Front cover

Distributing Notes
Clients Automatically
Creating customized Notes installation
packages

Automated Deployment Toolkit

described

Using Active Directory for

client distribution

Tommi Tulisalo
Ted Dziekanowski
Ben Morris
Kurt Nielsen
Carol Sumner

ibm.com/redbooks Redpaper
International Technical Support Organization

Distributing Notes Clients Automatically

July 2003
 Note: Before using this information and the product it supports, read the information in
Notices on page v.

First Edition (July 2003)

This edition applies to Lotus Notes and Domino 6.0.2

Copyright International Business Machines Corporation 2003. All rights reserved.

Note to U.S. Government Users Restricted Rights -- Use, duplication or disclosure restricted by GSA ADP
Schedule Contract with IBM Corp.
Contents

Notices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . v
Trademarks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vi

Preface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ....... ...... . . vii

The team that wrote this Redpaper . . . . . . . . . . . . . . . . . . ....... ...... . . vii
Become a published author . . . . . . . . . . . . . . . . . . . . . . . . ....... ...... . . viii
Comments welcome . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ....... ...... . . viii

Chapter 1. Customizing client installations with transform files . . . . . . . . 1

1.1 Brief description of Windows Installer technology . . . . . . . . . . . . . . . . . . . . 2
1.1.1 Using the InstallShield Tuner . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

Chapter 2. Using Automated Deployment Toolkit for Notes clients . . . . . 11

2.1 Introduction to Automated Deployment Toolkit . . . . . . . . . . . . . . . . . . . . . 12
2.1.1 Integrating services and functions. . . . . . . . . . . . . . . . . . . . . . . . . . . 12
2.1.2 Communication with the users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
2.1.3 Asset inventory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
2.1.4 Training Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
2.1.5 User ID Generation component . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
2.1.6 Client Software Distribution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
2.2 Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
2.2.1 Client PC requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
2.2.2 Server SMTP configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
2.2.3 ADT server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
2.2.4 Lotus Domino server changes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
2.2.5 ADT groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
2.2.6 Assign HTTP passwords to all users . . . . . . . . . . . . . . . . . . . . . . . . 19
2.2.7 Enable HTTP on the ADT server . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
2.2.8 Assign manager rights to the agent signer . . . . . . . . . . . . . . . . . . . . 19
2.2.9 Copy files to the ADT server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
2.2.10 Additional steps for automated client setup process . . . . . . . . . . . . 20
2.2.11 Sign the ADT database templates . . . . . . . . . . . . . . . . . . . . . . . . . 21
2.2.12 Configure agent execution parameters in the ADT template . . . . . 21
2.2.13 Create the ADT and the ADT Log databases . . . . . . . . . . . . . . . . . 22
2.2.14 Create ADT Mail-In Database document . . . . . . . . . . . . . . . . . . . . 22
2.2.15 Creating the ADT encryption key . . . . . . . . . . . . . . . . . . . . . . . . . . 23
2.2.16 Installing data migration tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
2.2.17 Copying files to the Notes client installation set . . . . . . . . . . . . . . . 24
2.3 Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

Copyright IBM Corp. 2003. All rights reserved. iii

 2.3.1 How to capture at Database Replica ID . . . . . . . . . . . . . . . . . . . . . . 25

Chapter 3. Deploying the Notes client with Active Directory . . ...... .. 27

3.1 Active Directory basics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ...... .. 28
3.2 Using Group Policies to deploy the Notes client . . . . . . . . . . . . ...... .. 34
3.2.1 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ...... .. 46
3.3 Installing non-MSI applications . . . . . . . . . . . . . . . . . . . . . . . . . ...... .. 46
3.4 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ...... .. 50

iv Distributing Notes Clients Automatically

Notices

This information was developed for products and services offered in the U.S.A.

IBM may not offer the products, services, or features discussed in this document in other countries. Consult
your local IBM representative for information on the products and services currently available in your area.
Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM
product, program, or service may be used. Any functionally equivalent product, program, or service that
does not infringe any IBM intellectual property right may be used instead. However, it is the user's
responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document.
The furnishing of this document does not give you any license to these patents. You can send license
inquiries, in writing, to:
IBM Director of Licensing, IBM Corporation, North Castle Drive Armonk, NY 10504-1785 U.S.A.
The following paragraph does not apply to the United Kingdom or any other country where such provisions
are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES
THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED,
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT,
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer
of express or implied warranties in certain transactions, therefore, this statement may not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made
to the information herein; these changes will be incorporated in new editions of the publication. IBM may
make improvements and/or changes in the product(s) and/or the program(s) described in this publication at
any time without notice.

Any references in this information to non-IBM Web sites are provided for convenience only and do not in any
manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the
materials for this IBM product and use of those Web sites is at your own risk.

IBM may use or distribute any of the information you supply in any way it believes appropriate without
incurring any obligation to you.

Information concerning non-IBM products was obtained from the suppliers of those products, their published
announcements or other publicly available sources. IBM has not tested those products and cannot confirm
the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on
the capabilities of non-IBM products should be addressed to the suppliers of those products.

This information contains examples of data and reports used in daily business operations. To illustrate them
as completely as possible, the examples include the names of individuals, companies, brands, and products.
All of these names are fictitious and any similarity to the names and addresses used by an actual business
enterprise is entirely coincidental.

COPYRIGHT LICENSE:
This information contains sample application programs in source language, which illustrates programming
techniques on various operating platforms. You may copy, modify, and distribute these sample programs in
any form without payment to IBM, for the purposes of developing, using, marketing or distributing application
programs conforming to the application programming interface for the operating platform for which the
sample programs are written. These examples have not been thoroughly tested under all conditions. IBM,
therefore, cannot guarantee or imply reliability, serviceability, or function of these programs. You may copy,
modify, and distribute these sample programs in any form without payment to IBM for the purposes of
developing, using, marketing, or distributing application programs conforming to IBM's application
programming interfaces.

Copyright IBM Corp. 2003. All rights reserved. v

Trademarks
The following terms are trademarks of the International Business Machines Corporation in the United States,
other countries, or both:

Domino IBM Notes

DFS ibm.com Redbooks
Lotus Notes Redbooks (logo)
^ Lotus Tivoli

The following terms are trademarks of other companies:

Intel, Intel Inside (logos), MMX, and Pentium are trademarks of Intel Corporation in the United States, other
countries, or both.

Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the
United States, other countries, or both.

Java and all Java-based trademarks and logos are trademarks or registered trademarks of Sun
Microsystems, Inc. in the United States, other countries, or both.

UNIX is a registered trademark of The Open Group in the United States and other countries.

SET, SET Secure Electronic Transaction, and the SET Logo are trademarks owned by SET Secure
Electronic Transaction LLC.

Other company, product, and service names may be trademarks or service marks of others.

vi Distributing Notes Clients Automatically

Preface

This IBM Redpaper describes how to distribute Notes clients automatically. The
paper is not a complete guide on Notes client deployment, rather it is a collection
of information about some of the different technologies that can be used for
deploying Notes clients automatically. The basic idea behind automated software
distribution is to make installing multiple clients more efficient.

We begin by explaining how to use InstallShield Tuner for Lotus Notes to

create customized Notes installation packages. We guide the reader through the
process of customizing an installation of Lotus Notes using that technology.

We then describe how to use Automated Deployment Toolkit (ADT), which is an

automated, managed system for deploying, upgrading, or migrating an existing
messaging system to Notes R5 and Notes 6.

The final chapter describes how to use Active Directory for deploying Notes
clients.

Another option, not covered in this Redpaper, is to use one of the software
products is are architected for distributing any software to the workstation. Some
of the most used tools include IBM Tivoli Configuration Manager, Microsoft
SMS, and ZenWorks.

The team that wrote this Redpaper

This Redpaper was produced by a team of specialists from around the world
working at the International Technical Support Organization, Cambridge Center.

Tommi Tulisalo is a Project Leader for the International Technical Support

Organization at Cambridge, Massachusetts. He manages projects whose
objective is to produce redbooks in all areas of Lotus Software products. Before
joining the ITSO in 2001, he was an IT Architect for IBM Global Services in
Finland, designing solutions for customers, often based on Lotus software.

Ted Dziekanowski is an independent consultant and owner of the Chatham

Technology Group, which is based in the New York Metropolitan area. Ted is
both a Lotus and Microsoft Certified Trainer, holds PCLP, MCSE+I, and
Windows 2000 certifications, and has a BS in Accounting and an MBA in
Management. His recent engagements include Active Directory infrastructure
design for a Fortune 50 company, migrations from Exchange 5.5 to Exchange

Copyright IBM Corp. 2003. All rights reserved. vii

 2000, as well as numerous engagements involving versions of Domino 3.0a to
6.0.1 and Exchange 4.0 to Exchange 2000.

Ben Morris is an IT Specialist with IBM Global Services. He has supported

Notes and related products within IBM for over two years, and has been involved
in the Notes 6 project for much of that time. He can be contacted at
morrisb@us.ibm.com.

Kurt Nielsen is a Senior IT Specialist for ITS' Lotus Technology Group in

Denmark, with an emphasis on architecture and infrastructure. He has been with
IBM/Lotus since 1998, originally working as a systems programmer and systems
specialist in Networking Services. His primary responsibilities are Domino
design, infrastructure, migration, and analysis. Kurt has over 12 years of
experience in consulting with client organizations in the insurance, banking, and
manufacturing industries.

Carol Sumner is an Advisory IT Specialist working for IBM Software Services for
Lotus. She has 11 years of IT experience, including six years of specialization in
messaging systems implementation, administration, and migrations. She
received a BA from the University of Iowa, and holds a Master of Divinity degree
from Texas Christian University.

Become a published author

Join us for a two- to six-week residency program! Help write an IBM Redbook
dealing with specific products or solutions, while getting hands-on experience
with leading-edge technologies. You'll team with IBM technical professionals,
Business Partners and/or customers.

Your efforts will help increase product acceptance and customer satisfaction. As
a bonus, you'll develop a network of contacts in IBM development labs, and
increase your productivity and marketability.

Find out more about the residency program, browse the residency index, and
apply online at:
ibm.com/redbooks/residencies.html

Comments welcome
Your comments are important to us!

viii Distributing Notes Clients Automatically

We want our papers to be as helpful as possible. Send us your comments about
this Redpaper or other Redbooks in one of the following ways:
Use the online Contact us review redbook form found at:
ibm.com/redbooks
Send your comments in an Internet note to:
redbook@us.ibm.com
Mail your comments to:
IBM Corporation, International Technical Support Organization
Dept. JLU Building 107-2
3605 Highway 52N
Rochester, Minnesota 55901-7829

Preface ix
x Distributing Notes Clients Automatically
 1

Chapter 1. Customizing client

installations with transform
files
This chapter introduces you to Windows Installer technology and walks you
through the process of customizing an installation of Lotus Notes using that
technology.

Copyright IBM Corp. 2003. All rights reserved. 1

1.1 Brief description of Windows Installer technology
Notes 6 takes advantage of the Windows Installer technology, which allows an
administrator to standardize custom installations by distributing pre-configured
installation packages. The administrator manipulates the configuration by means
of a transform file that the Windows Installer service uses when it is installing an
application.

The InstallShield Tuner for Lotus Notes provides administrators with a graphical
and easy-to-use method of modifying the default install options of the new
installer in Notes 6. This allows administrators much more flexibility in their
options and enhances control over what an end user can and cannot do or see
when installing the program.

1.1.1 Using the InstallShield Tuner

This section provides a brief introduction to using the InstallShield Tuner for
Lotus Notes. For more information, along with training opportunities, visit the
InstallShield Web site at:
http://www.installshield.com

Initial setup
To set up the install:
1. Begin by installing the InstallShield Tuner for Lotus Notes from your Lotus
Notes CD. After the install is complete, start the Tuner from your Lotus
Applications program directory. You will immediately be prompted for a Tuner
Configuration (.ITW) file. Select the lotusnotes.itw file from the x:\apps
directory (where x is the location of your Notes install files) and click Open.
2. The first screen you are presented with is the InstallShield Today welcome
screen. Select Create a new transform file in the second pane.
3. In the Base Windows Installer Package section of the third pane, click the
Browse button and navigate to the x:\allclient directory on the Notes CD.
Select the Lotus Notes 6.msi file, and click Open.
4. Create the transform file.
In the Windows Installer Transforms section, specify the location and name of
the install modification (.MST) file. This is the file that stores all of the
modifications, and must be included in the install package that will be
distributed to the users when they run the install.
a. Browse to the directory to which you wish to save the .MST file, type a
name, and click Save.

2 Distributing Notes Clients Automatically

 b. Click the Create Transform File button.

Figure 1-1 Create the transform file

Modify the transform file

To modify the transform file:
1. MSI file prevalidation
The next screen displayed is the MSI File Prevalidation screen. Since the
Lotus Notes 6.msi file has already been verified, this step can be skipped. If
you do perform the prevalidation check, you may receive many (up to 100)
errors and warnings. These errors are harmless and should be ignored.
2. Setup organization
In this step you select the features to install, as follows:
a. Using the navigator in the first pane, select step 2, Setup Organization ->
Features. (You will be specifying the information under Default
Destination and Organization later in the process.) This is where you will
choose the default features that will be installed on the users machine.
b. Highlight each feature that you want installed by default in the second
pane, and change the Initial State (in the third pane) to The feature is
installed on the local drive.

Chapter 1. Customizing client installations with transform files 3

 c. If this is going to be a User Interface install, and you do not want the users
to have the option of turning a certain feature on or off (for example, you
do not want to give them the ability to install the designer client), then
change the Visible field to either Not Visible or Visible, depending on your
preference.
d. Note that the default for the Notes client and CoreProgramFiles is The
feature is run from source, CD, or network. In most cases, you will want to
change both to The feature is installed on the local drive.

Figure 1-2 Modifying the install options for the users

3. Target system configuration

a. Files (optional)
i. If there are any extra files you wish to have installed along with Notes
(for example, a modified bookmark.nsf file with some bookmarks
already selected), select Files under step 3, Target System
Configuration.
ii. In the Source computers directory tree box navigate to the location of
the file you want to include.
iii. In the Destination computers folders box, specify the destination
directory path. To do this, highlight Destination computer and click
Insert. This will create NewFolder1, which should be renamed at the
top level directory (below the root) that you wish to use (that is, Notes).

4 Distributing Notes Clients Automatically

 Highlighting that directory and pressing Insert will create NewFolder2
beneath NewFolder1. It should be renamed to the next level folder (that
is, data).
iv. Drag the selected file from Source computers files to the Destination
computers folders. See Figure 1-3 for an example.

Figure 1-3 Adding files to the install package

b. Registry
Any registry changes you wish to make can be made in a similar way
through the Registry tab in step 3. However, since Notes adds very little to
the registry, this step can be skipped in most cases.
c. Shortcuts/Folders
The Shortcuts/Folders tab is used to control which shortcuts you wish to
have installed on the users OS desktop and Start menu. To remove a
particular shortcut, highlight it and press Delete.
d. Notes.ini file changes
If there are any preferences stored in the notes.ini that you would like to
specify for all users, do so by clicking the IniFiles tab.
e. The NT Services and ODBC Resources tabs should be skipped in most
cases.

Chapter 1. Customizing client installations with transform files 5

 4. Identify Additional Servers
If you are going to put the Notes install files on a network drive, specify it here.
Doing so will allow users to automatically repair Notes installations through
their add/remove programs option in the control panel if a file becomes
corrupt.
5. Application Configuration
Select that Setup Properties view, and leave the defaults for most of the
options. The ones worth noting are:
DATADIR: This is the default location of the users data directory (usually a
subdirectory called data under the PROGDIR).
PROGDIR: The directory that the main Notes files will be installed to.
AgreeToLicense: This must be set to Yes if you will be doing a silent
install, and will require one less click from users in a User Interface install.

Figure 1-4 Modifying setup properties

Other options
If you would like to modify the options available to the users from the
Add/Remove programs list in the Windows control panel (such as
disabling their ability to uninstall the software), select Add/Remove
Programs Setting, and select Yes for Disable Modify Button, Disable

6 Distributing Notes Clients Automatically

 Remove Button, and Disable Repair Button, depending on your
preferences.
6. Prepare to Package
a. The postvalidation step should be skipped since you will once again see
many harmless errors and warnings if you run it.
b. The final step is to package the installation.
i. Select the Package view from the first pane, and Location from the
second pane. This is the location (your local drive, a network drive, or
an FTP site) to which Tuner will copy all of the files required for the
installation.
ii. Choose the Setup view. This option will create a customized setup.exe
that includes the .MST file along with any other files needed for the
install. This is much easier than running a command line with
parameters for the transform file. If any of your users are running
Windows 95, Windows 98, or Windows NT, then select the appropriate
checkboxes.
iii. In the Windows Installer Command Line Arguments field you can
specify any switches that should be incorporated into the setup. For
example, you can specify that this package should always do a silent
install by typing /qn in this field. For a list and description of the various
command line options available look in the MSI help file.

Chapter 1. Customizing client installations with transform files 7

 Figure 1-5 Creating the install package

iv. The SMS tab is for companies that have deployed Microsoft Systems
Management within their organization. To create the necessary files to
use SMS with Notes 6, select the appropriate options (depending on
the version of SMS), and the necessary .pdf and .mif files will be
created.

Save the transform file and the package

To save the transform file and the package:
1. Click Save on the toolbar.
2. Select Package from the Project menu. Tuner will copy all of the required
files to the location you selected on the Location tab. You will see a log of the
files being copied in the lower pane.

8 Distributing Notes Clients Automatically

Figure 1-6 Packaging log

3. Click Save on the toolbar one more time and close Tuner.

The package is now ready to be distributed to your users. They will run the install
with the setup.exe included with the package. If you ever need to make changes
to the package, simply start Tuner and choose Open an existing transform file
from the menu. Note: Once you have made changes to a transform file you must
save the .mst and then repackage the install by selecting Package from the
project menu.

Chapter 1. Customizing client installations with transform files 9

10 Distributing Notes Clients Automatically
 2

Chapter 2. Using Automated

Deployment Toolkit for
Notes clients
This chapter contains an overview of the functionality of the Automated
Deployment Toolkit (ADT) from Wolcott Systems Group, and information needed
to install ADT into an environment. This is not to be regarded as an installation
guide, but more as a description of the tool, and a way to get around the few
gotchas we encountered installing and using it. The documentation that ships
with ADT is very thorough an we recommend using this.

Copyright IBM Corp. 2003. All rights reserved. 11

2.1 Introduction to Automated Deployment Toolkit
Automated Deployment Toolkit (ADT) is an automated, managed system for
deploying, upgrading, or migrating an existing messaging system to Notes R5
and Notes 6. ADT centrally manages and automates the client deployment
process and integrates with industry-eading data migration and training
toolssaving companies significant time and expense.

One of the major obstacles in deploying new clients is actually not installing the
clients, but managing the process. Wolcott Systems Group seems to have taken
this approach on their deployment tool and wrapped it in management tools. The
ADT provides functionality for maintaining a complete Notes deployment process
from a centralized location, and automating other key processes during the
deployment, upgrade, or migration porcess.

2.1.1 Integrating services and functions

ADT is integrating the business workflow that a Notes deployment is, rather than
having the set of engineering tasks that most IT departments are familiar with.
The ADT has automated the following key deployment processes:
Discovery: PC hardware and software determination
Training: Integrates with third-party computer based or instructor-led training
processes
ID Generation: User ID and mail file creation
Client Installation: Installation/upgrade and setup of the Notes workstation
Data Migraiton: Integration with Lotus tools and third-party data migration
products (like BinaryTree)
Mail File upgrade: Upgrading the users mail file to the administrator-specified
template(s)

The tool is built in a way that makes management easy. Services not required, or
not needed at the moment, can simply be turned off or have their order changes
by the administrator. If required, it is actually possibly to add further steps to the
framework using the workflow framework provided.

The design
The ADT is designed as a open and customizable framework. In this way,
flexibility is added and specific tailoring is easier to do. Many of the
customizations can be made without programming. The design of the database
is open and allows easy integration of customer-specific processes.

12 Distributing Notes Clients Automatically

 User interface
The ADT is equipped with a Dashboard, which helps configure the tool to the
specific needs. The Dashboard helps track the progress of the users during the
deployment. Some features of the Dashbord are:
The administrator uses menu choices and configuration documents to easily
build his own upgrade, deployment, or migration workflow.
Shows the administrator where each user is in the deployment process.
Gives the administrator the ability to manually control the progress of users, if
needed.
The administrator can have a fully updated snapshot of the number of users
at each point in the process.
Eliminates the need to create management progress reports. The
management team can be pointed directly to the ADT database, and they can
check status any time they wish.

2.1.2 Communication with the users

One of the key factors affecting the success of any deployment project is being
able to communicate in a meaningful way to users affected by the project. The
ADT offers a feature to help communicate with the end-users via the Deployment
Control Panel. This means that the administrator can customize the messages
sent to his end users to meet specifics of their own corporate environments,
thereby improving the quality of deployment, which again may reduce overall
project cost.

2.1.3 Asset inventory

One of the obstacles when planning a deployment project is What is out there?
That is, asset inventory. The ADT framework provides a discovery component
that helps to:
Ensure that the users machines are capable of running the new Notes client
software.
Automatically gather and summarize key end-user workstation hardware and
software configuration information using the PC Survey component.
Administrators can set their own minimum system requirements for hard disk
utilization, RAM, operating system, processor speed, etc.
Provides e-mail notification of system failure to meet minimum requirements,
which can be routed to the administrator or tech team responsible for physical
system upgrades.

Chapter 2. Using Automated Deployment Toolkit for Notes clients 13

 Feeds user status to the ADT Dashboard, giving the administrator real-time
information on the status of each user in the process.
Automatically moves users, with systems that meet the requirements, to the
next step in the deployment process without requiring administrator
intervention.

The PC Survey tool provides a snapshot of the current configuration. A more

thorough version is available upon request. Figure 2-1 shows a screenshot from
the PC Survey tool.

Figure 2-1 PC Survey tool

2.1.4 Training Management

The Training Management component of ADT reduces cost for customers by
allowing customers to integrate training products into the deployment process.
The company can in this way ensure that users know how to use the new Notes
client prior to the client installation. This eliminates the training coordination
bottleneck that can delay the deployment process. Another benefit is that this
allows the administrators to restrict users from advancing on to the next step in
the process, until they have completed the necessary training or to simply notify
users of the training options available to them before automatically moving them
onto the next step.

14 Distributing Notes Clients Automatically

 ADT tool integrates with third-party CBTs, such as tools from ReCor, OfCourse,
and TLCC.

2.1.5 User ID Generation component

The User ID Generation component of ADT delivers strong management
features to administrators, simplifying the task of creating and storing user IDs.
With this component, administrators can automate the creation of a Lotus Notes
user ID, mail file, and public encryption key for each user. Configurable
parameters are included to set the ID expiration date, password strength, and
client license type. The User ID Generation component uses special algorithms
to generate random passwords as well as validate mail file name and user short
name uniqueness. The generated ID files and encrypted passwords are stored in
the ADT database for simplified recovery by an authorized administrator if an ID
file is lost or a password forgotten.

2.1.6 Client Software Distribution

Central to any solution for a deployment project is the ability to install the
software on the users workstations. The Client Software Distribution component
of the tool features the following:
Eliminates the requirement to manually touch each PC to install the Notes
client.
Automatically sends a mail message to the user with an attachment that
initiates the installation of the Notes client after the automated PC Survey
component confirms that the user workstation can support the Notes client
software.
Reports confirmation of installation process to the ADT database, allowing
the administrator to track the users process at a glance. Confirmation
includes indication of when the installation started, completed, encountered
an error, and finished successfully.
Uses a distributed method of making the client software available to end
users. The Notes client installation sets can be placed on servers close to the
users, thus minimizing the impact on the WAN.
Allows for the automated installation of the client software with administrators
building the necessary response files for the installation, thus eliminating the
errors caused during user interaction with the dialogs and prompts appearing
in the standard installation.
Allows administrators to support a manual installation by the users, if in a
case this would be desired.

Chapter 2. Using Automated Deployment Toolkit for Notes clients 15

 Supports the installation from CD-ROM (could be a important feature for
remote/disconnected users).

Additional features:
Notes Mover component: Allows administrators to automatically relocate
Notes to a standard location on the users workstation prior to launching the
Lotus Notes client installation.
Setting up of the workstation via LotusScript code that is executed at the
conclusion of the client installation, allowing administrators to add database
icons, create local replicas and update replicator page entries, modify location
documents, and many other client configuration tasks.
Deployment of custom names.nsf and notes.ini.
Integrated data migration components providing integration with standard tool
providers like Lotus and BinaryTree.
Automating upgrade of users mailfile using a standard or customized
template.
Server consolidation component.

2.2 Installation
Be sure that your environment meets the requirements, which for the Notes 6,
Domino 6, and ADT V2.1, include the following.

2.2.1 Client PC requirements

The requirements are:
Notes 6 client and ADT executables require a Win32 (Win98 or higher).
All users must have TCP/IP installed and configured on their computer
systems.
All users must have access to the company servers through local network
access or via the Internet or an intranet.
For self-service registration, users must have browser (http) access to the
server running ADT. Supported browser platforms are Microsoft Internet
Explorer (Version 4 or higher) and Netscape Navigator (Version 4 or higher).

2.2.2 Server SMTP configuration

During the PC Survey and client installation steps, SMTP is used to deliver
survey results plus installation and client configuration status messages to the

16 Distributing Notes Clients Automatically

 ADT database. For this reason, your internal messaging environment must be
configured to receive SMTP mail and route these incoming messages to the ADT
database (a Notes mail-in database). If your messaging environment is not
configured for SMTP, you must make the appropriate modifications to support
this. If necessary, you can configure SMTP on the ADT server and route
messages directly there.

Organizations that have high volume inbound or outbound SMTP messaging

traffic in their environment may not wish to configure ADT to send its messages
through the company gateway. In this case it will be better to have the messages
delivered directly to the ADT server. Enabling SMTP on the ADT server does not
open up a new message routing option for your users, unless they are
specifically enabled to do so. If the server running ADT is visible to the Internet
and you have SMTP enabled on the system, you will need to configure Domino
so the server cannot be used for spamming purposes. In most cases, the
Domino server used by ADT (if it is a dedicated server) is not configured to be
visible to the Internet.

Note: ADT includes an application for testing the SMTP connection, SMTP
Tester; refer to the SMTP Tester documentation for additional information.

2.2.3 ADT server

In order to ensure the best performance, it is recommended that a Domino server
is dedicated for the ADT processing server. The ADT processing server is the
server that executes the scheduled agents that sends and processes the return
messages sent during PC Survey, training, Lotus Notes client installation, and
other processing steps. The dedicated server is recommended because ADT
periodically launches external processes to create the self-extracting
executables sent to the user, and the heavy use of the server might induce
problems for other processes running on the system.

Since ADT uses several 32-bit Windows applications during processing, the
server running ADT must be running on a 32-bit Windows server (Windows NT,
2000, or XP).

ADT server minimum system requirements:

Windows NT, Windows 2000, or Windows XP
Pentium III class processor (or equivalent)
256 MB of RAM
500 MB free disk space
Lotus Domino 6 server or higher (can work with release 5; consult manual)
SMTP routing and mail delivery
TCP/IP communications protocol

Chapter 2. Using Automated Deployment Toolkit for Notes clients 17

 Additional server requirements:
For the self-service option, the ADT server must have the HTTP protocol
enabled on the server.
All mail servers participating in the server consolidation process must be
running Lotus Domino Server Version 4.6 or higher.

It is possible to use a standard desktop system for running ADT. What you have
to do is install Windows and Domino on the server and it is ready for the ADT
installation.

Note: A version of the ADT server that supports the Sun Solaris operating
system is available; please contact Wolcott Systems Group to obtain further
information.

2.2.4 Lotus Domino server changes

Depending on the steps you are performing in your Notes deployment, different
Domino servers in your organization will be affected. If you are doing a mail
server consolidation, all of your existing mail servers will be involved. If you are
doing an upgrade, then all of your mail servers will be involved. In order to
provide support for the processes listed above, you must modify each affected
server document to include the signer of the ADT database agents as a person
allowed to run unrestricted agents. You will most likely sign the ADT database
with a user ID that has manager rights to the server and Domino Directory.

Several of the ADT process steps require messages to be delivered back to the
ADT database so agents can update the users status. As part of the product
installation, you will have to create a mail-in database document in the Domino
Directory. Before the installation begins, administrators should review corporate
naming standards to determine the mail-in database name that will be used for
ADT. We recommended using the name ADT for the process, but local Notes
administration standards may dictate a different naming convention.

Once the mail-in database document has been created, you should test mailing
documents into the database from Lotus Notes mail and Internet (SMTP) mail.

2.2.5 ADT groups

The ADT templates are already configured with standard groups in the ACL. If
you create the following groups (and populate them with the appropriate
members) you will be able to easily access the ADT databases once they have
been created.

18 Distributing Notes Clients Automatically

 Table 2-1 Recommended Domino Directory group
Group name Function

ADT Administrators Used to define the list of users who will have manager rights to
the ADT database and the processes within. This group is
usually assigned to the [Admin] role in the ADT database.

ADT Editors Defines the list of users who will have the ability to modify
documents in the ADT database. This includes the ability to
update the status of user documents in the ADT database.

Remember that after adding new groups, the Domino Server needs a restart (this
is not the case when users are added). Go to the server console and type
Restart Sever to make your changes take effect.

2.2.6 Assign HTTP passwords to all users

If the self-service registration option will be used, the participating users (who are
going to use this process) must have HTTP passwords assigned to them in their
person documents in the Domino Directory. The password is required, or the
users will not be able to authenticate to the ADT server.

Note: If you do not have an easy mechanism for setting the HTTP password
for users in your Domino Directory, ADT includes an agent that will perform
this function for you. Refer to the ADT Operations Guide for additional
information on this.

2.2.7 Enable HTTP on the ADT server

If you will be using the self-service registration option, the ADT servers HTTP
process must be running. If you have a dedicated server allocated for running
Domino applications, you can place a replica of the ADT database on the
Domino server for user registration and use a different server for ADT
processing. The issue here is that there will be a processing delaythe
processing will not begin before the users information has been replicated to the
ADT server.

2.2.8 Assign manager rights to the agent signer

When performing a mail file upgrade or server consolidation using ADT, agents
in the ADT database must have access to all mail files. In order for this process
to work, a user ID that has manager access to all mail databases must sign the
agents in the ADT database. Set up all mail databases Access Control Lists so

Chapter 2. Using Automated Deployment Toolkit for Notes clients 19

 that a person (or a user ID created for this purpose) has manager access to
them.

Note: Depending on the setup of your LocalDomainServers group, you may

be able to use ADT without making any ACL changes in the users mail
database.

2.2.9 Copy files to the ADT server

Copy the ADT template files (called ADT_V210.NTF and ADT_Log.NTF) to the
Domino servers data folder (\lotus\domino\data by default). Be aware that the
files copied off of a CD-ROM disc may have the Read-Only attribute enabled. If
the Read-Only attribute is set, be sure to remove it on the files. The Domino
Server will not be able to update or open the templates if they are set to
Read-Only.

In the Lotus Domino Server data folder on your ADT server (\lotus\domino\data\
by default), create a folder called ADT. Copy the installation CDs Bin folder to
the ADT folder you just created. Be sure to remove the Read-Only attribute on all
of the files you copied.

2.2.10 Additional steps for automated client setup process

If you are performing the automated client setup during a Notes deployment or
migration, you must provide properly configured notes.ini and pernames.ntf files
you will be using. During client setup, ADT will create a new names.nsf from the
template and include the notes.ini in the installation package sent to the user. On
the client side, the Lotus Notes client installation component of ADT will copy the
files to the users workstation along with the users ID file and patch the notes.ini
with the correct settings for the user. Create the necessary notes.ini file and
customize the pernames.ntf template to your needs and place both of the files
into the ADT servers ADT\Bin folder with the rest of the ADT executables.

The ADT will support multiple address book configurations. A setting on the User
Option document in ADT contains a setting that allows you to specify the file
name for the personal address book template you wish to be used for all users
assigned to the User Option.

ADT will support only one Lotus Notes client configuration file (notes.ini) for all
users processed by this instance of ADT.

20 Distributing Notes Clients Automatically

2.2.11 Sign the ADT database templates
After the ADT database templates have been copied to the ADT server, you
must sign the design of the templates so that they will function in the Notes
Security infrastructure within your organization. Open the Lotus Domino
Administrator client using a user ID that has administrative rights to the Lotus
Domino Domain and sign the templates.

Note: If you did not remove the Read-Only attributes on the templates after
you copied them to the ADT server, you will receive errors when you try to
access the templates from the Administrator client.

Now add the ADT Administrators group and insert the persons or groups who
are supposed to be using this tool. After adding new groups, the Domino Server
needs a restart for the group changes to take effect. When convenient, go to the
server console and type Restart Server. When the server is ready, you are
ready to make the final changes to the ADT templates.

2.2.12 Configure agent execution parameters in the ADT template

Before you create the ADT database, you will need to change the configuration
for the scheduled agents in the ADT database.

Open the ADT Database Template on the ADT server from the Lotus Domino
Designer client. Open the Agents section of the database design, and for each
scheduled agent there will be a comment listed below the agents name. Open
the agent and change the schedule option as indicated in the table below. Be
carefull, there are many angents to handle.

Table 2-2 ADT Agent Configuration

Options comment Change Run on to

R4.X Agent Run on Mail Servers Any server

R5 Mail Servers Only Any Server

Run on ADT Server Choose when agent is enabled

Run on Migration Server Choose when agent is enabled

As part of the agent execution strategy, you may want to adjust the times at
which the agents run, to support your specific requirements.

Chapter 2. Using Automated Deployment Toolkit for Notes clients 21

2.2.13 Create the ADT and the ADT Log databases
Create a new ADT database from the template you copied to the servers data
directory. Make sure you turn on the Show advanced templates option;
otherwise you will not see the template in the list of available templates. Put the
ADT database in the ADT folder you created earlier.

Create the ADT Agent Log database from the standard Agent Log template.
Again make sure you turn on the Show advanced templates option. Put the
ADT Log database in the ADT folder.

Update the ADT and ADT Log database ACLs with the appropriate settings for
your organization.

Enable the [Admin] role for any users or groups who will require access to the
Configuration Profile or the ability to run agents in the ADT database. The
[Admin] role controls access to the Admin action and the Execute Tasks option
on the ADT navigator.

Note: If you did not create the standard ADT groups in your Domino Directory,
you may need to modify the ACL in the templates so you can access them
from your workstation.

2.2.14 Create ADT Mail-In Database document

Several of the components of ADT sends messages back to ADT, when steps
performed by the user have been completed. This is accomplished by defining
the ADT database as a mail-in database in the Domino environment.

In Domino, the mail-in database is merely a configuration change in the Domino

Directory, which allows mail messages to be automatically routed into the
database. As far as the users are concerned, the mail-in database is another
mail recipient.

To set up the mail-in database configuration, you will need to add a Mail-in
Database document in your organizations Domino Directory.

Use the Mail-In Databases and Resources to create a Mail-In Database

document. Populate the fields on the form with the information pertinent to your
installation of ADT; for Mail-in name, the recommended choice is ADT, but you
may want to choose another name depending on your organizations naming
conventions or in order to ensure an unambiguous name. The Mail-in Database
document should point to the main copy of the ADT database you created
earlier.

22 Distributing Notes Clients Automatically

 Be sure to use the correct domain and server name to make sure that the
messages are routed to the correct server. Once you have made the necessary
changes, be sure to replicate the changes to all mail servers throughout your
environment.

Figure 2-2 Automated Deployment Toolkit

When you are sure your changes have replicated, send a test message into the
ADT database from a Lotus Notes mail client. The message will appear in the
Process Inbox under the Monitoring option on the ADT database, as shown
below. Test the mail routing to the ADT database and delete the test message
from the process inbox.

Note: Later in the process, when you are configuring ADT, you will populate
the SMTP settings for ADT and will use the SMTP Tester program to test
inbound message routing to ADT from an SMTP mail client.

2.2.15 Creating the ADT encryption key

If you are using the ADT User ID Generation component for a deployment or
migration, you will need to create the ADT encryption key and install it in the ADT
servers ID file. ADT uses a special encryption key, ADTUserRegistration, to

Chapter 2. Using Automated Deployment Toolkit for Notes clients 23

 encrypt the users password on the user documents and the certifier password
on the certifier documents in the ADT database. Before you can save any
certifier documents or create any user ID files, you must create the encryption
key and store it in the ADT servers ID file, plus the ID files for any users who will
create or edit any certifier documents or any user who will need to read the
users ID file password from the ADT database.

Note: This is only required if you are performing a Lotus Notes client
deployment or migration and have turned on the User ID Generation option
within ADT.

2.2.16 Installing data migration tools

If you are performing a migration using ADT, you should now begin installation of
the data migration tools you will be using along with ADT. Installation instructions
for the migration tools supported by ADT are provided in installation
supplements; please refer to the appropriate document for your migration
platform.

2.2.17 Copying files to the Notes client installation set

When you configure ADT, you will be creating Lotus Notes client installation sets
on servers throughout your environment. The Installer folder on the ADT
installation CD contains files that need to be copied to each of the installation
sets. By default, you must copy the notes6inst.exe files to each installation set. If
you wish to perform some additional file copy activities during the installation,
you will also need to copy notesconfig.exe and notesconfig.ini to the installation
sets. These steps are described further in the ADT Configuration Guide.

Note: Be sure to remove the Read-Only attributes on these files once you
have copied them. This will eliminate any problems encountered when you
attempt to update these files later.

2.3 Configuration
The ADT tool has been designed in a way so that you should not have to modify
the design of ADT in order to make ADT work in your environment. Most of the
configuration options are maintained in documents in a Domino database rather
than being hard-coded.

The two major components of the ADT configuration are: Lotus Notes client
installation configuration and ADT database configuration. The remaining

24 Distributing Notes Clients Automatically

 sections of the document provide instructions on how to create the necessary
Lotus Notes client installation sets and get them distributed throughout your
environment, plus detailed instructions on how to set the configuration options in
the ADT database.

There are two types of configuration options in ADT:

Global options: Options that affect the overall operation of the ADT process
and processing options that affect all users processed by ADT. Examples of
Global options are options defined on the ADT Configuration Profile and the
mail message content sent to users.
Functional options: Options that affect a functional area of the system of
which there can be a single option or multiple options defined within ADT.
Examples of Functional options are Installation Path, Installation Type, or
User option configuration documents.

This topic has been described very thoroughly in the actual ADT Configuration
Guide, please consult this for further information.

2.3.1 How to capture at Database Replica ID

You will need to have Databse Replica IDs during the configuration.

Capturing the Replica ID of a database for cut and paste is unfortunately not as
simple as it seems, as it cannot be selected within the normally accessed
screens.

One way to get the Replica ID is by opening the Notes client, selecting the
database on the workspace, and choosing File -> Database -> Design
Synopsis. On the screen that appears select Choose DB Info, chekc the box
Replication, and click OK. This will give you a page similar to the one you see
below.

Chapter 2. Using Automated Deployment Toolkit for Notes clients 25

 Figure 2-3 Design synopsis of a Domino database

26 Distributing Notes Clients Automatically

 3

Chapter 3. Deploying the Notes client

with Active Directory
Imagine getting a brand new computer without an operating system. You turn it
on and then as if by magic you get an operating system, the Notes client, the
Notes clients desktop, and everything you might want on it. No, it is not magic,
but a combination of Active Directory, RIS, Group Policies, and Organizational
Policies in Domino.

With the new policies feature of Domino you can configure different desktops for
different groups of users as well. Creating a complete desktop with no one
touching the machine represents a real reduction the total cost of ownership.

To make this work for everyone, clients will need Windows 2000 or higher on
their desktops, and Active Directory needs to be deployed as well. Your
administrators will need to understand Group Policies thoroughly. Do not
underestimate the complexity of this project. It can take a company many months
to get it right. However, in these days of tight IT budgets, savings on support calls
and desktop reconfiguration represent a real savings. So if you are migrating to
Active Directory anyway, take the time and leverage Dominos new desktop
management features. You will not regret it.

Copyright IBM Corp. 2003. All rights reserved. 27

3.1 Active Directory basics
You need to know some basics about the Active Directory so that you can deploy
the Notes client using it. For more detailed information try the Microsoft Resource
Kit for Windows 2000 as a starting point.

The following is a table that compares some Active Directory features and tools
to their Domino counterparts.

Table 3-1 Active Directory components and their counterparts in Domino

Term Microsoft speak Lotus speak

Active Directory A database that is a The Domino Directory is

Administrative Tools
collection of objects and a collection of
attributes associated documents that contain
with each. The fields and values for
database is divided into those fields that control
three partitions: the behavior of a
Domain, configuration, Domino Domain. All
and schema. Domain servers in a domain
controllers of the same share the same Domino
domain share the Directory.
domain partition. Every
domain in the forest
shares configuration
and schema partitions.
All three partitions
control the behavior of
domains in a forest.
The Microsoft Control of the Domino
Management Console is Directory is
a program whose accomplished by the
functionality is use of groups and
enhanced through the entries in the Access
use of snap-ins. Control List.
Restricting the number Additionally, there is the
of objects that can be Administrative client,
viewed can control the Domino Administrator,
scope of functionality, which provides more
as well as use of the tools for monitoring one
predefined or more domains.
administrative groups. A
basic set of predefined
MMCs to control a forest
can be found by
executing
adminpak.msi.

28 Distributing Notes Clients Automatically

Term Microsoft speak Lotus speak

Active Directory users An MMC console that Registration of users,

and computers controls the creation of
users, groups,
computers, and
organizational units. It is
also used to publish
shares and printers, and
change the nature of the
domain from mixed to
native mode, and to
access the default
group policy for the
domain.
Active Directory Sites An MMC console that
and Services controls replication and
authentication and
visualizes the topology
of a forest. Sites, site
links, and subnets are
created here.
Active Directory MMC console that can
domains and trusts be used to add new trust
relationships or modify
existing ones.
computers, and the
creation of
organizational certifiers
is done through the
Domino Administrator
program.
A server document
identifies the Notes
Named Network a
server belongs to.
Connection documents
control the method and
time of replication.
Domino Administrator
can visualize the
topology.
Cross certification of
Domino Domains in the
Domino Administrator is
an equivalent here.

Global Catalog Server A domain controller that Directory Catalog,

has information not only Directory Assistance.
from its own domain, but
about 40% of the
information that exists
on domain controllers
from other domains in
the forest. Required for
authentication in native
mode. First machine in
the forest is a GC.
Others can be created
in Active Directory sites
and services.

Chapter 3. Deploying the Notes client with Active Directory 29

 Term Microsoft speak Lotus speak

Flexible Single Master In a domain, one Having the Domino

Operations (FSMO)
machine is in charge of Directory being
three specific functions, authoritative on a
can be one server but server.
should not be, PDC
emulation (downward
domain controller
compatibility), RID
master domain
controllers are
multi-master and need
a pool of IDs to hand
out, and infrastructure
master that handles
user and group
relationships. Be very
careful here: Loss of a
FSMO can lead to
significant functionality
being lost. Roles can be
seized, but the original
machine cannot be
brought back.

Native Mode All domain controllers Having the benefits

are Windows 2000. associated with all
While there is a PDC servers being Version
emulator per domain, 6.
changes to users,
groups, etc. can be
made on any domain
controller and
syncronized every 5
minutes within a site
and per schedule
between sites. Other
changes include the
ability to nest group
types and the addition of
a new group type called
universal. Change to
Native is done once
only. No going back to
old BDCs.

30 Distributing Notes Clients Automatically

Term Microsoft speak Lotus speak

NTDSUTIL The most important Compact, Fixup.

utility. Can only be used
in AD restore mode, F8,
at startup. Used to seize
roles, perform
authoritative restore,
compact database, and
move log files. Need to
know this one cold.

Group Policy Objects A collection of registry Setup and

commands that can be organizational profiles in
used to control the the Domino Directory.
desktop and capabilities
of users. Can be
implemented at site,
domain, and OU levels.
Notes clients can be
deployed using this.
Settings are kept in two
places, sysvol and
Active Directory.
Distributed File System Stand-alone or domain Directory links.
(DFS) controller based it is the
ability to have multiple
share points appear as
one.

Site Collection of domain Notes named network

controllers from one or for mail. Connection
more domains located documents for Domino
on the same physical Directory replication
subnet. Domain manually created or
enabled for replication.
controllers are put in
the default first site
until moved. Replication
is uncontrolled (every 5
minutes) and not
compressed. Topology
can be change
manually. Clients
authenticate to domain
controllers in the same
site first.

Chapter 3. Deploying the Notes client with Active Directory 31

 Term Microsoft speak Lotus speak

Site links Links between domain Connection documents.

controllers on different
subnets. Frequency can
be adjusted and
availability of links
controlled. When
amount of data is
substantial, data is
compressed.

Trust relationships Ability to assign Complete cross

permissions to users certification of all
and groups in other Domino domains.
domains. Automatically
created in 2000, they
are bi-directional and
transitive.
OU Organizational units OU does have a
created in AD users and security context.
computers. No security
context is given to an
OU. Security can be
applied to an OU via
group policies and
delegation of authority
wizard.

32 Distributing Notes Clients Automatically

Term Microsoft speak Lotus speak

Schema Master A server for the forest Templates, schema

that controls the design database.
of Active Directory.
Disabled by default,
only schema admins
can make changes to
the design. If the
schema master is
unavailable you cannot
add Active Directory
integrated software to
the forest. When you do
this a very large amount
of replication will take
place to inform all the
domain controllers in
the forest of the change
to AD. Things go into
AD when you change
the schema, but they do
not come out.
Domain Naming Maste One server that record Having a cert ID file to
domains added to a create a domain. Rights
forest. If you cannot to the Domino Directory.
make a domain
controller a domain
naming master, or if you
cannot contact it, you
are unable to add or
remove domains from
the forest.
ADSI Program tools used to Notes API.
change Active
Directory. ADSI in the
resource kit can be used
to see if modifications to
AD have occurred.

Chapter 3. Deploying the Notes client with Active Directory 33

 Term Microsoft speak Lotus speak

Dcpromo Program used to make Install program.

a server a domain
controller. Invoked
automatically on the
primary domain
controller when it is
upgraded. Make sure
W2K DNS is functioning
properly or it will fail.

3.2 Using Group Policies to deploy the Notes client

Group Policies can be used to set the registries of Windows 2000 (and higher)
machines. It can also be used to deploy software. Software deployment using
Active Directory is not a complete answer for many organizations. If you were to,
say, use SMS, you could do hardware inventories and check licensing. Software
deployment with Active Directory will not check how much disk space or memory
a machine has. It will install the software or make it available to end users
through publishing.

This technique needs to be fully tested before full deployment. Be sure to

consider such issues as bandwidth when placing packages on servers from
which users will have software.

To demonstrate using Active Directory to deploy Notes 6, let us assume we have

a small branch office and we would like to deploy the Notes software. We have
Active Directory and a Domain Controller at the branch office. How can we install
the Notes client on all of the workstations?

First some assumptions: All of the machines at the branch office are Windows
2000 or better and have sufficient space for the Notes client. We have a file
server and have placed a version of the Notes client software distribution files,
configured the way we want, on a share point that all clients can get to. This
share has at least read as a permission for authenticated users. Our
administrators have rights to create Group Policies in Active Directory and child
objects as well.

We first begin by creating an organizational unit in Active Directory users and

computers. This OU can look like your Domino certifier hierarchy if you wish. We
want an OU for our branch office so that we can apply Group Policies here that
might be very different than elsewhere in our organization. When Group Policies
are evaluated, they start at the site level (see Table 3-1 on page 28 for the
definition of a site), then the domain, then the OUs. Policies can cancel each

34 Distributing Notes Clients Automatically

other out as they get to the object they affect. The last policy determines the final
setting of the user or machine.

Because we want the Notes client on every machine (note in our scenario there
are no servers in this OU), we will create a policy at the branch office OU object.
You could create additional policies further down in the hierarchy if you want to.
The only penalties will be in additional logon time and complexity in resolving any
client issues.

Figure 3-1 Selecting the branch office object

To create a Group Policy:

1. To create a Group Policy, select the properties of an OU (Figure 3-2 on
page 36).

Chapter 3. Deploying the Notes client with Active Directory 35

 Figure 3-2 Select properties of an OU as a first step

2. The branch office object has a Group Policy tab that we will add a new Group
Policy to. When giving it a name be very careful to give it one that is unique to
the location and purpose. We are calling our Group Policy Branch Office.

36 Distributing Notes Clients Automatically

Figure 3-3 Group Policy tab

3. Note the unique name number on the General tab.

Figure 3-4 Branch office properties

Chapter 3. Deploying the Notes client with Active Directory 37

 4. Group policies are stored in two places: In Active Directory itself, where they
are visible to everyone in the forest; and in the SYSVOL share of every
domain controller of the domain they were created in. Figure 3-5 shows the
contents of the SYSVOL share and a folder that has the settings of the Group
Policies with a number identical to the property page of the policy itself.
Because the group policies are visible to all, you need to manage who can
use them. If, for example, an administrator from another domain in the forest
decided to use your policy, the users from the other domain would look for a
domain controller that contained the settings. This might mean going across a
wide area network link to do so.

Figure 3-5 The physical location of the group policies on a domain controller

5. Another important aspect of Group Policies is permissions to read those

Group Policies (Figure 3-6 on page 39). The default behavior is to allow
authenticated users to read Group Policies. If you did not want everyone who
could log in to be impacted by a Group Policy, you would remove the ability to
read about the policy in the permissions page. This can be a useful testing
tool. You could create groups allowing them to read a policy. This could
prevent impacting users in an adverse way. By all means test policy
permissions carefully before putting them in a production environment.

38 Distributing Notes Clients Automatically

Figure 3-6 Permissions page for a Group Policy

To distribute software we will next create a software package in the Group

Policy.
1. Begin by selecting edit of the Group Policy you want to modify (Figure 3-7 on
page 40).

Chapter 3. Deploying the Notes client with Active Directory 39

 Figure 3-7 Edit the Group Policy object

2. Examine the properties of the software installation object (Figure 3-8).

Figure 3-8 Select the properties of the object

3. Examining the properties page will show you some of the capabilities of
software deployment on a collection of computer objects in an OU. Selecting
categories allows you to organize what people will see when they go into the
control panel in Windows and use Add and Remove Software -> add New
Software.

40 Distributing Notes Clients Automatically

Figure 3-9 Property page for software installation

Notice the ability to remove software deployed by a policy. Group policies have
immense power as far as controlling application deployment. We will next create
a software package for Notes.
1. When we create a package there are two ways of deploying it. We can install
it on every machine (Figure 3-10 on page 42) before the users log on or we
can install it after a user logs into a machine that does not have an application
and invokes a download by clicking an icon or file extension of an application
(Figure 3-11 on page 42).

Chapter 3. Deploying the Notes client with Active Directory 41

 Figure 3-10 Creating a new package for every machine

Figure 3-11 A package for users of a Group Policy

2. The next step is to point to an MSI file for a software package. You should put
all of the software that will be downloaded by users in an OU on a server that
is close to them. For creating customized MSI files for Notes see Chapter 1,
Customizing client installations with transform files on page 1.

42 Distributing Notes Clients Automatically

Figure 3-12 Selecting a package

3. Open the properties for the package. The General tab contains the name and
and other general information for the package.

Figure 3-13 Properties of the package

Tip: You could remove applications deployed by a Group Policy as well as

install them.

Chapter 3. Deploying the Notes client with Active Directory 43

 Figure 3-14 Deployment options

4. Notice all of the information stored in the package. The property page also
gives you the ability to uninstall the application if you wish (Figure 3-14), and
add install shield msi files to the package as well (Figure 3-15 on page 44).

Figure 3-15 Adding an MSI file

44 Distributing Notes Clients Automatically

5. If you want to control whether you can see a package in order to use it, that
can be done through a Security tab of the Property page. See the Microsoft
documentation for best practices on Group Policy permissions.

Figure 3-16 Permissions for a software package

6. After you have deployed an application, you can return to the package and
either remove it or redeploy it, if you made significant changes to it.

Figure 3-17 You have the ability to change versions and remove applications

You can use the same exact steps to publish or assign an application for users. If
you publish an application end users will see the Notes client offered as a
software application available for install (Figure 3-22 on page 49). If the

Chapter 3. Deploying the Notes client with Active Directory 45

 application is assigned, the user would have the download occur if she clicked
the Notes icon or tried to open an NSF file.

3.2.1 Summary
With the new support for MSI files in the Notes 6 client, it is not only easy to
customize the installation package, but it is possible to use Active Directory to
deploy the software. Remember software deployment with Group Polices does
not deal with getting hardware or software inventories from clients. To get those
features you would need a fully featured software distribution program. The
technique of software distribution might be an ideal solution to those companies
that have Active Directory and want to use Domino and Notes but do not require
the full feature set of Tivoli or SMS. This technique can help bring down the cost
of deployment, a benefit worth working toward.

3.3 Installing non-MSI applications

Group Policies software distribution is not limited to software packages that use
MSI files. You can publish non-MSI based software by creating what is referred
to as a ZAP file. Say, for example, you are still on Notes 5.0.x and want to rollout
the Domino Unified Messaging Client. You would create a share point for the
DUCS software, making sure that the licensing components ae available. You
then need to create a text file with a .zap extension that has information like in
the sample that follows.
[Application]
; Only FriendlyName and SetupCommand are required,
; everything else is optional.

; FriendlyName is the name of the program that

; will appear in the software installation snap-in
; and the Add/Remove Programs tool.
; REQUIRED
FriendlyName = "DUCS Client Software for Avaya"

; SetupCommand is the command line used to

; Run the program's Setup. If it is a relative
; path, it is assumed to be relative to the
; location of the .zap file.
; Long file name paths need to be quoted. For example:
; SetupCommand = "long folder\setup.exe" /unattend
; or
; SetupCommand = "\\server\share\long _
; folder\setup.exe" /unattend
; REQUIRED

46 Distributing Notes Clients Automatically

SetupCommand = "setup.exe"

; Version of the program that will appear

; in the software installation snap-in and the
; Add/Remove Programs tool.
; OPTIONAL
DisplayVersion = 1.1

; Version of the program that will appear

; in the software installation snap-in and the
; Add/Remove Programs tool.
; OPTIONAL
Publisher = IBM Lotus Software

After you create the file, you would put it into the folder where the application
resides. Once in place you can create a software package for users that you can
publish. Figure 3-18 shows selecting a zap file located on the distribution
sharepoint.

Figure 3-18 Make sure under file type you select zap as the file type

You have the option of publishing or advance publishing. See the Microsoft
documentation for a further explanation of these options.

Chapter 3. Deploying the Notes client with Active Directory 47

 Figure 3-19 Select the Publishing option

Since there might be several hundred packages to choose from, you might elect
to give your package a unique category. This is done under the machine
software installation (Figure 3-20).

Figure 3-20 Categorizing a software package

48 Distributing Notes Clients Automatically

Figure 3-21 Lotus applications category has been selected

Assuming a user has the rights to read about the software package, Figure 3-22
shows what he would see if the user had a Windows 2000 or higher client. Notice
some the information we placed into the ZAP file appears here.

Figure 3-22 Selecting an application

Figure Figure 3-23 shows the different categories and software available to this
user.

Chapter 3. Deploying the Notes client with Active Directory 49

 Figure 3-23 Multiple categories for software in add/remove programs

Tip: For further information about creating ZAP files see Microsoft Knowledge
Base article 231747.

3.4 Summary
If you have Active Directory, Domino and Notes can take full advantage of it.
Software can be deployed and used in conjunction with Domino policies to fully
deploy your new Notes clients.

50 Distributing Notes Clients Automatically

 Back cover

Distributing Notes Clients

Automatically
Redpaper

Creating customized This IBM Redpaper describes how to distribute Notes clients
Notes installation automatically. The paper is not a complete guide on Notes
INTERNATIONAL
packages client deployment, rather it is a collection of information about TECHNICAL
some of the different technologies that can be used for SUPPORT
Automated deploying Notes clients automatically. The basic idea behind ORGANIZATION
automated software distribution is to make installing multiple
Deployment Toolkit
clients more efficient.
described
We begin by explaining how to use InstallShield Tuner for BUILDING TECHNICAL
Using Active Lotus Notes to create customized Notes installation packages. INFORMATION BASED ON
Directory for client PRACTICAL EXPERIENCE
We guide the reader through the process of customizing an
distribution installation of Lotus Notes using that technology.
IBM Redbooks are developed by
We then describe how to use Automated Deployment Toolkit the IBM International Technical
(ADT), which is an automated, managed system for deploying, Support Organization. Experts
from IBM, Customers and
upgrading, or migrating an existing messaging system to
Partners from around the world
Notes R5 and Notes 6. create timely technical
information based on realistic
The final chapter describes how to use Active Directory for scenarios. Specific
deploying Notes clients. recommendations are provided
to help you implement IT
solutions more effectively in
your environment.

For more information:

ibm.com/redbooks