • Send it in Unicode [UTF8] — (default) Domino converts all the text to
     an 8-bit encoding of the Unicode character set. To read the resulting
     message, recipients’ mail programs must support Unicode.
   • Send it in most representable character set — Domino selects the
     character set that best matches the majority of characters in the
     message. If the message is sent as plain text, any character that
     cannot be represented by the selected character set is replaced by a
     fallback character — typically a question mark. If the message is
     sent as HTML, a Unicode-enabled mail program is required to decode
     the message because such a mail program can replace unrepresentable
     characters with their Unicode numeric values.

Character set name aliases
   Specifies the name of a nonstandard character set alias to be used when
   converting Notes rich-text messages for outbound SMTP transfer. For
   example, you can send messages sent in ISO-8859-1 with the tag
   “My-Character-Set.” It is not recommended that you provide aliases here
   because outbound messages will be understood only by similarly
   configured mail clients.
Note These settings apply to messages sent outbound over SMTP to
another host, or exported to the IMAP or POP3 service. They are not
applied to messages delivered locally or messages transferred over Notes
routing.
6. The change takes effect after the next Router configuration update.
To put the new setting into effect immediately, reload the routing
configuration.
For information on how to reload the routing configuration, see the
chapter “Setting Up Mail Routing.”
For more information about using the RFC 822 address format, see the
topic “Configuring outbound Internet mail to use RFC 822 address
format (phrase parts)” later in this chapter.
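The following Python is an added example, not Domino code, that models two of the options in the table above: the export of named Notes items as nonstandard x- headers (with the 255-byte limit and the removal list taking precedence over everything else) and the choice between Unicode and the most representable character set for a multilingual message. The function names, the sample item values and the two Python codecs standing in for the Western and Arabic character set groups are this example's own assumptions; Domino's real character set groups and its private-item classes are not reproduced.

```python
"""Added example (not Domino code): models two Advanced Outbound Message
Options from the table above. Names and sample data are constructed."""
from __future__ import annotations

HEADER_BODY_LIMIT = 255  # Domino uses the first 255 bytes of the item value


def export_notes_items(items: dict[str, object],
                       always_send: list[str],
                       remove: list[str],
                       send_private: bool = False) -> list[tuple[str, str]]:
    """Return the (header-name, header-body) pairs added to the outbound message.

    items:        Notes item name -> value on the rich-text message (constructed).
    always_send:  "Always send the following Notes items in headers" list.
    remove:       "Notes items to be removed from headers" list; it wins over both
                  always_send and the private-item export.
    send_private: the "Send Notes private items in headers" option. This model
                  treats every item not named in always_send as a private item,
                  a simplification of the real Notes item classes.
    """
    removed = {name.lower() for name in remove}
    selected: list[str] = []
    for name in always_send:
        if name.lower() not in removed and name in items:
            selected.append(name)
    if send_private:
        for name in items:
            if name.lower() not in removed and name not in selected:
                selected.append(name)
    headers: list[tuple[str, str]] = []
    for name in selected:
        value = items[name]
        text = value if isinstance(value, str) else str(value)  # convert to text if needed
        # Keep the first 255 bytes without splitting a multi-byte UTF-8 sequence.
        body = text.encode("utf-8")[:HEADER_BODY_LIMIT].decode("utf-8", "ignore")
        # The Notes item header-1 becomes the nonstandard header x-header-1.
        headers.append((f"x-{name}", body))
    return headers


# Constructed stand-ins for two single character set groups (Western, Arabic).
SINGLE_BYTE_GROUPS = ("iso-8859-1", "iso-8859-6")


def _representable(ch: str, charset: str) -> bool:
    try:
        ch.encode(charset)
        return True
    except UnicodeEncodeError:
        return False


def choose_charset(text: str, option: str = "unicode") -> tuple[str, str]:
    """Return (charset, text as a plain-text recipient would see it).

    option "unicode":            "Send it in Unicode [UTF8]" (the default).
    option "most-representable": "Send it in most representable character set";
                                 the group covering the most characters is chosen
                                 and the rest become the fallback character '?'.
    """
    if option == "unicode":
        return "utf-8", text  # every character survives; the reader needs Unicode support
    if option != "most-representable":
        raise ValueError(f"unknown option: {option}")
    best = max(SINGLE_BYTE_GROUPS,
               key=lambda cs: sum(1 for ch in text if _representable(ch, cs)))
    # Python's "replace" handler emits '?' for an unencodable character, the
    # same fallback the table describes for plain-text messages.
    return best, text.encode(best, "replace").decode(best)
```

The removal list is applied before anything is exported, so listing an internal item there is the reliable way to keep it out of Internet mail even if someone later adds it to the always-send list. The character set example shows why the default of UTF-8 is the safer choice for mixed-language mail: with the most-representable option the minority script is silently replaced by question marks in plain-text messages.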
Examples: How Domino handles Macintosh attachments in inbound messages
For inbound messages, Domino supports AppleSingle, AppleDouble,
and BinHex attachment encoding. Macintosh attachments of any
encoding are stored as normal Notes Macintosh attachments; if the data
fork would be meaningful to a PC user, then a Notes user at a PC
workstation can launch the attachment normally.
In the following examples, unless noted otherwise, it is assumed that the
application required to open the attachment is properly installed on the
user’s computer. Also, it is assumed that both sender and recipient are
using MIME-compliant mail programs.
A Macintosh Netscape user sends a JPEGview file containing a JPEG
image (with no resource fork, which would be the normal case) to
two Notes recipients: one uses a Macintosh, and one uses a PC.
Both users receive the attachment intact. If the Macintosh user has
JPEGview, the attachment displays with the JPEGview file icon and
can be launched from within Notes. If the Macintosh user does not
have JPEGview, the attachment displays with a generic file icon and
cannot be launched from within Notes. For the PC user it also has a
Customizing the Domino Mail System 28-137
Mail
generic icon; it can be launched from within Notes only if its name
ends in JPG and the user has an application association set up for the
JPG extension. In all cases, the image can be viewed from within
Notes by using the “Attachment - View” function.
A Macintosh Claris Emailer user sends a Lotus 1-2-3 spreadsheet to
two Notes recipients: one uses a Macintosh, and one uses a PC.
Both recipients receive an intact Lotus 1-2-3 spreadsheet attachment.
The Macintosh recipient can launch it from within Notes or can
detach it and double-click to launch — regardless of the name given
to the attachment.
The PC user can launch it from within Notes or detach it and
double-click to launch, only if the file name ends in WK1, WK3, 123,
or some other extension associated with the Lotus 1-2-3 application.
(This is a Windows restriction, not a Notes restriction.)
A  Lotus Notes user sends a Lotus 1-2-3 spreadsheet from a PC to a
Macintosh recipient using Claris Emailer.
The PC user must save the spreadsheet as a 1-2-3 R1 spreadsheet
because it is the most recent version of 1-2-3 available on the
Macintosh. The spreadsheet is encoded with the MIME type
“X-Lotus-123R1,” a private MIME type defined by Lotus. Since this is
a private MIME type, by default, it cannot be launched directly from
Claris Emailer. To view the file, the recipient can detach it, launch
Lotus 1-2-3, and then open it using the File - Open command.
As an alternative, Macintosh users can install Internet Config (a
widely used free software utility) and configure a mapping for the
“X-Lotus-123R1” MIME type. Claris Emailer can then use the file
mapping table in Internet Config to determine the application to use
to launch the attachment directly from the message.
Configuring outbound Internet mail to use RFC 822 address format (phrase parts)
RFC 821 defines the standard convention for naming mailbox addresses
as “user@domain” or more broadly, “Localpart@Domainpart.” This
format has come to be known as RFC 821-style addressing. Subsequently,
RFC 822 specified a format for a more human-readable Internet address,
which adds a phrase part, also known as a friendly name or display
name, before the actual address. Phrase-style addresses use the form
“Phrase” <localpart@domainpart>; an optional display name indicates
the name of the recipient for display to the user of a mail application, for
example, “John Jones” <JJones@acme.com>.
You can have Domino add a phrase to the sender’s address on outbound
SMTP mail and specify the name component to use as the address
phrase. By default, addresses do not include phrases. If you choose not to
support phrase-style addresses, you can specify that Domino remove any
user-added phrases in the recipient fields of outbound messages.
You configure this address format using the “RFC822 phrase handling”
field in the Configuration Settings document, under the MIME -
Advanced - Advanced Outbound Message Options tab.
The Router adds phrases to Internet addresses both when taking the
address from a Person document in the Domino Directory and when
constructing the address from rules in the Global domain document.
This setting applies to messages sent over SMTP to another host or
exported to the IMAP or POP3 service. It does not apply to messages
delivered to mail files on the server or messages transferred over Notes
routing.
The options for this field are as follows:
• Do not add phrase — (Default setting) Outbound mail displays the sending user’s RFC 821 address. The Router permits user-defined phrases in recipient addresses.
• Use DN as phrase — Constructs an RFC 822-style address using a phrase part derived from the person’s hierarchical, distinguished name; for example, “John Jones/Sales/ACME” <JJones@acme.com>. The Router permits user-defined phrases in recipient addresses.
• Use alt. name if available - otherwise DN — If an Alternate name is specified in the user’s Person document, constructs an RFC 822-style address using it as the phrase part; otherwise uses the hierarchical, distinguished name; for example, “John Jones/Sales/ACME” <JJones@acme.com>. The Router permits user-defined phrases in recipient addresses.
• Remove Phrase — The Router strips user-defined phrases in recipient addresses. Only RFC 821-style addresses are allowed.
• Use CN as phrase — Constructs an RFC 822-style address using a phrase part derived from the person’s common name; for example, “John Jones” <JJones@acme.com>. The Router permits user-defined phrases in recipient addresses.
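The following Python is an added example, not Domino code, that applies each of the five options above to a constructed Person record and to recipient addresses a user typed. The option constants, the function names and the sample person (built from the “John Jones/Sales/ACME” example in the list) are this example's own.

```python
"""Added example (not Domino code): builds the sender address and handles
recipient phrases for each "RFC822 phrase handling" option listed above."""
from __future__ import annotations
from email.utils import parseaddr

# Option labels as they appear in the list above.
DO_NOT_ADD = "Do not add phrase"
USE_DN = "Use DN as phrase"
USE_ALT_OR_DN = "Use alt. name if available - otherwise DN"
REMOVE = "Remove Phrase"
USE_CN = "Use CN as phrase"

# Constructed stand-in for a Person document (alt_name is optional).
EXAMPLE_PERSON = {
    "internet_address": "JJones@acme.com",
    "cn": "John Jones",
    "dn": "John Jones/Sales/ACME",
}


def quote_phrase(phrase: str) -> str:
    """Render a phrase part as an RFC 822 quoted-string, e.g. "John Jones"."""
    escaped = phrase.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def sender_address(person: dict[str, str], option: str) -> str:
    """Sender address for outbound SMTP mail under the given option.

    person keys: internet_address, cn (common name), dn (hierarchical
    distinguished name) and, optionally, alt_name (Alternate name)."""
    addr = person["internet_address"]
    if option in (DO_NOT_ADD, REMOVE):
        return addr  # RFC 821 style: localpart@domainpart only
    if option == USE_DN:
        phrase = person["dn"]
    elif option == USE_ALT_OR_DN:
        phrase = person.get("alt_name") or person["dn"]
    elif option == USE_CN:
        phrase = person["cn"]
    else:
        raise ValueError(f"unknown option: {option}")
    return f"{quote_phrase(phrase)} <{addr}>"


def recipient_address(header_value: str, option: str) -> str:
    """Apply the option to one recipient address the sending user typed.

    Only "Remove Phrase" strips a user-defined phrase; every other option
    permits it and the value is passed through unchanged."""
    if option == REMOVE:
        return parseaddr(header_value)[1]  # addr-spec only
    return header_value.strip()
```

The phrase is always emitted as a quoted-string, so a display name containing a comma or a slash (as every DN does) cannot be parsed as a second address. Remove Phrase is the only option that changes what the user typed; the others affect only how the sender's own address is built.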
Mapping MIME types to file extensions
Domino uses File identification documents in the Domino Directory to
associate file types and their file name extensions with MIME types and
subtypes. For example, a File identification document for JPEG files
classifies files with the extension JPG as having the MIME type image
and MIME subtype jpeg. Domino servers and Notes clients use the
information in the File Identification documents to map file types to file
extensions and vice versa on inbound and outbound mail.
This ensures that the contents of attached files are correctly interpreted
by the recipient’s mail client. Upon opening the message in a
MIME-aware mail program, the recipient can open the attached
document from within the message, provided that the mail program
recognizes the MIME type and the associated application is installed on
the recipient’s computer.
You can add, modify, or delete File Identification documents from the
Domino Directory. Add new documents to support additional file types.
When adding a new File Identification document, you must know the
MIME type for the application and the file extension associated with the
application. Modify a File Identification document in the event that a
default mapping is incorrect or later standards dictate a change. You
might also edit a File Identification document to specify which of
multiple MIME types and subtypes Notes and Domino assign to files
with a given file extension when sending outbound mail.
How Domino uses File Identification documents when processing inbound mail
When receiving an inbound MIME message that includes a file
attachment, Domino reads the MIME headers to determine the name and
type of the attached file. If, however, the MIME headers do not specify
the name of the attached file, Domino must assign a name to the file that
is both unique within the document and includes the appropriate file
extension. To determine the file extension to use in creating the file name,
Domino refers to the File Identification documents in the Domino
Directory.
For example, if Domino receives a message that has a MIME header
indicating that it contains a Microsoft Word attachment (MIME
type/subtype of application/ms-word), but neither the content-type
header or content-disposition header specify a file name, the server has
to provide a name for the attachment. To ensure that Domino creates a
name using the correct file extension for a file of this type, the server
checks the Domino Directory for a File Identification document for this
file type and subtype, and then checks the “Extension” field of the
matching document. Because, by default, the only document that
matches files with the MIME type application/ms-word indicates that
the file uses the extension DOC, Domino creates a file name using this
extension.
By default, the File Identifications view of the Domino Directory lists
multiple documents for a given MIME type/subtype alphabetically, by
file extension. For example, by default, Domino includes several File
Identification documents for the MIME type/subtype
application/vnd.lotus-1-2-3, and the default view lists these from top to
bottom, beginning with the document that specifies the extension 123
and proceeding through those that specify the extensions unknown,
WK2, WK3, WK4, and WKS. This list order determines how Domino
names files when receiving a message containing an unnamed file
attachment with one of these MIME types. When creating the file name,
the server uses the information in the first document that appears
alphabetically in the view. Thus, when a server receives an inbound
message that includes an unnamed file attachment with the MIME
type/subtype application/vnd.lotus-1-2-3, Domino names the file using
the extension 123, because the File Identification view lists the document
specifying this extension before the other documents that describe the
same MIME type/subtype.
How Domino uses File Identification documents when processing outbound mail
Domino servers and Notes clients both use File Identification documents
when sending MIME messages that include file attachments. In both
cases, information in the document is used to specify the MIME content
type of the message attachment.
Domino servers use File Identification documents when converting
messages that include file attachments from Notes rich-text format to
MIME format for sending over SMTP. When converting an outbound
message that includes a file attachment, Domino first searches for a File
Identification document that corresponds to the file extension of the
attachment. After locating the correct document, Domino uses the MIME
type and subtype information from the document to construct the MIME
Content-type header for the message part that describes the attachment.
When a Notes client attaches a file to a message it sends in MIME format
(for example, when sending to Internet recipients or to Notes mail
recipients whose mail storage preference is set to MIME), the client first
checks the operating system to determine what file associations are
defined. Clients running on Microsoft Windows check the Windows
registry, while clients running on the Macintosh check Internet Config. If
the client cannot locate MIME type information from these sources, it
then checks the Domino Directory for a File Identification document that
applies to files with the same extension as the attached file. After locating
the correct document, the client places the MIME type and subtype
information from the document in the MIME header describing the
attachment.
For both servers and clients, if more than one File Identification document applies to a given file extension, the setting in the “Outbound” field of the documents determines which MIME type and subtype to assign to file attachments with this extension when sending mail.
To create or modify a File Identification document
1. From the Domino Administrator, click the Configuration tab and
expand the Messaging view.
2. Click File Identifications.
3. To add a new File Identification document, click Add File
Identification.
To edit an existing File Identification document, select it from the
documents listed, and click Edit File Identification.
4. Complete the following fields:

Field: MIME type
Description: General MIME category used to describe files of this content type or media; for example, application, audio, image, or video. When sending attachments in MIME messages, the information in this field is placed in the MIME Content-type header. Each MIME type/subtype combination can be mapped to zero or more file extensions.

Field: MIME subtype
Description: The specific MIME category that uniquely identifies the application that created files of this content type; for example, X-Lotus-NSF. When sending attachments in MIME messages, the information in this field is placed in the MIME Content-type header. Each MIME type/subtype combination can be mapped to zero or more file extensions.

Field: File extension
Description: The Windows or UNIX file name extension associated with files of this type; for example, JPG, BMP, or NSF. The Domino Directory can contain multiple File Identification documents for a given file extension. If the MIME headers of an inbound message do not specify the name of an attached file, Domino creates a file name for the attachment using this extension.

Field: Description
Description: Use this field to specify the type of file or the name of the application used to create and open the file.

Field: Outbound
Description: If the Domino Directory contains multiple File Identification documents for files with this file extension, this setting determines which MIME type and subtype Notes and Domino use to send file attachments with this extension. Notes clients also use settings in the Windows registry or the Macintosh Internet Config object to determine the MIME type and subtype to associate with a given file extension. Choose one:
• Send — When sending outbound messages in MIME format, Domino assigns the MIME type and subtype specified in this document to attachments that have this file extension. If there are multiple File Identification documents for a given file extension, select this option for one document only. If the value in this field is set to Send in multiple File Identification documents for a given file extension, Domino uses the first document listed in the File Identifications view to set the MIME information for attachments with the extension.
• Do not send — When sending outbound messages in MIME format, Domino does not assign the MIME type and subtype specified in this document to attachments that have this file extension. If there are multiple documents for a given file extension, specify this option in the Outbound field in all but one of the documents.
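The following Python is an added example, not Domino or Notes code, that models the resolution rules described in the inbound and outbound sections above and in the field table: unnamed inbound attachments get the extension of the first matching document in view order, and outbound attachments get the type/subtype of the first document for their extension whose Outbound field is Send. The directory contents are a constructed subset (the 1-2-3 and ms-word entries follow the text; the image/pjpeg entry and the att<n> naming scheme are invented to exercise the rules), and all names are this example's own.

```python
"""Added example (not Domino code): models how File Identification documents
map MIME types to extensions (inbound) and extensions to MIME types (outbound)."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class FileIdentification:
    mime_type: str
    mime_subtype: str
    extension: str
    outbound: str = "Send"  # "Send" or "Do not send"


# Constructed File Identification documents, deliberately in no particular order.
DIRECTORY = [
    FileIdentification("application", "ms-word", "DOC"),
    FileIdentification("application", "vnd.lotus-1-2-3", "WK3"),
    FileIdentification("application", "vnd.lotus-1-2-3", "123"),
    FileIdentification("application", "vnd.lotus-1-2-3", "WKS"),
    FileIdentification("application", "vnd.lotus-1-2-3", "unknown"),
    FileIdentification("application", "vnd.lotus-1-2-3", "WK4"),
    FileIdentification("application", "vnd.lotus-1-2-3", "WK2"),
    FileIdentification("image", "jpeg", "JPG"),
    FileIdentification("image", "pjpeg", "JPG", outbound="Do not send"),  # invented
    FileIdentification("application", "X-Lotus-NSF", "NSF"),
]


def view_order(docs=DIRECTORY) -> list[FileIdentification]:
    """The File Identifications view: by type/subtype, then extension, alphabetically."""
    return sorted(docs, key=lambda d: (d.mime_type.lower(), d.mime_subtype.lower(),
                                       d.extension.lower()))


def parse_content_type(value: str) -> tuple[str, str, dict[str, str]]:
    """Split 'type/subtype; name="x"' into (type, subtype, parameters)."""
    main, *raw_params = value.split(";")
    mime_type, _, mime_subtype = main.strip().partition("/")
    params: dict[str, str] = {}
    for p in raw_params:
        key, _, val = p.strip().partition("=")
        params[key.strip().lower()] = val.strip().strip('"')
    return mime_type.strip().lower(), mime_subtype.strip().lower(), params


def inbound_extension(content_type: str, docs=DIRECTORY) -> str | None:
    """Extension used for an unnamed inbound attachment: the first document in
    view order whose type and subtype match, or None if there is no document."""
    mime_type, mime_subtype, _ = parse_content_type(content_type)
    for doc in view_order(docs):
        if doc.mime_type.lower() == mime_type and doc.mime_subtype.lower() == mime_subtype:
            return doc.extension
    return None


def inbound_attachment_name(content_type: str, sequence: int, docs=DIRECTORY) -> str:
    """Name for an inbound attachment: the name from the headers when present,
    otherwise a unique constructed name ending in the mapped extension."""
    _, _, params = parse_content_type(content_type)
    if params.get("name"):
        return params["name"]
    ext = inbound_extension(content_type, docs)
    base = f"att{sequence}"  # constructed scheme; the page requires only uniqueness
    return f"{base}.{ext}" if ext else base


def outbound_content_type(extension: str, docs=DIRECTORY) -> str | None:
    """MIME type/subtype for an outbound attachment with this extension: the
    first document in view order whose Outbound field is Send."""
    ext = extension.lstrip(".").lower()
    for doc in view_order(docs):
        if doc.extension.lower() == ext and doc.outbound == "Send":
            return f"{doc.mime_type}/{doc.mime_subtype}"
    return None
```

Because view order decides ties in both directions, an administrator who adds a second document for an existing type or extension should check which one now sorts first; the Outbound field is the only explicit control over that choice, and only for the outbound direction.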

Chapter 29
Setting Up Shared Mail
This chapter describes setting up and managing shared mail databases.
Shared mail overview
By default, the Domino mail system employs a message-based model for
mail storage, delivering a separate and complete copy of every document
to each recipient’s mail file. When a message is small or is addressed to
only a few recipients, creating multiple copies of a message does not
consume much additional disk space. But when a large message is
broadcast to thousands of users on a single server, creating a separate
copy of the message for each recipient can consume several gigabytes of
disk space.
To use disk space more efficiently, you can set up shared mail on each
mail server after you set up the Domino mail system. Shared mail,
sometimes referred to as the Single Copy Object Store (SCOS), offers an
alternative to message-based mail, allowing servers to store a single copy
of messages received by multiple recipients in a special central database,
or object store. Every server using shared mail contains one or more of
these object stores, or shared mail databases, to hold all shared messages.
After you enable shared mail on a server, all mail databases on the server
automatically use the shared mail database to store the content of new
messages, unless you explicitly exclude a database from using shared
mail. You do not need to configure each user’s mail file individually for
shared mail use.
When shared mail is enabled and an incoming message is addressed to
multiple local recipients, the Router divides the message into a message
header and message body. The header includes the message’s To, cc, bcc,
Subject, and From fields. The body includes the text and other content, as
well as any file attachments. The Router then writes the message body to
a shared mail database and the message header to each recipient’s mail
file. The message body stored in the shared mail database contains an
object store link, which identifies all of the mail files linked to that
message. Similarly, the corresponding message headers stored in each
recipient’s mail file each contain a pointer to the object store that contains
the message body.
To keep shared mail databases small, Domino automatically purges the
shared portion of a message from the shared mail database after all
recipients delete the message from their mail files. Domino purges the
shared portion of these obsolete messages immediately; you do not have
to wait for a task to run before a message can be removed.
To improve efficiency and support encryption, Domino excludes certain
messages from the object store. Users always receive messages smaller
than one kilobyte (1 KB) as complete messages. This guarantees that
message pointers in a mail file never exceed the size of the message body
in the shared mail database. In addition, users always receive complete
messages if instructions in their Person documents specify to encrypt
incoming mail.
Using a shared mail database is completely transparent to users. When a
recipient opens a message, the link between the mail file and the shared
mail database causes the message to appear in its entirety. Users can
delete, reply to, change the view or folder, edit, save, resend, and
perform all the same tasks on a mail message stored in a shared mail
database as they would with the same message stored in their own mail
files. If a user edits and saves, or encrypts and saves, a message, the
complete message is then stored in that user’s own mail file, with no
effect on how the original message appears to other users.
Shared mail works for all messages, regardless of the mail client used to
compose the message. That means that users who use a POP3, IMAP, or
Notes mail client and who have a mail file on the Domino mail server can
all use shared mail. However, shared mail is not used if the various
recipients have different format preferences for incoming mail. For
example, if a message is sent to four users, half of whom have Notes rich
text format specified as their format preference, and half whose format
preference is set to MIME, all of the users receive the complete message.
Using multiple active shared mail databases
To improve scalability and reduce database contention, Domino servers
support the use of multiple active shared mail databases in multiple
shared mail directories. The directories can exist on any disk that the
server has access to. An active shared mail database is one that is open
for delivery of new messages. When multiple active shared mail
databases are available, the Router evenly distributes incoming mail to
each of them, choosing the destination database at the time of delivery.
Each new message that a user receives may be stored in any one of the
currently active shared mail databases. After a message is stored in a
shared mail database, it remains there until all users delete the message
from their mail files.
You can configure the server to use as many as ten active shared mail
directories at one time. Each configured shared mail directory can
contain as many as 100 shared mail databases, to a maximum of 1000
total shared mail databases per server.
If a server has fewer than 1000 active databases configured, it can
continue to reference a number of inactive shared mail databases up to the
maximum of 1000. Inactive databases no longer receive new mail, but
store previously received messages. A server can support as many as 40
inactive shared mail directories. As with active shared mail directories,
each of these inactive directories can contain a maximum of 100 shared
mail databases. A single shared mail directory can contain both active
and inactive databases.
A shared mail database is automatically set to inactive if the parent
directory exceeds the maximum size you specify for it in the Server
document.
When a server has multiple active shared mail databases, user mail files
on the server may contain links to any or all of them, as well as to
inactive shared mail databases. If you create additional shared mail
databases, Domino distributes a portion of all new incoming messages to
each of them. Previously received messages continue to reside in the
shared mail databases where Domino originally stored them.
Using multiple shared mail databases reduces the amount of shared mail
that could be lost or become temporarily inaccessible as a result of
database corruption. You can enable transaction logging for shared mail
databases, so that databases corrupted as the result of a server crash or
power outage can be automatically recovered at server startup. Enabling
transaction logging frees you from the need to restore shared mail
databases manually.
If transaction logging for shared mail is not enabled, to protect shared
mail databases against data loss, install a backup utility that can back up
and verify open NSF files and back up all shared mail databases at least
once a day. Because security settings on shared mail databases prevent
replication, you cannot replicate shared mail databases to provide
backup.
For more information on restoring shared mail databases, see the topic
“Restoring a shared mail database” later in this chapter.
How using shared mail affects a user’s mail file quota
When calculating the size of a mail file to determine whether it conforms
to configured mail quota or warning threshold limits, Domino treats
shared messages as though each user owned the entirety of the shared
message. Thus, the full size of every message delivered to a mail file that
uses shared mail counts against the mail file quota. Likewise, when a
user deletes a message that is linked to a shared mail database, the full
size of the message is removed from the mail file quota.
The actual file size of the mail database that uses shared mail therefore
does not necessarily reflect its logical size. For example, a user’s mail file
might exceed its quota limit of 60MB even though the physical size of the
file is only 35MB.
How Domino maintains the security of a shared mail database
Because a shared mail database contains confidential messages for all
users on a server, it must be secured against unauthorized browsing.
These security features ensure that only users who should have access to
a given message actually have access to that message:
• Shared mail databases are encrypted locally with a random key, which is in turn encrypted using the public key of the server’s ID. The access control list (ACL) of a shared mail database is set so that only the server’s ID can access the database. The server’s ID has Manager access, and the user type is Server. Even if an unauthorized user obtains the server ID, the user cannot use the server ID to access a shared mail database from a Notes workstation and cannot create a replica of the database on another server.
• The shared mail database does not appear in the Open Database dialog box.
• A shared mail database contains no views, and none can be added to it.
• The shared mail database includes links to message headers. When a user reads a message, Domino verifies that the message header matches the content stored in the shared mail database.
• Messages received by users for whom the “Encrypt incoming mail” option in the Person document is set to “Yes” cannot be stored in a shared mail database. Messages delivered to recipients who encrypt incoming mail are placed in the recipient’s mail file in their entirety.
For more information on mail encryption, see the chapter “Encryption
and Electronic Signatures.”
How shared mail works
1. The Router on a server receives a mail message addressed to two or
more recipients whose mail files are on that server.
2. The Router splits the incoming message into two parts: the header
and the content. The header consists of the message’s To, cc, bcc,
Subject, and From fields. The content contains the body of the
message, along with any file attachments.
Note If the combined size of a message and its attachments is 1KB
or less, Domino delivers the complete message to the recipient’s mail
file and does not use the object store.
3. The Router stores a copy of the header in each recipient’s mail file
and stores a single copy of the content in the shared mail database.
4. When a recipient opens the message, the header activates a link to
the message content, which is stored in the shared mail database. The
message appears as though the entire message is stored in the
recipient’s mail file.
5. If the recipient deletes a shared message, Domino deletes only the
header in the recipient’s mail file. The content is not affected because
it is stored in the shared mail database.
6. After all of the recipients delete the message header from their mail
files, Domino automatically purges the obsolete message, including
the content in the shared mail database.
For more information on how Domino removes obsolete messages from a shared mail database, see the topic “Purging obsolete shared mail messages” later in this chapter.
• If a user edits and saves a received message, Domino stores the revised message in the user’s mail file in its entirety and deletes links between the user’s mail file and the message body in the shared mail database.
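The following Python is an added example, not Domino code, that models the delivery, linking, purge and edit-and-save steps just listed, together with the quota rule (every shared message counts at full size) and the header-to-content check from the security section above. It models delivery-only shared mail on one server; the class and method names, the 1 KB threshold applied to the body alone, the zero cost assigned to a pointer, and the assumption that a message with fewer than two shareable recipients is delivered complete are this example's own.

```python
"""Added example (not Domino code): a small model of the shared mail (SCOS)
delivery, link, purge and quota rules described in this chapter."""
from __future__ import annotations
from dataclasses import dataclass, field

SHARED_MAIL_MIN_SIZE = 1024  # messages of 1 KB or less are always delivered complete


@dataclass
class MailEntry:
    header: dict[str, str]
    body: bytes | None = None   # present only for a complete (unshared) copy
    link: str | None = None     # object store message id for a shared copy


@dataclass
class StoredBody:
    body: bytes
    links: set[str] = field(default_factory=set)  # the object store link: linked mail files


@dataclass
class MailServer:
    mail_files: dict[str, dict[str, MailEntry]] = field(default_factory=dict)
    object_store: dict[str, StoredBody] = field(default_factory=dict)
    encrypt_incoming: set[str] = field(default_factory=set)          # "Encrypt incoming mail: Yes"
    format_preference: dict[str, str] = field(default_factory=dict)  # user -> "Notes" or "MIME"

    def _file(self, user: str) -> dict[str, MailEntry]:
        return self.mail_files.setdefault(user, {})

    def deliver(self, msg_id: str, header: dict[str, str], body: bytes,
                recipients: list[str]) -> bool:
        """Deliver to local recipients. Returns True when the body went to the
        shared mail database rather than to each mail file."""
        prefs = {self.format_preference.get(r, "Notes") for r in recipients}
        sharing = [r for r in recipients if r not in self.encrypt_incoming]
        # No sharing for small messages, for mixed format preferences, and
        # (assumption) when fewer than two recipients could share the body.
        use_shared = len(body) > SHARED_MAIL_MIN_SIZE and len(prefs) == 1 and len(sharing) >= 2
        if use_shared:
            self.object_store[msg_id] = StoredBody(body, set(sharing))
        for r in recipients:
            if use_shared and r in sharing:
                self._file(r)[msg_id] = MailEntry(dict(header), link=msg_id)
            else:
                self._file(r)[msg_id] = MailEntry(dict(header), body=body)  # complete copy
        return use_shared

    def _unlink(self, user: str, msg_id: str) -> None:
        stored = self.object_store[msg_id]
        stored.links.discard(user)
        if not stored.links:
            del self.object_store[msg_id]  # purged immediately once no mail file links to it

    def delete(self, user: str, msg_id: str) -> None:
        """Deleting removes only the header; the shared content stays until the last link goes."""
        entry = self._file(user).pop(msg_id)
        if entry.link is not None:
            self._unlink(user, entry.link)

    def edit_and_save(self, user: str, msg_id: str, new_body: bytes) -> None:
        """The revised message is stored entirely in the user's mail file and the
        link is dropped; other recipients still see the original."""
        entry = self._file(user)[msg_id]
        if entry.link is not None:
            self._unlink(user, entry.link)
            entry.link = None
        entry.body = new_body

    def read(self, user: str, msg_id: str) -> bytes:
        """Opening a message: the link makes the body appear as if stored locally,
        after the header is checked against the object store link."""
        entry = self._file(user)[msg_id]
        if entry.body is not None:
            return entry.body
        stored = self.object_store[entry.link]
        if user not in stored.links:
            raise PermissionError("message header does not match the shared mail database")
        return stored.body

    def logical_size(self, user: str) -> int:
        """Size counted against the mail quota: every message at its full size."""
        return sum(len(self.read(user, m)) for m in self._file(user))

    def physical_size(self, user: str) -> int:
        """Bytes actually in the mail file: complete copies only (pointer cost ignored)."""
        return sum(len(e.body) for e in self._file(user).values() if e.body is not None)
```

Running the model with one recipient whose Person document encrypts incoming mail shows the two paths side by side: that user's mail file holds the whole body while the others hold only a header and a link, yet all of them are charged the full message size against their quotas.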
Setting up shared mail databases
Before setting up shared mail, decide where to locate your shared mail
databases. On each server that uses shared mail, you specify the
directory where you want shared mail databases to reside. When
creating multiple shared mail databases, you can place all of the
databases in one directory, or create multiple directories and have
multiple databases in each directory. Servers can have up to 10 active
shared mail directories, each supporting a maximum of 100 shared mail
databases. In addition, Domino recognizes as many as 40 inactive shared
mail directories, from which users can continue to access messages.
Inactive directories are directories that no longer appear in the server
document, but remain in the last location specified. Each server can
support a combined total of 1000 active and inactive shared mail
databases.
Shared mail directories must reside within the logical directory structure
that is controlled by the server or be referenced by a directory link within
that directory structure. To improve performance, you can place shared
mail databases on another file system. When creating shared mail
databases in a directory that is not a subdirectory of the Domino data
directory, Domino creates a link to point to the shared mail directory. If
no link exists, Domino cannot locate the shared mail databases.
To create and enable a shared mail database
1. From the Domino Administrator, click the Configuration tab and
then expand the Server section.
2. Select the Server document to be edited and then click Edit Server.
3. Click the Shared Mail tab.
4. Enable or disable the use of shared mail by completing the following
field:

Field name: Shared Mail
Enter: Choose one:
• None — The server does not use shared mail.
• Delivery — The server uses shared mail for messages delivered to multiple local recipients. Selecting this option sets the value of the variable Shared_Mail in the NOTES.INI file to 1.
• Transfer and delivery — The server always uses shared mail. Selecting this option sets the value of the variable Shared_Mail in the NOTES.INI file to 2.

5. For each shared mail directory you want to create, complete the
following fields and then click Save & Close:

Field name: Directory
Enter: The full path to the shared mail directory. For example: C:\LOTUS\DOMINO\DATA\SHAREDMAIL
If the directory you specify does not exist, Domino creates it for you. You can configure up to 10 active shared mail directories. In addition, Domino recognizes as many as 40 inactive shared mail directories, from which users can continue to access messages. Inactive directories are directories that no longer appear in the server document, but remain in the last location specified.

Field name: Number of files
Enter: The number of shared mail databases to create in the specified directory. Enter a number between 1 and 100.

Field name: Maximum directory size
Enter: The maximum total size, in megabytes (MB), of all shared mail databases in the directory. Enter a number between 1 and 8192. If the directory size exceeds this value, Domino stops adding new mail to the shared mail databases in the directory.

Field name: Delivery status
Enter: Specifies whether the Router can deliver messages to shared mail databases in the directory. Choose one:
• Open — (default) The Router can access active shared mail databases in this directory for delivery. Although the delivery status for the directory is set to Open, individual databases in the directory may be closed to delivery.
• Closed — The Router does not deliver new messages to shared mail databases in this directory. Domino closes a directory automatically if it exceeds its size or as the result of certain error conditions. Select this option if you have a temporary need to shut off access to the database to prevent directory growth — for example, if another service that stores data on the disk needs immediate space — but you don’t want to change the configured directory size.

Field name: Availability
Enter: Specifies whether the mail system can access shared mail databases in the directory. Choose one:
• Online — (default) Domino designates shared mail databases in the directory as available for use. The server periodically checks the directory to ensure that it contains the number of configured shared mail databases. If the number of databases in the directory falls below the value specified in the Number of files field, the server attempts to recreate the missing databases.
• Offline — Domino designates shared mail databases in the directory as not available. The server does not check the directory to ensure that it contains the correct number of shared mail databases. Select this option to prevent access to shared mail databases in preparation for moving a directory or database. Setting the availability status of a directory to Offline automatically sets the delivery status to Closed.

6. To put the new configuration into effect, restart the server or enter
the following command at the server console:
Show SCOS
For more information about using the SHOW SCOS command, see
the appendix “Server Commands.”
Using shared mail for delivery only or for transfer and delivery
There are two ways of setting up shared mail. One is for delivery only,
and the other is for transfer and delivery. When shared mail is enabled
for delivery only, the Router places the body of an incoming message in
the shared mail database only if there are multiple local recipients.
Messages for a single local user are delivered as complete messages. The
server uses its normal transfer mechanism for messages being routed
through the server to another destination; that is, messages in MAIL.BOX
that are awaiting transfer to another server always remain intact.
In contrast, when shared mail is enabled for transfer and delivery, the
server splits every message it receives (that is, the content goes to the
shared mail database and the header goes to MAIL.BOX), regardless of
the number of recipients. Then, during delivery, the Router merges the
header and content together, examines the recipient list, and either
transfers the message to the next server, or delivers it to the local
recipients (with the content staying in the shared mail database and the
header going to the users’ mail files).
29-8 Administering the Domino System, Volume 1
The shared mail setting that you decide to use depends on your situation.
In general, use shared mail for transfer and delivery on servers that have
mostly deliveries and few transfers to other servers. Because most
incoming messages are likely to be for local delivery, it’s efficient to have
the server automatically place all incoming messages in the object store.
On the other hand, on servers such as hub servers, which perform mostly
transfers and have few local mail file deliveries, use shared mail for
delivery only. Because incoming messages on these servers are likely to
be transferred to another server, it’s counterproductive to have the server
absorb the cost of preparing mail for the object store.
In the end, both settings provide similar disk space savings, but because
the “transfer and delivery” setting always places the message body
directly in the object store, rather than in MAIL.BOX, it provides faster
delivery for local users by eliminating the transfer time required to move
mail from MAIL.BOX to the object store.
Specifying the location and size of a shared mail directory
Shared mail databases may become quite large, so be sure to locate
shared mail directories on a disk that has enough free space to
accommodate future growth. To manage growth, you can specify a size
limit for the database set contained in each shared mail directory. The
size limit applies to the cumulative size of all shared mail databases in
the directory. The size of individual databases may fluctuate as messages
are added and removed, but barring any configuration change, the
number of databases remains constant, and the size of the entire database
set never significantly exceeds the specified maximum. Domino supports
a maximum size limit of 8GB (8192MB) for each shared mail directory.
Always set a maximum directory size that is less than the actual amount
of available disk space. A shared mail directory may exceed the specified
size limit if the Router adds a large message to the directory when it is
already near the limit.
If a shared mail directory reaches the configured maximum size, Domino
automatically deactivates it, changing the delivery status of the directory
to Closed, so that it can no longer receive new mail. Existing links
between users’ mail files and the inactive shared mail database continue
to work, so users can read and otherwise work with these messages. If
another shared mail directory is available, the Router places future
messages into the active shared mail databases in that directory. If no
shared mail directories are available, the Router delivers new messages
as complete messages to user mail files.
Setting Up Shared Mail 29-9
Mail
Managing object store growth
As the object store becomes host to a greater number of users and
messages, you may need to change the size limits on existing shared mail
directories or add new directories to accommodate the increased usage.
Whether you extend the size of current directories or add new ones
depends on the amount of physical space and the number of concurrent
users accessing your current directories.
If there’s still adequate space on the current disk, after the existing
shared mail directories reach their size limit, you can increase the
maximum size of the existing directories. If the amount of additional
space on the current disk is limited, create another shared mail directory
on a separate disk that has more space.
If database contention (too many users accessing the database at the
same time) is affecting performance, and space allows, increase the
number of databases (not the size) within the existing shared mail
directories or create new shared mail directories on the same disk or a
separate disk.
Creating shared mail directories outside of the Domino Data directory
If you create a shared mail directory that is not a subdirectory of the
Domino data directory, Domino automatically creates a link file, or
directory link, within the Data directory, called SCOS_N.DIR, where N
indicates the sequence order in which the link file was created relative to
other shared mail database links. For example, the directory link Domino
creates for the first shared mail directory outside of the Domino Data
directory is named SCOS_1.DIR; the second one is named SCOS_2.DIR;
and so forth. Domino does not create link files for shared mail directories
residing within the Domino Data directory. The link file is a text file
containing the path to the shared mail directory so that the server can
locate shared mail databases.
If the server has a drive mapped to another computer, you can place the
directory on that drive by entering its full path. For example:
J:\Shared\SHAREDMAIL
You cannot specify a path in the form of a Universal Naming Convention
(UNC) name (that is, using the format \\hostname\sharepoint).
Caution If Domino loses access to the remote directory for any reason,
users will be unable to access messages stored in that directory.
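The rules in the preceding sections (delivery-only versus transfer-and-delivery splitting, the directory limits and Open/Closed and Online/Offline statuses, and the path restrictions for shared mail directories) are easier to reason about as a small model. The following Python is an added illustration written for this page; it is not Domino code, and its class and function names, the constructed scenario, and the sample paths are assumptions made for the example. It deliberately reproduces the caveat that a directory may end up over its limit by one message, because the size check runs after a body has been added.

```python
"""Model of where the Domino Router puts a message body under shared mail.

Added illustration, not Domino code. It encodes rules stated in the text:
with shared mail set up for delivery only, the Router splits a message
only when it has more than one local recipient and never splits mail that
is awaiting transfer; with transfer and delivery, every received message
is split. A shared mail directory has Number of files (1..100), Maximum
directory size in MB (1..8192), Delivery status (Open/Closed) and
Availability (Online/Offline); Offline forces Closed; the directory is
closed automatically once its cumulative size exceeds the limit, which is
why one large message can push it past the limit; with no directory
available the message is delivered complete. Directory paths must be
absolute drive-letter paths, never UNC names.
"""
from dataclasses import dataclass, field

MB = 1024 * 1024
MAX_DIRECTORY_MB = 8192


def splits_on_receipt(mode, local_recipients, awaiting_transfer=False):
    """True if the Router separates body from header for this message."""
    if mode == "transfer and delivery":
        return True                      # every received message is split
    if mode != "delivery only":
        raise ValueError("unknown shared mail mode: " + mode)
    if awaiting_transfer:
        return False                     # MAIL.BOX transfers stay intact
    return local_recipients > 1          # single local recipient: complete message


def validate_directory_path(path):
    """Reject UNC names (\\\\host\\share or //host/share); require a path
    such as C:\\LOTUS\\DOMINO\\DATA\\SHAREDMAIL or J:\\Shared\\SHAREDMAIL."""
    if path.startswith("\\\\") or path.startswith("//"):
        raise ValueError("UNC names are not accepted: " + path)
    if len(path) < 3 or not path[0].isalpha() or path[1:3] != ":\\":
        raise ValueError("expected an absolute drive-letter path: " + path)
    return path


@dataclass
class SharedMailDirectory:
    path: str
    number_of_files: int
    max_size_mb: int
    delivery_open: bool = True    # Delivery status: Open (default) / Closed
    online: bool = True           # Availability: Online (default) / Offline
    used_bytes: int = 0
    stored: list = field(default_factory=list)   # ids of bodies kept here

    def __post_init__(self):
        validate_directory_path(self.path)
        if not 1 <= self.number_of_files <= 100:
            raise ValueError("Number of files must be between 1 and 100")
        if not 1 <= self.max_size_mb <= MAX_DIRECTORY_MB:
            raise ValueError("Maximum directory size must be between 1 and 8192 MB")

    def set_offline(self):
        """Offline marks the databases unavailable and implies Closed."""
        self.online = False
        self.delivery_open = False

    def accepts_delivery(self):
        return self.online and self.delivery_open

    def add_body(self, message_id, size):
        """Store a body, then close the directory if the limit is now
        exceeded; the check runs after the add, so the directory can end up
        over its limit by up to one message."""
        self.used_bytes += size
        self.stored.append(message_id)
        if self.used_bytes > self.max_size_mb * MB:
            self.delivery_open = False


def deliver(directories, message_id, body_size):
    """Return ('shared', path) if the body went to a shared mail directory,
    or ('complete', None) if the message was delivered whole."""
    for d in directories:
        if d.accepts_delivery():
            d.add_body(message_id, body_size)
            return ("shared", d.path)
    return ("complete", None)


def run_scenario():
    """Constructed scenario: a 1 MB directory gets 900 KB, then 300 KB."""
    primary = SharedMailDirectory("C:\\LOTUS\\DOMINO\\DATA\\SHAREDMAIL", 2, 1)
    overflow = SharedMailDirectory("J:\\Shared\\SHAREDMAIL", 1, 1)
    dirs = [primary, overflow]
    outcomes = [deliver(dirs, "m1", 900 * 1024),   # fits in primary
                deliver(dirs, "m2", 300 * 1024),   # accepted, pushes primary past 1 MB, now Closed
                deliver(dirs, "m3", 100 * 1024)]   # primary Closed: goes to overflow
    overflow.set_offline()                         # e.g. preparing to move that directory
    outcomes.append(deliver(dirs, "m4", 10 * 1024))  # nothing available: delivered complete
    return outcomes, primary, overflow


if __name__ == "__main__":
    for outcome in run_scenario()[0]:
        print(outcome)
```

Running the scenario shows the second message being accepted even though it takes the directory to 1200 KB against a 1 MB limit, after which the directory reports Closed and the third body lands in the second directory; once that directory is set Offline, the fourth message is delivered complete to the mail file. This is the practical reason the text tells you to keep the configured maximum below the disk space actually available.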
Managing a shared mail database
Use these procedures to manage a shared mail database and the user
mail files that are linked to it:
• Reconfigure shared mail
• Generate and view shared mail information
• Link, unlink, or relink a user’s mail file
• Include or exclude a user’s mail file
• Enable shared mail for replicas of mail files
• Purge obsolete shared mail messages
• Restore a shared mail database
• Move mail files between servers that use shared mail
• Delete a shared mail database
• Disable shared mail
Reconfiguring shared mail settings
As the object store becomes host to a greater number of users and
messages, you may need to change the existing settings to accommodate
continued growth. You can:
• Increase the number of files in a directory
• Increase the size limits on existing shared mail directories
• Change the delivery status of a directory
• Add new shared mail directories
Whether you extend the size of current directories or add new ones
depends on whether physical space or concurrent usage is the limiting
factor.
If your existing shared mail directories reach their size limit, and there’s
still adequate space on the current disk, increase the maximum size of the
existing directories. If the amount of additional space on the current disk
is limited, create another shared mail directory on a separate disk that
has more space.
If database contention (too many users accessing the database at the
same time) is affecting performance, and space allows, increase the
number of databases (not the size) within the existing shared mail
directories or create new shared mail directories on the same disk or a
separate disk.
Use the Shared Mail tab on the Server document to change the directory
settings. In addition, you can also use the SET SCOS command to change
the status of individual shared mail databases within a directory. For
more information about using the SET SCOS command, see the appendix
“Server Commands.”
To change directory settings for shared mail
1. From the Domino Administrator, click the Configuration tab and
then expand the Server section.
2. Select the Server document to be edited and then click Edit Server.
3. Click the Shared Mail tab.
4. To create an additional shared mail directory, complete the following
fields:

Directory: The full path to the shared mail directory. For example:
C:\LOTUS\DOMINO\DATA\SHAREDMAIL
If the server has a drive mapped to another computer, you can place the
directory on that drive by entering its full path. For example:
J:\Shared\SHAREDMAIL
If the server is unable to connect to the remote drive, access to
directories on the drive will be interrupted. If the directory you specify
does not yet exist, Domino creates it for you. You cannot specify a path in
the form of a Universal Naming Convention (UNC) name (that is,
\\hostname\sharepoint).

Number of files: The number of shared mail databases to create in the
specified directory. Enter a number between 1 and 100.

Maximum directory size: The maximum total size, in megabytes (MB), of all
shared mail databases in the directory. Enter a number between 1 and 8192.
If the directory size exceeds this value, Domino stops adding new mail to
the shared mail databases in the directory.

Delivery status: Choose one:
• Open: The server can access any active shared mail databases in this
directory for delivery. Individual databases may be closed to delivery.
• Closed: The server cannot access any shared mail databases in this
directory.

Availability: Specifies whether the mail system can access shared mail
databases in the directory. Choose one:
• Online (default): Domino designates shared mail databases in the
directory as available for use. The server periodically checks the
directory to ensure that it contains the number of configured shared mail
databases. If the number of databases in the directory falls below the
value specified in the Number of files field, the server attempts to
recreate the missing databases.
• Offline: Domino designates shared mail databases in the directory as not
available. The server does not check the directory to ensure that it
contains the correct number of shared mail databases. Select this option
to prevent access to shared mail databases in preparation for moving a
directory or database. Setting the availability status of a directory to
Offline automatically sets the delivery status to Closed.
5. To add more shared mail databases to an existing shared mail
directory, increase the value in the Number of Files field for that
directory.
6. To increase the size of an existing shared mail directory, enter a new
value in the Maximum directory size field for that directory. A
directory can have a maximum size of 8192MB. If the directory size
exceeds this value, Domino stops adding new mail to the shared mail
databases in the directory.
7. At the server console, enter the following command to put the new
configuration into effect:
Show SCOS
For more information about using the Show SCOS command, see the
appendix “Server Commands.”
Generating and viewing shared mail statistics
The Object Collect task automatically generates shared mail statistics,
such as how many messages in a shared mail database are shared by a
certain number of users. You can view these statistics from the Shared
Mail view on the Messaging-Mail tab of the Domino Administrator, or
from the Object Store view of the server log file (LOG.NSF). The view is
populated automatically when the Object Info -Full command runs, by
default at 3 AM. You can change when the Object task runs by editing the
ServerTasksAt3 setting in the NOTES.INI file (the ServerTasksAtn settings
schedule tasks to run at a given hour of the day).
These statistics provide information you need before administering
shared mail by showing how shared mail is currently used on a server.
You can see the object store filename, the mail databases that use the
object store, the number of documents referenced in the object store for
each mail database, and the total size of documents in the object store for
each mail database. This information can help you determine how much
disk space you would need if you were to unlink the user’s mail file from
the shared mail database. Likewise, you can see the total size of all
documents in the shared mail database, so you’d know how much space
you would need if you unlinked the entire shared mail database.
To run the Object Collect task to generate shared mail statistics
Enter the following at the server console:
Load Object Info -Full SHARED.NSF
where SHARED.NSF is the full pathname of a shared mail directory or a
specific shared mail database.
Note The Domino Administrator maintains shared mail statistics
cumulatively. As a result, if you have previously populated statistics,
duplicate entries appear. To ensure accurate results, clear existing
information before generating new statistics.
To view shared mail statistics
1. Run the Object Collect task, as described above. To view statistics for
all configured shared mail directories, run the task against each
directory.
2. From the Domino Administrator, click the Messaging - Mail tab.
3. Open the Shared Mail view. The view displays each configured
shared mail directory and the shared mail databases within them.
The following information appears for the shared mail databases or
directories for which you generate statistics in Step 1.

For each shared mail database, the view displays:
• Database name and names of the parent directory and shared mail server
• File name and database title of each mail file that references the
shared mail database
• Number of messages each mail file references in the shared mail database
• Size (in bytes) of all message bodies a given mail file references in
the shared mail database
• Total size (in bytes) of all message bodies in the shared mail database

For each shared mail directory, the view displays the total size (in
bytes) of the message bodies contained in the included shared mail
databases. This value may be less than the true total if you generated
statistics for a subset of the databases in a directory.

For each shared mail server, the view displays the total size (in bytes)
of the message bodies contained in the included shared mail directories
and databases. This value may be less than the true total if you generated
statistics for a subset of the databases in a directory.
Linking unshared messages in a mail file to the object store
After you set up shared mail on a server, Domino automatically stores all
new shared mail messages in the shared mail database. However,
messages that users received before shared mail was enabled, or that
were delivered while shared mail was temporarily disabled, remain in
their mail files as complete messages.
To eliminate redundant copies of messages received by multiple users to
save additional space, you may want to transfer these existing messages
to the object store. To store these messages in a shared mail database, you
use the Object Link command to link the user’s mail file to a shared mail
directory.
During the linking operation, the Object Store Manager moves the
content of each shared message from the user’s mail file to the shared
mail databases in the specified directory. Message headers remain in the
mail file with a link to the shared mail database containing the shared
portion. If more than five messages are moved to the shared mail
database, the Object Store Manager automatically compacts the user’s
mail file to reclaim the disk space that was previously occupied by the
message content. Linking does not determine whether the mail file stores
future messages it receives as complete messages or uses the object store.
If you disable shared mail on the server, or exclude the mail file from
using shared mail, the messages placed in the object store during the
linking process remain there, even if the mail files receive complete
messages in the future.
You can also use the Object Link command to unlink a mail file from all
shared mail databases so that existing messages in the mail file will be
stored as complete messages, and to unlink a shared mail database from all
mail files.
To link a mail file
The linking operation splits complete messages in a mail file into headers
and content and distributes the content to the shared mail databases on
the server. Typically, you would use linking to process the complete
messages in a mail file that is newly replicated to another shared mail
server, or that existed on a server before you enabled shared mail.
Enter this command at the console:
Load Object Link USERMAIL -ALL
where USERMAIL is the name of the directory containing user mail files.
Running this command links messages in the specified user mail files to
the configured shared mail databases in a distributed fashion. You
cannot link a mail file to a specific shared mail database.
To link a mail file without compacting it
By default, if linking a mail file results in more than five messages being
moved to the shared mail database, the Object Store Manager compacts
the user’s mail file. To link a mail file without compacting it, use the
-Nocompact option.
Enter this command at the console:
Load Object Link -Nocompact USERMAIL -ALL
where USERMAIL is the name of a single user mail file or a directory
containing user mail files.
For example:
Load Object Link -Nocompact Mail\DMalone.NSF E:\Lotus\Domino\Shared\SCOS1
Unlinking messages in a user's mail file from the object store
You can restore complete messages to a user’s mail file by unlinking the
mail file from the shared mail databases.
After you unlink existing messages from the shared mail databases, new
messages delivered to the mail file continue to use shared mail as long as
shared mail is enabled on the server, unless you explicitly exclude the
mail file from using shared mail.
For information about excluding a mail file from using shared mail, see
the topic “Excluding a mail file from using shared mail” later in this
chapter.
Note Unlinking a mail file can result in a significant size increase.
To unlink a mail file
Enter this command at the console:
Load Object Unlink USERMAIL.NSF
where USERMAIL.NSF is the complete path to a user mail file or a
directory containing mail files.
To unlink an object store
Enter this command at the console:
Load Object Unlink OBJECTSTORE
where OBJECTSTORE is the name of a shared mail directory or an
individual shared mail database.
Caution Unlinking an object store can significantly increase the size of
all mail files that previously linked to the object store. Before unlinking
an object store, confirm that the disk where user mail files reside includes
enough available space to accommodate the resulting increase.
Excluding a mail file from using shared mail
By default, after you enable shared mail on a server, all mail files on the
server use shared mail for new mail. You can disconnect specific mail
files from shared mail if you want their owners to use standard,
message-based mail, and you can reconnect previously disconnected
mail files to shared mail.
To determine which mail files use shared mail
If a server contains a mix of some mail files that use shared mail and
some that do not, you can display a list of all mail files that use shared
mail. Enter this command at the console:
Load Object Info USERMAIL.NSF
where USERMAIL.NSF is the complete path to the user’s mail file or a
directory that contains mail files.
For example, to determine the shared mail use of all mail files in a
directory, enter:
Load Object Info C:\LOTUS\DOMINO\DATA\MAIL
For each mail database in the directory, the results indicate whether the
mail file is set to use shared mail and currently has links to messages
shared in any shared mail databases:
12/06/2001 03:45:03 PM Object Store Manager: mail\gthiers.nsf is not an object store
12/06/2001 03:45:03 PM Object Store Manager: mail\gthiers.nsf contains notes which use an object store
12/06/2001 03:45:03 PM Object Store Manager: mail\gthiers.nsf is set always to use object store (multiple)
12/06/2001 03:45:05 PM Object Store Manager: mail\ewilson.nsf is not an object store
12/06/2001 03:45:05 PM Object Store Manager: mail\ewilson.nsf contains no notes which use an object store
12/06/2001 03:45:05 PM Object Store Manager: mail\ewilson.nsf is set always to use object store (multiple)
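On a server with hundreds of mail files, reading this console output by eye does not scale, and an administrator auditing which mail files depend on the object store (for example, before taking a shared mail directory Offline) wants it as a table. The following Python parser is an added example for this page, not part of Domino or the manual. Its sample input is reconstructed from the six console lines shown above, joined onto single lines as the console prints them; the regular expressions and the grouping logic are assumptions, and the wording of a "never" state is assumed to parallel the "always" state shown, which is why anything the parser does not recognize is kept verbatim rather than interpreted.

```python
"""Turn 'Load Object Info' console output into a per-mail-file report.

Added example, not Domino code. SAMPLE_OUTPUT is reconstructed from the
console lines shown above (the console prints each entry on one line; the
manual wraps '(multiple)' onto a second line). Only the three statement
forms visible above are interpreted; the policy word after 'is set' is
captured generically on the assumption that other states ('never') are
worded the same way, and anything else is kept verbatim under
'unrecognized' instead of being guessed at.
"""
import re

SAMPLE_OUTPUT = """\
12/06/2001 03:45:03 PM Object Store Manager: mail\\gthiers.nsf is not an object store
12/06/2001 03:45:03 PM Object Store Manager: mail\\gthiers.nsf contains notes which use an object store
12/06/2001 03:45:03 PM Object Store Manager: mail\\gthiers.nsf is set always to use object store (multiple)
12/06/2001 03:45:05 PM Object Store Manager: mail\\ewilson.nsf is not an object store
12/06/2001 03:45:05 PM Object Store Manager: mail\\ewilson.nsf contains no notes which use an object store
12/06/2001 03:45:05 PM Object Store Manager: mail\\ewilson.nsf is set always to use object store (multiple)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} [AP]M)\s+Object Store Manager:\s+"
    r"(?P<file>\S+)\s+(?P<msg>.+?)\s*$")
POLICY_RE = re.compile(r"^is set (?P<policy>\w+) to use object store(?: \((?P<mode>\w+)\))?$")


def parse_object_info(text):
    """Return {mail file: {object_store, has_links, policy, mode, unrecognized}}."""
    report = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue          # other server tasks share the console; skip their lines
        entry = report.setdefault(m["file"], {"object_store": None, "has_links": None,
                                              "policy": None, "mode": None, "unrecognized": []})
        msg = m["msg"]
        if msg == "is not an object store":
            entry["object_store"] = False
        elif msg == "contains notes which use an object store":
            entry["has_links"] = True
        elif msg == "contains no notes which use an object store":
            entry["has_links"] = False
        elif POLICY_RE.match(msg):
            pm = POLICY_RE.match(msg)
            entry["policy"], entry["mode"] = pm["policy"], pm["mode"]
        else:
            entry["unrecognized"].append(msg)
    return report


def mail_files_by_state(report):
    """Group mail files: using the object store for new mail ('always'),
    excluded ('never'), and excluded files that still hold links (their
    messages stay in the object store, so that store must remain available)."""
    using = sorted(f for f, e in report.items() if e["policy"] == "always")
    excluded = sorted(f for f, e in report.items() if e["policy"] == "never")
    return {"using": using, "excluded": excluded,
            "excluded_with_links": [f for f in excluded if report[f]["has_links"]]}


if __name__ == "__main__":
    for mail_file, entry in parse_object_info(SAMPLE_OUTPUT).items():
        print(mail_file, entry)
```

Feed it the console log (or the Object Store Manager lines copied from LOG.NSF) and the "excluded_with_links" group is the one to watch: a mail file set to never use shared mail can still reference bodies in a shared mail database, so that database cannot simply be deleted once the file is excluded.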
To exclude a mail file from using shared mail
Enter this command at the console:
Load Object Set -Never USERMAIL.NSF
where USERMAIL.NSF is the full path for a mail file or a directory that
contains mail files.
For example:
Load Object Set -Never C:\LOTUS\DOMINO\DATA\MAIL\RBOWKER.NSF
sets the mail file RBOWKER.NSF to never use shared mail on the server.
The process has no effect on existing messages.
To include a previously excluded mail file
If you previously excluded a mail file from shared mail and then want it
to use shared mail again, you can re-enable the mail file to use shared
mail for new messages. The process has no effect on existing messages.
Enter this command at the console:
Load Object Reset -Never USERMAIL.NSF
where USERMAIL.NSF is the full path for a mail file or a directory that
contains mail files.
For example:
Load Object Reset -Never C:\LOTUS\DOMINO\DATA\MAIL\
resets all mail files in the MAIL directory that were previously excluded
from using shared mail so they use the object store for new mail.
Replicating mail files that use shared mail
By default, when you replicate a primary mail file that uses shared mail
to another server, messages in the new replica are added to the mail file
as complete documents, even if shared mail is also enabled on the
destination server. Similarly, all future messages replicated from the
primary mail file to the replica mail file are also added as complete
documents. This is necessary, because not only does shared mail prohibit
a mail file on one server from accessing messages in an object store on
another server, but the security settings prevent shared mail databases
from replicating between servers.
Enabling shared mail for replica mail files
By default, after you replicate a mail file to a shared mail server, the new
replica does not use shared mail for either existing messages or messages
added during future replications. Enabling shared mail for replicas of
mail files increases the available space on servers that contain mail files
that are populated using replication. If a user’s primary mail server is
unavailable, the user can retrieve message content by accessing the
replica mail file from the shared mail database on the secondary server.
To have the replica use shared mail, you can:
• Enable the new replica to use the object store on the new server for
messages received from the primary mail file during future replications
• Enable the new replica to use the object store on the new server for
existing messages
Enabling messages added during replication to be placed in the object store
When shared mail is enabled on a server, mail files hosted on the server
automatically use shared mail for new messages received through the
Domino routing process. However, when the replication process, rather
than the Router, adds new mail to a replica mail file, by default, the mail
file stores the mail as complete documents.
To enable messages added during replication to be placed in the object store
To enable messages added during replication to be placed in the object
store, you must set a mail file to always use shared mail. Enter this
command at the console of the server that stores the replica mail files and
that uses shared mail:
Load Object Set -Always USERMAIL.NSF
where USERMAIL.NSF is the name of a replica mail file or a directory
that contains replica mail files. For example,
Load Object Set -Always Dmalone.nsf
causes Domino to store the content of messages replicated to
DMALONE.NSF in one of the configured shared mail databases on the
server during future replications.
To split messages that were previously replicated and place the message
bodies in a shared mail database, use the Load Object Link command.
For more information on the Load Object Link command, see the topic
“Linking unshared messages in a mail file to the object store” earlier in
this chapter.
To enable existing messages in a replica to be placed in the object store
To have a mail file use shared mail for messages that already existed at
the initial replication, link the mail file to the object store on the second
server. For more information on linking a mail file to an object store, see
the topic “Linking unshared messages in a mail file to the object store”
earlier in this chapter.
To disable shared mail for replica mail files
Enter this command at the console of the server that stores the replica
mail files:
Load Object Reset -Always USERMAIL.NSF
where USERMAIL.NSF is the name of a replica mail file or a directory
that contains replica mail files.
Using shared mail with Domino clusters
For a Domino cluster in which some servers have shared mail enabled,
you can create replicas of user mail files, and use cluster replication to
increase mail reliability. Although you cannot use cluster replication to
keep shared mail databases synchronized, you can use cluster replication
to replicate information to another mail file replica and then configure
that replica to use shared mail on the local server. Each server in the
cluster must have shared mail enabled.
Use the procedures in “Enabling shared mail for replica mail files,”
earlier in this chapter, on each cluster member server that hosts replica
mail files. Once activated, Domino clustering (not the Domino Router task)
automatically splits any replicated messages into their header and
content portions, saving the headers in the individual mail databases and
the content portions in the shared mail database on the target server.
You can also use this same procedure for mail file replicas located on
servers not in a cluster — that is, servers kept synchronized by standard
Domino replication.
Moving users or mail files between servers that use shared mail
You may need to move mail files when you need more space on a server
or when users change jobs. When moving a mail file from a server that
uses shared mail, the Administration Process (AdminP) automatically
unlinks the existing mail file from any shared mail databases to which it
may be linked, creates the new mail file, replicates mail to the new mail
file, and deletes the old mail file. When using the Move Users tool to
move a mail file, you can specify whether to use shared mail on the new
server.
For more information on moving mail files, see the chapter “Setting up
and Managing Notes Users.”
Purging obsolete shared mail messages
Each message in a shared mail database contains object links to the mail
files of all recipients of the message. The number of mail files that a
message links to represents the reference or share count for that message.
When a user deletes a message from a personal mail file, Domino
immediately removes the object link to that mail file from the shared mail
database.
When all recipients have deleted a message from their mail files, the
reference count for the message reaches zero, and the message becomes
obsolete. Domino automatically purges the shared portion of obsolete
messages from the shared mail databases immediately after all users
have deleted it from their mail files.
In earlier releases of Domino, links to user mail files and obsolete
messages were not immediately deleted after users deleted messages
from their mail file. Deletions occurred only after the Object Collect task
was run, an expensive process that examines each link in the referencing
databases to determine whether the referring note still exists.
In Domino Release 6, the Object Collect task is used to resynchronize
mail files with a shared mail database and to generate shared mail
statistics. Synchronization between a shared mail database and the mail
files that use it can become disrupted if a shared mail database is
restored from a backup that doesn’t include the most recently received
messages. As a result, these messages are incomplete and cannot be read:
the message headers appear in users’ mail files, but no message body
exists in the object store. Running the Object Collect task resynchronizes
a mail file with the object store by purging incomplete messages. The
task checks each mail file that uses the object store and removes those
messages that have no message body in the object store.
If a mail file has replicas on other servers, messages removed during
resynchronization can be restored to the shared mail database when
replicated to the mail file on the shared mail server.
Running the Object Collect task to purge messages automatically
generates shared mail statistics. For information about using the Object
Collect task to generate shared mail statistics without purging messages,
see the topic “Generating and viewing shared mail statistics” earlier in
this chapter.
To preview which messages will be purged
Before purging obsolete messages, enter this command at the console to
determine which documents will be deleted and how much space will
become available:
Load Object Collect -Nodelete
To purge messages from the shared mail database
Enter one of these commands at the console:
Load Object Collect SHARED.NSF
Load Object Collect -Force SHARED.NSF
where SHARED.NSF is the name of the shared mail directory or a
specific shared mail database. Use the -Force option after you delete a
user’s mail file to reclaim the disk space used by shared messages that
reference the deleted mail file only.
Caution If you do not indicate a specific database, the Object Collect
task purges obsolete messages from all shared mail databases. Also,
before you use the -Force option, ensure that all of the mail files that store
messages in the shared mail database are available. If Domino cannot
write to a mail file referenced by the shared mail database — for example,
if the mail file has been moved or cannot currently accept new mail —
the Object Collect task behaves as though the mail file had been deleted.
As a result, the task deletes messages that should be retained.
To purge messages from a user's mail file
Enter this command at the console:
Load Object Collect USERMAIL.NSF
where USERMAIL.NSF is the name of the user’s mail file.
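The reference-count behaviour, the resynchronization performed by Object Collect, and the -Force caution above can be modelled in a few dozen lines, which makes the hazard concrete: under -Force, a mail file that exists but cannot be opened is indistinguishable from a deleted one, so a message referenced only by that file is purged even though its header is still in the user's mail file. The following Python is an added illustration for this page, not Domino code; the class names, the plan structure returned by object_collect, the mail file names and message sizes are all constructed for the example.

```python
"""Model of shared message reference counts and the Object Collect task.

Added illustration, not Domino code. A message's reference count is the
set of mail files holding a header for it; a user deletion drops that
reference at once and a message whose count reaches zero is purged
immediately (the Domino 6 behaviour described above). Object Collect
handles the rest: headers left without a body after a restore from an
older backup are purged from mail files; with -Force, references to
deleted mail files are dropped so their space is reclaimed; -Nodelete
only reports. The Caution is modelled literally: under -Force a mail
file that cannot be opened is treated exactly like a deleted one.
"""
from dataclasses import dataclass, field


@dataclass
class SharedMessage:
    body_bytes: int
    refs: set = field(default_factory=set)      # mail files holding a header


@dataclass
class MailFile:
    headers: set = field(default_factory=set)   # message ids with a header here
    available: bool = True                      # False: exists but cannot be opened


class ObjectStore:
    def __init__(self):
        self.messages = {}

    def store(self, msg_id, body_bytes, recipients, mail_files):
        """Router delivery: body kept once, a header in each recipient's file."""
        self.messages[msg_id] = SharedMessage(body_bytes, set(recipients))
        for r in recipients:
            mail_files[r].headers.add(msg_id)

    def user_deletes(self, mail_file, msg_id, mail_files):
        """Drop one reference; True if the message became obsolete and was purged."""
        mail_files[mail_file].headers.discard(msg_id)
        msg = self.messages.get(msg_id)
        if msg is None:
            return False
        msg.refs.discard(mail_file)
        if msg.refs:
            return False
        del self.messages[msg_id]
        return True


def object_collect(store, mail_files, force=False, nodelete=False):
    """Return a plan of what Object Collect would do; apply it unless nodelete."""
    plan = {"purge_messages": [], "reclaimed_bytes": 0, "trim_refs": {}, "remove_headers": []}
    for msg_id, msg in store.messages.items():
        live = set()
        for mf in msg.refs:
            f = mail_files.get(mf)
            if f is None and not force:
                live.add(mf)                 # deleted file: reference kept without -Force
            elif f is None or (force and not f.available):
                continue                     # -Force: deleted, or unreachable and so treated as deleted
            elif f.available and msg_id not in f.headers:
                continue                     # header already gone: stale reference
            else:
                live.add(mf)
        if not live:
            plan["purge_messages"].append(msg_id)
            plan["reclaimed_bytes"] += msg.body_bytes
        elif live != msg.refs:
            plan["trim_refs"][msg_id] = live
    for name, f in mail_files.items():       # resync: headers whose body is missing
        if f.available:
            plan["remove_headers"] += [(name, h) for h in sorted(f.headers) if h not in store.messages]
    if not nodelete:
        for msg_id in plan["purge_messages"]:
            del store.messages[msg_id]
        for msg_id, live in plan["trim_refs"].items():
            store.messages[msg_id].refs = live
        for name, h in plan["remove_headers"]:
            mail_files[name].headers.discard(h)
    return plan


def run_scenario(bowker_available=True):
    """Constructed: three users share messages, one mail file is deleted,
    one header survives a restore without its body."""
    a, b, c = "mail\\anders.nsf", "mail\\bowker.nsf", "mail\\carver.nsf"
    mail_files = {a: MailFile(), b: MailFile(available=bowker_available), c: MailFile()}
    store = ObjectStore()
    store.store("m1", 5000, [a, b], mail_files)
    store.store("m2", 7000, [a, c], mail_files)
    store.store("m3", 9000, [c], mail_files)
    store.store("m4", 1100, [b], mail_files)
    store.store("m5", 300, [a], mail_files)
    immediate = store.user_deletes(a, "m5", mail_files)   # last reference: purged on the spot
    store.user_deletes(a, "m2", mail_files)               # carver still references m2
    del mail_files[c]                                     # administrator deletes carver's mail file
    mail_files[a].headers.add("m9")                       # body lost in a restore from backup
    preview = object_collect(store, mail_files, nodelete=True)
    result = object_collect(store, mail_files, force=True)
    return {"immediate": immediate, "preview": preview, "result": result,
            "store": store, "mail_files": mail_files}


if __name__ == "__main__":
    print(run_scenario()["result"])
    print(run_scenario(bowker_available=False)["result"])
```

With every mail file reachable, -Force reclaims only the two messages that referenced the deleted file, and the preview lists the orphan header in anders.nsf without removing it. Run the same scenario with bowker.nsf unreachable and -Force also purges the message referenced only by that file, leaving a header in bowker.nsf that can never be read again; that is the data loss the Caution warns about, and the reason to confirm every referencing mail file is available before using -Force.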
Restoring a shared mail database
Data loss is an unusual occurrence, but it can occur. To prevent data loss
in a shared mail database, enable transaction logging, and use a backup
utility that supports transaction logs. When you restore from the backup
media, Domino automatically applies any notes that have been added
since the backup was taken. In general, you should perform a complete
backup at least once a week, and incremental backups of the transaction
logs every day. Refer to the documentation that came with your backup
utility for specific recommendations.
If you do not use transaction logging, back up the shared mail database
at least once a day and use multiple shared mail databases on the server.
Using multiple shared mail databases on different physical disks can
reduce the amount of shared mail data lost in the event of database
corruption or disk failure.
If data loss occurs on a server that does not use transaction logging or
was not backed up using a utility that supports transaction logging, you
may be unable to restore some messages to the shared mail database.
Therefore, users’ mail files might still contain message headers that
reference message content that was not restored in the shared mail
database. These users cannot read these messages because the shared
mail database doesn’t contain the corresponding message content.
To restore a shared mail database when transaction logging is not enabled
1. Download the most recent backup copy of the shared mail database
to a directory that is not part of the Domino server’s directory
structure. The Domino server’s directory structure includes the data
directory, directories that are referenced by directory links, and
subdirectories of all of these directories. The directory can be on a
network drive if there is not enough room on the server’s local disks
to store the backup copy of the shared mail database.
Setting Up Shared Mail 29-23
Mail
2. At the console, enter the Push command to push changes from the
backup shared mail database to the current shared mail database.
For example, after downloading the backup copy of the shared mail
database into the directory h:\backup, enter this command at the
console:
Push Manufacturing h:\backup\SHARE1.NSF
where Manufacturing is the name of the server and SHARE1.NSF is
the name of the shared mail database.
3. Delete the backup copy of the shared mail database.
4. In the user’s mail file, purge messages that no longer have
corresponding message content in the shared mail file.
Deleting a shared mail database
If your organization decides to stop using shared mail, or a server has
several inactive shared mail databases that only a few mail files still link
to, you may need to delete shared mail databases.
Before deleting a shared mail database, unlink all mail files from it.
Unlinking mail files from a shared mail database places a complete copy
of each message in the shared mail database in all of the mail files listed
in the message’s object store link. If you delete a shared mail database
that is still linked to users’ mail files, those users lose access to message
bodies contained in the database.
Note Before you unlink a shared mail database, verify the number and
size of the messages shared in it to determine if you have enough disk
space available to store complete copies of the shared messages in each
recipient’s mail files.
To delete a shared mail database
1. Enter this command at the console to generate shared mail statistics
that indicate which mail files have links to the object store:
Load Object Info -Full OBJECTSTORE
where OBJECTSTORE is the complete path to a shared mail directory
or a single shared mail database.
For more information on generating shared mail statistics, see the
topic “Generating and viewing shared mail statistics” earlier in this
chapter.
2. View the usage statistics in the Domino Administrator. Use this
information to determine if you have enough disk space available for
storing complete copies of the shared messages in the recipients’ mail
files.
3. Enter this command at the console:
Load Object Unlink SHARED.NSF
where SHARED.NSF is the name of the shared mail database. This
unlinks the shared mail database from all mail files, so that the
messages it contained are restored as complete messages to user mail
files.
4. Delete the shared mail database file.
Disabling shared mail
If you decide to return to the use of message-based mail storage, you can
disable shared mail on the server. After you disable shared mail on a
server, user mail files that were linked to shared mail remain linked to
the now inactive shared mail databases. Because the shared mail
databases still contain the body portion of previously delivered
messages, use caution before moving or removing databases.
To take advantage of the space savings already achieved, you may
choose to preserve inactive shared mail databases in their current state. If
you do decide to retain these inactive databases, they must remain in
their current location to allow users to access messages.
To disable shared mail
1. From the Domino Administrator, click the Configuration tab and
then expand the Server section.
2. Select the Server document to be edited and then click Edit Server.
3. Click the Shared Mail tab.
4. In the Shared Mail field, choose None.
5. To refresh the shared mail configuration enter the following
command at the server console:
SHOW SCOS
For more information about using the Show SCOS command, see the
appendix “Server Commands.”
After you disable shared mail, the Router stops adding new
messages to shared mail databases. However, users whose mail files
remain linked to the shared mail database can still access previously
received messages.

Chapter 30
Setting Up the POP3 Service
This chapter describes how to set up the POP3 service on a Domino
server and how to set up POP3 users.
The POP3 service
POP3 (Post Office Protocol Version 3) is an Internet mail protocol that
allows a user running a POP3 client — for example, the Lotus Notes
POP3 client, Netscape Navigator, Eudora Pro, or Microsoft Outlook
Express — to retrieve mail from a server that runs the POP3 service. You
can set up a Domino server to run the POP3 service. The Domino server
receives and stores mail for POP3 users, who can then connect to the
server to retrieve their mail.
The Domino POP3 service acts as an intermediary for communications
between POP3 mail clients and the Domino mail server. By default, the
Domino POP3 service monitors TCP port 110, where POP3 clients
connect to submit requests to the service to retrieve mail. After receiving
a request, the POP3 service sends mail to the client. POP3 clients let users
specify whether to leave a copy of a message on the server after
retrieving it. By default, messages downloaded by the client are deleted
from the server.
The POP3 service complies with RFC 1939 - Post Office Protocol Version 3.
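The exchange this section describes, as an added example that is not part of the Domino documentation: an in-process toy server that follows the RFC 1939 session states, and a client that downloads mail with and without the "leave a copy on the server" option. The user name, messages and password are constructed sample data.

```python
"""Minimal in-process model of an RFC 1939 POP3 exchange.

Added example, not from the Domino documentation: a toy server that
follows the RFC 1939 session states (AUTHORIZATION, TRANSACTION, UPDATE)
and a client that shows why "leave a copy of a message on the server"
is purely a client-side decision: the client simply never sends DELE.
Deletions are committed only when QUIT moves the session into the UPDATE
state. Mailbox contents and the password are constructed sample data.
"""

# Constructed sample mail file for one POP3 user: two MIME messages.
SAMPLE_MAILBOX = {
    "ajones": [
        "From: bsmith@example.com\r\nSubject: status\r\n\r\nAll green.\r\n",
        "From: ccole@example.com\r\nSubject: lunch\r\n\r\nNoon?\r\n",
    ]
}
# Constructed Internet password (the Person document field a POP3 user
# authenticates with); a real directory stores only a hash of it.
SAMPLE_PASSWORDS = {"ajones": "s3cret-sample"}


class Pop3Server:
    """One POP3 session: commands arrive as lines, replies are returned."""

    def __init__(self, mailboxes, passwords):
        self.mailboxes = mailboxes
        self.passwords = passwords
        self.state = "AUTHORIZATION"
        self.user = None
        self.msgs = []
        self.deleted = set()

    def handle(self, line):
        cmd, _, arg = line.strip().partition(" ")
        cmd = cmd.upper()
        if self.state == "AUTHORIZATION":
            return self._authorize(cmd, arg)
        if self.state == "TRANSACTION":
            return self._transact(cmd, arg)
        return "-ERR session closed"

    def _authorize(self, cmd, arg):
        if cmd == "USER":
            self.user = arg
            return "+OK"
        if cmd == "PASS":
            # Name-and-password authentication. On the plain TCP/IP port
            # (110) this password crosses the network unencrypted; only
            # the SSL port (995) protects it in transit.
            if self.user is not None and self.passwords.get(self.user) == arg:
                self.msgs = list(self.mailboxes.get(self.user, []))
                self.state = "TRANSACTION"
                return "+OK maildrop locked and ready"
            return "-ERR invalid password"
        if cmd == "QUIT":
            self.state = "UPDATE"
            return "+OK"
        return "-ERR not authenticated"

    def _live(self):
        return [(i, m) for i, m in enumerate(self.msgs, 1)
                if i not in self.deleted]

    def _transact(self, cmd, arg):
        if cmd == "STAT":
            live = self._live()
            return f"+OK {len(live)} {sum(len(m) for _, m in live)}"
        if cmd in ("RETR", "DELE"):
            n = int(arg) if arg.isdigit() else 0
            if not 1 <= n <= len(self.msgs) or n in self.deleted:
                return "-ERR no such message"
            if cmd == "RETR":
                return "+OK\r\n" + self.msgs[n - 1] + "."
            self.deleted.add(n)            # marked only; nothing removed yet
            return "+OK marked"
        if cmd == "RSET":
            self.deleted.clear()
            return "+OK"
        if cmd == "QUIT":
            # UPDATE state: marked messages are removed only now.
            self.mailboxes[self.user] = [m for _, m in self._live()]
            self.state = "UPDATE"
            return "+OK bye"
        return "-ERR unknown command"


def retrieve_all(server, user, password, leave_on_server):
    """Client side: log in, download every message, DELE unless leaving copies."""
    if not server.handle(f"USER {user}").startswith("+OK"):
        raise RuntimeError("USER rejected")
    if not server.handle(f"PASS {password}").startswith("+OK"):
        raise PermissionError("authentication failed")
    count = int(server.handle("STAT").split()[1])
    fetched = []
    for n in range(1, count + 1):
        reply = server.handle(f"RETR {n}")
        fetched.append(reply.split("\r\n", 1)[1][:-1])   # drop status and "."
        if not leave_on_server:
            server.handle(f"DELE {n}")
    server.handle("QUIT")   # enters UPDATE; this is where deletions happen
    return fetched
```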
Supporting outbound mail service for POP3 clients
POP3 is a mail access protocol only and does not stipulate any method
for sending mail. To ensure that POP3 clients can send outbound mail,
you must provide them with access to an SMTP server. The SMTP server
can be the Domino server running the POP3 service, another Domino
server, or a non-Domino SMTP server.
For information about specifying the SMTP server that a POP3 client uses
for outbound mail, see the topic “Configuring POP3 client software” later
in this chapter.
Authenticating with the server
The Domino server does not check Notes User ID files to verify the
identity of users who connect from a POP3 client. Because the POP3
service does not use ID files to identify users and control access to
servers, a POP3 user does not have to be a registered Notes user. To
access mail through the POP3 service, users need a mail file on the server
and a Person document (including an Internet password) in the Domino
Directory. Only users who receive encrypted Notes mail or access
Domino applications must be registered Notes users.
To authenticate POP3 users, Domino relies on authentication methods
built into the Internet protocols. The methods available depend on the
server ports you configure the POP3 service to use. The POP3 service can
use a TCP/IP port, a Secure Sockets Layer (SSL) port, or both the TCP/IP
and SSL ports.
If POP3 uses the TCP/IP port only (the default), the server uses basic
name-and-password authentication to identify users. The login names
that the server accepts as valid depend on the setting in the Internet
authentication field on the Security tab of the Server document.
For more information on configuring how Domino authenticates Internet
clients, see the chapter “Setting Up Name-and-Password and
Anonymous Access to Domino Servers.”
If the SSL port is enabled, you can specify whether a client certificate is
required to authenticate (SSL authentication), and whether clients must
also supply a name and password.
For information on setting up an SSL server, see the chapter “Setting Up
SSL on a Domino Server.” For information on setting up clients for SSL,
see the chapter “Setting Up Clients for S/MIME and SSL.”
Accessing a mail file from the Notes client and a POP3 client
POP3 clients use the standard Domino mail file database. This allows
registered Notes users to access their mail files from both a POP3 client
and the Notes mail client.
Setting up the POP3 service
The Domino POP3 service can be run on any Domino server on which a
TCP/IP port is configured. The POP3 protocol provides a mechanism for
retrieving mail only; POP3 clients send mail using the SMTP protocol.
To set up the Domino POP3 service
1. Edit the Server Document to enable the TCP/IP port for POP3.
Optionally, you can configure the POP3 TCP/IP port to run from an
alternate port number, and to accept SSL connections.
For more information on enabling and configuring POP3 ports, see
the topic “Enabling and configuring the POP3 service port” later in
this chapter.
2. Start the POP3 task on the Domino server.
Starting and stopping the POP3 service
You can load the POP3 service manually or start it automatically when
you start the Domino server.

To do this / Perform this task

Start the POP3 service manually
    Enter the following command at the console:
    load POP3

Start the POP3 service automatically when you start the Domino server
    Edit the ServerTasks setting in the NOTES.INI file to include the
    command POP3. Domino adds the POP3 task by default to the NOTES.INI
    file if you select the POP3 service during installation.

Stop the POP3 service
    Enter the following command at the console:
    tell POP3 quit

Enabling and configuring the POP3 service port
For POP3 clients to access mail files on the server, you must enable a
POP3 port on the server. You can enable the TCP/IP port, the SSL port,
or both. By default, the Domino POP3 service uses TCP/IP port 110. A
procedure later in this topic explains how to enable and disable the POP3
port, how to set the POP3 service to use a nonstandard port, and how to
change security options for the port.
Configuring POP3 authentication options on servers that use
Internet Site documents
On servers that use Internet Site documents, the POP3 service obtains
port authentication settings from the Security tab of the POP3 Site
document, rather than from the Server document. As a result, when
Internet Site documents are used, the TCP/IP and SSL port
authentication settings described in the procedures that follow are not
available in the Server document. Settings in the Server document still
provide the port numbers and status for the POP3 TCP/IP and SSL ports,
and enable the POP3 ports to honor server access restrictions.
To determine whether the use of Internet Site documents is enabled for a
server, check the value of the following field on the Basics tab of the
Server document: “Load Internet configurations from Server\Internet
Sites documents.” If this field is set to “Enabled,” the server uses Internet
Site documents to configure all of its Internet protocols (POP3, IMAP,
SMTP, and so forth).
If the server uses Internet Site documents, then you must use Site
documents to configure all Internet protocols on the server. If a POP3 Site
document is not present in the Domino Directory, or the authentication
options in a configured POP3 Site document are set to No, users cannot
connect to the POP3 service. In each case, POP3 clients receive the
following error when attempting to connect to the POP3 service:
This site is not enabled on the server.
For information on creating and using Internet Site documents, see the
chapter “Installing and Setting Up Domino Servers.”
To enable the POP3 TCP/IP port
1. From the Domino Administrator, click the Configuration tab and
then open the Server document for the server that runs the POP3
service.
2. Click the Ports - Internet Ports - Mail tab.
3. To enable the default TCP/IP port, in the Mail (POP) column, change
the value of the TCP/IP port status field to Enabled.
4. Click Save and Close or edit additional settings, as directed in the
following procedure.
Note On servers with multiple TCP/IP ports, by default, the POP3
service uses the port listed first in the NOTES.INI file as the preferred
path. If you want the service to use a port other than the default one, you
can configure it to use a specific port.
For information on configuring an Internet service to bind to a specific
TCP/IP port, see the chapter “Setting Up the Domino Network.”
To configure the POP3 TCP/IP port
1. From the Domino Administrator, click the Configuration tab and
then open the Server document for the server that runs the POP3
service.
2. Click the Ports - Internet Ports - Mail tab.
3. In the Mail (POP) column, complete these fields, and then click Save
and Close:

Field / Enter

TCP/IP port number
    Choose 110 (default) to use the industry standard port for POP3
    connections over TCP/IP. You can specify a different port, but 110
    works in most situations. When specifying a nonstandard port, make
    sure the port is not reserved for another service. Port numbers can
    be any number from 1 to 65535.

TCP/IP port status
    Choose one:
    • Enabled (default) — Allows POP3 clients to connect to the Domino
      server without using SSL. Users must provide their name and
      Internet password to connect.
    • Disabled — Prevents POP3 clients from connecting to the Domino
      server, unless they can connect using SSL.

Enforce server access settings
    Choose one:
    • Yes — Access to the POP3 service is controlled by the server
      access settings on the Security tab of the Server document. Users
      who are not allowed to access the server cannot access mail
      through the POP3 service.
    • No — (default) The POP3 service ignores the server access
      settings in the Server document.

4. Restart the POP3 task to put the new settings into effect.
To enable and configure the POP3 SSL port
1. Familiarize yourself with the Domino security model and set up SSL
on the Domino server.
2. From the Domino Administrator, click the Configuration tab and
then open the Server document for the server that runs the POP3
service.
3. Click the Ports - Internet Ports - Mail tab.
4. In the Mail (POP) column, complete these fields, and then click Save
and Close:

Field / Enter

SSL port number
    Choose 995 (default) to use the industry standard port for POP3
    connections over SSL. You can specify a different port, but 995
    works in most situations. When specifying a nonstandard port, make
    sure the port is not reserved for another service. Port numbers can
    be any number from 1 to 65535.

SSL port status
    Choose one:
    • Enabled — Allows POP3 clients to connect to the POP3 service over
      SSL.
    • Disabled — (default) Prevents client connections over SSL.

Authentication options: Client certificate
    If “SSL port status” is set to Enabled, choose one:
    • Yes — The POP3 SSL port authenticates POP3 clients that use
      client certificates. If a connecting client does not have a
      certificate, the server reverts to using name-and-password
      authentication.
    • No — (default) The POP3 SSL port does not support client
      certificate authentication.

Authentication options: Name & password
    If the “SSL port status” field is set to Enabled, choose one:
    • Yes — POP3 clients use name-and-password authentication when
      connecting to the POP3 service over SSL.
    • No — (default) The POP3 SSL port does not support
      name-and-password authentication.

5. Restart the POP3 task to put the new settings into effect.
Performing additional POP3 configuration
In addition to configuring the POP3 service port, you can customize the
operation of the POP3 service by setting variables in the server’s
NOTES.INI file. Variables used to configure the POP3 service begin with
the prefix “POP3.”
For more information on setting variables in the NOTES.INI file, see the
appendix “NOTES.INI File.”
Setting up POP3 users
To set up POP3 users, perform these procedures:
1. Set up the Person document.
2. Create a mail file for the POP3 user.
3. Configure POP3 client software.
Setting up the Person document for a POP3 user
To access mail files on the Domino server, a POP3 user must have a
Person document in the Domino Directory. For users who already have a
Person document, edit settings in the existing document as necessary to
provide POP3 support. If a user does not have an existing Person
document, you must create a new one. You can create a Person document
manually, or use the Domino registration process to create the Person
document automatically. If you use the Domino registration process,
select POP3 in the “Mail system” field of the Register Person dialog box.
Note By default, the Domino registration process generates a Notes ID
file (and corresponding Notes Public Encryption Key in the Domino
Directory) for each user in addition to creating the Person documents
and mail files required by a POP3 user. Because users who will access
Domino from POP3 clients only do not require a Notes ID, during
registration you can deselect the option to “Create a Notes ID for this
person.” However, if a new POP3 user also requires access to Domino
from a Notes client, Domino Administrator client, or Domino Designer
client, be sure to enable creation of an ID file.
For more information on using the Domino registration process, see the
chapter “Setting Up and Managing Notes Users.”
The following procedure specifies the Person document settings required
for POP3 users and explains how to create a Person document manually.
To set up a Person document for a POP3 user
1. From the Domino Administrator, click the People & Groups tab.
2. Select Domino Directories - Address Book - People.
3. If no Person document exists for this user, click Add Person to create
a new Person document.
To display an existing Person document, select the name of the user,
and click Edit User.
4. Click the Basics tab, complete these fields, and then click Save &
Close:

Field / Description

First name
Last name
User name
    The name the client uses to authenticate with the POP3 server must
    be unique in the Domino Directory. Depending on the level of
    Internet access security established for the server (Server
    document - Security tab), the login name or user name configured on
    the POP3 client must match an entry in one of these fields. Entries
    in the User name field are always accepted as the login name. If
    Internet authentication is set to allow “More name variations with
    lower security,” entries in the First name and Last name fields may
    also be accepted as login names.

Internet password
    The password that the user enters to access the Domino server from
    the POP3 client. POP3 users must have an Internet password that
    complies with your organization’s password quality requirements.

Mail system
    Choose POP or IMAP if the user does not require Notes client access.

Domain
    The name of the Notes domain to which the server belongs.

Mail server
    The name of the POP3 user’s Domino mail server.

Mail file
    The path for the user’s mail file, relative to the Domino data
    directory — for example: MAIL\AJONES.

Forwarding address
    Leave this blank for users who access mail files on the Domino
    server from a POP3 client.

Internet address
    The Internet address at which the user can receive mail within your
    organization. This address must match the Internet address
    specified in the POP3 client.

Format preference for incoming mail
    Choose one:
    • Keep in sender’s format - (default) The mail file may contain
      messages in either Notes rich text or MIME format. When
      delivering messages to the mail file, the local Router preserves
      the current message format. Thus messages received at the server
      in MIME format are stored in the mail file in MIME format, and
      messages received at the server in Notes rich text format are in
      Notes rich text format. When a POP3 client requests a message
      that is stored in Notes rich text format, the POP3 service must
      convert the message to MIME before sending it to the client.
      Because the stored message remains in Notes rich text format,
      each time a POP3 client requests the message, the POP3 service
      must perform the conversion.
    • Prefers MIME - The mail file stores messages in MIME format only.
      Choose this option for users who access mail exclusively from a
      POP3 client. Since POP3 clients require messages in MIME format,
      storing mail in MIME format ensures the best performance for POP3
      users, eliminating the need for the POP3 service to convert
      messages before passing them to the client.
    • Prefers Notes Rich Text - The mail file stores messages in Notes
      format only. The Router converts messages received as MIME into
      Notes rich text before delivery. In addition, the POP3 task must
      convert messages to MIME format when sending them to a POP3
      client. To ensure the best performance, do not choose this option
      for users who access their Domino mail file primarily from a POP3
      client.

When receiving unencrypted mail, encrypt before storing in your mail file
    Choose No (default). POP3 clients cannot read encrypted Notes mail.
    To ensure that users who read mail exclusively from POP3 clients do
    not receive Notes-encrypted mail, remove the POP3 users’ Notes
    public encryption keys from their Person documents. Never remove the
    Notes public key from the Person document of users who access Notes
    databases from a Notes client.

For more information about password quality requirements, refer to
the chapter “Protecting and Managing Notes IDs.”
5. Complete the procedure “Creating a mail file for a POP3 user.”
Creating a mail file for a POP3 user
Each POP3 user must have a mail file on the Domino server. You can
create the mail file automatically during user registration, or you can
manually create a mail file. If the user is already a registered Notes user
who has an existing Notes mail file and if you set up the Person
document to use POP3 as the mail system, the user can use a POP3 client
to access the mail file.
If a user does not have an existing mail file on a Domino server, create a
new one as described in the following procedure.
To manually create a mail file
1. Make sure that you have set up a Person document for the POP3
user.
2. Choose File - Database - New.
3. In the New Database dialog box, enter the following:

Field / Enter

Server
    The Domino mail server that stores the user’s mail file.

Title
    The name of the client’s mail file — for example, Alan Jones’ Mail.

File name
    The full path to the mail file, relative to the Domino data
    directory — for example, MAIL\AJONES.NSF.

4. From the list of template names, select Mail (R6) with the filename
MAIL6.NTF, and click OK.
5. After Domino creates and opens the mail file, determine what level
of access is appropriate for both the user and you, as the
administrator. Then, edit the Access Control List (ACL) as follows:
a. Choose File - Database - Access Control.
b. From the Access Control List dialog box, create an ACL entry for
the user by clicking Add and then selecting the user’s name from
the Domino Directory.
c. Set the user type to Person and select the level of access. Users
require at least Editor with Delete document access.
d. (Optional) Select your name from the ACL and click Remove. As
the administrator, you can choose to retain Manager access,
particularly for users who do not have Notes client access.
e. Click OK to save the entry and close the ACL.
6. Complete the procedure “Configuring POP3 client software.”
Configuring POP3 client software
After you set up a Domino server to run the POP3 service, users can
access their mail files on the Domino server from any POP3 mail client.
The POP3 service supports all POP3-compliant clients — for example,
the Lotus Notes POP3 client, Microsoft Outlook and Outlook Express,
Netscape Messenger, and Qualcomm Eudora.
The requirements for configuring POP3 client software differ for each
product. This table presents general requirements.

Field / Description

Incoming mail (POP3) server
    Fully qualified host name of the Domino POP3 server.

Outgoing mail (SMTP) server
    The fully qualified host name of a server running SMTP to which the
    user can send mail addressed to intranet or Internet recipients.
    The SMTP server may be the Domino server running the POP3 service,
    a different Domino server, or a non-Domino SMTP server.

Authentication required to send outbound mail
    Specifies whether the configured SMTP server requires users to
    provide a name and password before they can send outgoing messages.

Account/Login name
    The name by which the user authenticates with the Domino server.
    Valid user name values depend on the setting in the Internet
    authentication field of the Server document:
    • If the server is set to use “More name variations with lower
      security,” users can enter a login name that matches any entry in
      the First name, Last name, User name or Short name/UserID field
      of the Person document, as long as it is unique within the Domino
      Directory, for example, JCorrer.
    • If the server uses “Fewer name variations with higher security,”
      a user’s login name must match an entry in the User name field of
      the Person document, for example, Jada Correr/ACME.

Password
    The Internet password from the user’s Person document.

Automatically delete mail documents from the POP3 server after the
client copies them locally.
    By default, when downloading messages from the server, most POP3
    clients delete the server copy to conserve disk space. For users who
    read mail from both the Notes client and a POP3 client, make sure
    the POP3 client is set to leave messages on the server.

POP3 client should check for mail no more than every five (5) minutes.
    Determines how often the POP3 client checks for mail. If the client
    checks for mail more frequently, it may affect server performance.

E-mail address
    The Internet address specified in the user’s Person document.

For more information on the relationship between security settings and
valid login names, see the chapter “Setting Up Name-and-Password and
Anonymous Access to Domino Servers.”
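The login-name matching that the Person document fields and the Account/Login name row above describe, as an added example that is not Domino code: it resolves a POP3 login name under both Internet authentication settings and audits a directory for names that would become ambiguous under the wider setting. The Person documents, names and passwords are constructed sample data, and case-insensitive comparison is an assumption of the example.

```python
"""Login-name resolution for POP3 name-and-password authentication.

Added example, not Domino code. It models how the "Internet
authentication" field of the Server document changes which Person
document fields a POP3 login name may match, and why the wider set is
lower security: a login name must be unique in the Domino Directory, so
two Person documents sharing a first name or last name make that name
ambiguous and unusable. The directory below is constructed sample data;
field names follow the Person document (First name, Last name, User
name, Short name/UserID, Internet password).
"""
import hmac
from collections import Counter
from dataclasses import dataclass

FEWER_VARIATIONS = "Fewer name variations with higher security"
MORE_VARIATIONS = "More name variations with lower security"


@dataclass
class PersonDoc:
    first_name: str
    last_name: str
    user_names: list        # the User name field is multi-valued
    short_name: str         # Short name/UserID
    internet_password: str  # kept hashed in a real directory; plain here


# Constructed sample directory: two people who share a first name.
SAMPLE_DIRECTORY = [
    PersonDoc("Jada", "Correr", ["Jada Correr/ACME", "Jada Correr"],
              "JCorrer", "sample-pw-1"),
    PersonDoc("Jada", "Lopez", ["Jada Lopez/ACME", "Jada Lopez"],
              "JLopez", "sample-pw-2"),
]


def candidate_names(doc, setting):
    """Fields a login name may match under the given server setting."""
    names = list(doc.user_names)          # User name is always accepted
    if setting == MORE_VARIATIONS:
        names += [doc.first_name, doc.last_name, doc.short_name]
    return names


def resolve_login(directory, login, setting):
    """Return the single Person document that `login` identifies, or None.

    Comparison is case-insensitive (an assumption of this example).
    A login that matches more than one document is rejected, because
    the documentation requires the login name to be unique in the
    directory.
    """
    key = login.casefold()
    hits = [d for d in directory
            if any(n.casefold() == key for n in candidate_names(d, setting))]
    return hits[0] if len(hits) == 1 else None


def authenticate(directory, login, password, setting):
    """Basic name-and-password check as the POP3 TCP/IP port performs it."""
    doc = resolve_login(directory, login, setting)
    if doc is None:
        return False
    return hmac.compare_digest(doc.internet_password.encode(),
                               password.encode())


def ambiguous_logins(directory, setting):
    """Audit helper: names that would collide under `setting`.

    Run this before switching a server to "More name variations": every
    name returned is one that no user can log in with any more.
    """
    counts = Counter(n.casefold()
                     for d in directory for n in candidate_names(d, setting))
    return {n for n, c in counts.items() if c > 1}
```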
Chapter 31
Setting Up the IMAP Service
This chapter describes how to set up a Domino server to use the IMAP
service and how to set up IMAP users.
The IMAP service
The Domino server supports the Internet Mail Access Protocol
(IMAP4rev1), defined in RFC 2060, for reading mail. The Domino IMAP
service lets users with IMAP mail clients access mail files on a Domino
server. The IMAP service differs from the POP3 service in that users are
not required to download messages to a local computer to read and
manipulate them. Users can work with messages over the network, while
the messages remain on the server.
The Domino IMAP service acts as an intermediary for communications
between IMAP mail clients and the Domino mail server. By default, the
IMAP service monitors TCP port 143 for IMAP client requests. After
connecting to the IMAP service, IMAP mail clients can:
• Access messages on the Domino mail server
• Retrieve messages from the Domino mail server and store them locally
• Copy messages for offline use and then later synchronize with mail on
  the server
• View folders in another user’s mail file or public folders in a shared
  database (requires a client that supports the IMAP NAMESPACE
  extension)
Supporting outbound mail service for IMAP clients
IMAP is a mail access protocol only and does not stipulate any method
for sending mail. To ensure that IMAP users can send outbound mail,
you must provide them with access to an SMTP server. The SMTP server
can be the Domino server running the IMAP service, another Domino
server, or a non-Domino SMTP server.
For information about specifying the SMTP server that an IMAP client
uses for outbound mail, see the topic “Configuring IMAP client
software” later in this chapter.
Authenticating with the server
When a user connects to the IMAP service, rather than verifying the
user’s identity by checking a Notes ID file, the IMAP service uses
name-and-password authentication, SSL, or both. Because Notes ID files
are not used, an IMAP user does not have to be a registered Notes user.
To access mail through the IMAP service, users need a mail file on the
server and a Person document (including an Internet password) in the
Domino Directory. Only users who receive encrypted Notes mail or
access Domino applications must be registered Notes users. The IMAP
service can authenticate users from entries in the primary Domino
Directory or any secondary directory used by the server.
To authenticate IMAP users, Domino relies on authentication methods
built into the Internet protocols. The methods available depend on the
server ports you configure the IMAP service to use. The IMAP service
can use a TCP/IP port, or a Secure Sockets Layer (SSL) port, or both the
TCP/IP and SSL ports.
If IMAP uses the TCP/IP port only (the default), the server uses basic
name-and-password authentication to identify users. The name under
which a user can log in to the IMAP service must match one of several
fields in the user’s Person document. The set of names that the server
accepts as valid depends on the setting in the Internet authentication
field on the Security tab of the Server document.
For more information on configuring how Domino authenticates Internet
clients, see the chapter “Setting Up Name-and-Password and
Anonymous Access to Domino Servers.”
If the IMAP SSL port is enabled, you can specify whether a client
certificate is required to authenticate (SSL authentication), and whether
clients must also supply a name and password.
For information on setting up an SSL server, see the chapter “Setting Up
SSL on a Domino Server.” For information on setting up clients for SSL,
see the chapter “Setting Up Clients for S/MIME and SSL.”
How Domino modifies mail files to support IMAP
IMAP clients use a standard Domino mail file that must be specially
enabled for IMAP. If you enable IMAP access for the mail file of a
registered Notes user, the user can access the file from either the Notes
client or from an IMAP client.
A standard Domino mail file stores information about the messages it
contains within database items of the message. Notes clients can read and
interpret the information stored in these items, but IMAP clients cannot.
To support IMAP clients and store IMAP-specific information, the
Domino mail file requires the addition of special IMAP database items.
IMAP stores message information within its own set of attributes. For a
Domino mail file to be used with IMAP, Notes/Domino items in the mail
file have to be translated into IMAP attributes. In addition, the mail file
must be set up so that all future messages delivered to it store attribute
information in IMAP format.
To enable IMAP clients to access Domino mail files, run the mail
conversion utility. The conversion process places information about each
message, such as its message ID and folder location, into the message’s
IMAP attributes, and sets a flag in the mail file that notifies the Router to
add these IMAP attributes when delivering future messages.
You can run the conversion utility manually to convert mail files before
users log in to the IMAP service, or set up the IMAP service so that it
converts mail files automatically the first time a user logs in.
Note To avoid possible conversion delays, run the conversion utility
before users log in.
Before running the conversion utility, you may first need to prepare the
mail file. For more information, see the topic “Preparing a mail file for
IMAP access” later in this chapter.
Additional IMAP attributes for improving client download of
message headers
When an IMAP client opens an IMAP-enabled mail file, it issues a
FETCH command to the server, requesting information that enables it to
display message headers. To improve performance for IMAP clients
downloading message headers, the Router adds these IMAP attributes to
messages delivered to an IMAP-enabled mail file:
• $Content_Type
• IMAP_BodyStruct
• IMAP_RFC822Size
Note The Router adds these attributes only if the recipient’s Person
document specifies MIME as the preferred mail storage format. The
attributes are not added to messages delivered in MIME format to a user
whose storage preference is set to “Keep in sender’s format.”
These attributes contain summary information about the MIME content
type, structure, and size of a message. Exactly how the attributes are
used depends on the client. Almost all clients request size information. In
addition, some request type and body structure information. If these
summary attributes are present, when the IMAP service returns message
headers in response to a client FETCH request, it uses the attribute
information to fulfill the request, rather than opening each message to
obtain the information. As a result, the client displays message headers
much more quickly than it can in the absence of the summary attributes.
The improved response time is especially significant for large mail files
with a high percentage of messages in Notes rich text format.
Note The Domino Release 6 IMAP service does not use the settings on
the Basics tab of the Configuration Settings document for specifying
whether to return the exact size of messages. This field appears in the
Configuration Settings document to provide backward compatibility
with earlier versions of Domino.
After you run the conversion utility to enable a mail file for IMAP use,
you have to run the conversion utility a second time, using the -h option,
to add these attributes to messages. The initial mail file conversion
performed to enable a mail file for IMAP use does not add IMAP-specific
attributes to pre-existing messages in the mail file, regardless of whether
you run CONVERT manually or let the IMAP service automatically
enable mail files. Thus messages added to a mail file before it is enabled
for IMAP never contain these summary attributes.
After you enable a mail file for IMAP use, the Router automatically adds
these IMAP attributes to messages, if the mail storage preference is set to
Prefers MIME in the user’s Person document. However it does not add
them to messages stored in Notes rich text format.
For more information about running the mail conversion utility using the
-h option, see the topic “Using the conversion utility to add IMAP
summary attributes to messages” later in this chapter.
Setting up the IMAP service
The Domino IMAP service can be run on any Domino server on which a
TCP/IP port is configured. For information about configuring TCP/IP,
refer to the chapter “Setting Up the Domino Network.”
IMAP provides a mechanism for retrieving mail only; IMAP clients send
mail using SMTP. For information about enabling SMTP, refer to the
chapter “Setting Up Mail Routing.”
To set up the Domino IMAP service
1. Edit the Server Document to enable the TCP/IP port for IMAP
Optionally, you can configure the IMAP TCP/IP port to run from an
alternate port number, and to accept SSL connections.
For more information on enabling and configuring IMAP ports, refer
to the topic “Enabling and configuring the IMAP service port” later
in this chapter.
2. Start the IMAP task on the Domino server.
Starting and stopping the IMAP task
You can load the IMAP task manually or start it automatically when you
start the Domino server.

To do this                                 Perform this task
Start the IMAP service manually            Enter the following command at the console:
                                           load imap
Start the IMAP service automatically       Edit the ServerTasks setting in the NOTES.INI
when you start the Domino server           file to include the command imap. Domino adds
                                           the IMAP task to the NOTES.INI file by default
                                           if you select the IMAP service during
                                           installation.
Stop the IMAP service                      Enter the following command at the console:
                                           tell imap quit

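The ServerTasks edit in the table above, as an added example that is not code from the Domino documentation: a small Python routine that adds or removes the imap task on the ServerTasks line of NOTES.INI without disturbing the other tasks, and does nothing if the task is already in the state you ask for. The NOTES.INI content in the block is constructed; the file path is the only thing you would supply.

```python
"""Add or remove the IMAP task on the ServerTasks line of a Domino NOTES.INI.

Added example; not code from the Domino documentation. SAMPLE_NOTES_INI is
constructed. Restart the Domino server (or type `load imap` at the console)
for the change to take effect.
"""
import re
from typing import List, Tuple

# Constructed sample of the relevant part of a NOTES.INI (CRLF line endings,
# as written on Windows).
SAMPLE_NOTES_INI = (
    "[Notes]\r\n"
    "Directory=C:\\Lotus\\Domino\\data\r\n"
    "ServerTasks=Update,Replica,Router,AMgr,AdminP,HTTP\r\n"
    "ServerTasksAt1=Catalog,Design\r\n"
)

# Only the ServerTasks= line, not ServerTasksAt1=, and not the line ending.
_TASK_LINE = re.compile(r"^ServerTasks=([^\r\n]*)", re.IGNORECASE | re.MULTILINE)


def server_tasks(ini_text: str) -> List[str]:
    """Return the tasks listed on the ServerTasks= line (empty list if absent)."""
    m = _TASK_LINE.search(ini_text)
    if not m:
        return []
    return [t.strip() for t in m.group(1).split(",") if t.strip()]


def set_task(ini_text: str, task: str, enabled: bool) -> Tuple[str, bool]:
    """Add (enabled=True) or remove (enabled=False) `task`, case-insensitively.

    Returns (new_text, changed). Other tasks keep their order and spelling.
    A missing ServerTasks line is created only when enabling; the file's own
    line ending convention is reused.
    """
    tasks = server_tasks(ini_text)
    present = any(t.lower() == task.lower() for t in tasks)
    if present == enabled:
        return ini_text, False
    if enabled:
        tasks.append(task)
    else:
        tasks = [t for t in tasks if t.lower() != task.lower()]
    new_line = "ServerTasks=" + ",".join(tasks)
    if _TASK_LINE.search(ini_text):
        # lambda avoids backslash processing in the replacement text
        new_text = _TASK_LINE.sub(lambda _m: new_line, ini_text, count=1)
    else:
        sep = "\r\n" if "\r\n" in ini_text else "\n"
        new_text = ini_text.rstrip("\r\n") + sep + new_line + sep
    return new_text, True


def enable_imap_in_file(path: str) -> bool:
    """Rewrite NOTES.INI at `path` so the IMAP task starts with the server."""
    with open(path, "r", newline="") as fh:  # newline="" keeps CRLF intact
        text = fh.read()
    new_text, changed = set_task(text, "imap", True)
    if changed:
        with open(path, "w", newline="") as fh:
            fh.write(new_text)
    return changed
```

Edit the file while the server is stopped: Domino rewrites NOTES.INI as it shuts down, so an edit made to the file while the server is running can be overwritten. On a running server, the console command `set configuration ServerTasks=...` changes the setting in place instead.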
Customizing the IMAP service
You customize the IMAP service by editing the Server document and
Configuration Settings document. You can change the following settings:
• IMAP port configuration
• IMAP session limits
• Enable IMAP during login
• Access to other users’ and public folders
• Thread use
• Default service greetings
Enabling and configuring the IMAP service port
From the Domino Administrator you can modify the current IMAP port
configuration to:
• Enable or disable the IMAP TCP/IP or SSL port
• Change the TCP/IP or SSL port number
• Enable or disable TCP/IP or SSL authentication options
By default, IMAP clients connect to TCP/IP port 143 on the Domino
server. You might need to specify a different port number if there are
multiple instances of the IMAP service on the host machine, as, for
example, on a partitioned server. You might also change the default port
to a nonstandard port number to “hide” it from clients attempting to
connect to the default port, or if another application uses the default port
on the server. A nonstandard port is found by any port scan, so it is not a
security control: to prevent IMAP clients from accessing the Domino
server, disable the port or change the security options.
Configuring IMAP authentication options on servers that use
Internet Site documents
On servers that use Internet Site documents, the IMAP service obtains
port authentication settings from the Security tab of the IMAP Site
document, rather than from the Server document. As a result, when
Internet Site documents are used, the TCP/IP and SSL port
authentication settings described in the procedures that follow are not
available in the Server document. Settings in the Server document still
provide the port numbers and status for the IMAP TCP/IP and SSL
ports, and enable the IMAP ports to honor server access restrictions.
To determine whether the use of Internet Site documents is enabled for a
server, check the value of the following field on the Basics tab of the
Server document: “Load Internet configurations from Server\Internet
Sites documents.” If this field is set to “Enabled,” the server uses Internet
Site documents to configure all of its Internet protocols (IMAP, POP3,
SMTP, and so forth).
If the server uses Internet Site documents, and an IMAP Site document is
not present in the Domino Directory, or the authentication options in a
configured IMAP Site document are set to No, users cannot connect to
the IMAP service. In each case, IMAP clients receive the following error
when attempting to connect to the IMAP service:
This site is not enabled on the server.
For information on creating and using Internet Site documents, see the
chapter “Installing and Setting Up Domino Servers.”
To enable the IMAP TCP/IP port
1. From the Domino Administrator, click the Configuration tab and
then open the Server document for the server that runs the IMAP
service.
2. Click the Ports - Internet Ports - Mail tab.
3. To enable the default TCP/IP port, in the Mail (IMAP) column,
change the value of the TCP/IP port status field to Enabled.
4. Click Save and Close or edit additional settings, as directed in the
following procedure.
Note On servers with multiple TCP/IP ports, by default, the IMAP
service uses the port listed first in the NOTES.INI file as the preferred
path. If you want the service to use a port other than the default one, you
can configure it to use a specific port.
For information on configuring an Internet service to bind to a specific
TCP/IP port, see the chapter “Setting Up the Domino Network.”
To configure the IMAP TCP/IP port
1. From the Domino Administrator, click the Configuration tab and
then open the Server document for the server that runs the IMAP
service.
2. Click the Ports - Internet Ports - Mail tab.
3. In the Mail (IMAP) column, complete these fields, and then click
Save & Close:

Field                  Enter
TCP/IP port number     Choose 143 (default) to use the industry standard port for
                       IMAP connections over TCP/IP. You can specify a different
                       port, but 143 works in most situations. When specifying a
                       nonstandard port, make sure the port is not reserved for
                       another service. Port numbers can be any number from 1 to
                       65535.
TCP/IP port status     Choose one:
                       • Enabled (default) - Allows IMAP clients to connect to
                         the Domino server without using SSL. Users must provide
                         their name and Internet password to connect. On this
                         port the password crosses the network in the clear, so
                         prefer Disabled or Redirect to SSL where clients
                         support SSL.
                       • Disabled - Prevents IMAP clients from connecting to the
                         Domino server, unless they can connect using SSL.
                       • Redirect to SSL - Denies access to clients connecting
                         to the IMAP TCP/IP port, but returns a message
                         indicating that they must connect over SSL. You can
                         specify the contents of the message.
                       To support IMAP clients, either the IMAP TCP/IP port or
                       the IMAP SSL port must be enabled, and the IMAP task must
                       be running on the server.
Enforce server access  Choose one:
settings               • Yes - Access to the IMAP service is controlled by the
                         server access settings on the Security tab of the
                         Server document. Users who are not allowed to access
                         the server cannot access mail through the IMAP service.
                       • No - (default) The IMAP service ignores the server
                         access settings in the Server document.

For information on customizing IMAP service greetings, see the topic
“Specifying the default IMAP service greetings” later in this chapter.
For instructions on setting up the IMAP SSL port, refer to the next
topic, “To enable and configure the IMAP SSL port.”
4. Restart the IMAP task to put the new settings into effect.
To enable and configure the IMAP SSL port
1. Familiarize yourself with the Domino security model and set up SSL
on the Domino server.
2. From the Domino Administrator, click the Configuration tab and
then open the Server document for the server that runs the IMAP
service.
3. Click the Ports - Internet Ports - Mail tab.
4. In the Mail (IMAP) column, complete these fields, and then click
Save & Close:

Field                    Enter
SSL port number          Choose 993 (default) to use the industry standard port
                         for IMAP connections over SSL. You can specify a
                         different port, but 993 works in most situations. When
                         specifying a nonstandard port, make sure the port is not
                         reserved for another service. Port numbers can be any
                         number from 1 to 65535.
SSL port status          Choose one:
                         • Enabled - Allows IMAP clients to connect to the IMAP
                           service over SSL.
                         • Disabled - (default) Prevents client connections over
                           SSL.
Authentication options:  If “SSL port status” is set to Enabled, choose one of
Client certificate       the following:
                         • Yes - Allows IMAP clients to connect using client
                           certificate authentication.
                         • No - (default) Prevents the IMAP service from using
                           client certificate authentication.
Authentication options:  If the “SSL port status” field is set to Enabled, choose
Name & password          one of the following:
                         • Yes - Allows IMAP clients to use name-and-password
                           authentication when connecting to the IMAP service
                           over SSL.
                         • No - (default) Prevents IMAP clients from using
                           name-and-password authentication over SSL.

5. Restart the IMAP task to put the new settings into effect.
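A check of the port settings in the two tables above, as an added example that is not code from the Domino documentation: it connects to the TCP/IP port to see whether it is closed or still lets a client log in without SSL, and to the SSL port with certificate verification turned on. Hostnames are placeholders, and the CAPABILITY lines used in the offline test are constructed, not captured from a Domino server.

```python
"""Probe a Domino server's IMAP ports after changing the port settings.

Added example; not code from the Domino documentation. It checks that the
TCP/IP port (143) is either closed or advertises no way to log in without
SSL, and that the SSL port (993) presents a certificate the client trusts.
Hostnames are placeholders; the CAPABILITY lines used in the offline test
are constructed, not captured from Domino.
"""
import socket
import ssl
from typing import Dict, Optional, Set


def parse_capabilities(line: str) -> Set[str]:
    """Capability tokens from '* CAPABILITY ...' or from a greeting such as
    '* OK [CAPABILITY IMAP4rev1 LOGINDISABLED] ready'; empty set otherwise."""
    text = line.strip()
    if "[CAPABILITY" in text:
        text = text.split("[CAPABILITY", 1)[1].split("]", 1)[0]
    elif text.upper().startswith("* CAPABILITY"):
        text = text[len("* CAPABILITY"):]
    else:
        return set()
    return {tok.upper() for tok in text.split()}


def cleartext_login_possible(caps: Set[str]) -> bool:
    """True if a client could send a password in the clear on this port.

    LOGINDISABLED (RFC 2595) withholds LOGIN until TLS is negotiated; a
    cleartext AUTH=PLAIN or AUTH=LOGIN offered alongside it still exposes
    the password, so only LOGINDISABLED without those counts as safe.
    """
    if "LOGINDISABLED" not in caps:
        return True
    return "AUTH=PLAIN" in caps or "AUTH=LOGIN" in caps


def probe_plain_port(host: str, port: int = 143, timeout: float = 5.0) -> Optional[str]:
    """Greeting plus CAPABILITY reply from the cleartext port, or None when
    the connection is refused (the port status 'Disabled')."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            f = s.makefile("rwb")
            lines = [f.readline().decode("utf-8", "replace")]  # greeting
            f.write(b"a1 CAPABILITY\r\n")
            f.flush()
            while True:
                line = f.readline().decode("utf-8", "replace")
                if not line:
                    break  # server closed the connection (e.g. Redirect to SSL)
                lines.append(line)
                if line.startswith("a1 "):
                    break
            f.write(b"a2 LOGOUT\r\n")
            f.flush()
            return "".join(lines)
    except OSError:  # refused, timed out, unreachable
        return None


def probe_ssl_port(host: str, port: int = 993, timeout: float = 5.0) -> str:
    """Greeting from the SSL port with certificate and hostname verification;
    raises ssl.SSLCertVerificationError if the certificate is not trusted."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.recv(1024).decode("utf-8", "replace")


def audit(host: str) -> Dict[str, object]:
    """Summarize both ports for one server."""
    result: Dict[str, object] = {}
    plain = probe_plain_port(host)
    result["plain_port_open"] = plain is not None
    if plain is not None:
        caps: Set[str] = set()
        for line in plain.splitlines():
            caps |= parse_capabilities(line)
        result["cleartext_login_possible"] = cleartext_login_possible(caps)
    result["ssl_greeting"] = probe_ssl_port(host)
    return result
```

After setting the TCP/IP port status to Disabled, `plain_port_open` should be False; with Redirect to SSL the port answers but the CAPABILITY exchange ends when the server closes the connection, and `cleartext_login_possible` tells you whether a client could still have logged in. Run `audit` from outside the server's own host so that any intervening firewall is part of what you measure.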
Setting IMAP session limits
You can configure the following IMAP session limits:
• Maximum number of IMAP sessions
• Default timeout value
Specifying the maximum number of IMAP sessions
To maintain a session with a client, Domino allocates a main session
thread, which uses a certain portion of the server’s memory. Each IMAP
client connecting to the server consumes an additional session thread,
and thus a certain amount of memory. If the memory consumed by IMAP
sessions exceeds what is available, the server can become unstable.
To ensure that servers can properly support the number of connecting
IMAP clients, you can set a limit on the number of concurrent IMAP
sessions allowed. By default, servers do not place limits on the number of
concurrent IMAP sessions, so any client that can reach the IMAP port can
open sessions until the server runs short of memory; set a limit on servers
that are reachable from untrusted networks.
After the number of sessions reaches the specified limit, the IMAP
service rejects additional connection attempts.
Note You cannot use the NOTES.INI variable, IMAPMaxSessions,
available in Domino 5.0.3, to limit the number of IMAP sessions on a
Domino Release 6 server.
Specifying a default IMAP session timeout value
After a user opens a session with the IMAP service, the service waits for
commands from the mail client. If no commands are received, the session
is considered to be idle. Sessions that are idle for a long period may be
the result of a user forgetting to log out after completing their mail
processing. Because servers must allocate memory for each IMAP session
and send periodic keep-alive messages to a client to maintain the
connection, idle sessions represent a waste of server resources.
You can limit how long the server continues to maintain client sessions
that do not show any activity. Specify the number of minutes that the
IMAP service waits before disconnecting idle IMAP client sessions. Many
IMAP clients poll for new mail every 10 minutes, so it’s best to set the
value to greater than 10 minutes, because the overhead of supporting an
idle session is less than the overhead required to support clients logging
in and opening mailboxes.
By default, servers drop idle sessions after 30 minutes.
Note You cannot use the NOTES.INI variable, IMAP_Session_Timeout,
available in earlier versions of Domino, to configure the IMAP session
timeout on a Domino Release 6 server.
To set IMAP session limits
1. Make sure you already have a Configuration Settings document for
the server(s) to be configured.
2. From the Domino Administrator, click the Configuration tab and
expand the Messaging section.
3. Click Configurations.
4. Select the Configuration Settings document for the mail server or
servers you want to configure, and click Edit Configuration.
5. Click the IMAP - Basics tab.
6. Complete the following fields and then click Save & Close:

Field                   Enter
Maximum number of       The maximum number of concurrent IMAP client sessions
IMAP sessions           the server allows. By default, no limit is imposed.
IMAP session timeout    The time, in minutes, that the IMAP service continues to
                        maintain an idle session. If there is no client activity
                        by the end of the specified time, Domino closes the
                        session. By default, servers drop idle sessions after 30
                        minutes.

Note These settings apply to Domino Release 6 and later. To specify
IMAP session limits on a Domino Release 5 or earlier server, use the
IMAPMaxSessions and IMAP_Session_Timeout settings in the
NOTES.INI file.
For more information on these settings, see the appendix
“NOTES.INI File.”
Setting the IMAP service to automatically enable mail files at login
User mail files must be specially enabled for IMAP use. After a mail file
is enabled, Domino converts information about each message in the mail
file, such as its message ID and folder location, into a set of IMAP
attributes. IMAP clients use these attributes to organize messages for
display. An additional attribute informs the Router to add IMAP
attributes to new messages delivered to the mail file.
Note When the mail conversion utility enables a mail file for IMAP use,
it does not automatically add IMAP summary attributes, which enable
clients to download message headers more efficiently, to messages that
were already in the file before conversion occurred. To add IMAP
summary attributes to preexisting messages, rerun the conversion utility
manually, using the -h option.
For information on adding IMAP summary attributes to messages in a
user’s mail file, see the topic “Using the conversion utility to add IMAP
summary attributes to messages” later in this chapter.
By default, the IMAP service is set to automatically enable mail files
during login. When the default setting is used, whenever a user logs in,
the IMAP service checks the user’s mail file to see if it is enabled. If a
mail file is not currently enabled, the IMAP service provides a dedicated
conversion thread to enable it. This conversion thread continues to work
on this one mail file until it completes the task. If additional users require
conversion services at the same time, the IMAP service provides an
additional conversion thread for each instance.
Each conversion can require several minutes to complete, with
conversion times for users with slow connections typically needing more
time. Because the conversion threads are drawn from the same thread
pool responsible for servicing other IMAP requests, a high number of
conversions can place a high demand on the available IMAP resources.
This can result in increased response times and service delays not only
for those whose mail files require conversion, but for other users
connecting to the service as well. The likelihood of delay naturally
increases if there are a large number of users accessing the server for the
first time.
To prevent service delays on busy servers where many mail files require
conversion, consider disabling automatic conversion during peak hours,
particularly if users typically log in over a phone line or other slow
connection. If you disable automatic conversion, users whose mail files
are not enabled for the Domino Release 6 IMAP service cannot access
their mail files from an IMAP client and receive the following error
message after each login attempt:
The database has not been enabled for IMAP.
When automatic conversion is not available, you must convert users’
mail files manually before they can access mail from IMAP clients. For
information on manually converting mail files for IMAP access, see the
topic “Running the mail conversion utility to enable a mail file for IMAP”
later in this chapter.
To specify whether the IMAP service automatically enables mail
files
1. Make sure you already have a Configuration Settings document for
the server(s) to be configured.
2. From the Domino Administrator, click the Configuration tab and
expand the Messaging section.
3. Click Configurations.
4. Select the Configuration Settings document for the mail server or
servers you want to configure, and click Edit Configuration.
5. Click the IMAP - Basics tab.
6. Complete the following field and then click Save & Close:

Field                   Enter
Enable IMAP during      Choose one:
login                   • Enabled - (default) The IMAP service automatically
                          converts mail files to Lotus Domino Release 6 IMAP
                          format the first time a user logs in from an IMAP
                          client.
                        • Disabled - Administrators must manually convert mail
                          files for IMAP use before users can access mail from
                          an IMAP client.

Configuring the IMAP service to allow shared access to mail files
In addition to providing access to a user’s personal mail folders, the
IMAP service supports the NAMESPACE extension, which permits
controlled access to shared mail files. By default, when the IMAP service
is installed, NAMESPACE support is enabled so that clients accessing the
service can view and open their personal mail files, as well as any other
mail file on the server that they have permission to use — for example
other users’ personal mail files to which they have been delegated access,
and any public mail files that you set up as IMAP public folders.
As with personal mail files, an IMAP client can access Public and other
users’ mail files only if they reside on the same server as the IMAP
service. In addition, the IMAP service must be able to authenticate the
user from an entry in a configured directory on the server.
To configure namespace support on the server, enable NAMESPACE
support so that IMAP users can view other users’ and public mail files to
which they’ve been granted access, and then do one or both of the
following:
• Configure IMAP public folders
• Configure IMAP other users’ folders
For information about enabling IMAP namespace support, see the topic
“Enabling the IMAP service to automatically display all accessible mail
folders” later in this chapter.
For information about delegating access to a mail file, see Lotus Notes 6
Help, which is available from the Documentation Library at the Lotus
Developer Domain at http://www.lotus.com/ldd/doc.
Note To provide IMAP users with access to other users’ mail files, you
must use a Notes client or iNotes client to delegate mail file access. You
cannot delegate access by adding names to the ACL of the mail file. To
enable IMAP access to other users’ mail files, the Domino Administration
Process (AdminP) must process an IMAP delegation request, which is
only generated in response to a user setting delegation preferences from
a Notes or iNotes mail client.
About IMAP namespaces
Typically, most users have a personal mail file to which they alone have
access. The IMAP service considers messages in a personal mail file to
exist in a hierarchy known as the personal namespace.
In addition to the personal namespace, messages can also exist in other
hierarchies. For example, if a user is granted access to another user’s mail
file, such as when a secretary has been delegated access to a manager’s
mail file, messages in that mail file become available under an additional
hierarchy, the other users’ namespace.
Other mail files, for example mail-in databases that are intended to be
shared among users, do not exist within a single user’s namespace at
all, but are intended for public access. Messages in these mail files exist
only in the shared or public namespace.
Enabling the IMAP service to automatically display all accessible
mail folders
The Domino IMAP service complies with RFC 2342, which defines a
method by which the IMAP service automatically presents a client with a
list of all mail files to which the current user has access, including:
• The user’s personal mail file
• Other users’ personal mail files to which the user has been delegated
  access
• Public mail files, such as mail-in databases, to which the user has
  access, and which are set up as IMAP public folders.
For information about delegating access to a mail file, see Lotus Notes 6
Help.
Note To provide IMAP users with access to other users’ mail files, you
must use a Notes client or iNotes client to delegate mail file access. It is
not sufficient to add the names of users to the ACL of the mail file.
Enabling clients that do not support the NAMESPACE extension to
access shared folders
By default, only IMAP clients that support the NAMESPACE extension
can display mail files other than the user’s personal mail file. However,
you can configure the IMAP service so that it presents public and others
users’ folders even if the user’s IMAP client does not have built-in
NAMESPACE support. Configured in this way, the IMAP service always
returns to the client the complete range of mail folders to which the
current user has access.
To enable IMAP NAMESPACE support on the server
1. Make sure you already have a Configuration Settings document for
the server(s) to be configured.
2. From the Domino Administrator, click the Configuration tab and
expand the Messaging section.
3. Click Configurations.
4. Select the Configuration Settings document for the mail server or
servers you want to administer, and click Edit Configuration.
5. Click the IMAP - Public and Other Users’ Folders tab.
6. In the Basics section, complete the following field and then click Save
& Close:

Field                      Enter
Public and other users’    Choose one:
folders support            • Enabled - (default) In addition to presenting an
                             IMAP client with the current user’s mail folder,
                             the IMAP service also presents any public folders
                             and other users’ mail files that the current user
                             has access to.
                           • Disabled - The IMAP service does not present IMAP
                             clients with public and other users’ mail folders.
                             The IMAP client can access the current user’s
                             personal mail file only.
Include all public and     Choose one:
other users’ folders       • Enabled - The IMAP service always displays all
when a folder list is        available folders to the connecting client.
requested                  • Disabled - (default) The IMAP service displays
                             available folders in the Other users’ and Public
                             namespaces only to clients that request them using
                             the NAMESPACE command. If a client does not
                             support the NAMESPACE command, the IMAP service
                             presents to it the current user’s personal mail
                             folder only. This field is not available if
                             “Public and other users’ folders support” is set
                             to Disabled.
Note These settings apply to Domino Release 6 and later only.
Changes take effect after the next IMAP update interval. Sessions
that begin after the updated settings take effect use the updated
settings. However, existing sessions continue to use the settings that
were in effect when the session started.
7. To force an immediate update, restart the IMAP service.
For information on how to restart the IMAP service, see the topic
“Starting and stopping the IMAP task” earlier in this chapter.
For information on setting the NOTES.INI variable
IMAP_Config_Update_Interval to control the IMAP update interval,
refer to the appendix “NOTES.INI File.”
Configuring IMAP Public folders
To provide IMAP clients with access to a public mail database, you must
do the following:
• Use the mail conversion utility to enable the database for IMAP use
• Specify the appropriate level of access for users in the database ACL,
  including the Maximum Internet name and password access.
• Designate the database as an IMAP public folder
The IMAP service does not automatically enable databases other than the
user’s personal mail file for IMAP use. To enable a mail-in database for
IMAP use, run the mail conversion utility.
Users’ access to a shared database is defined by their entries in the
database ACL. Before users can access a public folder, an administrator
must explicitly grant them access to the database by editing the ACL. If
the database ACL does not grant a user access to an IMAP public folder,
when the user logs in from an IMAP client, the client displays the folder,
but does not display the folder Inbox.
To designate a Notes database as an IMAP public folder, copy its
database link and paste it into the Configuration Settings document.
Note To be configured as a public folder, a database must be created
from a Notes mail template. The IMAP service does not support the use
of NNTP or discussion databases as IMAP public folders.
To configure Notes databases for use as IMAP public folders
1. Make sure you already have a Configuration Settings document for
the server(s) to be configured.
2. From the Notes client or Domino Administrator client, select a
database that has been enabled for IMAP access to be designated as
an IMAP public folder and copy it as a database link.
For example, from the Files tab of the Domino Administrator client,
double-click the database icon to open it, and then click Edit - Copy
As Link - Database Link to copy the database as a link.
3. From the Domino Administrator, click the Configuration tab and
expand the Messaging section.
4. Click Configurations.
5. Select the Configuration Settings document for the mail server or
servers you want to administer, and click Edit Configuration.
6. Click the IMAP - Public and Other Users’ Folders tab.
7. Complete the following field and then click Save & Close:

Field                 Description
Public folder prefix  The name of the virtual root folder Domino uses to
                      organize the hierarchy of Notes mail databases configured
                      as IMAP public folders. When an IMAP client connects to
                      the server it displays the public folders available to
                      the user as subfolders of this folder.
                      Unless you have a specific reason to change the folder
                      prefix, accept the default name to ensure IMAP clients
                      can access public folders on the server.
Public folder         Database links for IMAP-enabled Notes mail databases you
database links        want to designate as IMAP public folders. Paste the
                      database link copied in Step 2 into this field.
                      For example, insert the cursor in the field and click
                      Edit - Paste. The Notes database represented by the link
                      is now designated as an IMAP public folder. Users with
                      the appropriate access privileges can open the database
                      from an IMAP client.

Note These settings apply to Domino Release 6 and later only.

Configuring IMAP Other Users’ folders
If NAMESPACE support is enabled on the server, in addition to
displaying the current user’s primary personal mail folders, an IMAP
client displays the personal namespaces of other users who have
explicitly granted access to their personal mail files to the currently
authenticated user.
The default configuration for the Other Users’ namespace on the server
will support most installations. If necessary you can customize the Other
Users’ namespace on the server, by doing the following:
• Changing the default folder prefix
• Changing the default domain delimiter the IMAP service uses to
  display user mail file names
• Specifying IMAP users who can change other users’ unread marks
Changing the default folder prefix
To enable IMAP users to view other personal mail files to which they
have access, the IMAP service maintains a virtual list, or collection, of
those mail files on the server whose owners have granted access
privileges to one or more secondary users. This collection of other users’
mail files represents the hierarchy, in addition to a user’s own mail
folders hierarchy and the hierarchy of publicly-accessible mail files, in
which a message may exist.
Specifying IMAP users who can change other users’ unread marks
By default, the only user allowed to change unread marks in a mail file is
the Notes user with primary access to the file. If a secondary user
accesses the mail file, any documents opened are marked as read for the
secondary user, but not for the primary user. This is similar to what
happens in a discussion database, where multiple users can read
documents and each maintain their own set of unread marks.
Some organizations employ third-party messaging services that run in
conjunction with the Domino IMAP service to provide users with
alternate means for accessing their mail files. For example, a unified
messaging service might connect to the IMAP service to access the
Domino mail server, acting, in effect, as an IMAP client. Users connecting
to the third-party service can open, read, send, and forward mail. To
ensure that the unread marks in users’ mail files are properly
maintained, the third-party service must have the ability to change
unread marks on the user’s behalf, as if it were the mail file owner.
To provide a third-party application with access to a mail file, at
minimum, the mail file ACL must grant the application Designer access.
To configure IMAP support for access to Other Users’ folders
1. Make sure you already have a Configuration Settings document for
the server(s) to be configured.
2. From the Domino Administrator, click the Configuration tab and
expand the Messaging section.
3. Click Configurations.
4. Select the Configuration Settings document for the mail server or
servers you want to administer, and click Edit Configuration.
5. Click the IMAP - Public and Other Users’ Folders tab.
6. In the Other Users’ Folders section, complete the following field and
then click Save & Close:

Field                    Enter
Other users’ folder      The name of the virtual root folder which contains
prefix                   Notes mail databases whose owners delegated access to
                         other users. When an IMAP client connects to the
                         server it displays the other users’ folders to which
                         the user has access as subfolders of this folder.
                         Unless you have a specific reason to change the folder
                         prefix, accept the default name to ensure IMAP clients
                         can access other users’ folders on the server.
Other users’ common      The character that Domino uses to separate the common
domain name delimiter    name, organizational unit(s), and organization name in
                         a user’s Notes hierarchical name when displaying the
                         user’s mail file to an IMAP client as part of the
                         Other users’ folder list. Default is forward slash
                         ( / ). For IMAP clients, such as the Netscape client,
                         that cannot display hierarchical names that contain
                         the default separator character, specify a different
                         character, for instance a dot (“.”) or pipe character
                         (“|”).
                         For example, if you enter the pipe character, Domino
                         sends the mail folder of a user named Jada
                         Mendez/Sales/Acme to IMAP clients as Jada
                         Mendez|Sales|Acme.
IMAP users who can       The fully-qualified Notes names of users who are
change other users’      permitted to change the unread status of messages in
unread marks             other users’ mail files. You can also enter the name
                         of a Notes group.

The change takes effect after the next IMAP service update. You can
restart the IMAP service to force an immediate update to the IMAP
service configuration.
7. To provide another user with access to a personal mail file,
instruct the mail file owner to delegate access from a Notes client.
For information about delegating access to a mail file from a Notes
client, see the topic “Delegating mail access” if you have installed
Lotus Notes 6 Help. Or, visit the Documentation Library in the Lotus
Developer Domain at http://www.lotus.com/ldd/doc to download
or view Lotus Notes 6 Help.
Note To provide IMAP users with access to other users’ mail files,
you must use a Notes client or iNotes client to delegate mail file
access. It is not sufficient to add the names of users to the ACL of the
mail file.
31-18 Administering the Domino System, Volume 1
Configuring IMAP internal thread use
The IMAP service acts as an intermediary between IMAP clients
attempting to retrieve messages and the Domino mail server. IMAP
clients do not have direct access to mail files on the Domino server;
instead, the IMAP service acts as a proxy, relaying each client’s request to
retrieve messages to the mail server. To return message data to the client,
Domino opens the mail database and passes on the requested
information to the IMAP service. The IMAP service then sends the
requested message information to the client.
An IMAP session begins when a user at an IMAP client logs in to the
Domino IMAP service. Domino allocates each IMAP session its own
session thread from the server’s main thread pool. This session thread
becomes the sole channel for all communications between the client and
the IMAP service. When the session ends, Domino returns the thread to
the pool for use by another client.
The session thread communicates directly with the server’s IMAP port to
receive client input, validate the syntax of received requests, queue
requests to the IMAP service, and send responses from the service back
to the client. If the IMAP service is slow to respond, the main thread also
sends periodic keep-alive messages to the client so that it does not close
the connection.
A Domino server can interact with multiple clients simultaneously
because it allocates a new thread to service each client session. Clients
connect to a port and exchange all input and output through that port.
Threads require memory and CPU time. The thread pool contains a
limited number of physical threads, but thread use is virtualized so that a
single thread works on different tasks. Thus in a fraction of a second, a
single thread that is idled by one task as it waits for information, can
switch to another task. This allows Domino to maximize processor use
and minimize memory.
By avoiding the need to create a new physical thread for each requested
connection, Domino makes the best use of available memory. However, a
high number of IMAP sessions can place a strain on the server. If clients
experience slow response during times of peak usage, consider limiting
the number of IMAP sessions.
The internal IMAP thread pool
The Domino IMAP service provides an internal IMAP thread pool that is
independent of the thread pool that Domino uses to create client
sessions. The default number of available threads is based on the amount
of physical memory the server has. The service has a minimum of 50
threads available and a maximum of 400 threads. To ensure that the
IMAP service continues to function properly, it’s best to use the default
thread pool settings and modify these settings only at the direction of a
qualified IBM support representative.
The IMAP thread pool consists of three types of worker threads as shown
in the following table:

Thread type: FETCH thread
Description: Accepts validated FETCH commands from the client and
transmits them to the Domino mail service
Default maximum value: 80% of pool total

Thread type: FETCH response thread
Description: Transmits message data from the Domino mail service to
fulfill client FETCH requests
Default maximum value: 80% of pool total

Thread type: LOGIN conversion thread
Description: Converts mail files to IMAP format
Default maximum value: None

Available threads become active when the main session thread queues a
request.
To specify IMAP thread use
1. Make sure you already have a Configuration Settings document for
the server(s) to be configured.
2. From the Domino Administrator, click the Configuration tab and
expand the Messaging section.
3. Click Configurations.
4. Select the Configuration Settings document for the mail server or
servers you want to administer, and click Edit Configuration.
5. Click the IMAP - Advanced tab.
6. In the Worker thread pool section, complete the following:

Field: Maximum number of IMAP worker threads
Description: The total number of threads available in the IMAP
service’s thread pool, including Login conversion threads for upgrading
mail files to Domino Release 6 IMAP format; FETCH threads for
transmitting validated client requests to the Domino mail server; and
FETCH response threads for transmitting message data from the mail
server in response to client FETCH requests.

Field: Maximum number of response threads per FETCH
Description: The number of threads available to transmit message data
to fulfill a given FETCH request (default is 4).

Field: Maximum number of FETCH threads allowed
Description: The number of concurrent threads the IMAP service can use
to transmit client requests to FETCH message data to the Domino mail
server.

Field: Maximum number of FETCH response threads allowed
Description: The number of threads the IMAP service can use to return
message data from the Domino mail server in response to FETCH requests
received from all active IMAP sessions.

Note These settings apply to Domino Release 6 and later only.

Specifying the default IMAP service greetings
On the Server document, you can configure the ports that IMAP clients
can use to connect to the IMAP service. IMAP clients can connect over a
TCP/IP port or an SSL port. If you have SSL set up on the server, you can
configure the TCP/IP port so that it redirects connections to the SSL port.
When a client connects, the IMAP service responds by sending the client
the greeting that is associated with the port the client uses to connect. On
the Configuration Settings document, you can customize the greetings
that the IMAP service returns to clients connecting over each port.
The IMAP service checks for new settings at the specified update
configuration interval. If you change the greeting text, sessions that begin
after the new configuration takes effect will receive the updated greeting.
To modify the default IMAP service greetings
1. Make sure you already have a Configuration Settings document for
the server(s) to be configured.
2. From the Domino Administrator, click the Configuration tab and
expand the Messaging section.
3. Click Configurations.
4. Select the Configuration Settings document for the mail server or
servers you want to administer, and click Edit Configuration.
5. Click the IMAP - Advanced tab.
6. In the Greeting section, enter the text for the IMAP service to display
to connecting clients and then click Save & Close:

Field: IMAP server greeting
Enter: The greeting the IMAP service sends to clients connecting over
TCP/IP.
Default: By default, the service sends a greeting that includes the
server name, Domino release number, and the current date and time. For
example: * OK Domino IMAP4 Server Release 6 ready Wed, 17 April 2002
17:57:13 -0400

Field: IMAP SSL greeting
Enter: The greeting the IMAP service sends to clients connecting over
SSL.
Default: By default, the service sends a greeting that includes the
server name, Notes release number, and the current date and time. For
example: * OK Domino IMAP4 Server Release 6 ready Wed, 17 April 2002
17:57:13 -0400

Field: IMAP SSL redirect greeting
Enter: The greeting the IMAP service sends to clients when the TCP/IP
port is configured to redirect connections to SSL.
Default: By default, the service sends the following greeting: * IMAP
Server configured for SSL Connections only. Please reconnect using the
SSL Port portnumber, where portnumber is the number of the configured
SSL port.

Note To specify IMAP greetings for Domino Release 6 servers, you must
use the Configuration Settings document. However, you cannot use the
Configuration Settings document to specify service greetings for Domino
Release 5 and earlier. To configure IMAP service greetings on earlier
Domino releases, use the settings IMAPGreeting, IMAPRedirectSSLGreeting,
and IMAPSSLGreeting in the NOTES.INI file.
For more information on these settings, see the appendix “NOTES.INI File.”
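The three greeting forms described above, parsed and checked as an added example (this is not Domino code): it classifies a received greeting, extracts the release number that the default greeting discloses and the SSL port named by the redirect greeting, and flags a TCP/IP port that was meant to redirect but still accepts logins. The regular expressions and the sample banners are constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Default greeting on the TCP/IP and SSL ports, as documented above:
#   * OK Domino IMAP4 Server Release 6 ready Wed, 17 April 2002 17:57:13 -0400
DEFAULT_RE = re.compile(
    r"^\*\s*OK\s+Domino IMAP4 Server Release\s+(?P<release>\S+)\s+ready\s+(?P<when>.+)$"
)
# Default redirect greeting when the TCP/IP port sends clients to the SSL port:
#   * IMAP Server configured for SSL Connections only. Please reconnect using the SSL Port 993
REDIRECT_RE = re.compile(
    r"^\*.*configured for SSL Connections only.*SSL Port\s+(?P<port>\d+)"
)


@dataclass
class Greeting:
    kind: str                 # "default", "redirect" or "custom"
    release: Optional[str]    # Domino release disclosed by the default greeting
    ssl_port: Optional[int]   # SSL port named by the redirect greeting
    allows_login: bool        # False when the port only tells clients to reconnect


def parse_greeting(line: str) -> Greeting:
    """Parse one greeting line exactly as received from the IMAP port."""
    text = line.rstrip("\r\n")
    m = DEFAULT_RE.match(text)
    if m:
        return Greeting("default", m.group("release"), None, True)
    m = REDIRECT_RE.match(text)
    if m:
        return Greeting("redirect", None, int(m.group("port")), False)
    # Anything else is an administrator-customized greeting. A port that accepts
    # logins must still answer with the untagged "* OK" form that IMAP requires.
    ok = re.match(r"^\*\s*OK\b", text) is not None
    return Greeting("custom", None, None, ok)


def audit_port(line: str, expect_redirect: bool) -> List[str]:
    """Findings for one port, given whether the TCP/IP port is meant to redirect to SSL."""
    g = parse_greeting(line)
    findings = []
    if g.kind == "default":
        findings.append("default greeting discloses Domino release %s" % g.release)
    if expect_redirect and g.kind != "redirect":
        findings.append("port was expected to redirect to SSL but accepts logins")
    if g.kind == "redirect" and not expect_redirect:
        findings.append("port redirects to SSL port %d; no login possible here" % g.ssl_port)
    return findings


# Constructed sample banners for this example (not captured from a real server).
SAMPLE_DEFAULT = "* OK Domino IMAP4 Server Release 6 ready Wed, 17 April 2002 17:57:13 -0400\r\n"
SAMPLE_REDIRECT = ("* IMAP Server configured for SSL Connections only. "
                   "Please reconnect using the SSL Port 993\r\n")
SAMPLE_CUSTOM = "* OK mail service ready\r\n"

if __name__ == "__main__":
    for banner in (SAMPLE_DEFAULT, SAMPLE_REDIRECT, SAMPLE_CUSTOM):
        print(parse_greeting(banner), audit_port(banner, expect_redirect=True))
```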
Setting up IMAP users
To set up IMAP users, perform these procedures:
1. Set up the users’ Person documents.
2. Create a mail file for the IMAP user.
3. Enable the mail file for IMAP access.
4. Configure IMAP client software.
5. (Optional) Create a full-text index of the mail file so the IMAP user
can search for information in the file. When you create the index,
choose the “Index attachments” option to allow the user to search for
information in attachments that are in MIME format.
For more information on creating a full-text index, see the chapter
“Setting Up and Managing Full-text Indexes.”
Note If you use the Domino registration process to create a new IMAP
user, Domino automatically creates the Person document and mail file
and lets you specify registration options to create a full-text index for the
mail file and enable the mail file for IMAP use.
Setting up the Person document for an IMAP user
To access mail files on the Domino server, an IMAP user must have a
Person document in the Domino Directory. For users who already have
a Person document, edit settings in the existing document as necessary to
provide IMAP support. If a user does not have an existing Person
document, you must create a new one. You can create a Person document
manually, or use the Domino registration process to create the Person
document automatically. If you use the Domino registration process,
select IMAP in the “Mail system” field of the Register Person dialog box.
Note By default, the Domino registration process generates a Notes ID
file (and corresponding Notes public encryption key in the Domino
Directory) for each user in addition to creating the Person documents
and mail files required by an IMAP user. Because users who will access
Domino from IMAP clients only do not require a Notes ID, when
registering these users, deselect the option to “Create a Notes ID for this
person.” However, if a new IMAP user also requires access to Domino
from a Notes client, Domino Administrator client, or Domino Designer
client, be sure to enable creation of an ID file.
For more information on using the Domino registration process, see the
chapter “Setting Up and Managing Notes Users.”
The following procedure specifies the Person document settings required
for IMAP users and explains how to create a Person document manually.
To set up a Person document for an IMAP user
1. From the Domino Administrator, click the People & Groups tab.
2. Select Domino Directories - Address Book - People.
3. If no Person document exists for this user, click Add Person to create
a new Person document.
To display an existing Person document, select the name of the user,
and click Edit User.
4. Click the Basics tab, complete these fields, and then click Save &
Close:

Field: First name, Last name, User name
Enter: The login name a client uses to authenticate with the IMAP
server must be unique in the Domino Directory. Depending on the level
of Internet access security established for the server (Server
document - Security tab), the login name or user name configured on the
IMAP client must match an entry in one of these fields. Entries in the
User name field are always accepted as the login name. If Internet
authentication is set to allow “More name variations with lower
security”, entries in the First name and Last name fields may also be
accepted as login names.

Field: Internet password
Enter: The password that the user enters to access the Domino server
from the IMAP client. IMAP users must have an Internet password that
complies with your organization’s password quality requirements.

Field: Mail system
Enter: Choose IMAP if the user does not require Notes client access.

Field: Domain
Enter: The name of the Notes domain to which the server belongs.

Field: Mail server
Enter: The name of the IMAP user’s Domino mail server.

Field: Mail file
Enter: The path for the user’s mail file, relative to the Domino data
directory, for example, MAIL\AJONES.

Field: Forwarding address
Enter: Leave this blank for users who access mail files on the Domino
server from an IMAP client.

Field: Internet address
Enter: The Internet address at which the user can receive mail within
your organization. This address must match the Internet address
specified in the IMAP client.

Field: Format preference for incoming mail
Enter: Choose one:
• Keep in sender’s format (default) - The mail file may contain
messages in either Notes rich text or MIME format. When delivering
messages to the mail file, the local Router preserves the current
message format. Thus messages received at the server in MIME format
are stored in the mail file in MIME format, and messages received at
the server in Notes rich text format are stored in Notes rich text
format. When an IMAP client requests a message that is stored in Notes
rich text format, the IMAP service must convert the message to MIME
before sending it to the client. Because the stored message remains in
Notes rich text format, each time an IMAP client requests the message,
the IMAP service must perform the conversion.
• Prefers MIME - The mail file stores messages in MIME format only.
Choose this option for users who access mail exclusively from an IMAP
client. Since IMAP clients require messages in MIME format, storing
mail in MIME format ensures the best performance for IMAP users,
eliminating the need for the IMAP service to convert messages before
passing them to the client. In addition, using MIME storage allows the
Router to add special IMAP attributes to the messages it delivers.
• Prefers Notes Rich Text - The mail file stores messages in Notes
format only. The Router converts messages received as MIME into Notes
rich text before delivery. In addition, the IMAP task must convert
messages to MIME format when sending them to an IMAP client. To ensure
the best performance, do not choose this option for users who access
their Domino mail file primarily from an IMAP client.

Field: When receiving unencrypted mail, encrypt before storing in your
mail file
Enter: Choose No (default); IMAP clients cannot read encrypted Notes
mail. To ensure that users who read mail exclusively from IMAP clients
do not receive Notes-encrypted mail, remove the IMAP users’ Notes
public encryption keys from their Person documents. Never remove the
Notes public key from the Person document of users who access Notes
databases from a Notes client.

For more information about password quality requirements, refer to the
chapter “Protecting and Managing IDs.”
5. Complete the procedure “Creating a mail file for an IMAP user.”
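The login-name rule from the Person document table above, as an added example (not Domino code): it resolves an IMAP login name against Person documents, accepting User name entries always and First name or Last name only under “More name variations with lower security”, and it refuses a name that matches more than one document. The Person records, the case-insensitive comparison and the AmbiguousLogin exception are assumptions of this example.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Person:
    first_name: str
    last_name: str
    user_names: List[str]   # the multi-valued "User name" field
    mail_file: str          # path relative to the Domino data directory


class AmbiguousLogin(Exception):
    """The login name matched more than one Person document."""


def _norm(name: str) -> str:
    # Assumption for this example: login names compare case-insensitively.
    return name.strip().casefold()


def candidate_names(p: Person, more_variations: bool) -> List[str]:
    """Names the server would accept as the IMAP login name for this Person document."""
    names = list(p.user_names)          # User name entries are always accepted
    if more_variations:                 # lower-security setting adds first and last name
        names += [p.first_name, p.last_name]
    return [n for n in names if n]


def resolve_login(login: str, directory: List[Person],
                  more_variations: bool) -> Optional[Person]:
    """Return the single Person that login identifies, or None if nobody matches.

    Raises AmbiguousLogin when two Person documents accept the same name: the
    manual requires login names to be unique, and binding the session to a
    guessed mail file would give one user access to another user's mail.
    """
    want = _norm(login)
    hits = [p for p in directory
            if any(_norm(n) == want for n in candidate_names(p, more_variations))]
    if len(hits) > 1:
        raise AmbiguousLogin(login)
    return hits[0] if hits else None


# Constructed sample directory for this example.
SAMPLE_DIRECTORY = [
    Person("Alan", "Jones", ["Alan Jones/Sales/Acme", "ajones"], r"MAIL\AJONES.NSF"),
    Person("Jada", "Mendez", ["Jada Mendez/Sales/Acme", "jmendez"], r"MAIL\JMENDEZ.NSF"),
    Person("Bob", "Jones", ["Bob Jones/Acme", "bjones"], r"MAIL\BJONES.NSF"),
]

if __name__ == "__main__":
    for login in ("ajones", "Alan", "Jones"):
        for lower_security in (False, True):
            try:
                hit = resolve_login(login, SAMPLE_DIRECTORY, lower_security)
                print(login, lower_security, hit.mail_file if hit else "no match")
            except AmbiguousLogin:
                print(login, lower_security, "ambiguous, rejected")
```

With the lower-security setting, the shared last name "Jones" in the sample directory becomes an ambiguous login, which is why the resolver rejects it instead of picking one mail file.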
Creating a mail file for an IMAP user
Each IMAP user must have a mail file on the Domino server. You can
create the mail file automatically during user registration, or you can
manually create a mail file. If the user is already a registered Notes user
who has an existing Domino mail file and if you set up the user’s Person
document for IMAP access, the user can access the mail file from an
IMAP client.
If a user does not have an existing mail file on a Domino server, create a
new one as described in the following procedure.
To manually create a mail file
1. Make sure that you have set up the Person document for the IMAP
user.
2. Choose File - Database - New.
3. In the New Database dialog box, enter the following:

Field: Server
Enter: The Domino mail server that stores the user’s mail file.

Field: Title
Enter: The name of the client’s mail file, for example, Alan Jones’
Mail.

Field: File name
Enter: The full path to the mail file, relative to the Domino data
directory, for example, MAIL\AJONES.NSF.

4. From the list of template names, select Mail (R6) with the filename
MAIL6.NTF, and click OK.
5. After Domino creates and opens the mail file, determine what level
of access is appropriate for both the user and you, as the
administrator. Then, edit the Access Control List (ACL) as follows:
a. Choose File - Database - Access Control.
b. From the Access Control List dialog box, create an ACL entry for
the user by clicking Add and then selecting the user’s name from
the Domino Directory.
c. Set the user type to Person and select the level of access. Users
require at least Editor with Delete document access.
d. (Optional) Select your name from the ACL and click Remove. As
the administrator, you can choose to retain Manager access,
particularly for users who do not have Notes client access.
e. Click OK to save the entry and close the ACL.
6. Complete the procedure “Preparing a mail file for IMAP access.”
Preparing a mail file for IMAP access
To support access from IMAP clients, mail files must be specially
modified to store IMAP folder and message attributes as database items.
If you used the Domino registration process to create a user, and set the
user’s mail system type to IMAP, Domino automatically performs the
steps required to prepare the mail file for IMAP use. Otherwise, you
must complete several tasks to prepare a mail file to support IMAP
access.
To prepare a mail file for IMAP access
1. Verify that you have:
• Set up the Person document for the IMAP user.
• Created a mail file for the IMAP user.
2. If you are upgrading a mail file, run Compact on the mail file to
ensure that it uses the Notes ODS (on-disk structure) version 41 or
greater.
You do not have to run Compact on newly created mail files that are
based on a Lotus Domino Release 5 or later mail template. For new
mail files, skip to Step 4.
3. Run the Fixup task on the mail file.
4. Run the mail conversion utility on the mail file to enable it for IMAP
access.
5. If this is not a new mail file, run the mail conversion utility with the
-h option to increase the speed of header downloads when clients log
in.
The IMAP service does not rely on template views to store IMAP folder
and message data; you can enable mail files created from any mail
template.
For users with multiple mail file replicas — for example, users with mail
files on clustered servers — you must independently enable each replica
for IMAP access. Because Domino does not replicate IMAP database
items between databases, by default, when you create a new replica of an
IMAP-enabled mail file, it is not enabled for IMAP use.
Differences when viewing mail files from IMAP clients and Notes
client
Some aspects of a mail file are structured in template items that are
visible only to a Notes client, and as such are not available to IMAP
clients. As a result, IMAP clients display certain folders and views in a
mail file differently from Notes clients. For instance, from an IMAP
client, the Inbox and Trash folders, and any public folders, appear as
IMAP mailboxes. Also, hidden and private folders are not visible to
IMAP clients. And finally, IMAP clients do not display views that are
part of the Notes mail file template, such as the Draft and Sent view.
The Domino IMAP service does not support renaming of the Inbox folder
in a Notes mail file from an IMAP client.
For users who access their mail files from both an IMAP client and a
Notes client, Domino synchronizes unread message marks between the
two. Thus, a message marked as read in Notes is also marked as read for
an IMAP client, and vice versa.
IMAP clients cannot read messages that use Notes encryption. IMAP
clients do not have access to the Notes private key needed to decrypt
messages encrypted with a user’s Notes public key certificate. As a
result, when a user opens an encrypted Notes message from an IMAP
client, only the unencrypted header information is available. The server
replaces the blank message body with the following text:
[Portions of this MIME document are encrypted with a Notes
certificate and cannot be read.]
Running Compact to update the ODS version of a mail file
To be enabled for IMAP, a mail file must use the Domino Release 5 or
later file format, Notes ODS (on-disk structure) version 41 or greater. If a
mail file is at a previous ODS version, you must run Compact on it to
update the ODS version. It is not necessary to run Compact to enable
newly created mail files that are based on either the MAIL6.NTF or MAIL50.NTF
mail templates.
The ODS version of a mail file database is listed on the Info tab of the
Database properties dialog box. For information on how to determine the
file format of a database, see the chapter “Improving Database
Performance.”
To run Compact using a console command
Compacting converts Release 4 databases to the Lotus Domino 6 file
format or ODS 43.
1. From the Domino Administrator, on the Server pane on the left,
select the server on which to run Compact. To expand the pane, click
the servers icon.
2. Click the Server - Status tab.
3. Click Console.
4. Enter the following command in the command line at the bottom of
the console, and then press ENTER:
Load compact databasepath
Enter the database path relative to the Domino data directory. To
compact a specific mail file in the MAIL directory, enter the name of
the MAIL directory followed by the name of the mail file, for
example:
Load compact MAIL\USER.NSF
To compact all mail files in the MAIL directory, enter the name of the
MAIL directory as the database path, for example:
Load compact MAIL
Note You can also enter Step 4 directly at the console on a server.
After you run compact on the mail file, continue preparing the file for
IMAP users by running Fixup.
Running Fixup to prepare a mail file for IMAP use
You do not need to run Fixup on newly created mail files that are based
on a Lotus Domino Release 5 or later mail template.
After you run Compact on a user’s mail file to ensure that it uses the
correct file format, run the Fixup task on the mail file.
Because the Fixup task requires exclusive access to the mail file database,
you must shut down the server before running Fixup.
To run Fixup
1. Shut down the server.
2. From the Windows NT command prompt, change to the Domino
program directory. For example, if you installed Domino in the
default location, enter:
cd c:\lotus\domino
3. To run Fixup on a specific mail file, enter:
nFixup path\mailfile
where path is the database path relative to the Domino data directory
and mailfile is the name of the mail file database. For example, to run
Fixup on the mail file database USER.NSF in the DATA\MAIL
folder, enter:
nFixup mail\user.nsf
Note If transaction logging is enabled on the server, run Fixup with
the -j switch, for example:
nFixup -j mail\user.nsf
Running the mail conversion utility to enable a mail file for IMAP
Note If you used the Domino Release 6 registration process to add a
user account, and set the user’s mail system type to IMAP, Domino
automatically enables the mail file for IMAP use.
After you run Fixup on the mail file, run the mail conversion utility (the
Convert task) to enable IMAP-specific features in the mail file. The
conversion utility sets an option bit in the database indicating that this
database is IMAP enabled. After you enable a mail file for which the
format preference is set to MIME, the Router automatically adds special
IMAP attributes to new messages delivered to the database. These
attributes provide IMAP clients with summary information which
enables them to download message headers more efficiently. To ensure
the best performance, after the initial conversion completes run the
conversion utility a second time, using the -h option to add these
attributes to messages that were already in the mail file at the time of the
initial conversion.
For users with multiple mail file replicas — for example, users with mail
files on clustered servers — you must independently enable each replica
for IMAP access. Because Domino does not replicate IMAP database
items between databases, by default, when you create a new replica of an
IMAP-enabled mail file, it is not enabled for IMAP use.
After the conversion utility enables a mail file for IMAP, the following
information is added to the bottom of the Information tab of the mail
file’s Database Properties dialog box:
Database is IMAP enabled
Deciding whether to convert mail files manually or automatically
By default, when a user connects to the IMAP service, the service checks
whether the user’s mail file is currently enabled for IMAP. If the mail file
is not already enabled, the IMAP service automatically launches the
conversion utility to format it for use with IMAP. To prevent conversions
from occurring during login, change the default configuration by
disabling automatic conversion.
For information on enabling and disabling automatic conversion, see the
topic “Setting the IMAP service to automatically enable mail files at
login” earlier in this chapter.
Although the IMAP service can automatically convert mail files, consider
manually converting them before users first log in to the IMAP server to
ensure that mail files are properly converted. By performing conversions
ahead of time, you can ensure that users are not confronted with
conversion errors that they are unable to recover from. For example,
because the conversion utility requires that a mail file be at least at ODS
version 41, for mail files that use an earlier ODS version you must run
Compact before converting the mail file; using automatic conversion
would fail. Similarly, in databases where some type of internal
corruption has occurred (for example, an invalid note, or corrupt meta
data), you must run Fixup against the mail file before running the
conversion utility.
You might also choose to run the conversion utility manually if many of
your first-time IMAP users access the server over slow modem
connections, particularly if a large proportion of them would be logging
in at the same time. The reason for this is related to the way the IMAP
service allocates threads to perform automatic conversions. The IMAP
service dedicates a single conversion thread for each conversion and it
draws this conversion thread from the same thread pool that provides
the threads responsible for servicing other IMAP client requests, such as
logging in users or retrieving messages. Because mail file conversions can
require a significant amount of time, with conversion times increasing as
connection speeds decrease, a conversion thread typically remains busy
longer than other thread types. As a result, an IMAP service flooded with
conversion requests can experience a thread shortage. This shortage
affects not only the users awaiting conversion, but current IMAP users,
too, who encounter unexpected delays attempting to log in and retrieve
messages. When the conversion utility is run manually on the mail
server, the operation completes in a very short time, even if the mail file
is relatively large.
Finally, you must run conversions manually to enable mail files in the
other users’ and public folders namespaces. Automatic mail file
conversion can occur only for the personal mail file of the currently
authenticated user.
To manually convert mail files for use with IMAP
You can run the mail conversion utility on a single mail file or on all mail
files in a directory.
1. At the server console of the Domino server on which you want to
enable mail files, shut down the Router by entering:
tell router quit
This prevents Domino from routing mail to the mail files while they
are being converted. Mail is stored in MAIL.BOX while you upgrade
the mail files. After you have converted the mail files and loaded the
Router task again, the Router processes and delivers the mail in
MAIL.BOX.
2. Load the mail conversion utility by entering the following command:
load convert -e maildirectory\mailfilename
where maildirectory names the path to the mail subdirectory that
contains the user’s mail file and mailfilename is the filename of the
user’s mail file. The maildirectory path describes the path relative to
the server’s Domino data directory. For example, to convert the mail
database USER.NSF in the \MAIL subdirectory of the Domino data
directory enter:
load convert -e mail\user.nsf
Note On UNIX systems, use a forward slash (/) as the hierarchy
separator, rather than a backslash (\). For example, enter:
load convert -e mail/user.nsf
To specify all files in a directory, make sure the directory contains
only mail files and that they are the mail files you want to convert.
For example, to enable IMAP for all mail files in the \MAIL
subdirectory, enter:
load convert -e mail\*.nsf
3. After you finish enabling mail files for IMAP on this server, load the
Router by entering:
load router
4. Configure IMAP client software.
For information on configuring IMAP client software, see the topic
“Configuring IMAP client software” later in this chapter.
For information about disabling IMAP access to a mail file, see the topic
“Disabling an IMAP mail file” later in this chapter.
Convert utility options

Option: -e
Use: Enables mail files for IMAP use.

Option: -h
Use: To enable clients to download message headers more efficiently,
the Convert task processes all messages in the mail file in the order
in which they are listed in the mail file’s “All Documents” view and
adds the special IMAP attributes ($Content_Type, IMAP_BodyStruct, and
IMAP_RFC822Size) to messages that don’t have them. Because the Convert
task is single-threaded, and this option requires the Convert task to
process every message in the mail file, it is resource-intensive and
can take a long time, especially for mail files where messages must
also be converted from Notes rich text to MIME format. You cannot use
this option in combination with the -e switch.

Option: -o
Use: Removes from messages the IMAP items used to provide more
efficient header retrieval. You may use this option in combination with
the -h option, but not with the -e option.

Option: -e-
Use: Disables IMAP access to mail files.
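The preparation steps (Compact, Fixup, Convert -e, Convert -h, one pass per replica) and the Convert option rules above, carried into a small planner as an added example (this is not a Domino tool): it emits the ordered console and Fixup commands for one mail file and its replicas, and it rejects option combinations the table says cannot be used together. The MailFile record, the server names and the file paths are constructed assumptions of this example.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

MIN_IMAP_ODS = 41  # ODS version the conversion utility requires

# Option pairs the Convert options table says cannot be used in one run.
INCOMPATIBLE = (("-e", "-h"), ("-e", "-o"))


def validate_convert_options(options: List[str]) -> None:
    """Raise ValueError when a single Convert run mixes incompatible options."""
    opts = set(options)
    for a, b in INCOMPATIBLE:
        if a in opts and b in opts:
            raise ValueError("convert: %s cannot be combined with %s" % (a, b))


def convert_command(path: str, options: List[str]) -> str:
    """Build a 'load convert' console command after checking the option combination."""
    validate_convert_options(options)
    return "load convert %s %s" % (" ".join(options), path)


@dataclass
class MailFile:
    server: str                    # assumed server name for this example
    path: str                      # relative to the Domino data directory
    ods: int                       # current on-disk structure version
    new_from_r5_template: bool     # freshly created from an R5 or later mail template
    imap_enabled: bool = False
    suspected_corruption: bool = False
    replicas: List[Tuple[str, str]] = field(default_factory=list)  # (server, path)


def plan_enable(mf: MailFile, transaction_logging: bool = False) -> List[Tuple[str, str]]:
    """Ordered (where, command) steps that IMAP-enable mf and each of its replicas.

    "console:<server>" steps are typed at that server's console; "os:<server>"
    steps are Fixup runs from the program directory with the server shut down.
    """
    steps: List[Tuple[str, str]] = []
    if mf.imap_enabled:
        return steps                       # nothing to do, already enabled
    console = "console:" + mf.server
    fixup = "nFixup -j" if transaction_logging else "nFixup"
    if not mf.new_from_r5_template:
        # Upgraded file: bring the ODS up first, then repair before converting.
        if mf.ods < MIN_IMAP_ODS:
            steps.append((console, "load compact " + mf.path))
        steps.append(("os:" + mf.server, "%s %s" % (fixup, mf.path)))
    elif mf.suspected_corruption:
        steps.append(("os:" + mf.server, "%s %s" % (fixup, mf.path)))
    # Stop routing while converting; mail waits in MAIL.BOX until the Router reloads.
    steps.append((console, "tell router quit"))
    steps.append((console, convert_command(mf.path, ["-e"])))
    if not mf.new_from_r5_template:
        # Second pass adds the header attributes to messages already in the file.
        steps.append((console, convert_command(mf.path, ["-h"])))
    steps.append((console, "load router"))
    # IMAP items do not replicate, so each replica is enabled on its own server.
    for server, path in mf.replicas:
        steps.append(("console:" + server, convert_command(path, ["-e"])))
    return steps


# Constructed sample mail files for this example.
UPGRADED = MailFile("Mail1/Acme", r"mail\user.nsf", 20, False,
                    replicas=[("Mail2/Acme", r"mail\user.nsf")])
NEW = MailFile("Mail1/Acme", r"mail\ajones.nsf", 43, True)

if __name__ == "__main__":
    for where, cmd in plan_enable(UPGRADED, transaction_logging=True) + plan_enable(NEW):
        print(where, cmd)
```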

How the conversion utility handles unread marks
In previous versions of Notes and Domino, mail files maintained
separate sets of unread marks for IMAP clients and Notes clients, with
IMAP-enabled mail files relying on special template views to indicate
that a message was read. With the introduction of native IMAP in
Domino Release 6, a mail file enabled for IMAP displays a consistent set
of unread marks to the IMAP and Notes clients opening the file.
If you used IMAP in an earlier release of Domino, and are upgrading
a mail file to Domino Release 6 IMAP format, the conversion utility
will mark a message as read in the converted mail file if either the IMAP
or Notes items in the unconverted mail file indicate that the message
was read.
Preserving folder references during upgrade of IMAP mail files
In earlier releases of Domino, the IMAP service used hidden folder
reference views in the mail template to retrieve IMAP folder and
message data. By contrast, the Domino Release 6 IMAP service doesn’t
use folder references. Instead, it enables native storage of IMAP folder
and message attributes in the mail file, thus eliminating the need for
hidden views in the mail template.
By default, when you convert mail files to Lotus Domino 6 IMAP format,
the conversion utility disables folder references in the mail file. In most
environments, use the default and disable folder references to ensure the
best performance.
If your environment uses Domino applications that rely on folder
references in user mail files to gather information, you may need to
preserve folder references. To preserve folder references during
conversion, you can set the variable
IMAP_CONVERT_NODISABLE_FOLDER_REFS in a server’s NOTES.INI file. When this variable is set,
folder references are preserved during all mail file conversions, whether
performed manually from the server console, or automatically as the
result of an IMAP user logging in to the IMAP service for the first time.
Immediately following conversion, the folder and message information
stored in the folder references matches the information stored in the mail
file’s IMAP attributes. However, because Domino does not continue to
update folder references after the initial conversion, over time, as a user
receives, moves, and sends messages, folder reference information will
no longer be synchronized with the information stored in the mail file
attributes.
Using the conversion utility to add IMAP summary attributes to
messages
The IMAP service uses special IMAP summary attributes
($Content_Type, IMAP_BodyStruct, and IMAP_RFC822Size) in messages
to facilitate the process of sending message headers in response to client
requests. After you convert a mail file for IMAP use, for users who
receive messages in MIME format, the Router automatically adds these
items to new messages it delivers.
However, these items might not be added to all messages in a mail file.
Messages delivered in Notes rich text format do not contain the items.
And Domino does not automatically add these items to messages
delivered before conversion occurred.
Although an IMAP client can read messages that do not contain IMAP
summary attributes, the client must first download each message in its
entirety before it can display headers. To enable faster header fetching,
run the mail conversion utility with the -h switch to add IMAP summary
attributes to messages that don’t have them.
Updating IMAP attributes following mail file changes
Changing a message that contains the IMAP_RFC822Size attribute might
affect a user’s ability to access the message. When the size value of the
IMAP attribute no longer matches the actual message size, IMAP clients
might have difficulty downloading the message. If the actual message
size is larger than the size indicated by the attribute, the IMAP client
might not download the entire message. If the actual size is smaller than
the size indicated by the attribute, the IMAP client can hang as it
attempts to download the remaining expected message data.
Message size might change inadvertently as a consequence of an agent
running after a message is delivered or of changes to certain server
configuration options, such as the settings governing outbound MIME
conversion options. Although the outbound MIME conversion options
apply primarily to messages sent outbound over SMTP, they also affect
any message exported from the server, including messages retrieved by
the IMAP service for sending to a client. For example, if you change the
setting for adding RFC 822 phrases to users’ Internet return addresses,
this changes message size, because the Internet return address in each
message an IMAP client retrieves is altered to comply with the new
setting.
To prevent changes to the server configuration from contributing to
download errors, update IMAP attributes to reflect the new settings. To
update IMAP message attributes and refresh the mail file’s MIME
directory, you must remove the existing attributes and then add them
again. Because IMAP clients cache header information, users must also
recreate their IMAP accounts to download messages successfully.
Note A similar problem occurs for IMAP users whose Person
documents specify Notes rich text as the mail storage preference. In this
case, the Router does not add IMAP attributes to messages delivered to
mail files, but the IMAP client still caches size information. When you
modify the server’s configuration, for example, by setting the server to
export message content as HTML rather than plain text when converting
messages to MIME, this changes message size. Because the client expects
the size of existing messages to match their cached size, users can no
longer retrieve these existing messages from an IMAP client. To remove
the header information cached by the IMAP client, the user must recreate
the IMAP account.
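The size mismatch described above, as an added example that is not part of the Domino documentation: it records the RFC 822 size of a constructed message as the Router would at delivery, emulates the outbound conversion option that adds an RFC 822 phrase to the return address, and classifies what a client that trusts the stored IMAP_RFC822Size would experience. All messages, addresses and stored attribute values are constructed sample data; only the attribute name comes from the chapter.

```python
# Added example, not from the Domino documentation: why a stale IMAP_RFC822Size
# attribute breaks message retrieval, and an audit that finds such messages before
# users hit download errors. All messages, addresses and stored attribute values
# are constructed sample data; the attribute name is the one the chapter documents.
from email import policy
from email.message import EmailMessage
from email.utils import formataddr, parseaddr
from typing import List, Optional, Tuple


def rfc822_size(msg: EmailMessage) -> int:
    """Byte length of the message in on-the-wire RFC 822 form (CRLF line endings),
    which is what the IMAP_RFC822Size attribute records at delivery time."""
    return len(msg.as_bytes(policy=policy.SMTP))


def build_message(return_address: str, body: str = "The report is attached.\n") -> EmailMessage:
    """Constructed sample message as the Router would deliver it in MIME format."""
    msg = EmailMessage(policy=policy.SMTP)
    msg["From"] = return_address
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "Quarterly report"
    msg.set_content(body)
    return msg


def with_return_address_phrase(msg: EmailMessage, phrase: str) -> EmailMessage:
    """Emulate the outbound MIME conversion option that adds an RFC 822 phrase to
    the Internet return address: the message exported to the IMAP client grows,
    but the IMAP_RFC822Size stored at delivery time does not change."""
    exported = EmailMessage(policy=policy.SMTP)
    for name, value in msg.items():
        if name.lower().startswith("content-"):
            continue  # regenerated by set_content() below
        if name.lower() == "from":
            _, addr = parseaddr(str(value))
            value = formataddr((phrase, addr))
        exported[name] = str(value)
    exported.set_content(msg.get_content())
    return exported


def classify_fetch(attribute_size: int, actual_size: int) -> str:
    """Outcome for a client that reads exactly IMAP_RFC822Size bytes of the message:
    'ok', 'truncated' (actual larger: client stops early, message incomplete) or
    'hang' (actual smaller: client waits for bytes the server never sends)."""
    if attribute_size == actual_size:
        return "ok"
    return "truncated" if actual_size > attribute_size else "hang"


def audit_size_attributes(
    mail_file: List[Tuple[Optional[int], EmailMessage]],
) -> List[Tuple[int, Optional[int], int, str]]:
    """mail_file is a list of (stored IMAP_RFC822Size or None, message as the server
    exports it today). Returns (index, stored, actual, outcome) per message. A
    'missing' entry has no attribute (e.g. delivered as Notes rich text); anything
    other than 'ok' or 'missing' needs the attributes removed and re-added
    (load convert -o, then load convert -h) and the client accounts recreated."""
    report = []
    for idx, (stored, exported) in enumerate(mail_file):
        actual = rfc822_size(exported)
        outcome = "missing" if stored is None else classify_fetch(stored, actual)
        report.append((idx, stored, actual, outcome))
    return report


def demo() -> List[str]:
    """Walk through the chapter's scenario: attributes recorded at delivery, then
    the server reconfigured to add an RFC 822 phrase to return addresses."""
    delivered = build_message("user@example.com")
    stored = rfc822_size(delivered)                    # recorded by the Router
    exported = with_return_address_phrase(delivered, "User Name")
    rich_text = build_message("other@example.com")     # delivered without the attribute
    report = audit_size_attributes([(stored, delivered), (stored, exported), (None, rich_text)])
    return [outcome for _, _, _, outcome in report]    # ['ok', 'truncated', 'missing']


if __name__ == "__main__":
    for row in demo():
        print(row)
```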
To run the mail conversion utility to add or update IMAP attributes:
1. Shut down the Router on the server containing the mail files to
convert, by entering the following command at the console:
tell router quit
This prevents Domino from routing mail to the mail files while they
are being converted. Mail is stored in MAIL.BOX while you upgrade
the mail files. After you have converted the mail files and loaded the
Router task again, the Router processes and delivers the mail in
MAIL.BOX.
2. Load the mail conversion utility by entering the following command:
load convert [-h /-o] maildirectory\mailfilename
where maildirectory names the path to the mail subdirectory that
contains the user’s mail file and mailfilename is the filename of the
user’s mail file. The maildirectory path describes the path relative to
the server’s Domino data directory. For example, to add IMAP
attributes to the mail database USER.NSF in the \MAIL subdirectory
of the Domino data directory, enter:
load convert -h mail\user.nsf
Note On UNIX systems, use a forward slash (/) as the hierarchy
separator, rather than a backslash (\). For example, enter:
load convert -h mail/user.nsf
To specify all files in a directory, make sure the directory only
contains mail files and that they are the mail files you want to
convert. For example, to add IMAP attributes to all mail files in the
\MAIL subdirectory, enter:
load convert -h mail\*.nsf
Caution When the conversion utility is run with the -h option, the
conversion operation can take a long time to complete. The exact
time depends on server processing speed and memory, as well as on
the size and composition of the mail file. To ensure that you can
complete conversions in the available time, run a test with a single
mail file before using a wildcard to run multiple conversions.
3. After you finish enabling mail files for IMAP on this server, load the
Router by entering:
load router
Re-enabling a corrupted IMAP mail file
If an IMAP-enabled mail file becomes corrupted, you can repair it by
performing the following tasks:
1. Run Fixup.
2. Disable the mail file for IMAP use.
3. Re-enable the mail file for IMAP use.
If you are unable to repair the mail file, contact Lotus Support Services
for assistance.
Running Fixup to repair a corrupted IMAP mail file
To repair a corrupted IMAP mail file, the Fixup task requires exclusive
access to the mail file database. Before running Fixup, you must shut
down the server. After the server is shut down, run Fixup as described
below:
To run Fixup
1. From a command prompt, change to the Domino program directory.
For example, if you installed Domino in the default location, enter:
cd c:\lotus\domino
2. To run Fixup on a specific mail file in the MAIL directory, enter:
nFixup path\mail file
where path is the database path relative to the Domino Data
directory. For example, to run Fixup on the database USER.NSF in
the DATA\MAIL folder, enter:
nFixup mail\user.nsf
Note If transaction logging is on, run Fixup with the -j switch, for
example:
nFixup -j mail\user.nsf
Disabling an IMAP mail file
If you need to disable IMAP-specific features in a mail file, run the mail
conversion utility with the -e- option. The example below removes
the IMAP capability of the mail database USER.NSF in the \MAIL
subdirectory of the Notes data directory:
load convert -e- mail\user.nsf
Note On UNIX systems, use a forward slash (/) as the hierarchy
separator, rather than a backslash (\). For example, enter:
load convert -e- mail/user.nsf
Re-enabling a mail file for IMAP
After disabling the mail file as described in the preceding section, you
can re-enable it. For more information on enabling a mail file, see the
topic “Running the mail conversion utility to enable a mail file for IMAP”
earlier in this chapter.
Configuring IMAP client software
After you set up a Domino server to run the IMAP service, users can
access their mail files on the Domino server from any IMAP mail client.
The IMAP service supports all IMAP-compliant clients — for example,
Microsoft Outlook and Outlook Express, Netscape Messenger,
Qualcomm Eudora, Cyrusoft Mulberry, and PC-Pine.
IMAP clients display Notes folders as IMAP mailboxes. When users
receive or delete documents in an IMAP mailbox, the changes also occur
in the Notes folder, and vice versa.
Users can access their mail files from both an IMAP client and the Notes
mail client. Domino IMAP clients can send mail to other Notes users and to
IMAP and POP3 clients on the Domino mail system or other mail systems.
For a complete list of IMAP clients and for more information on IMAP,
visit the Web site http://www.imap.org.
The specifics of configuring IMAP client software differ for each product.
This table presents some general requirements.
Field: Incoming mail (IMAP) server
  The fully qualified host name of the Domino server running the IMAP service.
Field: Outgoing mail (SMTP) server
  The fully qualified host name of a server running SMTP to which the user can
  send mail addressed to intranet or Internet recipients. The SMTP server may be
  the Domino server running the IMAP service, a different Domino server, or a
  non-Domino SMTP server.
Field: Authentication required to send outbound mail
  Specifies whether the configured SMTP server requires users to provide a name
  and password before they can send outgoing messages.
Field: Account/Login name
  The name by which the user authenticates with the Domino server. Valid user
  name values depend on the setting in the Internet authentication field of the
  Server document.
Field: Password
  The Internet password from the user’s Person document.
Field: E-mail address
  The Internet address specified in the user’s Person document.
Field: Check for messages every (x) minutes
  Determines how often the client checks for mail. If the client checks for mail
  more frequently, it may affect server performance.
Field: Folder namespace prefixes
  The root folder path required by some IMAP clients. Most IMAP clients do not
  need to specify folder prefixes when using the Domino IMAP service to connect
  to mail files.
For more information on determining the login names that a server will
accept, see the chapter “Setting Up Name-and-Password and
Anonymous Access to Domino Servers.”
Example of configuring PC-Pine folder prefixes
You must configure INBOX and Folder collections for the PC-Pine client
to work properly with the Domino IMAP service. Enter this syntax in the
PC-Pine Setup Configuration dialog box:

Syntax                                                            Example
INBOX-PATH {fully qualified domain name of IMAP server}INBOX      INBOX-PATH {East.Acme.com}INBOX
Folder collections {fully qualified domain name of IMAP server}   Folder collections {East.Acme.com}

Example of configuring other IMAP client software folder prefixes
For IMAP clients other than PC-Pine, set any folder prefix configurations
to blank or empty. This table shows the configuration settings for some
common IMAP clients:

IMAP client                                               Folder configuration
Netscape Messenger (Netscape Communicator 4.7)            IMAP Mail Directory
Outlook Express Mail (Microsoft Internet Explorer 5.0)    Root Folder Path

IMAP settings in the server NOTES.INI file

Variable name: IMAP_Config_Update_Interval
  Description: Specifies in minutes how often the IMAP service checks for
  configuration changes made to the Domino Directory.
  Default value: None. Without this setting, Domino checks for updates every 2
  minutes.
  Applicable Domino releases: 4.6x, 5.x, 6.x

Variable name: IMAP_Convert_Nodisable_Folder_Refs
  Description: Specifies whether the mail conversion utility (CONVERT) preserves
  folder references when updating mail files for use with the Domino Release 6
  IMAP service.
  Default value: None. Without this setting, Domino removes folder references
  during conversion.
  Applicable Domino releases: 6.x

Variable name: IMAP_Session_Timeout
  Description: Specifies how long the server continues to maintain inactive
  sessions with IMAP clients.
  Default value: None. Without this setting, Domino drops idle sessions after
  30 minutes.
  Applicable Domino releases: 4.6x, 5.x

Variable name: IMAPDisableFTIImmedUpdate
  Description: Specifies whether the IMAP service updates a mail file’s
  full-text index (FTI). Set this variable to 2 to disable updates to FTIs, or
  to 1 to suppress immediate updates so that update requests occur at
  15-minute intervals.
  Default value: When this variable is not present, or is set to 0, updates
  occur immediately after a new message is received. This allows users to
  search new messages.
  Applicable Domino releases: 6.x

Variable name: IMAPDisableMsgCache
  Description: Specifies whether the IMAP service caches the last message
  retrieved from a user’s mail file.
  Default value: When this variable is not present, or is set to 0, the IMAP
  service caches the most recently retrieved message.
  Applicable Domino releases: 6.x

Variable name: IMAPGreeting
  Description: Specifies a custom greeting to send to IMAP clients connecting
  over TCP/IP.
  Default value: None
  Applicable Domino releases: 4.6x, 5.x

Variable name: IMAPMaxSessions
  Description: Specifies the maximum number of concurrent IMAP sessions the
  server allows.
  Default value: None
  Applicable Domino releases: 5.0.3 and later 5.0.x releases

Variable name: IMAPRedirectSSLGreeting
  Description: Specifies a custom greeting to send to IMAP clients attempting
  to connect to a TCP/IP port configured to redirect connections to the SSL
  port.
  Default value: None
  Applicable Domino releases: 4.6x, 5.x

Variable name: IMAPShowIdleStatus
  Description: Enables the SHOW TASKS command to display the number of idle
  IMAP threads.
  Default value: When this variable is not present, or is set to 0, the SHOW
  TASKS command does not return the number of IMAP idle threads.
  Applicable Domino releases: 6.x

Variable name: IMAPSSLGreeting
  Description: Specifies a custom greeting to send to IMAP clients connecting
  over SSL.
  Default value: None
  Applicable Domino releases: 5.6x, 5.x

Chapter 32
Setting Up iNotes Web Access
This chapter describes how to set up iNotes Web Access so that Notes
client users can use a Web browser to access their Lotus Notes mail and
calendar. It provides configuration document settings and NOTES.INI
settings to control and customize iNotes Web Access for users. In
addition, this chapter describes how iNotes Web Access works with
Sametime and Domino Off-Line Services to provide users with instant
messaging and the ability to work offline.
iNotes Web Access
iNotes Web Access provides Notes users with browser-based access to
Notes mail and to Notes calendar and scheduling features. iNotes Web
Access users can send and receive mail, view their calendars, invite
people to meetings, create to do lists, keep a notebook, and work offline.
After being set up for iNotes Web Access, a user can use both the
standard Notes client and a Web browser to access their mail files.
Because both the Notes client and iNotes Web Access operate on the
same underlying user mail file, read and unread marks remain
up-to-date, regardless of which client the user uses to read the mail.
Users can also synchronize contact information in their Personal Address
Book with information in their Contact List in iNotes Web Access.
While users simply need a name and Internet password to log on and use
iNotes Web Access, a Notes ID is required if a user wants to work offline.
Be sure to create a Notes ID for each user when registering new users
with the iNotes Web Access template.
For more information, see the topic “Registering iNotes Web Access
users” later in this chapter.
Security
iNotes Web Access requires user log-on and logout security. When a user
logs onto iNotes Web Access, they must enter their name and Internet
password, as specified in their Person document. The login names that
the server accepts as valid depend on the setting in Internet
authentication field on the Security tab of the Server document.
For more information, see the chapter “Setting Up Name-and-Password
and Anonymous Access to Domino Servers.”
When the user logs out of iNotes Web Access, iNotes closes the browser
and removes the user’s log-on credentials and private data from the
browser’s cache. By deleting this data, iNotes prevents an unauthorized
user from using cached information to access the user’s mail file.
Note The removal of private data from the browser’s cache and more
secure data clearing capabilities are available only if the user accepts the
iNotes ActiveX control.
iNotes Web Access will not remove some personal data unless the user
explicitly selects “Logout for Shared PCs or Kiosk Users.” With this
selection, users can choose one of two secure logouts:
• Secure - This option deletes all traces of the user’s personal use of
iNotes Web Access and any Web pages that they may have browsed,
but keeps iNotes Web Access program elements (this boosts
performance when the next person logs on).
• More secure - This option deletes all traces of iNotes Web Access and
all other Web pages in the temporary Internet files folder.
You can also redirect users to a specific Web page after they logout.
For more information, see the topic “Redirecting users to a Web page
after logout” later in this chapter.
Integration with DOLS and Sametime
To provide users with the ability to work offline and use instant
messaging, you can integrate iNotes Web Access with Domino Off-Line
Services (DOLS) and Sametime. DOLS enables users to work offline,
disconnected from the network, and provides many replication features
that Notes users expect when working in the Notes client. Sametime
provides integrated, real-time chat features for iNotes Web Access users.
Neither DOLS nor Sametime is required for iNotes Web Access use.
For more information about setting up Sametime and iNotes Web Access,
see the chapter “Installing and Setting Up Domino Servers.”
Registering iNotes Web Access users
When registering users, choose “iNotes” as the mail system. This choice
uses the iNotes60.ntf template. The name of the template is “iNotes Web
Access (R6.0).” The template contains mail template support for the
iNotes Web Access client and the Notes client.
For information on registering new users, see the chapter “Setting Up
and Managing Notes Users” and keep the following information in
mind:
• The mail system, “iNotes,” does not automatically create a Notes ID
for the person. You must select “Create a Notes ID for this person.”
• Under “Password Options,” enable “Synch internet password with
Notes ID password.” Making the passwords the same makes it easier
to manage passwords and allows Notes users to work offline with
iNotes Web Access.
Providing a log-on URL for iNotes Web Access users
After you register new iNotes Web Access users, they will need three
things to access their mail files:
• User name
• Internet password
• Default log-on URL (http://servername.com/mail/username.nsf)
The default URL displays the Welcome Page. However, you can give
users a URL that will initially display other views. Appending the
following text to the URL with a specific keyword (see following table)
will cause iNotes Web Access to initially display a different view:
.../username.nsf/inotes/keyword/?OpenDocument&ui=inotes

To display      Use URL keyword
Mail Inbox      mail
Calendar        calendar
To Do List      todo
Contact List    contacts
Notebook        notebook

Creating Portal URLs
A portal is a Web site that aggregates information from a variety of
sources onto one page. You can provide a Web portal showing only one
view of iNotes Web Access, or one showing several views. iNotes Web
Access supports special URLs that allow a particular iNotes Web Access
functional area to be displayed within an IFRAME (or a full browser
window). This view takes up very little screen real estate and limits
access to other functional areas.
An individual iNotes Web Access portal view is limited to one of the
following:
• Inbox
• Calendar
• To Do List
• Notebook
• Contact List
URL syntax for an iNotes Web Access portal showing just the mail Inbox:
.../username.nsf/inotes/mail/?OpenDocument&ui=portal
Note that you can place all of iNotes Web Access within a portal page by
using the normal iNotes URL and not using the &ui=portal parameter.
Customizing iNotes Web Access for users
This section describes how to customize iNotes Web Access settings for
users.
• Editing the Configuration Settings document for iNotes Web Access
• Making document links work
• Allowing users to take the Domino directory offline
• Adding a disclaimer to outgoing messages
• Configuring alternate name support in iNotes Web Access
• Redirecting users to a Web page after logout
• Disabling the Active Content Filter
Editing the Configuration Settings document for iNotes Web Access
1. From the Domino Administrator, click the Configuration tab and
expand the Messaging section.
2. Click Configurations.
3. Select the Configuration Settings document for the iNotes Web
Access mail server(s) and click Edit Configuration.
4. Select the iNotes Web Access tab.
5. Change any of the configuration settings described in the following
table.
6. Save the document and restart the Domino server.

Setting / Action

Welcome Page Setup

Default Welcome Page
  Click View/Modify to set Welcome Page settings.
  Default Page: Lets users customize the Welcome Page.
  Selected Web Page: Forces users to use a specific Web page as the Welcome
  page. Enter the URL and title.
  Custom Layout: Choose from six custom layouts to specify new mail, calendar
  schedule, Web links, and other options to appear in a layout.

Allow user to edit the custom Welcome page
  Enable (default) to allow users to create Welcome pages and override any
  settings on the server.
  Disable to prevent users from changing the administrator-prescribed Welcome
  page.

Alarm and Mail Polling

Alarms
  Enable (default) to allow users to set alarms for appointments, meetings,
  events, and task deadlines.
  Disable to prevent users from setting alarms that may slow server performance.

Minimum alarm polling time
  Enter a number to specify how often, in minutes, the iNotes Web Access client
  checks the server for alarms. Default is 5 minutes. Increase this number to
  improve server performance.

Mail

Minimum mail polling time
  Enter a number to specify how often, in minutes, the iNotes Web Access client
  checks the server for new mail. Default is 5 minutes. Increase this number to
  improve server performance.

When sending mail, set format to:
  Choose Plain text, or Let user decide. This setting allows you to restrict
  outgoing mail to plain text only. Plain text messages can be read by most
  legacy mail applications. Allowing the user to decide lets the user pick the
  format for every outgoing mail message.

Name resolution and validation
  Enable to allow alternate name lookups, similar to “type-ahead” in Notes.
  Lets users resolve ambiguous names and use alternate names by checking names
  against a contact list or Domino Directory.

Offline

Encrypt offline mail files
  When enabled, allows users to encrypt their offline mail files for security.

Offline encryption level
  Sets the default offline encryption level to be simple, medium, or strong.
  Simple encryption provides protection against casual snooping.
  Medium encryption provides the right balance among security, strength, and
  fast database access. Probably the right choice for most users.
  Choose strong encryption when security requirements are paramount, and the
  resulting database access performance is acceptable.

Allow user to choose an encryption level
  This setting, when enabled, overrides the administrator-specified encryption
  level and allows users to choose their own encryption level.

Allow user to go offline
  When selected, this option enables the “Go Offline” feature in the iNotes Web
  Access client.
  Disable this option to prevent users from using iNotes Web Access offline,
  disconnected from the network.

International

Alternate name display
  Enable (default) to allow iNotes Web Access users to display alternate names
  in a native language.
  Disable to prevent iNotes Web Access from displaying alternate user names in a
  native language. When disabled, users see alternate names in English only.

Alternate name language
  This setting overrides the preferred language for an alternate name in user
  Preferences. Pick from a list to select the default alternate name language.
  Default is English.

Allow user to choose alternate name display
  Lets users choose the preferred language for an alternate name.
  Disable (default) to prevent users from controlling alternate name support.

Other Settings

Full-text indexing
  Enable (default) to allow users to create a full-text index of their mail,
  calendar, and task entries on the server.
  Disable to prevent creation of full-text indexes to save disk space on the
  server and improve performance.

Archiving on server
  Enable (default) to allow users to create archives of their mail files on the
  server.
  Disable to prevent creation of mail archives to save disk space on the server.

Modification of Internet password
  Disable to prevent users from changing their Internet password.

Calendar printing
  Enable (default) to allow users to print various calendar formats, including
  DayRunner, Franklin Planner, and Trifold. Calendar printing uses the PDF
  format from Adobe Acrobat.
  Disable to prevent users from printing Calendar formats using PDF.

Custom ActiveX file attachment utility
  Enable (default) to allow users to use the custom file upload utility to
  drag-and-drop file attachments, select files easily, and have multiple file
  views.
  Disable to allow users to use the standard browser file upload utility.

Making document links work
iNotes Web Access supports document links to any server, including
servers other than the user’s home mail server. Document links work as
long as the user has access to the database to which the link connects. The
database must also be on a Domino server in the local area network.
To configure the server for document links:
1. From the Domino Administrator, click the Configuration tab.
2. Select the Server view and open the Current Server Document.
3. Click Edit Server.
4. Choose the Internet Protocols tab, then Domino Web Engine tab.
5. Set the field, “Redirect to resolve external links” to “By Server.”
6. Click Save & Close.
Allowing users to take the Domino directory offline
You can use a NOTES.INI variable, $DOLSDirectoryCatalog, to set the
name of a Domino directory that the user may take offline. This setting
makes a part of the interface visible in the user’s preferences, giving
users the option of taking the server’s directory catalog or Domino
directory offline.
For example, if NOTES.INI contains $DolsDirectoryCatalog=dc.nsf, the
user sees a new preference setting, “Include server’s Name and Address
Book”. If the user enables this setting, the server’s directory catalog will
be included among the files when the user goes offline.
Taking the directory catalog rather than the Domino directory offline
improves performance and saves space on the user’s disk drive.
Disabling the Active Content Filter
Use the NOTES.INI variable, iNotes_WA_DisableActCntSecurity, to
disable the Active Content Filter. A setting of 1 disables the filter. Setting
this variable to 0 (or omitting it from the server’s NOTES.INI file) enables
the filter.
The Active Content Filter is intended to remove potentially harmful
active content (JavaScript, Java, ActiveX) from HTML in mail messages
prior to display in a browser. Active content filtering can reduce server
performance because it requires a full parse of HTML content and a
rewrite of the content.
Redirecting users to a Web page after logout
Use the NOTES.INI variable, iNotes_WA_LogoutRedirect, to specify a
URL to which users are redirected after logging out from the server. The
normal cache clearing with the iNotes control, and the clearing of browser
credentials, still take place. This variable lets sites that need additional
actions on logout (such as logging out of a reverse proxy server) specify a
URL that performs that additional activity. Or you can use this variable to
return people to an initial login page.
For instance:
iNotes_WA_LogoutRedirect=http://www.ibm.com
Specifying the number of names to return
Use the NOTES.INI setting, iNotes_WA_NameLookupMaxNumMatch,
to specify the maximum number of names to return on name lookups.
The default is 200. You can reduce this number to improve server
performance.
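An added example, not part of the Domino documentation, that parses a server NOTES.INI and audits the IMAP variables from the table earlier in this chapter together with the iNotes Web Access variables described in this section (Active Content Filter, logout redirect, name lookup limit). The NOTES.INI content is a constructed sample; the variable names, documented defaults and value ranges are the ones the chapter gives.

```python
# Added example, not from the Domino documentation: parse a server NOTES.INI and
# audit the IMAP and iNotes Web Access variables this chapter documents against
# their documented defaults and value ranges. The NOTES.INI content below is a
# constructed sample; the variable names and defaults are the ones in the chapter.
from typing import Dict, Optional, Tuple

# Constructed sample NOTES.INI fragment (not taken from a real server).
SAMPLE_NOTES_INI = r"""
[Notes]
Directory=c:\lotus\domino\data
ServerTasks=Router,Replica,Update,IMAP,HTTP
IMAP_Session_Timeout=120
IMAPDisableFTIImmedUpdate=3
iNotes_WA_DisableActCntSecurity=1
iNotes_WA_LogoutRedirect=www.example.com/logout
iNotes_WA_NameLookupMaxNumMatch=200
$DOLSDirectoryCatalog=dc.nsf
"""


def parse_notes_ini(text: str) -> Dict[str, str]:
    """NOTES.INI holds one name=value per line; names are matched case-insensitively."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("["):
            continue
        name, sep, value = line.partition("=")
        if sep:
            settings[name.strip().lower()] = value.strip()
    return settings


def audit_imap_inotes(settings: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """Return {variable: (severity, finding)}; severity is 'high', 'warn' or 'info'.
    Variables at their documented default produce no finding."""
    findings: Dict[str, Tuple[str, str]] = {}

    def get(name: str) -> Optional[str]:
        return settings.get(name.lower())

    # 1 disables the filter that strips JavaScript/Java/ActiveX from HTML mail
    # before it is shown in the browser; 0 or absent keeps the filter on.
    if get("iNotes_WA_DisableActCntSecurity") == "1":
        findings["iNotes_WA_DisableActCntSecurity"] = (
            "high", "Active Content Filter disabled: active content in HTML mail reaches browsers unfiltered")

    v = get("IMAPDisableFTIImmedUpdate")
    if v is not None and v not in ("0", "1", "2"):
        findings["IMAPDisableFTIImmedUpdate"] = (
            "warn", f"value {v!r} is not documented; use 0 (immediate), 1 (15-minute interval) or 2 (disabled)")

    v = get("IMAP_Session_Timeout")
    if v is not None:
        if not v.isdigit():
            findings["IMAP_Session_Timeout"] = ("warn", f"value {v!r} is not a number of minutes")
        elif int(v) > 30:
            findings["IMAP_Session_Timeout"] = (
                "warn", f"idle IMAP sessions kept for {v} minutes, longer than the 30-minute default")

    v = get("iNotes_WA_LogoutRedirect")
    if v is not None and not v.lower().startswith(("http://", "https://")):
        findings["iNotes_WA_LogoutRedirect"] = (
            "warn", f"logout redirect {v!r} is not an absolute http(s) URL")

    v = get("iNotes_WA_NameLookupMaxNumMatch")
    if v is not None and v.isdigit() and int(v) > 200:
        findings["iNotes_WA_NameLookupMaxNumMatch"] = (
            "info", f"name lookups return up to {v} matches, above the default 200; costs server performance")

    if get("IMAP_Convert_Nodisable_Folder_Refs") is not None:
        findings["IMAP_Convert_Nodisable_Folder_Refs"] = (
            "info", "folder references preserved on conversion; Domino does not keep them in sync afterwards")

    v = get("IMAP_Config_Update_Interval")
    if v is not None and v.isdigit() and int(v) > 2:
        findings["IMAP_Config_Update_Interval"] = (
            "info", f"Domino Directory changes reach the IMAP service only every {v} minutes (default 2)")
    return findings


if __name__ == "__main__":
    for name, (severity, text) in audit_imap_inotes(parse_notes_ini(SAMPLE_NOTES_INI)).items():
        print(f"[{severity}] {name}: {text}")
```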
Adding a disclaimer to outgoing messages
You can add a disclaimer to the bottom of outgoing mail messages in
iNotes Web Access. A disclaimer is a denial or a disavowal of legal
responsibility for the contents of the message. In some countries, not
having a proper disclaimer on messages may result in fines leveled by
regulatory agencies.
Use the subform s_Disclaimer in Forms5.nsf to create a disclaimer. This
subform works with the s_SessionInfo form. By default, the disclaimer is
not enabled.
1. Make a backup copy of ...\data\iNotes\Forms5.nsf.
2. Using Domino Designer, open Forms5.nsf.
3. Click Shared Code - Subforms.
4. Double click the subform s_Disclaimer to open it.
5. In the JavaScript, change “false” to “true.”
6. Change the text string to state your disclaimer (HTML allowed).
7. Click File - Save.
8. Restart the HTTP server using the Domino Administrator console
(>tell http restart).
Default Disabled Disclaimer JavaScript:
function getDisclaimerHTML() {
    var strDisclaimer = "";
    if (false) {
        strDisclaimer = "<br>Place your disclaimer text here in HTML format. " +
            "Externally referenced files will not be sent";
    }
    return strDisclaimer;
}
Sample Enabled Disclaimer JavaScript:
function getDisclaimerHTML() {
    var strDisclaimer = "";
    if (true) {
        strDisclaimer = "<br>The information in this e-mail, and any attachments " +
            "therein, is confidential and for use by the addressee only. If you " +
            "are not the intended recipient, please return the e-mail to the " +
            "sender and delete it from your computer. Although we attempt to " +
            "sweep e-mail and attachments for viruses, we do not guarantee that " +
            "either are virus-free and accept no liability for any damage " +
            "sustained as a result of viruses.";
    }
    return strDisclaimer;
}
Note HTML is automatically converted to plain text for plain text
messages.
Configuring alternate name support in iNotes Web Access
An alternate name is helpful when a user wants to use his or her native
language and character set to type, display, and look up names. For
example, users can type a name in a native language and character set
when sending mail. A user’s primary name is recognizable to an
international audience; an alternate name is recognizable to the user’s
native language.
By default, iNotes Web Access allows users to view alternate names but
not in any language other than English. You can change iNotes Web
Access to allow users to send and view alternate names in their own
native language.
Note Before a user can use an alternate name for a primary name, you
must register and certify the alternate name.
For more information on alternate names, see the chapter “Setting Up
and Managing Notes Users.”
To allow users to display alternate names in the language of their choice
1. From the Domino Administrator, click the Configuration tab and
expand the Messaging section.
2. Click Configurations.
3. Select the Configuration Settings document for the iNotes Web
Access mail server(s) and click Edit Configuration.
4. Select the iNotes Web Access tab.
5. Enable “Alternate name support.”
6. Enable “Name resolution and validation.”
7. Enable “Allow user to choose the alternate name display.”
8. Save the document and restart the Domino server.
This will change the user interface of Preferences - Other tab. Users will
now be able to display alternate names in the language of their choice.
To allow users to view alternate names in the languages set by the server
1. Perform steps 1 through 6 in the preceding procedure.
2. Disable “Allow user to choose alternate name display.”
3. In the field “Alternate name languages,” choose languages from the list.
4. Save the document and restart the Domino server.
This changes the user interface in the user’s Preferences - Other dialog.
Users will be able to display alternate names in the languages you set on
the server.
iNotes Access for Microsoft Outlook
Lotus iNotes Access for Microsoft Outlook is similar to iNotes Web
Access, but uses a Microsoft Outlook client to access mail file databases
instead of a Web browser. Lotus iNotes Access for Microsoft Outlook
requires a Domino Off-Line Services (DOLS) - enabled server, which
allows users to open their mail files online or offline.
For more information about DOLS enablement, see the chapter
“Installing and Setting Up Domino Servers.”
Lotus iNotes Access for Microsoft Outlook supports Outlook 98, 2000, or
XP. The Microsoft Outlook client must be a “Corporate or Workgroup”
client. To check your Outlook client, start Microsoft Outlook, then choose
Help - About.
Note Lotus iNotes Access for Microsoft Outlook does not support
“Internet Mail Only” clients.
Setting up mail files on the server
To set up your iNotes Access for Microsoft Outlook users, follow these
steps.
1. Register users with the Extended Mail template (MAIL6EX.NTF).
   • For existing users, replace the design of their mail files with the
     Extended Mail template. For new users, create mail files with the
     Extended Mail template.
   • Enable the “Set Internet password” field in each user’s Person
     document in the Domino Directory.
   • The download page of an iNotes Access for Microsoft Outlook mail
     database gives the user an option to download a directory catalog
     (address book) along with the subscription. To download the catalog,
     add the following setting to the NOTES.INI file:
         $DOLSDirectoryCatalog=file name of the directory catalog
     For example, to have users download the catalog DircatOne.nsf with
     their mail file, add the following to the NOTES.INI file:
         $DOLSDirectoryCatalog=DircatOne.nsf
2. Create a DOLS Offline Security Policy document.
For more information, see the chapter “Using Policies.”
3. Give each user a Notes user name, Internet password, and URL.
Provide users with a URL that points to their mail file. Append
/inotes to the end of the URL. For example:
http://server1/mail/jsmith.nsf/inotes
Downloading iNotes Access for Microsoft Outlook
To use their iNotes Access for Microsoft Outlook mail file, users must do
the following:
1. Open a Web browser and enter the URL of the mail file.
2. When prompted, enter their Notes user name and Internet password
to access the download page.
From the download page, users can choose the language of the Lotus
iNotes Sync Manager (client software for managing and synchronizing
the mail file); choose to encrypt the mail file; choose whether or not to
download a directory catalog along with the mail file; and choose
whether or not to install an offline version of their mail file. Users can
find detailed help on these options on the download page.
3. Click “Start Download” to download the mail file. During the
download, the mail file and Lotus iNotes Sync Manager software are
installed. When the iNotes Sync Manager appears, it must remain
open while the subscription is synchronizing for the first time. Users
can close the iNotes Sync Manager after the status column no longer
says Active.
4. Start Outlook. When prompted, choose one of the following mail
   profiles:
   • Mail on servername - the version of the mail file on the Lotus
     Domino 6 server.
   • Local Mail - the version of the mail file on the local computer.
5. Use Lotus iNotes Sync Manager to synchronize between the offline
and online mail files, or to schedule automatic synchronizations. The
iNotes Sync Manager Help is available by choosing Start - Programs
- Lotus iNotes - Lotus iNotes Help.
Chapter 33
Monitoring Mail
This chapter describes how to track messages to determine if they
reached the recipients and how to generate mail usage reports.
Tools for mail monitoring
Domino provides three tools that you can use to monitor mail. Message
tracking allows you to track specific mail messages to determine if the
intended recipients received them. Mail usage reports provide the
information you need to resolve mail problems and improve the
efficiency of your mail network. Mail probes test and gather statistics on
mail routes.
Tracking mail messages
Both users and Domino administrators can track mail. Users can track
only messages that they themselves sent. Administrators can track mail
sent by any user.
When you configure mail tracking, you can specify which types of
information Domino records. For example, you can specify that Domino
not record message-tracking information for certain users, or you can
choose not to record the subject line of messages sent by specific users.
The Mail Tracker Collector task (MTC) reads special mail tracker log files
(MTC files) produced by the Router and copies certain messaging
information from them to the MailTracker Store database
(MTSTORE.NSF). The MailTracker Store database is created
automatically when you enable mail tracking on the server. When an
administrator or user searches for a particular message, either a message
tracking request or a mail report, Domino searches the MailTracker Store
database to find the information.
Note The Mail Tracker Collector differs from the Statistics Collector
(Collect task), which is responsible for gathering statistical information
about servers.
How mail tracking works
1. From a Notes client or Domino Administrator client, a user creates a
query to determine whether a specific message arrived at its
intended destination or to determine how far it got if delivery failed.
2. The mail tracking program begins to trace the routing path from the
server where the message originated. If the message is not found on
the originating server, tracking automatically continues at the next
server on the route.
3. Step 2 is repeated on each “next server” until the route ends.
Detailed information is provided about the processing of the
message on each server.
4. After the tracking query completes, the user can select messages
from the results and check their delivery status. The following table
displays the possible values for the delivery status:

Delivery Status
    Meaning

Delivered
    The message was delivered to a mailbox on the server. The mail file
    status indicates whether the message was read, unread, or deleted. If
    the mail file status is not read, unread, or deleted, it appears as
    unknown.

Delivery failed
    The server attempted to deliver the message to a mail file but was
    unsuccessful. The recipient may not exist, or the server’s disk may be
    full.

In queue
    The Router is processing the message.

Transferred
    The Router successfully sent the message to the server identified in
    the next hop field.

Transfer failed
    The Router attempted to transfer the message to another server and
    failed.

Group expanded
    The message was addressed to a group, and the group was expanded on
    this server.

Unknown
    The status of the message on the server cannot be determined.
Generating mail usage reports
Over time, the Domino MailTracker Store database (MTSTORE.NSF)
accumulates valuable data about message routing patterns on the server.
It may be useful to generate mail usage reports from this data. For
example, you can generate reports of recent messaging activity, message
volume, individual usage levels, and heavily traveled message routes.
You can use the Reports database (REPORTS.NSF) to generate and store
mail usage reports. Typically, the Reports database is created
automatically when you set up the server.
Mail usage reports provide important information that you can use to
resolve problems and improve the efficiency of the mail network. In
addition, this information is valuable when you plan changes or
expansions to the mail network. For example, you can generate reports
that show the 25 users who received the most mail over a given period of
time (a day, a week, a month, and so forth), or the volume of mail sent by
a specified user over some interval. With this information, you can
identify users who might be misusing the mail system. Other reports
show the most frequently used next and previous hops, enabling you to
assess compliance with mail use policies.
Agents stored in the Reports database let administrators schedule reports
on a one-time, daily, weekly, and monthly basis. By default, Domino
generates scheduled reports at midnight at the interval you specify —
daily, weekly, or monthly. When a report query is run, the active report
agent examines the data collected in the Domino MailTracker Store
database to generate the resulting report. You can configure a report to
save results in the Reports database or mail results to one or more
administrators. Saved reports are organized in the Reports database
under several different views. Reports that are mailed, but not saved, are
not added to the Reports database.
You can use the Reports database to analyze server mail usage. Views in
the database display previously saved reports according to date,
schedule, report type, and user. In addition, a view displays all
scheduled reports by interval.
Mail routing event generators
To monitor a mail network, you can configure mail routing event
generators to test and gather statistics on mail routes.
For more information on mail routing event generators, see the chapter
“Monitoring the Domino Server.”
Setting up mail monitoring
To set up mail monitoring, you must complete these procedures:
1. Start mail tracking (the MTC task) on the server.
2. Configure the server for message tracking.
3. Set up the Reports database (REPORTS.NSF).
Setting up the Reports database
After you set up the Domino MailTracker Store database, you can use the
Reports database (REPORTS.NSF) to generate and store mail usage
reports. Although the Reports database is created automatically when
you set up the server, before you can generate mail usage reports, you
must set up security for the database.
To create the Reports database
1. From the Domino Administrator, Notes client, or Domino Designer
client, choose File - Database - New.
2. At the bottom of the New Database dialog box, click Show advanced
templates.
3. Complete these fields and click OK:

Field
    Enter

Server
    The name of the server that stores the Mail Tracking Store database
    (MTSTORE.NSF)
Title
    Reports
File name
    REPORTS.NSF
Template server
    The name of the server entered in the Server field
Template
    REPORTS.NTF
To set up security for the Reports database
Note Step 4 of this procedure requires use of the Domino Designer
client.
1. Open the Reports database and choose File - Database - Access
control to open the database ACL.
2. Verify that the server and the server administrator have Manager
access, then click OK.
3. With the Reports database active in your client, choose View -
Agents.
4. Verify that the scheduled agents (Daily, Monthly, and Weekly Report
Agents, and the Housecleaning agents) are enabled. Enable agents as
necessary by selecting the agent and clicking Enable; then close the
Domino Designer.
5. From the Domino Administrator, click the Configuration tab, open
the Server document for the server where you created the Reports
database and click the Security tab.
6. In the Programmability Restrictions - Run unrestricted methods and
operations field, enter the names of administrators who need access
to the Reports database, and then click Save & Close.
Controlling the Mail Tracking Collector
After you enable message tracking on the server, the Mail Tracking
Collector (MT Collector or MTC task) automatically creates the Domino
MailTracker Store database (MTSTORE.NSF) in the MTDATA
subdirectory of the Domino data directory. The MTC task periodically
collects messaging information from raw data accumulated in special
mail tracker log files (MTC files) produced by the Router. After collecting
this message summary information — information about the originators,
recipients, arrival times, and delivery status of the messages processed
by the server — it adds it to the Domino MailTracker Store database.
Mail users and administrators use the information stored in the Domino
MailTracker Store to complete mail tracking requests and to generate
mail usage reports.
Caution Do not edit the Mail Tracking Store database directly.
In addition to collecting message data, the MTC task performs several
maintenance operations on the Domino MailTracker Store database. You
can enter commands at the server console to instruct the MTC task to
perform these operations. The following table lists the commands for
performing various MTC operations:

MTC operation
    Description and Command

Start mail tracking
    When mail tracking is enabled in the Configuration Settings document,
    tracking automatically starts when the Router starts. If you stop the
    MTC task, you can restart it by entering the following command at the
    server console:
        load mtc

Stop mail tracking
    By default, the MTC task automatically stops when the Router stops. To
    stop the task without stopping the Router, enter the following command
    at the server console:
        tell mtc quit

Collect new data from mail tracking logs
    If mail tracking is enabled on the Router/SMTP - Mail Tracking tab of
    the Configuration Settings document, the MTC task collects data from
    mail tracking log files at the interval specified in the “Message
    tracking collection interval” field. If there is new data to report, it
    creates an entry in the MailTracker Store database. To instruct the MTC
    task to collect data immediately, enter the following command at the
    server console:
        tell mtc process
    Performing a manual collection resets the automatic collection interval
    to its full value. For example, if the collection interval is set to
    15 minutes (900 seconds), after you run the collection manually, the
    next automatic collection occurs in 15 minutes.
    To check the collection interval that is currently in effect, as well
    as the time remaining to the next collection, enter the Show Tasks
    command at the console.

Establish a different collection interval
    If mail tracking is enabled on the Router/SMTP - Mail Tracking tab of
    the Configuration Settings document, the MTC task collects data from
    mail tracking log files at the interval specified in the “Message
    tracking collection interval” field. If there is new data to report, it
    creates an entry in the MailTracker Store database. To specify a
    different interval, enter the following command at the server console:
        tell mtc interval value
    where value is the desired interval, in seconds.
    The specified value remains in effect until the next Router restart. At
    that time the value specified in the Configuration Settings document
    again goes into effect.
    To check the collection interval that is currently in effect, as well
    as the time remaining to the next collection, enter the Show Tasks
    command at the console.

Compact the MailTracker Store database
    By default, the MTC task compacts the Domino MailTracker Store nightly
    at 2 am. To compact the database immediately, enter the following
    command at the server console:
        tell mtc compact
    You can also change the default time for compacting the database by
    setting the variable MTCDailyTasksHour in the server’s NOTES.INI file.

Reindex the MailTracker Store database
    To assist message tracking tools and mail usage reports in searching
    for information, the Domino MailTracker Store database is full-text
    indexed. New documents added to the database are available to
    full-text searches only after the index has been updated to account
    for them. Data contained in an unindexed document is omitted from
    search results.
    To determine if the index needs to be updated, display the total of
    unindexed documents in a database by clicking the “Count unindexed
    documents” button on the Full Text tab of the Database Properties box.
    To ensure that the full-text index of the Domino MailTracker Store
    database remains current, use the Full Text Index tool available from
    the Domino Administrator client to schedule automatic updates to occur
    on an hourly or daily basis. You can also update the database manually
    from a Notes client or Domino Administrator client, using the update
    tool on the Full Text tab of the Database Properties box, or by
    entering the following command at the server console:
        tell mtc reindex

Purge old entries from the MailTracker Store database
    By default, the MTC task purges documents from the MailTracker Store
    database after 30 days. To purge documents less than 30 days old from
    the database, enter the following command at the server console:
        tell mtc purge value
    where value is the maximum number of days to retain documents in the
    Mail Tracker Store database. The MTC task removes all documents older
    than value from the database.
For more information about the MTCDailyTasksHour setting, see the
appendix “NOTES.INI File.”
Configuring the server for message tracking
This process allows you to customize the type of information you want to
collect and store in the Mail Tracking Store database (MTSTORE.NSF).
For example, you can exclude certain users’ mail from being collected, or
you can restrict messages from being tracked by message subject.
1. Make sure you already have a Configuration Settings document for
the server(s) to be configured.
2. From the Domino Administrator, click the Configuration tab and
expand the Messaging section.
3. Click Configurations.
4. Select the Configuration Settings document for the mail server or
servers you want to administer, and click Edit Configuration.
5. In the Configuration Settings document, click the Router/SMTP
Message Tracking tab.
6. Complete these fields, and then click Save & Close:

Field
    Enter

Message tracking
    Choose one:
    • Enabled to log message-handling activity information in the Mail
      Tracking Store database.
    • Disabled (default) to not log any message-handling information.

Don’t track messages for
    The names of users and/or groups whose messages will not be logged
    and, therefore, cannot be tracked. This field applies only to messages
    sent by the specified person or group.
    For example, to prevent administrators from tracking messages sent by
    the Manager of Human Resources, enter the manager’s name in this field.
    If you leave this field blank (default), authorized administrators can
    track messages for all users and groups on all servers that are enabled
    for mail tracking.
    On servers running the ISpy task to test mail connectivity, this task
    sends trace messages at 5-minute intervals. To prevent the Domino
    MailTracker Store database from filling up with entries for these trace
    messages, enter the name of the ISpy mail-in database on the server in
    this field, for example, ISpy on MailHub1.

Log message subjects
    Choose one:
    • Yes — The server records the subject of each message in the
      MailTracker Store database.
    • No — (default) The server does not log message subjects.

Don’t log subjects for
    The names of users and/or groups whose message subjects will not be
    logged and, therefore, cannot be tracked. This field applies only to
    messages sent by the specified person or group. The default is none.

Message tracking collection interval
    A number that represents how often, in minutes, you want to log message
    tracking activity in the Mail Tracking Store database. This number may
    affect server performance. Enter a number appropriate to the size and
    speed of your system. The default 15 minutes is recommended.

Allowed to track messages
    The names of servers and/or users allowed to track messages on this
    server. If you leave this field blank (default), only members of the
    LocalDomainServers group are authorized to track messages on this
    server. If you add any entries to this field, you must list all servers
    and/or users that are allowed to track messages on this server.

Allowed to track subjects
    The names of servers and/or users allowed to track messages by subject
    on this server. If you leave this field blank (default), only members
    of the LocalDomainServers group are authorized to track messages by
    subject on this server. If you add any entries to this field, you must
    list all servers and/or users allowed to track subjects on this server.
    If you list servers and/or users in this field, you do not have to list
    them in the “Allowed to track messages” field.
If disk storage space is a concern, use database replication settings to
control how many days’ worth of information the Mail Tracking Store
database retains. The number of days restricts how far back in time
messages can be tracked, so choose a value that balances tracking needs
and available disk storage.
For information on replication settings, see the chapter “Creating
Replicas and Scheduling Replication.”
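The logging and authorization rules these fields describe, modelled as an added example (not Domino’s own code) over a constructed Configuration Settings document: which messages the Router records, whether their subjects are logged, and who may track messages or subjects, including the LocalDomainServers fallback for blank fields. The group directory, names and the field keys used here are constructed for illustration.

```javascript
// Added example, not Domino's own code: a model of the Router/SMTP -
// Message Tracking access rules, run against a constructed Configuration
// Settings document. Field keys mirror the table above.

var GROUPS = {
    // constructed sample group directory
    LocalDomainServers: ["Hub1/Acme", "Mail1/Acme"],
    MailAdmins: ["Jane Admin/Acme"]
};

var CONFIG = {
    // constructed Configuration Settings document for Mail1/Acme
    messageTracking: "Enabled",
    dontTrackMessagesFor: ["HR Manager/Acme", "ISpy on Mail1"],
    logMessageSubjects: true,
    dontLogSubjectsFor: ["Legal Counsel/Acme"],
    allowedToTrackMessages: [],             // blank: LocalDomainServers only
    allowedToTrackSubjects: ["MailAdmins"]  // non-blank: replaces the default
};

// True if name is listed directly or via any (nested) group in entries.
function isListed(name, entries, groups, seen) {
    seen = seen || {};
    return entries.some(function (entry) {
        if (entry === name) return true;
        if (groups[entry] && !seen[entry]) {
            seen[entry] = true;
            return isListed(name, groups[entry], groups, seen);
        }
        return false;
    });
}

// The MailTracker Store entry the Router produces for a message: null when
// nothing is logged (tracking disabled, or sender excluded), otherwise the
// summary with the subject only when subject logging applies to the sender.
function trackingEntryFor(cfg, msg, groups) {
    if (cfg.messageTracking !== "Enabled") return null;
    if (isListed(msg.from, cfg.dontTrackMessagesFor, groups)) return null;
    var logSubject = cfg.logMessageSubjects &&
        !isListed(msg.from, cfg.dontLogSubjectsFor, groups);
    return { from: msg.from, to: msg.to, subject: logSubject ? msg.subject : null };
}

// A blank "Allowed to track ..." field falls back to LocalDomainServers; a
// non-blank one must list everyone who is allowed.
function effectiveList(list) {
    return list.length ? list : ["LocalDomainServers"];
}

function canTrackSubjects(cfg, principal, groups) {
    return isListed(principal, effectiveList(cfg.allowedToTrackSubjects), groups);
}

// Anyone allowed to track subjects may also track messages without being
// listed again in "Allowed to track messages".
function canTrackMessages(cfg, principal, groups) {
    return canTrackSubjects(cfg, principal, groups) ||
        isListed(principal, effectiveList(cfg.allowedToTrackMessages), groups);
}
```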
Tracking a mail message
If you track a mail message and the search finds no messages, adjust the
search criteria and then perform the search again.
1. Make sure that you set up mail monitoring.
2. From the Domino Administrator, click the Messaging - Tracking
Center tab.
3. In the Maximum results field, specify the maximum number of
search results to display for the tracking request.
4. Complete any of these fields to describe the message that you want
to track, and then click OK:

Field
    Enter

From
    The user name of the sender. You can also select the name from the
    Domino Directory.

To
    The user name of the recipient. You can also select the name from the
    Domino Directory.

Sent
    Choose one:
    • Today
    • Yesterday
    • Last week
    • Last 2 weeks
    • Last month
    • All times
    To increase the likelihood of finding messages, choose a long time
    period.

Start
    Choose one:
    • Sender’s home server — (default) Select this option if you know the
      sender of the message.
    • Current server — Select this option if you don’t know the sender of
      the message and you leave the From field blank. If you manage
      multiple servers, you can select a different server by clicking its
      name from the Servers bookmark to the left of the Domino
      Administrator.

Subject
    The subject of the message that you want to track.

Message ID
    The message ID of the message you want to track.

For more information on enabling tracking by message subject, see the
topic “Configuring the server for message tracking” earlier in this
chapter.
Domino displays summary results that include the sender’s name,
recipient, delivery time and message subject, if subject tracking is
allowed.
5. From the Messages Found pane, select a message and then click
Track Selected Message.
6. Expand the Message tracking results folder, and select a server to
view more information about what happened to the message on that
server. Domino displays the following information:

Field
    Description

Delivery status
    Indicates whether the Router deposited the message in the recipient’s
    mail file or transferred it to another server.
Mailbox status
    Indicates whether the message is unread, read, deleted, or unknown.
This server
    The name of the current server.
Previous server
    The name of the server that delivered the message to the current server
    in the message path being examined. For messages originating outside
    the Domino network and transferred over SMTP, this is the server from
    which Domino received the message.
Next server
    If the current server is not the final destination, the next server on
    the routing path.
Msg priority
    Indicates whether the message priority is high, normal, low, or unknown.
Unique message ID
    A value that uniquely identifies the message on the current server.
Inbound message ID
    The message ID of the message when it arrived on the server.
Outbound message ID
    The message ID of the message when it left the server. In some cases,
    the SMTP Router changes the ID of the message before transferring it.
Inbound originator
    The sender’s e-mail address as it appeared in the message headers when
    the message arrived at the current server.
Outbound originator
    The sender’s e-mail address as it appeared in the message headers after
    transfer from the current server to the next hop server.
Inbound recipient
    The recipient’s e-mail address as it appeared in the message headers
    when the message arrived at the current server.
Outbound recipient
    The recipient’s e-mail address as it appeared in the message headers
    after transfer from the current server to the next hop server.
Subject
    The content of the message’s subject header.
Disposition time
    Indicates the time when the Router changed the status of the message to
    the value in the Delivery status field. There can be a delay between
    the arrival of a message and when the Router processes it.
Message arrival time
    The time when the current server received the message.
Message size (bytes)
    The size of the message, including any attachments.
Generating a mail usage report
If mail tracking is enabled on a server, the Mail Tracking Store database
(MTSTORE.NSF) contains data about mail usage. You can generate a
usage report of the data.
1. Make sure that you set up mail monitoring.
2. From the Domino Administrator, click the Messaging - Mail tab.
3. Expand the Reports for Servername view and open the Report Results
or Scheduled Reports folder.
4. Select a report view; for example, select By Type in the Report
Results folder or Daily in the Scheduled Reports folder.
5. Click New Report.
6. Complete these fields, and then click OK:

Field
    Description

Description
    Required text to identify the report.

Report Type
    Specifies the type of report to create. Choose one:
    • Top 25 Users by Count
    • Top 25 Users by Size
    • Top 25 Senders by Count
    • Top 25 Senders by Size
    • Top 25 Receivers by Count
    • Top 25 Receivers by Size
    • Top 25 Most Popular “Next Hops”
    • Top 25 Most Popular “Previous Hops”
    • Top 25 Largest Messages
    • Message Volume Summary
    • Message Status Summary

Time Range
    Choose one:
    • Today
    • Yesterday
    • Over the last week (default)
    • Over the last two weeks
    • Over the last month
    • All available information
    Each choice refers to the specified time period up to the current day.
    For example, if you choose “Yesterday,” the report includes information
    from yesterday and today.

Run this report
    Specifies the execution interval for the report. Choose one:
    • Once — Generates a report immediately (default)
    • Daily — Generates a report at midnight every day
    • Weekly — Generates a report at midnight on Saturdays
    • Monthly — Generates a report at midnight on the first day of every
      month

Report should be
    Specifies where the server places report results. Choose one:
    • Saved (default)
    • Mailed
    • Saved & Mailed

Mail Recipient
    If you chose Mailed or Saved & Mailed in the “Report should be” field,
    enter the user name of the person who should receive the report or
    select the user name from the Domino Directory. The default is the name
    of the administrator running the report.
Note The Earliest Message Found and Latest Message Found fields
are filled in automatically when you run the report. They display the
date and time of the earliest and latest message found.
7. (Optional) To narrow the scope of a report, complete any of these
   fields:

Field
    Enter

Sender’s Name
    A text string for the sender’s name, and then choose whether the name
    should contain the text string or exactly match the text string.

Recipient’s Name
    A text string for the recipient’s name, and then choose whether the
    string should contain the string or exactly match the string.

Delivery Status
    Choose one:
    • Is - Delivered (all messages that were delivered)
    • Other than - Delivered (all messages that encountered delivery
      failures or are still being processed)
    • Is - Not Delivered (all messages that encountered delivery failures)
    • Other than - Not Delivered (all messages that were either delivered
      or are still being processed)
    • Is - Being Processed (all messages that are still being processed)
    • Other than - Being Processed (all messages that were delivered or
      encountered delivery failures)
    The delivery status corresponds to the message tracking delivery
    status. “Delivered” refers to messages that were delivered, transferred,
    or “group expanded” (that is, the message was addressed to a group, and
    the group was expanded to its member list on the server). “Not
    delivered” refers to messages that were not delivered, not transferred,
    or whose status is unknown.

Message Size
    The maximum or minimum message size (in bytes) to include in the
    report.
8. Reports are saved as Notes documents. Double-click the document to
   view it.
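A worked version of the report criteria and aggregations from steps 6 and 7, added here as an example (not Domino’s own report agents): it groups the message tracking delivery statuses into the three Delivery Status categories, applies the Sender’s Name, Recipient’s Name, Delivery Status and Message Size criteria, and computes a Top N by Count or by Size plus a Message Status Summary over constructed MailTracker Store entries. The entries, field names and function names are constructed for illustration.

```javascript
// Added example, not Domino's own code: report filters and "Top 25"-style
// aggregations over constructed message summaries of the kind MTSTORE.NSF
// accumulates. Status strings are the delivery status values from the
// message tracking table; the grouping follows the Delivery Status filter.

var ENTRIES = [ // constructed sample data
    { from: "Ann/Acme", to: "Bob/Acme",        status: "Delivered",       size: 4096 },
    { from: "Ann/Acme", to: "Sales",           status: "Group expanded",  size: 4096 },
    { from: "Bob/Acme", to: "ann@example.net", status: "Transferred",     size: 120000 },
    { from: "Bob/Acme", to: "nobody/Acme",     status: "Delivery failed", size: 2048 },
    { from: "Cy/Acme",  to: "Ann/Acme",        status: "In queue",        size: 900000 },
    { from: "Cy/Acme",  to: "Bob/Acme",        status: "Transfer failed", size: 512 },
    { from: "Dee/Acme", to: "Ann/Acme",        status: "Unknown",         size: 1024 }
];

// Message tracking delivery status -> report Delivery Status category.
var REPORT_CATEGORY = {
    "Delivered": "Delivered",
    "Transferred": "Delivered",
    "Group expanded": "Delivered",
    "Delivery failed": "Not Delivered",
    "Transfer failed": "Not Delivered",
    "Unknown": "Not Delivered",
    "In queue": "Being Processed"
};

function reportCategory(status) {
    // an unrecognised status is treated like "Unknown"
    return REPORT_CATEGORY[status] || "Not Delivered";
}

// Sender's Name / Recipient's Name criterion: { text, match: "contains" | "exact" }.
function nameMatches(name, filter) {
    if (!filter) return true;
    return filter.match === "exact" ? name === filter.text
                                     : name.indexOf(filter.text) !== -1;
}

// Delivery Status criterion: { op: "Is" | "Other than", value: category }.
function statusMatches(status, filter) {
    if (!filter) return true;
    var hit = reportCategory(status) === filter.value;
    return filter.op === "Other than" ? !hit : hit;
}

// Apply the optional step 7 criteria (all of them optional) to the entries.
function filterEntries(entries, criteria) {
    criteria = criteria || {};
    return entries.filter(function (e) {
        return nameMatches(e.from, criteria.sender) &&
            nameMatches(e.to, criteria.recipient) &&
            statusMatches(e.status, criteria.deliveryStatus) &&
            (criteria.minSize === undefined || e.size >= criteria.minSize) &&
            (criteria.maxSize === undefined || e.size <= criteria.maxSize);
    });
}

// "Top N <role> by Count/Size": role is "from" (senders) or "to" (receivers);
// ties are broken by name so results are stable.
function topN(entries, role, measure, n) {
    var totals = {};
    entries.forEach(function (e) {
        totals[e[role]] = (totals[e[role]] || 0) + (measure === "size" ? e.size : 1);
    });
    return Object.keys(totals)
        .map(function (k) { return { name: k, value: totals[k] }; })
        .sort(function (a, b) { return b.value - a.value || a.name.localeCompare(b.name); })
        .slice(0, n);
}

// "Message Status Summary": how many messages fall in each category.
function messageStatusSummary(entries) {
    var summary = { "Delivered": 0, "Not Delivered": 0, "Being Processed": 0 };
    entries.forEach(function (e) { summary[reportCategory(e.status)] += 1; });
    return summary;
}
```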
Editing a scheduled report
Edit a scheduled report to change its execution interval (for instance,
daily to weekly) or the method of recording data (saved or mailed).
1. From the Domino Administrator, click the Messaging - Mail tab.
2. Expand the view Reports for Servername and open the Scheduled
Reports folder.
3. Select the report view containing the scheduled report you want to
edit; for example, Daily or Weekly.
4. Select the report to edit and click Edit Report.
5. Edit the report settings as needed and click OK.
Changing the default time for generating a scheduled report
Domino generates any scheduled report at the default time for that type
of report. For example, daily reports run at midnight every day, and
weekly reports at midnight every Saturday. If the default schedule
conflicts with other operations on the server, you can reschedule the
report agent to run when the server is less busy. Changes apply to all
reports scheduled to run at that time; that is, if you change the default
time for running weekly reports, the server runs all weekly reports at the
new time.
The following procedure requires you to have Domino Designer installed
on the administrative workstation.
To change when the server generates a scheduled report
1. From the Domino Administrator, click the Messaging - Mail tab.
2. Expand the Reports for Servername view and open the Scheduled
Reports folder.
3. Select the report view containing the scheduled report you want to
edit; for example, Daily or Weekly.
4. From the View menu, select Agents to launch Domino Designer. If
Designer does not open automatically, launch the program manually
and then open the Reports database (REPORTS.NSF) from the server.
5. Double-click the report agent you want to reschedule.
6. Click Schedule.
7. Specify the time to generate the report.
8. Click OK.
Enabling and disabling a scheduled report
By default, Domino enables a scheduled report immediately after you
create it, so that the server runs the report at the next execution interval
— for example, a new daily report runs at midnight following the day
you create it. You can disable any scheduled report and enable scheduled
reports that are currently disabled.
If you created a scheduled report to diagnose a particular problem, you
can disable the report to prevent it from executing after obtaining the
information you need. Disabling a scheduled report conserves server
resources, but lets you retain the report settings for future use. You can
disable a report temporarily, or remove it from the server altogether.
1. From the Domino Administrator, click the Messaging - Mail tab.
2. Expand the Reports for Servername view and open the Scheduled
Reports folder.
3. Select the report view containing the scheduled report to disable; for
example, Daily or Weekly.
4. Select the scheduled report and do one of the following:
• Click Enable Report — Activates a currently disabled report so that the server executes the report at the next scheduled interval.
• Click Disable Report — Prevents a currently enabled report from running, so that the server cannot execute it at the scheduled intervals. The report remains in the Reports database and can be activated at a later time.
• Press the DELETE key — Permanently removes the report from the Reports database.
Viewing mail usage reports
When Domino saves a report, it stores the report data in the Reports
database. Reports that are mailed, but not saved, are not added to the
Reports database.
You can use the Reports database to analyze server mail usage. Views in
the database display previously saved reports according to date,
schedule, report type, and user. An additional view displays all
scheduled reports by interval.
You can open the Reports database (REPORTS.NSF) using either of two
methods:
To open the Reports database directly
1. From a Notes client, Domino Administrator client, or Domino
Designer client, choose File - Database - Open (CTRL + O).
2. In the Server field, specify the name of the server where the database
resides.
3. Choose Reports for Servername from the list of available databases,
and then click Open.
To open the Reports database in the Domino Administrator
1. From the Domino Administrator client, click the Mail tab.
2. Select the Reports for Servername view.
Viewing report results
1. Expand the Report Results or Scheduled Reports folders.
2. From either folder, expand the category for the report you want to
view.
For example, from the Report Results folder, click the By Schedule
view, and then in the Results panel, expand the category Once to see
the results of all saved reports that were run one time only, rather
than on a repeating schedule.
3. To open a report, double-click it in the Results panel.
Note For scheduled reports, the user is the server running the report;
for reports that an administrator runs manually, the user is the
administrator.

Chapter 34
Setting Up the Domino Web Server
This chapter describes how to set up a Domino server as a Web server.
The Domino Web server
Lotus Domino provides an integrated Web application server that can
host Web sites that both Internet and intranet clients can access, and can
serve pages that are stored in the file system or in a Domino database.
When a Web browser requests a page in a Domino database, Domino
translates the document into HTML. When a Web browser requests a
page in an HTML file, Domino reads the file directly from the file system.
Then the Web server uses the HTTP protocol to transfer the information
to the Web browser.
Using Domino to store Web pages as documents in a database has a
major advantage over storing static HTML pages: using Domino, any
change that you make to a database is automatically reflected on the Web
server.
The following diagram shows how the Web server displays a Notes document as an HTML page to a browser client.
Any Domino application can be a Web application. Before you create a
Web application, become familiar with the Domino features that can be
translated into HTML and determine whether Web browser users, Notes
clients, or both will access the application. You can use the Notes formula
language to detect which type of user is accessing the application and
then, based on the user type, change the display of information in the
application.
A Domino Web site can consist of a single database or several databases
that are connected by links. In addition to hosting Web sites, the Web
server can run other server tasks, such as mail or directory services. Be
sure to enforce security on databases if you do not want users outside
your organization to access the databases on the server.
For information on designing Web applications, see Application
Development with Domino Designer.
Web server features
Domino includes these Web server features:
• Translation of Notes features into HTML code. For example, in HTML code, hot spot links are translated into anchor (<A>) tags.
• Passthru HTML. This is HTML code that you include in a form, document, or About and Using documents that Domino does not interpret during the page translation. Passthru HTML lets you use Web-only text formatting, links, images, commands, and programs. Using passthru HTML, you can combine Domino features with HTML code.
• Security for applications using standard Domino security, such as the database ACL, and Internet security features, such as Secure Sockets Layer (SSL) and name-and-password authentication.
• Support for Java applets that are referenced using passthru HTML or embedded in a document.
• Support for JavaScript that is included as passthru HTML or embedded directly in a document.
• Support for CGI programs that are referenced using passthru HTML in a document. CGI supports EXE, CMD, and BAT files and scripts written in Perl, Python, and PHP.
• Support for static HTML pages that are referenced in a directory on the server’s hard drive. Static HTML pages can be referenced by passthru HTML included in a document or can be requested directly using a URL.
• Support for a last-modified header in Domino URLs, which allows many Web browsers or proxy servers to cache Domino pages.
• Support for URL extensions that expose Domino functionality to the Web client — for example, opening a database or view.
• Redirecting and remapping URLs and directories to another location.
• Support for multiple Web sites with separate DNS names to exist on a single server machine.
• Support for server clusters, which allow a server to fail over to an answering server if the first server is unavailable and provide load balancing to maximize response time for users.
• Domino Web Server Application Interface (DSAPI) supports all phases of request handling, including mapping and transforming incoming URLs, authenticating and authorizing users, processing requests, and logging.
For information on customizing the authentication of Web application
users, see the DSAPI documentation in the Lotus C API Toolkit for
Domino and Notes.
Making Web site content changes
You might find it convenient to set up one Web server as a production
server and another Web server as a “staging” server. Web content
managers can make changes on the staging server without exposing the
changes to users. After all changes to the Web site are complete, the Web
content manager replicates the Web site from the staging server to the
production server. In addition, using a staging server allows Web content
managers to view changes through a browser before replicating.
If you use a staging server, give access only to Web content managers.
Also be sure to give the Web content managers replication access on both
the staging server and the production server.
In this example, Web content managers make changes on Webstage-E
and replicate these changes to Web-E, which is available to users outside
the firewall.

Setting up a Domino server as a Web server
You can specify that you want to run the HTTP task on a Domino server.
The Domino server then acts as a Web server so that browser clients can
access databases on the server.
1. Set up the Domino server.
• Make sure you understand TCP/IP concepts, including DNS host names and IP addressing.
• Set up a Domino server.
• Set up security for the server.
For more information, see the chapters “Configuring Additional
Domino Servers” and “Planning Security.”
2. Decide on an Internet connection strategy.
To  allow users to connect to the server over the Internet, connect
the server to an Internet Server Provider (ISP) and register the
server’s domain name and IP address on the ISP’s DNS server. For
more information, contact the ISP.
To
 allow users to connect to the server internally, without
connecting to the Internet, register the server’s domain name and
IP address on the DNS server at your organization.
3. Start the Domino server.
4. From the Domino Administrator, click Files, open the Server
document and enable “Loads configuration information from the
Internet Sites view.”
5. Create at least one Web site.
6. Decide on an HTTP port strategy. You can enable ports for TCP/IP,
SSL, or for both. In the Server document, click Ports - Internet Ports -
Web, and enable one or both: “TCP/IP port status” and “SSL port
status.”
For information on setting up SSL, see the chapter “Setting Up SSL
on a Domino Server.”
7. (Optional) Enable the Domino Web server log.
8. Start the HTTP task.
To check the server setup, start your browser and enter the DNS name or
IP address for the server.
Starting and stopping the Domino Web server

To do this: Perform this task
Start the Web server manually: Enter load http at the console.
Start the Web server automatically when you start Domino: Edit the ServerTasks setting in the NOTES.INI file to include the command http. Domino adds the HTTP task by default to the NOTES.INI file if you choose to install a Web server during installation.
Stop the Web server: Enter tell http quit at the console.
Use new server configuration settings by restarting the HTTP server task: Enter tell http restart at the console.
Use new server configuration settings without restarting the HTTP server task: Enter tell http refresh at the console. Note This command only works with settings specified in the Internet Sites view.

Note When the HTTP task starts up, a server console message indicates
the Domino Directory view the task is using for Web configuration
information (Servers\Internet Sites or Servers\Web Configurations).
For more information on server commands and NOTES.INI settings, see
the appendices “Server Commands” and “NOTES.INI File.”
Modifying Web server Internet port and protocol settings
In certain cases, you may need to change some default Internet port and
protocol settings. Check carefully before changing the defaults.
To modify Web server Internet port and protocol settings
1. Open the Server document that you want to edit.
2. (Optional) Click Ports - Internet Ports - Web. Under Web
(HTTP/HTTPS), complete these fields:

TCP/IP port number: Enter a port number. Default is 80.
TCP/IP port status: Choose one:
• Enabled — To configure the server to listen for HTTP requests on the specified TCP/IP port.
• Disabled — To prevent the server from listening for HTTP requests on the specified TCP/IP port.
• Redirect to SSL — To redirect any HTTP requests that come into the TCP/IP port to the SSL port.
Enforce server access settings: Choose one:
• Yes — To enforce server access settings for this protocol on the server. Server access settings are found on the Security tab of the Server document, and specify the names of authenticated users who have been granted access to this server, and those who have not.
• No — To not enforce server access settings for this protocol.
SSL port number: Enter a port number. Default is 443.
SSL port status: Choose one:
• Enabled — To configure the server to listen for HTTPS requests on the specified SSL port.
• Disabled — If you do not want to use SSL for this server.

3. (Optional) Click Internet Protocols - HTTP, and complete these fields:

Bind to host name: Choose one:
• Enabled — To enter up to 32 IP addresses and/or DNS names in the Host name(s) field to which the Domino server will bind. This allows users to access a Web server using a name other than the Domino server name.
• Disabled (default) — To bind to all IP addresses on the server.
DNS lookup: Choose one:
• Enabled — To have Domino look up the DNS name of the requesting client. The Domino log files and database contain host names corresponding to the machine used by the Web client.
• Disabled (default) — To not look up the DNS name of the requesting client. The Domino log files and database contain IP addresses. Choosing Disabled improves the performance of the Domino server because the server does not use resources to perform the DNS name lookup.
Note The majority of browser users connect to the Internet through Internet service providers (ISPs), so the host names returned by DNS lookup are those of the ISP’s proxy servers, not the individual user machines.
DNS lookup cache: Choose one:
• Enabled — To have Domino cache the results of a DNS lookup for faster retrieval.
• Disabled — To not have Domino cache DNS lookup results.
DNS lookup cache size: Specify the maximum size of the DNS lookup cache. Default value is 256.
DNS lookup cache found timeout: Specify the length of time, in seconds, that IP addresses found remain in the cache. Default value is 120 seconds.

4. Save and close the document.


5. Enter this command at the console so that the changes take effect:
tell http restart
Setting up protocol security for the Web server
If you set up protocol security, you can filter out requests that may be
potential attacks, such as probing for buffer overflows or request parsing
errors.
If you host third-party applications, set the limits to the most stringent
values that still allow the applications to work normally. If the request
exceeds the limit, the Web server discards the request and returns an
error to the browser.
To set up protocol security for the Web server
1. Open the Server document you want to edit and click Edit Server.
2. Click Internet Protocols - HTTP.
3. Under HTTP Protocol Limits, complete these fields:

Maximum URL length: Enter the maximum size, in KB, allowed for URLs received from HTTP clients. The length includes the query string. The default is 4KB. Increase the default only if you host an application that requires an extremely long URL.
Maximum number of URL path segments: Enter the number of segments allowed. The default is 64, which is usually more than enough. A segment is delimited by slashes; for example, the URL “/products.nsf/widgets” contains two segments.
Maximum number of request headers: Enter the total number of HTTP request headers allowed. The default is 48. Normally, there is no need to increase the setting; typical requests sent from browsers usually include less than a dozen headers.
Maximum size of request headers: Enter the total length, in KB, of all the headers in the request. The default is 16KB.
Maximum size of request content: Enter the total amount of data, in MB, that can be contained in a request. The default is 10MB. The two most common ways for users to send data to the server are by submitting forms or by uploading files. If none of the applications on the server allow users to upload large files, you can probably set this to a much lower value.

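The following is an added example, not Domino code, that applies the five HTTP Protocol Limits from the table above to a raw request the way the Web server would before rejecting it. It counts the URL length (query string included), slash-delimited path segments, header count, total header bytes, and the declared Content-Length against the documented defaults. The class and function names, the sample requests, and the rule that a middle-of-request body is never read (only Content-Length is consulted) are this example's own assumptions.

```python
"""Check a raw HTTP request against the Domino 'HTTP Protocol Limits' defaults.

Added example (not Domino code). The five limits and their default values are
taken from the table above; the type, function and sample names are
constructed for this illustration.
"""
from dataclasses import dataclass

KB = 1024
MB = 1024 * KB


@dataclass(frozen=True)
class HttpLimits:
    # Defaults from the table above; the field names are this example's own.
    max_url_bytes: int = 4 * KB
    max_url_segments: int = 64
    max_request_headers: int = 48
    max_header_bytes: int = 16 * KB
    max_content_bytes: int = 10 * MB


DEFAULT_LIMITS = HttpLimits()


def url_segments(url: str) -> int:
    """Count slash-delimited path segments; '/products.nsf/widgets' has two."""
    path = url.split("?", 1)[0]
    return sum(1 for part in path.split("/") if part)


def check_request(raw: bytes, limits: HttpLimits = DEFAULT_LIMITS) -> list:
    """Return the names of the limits the request exceeds (empty list = OK).

    The body is never read: the content check uses the declared Content-Length,
    so an over-sized upload is refused before it has to be buffered.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].decode("latin-1").split(" ")
    if len(parts) != 3:
        return ["Malformed request line"]
    url = parts[1]
    headers = [line for line in lines[1:] if line]

    content_length = 0
    for line in headers:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            try:
                content_length = int(value.strip())
            except ValueError:
                return ["Malformed Content-Length"]

    exceeded = []
    if len(url.encode("latin-1")) > limits.max_url_bytes:
        exceeded.append("Maximum URL length")
    if url_segments(url) > limits.max_url_segments:
        exceeded.append("Maximum number of URL path segments")
    if len(headers) > limits.max_request_headers:
        exceeded.append("Maximum number of request headers")
    # Each header line is counted together with its terminating CRLF.
    if sum(len(line) + 2 for line in headers) > limits.max_header_bytes:
        exceeded.append("Maximum size of request headers")
    if content_length > limits.max_content_bytes:
        exceeded.append("Maximum size of request content")
    return exceeded


def build_request(url: str, headers: dict, body: bytes = b"") -> bytes:
    """Assemble a constructed HTTP/1.1 request for testing (not captured traffic)."""
    lines = [f"POST {url} HTTP/1.1" if body else f"GET {url} HTTP/1.1"]
    lines += [f"{k}: {v}" for k, v in headers.items()]
    if body:
        lines.append(f"Content-Length: {len(body)}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1") + body


# Constructed sample requests, one within limits and four that each break one.
NORMAL = build_request("/products.nsf/widgets?OpenView", {"Host": "www.example.com"})
LONG_URL = build_request("/" + "a" * (5 * KB), {"Host": "www.example.com"})
MANY_SEGMENTS = build_request("/" + "/".join(["x"] * 70), {"Host": "www.example.com"})
MANY_HEADERS = build_request("/", {f"X-H{i}": "v" for i in range(50)})
BIG_UPLOAD = (
    b"POST /upload.nsf/files?CreateDocument HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"Content-Length: 11534336\r\n\r\n"  # 11 MB declared; body deliberately not sent
)

if __name__ == "__main__":
    for name, req in [("normal", NORMAL), ("long url", LONG_URL),
                      ("segments", MANY_SEGMENTS), ("headers", MANY_HEADERS),
                      ("upload", BIG_UPLOAD)]:
        print(f"{name:10s} -> {check_request(req) or 'within limits'}")
```

Passing a custom HttpLimits instance models the "most stringent values that still allow the applications to work" advice: lower the content and URL limits for a server that hosts no upload or long-URL applications, and confirm with representative requests that nothing legitimate is refused.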
Restricting access by IP address on the Web server


You can determine the client machines that are allowed to access the
HTTP and HTTPS ports of the Web server by specifying a list of IP
addresses that have access, and a list of addresses that are denied access.
You can also specify which list takes priority if an address matches both
lists.
Addresses can include wildcard characters, so that all addresses within a
certain class of address will be restricted. For example, denying access to
address 123.45.6.* denies access to all addresses for that subnet.
Similarly, denying access to address 123.45.* denies access to all subnets
for that address.
IP address filtering is useful for managing incoming requests to your
Web server — for example, your server is behind a firewall and should
only be accepting requests from the firewall and from the Domino
Administrator client. It also helps in minimizing excessive requests, such
as those generated by machines infected by a Web worm.
Caution IP address restriction should not be used as the only means of
protecting your site, or as a substitute for user authentication. Client IP
addresses are specified in the network packets sent by the client, and this
information is easily spoofed. Additionally, hackers routinely use attack
techniques that hide their true IP addresses. IP address restriction cannot
protect the server against such attacks.
To restrict access by IP address on the Web server
1. Open the Server document you want to edit and click Edit Server.
2. Click Internet Protocols - HTTP. In the Network Settings section, complete these fields:

IP address allow/deny priority: Specify which IP address list (Allow or Deny) takes priority if an incoming IP address is listed in both the allow list and the deny list (this can happen when both lists contain wildcards). The default is that the Allow list takes priority.
IP address allow list: List the IP addresses that are allowed to access the ports.
IP address deny list: List the IP addresses that are denied access to the ports.
Note If a client IP address does not match either list, then the
connection is allowed.
Examples of typical IP address restriction settings

Example: Allow access to all addresses (leave default settings)
Settings configuration: IP address allow/deny priority: Allow; IP address allow list: <blank>; IP address deny list: <blank>

Example: Deny access to everyone
Settings configuration: IP address allow/deny priority: Deny; IP address allow list: *; IP address deny list: *

Example: Deny access to a particular Web crawler
Settings configuration: IP address allow/deny priority: Deny; IP address allow list: *; IP address deny list: 123.45.6.78
Comment: All addresses are allowed, but the crawler is denied because it matches the deny list, which takes priority over the allow list.

Example: Deny access from subnets that are infected with a Web worm
Settings configuration: IP address allow/deny priority: Deny; IP address deny list: 123.45.*; 95.123.4.*; IP address allow list: *

Example: Allow access only from two trusted proxy servers
Settings configuration: IP address allow/deny priority: Allow; IP address allow list: 123.45.6.78; 123.45.6.79; IP address deny list: *
Comment: In this case, you must use a wildcard in the deny list so that all other addresses will explicitly match that list.

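As an added example (not Domino code), the following models the decision rule described above: an address on exactly one list follows that list, an address on both lists follows the allow/deny priority, and an address on neither list is allowed. It then replays the five example configurations from the table. The list syntax (entries separated by semicolons, a trailing “*” covering the remaining octets) follows the table; the treatment of a “*” in a middle position as matching a single octet, and all function names and client addresses, are this example's own assumptions.

```python
"""Evaluate the Domino Web server's IP address allow/deny lists.

Added example (not Domino code). The decision rule and the five configurations
come from the text above; function names and client addresses are constructed.
"""
from typing import List


def parse_list(text: str) -> List[str]:
    """Split a field value such as '123.45.*; 95.123.4.*' into patterns."""
    return [p.strip() for p in text.split(";") if p.strip()]


def ip_matches(pattern: str, addr: str) -> bool:
    """Return True if a dotted-quad address matches a wildcard pattern."""
    pparts = pattern.split(".")
    aparts = addr.split(".")
    for i, part in enumerate(pparts):
        if part == "*":
            if i == len(pparts) - 1:  # trailing '*' covers all remaining octets
                return True
            if i >= len(aparts):
                return False
            continue  # assumption: a middle '*' matches exactly one octet
        if i >= len(aparts) or part != aparts[i]:
            return False
    return len(pparts) == len(aparts)


def is_allowed(addr: str, allow: str, deny: str, priority: str = "Allow") -> bool:
    """Decide whether a client address may reach the HTTP/HTTPS ports."""
    on_allow = any(ip_matches(p, addr) for p in parse_list(allow))
    on_deny = any(ip_matches(p, addr) for p in parse_list(deny))
    if on_allow and on_deny:
        return priority == "Allow"  # both lists match: the priority setting decides
    if on_deny:
        return False
    # Matches only the allow list, or matches neither list: connection allowed.
    return True


# The five configurations from the table above, as (priority, allow, deny).
EXAMPLES = {
    "defaults": ("Allow", "", ""),
    "deny everyone": ("Deny", "*", "*"),
    "block one crawler": ("Deny", "*", "123.45.6.78"),
    "block infected subnets": ("Deny", "*", "123.45.*; 95.123.4.*"),
    "two trusted proxies": ("Allow", "123.45.6.78; 123.45.6.79", "*"),
}


def decide(config: str, addr: str) -> bool:
    """Apply one named example configuration to a client address."""
    priority, allow, deny = EXAMPLES[config]
    return is_allowed(addr, allow, deny, priority)


if __name__ == "__main__":
    # Constructed client addresses; 123.45.6.78 is the crawler/proxy from the table.
    for client in ("123.45.6.78", "123.45.6.80", "95.123.4.9", "10.1.2.3"):
        print(client, {name: decide(name, client) for name in EXAMPLES})
```

The "two trusted proxies" case is the one worth checking after any edit: because an address that matches neither list is allowed, an allow list of two proxies with an empty deny list admits everyone, which is why the table puts “*” in the deny list.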
Hosting Java applets


Using the Java Notes classes, application developers can create applets
that perform Domino tasks, such as opening a session and retrieving
information from a database access control list. The Domino server can
host the applet and when a client requests it, download the applet to the
browser.
To run Java applets created with Java Notes classes on a Domino Web
server, you must enable the Domino IIOP (DIIOP) task on the server.
This task allows Domino and the browser client to use the Domino Object
Request Broker (ORB) server program. The Domino ORB processes the
applet requests and transmits the information to the browser client to
communicate. You must enable both the Domino IIOP task and the
Internet Inter-ORB protocol (IIOP) on the server before users can access
the Domino ORB to run the Java applets.
Application designers must create applets with the Java Notes classes
and, in addition, they must specify that the applets can use the Domino
ORB to communicate with browser clients. Application designers specify
this setting when they add the applets to a document or form.
For information on designing Web applications, see Application Development
with Domino Designer. For more information on Java Notes classes, see
Domino Designer Programming Guide, Volume 3: Java/Corba Classes.
To set up the Domino ORB
1. Open the Server document you want to edit.
2. Choose Ports - Internet Ports - DIIOP and complete these fields:

TCP/IP port number: Enter the name of the port the Domino IIOP task listens on. Do not change this port unless you have assigned port number 63148 (the default) to another task. The default on Linux servers is 60148 because of an operating system restriction.
TCP/IP port status: Choose one:
• Enabled (default) — To allow communication over this port.
• Disabled — To prevent communication over this port.

3. Choose Internet Protocols - DIIOP and complete this field:

Number of threads: Enter the number of threads you want to allow the DIIOP server task to process at the same time. The default is 10.

4. Click Security and complete these fields in the Programmability Restrictions section:

Run restricted Java/Javascript/COM: Enter the name that the applet or application uses to access the server. Applet or application names entered in this field are allowed to run programs created using a restricted set of Java and JavaScript features. If the applet or application logs on anonymously, enter the word “Anonymous” in this field.
Run unrestricted Java/Javascript/COM: Enter the name that the applet or application uses to access the server. Applet or application names entered in this field are allowed to run programs created using all Java and JavaScript features. If the applet or application logs on anonymously, enter the word “Anonymous” in this field.

For information on this setting, see the topic Customizing Web server
setup.
5. To restrict the level of authentication, choose a setting in the Internet
server authentication field on the Security tab and save the
document.
6. If necessary, edit the ServerTasks setting in the NOTES.INI file to
include the DIIOP task.
7. Set up SSL server authentication, name and password authentication,
or anonymous access to the IIOP port for the application or applet.
8. Define server access by browser clients that use Java and JavaScript.
If the applet or application uses name-and-password authentication,
enter the name for the applet or application. Otherwise, use the name
“Anonymous” when setting up server access.
9. Restart the server.
Generating references to the Web server
You can specify how other servers generate URL references to this Web
server. This feature works only for servers that are in the same Domino
domain (share the same Domino Directory).
A typical example of how this feature is used is that of a user performing
a domain search from a browser. The user sends the search request to
Server A, but some of the search hits are actually located in a database on
Server B. When Server A generates the HTML for the search results page,
it needs to create URL links to Server B for those hits. To create those
links, Server A will look up the Server record for Server B in the Domino
Directory, and use the fields in the table below to generate the correct
syntax for the URLs.
To generate references to the Web server
1. Open the Server document you want to edit and click Edit Server.
2. Choose Internet Protocols - Domino Web Engine. Under “Generating
References to this Server,” complete these fields:

Does this server use IIS?: (Domino 5.0x servers only) Specify whether this server uses the Microsoft IIS stack instead of the native Domino HTTP stack. Note This setting is used only if the server is Domino 5.0x or earlier; Domino 6 servers always generate IIS-compatible links.
Protocol: Indicate the protocol to be used in URL links to this server. Choices are HTTP and HTTPS (for SSL).
Host name: Indicate the fully-qualified host name to be used in URL links to this server; for example, www.acme.com.
Port number: Indicate the port number to be used in URL links to this server. The default is 80, the standard HTTP port.

If Server A in the example above needs to generate a link to a database on Server B, and Server B’s Server record has the fields set to these values:
Protocol: HTTP
Host name: www.acme.com
Port number: 8081
then Server A will create the URL like this:
http://www.acme.com:8081/<database replica-id>/....
Managing Java servlets on a Web server
A servlet is a Java program that runs on a Web server in response to a
browser request. Servlets for Domino must conform to the Java Servlet
API Specification, an open standard published by Sun Microsystems, Inc.
For information on creating Java servlets, see Application Development
with Domino Designer.
To manage Java servlets on a Web server
1. Open the Server document you want to edit.
2. Click the Internet Protocols - Domino Web Engine tab. Under “Java
Servlets” complete these fields:

Java servlet support: Choose one:
• None (default) — To not load the Java Virtual Machine (JVM) or the servlet manager when the HTTP task starts.
• Domino Servlet Manager — To load the JVM and the servlet manager that comes with Domino.
• Third Party Servlet Support — To load the JVM, but not the Domino servlet manager. This lets you use a servlet manager other than Domino, such as IBM WebSphere.
Servlet URL path: Enter the path in a URL that signals Domino that the URL refers to a servlet. The default is /servlet.
Class path: Enter one or more paths that the Servlet Manager and JVM search to find servlets and dependent classes. The standard Java libraries installed with Domino are automatically in the class path. This setting allows you to add additional paths. You may specify directories, JAR files, and ZIP files. Paths may be absolute or relative to the Domino data directory. For example:
• domino\servlet specifies files in the c:\lotus\domino\data\domino\servlet directory
• c:\apps\myservlets specifies files in the c:\apps\myservlets directory
• c:\javamail\mail.jar specifies the mail.jar file in the c:\javamail directory
• domino\servlet\sql.zip specifies the sql.zip file in the c:\lotus\domino\data\domino\servlet directory
The default is domino\servlet.
Servlet file extensions: Enter a list of URL file extensions that signal Domino that a URL refers to a servlet. You must map each extension to a single servlet by a directive in the servlets.properties file. The default is no extensions.
Session state tracking: Choose one:
• Enabled (default) — To have the Domino servlet manager check periodically the user activity of all HttpSession instances. Sessions that are idle for the period of time specified in the Idle session time-out field are automatically terminated. The servlet manager calls the method HttpSession.invalidate() to inform the servlet that the session will be terminated.
• Disabled — Does not check for user activity.
Domino uses this setting and the settings below only if the servlet uses the Java Servlet API HttpSession interface. The HttpSession interface support is completely separate from the Domino HTTP session authentication feature.
Idle session time-out: Enter the amount of time in minutes the user is allowed to remain idle before the session is terminated. The default is 30 minutes.
Maximum active sessions: Enter the number of simultaneous active sessions allowed. The default is 1000. After this limit is reached, the sessions that have been idle the longest are terminated.
Session persistence: Choose one:
• Enabled — To save session data to a disk file called sessdata.ser in the Domino data directory when the HTTP task exits. Domino reloads the session data when the HTTP task restarts. Domino also saves objects that the servlet has bound to sessions if the objects implement the java.io.Serializable interface.
• Disabled (default) — Discards all session data when the HTTP task exits.

3. If appropriate for your servlet engine, control access to the servlet by specifying who has access to the servlet files.
For more information, see the chapter “Controlling Access to
Domino Servers.”
Special properties for individual servlets can be specified in a text file
called servlets.properties, which is located in the Domino data directory.
For more information about the servlets.properties file, see the book
Application Development with Domino Designer.
Setting up WebDAV
WebDAV (Web-based Distributed Authoring and Versioning) is a set of
extensions to the HTTP/1.1 protocol which allow users to collaboratively
edit and manage files on remote Web servers.
WebDAV support in the Domino Web Server enables access to file resource design elements in a Domino database. This allows application designers to work with design elements such as HTML files, images, and other file-based resources using Web-based authoring and development tools.
The WebDAV implementation in the Domino Web Server supports, and has been tested with, the following clients: Macromedia Dreamweaver 4.01, Microsoft Office 2000, Microsoft Internet Explorer 5.0x and 6.0, and Windows Explorer on NT4, Windows 98, Windows XP, and Windows 2000.
You must be using Web Site documents to configure and manage the
Web sites on your server in order to use WebDAV.
Be aware that enabling WebDAV also enables the following HTTP
methods for the web site: PUT, DELETE, GET, HEAD, OPTIONS.
There are some restrictions when using a WebDAV-enabled server. For
the Web Site document for which you have WebDAV enabled, do not do
the following:
• Configure URL redirection.
• Enable the “Redirect to SSL” option.
• Enable session authentication on the Web Site for which you have WebDAV enabled.
• Create a File Protection document for the Web site that restricts access to the HTML root directory. If a File Protection document is preventing access to the HTML directory (\domino\data\domino\html), then some WebDAV clients will not be able to connect to or access the WebDAV database when accessing this Web Site. The server console displays one of these error messages:
You are not authorized to perform this operation [_vti_inf.html]
You are not authorized to perform this operation [_vti_bin/shtml.exe/_vti_rpc]
To allow access to a database using WebDAV, do the following:
• Provide the user with either Designer or Manager access in the database ACL (Access Control List). Also, the user must have both “Create documents” and “Delete documents” privileges enabled in the database ACL.
• Set the “Maximum Internet name & password” field to either Designer or Manager access. This option is located on the Advanced tab of the database ACL dialog box.
• Some WebDAV clients (such as DreamWeaver 4.01 and Microsoft Office 2000) attempt to lock WebDAV items. In order for these clients to work correctly with Domino’s WebDAV implementation, you must enable “Design Locking” for databases that will be used with WebDAV. You do this on the Design tab of the Database Properties dialog box.
• In order to use Internet Explorer as a WebDAV client, the WebDAV database needs to reside in the Domino data directory. Internet Explorer cannot access databases if they reside in a subdirectory within the data directory.
34-16 Administering the Domino System, Volume 1
Enabling WebDAV
Before you can use WebDAV (Web-based Distributed Authoring and
Versioning), it must be enabled.
1. From the Domino Administrator, choose Configuration - Web -
Internet Sites.
2. Open the Web Site document on which you want to enable
WebDAV.
3. Click the Configuration tab.
4. Under “Allowed Methods,” select “Enable WebDAV.”
Note If you enable WebDAV, the following HTTP methods are also
enabled: GET, HEAD, OPTIONS, PUT, and DELETE.
5. Enter this command at the console so that the settings take effect:
tell http refresh
For detailed information about using WebDAV, see the book Application
Development with Domino Designer.
Hosting Web sites
The model for hosting Web sites has changed in Lotus Domino 6. You
can now use Web Site documents to host Web sites on Domino. The Web
Site document is one type of Internet Site.
Web Site documents contain Web site configuration information and are
managed through the Servers\Internet Sites view along with other types
of Internet site documents. However, for backward compatibility the
Domino 6 HTTP task still supports the R5 Servers\Web Configurations
view. If you are migrating your site from Domino 5 to Domino 6 you do
not need to immediately convert from the old view to the new view.
However, you will need to convert to the new view to take advantage of
many of the new Web features in Domino 6.
Many of the HTTP task Server record settings used in Domino 5 are now
available in the Web Site document. If you enable the new Internet Sites
view, the HTTP task uses the Web Site settings instead of those in the
Server record.
To enable the Internet Sites view, in the Basics section of the Server
document, click “Loads Internet configurations from Server\Internet
Sites documents.”
For more information, see the topic “Converting from Web Server
Configuration to Internet Sites view” later in this chapter.
Hosting Web sites in Lotus Domino 6
Web sites are not explicitly associated with physical servers. A single
Domino domain can support many Web sites. Each Web site can be
associated with any number of host names or addresses. All servers in
the same Domino domain can use the same Web Site documents in the
Internet Sites view. You can specify which Domino servers support a
Web site. Each Web site has its own security, file-protection, and URL
rules, and you can modify them as needed.
By default, Web Site documents are not associated with specific Domino
servers. All servers that share the same Domino Directory — that is,
reside in the same Domino domain — automatically use the same Web
Site documents in the Internet Sites view. This means that you do not
have to re-create the same Web configuration each time you add a new
server to the domain. When you add or modify a Web Site document, the
changes are picked up automatically by all servers in the domain.
An optional field in the Web Site document allows you to specify the
Domino servers that will host a site. Servers that are not listed in this
field will not load the site configuration.
To set up a Web Site
To set up a Web site on a Domino server, you must complete these
procedures.
1. Enable the Internet Sites view.
2. Create a Web Site document.
a. Configure default mapping rules.
b. Configure DSAPI Filters and Allowed Methods.
c. Configure Domino Web Engine settings for the Web site.
3. (Optional) Create rules (directory, substitution, redirection) for the
Web site.
4. (Optional) Create file protection.
5. (Optional) Create an authentication realm document.
Hosting Web sites in Lotus Domino 5
Lotus Domino 5 uses the model of multiple virtual servers that are
associated with a single Domino Web server. Each site is configured with
its own IP address; default home page; customized Web server message;
and HTML, CGI, and icons directories. All of the virtual servers share a
single Domino data directory.
You set up each virtual server with a network connection with its own
separate, permanent numeric IP address or map multiple host names to
the same IP address. The number of virtual servers is dependent only on
your operating system and the system hardware. See your operating
system documentation and hardware documentation for more
information.
Converting from Web Server Configurations to Internet Sites view
You can convert Web sites that you created in Domino 5 to Lotus
Domino 6. Documents in the Web Configurations view correspond to
documents in the Internet Sites view:

Release 5 | Lotus Domino 6
Server document | Web Site document. Note The Server document is
still used for some low-level HTTP task configuration settings.
Virtual server | Web Site document
URL Rule | Mapping/Redirection document
File Protection | File Protection document
Realm | Authentication Realm

If you are using virtual servers or hosts, create one Web Site document
for each virtual site. If you provided a default site in the Release 5 server
record, you must either make one of the Web Site documents the default
site, or create a document for the default site.
To convert from the Web Server Configurations view to the Internet
Sites view
If you do not have virtual servers or hosts, follow these steps to convert
to the new view:
1. Create a Web Site document.
2. Select the Web Site document and choose Edit Document.
3. Click the Web Site button and create the corresponding documents in
Lotus Domino 6: Rule (URL Mapping/Redirection), File Protection
(File Protection), or Authentication Realm (Realm).
4. Open the Server document.
5. Click Basics and check Enabled for “Loads Internet configurations
from Server\Internet Sites documents.”
6. Save the document, and restart the HTTP server task to use the new
view.
Hosting multiple Web sites on a partitioned server
You can set up multiple Web sites for each server’s HTTP process on a
partitioned server.
To set up multiple Web sites on a partitioned server (for Web Site
documents or for Virtual Servers)
1. Set up the partitioned server with separate TCP/IP addresses.
2. Assign IP addresses or hosts to each specific HTTP process. In each
Server document, click Internet Protocols - HTTP. In the host name
field, under “Basics,” include the host name or DNS name for each
Web server, separated by semicolons. (If you separate them with
commas, it will be saved with semicolons.)
3. Set up the Web sites, using either Web Site documents or virtual
server documents, to further define the HTTP configuration.
4. Restart HTTP. You should now be able to send HTTP requests to the
partitioned servers and all of the Web sites or virtual servers for each
partition.
Configuring HTML, CGI, icon, and Java files for Web Site documents
Domino looks for individual HTML, CGI, and icon files in specific
directories on the server’s hard drive. You can change the URL path for
icons and CGI program files. The URL path is where Domino looks for
icons or CGI programs when it encounters a reference in the HTML code
to one of these.
Specifying icon and CGI URL paths is useful if you change the directory
location of icons or CGI programs and you do not want to modify HTML
code that references the previous location of these files.
1. From the Domino Administrator, choose Configuration - Web -
Internet Sites.
2. Choose the Web Site document you want to edit and click Edit
Document.
3. Click Configuration. Under “Default Mapping Rules,” complete
these fields:

Home URL: Enter the URL command to perform when users access the
Web site without specifying a resource; for example, the user just
requests “http://www.acme.com.” Usually the home URL points to the
Web site’s home page; for example, “/welcome.nsf/hello?OpenPage.”
HTML directory: Specify the directory that will be used to find HTML
files if a URL does not specify a path; for example,
http://www.acme.com/welcome.html. Default is domino\html. The path
can be relative to the Domino data directory, such as domino\myhtml,
or it can be fully qualified, such as c:\websites\html.
Service providers: This directory is relative to the main Domino data
directory, not to the hosted organization’s data directory.
Icon directory: Enter the directory where icon files are located. You
can specify the path for the icon directory using either the fully
qualified path or a relative path. Default is domino\icons.
Service providers: This directory is relative to the main Domino data
directory, not to the hosted organization’s data directory.
Icon URL path: Enter the URL path that is used to map to the icon
directory. The default is /icons. For example, the URL
http://servername/icons/abook.gif returns the file
c:\lotus\domino\data\domino\icons\abook.gif.
CGI directory: Enter the default directory where CGI programs are
located. The default is domino\cgi-bin.
Service providers: This directory is relative to the main Domino data
directory, not to the hosted organization’s data directory.
CGI URL path: Enter the URL path that is used to map to the default
CGI directory. The default is cgi-bin. For example, the URL
http://servername/cgi-bin/test.pl runs the CGI program
c:\lotus\domino\data\domino\cgi-bin\test.pl.
Java applet directory: Enter the directory where the Domino Java
applets are located. The default is domino\java.
Java URL path: Enter the URL path that is used to access files in the
default Java directory. The default is /domjava.

Note If you are using the Web Server Configuration view, open the
Server document, choose Internet Protocols - HTTP, and complete the
fields in the “Mapping” section.
Configuring DSAPI, HTTP methods, and WebDAV in Web Site
documents
You can set up a Web Site document to support the Domino Web Server
Application Programming Interface (DSAPI), various HTTP methods,
and Web-based Distributed Authoring and Versioning (WebDAV).
The Domino Web Server Application Programming Interface (DSAPI) is
a C API that you can use to write your own extensions to the Domino
Web Server. These extensions, or “filters,” let you customize
authentication for Web users. For more information about DSAPI and
filters, see the C API User’s Guide and the C API Reference Guide.
WebDAV is a set of extensions to the HTTP 1.1 protocol which allows
users to collaboratively edit and manage files on remote Web servers.
WebDAV clients can only access design elements in the design collection
of a database. Users must have Notes Manager or Designer level access
rights to the database. Application developers are the typical users of
WebDAV.
For more information, see the topic “Setting up WebDAV” later in this
chapter.
For more information about WebDAV, see the book Application
Development with Domino Designer.
Note If you are using the Web Server Configurations view, the DSAPI
fields appear in the Server document on the Internet Protocols - HTTP
tab.
1. From the Domino Administrator, click the Configuration tab, expand
the Web section and click Internet Sites.
2. Choose the Web Site you want to edit, and click Edit Document.
3. Click the Configuration tab and complete these fields:

DSAPI filter file names: Enter the name of one or more DSAPI filter
files.
Service providers: Each DSAPI filter applies to the entire server;
therefore, if the services must be different for individual hosted
organizations, the DSAPI filter itself must be coded to handle those
differences for each individual hosted organization.
Methods: Choose one or more:
• GET (default)
• HEAD (default)
• POST (default)
• OPTIONS (default)
• TRACE (default)
• PUT
• DELETE
WebDAV: Choose this option to enable Web-based Distributed
Authoring and Versioning.
Note If you enable WebDAV, the following HTTP methods are also
enabled: GET, HEAD, OPTIONS, PUT, and DELETE.

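Because enabling WebDAV widens the method set beyond what is ticked in the Methods field, an administrator usually wants to confirm which methods a site actually answers to. The following is an added example written for this page (Python; it is not Domino code or an IBM tool). It encodes the settings from the table above, parses the Allow header of an OPTIONS response, and reports any difference between the configured and observed methods; the OPTIONS response is a constructed sample, and the Allow header is standard HTTP, not a Domino-specific format.

```python
"""Effective HTTP method check for a Domino Web Site document.

Added example written for this page; not Domino code. It encodes the
settings in the table above (GET, HEAD, POST, OPTIONS and TRACE on by
default; PUT and DELETE opt-in; WebDAV additionally enabling GET, HEAD,
OPTIONS, PUT and DELETE) and compares that expectation with the Allow
header of an OPTIONS response. The response below is a constructed sample.
"""

DEFAULT_METHODS = frozenset({"GET", "HEAD", "POST", "OPTIONS", "TRACE"})
WEBDAV_METHODS = frozenset({"GET", "HEAD", "OPTIONS", "PUT", "DELETE"})
WRITE_METHODS = frozenset({"PUT", "DELETE"})

# Constructed OPTIONS response for the example; not real server output
SAMPLE_OPTIONS_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Allow: GET, HEAD, POST, OPTIONS, TRACE, PUT, DELETE\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)


def expected_methods(selected, webdav_enabled):
    """Methods a Web Site will accept given its Methods field and WebDAV flag."""
    methods = {m.upper() for m in selected}
    if webdav_enabled:
        methods |= WEBDAV_METHODS
    return methods


def parse_allow_header(raw_response):
    """Return the method names listed in the Allow header of a raw response."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "allow":
            return {m.strip().upper() for m in value.split(",") if m.strip()}
    return set()


def method_drift(selected, webdav_enabled, raw_response):
    """Compare configured and observed methods; write methods are called out."""
    expected = expected_methods(selected, webdav_enabled)
    observed = parse_allow_header(raw_response)
    return {
        "unexpected": sorted(observed - expected),
        "missing": sorted(expected - observed),
        "write_methods": sorted(observed & WRITE_METHODS),
    }


if __name__ == "__main__":
    # A site configured with only the defaults but answering PUT and DELETE
    print(method_drift(DEFAULT_METHODS, False, SAMPLE_OPTIONS_RESPONSE))
```

Run the drift check against each Web Site document after changing the Methods or WebDAV settings and after `tell http refresh`; any entry under "write_methods" is a site that accepts uploads or deletions and should be backed by the ACL requirements listed earlier.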
Domino Web Engine settings for Web Site documents
Use the Domino Web Engine tab to do the following:
• Set up session authentication.
• Specify GIF or JPEG conversion.
• Specify the number of lines to display in a view.
• Limit the number of documents displayed when searching.
• Find links with the Redirect URL command.
• Restrict the amount of data that users can send to a Domino
database.
• Store Web user preferences in cookies.
• Set up language preferences.
• Specify an international character set when retrieving pages.
Note If you are using the Web Server Configurations view, use the
Server document.
Setting up session authentication for Web Site documents
You can enable session-based name-and-password authentication for a
Web site document. Web clients must use a browser that supports
cookies. You can customize an HTML login form for users to enter their
credentials, address multiple login prompts, allow logout using the
?logout URL or formula, and log user sessions.
1. From the Domino Administrator, click the Configuration tab, expand
the Web section, and click Internet Sites.
2. Choose the Web Site document you want to edit, and click Edit
Document.
3. Click the Domino Web Engine tab. Under HTTP Sessions, in the
Session authentication field, do one of the following:
• Choose Multiple Servers (SSO) to allow a Web user to log on once
to a Domino server, then access any other Domino server in the
same domain without logging on again. Under Web SSO
configuration, enter the name of the Web SSO configuration
document.
• Choose Single Server to use cookies for a single server only. This
option applies only when users access this Web site. Under Idle
session timeout, enter the time (in minutes) when the cookie will
expire and the session will be deactivated. Default is 30 minutes.
• Choose Disabled (default) to prevent cookies from being used by
the Domino server for authentication.
4. In the Maximum active sessions field, enter the maximum number of
active, concurrent user sessions on the server. Default is 1000.
5. Save the document.
For more information about session authentication and single sign-on,
see the chapter “Setting Up Name-and-Password and Anonymous
Access to Domino Servers.”
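The two numeric settings in this procedure, the idle session timeout and the maximum number of active sessions, are easiest to reason about with a small model. The following is an added example written for this page (Python; not Domino code and not how the HTTP task stores sessions internally). It keeps a cookie-to-user table, expires entries that have been idle longer than the timeout, refuses new logins once the cap is reached, and takes an injectable clock so the behaviour can be checked without waiting; the default values are the ones the text gives.

```python
"""Idle timeout and concurrent-session cap for session authentication.

Added example written for this page; not Domino code. It models the two
Web Site settings described above, "Idle session timeout" (default 30
minutes) and "Maximum active sessions" (default 1000), with an injectable
clock so the behaviour can be checked without waiting.
"""
import secrets
import time


class SessionStore:
    def __init__(self, idle_timeout_minutes=30, max_active=1000, clock=time.time):
        self.idle_timeout = idle_timeout_minutes * 60
        self.max_active = max_active
        self._clock = clock                 # returns seconds; injectable for tests
        self._sessions = {}                 # cookie token -> [user, last_activity]

    def _expire_idle(self):
        """Drop sessions whose idle time exceeds the configured timeout."""
        now = self._clock()
        stale = [t for t, (_, last) in self._sessions.items()
                 if now - last > self.idle_timeout]
        for token in stale:
            del self._sessions[token]

    def active_count(self):
        self._expire_idle()
        return len(self._sessions)

    def login(self, user):
        """Issue a session cookie value, or None when the server is at capacity."""
        self._expire_idle()
        if len(self._sessions) >= self.max_active:
            return None
        token = secrets.token_urlsafe(32)   # unguessable cookie value
        self._sessions[token] = [user, self._clock()]
        return token

    def authenticate(self, token):
        """Return the user behind a valid cookie and reset its idle timer."""
        self._expire_idle()
        entry = self._sessions.get(token)
        if entry is None:
            return None
        entry[1] = self._clock()
        return entry[0]

    def logout(self, token):
        """Invalidate a cookie, as the ?logout URL does for a session."""
        return self._sessions.pop(token, None) is not None


if __name__ == "__main__":
    store = SessionStore()
    cookie = store.login("alice")
    print(store.authenticate(cookie), store.active_count())
```

Two points the model makes visible: the idle timer is reset by every authenticated request, so an active user is never logged out by the timeout, and a server at the maximum active sessions rejects new logins rather than evicting someone, which is why the cap should be sized from expected concurrent users rather than left at the default without thought.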
Specifying GIF or JPEG conversion in Web Site documents
You can control the format and method Domino uses to display images
that appear in documents. The Domino Web server supports both GIF
and JPEG image formats. This setting has no effect on images referenced
using passthru HTML.
When you enable progressive or interlaced rendering, the image appears
to download quickly and you can typically identify the image before it is
completely downloaded.
To specify GIF or JPEG conversion in a Web Site document
1. From the Domino Administrator, click the Configuration tab, expand
the Web section, and click Internet Sites.
2. Choose the Web Site document you want to edit, and click Edit
Document.
3. Click the Domino Web Engine tab. Under Conversion/Display,
complete these fields:
To specify GIF conversion

Image conversion format: GIF (default), to convert images in
documents to GIF format.
Interlaced rendering: Choose one:
• Enabled (default), to display each line of the image individually.
• Disabled, to wait for the entire image to download before
displaying the image.

To specify JPEG conversion

Image conversion format: JPEG, to convert images in documents to
JPEG format.
Progressive rendering: Choose one:
• Enabled (default), to display the image incrementally in several
passes.
• Disabled, to wait for the entire image to download before
displaying the image.
JPEG image quality: A percentage between 5 and 100 to indicate the
level of image quality. The larger the value, the larger the file, the
longer the file takes to transmit, and the better the image quality.
The default is 75.

Note If you are using the Web Server Configuration view, open the
Server document and click the Internet Protocols - Domino Web Engine
tab.
Specifying the number of lines to display in a view
You can specify the default number of lines to display in a view when
users do not specify a line count in a URL. The number of lines to display
depends on your preference. Displaying many lines per view makes it
easy to find an item in a large view. Displaying fewer lines per view
makes it easy to read the items in the view.
You can also specify the maximum number of lines to display in a view
when the user specifies a line count in a URL.
Entering a maximum number of lines prevents users from overloading
server resources by requesting a large number of lines to display.
To specify the number of lines to display in a view
1. From the Domino Administrator, click the Configuration tab, expand
the Web section and click Internet Sites.
2. Choose the Web Site document you want to edit and click Edit
Document.
3. Click the Domino Web Engine tab. Under “Conversion/Display”
complete these fields:

Default lines per view page: A number from 1 to the number specified
in the “Maximum lines per view page” field. Default is 30.
Maximum lines per view page: A number that is limited only by the
browser software. Default is 1000. Enter 0 if you do not want to limit
the number of lines in a view.

Note If you are using the Web Server Configuration view, open the
Server document and click the Internet Protocols - Domino Web Engine
tab.
Limiting the number of documents displayed during a Web Site
search
You can specify a default and maximum number of documents to
display as a result of performing a search on a database. Users can
specify the number of documents for a search query to return using the
SearchMax parameter with the SearchSite and SearchView commands.
Note If you are using the Web Server Configuration view, open the
Server document and click the Internet Protocols - Domino Web Engine
tab.
Change these options to prevent users from overloading server resources
with search results.
To limit the number of documents displayed during a Web Site
search
1. From the Domino Administrator, click the Configuration tab, expand
the Web section, and click Internet Sites.
2. Choose a Web Site document you want to edit, and click Edit
Document.
3. Click the Domino Web Engine tab. Under Conversion/Display,
complete these fields:

Default search result limit: Enter the maximum number of documents
to display when users do not specify the SearchMax parameter in the
URL. If you set the value to 0, the number of documents displayed is
the same value as that specified in “Maximum search result limit.”
The default is 250.
Maximum search result limit: Enter the maximum number of
documents that a user can specify for the SearchMax parameter in a
URL. Enter 0 if you do not want to limit the number of documents
displayed. The default is 1000.

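The view line limits and the search result limits above follow the same policy: a default applies when the URL omits the parameter, the maximum caps whatever the user asks for, and 0 switches the cap off (or, for the default search limit, defers to the maximum). The following is an added example written for this page (Python; not Domino code) that applies that policy to a request URL for both settings. SearchMax is the parameter name the text gives; the name "Count" for the view line parameter and the sample Web Site values are this example's own assumptions.

```python
"""Applying default and maximum limits to user-supplied counts.

Added example written for this page; not Domino code. It models the
policy described for "Default/Maximum lines per view page" and
"Default/Maximum search result limit": the default is used when the URL
omits the parameter, the maximum caps any requested value, and 0 means
"no limit" (for the default search limit, "same as the maximum").
The "Count" parameter name is an assumption; SearchMax is from the text.
"""
from urllib.parse import parse_qs, urlsplit

# Constructed Web Site settings using the documented defaults
SAMPLE_SITE = {
    "default_lines": 30, "max_lines": 1000,
    "default_search": 250, "max_search": 1000,
}


def clamp_count(requested, default, maximum):
    """Return how many items to return for one request.

    requested: int taken from the URL, or None when the parameter is absent.
    default:   used when requested is absent or invalid; 0 means "use maximum".
    maximum:   hard cap on any value; 0 means unlimited.
    """
    if requested is None or requested < 1:
        value = default if default > 0 else maximum
    else:
        value = requested
    if maximum > 0 and (value > maximum or value == 0):
        value = maximum
    return value


def _int_param(params, name):
    """First integer value of a query parameter, or None if absent/invalid."""
    values = params.get(name)
    if not values:
        return None
    try:
        return int(values[0])
    except ValueError:
        return None


def effective_limits(url, site):
    """Compute the view line count and search result count for one URL."""
    params = parse_qs(urlsplit(url).query)
    return {
        "lines": clamp_count(_int_param(params, "Count"),
                             site["default_lines"], site["max_lines"]),
        "search": clamp_count(_int_param(params, "SearchMax"),
                              site["default_search"], site["max_search"]),
    }


if __name__ == "__main__":
    url = "http://host/db.nsf/view?SearchView&Query=x&SearchMax=5000&Count=99999"
    print(effective_limits(url, SAMPLE_SITE))   # both capped at 1000
```

The point for capacity planning is the last branch of clamp_count: with a maximum of 0 a client-supplied value passes through unchanged, which is the "overloading server resources" case the text warns about, so leave a maximum set on any site that is reachable by untrusted users.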
Finding links with the Redirect URL command
You use the Redirect URL command to create anchor, document, view,
and database links on a Web page. These links and the links for domain
search results can direct users to a database on the same server or
another server. Enable this option on any server that runs the domain
search and on servers for which you want to resolve links to other
servers.
To find links with the Redirect URL command
1. From the Domino Administrator, click the Configuration tab, expand
the Web section, and click Internet Sites.
2. Choose the Web Site document you want to edit, and click Edit
Document.
3. Click Domino Web Engine. Under Conversion/Display, complete
this field:

Redirect to resolve external links: Choose one:
• Disabled (default), to prevent the server from accepting Redirect
URL commands and to prevent the server from generating Redirect
URL commands as a result of a domain search.
• By Server, to look up the server name specified in the URL in the
Domino Directory on the Web server. The Web server searches for
the server name in both the Host names field on the Internet
Protocols - HTTP tab and the Fully qualified Internet host name
field on the Basics tab.
• By Database, to find the database in the Domino Directory on any
available server. Domino locates the database in the domain
catalog, if available, or in the server’s local catalog. Make sure the
domain catalog contains up-to-date information on the location of
databases. With this option, resolving links takes more time than
with the By Server option, since the Web server searches for the
database on an available server instead of just the server presented
in the URL. The By Database option, however, may resolve more
links, since the Web server tries to resolve the link using a replica
of the database on servers in addition to the server presented in the
URL. Use this option on the server that runs the domain search so
more links are resolved for the user. Since By Server and By
Database both rely on the information in the Domino Directory,
make sure the server information in the Domino Directory is
complete and correct.

For information on the Redirect URL command, see Application
Development with Domino Designer.
Note If you are using the Web Server Configuration view, open the
Server document and click the Internet Protocols - Domino Web
Engine tab.
Restricting the amount of data users can send to a Domino
database
The HTTP POST and PUT methods allow users to send data to the
Domino server. The Server record field “Maximum size of request
content” is new for Domino 6, and sets a limit on the amount of data that
can be sent using either POST or PUT. This limit is enforced for all POST
and PUT methods, whether the target is a database, CGI program, or
Java servlet, and applies to all Web sites.
The Web Site document contains two additional settings that control
POST and PUT methods that target a database (for example, filling in a
form or uploading a file attachment). Formerly available in the Server
record, for Domino 6 these settings have been moved to the Web Site
document so that you can specify different values for each Web site.
To restrict the amount of data that can be sent to a Domino
database
1. From the Domino Administrator, click the Configuration tab, expand
the Web section and click Internet Sites.
2. Choose the Web Site document you want to edit and click Edit
Document.
3. Click the Domino Web Engine tab. Under “POST Data” complete
these fields:

Maximum POST data: Enter the amount of data in KB that a user is
allowed to send to the Web site in a POST request that targets a
database. The default is 0, which does not restrict the amount of data
that users can send (however, the amount is still limited by the Server
record setting “Maximum request content”). This limit applies to both
the PUT and the POST HTTP methods. If users try to send more than
the maximum allowed data, Domino returns an error message to the
browser.
File compression on upload: Choose one:
• Enabled, to compress files before adding them to a database.
Compressing files saves disk space on the server.
• Disabled (default), if clients use a browser that supports
byte-range serving. You cannot download compressed files using
Domino byte-range serving.

For more information on byte-range serving, see the topic
“Improving file-download performance for Web clients” earlier in
this chapter.
Note If you are using the Web Server Configuration view, open the
Server document and choose the Internet Protocols - Domino Web
Engine tab.
Storing Web user preferences in cookies
Web users can configure their own time zone and regional preferences.
Customized preferences are stored in cookies that reside in Web client
browsers. Thus, your preferences can’t be used if you access the server
from a browser other than the one for which you set up cookies.
1. From the Domino Administrator, choose Configuration - Web -
Internet Sites.
2. Choose the Web Site document you want to edit and click Edit
Document.
3. Click Domino Web Engine. Under “Web User Preferences,” complete
these fields:

Store user preferences in cookies: Choose one:
• Disabled: Users cannot customize their regional preferences.
• Single Server: Cookies for customized preferences are generated
for the current Web site/server only.
• Multi-server: Cookies for customized preferences are generated
for the DNS domain to which the current Web site/server belongs.
Default regional locale: Use this field for those cases in which a user
does not have any custom regional settings enabled for their browser,
and the format option for regional setting fields is set to “user’s
setting.” This information is needed for formatting date, time,
number, and currency fields.
• Server locale: Use the server’s operating system settings.
• Browser’s accept-language (default): Use the browser’s
accept-language. By default, both Internet Explorer and Netscape
send HTTP requests with the accept-language header in the user’s
preferred language(s).

Note If you are using Server document settings and the Web Server
Configurations view, you can enable these settings in the Server
document in Internet Protocols - Domino Web Engine, under “Web user
preferences.”
Setting up language preferences
The Web server uses language string resource modules to render Web
pages in different languages. The Domino 6 Web server can support
multiple languages and be configured to handle them on the fly. The
language in which a Web server generates a Web page is based on the
“Accept-Language” setting in the headers of client HTTP requests. For
example, a Web server with English and French resource modules will
generate a Web page in French if a Web client sends an HTTP request
with “Accept-Language: fr” (fr is French) in its headers.
1. From the Domino Administrator, choose Configuration - Web -
Internet Sites.
2. Choose the Web Site document you want to edit and click Edit
Document.
3. Click Domino Web Engine. Under “Web User Preferences,” complete
these fields:

Default string resource language: Use this setting to select the
default language string resource module for Web clients who do not
send “accept-language” information with HTTP requests, or for cases
in which the languages specified in the “accept-language” header are
not in the languages available on the server.
Additional string resource languages: Use this setting to select the
additional string resource languages that are installed on the server.

Note If you are using Server document settings and the Web Server
Configurations view, you can enable these settings in the Server
document in Internet Protocols - Domino Web Engine, under
“Language.”
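The selection rule this section describes, an installed module matching the client's Accept-Language header, otherwise the default string resource language, is shown below as an added example written for this page (Python; not Domino code and not the HTTP task's own matching logic). It orders the header's language tags by their q-values and picks the first installed one; the installed language set is constructed, and the fallback from a regional tag such as fr-CA to the base language fr is this example's own assumption, not something the text states.

```python
"""Choosing a string resource language from Accept-Language.

Added example written for this page; not Domino code. It picks an
installed language module matching the client's Accept-Language header
and falls back to the "Default string resource language" when the header
is absent or none of its languages is installed. The region-to-base
fallback (fr-CA -> fr) and the installed set are this example's assumptions.
"""

# Constructed server configuration for the example
INSTALLED_LANGUAGES = {"en", "fr"}
DEFAULT_LANGUAGE = "en"


def parse_accept_language(header):
    """Return language tags ordered by q-value, highest first.

    Tags with q=0 are dropped; ties keep the order in which they appear.
    """
    tags = []
    for index, item in enumerate(header.split(",")):
        parts = [p.strip() for p in item.split(";")]
        tag = parts[0].lower()
        if not tag:
            continue
        q = 1.0
        for param in parts[1:]:
            if param.startswith("q="):
                try:
                    q = float(param[2:])
                except ValueError:
                    q = 0.0          # malformed weight: treat as unacceptable
        tags.append((q, index, tag))
    tags.sort(key=lambda t: (-t[0], t[1]))
    return [tag for q, _, tag in tags if q > 0]


def select_language(accept_language, installed=INSTALLED_LANGUAGES,
                    default=DEFAULT_LANGUAGE):
    """Pick the resource module used to render the page."""
    if not accept_language:
        return default
    available = {lang.lower() for lang in installed}
    for tag in parse_accept_language(accept_language):
        if tag in available:
            return tag
        base = tag.split("-", 1)[0]          # assumption: fr-CA falls back to fr
        if base in available:
            return base
    return default


if __name__ == "__main__":
    for header in ("fr", "de-DE, fr;q=0.8, en;q=0.5", "de", ""):
        print(repr(header), "->", select_language(header))
```

A practical consequence of the fallback rule: a client whose preferred languages are all absent from the server is served in the default string resource language, so that setting, not the first installed language, determines what unmatched users see.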
Specifying the character set to use when retrieving Web pages
Domino uses the default character set and character set mapping
selection to generate HTML text for the browser. If you have
international users who need to see text in nonwestern languages, you’ll
need to make changes to the settings. The character set setting affects all
databases on the server.
To specify an international character set
1. From the Domino Administrator, click the Configuration tab, expand
the Web section and click Internet Sites.
2. Choose the Web Site document you want to edit and click Edit
Document.
3. Click the Domino Web Engine tab. Under “Character Set Mapping”
complete these fields:

Default character set group: A character set group to allow users to
choose their preferred character set when they create or edit
documents. The default is Western.
Convert resource strings to: A language to use for messages, HTML
for default search pages, and static strings in pages. You can choose a
language other than English only for international versions of the
Domino server that have translated text. The default is English.
Use UTF-8 for output: Choose one:
• Yes, to generate pages using UTF-8.
• No (default), to generate pages using the character set mapping you
select.
Use auto-detection if database has no language information: Choose
one:
• Yes, to detect automatically the language to use for the database if
no default language is selected on the Design tab of the Database
Properties box.
• No (default), to use the language specified by the Use UTF-8 for
output field. If the language is specified for a database on the
Design tab of the Database Properties box, Domino uses that
language for text in the database.
Character set in header: Choose one:
• Yes (default), to add the character set to the “Content-Type” HTTP
header of an HTML page. If you select Yes, then the browser finds
the character set before rendering the page.
• No, to exclude the character set from the HTTP header of an HTML
page. Use this option if you use early versions of browsers that do
not understand the character set tag in the HTTP header.
Meta character set: Choose one:
• Yes, to add the character set to the <META> tag of an HTML page.
This option lets you save the character set information when you
save an HTML file on a server or on your hard disk.
• No (default), to exclude the character set from the <META> tag of
an HTML page.

4. In the fields that display the character set group names, select one of
the available choices for character set mapping.
5. Save the document.
Table of character sets for Web server pages
The default character set governs the available choices for character set
mapping. If a character set group has mapping choices, you must also
select which character set to use.

Character set group: Mapping choices
Western: US-ASCII, ISO-8859-1 (default), ISO-8859-15, Windows-1252.
This set includes Windows and ANSI characters.
Central European: ISO-8859-2 (default), Windows-1250
Japanese: SJIS (default), JIS (ISO-2022-JP), EUC-JP
Traditional Chinese: Big5 (default), EUC-TW
Simplified Chinese: GB
Korean: KSC5601 (EUC)
Cyrillic: ISO-8859-5, Windows-1251, KOI8-R (default)
Greek: ISO-8859-7, Windows-1253 (default)
Turkish: ISO-8859-9, Windows-1254 (default)
Thai: Windows-874
Baltic: Windows-1257
Arabic: Windows-1256 (default), ISO-8859-6
Hebrew: ISO-8859-8 (default), Windows-1255
Vietnamese: Windows-1258

Web Site rules and global Web settings
Web Site rules are documents that help you maintain the organization of
a Web site. They have two main uses:
• Enable the administrator to create a consistent and user-friendly
navigation scheme for a Web site, which is independent of the site’s
actual physical organization.
• Allow parts of the site to be relocated or reorganized without
breaking existing links or browser bookmarks.
Web Site rules are created as response documents to Web Site
documents, and apply only to that particular Web Site document. If you
want to apply a rule to more than one Web Site document, copy and
paste the rule document from one Web Site document to the other.
Before Web Site rules can be applied to an incoming URL, the URL is
normalized according to a predefined set of filtering and validation rules
and procedures. These procedures reduce the URL to a safe form before
it is passed to an application for processing. Once the URL is normalized,
the HTTP task uses the rules defined for the Web Site to determine if the
URL is to be modified in any way.
Note Only the URL path is used for pattern matching. The query string
is saved for use by the application. Any patterns you specify for a rule’s
Incoming URL pattern field should not include a host name or query
string.
There are four types of Web Site rules. If more than one type of Web Site
rule has been created for a Web Site document, the rules documents are
evaluated in this order:
1. Substitution
2. Redirection
3. Directory
4. HTTP response header
Substitution rules
A substitution rule replaces one or more parts of the incoming URL with
new strings. Substitution rules should be used when you want to
reorganize your Web site, and you don’t want to have to rewrite all the
links in the site, or when you want to provide user-friendly aliases for
complex URLs.
34-34 Administering the Domino System, Volume 1
For example, a substitution rule would be useful if you moved a number
of files on your Web site from one directory to another. Instead of fixing
all the links that refer to the old directory, your substitution rule would
map the old directory to the new directory.
The incoming and replacement patterns in substitution rules must each
specify at least one wildcard. If you do not explicitly include a wildcard
somewhere in a pattern, the HTTP task automatically appends “/*” to
the pattern when it stores the rule in its internal table.
Redirection rules
Redirection rules redirect incoming URLs to other URLs. There are two
types of redirection rules: external redirection and internal redirection.
An external redirection rule causes the server to inform the browser that
a file or other resource requested by the browser is located at another
URL. If the incoming URL path matches an external redirection rule, the
HTTP task generates a new URL based on the redirection pattern and
immediately returns that URL to the browser. Using external redirection
rules allows existing links and bookmarks to keep working, but ensures
that new bookmarks point to the new location.
An internal redirection rule acts like a substitution rule, as the HTTP task
generates a new URL and then re-normalizes it. There are two
differences, however. First, the redirection table is searched recursively,
so you can create and nest multiple redirection rules. Second, an internal
redirection rule does not require the use of a wildcard character. Thus,
you can choose to use an internal redirection rule instead of a
substitution rule if you want to force an exact match on the URL path.
If the incoming URL path matches an internal redirection rule, the HTTP
task generates a new path, normalizes the path, and searches the
redirection rule table again. Because the HTTP task does a recursive
search through the redirection rule table, you can write broad redirection
rules that capture URLs no matter what substitution or redirection has
been applied.
Note Having a recursive search means that there is the potential for
getting into an infinite loop if you write redirection rules that match each
other. To eliminate this possibility, the HTTP task has a built-in recursion
limit of ten.
Wildcards are allowed in redirection rules, but are not required.
Directory rules
A directory rule maps a file-system directory to a URL pattern. When the
Web server receives a URL that matches the pattern, the server assumes
that the URL is requesting a resource from that directory.
Setting Up the Domino Web Server 34-35
When you install a Domino 6 Web server, several file-resource directories
are created automatically. These default directories are mapped by
directory rules that are defined on the Configuration tab of the Web Site
document. When the Web server starts up, it automatically creates
internal rules to map these directories to URL patterns. The three default
directories are:
• HTML directory for non-graphic files
• Icon directory for graphic images such as .GIFs
• CGI directory for CGI programs
Directory rules can only be used to map the location of files that are to be
read directly (such as HTML files and graphic files) and executable
programs to be loaded and run by the operating system (such as CGI
programs). Directory rules cannot be used to map the location of other
types of resources, such as Domino databases or Java servlets.
When you create a Directory Web Site rule, you specify read or execute
access to a file-system directory. It is critically important to choose the
right access. Only directories that contain CGI programs should be
enabled for Execute access. All other directories should have Read access.
If you specify the wrong access level, unexpected results will occur. For
example, if you mark a CGI directory for Read access, when a browser
user sends a URL for a CGI program, the server will return the source
code of the program instead of executing it, which could be a serious
security breach.
Directory rules cannot override file-access permissions enforced by the
operating system.
Note Access level is inherited by all subdirectories under the specified
directory.
HTTP response header rules
Every HTTP browser request and server response begins with a set of
headers that describe the data that is being transmitted. An HTTP
response header rule allows an application designer to customize the
headers that Domino sends with responses to requests that match the
specified URL pattern, for example by adding an Expires header or
custom headers.
The most important use of response rules is to improve the performance
of browser caching. An application designer can add headers that
provide the browser with important information about the volatility of
the material being cached.
The caching headers include the Last-Modified header, Expires header,
and Cache-Control header. The Last-Modified header indicates when the
resource or resources used to generate a response were last changed. The
Expires header tells the browser when resources are expected to change.
A designer can define a rule to add Expires headers to responses based
on when the designer expects resources to change. The Cache-Control
header provides explicit instructions to browser and proxy server caches,
such as “no-cache” for responses that should not be cached, or “private”
for responses that are cacheable but are specific to a particular browser
configuration.
You can also use response rules to customize headers. For example, you
can create response rules for custom headers that display specific error
messages — for example, when a user is not authorized to access an
application.
Unlike other Web site rules, response rules are applied to the outgoing
response, just before the HTTP task transmits the response to the
browser. For response header rules, the pattern is matched against the
final form of a URL, after substitution and redirection rules have been
applied to it. For example, if you have a substitution rule that transforms
/help/* to /support.nsf/helpview/* and you want to create a response
rule to match the response, the pattern for the response rule should be
/support.nsf/helpview/*.
The pattern can include one or more asterisks as wildcard characters. For
example, the pattern /*/catalog/*.htm will match the URLs
/petstore/catalog/food.htm, /clothing/catalog/thumbnails.htm, and so
on. A wildcard is not required in a response rule. This allows you to
create a rule that matches a specific resource, for example,
/cgi-bin/account.pl. Also, as with all rules, the incoming pattern cannot
contain a query string.
Response header rules are different from other rules in that not only do
they have to match a URL pattern, they also have to match the HTTP
response status code. You need to specify one or more status codes in the
HTTP response codes field.
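The rule processing described in this section, modelled in Python as an added example (this is not Domino code; the HTTP task’s real tables and normalization are internal to the server). It shows substitution patterns getting “/*” appended when they lack a wildcard, internal redirections (target starting with a slash) searched recursively up to the built-in limit of ten, directory rules deciding whether a file is served or executed, and response header rules matched against the final URL plus status code. The rule names, paths and host name in the sample configuration are constructed.

```python
"""Model of how the Domino 6 HTTP task applies Web Site rules (see the text above).

Added illustration, not Domino code. Assumptions: '*' matches any run of
characters and captures are substituted in order; normalization only strips the
query string and collapses repeated slashes; header rules see the final URL.
"""
import re
from collections import namedtuple

RECURSION_LIMIT = 10  # built-in redirection recursion limit stated in the text

Substitution = namedtuple("Substitution", "incoming replacement")
Redirection = namedtuple("Redirection", "incoming target")  # target '/...' = internal
Directory = namedtuple("Directory", "incoming directory access")  # read | execute
HeaderRule = namedtuple("HeaderRule", "pattern status_codes headers")


def normalize(url):
    """Reduce the URL to a safe path; the query string is kept aside for the app."""
    path, _, query = url.partition("?")
    path = re.sub(r"/{2,}", "/", path)
    return (path if path.startswith("/") else "/" + path), query


def ensure_wildcard(pattern):
    """Substitution patterns are stored with '/*' appended if they lack a wildcard."""
    return pattern if "*" in pattern else pattern.rstrip("/") + "/*"


def match(pattern, path):
    """'*' is a wildcard; return the captured pieces (a tuple), or None if no match."""
    regex = "^" + "(.*)".join(re.escape(p) for p in pattern.split("*")) + "$"
    m = re.match(regex, path)
    return m.groups() if m else None


def fill(template, groups):
    """Replace each '*' in the template with the corresponding captured piece."""
    parts = template.split("*")
    return parts[0] + "".join((groups[i] if i < len(groups) else "") + part
                              for i, part in enumerate(parts[1:]))


def apply_redirections(path, redirs):
    """Internal redirections are re-normalized and searched again, recursively."""
    for _ in range(RECURSION_LIMIT):
        for rule in redirs:
            groups = match(rule.incoming, path)  # exact match unless '*' is used
            if groups is None:
                continue
            new_url = fill(rule.target, groups)
            if not new_url.startswith("/"):
                return path, new_url, None  # external: the browser is sent new_url
            path, _ = normalize(new_url)
            break
        else:
            return path, None, None  # nothing matched: the path is final
    # Rules that match each other hit the limit; the server's answer there is not stated.
    return path, None, "redirection recursion limit reached"


def process_request(url, subs=(), redirs=(), dirs=(), header_rules=(), status=200):
    """Run one request through the rule types in the documented order."""
    path, query = normalize(url)
    for rule in subs:  # 1. substitution: the first matching rule rewrites the path
        groups = match(ensure_wildcard(rule.incoming), path)
        if groups is not None:
            path, _ = normalize(fill(ensure_wildcard(rule.replacement), groups))
            break
    path, external, error = apply_redirections(path, redirs)  # 2. redirection
    result = {"path": path, "query": query, "redirect": external, "error": error,
              "file": None, "action": None, "headers": {}}
    if external or error:
        return result
    for rule in dirs:  # 3. directory: map the URL onto a file-system directory
        groups = match(rule.incoming, path)
        if groups is not None:
            result["file"] = rule.directory.rstrip("\\") + "\\" + groups[-1].replace("/", "\\")
            # Read access serves file contents; on a CGI directory that means the
            # program's source code goes to the browser instead of being executed.
            result["action"] = "execute" if rule.access == "execute" else "serve_file"
            break
    for rule in header_rules:  # 4. header rules: final URL and status code must match
        if status in rule.status_codes and match(rule.pattern, path) is not None:
            result["headers"].update(rule.headers)
    return result


# Constructed sample configuration (rule names, paths and host are made up).
SUBS = [Substitution("/help/*", "/support.nsf/helpview/*"),
        Substitution("/oldimages", "/icons")]  # stored as /oldimages/* -> /icons/*
REDIRS = [Redirection("/start", "/home/index.htm"),  # internal, exact match
          Redirection("/home/*", "/support.nsf/helpview/*"),  # internal, nested
          Redirection("/support.nsf/helpview/legacy/*", "http://archive.example.test/legacy/*")]
DIRS = [Directory("/cgi-bin/*", r"c:\lotus\domino\data\domino\cgi-bin", "execute"),
        Directory("/icons/*", r"c:\lotus\domino\data\domino\icons", "read")]
HEADERS = [HeaderRule("/support.nsf/helpview/*", {200}, {"Cache-Control": "private"}),
           HeaderRule("/cgi-bin/account.pl", {200}, {"Cache-Control": "no-cache"})]
```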
Global Web Settings
Global Web Settings enable you to apply Web rules to multiple Web
sites. You define a name for the Global Web settings document, and
specify the servers to which the Global Web settings apply. You then
create Web Rules documents for a Global Web Settings document. The
Web rules then apply to all Web sites hosted by the servers specified in
the Global Web settings document.
The Global Web Settings document and its associated Web Site rule
documents are not created automatically. If you want to use the Global
Web Settings document and Web Site rules in your Web environment, you
need to create them manually.
Creating a Web Site Rule document
You can keep database files, HTML files, CGI scripts, and other related
Web files in multiple locations or move them to new locations without
breaking URL links or changing documents. Domino displays the Rules
document as a response to the Web Site document on the Configuration
tab in the Web - Internet Sites view.
Redirecting a URL displays the page in the new location and displays the
URL in the location box for the user. Mapping a URL or directory
displays the page in the new location and hides that new location from
the user.
To create a Web Site Rule document
1. From the Domino Administrator, click the Configuration tab, expand
the Web section and click Internet Sites.
2. Choose the Web Site document you want to edit and click Edit
Document.
3. Click the Web Site button and choose Create Rule.
4. Click the Basics tab and complete the following fields:

Description: Enter a name that differentiates this rule from others you create.
Type of Rule: Choose one:
• Directory — To allow a server file-system directory to be accessed by a URL path.
• Redirection — The resource identified by the URL has been moved to a different location or Web site.
• Substitution — To replace a string in the URL with another string.
• HTTP response header — To add an Expires header or custom headers to HTTP responses that match specified URL patterns and response codes.
Incoming URL pattern: Pattern that describes the URLs affected by this rule. If you are defining many rules, specify the longest unique pattern for each rule. Do not include http or the host name in the pattern.
Redirect to this URL: (Redirection only) Enter the new URL location. If the URL pattern in this field starts with a slash, the rule is treated as an internal redirection. Otherwise, the rule is assumed to be an external redirection. The pattern for an external redirection needs to start with an Internet protocol string that the browser understands, such as http: or ftp:.
Replacement pattern: (Substitution only) Enter the string that replaces the matching part of the incoming URL.
Target server directory: (Directory only) Enter the file-system directory path being mapped. This can be specified as a fully-qualified path or a path relative to the data directory. If you want to map a directory that isn’t under the Domino data directory, specify the fully qualified path. Service providers: use the organization’s data directory.
Access level: (Directory only) Choose one:
• Read access — To allow browser users to read files from the directory; the files are displayed in the browser or downloaded. When a user requests a file from the directory, the server sends the contents of the file back to the browser.
• Execute access — To allow browser users to load and run CGI programs in the directory. The server relays the output from the program to the browser.
HTTP response codes: (HTTP Response Header only) Enter the HTTP response codes to which you want your response headers applied.
Expires header: (HTTP Response Header only) Choose one:
• Don’t add header
• Add header only if application did not
• Always add header (override application’s header)
Note If you choose to add a header, you must specify an expiration period, either as the number of days for which you want to enable this header or as a date after which you want to disable this header.
Custom header: (HTTP Response Header only) For each custom header you want to use, specify:
• Name — The name of the response header.
• Value — The value of the response header.
• Override — Override application’s header.

5. Save the document.


Note If you are using Server document settings and the Web Server
Configurations view, you can enable these settings in the Server
document. Open the Server document and click Create Web (R5) and
select “URL Mapping/Redirection.”
Configuring a Web Site rule to run PHP
PHP (from “Personal Home Page Tools”) is a script language and
interpreter. The PHP script is embedded within a Web page along with
its HTML. To enable a Web Site document to use PHP, you need to create
a directory rule for that site document to point to the PHP executable
files.
Note The default directory for PHP scripts is defined by the
DOCUMENT_ROOT CGI variable, and is the /<notes root
directory>/data/domino/html. PHP looks for scripts relative to this
directory.
To configure a Web Site rule for PHP
1. Install PHP on the Web server. Make sure that the PHP.EXE file can
find the PHP.INI file. Be sure that all paths are set up correctly for
PHP. See the PHP installation documentation for more information.
2. Create a directory rule to run PHP scripts. Use the following settings:

Description: Enter a name that differentiates this rule from others you create.
Type of Rule: Select Directory.
Incoming URL pattern: Enter /php-bin. An example of an incoming URL would be http://<server>/php-bin/PHP.EXE/<php-scripts>
Target server directory: Enter the location of the PHP binary file (for example, c:\PHP).
Access level: Click Execute.

Creating a Global Web Settings document


The settings you enable in the Global Web Settings document apply to all
Web Site documents that you have set up on this server. After you have
created the Global Web Settings document, you can create rules for this
document. These rules will apply to all of the servers that are specified in
the Global Web Settings document.
To create a Global Web Settings document
1. From the Domino Administrator, click the Configuration tab, expand
the Web section and click Internet Sites.
2. Click Create Global Web Settings.
3. Click the Basics tab and complete the following fields:

Descriptive name for this site: Enter a name for this Web site.
Domino servers that host this site: List all the servers in the domain that will host this Web site.

Protecting files on a server from Web client access


File protection documents control access to non-database files that users
can access via Web browsers. Just as a database file (.NSF) access control
list (ACL) specifies the names of the users who can access the database
and the level of access they have, a File Protection document specifies,
for files that browser users can access (for example, HTML, JPEG, and GIF
files), the level of access for these files and the names of the users
who can access them.
While you can also apply file protection to CGI scripts, file protection
does not extend to other files accessed by those scripts. For example, you
can apply file protection to a CGI script that restricts access to a group
named “Web Admins.” However, if the CGI script runs and opens other
files, or triggers other scripts to run, the File Protection document cannot
control whether “Web Admins” has access to these additional files.
Do not create file protection documents that restrict access to the
following directories, which contain default image files and Java applets
that are used by the Domino Web server and other applications, such as
mail databases:
• Domino\data\domino\java, accessed via Web browser using the path http://server/domjava
• Domino\data\domino\icons, accessed via Web browser using the path http://server/icons
File protection does apply, however, to files that access other files — for
example, HTML files that open image files. If a user has access to the
HTML file but does not have access to the JPEG file that the HTML file
uses, Domino does not display the JPEG file when the user opens the
HTML file.
You can create a File Protection document for a directory or for an
individual file. Protection defined for a directory is inherited by all of its
subdirectories. You must set up File Protection documents for all
directories accessible to Web users. Files and file directories that do not
have File Protection documents can be accessed by anyone using a Web
browser.
Note You do not need to use a file protection document to protect a
database (.NSF) file; instead, you use a database ACL.
Examples of controlling Web browser access to server files
Specifying these settings in fields in the File Protection document allows
all users in the Web User Group to open files and start programs in the
c:\notes\data\domino\html directory.
Path: c:\notes\data\domino\html
Access: Web User Group (GET)
Access: - Default - (No Access)
The file “secret.html” resides in the notes\data\domino\html
subdirectory. You can deny access to this file to members of the Web
User Group and allow access only to user Joe Smith. To do this, create an
additional File Protection document with the following settings:
Path: c:\notes\data\domino\html\secret.html
Access: - Default - (No Access)
Access: Joe Smith (GET)
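The two File Protection documents from the examples above, evaluated by a small model added here as an illustration (not Domino code). It assumes that the nearest protected path wins, since protection for a directory is inherited by its subdirectories, that an explicit user entry outranks group entries and the best group entry applies otherwise (the text does not say how conflicts resolve), that a path with no covering document is open to any browser, and that group membership comes from a constructed table standing in for the Domino Directory; Mary Chen is a constructed name.

```python
"""Model of File Protection document evaluation for the examples above.

Added illustration, not Domino code. Assumptions: the most specific (longest)
protected path that covers the requested file wins; an explicit user entry
takes precedence over group entries, then the best group entry; a file with
no covering document is open to anyone; group membership is a constructed
table standing in for the Domino Directory.
"""
from pathlib import PureWindowsPath

GET = "GET"              # Read/Execute access: open files and start programs
POST = "POST"            # Write/Read/Execute access: POST and GET methods
NO_ACCESS = "No Access"
RANK = {NO_ACCESS: 0, GET: 1, POST: 2}

# Constructed stand-in for group membership in the Domino Directory.
GROUPS = {"Web User Group": {"Joe Smith", "Mary Chen"}}  # Mary Chen is made up


class FileProtection:
    """One File Protection document: a path plus an access list with -Default-."""

    def __init__(self, path, access):
        self.path = PureWindowsPath(path)
        # The list is always created with a -Default- entry set to No Access.
        self.access = {"-Default-": NO_ACCESS, **access}

    def covers(self, target):
        """True if target is this path or lies under it (protection is inherited)."""
        target = PureWindowsPath(target)
        return target == self.path or self.path in target.parents


def effective_level(user, path, documents):
    """Access level for user on path, or None when no document protects it."""
    covering = [d for d in documents if d.covers(path)]
    if not covering:
        return None
    doc = max(covering, key=lambda d: len(d.path.parts))  # most specific document
    if user in doc.access:
        return doc.access[user]
    group_levels = [doc.access[g] for g, members in GROUPS.items()
                    if user in members and g in doc.access]
    if group_levels:
        return max(group_levels, key=RANK.get)
    return doc.access["-Default-"]  # not listed: default access level


def is_allowed(user, method, path, documents):
    """Does the File Protection configuration let user issue method on path?"""
    level = effective_level(user, path, documents)
    if level is None:
        return True  # no File Protection document: anyone with a browser can fetch it
    return RANK[level] >= RANK[method]  # POST access also grants GET


# The two documents from the example above: the html directory is readable by
# the Web User Group, while secret.html is readable only by Joe Smith.
DOCS = [
    FileProtection(r"c:\notes\data\domino\html", {"Web User Group": GET}),
    FileProtection(r"c:\notes\data\domino\html\secret.html", {"Joe Smith": GET}),
]
```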
Creating file protection for Web Site documents
In Domino 6, you create a file protection document for a specific Web
Site. The file protection document then applies only to that specific
Web Site.
File protection documents provide limited security. Use Domino security
features, such as database ACLs, to protect sensitive information.
To create file protection for a Web Site document
1. From the Domino Administrator, choose Configuration - Web -
Internet Sites.
2. Open the Web Site document for which you want to create file
protection.
3. Click Web Site and choose “Create File Protection.”
4. Click Basics and complete these fields:

Description: (Optional) Enter a name that differentiates this document from others you create.
Directory or file path: Specify the directory or file path to which you want to restrict access. It should be either in the fully-qualified path format, which includes the drive letter (for example, “c:\lotus\domino\data\domino\cgi-bin”), or the path relative to the server’s data directory (for example, “domino\cgi-bin”).
Current Access Control List: Displays the users and groups who can access the file or directory you specified, and the type of access they are allowed. Similar to a database ACL, the access control list is always created with a -Default- entry, set to No Access, which you can modify. As with a database ACL, those not listed in the Access List receive the default access level.
Set/Modify Access Control List: To add users to the Access Control List, click Set/Modify Access Control List. Select a user name or group from the Domino Directory or type a name in the Name field. Select “Read/Execute access (GET method),” “Write/Read/Execute access (POST and GET methods),” or “No Access.” Click Add to add the entry to the Access Control List.
GET lets the user open files and start programs in the directory. POST is typically used to send data to a CGI program; therefore, give POST access only to directories that contain CGI programs. No Access denies access to the specified user or group.
To remove an entry from the list, select it and click Clear.
If users connect to the server using Anonymous access, enter Anonymous in the Name field and assign the appropriate access.
Note If you wish to enter a user name that resides in an LDAP Directory, you must replace the comma delimiters with slashes. Do not enter the name with commas as delimiters. For example, an LDAP user with the following name format:
cn=Anthony Jones,l=westford,o=airius.com
should be entered into the access list of a File Protection document like this:
cn=Anthony Jones/l=westford/o=airius.com

5. Click Administration and complete the Owners and Administrators
fields. By default, the administrator name you logged in with is the
name that is assigned to both fields.
6. Save the document.
7. Enter this command to refresh the settings:
tell http refresh
Creating file protection for virtual servers (Domino 5.0x)
1. Do one of the following:
• From the Domino Administrator, choose Configuration - Servers, and open the Server document for the server to which the file protection will apply.
• If you are creating a File Protection document for a virtual server, choose Web - Web Server Configurations, and open the Virtual Server document.
2. Click Create Web (R5) and choose File Protection.
3. Click the Basics tab, and complete these fields:

Applies to: (Read-only) This setting applies to the base server, and all virtual servers or virtual hosts that do not have file protection settings. If a virtual server or virtual host has any file protection settings, then this setting does not apply.
Path: Specify the drive, directory, or file to which you want to restrict access. You can use the fully-qualified path or the relative path.

4. Click Access Control, complete this field, and then save the
document:

Current access control list: The users and groups who can access the files or directories you specified and the type of access they are allowed. By default, the access control list contains a -Default- entry, set to No Access. Users who are not listed in this field receive the -Default- access level.
To add users to this list:
1. Click Set/Modify Access Control List.
2. Select a user name or group from the Domino Directory or enter a name in the Name field.
3. Select “Read/Execute access (GET method),” “Write/Read/Execute access (POST and GET methods),” or “No Access.”
4. Click Next to add this entry to the access list.
Note GET lets the user open files and start programs in the directory. POST is typically used to send data to a CGI program; therefore, give POST access only to directories that contain CGI programs. No Access denies access to the specified user or group.
To remove an entry from the list, select the entry and click Clear.
If users connect to the server using Anonymous access, enter Anonymous in the Name field and assign the appropriate access.

5. Enter this command at the console to refresh the server settings:
tell http refresh
Domino displays the File Protection document as a response to the Server
document.
Creating a Web Site authentication realm document
Using a Domino Web Site authentication realm, you can specify the text
string that appears when a user tries to access a certain directory, or file
on a Domino Web server. When the browser prompts the user for a name
and password, the browser’s authentication dialog displays the text
string. The browser uses the realm to determine which credentials — that
is, user name and password — to send with the URL for subsequent
requests. The Domino Web server caches the user’s credentials to use for
different realms, in order to avoid prompting the user repeatedly for the
same credentials.
The realm string also applies to requests mapped to paths that have the
specified path as their root, provided that the child paths of the root do
not already have a specified realm. For example, the realm string
specified for D:\NOTES\DATA also applies to a request mapped to
D:\NOTES\DATA\FINANCE, if the latter does not have a realm
specification.
If there is no realm specification for a given path, Domino uses the path
from the request as a realm string.
If you are using Web Site documents, you can create a Web Site
Authentication Realm document for a specific Web Site document. The
Authentication Realm document appears as a response document to the
Web Site document in the Internet Sites view.
If you are using the Web Server Configurations view, or a virtual server
(Domino 5), you create a Web realm. The Web Realm document appears
as a response to the Server document which can be seen in the Web
Server Configurations view.
To create a Web Site authentication realm document
1. From the Domino Administrator, choose Configuration - Web -
Internet Sites.
2. Choose the Web Site document for which you want to create an
authentication realm, and click Edit Document.
3. Click “Web Site” and choose “Create Authentication Realm.”
4. Click the Basics tab and complete the following fields:

Description: (Optional) Enter a name that differentiates this document from others you create.
Directory or file path: Enter the name of the path that you want to protect. It should be in either the fully-qualified path format, which includes the drive letter (for example, “c:\lotus\domino\data\domino\cgi-bin”), or the relative path to the server’s data directory (for example, “domino\cgi-bin”).
Realm label returned to browser: Enter a text string that describes the location on the server, or any other descriptive string, which will be used as the realm that is displayed to the user and stored by the browser. This string should not contain any accented or international characters, because they will not be displayed correctly by the browser. The browser displays the text string whenever there is an authentication or authorization failure at the location. The text appears in the browser’s authentication dialog.

5. Save and close the document.
6. Enter this command at the console so that the settings take effect:
tell http refresh
To create a Web Realm (Domino 5.0x)
1. Do one of the following:
• From the Domino Administrator, click Configuration and click Servers.
• If you are creating a Web Realm document for a virtual server, click Web - Web Server Configurations.
2. Do one of the following:
• Open the Server document for the server to which the Web realm will apply.
• If you are creating a Web Realm document for a virtual server, open the Virtual Server document.
3. Click “Create Web (R5)” and choose Realm.
4. Complete these fields and then save the document:
IP Address: (Optional) The IP address of the virtual server. Complete this field only if you are creating a Web realm for a virtual server.
Path: Enter the name of the path that you want to protect. It should be in either the fully-qualified path format, which includes the drive letter (for example, “c:\lotus\domino\data\domino\cgi-bin”), or the relative path to the server’s data directory (for example, “domino\cgi-bin”).
Realm returned to browser when access is denied: Enter a text string that describes the location on the server, or any other descriptive string, which will be used as the realm that is displayed to the user and stored by the browser. This string should not contain any accented or international characters, because they will not be displayed correctly by the browser. The browser displays the text string whenever there is an authentication or authorization failure at the location. The text appears in the browser’s authentication dialog.

5. Enter this command at the console so that the settings take effect:
tell http restart
Custom Web server messages
You can customize some of the error messages or responses that are
generated by the Web server. If an “Error & Response” form-mapping
document exists in DOMCFG.NSF, custom errors, not generic errors, are
used.
To create a message page, create a form for each type of message and
then create a mapping document in the Domino Configuration database
(DOMCFG.NSF) to specify which form to display. While you can store
message pages in any database, the one most commonly used is
DOMCFG.NSF.
You can customize the messages that a user receives when:
• The user fails to authenticate with the server.
• The user is not authorized to access one of the databases that is part of the Web site on the server.
• The user issues a command to delete a document from a database, and the server successfully completes the deletion.
• The user’s Internet password has expired.
• The user attempts to change their Internet password and that is not allowed.
• The user changes their Internet password and the change is submitted and accepted.
In addition, you can specify a general message that appears for all other
types of errors or responses that occur on the Web server.
Note The general error message will not be generated for errors that
occur when accessing non-database files. This type of custom error
message only works when errors are encountered while accessing .NSF
files.
If you enabled session-based name and password authentication,
Domino displays an HTML page you specify to request name and
password information from the user. Domino does not use customized
error pages to display errors when authenticating with the server or
accessing a database if session-based name and password authentication
is enabled.
Database designers also have the ability to create custom error messages
for individual databases that reside on Domino servers. These types of
custom error messages are stored within the database and will only be
generated when errors occur while accessing that specific database.
For information on customizing messages that a user receives for a
specific database on a server, see Application Development with Domino
Designer. For information on session-based name and password
authentication, see the chapter “Setting up Name-and-Password and
Anonymous Access to Domino Servers.” For information on changing
Internet passwords, see the chapter “Protecting and Managing Notes
IDs.”
In this example, the form for the message exists in the database
ANYDB.NSF and is returned to the user when the user encounters an
error.
Users must have Reader access to the Domino Configuration
(DOMCFG.NSF) database and Any database (ANYDB.NSF).
You can create custom error pages that apply to the entire server, a
specific Web site, or specific databases. If you have a custom error page
configured for a specific database, it overrides the server-wide and Web
site specific custom error pages. If you have a Web site specific custom
error page configured, it overrides the server-wide custom error message.
Creating custom Web server messages
Complete these procedures:
1. Create the Domino Configuration database.
2. Customize the Web server messages.
Creating the Domino Configuration database
You use the Domino Configuration database to map custom messages
that you create. These messages can be those that browser users receive
when they access a Web application, or they can be custom HTML pages
that you use to authenticate Web users with a name and password.
For information on customizing HTML pages for name-and-password
authentication, see the chapter “Setting Up Name-and-Password and
Anonymous Access to Domino Servers.”
1. Make sure the Web server exists.
2. From the Domino Administrator, choose File - Database - New.
3. Under Server, enter the name of the Domino server on which you
want to create this database.
4. Select the Domino Web Server Configuration template
(DOMCFG5.NTF) from the Advanced Templates list.
5. Under Title, enter a name for the database.
6. Under File name, enter DOMCFG.NSF.
Note The database must have this file name.
7. Click OK.
8. Add an entry named Anonymous to the database ACL and give the
entry Reader access.
9. Map custom Web server messages.
Mapping custom Web server messages
You can change the message users receive when they encounter an error
or delete a document while working with a site on the Web server.
1. Make sure the Domino Configuration database exists.
2. Open the database that will store the customized messages.
You can store custom messages in DOMCFG.NSF or in any database
on the server.
3. Using Domino Designer, create a form that contains the message you
want to display, and save the form.
4. Repeat Steps 2 and 3 for each custom message. The forms can exist in
the same database or in separate databases.
5. Select the Error & Response Mappings view and then click Add
Mapping.
6. Do one of the following:
• Choose “All Web Sites/Entire Server” to customize a message for all Web sites on the server.
• Choose “Specific Web Site/Virtual Server” and enter the host name or IP address for the Web site. The custom messages will then only apply to the specified Web Site or virtual server.
7. (Optional) Enter a comment about the error message or response.
8. For each type of error or response, under “Target Database,” enter
the name of the database that contains the form you want to display.
9. For each type of error or response, under “Target Form,” enter the
name of the form you want to display.
10. Save the Error Message Response Mapping document.
11. In the ACL for the database that contains the forms, assign Author
access to the server that stores the database.
For information on creating forms and customizing Web server messages
for a specific database on a server, see Application Development with
Domino Designer.
Example of custom Web server messages
This Error Message & Response Mapping document uses forms stored in
the database named MESSAGES.NSF on the current server. These forms
contain custom messages for authentication and authorization failures
and for responses to document deletions. For all other general error
messages, Domino displays the default message text stored in the
Domino Configuration database.

Improving Web server performance


After you set up the Domino Web server and make sure that it runs
properly, check the server’s performance and response time. To improve
server performance and response time, you can do any of the following:
• Manage the memory cache on the Web server.
• Specify network timeouts on the Web server.
• Specify the number of threads used by the Web server.
• Improve file-download performance for Web clients.
• Specify whether more than one Web application agent can run at one
time, as well as the timeout period for all Web application agents.
• Restrict the amount of data that users can send to the server using
the HTTP POST command.
• Set up the Domino Web server in a cluster.
For more information on improving clustered Web server performance,
see Administering Domino Clusters.
Managing the memory cache on the Web server
Mapping information about databases and authenticating users can take
time. To optimize response time, Domino uses a memory cache
(command cache) to store this information. The memory cache stores the
information for quick access.
For more information, see the chapter “Monitoring the Domino System.”
For more information on tuning the performance of an application, see
Application Development with Domino Designer.
To manage memory cache on a Web server
1. Open the Server document you want to edit and click Edit Server.
2. Choose Internet Protocols - Domino Web Engine. Under Memory
Caches, complete these fields:

Field Action
Maximum cached designs
Enter the number of database design elements to cache for users. The
default is 128. When a user opens a database, Domino maps each design
element name to an identification number. This mapping procedure takes
time. Use this field to specify how many elements you want to store in
memory so the next time a user accesses that element, it is immediately
available.
Maximum cached users
Enter the number of users to cache. The default is 64. After a user
successfully authenticates with a server, Domino stores in memory the
user’s name, password, and the list of groups to which the user belongs.
Use this field to increase the number of users for whom Domino stores
this information.
Cached user expiration interval
Enter the time interval in seconds during which Domino regularly
removes user names, passwords, and group memberships from the cache.
The default is 120. Remove user names, passwords, and group
memberships from the cache periodically to force Domino to look up
credentials in the directory the next time those users access the server.
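The practical consequence of the two user-cache fields is that a credential change in the directory (a reset Internet password, a group removal) is not seen by the Web server until the cached entry expires, so the expiration interval is also the revocation lag. The following Python model is an added example, not Domino code; the directory records, the per-entry expiry and the oldest-first eviction are assumptions made to illustrate the two settings.

```python
import time
from collections import OrderedDict, namedtuple

# Constructed directory records for the example: name -> (Internet password, groups).
# A stand-in for a Person document lookup, not Domino's real directory API.
DIRECTORY = {
    "Joe Smith/CorpSales": ("s3cret", ["Sales", "AllStaff"]),
    "Ann Lee/CorpSales": ("pa55word", ["Finance", "AllStaff"]),
}

CacheEntry = namedtuple("CacheEntry", "password groups stored_at")


class FakeClock:
    """Deterministic clock so the expiration behaviour can be shown without sleeping."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class UserCache:
    """Bounded credential cache modelled on the 'Maximum cached users' and
    'Cached user expiration interval' fields. Assumed semantics: an entry is
    stored only after a successful directory authentication, is discarded once
    it is older than `expiration` seconds, and the oldest entry is evicted when
    more than `max_users` entries exist."""

    def __init__(self, directory, max_users=64, expiration=120, clock=time.monotonic):
        self.directory = directory
        self.max_users = max_users
        self.expiration = expiration
        self.clock = clock
        self._entries = OrderedDict()   # name -> CacheEntry, oldest first
        self.directory_lookups = 0      # counts the slow path for demonstration

    def authenticate(self, name, password):
        """Return the user's group list on success, or None on failure."""
        now = self.clock()
        entry = self._entries.get(name)
        if entry is not None and now - entry.stored_at >= self.expiration:
            del self._entries[name]     # expired: force a fresh directory lookup
            entry = None
        if entry is not None:
            # Fast path: compare against the cached password (assumption: a
            # mismatch is simply a failure and does not refresh the entry).
            return list(entry.groups) if password == entry.password else None
        self.directory_lookups += 1
        record = self.directory.get(name)
        if record is None or record[0] != password:
            return None
        self._entries[name] = CacheEntry(password, list(record[1]), now)
        while len(self._entries) > self.max_users:
            self._entries.popitem(last=False)   # evict the oldest entry
        return list(record[1])


def revocation_lag_demo():
    """Change a password in the directory and show when the cache notices.
    Returns (old password accepted at 60 s, old password accepted at 120 s,
             new password accepted at 120 s, directory lookups performed)."""
    clock = FakeClock()
    directory = dict(DIRECTORY)
    cache = UserCache(directory, max_users=64, expiration=120, clock=clock)
    cache.authenticate("Joe Smith/CorpSales", "s3cret")      # directory lookup, then cached
    cache.authenticate("Joe Smith/CorpSales", "s3cret")      # cache hit
    directory["Joe Smith/CorpSales"] = ("n3w-pass", ["Sales", "AllStaff"])
    clock.advance(60)
    stale_at_60 = cache.authenticate("Joe Smith/CorpSales", "s3cret") is not None
    clock.advance(60)                                        # entry is now 120 s old
    stale_at_120 = cache.authenticate("Joe Smith/CorpSales", "s3cret") is not None
    new_at_120 = cache.authenticate("Joe Smith/CorpSales", "n3w-pass") is not None
    return stale_at_60, stale_at_120, new_at_120, cache.directory_lookups


if __name__ == "__main__":
    print(revocation_lag_demo())   # (True, False, True, 3)
```

Run as written, the old password is still accepted 60 seconds after it was changed and is refused only once the 120-second entry has expired; lowering the interval shortens that window at the cost of more directory lookups, which is the trade-off the two fields expose.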

Specifying network time-outs on the Web server


Open, inactive sessions can prevent users from accessing the server.
Specify time limits for activities between the Domino Web server and
clients or CGI programs so connections do not remain open if there is no
network activity between them.
To specify network time-outs on the Web server
1. Open the Server document you want to edit and click Edit Server.
2. Click Internet Protocols - HTTP. In the Timeouts section, complete
these fields:

Field Action
HTTP persistent connection
Specify whether you want to enable persistent HTTP connections on the
Web server. These connections remain active under the following
conditions:
• HTTP protocol is 1.1.
• The server application returns an HTTP response code less than 400.
(If the server application returns an HTTP response code greater than
or equal to 400, the connection will be closed by the server.)
• The HTTP request did come through a proxy server.
• The client did not send a connection close header.
• The number of connections that the server can support is running
low, or the number of connections queued for the thread processing
the request is too large.
If the connection is kept open, then the following settings apply:
• The connection will be closed if the maximum number of requests
per connection is exceeded.
• The connection will be closed if the persistent time-out is exceeded.
• The connection will be closed if no data is received by the server
within the specified input timeout.
• The connection will be closed if a complete request is not received
within the specified request timeout.
Note Persistent connections require more server overhead than
connections that are limited by network activity.
Maximum requests per persistent connection
Specify the maximum number of HTTP requests that can be handled on
one persistent connection. The default is 5.
Persistent connection timeout
Specify the length of time for which you want persistent connections to
remain active. The default is 180 seconds.
Request timeout
Specify the amount of time for the server to wait to receive an entire
request. The default is 60 seconds. If the server doesn’t receive the entire
request in the specified time interval, the server terminates the
connection.
Input timeout
Enter the time, in seconds, that a client has to send a request after
connecting to the server. The default is 15 seconds. If no request is sent in
the specified time interval, then the server terminates the connection. If
only a partial request is sent, the input timer is reset to the specified time
limit in anticipation of the rest of the data arriving.
Output timeout
Enter the maximum time, in seconds, that the server has to send output
to a client. The default is 180 seconds.
CGI timeout
The maximum time, in seconds, that a CGI program started by the server
has to finish. The default is 180 seconds.
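The input timeout and the request timeout interact in a way that is easy to misread from the table: the input timer restarts every time any data arrives, so a client that trickles a byte at a time never trips it, while the request timer counts from the moment of connection and bounds the whole request regardless. The simulation below is an added example, not Domino code; the traffic traces are constructed and the end-of-headers test is a simplification of real request parsing.

```python
# Constructed traffic traces: each chunk is (seconds since the client connected, bytes).
END_OF_HEADERS = b"\r\n\r\n"


def read_request(chunks, input_timeout=15.0, request_timeout=60.0):
    """Simulate the server reading one HTTP request from a connection.

    The input timer fires if no data arrives for `input_timeout` seconds and is
    reset every time data does arrive (a partial request keeps it alive).
    The request timer fires once `request_timeout` seconds have passed since
    the connection was opened, however steadily data trickles in.
    Returns (status, bytes_received) with status one of
    'complete', 'input_timeout', 'request_timeout'.
    """
    buf = b""
    input_deadline = input_timeout        # reset on every chunk
    request_deadline = request_timeout    # fixed at connect time
    for arrival, data in chunks:
        # Whichever timer fires first decides how the connection is closed.
        if arrival > min(input_deadline, request_deadline):
            if input_deadline <= request_deadline:
                return "input_timeout", buf
            return "request_timeout", buf
        buf += data
        if END_OF_HEADERS in buf:
            return "complete", buf
        input_deadline = arrival + input_timeout
    # The trace ended without a full request: the server eventually closes
    # the connection on whichever timer fires first.
    if input_deadline <= request_deadline:
        return "input_timeout", buf
    return "request_timeout", buf


# Traces (constructed for the example).
NORMAL = [(0.5, b"GET /mail/jsmith.nsf?OpenDatabase HTTP/1.1\r\n"
                b"Host: mydomino.server.com\r\n\r\n")]
SILENT = []                                            # connects, never sends anything
STALLED = [(5.0, b"GET /mail/jsmith.nsf HTTP/1.1\r\n"),  # sends a line, then goes quiet
           (30.0, b"Host: mydomino.server.com\r\n\r\n")]
TRICKLE = [(t, b"X") for t in range(10, 80, 10)]       # one byte every 10 s for 70 s


if __name__ == "__main__":
    for name, trace in [("normal", NORMAL), ("silent", SILENT),
                        ("stalled", STALLED), ("trickle", TRICKLE)]:
        print(name, read_request(trace)[0])
```

With the defaults, the silent and stalled clients are dropped by the 15-second input timer, while the trickling client survives the input timer and is cut off by the 60-second request timer instead; that second limit is the one that matters for a client that deliberately sends a request very slowly.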

Running Web agents


You can specify whether Web application agents — that is, agents
triggered by browser clients — can run at the same time. These include
application agents invoked by the WebQueryOpen and WebQuerySave
form events, and for agents invoked by the URL command
“OpenAgent.” If you choose to enable this option, the agents run
asynchronously. Otherwise, the server runs one agent at a time.
You should set an execution time limit for Web application agents. The
purpose of the time limit is to prevent Web agents from running
indefinitely and using server resources. However, do not rely on this
mechanism for the routine shutdown of agents. When the server shuts
down an offending agent, resources that the agent was using (such as
disk files) may be left open.
To run Web application agents
1. Open the Server document you want to edit.
2. Choose Internet Protocols - Domino Web Engine. Under Web
Agents, complete these fields:

Field Enter
Run Web agents concurrently?
Choose one:
• Enabled — To allow more than one agent to run on the Web server at
the same time (asynchronously)
• Disabled (default) — To run only one agent at a time (serially)
Web agent timeout
The maximum number of seconds (elapsed clock time) for which a Web
application agent is allowed to run. If you enter 0 for the value (default
value), Web application agents can run indefinitely.
Note This setting has no effect on scheduled agents or other types of
server or workstation agents.

Specifying the number of threads used by the Web server


An HTTP request is processed by a thread. A thread, in turn, can handle
a number of network connections. You can specify the number of threads
the Web server can process. In general, the number of threads specified is
an indication of the number of users who can access the server
simultaneously.
If the number of active threads is reached, the Domino server queues
new requests until another request finishes and threads become
available. The more power your machine has, the higher the number of
threads you should specify. If your machine spends too much time on
overhead tasks, such as swapping memory, specify a lower number of
threads.
To specify the number of threads used by the Web server
1. Open the Server document you want to edit, and click Edit Server.
2. Click the Internet Protocols - HTTP tab.
3. Under Basics, enter a number for “Number active threads.” The
default is 40.
Improving file-download performance for Web clients
Web clients can download a file that is attached to a page or that is in a
server directory that is mapped by a URL. If a client is using a product
that supports byte-range serving (available in HTTP 1.1 and higher) the
client downloads the file in sections — ranges of bytes — and tracks the
progress of each file download. If an interruption occurs, the client can
resume the download from the point where it was interrupted. Without
byte-range serving, users must repeat interrupted downloads from the
beginning.
Domino is compatible with clients that support the HTTP 1.1
specification. The clients may be implemented in a variety of ways — for
example, as browser plug-ins, applets, or stand-alone programs.
Attached files must be decompressed so that clients that support
byte-range serving can access them. When you attach a file, you must
deselect the Compress option. To verify that an existing attachment is
decompressed, from a Notes client choose File - Document Properties,
select the $FILE item, and verify that the Compression Type property is
NONE.
Example of downloading a file from the server's file system
The file INSTALL.EXE is located in a directory that is enabled for
downloading using a URL-mapping. A GetRight 3.1 client can use the
following URL to download the file:
http://hostname/install.exe
where hostname is the name of the site.
If the download is interrupted, the client can restart the download from
the point where it was interrupted.
Example of downloading a file attachment
A user can download a PDF file one page at a time if the PDF file is
attached to a document and the user has set the configuration option in
Adobe Acrobat to download a page at a time. Downloading one page at
a time can greatly improve performance if the user is interested in only a
portion of a large file. For example, a user accesses the PROJECT.PDF file
using the following URL:
http://hostname/dbname/viewUNID/docUNID/$FILE/project.pdf
where hostname is the name of the site, dbname is the name of the
database that stores the attachment, viewUNID is the Universal ID of the
view for the attachment, and docUNID is the Universal ID of the
document to which the file is attached.
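The mechanism the two examples rely on is the HTTP/1.1 Range header: the client asks for a byte range, the server answers 206 with a Content-Range header and only that slice, and an unsatisfiable range gets 416. The Python below is an added example of that exchange, not Domino code; the sample file is constructed, and treating a compressed attachment as not range-servable (plain 200, no Accept-Ranges) is an assumption that models the Compress caveat above.

```python
import re

RANGE_RE = re.compile(r"bytes=(\d*)-(\d*)$")

# Constructed stand-in for INSTALL.EXE: 100 bytes with a recognisable pattern.
SAMPLE_FILE = b"0123456789" * 10


def parse_range(header, size):
    """Parse a single 'bytes=first-last' Range header (HTTP/1.1).
    Returns an inclusive (start, end) pair, or None when the header is
    malformed or cannot be satisfied for a resource of `size` bytes."""
    m = RANGE_RE.match(header.strip())
    if m is None:
        return None
    first, last = m.groups()
    if first == "" and last == "":
        return None
    if first == "":                          # suffix form: the last N bytes
        n = int(last)
        if n == 0:
            return None
        start, end = max(size - n, 0), size - 1
    else:
        start = int(first)
        end = size - 1 if last == "" else min(int(last), size - 1)
    if start >= size or start > end:
        return None
    return start, end


def serve(content, range_header=None, compressed=False):
    """Server side: return (status, headers, body) for a download request.
    `compressed=True` models an attachment stored with the Compress option;
    assumed behaviour: it is always sent whole and ranges are not advertised."""
    size = len(content)
    if compressed or range_header is None:
        return 200, {"Content-Length": str(size),
                     "Accept-Ranges": "none" if compressed else "bytes"}, content
    rng = parse_range(range_header, size)
    if rng is None:
        return 416, {"Content-Range": "bytes */%d" % size}, b""
    start, end = rng
    return 206, {"Content-Range": "bytes %d-%d/%d" % (start, end, size),
                 "Content-Length": str(end - start + 1),
                 "Accept-Ranges": "bytes"}, content[start:end + 1]


def resume_download(content, already_received):
    """Client side: continue an interrupted download from the next byte,
    falling back to a full download if the server will not serve a range."""
    if len(already_received) >= len(content):
        return already_received
    status, headers, body = serve(content, "bytes=%d-" % len(already_received))
    if status != 206:
        return serve(content)[2]
    return already_received + body


if __name__ == "__main__":
    status, headers, body = serve(SAMPLE_FILE, "bytes=0-9")
    print(status, headers["Content-Range"], body)      # 206 bytes 0-9/100 b'0123456789'
    print(resume_download(SAMPLE_FILE, SAMPLE_FILE[:37]) == SAMPLE_FILE)   # True
```

The `resume_download` function is the client half of the first example: after an interruption it requests `bytes=<received>-` and appends the 206 body, which is why the download restarts where it stopped rather than from the beginning.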

Chapter 35
Setting Up Domino to Work with Other Web
Servers
This chapter describes how to set up Domino to process requests from
other types of Web servers.
Setting up Domino to work with other Web servers
Back-end Domino 6 servers can receive, and respond to, requests from
front-end IBM HTTP Servers (IHS) or from Microsoft Internet Information
Servers (IIS). For this communication to occur, the appropriate
WebSphere Application Server (WAS) 4.0.3 or later plug-in must be
installed on the front-end server. These plug-ins recognize HTTP requests
for Domino applications and pass them along to the Domino server. Other
HTTP requests will be handled by the front-end server itself.
A typical scenario is for the front-end server to be outside a firewall. The
front-end server receives requests from Web users, the plug-in relays the
requests over HTTP, through the firewall, to the HTTP task on the
back-end Domino 6 server. The Domino 6 server then processes the
request and sends the reply back to the plug-in, which relays it to the user.
A plug-in can be configured to support any number of backend servers.
Since Domino uses the same plugins as WebSphere, you can also
combine Domino and WebSphere servers. For example, a Domino server
hosting a mail application and a WebSphere server hosting a J2EE
application could both be placed behind the same IIS front-end server.
The backend Domino server can be on any supported operating system
platform. The following front-end servers are supported:
IBM HTTP Server on AIX, Windows NT 4.0, and Windows 2000 Server.
Microsoft IIS on Windows NT 4.0 and Windows 2000 Server.
The plug-in files are packaged with the Domino 6 server and their use is
covered by your Domino license. You do not need to install any other
WebSphere components to use the Microsoft IIS plug-in. However, to use
the IHS plug-in you must install the IHS components of WebSphere on
the front-end server.
The following features are supported for the Domino back-end servers:
core Domino database functionality, Lotus iNotes Web Access, Lotus
Domino Off-Line Services (DOLS), Lotus Discovery Server™. Additional
Domino products may also be supported; refer to the product
documentation for details.
Setting up Domino to work with IBM HTTP servers
The IBM HTTP Server (IHS) is packaged as part of the WebSphere
server. For information on installing IHS and the WebSphere server see
the WebSphere installation documentation. Installing the plug-in is an
option during WebSphere installation. For information on installing the
plug-in during WebSphere setup, see the WebSphere installation
documentation.
The plug-in files are also packaged with the Domino 6 server. If the
plug-in was not installed during WebSphere installation, the
administrator can copy the plug-in files from the Domino 6 server.
To install the WebSphere plug-in from Domino
1. Install a Domino 6 server. The plug-in files are packaged with the
server.
2. On the IHS server, create the appropriate directory structure.
For AIX:
/usr/WebSphere/AppServer/bin
/usr/WebSphere/AppServer/config
/usr/WebSphere/AppServer/logs
For Win32 (you can use any drive):
c:\WebSphere\AppServer\bin
c:\WebSphere\AppServer\config
c:\WebSphere\AppServer\logs
Note The rest of these instructions assume you are using an AIX
server.
3. Copy the following files from the Domino server to the IHS server:
Copy <Domino data directory>/domino/plug-ins/aix/mod_ibm_app_server_http.so
to /usr/WebSphere/AppServer/bin
Copy <Domino data directory>/domino/plug-ins/plugin-cfg.xml to
/usr/WebSphere/AppServer/config
4. On the IHS server, edit the IHS configuration file httpd.conf (on a
default installation this file is located at
/usr/HTTPServer/conf/httpd.conf). Add the following lines to the
bottom of the file:
LoadModule ibm_app_server_http_module
/usr/WebSphere/AppServer/bin/mod_ibm_app_server_http.so
WebSpherePluginConfig
/usr/WebSphere/AppServer/config/plugin-cfg.xml
5. Modify the plugin-cfg.xml file according to the instructions for
configuring the WebSphere plug-in.
6. Set up the Domino server according to the instructions for IIS.
7. Restart the IHS server and test your installation.
Testing the IHS installation
To test your IHS server with plug-in:
1. Start Domino.
2. To verify that the Domino server HTTP task is functional, from a
browser enter the URL:
http://<domino server name:http port>/homepage.nsf
(or any other NSF request supported by your Domino Web
application). This request should be sent directly to the Domino
server, and the Domino HTTP task should respond with the expected
page.
3. Start the front-end Web server.
4. To verify that the frontend server is functional and that the plug-in is
working, in the browser enter:
http://<frontend-server:http port>/homepage.nsf.
This request should be sent to the front-end server; the WebSphere
plug-in should relay it to the Domino server. The resulting page
should look identical to Step 2.
Setting up Domino to work with Microsoft IIS servers
To use a Microsoft IIS server as a front-end machine, you must install the
WebSphere Application Server 4.0.3 plug-in for IIS on the IIS server. The
plug-in files are packaged with the Domino 6 server and must be copied
from the Domino server to the IIS server. After you copy the plug-in files,
you must configure the plug-in, then configure the Domino server to
work with the plug-in IIS. You do not need to install any other
WebSphere components to use the Microsoft IIS plug-in.
See the following topics:
• To install the WebSphere plug-in on an IIS server
• To configure the WebSphere plug-in
• To configure the Domino server to work with Microsoft IIS
• Setting up security for Microsoft IIS
• Details of Microsoft IIS security options
To install the WebSphere plug-in on an IIS server
Do the following to install the WebSphere plug-in on the IIS server and
enable it for a Web site. Before beginning this procedure, you should be
familiar with the Internet Services Manager configuration tool. On
Windows NT this tool is accessed through the Microsoft Management
Console.
1. Create the following directory structure on the IIS machine (you may
use any drive):
C:\WebSphere\AppServer\bin
C:\WebSphere\AppServer\config
C:\WebSphere\AppServer\etc
C:\WebSphere\AppServer\logs
2. Copy the following files from the Domino server to the IIS server:
a. Copy data/domino/plug-ins/plugin-cfg.xml to
c:\WebSphere\AppServer\config.
b. Copy data/domino/plug-ins/w32/iisWASPlugin_http.dll to
c:\WebSphere\AppServer\bin.
c. Copy data/domino/plug-ins/w32/plug-in_common.dll to
c:\WebSphere\AppServer\bin.
3. Start the Internet Service Manager application.
4. Create a new Virtual Directory for the Web site instance you want to
work with WebSphere. To do this with a default installation, expand
the tree on the left until you see “Default Web Site.” Right click on
“Default Web Site” and select New - Virtual Directory. This opens
the wizard for adding a Virtual Directory.
5. In the Alias field, enter “sePlugins.”
6. In the Directory field, browse to the WebSphere bin directory
(C:\WebSphere\AppServer\bin).
7. For access permissions, check and uncheck all other permissions.
8. Click Finish. A virtual directory titled “sePlugins” is added to your
default Web site.
9. Right click the machine name in the tree on the left and select
Properties.
10. On the “Internet Information Services” tab, select “WWW Service” in
the “Master Properties” drop down box and click Edit.
11. In the “WWW Service Master Properties” window, click the “ISAPI
Filters” tab.
12. Click Add. This opens the “Filter Properties” dialog.
13. In the “Filter Name:” field, type “iisWASPlugin.”
14. In the “Executable:” field, click Browse. Open the WebSphere bin
directory and select “iisWASPlugin_http.dll.”
15. Close all open windows by clicking OK.
16. Open the Windows registry file and create the following key path:
HKEY_LOCAL_MACHINE - SOFTWARE - IBM - WebSphere
Application Server - 4.0. Select 4.0 and create a new string value
“Plug-in Config”. Set the value for this variable to the location of the
plugin-cfg.xml file (C:\WebSphere\AppServer\config\
plugin-cfg.xml)
17. To enable the plug-in for additional Web sites, repeat Steps 4
through 8.
To configure the WebSphere plug-in
The WebSphere configuration file WebSphere\AppServer\config\
plugin-cfg.xml controls the operation of the plug-in. In order for the
plug-in to relay requests to the target Domino server, you must add
directives to plugin-cfg.xml to define a transport route to the server, and
pattern rules for the URL namespaces that identify requests which are to
be relayed to Domino. The plug-in will only relay requests that match a
namespace rule. All other requests will be handled by the front-end Web
server.
To configure plugin-cfg.xml
1. Open plugin-cfg.xml in Notepad.
2. Modify the <Transport> element to target the appropriate Domino
server. To do this, change the Hostname and Port parameters to the
proper values required for the plug-in to reach your backend server’s
HTTP task. For example:
<!-- Server groups provide a mechanism of grouping
servers together. -->
<ServerGroup Name="default_group">
<Server Name="default_server">
<!-- The transport defines the hostname and
port value that the web server
plug-in will use to communicate with the
application server. -->
<Transport Hostname="mydomino.server.com"
Port="81" Protocol="http"/>
</Server>
</ServerGroup>
3. Add these directives to the top of the <UriGroup> section. These
directives specify common URL patterns needed for accessing
Domino Web applications.
<UriGroup Name="default_host_URIs">
<Uri Name="/*.nsf*"/>
<Uri Name="/icons/*"/>
<Uri Name="/domjava/*"/>
If your Domino application requires additional namespaces, you can
create <Uri> directives for those patterns also.
Note All the WAS plug-ins automatically reread the configuration file
once a minute to pick up changes. If you don’t want to wait that long,
you must stop and restart the front-end Web server. In the case of the IIS
plug-in, you must stop the World Wide Web Publishing Service from the
Windows services control panel, then restart the Web site from the
Internet Services Manager. Just stopping and restarting the Web site by
itself won’t work because the plug-in DLL won’t be reloaded.
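Because the plug-in relays only requests that match a Uri pattern and leaves everything else to the front-end server, it is worth checking a plugin-cfg.xml edit against the URLs you expect to reach Domino before restarting the Web site. The script below is an added example, not part of WebSphere or Domino: it reads a reduced, constructed plugin-cfg.xml containing only the elements shown in the procedure (the real file has more sections), and the "`*` matches any run of characters" rule is an assumption about the plug-in's pattern matching.

```python
import re
import xml.etree.ElementTree as ET

# Reduced, constructed plugin-cfg.xml with the Transport and Uri directives
# from the procedure above. The real file contains additional sections.
PLUGIN_CFG = """<?xml version="1.0"?>
<Config>
  <ServerGroup Name="default_group">
    <Server Name="default_server">
      <Transport Hostname="mydomino.server.com" Port="81" Protocol="http"/>
    </Server>
  </ServerGroup>
  <UriGroup Name="default_host_URIs">
    <Uri Name="/*.nsf*"/>
    <Uri Name="/icons/*"/>
    <Uri Name="/domjava/*"/>
  </UriGroup>
</Config>
"""


def pattern_to_regex(pattern):
    """Turn a Uri pattern into a regex: '*' matches any run of characters and
    everything else is literal (assumed plug-in matching semantics)."""
    return re.compile("^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$")


def load_plugin_config(xml_text):
    """Return (transports, uri_patterns) from a plugin-cfg.xml document.
    transports is a list of (hostname, port, protocol) tuples."""
    root = ET.fromstring(xml_text)
    transports = [(t.get("Hostname"), int(t.get("Port")), t.get("Protocol"))
                  for t in root.iter("Transport")]
    patterns = [u.get("Name") for u in root.iter("Uri")]
    return transports, patterns


def route(url_path, transports, patterns):
    """Decide who serves a request. Returns ('relay', transport, pattern) when
    a Uri pattern matches the path (query string excluded), otherwise
    ('local', None, None): the front-end server handles it itself."""
    path = url_path.split("?", 1)[0]
    for pattern in patterns:
        if pattern_to_regex(pattern).match(path):
            return "relay", transports[0], pattern
    return "local", None, None


if __name__ == "__main__":
    transports, patterns = load_plugin_config(PLUGIN_CFG)
    for url in ["/homepage.nsf", "/mail/jsmith.nsf/($Inbox)?OpenView",
                "/icons/actn010.gif", "/default.asp", "/nsfstuff/x.html"]:
        print(url, "->", route(url, transports, patterns)[0])
```

The last two sample URLs stay on the front-end server: `/default.asp` matches no rule, and `/nsfstuff/x.html` does not match `/*.nsf*` because the pattern requires a literal `.nsf`. Any Domino URL that prints `local` here needs its own `<Uri>` directive.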
To configure the Domino server to work with Microsoft IIS
On the back-end Domino server, add the following line to NOTES.INI:
HTTPEnableConnectorHeaders=1
This setting enables the Domino HTTP task to process the special headers
added by the plug-in to requests. These headers include information
about the frontend server’s configuration and user authentication status.
As a security measure, the HTTP task ignores these headers if the setting
is not enabled. This prevents an attacker from mimicking a plug-in.
Setting up security for Microsoft IIS
When you have set up an IIS plug-in and a Domino backend server, Web
applications are subject to both IIS security and Domino security. After
IIS authenticates a user based on the NT Windows account registry, those
credentials, if any, are passed to Domino for user authorization.
Microsoft IIS supports four methods of user authentication. The Domino
plug-in configuration supports all except Digest authentication.
• Anonymous access (the user does not enter a name or password)
• Basic Authentication (the user enters a name and password)
• Digest authentication (an enhanced version of Basic authentication
available only on Windows 2000). The Domino plug-in configuration
does not support this authentication method.
• Integrated Windows authentication (a special protocol supported by
Microsoft Internet Explorer. On NT, this protocol is called Windows
NT Challenge/Response)
• SSL
IIS requires user authentication in order to control access to resources
owned by IIS such as the file system and Active Server Pages. If a user
requests access to a Domino resource, the IIS plug-in passes the
authentication information to Domino. The information passed depends
on the combination of authentication methods enabled on IIS. After the
information is passed, Domino authenticates the user according to the
procedures discussed in the topic “Details of Microsoft IIS security.” All
of the Domino directory options are available, such as using multiple
Domino Directories and LDAP directories.
For information on setting up security options on the Domino server, see
the chapter “Planning Security.”
To set up security on the IIS server:
1. Start the Internet Services Manager (or Microsoft Management
Console on NT).
2. Right-click the IIS Web site and select Properties.
3. Click the Directory Security tab.
4. Click Edit in the Anonymous Access and Authentication Control
section.
5. Choose one or more of the authentication options and click OK.
Details of Microsoft IIS security options
Anonymous Access
Anonymous Access lets Web users access a Web site without a user name
or password. IIS always maps anonymous Web users to a specific NT
anonymous user account, which you can configure. If Anonymous
Access is the only IIS authentication method enabled, IIS does not use
any user credentials — that is, a user name and password — sent by the
browser for authentication, but the IIS plug-in passes the credentials to
Domino, and Domino will authenticate the user according to the normal
procedure for Web users. If an anonymous user attempts to access a
Domino resource that requires authentication, Domino will respond
appropriately according to the security options you have set for the
Domino Web site (a Basic name-and-password challenge, or a session
authentication login page). Therefore, if you want Domino to completely
handle user authentication, you should enable Anonymous Access as the
only security option for the IIS Web site.
For information, see the chapter “Setting Up Name-and-Password and
Anonymous Access to Domino Servers.”
Anonymous Access uses the following guidelines:
• The Web user does not need to be a registered NT user.
• If you want a user to access secure resources, the Web user must be a
registered Domino user and the user must have an Internet
password.
Basic Authentication
When using Basic Authentication, IIS verifies the user credentials that the
browser sends as a valid NT user account. If Basic Authentication is the
only IIS authentication method enabled, IIS requires all browser requests
to have credentials — anonymous access is not allowed. Whenever a user
sends a Domino request, the IIS plug-in passes the user name to Domino
and informs Domino that the user has been authenticated by IIS. Such a
user is called a “pre-authenticated” user. The plug-in passes the
pre-authenticated name exactly as the user entered it in the browser.
Domino then attempts to look up that name in its directories. Since IIS
has already verified the user’s password, Domino does not use the
Internet password stored in the user’s Person document or LDAP entry.
If Domino finds the name in a Domino Directory, then Domino uses the
primary name in the Person record for authorization (ACL checking). If
Domino does not find the name, then Domino uses the pre-authenticated
name as-is for authorization.
In both cases, Domino builds the user’s group list from the set of groups
in the Domino Directory which include the user as a member, and
Domino also adds the special group “-WebPreAuthenticated-” to the
group list. You may use -WebPreAuthenticated- as a group entry in
database ACLs and other access lists.
Note If you want to list IIS users by name in database ACLs, you must
be careful to use the correct form of the name. Use the primary name if
the user is listed in the Domino Directory, or the IIS pre-authenticated
name if the user is not in the directory. Remember that if a user is listed
by name in an ACL and is also a member of a group in the ACL
(including “-WebPreAuthenticated-” or any other group), the name entry
takes precedence over the group entry.
In summary, Basic Authentication uses the following guidelines:
• Anonymous access is not allowed.
• The Web user must be a registered NT user.
• The Web user does not have to be a registered Domino user.
• Domino does not use the user’s Internet password.
• The Web user is automatically assigned to the
-WebPreAuthenticated- group.
Integrated Windows Authentication (called Windows NT
Challenge/Response on NT)
Integrated Windows authentication is a Microsoft-specific protocol
supported by Internet Explorer (IE). When a Web user makes a request to
the site, IE automatically sends to IIS the user’s current Windows logon
account name. IIS verifies the name against the Windows registry on the
IIS server. When a user makes a Domino request, the IIS plug-in passes
to Domino the user’s Windows name and Domino processes the
pre-authenticated name as described above for Basic authentication.
Windows account names use the form domain\username or
machinename\username — for example, SALES\JSmith. If Domino is
using Person documents in the Domino Directory to authenticate the
Windows users, the documents must contain the exact Windows account
names as aliases. For example, if Joe Smith has a Notes ID in the
“CorpSales” domain and a Windows user account in the “SALES”
Windows domain, the User name field in Joe Smith’s Person document
needs to contain:
Joe Smith/CorpSales
SALES\JSmith
This allows Domino to authenticate the Windows user SALES\JSmith as
the Domino user Joe Smith/CorpSales.
In summary, integrated Windows authentication uses the following
guidelines:
• If this is the only authentication method enabled, only IE users can
access the Web site.
• Anonymous access is not possible since IE automatically sends the
user’s Windows account name on every request.
• The Web user must be a registered NT user.
• If you want to match the Windows user to a Domino Person
document, you need to add the user’s NT Windows account name as
an alias to the Person documents.
• Domino does not use the Internet password.
• The user is automatically assigned to the -WebPreAuthenticated-
group.
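The Basic Authentication and Integrated Windows sections describe one authorization path: the plug-in's headers are honoured only when HTTPEnableConnectorHeaders=1, the pre-authenticated name is mapped to a Person document's primary name if an alias matches (otherwise used as-is), the group list always gains -WebPreAuthenticated-, and a name entry in the ACL beats any group entry. The Python below is an added model of that path, not Domino code: the header name, the Person and Group documents, the ACL and the case-insensitive name comparison are constructed assumptions, and "highest level among several matching groups" is likewise an assumption the page does not state.

```python
ACCESS_LEVELS = ["No Access", "Depositor", "Reader", "Author",
                 "Editor", "Designer", "Manager"]

# Hypothetical header name standing in for the plug-in's connector header that
# carries the IIS-authenticated user name (the real header names are not given here).
PREAUTH_HEADER = "X-Connector-PreAuth-User"

# Constructed Person documents: the 'User name' field values, primary name first.
PERSONS = [
    ["Joe Smith/CorpSales", "SALES\\JSmith"],
    ["Ann Lee/CorpSales", "Ann Lee", "SALES\\ALee"],
]
# Constructed Group documents.
GROUPS = {
    "Sales": ["Joe Smith/CorpSales"],
    "Finance": ["Ann Lee/CorpSales"],
}

SAMPLE_ACL = {   # constructed database ACL
    "-Default-": "No Access",
    "Anonymous": "No Access",
    "-WebPreAuthenticated-": "Reader",
    "Sales": "Editor",
    "Joe Smith/CorpSales": "Author",
}


def preauthenticated_name(headers, connector_headers_enabled):
    """The plug-in's headers count only when HTTPEnableConnectorHeaders=1;
    otherwise they are ignored, so a client talking to Domino directly cannot
    impersonate the plug-in by sending the header itself."""
    if not connector_headers_enabled:
        return None
    return headers.get(PREAUTH_HEADER)


def resolve_name(preauth_name):
    """Map the name IIS verified to a directory primary name, falling back to
    the pre-authenticated name as-is when no Person document lists it.
    Comparison is case-insensitive here (assumption)."""
    wanted = preauth_name.lower()
    for names in PERSONS:
        if any(n.lower() == wanted for n in names):
            return names[0]
    return preauth_name


def group_list(name):
    """Groups that list the user, plus the group every IIS-authenticated user gets."""
    groups = [g for g, members in GROUPS.items()
              if any(m.lower() == name.lower() for m in members)]
    groups.append("-WebPreAuthenticated-")
    return groups


def effective_access(acl, name, groups):
    """A name entry takes precedence over any group entry; among several
    matching groups the highest level applies (assumption); else -Default-."""
    if name in acl:
        return acl[name]
    levels = [acl[g] for g in groups if g in acl]
    if levels:
        return max(levels, key=ACCESS_LEVELS.index)
    return acl.get("-Default-", "No Access")


def authorize(headers, acl, connector_headers_enabled=True):
    """Return (effective user name, access level) for a request relayed by IIS."""
    preauth = preauthenticated_name(headers, connector_headers_enabled)
    if preauth is None:
        # No usable pre-authentication: treated as Anonymous (Domino would then
        # apply its own name-and-password or session challenge if required).
        return "Anonymous", acl.get("Anonymous", acl.get("-Default-", "No Access"))
    name = resolve_name(preauth)
    return name, effective_access(acl, name, group_list(name))


if __name__ == "__main__":
    print(authorize({PREAUTH_HEADER: "SALES\\JSmith"}, SAMPLE_ACL))   # ('Joe Smith/CorpSales', 'Author')
    print(authorize({PREAUTH_HEADER: "CORP\\Unknown"}, SAMPLE_ACL))   # ('CORP\\Unknown', 'Reader')
```

Two things the run makes visible: Joe Smith gets Author, not the Editor his Sales group carries, because his name entry wins; and an IIS user with no Person document still gets Reader purely through -WebPreAuthenticated-, which is why that group's ACL level deserves the same scrutiny as -Default-.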
SSL
If you enable SSL on a Web server, IIS handles the actual SSL connection.
However, if a Web user provides a client certificate, the IIS plug-in
passes the certificate to Domino and Domino uses the certificate to
authenticate the user. If Domino cannot find a certificate for the user,
then Domino will downgrade the user to Anonymous access.
Chapter 36
Setting Up the Web Navigator
This chapter describes how to set up the server that runs the Web
Navigator and how to manage the information retrieved from the
Internet.
The Web Navigator
The Web Navigator lets Notes workstations access the Web, without
having a direct connection to the Internet. The Web Navigator server,
which has a direct connection to the Internet, retrieves pages for users.
The Web Navigator retrieves pages on Internet servers — for example,
servers that use Internet services such as HTTP, FTP, or Gopher.
When someone requests a new page, the Web Navigator server connects
to the Internet server, retrieves the requested page, and copies the page
as a document into the Web Navigator database (WEB.NSF). If the
requested page already exists in the database, Domino immediately
opens the document without requesting it again from the Internet server.
Using the Web Navigator provides many benefits, including:
• Reduced Internet connection costs. Storing all the retrieved Web
pages in a centralized database allows users to access the page on the
database instead of connecting to the Internet.
• Monitoring capabilities. You can monitor Web-based activity, if
needed.
• Simplified troubleshooting for Internet connections. You
troubleshoot only one connection instead of troubleshooting one
connection for each workstation.
• Familiar Notes interface. The retrieved Web pages are stored as
documents in a database where people can request, view, and
manage them using the Notes interface.

The following diagram shows the process the Web Navigator uses to
retrieve a page that a Notes client requests from a Web site.
Setting up a Web Navigator server
The first time you start the Web task, Domino creates the Web Navigator
database (WEB.NSF) and enters default settings for the Web Navigator
database.
1. Set up a Domino server.
For more information, see the chapter “Installing and Setting Up
Domino Servers.”
2. Start the Web task on the server.
3. Set up the connection between the server and the Internet.
For information on setting up the Internet connection, contact your
Internet Service Provider.
4. If necessary, use a proxy to connect the Web Navigator server to the
Internet.
5. Edit the Server document for the users’ home/mail server.
6. Set up users to use the Web Navigator.
Starting and stopping the Web Navigator program

To do this                                                     Perform this task
Start the Web Navigator manually                               Enter load web at the console.
Start the Web Navigator automatically when you start Domino    Edit the ServerTasks setting in the NOTES.INI file to include the command web.
Stop the Web Navigator                                         Enter tell web quit at the console.

For more information on server commands and NOTES.INI settings, see the appendices “Server Commands” and “NOTES.INI File.”
Using a proxy server to connect the Web Navigator to the Internet
You can set up the Web Navigator to connect to the Internet through a
proxy server instead of using an Internet Service Provider (ISP) to
connect directly to the Internet. If you don’t specify a proxy, you must
use a direct Internet connection to access the Internet.
1. Make sure that:
   • The proxy is set up to connect to the Internet.
   • The Web task is running on the server.
2. From the Domino Administrator, click the Configuration tab.
3. Expand the Server section and click All Server Documents.
4. Open the Server document for the Web Navigator server.
5. Click the Ports - Proxies tab, complete these fields, and then save the
document:

Field                                   Enter
HTTP proxy                              The name or IP address of the proxy and the port to access HTTP pages.
FTP proxy                               The name or IP address of the proxy and the port to access FTP pages.
Gopher proxy                            The name or IP address of the proxy and the port to access Gopher pages.
SSL Security proxy                      The name or IP address of the proxy and the port you want to go through for pages on Internet servers that use SSL.
HTTP Tunnel proxy                       Do not enter a value. This field is used to send Notes remote procedure calls (NRPC). NRPC is the architectural layer of Notes and Domino that controls services such as replication and mail. The Web Navigator does not use NRPC for communication.
SOCKs proxy                             The name or IP address of the proxy and the port. If you enter a name or IP address in both the SSL Security proxy and SOCKs proxy fields, Domino uses the SSL Security proxy. If you enter a name or IP address in both the HTTP proxy and SOCKs proxy fields, Domino uses the SOCKs proxy.
No proxy for these hosts and domains    The names of the hosts and domains you want to access without going through the proxy. You can bypass the proxy to access certain domains on the Internet or to access your internal intranet domain. Do not enter an IP address in this field; you must use the name. Separate multiple entries with commas or returns. You can use wildcard (*) characters, for example, *lotus.com or www.*.com.

6. Complete the procedure “Editing the Server document for the Web
Navigator.”
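As an added illustration (this is not code from the Domino documentation or the product), the following Python script models the proxy selection rules in the table above: an HTTPS request prefers the SSL Security proxy over the SOCKs proxy, an HTTP request prefers the SOCKs proxy over the HTTP proxy, and a host that matches an entry in “No proxy for these hosts and domains” bypasses every proxy. The field names map directly to the table; the host names and ports are invented, a bare domain entry such as lotus.com is assumed to cover its subdomains, and routing FTP and Gopher through the SOCKs proxy when no dedicated proxy is set is an assumption, since the table does not say.

```python
# Added example: models the Web Navigator proxy selection rules above.
# Not Lotus/Domino code. Host names and ports are invented for illustration.
import re
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from urllib.parse import urlsplit


@dataclass
class ProxySettings:
    """Values of the Ports - Proxies fields of a Server document (modelled)."""
    http_proxy: str = ""
    ftp_proxy: str = ""
    gopher_proxy: str = ""
    ssl_proxy: str = ""      # "SSL Security proxy"
    socks_proxy: str = ""    # "SOCKs proxy"
    no_proxy: list = field(default_factory=list)


_IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def parse_no_proxy(text):
    """Split the 'No proxy for these hosts and domains' field on commas or returns.
    The field takes names only, so an IP address is rejected rather than ignored."""
    entries = [e.strip().lower() for e in re.split(r"[,\r\n]+", text) if e.strip()]
    bad = [e for e in entries if _IPV4.match(e)]
    if bad:
        raise ValueError(f"IP addresses are not allowed in the no-proxy field: {bad}")
    return entries


def bypasses_proxy(host, no_proxy):
    """True when the host matches a no-proxy entry. '*' is a wildcard; a bare
    domain such as lotus.com is assumed to match its subdomains as well."""
    host = host.lower()
    for pattern in no_proxy:
        if fnmatchcase(host, pattern) or host == pattern or host.endswith("." + pattern):
            return True
    return False


def choose_proxy(url, settings):
    """Return (kind, proxy) for a URL; kind is direct, ssl, socks, http, ftp or gopher."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = parts.hostname or ""
    if bypasses_proxy(host, settings.no_proxy):
        return ("direct", "")
    if scheme == "https":
        # SSL Security proxy wins over SOCKs proxy when both are set
        if settings.ssl_proxy:
            return ("ssl", settings.ssl_proxy)
        if settings.socks_proxy:
            return ("socks", settings.socks_proxy)
        return ("direct", "")
    if scheme == "http":
        # SOCKs proxy wins over HTTP proxy when both are set
        if settings.socks_proxy:
            return ("socks", settings.socks_proxy)
        if settings.http_proxy:
            return ("http", settings.http_proxy)
        return ("direct", "")
    dedicated = {"ftp": settings.ftp_proxy, "gopher": settings.gopher_proxy}.get(scheme, "")
    if dedicated:
        return (scheme, dedicated)
    if settings.socks_proxy:          # assumption: SOCKs as fallback for FTP/Gopher
        return ("socks", settings.socks_proxy)
    return ("direct", "")             # no proxy configured: direct connection


if __name__ == "__main__":
    settings = ProxySettings(
        http_proxy="proxy.example.net:8080",
        ssl_proxy="sslproxy.example.net:8443",
        socks_proxy="socks.example.net:1080",
        no_proxy=parse_no_proxy("*.intranet.example, lotus.com"),
    )
    for url in ("https://www.ibm.com/", "http://www.ibm.com/",
                "http://www.lotus.com/", "http://wiki.intranet.example/"):
        print(url, "->", choose_proxy(url, settings))
```

The bypass check is the security-relevant part: a no-proxy entry with a wildcard such as *lotus.com also matches a host named evillotus.com, so keep bypass patterns as narrow as the table’s examples suggest.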
Editing the Server document for the Web Navigator
1. Make sure that you already set up the connection between the server
and the Internet. If necessary, use a proxy to connect the server to the
Internet.
2. From the Domino Administrator, click the Configuration tab.
3. Expand the Server section and then click All Server Documents.
4. Open the Server document for the Web Navigator server.
5. Click the Basics tab. Open the Server Location Information section
and go to the Servers section. Complete the InterNotes server field,
and save the document.

Field              Enter
InterNotes server  The hierarchical name of the server running the Web task. This is the default server to use if the InterNotes server field in the user’s Location document is blank.

6. Complete the procedure “Setting up users to use the Web Navigator.”
7. Restart the Web task on the server.
Setting up users to use the Web Navigator
You must specify the Web Navigator as the Internet browser for each
user. You can specify the browser in a policy, or you can set it
individually for each user.
Setting up users using a policy
If you are using policies, you can specify the browser setting as the
default for all users or groups. The option is located on the Basics tab of
the Setup Policy document, under “Setup Policy Options for Browsers.”
Complete each field using the information described in the procedure
“Setting up users individually.”
Setting up users individually
1. Edit the Server document for the Web Navigator server.
2. On each user’s machine, choose File - Mobile - Edit Current Location.
3. Click the Internet Browser tab and complete these fields:

Field                  Enter
Internet browser       Notes
Retrieve/open pages    “From InterNotes server” to use the Web Navigator server specified in the InterNotes server field on the Servers tab.

4. Click the Servers tab and complete this field:


Field              Enter
InterNotes server  The hierarchical name of the server running the Web task. The server you specify in this field takes precedence over the server specified in the InterNotes server field on the Server document.

To allow users to access private Web pages
When users fill out forms on the Web or pages from Internet servers to
which users authenticate, the Web Navigator encrypts those pages with
the user’s public key and stores the pages in private folders in the Web
Navigator database.
To ensure that the Web Navigator can encrypt these private pages, be
sure that users’ public keys exist in the Person documents in the Domino
Directory on the server. Domino automatically adds the user’s public key
to the Person document when you register the user.

Customizing the Web Navigator
After you set up the Web Navigator on a server, you can customize it as
follows:
• Allow multiple users to retrieve pages
• Control access to Web sites
• Control access to Internet services
• Set up the Web Navigator to retrieve pages from sites that are secured by SSL
• Send mail from Web pages to the Internet
For information, see the topics that follow.
Allowing multiple users to retrieve pages concurrently
You can specify the number of users who can use the Web Navigator to
retrieve pages concurrently. If users start more concurrent Web retrievals
than allowed, Domino queues them and starts them as soon as it can.
Increasing the number of users who can retrieve pages improves
response time, but increases the server load.
1. From the Domino Administrator, click the Configuration tab, and
then open the Server document for the Web Navigator server.
2. Click the Server Tasks - Web Retriever tab, complete this field, and
then save the document:

Field                   Enter
Concurrent retrievers   The number you enter depends on the system configuration for your server. If user access is slow because the number of users specified in this field is less than the number of users attempting to retrieve pages from the Internet, increase the number. Default is 50.

Controlling access to Web sites
You can control the Web sites that users access. For example, you might
want to prevent users from browsing sites that are not work-related.
When you specify access settings, keep these tips in mind:
• Use a DNS name rather than an IP address. Entering an IP address forces the Web Navigator to take extra steps to perform a Domain Name System (DNS) lookup. If the DNS cannot resolve an IP address, access to that site is denied.
• A more specific reference overrides a less specific reference. For example, if you enter www.*.com in the “Deny access” field and enter www.ibm.com in the “Allow access” field, users can access www.ibm.com but cannot access sites with names such as www.lotus.com.
• If you enter an identical reference in both the “Allow access” and “Deny access” fields, the “Allow access” entry overrides the “Deny access” entry.
• There is an implied [*] in the “Allow access” field at all times. This [*] allows access to all sites by default, unless you enter settings in the “Deny access” field to override this default.
To control access to Web sites
1. From the Domino Administrator, click the Configuration tab, and
then open the Server document for the Web Navigator server.
2. Click the Server Tasks - Web Retriever tab, complete these fields, and
then save the document:

Field                                   Enter
Allow access to these Internet sites    One or more of the following, separated by commas or spaces: • A DNS name, for example, www.lotus.com • An IP address, for example, 205.159.212.10 • A DNS name or IP address with a wildcard (*), for example, www.*.com. You can use only one wildcard per entry; for example, you cannot enter w*.*.com.
Deny access to these Internet sites     Same as above.

Controlling access to Internet services
You can control which Internet services users can access. The Web
Navigator supports HTTP, FTP, HTTPS, Gopher, and Finger.
1. From the Domino Administrator, click the Configuration tab, and
then open the Server document for the Web Navigator server.
2. Click the Server Tasks - Web Retriever tab, complete this field, and
then save the document:

Field      Enter
Services   One or more of the Internet services provided. The default is HTTP, FTP, and GOPHER.

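As an added illustration covering both “Controlling access to Web sites” and “Controlling access to Internet services” (this is not code from the Domino documentation or the product), the following Python script applies the precedence rules listed above: the implied [*] in “Allow access”, a more specific entry overriding a less specific one, an identical entry in both fields resolving to allow, one wildcard per entry, and the Services field gating the protocol before the site rules are consulted. “More specific” is modelled as the number of literal (non-wildcard) characters in the matching entry, which is an assumption about how the product ranks entries; IP-address entries are compared against an address the caller has already resolved, standing in for the DNS lookup the server performs.

```python
# Added example: models the Web Retriever 'Allow access', 'Deny access' and
# 'Services' checks described above. Not Lotus/Domino code.
# Assumption: "more specific" is measured as the number of literal (non-wildcard)
# characters in the matching entry; IP-address entries are compared with an
# address the caller has already resolved (the real server does the DNS lookup).
import re
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

DEFAULT_SERVICES = {"HTTP", "FTP", "GOPHER"}   # HTTPS and FINGER must be enabled explicitly


def parse_entries(text):
    """Split an Allow/Deny field on commas or spaces and enforce one wildcard per entry."""
    entries = [e.strip().lower() for e in re.split(r"[,\s]+", text) if e.strip()]
    for e in entries:
        if e.count("*") > 1:
            raise ValueError(f"only one wildcard is allowed per entry: {e}")
    return entries


def _specificity(candidates, entries):
    """Specificity of the most specific entry matching any candidate, or None."""
    best = None
    for entry in entries:
        for cand in candidates:
            if fnmatchcase(cand, entry):
                literal = len(entry.replace("*", ""))
                if best is None or literal > best:
                    best = literal
    return best


def site_allowed(host, allow_entries, deny_entries, resolved_ip=None):
    """Apply the precedence rules: implied [*] in Allow; a more specific entry
    overrides a less specific one; an identical entry in both lists means allow."""
    candidates = [host.lower()]
    if resolved_ip:
        candidates.append(resolved_ip)
    deny = _specificity(candidates, deny_entries)
    if deny is None:
        return True                      # nothing denies it; the implied [*] allows
    allow = _specificity(candidates, allow_entries)
    if allow is None:
        allow = -1                       # the implied [*] loses to any explicit deny
    return allow >= deny                 # equal specificity: Allow wins


def request_allowed(url, services, allow_entries, deny_entries, resolved_ip=None):
    """Combine the Services field with the site rules; returns (ok, reason)."""
    parts = urlsplit(url)
    service = parts.scheme.upper()
    if service not in {s.upper() for s in services}:
        return False, f"service {service} is not enabled"
    host = parts.hostname or ""
    if not site_allowed(host, allow_entries, deny_entries, resolved_ip):
        return False, f"access to {host} is denied"
    return True, "ok"


if __name__ == "__main__":
    allow = parse_entries("www.ibm.com")          # the example from the tips above
    deny = parse_entries("www.*.com")
    for url in ("http://www.ibm.com/", "http://www.lotus.com/", "https://www.ibm.com/"):
        print(url, request_allowed(url, DEFAULT_SERVICES, allow, deny))
```

Note that with the default Services value an HTTPS request is refused before the site lists are even consulted, which is why the SSL section below requires HTTPS to be added to the Services field.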
Setting up the Web Navigator to retrieve pages on sites secured by SSL
If users are accessing Web sites that are secured by SSL, you must set up
the Web Navigator to retrieve pages on these sites. The Web Navigator
server does not need to use SSL in order to retrieve pages from a Web
site that uses SSL.
To set up the Web Navigator server for SSL, do the following:
• Store the Web site’s SSL certificate in the Domino Directory on the Web Navigator server.
• Enable the HTTPS protocol on the Web Navigator server as an Internet service.
For more information on SSL, see the chapter “Setting Up SSL on a
Domino Server.”
The Web Navigator supports sites that have SSL certificates issued by the
RSA Certificate Authority (CA), so you do not need to obtain the Web
site’s SSL certificate if it was issued by the RSA CA. If the Web site does
not have a certificate issued by the RSA CA, you must obtain the Web
site’s certificate and add it to the Domino Directory on the Web
Navigator server. Obtaining the certificate from a secure location ensures
that the certificate you receive is valid and creates an optimally secure
environment by allowing access only to servers with which you share a
valid certificate.
Although not recommended, you can set up Web Navigator to add the
Web site’s SSL certificate automatically to the Domino Directory. Set up
this way, the Web Navigator allows users to access pages on any Web
site that uses SSL, even if the Domino Directory does not already contain
the certificate. This approach allows easy access for users, but
compromises the security of the data sent by users, since the server does
not verify the identity of the remote server before allowing the user to
access it.
To add specific certificates
1. Identify the certificate required by the secured Web site by browsing
to the site and obtaining the certificate name.
2. Use a Notes workstation to merge the certificate for the CA into the
Domino Directory.
For information, see the chapter “Setting Up Clients for S/MIME and
SSL.”
3. On the Server Tasks - Web Retriever tab of the Server document,
select HTTPS in the Services field.

To add certificates automatically
1. From the Domino Administrator, click the Configuration tab, and then open the Server document for the Web Navigator server.
2. Click the Ports - Internet Ports tab and complete this field:

Field                          Enter
Accept SSL site certificates   Choose Yes.

3. Click the Server Tasks - Web Retriever tab, complete this field, and then save the document:

Field      Enter
Services   Choose HTTPS.

To view certificates
1. From the Domino Administrator, click the Configuration tab, and
choose Miscellaneous - Certificates.
2. Look at the Internet Cross Certificates category.
Sending mail from a Web page to the Internet
When users click a mailto URL on a Web page, Domino opens a new
mail message and enters the Internet address (user@company.com) in the
To: field.
Note If you use the Lotus SMTP MTA (Domino 4.6 and earlier) as the
gateway for Internet mail, users must append the foreign domain of the
SMTP Gateway for each Internet address — for example,
user@company.com@foreigndomain. So that users don’t need to specify
the foreign domain each time, you can specify the foreign domain of the
gateway.
1. Make sure that users’ Notes workstations are already set up to use
Notes mail.
For information, see the chapter “Setting Up and Managing Notes
Users.”
2. From the Domino Administrator, click the Configuration tab, and
then open the Server document for the Web Navigator server.
3. Click the Server Tasks - Web Retriever tab, complete this field, and
then save the document:

Field          Enter
SMTP Domain    The name of the foreign domain of the SMTP mail gateway.

The Web Navigator database
The Web Navigator database (WEB.NSF) resides on the Web Navigator
server and stores all pages that users retrieve from Web sites. Storing
Web pages in a central database reduces connection costs, since after one
user retrieves a page, the page is available in the database for others to
browse. The Web Navigator database contains features for Notes users
and administrators.
Database access
The default user access for the Web Navigator database is Editor, which
allows users to create HTML forms, Recommendation documents, and
Web tours. Domino adds the administrator names listed in the
Administrators field in the Server document for the Web Navigator
server to the ACL for the Web Navigator database and gives them
Manager access with the WebMaster role.
Administration document
The Administration document is stored in the Web Navigator database
and controls default settings for the database. You must have the
WebMaster role to access the document. Open WEB.NSF and access the
document from the Actions menu.

Agents
The Web Navigator database contains three agents that administrators
can use to manage documents in the database. The Purge agent removes
documents that meet the criteria you specify. Regularly purging
documents keeps the size of the Web Navigator database manageable.
The Refresh agent updates the contents of pages stored in the Web
Navigator database with the Web site content from which they were
originally retrieved. Pages in the database are not automatically updated
after they are retrieved; therefore, the page content may quickly become
outdated unless you use this agent.
The Averaging agent creates an average rating of user-recommended
pages. The top ten pages appear in the Recommended by Top Ratings
view.
Web tours and Recommendation documents
Web tours and Recommendation documents allow users to collaborate
with others who use the Web Navigator database.
Using a Web tour document, users can group a set of Web pages for
others to view sequentially — for example, to create training materials or
to collect a set of pages that you previously viewed on the Web.
Using a recommendation document, users can add useful Web sites to
the Web Navigator database.
Customizing the Web Navigator database
You can customize the Web Navigator database as follows:
• Display the names of users who retrieve pages
• Customize the default appearance of elements on retrieved Web pages
• Save and view HTML sources
• Rename and move the database
• Set preferences for the Purge, Refresh, and Averaging agents
• Use the Purge agent to manage the size of the database
• Use the Refresh agent to update pages in the database
• Use the Averaging agent to calculate page ratings in the database
For information, see the topics that follow.

Displaying who retrieved a page in the Web Navigator database
By default, the Web Navigator database uses a view named ($All) to
display information about each page that users retrieve. However, this
view does not display the name of the user who retrieved a particular
page.
To display the name of the user who retrieved a page, the Web Navigator
template provides a view titled ($All with Authors). The name displays
next to the title of the Web page. To use this as the default view, rename
it to ($All) so that the references to ($All) in the navigators work.
1. Make sure you have Designer access in the ACL of the Web
Navigator template (PUBWEB50.NTF) on the server.
2. Start the Domino Designer, open the Web Navigator template, and
select the ($All) view.
3. Choose Edit - Copy and then choose Edit - Paste to paste the “Copy
of ($All)” view into the template.
4. Delete the ($All) view.
5. Open the ($All with Authors) view.
6. Choose Design - View Properties and rename the view to ($All).
7. On the Options tab, select “Default when database is first opened” to
make this view the default.
8. Close and save your changes.
9. Replace the design of the Web Navigator database.
10. Make sure you have the WebMaster role in the ACL of the Web
Navigator database.
11. Select the Web Navigator database using a network connection to the
server.
12. Choose View - Go to and select All Documents.
13. Choose Actions - Administration, and select Save author
information.
Customizing the default appearance of pages in the Web Navigator
database
Web page authors use HTML tags to specify elements of a Web page.
The Web Navigator interprets these tags to determine how to display
these elements. You can customize the default appearance of many
elements on retrieved Web pages.
The Web Navigator supports Courier, Helvetica, and Times fonts.

1. Make sure you have the WebMaster role in the ACL of the Web
Navigator database.
2. Using the Notes client, open the Web Navigator database using a
network connection to the server.
3. Choose View - Go to and select All Documents.
4. Choose Actions - Administration, and then in the HTML Preferences
section, customize any of these settings:

Field       Default           Enter
URL links   Underline/Blue    Appearance of anchors.
Body Text   Times 11-point    Font and size of elements not defined in other fields in the HTML Preferences section.
Plain       Courier           Font for text in the <PLAINTEXT>, <PRE>, and <EXAMPLE> tags. The font size is defined by the Body Text field.
Fixed       Courier           Font for text in the <CODE>, <SAMPLE>, <KBD>, and <TT> tags. The font size is defined by the Body Text field.
Listing     Courier           Font for text in the <LISTING> tag. The font size is defined by the Body Text field.
Address     Times             Font for text in the <ADDRESS> tag. The font size is defined by the Body Text field.

Saving and viewing HTML sources in the Web Navigator database
You can save and view the HTML source for a Web page. Domino saves
the source in the Body field in the Web Navigator database.
This setting affects all pages retrieved by the Web Navigator server.
To save HTML sources
1. Make sure you have the WebMaster role in the ACL of the Web
Navigator database.
2. Using the Notes client, select the Web Navigator database using a
network connection to the server.
3. Choose View - Go to, and then select All Documents.
4. Choose Actions - Administration.
5. In the HTML Save Options field, choose one of the following:
   • Save as Rich Text only, to store the rich text in the document in a Body field
   • Save as Rich Text and HTML, to create separate Body fields for the rich text and the HTML tags
   • Save as MIME only, to store the document using MIME type format in a Body field
To view HTML sources
1. Open the document in the Web Navigator database.
2. Choose View - Show - HTML Source.
Renaming and moving the Web Navigator database

To rename the Web Navigator database
By default, Domino names the Web Navigator database WEB.NSF. You
can use another name if necessary.
1. Exit Domino and use the operating system to rename the database
file name.
2. Start Domino.
3. From the Domino Administrator, click the Configuration tab, and
then open the Server document for the Web Navigator server.
4. Click the Server Tasks - Web Retriever tab, complete this field, and
then save the document:

Field                    Enter
Web Navigator database   The new file name of the Web Navigator database.

To move the Web Navigator database
By default, Domino looks for the Web Navigator database in the data
directory on the Web Navigator server. You can move the Web
Navigator database to somewhere other than the data directory, for
example, to consolidate databases in a subdirectory.
1. Copy the Web Navigator database to a new subdirectory.
2. Delete the original Web Navigator database in the data directory.
3. Create a database link to the new database. You must create a
database link using the file name specified in the Web Navigator
database field in the Server document for the Web Navigator server.
4. Restart the server.

Setting agent preferences for the Web Navigator
The Web Navigator database includes three agents — Purge, Refresh,
and Averaging — that help you manage the database. Before you use the
agents, set up the preferences for them in the Server document for the
server on which the Web Navigator runs. You can specify agent security,
execution time, and schedule.
Caution The options you set in the Server document affect all agents
that run on the server.
To specify agent security
1. From the Domino Administrator, click the Configuration tab, and
then open the Server document for the Web Navigator server.
2. Click the Security tab, complete these fields, and then save the
document:
Field                                      Enter
Run restricted LotusScript/Java agents     Your user name, so that you can run agents that use a subset of the LotusScript features and run agents created with Java.
Run unrestricted LotusScript/Java agents   Your user name, so that you can run agents with the full set of LotusScript features and run agents created with Java.

Because these fields apply to every agent on the server (see the Caution above), list only the names that actually need to run the Web Navigator agents, and prefer the restricted field unless an agent requires the full set of LotusScript features.

To specify agent execution options
1. From the Domino Administrator, click the Configuration tab, and
then open the Server document for the Web Navigator server.
2. Click the Server Tasks - Agent Manager tab, complete these fields in
the Daytime Parameters and Nighttime Parameters sections, and
then save the document:

Field                                  Enter
Max LotusScript/Java execution time    Maximum is 360. The default is 10 (Daytime Parameters) and 15 (Nighttime Parameters). This field controls the time, in minutes, that a LotusScript agent has to run. It also controls the execution time of agents created with Java.
Max % busy before delay                Maximum is 90. The default is 50 (Daytime Parameters) and 70 (Nighttime Parameters). This field controls the percentage of time the Agent Manager can spend running agents. The time is a percentage of the Start and End times.

To specify the agent schedule
The Web Navigator agents run at default times, but you can reschedule
them. By default, the Purge agent runs at 1 AM; the Refresh agent runs at
3 AM; and the Averaging agent runs at 12 AM.
1. Start the Domino Designer and select the Web Navigator database
(WEB.NSF).
2. Open the agent that you want to reschedule.
3. Select a value in the “When should this agent run” field.
4. Click Schedule and then specify the starting time for the agent.
5. Save the document.
Using the Purge agent to manage the size of the Web Navigator
database
As users open Web pages, the Web Navigator database gets larger. To
manage the database, use the Purge agent.
The Purge agent uses settings in the Web Navigator Administration
document, which is in the Web Navigator database (WEB.NSF), to
determine what and how much to purge. Each night at 1 AM, the Purge
agent goes through the database three times, each time purging
documents according to the criteria you specify. As soon as the database
size you specify is obtained, the Purge agent stops and queues to run the
following night.
The Purge agent purges the database in three passes:
• First pass: checks the Expires header on each Web page. If the Web page has expired, deletes that page.
• Second pass: checks the document creation date on each Web page and deletes pages older than the date you specify.
• Third pass: checks for pages that are larger than the size you specify, and then deletes them.
To specify purge criteria
1. Make sure that you have already set up security for Web Navigator
agents and that you have the WebMaster role in the ACL of the Web
Navigator database.
2. Using the Notes client, select the Web Navigator database
(WEB.NSF) using a network connection to the server.
3. Choose View - Go to, and then select All Documents.
4. Choose Actions - Administration, edit any of the following fields,
and then save the document:

Field                              Enter
Maximum database size              The maximum size of the Web Navigator database. The default is 500MB.
Purge agent action                 One of these methods to use when purging documents: • Delete page, to delete pages permanently from the database. • Reduce page, to delete the contents of the page but keep the URL, so you still see the page in the database views. Delete page is the default.
Purge to what % of maximum size    A percentage of the maximum database size setting that the Purge agent should reach before stopping. The default is 60%.
Purge documents older than         When to delete documents, based on the number of days they have been in the database. The default is 30 days.
Purge documents larger than        When to delete documents, based on their size. The default is 512KB.
Purge private documents            One of these, which determines whether the Purge agent deletes documents stored in users’ private folders: • Unselected (default), to not purge documents stored in private folders. • Selected, to purge documents stored in private folders.

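As an added illustration of the three-pass behaviour and the purge criteria above (this is not code from the Domino documentation or the product), the following Python script simulates the Purge agent over a handful of constructed page records. It stops as soon as the database is at or below the “Purge to what % of maximum size” target, honours “Purge private documents”, and implements both “Delete page” and “Reduce page”. A page is modelled only by its size, creation date and optional Expires header, the database size is taken as the sum of page sizes, and pages are visited oldest first within a pass; the real agent’s traversal order is not documented, so that ordering is an assumption.

```python
# Added example: simulates the Purge agent's three passes over WEB.NSF using the
# Administration document settings described above. Not Lotus/Domino code.
# Assumptions: a page is modelled by its size, creation date and optional Expires
# header; database size is the sum of page sizes; within a pass, pages are
# visited oldest first (the real traversal order is not documented).
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class Page:
    url: str
    size: int                           # bytes
    created: datetime
    expires: Optional[datetime] = None  # from the page's Expires header
    private: bool = False               # stored in a user's private folder
    reduced: bool = False               # contents removed, URL kept


@dataclass
class PurgeSettings:
    """Defaults match the Administration document fields above."""
    max_db_size: int = 500 * 1024 * 1024
    purge_to_percent: int = 60
    older_than_days: int = 30
    larger_than: int = 512 * 1024
    purge_private: bool = False
    action: str = "delete"              # "delete" (default) or "reduce"


def db_size(pages):
    return sum(p.size for p in pages)


def run_purge(pages, settings, now):
    """Run the three passes; return (remaining pages, URLs purged in order).
    Stops as soon as the database is at or below the target size."""
    target = settings.max_db_size * settings.purge_to_percent // 100
    remaining = list(pages)
    purged = []

    def eligible(page):
        return not page.reduced and (settings.purge_private or not page.private)

    def purge(page):
        if settings.action == "reduce":
            page.size = 0                # "Reduce page": drop contents, keep the URL
            page.reduced = True
        else:
            remaining.remove(page)       # "Delete page"
        purged.append(page.url)

    passes = [
        lambda p: p.expires is not None and p.expires <= now,                  # pass 1: Expires header
        lambda p: now - p.created > timedelta(days=settings.older_than_days),   # pass 2: age
        lambda p: p.size > settings.larger_than,                                # pass 3: size
    ]
    for criterion in passes:
        for page in sorted(remaining, key=lambda p: p.created):
            if db_size(remaining) <= target:
                return remaining, purged
            if eligible(page) and criterion(page):
                purge(page)
    return remaining, purged


def sample_pages(now):
    """Constructed sample records (not real data) exercising each pass."""
    day = timedelta(days=1)
    return [
        Page("http://www.example.com/news", 100, now - 2 * day, expires=now - day),
        Page("http://www.example.com/old", 100, now - 40 * day),
        Page("http://www.example.com/big", 1000, now - day),
        Page("http://www.example.com/mine", 100, now - 50 * day, private=True),
        Page("http://www.example.com/fresh", 50, now - 3 * day),
    ]


if __name__ == "__main__":
    now = datetime(2003, 1, 15)
    small = PurgeSettings(max_db_size=1000, purge_to_percent=10, larger_than=500)
    remaining, purged = run_purge(sample_pages(now), small, now)
    print("purged:", purged)
    print("remaining:", [p.url for p in remaining], db_size(remaining), "bytes")
```

Run with the sample data, the expired page goes in pass 1, the 40-day-old page in pass 2 and the 1000-byte page in pass 3, while the private page survives until “Purge private documents” is selected; raising the target shows the agent stopping part way through pass 2.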
To enable the Purge agent
The Purge agent is set up to run at 1 AM, but it does not start this
schedule until you enable the agent.
1. Make sure you have already set up security for Web Navigator
agents and that you have the WebMaster role in the ACL of the Web
Navigator database.
2. Using a Notes client, select the Web Navigator database (WEB.NSF)
using a network connection to the server.
3. Choose View - Go to, and then select All Documents.
4. Choose Actions - Administration.
5. Click the Enable Purge agent button.
6. Select the name of the server on which the Web Navigator runs in the
Choose Server To Run On dialog box, and then save the document.
Using the Refresh agent to update pages in the Web Navigator
database
Regularly refreshing pages keeps the page content up to date. You can
refresh pages using the Refresh agent or set an interval for the update
cache.
To use the Refresh agent to update pages
To keep the most up-to-date pages in the Web Navigator database, use
the Refresh agent, which compares the date of each Web page inside the
database with the date of the Web page on the server. If the Web page on
the server is newer, the Refresh agent replaces the Web page in the Web
Navigator database. By refreshing out-of-date pages, the Refresh agent
ensures that users can quickly access the latest version of a page.
The Refresh agent refreshes only HTTP pages. It does not refresh FTP
pages, Gopher pages, or private pages stored in a user’s private folder in
the database.
By default, the Refresh agent is scheduled to run at 3 AM, but it does not
start this schedule until you enable the agent.
1. Make sure you have already set up security for Web Navigator
agents and that you have the WebMaster role in the ACL of the Web
Navigator database.
2. Using a Notes client, select the Web Navigator database (WEB.NSF)
using a network connection to the server.
3. Choose View - Go to, and then select All Documents.
4. Choose Actions - Administration.
5. Click the Enable Refresh agent button.
6. Select the name of the server on which the Web Navigator runs in the
“Choose Server To Run On” dialog box, and then save the document.
To update pages when users retrieve pages
Domino stores each retrieved Web page in the Web Navigator database.
You can specify how often you want Domino to check the Web page on
the server to determine if the page has changed.
1. From the Domino Administrator, click the Configuration tab, and
then open the Server document for the Web Navigator server.
2. Click the Server Tasks - Web Retriever tab, complete this field, and
then save the document:

Field          Enter
Update cache   Choose one: • Never (default), to perform no verifications • Once per session, to check only the first time the user accesses the page during a session • Every time, to check each time the user opens a page that is already in the database

Using the Averaging agent to calculate page ratings in the Web Navigator database
The Averaging agent collects ratings that users assign to Web pages and
calculates the rating of pages in the Web Navigator database (WEB.NSF).
The pages appear in the Recommended by Top Ratings view in the
database. The Averaging agent also calculates the average rating for
pages that have multiple ratings from different users.
By default, the Averaging agent is scheduled to run at 12 AM, but it does
not start this schedule until you enable the agent.
1. Start the Domino Designer and open the Web Navigator database
(WEB.NSF).
2. Select the Averaging agent, and then choose Actions - Enable.
3. Choose the Web Navigator server to run the agent.
