Hase00 Introduction
Configuring and Administering Domino Server 6.0

SkillSoft Press © 2003

Introduction
About the Book
Domino is a tool that you can use for messaging, scheduling, and maintaining task lists, and to enable
employees of an organization to communicate, collaborate, and coordinate business processes.

This book starts with an introduction to a Domino network and the tools available for Domino
system administration. It discusses how to install and configure Domino servers and users. It also
explains the configuration of tasks in Domino and the server management and monitoring
activities.

This book provides a foundation for a Domino system administrator. It covers in depth
the configuration of a Domino network and the tasks required to administer the Domino server.
This book caters to experienced Local Area Network (LAN) administrators who set up and manage
the networks in their organization and provide helpdesk support to Lotus Notes users. To make the best use of
this book, readers should have prior knowledge of networking concepts and the Internet
protocols. They should also have a working knowledge of the Lotus Notes client.

Chapter 1: Introducing Domino


Domino belongs to the groupware category of software. Companies use Domino as a tool for
messaging, scheduling, and maintaining task lists, and to enable employees to communicate,
collaborate, and coordinate business processes in the office. Domino supports several clients that
allow users to take full advantage of the features that Domino provides.

Several platforms support Domino servers, including Windows, AIX, LINUX, and Solaris. As a
result, you can deploy Domino on a variety of platforms and mixed environments. In addition, you
can run Domino clients on various operating systems, such as Windows 95/98, Windows XP,
Windows NT, Windows 2000, or the Macintosh.

This chapter introduces Domino servers and clients. It describes the Domino Server Console and
the server commands you need to use with the console. It also explains the various administration
clients available with Domino. In addition, the chapter explains the Domino configuration file,
NOTES.INI.

Overview of a Domino Setup


A Domino deployment consists of servers and users. The Domino servers and users are defined in
a Domino database called the Domino directory. All the servers and users of a common Domino
directory form a Domino domain. All users and servers in a Domino domain are named according
to a hierarchical naming scheme.

You access Domino servers using clients, such as Lotus Notes or Web-based clients. To configure
the clients, you first register the users in the Domino directory, and then configure the client
software to connect to the server.
Introduction to Domino Servers

A Domino server is a powerful software platform that provides various facilities to users, such as
routing messages to Notes and the Internet, allowing users to browse the Web, hosting
applications for Notes, Web, and mobile users, and providing real-time integration with the
enterprise data.

Based on their functionality, Domino servers are categorized into three types:
• Messaging: Supports Notes mail as well as Internet standards for mail, such as SMTP,
POP3, IMAP, and HTTP mail. Also known as a Mail server, this server is used only for
messaging.
• Utility: Helps develop applications for Notes as well as Web clients. You use this server
for deploying Domino applications. In addition, you can create applications that integrate
with the back-end enterprise data.
• Enterprise: Combines the features of the Mail and Utility servers. In addition, it provides
features such as clustering and partitioned servers. Clustering allows you to configure
servers as backup for each other for failover and load balancing. Partitioned servers allow
you to install multiple Domino servers on the same computer. You can use this server for
messaging as well as application development.

The servers in a domain are configured to perform various activities, such as routing messages
between users, maintaining scheduling information for users, and hosting application databases for
Notes users. In addition, the servers host Web applications and services, provide directory
services to Internet clients, and provide discussion forums to Notes and Internet clients. Based on
the roles that may be assigned to a server, you configure various services on the server. You can
configure Domino servers as messaging, application, Web, or domain search servers.

Domino servers also provide several tools for monitoring server performance, such as statistics
monitoring, event monitoring, activity analysis, and log analysis.

Introduction to Domino Clients

Domino clients access the Domino server to perform various functions, such as sending e-mail,
accessing databases, and browsing the Web. There are three types of Domino clients:
• Lotus Notes: For end users. You can use this client for messaging, browsing the Web,
organizing schedules, and accessing applications.
• Domino Administration: For administrators. You can use this client for all types of
administrative tasks, such as registering the Domino server, registering users, and setting
up and managing the Domino infrastructure.
• Domino Designer: For application developers. It provides an integrated development
environment that allows you to develop Domino applications for various purposes.

In addition to these three clients, there are some other clients that can access a Domino server:
• Web browsers, such as Internet Explorer and Netscape Navigator.
• Internet e-mail clients, such as Outlook Express.
• Mobile clients, such as WAP-enabled cellular phones.
• iNotes for Web Access.

Working with the Domino Server


The Domino server has a character-based console. You can use this console to issue commands
to the server. Domino also provides various administrative tools to work on the Domino server,
such as the Domino Administration client or the Web Administrator. These tools allow you to
perform administrative tasks, such as registering users and servers and configuring various
activities on the server.

Using the Domino Server Console


The Domino server shows the events on the console as they happen on the server. You use the
Domino Server Console to send commands to the server. Figure 1-1 shows a Domino Server Console:

Figure 1-1: A Domino Server Console

All the services on the Domino server, such as messaging, replication, and calendaring and
scheduling, run as tasks. You can start a task using the LOAD command. For example, the
following command starts the mail router task on the server:
LOAD ROUTER

You quit a task using the following command:
TELL <taskname> QUIT

Using the Domino Server Console, you can give instructions to certain tasks, such as the
Administration Process (AdminP). These instructions are given using TELL commands, as shown in
the following command:
TELL ADMINP PROCESS INTERVAL

Domino also provides the following server commands, including SHOW commands that you can use to
view information:
• BROADCAST: Sends a message to specified users or to all users connected to a
server.
• DROP: Closes one or more server sessions.
• HELP: Lists the server commands with their descriptions, arguments, and syntax.
• SHOW DIRECTORY: Lists all database files in the Domino DATA directory and
identifies multiple replicas of a database.
• SHOW DISKSPACE: Displays the amount of space, in bytes, available on the disk
drive.
• SHOW OPENDATABASES: Lists the open databases on the server and
information about the databases.
• SHOW SERVER: Displays server status information.
• SHOW STATISTICS: Displays Domino server statistics for disk space, memory,
mail, replication, and network activity.
• SHOW TASKS: Displays the server name, the Domino program directory path, and
the status of the active server tasks.
• SHOW USERS: Lists the users who have established sessions with the server.

You can stop the Domino server by issuing QUIT or EXIT at the Server Console.

Using Server Administration Clients

Domino R6 provides various administration clients to administer the server. The Domino
Administrator client is the most commonly used graphical user interface-based administration
client. To administer the Domino server using a browser, you can use the Web Administrator client.
Domino also includes a Java-based console that allows you to administer multiple Domino servers
from a single computer.
The Domino Administration Client
To perform administrative tasks on the server, you need to install the Domino Administrator client
separately from the Domino server. These administrative tasks include registering users and
servers, creating server configuration documents, and monitoring the server.
When you start the Domino Administrator client, it displays a Welcome page as shown in Figure 1-2:

Figure 1-2: Welcome Page of the Domino Administrator Client

If you do not wish to view this page every time you start the client, check the Don’t show this again
option.
You need to close the Welcome page to access the Domino Administrator client interface. Figure
1-3 shows the Domino Administrator client screen:

Figure 1-3: The Domino Administrator Client Screen

The Domino Administrator client screen contains six tabs:

• People & Groups: Contains tools to manage people and groups. It contains
user-related views from the Domino directory, such as Person, Groups, Policies,
Settings, and Certificates.
• Files: Shows the databases, templates, folders, and the links to databases,
folders, and other files in the server’s DATA directory. It also contains tools that
allow you to view disk space information, add, modify, and delete database and
folder links, and perform database management tasks.
• Server: Shows the current server activity and tasks. You can access the Server
Console from this tab and start and stop various tasks running on the server.
This tab has five sub-tabs: Status, Analysis, Monitoring, Statistics, and
Performance. The tools in the Server tab allow you to issue commands to the
Domino server, view server statistics to analyze and troubleshoot the
performance of the server, and monitor the servers in the domain.
• Messaging: Contains mail-related information. This tab has two sub-tabs, Mail
and Tracking Center. The Mail sub-tab contains information, such as server-wise
mail users, the server's outgoing mailbox, shared mail status, and mail routing
status and topology. The Tracking Center contains options to track messages
and generate reports on messages sent by the users. The Messaging tab also
contains tools for starting and stopping the mail router, routing mail, and sending
a mail trace.
• Replication: Contains replication-related information, such as replication
schedules, events, and topology.
• Configuration: Contains all the server configuration documents, such as the
Server, Configuration Settings, Messaging Settings, and Connection documents.
This tab also contains information related to Web configuration, Monitoring
configuration, and Clusters. The tab contains important tools that allow you to
register users, servers, and Notes and Internet certifiers in addition to the tools
needed for certification-related activities.

The Domino Administrator client interface is separated into four panes:

• Task: Contains logically grouped options of a selected tab. For example, the
Configuration tab contains all server configuration options. The Task pane
groups these options into sections, such as Server, Messaging, Replication,
Directory and Web.
• Results: Shows information related to the option selected in the Task pane. For
example, if you select the People view in the Task pane of the People & Groups
tab, the Results pane shows all the person documents from the Domino directory.
• Tools: Provides functions associated with the selected tab. For example, in the
Files tab, the Tools pane contains tools to view disk space information, add,
modify, and delete database and folder links, and perform database
management tasks.
• Server: Shows the list of servers in a domain grouped in various views. The
Server pane appears when you click the Domain bookmark in the bookmark bar.
Figure 1-4 shows the Server pane:

Figure 1-4: The Server Pane


Note You can fix the Server pane permanently on the screen by clicking the pin
icon in the Server pane.
If the servers in the Server pane do not display correctly, you can refresh the servers by selecting
Administration-> Refresh Server List-> Current Domain, as shown in Figure 1-5:

Figure 1-5: Refreshing the Server List

In addition to the tabs and the panes, the Domino Administrator client contains two bars:
• Menu: Contains the menu options for performing administrative tasks in the
Domino Administrator client. The Menu bar is located at the top of the Domino
Administrator client.
• Bookmark: Contains bookmarks such as Favorites and Domain, links to Lotus
Notes clients and, if installed, the Domino Designer client. The Bookmark bar is
located to the left in the Domino Administrator client.
The Domino Administrator client also allows you to access the character-based Server Console.
Select Server-> Status. From the Status tabbed page, select Server Console in the Domino
Administrator client to access the character-based Server Console. Figure 1-6 shows the Domino
Server Console:

Figure 1-6: The Domino Server Console in the Domino Administrator Client

You can run the Domino Server Console as a live console by clicking the Live button. A live
console shows all the activities and messages appearing on the Domino Server Console.

You can enter Domino Server Console commands in this console by typing the commands or
selecting them from the Domino Command field.

The Web Administrator Client


The Web Administrator client allows you to administer the server using a Web browser. The Web
Administrator client provides most of the options available in the Domino Administrator client, such
as registering and monitoring users and servers, collecting statistics, changing the database
Access Control List (ACL), and using the remote Server Console.

In contrast to the Domino Administrator client, the Web Administrator client does not allow you to
register certifiers or configure any certification-related options. Another difference is that the Web
Administrator contains tools in the Replication tab that allow you to issue commands to the
REPLICATOR task on the server.

The Web Administrator client is based on the Web Administrator database (WEBADMIN.NSF).
Domino creates this database automatically when you start the Web Server task (HTTP) on the
server for the first time.

The Web Administration database contains roles that you can assign to various users to allow
them to perform different activities using the Web Administrator client. For example, you can
assign the [Files] role to a user to allow the user to use the tools in the Files tab. By using roles to
define which user can perform what activities, you can delegate administrative activities to users
who do not have access to the Domino Administrator client.
Note To learn how to assign roles to users, see Chapter 10, Domino Security.

To open the Web Administrator client:


1. Open the Web browser.
Note To access the Web Administrator client, you need to use Internet Explorer
version 5.5 or later or Netscape 4.7x.
2. Specify the following URL:
http://<Domino Server hostname>/webadmin.nsf
3. Specify your user name and Internet password. The Web Administrator client
appears as shown in Figure 1-7:

Figure 1-7: The Web Administrator Client

The Java-Based Domino Console


The Java-based Domino console provides a Server Console that runs on any platform that
supports Java. Using the Java-based Domino console, you can:
• Remotely start and shut down the Domino server.
• Connect to various servers in various domains.
• Issue commands for groups of servers.
• Issue operating system or shell commands.
• Use menu options for console commands.

The Java-based Domino console has two main components:

• Server Controller: Starts the Domino server it controls and listens to the
commands. You can send operating system commands, also known as shell
commands, Controller commands, and Domino server commands to the Server
Controller. You can also use remote consoles in the Domino Administrator and
Web Administrator to communicate with a Server Controller.
• Domino Console: Provides a user interface to communicate with the Server
Controller. The Domino Console requires only a Domino Internet name and
password to connect to a server. The Domino Console functions as a Server
Console and does not include the full set of Domino administration features that
are available through the Domino Administrator and the Web Administrator. You
cannot use the Domino Console to open and manage Notes databases.

To start the Server Controller, click Start -> Run from the Windows Start menu and run the
following command:
<Domino Program Folder Path>\nserver.exe -jc -c -s

In the above command, you can omit the -s option to start the Server Controller and the Domino
Server together. To start the Domino Console and the Server Controller together, you can omit the
-c option. To start all the three components together, you can omit both arguments, -c as well as
-s.
Figure 1-8 shows the Server Controller screen:

Figure 1-8: The Server Controller Screen

To start the Java-based Domino Console, run the following command using the Start-> Run option
from the Windows Start menu:
<DominoProgramFolder>\jconsole
Figure 1-9 shows the Java-based Domino Console window:

Figure 1-9: The Lotus Domino Console

The Domino Console is separated into the following parts:

• Bookmark Panel: Contains bookmarks to the local server, domains, or
connected servers.
• Server Panel: Shows the servers to which you have connected using the
Domino Console.
• Header Panel: Shows the server name, platform, and the user name with which
you have connected to the server.
• Console Window: Shows the server events taking place on the connected
server.
• Command Panel: Allows you to send commands to the connected servers.
• Menu Bar: Contains options to configure the Domino Console window and send
commands to the Server Controller.
• Event Filter Panel: Allows you to specify the types of events that must be shown
in the Console window.

Introducing the NOTES.INI File


The NOTES.INI file contains important configuration settings for the Domino server and clients.
The NOTES.INI file for a Domino server is located in the Domino Program folder, which is most
commonly the \LOTUS\DOMINO folder on the drive on which you have installed the Domino
server. The NOTES.INI file for a server contains settings such as the Domino server tasks that
must start automatically at server startup.
Figure 1-10 shows a sample NOTES.INI file:

Figure 1-10: A Sample NOTES.INI File

Domino provides several methods to update the NOTES.INI file:

• Using a text editor, such as Notepad.
• Using the Domino Server Console commands. You can use the following command to
update an entry in the NOTES.INI file:
SET CONFIGURATION <parameter> = <value>

For example, the following command updates the parameter LOG_REPLICATION in the NOTES.INI file
and assigns it the value 0:
SET CONFIGURATION LOG_REPLICATION=0
• Using the Configuration Settings document in the Domino Directory.
Note An accidental or incorrect change to the NOTES.INI file may cause Domino
or Notes to run unpredictably.
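
One way to catch an accidental change of the kind the note describes is to compare the current NOTES.INI against a known-good copy. The following Python script is an added example, not part of the book. The two snapshots are constructed, ServerTasks is the setting that lists the tasks started at server startup, and comparing setting names without regard to case is an assumption of the example.

```python
"""Added example: report drift between two NOTES.INI snapshots."""
from typing import Dict, List, Tuple

# Constructed sample snapshots (not taken from a real server).
BASELINE = """[Notes]
ServerTasks=Update,Router,AdminP
LOG_REPLICATION=1
"""

CURRENT = """[Notes]
ServerTasks=Update,Router,AdminP,HTTP
LOG_REPLICATION=0
LOG_SESSIONS 1
"""


def parse_notes_ini(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Return (settings, malformed_lines) for the text of a NOTES.INI file.

    Assumption of this example: setting names are compared without regard
    to case, so they are stored upper-cased.
    """
    settings: Dict[str, str] = {}
    malformed: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or (line.startswith("[") and line.endswith("]")):
            continue  # blank line or the section header
        if "=" not in line:
            malformed.append(line)  # e.g. a hand edit that lost its "="
            continue
        name, value = line.split("=", 1)
        settings[name.strip().upper()] = value.strip()
    return settings, malformed


def diff_settings(old: Dict[str, str], new: Dict[str, str]) -> Dict[str, dict]:
    """Group the differences into added, removed and changed settings."""
    return {
        "added": {k: new[k] for k in new.keys() - old.keys()},
        "removed": {k: old[k] for k in old.keys() - new.keys()},
        "changed": {
            k: (old[k], new[k])
            for k in old.keys() & new.keys()
            if old[k] != new[k]
        },
    }


def startup_task_changes(
    old: Dict[str, str], new: Dict[str, str]
) -> Tuple[List[str], List[str]]:
    """Return (tasks newly started at startup, tasks no longer started)."""

    def tasks(settings: Dict[str, str]) -> set:
        value = settings.get("SERVERTASKS", "")
        return {t.strip().lower() for t in value.split(",") if t.strip()}

    before, after = tasks(old), tasks(new)
    return sorted(after - before), sorted(before - after)


if __name__ == "__main__":
    old, _ = parse_notes_ini(BASELINE)
    new, bad = parse_notes_ini(CURRENT)
    for line in bad:
        print("malformed line:", line)
    for kind, items in diff_settings(old, new).items():
        for name, value in sorted(items.items()):
            print(kind, name, value)
    started, stopped = startup_task_changes(old, new)
    print("newly started at startup:", started)
    print("no longer started at startup:", stopped)
```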

Chapter 2: Installing and Configuring Domino Servers

Domino servers form the backbone for the Lotus Domino setup in an organization. To deploy
Domino successfully, you need to make a comprehensive plan for its deployment. Your planning
should include the number of servers to be deployed, the location of each server, the network
connectivity to each location, the roles to be assigned to each server, the name of the
administrator for each server, and the hierarchical naming trees.

During the deployment of Domino servers and clients, you need to install and configure the servers
and clients. You must also set up other services on the servers.

This chapter explains how to install and configure the first Domino server and the administration
client. It also explains how to register, install, and configure the additional servers.
Overview of Domino Deployment
The Domino deployment for your organization includes deploying Domino servers, deploying the
clients, and configuring various services that are required in your setup. The deployment process
combines comprehensive planning, software installations and the various configurations.

Your sequence of actions for the deployment of Domino server should be:
1. Plan the number and location of servers in the organization.
2. Plan the naming conventions by creating the hierarchical tree on paper. Decide the
name of the domain and the names of the servers.
3. Plan the roles for each server to decide which tasks should be enabled on each of
them.
4. Set up the network infrastructure between all the servers.
5. Install and set up the first server.
6. Install and set up the administration client.
7. Set up the administration preferences.
8. Register the additional organization units.
9. Set up password recovery for each certifier.
10. Register the additional servers.
11. Install and configure the additional servers.
12. Register users.
13. Install and set up clients.
14. Set up the rest of the services on the servers.

Planning a Domino Setup


Deploying Domino successfully in an organization requires careful planning beforehand. You
must plan out the number of Domino domains that you want to create for your organization. You
must plan the number of servers, the location of each server, the network connectivity to each
location and the roles to be assigned to each server, and also the hierarchical naming tree for the
organization.

Planning the Number of Domains

A Domino domain is a group of servers and users that share a common Domino directory.

Creating multiple domains leads to multiple Domino directories. For small to medium-sized
organizations, a single Domino directory is ideal because you can administer the servers and
users from a central location. A single domain is easy to set up and manage.

Managing multiple domains requires additional configuration and extra administrative effort. You
may want to create multiple domains if your organization has independent business units and you
want each business unit to maintain its own Domino directory. You may also create multiple
domains if the number of users and servers in your organization is too high and you find it difficult
to manage the Domino directory due to its size. It is ideal to split such a directory into two, which
also leads to two different domains. Another situation where you may want to create more than one
Domino domain for your organization is when the various offices are located at geographically
distant locations with slow and unreliable network connections that make it impossible to maintain
a single Domino directory at all these locations. You can set up a separate domain for each
location.

Planning the Hierarchical Naming Tree


Domino uses a hierarchical naming scheme to name all its users and servers. A hierarchical
naming scheme uses an organizational tree structure to name the users and servers in an
organization. The top-most level in the hierarchical tree is the organization name followed by up to
four organization units. You can base this structure on the actual organizational, geographical, or
departmental structure of a company. Figure 2-1 shows a sample hierarchical naming tree:

Figure 2-1: A Sample Hierarchical Naming Tree

A hierarchical name tree may include the following components:

• Common name (CN): Corresponds to a user name or a server name. All names
must include a common name component. The maximum number of characters
allowed in a CN is 79.
• Organizational unit (OU): Identifies the location of the user or server in the
organization. Domino allows for a maximum of four OUs in a hierarchical name.
Organizational units are optional. In Figure 2-1, the first level of OUs consists of
RO and HO, which represent the Regional Office and Head Office. The second
level of OUs is based on the department at each office. You can add two more
levels of OUs in this tree. The maximum number of characters allowed in an OU is
32.
• Organization (O): Identifies the organization to which a user or server belongs.
Every name must include an organization component. In Figure 2-1, the O
component is SNT. The number of characters allowed in an O is 3 to 64.
• Country (C): Identifies the country in which the organization exists. The country
component is optional and can contain a maximum of 2 characters.

A sample hierarchical name is Amy James/Sales/HO/SNT. In this name, Amy James is the CN,
Sales and HO are the OUs, and SNT is the O component of the hierarchical name.
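
The limits listed above can be checked before a name is submitted for registration. The following Python code is an added example, not part of the book: it splits a name such as Amy James/Sales/HO/SNT into its components and reports every limit it breaks. The function names and the labelled output form are choices of this example; a trailing component of one or two characters is read as the country, which follows from the 3-character minimum for an organization.

```python
"""Added example: check a hierarchical name against the limits listed above."""
from dataclasses import dataclass
from typing import List, Optional

MAX_CN = 79            # characters in the common name
MAX_OUS = 4            # organizational units per name
MAX_OU = 32            # characters per organizational unit
MIN_O, MAX_O = 3, 64   # characters in the organization
MAX_C = 2              # characters in the country


@dataclass
class HierarchicalName:
    cn: str
    ous: List[str]           # as written in the name, lowest level first
    o: str
    c: Optional[str] = None

    def labelled(self) -> str:
        """Return the name with each component tagged by its type."""
        parts = [f"CN={self.cn}"]
        parts += [f"OU={ou}" for ou in self.ous]
        parts.append(f"O={self.o}")
        if self.c:
            parts.append(f"C={self.c}")
        return "/".join(parts)


def parse_name(name: str) -> HierarchicalName:
    """Split 'CN/OU.../O[/C]' into components; raise ValueError if malformed."""
    parts = [p.strip() for p in name.split("/")]
    if len(parts) < 2 or any(not p for p in parts):
        raise ValueError(
            "a name needs a common name and an organization, "
            "with no empty components"
        )
    cn, rest = parts[0], parts[1:]
    country = None
    # An organization has at least 3 characters, so a shorter trailing
    # component can only be the optional country.
    if len(rest) >= 2 and len(rest[-1]) <= MAX_C:
        country = rest.pop()
    org = rest.pop()
    return HierarchicalName(cn=cn, ous=rest, o=org, c=country)


def check_name(name: str) -> List[str]:
    """Return every limit the name breaks; an empty list means it passes."""
    try:
        parsed = parse_name(name)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if len(parsed.cn) > MAX_CN:
        problems.append(f"common name has {len(parsed.cn)} characters; the maximum is {MAX_CN}")
    if len(parsed.ous) > MAX_OUS:
        problems.append(f"{len(parsed.ous)} organizational units; the maximum is {MAX_OUS}")
    for ou in parsed.ous:
        if len(ou) > MAX_OU:
            problems.append(f"organizational unit '{ou}' exceeds {MAX_OU} characters")
    if not MIN_O <= len(parsed.o) <= MAX_O:
        problems.append(f"organization '{parsed.o}' must have {MIN_O} to {MAX_O} characters")
    return problems


if __name__ == "__main__":
    # Constructed sample names; the first is the example from the text.
    for sample in ("Amy James/Sales/HO/SNT", "Srv1/A/B/C1/D/E/SNT", "Amy/AB"):
        print(sample, "->", check_name(sample) or parse_name(sample).labelled())
```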

To implement a hierarchical naming tree, you create certifiers for each organization unit
component. The organization level certifier is created automatically when you configure the first
server in your domain. By creating different organization unit certifiers for distant geographical
locations and distributing the certifier IDs to the administrator for the location, you can distribute the
task of user registration and management to the local administrators for the locations.

Before you register the users and servers in your organization, you must have all the organization
and organization unit level certifiers in place. Plan the hierarchical naming tree for your
organization on paper, create the required certifiers and then proceed with the registration of
additional users and servers.

Planning the Servers

You decide the types of servers in your company based on the services that you want to provide to
your users. You can configure a Domino server for one or more of the following roles:
• Messaging server: Hosts users' mail databases and routes mail for users.
• Directory server: Hosts the address books for users to look up information on how
to communicate with other servers and users.
• Application server: Hosts various applications for users.
• Web server: Allows users to use a browser to access applications of the server.
• Firewall: Protects internal servers and users from external users.
• Clustered server: Provides failover and load balancing to ensure constant access
to information.
• Domain Search server: Allows users to search for information in the entire domain.
• Passthru server: Allows users to access all the servers in the domain by
connecting to a single server.

Based on the roles that you select for the server, you decide the type of server that you will install
and the services for which you will configure the server.

You can install one of the following three types of servers:

• Utility: Supports Domino application services and clusters but not messaging. This
server does not require client access licenses.
• Messaging: Supports only Domino messaging, not application services or clusters.
• Enterprise: Supports both Domino application services and clusters as well as
messaging services.

Installing a Domino Server


When you install the Domino server, the setup program copies the software to the designated
computer’s disk. You can install Domino on several platforms, and the hardware and network
specifications vary according to the platform.

Platform and Hardware Specifications

The following platforms support Domino 6.0 server:

• AIX 4.3.3 and AIX 5.1
• Windows 2000 server and Windows 2000 advanced server
• Windows NT 4.0 - Intel Pentium processor only
• Solaris 2.8
• Linux - Red Hat 7.2, SuSE 8.0
Table 2-1 lists the hardware and network requirements to install Domino server on each of these
platforms and the protocols that the platforms support:
Table 2-1: Hardware and Network Requirements for Installing Domino

Platform | RAM | Disk Space | Protocols Supported
AIX | 192 MB minimum, 256 MB or more recommended | 1 GB minimum, 1.5 GB or more recommended | TCP/IP, X.PC
Windows 2000 | 128 MB minimum, 192 MB or more recommended | 1 GB minimum, 1.5 GB or more recommended | NetBEUI/NetBIOS, NetBIOS over IP, NetBIOS over IPX, SPX, SPX II, TCP/IP, X.PC
Windows NT | 128 MB minimum, 192 MB or more recommended | 1 GB minimum, 1.5 GB or more recommended | NetBEUI/NetBIOS, NetBIOS over IP, NetBIOS over IPX, SPX, SPX II, TCP/IP, X.PC
Linux | 128 MB minimum, 192 MB or more recommended | 1 GB minimum, 1.5 GB or more recommended | TCP/IP, X.PC
Solaris | 192 MB minimum, 256 MB or more recommended | 1 GB minimum, 1.5 GB or more recommended | TCP/IP, X.PC

Installing Domino Server

To install Domino server:


1. Insert the CD-ROM into the CD-ROM drive. The auto-run feature automatically
starts the setup program. Select Install Domino server from the Lotus Software
CD Installer window.
Note If the auto-run feature is disabled, you can start the setup program by locating
the setup.exe in the appropriate folder inside the Servers folder of the CD-ROM.
2. The Welcome screen of the Lotus Domino installation wizard appears. Click
Next.
3. The License Agreement for installing Lotus Domino appears. Click Yes to accept
the agreement. The next screen of the Installation wizard prompts you to specify
a name and a company name. If you want to install multiple instances of Domino
server on the same computer as partitions, select the Partition Server
Installation check box. Figure 2-2 shows the screen where you can select the
Partition Server Installation option:

Figure 2-2: The Lotus Domino Installation Wizard - Selecting the Partition Server
Installation Option
4. Click Next. The next screen provides options to install Domino in the Program
and the Data folders, as shown in Figure 2-3:

Figure 2-3: Selecting the Destination Folders for the Domino Server
Note If you selected Partition Server Installation, the program folder for both the
partitions is common but the data folder is automatically taken as data1 and
data2, inside the program folder.
5. Select the appropriate folders and click Next. The next screen allows you to
choose the type of server that you want to install, as shown in Figure 2-4. This
screen also contains a Customize button. By clicking the Customize button, you
can choose the components that you want to install for the selected server type.

Figure 2-4: Selecting and Customizing the Server


6. Select a server type as Utility, Messaging, or Enterprise and click Next. In the
screen that appears, select the program folder where you want the Lotus
Domino Server program icon to be added, as shown in Figure 2-5:

Figure 2-5: Specifying the Program Folder for the Lotus Domino Server Program Icon
7. Specify the folder and click Next. The Setup program starts copying the files
required for Lotus Domino Installation, as shown in Figure 2-6:

Figure 2-6: The Setup Window Displaying the Progress of Copying Files
8. After the installation is complete, a Thank you screen appears. Click the Finish
button on this screen to complete the installation of Lotus Domino Server.

Configuring the First Server in a Notes Domain


After you have installed the Domino server, you need to configure it. To configure the server, you
use a Server Setup wizard that guides you through the process.

The Configuration Process

When you run the Domino server for the first time after installing it, a Server Setup wizard appears.
This wizard provides you the options to configure the server. The configuration process performs
the following activities:
• Creates a new Domino domain.
• Creates a new Domino directory, names.nsf, using the Pubnames.ntf template and
places the directory in the Domino data folder.
• Creates the certification log using the template, certlog.ntf, and places it in the
Domino data folder.
• Creates an organization-level certifier, names it cert.id, and places it in the Domino
data folder.
• Creates a certifier document for the organization-level certifier in the Domino
directory.
• Creates an organization unit level certifier, certifies it using the cert.id, names it
oucert.id, and places it in the Domino data folder. The configuration process
performs this activity only if you have specified an organization unit for the server
at the time of configuring the server.
• Creates a certifier document for the organization unit certifier in the Domino
directory if the organization unit has been specified.
• Creates a server’s ID named server.id, certifies it using the cert.id or the oucert.id
as specified during the setup, and places it in the Domino data folder.
• Creates a server document for the specified server in the Domino directory.
• Creates a person document for the administrator in the Domino directory.
• Creates a user ID for the administrator, names it user.id, certifies it using the
cert.id, and attaches it to the administrator’s person document in the Domino
directory.
• Creates the mail file for the administrator in the mail subfolder under the Domino
data folder.
• Creates two group documents, LocalDomainServers and OtherDomainServers, in
the Domino directory.
• Adds the server to the LocalDomainServers group.
• Adds the server’s and the administrator’s names to the access control list (ACL) of
the Domino directory, and gives them Manager access.
• Creates a group named LocalDomainAdmins if you have specified it during the
configuration process, adds it to the ACLs of all databases and templates on the
server, and gives it Manager access.
• Adds the Anonymous entry with No access to all the databases and templates on
the server, if you specify this during the configuration process.
• Creates a log file named Log.nsf and places it in the Domino data directory.
• Enables the specified network and serial ports.
• Creates the Reports.nsf database in the Domino data folder.
• Updates the network settings in the server document.
• Configures any additional services selected during the setup.

Configuring the First Domino Server

To configure the first server after installation:


1. Run the Lotus Domino Server program by selecting Start-> Programs-> Lotus
Applications-> Lotus Domino Server. The Server Setup wizard starts and the
Welcome to Domino Server Setup screen appears.
Note You can change the font of the text in the wizard by clicking the Fonts button in
the Welcome to Domino Server Setup screen.
2. Click Next to continue. The First or additional server? screen appears, which
prompts you to select the server configuration type as either first or additional
server, as shown in Figure 2-7:

Figure 2-7: The Server Setup Wizard - Selecting the First or Additional Server
3. Select the Set up the first server or a stand-alone server option and click Next.
The Provide a server name and title screen appears, which prompts you to
specify the Server name and the Server title, as shown in Figure 2-8:

Figure 2-8: The Server Setup Wizard - Providing a Server Name and Title
4. Specify your first server’s name and a descriptive title for the server. A server
name can contain a maximum of 79 characters. If you are reconfiguring the first
server, you can use the existing server ID by selecting the I want to use an
existing server ID file option. Click Next. The Choose your organization name
screen appears, as shown in Figure 2-9:

Figure 2-9: The Server Setup Wizard - Choosing Your Organization Name
5. Specify the Organization name, which can have 3-64 characters. This creates
an organization-level certifier ID for your domain. You need to specify a
password for the organization certifier ID twice. You can use an existing certifier
ID by selecting the I want to use an existing certifier ID file option and clicking
the Browse button to specify the location of the ID file.
6. Click the Customize Button. The Advanced Organization Settings screen
appears, as shown in Figure 2-10:

Figure 2-10: The Server Setup Wizard - The Advanced Organization Settings Screen
Note In Domino 6.0, you can additionally specify an organization unit (OU) to certify
the server with the OU-level certifier.
7. Specify the Organizational Unit name and Org. Unit Certifier password in the
respective text boxes. The name can contain a maximum of 32 characters and
the password should contain a minimum of 5 characters. Confirm the password.
To use an existing OU certifier, select the I want to use an existing organization
unit certifier ID file option.
8. To add a two-letter country code to the certifier ID, select a country from the
Country code list box and click OK.
9. In the screen that appears, click Next. The Choose the Domino domain name
screen appears, which prompts you to specify a domain name for your Domino
setup, as shown in Figure 2-11. The domain name can be the same as the
organization name and should have a maximum of 31 characters. During the
first server setup, a new domain is created.

Figure 2-11: The Server Setup Wizard - Choosing the Domino Domain Name
10. Specify the domain in the Domino domain name field and click Next. The
Specify the Administrator name and password screen appears, which prompts
you to specify the administrator for the first server, as shown in Figure 2-12:

Figure 2-12: The Server Setup Wizard - Specifying an Administrator Name and
Password
11. Specify the name of the person who will administer the first server. You can also
create a generic ID, such as Administrator or Admin. It is mandatory to provide
the Last name. Provide a password for the administrator’s ID and confirm it by
re-entering the same password. The Administrator’s ID is stored in the Domino
directory as an attachment in the person document of the administrator. You can
also save the Administrator’s ID in the file system by selecting the Also save a
local copy of the ID file option. Click Next. The What Internet services should this
Domino Server provide? screen appears, as shown in Figure 2-13:

Figure 2-13: The Server Setup Wizard - Specifying the Internet Services
You can select one or more of the following Internet services:
• Web Browsers (HTTP services): Enables you to configure the
Domino server as a Web server.
• Internet Mail Clients (SMTP, POP3, and IMAP services): Enables
you to configure the Domino server to allow Internet mail clients
to access e-mail messages on Domino.
• Directory services (LDAP services): Enables you to configure
Domino as a directory server that can be accessed by Internet
clients.
If you wish to, you can configure these services later. To configure these services later,
do not select any option.
12. You can install the Domino server with default services or customize these
services. To customize all other services on Domino, click the Customize button.
The Advanced Domino Services dialog box appears, as shown in Figure 2-14:

Figure 2-14: The Advanced Domino Services Dialog Box


13. Click OK after selecting the tasks and then click Next. The Domino network
settings screen appears, as shown in Figure 2-15. It displays the network ports
that setup detects on the computer. It also shows the Host name based on the
computer’s network name.

Figure 2-15: The Server Setup Wizard - Specifying the Network Settings
14. Click the Customize button to customize the network settings. The Advanced
Network Settings dialog box appears, as shown in Figure 2-16:

Figure 2-16: The Advanced Network Settings Dialog Box


15. Select the network port that you want the Domino server to use for
communication with other servers and clients and enable it by selecting the
check box provided. Disable all extra ports. You can also select the Encrypt
option to encrypt the data over a selected port or the Compress option to
compress the data over the selected port.
16. Specify the host name for the Domino server in the Type the fully qualified
Internet host name for this Domino server field. Click OK to save the settings
and close this dialog box. In the next screen, click Next. The Secure your
Domino Server screen appears, as shown in Figure 2-17:

Figure 2-17: The Server Setup Wizard - The Secure your Domino Server Screen
17. Select the Prohibit Anonymous access to all databases and templates option to
add the entry Anonymous with No Access to the ACLs of all databases and
templates on the server. This prevents users from accessing these databases
and templates from a Web browser without specifying their names and
passwords.
18. Select the Add LocalDomainAdmins group to all databases and templates option
to add the named group to all the database and template ACLs with Manager
access. This is useful because, when you create more administrators, you can
add their names to this group and do not need to grant individual access to the
administrators for all the databases and templates.
19. Click Next. A summary of the entries and selections you made during the
configuration process appears for you to review and confirm, as shown in
Figure 2-18:

Figure 2-18: The Server Setup Wizard - Reviewing and Confirming Setup Options
20. Click Setup to start the configuration of the first Domino server in your domain.
The Domino Server Setup progress bar appears. When the setup is complete, a
Setup summary screen appears confirming that the setup is complete. Click the
Finish button to complete the Setup procedure.
To run the server, run the Lotus Domino Server program by selecting Start-> Programs-> Lotus
Applications-> Lotus Domino Server. The Domino server runs in a Character Interface, as shown in
Figure 2-19:

Figure 2-19: The Lotus Domino Server console

To shut down the server, type either QUIT or EXIT on the server console.

Installing the Administrator Client


Installing the Domino server does not install the Administrator client. You need to install the
Administrator client separately. You use the Administrator client to perform administration activities
on the Domino server.

The Domino server does not have an interface to perform activities, such as registration of users or
servers. For this reason, to perform further deployment activities such as registering the servers or
users, you must install the Administrator client after configuring the first server.
Note For security reasons, it is advisable that you install the Administrator client
on a different computer from the server.

Platform Specifications
Table 2-2 lists the operating systems that support the Domino Administration client and their
hardware and network requirements:
Table 2-2: Hardware and Network Requirement to Install the Domino Administrator Client

Supported Platform | RAM | Disk Space | Protocols Supported
Windows 98 | 64 MB minimum, 256 MB recommended | 275 MB required | NetBEUI/NetBIOS, NetBIOS over IP, NetBIOS over IPX, SPX, TCP/IP, X.PC
Windows 2000, Windows XP Professional | 128 MB minimum, 256 MB recommended | 275 MB required | NetBEUI/NetBIOS (only Windows 2000), NetBIOS over IP, NetBIOS over IPX, SPX, TCP/IP, X.PC
Windows NT 4.0 | 64 MB minimum, 256 MB recommended | 275 MB required | NetBEUI/NetBIOS, NetBIOS over IP, NetBIOS over IPX, SPX, SPX II, TCP/IP, X.PC

Installing the Domino Administrator Client

To install the Domino Administrator client:


1. Insert the CD-ROM into the CD-ROM drive. Locate the Setup.exe file in the
AdminClient folder on the CD-ROM and run it. The Lotus Notes 6 - Install Wizard
starts and the Welcome message appears.
2. Click Next to proceed. The License Agreement for installing Lotus Notes
appears. Select the I accept the terms in the license agreement option and click
Next.
3. The Lotus Notes 6 - Install Wizard prompts you to specify your own and your
company name. Provide the required information.
4. Click Next. The Installation Path Selection screen for selecting the destination
Folders for installing the Administrator Client appears, as shown in Figure 2-20:

Figure 2-20: The Installation Path Selection Screen of the Lotus Notes 6 - Install
Wizard
5. Select the appropriate folders by clicking the Change button and then click Next.
The Custom Setup screen appears. On this screen, you can select or clear the
components of Lotus Notes Client that you want to install, as shown in
Figure 2-21:

Figure 2-21: The Custom Setup Screen of the Lotus Notes 6 - Install Wizard
6. Click the button to the left of Domino Administrator and choose the option This
feature, and all subfeatures will be installed on local hard drive. Click Next. The
Ready to Install the Program screen appears, as shown in Figure 2-22:

Figure 2-22: The Ready to Install the Program Screen of the Lotus Notes 6 - Install
Wizard
7. Click Install to begin the installation of Lotus Notes 6 Administration client. The
Installing Lotus Notes 6 screen is displayed. When the installation is complete,
the Install Wizard Completed screen appears, as shown in Figure 2-23:

Figure 2-23: The Install Wizard Completed Screen of the Lotus Notes 6 - Install Wizard
8. Click Finish to complete the Lotus Notes Administration client installation.

Configuring the Administration Client


As in the case of the server setup, the Administrator client also needs to be configured after you
install it. The server should be running while you configure the Administrator client. In addition,
verify the network connectivity to the server from the computer where you installed the
Administrator client.

You configure the Administration client using the Lotus Notes Client Configuration wizard.

To configure the administrator client:


1. Run the Administrator client by selecting Programs-> Lotus Applications-> Lotus
Domino Administrator from the Start menu. The Lotus Notes Client Configuration
wizard starts and the Welcome Screen appears.
2. Click Next. The User Information screen appears, as shown in Figure 2-24:

Figure 2-24: The User Information Screen of the Lotus Notes Client Configuration
Wizard
3. In the Your name field, type the name of the Administrator as specified during the
configuration of the first server. In the Domino server field, type the name of the
first server.
4. Select the I want to connect to a Domino server option and click Next. The How Do
You Want to Connect to a Domino Server? screen appears, as shown in
Figure 2-25:

Figure 2-25: The How Do You Want to Connect to a Domino Server? Screen of the
Lotus Notes Client Configuration Wizard
5. Select the Set up a connection to a local area network (LAN) option to connect to
the Domino server over the LAN and click Next. The Additional Services screen
appears, as shown in Figure 2-26. In this screen, you can choose to configure one
or more services, such as Post Office Protocol (POP), Internet Message Access
Protocol (IMAP), Simple Mail Transfer Protocol (SMTP), Network News Transport
Protocol (NNTP), Lightweight Directory Access Protocol (LDAP), Internet Proxy
servers, and Replication settings.

Figure 2-26: The Additional Services Screen of the Lotus Notes Client Configuration
Wizard
6. Select the required services and click Finish to complete the setup. A Notes setup
is Complete! message appears, as shown in Figure 2-27:

Figure 2-27: The Notes Setup Completion Message

Registering Additional Servers


After the first server has been configured, all other servers added to the same domain
are called the additional servers. All the additional servers must be first registered in the
Domino directory and then configured. Registering a Domino server creates a server
document for the registered server in the Domino directory. This process also creates a
server ID for the new server certified by a specified certifier.

To register an additional server:


1. Select the Configuration tab of the Administration client.
2. In the Tools pane, select Registration-> Server to register an additional server.
The Choose a Certifier dialog box appears, as shown in Figure 2-28:

Figure 2-28: The Choose a Certifier Dialog Box


Note To learn more about the CA process, see Chapter 3, Configuring the Lotus
Notes Clients.
3. Select Supply certifier ID and password and click the Certifier ID button.
Select the ID that you want to use to certify the additional server and click OK.
4. You will be prompted for the certifier ID password. Specify the password for
the selected certifier ID and click OK. The Register Servers dialog box
appears, as shown in Figure 2-29:

Figure 2-29: The Register Servers Dialog Box


5. Click the Registration Server button to change the server on which the
additional server must be registered. Click the Certifier button if you wish to
change the certifier now. Select the security type as either International or
North America based on your location. The Certificate expiration date is the
date when the server certificate expires. By default, the server certificate is
valid for 100 years.
6. Click the Continue button to proceed. The Register New Server(s) dialog box
appears, as shown in Figure 2-30:

Figure 2-30: The Register New Server(s) Dialog Box


The Register New Server(s) dialog box consists of two tabs:
• The Basics tab, which you use to specify information about
the server being registered, such as its name, title, and
administrator. This tab is displayed by default.
• The Advanced tab, which you use to specify information that is
required only if you are using the CA process for registration.
7. Specify a name for the additional server in the Server name field and specify a
server title in the Server title field. Provide the Domino domain name that you
had specified during the first server configuration. Specify the name of the
person who will administer this server in the Server administrator name field.
You can select a name from the existing users in the address book or specify
a name that you have not yet registered. Make sure you register the user after
this.
8. In the ID file password field, specify a password for the additional server’s ID.
This is optional.
Note If you have not assigned a password to the server ID file, you cannot store it in
the Domino directory.
9. Choose the location for storing the server ID. You can select the In Domino
Directory option or the In file option or both. Set the path for the ID file if you
have chosen the latter.
10. Click the green check mark to add the server information to the registration
queue, as shown in Figure 2-31:

Figure 2-31: The Register New Server(s) Dialog Box with the Server Added to
the Registration Queue
Repeat the steps to add more servers to the queue.
11. Click Register All to register all the servers in the queue and then click Done
to close the dialog box.

This process creates a server document in the Domino directory for each server that is
successfully registered. It also creates a server ID at the location specified.

Configuring Additional Servers


Configuring the additional server is different from configuring the first server because no
server, user, or certifier IDs are created during the additional server setup. The server ID
registered on the first server is used for configuring the additional server. In addition, the
Domino directory on the additional server is replicated from the first server. After the
server IDs have been created by registering the servers, you can deploy an additional
server by first installing the Domino server software and then configuring it. The
configuration process of the additional server performs the following activities:
• Connects to the source server specified during the configuration.
• Replicates the Domino directory from the specified location or server and saves it
in the local Domino data folder as names.nsf.
• Copies the server ID from the location specified during the configuration into the
local Domino data folder as server.id.
• If the server ID used for configuring the additional server was stored in the server
document in the Domino directory, removes the attachment from the server
document.
• Creates the log file named log.nsf and saves it in the Domino data folder.
• Creates replicas of the Administration requests database, admin4.nsf, and the
Statistics and Events database, events4.nsf, present on the source server in the
local Domino data folder.
• Creates a connection document to the other server in the Domino directory.
• Enables the specified network and serial ports.
• Creates the Reports.nsf database in the Domino data folder.
• Updates the network settings in the server document.
• Configures any additional services selected during the setup.
• If specified, creates a group named LocalDomainAdmins and adds it to the ACLs of
all databases and templates on the server with Manager access.
• If specified, adds the Anonymous entry with No access to all the databases and
templates on the server.

To configure the additional server:


1. Install the Lotus Domino Server 6 software on the computer that you want to
configure as the additional server. This process is similar to the Domino
Server installation.
2. Check the network connectivity to the server where you have registered the
additional server. For example, if you are using TCP/IP to connect to the first
server, you can use the PING utility to check the connection.
3. Run the Lotus Domino Server program by selecting Start-> Programs-> Lotus
Applications-> Lotus Domino Server. The Server Setup wizard starts and the
Welcome to Domino Server Setup screen appears.
4. Click Next to continue. You are prompted to select the server configuration
type, either first or additional server.
5. Select the Set up an additional server option and click Next. The Where is the
ID file for this additional Domino server screen appears, as shown in
Figure 2-32:

Figure 2-32: Where is the ID file for this additional Domino server? Screen of
the Server Setup Wizard
6. Select the first option, The server ID file is stored on a floppy disk, CD, or
network drive, if you saved the ID in a file. If you saved the ID file in the
directory at the time of server registration, select the second option, The server ID
file is stored in the Domino Directory.
7. Specify the server ID password if you assigned a password to the server ID
during registration and click Next. The Provide the registered name of this
additional Domino server screen appears, as shown in Figure 2-33:

Figure 2-33: The Provide the registered name of this additional Domino
server Screen
8. Click Next. The What Internet services should this Domino server provide?
screen appears. Select the Internet services that you want to configure on the
additional server.
9. Customize the other services on Domino by clicking the Customize Button.
10. Click Next. The Domino network settings dialog box showing the network
ports and the Host name based on the computer’s network name appears.
11. To customize the network settings, click the Customize button and click OK.
12. Click Next. The Provide the system databases for this Domino server screen
appears, as shown in Figure 2-34:

Figure 2-34: The Provide the system databases for this Domino server
Screen
A few system databases created on the first server are replicated to the
additional servers at the time of additional server configuration. The Domino
directory is one such system database. The Provide the system databases for
this Domino server screen requires you to specify the name of the server from
where these databases must be replicated and the method by which the
connection to the other Domino server must be established.
You can choose to connect to the server directly over the network by
specifying the server name and the network address or choose from one of
the following options on this screen:
• Use a proxy server to connect to the other Domino server.
• Use a dialup connection.
• Get system databases from CD or other media.
13. Specify the name of the first server in the Other Domino server name field and
click Next. The Specify the type of Domino directory for this server screen
appears, as shown in Figure 2-35:

Figure 2-35: The Specify the type of Domino directory for this server Screen
The Domino directory that is replicated to the additional server can be a full
replica containing all documents from the directory. Alternatively, you can
choose to do a partial replication.
14. Select Set up as a primary Domino Directory to include all types of documents
in the Domino Directory on the additional server.
15. Select Set up as a Configuration Directory to copy only the server
configuration documents to the replica on the additional server. In this case,
the additional server uses the primary Domino Directory located on a remote
server to look up information about users and groups.
16. Click Next. The Secure your Domino Server screen appears. Select the
Prohibit Anonymous access to all databases and templates option to add the
entry Anonymous with No Access to the ACLs of all databases and templates
on the server.
17. Select the Add LocalDomainAdmins group to all databases and templates
option to add the named group to all the database and template ACLs with
Manager access.
18. Click Next. A summary of the entries and selections you made during the
configuration process appears for you to review and confirm, as shown in
Figure 2-36:

Figure 2-36: The Please review and confirm your chosen server setup
options Screen
19. To change any of the options, click the Back button to go back to the previous
screens.
20. Click Setup to start the configuration of the additional Domino server in your
domain. The Domino Server Setup progress bar appears. When the setup is
complete, a Setup summary screen appears confirming that the setup has
been completed.
21. Click the Finish button to complete the Setup procedure.

Run the server by selecting Start-> Programs-> Lotus Applications-> Lotus
Domino Server.
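
The Secure your Domino Server screen in both setup procedures above adds Anonymous with No Access, and LocalDomainAdmins with Manager access, to the ACL of every database and template. The following LotusScript agent is an added example, not code from the book, that checks whether those two entries are actually present on a server after setup. The SERVER_NAME constant, the AuditAcl function name, and running the agent under an ID that can read every ACL are assumptions of the example.

```lotusscript
Option Public
Option Declare

' Added example (not from the book): audits the two ACL entries that the
' "Secure your Domino Server" setup screen is described as creating.

Const SERVER_NAME = ""                 ' assumption: "" means the machine the agent runs on
Const ANON_ENTRY = "Anonymous"
Const ADMIN_GROUP = "LocalDomainAdmins"

Sub Initialize
    Dim dbdir As New NotesDbDirectory(SERVER_NAME)
    Dim db As NotesDatabase
    Dim checked As Long, flagged As Long

    ' TEMPLATE_CANDIDATE walks every database and template (.nsf and .ntf)
    Set db = dbdir.GetFirstDatabase(TEMPLATE_CANDIDATE)
    Do Until db Is Nothing
        checked = checked + 1
        If AuditAcl(db) > 0 Then flagged = flagged + 1
        Set db = dbdir.GetNextDatabase
    Loop
    Print "ACL audit: " & checked & " files checked, " & flagged & " with findings"
End Sub

' Hypothetical helper: returns the number of findings for one database or template.
Function AuditAcl(db As NotesDatabase) As Integer
    Dim acl As NotesACL
    Dim entry As NotesACLEntry
    Dim findings As Integer

    ' Databases returned by NotesDbDirectory are closed until opened explicitly.
    On Error Goto cannotRead
    If Not db.IsOpen Then
        If Not db.Open("", "") Then Error 1000, "Open returned False"
    End If
    Set acl = db.ACL
    On Error Goto 0

    ' 1. Anonymous must exist with No Access. Without an Anonymous entry,
    '    unauthenticated Web users receive the -Default- access level instead.
    Set entry = acl.GetEntry(ANON_ENTRY)
    If entry Is Nothing Then
        findings = findings + 1
        Print db.FilePath & ": no Anonymous entry, -Default- applies to Web users"
    Elseif entry.Level <> ACLLEVEL_NOACCESS Then
        findings = findings + 1
        Print db.FilePath & ": Anonymous has access level " & entry.Level
    End If

    ' 2. LocalDomainAdmins must exist with Manager access.
    Set entry = acl.GetEntry(ADMIN_GROUP)
    If entry Is Nothing Then
        findings = findings + 1
        Print db.FilePath & ": " & ADMIN_GROUP & " is not in the ACL"
    Elseif entry.Level <> ACLLEVEL_MANAGER Then
        findings = findings + 1
        Print db.FilePath & ": " & ADMIN_GROUP & " has access level " & entry.Level
    End If

    AuditAcl = findings
    Exit Function

cannotRead:
    ' Count an unreadable ACL as a finding so that it is reviewed by hand.
    Print db.FilePath & ": could not open database or read ACL (" & Error$ & ")"
    AuditAcl = 1
    Exit Function
End Function
```

Access levels are printed as the numeric NotesACLEntry.Level values, where 0 is No Access and 6 is Manager.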

Chapter 3: Configuring Lotus Notes Clients


After configuring the Domino servers, you need to configure the Lotus Notes clients on the
workstations of all users who will be using the Domino server for accessing their messages and
other applications.

To configure the Lotus Notes clients, you must first register all the users on the server. The
registration process creates a Person document for each user in the Domino directory. It also
creates a user ID and a server-based e-mail database for each user. After you have successfully
registered the users, you must install the Lotus Notes client software on each user workstation and
configure it with the user ID created for the specific user.

Domino provides you several options to simplify and facilitate the registration and management of
users. These options include creating policy settings to define default registration, setup, desktop,
and security settings for the user so that you do not need to individually configure these settings on
the users’ workstations. Setting up ID and password recovery enables you to retrieve lost or
damaged IDs or forgotten passwords. To allow the Lotus Notes user to look up names in the user’s
native language, you can provide an alternate name language to the user.

This chapter explains how to register, install, and configure Lotus Notes clients. It also describes
the various tasks that need to be performed before you register users.

Pre-Registration Activities
Before you start registering the users on the Domino server, you must perform certain preliminary
procedures that will help smooth the registration process and help manage the users later.

During the registration process, you are required to provide various types of information, such as
the e-mail and registration servers and the password options for the users. You can set default
values for most of this information so that the registration process becomes simple. You can set
the default values using the Administration preferences.

If you want to allow registration of users using a Web browser, without using the certifier ID, you
must configure the CA process on the Domino server.

To register users you require certifier IDs. You must ensure that you create all the certifier IDs
based on the hierarchical naming scheme you have defined for your organization. You must also
enable password recovery on these certifiers so that you can recover the user IDs that you
registered using the certifier IDs.

You can create policies to define the default registration, setup, desktop and security options for
the user. These policies are dynamic and you assign the policies to the users at the time of
registration. If you want to change any desktop or security setting for a user later, you only need to
change the policy.

Further, at the time of user registration, you can also assign users to various groups or provide
them with an alternate name and language.
Note Although you can perform most of these activities after you configure the
clients, performing the activities before registering the users saves a lot of
time and effort.

Setting Administration Preferences

The administration preferences stored for a Domino administrator client allow you to customize
default options for the registrations that you perform using that specific client. The administration
preferences also allow you to customize the Domino Administrator client’s environment by
specifying which domain you want to manage from the client or the servers that you want to
connect to.
To access administration preferences, select the Administration Preferences menu option from the
File-> Preferences menu. The Administration Preferences dialog box appears, as shown in Figure
3-1:

Figure 3-1: The Administration Preferences Dialog Box

The Administration Preferences dialog box contains the following tabs:

• Basics: Contains options to select the domains to be managed, the location to be
used while managing each domain, and the directory server for each domain. It
also contains the administrator startup options.
• Files: Contains options to select the columns that you want to appear in the File
tab of the Domino Administrator client, the order in which they appear, and the
types of files that the Domino Administrator should retrieve.
• Monitoring: Contains the global settings for monitoring servers in the domain, an
option to generate server health statistics, and location-specific settings to monitor
servers.
• Registration: Contains options to specify the default values to be used for
registration, such as the registration domain, the certifier ID, the explicit policies to
be assigned to users, and the server and certifier registration options.
• Statistics: Contains the global settings for monitoring statistics.
Note To learn more about the Monitoring and Statistics tabs, see Chapter 9,
Monitoring a Domino Server.

You must set the options in the Registration tab of the administration preferences to simplify the
process of registration.

To set the administration preferences:


1. Click the Registration tab in the Administration Preferences dialog box.
Figure 3-2 shows the Registration tab in the Administration Preferences dialog box:

Figure 3-2: The Registration Tab of the Administration Preferences Dialog Box
2. Select the Registration domain as the default domain to register users and
servers.
3. To create IDs for users during registration, select the Create Notes IDs for new
users option, and click the Certifier ID button to select the certifier ID that you
want to use to certify the user IDs during the registration process.
Note If you clear the Create Notes IDs for new users option, the Certifier ID button
and the Use CA Process options are replaced with the Certifier name list that
contains a list of certifiers from the Domino directory.
4. Optionally, you can select the Use CA process option to register users using the
CA process on the server.
Note The CA process allows you to register users without using a certifier ID. This is a
useful method for registering users from a Web browser.
5. If you have created an explicit policy for users, from the Explicit policy list, select
an explicit policy to be assigned to the users. If you have created an
organization policy that contains registration settings for the selected certifier,
the policy is automatically assigned to the users and its registration
settings are used as the registration settings.
6. Click the Registration Server button to specify the server in whose Domino
directory the documents of the users/servers/certifiers must be created.
7. If you have created user setup profiles and you want to assign one to the users,
select from the User setup profile list. You can apply a user setup profile to a
user only if you are not using a policy.
8. Click the Mail Options button to specify the options for creating the e-mail files of
the users. The Mail Registration Options dialog box appears, as shown in Figure
3-3:

Figure 3-3: The Mail Registration Options Dialog Box


The Mail Registration Options dialog box contains the following options:
• Mail system: Enables you to choose the mail system that the
user will use. You can choose from options such as Lotus
Notes, POP, IMAP, iNotes, Other Internet, Other and None.
• Mail Server: Enables you to choose the server on which the
user’s mail file will be located. Choose a server that is in the
user’s LAN for fast access to mail.
• Mail file template: Enables you to choose the template used to
create the mail files of the users. The default is mail6.ntf.
• Create file now, Create file in background: Enables you to create
the mail file of the user during the registration process.
Alternatively, you can select Create file in background to create
the mail file when the user is set up. Creating mail files in the
background helps you to complete the registration process faster.
9. Click the Advanced mail options button. The Person Registration Mail Options
dialog box appears, as shown in Figure 3-4:

Figure 3-4: The Person Registration Mail Options Dialog Box


The Person Registration Mail Options dialog box contains the following options:
• Mail file owner access: Enables you to assign an appropriate
access to the users for their mail files. To prevent users from
deleting their mail files, the default access that Domino assigns
to the owners of the mail files is Editor with Delete Document
privilege. If you assign the owner an access less than Manager,
Domino assigns the current administrator Manager access to
the mail file.
• Create full text index: Enables you to create a full text index for
the mail database to facilitate searching.
• Set database quota: Enables you to set up a maximum size limit
on the mail database. You can set up a database quota up to a
maximum of 10 GB. Setting up a database quota helps you to
control the sizes of the mail files of the users on the server. If
required, you can advise the end users to locally archive their
mail.
• Set warning threshold: Enables you to send a warning to the
user if the mail database reaches the size specified. This value
is usually a little less than the database quota.
• Create replica(s) of mail database: Enables you to create
replicas of the mail database on other servers. You can use this
option to create mail replicas on the clustered servers.
• Create replicas in background: Enables you to create replicas
later using the administration process. As a result, you save the
time taken for registration.
10. Click OK to save these options. When you click OK, this dialog box is closed and
the Mail Registration Options dialog box appears.
11. Click the Internet Address button to set the Internet address format for the users,
as shown in Figure 3-5:

Figure 3-5: The Set Internet Address Format Dialog Box


12. In the Internet Domain field, specify the name by which your domain is
registered on the Internet. Select an Address name format and a separator. For
example, when you register a user, Tanya Rogers, the Internet address using
the format FirstName LastName and the separator Dot would be
tanya.rogers@snt.com, where snt.com is the Internet Domain.
13. Click OK to save these settings and to close the Set Internet Address Format
dialog box.
14. Click OK to close the Mail Registration Options dialog box.
15. In the Registration tab of the Administration Preferences dialog box shown in
Figure 3-2, click User ID/Password Options to set the options related to the User
ID file, as shown in Figure 3-6:

Figure 3-6: The Person ID File Settings Dialog Box


16. Click the Person ID folder to specify the folder in which the ID files of users will
be stored if you chose to save the IDs in the file. The default path is the
ids\people folder in the client data folder.
17. Select a Person password quality scale between Weak and Strong.
18. Click OK to save the settings and close the Person ID File Settings dialog box.
19. In the Administration Preferences dialog box, click Advanced Options to specify the
advanced registration options, as shown in Figure 3-7:

Figure 3-7: The Advanced Person Registration Options Dialog Box


The Advanced Person Registration Options dialog box contains the following options:
• Registration options: From this list, you can select one or more
of the following options:
o Do not continue on registration errors: Stops
registration if there are multiple people being
registered and an error occurs. You may use this
option to prevent Domino from failing all entries in
the registration queue for a similar type of error,
such as insufficient access to create a database on
the mail server specified.
o Keep successfully registered people in the queue:
Retains the people being registered in the
registration queue even if they have been
successfully registered. By default, Domino deletes
users from the registration queue after they are
successfully registered. You can keep the users in
the registration queue, even after registration, if you
want to apply the registration options selected for
the registered users to the new entries.
o Try to register queued people with error status:
Registers users even if the registration status
shows an error. You can use this option to register
users in spite of errors such as an insufficiently
complex password.
o Allow registration of previously registered people:
Allows registration of users who have already been
registered in Notes.
o Search all directories for duplicate names: Checks
the primary as well as the secondary directories for
existence of the user name being registered.
o Enforce short name uniqueness: Ensures that all
short names are different from each other. A short
name is created by concatenating one character
from the first name to the last name of the user.
• Don’t prompt for a duplicate person: When you register a user
that already exists in the Domino directory, you can specify
whether Domino should skip the registration of the user or
update the existing address book entry.
• Don’t prompt for a duplicate mail file: Domino names the mail file
of a user by picking one character from the first name and the
remaining seven characters from the last name of the user. If a mail file
with this name already exists, you can:
o Skip the person registration
o Generate a unique mail file name
o Replace the existing mail file
• Use the remote user registration database: If you select this
option, Domino creates a database userreg.nsf on the server to
store the registration queues and errors.
• Generate random user passwords: If you select this option,
users are assigned random passwords. You do not need to
assign passwords to them.
20. Select the options as required and click OK to save the settings and close the
Advanced Person Registration Options dialog box.
21. On the Registration tab of the Administration Preferences dialog box, as shown
in Figure 3-2, click the Server/Certifier Registration button to specify the options
for server and the certifier ID file registration. The Server/Certifier ID File
Settings dialog box appears, as shown in Figure 3-8:

Figure 3-8: The Server/Certifier ID File Settings Dialog Box


22. Click the Server ID folder icon to select the folder in which you want to store the
server IDs. The default path is ids\servers in the Administrator client’s data
folder.
23. Select the Server password quality scale. The default value for a server ID
password is 0, which means that a password for the server ID is optional.
24. Similarly, select the Certifier ID folder icon and the certifier password quality. The
default folder for certifier IDs is ids\certs in the Administrator client’s data folder.
The default password quality value is 10 for a strong user password.
25. Click OK to save the settings and to close the Server/Certifier ID File Settings
dialog box.
26. Click OK to save and close the Administration Preferences.

When you register a user, server, or certifier, the options specified in the Administration
Preferences dialog box become the default options.
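
The naming rules from the steps above (the FirstName LastName address format with the Dot separator, the short name built from one first-name character plus the last name, and the mail file name built from one first-name character plus seven last-name characters) can be checked against a registration batch before it is queued. The following Python sketch is an added example, not Domino code; the lowercase folding, the `mail` folder, the separator table and every sample name other than Tanya Rogers are assumptions.

```python
"""Pre-flight collision check for a Domino registration batch (added example)."""
from collections import defaultdict

# Separator labels other than "Dot" are assumptions for this sketch.
SEPARATORS = {"Dot": ".", "Underscore": "_", "None": ""}


def internet_address(first, last, domain, separator="Dot"):
    """Address name format 'FirstName LastName' joined by the chosen separator."""
    local = f"{first}{SEPARATORS[separator]}{last}".replace(" ", "").lower()
    return f"{local}@{domain}"


def short_name(first, last):
    """One character from the first name concatenated with the last name."""
    return (first[:1] + last).replace(" ", "")


def mail_file(first, last, folder="mail"):
    """One character from the first name plus seven characters of the last name."""
    stem = (first[:1] + last.replace(" ", "")[:7]).lower()
    return f"{folder}\\{stem}.nsf"


def find_collisions(people, domain, existing=()):
    """Return {kind: {value: [claimants]}} for every value claimed more than once.

    people   -- iterable of (first name, last name) tuples to be registered
    existing -- (kind, value) pairs already present in the directory
    Values are compared case-insensitively (an assumption of this sketch).
    """
    claims = defaultdict(lambda: defaultdict(list))
    for kind, value in existing:
        claims[kind][value.lower()].append("<existing entry>")
    for first, last in people:
        derived = {
            "short_name": short_name(first, last),
            "mail_file": mail_file(first, last),
            "internet_address": internet_address(first, last, domain),
        }
        for kind, value in derived.items():
            claims[kind][value.lower()].append(f"{first} {last}")
    report = {}
    for kind, values in claims.items():
        dupes = {v: names for v, names in values.items() if len(names) > 1}
        if dupes:
            report[kind] = dupes
    return report


# Constructed batch: the addresses are all distinct, yet two pairs collide.
# The second pair collides only because the mail file name is truncated.
BATCH = [
    ("Tanya", "Rogers"),
    ("Tom", "Rogers"),
    ("Tina", "Rogersmith"),
    ("Ted", "Rogersmark"),
]

if __name__ == "__main__":
    for kind, dupes in find_collisions(BATCH, "snt.com").items():
        for value, names in dupes.items():
            print(f"{kind}: {value} claimed by {', '.join(names)}")
```

Entries flagged here are the ones that would trigger the duplicate mail file handling or fail the Enforce short name uniqueness option during registration.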

Setting up the CA Process

The CA Process is an automated task that runs on a Domino server. You use this process to issue,
manage, and process certificates. You can issue certificates to Notes as well as Internet users.
The certificates you issue must comply with industry Internet certificate standards, such as X.509.
As a result, the certificates can be used on the Internet as well. The CA Process allows you to
register users and servers without using a certifier ID and password. As a result, you can register
users using the Web Administrator. The CA Process also allows an administrator to delegate
registration authority to certain users without distributing the certifier ID file to these users.

The CA Process creates and maintains an Issued Certificate List (ICL) database that records all
the certificates issued by the CA. The CA Process also issues a Certificate Revocation List (CRL)
that contains information about the certificates that have expired or been revoked.

You can create CA Certifiers either by registering a new Internet certifier or by migrating an existing
Notes certifier. You use the Internet Certifiers to issue server and client Internet certificates.
Note To learn more about Internet Certificates, see Chapter 13, Configuring SSL
on Domino.

Migrating a Certifier to a CA Process

You can migrate an existing Notes certifier to work as a CA certifier. This allows you to register
users and servers using that CA certifier without requiring the Certifier ID file. The method is useful
if you want to allow an administrator to register users using the browser-based Web Administrator.
You can also allow administrators to register users using the Domino Administrator client without
the Certifier ID file. The certification takes place with the help of the CA process on the server and
the security for the certifier is controlled through roles defined while migrating the certifier.
To migrate an existing Notes certifier to a CA Process:
1. Select the Configuration tab of the Domino Administrator client.
2. In the Tools pane, click Certification-> Migrate Certificate. The Migrate Certifier
dialog box appears, as shown in Figure 3-9:

Figure 3-9: The Migrate Certifier Dialog Box


3. Click the Select button to select the certificate that you want to migrate. The
Choose id/keyring File dialog box appears, as shown in Figure 3-10:

Figure 3-10: The Choose id/keyring file Dialog Box


4. Select the ID file. For example, select the oucert.id file to migrate the
organizational unit certifier to the CA Process and click Select to close the dialog
box. You can also select a keyring file instead of a Notes certifier ID.
Note To learn more about keyring files, see Chapter 13, Configuring SSL on Domino.

5. You are prompted for the certifier ID password.


6. Specify the password and click OK. The Basics tab of the Migrate dialog box
appears, as shown in Figure 3-11:

Figure 3-11: The Basics Tab of the Migrate Dialog Box


7. In the Select the server where this certifier will run on field, select the server
name on which the CA Process will run for the selected certifier.
The ICL database for the selected certifier is placed in the icl subfolder inside the
Domino data folder and the file name for the database is generated randomly. You can
change the name of this database in the Name of the ICL database to be created field.
To protect the certifier ID, you can encrypt it with the server ID. You can also assign a
password to the certifier ID. You must activate the password protected certifier ID on the
server using the following console command:
TELL CA ACTIVATE <certifiernumber> <password>
To find the certifier number for a certifier, use the following command:
TELL CA STATUS
You can also encrypt the CA certifier with a user’s ID by selecting a name from the
address book. Before you use the certifier ID, you need to unlock it. To unlock the ID,
use the following command on the server console:
TELL CA UNLOCK <idfile> <password>
In the above command, <idfile> is the location of the user’s ID that has been used as
the Locking ID and <password> is the user’s ID file password. This command unlocks
all CA certifiers that have been locked using the specified ID file.
To control further access to the CA certifier, you can assign the Registration Authority
(RA) administrator and the CA administrator roles to various people. An RA
administrator can register users and servers using the selected CA certifier. A CA
administrator can create, configure, and modify certifiers. The user migrating the CA is
added with both the CA and the RA roles.
8. To assign these roles to more users, click the Add button and select the name
from the address book.
9. Click the Certificates tab of the Migrate certifier dialog box to view the
certification information. Figure 3-12 shows the certification information in the
Certificates tab of the Migrate Certifier dialog box:

Figure 3-12: The Certificates Tab of the Migrate Certifier Dialog Box
10. Click OK to save the certifier information and close the Migrate Certifier dialog
box.

The above procedure creates the ICL database and adds a request to the Administration Requests
database.
Note To learn more about the Administration Requests database, see Chapter 8,
Managing Users and Servers Using the Administration Process.

If the CA process is not running on the server, issue the following command at the server console:
LOAD CA
If the CA process is already running, you must refresh the CA to add the certifier to the CA process
using the following commands:
TELL ADMINP PROCESS ALL

The above command forces all the Administration requests to be executed.


TELL CA REFRESH

To view the status of the CA certificates, use the following command:


TELL CA STATUS
Figure 3-13 shows the output of the TELL CA STATUS command:

Figure 3-13: The Status of the CA Process


Note Inactive certificates, indicated by No against Active, must be activated or
unlocked using the appropriate commands.

Creating Additional Certifiers

After you set up the first server, Domino creates the organization certifier. If you chose the option of
adding an organizational unit to the first server, Domino creates an organizational unit certifier as
well. Before you register the users or servers in your domain, you must plan the hierarchical
names of all the servers and users. Based on the hierarchical naming scheme that you have
planned, you must then register the certifiers.

Registering Additional Organization


You can use multiple organizations in a single Domino domain. You may need to do this to increase
security because the user or server IDs certified by different organizational certifiers would require
cross certificates to access each other. To create an additional organization certifier:
1. Select the Configuration tab in the Domino Administrator client.
2. In the Tools pane, click Registration-> Organization. The Register
Organization Certifier dialog box appears, as shown in Figure 3-14:

Figure 3-14: The Register Organization Certifier Dialog Box


3. Click the Registration Server button to select the server where you want to
create the organization certifier.
4. Click the Set ID File button to set the path where you want to save the ID file
being created.
5. In the Organization field, specify the name of the organization that you want to
register. Optionally, specify a two-letter country code to be associated with the
organization certifier.
6. Specify the password for the new certifier in the Certifier password field.
Select a Password quality scale.
7. Select the Security type as International or North American.
8. In the Mail certification requests to (Administrator) field, specify the name of
the administrator who will receive all the name change requests from users
certified using this certifier. Optionally, specify the location and a comment for
the certifier.
9. Click Register to create the organization certifier ID. A message box appears,
confirming the path where the certifier ID has been created.
10. Click OK to close the message box.

A certifier document for the Organization certifier is added to the Server-> Certificates view of the
Domino directory.

Registering Additional Organizational Unit


Registering an organizational unit certifier creates an additional certifier ID file that you can use to
register users and servers. It also creates a certifier document in the Domino directory.

To create an organizational unit certifier:


1. Select the Configuration tab of the Administrator client.
2. In the Tools pane, click Registration-> Organizational Unit. The Choose a
Certifier dialog box appears, as shown in Figure 3-15:

Figure 3-15: The Choose a Certifier Dialog Box


3. Click the Server button to select the registration server for the organization
unit that you want to create.
4. Select the Supply certifier ID and password option and click the Certifier ID
button to select the parent certifier and then click OK. A prompt for the
password of the selected certifier ID file appears.
5. Type the password and click OK. The Register Organizational Unit Certifier
dialog box appears, as shown in Figure 3-16:

Figure 3-16: The Register Organizational Unit Certifier Dialog Box


You can use the Registration Server and the Certifier ID buttons in this dialog box to
change the registration server and the parent certifier that you selected in the Choose a
Certifier dialog box.
6. Click the Set ID File button to set the path where the created ID file must be
saved.
7. In the Organization Unit field, specify the name of the organization unit that
you want to register.
8. Type the password for the new certifier in the Certifier password field and
select a password quality scale.
9. Select the Security type as International or North American.
10. In the Mail certification requests to (Administrator) field, specify the name of
the administrator who will receive all the name change requests from users
certified using this certifier. Optionally, specify the location and a comment for
the certifier.
11. Click Register to create the organizational unit certifier ID. A message box
appears, confirming the path where the certifier ID has been created.
12. Click OK to close the message box.

The Certifier document is added to the Server->Certificates view of the Domino directory.

Enabling Alternate Language Support

Domino allows a user to use more than one language. Each user can be given alternate
language support for a native language as well as an alternate name for the specified language.
Using an alternate name allows users to use their native language and character set to type,
display, and look up names. Domino provides a user with alternate names and language support
for only those languages that have been enabled for the certifier.
Note You can enable an alternate language for the user at the time of registration.
You can also enable it at a later stage.

Enabling Alternate Language Support for the Organization Certifier

The organization certifier must include support for all the languages that must be enabled for the
users. Each organization unit certifier can support one or more of the languages supported for the
organization certifier. In addition, each user can have only one alternate language support out of
the languages enabled for the certifier that has certified the user.

To enable alternate language support for an organization certifier:


1. Select the Configuration tab in the Administrator client. Then, in the Tools
pane, click Certification-> Certify. The Choose a Certifier dialog box appears,
as shown in Figure 3-15.
2. Select the Registration Server name and the certifier as the organization
certifier ID, cert.id, and click OK. Domino prompts you for the certifier ID file
password.
3. Type the password and click OK. The Choose ID to Certify dialog box
appears, as shown in Figure 3-17:

Figure 3-17: The Choose ID to Certify Dialog Box


4. Select the organization certifier ID, cert.id, again to enable alternate language
support for the organization certifier and click Open.
Note The organization certifier certifies itself, which means that you have chosen the
organization certifier as the ID file to be certified as well as the certifier ID.
5. Type the password for the certifier ID selected. The Certify ID dialog box
appears, as shown in Figure 3-18:

Figure 3-18: The Certify ID Dialog Box


6. Change the certificate expiration date, if required.
7. The Subject name list shows the current name of the certifier. To add more
names, click the Add button. The Specify Alternate Organization Name dialog
box appears, as shown in Figure 3-19:

Figure 3-19: The Specify Alternate Organization Name Dialog Box


8. Select the language for which you want to add support from the Language list.
9. Specify the organization name in the alternate language in the Organization
field. Optionally, you can specify a country code.
10. Click OK to save and close the settings. The new name along with the
language gets added to the Subject name list, as shown in Figure 3-20:

Figure 3-20: The Certify ID Dialog Box Showing the Alternate Language Names
Enabled for the Certifier
11. Click Certify to complete the process of certification and enabling the alternate
language support for the organization certifier.

Enabling Alternate Language Support for the Organization Unit Certifier

To enable alternate language support for a user, you must enable the alternate language for the
certifier that certifies the user. An organization unit certifier can support one or more of the
languages supported by the organization certifier. To enable alternate language support for an
organization unit certifier:
1. Select the Configuration tab in the Administrator client.
2. In the Tools pane, click Certification-> Certify. The Choose a Certifier dialog
box appears, as shown in Figure 3-15.
3. Select the Registration Server name. In addition, select the certifier as the
parent certifier for the organization unit certifier for whom you are enabling
alternate language support. For example, for level1 organization unit, select
the organization certifier. Click OK.
4. Type the password and click OK. The Choose ID to Certify dialog box
appears.
5. Select the organization unit certifier ID and click Open. Domino prompts you
for the certifier password.
6. Type the password for the organization unit certifier ID. The Certify ID dialog
box appears, as shown in Figure 3-18.
7. Click the Add button in the Certify ID dialog box to add more names. The
Specify Alternate Organizational Unit Name dialog box appears, as shown in
Figure 3-21:

Figure 3-21: The Specify Alternate Organization Unit Name Dialog Box
8. Select the language for which you want to add support.
9. Specify the Organization name in the Org Unit field.
10. Click OK to save and close the settings. The new name along with the
language is added to the Subject name list.
11. Click Certify to complete the process of certification and enabling the alternate
language support for the organization unit certifier.

Enabling ID and Password Recovery

Without an ID file, a Lotus Notes user cannot access the server. As a result, the user cannot read
messages and any data that the user has encrypted with the ID. The user cannot even open the
encrypted databases located on the user’s local workstation without an ID file. For this reason, the
user should keep a backup of the ID file in a secure location. The ID recovery process helps
achieve this.

For the IDs to be recoverable, you should set the recovery information for the certifier to be used to
certify the user IDs. You should specify one or more recovery administrators, who will be able to
provide a recovery password in case a user forgets the ID password. You should also specify a
mail database to which Domino sends the backups of all the ID files registered with the certifier ID.
Domino sends these backups even if the user ID changes.

If the user forgets the password, each recovery administrator provides the user with a recovery
password. The user selects the recover ID option and types all the required recovery passwords.
Domino allows the user to change the password without specifying the original password.

If the user loses the ID or the ID becomes corrupted, you can detach the ID file from the backup in the
specified mail database and provide it to the user.

To enable ID and Password Recovery for a certifier:


1. Select the Configuration tab of the Administrator client.
2. In the Tools pane, click Certification-> Edit Recovery Information. The Choose a
Certifier dialog box appears, as shown in Figure 3-22:

Figure 3-22: Choose a Certifier Dialog Box


3. Select the registration server name and the certifier name for which you want to
enable password recovery and click OK. This displays a prompt for the
password of the selected certifier ID file.
4. Type the certifier password and click OK. The Edit Master Recovery Authority
List dialog box appears, as shown in Figure 3-23:

Figure 3-23: The Edit Master Recovery Authority List Dialog Box
5. In the How Many Recover Authorities do you require field, specify 2. This
number indicates how many recovery passwords a user will need to specify to
recover the ID, if the user forgets the ID password.
6. To add the names of users to the Current Recovery Authorities list, click the Add
button. This allows you to select the names from the Domino Directory. Select
the names of the users responsible for providing recovery passwords to the users to
recover their IDs.
7. After you set the recovery option, Domino automatically sends all the new or
modified ID files to you as attachments. You can receive these IDs in your own
mail box or create a separate mail box to receive these mails. To create a new
mailbox to store the IDs, select the option, I want to create a new mailbox.
8. Click the Address button to provide the information required to create the new
mailbox. The Create New Mailbox dialog box appears, as shown in Figure 3-24:

Figure 3-24: The Create New Mailbox Dialog Box


9. Select the server on which you want the mailbox to be created, specify the Mail
Title, such as ID Store, and specify the File Name, such as mail\IDStore.nsf.
Then, click OK to close the Create New Mailbox dialog box.
10. Click OK to close the Edit Master Recovery Authority List dialog box.
Note To enable password recovery for the IDs that were created before you
enabled password recovery for the certifier, you must export the recovery
information to the owners of the IDs using the Export button in the Edit
Master Recovery Authority List dialog box.

Creating Policies

A Policy document is a collection of individual Settings documents. A Settings document is a
collection of default settings assigned to users and groups through the assigned Policy document.
Using a policy for users enables you to apply common settings to groups of users. There are five
types of Settings documents.
• Archiving: Enables you to specify the options related to the archiving of mail
databases of users. The Archiving Settings document contains the following
settings:
o Location of archive database
o Name and folder for the archive database
o Selection criteria for the documents to be archived
o Schedule for archiving
o Logging options for the archive
• Desktop: Enables you to update a user’s desktop and location document settings
dynamically. Domino applies this type of policy setting to a user’s workstation
whenever the user authenticates with the user’s mail server. The Desktop Settings
document contains the following settings:
o Catalog/Domain search server
o Domino Directory server
o Sametime Server
o Corporate welcome page options
o Internet browser
o Mobile catalog
o Database links for the databases to be locally replicated for
the users
o Dialup connection
o Accounts
o Name servers
o Applet Security
o Proxies
o User Preferences
o Registration
• Registration: Enables you to set the default options to be used at the time
of user registration. The Registration Settings document contains the
following settings:
o Registration server
o Password options, such as setting the password quality
scale and the Internet password
o Mail options, such as Mail system, Mail server, Mail
template, Internet domain, and Internet address format
o ID file settings, such as certificate expiration date, location
for storing user ID, and ID security type
o Group assignments
o Local administrator
• Security: Enables you to define the local security options for a user, such as
the workstation ECL or the password management options. The Security
Settings document contains the following settings:
o Password management options, such as options to enable
checking of Notes passwords on the server, to synchronize
Notes and Internet passwords for users, and password
expiration settings.
o The Admin ECL to be distributed to the users and its update
frequency and mode.
• Setup: Enables you to define the default settings to be used when a Lotus
Notes client is configured. These settings are included in the user’s
Location document. This document contains options similar to the Desktop
settings document, but its settings are applied only once at the time of
configuring the Lotus Notes client.

Creating a Settings Document


In a Settings document, you specify the settings to be included in a Policy. The settings in a Policy
can be specific or inherited from a parent policy. To inherit a setting from a parent policy, you must
select the Inherit option for the setting in the child policy. Alternatively, the Enforce option in the
parent policy also causes the setting to be inherited in the child policy. To create a Settings
document:
1. Select the People and Groups tab in the Domino Administrator.
2. Select the Settings view in the View pane and click the Add Settings
action button.
3. Select the type of Settings document that you want to create. A New
Settings document is created. Figure 3-25 shows a sample
Registration Settings document:

Figure 3-25: Registration Settings Document


4. Specify the values for various settings and save and close the
document.

The Settings documents appear in the Settings view, categorized by the Settings type.

Creating Policy Documents


To implement the settings you made in the Settings documents, you need to use the Policy
documents. You can create two types of policies, explicit and organizational. You assign explicit
policies to individual users or groups. You use these policies to apply certain settings to selective
users.

You create organizational policies for an organizational unit. These policies automatically apply to
all the users who have been certified using that organization unit. For example, a policy */SNT
applies to all the users who have been certified by the certifier SNT.

To create a Policy document:


1. Select the People and Groups tab in the Domino Administrator.
2. Select the Policies view in the View pane and click the Add Policy
action button. A new Policy document appears. Figure 3-26 shows a
sample Policy document:

Figure 3-26: A Sample Policy Document


3. In the Policy type field, select Organizational to create an
organizational policy. Specify the Policy name as the hierarchical
name of the certifier for which you are creating the policy. For
example, to apply the policy to users certified with the /HO/SNT
certifier, specify the policy name as */HO/SNT.
4. If you want to create an explicit policy, select the Policy type as
Explicit and specify any name for the policy in the Policy name field.
5. Type a description for the policy in the Description field.
6. Select the various Settings documents for the five types of settings
that you want to include in the Policy. You can also create new
Settings documents by clicking the New button next to each setting
type.
7. Save and close the policy.

Creating Group Documents

You use a group document to group users and servers. Creating groups helps you to easily
manage users and servers. For example, you can create a group called administrators and assign
all the administrators in your domain to this group. Instead of assigning access on various
databases to individual administrators, you can now assign access to this group. Similarly, you can
create a group called AllUsers to send any message to all the users in your domain.

The types of groups available in Domino 6.0 are:


• Multi-purpose: Used to send e-mail messages as well as for controlling
access.
• Access Control List only: Used only in the database and server access
control lists. Cannot be used for sending e-mail messages.
• Mail only: Used only for sending e-mail messages. Cannot be used in the
access control lists.
• Servers only: Used to group only servers for use in connection documents
and Domino administrator domain bookmarks.
• Deny List only: Used for server access list only and is visible only to the
administrators.

To create a group document:


1. Select the People & Groups tab in the Domino Administrator client.
2. Navigate to the Groups view in the View pane and click the Add Group
action. A New Group document appears, as shown in Figure 3-27:

Figure 3-27: A New Group Document


3. In the Group name field, specify the name of the group. For example,
specify AllUsers. A group name can contain a maximum of 62 characters.
The characters can be A-Z, 0-9, ampersand, dash, period, space,
underscore, and apostrophe.
4. From the Group Type list, select the type of group as Multi-purpose.
5. Optionally, use the Category field to further categorize the group by
user-defined keywords. Click the Category entry helper button and
specify a keyword, such as User Management.
6. Use the Description field to describe the group.
7. In the Mail Domain field, specify your Domino domain name.
8. In the Internet Address field, specify the Internet address that can be
used to send messages to this group from the Internet. For example, if
your Internet domain name is snt.com, then the Internet address for the
group can be allusers@snt.com.
9. In the Members field, select the members of the group from the Domino
Directory by clicking the entry helper button.
10. Save and close the Group document.

Registering Users
To configure Lotus Notes clients, you first need to register the users on the server. When you
register a user:
• A person document for the user is added to the Domino Directory.
• A user ID is created for the user.
• A mail database is created for the user on the specified server.
• Optionally, the user is added to a group.

You can either register users one at a time by filling in the information in the user registration
screen or create a text file using any editor, such as Notepad, with the required information of all
the users and use it for registration.

Registering Users by Filling in the User Registration Screen

To register users by filling in the user registration screen, you need to fill in information about each
user one by one. This option is suitable when you have to register only a few users.

To register users using this method:


1. Select the Configuration tab in the Domino Administrator client.
2. From the Tools pane, select Registration->Person. Domino prompts you for the
password for the certifier ID specified as default in the Administration
Preferences dialog box. To choose a different certifier ID, click Cancel and select
the other certifier, or just type the password and click OK. The Register Person -
New Entry dialog box appears, as shown in Figure 3-28:

Figure 3-28: Register Person - New Entry Dialog Box


3. The Register Person - New Entry dialog box shows only the Basic registration
option. To view more options, select the Advanced option. More tabs are added
to the Register Person dialog box, as shown in Figure 3-29:

Figure 3-29: The Register Person Dialog Box with the Advanced Options
Note: The default values for options in the Register Person dialog box are populated
from the registration settings in the organizational policy. This policy is activated
based on the certifier that you select for registering the user. If you assign an
Explicit policy to a user, the settings in the Explicit policy apply to the user
instead of the organizational policy. If there is no policy, or if the policy does not
include registration settings, the values are populated from the administration
preferences.
The Basics tab of the Register Person dialog box contains the following options:
• Registration Server: The server on whose Domino directory the
person document of the user being registered must be added.
• First name: First name of the user. This is an optional field.
• Middle name: Middle name of the user. This is an optional field.
• Last name: Last name of the user. This is a mandatory field. The
name fields can contain uppercase and lowercase letters
(A-Z), numbers (0-9), and special characters such as ampersand
(&), dash (-), dot (.), space ( ) and underscore (_).
• Short name: Short name of the user. Domino automatically
creates this name using one character from the first name and
the rest of the characters from the last name.
• Password: Password for the user ID. Domino validates this
password against the password quality scale specified in the
registration policy/administration preferences. You can override
the password quality scale by clicking the Password Options
button.
• Mail system: The mail system that the user will use, such as
Lotus Notes, IMAP, POP, or iNotes.
• Explicit policy: A list of Explicit policies. If you have created an
Explicit policy for the user, select the policy from this list.
• Create a Notes ID for this person: Enable this option to create a
Notes ID for the user.
You can view the synopsis of the registration settings in the Policy assigned to the user
by clicking the Policy Synopsis button. This shows the effective policy assigned to the
user.
4. Specify the required information and select the Mail tab. Figure 3-30 shows the
Mail tab of the Register Person dialog box:

Figure 3-30: The Mail Tab of the Register Person Dialog Box
The Mail tab of Register Person dialog box contains the following options:
• Mail server: The server on which the user’s mail database must
be created.
• Mail filename: The name of the mail database, which is created
in the mail folder inside the server’s data folder. Domino creates
the mail file name using one character from the user’s first name
and seven characters from the user’s last name.
• Mail file template: The template file used to create the mail
database. The default template used is Mail (R6) (Mail6.ntf).
• Create file now/Create file in background: Option buttons that
you can select. Selecting Create file now creates the mail
database of the user at the time of registration. Selecting Create
file in the background creates the mail database later using the
administration process.
• Mail file owner access: The access that the user must be given
for the user’s mail database. You can choose from Manager,
Designer, or Editor.
• Create full text index: Creates a full text index for searching in
the mail database.
• Set database quota: Defines a maximum mail database size for
the user.
• Set warning threshold: Sends a warning to the user before the
mail database quota is full.
5. Specify the values in the fields.
6. To create replicas of the mail database on clustered servers, click the Mail File
Replicas button. The Mail Replica Creation Options dialog box appears, as
shown in Figure 3-31:

Figure 3-31: The Mail Replica Creation Options Dialog Box


7. Select the option, Create mail database replica(s). The clustered server names
are automatically added to the server list. Click OK to close this dialog box.
8. In the Register Person dialog box, click the Address tab to define the Internet
address for the user. Figure 3-32 shows the Address tab of the Register Person
dialog box:

Figure 3-32: The Address Tab of the Register Person Dialog Box
The Address tab contains the following options:
• Internet address: The Internet address of the user created
automatically using the following options.
• Internet domain: The Internet domain for your Domino domain.
• Address name format: The format in which the first and the last
names of the user must be combined to form the Internet
address of the user.
• Separator: The special character that must be used to separate
the first and the last names of the user in the Internet address.
9. Click the ID Info tab to view the options related to the ID file, as shown in Figure
3-33:

Figure 3-33: The ID Info Tab of the Register Person Dialog Box
The ID Info tab contains the following options:
• Use CA Process: Enables you to use the server-based CA to
register the user.
• Certifier ID: Enables you to select the certifier ID to be used for
the registration of the user. This option appears when CA
Process is not selected.
• Security Type: Enables you to select the security type. You
can select International or North American. North American IDs
are more secure than international IDs.
• Certificate expiration date: Enables you to select the date on
which the user’s certificate expires. The default is two years from
the date of registration.
• Location for storing User ID: Enables you to select the location
for storing the User ID. You can store the ID file as an
attachment to the person document of the user in the Domino
directory. You can also store it in the file system. Use the Set ID
file button to specify the path for the ID file. The default path is
Ids\People\<user>.id in the admin client’s data folder.
10. Click the Groups tab to add the user to an existing group, as shown in
Figure 3-34:

Figure 3-34: The Groups Tab of the Register Person Dialog Box
11. From the list of groups shown under Assign person to group(s), select the group
and click the Add button to add the user to the group.
12. Click the Other tab to view more options for user registration, as shown in
Figure 3-35:

Figure 3-35: The Other Tab of the Register Person Dialog Box
The Other Tab of the Register Person dialog box contains the following options:
• Setup profile: The name of a setup profile to be assigned to the
user. The functionality of an R5 setup profile has been replaced
with policies in R6. As a result, if you are using Policies, this
option is disabled.
• Unique org unit: A unique qualifier added to the user’s name to
distinguish between two users who have the same common
name and the same certifier.
• Location: The geographical location of the user.
• Local Administrator: Enables you to specify the name of a user
to whom you want to allow access to edit the user’s document.
The name specified must have Author access to the Domino
directory.
• Comment: Enables you to specify any comment for the user.
• Alternate name language: Enables you to select a language from
the alternate languages enabled for the certifier in order to
provide alternate language support to the user.
• Alternate name: Enables you to specify the name of the person
in the alternate language.
• Alternate org unit: Enables you to specify an alternate unique org
unit for the user.
• Preferred language: Enables you to specify the language that
the user prefers to use.
13. After specifying all the required information, click the green check mark to add
the user to the registration queue.
14. Add more users similarly and then click Register All to register all the users. You
can also register a single user by selecting the user in the queue and then
clicking the Register button.
15. Click Done to close the Register Person dialog box.

Registering Users Using a Text file

By registering users using a text file, you can register a batch of users with the least effort. To
register users using this method, you first create a text file containing all the registration
information and then import the text file into the Register Person dialog box.

The text file that you use for registration has a fixed format and you must specify each person entry
on a separate line. In addition, you must separate the various registration parameters with a
semicolon (;).
Note: If you want to use any other separator, you can specify this in the
NOTES.INI using the setting BatchRegSeparator.
The order of the registration parameters is fixed. Table 3-1 lists the registration parameters and
their order:
Table 3-1: Parameters for Creating a Text File to Register Users

Order  Parameter
1      Last name
2      First name
3      Middle initial
4      Organizational unit
5      Password
6      ID file directory
7      ID file name
8      Mail server name
9      Mail file directory
10     Mail file name
11     Location
12     Comment
13     Forwarding address
14     Profile
15     Local administrator
16     Internet address
17     Short name
18     Alternate name
19     Alternate org unit
20     Mail template file

The order of these parameters is fixed and if you want to skip a parameter, you must specify the
subsequent parameters at the right position by using the right number of separators.

For example, in the following line, the last name, first name, password, and mail server fields have
been specified. These are the 1st, 2nd, 5th and 8th parameters.
Jones;Allan;;;password;;;Mainserver/ho/snt
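
Because the batch file carries every user's initial ID password in clear text and depends entirely on field position, it is worth checking before import. The following Python script is an added example (not part of the book and not a Domino tool) that maps each line onto the 20 positions of Table 3-1 and reports entries the Register Person dialog would queue with errors or with weak credentials; the shared-password check and the sample entries other than the Jones line are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Parameter order from Table 3-1; list index 0 is parameter 1.
FIELDS = [
    "last_name", "first_name", "middle_initial", "org_unit", "password",
    "id_file_directory", "id_file_name", "mail_server", "mail_file_directory",
    "mail_file_name", "location", "comment", "forwarding_address", "profile",
    "local_administrator", "internet_address", "short_name", "alternate_name",
    "alternate_org_unit", "mail_template_file",
]

# Characters the Basics tab description lists for the name fields.
NAME_OK = re.compile(r"[A-Za-z0-9&\-. _]*")


def parse_line(line, sep=";"):
    """Split one entry and map it onto the 20 fixed positions.

    sep is ';' unless BatchRegSeparator in NOTES.INI says otherwise.
    """
    parts = line.rstrip("\r\n").split(sep)
    if len(parts) > len(FIELDS):
        raise ValueError(f"{len(parts)} fields, Table 3-1 defines {len(FIELDS)}")
    # Trailing parameters may be left off, as in the Jones example line.
    parts += [""] * (len(FIELDS) - len(parts))
    return dict(zip(FIELDS, parts))


def audit(text, sep=";"):
    """Return sorted (line_number, message) findings for a batch file."""
    findings, entries = [], []
    for no, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            entry = parse_line(line, sep)
        except ValueError as exc:
            findings.append((no, str(exc)))
            continue
        entries.append((no, entry))
        if not entry["last_name"]:
            findings.append((no, "last name is mandatory"))
        for key in ("last_name", "first_name", "middle_initial"):
            if not NAME_OK.fullmatch(entry[key]):
                findings.append((no, f"{key} has characters outside the allowed set"))
        if not entry["password"]:
            findings.append((no, "no password set for the user ID"))
    # Added check (an assumption, not a Domino rule): one password reused
    # for several IDs means a single leaked value opens all of them.
    reused = Counter(e["password"] for _, e in entries if e["password"])
    for no, entry in entries:
        if entry["password"] and reused[entry["password"]] > 1:
            findings.append((no, "password shared with another entry"))
    return sorted(findings)


# Constructed sample: line 1 is the book's example, the rest are made up.
SAMPLE = """\
Jones;Allan;;;password;;;Mainserver/ho/snt
Rogers;Tanya;;;password;;;Mainserver/ho/snt
;Maggie;;;Xk4!pLm9;;;Mainserver/ho/snt
Lee#2;Sam;;;;;;Mainserver/ho/snt
"""

if __name__ == "__main__":
    for line_no, message in audit(SAMPLE):
        print(f"line {line_no}: {message}")
```
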

To register the users from the text file after creating the text file:
1. Select the Configuration tab in the Domino Administrator client.
2. From the Tools pane, select Registration-> Person. Domino prompts you for the
password for the certifier ID specified as default in the Administration
Preferences.
3. To choose a different certifier ID, click Cancel and select the other certifier, or
just type the password and click OK. The Register Person - New Entry dialog
box appears.
4. Click the Import Text File button. The browse window appears, where you can
select the text file you have created for registration.
5. Select the text file and click Open to open the file. A message shows the number
of people successfully queued and the number of people queued with error
status. If there are any errors, you can edit and correct the entries.
6. Click Register All to register the users.
7. Click Done to close the Register Person dialog box.

Installing a Lotus Notes Client


To configure a Lotus Notes client, you must first install the client software and then configure it.
Installing the Lotus Notes Client software copies the software to the client computer.

Platform Specifications
Table 3-2 lists the operating systems that support the Lotus Notes Client and the hardware and
network requirements for each operating system:
Table 3-2: Hardware and Network Requirements for Installing Lotus Notes Client on Various
Platforms

Supported Platform | RAM | Disk Space | Protocols supported
Windows 95/98 | 64 MB minimum, 128 MB or more recommended | 275 MB required | NetBEUI/NetBIOS, NetBIOS over IP, NetBIOS over IPX, SPX, TCP/IP, X.PC
Windows 2000, Windows XP Professional | 128 MB minimum, 256 MB or more recommended | 275 MB required | NetBEUI/NetBIOS (only Windows 2000), NetBIOS over IP, NetBIOS over IPX, SPX, TCP/IP, X.PC
Windows NT 4.0 | 64 MB minimum, 128 MB or more recommended | 275 MB required | NetBEUI/NetBIOS, NetBIOS over IP, NetBIOS over IPX, SPX, SPX II, TCP/IP, X.PC
Macintosh OS 9.1, OS X 10.1 | 128 MB minimum, 256 MB or more recommended | 175 MB required (OS 9), 250 MB required (OS 10) | TCP/IP, X.PC

Installation Procedure

Lotus Notes 6.0 provides two types of client installations:


• Single User: For a single user. This creates a single program and a single data
folder.
• Multi-user: For multiple users who share a single workstation. The multi-user install
option is applicable only to the Windows (Win 32) platform. The multi-user option
also requires each user to have a local login name. When each user logs on using
the user’s own login name and password, Domino sets up a fresh Lotus Notes 6
client and creates individual files, such as the local address book and
bookmark.nsf. In a shared installation, Domino installs the program files in a
central location, such as c:\lotus\notes, and user-specific files in a data directory
located in the system’s application data directory for the user, such as
C:\Documents and Settings\user\Local Settings\Application Data\Lotus\Notes
Data. When each user logs on, Domino loads the user’s personal data files. As a
result, unlike previous releases of Lotus Notes, each user can maintain an
individual address book and individual desktop settings.

To install the Lotus Notes client:


1. Insert the CD-ROM into the CD-ROM drive. Locate the Setup.exe file in the
Client folder on the CD-ROM and run the file. The Lotus Notes 6 - Installation
Wizard starts and the Welcome message appears.
2. Click Next to proceed. The License Agreement for installing Lotus Notes
appears.
3. Read the agreement and select the option, I accept the terms in the license
agreement. Then, click Next. The Lotus Notes 6 - Install Wizard Customer
Information screen appears, as shown in Figure 3-36:

Figure 3-36: The Customer Information Screen of the Lotus Notes 6 - Install Wizard
4. Specify your name and your company name in the User Name and Organization
fields.
5. Select the Anyone who uses this computer (Multi-User Install) option and click
Next. The Installation Path Selection dialog box appears, as shown in
Figure 3-37:

Figure 3-37: The Installation Path Selection Dialog Box


6. Select the appropriate folder and click Next. The Custom Setup dialog box
allows you to select or clear the components of Lotus Notes Client, as shown in
Figure 3-38:

Figure 3-38: The Custom Setup Dialog Box


7. Click Next. The Ready to Install the Program dialog box appears. You can click
the Back button to go back and change any of the options. You can also click the
Cancel button to cancel and exit the installation.
8. Click the Install button to begin the installation of Lotus Notes 6 client. The
Installation begins and the Installing Lotus Notes 6 dialog box appears. When
the installation is complete, the Install Wizard Completed dialog box appears.
9. Click Finish to complete the Lotus Notes 6 client installation.

Configuring the Lotus Notes Client
After installing the Lotus Notes client, you need to configure it using the Lotus Notes
Client Configuration wizard.

To configure the Lotus Notes client:


1. Run Lotus Notes by selecting Programs-> Lotus Applications-> Lotus Notes
from the Start menu. The Lotus Notes Client Configuration wizard starts and
the Welcome dialog box appears, as shown in Figure 3-39:

Figure 3-39: The Welcome Screen of the Lotus Notes Client Configuration
Wizard
2. Click Next. The User Information dialog box appears, as shown in
Figure 3-40:

Figure 3-40: The User Information Dialog Box of the Lotus Notes Client
Configuration Wizard
3. In the Your name field, specify the name of the user that you have registered
on the server and are trying to configure.
4. In the Domino server field, specify the name of the server that contains the
user’s document in the Domino directory, which is the registration server for
the user.
5. Select the I want to connect to a Domino server option and click Next. The
How Do You Want to Connect to a Domino Server? dialog box appears, as
shown in Figure 3-41:

Figure 3-41: The How Do You Want to Connect to a Domino Server? Dialog
Box of the Lotus Notes Client Configuration Wizard
6. Select the Set up a connection to a local area network (LAN) option and click
Next.
7. The Additional Services dialog box appears, as shown in Figure 3-42. This
dialog box provides options to configure services such as POP, IMAP, SMTP,
NNTP, LDAP, Internet Proxy servers, and Replication settings.

Figure 3-42: The Additional Services Dialog Box of the Lotus Notes Client
Configuration Wizard
The additional services that you can configure as part of the Lotus Notes
client configuration are:
• Internet mail servers: Configures the Lotus Notes client to
access POP and IMAP mails.
• Newsgroup Server: Configures the Lotus Notes client to
access a newsgroup server using NNTP.
• Directory Server: Configures the Lotus Notes client to access
an LDAP server to access external directories.
8. Select the required options. For example, to configure the proxy settings for
the Lotus Notes client, select the Internet Proxy servers option and then click
Next. The Internet Proxy Settings dialog box appears, as shown in
Figure 3-43:

Figure 3-43: The Internet Proxy Settings Dialog Box


In the Additional Services dialog box shown in Figure 3-42, you can select the
Replication settings for sending and receiving mail option to specify how the
local mail box of the user is synchronized with the server mail box. When you
click Next, the Set Up Replication dialog box appears, as shown in
Figure 3-44:

Figure 3-44: The Set Up Replication Dialog Box


9. Configure the selected options and click Finish to complete the setup.
10. A Notes setup is Complete message confirms that the configuration has been
successfully completed.
11. Click OK to close the message box. The Welcome screen of the Lotus Notes
client appears, as shown in Figure 3-45:

Figure 3-45: The Welcome Screen of the Lotus Notes Client


12. Click 1 to create a new Welcome page or click the check mark to create a
default Welcome page, as shown in Figure 3-46:

Figure 3-46: The Default Welcome Page of the Lotus Notes 6 Client

This completes the configuration of the Lotus Notes 6 client.


Chapter 4: Configuring Mail Routing
Mail routing is one of the basic services offered by a Domino server. The Domino server can route
mail within the Domino network or to the Internet. Domino supports multiple mail clients. In addition
to the Lotus Notes clients, Domino supports other clients based on Internet protocols, such as
Simple Mail Transfer Protocol (SMTP), Internet Mail Access Protocol (IMAP), Post Office Protocol
version 3 (POP3), and HTTP. Domino uses the Notes Rich Text Format for Notes messages. For
Internet mail, Domino also supports the MIME message format.

Messages within a Domino network are routed automatically when you set up Domino servers and
clients. If you want to route messages from your Domino network to another network, domain, or to
the Internet, you need to configure mail routing.

You can also configure Domino to provide messaging services to non-Notes mail clients. To
troubleshoot mail routing problems, you can configure mail monitoring options on the server. In
addition, you can also control messages on the server by creating mail rules and enabling
Journaling.

This chapter explains how to configure mail routing within a Domino domain and to the Internet. It
also describes how to configure the Domino server for access by non-Notes mail clients. In
addition, the chapter explains the various mail monitoring tools available in Domino, such as mail
trace and tracking, and describes mail rules and mail Journaling.

Components of the Domino Mail System


The Domino mail system allows users to send and receive messages. The Domino mail system
consists of three components:
• Mail server
• Mail files
• Mail clients

The Mail Server

The Domino mail server is installed as part of the Domino Messaging and the Domino Enterprise
server licenses. The ROUTER task on the server is responsible for routing messages on the
Domino server. The ROUTER task loads automatically when you start the Domino server. If
required, you can load the ROUTER manually by using the server console command:
LOAD ROUTER

To quit the ROUTER task, use:


TELL ROUTER QUIT
Note: You may need to quit and reload the ROUTER when you make changes to
the Router/SMTP configurations on the server, to ensure that the changes
take effect immediately. You may also need to restart the ROUTER, when
you troubleshoot mails on the server, in case the ROUTER stops responding
or to route the pending mails on the server.

The Domino mail server has an outgoing mail box file (MAIL.BOX) that holds all the messages that
arrive on the server. The ROUTER keeps a record of the messages in the MAIL.BOX. If the
message is intended for a user on the current server, the ROUTER delivers the message to the
user’s mail file on the server. If the message is intended for another server, the ROUTER transfers
the message to the MAIL.BOX on the other server.
Note: To improve the performance of the ROUTER on a server, you can configure
multiple outgoing mail box files on the server using the Configuration
Settings document. Domino then names these files as MAIL1.BOX,
MAIL2.BOX, and so on.

The Domino mail server can route messages to other Domino servers using the Notes Remote
Procedure Calls (NRPC). It can also route mails to the Internet. The Domino mail server supports
Internet mail protocols, such as SMTP, IMAP, and POP3.
Domino can send and receive messages in the Notes Rich Text format or in the MIME format.

Mail Files

Domino assigns a mail file to every registered Domino user. The server on which this mail file
resides is called the user’s Mail server. At the time of user registration, Domino creates the user’s
mail file based on the Mail (R6) template, MAIL6.NTF. By default, Domino creates the mail file in
the MAIL folder, which is inside the Domino DATA folder. The name of the mail file is taken from the
short name of the user. For example, for a user Tanya Rogers, the mail file name will be
TROGERS.NSF.

Users can access their mail files using the Lotus Notes client or other Internet clients, such as
IMAP- and POP3-based clients or Web browsers. To access their mail files using Lotus Notes
clients, users require their User IDs. To access their mail files using other Internet-based clients,
the users require their names and Internet passwords, which are defined in their Person
documents in the Domino directory.

By default, each user has Manager access to the user’s mail file, but the administrator can assign
a lower access to the user at the time of user registration. At the minimum, the administrator can
assign Editor access to a user, which is sufficient for the user to send, receive, forward, and delete
messages as well as reply to messages.

To control the size of the user’s mail file, the administrator can assign a database quota for the file.

Mail Clients

Mail clients access mail on the Domino server. Domino supports multiple mail clients, such as:
• Lotus Notes: Access their messages on the Domino server using the Notes routing
protocol. Lotus Notes is the default mail client for Domino. Lotus Notes users
require their user IDs to access their mail files on the server. They can also create
local replicas of their mail files and work offline.
• IMAP: Access their messages directly on the server that runs the IMAP service or
download the messages into a local file. IMAP users use TCP/IP to connect to the
Domino server. They use the IMAP protocol to read their messages on the server
and use SMTP to send messages through the server. They authenticate with the
server using a name and an Internet password.
• POP3: Download messages locally from the Domino server running the POP3
service. POP3 clients use TCP/IP to connect to the Domino server. These clients
authenticate with the server using a name and Internet password. POP3 clients
use the POP3 protocol to download mail from the server and use SMTP to send mail
through the server.
• iNotes Web Access: Access messages on the Domino server using a Web
browser. The Domino server must be running the HTTP task to allow iNotes users
to access messages. The iNotes users also authenticate using their names and
Internet passwords and connect to the server over TCP/IP. These users can work
offline by creating local replicas of their mail files.

Configuring Mail Routing between Domino Servers


By default, Domino uses NRPC to route messages between Domino servers. Domino uses
information in the Domino directory to find paths to other Domino servers or to look up information
about the recipient. When you address a message to a user within the Domino domain, the
ROUTER looks up the Person document for the user for information about the user’s mail server
and mail file. Figure 4-1 shows the Person document for the user Arnold/SNT:

Figure 4-1: The Person Document Showing the Mail Section

The Mail section of the Person document has the following fields:
• Mail System: The mail system used by the user. The default mail system is Notes, but
you can select other mail systems, such as cc:Mail, X.400, POP, or IMAP.
• Domain: The domain with which the user is associated.
• Mail server: The server on which the user’s mail file is located.
• Mail file: The path of the mail file of the user. The path is relative to the Domino
DATA folder.
• Forwarding address: The alternate address at which the user wants to receive
messages. This could be an external address that the user uses while away from
the office.
• Internet address: The user’s complete Internet address.

After the ROUTER determines the mail server for a recipient, it can then decide the action it must
take on the message in its MAIL.BOX.

If the sender and recipient have a common mail server, the ROUTER immediately delivers the
message to the recipient’s mail file. If the sender and the recipients have different mail servers, the
ROUTER finds out the Notes Named Network (NNN) of the recipient’s mail server.

The ROUTER can connect immediately to servers in a common NNN and transfer messages. To
connect to a server in a different NNN, you need to create Connection documents.

If the recipient belongs to an external Domino domain, you need to create Connection documents
between any two servers in the two domains. You can also create Domain documents to facilitate
the mail transfer.

NNN

The NNN groups servers in a Domino domain into logical networks. The servers in the NNN must
share a common protocol and be constantly connected.

The NNN of a server is defined when a server is registered. When two servers do not share a
common protocol or are not constantly connected, you need to assign them to different NNNs. You
can assign a server to a different NNN, if you want to schedule messages between two servers
that share a common protocol or are connected. You can change the NNN of a server in the Server
document.

To change the NNN of a server:


1. In the Domino Administrator client, select Configuration tab-> Server section->
All Server Documents view, as shown in Figure 4-2:

Figure 4-2: The All Server Documents View


2. Open the Server document for the server for which you want to change the
NNN.
3. Select Ports-> Notes Network Ports tab. The Notes Network Ports tab appears,
as shown in Figure 4-3:

Figure 4-3: The Notes Network Ports Tab of the Server Document
4. In the Notes Network field, specify the name of the NNN to which you want to
assign the server. This can be the name of an existing or new NNN.
5. Save and close the Server document.
You can view the various NNNs and the servers belonging to the NNNs in the Server Pane, as
shown in Figure 4-4:

Figure 4-4: The Server Pane

Mail Routing Scenarios

The ROUTER handles messages on the Domino server differently in different scenarios. There are
four common scenarios:
• The sender and the recipient have the same mail server.
• The sender and the recipient have different mail servers that are in a common NNN.
• The sender and the recipient have different mail servers that are in different NNNs.
• The sender and the recipient belong to different domains.

Sending a Message to a Recipient on the Sender’s Mail Server


A user, Arnold/HO/SNT, whose mail server is MainServer/HO/SNT, sends a message to
Maggie/HO/SNT. Maggie’s mail server is the same as Arnold’s, MainServer/HO/SNT. To send a
message in this situation:
1. Arnold sends a message to Maggie using the mail file on the MainServer.
2. The mail is deposited in the MAIL.BOX of MainServer.
3. The ROUTER task on the MainServer checks Maggie’s Person document to
find out information about Maggie’s mail server.
4. When the ROUTER finds that Maggie’s mail server is MainServer, it checks
Maggie’s Person document for the name of Maggie’s mail file.
5. The ROUTER delivers the mail into Maggie’s mail file.

Sending a Message to a Recipient on Another Server in a Common NNN

Arnold/HO/SNT, whose mail server is MainServer/HO/SNT, sends a mail to James/HO/SNT.
James’ mail file is on the server, AppServer/HO/SNT. Both MainServer and AppServer are in the
same NNN, Network1. To send a message in this situation:
1. Arnold sends a message to James using the mail file on the MainServer.
2. The mail is deposited in the MAIL.BOX of MainServer.
3. The ROUTER task on MainServer checks James’ Person document to find
out information about James’ mail server.
4. When the ROUTER finds that James’ mail server is AppServer, it checks the
NNN name for the AppServer. The ROUTER finds that the NNN for AppServer
is the same as the NNN for MainServer.
5. The ROUTER transfers the message to the MAIL.BOX on the AppServer.
6. The ROUTER on the AppServer checks James’ Person document for the
name of James’ mail server. It finds that James’ mail server is AppServer.
7. The ROUTER checks James’ Person document for the mail file name.
8. The ROUTER delivers the message into James’ mail file.

Sending a Message to a Recipient on Another Server in a Different NNN

The ROUTER cannot route mail to servers in a different NNN on its own. To route mail to a server
in a different NNN, you need to create Connection documents. A Connection document defines a
route for routing mail between any two servers in two NNNs. All messages between servers in the
two NNNs are routed through these servers. The Connection document also defines the schedule
for mail routing between the two NNNs.

For example, the mail file of Arnold/HO/SNT is on MainServer/HO/SNT and the mail file of
Jessica/RO/SNT is on ROMailServer/RO/SNT. MainServer is in Network1 and ROMailServer is in
Network2. A Connection document exists between MainServer in Network1 and a third server,
ACTServer, in Network2. To send a message in this situation:
1. Arnold sends a message to Jessica using Arnold’s mail file on the MainServer.
2. The mail is deposited in the MAIL.BOX of MainServer.
3. The ROUTER task on MainServer checks Jessica’s Person document to find
out information about Jessica’s mail server.
4. When the ROUTER finds that Jessica’s mail server is ROMailServer, it checks
the NNN name for the ROMailServer. The ROUTER finds that the NNN for
ROMailServer is Network2.
5. The ROUTER looks for a Connection document between Network1 and
Network2. It finds that a Connection document exists between the MainServer
in Network1 and the ACTServer in Network2.
6. The ROUTER transfers the message to the MAIL.BOX on the ACTServer.
7. The ROUTER on ACTServer transfers the message to the MAIL.BOX on the
ROMailServer after checking the recipient’s Person document.
8. The ROUTER on the ROMailServer checks Jessica’s Person document and
finds that Jessica’s mail server is ROMailServer.
9. The ROUTER checks Jessica’s mail file name and delivers the message into
the mail file.

Sending a Message to a Recipient on a Server in a Different Domain

When you send a mail to a user in a different domain, the ROUTER looks for Connection
documents between any two servers in the domains. The Connection document from the source
server to the destination server resides in the source server’s Domino directory. The other
Connection document between the destination server and the source server resides in the
destination server’s Domino directory.

When a sender sends a message to a recipient, the sender must specify the domain name of the
recipient, such as Tony@xyz.com. Suppose your organization communicates with two domains,
DomainA and DomainB, and you have a physical connection only to DomainA. DomainA is
connected to DomainB. You can send messages to users in DomainB through DomainA. To send a
message to a user in DomainB, you must specify the user name, as in
user@DomainB@DomainA.

You can create a Domain document for DomainB specifying that all the messages to DomainB
should be routed through DomainA. This type of Domain document is called a Non-adjacent
Domain document. After you have created the Non-adjacent Domain document, you can send a
message to a user in DomainB by simply writing the user’s name, as in user@DomainB.

DomainA can create an Adjacent Domain document to restrict messages from your domain to
DomainB.

Creating an Adjacent Domain Document


To create an Adjacent Domain document:
1. In the Domino Administrator client, select Configuration tab-> Messaging
section-> Domains view, as shown in Figure 4-5:

Figure 4-5: The Domains View


2. Click Add Domain to create a new domain document. The Domain
document appears, as shown in Figure 4-6:

Figure 4-6: An Adjacent Domain Document


3. In the Domain type field, select Adjacent Domain.
4. Specify the name of the adjacent domain in the Adjacent Domain name
field and describe the domain in the Domain description field.
5. Click Restrictions to define the domains that can access your domain to
route mails to the specified domain, as shown in Figure 4-7:

Figure 4-7: The Restrictions Tab of the Adjacent Domain Document


6. In the Allow mail only from domains field, specify the names of the domains
that you want to allow to send messages to the adjacent domain.
Alternatively, you can deny access to selected domains by adding their
names to the Deny mail from domains field.
7. Save and close the Domain document.

Creating a Non-Adjacent Domain Document


To create a Non-adjacent Domain document:
1. In the Domino Administrator client, select Configuration tab-> Messaging
section-> Domains view.
2. Click Add Domain to create a new Domain document. The Domain
document appears, as shown in Figure 4-8:

Figure 4-8: A Non-Adjacent Domain Document


3. In the Domain type field, select Non-adjacent Domain.
4. Specify the name of the Non-adjacent domain in the Mail sent to domain
field.
5. In the Route through domain field, specify the name of the Intermediate
adjacent domain that you want to use to route mail to the Non-adjacent
domain.
6. Save and close the Domain document.
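
The effect of Adjacent and Non-adjacent Domain documents on an address such as user@DomainB@DomainA can be followed hop by hop. The Python model below is an added example, not Domino code or code from this book. The domain name HomeDomain, the Directory class, the function names, and the rule that a Deny entry wins over an Allow entry are assumptions made for the illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Directory:
    """Routing-relevant documents in one domain's Domino directory (simplified)."""
    connected: set                                    # domains reachable by Connection documents
    non_adjacent: dict = field(default_factory=dict)  # "Mail sent to domain" -> "Route through domain"
    allow_from: dict = field(default_factory=dict)    # adjacent domain -> "Allow mail only from domains"
    deny_from: dict = field(default_factory=dict)     # adjacent domain -> "Deny mail from domains"


def sample_directories():
    """Constructed sample: HomeDomain connects only to DomainA; DomainA connects to DomainB."""
    return {
        "HomeDomain": Directory(connected={"DomainA"},
                                non_adjacent={"DomainB": "DomainA"}),
        "DomainA": Directory(connected={"HomeDomain", "DomainB"},
                             allow_from={"DomainB": {"HomeDomain"}}),
        "DomainB": Directory(connected={"DomainA"}),
    }


def rejected(where, reason):
    return {"status": "rejected", "at": where, "reason": reason}


def trace(address, origin, directories, max_steps=10):
    """Follow an address like user@DomainB@DomainA from the origin domain.

    The rightmost domain is the next one to reach. A Non-adjacent Domain
    document appends its "Route through domain", which is the same as the
    sender typing user@DomainB@DomainA by hand.
    """
    user, *domains = address.split("@")
    here, path = origin, [origin]
    for _ in range(max_steps):              # guard against looping documents
        if domains and domains[-1] == here:
            domains.pop()                   # arrived at the rightmost domain
        if not domains:
            return {"status": "delivered", "path": path, "recipient": user}
        target = domains[-1]
        local = directories[here]
        if target in local.non_adjacent:
            domains.append(local.non_adjacent[target])
            continue
        if target not in local.connected:
            return rejected(here, f"no route from {here} to {target}")
        # Restrictions tab of the Adjacent Domain document for `target`.
        # Assumption: a Deny entry overrides an Allow entry.
        if origin in local.deny_from.get(target, set()):
            return rejected(here, f"{origin} is denied for {target}")
        allowed = local.allow_from.get(target, set())
        if allowed and origin not in allowed:
            return rejected(here, f"{origin} is not allowed for {target}")
        here = target
        path.append(here)
    return rejected(here, "routing loop")


if __name__ == "__main__":
    dirs = sample_directories()
    print(trace("user@DomainB@DomainA", "HomeDomain", dirs))
    print(trace("user@DomainB", "HomeDomain", dirs))
    dirs["DomainA"].deny_from["DomainB"] = {"HomeDomain"}
    print(trace("user@DomainB", "HomeDomain", dirs))
```

Running the model with the Non-adjacent Domain document removed shows why user@DomainB alone cannot be routed from a domain that is connected only to DomainA.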

Creating Connection Documents


To route mail from one NNN to another NNN, you need to create a Connection document. A
Connection document defines the server in the source NNN that connects to another server in the
destination NNN. The Connection document also defines the port used for the connection and the
schedule for connection. A Connection document provides for a one-way mail transfer from the
source NNN to the destination NNN. To route mail from the destination NNN back to the source
NNN, you must create another Connection document.

To create a Connection document between the servers MainServer/HO/SNT and
ACTServer/RO/SNT:
1. In the Domino Administrator client, select Configuration tab-> Server->
Connections view, as shown in Figure 4-9:

Figure 4-9: The Connections View


2. Click the Add Connection action. This opens a New Connection document, as
shown in Figure 4-10:

Figure 4-10: A Sample Connection Document


3. In the Connection type field, select Local Area Network. A Connection type can
have other values for different types of connections.
In the Connection type field in the Basics tab, you can select one of the following
commonly used Connection types for a Connection Document:
• Local Area Network: Routes mail between servers connected through a LAN.
• Notes Direct Dialup: Routes mail between servers connected by a modem, where
each server has its own modem.
• Passthru Server: Connects to the destination server through an intermediate
server called the Passthru server.
• Network Dialup: Connects to a remote server that does not have its own modem.
In this case, the local Domino server connects to a non-Domino server through
Microsoft Remote Access Service (RAS). It then connects to the Domino server
using the resources of the remote network.
4. In the Source server field, specify the name of the server in the source NNN that
will route the messages to one of the servers in the other NNN. For example,
specify MainServer/HO/SNT, as shown in the Basics tab in Figure 4-10.
5. In the Destination server field, specify the name of the server in the destination
NNN to whom the source server will send the mail. For example, specify
ACTServer/RO/SNT, as shown in the Basics tab in Figure 4-10.
6. Specify the names of the source and destination domains.
7. In the Use the port(s) field, select the port that you want to use for
communication by clicking the Choose Ports button. The Enabled Server Ports
dialog box appears, as shown in Figure 4-11:

Figure 4-11: The Enabled Server Ports Dialog Box


8. Specify a priority for the selected port in the Usage Priority field. You can select
Normal or Low priority. Domino attempts to connect to the destination using all
Connection documents with a usage priority of Normal. Only if the connection is
not successful does it try to connect using the documents with Low usage
priority.
9. Click the Replication/Routing tab to specify the Router-related options for the
connection, as shown in Figure 4-12:

Figure 4-12: The Replication/Routing Tab


The Replication/Routing tab of the Connection document contains the following fields:
• Routing Task: Provides the option to select the type of routing task that you
want performed over the connection. Select Mail Routing to use the connection
for routing messages between Domino servers using Notes routing protocol.
• Route at once if: The minimum number of messages that must collect in the
MAIL.BOX for the ROUTER to connect to the destination server to transfer the
mail.
• Routing Cost: The routing cost of the connection. This value is a user-defined
number and is used to calculate the preferred path for the ROUTER. The ROUTER
always transfers messages over the least cost path.
• Router type: The method by which Domino routes messages. You can select from
Push Wait, Pull Push, Push only, and Pull only.
10. In the Replication/Routing tab, select Disabled in the Replication task field.
Select Mail Routing as the Routing task. Leave the other options at their defaults.
11. Click the Schedule tab and specify the schedule for the router on the source
server to transfer the messages to the destination server in the other NNN, as
shown in Figure 4-13:

Figure 4-13: The Schedule Tab


12. In the Schedule field, select Enabled. In the Connect at times field, specify the
times at which the server calls the other server. You can specify distinct values,
such as 9:00 AM, 12:00 PM, or 3:00 PM, or a range, such as 10:00 AM-8:00 PM.
Specify the interval after which the call should be repeated. Specify 0 if you want
the server to call just once. Select the days of the week on which the server
should call.
13. Save and close the document.
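
The routing scenarios inside one domain and the Connection document properties described above (one-way transfer, Routing Cost, least cost path) can be combined into one model. The Python code below is an added example, not Domino code or code from this book. It uses the server, user and NNN names from the scenarios, while the mail file names, the cost of 1 for a transfer inside an NNN, and all function names are assumptions.

```python
import heapq

# Constructed directory data, using the server and NNN names from the scenarios.
SERVER_NNN = {
    "MainServer": "Network1",
    "AppServer": "Network1",
    "ACTServer": "Network2",
    "ROMailServer": "Network2",
}
# Person documents: user -> (mail server, mail file). File names are made up.
PERSON = {
    "Arnold": ("MainServer", "mail/arnold.nsf"),
    "Maggie": ("MainServer", "mail/maggie.nsf"),
    "James": ("AppServer", "mail/james.nsf"),
    "Jessica": ("ROMailServer", "mail/jessica.nsf"),
}
# Connection documents as (source server, destination server, routing cost).
# Each one is one-way, so only MainServer -> ACTServer exists here.
CONNECTIONS = [("MainServer", "ACTServer", 1)]
SAME_NNN_COST = 1  # assumption: cost charged for a transfer inside one NNN


def neighbours(server, connections):
    """Yield (next_server, cost) for every transfer this server can make."""
    for other, nnn in SERVER_NNN.items():
        if other != server and nnn == SERVER_NNN[server]:
            yield other, SAME_NNN_COST          # common NNN: direct transfer
    for source, destination, cost in connections:
        if source == server:
            yield destination, cost             # Connection document


def least_cost_path(origin, target, connections):
    """Dijkstra search over MAIL.BOX-to-MAIL.BOX transfers."""
    queue, done = [(0, [origin])], set()
    while queue:
        cost, path = heapq.heappop(queue)
        here = path[-1]
        if here == target:
            return cost, path
        if here in done:
            continue
        done.add(here)
        for nxt, step in neighbours(here, connections):
            if nxt not in done:
                heapq.heappush(queue, (cost + step, path + [nxt]))
    return None


def route(sender, recipient, connections=CONNECTIONS):
    """Return the servers a message passes through and where it ends up."""
    origin, _ = PERSON[sender]              # message is deposited here first
    home, mail_file = PERSON[recipient]     # looked up in the Person document
    found = least_cost_path(origin, home, connections)
    if found is None:
        # No path: the message stays in the MAIL.BOX as undeliverable mail.
        return {"status": "held", "where": f"MAIL.BOX on {origin}"}
    cost, path = found
    return {"status": "delivered", "path": path, "cost": cost,
            "where": f"{mail_file} on {home}"}


if __name__ == "__main__":
    for to in ("Maggie", "James", "Jessica"):
        print("Arnold ->", to, route("Arnold", to))
    print("Jessica -> Arnold", route("Jessica", "Arnold"))
```

With only the MainServer to ACTServer Connection document defined, Jessica's reply to Arnold is held, which is the one-way behavior that the second Connection document corrects.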

Configuring SMTP Routing


You can configure Domino to send and receive mail from the Internet using SMTP. In a Domino
domain, you can configure the inbound and outbound servers based on the mail traffic and the
number of servers available for mail routing. Some sample configurations for SMTP routing in an
organization are:
• A single server is configured as the inbound as well as the outbound server for receiving
and sending SMTP mail.
• One Domino server is configured as the outbound SMTP server and a different server is
configured as the inbound SMTP server.
• All servers in the domain are configured to send SMTP mail but only one server can
receive SMTP mail.
• The Domino servers route mail to a third party SMTP server to send mail to the Internet.

All these scenarios require you to do similar types of configurations. The configuration settings that
you need to perform in every scenario are:
• Configuring inbound servers
• Configuring outbound servers
• Configuring relay hosts

Configuring the Inbound Server

To configure the Domino server as the inbound server that receives mail from the Internet, you
must enable the SMTP listener on the server. In addition, this server must be registered on the
Internet as the connecting server for your domain.

To enable SMTP listener on a server:


1. In the Domino Administrator client, select Configuration tab-> Server section->
All Server Documents view.
2. Open the Server document for the server on which you want to enable the
SMTP listener.
3. Click the Edit Server action to edit the server document. In the SMTP listener
task field on the Basics tab, select Enabled to enable the SMTP listener on the
server, as shown in Figure 4-14:

Figure 4-14: Enabling SMTP Listener on the Server


4. In the Fully qualified Internet host name field, specify the host name for the
Domino server as it is registered on the Internet. This server must be listed in
the DNS as the connecting server for your domain.

Configuring the Outbound Server

The Domino server that you enable to send SMTP mail must have a connection to the Internet.
You can connect the server directly to the Internet or enable it to transfer the outbound mail to
another server connected to the Internet. To enable a Domino server to send messages to the
Internet, you must enable the SMTP task on the server. In addition, you must enable the server to
send mail outside the local Internet domain.

To load the SMTP task on the server, use the following server console command:
LOAD SMTP

You can configure the servers to route mail to the Internet in the Configuration Settings document
on your server.

To configure a Domino server to send mail to the Internet:


1. In the Domino Administrator client, select Configuration tab-> Server section->
Configurations view, as shown in Figure 4-15:

Figure 4-15: The Configurations View


2. Click Add Configuration to create a new Configuration Settings document, as
shown in Figure 4-16:

Figure 4-16: A Configuration Settings Document


3. In the Group or Server name field on the Basics tab of the Configuration Settings
document, specify the name of the outbound SMTP server to which this
document will apply.
4. Click the Router/SMTP tab. This tab contains the options for configuring and
customizing the ROUTER and SMTP tasks on the server, as shown in Figure 4-17:

Figure 4-17: The Router/SMTP Tab of the Configuration Settings Document


5. To enable the selected server to send mail to the Internet, in the SMTP used
when sending messages outside of the local internet domain field, choose
Enabled.
6. Save and close the document.

Configuring a Relay Host

If one or more of the Domino servers in your domain can route SMTP mail to external domains, the
rest of the servers in the domain must route their SMTP mail to these outbound servers. You can
enable SMTP routing in all the servers in your domain and configure the SMTP outbound server as
a relay host for these servers. This routes all SMTP mail from the servers in your domain to the
outbound SMTP server.

To configure the internal Domino servers to route mail to the outbound SMTP server:
1. In the Domino Administrator client, select Configuration tab-> Server section->
Configurations view.
2. Click Add Configuration to create a new Configuration Settings document.
3. In the Basics tab of the Configuration Settings document, select the Use these
settings as the default settings for all servers option. This option creates a
Configuration Settings document that applies to all the servers in the domain
that do not have an explicit Configuration Settings document.
4. Click the Router/SMTP tab. In the SMTP used when sending messages outside
of the local internet domain field, choose Enabled. This option allows the servers
to which the Configuration Settings apply to send SMTP mail.
5. To relay the SMTP mail to the SMTP outbound server, specify the name of the
SMTP outbound server in the Relay host for messages leaving the local internet
domain field.
6. Save and close the document.

By performing the above procedure, you have configured all SMTP mail from all the servers in the
domain to be routed to the SMTP outbound server. This server then routes the SMTP mail to the
Internet.

Configuring Domino for Non-Notes Mail Clients


In addition to Lotus Notes clients, Domino supports several Internet-based mail clients, such as
POP3 and IMAP clients.

The clients who access the Domino server using the Internet authenticate with the Domino server
using their names and Internet passwords. Domino assigns the Internet password to a user at the
time of registration and you can synchronize this password with the user’s Notes ID password. The
Internet password for a user is stored in the user’s Person document in the Domino directory.

To allow the Internet clients to access the mail on the Domino server, you must run the appropriate
service on the server. For example, to allow POP3 clients to access the Domino server, you must
enable the POP3 task. Similarly, to allow access to IMAP clients, you need to enable the IMAP
task.
All Internet-based clients interact with the Domino server using the TCP/IP port. You need to
enable the TCP/IP port for each service configured on the server. To configure the TCP/IP port for
a service:
1. In the Domino Administrator client, select Configuration tab-> Server section-> All
Server Documents view.
2. Open the document for the server on which you have enabled the TCP/IP-based
service and click the Edit Server action to edit the Server document.
3. To enable the TCP/IP port for the Internet-based mail services, select the Ports->
Internet Ports tab in the Server document and click the Mail tab, as shown in
Figure 4-18:

Figure 4-18: Enabling the TCP/IP Port for the Internet Mail Services
4. Leave the TCP/IP port number at its default. In the TCP/IP port status field, select
Enabled for any service that you want to configure on the server.
5. Save and close the document.

Configuring Domino for POP3 Client Access

You can configure the Domino server as a POP3 server. POP3 is an Internet mail access protocol
that allows clients based on POP3 to retrieve mail from a server that supports POP3. A POP3
client downloads mail from a POP3 server and stores it locally. To allow POP3 clients to send
mail, you must provide them access to an SMTP server. The SMTP server can be the same
Domino server that the clients access for POP3, a different Domino server set up as an SMTP
server, or a non-Domino SMTP server.

POP3 clients use the standard Domino mail file to access their mail from the server. This allows
registered Notes users to access their mail files from both a POP3 client and the Lotus client.

To enable POP3 service on the Domino server, you must start the POP3 task by issuing the
following server console command:
LOAD POP3

This enables the POP3 service on the Domino server.

You can configure any POP3 client, such as Outlook Express, to connect to the Domino server and
download the mail for a specific user by providing the name and Internet password for the user.

Configuring Domino for IMAP Client Access

You can configure Domino to provide mail access to IMAP clients. IMAP is an Internet-based mail
protocol that allows clients to read their mail on the server. To ensure that the IMAP clients can
also send mail, you must provide them access to an SMTP server. The SMTP server can be the
same Domino server that the clients access for IMAP, a different Domino server set up as an
SMTP server, or a non-Domino SMTP server.

As is the case with the other Internet-based protocols, the IMAP users authenticate with the server
using their names and Internet passwords.

To configure a Domino server for IMAP access, start the IMAP task on the server by issuing the
following server console command:
LOAD IMAP

To allow the IMAP clients to access their mail, you need to convert the standard Domino mail files
to an IMAP-usable format. By default, Domino converts the mail files to IMAP format automatically
when the user logs on for the first time. The option to automatically convert the mail file to IMAP
format when the user logs on is available in the Configuration Settings document of the server.

To view the option to automatically convert a Domino mail file to an IMAP format:
1. In the Domino Administrator client, select Configuration tab-> Server section->
Configurations view.
2. Open the Configuration Settings document for the server on which you have
enabled IMAP and click the IMAP tab, as shown in Figure 4-19:

Figure 4-19: The IMAP Tab of the Configuration Settings Document


3. The Enable IMAP during login option is set to Enabled. This ensures that the
mail files are converted automatically.
4. In the Maximum number of IMAP sessions field, you can specify the maximum
number of concurrent IMAP client sessions you want to allow on the server. By
default, the server imposes no limit on the number of concurrent IMAP sessions.
5. In the IMAP Session timeout field, you can specify the duration in minutes for
which the IMAP service waits for a client activity. If the client does not respond in
the specified duration, the server drops the session. The default value is 30
minutes.

Manually Converting Mail Files for IMAP access


To save users time when they log on the first time, you can manually convert the mail files of users
for IMAP access. By manually converting the mail files for IMAP access, you also prevent users
from encountering conversion errors while converting the mail files. You can run the mail
conversion utility on a single mail file or on all mail files in a folder.

To convert the mail file for IMAP access on a server:


1. Shut down the ROUTER task to prevent Domino from routing mail to the mail
file while it is being converted. To shut down the ROUTER task, issue the
following server console command:
TELL ROUTER QUIT
2. Convert the mail file by issuing the server console command:
LOAD CONVERT -E <MAILFOLDER\MAILFILENAME>
In the above command, MAILFOLDER is the path of the folder that contains the user's
mail file. The path is relative to the server’s DATA folder. The MAILFILENAME is the
filename of the user's mail file.
Note You can convert all the files in a folder that contains only mail files by issuing the
following server console command:
LOAD CONVERT -E MAIL\*.NSF

Load the ROUTER task after you finish enabling mail files for IMAP on this server by issuing the
following server console command:
LOAD ROUTER

Mail Monitoring Tools


To monitor mail routing on a Domino server, the server provides several tools, such as mail trace.
These mail monitoring tools help you troubleshoot mail-related problems, such as mail not being
delivered to certain users or servers. You can also use the mail monitoring tools to control the load
of the mail that is sent through the servers.

Domino provides three mail monitoring tools:


• Mail Trace: Traces the routing path to a specific user.
• Mail Tracking and Usage Reports: Collects data about the mail routed from a server in a
tracking database. You can use this data to track a specific message or create mail
usage reports.
• Mail Event Generators: Notify you of any mail-related problems.
Note To learn more about creating mail event generators, see Chapter 9,
Monitoring a Domino Server.

The server holds all the undeliverable mail in the MAIL.BOX. The Domino Administrator client
provides views to check the status of undeliverable mail held on the server.

Mail Trace

A mail trace traces the routing path from the current administrator’s mail server to a specific user’s
mail server. A mail trace does not send any mail to the specified user, but returns a mail trace
report back to the sender. To send a mail trace:
1. In the Domino Administrator client, select Messaging tab-> Mail tab.
2. In the Tools pane, select Messaging-> Send Mail Trace, as shown in Figure 4-20:

Figure 4-20: Selecting the Send Mail Trace Option


The Send Mail Trace dialog box appears, as shown in Figure 4-21:

Figure 4-21: The Send Mail Trace Dialog Box


3. In the To field, select the user or group to which you want to send the trace
message by clicking the person icon.
4. Specify the subject of the trace message in the Subject field.
5. From the Send me a trace report from options, select the Each server on the
path option to test the connection to each server in the routing path to the
recipient. Select Last server only if you want to receive a trace report only from
the recipient’s mail server.
6. Click Send to send the trace to the selected user.
7. Click Done to close the dialog box.
8. Open your mail file to check the trace reports. Figure 4-22 shows a sample mail
trace report for a user who has the same mail server as the administrator:

Figure 4-22: A Sample Mail Trace Report

Domino sends a similar trace report from each server, if the routing path to the recipient contains
multiple servers. If any server cannot forward or deliver a trace message, you will not receive any
trace message from that server.

Message Tracking

Message tracking allows you to track the status of messages. You can track any message but
users can track only the messages they send.

The Mail Tracker Collector (MTC) task on the server tracks the mail on the server. The MTC task
collects and stores the mail tracking information in a Mail Tracker Store database, MTSTORE.NSF.
This database is created inside the MTDATA folder in the Domino DATA folder. When you track a
message, the MTC task retrieves the tracking information from the MTSTORE.NSF database.

You can also generate mail usage reports using the tracking information recorded in the
MTSTORE.NSF.

Enabling Message Tracking


You can enable message tracking on the server in the Server Configuration document. You can
also customize the MTC task in the Server Configuration document by specifying the required
information, such as the names of users allowed to track messages or message subjects, the
message tracking collection interval, and the names of users whose messages or message
subjects must not be tracked.

To enable message tracking on a server:


1. In the Domino Administrator client, select Configuration tab-> Server section->
Configurations view.
2. In the Results pane, double-click the Configuration Settings document for your
server. If a Configuration Settings document does not exist, click the Add
Configuration action to create a new Configuration Settings document and
specify the server name in the Group or Server name field on the Basics tab
of the document.
3. Select the Router/SMTP tab-> Message Tracking tab to view the options
related to message tracking, as shown in Figure 4-23:

Figure 4-23: The Message Tracking Tab in the Configuration Settings Document
The Message Tracking tab contains the following options:
• Message tracking: Tracks messages on the selected server if you select Enabled.
• Don’t track messages for: A list of users whose messages you do not want the
MTC to track. This option considers names in the From, SendTo, CopyTo or
BlindCopyTo fields of the message.
• Log message subjects: Logs the subjects of messages, if you select Yes.
• Don’t log subjects for: A list of users whose message subjects you do not want
the MTC to track. This list applies to users who are listed in the From field of
the message.
• Message tracking collection interval: The duration in minutes after which the
MTC logs the messages in the MTSTORE database.
• Allowed to track messages: A list of servers and users who are allowed to track
messages. If the tracking involves multiple servers, you must include the server
names in this list.
• Allowed to track subjects: A list of servers and users who are allowed to track
the subjects of messages. If the tracking involves multiple servers, you must
include the server names in this list.
4. Select Enabled in the Message Tracking field, define the other fields, and click
Save & Close.
5. Restart the server to enable it to start message tracking.
Note You can also start the MTC task manually using the following server console
command:
LOAD MTC

Mail Tracking Console Commands


To override the default MTC collection interval or to perform housekeeping of the MTSTORE
database, you can use the following server console commands:
• LOAD MTC: Loads the MTC task.
• TELL MTC QUIT: Quits the MTC task.
• TELL MTC PROCESS: Forces the MTC task to log the messages into the
MTSTORE.NSF database immediately by overriding the collection interval
specified in the Configuration Settings document.
• TELL MTC INTERVAL <N>: Resets the message tracking collection interval to
the specified value. The value specified is in seconds.
• TELL MTC PURGE <N>: Purges documents older than <N> days from the
MTSTORE.NSF database.
• TELL MTC REINDEX: Re-indexes the MTSTORE.NSF database.
• TELL MTC COMPACT: Compacts the MTSTORE.NSF database.

Tracking Mail Messages

You can track the messages that have been logged by the MTC task in the MTSTORE.NSF
database by using the Tracking Center in the Domino Administrator client.

To track messages using the Domino Administrator client:


1. Select Messaging Tab-> Tracking Center, as shown in Figure 4-24:

Figure 4-24: Tracking Center


2. To specify information about the message that you want to track, click the
New Tracking Request button. The New Tracking Request dialog box
appears, as shown in Figure 4-25:

Figure 4-25: New Tracking Request Dialog Box


3. In the Tracking Request dialog box, specify data about the messages that you
want to track in the From, To, and Sent fields. Use the Sent field to specify
which messages you want the MTC to track. You can choose from Today,
Yesterday, Last week, Last 2 weeks, Last month, and All times.
4. In the Start at field, select the Sender’s home server to start tracking from the
server where the mail originated or select Current server if you want to start
tracking the message from the current server.
5. If you enabled subject tracking on the server, specify the subject of the
message that you want to track or its message ID. Specify as much
information as you know to make your query effective.
6. Click OK. The tracking request is executed and all the messages that satisfy
the specified conditions are listed in the Tracking Center screen, as shown in
Figure 4-26:

Figure 4-26: Result of a Tracking Request


7. To check the status of a specific message, select the message from the list
and click the Track Selected Message button. The status bar shows the
message, Message Tracking Finished.
8. Select the server from the Select a server for transfer details section in the
lower-left pane, as shown in Figure 4-27:

Figure 4-27: Tracking Report for a Selected Message

Creating Mail Usage Reports


You can create mail usage reports using the data collected by the MTC task in the MTSTORE.NSF
database. A mail usage report is a graphical representation of the messages sent by users through
a server.

The mail usage reports are created in the Reports database REPORTS.NSF, which is created
automatically on the server. A report can be a scheduled report or a one-time report. A scheduled
report can run daily, weekly or monthly.

To create a mail usage report:


1. In the Domino Administrator client, select Messaging tab-> Mail tab-> Reports
for <servername> section, as shown in Figure 4-28:

Figure 4-28: Views in the Reports Database


The Reports for <Servername> section shows the views in the Reports database. The
views are organized into two sections:
 Report Results: Contains the reports that have been created
and saved. This section shows the reports categorized by the
date when the reports were created, the schedule type for a
scheduled report, the type of report selected at the time of
creation of the report, and the user who created the report.
 Scheduled Reports: Contains the definitions of the scheduled
reports categorized by their frequency.
2. To create a report, select any view and click the New Report action. The
Create New Report dialog box appears, as shown in Figure 4-29:

Figure 4-29: The Create New Report Dialog Box


3. Specify a descriptive name for the report in the Enter a Description field.
4. In the Basics tab, select the type of report that you want to create from the
Report Type field. Examples of report types are Top 25 Users By Count, Top
25 Users By Size, and Top 25 Largest Messages.
5. Select the time range for which you want to generate the report in the Time
Range field. Some of the options are Today, Yesterday, Over the last week,
Over the last month, and All available information.
6. Select the frequency of running the report in the Run this report field. You can
run the report once or daily, weekly, or monthly.
7. In the Report should be field, select Saved to save the report in the Reports
database. You can also select Mailed to e-mail the report to a user specified in
the Mail recipient field. If you want to save as well as e-mail the report, select
Saved & Mailed.
8. Click the Conditions tab to specify the conditions for selecting the messages
in the report, as shown in Figure 4-30:

Figure 4-30: The Conditions Tab


9. Specify the conditions for selecting messages in the report by selecting the
Sender’s Name, Recipient’s Name, Delivery Status, or Message Size option
and fill in the required information. You can select multiple conditions.
10. Click OK to create the report. Figure 4-31 shows a sample mail usage report:

Figure 4-31: A Sample Mail Usage Report

Checking Mail Status Using the Domino Administrator Client

The messages that are not delivered by the ROUTER are held in the MAIL.BOX as pending
messages or dead messages.

The MAIL.BOX holds a pending message because the destination server is not available. The
pending message is delivered when the destination server becomes available. If the ROUTER
cannot deliver a message to a user, it sends a delivery failure report to the sender. A dead
message is an undeliverable message for which the ROUTER cannot send the delivery failure
report to the sender because of an error with the sender’s address. The ROUTER stores these
dead messages in the MAIL.BOX.
To check the messages held in the MAIL.BOX on your server, in the Domino Administrator client,
select Messaging tab-> Mail tab-> <yourservername> Mailbox (mail.box) view, as shown in Figure
4-32:

Figure 4-32: The MAIL.BOX on the Server

To resolve the messages that have accumulated in the MAIL.BOX:


 Ensure that all the configurations required to route mails to the destination server,
such as the connection documents, are in place.
 Verify the Person document of the recipient for information such as the mail server
name and the mail file name.
 Ensure that the destination server is running.
 Restart the ROUTER and force the mail routing.

You can release messages on the server by selecting the message and clicking the Release
action. The Release action provides five options:
 Resend all dead messages to originally intended recipient
 Resend selected dead messages to originally intended recipient
 Return Non Delivery Report to sender of selected dead messages
 Resend selected held messages
 Resend selected held messages for a final time
The Domino Administrator client also allows you to check the status of dead and pending
messages on the server using the Mail Routing status view. This view is available in the Mail tab
on the Messaging tab of the Domino Administrator client, as shown in Figure 4-33:

Figure 4-33: The Mail Routing Status View in the Domino Administrator Client

Mail Rules
Mail rules allow you to take action on the messages deposited in the MAIL.BOX based
on the content of the message. You can create rules to control spam mail on the Domino
server or monitor the messages passing through your mail server.

To create a mail rule:


1. In the Domino Administrator client, select Configuration tab-> Server section->
Configurations view to select the Configuration Settings document for your
server.
2. Open the Configuration Settings document for your server and click Edit
Server Configuration to edit the document.
3. Select Router/SMTP tab-> Restrictions and Controls tab-> Rules tab. The
various Rules-related actions are displayed on the Rules tab, as shown in
Figure 4-34:

Figure 4-34: The Configuration Settings Document Showing the Rules Tab
4. To create a new rule, click the New Rule action. The Server Mail Rule – New
Rule dialog box appears, as shown in Figure 4-35:

Figure 4-35: The Server Mail Rule – New Rule Dialog Box
5. In the Specify Conditions section, select Create Condition to define the
condition that the documents must satisfy to be considered in the rule. You
can also select Create Exception if you want the documents that satisfy the
condition to be ignored.
6. Build the condition using the options provided. For example, in the first box,
select size (in bytes). In the next box, select an operator, such as is greater
than, and in the last box specify a value, such as 2000000. Click Add to add
the condition to the conditions list.
Note To add multiple conditions, first select the logical operator, such as AND or OR,
and then build a second condition.
7. In the Specify Actions section, select the action that you want taken on the
messages that meet the condition you specified. You can select one from the
following actions:

 journal this message
 move to database
 don’t accept message
 don’t deliver message
 change routing state

8. Click Add Action to add the action to the list. You can also add multiple
actions.
9. Click OK to save and close the rule.
10. Click the Save & Close action to save and close the Configuration Settings
document.
Mail Journaling
Mail journaling allows you to maintain a copy of the messages sent through the server.
By default, Domino does not maintain any copy of the message routed through the
server. By enabling journaling, you can either journal all the messages coming to the
server or only those messages that satisfy a condition.

To enable mail journaling on a server:


1. In the Domino Administrator client, select Configuration tab-> Server section->
Configurations view.
2. Open the Configuration Settings document for your server on which you want
to enable journaling.
3. Select the Router/SMTP tab-> Advanced tab and then select the Journaling
tab to view the options related to mail journaling, as shown in Figure 4-36:

Figure 4-36: The Journaling Tab of the Configuration Settings Document


4. To enable journaling on the server, select Enabled in the Journaling field.
The Journaling tab contains the following options:
 Journaling: Enables Journaling on the server if you select
Enabled. Default is Disabled.
 Field encryption exclusion list: Specifies the fields in the
journaled messages that must not be encrypted. Domino
encrypts the messages in the Mail Journal database using a
user’s public key. The default list includes Form, From,
Principal, and PostedDate.
 Method: The methods of sending the messages to the Journal
database. You can choose from Copy to a local database and
Send to mail-in database.
 Mail Destination: A person or a mail-in database name where
you want to journal the messages. This field is shown only if
you select the method as Send to mail-in database.
 Database Name: The database name where the journaled
messages are stored. To specify the database, you need to
select the Copy to local database option. The default is
MAILJRN.NSF
 Encrypt on behalf of user: The user whose public key is used
to encrypt the Mail Journal database. By selecting this option,
you ensure that only the authorized user can read these
messages.
 Database Management Method: A method to automatically
manage the size of the Mail Journal database. Select
Periodic Rollover to specify the duration in number of days
after which Domino renames the Mail Journal database and
creates a new database with the original name. Select
Purge/Compact to specify the data retention duration in
number of days after which Domino deletes the documents
and compacts the database. Select Size Rollover to specify
the maximum size in MB after which Domino
renames the Mail Journal database and creates a new
database with the original name. Select None if you do not
want any of these methods to be used.
5. Save the document to save the Journaling options.

For mail journaling to work, you must enable a mail rule with Journal the message as the
action.

To create a mail rule for journaling the messages:


1. Navigate to the Restrictions and Controls tab in the Router/SMTP tab of the
Configuration Settings document and then click the Rules tab.
2. Click Add Rule to add a new rule for journaling the messages. Figure 4-37
shows a sample rule that journals all the messages on the selected server:

Figure 4-37: A Mail Rule to Journal all the Messages on the Server
3. Click OK to save and close the rule. Save and close the Configuration
Settings document.
Restart the server for the configuration settings to take effect.

Chapter 5: Configuring Calendaring and Scheduling

The Calendaring and Scheduling feature of Domino provides users with their personal calendars in
which they can create entries, such as appointments, anniversaries, and events. End users can
also update their calendars to set up reminders for themselves and let others know of their
availability. In addition, end users can update their calendars to reflect the holidays defined for the
organization by the administrator.

Using their personal calendars, end users can schedule meetings and the resources required for
the meeting by looking up the free times of other users and the availability of rooms and resources.

The Domino server processes the Calendaring and Scheduling requests with the help of some
server tasks and databases. These server tasks and databases constitute the Free Time system
on the server.

This chapter explains the Free Time system that processes the Calendaring and Scheduling
requests on Domino. It also explains how to set up a resource and reservation database. In
addition, it explains how to create and import holidays into the calendars.

The Free Time System


The Free Time system is the collective name used for the Calendar Connector or the CALCONN
task, the Schedule Manager or the SCHED task, and the Free Time database, BUSYTIME.NSF.
These features collectively provide the Calendaring and Scheduling functionality in Domino.

When users schedule a meeting and look up the availability of other users and resources, the Free
Time system on the Domino server provides them with this information.

When users update their personal calendars to add appointments or other entries, the Free Time
system updates the information at its end in the Free Time database.

Of the three components of the Free Time system:


 The CALCONN task connects to another server to retrieve the Free Time Information
about the users and resources on that server. This is required when a user tries to
look up free time information about users or resources on the other server or
scheduling applications.
 The SCHED task collects the information when a user updates the calendar or books a
resource and updates this information in the Free Time database.
 The Free Time database is used by the SCHED task to update and look up the free
times of users.
Note On a clustered server, the Free Time database is CLUBUSY.NSF, not
BUSYTIME.NSF.

If you want to provide the users on your server with the Calendaring and Scheduling services, you
must run the CALCONN and the SCHED tasks on the server. You can choose to start the
CALCONN and SCHED tasks automatically by selecting them at the time of configuring a server or
add them later to the SERVERTASKS = entry in the NOTES.INI.
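
A check for the requirement above, as an added example that is not from the book or from the product: it reads NOTES.INI text and reports whether CALCONN and SCHED are in the ServerTasks= startup list. The sample files are constructed, and the handling of ServerTasksAt<hour>= lines (scheduled tasks, which this chapter does not cover) is included so a task listed only there is not mistaken for one started with the server.

```python
import re

# Tasks the page says must run to provide Calendaring and Scheduling services.
FREE_TIME_TASKS = ("CALCONN", "SCHED")

# Scheduled-task keys such as ServerTasksAt1, ServerTasksAt2 (compared in lower case).
_SCHEDULED_KEY = re.compile(r"^servertasksat\d+$")


def parse_server_tasks(ini_text):
    """Return (startup, scheduled, duplicates) parsed from NOTES.INI text.

    startup    -- upper-cased task names from every ServerTasks= line
    scheduled  -- upper-cased task names from ServerTasksAt<hour>= lines
    duplicates -- number of ServerTasks= lines beyond the first
    """
    startup, scheduled, seen = set(), set(), 0
    for raw in ini_text.splitlines():
        line = raw.strip()
        # Skip blanks, the [Notes] section header, and anything that is not key=value.
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        # An entry may carry arguments ("Object Collect mailobj.nsf");
        # the task name is the first word of each comma-separated entry.
        names = {part.split()[0].upper() for part in value.split(",") if part.strip()}
        if key == "servertasks":
            seen += 1
            startup |= names
        elif _SCHEDULED_KEY.match(key):
            scheduled |= names
    return startup, scheduled, max(seen - 1, 0)


def audit(ini_text, required=FREE_TIME_TASKS):
    """Return a list of findings; an empty list means every required task
    is in the ServerTasks= startup list."""
    startup, scheduled, duplicates = parse_server_tasks(ini_text)
    findings = []
    if duplicates:
        findings.append(
            f"{duplicates + 1} ServerTasks= lines found; "
            "keep one so the startup list is unambiguous"
        )
    for task in required:
        name = task.upper()
        if name in startup:
            continue
        if name in scheduled:
            findings.append(f"{task}: only on a ServerTasksAt line, not started with the server")
        else:
            findings.append(f"{task}: missing from ServerTasks=")
    return findings


# Constructed sample: both Free Time tasks start with the server.
SAMPLE_OK = """[Notes]
Directory=/local/notesdata
ServerTasks=Update,Replica,Router,AMgr,AdminP,CalConn,Sched
ServerTasksAt2=UpdAll,Object Collect mailobj.nsf
"""

# Constructed sample: CALCONN was never added, so lookups against
# other servers cannot be answered.
SAMPLE_BROKEN = """[Notes]
servertasks = Update, Replica, Router, AdminP, Sched
ServerTasksAt1=Catalog,Design
"""

if __name__ == "__main__":
    for label, text in (("ok", SAMPLE_OK), ("broken", SAMPLE_BROKEN)):
        problems = audit(text)
        print(label, "->", problems if problems else "all required tasks present")
```

A task that is absent from ServerTasks= can still have been started by hand at the server console, so treat a finding as "not started automatically" rather than "not running".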

The Free Time database is created automatically on the server when the SCHED task runs for the
first time. This database contains an entry for every user who has a mail file on the concerned
server and has updated the calendar profile.
Tip You can update a calendar profile by opening the calendar and selecting
Action-> Tools-> Preferences from the menu. You can specify the days of the
week, the times at which you are available, and the users who can view your
free time.

Accessing Free Time Data Within a Domino Domain

When an end user schedules a meeting and looks up the free time for the list of invitees selected,
the Free Time system searches and returns their availability. If the end users are in the same
domain and have the same mail server, the Free Time system finds the information in the Free
Time database on the originator’s mail server.
Note The server that provides information about a user’s calendar is called the user’s
calendar server.

If the mail server is different, the CALCONN task sends a query to the other user’s mail server. The
Free Time system on the other server finds the information and sends it back using the CALCONN
task. In this way, an end user obtains information about the availability of other end users.

Accessing Free Time Data from Other Domains

By default, Domino does not allow end users to access free time data from other domains. An end
user who wants to schedule a meeting with an invitee from another domain may look up the
availability of the invitee and receive an error message that the information is not available. To
ensure that users can look up the free times of users from other domains, you must create Domain
documents. A Domain document defines an external domain with which the server in your local
Notes domain communicates.

You can create the following Domain documents to access the calendar information:
 Adjacent: Create this Domain document if your domain communicates with the
other domain directly. In the Adjacent Domain document, you can specify the name
of the calendar server in the adjacent domain.
 Non-adjacent: Create this Domain document if your domain communicates with the
other domain through an intermediate adjacent domain. In the Non-Adjacent
Domain document, you can specify the calendar server in the adjacent domain
through which free time requests to the non-adjacent domains should be routed.
 Foreign: Create this Domain Document if users use IBM OfficeVision or Lotus
Organizer to manage their schedules. In the Foreign Domain document, you
specify the calendar system being used by the target users and the server that
maintains their scheduling information.

To create an Adjacent Domain document:


1. In the Domino Administrator client, select the Configuration tab-> Messaging
section-> Domains view. Figure 5-1 shows the Domains view:

Figure 5-1: The Domains View of the Domino Administrator Client


2. Click the Add Domain action. A New Domain document appears, as shown in
Figure 5-2:

Figure 5-2: A New Domain Document


3. Select the Domain type as Adjacent and specify the name of the domain in the
Adjacent domain name field on the Basics tab.
Note For a Non-Adjacent domain, you must specify the Domain type as Non-Adjacent
Domain, and for a Foreign Domain, you specify the Domain type as Foreign
Domain.
4. Click the Calendar Information tab. In this tab, specify the name of the server in
the other domain that provides the Free Time information, as shown in Figure 5-3:

Figure 5-3: The Calendar Information Tab of the Adjacent Domain Document
5. Provide the required information in the Calendar Information tab. The
information you provide should be based on the Domain type you selected in the
Basics tab.
Table 5-1 describes the information you should specify for the domain types in the fields
provided in the Calendar Information tab:
Table 5-1: Information Required in the Calendar Information Tab

Domain Type | Field(s) in the Calendar Information Tab | Information to be Specified
Adjacent Domain | Calendar server name | The name of the server in the adjacent domain that provides the free time information about users in that domain.
Non-Adjacent Domain | Route requests through calendar server | The name of a calendar server that is in a domain adjacent to both the source and the target domains. This server sends the free time queries from the source to the target non-adjacent domain.
Foreign Domain | Calendar server name and the Calendar System | The name of the server running the alternate scheduling application. In the Calendar System, select OfficeVision or Organizer as the alternate calendar system.

6. Click Save & Close to save the document and close it.

When a user sends free time query information to another domain, Domino Server 6.0 checks the
calendar server name specified in the domain document and the Free Time system sends a query
to the specified server. The Free Time system on the target server finds the availability of the user
and passes the required information to the server that originated the request.

The Schedule Manager

The Schedule Manager (SCHED) is a task that runs on the server. When users schedule
appointments in the calendars or book the resources, SCHED updates the Free Time database
and maintains the correct information in this database.

You can issue commands to the SCHED task using the Domino server console. Some of the
commands that can be executed on the SCHED task are:
 TELL SCHED STATS: Shows the total appointments for each user and the total
reservations for each resource in the Free Time database. It also shows the
consolidated number of appointments for all users and the consolidated number of
reservations for all the resources.
 TELL SCHED SHOW <Username>: Shows the schedule for the specified user on
the server console. The administrator can view all the entries in the user’s
calendar.
 TELL SCHED VALIDATE [<Username>]: Validates the Free Time database by
removing the old information and adding the new free time information. Optionally,
you can specify a user name to validate the free time information for a single user.
The validation of the Free Time database takes place by default at 2:00 A.M.
 TELL SCHED QUIT: Stops the SCHED task on the server.

Configuring the Resource Reservations Database


The Resource Reservations database defines resources, such as conference rooms, LCD
projectors, televisions, and laptops. End users can reserve these resources in this database. The
Free Time system on a server manages the availability of a resource in the same way that the Free
Time database manages a user’s availability. Users can look up the availability of a resource while
scheduling a meeting and reserve the resource if it is available.

The Resource Reservation database is based on the Resource Reservations (6) template
(RESRC60.NTF) and contains three types of documents:
 Site: Defines the locations where the resources are present.
 Resource: Defines information about a resource, such as its name, the site where it is
located, and its availability.
 Reservation: Defines the date and time for which a resource is reserved.

The administrator creates the Site and Resource documents and the end user does the
reservations.

To create the Resource Reservation database:


1. Create a new database using File-> Database-> New menu option. The New
Database dialog box appears, as shown in Figure 5-4:

Figure 5-4: The New Database Dialog Box for a Resource Reservation Database
The values accepted by the fields in the New Database dialog box are:

 Server: Name of the server on which you want to set up the
Resource Reservation database.
 Title: Any title for the database, such as Resources Reservation.
 File name: Any filename, such as RESOURCE.NSF.
 Template Server: Select the server, and select the Show
advanced templates option.
 Template Name: Resource Reservations (6) (RESRC60.NTF).

2. Open the Access Control List (ACL) of the newly created database. Figure 5-5
shows the Access Control List to: Resources Reservation dialog box:

Figure 5-5: The Access Control List to: Resources Reservation Dialog Box
3. Click your name in the ACL and from the list of Roles on the lower right, select the
[CreateResource] role to assign it to yourself, as shown in Figure 5-5. This role
allows you to create the site and the resource documents.
Note The user who creates a database is automatically added to the ACL.
The Resource Reservation database contains several views, as shown in Figure 5-6:

Figure 5-6: The Views in the Resource Reservation Database

The views in the Resource Reservation database are:


 Reservation-By Date: Shows the reservations made by users categorized by date of
reservation.
 Reservation-By Resource: Shows the reservations made by users categorized by the
resource reserved.
 Reservation-Waiting for approval: Shows the reservations requested by users that are
waiting for approval.
 Reservation-Declined: Shows the reservation requests that have been declined.
 Calendar: Shows the calendar for a resource.
 My Reservations: Shows the reservations made by the current user. This is a private
view.
 Resources: Shows the Resource documents.
 Sites: Shows the Site profile documents.

After configuring the Resource Reservations database, you can now use this database to create
the Site and Resource documents.

Creating Site Profile Documents

You use the Site Profile documents to define sites in the Resource Reservation database. Sites
are locations where the resources exist. A database must contain at least one Site Profile
document before you can add resources to it.
Note You must assign yourself Manager access with the [CreateResource] role in
the Resource Reservation database to add the Site Profiles.

To create a Site Profile document:


1. Open the Resource Reservation database.
2. Click the New Site action shown on the action bar or select Create-> Site Profile
from the menu. A Site Profile document opens, as shown in Figure 5-7:

Figure 5-7: A Site Profile Document


The fields and options in the Site Profile document are:
 Site name: The name of the site where the resource exists. The
site name must be longer than two characters.
 Domain name: The Domino domain where the resource
reservation database is set up.
 Resource reservation server: This field automatically shows the
server on which the database is set up.
 Resource reservation filename: This field automatically shows
the filename of the Resource Reservation database.
3. Specify a site name, such as Head Office and the Domino domain name for your
domain.
4. Click the Save & Close action to save and close the document.
Creating Resource Documents

You use resource documents to define resources at a specific site. You can create three types of
resources:
 Rooms: Users reserve rooms for meetings based on the number of invitees. Each
room must have a seating capacity.
 Online Meeting Place: Used to conduct online meetings using Sametime 3.0
running with Domino 6.0.
 Other: These include resources such as laptops, LCD projectors, or any other
resource that is not a room or an online meeting place. These are reserved along
with the rooms for the meetings.

To create a Resource document:


1. Open the Resource Reservations database.
2. Click the New Reservation action or select Create-> New Reservation from the
menu. The New Resource document opens, as shown in Figure 5-8:

Figure 5-8: A Sample New Resource Document


Note To create resources in the database, you must have at least an Author access to
the Resource Reservation database with the [CreateResource] role.
The fields and options in the Resource document are:
 Resource type: The type of resource, which can be Room,
Other, or Online Meeting place.
 Resource name: The unique name of the resource.
 Site: The site where you are creating the resource.
 Description: The description of the resource.
 Capacity: The capacity of the room, if the resource type is Room.
 Category: The category of the Other resource type, such as
Hardware or Software, to group the resource.
 Internet Address: The Internet address for the resource. Users
using iCalendar can use this address to reserve the resource.
 Owner restrictions: Defines the owner of the resource. Select
None-No owner to allow all users to reserve the resource. Select
Owner only to allow the owner to reserve the resource. Other
users’ reservation requests are forwarded to the owner for
approval. You can specify the owner’s name. To allow more than
one user to reserve the resource, select Specific people. If you
select Autoprocessing, you can define a list of names of users
who can reserve the resource without any approval. The rest of
the users’ reservation requests are sent for approval to the
owner defined in the Owner’s name field. Select Disable
reservations to disable reservations for the selected resource.
 Availability Settings: The time slots and days on which the
resource is available for reservation. You can select the 24 hours
everyday option to make the resource available at all times and
days of the week. If you do not select this option, you can define
a time slot for each day of the week when the resource is
available. You can also define the availability according to a
different time zone by selecting from the Time Zone list.
 Other Comments: Additional comments for the resource.
3. Fill in the document and click Save & Close to save and close the document.
To integrate the resources with the users’ calendars, you must add the resources to the
Domino directory. Domino uses the Administration Process (AdminP) to add the
resource to the Domino directory by posting an Add Resource request in the
Administration Requests database (admin4.nsf) on the server. A message to this effect
appears, as shown in Figure 5-9:

Figure 5-9: The Message Displayed on Saving a Resource


4. Click OK to close the message box.

The resource is added to the Resource Reservation database and then it gets added to the
Domino directory after a few seconds.

Deleting a Resource

If a resource no longer exists, you may be required to delete it. When you delete a resource from
the Resource Reservation database, you must also delete it from the Domino directory. You can do
this through an Approve Resource Deletion request in the Administration Requests database.

To delete a resource from the Resource Reservation database:


1. Open the Resource Reservation database.
2. Click the Resources view to see the list of resources in the database.
3. Open the Resource document that you want to delete and then click the Delete
Resource button to delete the resource.
Note You must have the [CreateResource] role in the database ACL to delete the
resource.
4. Click OK to confirm the resource deletion. A Delete Request message box
indicating that an AdminP request has been submitted for the deletion of the
resource appears, as shown in Figure 5-10:

Figure 5-10: The Delete Request Message Box


5. Click OK to close the message box.

The AdminP request for deletion of the resource needs to be approved by the administrator.

To approve the AdminP request for deletion of the resource:


1. Select the Server tab-> Analysis tab-> Administration Requests (6) from the
Domino Administrator client.
2. Select the Pending Administrator Approval-> By Age view, as shown in Figure 5-11:

Figure 5-11: The Approve Resource Deletion AdminP Request


3. Open the Approve Resource Deletion request and click Edit document to change
the document to edit mode. The Approve Resource Deletion action and the
Reject Resource Deletion action appear on the action bar, as shown in Figure 5-12:

Figure 5-12: The Approve Resource Deletion Request Document


4. Click the Approve Resource Deletion action to approve the request.
5. Click Yes to confirm the deletion. A message box indicates that another request
has been added to the Administration Requests database for deleting the
resource, as shown in Figure 5-13:

Figure 5-13: The Request Successful Message Box


6. Click OK to close the message box.

The Delete Resource request is carried out in a few seconds and the resource is deleted from the
Domino directory.

Editing a Resource

You can also modify a resource in a database. For example, the owner of the resource leaves the
organization and you need to assign a different owner for the resource. In this situation, you can
edit the resource in the Resource Reservation database. You can modify the following options for a
resource:
 Availability Settings
 Capacity
 Description
 Online Resource data
 Other Comments and Ownership settings

For changing any other options, such as the name of the resource or the site to which it belongs,
you must delete the resource and recreate it.

The AdminP updates the modified resource options in the Domino directory and all its replicas. The
Administration Request generated is Modify Room/Resource in Domino Directory.

To edit a resource:
1. Open the Resource Reservation database.
2. Click the Resources view to see a list of resources in the database.
3. Open the Resource document that you want to edit and click the Edit Resource
button to go to the edit mode.
Note You must have the [CreateResource] role in the database ACL to edit the
resource.
4. Change any of the modifiable fields, such as the Capacity or the Availability
Settings in the document.
5. Click Save & Close to save the changes. A message box indicating that an
AdminP request has been submitted for the modification of the resource
appears, as shown in Figure 5-14:

Figure 5-14: The Success Message Box


6. Click OK to close the message box.

The request is carried out automatically in a few hours and propagated to other servers when
replication of the Administration requests database and the Domino directory takes place. To force
the request to be carried out immediately, execute the following command at the server console:
TELL ADMINP PROCESS INTERVAL

Holiday Documents
Holiday documents define holidays that can be imported by users into their personal calendars.
The Holiday documents provide a way of centrally defining and controlling the scheduled holidays
in your organization.

The Holiday documents are categorized by a group name. Some of the default holiday groups
available in the Domino directory are Japan, Belgium, Brazil, or France. Each group contains
Holiday documents defining the local holidays for the respective country.

To view the Holiday documents available in the Domino directory:


1. From the Domino Administrator client, select the Configuration tab-> Miscellaneous
section-> Holidays view. The groups of holidays are shown in the Results pane, as
shown in Figure 5-15:

Figure 5-15: The Holidays View with the Groups of Holidays


2. Expand any group. The list of holidays belonging to the group appears, as shown
in Figure 5-16:

Figure 5-16: List of Holidays in a Group

Creating Holiday Documents

You can add more holidays to these existing groups or you can create a new group defining
holidays for your organization.

To create a Holiday document:


1. In the Holidays view, click the Add Holiday Action to create a new holiday. This
opens the Holiday document, as shown in Figure 5-17:

Figure 5-17: A Sample Holiday Document


The Holiday document contains the following fields:
• Group: The group to which the holidays belong.
• Title: The title for the holiday, such as Independence Day.
• Detailed description: A description for the holiday.
• Repeat: Used to define a schedule for a recurring holiday. A
holiday can repeat on a specific day, such as the first Monday of
every month, or a specific date, such as the 20th of every month.
• Repeat Dates: If you specify Custom in the Repeat option,
specify the dates on which the custom holiday falls.
• Start Date: If you specify the Repeat type as anything other than
Custom, specify the date from which you want the holiday
pattern to start.
• Continuing: Choose from For or Until. The For option allows you
to specify the number of years for which the holiday pattern must
repeat. The Until option allows you to define a date until when
the holiday pattern should be repeated.
• Repeat For: This field appears only if you select Continuing as
the For option. Defines the number of years for which the holiday
pattern must be repeated.
• Repeat Until: This field appears only if you select Continuing as
the Until option. Defines the date until when the holiday pattern
must be repeated.
• Repeat Interval: If you select the Repeat type as Monthly by
Date or Monthly by Day, you can select the repeat frequency as
every month, every other month, every 3rd month and so on. For
Monthly by Date, you can select the date of the month on which
you want to define the holiday and for Monthly by Day, you can
select the day of the month on which you want to define the
holiday, such as the 1st Monday or the 2nd Saturday.
• If the date falls on a weekend: If you select the holiday Repeat
option as Yearly or Monthly by Date, this option specifies what
should be done if the holiday falls on a weekend. The choices
are: Don’t Move, Move to Friday, Move to Monday and Move to
Nearest Weekday.
• Mark time as: Select Busy to mark the user as busy in the user’s
personal calendar on the day on which the holiday falls. Free
does not mark the user’s time as busy.
2. Navigate to the Group field and click the entry helper button. This shows the
Select Keywords dialog box, as shown in Figure 5-18:

Figure 5-18: The Select Keywords Dialog Box


The keywords are taken from the Group field of the existing Holiday documents. If you
want to add a holiday to an existing group, you must select from the existing keywords.
To create a new group, specify the group name in the New keyword field.
3. Click OK to close the Select Keywords dialog box.
4. Specify a title for the holiday in the Title field.
5. In the Holiday Information section, specify the dates and repeat frequencies for
the holiday.
6. Click the Save & Close button to save and close the Holiday document.

Importing Holidays into a Personal Calendar

End users can import the holidays defined by the administrator into their personal calendars and
update their calendars to mark the holidays. The holidays are marked as anniversaries in the
calendars.

To import a holiday group into a user’s personal calendar:


1. Start the Lotus Notes client on the computer of the user into whose calendar you
want to import the holidays.
2. Open the user’s calendar and select Tools -> Import Holidays from the Actions
menu or the Action bar.
The Import Holidays dialog box appears, as shown in Figure 5-19:

Figure 5-19: The Import Holidays Dialog Box


3. Select the Holiday group(s) that you want to import and click OK to import the
selected group(s) into the calendar.
4. A message box confirms the number of holidays added, updated, or deleted, as
shown in Figure 5-20:

Figure 5-20: The Message Box Showing the Successful Import of Holidays

The import procedure updates the end user’s calendar with the holidays in the group.

Chapter 6: Configuring Domino Directories
A Domino directory, NAMES.NSF, is a database that describes a Domino domain. All the servers
and users sharing a Domino directory belong to the same Domino domain. A Domino directory
contains all the important configuration documents, such as the Connection, Server, and Person
documents for the domain. The information in the directory helps you to manage the domain. The
Domino directory also contains information required by the users to send mail to each other.

Domino R6 supports a Central Directory architecture in which some servers in the domain host full
Domino directories and the other servers host directories that contain only the configuration
documents.

Organizations often maintain multiple Domino directories to store information about external users
who are not listed in the organization’s Domino directory. The directories that store information
about these users are called secondary Domino directories.

This chapter explains how to manage the Domino directories on various servers in a domain. It
also explains the Central Directory architecture of Domino. In addition, the chapter explains how to
manage multiple Domino directories on a single server and describes the configuration of the
Lightweight Directory Access Protocol (LDAP).

Managing Domino Directories in a Domain


The Domino directory is the main configuration database in a Domino domain. All the servers in
the domain contain a replica of the same Domino directory. The directory profile document in a
Domino directory on a server defines the domain to which the directory belongs. To maintain the
consistency of the Domino directory across servers in a domain, you must schedule the replication
of the Domino directory.
Note To learn more about scheduling replication, see Chapter 7, Managing
Replication.

When you configure the first server in a domain, the Domino directory gets created automatically.
You can also create the directory manually using the Domino Directory template,
PUBNAMES.NTF.

The servers in a domain can contain a central Domino directory or a configuration directory that
contains only the configuration documents. The servers containing the configuration directory
connect to servers that store the complete information in order to handle any user-related queries.
The servers can replicate with each other to switch from one type of directory to another.

To secure the Domino directory you use the Access Control List (ACL). The ACL defines the
access each user has to the directory. The Domino directory in Domino R6 has an additional
security feature, an extended ACL.

Central Domino Directory Architecture

The central Domino directory architecture enables you to configure central directories on some of
the servers in your domain and configure configuration directories on the rest of the servers. The
servers with the configuration directories use a remote Central Directory located on another server
to look up names of users and groups.

A configuration directory contains the documents used to configure the servers, such as the server,
configuration, and connection documents. The configuration directory does not include
documents, such as Person, Group, Mail-in database, Resource, and other custom documents. In
contrast, a central Domino directory is a full directory that contains all types of documents.

The configuration directories are smaller than the central directories because they do not contain
Person- and Group-related information. This saves disk space on the servers and makes access to
directories faster. Because the user and group information is located only on selective servers, you
can better manage and control the users.

You choose whether to set up a Configuration Directory on an additional server when you configure
that server.
Note To learn more about selecting a Configuration Directory at the time of
configuring additional servers, see Chapter 2, Installing and
Configuring Domino Servers.

You can convert a Central Directory to a Configuration Directory and vice versa by selectively
replicating the Central Directory with any other Central Directory in the domain. To convert a
Central Directory to a configuration directory:
1. In the Domino Administrator client, click File -> Open Server to select the server
whose Central Directory you want to convert to configuration directory.
2. Click the Files tab. Select names.nsf from the files displayed in the Results
pane, as shown in Figure 6-1:

Figure 6-1: Selecting the Domino Directory from the Files Tab
3. Select File -> Replication -> Settings menu option. In the Replication Settings for
<database name> dialog box that appears, click the Space Savers tab, as
shown in Figure 6-2:

Figure 6-2: The Space Savers Tab


4. Click Include and, in the drop-down list that appears, select Configuration
Documents only, as shown in Figure 6-3:

Figure 6-3: Including Configuration Documents


5. Click OK.

The selected Central Directory is converted to a configuration directory when you replicate it with
the Domino directory on another server.

To convert a configuration directory to a Central Directory, select All Fields in the Include List in the
Space Savers tab of the Replication Settings. The configuration directory is converted to a Central
directory when it replicates with another central Domino directory.
Note To learn more about replication, see Chapter 7, Managing Replication.

Configuring the Directory Profile


A Domino directory contains a Directory Profile document. This document contains Domino
directory settings, such as the Domain name and the directory catalog name. The Directory Profile
document opens when you open the Domino directory the first time. Figure 6-4 shows the Domino
Directory Profile Document:

Figure 6-4: The Domino Directory Profile Document

The Domino directory profile document contains the following fields:

• Domain defined by this Domino Directory: The name of the Domino domain for
which the directory is configured.
• Condensed server directory catalog for domain: The name of the condensed
server directory catalog configured on the server. The condensed directory catalog
is explained later in the chapter.
• Sort all new groups by default: Allows you to specify whether or not the members
in a new group should be sorted automatically.
• Use more secure Internet Passwords: Allows you to specify whether or not Domino
should strongly encrypt the Internet password field in the Person document.
• Allow the creation of Alternate Language Information documents: Allows you to
specify whether or not Domino should allow the creation of Alternate Language
Information documents in the Domino directory. The Alternate Language
Information documents allow the LDAP clients to search user information in an
alternate language enabled for a user.
• List of administrators who are allowed to create Cross Domain Configuration
documents in the Administration Process requests database: The list of users who
are allowed to create the Cross Domain Configuration document in the
Administration Process (AdminP) requests database, ADMIN4.NSF. Domino allows
AdminP requests, such as requests to change the name of a user or delete a user,
to be propagated to another domain for processing. These Administration Process
requests are called Cross Domain requests and are configured
using the Cross Domain Configuration document in the Administration Process
requests database, ADMIN4.NSF.
• Comments: Any additional comments.
Note To learn more about AdminP, see Chapter 8, Managing Users and Servers
Using the Administration Process.

To configure the Domino directory profile, you can open the Domino directory profile manually.

To open the Domino directory profile document manually:


1. Open the Domino directory database.
2. Select the Edit Directory Profile option from the Actions menu.

Managing Multiple Directories


The Domino directory that a server uses to look up names and other configurations is called the
primary Domino directory. Secondary directories are either replicas of Domino directories in some
other domain or new directories configured on the server for storing certain additional users, such
as the customer information. Domino provides three methods of configuring multiple Domino
directories:
• Cascading Directories
• Directory Assistance
• Directory Catalog

Using Cascading Directories

Cascading Directories enable you to configure multiple Domino directories using the NOTES.INI
file. It is one of the most basic methods of configuring multiple directories on a server. To set up
cascading directories on a server, edit the Server's NOTES.INI file using any text editor and add
the following entry:
NAMES=NAMES, ABOOK2, ABOOK3

In the above syntax, ABOOK2 and ABOOK3 are the names of the secondary directories copied
locally to the server.
Warning Do not include the file extension in a directory name.

If the secondary directory is located on a remote server, add the server name to the directory name
in the following format:
NAMES=NAMES, CN=SERVER2/OU=SALES/O=CAL!!NAMES

In the above syntax, the secondary directory is located on the server with the hierarchical name
server2/sales/CAL.

The server uses the secondary Domino directory to verify the names of recipients in messages
sent by users. This method has certain disadvantages:
• The server searches the directories in the order in which they have been specified
in the NAMES entry. This increases the time taken by the ROUTER to verify a user
to whom a mail is sent. For example, if a user name exists in the directory
specified at the third position in the NOTES.INI, the ROUTER searches the name
in the first and the second directories before searching the third directory.
• The server does not look up other types of configuration documents, such as the
Connection documents in additional directories. They need to be added to the
primary Domino directory.
• The server stops as soon as the first match is found. It does not do an exhaustive
lookup in all directories.
• The maximum allowable characters in NAMES entry in the NOTES.INI is 256.

To set up Cascading Directories, add the NAMES entry to the server’s NOTES.INI and restart the
server.
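
The lookup behaviour described above, as an added example that is not from the book or from Domino itself: it reads the NAMES entry from a constructed NOTES.INI fragment, checks it against the extension and 256-character rules, and models the first-match search to show which duplicate names in later directories are never reached. The directory contents, the function names, and the assumption that the 256-character limit applies to the text after NAMES= are illustrative.

```python
MAX_NAMES_LEN = 256  # limit given on this page; assumed to apply to the text after "NAMES="

# Constructed sample data: a NOTES.INI fragment and the names held in each directory.
SAMPLE_INI = """\
[Notes]
Domain=CAL
NAMES=NAMES, ABOOK2.NSF, CN=SERVER2/OU=SALES/O=CAL!!NAMES
"""
SAMPLE_CONTENTS = {
    "NAMES": {"Ann Lee/CAL", "Raj Patel/CAL"},
    "ABOOK2": {"Raj Patel/CAL", "Mia Chen/Partner"},
    "CN=SERVER2/OU=SALES/O=CAL!!NAMES": {"Mia Chen/Partner", "Tom Ruiz/SALES/CAL"},
}


def read_names_value(ini_text):
    """Return the text after NAMES= in NOTES.INI content, or None if absent."""
    for line in ini_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip().upper() == "NAMES":
            return value.strip()
    return None


def parse_names(value):
    """Split a NAMES value into its search order and a list of findings."""
    findings = []
    if len(value) > MAX_NAMES_LEN:
        findings.append(f"NAMES value is {len(value)} characters; the limit is {MAX_NAMES_LEN}")
    order = []
    for position, raw in enumerate(value.split(","), start=1):
        item = raw.strip()
        if not item:
            findings.append(f"position {position}: empty item")
            continue
        # "server!!directory" names a directory on a remote server.
        server, sep, directory = item.rpartition("!!")
        if sep and not server:
            findings.append(f"position {position}: '!!' without a server name")
        if directory.lower().endswith(".nsf"):
            findings.append(f"position {position}: '{directory}' includes a file extension")
            directory = directory[:-4]
        order.append(f"{server}!!{directory}" if server else directory)
    return order, findings


def resolve(name, order, contents):
    """Model the first-match lookup: (directory that answers, directories searched)."""
    for searched, directory in enumerate(order, start=1):
        if name in contents.get(directory, set()):
            return directory, searched
    return None, len(order)


def shadowed_names(order, contents):
    """Names held by several directories: name -> (directory used, directories ignored)."""
    all_names = set().union(*(contents.get(d, set()) for d in order))
    result = {}
    for name in sorted(all_names):
        holders = [d for d in order if name in contents.get(d, set())]
        if len(holders) > 1:
            result[name] = (holders[0], holders[1:])
    return result


if __name__ == "__main__":
    names_value = read_names_value(SAMPLE_INI)
    search_order, problems = parse_names(names_value)
    print("Search order:", search_order)
    for problem in problems:
        print("Finding:", problem)
    for who in ("Raj Patel/CAL", "Tom Ruiz/SALES/CAL"):
        print(who, "->", resolve(who, search_order, SAMPLE_CONTENTS))
    for who, (used, ignored) in shadowed_names(search_order, SAMPLE_CONTENTS).items():
        print(f"{who}: answered by {used}; never reached in {ignored}")
```

Because the search stops at the first match, an entry in a directory listed earlier takes precedence over an entry with the same name in any directory listed later.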

Using Directory Assistance

The Directory Assistance feature allows a server to look up multiple directories located at multiple
locations. The server can look up these directories for client authentication, mail addressing, and
group lookups.

You configure Directory Assistance using the Directory Assistance database. You need to create
this database on the server using the Directory Assistance (6) template (DA50.NTF).

In the Directory Assistance database, you create Directory Assistance documents for each
secondary directory that you want to set up. This document allows you to specify up to five replicas
for the specified Domino directory. If any directory is unavailable, the server can use any of the
other replicas.

The document also allows you to specify rules for searching a Domino directory, based on the
hierarchical names of the users in the specified directory. This speeds up the searches because a
directory is searched for a name only if the user name matches with the naming rules specified in
the Directory Assistance document for the directory.

For names that qualify for more than one directory, you can specify a directory-wise search order.

To configure Directory Assistance:


1. Create a Directory Assistance database on the server. Specify a meaningful
name and title for the database, select the Directory Assistance (6) template,
DA50.NTF, from the advanced templates on the server, as shown in Figure 6-5:

Figure 6-5: The New Database Dialog Box


2. Open the Directory Assistance database, close the About database document,
and click the Add Directory Assistance Action, as shown in Figure 6-6:

Figure 6-6: The Add Directory Assistance Action


The Directory Assistance document appears, as shown in Figure 6-7:

Figure 6-7: The Directory Assistance Document


This Directory Assistance document contains three tabs:
• Basics: Contains information about the domain for which you are
setting up the Directory Assistance.
• Naming Contexts (Rules): Contains options to specify the rules
based on the hierarchical names of the users. These rules define
the user names that must be looked up in the selected domain’s
Domino directory.
• Replicas: Contains options to specify the locations of the replicas
of the domain’s Domino directory.
The Basics tab of the Directory Assistance document contains the following options:
• Domain type: Allows you to specify the domain type as Notes or
LDAP.
• Domain name: Allows you to specify a name for the Domino
domain for which you are setting up Directory Assistance. You
can specify any unique name if you have created the directory
manually and it does not belong to any domain.
• Company name: Allows you to specify the name of the company
to which the Domino directory belongs.
• Search order: Allows you to specify the order in which Domino
must search this directory, with respect to the other directories
configured in the Directory Assistance database.
• Make this domain available to: Allows you to specify the type of
clients who can access the directories defined for the domain.
Select Notes client & Internet Authentication/Authorization to
make this directory available to Notes clients and Internet clients,
such as POP3, HTTP, IMAP, and LDAP. Select LDAP clients to
make this directory available to LDAP servers.
• Group Authorization: Allows you to specify whether or not
Domino should use Directory Assistance to verify Web user
membership in a group that resides in this directory. Domino
needs to do this verification for access control.
• Enabled: Allows you to specify whether or not to enable the
Directory Assistance document.
3. Select the Domain type as Notes and specify the domain name for the
secondary Domino directory. Select other options and click the Naming Contexts
(Rules) tab. Figure 6-8 shows the Naming Contexts (Rules) tab:

Figure 6-8: The Naming Contexts (Rules) Tab of the Directory Assistance Document
You can specify up to five naming rules. Each naming rule can contain up to six
components. Four components represent four organization units, one component is the
organization name, and one is the country code. An asterisk for any component
includes all entries for that level and a blank excludes all entries at the level. For
example, CAL at the organization level and asterisk at all other levels includes all users
having CAL as the organization in their hierarchical name and any component at the
other levels.
4. Specify one or more naming rules for the selected Domino directory. If you want
the server to authenticate Internet users, you must configure at least one naming
rule with the option Trusted for Credentials selected as Yes.
5. Click the Replicas tab to specify the location of the Domino directory for the
domain. You use the Replicas tab to specify up to five replicas located at various
servers as a fail-over for the selected Domino directory. If one of the replicas is
unavailable, the server using directory assistance can look up another replica.
Figure 6-9 shows the Replicas tab of the Directory Assistance document:

Figure 6-9: The Replicas Tab of the Directory Assistance Document


6. Specify the name of the server on which the directory is located and the
filename of the directory and select Yes in the Enabled field. Specify more
replicas similarly.
Note You can also paste the database links of the directory in the Database links field.
7. Click Save & Close to save and close the Directory Assistance document.
8. Close the Directory Assistance database.
9. Replicate the Directory Assistance database to all the servers where you want to
configure Directory Assistance.
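
The naming rules from steps 3 and 4, as an added example that is not from the book or from Domino itself: it models the six-component rules (asterisk includes every entry at a level, blank excludes entries at that level), lists the directories a name qualifies for in search order, and reports which of them are trusted for credentials. The classes, the constructed sample documents, the right-alignment of organizational units (the unit nearest the organization treated as the first) and the ordering by search order alone are assumptions of this simplified model.

```python
from dataclasses import dataclass

LEVELS = ("OU4", "OU3", "OU2", "OU1", "O", "C")  # six components per rule, as on this page
MAX_RULES = 5                                    # naming rules per Directory Assistance document


@dataclass
class Rule:
    parts: tuple   # six strings: "*", "" (blank) or a literal value
    trusted: bool  # the "Trusted for Credentials" option


@dataclass
class DirectoryEntry:  # hypothetical stand-in for one Directory Assistance document
    domain: str
    search_order: int
    rules: list


def split_name(canonical):
    """'CN=Jo/OU=East/OU=Sales/O=CAL/C=US' -> dict keyed by LEVELS ('' when absent)."""
    ous, org, country = [], "", ""
    for part in canonical.split("/"):
        label, _, value = part.partition("=")
        label = label.strip().upper()
        if label == "OU":
            ous.append(value.strip())
        elif label == "O":
            org = value.strip()
        elif label == "C":
            country = value.strip()
    if len(ous) > 4:
        raise ValueError("a rule has only four organizational unit components")
    # Assumption: the unit written nearest the organization is OU1.
    padded = [""] * (4 - len(ous)) + ous
    return dict(zip(LEVELS, padded + [org, country]))


def rule_matches(rule, name_parts):
    """'*' accepts anything; blank accepts only an absent component; literals must be equal."""
    for level, pattern in zip(LEVELS, rule.parts):
        if pattern != "*" and pattern.lower() != name_parts[level].lower():
            return False
    return True


def lookup_plan(name, entries):
    """Directories the name qualifies for, in search order, each with its trust flag."""
    parts = split_name(name)
    plan = []
    for entry in sorted(entries, key=lambda e: e.search_order):
        matched = [r for r in entry.rules if rule_matches(r, parts)]
        if matched:
            plan.append((entry.domain, any(r.trusted for r in matched)))
    return plan


def audit(entries):
    """Flag documents that break the page's limits or trust every name for credentials."""
    findings = []
    for entry in entries:
        if len(entry.rules) > MAX_RULES:
            findings.append(f"{entry.domain}: more than {MAX_RULES} naming rules")
        for rule in entry.rules:
            if len(rule.parts) != len(LEVELS):
                findings.append(f"{entry.domain}: rule does not have six components")
            elif rule.trusted and all(p == "*" for p in rule.parts):
                findings.append(f"{entry.domain}: all-asterisk rule is trusted for credentials")
    return findings


# Constructed sample documents; the domain names are illustrative.
ENTRIES = [
    DirectoryEntry("PARTNERS", 3, [Rule(("*", "*", "*", "*", "*", "*"), True)]),
    DirectoryEntry("CAL", 1, [Rule(("*", "*", "*", "*", "CAL", "*"), True)]),
    DirectoryEntry("CONTRACTORS", 2, [Rule(("", "", "", "Temp", "*", ""), False)]),
]

if __name__ == "__main__":
    for who in ("CN=Jo Kim/OU=East/OU=Sales/O=CAL/C=US", "CN=Pat Ng/OU=Temp/O=Agency"):
        print(who, "->", lookup_plan(who, ENTRIES))
    for finding in audit(ENTRIES):
        print("Finding:", finding)
```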

To update the Directory Assistance information on the server:


1. Open the Domino directory on the Administration server.
2. Navigate to the Servers view and select the server documents for all the servers
on which Directory Assistance needs to be enabled.
3. Select Actions -> Set Directory Assistance Information. The Directory Assistance
Information dialog box appears, as shown in Figure 6-10:

Figure 6-10: The Directory Assistance Information Dialog Box


4. Specify the name of the Directory Assistance database and click OK.
An Administration Process Request Set Directory Assistance field is submitted. This
request updates the Directory Assistance database name field on the Basics tab of the
server document.
The request is completed after a few minutes and the server document is updated with
the Directory Assistance database name. You can issue the following command on the
server console to execute the request immediately:
TELL ADMINP PROCESS INTERVAL
5. Replicate the Domino directory to all other servers to update the Directory
Assistance information.
6. Restart the servers to enable Directory Assistance.

Using Directory Catalog

A directory catalog is an optional database that you can configure on a Domino server to allow the
clients and servers to look up information about people, groups, mail-in databases, and resources
in multiple directories. The directory catalog contains multiple directory information aggregated into
a single database. It contains only the documents required for name lookups and excludes the
server configuration documents. This leads to an extremely small size of the catalog database and
helps deploy information from multiple Domino directories locally on Lotus Notes clients.

There are two types of Directory catalogs:


• Condensed: Mainly used by Lotus Notes clients because the catalogs are small.
This type of catalog is based on the DIRCAT5.NTF template that contains very few
sorted views compared to the Domino directory. The DIRCAT5.NTF template
contains a unique design that can combine multiple entries from the Domino
directory into single documents. As a result, the catalogs are much smaller,
which makes them ideal for mobile clients.
• Extended: Combines entries from multiple Domino directories into a single
directory database but retains the individual documents and the multiple, sorted
views available in the Domino directory to facilitate quick name lookups. The
extended directory catalog uses the Domino Directory template, PUBNAMES.NTF.

Creating a Condensed Directory Catalog


You create a condensed directory catalog database using the DIRCAT5.NTF template. The
database contains a Configuration document that you use to specify the configuration settings for
the condensed directory catalog. After creating the configuration document, you use the DIRCAT
task to populate the directory catalog with the contents of the various directories included in the
catalog.

To configure a condensed directory catalog:


1. To create a new database, select File -> Database -> New. The New
Database dialog box appears, as shown in Figure 6-11:

Figure 6-11: The New Database Dialog Box


The New Database dialog box contains the following fields:
• Server: Allows you to specify the name of the server on which
you want to set up the directory catalog.
• Title: Allows you to specify any title for the directory catalog
database. For example, Directory Catalog.
• File name: Allows you to specify any filename. For example,
dircat.nsf.
• Template Server: Allows you to specify the server from which
you want to select the template. Select the option, Show
advanced templates, to view advanced templates on the
server.
• Template Name: Allows you to specify the name of the
template for creating the Directory catalog. Select Directory
Catalog (DIRCAT5.NTF).
2. Open the database and select Create -> Configuration from the menu. This
opens the Directory Catalog Configuration document, as shown in Figure 6-12:

Figure 6-12: The Directory Catalog Configuration Document


The Directory Catalog Configuration document contains two tabs, Basics and
Advanced.
The Basics tab contains the following fields:
• Directories to include: Allows you to specify the filenames of
the directories that you want to include in the directory
catalog.
• Additional fields to include: Allows you to specify the fields
other than the default list that must be included in the catalog
documents.
• Sort by: Allows you to specify the order in which the entries
from the directory catalog are shown in the Address dialog.
You can choose to sort the entries by Distinguished Name,
Last Name, or Alternate Fullname. The type ahead for
addresses in the catalog also works on the basis of the option
selected here.
• Use Soundex: Allows you to specify whether or not users can
search names on the basis of phonetics.
• Remove duplicate users: Allows you to specify whether the
catalog should include all entries in the Domino directories or
only the first entry if multiple users with same name are found.
• Group Types: Allows you to select the type of groups that you
want to include in the directory catalog. The options are Mail
and Multi-purpose, Mail only, All, All in First Directory only, and
None.
• Include Mail-in Databases: Allows you to specify whether or
not the directory catalog should include the Mail-in database
documents.
• Restrict aggregation to this server: Allows you to specify the
name of the server that can run the DIRCAT task to build and
update the directory catalog. Running the task on any other
replica will return an error.
• Send Directory Catalog reports to: Allows you to specify the
name of the person to whom the Directory Catalog Status
Report Agent mails the directory catalog report.
• Comments: Any additional comments.
3. Fill in the fields on the Basics tab and select the Advanced tab.
The Advanced tab of the Catalog Configuration Document contains the following fields:
• Version: The version of the Directory Catalog template. This is
automatically computed.
• Selection Formula: An optional formula to select the
documents in the Directory Catalog.
• Total number of people/group/mail-in databases and
resources: A computed value that shows the total number of
entries in the directory catalog.
• Packing density: Allows you to specify the number of entries to
be combined in each aggregated document. The default value
is 255. Decreasing this value increases the performance of
searches but increases the size of the catalog.
• Incremental fields: Allows you to store the changes in
temporary fields before writing to the permanent fields in the
aggregated documents. Select Yes to store the changes in
temporary fields and No to write the changes directly to the
permanent fields.
• Merge factor: Allows you to specify a value that represents the
percentage of total entries that must change before the
changes in the temporary fields are moved into the permanent
fields in the aggregated documents.
• Replication history: Shows the last time the directory catalog
was updated from the directories included. Click the Clear
History button to force the aggregator to re-aggregate
documents from all the directories.
4. Fill in the fields. Next, save and close the configuration document.
5. To populate the condensed directory catalog, run the following command on
the server console:
LOAD DIRCAT <CATALOG DATABASE NAME>
6. Open the directory catalog database. The Users view shows the person,
group, mail-in database, and resource documents from all the directories
included in the catalog.

Deploying the Condensed Directory Catalog


You can deploy the condensed directory catalog either on the server or on the clients. The
condensed directory catalog deployed on the client is called a mobile catalog.

To deploy the directory catalog on the server, you can choose one of the following options:
• In the Condensed server directory catalog for the domain field in the Domino
directory profile, specify the name of the directory catalog database.
• In the server document of the server on which you want to set up directory
catalog, specify the name of the directory catalog database in the field labeled
Name of condensed directory catalog on this server.

You must restart the server after updating these fields.

To deploy the directory catalog on the clients, you can use one of the following methods:
• Create a Setup Policy Settings document: In the Mobile directory catalogs field
on the Databases tab, paste a link to the directory catalog database. The
condensed directory catalog gets replicated to the local client computer when
the user to whom the Policy has been assigned is set up.
• Create a Desktop Policy Settings document: In the Mobile directory catalogs
field on the Databases tab, paste a link to the directory catalog database. The
condensed directory catalog gets replicated to the local client computer when
the user authenticates with the user’s home server.

Creating an Extended Directory Catalog
An extended directory catalog is based on the Domino Directory template. You can configure a
new database to set up the extended directory catalog. You can also merge the extended directory
catalog with the primary Domino directory. This allows the users and servers to use a single
integrated corporate directory for all lookups.

If you have set up the extended directory catalog in the primary Domino directory, the catalog is
directly accessible. To set up the Domino server to use the extended directory catalog created as a
different database, you must add a directory assistance document for the extended directory
catalog to the Directory Assistance database on the server.

To configure an extended directory catalog on the server by creating a new database:


1. To create a new database, click File -> Database -> New. Figure 6-13 shows
the New Database dialog box:

Figure 6-13: The New Database Dialog Box


2. Open the database and select Create -> Extended Directory Catalog from the
menu. This opens the Extended Directory Catalog document, as shown in
Figure 6-14:

Figure 6-14: The Extended Directory Catalog Document


Note To merge the extended directory catalog with the primary Domino directory,
create the Extended Directory Catalog document in the Domino directory itself.
The Basics tab of the Extended Directory Catalog document contains the following
options:
• Directories to include: Allows you to specify the filenames of
the directories that you want to include in the directory
catalog.
• Additional fields to include: Allows you to specify the fields
other than the default list that must be included in the catalog
documents.
• Remove duplicate users: Allows you to specify how Domino
should handle duplicate entries for user names. Select Yes to
include only the first entry if multiple users with same name
are found in the Domino directories. Select No to include all
the entries. The user is prompted to select the entry when
multiple matches are found.
• Group Types: Allows you to select the type of groups that you
want to include in the catalog. The options are Mail and Multi-
purpose, All, All in First Directory only, and None.
• Include Mail-in Databases: Allows you to include the Mail-in
database documents in the directory catalog. Select Yes to
include the documents and No to exclude.
• Include Servers: Allows you to include server documents in
the directory catalog. Select Yes to include and No to exclude
the server documents.
• Restrict aggregation to this server: Allows you to specify the
name of the server that can run the DIRCAT task to build and
update the directory catalog. Running the task on any other
replica will return an error.
• Send Aggregation reports to: Allows you to specify the name
of the person or group to whom the Directory Catalog Status
Report Agent mails the aggregation report.
3. Fill in the fields on the Basics tab and select the Advanced tab, as shown in
Figure 6-15:

Figure 6-15: The Advanced Tab of the Extended Directory Catalog Document
The Advanced tab of the Extended Directory Catalog Document contains the following
options:
• Version: The version of the Directory Catalog template.
Domino calculates this on its own.
• Selection Formula: Allows you to specify a formula to select
the documents in the Directory Catalog. This field is optional.
• Replication history: Shows the last time the directory catalog
was updated from the directories included. Click the Clear
History button to force the aggregator to re-aggregate
documents from all the directories.
4. Fill in the fields and click Save & Close to save the configuration document.
5. To populate the extended directory catalog, run the following command on the
server console:
LOAD DIRCAT <CATALOG DATABASE NAME>

Open the extended directory catalog database. The various views show the documents populated
from the Domino directories included in the catalog. Optionally, replicate the extended directory
catalog database to other servers.
Note If you have set up the extended directory catalog in the primary Domino
directory, you can separate the extended directory catalog from the primary
Domino directory at a later stage, without affecting the original documents in
the directory. To separate the extended directory catalog from the Domino
directory, you must delete the Extended Directory Catalog document from
the primary Domino directory and run the directory cataloger on the
database with the –r option.

Configuring LDAP on Domino


LDAP is a TCP/IP based protocol that provides a common means of access to
directories in heterogeneous environments, such as the Internet, for clients, applications,
and servers.

When you run the LDAP task on the server, the Domino server becomes an LDAP server
and the Domino directory becomes accessible to non-Notes clients. The LDAP task runs
automatically on the administration server for the Domino directory. For other servers,
you can manually load the LDAP task or add it to the NOTES.INI ServerTasks = entry for
automatic startup.

The Domino LDAP server:

• Supports LDAP v3 and v2 clients.
• Allows LDAP operations to be performed on the secondary Domino Directories and
Directory catalogs in addition to the primary Domino directories.
• Refers LDAP clients to remote LDAP directories if processing is unsuccessful in
any Domino directory or directory catalog.
• Supports LDAP search, add, modify, modifyDN, compare, and delete operations.
• Supports LDAP searches in alternate languages.
• Supports LDAP searches of document text in databases configured in a Domain
Catalog.
• Allows anonymous access, name-and-password authentication, Secure Sockets
Layer (SSL) connections and X.509 certificate authentication, and the Simple
Authentication and Security Layer (SASL) protocol.

When the LDAP task starts, it runs with certain default settings. You can modify these
default settings using the Configuration Settings document.

To configure LDAP on the server:


1. In the Domino Administrator client, select Configuration tab -> Server section ->
Configurations view, as shown in Figure 6-16:

Figure 6-16: The Configurations View


2. Click the Add Configuration action to create a new Configuration Settings
document. This opens the Configuration Settings document, as shown in
Figure 6-17:

Figure 6-17: The Basics Tab of the Configuration Settings Document


3. On the Basics tab, select the Use these settings as default settings for all
servers option. This adds the LDAP tab after the Basics tab.
Note If a default Configuration Settings document already exists, you can edit the
same document instead of creating a new one.
4. Click the LDAP tab, as shown in Figure 6-18:

Figure 6-18: The LDAP Tab of the Configuration Settings Document


The LDAP tab of the Configuration Settings document contains the following
options:
• Choose fields that anonymous users can query via LDAP:
Allows you to select the fields from the Domino directory
documents that an anonymous user can access using an
LDAP client.
• Allow LDAP users write access: Allows you to specify whether
or not Domino should allow the LDAP clients to modify the
Domino Directory documents. The default value is No.
• Timeout: Allows you to specify the maximum number of
seconds, after which an LDAP query is timed out. The default
value is 0, which means that there is no limit.
• Maximum number of entries returned: Allows you to specify
the maximum number of entries that an LDAP search can
return. The default value is 0, which means that there is no
limit.
• Minimum characters for wild card search: Allows you to
specify the minimum number of characters that the user must
specify before the first wild card character in an LDAP query.
• Allow Alternate Language Information processing: Allows you
to specify whether or not the LDAP clients can query on the
basis of alternate language information.
• Rules to follow when this directory is the primary directory and
there are multiple matches on the distinguished name being
compared/modified?: Allows you to specify what must be done
when a duplicate distinguished name is found during any
LDAP query. You can select the options, Don’t modify any,
Modify first match, or Modify all matches.
• Automatically Full Text Index Domino Directory: Allows you to
specify whether or not Domino should create full text indexes
for all Domino directories served by LDAP, when LDAP is
started. This speeds up the LDAP queries.
• Enforce schema?: Allows you to specify whether or not the
LDAP task should reject write operations and return error
messages for operations that do not follow the schema rules.
A schema is a set of rules that define what can be stored in an
entry in the LDAP directory.
• Maximum number of referrals: Allows you to specify the
maximum number of URL referrals to other LDAP servers that
can be returned in response to any LDAP query. The default
value is 1.
• Activity Logging truncation size: Allows you to specify the
maximum length in bytes of an attribute’s value that can be
logged by the Activity Logging feature. An attribute is any
information about an entry that the directory contains. This
option applies only if you have enabled activity logging for
LDAP.
Note The Domino LDAP schema is stored in the LDAP Schema database
SCHEMA.NSF that is created on any server running the LDAP task.
5. Click the Save & Close action to save and close the document.

You can now set up any Internet client, such as Microsoft Outlook Express, to access the
Domino directory. The information that will be required during the configuration of the
LDAP client is the Host name of the Domino LDAP server. In addition, if the server does
not allow anonymous queries, the Name and Password will also be required for you to
log on to the Domino server.
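
To confirm what the anonymous field list actually exposes, run a search from an LDAP client without a name and password, save the result as LDIF, and compare the returned attributes with the fields you selected. The following Python code is an added example, not code from the book or from Domino; the allowlist, the sample LDIF and the function names are assumptions constructed for illustration.

```python
import base64

# Fields the administrator meant to expose to anonymous LDAP users.
# Assumed allowlist for this example; substitute the fields selected on the LDAP tab.
APPROVED_ANONYMOUS_ATTRS = {"cn", "sn", "givenname", "mail", "objectclass"}

# Constructed sample: LDIF saved from a search made without a name and password.
SAMPLE_LDIF = """\
version: 1

dn: CN=Alice Rogers,O=Example
objectclass: inetOrgPerson
cn: Alice Rogers
mail: arogers@example.com
telephonenumber: +1 555 0100

dn: CN=Bob Stone,O=Example
cn: Bob Stone
mail: bstone@example.com
description:: SW50ZXJuYWwgYXVkaXQgdGVhbQ==
postaladdress: 12 Long Street, Building 4,
  Springfield
"""


def parse_ldif(text):
    """Parse LDIF text into a list of (dn, {attribute: [values]}) tuples."""
    # Unfold first: a line that starts with one space continues the previous line.
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines and lines[-1]:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)

    entries, dn, attrs = [], None, {}
    for line in lines + [""]:              # the trailing "" flushes the last entry
        if not line.strip():               # a blank line ends the current entry
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
            continue
        if line.startswith("#"):           # LDIF comment
            continue
        name, sep, rest = line.partition(":")
        if not sep:
            continue                       # not an "attribute: value" line
        if rest.startswith(":"):           # "attribute:: <base64 value>"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        name = name.strip().lower()
        if name == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    return entries


def audit_anonymous_exposure(ldif_text, approved=APPROVED_ANONYMOUS_ATTRS):
    """Return {dn: sorted attributes that were returned but are not approved}."""
    approved = {a.lower() for a in approved}
    findings = {}
    for dn, attrs in parse_ldif(ldif_text):
        extra = sorted(set(attrs) - approved)
        if extra:
            findings[dn] = extra
    return findings


if __name__ == "__main__":
    for dn, extra in audit_anonymous_exposure(SAMPLE_LDIF).items():
        print(f"{dn}: unexpected anonymous attributes {extra}")
```

Any attribute the audit reports is a field to remove from the anonymous list on the LDAP tab, or a reason to disallow anonymous queries altogether.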

Chapter 7: Managing Replication


Replication is the process of synchronizing databases to maintain consistency. Domino servers
contain many system databases, such as the Domino Directory, which must contain similar
information on all the servers in the domain. Replication synchronizes the information in these
databases. In addition to the system databases, a server may also contain certain customized
application databases deployed on multiple servers located at distant geographical locations.

You must replicate the databases at regular intervals to ensure that the information in these
databases stays synchronized. Each copy of a database that you synchronize with the original database
is called a replica. The various replicas of a database share a unique ID called the ReplicaID that
distinguishes a replica from a new copy of the database. When you create a copy of a database
using the New copy option from the menu, the database has a different ReplicaID from the original
database.

You can deploy large or heavily used databases locally at different geographical locations by
creating a replica of a database. By doing this, you can ensure that the users always have fast
access to the database. When the users add, delete, or modify the content of the database, the
databases are replicated to synchronize these changes.

This chapter explains the process of server-to-server replication. It also describes the types and
methods of replication. In addition, it explains how to schedule and troubleshoot replication.

Understanding Server-to-Server Replication


Server-to-server replication occurs when one Domino server calls another Domino server to
synchronize all its databases or a specific database. Replication is an ongoing process on the
Domino servers because all the servers in a domain need to synchronize databases, such as the
Domino directory or the administration Requests database.

The server carries out the replication using a task called REPLICATOR. The REPLICATOR task
runs by default on every server. For servers with a heavy replication load, you can load multiple
replicators by issuing the server console command:
LOAD REPLICATOR

To load multiple replicators, you can also add the following entry in the NOTES.INI file:
REPLICATORS= <n>

In the above NOTES.INI entry, n represents the number of replicators to be loaded.

To replicate databases:
1. The initiating and the target servers first authenticate with each other by finding a
common certificate and testing the validity of the certificates.
Note To learn more about the process of authentication, see Chapter 10, Domino
Security.
2. If the servers successfully authenticate with each other, the REPLICATOR task on
the initiating server constructs a list of local databases to replicate, called the
replica ID cache. The REPLICATOR of the initiating server compares its replica ID
cache with the replica ID cache on the target server to find a match.
You can view the ReplicaID of a database on the Info tab of the Database dialog box, as
shown in Figure 7-1:

Figure 7-1: The Info Tab of the Database Dialog Box


3. When the REPLICATOR finds a match on the target server, it checks the
replication history of the local database to find the last time the replicas were
replicated. The replication history of a database typically contains one entry for
sending the changes to the target server and another entry for receiving the
changes from the target server. The REPLICATOR searches the source replica for
the changes that have occurred since the last replication.
Note If there is no entry in the replication history, if access rights have changed, or if
the selective replication settings have changed, the REPLICATOR has to search
all documents in the source database, not only those that have changed since
the last replication.
4. The REPLICATOR constructs a list of the documents, the design elements, and
the Access Control List (ACL) changes in the source database since the last
successful replication. While constructing the list, the REPLICATOR also considers
the replication settings of the databases.
5. If the data in the source database has not changed since the last successful
replication to the destination database, no replications take place. If the data has
changed, replication occurs between the source and the destination databases.
6. The REPLICATOR task updates the replication history of both the source and
destination databases only if any replication has taken place. If replication is not
successful, the REPLICATOR does not update the replication history and the next
replication searches the same databases again.

Types of Replications
A server-to-server replication may take place in one direction, where the calling server sends the
changes in its replica to the replica on the target server. The calling server may also initiate
replication to receive the changes from the target server’s replica. The replication may also be
bidirectional, where both the calling and the target server exchange the changes in their replicas.
Further, the replication process may involve the REPLICATOR task of one of the servers or the
REPLICATOR task on both the calling and the target servers.

Based on these factors, the replication process can be of four types:

• PULL only: The calling server pulls the changes from the replica on the target server.
This is a one-way replication where only the REPLICATOR task on the calling server
is involved.
• PUSH only: The calling server pushes the changes to the replica on the target server.
This is also a one-way replication where only the REPLICATOR task on the calling
server is involved.
• PULL PUSH: The calling server pulls the changes from the replica on the target server.
Then, the calling server pushes the changes to the replica on the target server. This
is a two-way replication where only the REPLICATOR task of the calling server is
involved.
• PULL PULL: The calling server pulls the changes from the replica on the target server.
Then, the target server pulls the changes from the replica on the calling server. This
is a two-way replication where the REPLICATOR task of the calling server functions
first. The control then passes to the REPLICATOR task on the target server for further
replication.
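
The following Python model walks through steps 2 to 6 of the replication process and the replication types listed above. It is an added, simplified illustration and not Domino's own code; the Replica class, the integer clock, the ReplicaID values and the function names are assumptions.

```python
class Replica:
    """One replica of a database on one server (simplified model)."""

    def __init__(self, server, replica_id):
        self.server = server
        self.replica_id = replica_id
        self.docs = {}      # doc_id -> (modified_time, content)
        self.history = {}   # (peer, "send" | "receive") -> time of last success

    def save(self, doc_id, content, now):
        self.docs[doc_id] = (now, content)


def transfer(source, dest, now, link_ok=True):
    """Move changes from source to dest. Returns (docs_searched, docs_copied)."""
    if source.replica_id != dest.replica_id:
        return (0, 0)                       # step 2: ReplicaIDs do not match
    # Step 3: the replication history decides how far back to search.
    since = dest.history.get((source.server, "receive"))
    # With no history entry, every document in the source must be searched.
    changed = {d: v for d, v in source.docs.items()
               if since is None or v[0] > since}
    if not link_ok:
        return (len(changed), 0)            # step 6: a failure leaves history alone
    copied = 0
    for doc_id, (mtime, content) in changed.items():
        if doc_id not in dest.docs or dest.docs[doc_id][0] < mtime:
            dest.docs[doc_id] = (mtime, content)
            copied += 1
    if copied:                              # step 6: record only real replication
        dest.history[(source.server, "receive")] = now
        source.history[(dest.server, "send")] = now
    return (len(changed), copied)


def replicate(caller, target, kind, now):
    """Run one replication of the given type, started by the calling server."""
    if kind not in ("PULL", "PUSH", "PULL PUSH", "PULL PULL"):
        raise ValueError(f"unknown replication type: {kind}")
    result = {}
    if kind != "PUSH":
        result["pulled"] = transfer(target, caller, now)
    if kind != "PULL":
        # PULL PULL moves the same data as PULL PUSH; per the text, the only
        # difference is that the target's REPLICATOR performs this half.
        result["pushed"] = transfer(caller, target, now)
    return result


def demo():
    rid = "85256C4A:0012AB34"               # constructed ReplicaID shared by a and b
    a, b = Replica("Server1", rid), Replica("Server2", rid)
    a.save("doc1", "v1", now=1)
    a.save("doc2", "v1", now=2)
    out = {}
    out["first_pull"] = replicate(b, a, "PULL", now=10)     # no history: full search
    a.save("doc2", "v2", now=11)
    b.save("doc3", "v1", now=12)
    out["pull_push"] = replicate(b, a, "PULL PUSH", now=20)
    out["no_changes"] = replicate(b, a, "PULL PUSH", now=30)
    a.save("doc4", "v1", now=31)
    out["failed"] = transfer(a, b, now=40, link_ok=False)
    out["retry"] = transfer(a, b, now=50)   # searches the same change again
    b.history.clear()                       # empty history forces a full search
    out["after_clear"] = transfer(a, b, now=60)
    new_copy = Replica("Server3", "85256C4A:00FFEE11")      # different ReplicaID
    out["new_copy"] = transfer(a, new_copy, now=70)
    out["in_sync"] = a.docs == b.docs
    return out


if __name__ == "__main__":
    for step, result in demo().items():
        print(step, result)
```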

Methods of Creating New Replicas


To set up replication of a database between two servers, you must first create a new replica on the
destination server. You can create a new replica manually or by using the Administration Process
(AdminP) task.

When you create a new replica manually, the creation takes place in the foreground and you need
to wait until the replica is completed to do any other activity. When you use the AdminP task to
create a replica, the creation takes place in the background. AdminP enables you to create replicas
of multiple databases on multiple servers in a single action.

Creating a New Replica Manually

You can manually create the replica of a database by using the New Replica menu option.
To create a replica on a destination server, you must have a Create Replica access on the
destination server. You must also have at least a Reader access in the source database ACL.
Note To learn more about granting access on the server, see Chapter 10, Domino
Security.

To create a new replica manually:


1. Select the Files tab in the Domino Administrator client.
2. In the Results pane, select the database for which you want to create a new
replica, as shown in Figure 7-2:

Figure 7-2: Databases in the Files Tab


3. Open the selected database and select the File-> Replication-> New Replica
menu option. The Create Replica For Database IT Services dialog box appears,
as shown in Figure 7-3:

Figure 7-3: The Create Replica For Database IT Services Dialog Box
4. Select the name of the destination server in the Server field and specify the path
and name of the destination database in the File path field.
Note You can either specify the full path starting from the drive or specify a path
relative to the data folder on the server. For example, to create a replica in the
applications folder on the server, specify the file path as applications\IT
Services.nsf.
5. Click Replica Settings to view more options related to the replication, as shown
in Figure 7-4:

Figure 7-4: Replica Settings in the Create Replica For Database IT Services Dialog Box
The options available in Replica Settings are:
• Encrypt the replica using: Encrypts the destination replica for a
user or a server.
• Create full text index for searching: Creates a full text index for
the destination replica to enhance searching.
• Copy Access Control List: Copies the ACL of the source
database to the destination replica.
• Create Immediately: Forces the replication of the databases to
happen immediately. If you clear this option, replication takes
place at the next schedule.
• More Settings: Shows the replication settings for the replica
database.
6. Click OK to close the dialog box and create a replica of the database.

Creating a Replica Using AdminP

The AdminP task enables you to automatically create replicas of multiple databases on multiple
servers using a single request. In this process, the user generates a request for creation of the
replicas. The replica creation happens in the background. You can even create replicas on servers
in a different Domino domain.

To create a replica of a database on a server using the AdminP task, the source and the
destination servers have the following access requirements:
• The source server must have Create Replica access in the server documents of all
the destination servers. The server name must be explicitly listed in the Create
Replica access field of the server document. The AdminP request to create a new
replica on the destination server fails if you have used a wild card (*).
• The destination servers and the user creating the replica must have at least a
Reader access in the ACLs of the source databases.

Ensure that both the source and the destination servers are running the AdminP task. In
addition, ensure that you have created Connection documents for replication between the source
and the destination servers. You create Connection documents to schedule server-to-server
replication.

To create a new replica using the AdminP task:


1. Select the Files tab in the Domino Administrator client.
2. In the Results pane, select the databases that you want to replicate, as shown in
Figure 7-5:

Figure 7-5: Selecting Databases in the Files Tab


Tip You can select multiple databases by pressing the CTRL key and clicking the
databases. For a continuous selection of databases, you can press the SHIFT key
and click the first and the last database in the selection.
3. In the Tools pane, select Database-> Create Replica(s), as shown in Figure 7-6:

Figure 7-6: The Files Tab Showing the Create Replica(s) Tool
Tip You can drag the selected databases to the Create Replica(s) tool.
The Create Replica dialog box appears, as shown in Figure 7-7:

Figure 7-7: The Create Replica Dialog Box


Note You can also activate the Create Replica dialog box by dragging the selected
databases and dropping them over the destination server in the Servers pane.
4. Click the Add button to add the names of the servers on which you want to
create the replicas.
5. The Destination database and server list in the dialog box shows one entry for
every database on every server selected. Click any entry in the list to change the
destination file name in the Destination file path field.
6. Clear the Copy Access Control List check box if you do not want to copy the ACL
of the source database to the destination database.
7. Select the Create full text index for searching check box to create a full text
index in the new replica.
8. Click OK to close the dialog box.

Domino creates a Check Access for New Replica Creation administration request to check the
replica creation access of the initiating server on the destination server and executes the request
immediately. If this request is successful, Domino creates a Create Replica request and executes it
to create a replica of the databases on the destination servers. This replica is empty and Domino
populates the replica during the next scheduled replication.

Methods of Replication
After you have created the replica of a database on a server, you can replicate the database between
the source and the target servers according to your requirements. For some databases, you might want a
one-time replica and may not want to synchronize them. For example, you may create a replica to back
up a database. You would want to use the replica only if the server database is corrupted. For the
rest of the databases, replication can be an ongoing process. This ensures that the replicas are
always synchronized.

You can replicate the databases manually using the menu option in the Lotus Notes client or by
issuing commands in the server console. You can also automate replication of databases by
scheduling replication using the Connection documents.

Using the Menu Option

Using the File-> Replication-> Replicate menu option, you can replicate a database with another
replica residing on another server or the local server.

To replicate a database using the Replicate menu option:


1. In the Domino Administrator client, select the Files tab.
2. Select the database that you want to replicate and double-click to open it.
3. From the File menu, select Replication-> Replicate.
The Replicate IT Services dialog box appears, as shown in Figure 7-8:

Figure 7-8: The Replicate IT Services Dialog Box


4. If you select the Replicate via background Replicator option, the replication
happens in the background with the options set in the Replicator page. To
change the server and the type of replication, select Replicate with options and
click OK. The options appear in the Replicate IT Services dialog box, as shown
in Figure 7-9:

Figure 7-9: The Replicate IT Services Dialog Box


5. In the with field, select the name of the destination server. To push the changes
from the source database to the destination database, select the Send
documents to server check box. To pull the changes from the destination
database to the source database, select Receive documents from server.
Depending on the type of replication that you require, you can select one or both
check boxes.
6. Click OK to replicate the databases.
Note In this method, the replication happens in the foreground and you need to
wait until the replication is over to perform any other action.

Using the Domino Console Commands

You can also use Domino Console commands to perform replication of databases. There are three
commands that you can use to replicate databases between two servers. One of these commands
is:
PULL <Server> [<Database>]

Server is the name of the destination server and database is the name of the database on the
source server that you want to replicate. You can omit the database, in which case the source
server replicates all the databases that have a replica on the destination server.

This command receives the changes in the replica of the database on the destination server and
updates them into the replica on the source server.

Another command to replicate databases between two servers is:


PUSH <Server> [<Database>]

The above command sends the changes in the replica on the source server and updates them into
the replica on the destination server.

In addition, use the following command to replicate databases between two servers:
REPLICATE <Server> [<Database>]

Using the above command, you can perform a two-way replication. First, the source server pulls
the changes into its local replica from the destination server. Then, it pushes the changes in the
local replica to the replica on the destination server.

Using Scheduled Replication

You can schedule replication between servers to automatically replicate databases between two
servers. To schedule the replication between any two servers, you require a Connection document.
Unlike mail routing, Connection documents for replication are required only if you want to schedule
replication to happen automatically. In this situation, you must create the Connection documents
even if the two servers are in the same Domino Named Network.
Note You must schedule replication between all the servers in the domain for all
the important databases, such as the Domino Directory and the
Administration Requests database.

To create a Connection document between two servers:


1. In the Domino Administrator client, select the Configuration tab-> the Server
section-> Connections view, as shown in Figure 7-10:

Figure 7-10: The Connections View


2. Click the Add Connection action. This opens a New Connection document, as
shown in Figure 7-11:

Figure 7-11: A Sample Server Connection Document


The Basics tab of the Connection document contains the following options:
• Connection type: The method by which the source server
connects to the destination server, such as a LAN, Notes Direct
Dialup, or Network Dialup.
• Source server: The name of the calling server.
• Destination server: The name of the server being called. You can
also include a group of servers to enable replication with multiple
servers.
• Source domain: The name of the calling server’s domain.
• Destination domain: The name of the destination server’s
domain.
• Use the port(s): The port over which the source server connects
to the destination server, such as TCPIP.
• Usage priority: You can select a Usage priority as Normal or
Low. Domino attempts to connect to the destination using all
Connection documents with a usage priority of Normal. If the
connection is not successful, only then does it try to connect
using the documents with a Low usage priority.
• Optional network address: The network address of the
destination server. This is an optional field.
3. Fill in the information about the source and the destination servers and click the
Replication/Routing tab, as shown in Figure 7-12:

Figure 7-12: The Replication/Routing Tab


The Replication/Routing tab of the Connection document contains the following options:
• Replication task: Select Enabled to enable replication.
• Replicate databases of: The priority of databases to replicate
during this scheduled replication. You can choose to replicate the
High priority databases, Medium & High priority databases or
Low & Medium & High priority databases. The replication priority
of a database is set from the Replication Settings.
• Replication Type: The type of replication to perform during the
connection. You can select the type as PULL PULL, PULL
PUSH, PULL only or PUSH only.
• File/Directory Paths to Replicate: The database file names and
the folders under the data folder that you want to replicate, such
as names.nsf and mail\arogers.nsf. To replicate a complete
folder, such as mail, specify the folder name as mail\.
• File/Directory Paths to NOT Replicate: The database file names
and the folder under the data folder that you do not want to
replicate.
• Replication Time Limit: The time limit in minutes for the
replication to finish.
4. Fill in the replication options and click the Schedule tab to specify the schedule
for the replication, as shown in Figure 7-13:

Figure 7-13: The Schedule Tab


The Schedule tab of the Connection document contains the following options:
• Schedule: Select Enabled to enable the schedule. Otherwise,
select Disabled.
• Connect at times: The times at which the source server calls the
destination server. You can specify distinct values, such as 09:00
AM, 12:00 PM, or 03:00 PM, or a range, such as
10:00 AM-08:00 PM.
• Repeat interval of: The interval in minutes after which the source
server should repeat a call. Specify 0 if you want the server to
call just at the time specified.
• Days of week: The days of the week on which the server should
call.
5. Fill in the fields in the Schedule tab to specify the schedule for replication.
6. Click the Save & Close action to save and close the document.

Viewing Replication Schedules and Topology Maps


The Domino server runs a task called MAPS that creates topology maps depicting the connections
created for replication between various servers in a domain. You can view this graphical
representation of the replication topology in the Domino Administrator client. The Domino
Administrator client also shows the replication schedules graphically.

To view the replication schedules on a server:


1. Select the Replication tab of the Domino Administrator client.
2. Click Replication Schedule. The replication schedule is shown graphically, as
shown in Figure 7-14:

Figure 7-14: Graphical Representation of Replication Schedules

To create and view the topology maps in the Domino administrator client:
1. Load the MAPS task by entering the following command on the server console:
LOAD MAPS
2. The MAPS task starts. Select the Replication tab of the Domino Administrator
client and click Replication Topology-> By Connections view. The topology map
showing the various Connection documents between the servers appears, as
shown in Figure 7-15:

Figure 7-15: The Topology Map Showing the Server Connections

Planning Replication Topologies


When replication has to take place between multiple servers, proper planning of
Connection documents results in an effective replication topology. If you do not plan the
Connection documents properly, troubleshooting replication errors becomes difficult
because you do not know which connection has the problem.

You can create Connection documents between the servers in your domain based on
one of the following topologies:
• End-to-End: You create Connection documents such that replication takes place
from one server to another in a chain. For example, if you have five servers,
Server1 to Server5, you will create Connection documents between:
o Server1 and Server2
o Server2 and Server3
o Server3 and Server4
o Server4 and Server5
• Ring: You create Connection documents such that the replication takes place
from one server to the next in a closed loop. For five servers, Server1 to
Server5, you will create Connection documents between:
o Server1 and Server2
o Server2 and Server3
o Server3 and Server4
o Server4 and Server5
o Server5 and Server1
• Peer-to-Peer: You create Connection documents between all the servers in
the domain. This topology is ideal for small setups because the changes
are quickly updated to all. This topology is not suitable for large setups
because managing the Connection documents and troubleshooting
replication becomes difficult because of the large number of Connection
documents.
• Hub and Spoke: You consider one of the servers as the hub server and the
rest of the servers as the spokes. You create Connection documents
between the hub server and the spoke servers. For example, for servers
Server1 to Server5, if you consider Server1 as the hub server, you will
create Connection documents between:
o Server1 and Server2
o Server1 and Server3
o Server1 and Server4
o Server1 and Server5

The Hub and Spoke topology is the most effective and efficient topology for large
organizations. In this topology, one central server is set up as the hub server. This server
replicates with all other servers called the spokes. The spoke servers update the hub
server, which in turn updates the spoke servers. For still larger organizations, multiple
hub servers can be set up and replication is set up between these hub servers.

This type of topology helps in centralized administration of the Domino directory because
you can give Manager access to the hub server in Domino directories on all the spoke
servers and a Reader access to the spoke servers on the replica on the hub. This
ensures that the hub server can push changes to the spoke servers but the spoke
servers cannot push any changes to the hub server. The Hub and Spoke topology also
minimizes the network traffic and makes managing replication easier because in case a
scheduled replication on any server does not happen successfully, you need to check a
single Connection document.
Figure 7-16 shows a sample Hub and Spoke replication topology:

Figure 7-16: A Sample Hub and Spoke Replication Topology
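
The trade-offs between the four topologies can be compared by generating the server pairs that need Connection documents and measuring how many replication hops a change may need to reach every server. The Python code below is an added example, not part of the book; it assumes each connected pair replicates in both directions, and the function names are illustrative.

```python
from collections import deque
from itertools import combinations

TOPOLOGIES = ("end-to-end", "ring", "peer-to-peer", "hub-and-spoke")


def connection_pairs(servers, topology, hub=None):
    """Return the server pairs that need Connection documents."""
    servers = list(servers)
    if topology == "end-to-end":
        return list(zip(servers, servers[1:]))
    if topology == "ring":
        return list(zip(servers, servers[1:] + servers[:1]))
    if topology == "peer-to-peer":
        return list(combinations(servers, 2))
    if topology == "hub-and-spoke":
        hub = hub or servers[0]
        return [(hub, s) for s in servers if s != hub]
    raise ValueError(f"unknown topology: {topology}")


def worst_case_hops(servers, pairs):
    """Largest number of server-to-server replications a change may need.

    Returns None if some server cannot be reached at all.
    """
    neighbours = {s: set() for s in servers}
    for a, b in pairs:
        neighbours[a].add(b)
        neighbours[b].add(a)
    worst = 0
    for start in servers:
        # Breadth-first search gives the shortest hop count from 'start'.
        dist = {start: 0}
        queue = deque([start])
        while queue:
            current = queue.popleft()
            for nxt in neighbours[current]:
                if nxt not in dist:
                    dist[nxt] = dist[current] + 1
                    queue.append(nxt)
        if len(dist) < len(servers):
            return None
        worst = max(worst, max(dist.values()))
    return worst


def pairs_to_check(server, pairs):
    """Connections to inspect when replication to 'server' has gone stale."""
    return [p for p in pairs if server in p]


def compare(servers, stale_server, hub=None):
    """Summarise every topology for the given servers."""
    table = {}
    for topology in TOPOLOGIES:
        pairs = connection_pairs(servers, topology, hub)
        table[topology] = {
            "pairs": len(pairs),
            "worst_hops": worst_case_hops(servers, pairs),
            "to_check": len(pairs_to_check(stale_server, pairs)),
        }
    return table


if __name__ == "__main__":
    names = [f"Server{i}" for i in range(1, 6)]
    for topology, row in compare(names, "Server3", hub="Server1").items():
        print(f"{topology:14} {row}")
```

For the five servers used in the text, Hub and Spoke needs four pairs, reaches every server in at most two hops, and leaves one connection to check for a stale spoke, while Peer-to-Peer needs ten pairs.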

Troubleshooting Replication
Replication may sometimes not function properly, such as when you find that a replica does not
contain all the documents that it should. You may also find that the replicas are of different sizes or
the deleted documents keep coming back to your database. To handle these problems, you need
to troubleshoot replication.

Some of the common troubleshooting activities that you can perform on a server are:
• Check the access of the servers on the destination servers and target databases.
• Check the replication settings of the database.
• Check the replication history of the database.
• Troubleshoot replication and save conflicts.
• Troubleshoot document deletions.

Access on Servers and Databases

The replication may fail if appropriate access has not been assigned to servers and users.

To create a new replica on the server, a user should have the Create Replica access in the server
document. By default, no one has the access to create replicas on the server. If you are creating a
replica using the AdminP task, you must include the server name in the Create Replica access list
of the server.

Each database must provide appropriate access to the servers for server-to-server replication to
take place smoothly. You must give the server access that is at least as high as the highest
user-level access on the database. For example, if users have Designer access to the database, they
will be able to change the design. To replicate the design changes, you must assign the server at
least Designer access to the database. To enable servers to replicate the database ACL, you must
assign them Manager access.

If a server is only required to pull the changes from a replica, you need to give it only a Reader
access on the source database. If the documents in a database contain a Readers type of field,
you must ensure that the server name is included in the field. Otherwise, the server will not be able
to replicate documents where the server is not a reader for the document.
Note To learn more about ACL, server access list, and Readers field, see Chapter
10, Domino Security.
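
The access rules above can be checked mechanically against an inventory of server ACL entries. The following Python audit is an added example, not part of Domino or of the original text; the server names, the database itserv.nsf, the group name, and the inventory itself are constructed, and the model checks only names listed directly in a Readers field (it does not expand groups).

```python
from dataclasses import dataclass, field
from enum import IntEnum


class Access(IntEnum):
    """Domino ACL levels, lowest to highest."""
    NO_ACCESS = 0
    DEPOSITOR = 1
    READER = 2
    AUTHOR = 3
    EDITOR = 4
    DESIGNER = 5
    MANAGER = 6


@dataclass
class ServerEntry:
    """A peer server's entry in the ACL of one replica (constructed model)."""
    database: str
    replica_on: str                       # server that stores this replica
    peer: str                             # server named in the ACL entry
    access: Access                        # level granted to the peer
    peer_pushes: bool                     # peer writes changes into this replica
    highest_user_access: Access = Access.EDITOR
    replicate_acl: bool = False           # ACL changes must arrive from the peer
    readers_fields: list = field(default_factory=list)  # names per protected document


def required_access(entry):
    """Minimum level for the peer according to the rules in this section."""
    if not entry.peer_pushes:
        return Access.READER              # pull-only peers need Reader on the source
    if entry.replicate_acl:
        return Access.MANAGER             # replicating the ACL requires Manager
    return entry.highest_user_access      # must cover whatever users can change


def audit(entries):
    """Return (location, problem) pairs for every entry that breaks a rule."""
    findings = []
    for e in entries:
        need = required_access(e)
        where = f"{e.peer} in ACL of {e.database} on {e.replica_on}"
        if e.access < need:
            findings.append((where, f"has {e.access.name}, needs {need.name}"))
        elif not e.peer_pushes and e.access > Access.READER:
            findings.append(
                (where, f"pull-only peer has {e.access.name}, more than READER"))
        hidden = sum(1 for names in e.readers_fields if e.peer not in names)
        if hidden:
            findings.append(
                (where, f"missing from Readers field of {hidden} document(s)"))
    return findings


# Constructed hub-and-spoke inventory; Server1 is the hub.
HUB = "Server1/SNT"
INVENTORY = [
    # The hub pushes directory and ACL changes into the spoke replicas.
    ServerEntry("names.nsf", "Server2/SNT", HUB, Access.MANAGER, True,
                replicate_acl=True),
    ServerEntry("names.nsf", "Server3/SNT", HUB, Access.DESIGNER, True,
                replicate_acl=True),
    # The spokes only pull from the replica on the hub.
    ServerEntry("names.nsf", HUB, "Server2/SNT", Access.READER, False),
    ServerEntry("names.nsf", HUB, "Server3/SNT", Access.EDITOR, False),
    # Application database: users hold Designer, some documents have Readers fields.
    ServerEntry("itserv.nsf", "Server4/SNT", HUB, Access.EDITOR, True,
                highest_user_access=Access.DESIGNER,
                readers_fields=[["HR Managers", HUB], ["HR Managers"]]),
]

if __name__ == "__main__":
    for where, problem in audit(INVENTORY):
        print(f"{where}: {problem}")
```

An entry that grants too little access explains a replica that is missing changes, while a pull-only entry that grants more than Reader lets a spoke write to the hub.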

Replication Settings

You need to check the replication settings of the database if you find that some of the databases
are not replicating at all. You can also check the replication settings if only selective views and
folders are being replicated, or if you find that the older documents keep disappearing from a
replica. The replication settings of a database contain options to:
• Control the size of a replica.
• Control the information that needs to be kept in the current replica.
• Control the information that needs to be sent to other replicas.
• Control other miscellaneous settings.

To access the replication settings of a database:


1. Open the database whose replication settings you want to change.
2. Select File-> Replication-> Settings. This opens the Replication Settings for IT
Services dialog box, as shown in Figure 7-17:

Figure 7-17: The Replication Settings for IT Services Dialog Box

The Replication Settings for IT Services dialog box contains five tabs.

The Basics tab contains options related to the frequency of replication, the amount of replication,
and the preferred server for replication, as shown in Figure 7-17.

The Basics tab contains the following options:

• Scheduled replication is enabled: Adds the replica to the local replication schedule
for the current location.
• Replicate using schedule for priority databases: Includes the current replica in the
additional replication schedule for high priority databases.
• Send documents to server: Pushes the changes to the destination server’s replica.
• Receive documents from server: Receives the changes from the destination
server’s replica. Select Full documents to receive the complete document from the
replica. Select Partial documents to receive the basic document information and 40
KB of rich text. If you select this option, you can choose to truncate documents
larger than 40 KB or limit attachment size to 40 KB. Select Summary to receive
only the basic document information and select Smallest first to receive documents
in the order of size starting with the smallest document. This may be useful if you
do not expect the replication to complete.
• Preferred server: The server with which the replication should preferably be done.

The Space Savers tab controls the size of the current replica. Figure 7-18 shows
the options on the Space Savers tab:

Figure 7-18: The Space Savers Tab

The Space Savers tab contains the following options:

• Remove documents not modified in the last <n> days: Deletes all documents from
the current replica that are older than the specified number of days.
• Receive only a subset of the documents: Allows you to select the views or folders
that you want to replicate or specify a selection formula for the documents that you
want to replicate.

The Send tab controls the information that is sent to other replicas from the current
replica, as shown in Figure 7-19:

Figure 7-19: The Send Tab

The Send tab contains the following options:

• Do not send deletions made in this replica to other replicas: Retains any
documents deleted in the current replica in other replicas.
• Do not send changes in database title and catalog info to other replicas: Allows you
to keep different database titles and catalog information for different replicas.
• Do not send changes in local security to other replicas: Does not replicate the ACL
of the local replica to other replicas.

The Other tab contains special replication limitations, as shown in Figure 7-20:

Figure 7-20: The Other Tab

The Other tab contains the following options:

• Temporarily disable replication for this replica: Disables the replication of the
selected database replica.
• Set scheduled replication priority for this: Assigns a replication priority to a
database. You can assign Low, Medium, or High priority. This option helps
you to categorize the databases for consideration during scheduled replication.
• Only replicate incoming documents saved and modified after: Defines the cutoff
date for the documents replicated in the current replica.
• CD-ROM publishing date: Defines the CD-ROM publishing date for the replica, if
you distribute the replica on a CD-ROM, so that Notes can replicate only the new
or changed documents and does not need to replicate all the documents to this
replica.

The Advanced tab controls the information that the current replica receives from other replicas, as
shown in Figure 7-21:

Figure 7-21: The Advanced Tab

You can use the Advanced tab to define which computer receives what information from which
other computer during replication. You can specify a subset of folders and views to receive or
specify a formula for selection of documents that you want to receive. You can also specify
whether you want to receive changes to design elements, agents, replication formula, document
deletions, and ACL. These settings apply to all the replicas on the selected computer. You can
select a local computer, a server, or all servers that contain replicas of the database.

Replication History

The replication history of a database contains information about each successful replication of the
database with any server. The replication history contains the following information about a
successful replication:
• Date and Time of replication with the other server
• Action, whether the information was sent or received
• Destination Server with which the replication took place
• Destination File name of the replica on the other server

To access the Replication History of a database, select File-> Replication-> History. Figure 7-22
shows the Replication History dialog box:

Figure 7-22: The Replication History Dialog Box

Sometimes, during the replication of databases, the right documents are not replicated but the
replication history of the database gets stamped. When you try to replicate the databases again,
no replication takes place because the REPLICATOR does not detect any changes after the date
is stamped in the replication history. To handle these problems, you can clear the date time stamps
of successful replications by clearing the replication history of the database.

To clear a single entry from the replication history, select the entry and click the Clear button in the
Replication History dialog box. To clear the complete history, click Clear All.

After you clear the history, the REPLICATOR does a fresh replication considering all the
documents.

Replication and Save Conflicts

In a replica, a replication conflict is created if the same document is edited and saved by multiple
users in different replicas and the replicas are then replicated. One of the documents becomes the main
document and the other becomes a response to the main document and shows as Replication or
Save Conflict in all the views. Under these conditions:
• The document edited and saved the most times becomes the main document and
other documents become the Replication or Save Conflict documents.
• If all of the documents are edited and saved the same number of times, the
document saved most recently becomes the main document, and the others
become Replication or Save Conflict documents.
• If a document is edited in one replica but deleted in another replica, the deletion
takes precedence unless the edited document is edited more than once or the
editing occurs after the deletion.

To reduce or eliminate replication conflicts, you can:

• Select the Form property Merge replication conflicts, using the Domino Designer
client, to automatically merge conflicts into one document. If the same field has
been modified in both the replicas, a conflict is created even if this property has
been selected. The Form property adds a field $ConflictAction with a value 1 to the
document that has the property selected.
• Specify a Form property for versioning so that edited documents automatically
become new documents.
• Lock documents in a database. Locking documents prevents a user from editing a
document if another user has already opened it in the Edit mode.

Troubleshooting Deletions

Replication synchronizes additions, modifications, and deletions done in replicas. When you delete
a document from one replica, the document is deleted from all the other replicas. When you delete
a document from a replica, it leaves behind a deletion stub. When replication takes place, the
REPLICATOR uses this mark to identify that the document has been deleted. Sometimes, you
might find the deleted documents reappearing in the database. To save disk space, Notes purges
deletion stubs according to the replication setting Remove documents not modified in the last <n>
days. The number of days specified here is called the purge interval. If the replication of the
databases does not take place before the purge interval, Notes purges the deletion stubs before
they have a chance to replicate and the deleted documents reappear.

A deleted document may also reappear if the document has been deleted from one replica but has
been edited after that on another. This is because the edit occurred after the deletion and so it
overrides the deletion.
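
The two causes of reappearing documents described above can be reproduced with a small model of deletion stubs. The following Python code is an added example, not Domino code and not from the original text; it assumes that replication compares every document in both replicas and ignores replication history and cutoff dates, and the day numbers, document ID, and server names are constructed.

```python
from dataclasses import dataclass


@dataclass
class Note:
    """One document in one replica (simplified, constructed model)."""
    modified_day: int        # day of the last edit, or of the deletion
    deleted: bool = False    # True: this entry is a deletion stub


def purge_stubs(replica, today, purge_interval_days):
    """Drop deletion stubs older than the purge interval; return their IDs."""
    expired = [doc_id for doc_id, note in replica.items()
               if note.deleted and today - note.modified_day > purge_interval_days]
    for doc_id in expired:
        del replica[doc_id]
    return expired


def replicate(a, b):
    """Two-way sync in which the most recent change to a document wins.

    A replica with no entry for a document, not even a stub, cannot tell
    "deleted long ago" from "never received", so it accepts the peer's copy.
    """
    for doc_id in set(a) | set(b):
        in_a, in_b = a.get(doc_id), b.get(doc_id)
        if in_a is None or (in_b is not None
                            and in_b.modified_day > in_a.modified_day):
            newest = in_b
        else:
            newest = in_a
        a[doc_id] = Note(newest.modified_day, newest.deleted)
        b[doc_id] = Note(newest.modified_day, newest.deleted)


def reappears(replication_day, purge_interval_days, edit_day_on_b=None):
    """Delete doc1 on replica A on day 10, replicate with B on replication_day.

    Returns True if doc1 is a live document on A after replication.
    """
    deletion_day = 10
    a = {"doc1": Note(modified_day=1)}
    b = {"doc1": Note(modified_day=1)}
    a["doc1"] = Note(deletion_day, deleted=True)     # deletion leaves a stub
    if edit_day_on_b is not None:
        b["doc1"] = Note(edit_day_on_b)              # edit made on the other replica
    for replica in (a, b):
        purge_stubs(replica, replication_day, purge_interval_days)
    replicate(a, b)
    return not a["doc1"].deleted


def overdue_peers(last_replicated, today, purge_interval_days):
    """Peers whose last successful replication is older than the purge interval."""
    return sorted(peer for peer, day in last_replicated.items()
                  if today - day > purge_interval_days)


if __name__ == "__main__":
    print("replicated in time:       ", reappears(15, 30))
    print("stub purged first:        ", reappears(50, 30))
    print("edited after the deletion:", reappears(15, 30, edit_day_on_b=12))
    print("overdue:", overdue_peers({"Server2/SNT": 40, "Server3/SNT": 5}, 50, 30))
```

Comparing the dates in the replication history of each replica with the purge interval, as overdue_peers does, identifies the replicas on which deleted documents can reappear.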

Chapter 8: Using the Administration Process


The Administration Process (AdminP) is a task that runs on the Domino server. AdminP helps you
automate administrative activities, such as renaming and deleting users and servers, moving and
deleting mail files, and creating replicas on multiple servers. Each of these activities involves many
additional activities. After you initiate the main activity, AdminP ensures the execution of the others.

For example, changing the common name of a user involves many tasks. You need to change the
user ID, the name in the Domino directory, and locate and change the name in the Access Control
Lists (ACLs) of all the databases. In addition, you need to change the Readers and Authors fields
in the documents in the databases and the calendar entries. Performing all these tasks manually
requires time and effort, and there is a chance that you might overlook a task or two.

The AdminP saves you the time and effort required to implement these tasks manually and
ensures that all necessary changes are implemented.

This chapter describes the various components of the AdminP. It also explains how to configure
these components on the server and how to carry out some common administration requests.

Introducing the AdminP


Whenever an activity needs to be performed by the AdminP, Domino logs a request into the
Administration Requests database. Each request has a scheduled time at which it is performed, and
each activity is assigned a server at which it is executed. The Connection documents in the Domino
directory ensure that the Administration Requests database is replicated to all the servers in the
domain at regular intervals. When a request reaches the server that is designated to perform the
request, the server processes the request. In addition, at the next scheduled replication, the server
replicates the status of the request back to all other servers.

The components of the AdminP are:

• The Administration Requests database
• The AdminP task
• The Administration Server for the Domino directory
• The Certification Log database

The Administration Requests Database

The Administration Requests database (ADMIN4.NSF) is created automatically when you
configure and start the first server. All other servers in the domain contain a replica of the
Administration Requests database on the first server. The database is based on the template
Administration Requests (6) (ADMIN4.NTF).

The Administration Requests database stores all requests for activities to be performed by the
AdminP task. The Administration Requests database also contains the responses to these
requests as response log documents, which show the status of any request. An activity to be
performed by the AdminP may involve more than one server. The Domino server regularly
replicates this database with other servers in the domain to distribute the requests to the other
servers.
Note Domino adds a large number of request and response log documents to the
Administration Requests database. It is advised that you control the size of
this database. To learn about controlling database size, see Chapter 11,
Managing Domino Databases.

To open the Administration Requests database on the server:


From the Domino Administrator client, click the Server tab-> Analysis tab-> Administration
Requests (6) section. Figure 8-1 shows the views available in the Administration Requests (6)
section:

Figure 8-1: Views Under the Administration Requests Section

The views in the Administration Requests section are:

• Administrative Attention Required: Contains requests that need to be attended to by
the administrator.
• All Activity by Server: Contains responses to all the requests categorized by server.
• All Errors by Date: Contains responses for all requests that have encountered
errors. The responses are categorized by date.
• All Errors by Server: Contains responses for all requests that have encountered
errors. The responses are categorized by server.
• All Requests by Action: Contains all requests and their responses categorized by
action.
• All Requests by Name: Contains all requests and their responses categorized by
name.
• All Requests by Originating Author: Contains all requests and their responses
categorized by the names of persons who initiated the requests.
• All Requests by Server: Contains all requests and their responses categorized by
server.
• All Requests by Time Initiated: Contains all requests and their responses
categorized by the date and time at which the request was initiated.
• CA Modification Requests: Contains all requests that need to update the Certifier
document in the Domino Directory and the Certificate Authority Configuration
document in the Issued Certificate List (ICL) database.
• CA Recovery Updates: Contains all requests to update the recovery information for
a certifier. This view is also for use by the Certification and Registration Authorities
for a CA certifier.
• Certificate Requests: Contains all requests to create an Internet certificate and
requests to create a Notes certificate. This view contains the requests for the CA
process and is monitored by the Certification and Registration Authorities.
• Cross Domain - Configuration: Contains domain-wise cross-domain configuration
documents. The view also contains the inbound and the outbound requests that
are accepted.
• Cross Domain - Delivery Failures: Contains all the requests that could not be
delivered to the inbound domain.
• Enrollment Requests: Contains all the requests for certificates created through the
Internet, using the Certificate Requests database.
• Individual Approval Required: Contains all requests that need to be approved by
the administrator before being executed.
• Name Move Requests: Contains all requests to move user names in the name
hierarchy.
• Pending Administrator Approval: Contains requests that need to be approved by
the administrator before being executed.
• Revocation Requests: Contains all requests to revoke an Internet certificate using
the CA process. The Certification Authority and the Registration Authority
designated for a certifier monitor this view.

The AdminP Task

The AdminP task is responsible for executing all the requests in the Administration Requests
database. The AdminP task starts automatically when you start a server. You can also start the
AdminP task manually by issuing the following console command:
LOAD ADMINP

To quit the AdminP task, you must issue the following command on the server console:
TELL ADMINP QUIT

The AdminP task executes requests based on predefined schedules. An AdminP request can be
executed immediately, after a few minutes, once in a day, or once in a week. You can issue
console commands to carry out these requests immediately. You can customize the schedules for
various types of AdminP requests using the Server document.

Types of AdminP Requests


Administration requests are created automatically when you perform activities on the server that
require intervention by the AdminP. All new requests created in the Administration Requests
database are executed according to a predefined schedule. An icon on the request indicates the
execution schedule for the request. The various types of requests generated in the Administration
Requests database are:
• Immediate: Executed within a minute.
• Interval: Executed after a few minutes as specified in the Server document.
• Daily: Executed once in a day as scheduled in the Server document.
• Delayed: Executed on specified days of the week at the specified time. These
values are specified in the Server document.
• Needs Approval: These requests require the administrator’s approval.
• Approved: These are requests that have been approved by the administrator.
• Rejected: These are requests that have been rejected by the administrator.

When the AdminP carries out these requests, the status of the request changes. Based on the
status, a different icon is shown with the request. The status of various AdminP requests is as
follows:
• Reprocess: Reprocess requests are generated when a request fails and you
select the option on the request to perform the request again.
• Attention: These requests are shown in the Administrative Attention Required
view and are not errors.
• Processed: These are marked as processed by the administrator by selecting
the option Remove from view in the Administrative Attention Required, All Errors
by Server, and All Errors by Date views.
• Completed: These requests have been successfully completed.
• Error: These requests show an error status.
• In Progress: These requests are in progress and are waiting for a task to be
completed.

AdminP Console Commands


Each request in the administration requests database has a predefined schedule at which it is
performed. If you need to expedite a request, you can specify console commands to execute the
requests immediately.

The Domino console commands for AdminP are:

• TELL ADMINP PROCESS ALL: Processes all the new and modified AdminP
requests.
• TELL ADMINP PROCESS INTERVAL: Processes all the new and modified
AdminP requests scheduled to execute according to the Interval setting.
• TELL ADMINP PROCESS NEW: Processes all the new AdminP requests.
• TELL ADMINP PROCESS PEOPLE: Processes all the new and modified
AdminP requests to update person documents in the Domino directory.
• TELL ADMINP PROCESS DAILY: Processes all the new and modified AdminP
requests scheduled to execute at daily settings.
• TELL ADMINP PROCESS DELAYED: Processes all the new and modified
AdminP requests scheduled to execute at delayed settings.
• TELL ADMINP PROCESS TIME: Processes all new and modified requests to
delete the unlinked mail files.

Customizing the AdminP task


You can customize the AdminP task for settings such as the duration for an Interval type request,
the time at which a daily request is scheduled, or the day and time of the week when a Delayed
type request must be carried out. You can also suspend the AdminP task temporarily on a server at
specific times.

The options to customize the AdminP task are available in the Server document. To customize the
AdminP task:
1. Select the Configuration tab of the Administrator client.
2. Expand the Servers view and select All Server Documents.
3. From the Results pane, double-click the document for your server to open it.
4. Select the Server Tasks tab. The Administration Process tab is selected by
default, as shown in Figure 8-2:

Figure 8-2: Administration Process Options in the Server document


The Administration Process options in the Server document are:
   • Maximum number of threads: The maximum number of server
     threads that the AdminP can use to process a request. The
     default value is 3. Increasing the number of threads improves
     the performance of the AdminP task.
   • Interval: The duration in minutes after which the AdminP
     carries out the requests scheduled as Interval requests. The
     default duration is 60 minutes.
   • Execute once a day requests at: The time at which the
     AdminP carries out the requests scheduled as Daily requests.
     The default time is 12:00 A.M.
   • Start executing on: The day of the week on which the AdminP
     executes the requests scheduled as Delayed requests. The
     default day is Sunday.
   • Start executing at: The time, on the day specified in the Start
     executing on field, at which the AdminP executes the requests
     scheduled as Delayed requests. The default is 12:00 A.M.
   • Interval between purging mail file and deleting when using
     object store: The number of days for which a mail file that
     uses shared mail is kept before deletion. The default is 14
     days.
   • Mail file move expires after: The number of days after which a
     request for moving a mail file expires.
   • Store Admin Process log entries when status of no change is
     recorded: Selecting Yes logs the AdminP entries even if the
     status of an entry shows no change.
   • Suspend Admin Process at: The time of the day at which the
     AdminP stops.
   • Restart Admin Process at: The time of the day at which the
     AdminP restarts.
5. Specify the Interval and the Daily and Delayed request settings. Change other
options if required.
6. Save and close the Server document.

Configuring Administration Server for a Database

The administration server for a database is responsible for the administrative changes in that
database, such as updating the names of users, servers, or groups in various fields in the
database and deleting users and servers. It is mandatory to assign an administration server for the
Domino directory. By default, the first server that you set up in the organization becomes the
administration server for the Domino directory.

A few other databases are also assigned administration servers automatically. For example,
the users' mail servers are the administration servers for their e-mail databases. For other
databases, where you want the AdminP to update the ACL or the Readers and Authors fields with the
changed names of users and servers, you must assign an administration server in the ACL of the
database.

To assign the administration server for a database:


1. Select the Files tab of the Domino Administrator client.
2. Select the database for which you want to set or change the administration
server.
3. From the Tools pane, select Database-> Manage ACL, to change the ACL of the
selected databases. Alternatively, you can access the ACL using the
File-> Database-> Access Control option.
4. Click the Advanced tab on the Access Control List to Employees dialog box that
appears to access the option for setting the administration server for the
database, as shown in Figure 8-3:

Figure 8-3: Setting the Administration Server for a Database


5. In the Administration server field, select the Server option and then select the
name of the server from the drop-down list.
6. Click the Action field. The field shows the following three options:
   • Do not modify Names fields: Select this option if you do not want
     the name changes to be reflected in fields of the type Names.
   • Modify all Readers and Authors fields: Select this option if you
     want the name changes to be reflected in all the Readers
     and Authors type of fields.
   • Modify all Names fields: Select this option if you want the name
     changes to be reflected in fields of the type Names.
7. Click OK to save the changes and close the Access Control List to Employees
dialog box.

The selected server takes responsibility for all the name changes in the database.

Configuring an Extended Administration Server

An extended administration server can be designated for the Domino directory to distribute the
administration responsibilities across multiple servers dispersed across various locations. When
you assign a single administration server to the Domino directory, all the AdminP activities
requiring changes to the Domino directory are performed by that server. This increases the load on
the server and requires multiple replications of the Administration Requests database and Domino
directory on this server with all other servers for the request to be completed.

For example, if you initiate a name change request for a user on a server other than the
administration server for the Domino directory, this request must be replicated to the Administration
Requests database on the administration server. When the server carries out the request, you
must replicate it back to the server initiating the request. The administration server carries out the
changes in its Domino directory. You must replicate the Domino directory with the other server for
the name change to be effective.

An extended administration server can modify any documents that belong to a namespace for
which the server has been assigned the required access. A namespace is an element of the
certification hierarchy. For example, OU=HO/O=SNT is a namespace for the organization SNT and
the organization unit HO.

To assign an extended administration server for the Domino directory:


1. Select the Files tab of the Domino Administrator client.
2. Select the Domino directory for your domain from the Results pane. Select File->
Database-> Access Control. The Access Control List to: SNT’s Directory dialog
box for the Domino directory appears.
3. Click the Advanced tab of the Access Control List to: SNT’s Directory dialog box.
The Advanced ACL settings appear, as shown in Figure 8-4:

Figure 8-4: The Advanced ACL Settings for the Domino Directory
Make sure that you select the Enforce a consistent Access Control List across all
replicas and Enable Extended Access options.
Note To learn more about enabling the Extended Access on the Domino directory, see
Appendix B, Extended ACL.
4. Click the Basics tab of the Access Control List dialog box and click the Extended
Access button. Figure 8-5 shows the Extended Access button on the Basics tab
of the Access Control List dialog box:

Figure 8-5: Access Control List Dialog Box Showing the Extended Access Button
Clicking the Extended Access button displays the Extended Access dialog box, as
shown in Figure 8-6:

Figure 8-6: The Extended Access Dialog Box


5. In the Name list, select the namespace for which you are assigning an
administration server, as shown in Figure 8-6. This namespace should be for an
organization or one or more organizational units.
6. In the Access List, add the server that you are designating as an administration
server by clicking the Add button.
7. In the Scope of Target drop-down list, select the This container only option to
assign the selected administration server to the selected namespace only.
Namespaces that are subordinate to the selected namespace are not affected
by this selection.
8. For the Administer Access field, select the Allow column.
9. Click OK to close the dialog box, then click Yes to confirm saving the settings.
10. Click OK to close the Access Control List dialog box.

The newly added server is now responsible for all the requests for the selected namespace. The
original Administration server for the Domino directory continues to handle requests for any other
namespace.

Certification Log Database

The Certification Log database (CERTLOG.NSF) is created when you set up the first server in your
domain. To create this database, you can use the Certification Log (CERTLOG.NTF) template.

When you register servers and users in Domino, the certification log records the following
information about each registration:
• Name and license type of the registered ID.
• Date of certification and date on which the certificate expires.
• Name, license type, and ID number of the certifier ID used to create or recertify the
ID.

The certification log stores important information that is required for recertification and renaming by
the AdminP. If any entry is missing in the certification log, the user-management action fails.

All other servers in the domain that act as registration servers or are used for renaming and
recertification requests must contain a replica of the certification log.
Figure 8-7 shows the Certification Log database:

Figure 8-7: Certification Log Database



Configuring Cross Domain Processing of Administration Requests

Domino allows you to process administration requests from other domains. The following
types of requests can be processed across domains:
• Delete person in Domino directory
• Delete server in Domino directory
• Rename person in Domino directory
• Rename server in Domino directory
• Create replica
• Get replica information for deletion

To enable the server in one domain to mail AdminP requests to a server in another
domain, you must create a Cross Domain Configuration document.

Only users listed in the field List of administrators who are allowed to create Cross Domain
Configuration documents in the Administration Process Requests database, in the
Domino directory profile, can create these documents.
Note To learn more about the Domino directory profile, see Chapter 6, Configuring
Domino Directories.

Before the server can send the AdminP requests to the external domain, you must
ensure that the following exist in the Domino directory on the server:
• A cross certificate for the external domain certifier. The other domain directory must
contain a cross certificate for your domain certifiers.
Note To learn more about cross certificates, see Chapter 10, Domino Security.
• A Connection document for routing mail to the external domain. The other domain
must contain a Connection document to route mail to your domain.
Note To learn more about Connection documents, see Chapter 4, Configuring Mail
Routing.

To create a Cross Domain Configuration document in the Administration Requests
database:
1. Click the Server tab of the Domino Administration client.
2. Click the Analysis tab and select the Administration Requests (6) database
from the View pane.
3. Select the Cross Domain Configuration view.
4. Click the Add Configuration action. This opens a new Cross Domain Request
Configuration document, as shown in Figure 8-8:

Figure 8-8: The Cross Domain Request Configuration Document


5. To configure the requests coming from other domains, select Inbound.
6. Click the Inbound Request Configuration tab. Figure 8-9 shows the Inbound
Configuration tab of the Cross Domain Request Configuration document:

Figure 8-9: The Inbound Request Configuration Tab


7. In the Receive AdminP requests from domains field, specify the names of the
external Notes domains from which you want to allow AdminP requests.
8. Click the entry helper button in the List of AdminP requests allowed from other
domains. The Select Keywords dialog box appears, as shown in Figure 8-10.
This dialog box shows the types of cross domain requests to select from:

Figure 8-10: The Select Keywords Dialog Box for Inbound Cross Domain
Requests
9. Select the requests that you want to accept from the other domain and click
OK to close the Select Keywords dialog box.
10. In the List of approved signers field, select the names of users from the
destination domain who are trusted signers for these requests. A request
signed by any other person will be rejected.
11. To configure the outbound requests, click the Configuration Type tab and
select the Type of cross domain configuration as Outbound. The next tab
changes to Outbound Request Configuration.
12. Click the Outbound Request Configuration tab. Figure 8-11 shows the
Outbound Request Configuration tab of the Cross Domain Request
Configuration document.

Figure 8-11: The Outbound Request Configuration Tab


13. In the Domains to submit AdminP requests to field, specify the names of the
external Notes domains to which you want to send AdminP requests.
14. In the List of AdminP requests to submit field, select the requests that you
want to send to the other domain.
15. In the List of approved signers field, select the names of users from your
domain who are trusted signers for submitting these requests.
16. Click the Save & Close action on the action bar to save and close the Cross
Domain Request Configuration document.

Performing User Management Tasks


Over time, users in your company may be transferred from one department or location to another,
requiring a change in their name hierarchy. The common name component of a person’s
hierarchical name may require a change. Some users leave the company and their information
must be removed from the entire Domino domain. All these tasks require multiple activities
because the name of a user is recorded in multiple locations such as the Domino directory, the
ACLs of various databases, the Readers and Authors fields in the databases, calendar entries, and
the busy time database. Using AdminP, you can automate these tasks.

Renaming Users

The hierarchical name of a user may change. The common name component of a user’s
hierarchical name may also change. For example, in many communities, a woman’s last name
changes after marriage.

Changing the Common Name of a User


To change the common name of a user:
1. From the Domino Administrator client, select the People & Groups tab->
Domino Directories-> Your domain’s Domino Directory-> People view, as
shown in Figure 8-12:

Figure 8-12: The People View in the Domino Administrator Client


2. From the Results pane, select the user whose name needs to be changed.
3. From the Tools pane, select People-> Rename. The Rename Selected Notes
People dialog box appears, as shown in Figure 8-13:

Figure 8-13: The Rename Selected Notes People Dialog Box


4. To change the common name of a user, click the Change Common Name
button.
Note You can change the period for which the old name remains valid from the default
12 days to any value between 14 and 60 days. During this period, the user
continues to receive messages under his former name.
5. The Choose a Certifier dialog box appears, as shown in Figure 8-14:

Figure 8-14: The Choose a Certifier Dialog Box
6. Click the Server button to select the Registration server for the user.
7. Click the Certifier ID button to choose the certifier ID that was used to certify
the user and click OK.
8. Specify the password for the selected certifier ID and click OK. The Certificate
Expiration Date dialog box appears, as shown in Figure 8-15:

Figure 8-15: The Certificate Expiration Date Dialog Box


9. The user ID is certified by default for two years. Accept the default expiration
date or specify a new certificate expiration date and click OK.
The Rename Person dialog box appears, as shown in Figure 8-16:

Figure 8-16: The Rename Person Dialog Box


10. Change the user’s first, middle, or last name and other fields as shown in
Figure 8-16 and then click OK. A Processing Statistics message box indicates
whether the renaming has been successful or has failed, as shown in Figure
8-17:

Figure 8-17: The Processing Statistics Message Box

After this procedure, a series of requests are created in the Administration Requests database and
are performed by the AdminP. The user’s name is updated.

Moving a User to a Different Certifier


When a user is transferred from one department or location to another department or location, the
name hierarchy of the user needs to be changed. For example, a user, Arnold/HO/SNT, moves to
the regional office. The name must be changed to Arnold/RO/SNT. You may also need to change
the name hierarchy if you change the hierarchical structure for your organization. For example,
initially you certified all the users with the Organization-level certifier. Now, you have created a new
organization unit certifier for the location and want to certify them with this certifier.

To change the name hierarchy of a user:


1. From the Domino Administrator client, select the People & Groups tab.
2. Select Domino Directories-> your Domain’s Directory-> People view.
3. From the Results pane, select the user whose name needs to be changed.
4. From the Tools pane, select People-> Rename. The Rename Selected Notes
People dialog box appears, as shown in Figure 8-13.
5. To change the name hierarchy of the user, click the Request Move to New
Certifier button. The Choose a Certifier dialog box appears.
6. Click the Server button to select the Registration server for the user.
7. Click the Certifier ID button to choose the certifier ID that was originally used
to certify the user, such as /SNT, and click OK.
8. Specify the password for the selected certifier ID and click OK. The Request
Move for Selected People dialog box appears, as shown in Figure 8-18:

Figure 8-18: The Request Move for Selected People Dialog Box
9. From the New Certifier list, select the new certifier that you want to use to
certify the user ID. The Rename Person dialog box appears, as shown in
Figure 8-19:

Figure 8-19: The Rename Person Dialog Box


10. The Rename Person dialog box shows the primary name of the user. If you
want to change certain name fields of the users during the rename process,
select the Allow the primary name to be changed when the user is moved
option in the dialog box.
11. Click OK to save and complete the procedure. The Processing Statistics
message box appears, showing the status of the request.

As a result of the above procedure, a Name Move request is created in the Administration
Requests database. This request needs to be executed by the administrator who has access to the
new certifier.

To execute the Name Move request:


1. From the Domino Administration client, select the Server tab-> Analysis tab->
Administration Requests (6) section-> Name Move Requests view. The
request appears in the view, as shown in Figure 8-20:

Figure 8-20: The Name Move Request in the Administration Requests database
2. Select the entry and click the Complete Move for selected entries action. The
Choose a Certifier dialog box appears.
3. Select the new certifier, such as /RO/SNT, and click OK.
4. Specify the password for the certifier and click OK.
5. The Certificate Expiration Date dialog box appears. Accept the default or
specify a new expiration date for the user ID and click OK.
6. If you selected the Allow primary name to be changed when the name is
moved option, you are asked to specify the new first, middle, and last names
and other information, such as the Internet address. If you did not select the
option, you are asked to specify the Qualifying organization unit for the user.
Specify the required information and click OK.
7. The Processing Statistics dialog box confirms the status of the request.

After this procedure, a series of requests are created in the Administration Requests database and
are executed by the AdminP. The user’s name is updated.

Moving a User to Another Server

When a user is transferred from one location to another, the user’s mail database must also be
moved to the new location. You may also want to move the users to a new server if the load on the
current server is high and you have decided to configure a new server in the domain.

To move the mail database of the user to a new server:


1. From the Domino Administrator client, select the People & Groups tab-> Domino
Directories-> your Domain’s directory-> People view.
2. From the Result pane, select the entry for the user whom you want to move to a
different server. You can select multiple entries.
3. From the Tools menu, select People-> Move to Another Server. The Move
User(s) to Another Server dialog box appears, as shown in Figure 8-21:

Figure 8-21: The Move User(s) to Another Server Dialog Box


4. In the Destination field, select the name of the destination server for the mail file.
5. In the Move mail file into this folder field, change the folder name if you want to
move the mail file to a folder different from mail on the destination server.
6. Select the Link to Object Store option if you use shared mail on the destination
server. Click Delete old replicas in current cluster to delete the replicas from the
current server’s cluster.
7. Click OK to complete the request. A message box appears, as shown in Figure
8-22, confirming that a request has been created in the Administration Requests
database to move the mail file of the user to the destination server:

Figure 8-22: The Domino Administrator Message Box

A series of requests created in the Administration Requests database and executed by the AdminP
ensures that the user’s mail file is successfully moved to the destination server.

Deleting a User

When a user leaves an organization, the user’s entries in the Domino directory and other Domino
databases must be removed. For reasons of security, you may also want to add the user to a
Deny Access group in the server access list to remove the user’s access to the server.

To delete a user:
1. From the Domino Administrator client, select People & Groups tab-> Domino
Directories-> your Domain’s directory-> People view.
2. From the Result pane, select the entry for the user whom you want to delete.
You can select multiple entries.
3. From the Tools menu, select People-> Delete. The Delete Person dialog box
appears, as shown in Figure 8-23:

Figure 8-23: The Delete Person Dialog Box


4. In the What should happen to user’s mail database(s) section, select Delete the
mail database on the user’s home server. In addition, select the Delete mail
replicas on all other servers option to delete all replicas of the mail file. You can
choose to keep the mail file by selecting the Do not delete the mail database option.
5. To remove access for the user to the server, you can add the user to a Deny
Access group that is denied access in the server access list of the Server
document. Add the user to a deny access group by clicking the Groups button
that shows a list of deny access groups in the Domino directory.
6. If your Notes users have been synchronized with Windows NT/2000 accounts,
select the Delete users’ Windows NT/2000 accounts if existing option to delete
the users from the Windows NT/2000 account as well.
7. If you want to delete the user from the Domino directory immediately, select the
Delete users from this Domino Directory immediately option. If you do not select
this option, the AdminP deletes the user from the Domino directory later.
8. Click OK to complete the action.

The AdminP handles the deletion of the user name from the ACLs and Names fields and the
deletion of the user’s mail files.

Chapter 9: Monitoring a Domino Server


The performance of the Domino Servers in your company is critical for your communication
network and various other activities in your company that use Domino. You should monitor the
Domino Server to ensure that end users are able to efficiently use messaging, Web, scheduling,
database, and other services that Domino provides.

Domino servers run various tasks, such as ROUTER, REPLICATOR, and CALCONN. The server
console displays any activity that these tasks perform on the server. You can color code the
messages that appear on the server console to identify errors by just looking at the console.
Domino logs the activities on the server into the Server Log. You can analyze the Server Log to
troubleshoot server errors.

The server tasks generate several statistics. For example, the ROUTER task generates statistics,
such as MAIL.WAITING, MAIL.TRANSFERRED, and MAIL.DEAD. These statistics enable you to
monitor and troubleshoot the server, improve its performance, and plan the expansion of the
servers for load balancing. The Domino Administrator client provides various options to view and
collect server statistics, such as the Statistics tab and the Domino Server Monitor and Statistics
Charting tools. The Domino Server provides the COLLECT and EVENT tasks to collect and
monitor the statistics and generate events to track problems on the server.

This chapter describes the various server-monitoring tools available in Domino. It also explains the
procedure to configure the Event Generators and Event Handlers to trap events on the server.

Monitoring Domino Server by Color Coding the Server Console


The Domino server console shows messages related to all the activities that take place on the
server, such as replications, mail routing, and indexing. You can use the server console to view the
activity that is taking place on the server, the result of the activity, or any errors encountered by the
activity.

By default, all the messages on the server console appear in gray. To distinguish between regular
messages and the messages pertaining to errors or other types of events that require attention,
you can define colors for each type of message appearing on the server console. You can also
define the text and the background attributes for the console. Because you define different
attributes for different types of entries, an error draws your attention immediately.

To define the colors for the messages appearing on the server console, you must create a Server
Console Attributes document.

To create a Server Console Attributes document:


1. In the Domino Administrator client, select the Configuration tab.
2. In the View pane, select Monitoring Configuration section -> Console Attributes.
3. Open the Server Console Attributes document for your server, if one exists, or click
the New Console Attributes button to create a new document. The Server Console
Attributes document appears, as shown in Figure 9-1:

Figure 9-1: The Server Console Attributes Document


4. In the Server name(s) field, select the servers to which you want to apply the
attributes.
5. Choose colors for the Console Background and the following types of events:
Normal, Fatal, Failure, Warning (High), and Warning (Low).
6. Click the Save & Close action to save and close the document.
Figure 9-2 shows the server console after the console attributes have been set:

Figure 9-2: The Server Console Showing Messages in Different Colors

The Domino Server Log


The Domino Server Log (LOG.NSF) contains information about all the activities that take place on
the server. It contains information about any messages that appear on the Domino Server
Console, all the replication and mail routing activities taking place on the server, and the
information about the usage of the server and the databases on the server. It also contains
information about any errors taking place on the server. You can refer to the Server Log whenever
you need to troubleshoot a problem on the server.

Selecting Logging Information for a Server


You can choose the server activities for which you want to enable logging by using the NOTES.INI
parameters. Table 9-1 lists the NOTES.INI parameters that you can use to enable logging for
specific tasks:
Table 9-1: NOTES.INI Parameters to Enable Logging for Specific Tasks

NOTES.INI Parameter   Description

Log_AgentManager      Specifies whether or not Domino should record the execution
                      of an agent into the log file. If you set this parameter to
                      0, Domino does not log agent executions. If you set this
                      parameter to 1, Domino logs all partially as well as
                      completely successful agents into the log. Setting this
                      parameter to 2 logs only completely successful agents into
                      the log file.

Log_Connections       Specifies whether or not Domino should log connection
                      related information on the server, such as the Notes
                      network port, the network address of the requesting system,
                      and the destination server. Specify 0 to disable or 1 to
                      enable connection logging on a server.

Log_Replication       Specifies the amount of replication information that Domino
                      should log into the Server Log. Set this parameter to 0 to
                      disable logging of replication events. You can assign a
                      value from 1 to 4 to specify how much information you want
                      to log.

Log_Sessions          Specifies whether or not Domino should log information
                      about the individual sessions. Specify 1 to enable logging
                      or 0 to disable logging of individual sessions.

Log_Tasks             Specifies whether or not Domino should log the current
                      status of tasks on the server. Specify 0 to disable or 1 to
                      enable logging of server task status to the Server Log.

Log_Update            Specifies the level of information about the INDEXER task
                      that Domino records in the log. Setting this parameter to 0
                      records only the start and shutdown of the INDEXER task.
                      Setting this parameter to 1, in addition to the start and
                      shutdown times, records the times when the INDEXER updates
                      the views and the full text indexes. Setting this parameter
                      to 2 also records the view names that the INDEXER updates.

Log_View_Events       Specifies whether or not Domino logs the messages generated
                      while rebuilding the views into the Server Log. Set this
                      parameter to 1 to enable logging and to 0 to disable
                      logging of view rebuilding messages.

To troubleshoot specific problems on the server, you can enable or increase the amount of logging
for the selected task on the server.

Viewing the Server Log

Domino creates the Server Log when you start the server for the first time. You can view the
Server Log either by opening it directly from the Notes Client using File -> Database -> Open or by
using the Domino Administrator client.
To open the Server Log, select Server tab -> Analysis tab -> your server’s Log in the Domino
Administrator client. The Server Log for your server opens, as shown in Figure 9-3:

Figure 9-3: The Server Notes Log

The Server Log contains the following views:


• Database-Sizes: Shows the size and activity of all databases on the server. The
documents in the view show information about the percentage of each database's
disk space that is in use, the total disk space of each database, and the weekly
usage of the database.
• Database-Usage: Shows session-wise usage information about the databases on
the server. The information includes the kilobytes transferred, documents and
bytes read and written, and the related network usage.
• Log Analysis Results: Contains the results of log analysis that you perform. The
information in the documents in this view includes the start time of the analysis and
the name of the server.
• Mail Routing Events: Contains mail routing information that is not available in the
Miscellaneous Events view. This information includes the date and time when the
Mail Router started or shut down.
• Miscellaneous Events: Shows all those events that do not appear in any other
view, such as the modem I/O, script I/O, and server task messages. The
information is sorted by date.
• NNTP Events: Shows information related to Network News Transfer Protocol
(NNTP), if you have configured NNTP on the server.
• Object Store Usage: Shows information related to the shared mail setup on the
server. This includes information about Object Store Usage, the Object store and
the mail database file names, the mail database title, the number of documents
referenced in the object store, and the total size of the documents in the object
store.
• Passthru Connections: Shows the start and end times, the destination, and the
protocol for each passthru connection on the server.
• Phone Calls-By Date: Shows information about calls made and received by a
server, categorized by date.
• Phone Calls-By User: Shows information about calls made and received by a
server, categorized by user.
• Replication Events: Shows all the replications between servers, categorized by the
target server. The information in the documents in this view includes the name of
the initiating server, the time and duration of replication, the port used, and the
number of documents added, deleted, or modified.
• Usage-By Date: Shows the sessions the server had with users or other servers,
categorized by date. The information includes sessions opened, session duration,
databases opened, database-access duration, number of transactions, and
network usage. It also includes totals by date, and for all usage.
• Usage-By User: Shows information similar to the Usage-By Date view but the
information is categorized according to username.

Controlling the Server Log Size

Domino updates the Server Log with information about any activity taking place on the server. As
a result, the Server Log database grows considerably and it becomes important to control its size.

You can control the size of the Server Log automatically by adding the following NOTES.INI entry:
LOG = LogFile, LogOption, Notused, Days, Size

In the above syntax:


• LogFile: The name of the Server Log file. The default name is LOG.NSF.
• LogOption: A number that specifies an option for logging. You can specify 1 to log
to the server console, 2 to force database fixup when opening the log file, and 4 to
perform a full document scan of the log file.
• Notused: An obsolete parameter that is always set to zero.
• Days: The number of days for which the log documents must be retained.
• Size: The size of the log text in the documents.

For example, suppose the default entry in the NOTES.INI for LOG is:

LOG=LOG.NSF, 1, 0, 7, 40000

The above default entry means that the Server Log is LOG.NSF. The entries sent to the Server
Log are also shown on the server console, the documents are deleted from the Log after seven
days, and a log document can contain up to 40,000 bytes.
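The following added example (not code from the book) audits a NOTES.INI file against the values listed in Table 9-1 and the LOG entry syntax described above. The 30-day retention floor and the requirement that session and connection logging be enabled are assumed site policy, and the sample file is constructed.

```python
# Allowed values for each parameter, taken from Table 9-1.
DOCUMENTED_VALUES = {
    "log_agentmanager": range(0, 3),  # 0 off, 1 partial and complete, 2 complete only
    "log_connections": range(0, 2),
    "log_replication": range(0, 5),   # 0 off, 1 to 4 increasing detail
    "log_sessions": range(0, 2),
    "log_tasks": range(0, 2),
    "log_update": range(0, 3),
    "log_view_events": range(0, 2),
}
# LogOption values the text lists for the LOG entry.
LOG_OPTIONS = {1: "log to server console", 2: "force fixup on open", 4: "full document scan"}

# Constructed sample file; not taken from a real server.
SAMPLE_NOTES_INI = """\
[Notes]
LOG=LOG.NSF, 1, 0, 7, 40000
Log_Sessions=1
Log_Replication=5
Log_AgentManager=2
log_sessions=0
"""


def parse_notes_ini(text):
    """Return {lowercased name: [values in file order]} so duplicates stay visible."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        settings.setdefault(name.strip().lower(), []).append(value.strip())
    return settings


def parse_log_entry(value):
    """Split 'LogFile, LogOption, Notused, Days, Size' into typed fields."""
    parts = [p.strip() for p in value.split(",")]
    if len(parts) != 5:
        raise ValueError(f"expected 5 comma-separated fields, got {len(parts)}")
    logfile, *numbers = parts
    try:
        option, notused, days, size = (int(n) for n in numbers)
    except ValueError:
        raise ValueError(f"non-numeric field in LOG entry: {value!r}") from None
    return {"logfile": logfile, "option": option, "notused": notused,
            "days": days, "size": size}


def audit_logging(text, min_days=30, required=("log_sessions", "log_connections")):
    """Return a list of findings. min_days and required are assumed site policy."""
    findings = []
    settings = parse_notes_ini(text)

    # A parameter defined twice is ambiguous; report it rather than guess.
    for name, values in settings.items():
        if len(values) > 1 and (name == "log" or name in DOCUMENTED_VALUES):
            findings.append(f"{name}: defined {len(values)} times")

    if "log" not in settings:
        findings.append("log: no LOG entry, retention is not set explicitly")
    else:
        try:
            entry = parse_log_entry(settings["log"][0])
        except ValueError as exc:
            findings.append(f"log: {exc}")
        else:
            if entry["option"] not in LOG_OPTIONS:
                findings.append(f"log: LogOption {entry['option']} is not one of 1, 2, 4")
            if entry["days"] < min_days:
                findings.append(
                    f"log: keeps documents {entry['days']} days, "
                    f"assumed policy asks for {min_days}")

    for name, allowed in DOCUMENTED_VALUES.items():
        values = settings.get(name, [])
        if not values and name in required:
            findings.append(f"{name}: not set explicitly")
        for value in values:
            if not (value.isascii() and value.isdigit()) or int(value) not in allowed:
                findings.append(f"{name}: value {value!r} is outside the documented range")
            elif int(value) == 0 and name in required:
                findings.append(f"{name}: logging disabled")
    return findings


if __name__ == "__main__":
    for finding in audit_logging(SAMPLE_NOTES_INI):
        print(finding)
```

Run it against a copy of the server's NOTES.INI after any change to the logging parameters, so that a shortened retention period or a disabled session log is noticed before the data is needed for troubleshooting.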
Using Log Files to Troubleshoot Server Errors

The Domino Server Log contains information about the activities taking place on the server. If you
want to troubleshoot a problem on the server, you should look for clues in the Server Log. To
search for information in the Server Log, you can use the Log Analysis tool of the Domino
Administrator client. The Log Analysis tool helps you search for the required information by basing
your search on the type of event, the severity of the event, server tasks, specified messages, and
specified words.

For example, if users report that the documents in replicas of a database residing on two different
servers have not been synchronizing for the past week, you can analyze the log entries of that week
for any information related to replication. You can also specify the database name or other specific
information to filter the number of log entries returned. You can look for error messages in these
log entries, such as insufficient access for replication, and use the information for
troubleshooting the problem.

To use the Log Analysis tool:
1. In the Domino Administrator client, select Server tab -> Analysis tab.
2. In the Tools pane, select the Analyze -> Log tool.
3. The Log Analysis dialog box appears, as shown in Figure 9-4:

Figure 9-4: The Range Tab of Log Analysis Dialog Box


4. The Range tab appears by default. Select Analyze all log event entries to search
the entire log file or select Analyze specific date/time range only to specify a date
or time range for the documents that you want to select for searching. If you
choose to analyze by a specific date/time range, then specify the start date and
time and the end date and time for the range.
5. If you want to search the log file for a server in a different time zone, then select
the Convert time range to the Server’s time zone option. If you do not want to
change the date/time range for different time zones, select the Use above time
range in any time zone option.
6. Click the Event Type tab to select the event type on the basis of which you want
to search the log file, as shown in Figure 9-5:

Figure 9-5: The Event Type Tab of the Log Analysis Dialog Box
7. From the list of event types, select the type of event that you want to include in
your search and click the Event Severity tab. A list of event severities appears,
as shown in Figure 9-6:

Figure 9-6: The Event Severity Tab of the Log Analysis Dialog Box
8. Select the severity that you want to include in the search and click the Server
Tasks tab. This tab shows a list of server tasks, as shown in Figure 9-7:

Figure 9-7: The Server Tasks Tab of the Log Analysis Dialog Box
9. Select the task that you want to include in the log analysis and click the Error
Code tab. A list of error codes and messages appears, as shown in Figure 9-8:

Figure 9-8: The Error Code Tab of the Log Analysis Dialog Box
10. If you want to search for a specific error message, select the error message from
the list; otherwise, do not select anything. Click the Words tab. The Words tab
appears, as shown in Figure 9-9:

Figure 9-9: The Words Tab of the Log Analysis Dialog Box
11. In the Search list, select from any of the words, all the words, or exact phrase
options. Specify the words in the Words field. In the Word Filters fields, specify
any words that the search must contain and must not contain.
12. Click the Queries tab to view the options specified in all the tabs. Figure 9-10
shows the Queries tab:

Figure 9-10: The Queries Tab of the Log Analysis Dialog Box
13. If you want to save the query for future use, select the Save this query as option,
specify a name for the query, and click the Save button. You can load a saved
query again by selecting the query from the Select stored query list.
14. Click OK to view the result of the log analysis.
15. The Log Analysis has been completed message box appears followed by the
result of the log analysis. Figure 9-11 shows the results of the log analysis:

Figure 9-11: Log Analysis Results

Configuring Activity Logging


You use Activity Logging to monitor the activity on the servers in the organization. By
logging the activity, you can monitor the load on the server and the usage of resources
on the server and use this information to charge users for their usage of the system.

You enable Activity Logging in the Server Configuration document. The information
collected is stored in the Domino Server Log.
Note The Server Log also records some of the information that Activity Logging
records, but the Activity Logging information is much more comprehensive.

To enable Activity Logging on a server:


1. In the Domino Administrator client, select Configuration tab -> Server section
-> Configurations view.
2. Select the Configuration Settings document for your server and click Edit
Configuration to edit the document or create a new Configuration document if
one does not exist.
3. Select the Activity Logging tab. This tab provides the options to enable Activity
Logging on the server, as shown in Figure 9-12:

Figure 9-12: The Activity Logging Tab of the Configuration Settings Document
4. To enable Activity Logging on the server, select the Activity logging is enabled
option. The Server Activity Logging Configuration options appear, as shown in
Figure 9-12.
5. In the Enabled logging types field, select the tasks for which you want to
enable Activity Logging.
6. In the Checkpoint interval field, specify the interval in minutes after which the
Activity Logging information is reported into the Log database. The default is
15 minutes.
7. Select the Log checkpoint at midnight option to log the ongoing session
activity at midnight.
8. Select the Log checkpoints for prime shift option to log the ongoing session
activity at the beginning and end of the specified time, and then specify the
time in the Prime shift interval field.
9. Save and close the document.

Domino creates a different activity record for each type of activity. Although Domino
records the result of Activity Logging in the Server Log, it hides this information. As a
result, you cannot see this information when you open the Server Log. To view the
Activity Logging information in the Server Log, you need to use the Activity Analysis tool.
To view the Activity Logging information in the Server Log using the Activity Analysis tool:
1. From the Domino Administrator client, select Server tab -> Analysis tab.
2. In the Tools pane, select the Analyze -> Activity tool.
3. The Server Activity Analysis dialog box appears, as shown in Figure 9-13:

Figure 9-13: The Server Activity Analysis Dialog Box


4. From the Select server activity types to search for list, select the activities that
you want to analyze and click the Add button to add them to the Selected
activity types list.
5. Specify the Start Date and Start Time and the End Date and End Time for the
range of activities that you want to consider for analysis.
6. Click the Results Database button to specify the location for the database in
which you want to store the result of the Activity Analysis. The Results
Database dialog box appears, as shown in Figure 9-14:

Figure 9-14: The Results Database Dialog Box


7. From the Server list, select the server on which you want to create the result
database. Select Local to create the database on the local drive.
8. Specify a Title and File Name for the result database. The default title is
Activity Analysis and the default file name is loga4.nsf.
9. Click OK to close the Results Database dialog box.
10. In the Server Activity Analysis dialog box, select the Overwrite this database
option to overwrite the Activity Analysis database, if it exists, or select the
Append to this database option to add to the existing Activity Analysis
database.
11. Click OK to view the result of the analysis. Figure 9-15 shows the Mail and
Database activities generated when Tanya/SNT sent two e-mail messages to
Nancy Hopkins/SNT:

Figure 9-15: The Activity Analysis Database

Server Statistics
To monitor the server, you can collect the statistics that the Domino server generates and updates.
For example, if you want to view the number of dead messages on the server, you can check the
value of the statistic MAIL.DEAD.

Viewing Server Statistics

By viewing the statistics generated on the server, you can find out whether or not the server is
running fine. An abnormally high or low value for a statistic indicates that you need to check the
related service on the server. You can view the statistics on the server either by issuing Domino
Console commands or by using the Domino Administrator client.
Using Domino Console Commands
You can view all the server statistics on the server console using the following Domino Console
command:
SHOW STATISTIC
Figure 9-16 shows the result of the SHOW STATISTIC command:

Figure 9-16: Server Console Showing the Server Statistics

To view the value of a single server statistic, you can issue the following command:
SHOW STATISTIC <statisticname>

For example, the following command shows the number of dead messages on the server:
SHOW STATISTIC MAIL.DEAD
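
As an added example (not from the book), the script below parses a saved capture of SHOW STATISTIC output and flags the ROUTER statistics named in this chapter when they fall outside a baseline. The "Name = value" line layout, the sample capture, and the limits are assumptions; replace them with what your own server prints and tolerates.

```python
import re

# Constructed capture of console output. The "Name = value" layout is an
# assumption about what SHOW STATISTIC prints; adjust STAT_LINE if yours differs.
SAMPLE_OUTPUT = """\
> SHOW STATISTIC MAIL
  Mail.Dead = 4
  Mail.Domain = SNT
  Mail.Transferred = 18,422
  Mail.Waiting = 1,250
"""

# Assumed limits as (low, high); None means no bound on that side.
LIMITS = {
    "mail.dead": (None, 0),
    "mail.waiting": (None, 500),
    "mail.transferred": (1, None),
}

STAT_LINE = re.compile(r"^\s*([A-Za-z][\w.]*)\s*=\s*(.*?)\s*$")
NUMBER = re.compile(r"-?\d[\d,]*(\.\d+)?")


def to_value(raw):
    """Convert '1,250' to 1250 and '0.5' to 0.5; leave text values untouched."""
    if NUMBER.fullmatch(raw):
        text = raw.replace(",", "")
        return float(text) if "." in text else int(text)
    return raw


def parse_statistics(output):
    """Return {lowercased statistic name: value}, skipping echoed commands."""
    stats = {}
    for line in output.splitlines():
        match = STAT_LINE.match(line)
        if match:
            stats[match.group(1).lower()] = to_value(match.group(2))
    return stats


def check_statistics(stats, limits=LIMITS):
    """Return (name, value, reason) for every statistic outside its limits."""
    alerts = []
    for name, (low, high) in limits.items():
        value = stats.get(name)
        if value is None:
            alerts.append((name, None, "not reported"))
        elif isinstance(value, str):
            alerts.append((name, value, "not numeric"))
        elif low is not None and value < low:
            alerts.append((name, value, f"below {low}"))
        elif high is not None and value > high:
            alerts.append((name, value, f"above {high}"))
    return alerts


if __name__ == "__main__":
    for name, value, reason in check_statistics(parse_statistics(SAMPLE_OUTPUT)):
        print(f"{name} = {value}: {reason}")
```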

Using the Server -> Statistics Tab of Domino Administrator Client


You can also use the Domino Administrator client’s Server -> Statistics tab to view the statistics on
the server, as shown in Figure 9-17:

Figure 9-17: The Server -> Statistics Tab of the Domino Administrator client
Note When you select any statistic from the statistics shown on the Server ->
Statistics tab, the description of the statistic appears on the status bar.
Using the Domino Server Monitor
The Server -> Monitoring tab of the Domino Administrator client shows the Domino Server monitor
used to view the real-time statistics and the status of server tasks. The Domino Server monitor
contains a Start button that you can use to start monitoring the server tasks and statistics. If the
server monitor is already running, a Stop button appears instead of the Start button, and you
can use it to stop the server monitor.

From the Monitoring Profiles list, you can select the servers you want to include in the Monitoring
tab. The options are:
• All Servers: Includes all the servers that you are administering using the Domino
Administrator client.
• Favorites: Includes all the servers in the Favorites bookmark.
• Domain: Includes all the servers from the domain.
• Clusters: Includes clusters within the domain being monitored.

You can choose to view the statistics by state or by timeline.

The By State view shows the status of selected Domino servers, tasks and statistics on the
selected servers. This view is divided into three panes:
• Server: Shows the servers that you are monitoring. You can right-click in this
pane to add or remove a server.
• Tasks: Shows the status of the tasks on the selected server. You can add or
remove tasks by right-clicking in this pane. The status of the tasks is shown
using display indicators.
• Statistics: Shows the values of the selected statistics on the servers. You can
right-click in this pane to add or remove the statistics being monitored. You can
sort the servers based on a numerical statistic by clicking on any statistic column
header.
Figure 9-18 shows the By State view of the Domino Server Monitor:

Figure 9-18: Monitoring Server Statistics by State


You use the By Timeline view to view the status of the server tasks and statistics over specified
time intervals, as shown in Figure 9-19:

Figure 9-19: Monitoring Server Statistics by Timeline

In the By Timeline view, using the Column scale selector, you can select the time interval for each
display.

You can right-click anywhere in this view to add or remove a server, task, or statistic.

You can specify the default monitoring preferences using the Administration Preferences. To
specify the monitoring preferences in the Domino Administrator client:
1. In the Domino Administrator client, select File -> Preferences -> Administration
Preferences. The Administration Preferences dialog box appears.
2. Select the Monitoring tab, as shown in Figure 9-20:

Figure 9-20: The Monitoring Tab of the Administration Preferences Dialog Box
3. In the Do not keep more than <x> MB of monitoring data in memory field,
specify the maximum amount of virtual memory to be used for storing the
monitoring data. The default is four.
4. Specify the duration in minutes after which the not responding status is shown
in the Not responding status displayed after <x> minutes of inactivity field.
5. To use the Server Health Monitor, select the Generate server health statistics
option. The Server Health Monitor is an add-on tool installed as part of the
IBM Tivoli Analyzer for Lotus Domino.
6. Select the location for which you want to configure monitoring from the When
using location list.
7. From the Monitor servers options, select the From this computer option to
monitor the servers from the local Domino Administrator client. You can also
select the From server option to select the server running the Statistic
Collector task for the servers being monitored.
8. In the Poll servers every <x> minutes field, specify the server’s polling
interval.
9. Select the Automatically monitor servers at startup option to start the Domino
Server monitor when you start the Domino Administrator client.

Collecting Server Statistics

Domino provides tools to enable you to collect the server statistics over time and to chart these
statistics. You can use these charts and statistics to monitor the performance of various tasks on
the server and to find the load on the server.

You can either collect the statistics on the server using the Statistic Collector task (COLLECT) or
locally using the Domino Administrator client.

Collecting Server Statistics on the Server


You use the Statistics Collector task (COLLECT) to collect the server statistics and record them in
a database on the server. The collector stores the collected statistics in the Monitoring Results
database (STATREP.NSF) on the server.

To start the Statistics Collector task on the server, issue the following server console command:
LOAD COLLECT

The Statistics Collector task can collect the statistics from one or multiple servers. You can specify
various parameters for the collection of these statistics. For example, you can specify which
servers the Statistic Collector should collect information from, where it should log the information,
and what the collection interval should be. To specify this information, you must create a Server
Statistic Collection document in the Monitoring Configuration database (EVENTS4.NSF).

To create a Server Statistic Collection document:


1. In the Domino Administrator client, select Configuration tab -> Monitoring
Configuration section -> Server Statistic Collection view.
The Server Statistic Collection document opens, as shown in Figure 9-21:

Figure 9-21: The Basics Tab of the Server Statistic Collection Document
2. In the Collecting server field, select the name of the server that runs the
Statistic Collector task to collect the statistics.
3. In the Collect from field, select the From the following servers option and
specify the names of the servers from which you want to collect the statistics.
You can also choose to collect statistics from all the servers in the domain or
from all servers that are not explicitly listed to be collected.
4. Click the Options tab. Figure 9-22 shows the Options tab:

Figure 9-22: The Options Tab of the Server Statistic Collection Document
5. Select the Log statistics to a database option to record the statistics in a
database and, in the Database to receive reports field, specify the filename of
the database. The default filename is statrep.nsf.
6. In the Collection report interval field, specify the duration in minutes between
each subsequent report. The default duration is 120 minutes.
7. In the Collection alarm interval field, specify the duration between subsequent
alarms. Domino generates an alarm when a specific statistic exceeds a
specified threshold value defined using an alarm document.
8. From the Statistic Filters list, select the types of statistics that you do not want
to include in the statistic reports.
9. Save and close the document.

Domino collects the statistics in the Monitoring Results database. To view the collected statistics:
1. In the Domino Administrator client, select Server tab -> Analysis tab ->
Monitoring Results -> Statistics Reports.
2. Select a view under the Statistics Reports section. Domino displays the
statistics report in the results pane, as shown in Figure 9-23:

Figure 9-23: The Monitoring Results Database Showing the Statistics Collection Report
3. Open the document and view the statistics.

At each collection interval, the Domino COLLECT task adds a new report to the Monitoring Results
database.

Collecting Server Statistics on the Domino Administrator Client


When you collect the server statistics using the Domino Administrator client, Domino collects the
statistics in the local Monitoring Results database (STATREP.NSF). You can configure this
database for charting the statistics. The settings for collection of statistics from the Domino
Administrator client are specified in the Administration Preferences. The charting of these statistics
is done using the Domino Administrator client.

Configuring Statistics Collection


To specify the Statistics Preferences in the Domino Administrator client:
1. In the Domino Administrator client, select File -> Preferences ->
Administration Preferences. The Administration Preferences dialog box
appears.
2. Click the Statistics tab to specify the settings for monitoring the statistics, as
shown in Figure 9-24:

Figure 9-24: The Statistics Tab of the Administration Preferences Dialog Box
3. Select the Generate statistic reports while monitoring or charting statistics
option to create the statistics report document in the local Monitoring
Results database. Specify the interval for creating reports in the Generate
reports every <x> minutes field. The default is 45 minutes.
4. Select the Check statistic alarms while monitoring or charting statistics
option to report an alarm in the Monitoring Results database when the
statistic exceeds a threshold value. You can define the threshold in the local
Monitoring Configuration database (EVENTS4.NSF). Specify the interval for
checking the alarm in the Check alarms every <x> minutes field.
5. Specify an interval in the Chart statistics every <x> seconds field. The
default value is 20 seconds. Alternatively, you can select the Chart statistic
using same poll interval as monitoring option to use the server poll interval
specified in the Monitoring tab.
6. Click OK to save the settings.

Charting Statistics
To monitor the server statistics, you can view the collected statistics graphically by creating statistic
charts. You can create two types of statistic charts:
• Real-time: Show real-time statistics.
• Historical: Show the statistics collected in the Monitoring Results database on
the administrator client.

To create a historical statistic chart using the Domino Administrator client:


1. Select Server tab -> Performance tab -> Statistic Charts -> Historical
Statistics. Figure 9-25 shows the Historical Statistics view:

Figure 9-25: The Historical Statistics View in the Domino Administrator Client
2. To add a statistic to the chart, click the Add button and select the statistic
that you want to include in the chart using the Add Statistics dialog box, as
shown in Figure 9-26:

Figure 9-26: The Add Statistics Dialog Box


3. Select the Statistic from the list of statistics shown and click Add to add the
statistic to the chart. You can add multiple statistics.
4. Click OK to close this dialog box. The selected statistics appear in the
Historical Statistics view, as shown in Figure 9-27:

Figure 9-27: The Historical Statistics View After Adding Statistics


5. Click the Range button to specify the time range for which you want to
include the data in the chart. Domino retrieves this data from the local
Monitoring Results database. Figure 9-28 shows the Select Range for
Historical Statistics Charting dialog box that appears when you click the
Range button:

Figure 9-28: The Select Range for Historical Statistics Charting Dialog Box
6. From the Server list, select the server for which you want to retrieve the
statistics.
7. In the Start date and End date fields, specify the start and the end dates for
which you want to retrieve the statistics.
8. Select the Select time range option and specify a Start time and End time
for which you want to include the statistics.
9. Click OK to close the dialog box and start charting the statistics.

Configuring Event Monitoring


The Domino server generates a number of statistics. You monitor these statistics to ensure that the
server is running smoothly. Sometimes the value of a statistic may reach a level where it fails a
service or even the server. To ensure that the statistics do not reach these levels, you can define
an event generator and an event handler. An event generator compares a statistic with a threshold
value and defines an event of a specific severity and type, when the statistic reaches the threshold
value. The event handler defines the action that Domino must take when the event is generated.

You create the event configurations and the event handlers in the Monitoring Configurations
database (EVENTS4.NSF) on the server. The Event Monitor (EVENT) task generates the events.
This task starts automatically when the server starts and creates the Monitoring Configurations
database when it runs the first time.

The Monitoring Configuration database contains various types of Event generators, such as
Database, Domino Server, Mail Routing, Statistic, Task Status, and TCP Server.

For the Mail Routing and TCP Server events, you must run an additional task called the ISpy. To
load this task, issue the following command on the server console:
LOAD RUNJAVA ISpy
Note The ISpy task is a Java-based task and the task name is case-sensitive.

To quit ISpy, issue the following command on the server console:


TELL RUNJAVA QUIT

Alternatively, issue the following command to quit ISpy:


TELL RUNJAVA ISpy QUIT

An event generator must define the severity of the event. The following severities can be defined
for an event:
• Fatal: Signifies that the event will cause system failure.
• Failure: Signifies that the event will cause the severe failure of a service but not system
failure.
• Warning (High): Signifies that the event will cause loss of functionality that requires
intervention.
• Warning (Low): Signifies that the event will lead to degraded system performance.
• Normal: Shows a status message.

Creating Events

You can create an event using the Monitoring Configuration database. To open the Monitoring
Configuration database:
1. In the Domino Administrator client, select Configuration tab -> Monitoring
Configuration section -> Event Generators.
2. Select a specific type of event generator view such as Database, as shown in
Figure 9-29:

Figure 9-29: The Event Generators Section

Database Events
You use the Database Event Generator to monitor the databases on the server. You can monitor
the database for replication, unused space, user inactivity, or change in the Access Control List
(ACL).

To create a Database Event Generator:


1. Select the Database view in the Event Generators section.
2. Click the New Database Event Generator action. A Database Event Generator
document opens, as shown in Figure 9-30:

Figure 9-30: Database Event Generator Document


3. Specify the database you wish to monitor in the File name field.
4. In the Server(s) section, select Only the following and then specify the
Server(s) on which you want to monitor the specified database. You can also
monitor all the servers in the domain.
5. Select the activity that you want to monitor. In this case, select Monitor ACL
Changes. You can also select replication, unused space, and user inactivity, if
required.
6. Click the Other tab to define the type and severity of the event, as shown in
Figure 9-31:

Figure 9-31: The Other Tab of the Database Event Generator Document
The Event type for this document is automatically set to Database.
7. From the Generate a Database event of severity list, select a severity level.
8. Click the Create a new event handler for this event button to define the event
handler for this event. The Event Handler Wizard appears, as shown in Figure
9-32:

Figure 9-32: The Event Handler Wizard


9. Click Next. The Event Handler Method screen of the Wizard appears, as
shown in Figure 9-33:

Figure 9-33: The Event Handler Method Screen of the Event Handler Wizard
10. Select the method by which you want to be notified of the event. You can broadcast a
message to users, send a message to an administrator, log the event to the
Monitoring Results database, or use any other method listed.
11. Click Next. The Event Handler Options screen appears requiring you to
specify information about the selected notification method. For example, if you
select the method as Log to a database, the Event Handler Options screen for
the Log to a database method appears, as shown in Figure 9-34:

Figure 9-34: The Event Handler Options Screen for the Log to a Database Method
12. Specify the file name to log the event. The default is the Monitoring Results
database. Select Log to the database on the same server where the event
occurred. Alternatively, specify Log to the database on this server, in which
case you will have to specify the server.
13. Click Next. The Finish screen appears. Click the Finish button to close the
wizard.
14. Save and close the Database Event Generator document.
After you complete the above procedure, whenever anyone changes the ACL of the Domino
directory (NAMES.NSF) database, Domino logs an event into the All Events view of the Monitoring
Results database, as shown in Figure 9-35:

Figure 9-35: The All Events View of the Monitoring Results Database

The Domino Server Event Generator


You use the Domino Server Event Generator to monitor the availability of servers in the network
over specific ports. You can check just the availability of the target servers over the specified port
or the ability of the source server to open a database on the target server.

To create a Domino Server Event Generator:


1. Select the Domino Server view in the Event Generators section.
2. Click the New Domino Servers Event Generator action. A Domino Server Event
Generator document opens, as shown in Figure 9-36:

Figure 9-36: The Domino Server Event Generator Document


3. In the Target server(s) section, select the servers whose accessibility you
want to monitor.
4. In the Probing server section, select the source server name.
5. In the Access section, select the interval between subsequent connectivity
checks. In this case, select 3 minutes.
6. Select the Check just the ability to access the destination server option. You
can also select the Check the ability to access the destination server and
open this database option, in which case you will have to specify the database
whose availability you want to check.
7. Click the Probe tab to specify the network port using which you want the
source server to probe the target server, as shown in Figure 9-37:

Figure 9-37: The Probe Tab of the Domino Server Event Generator Document
8. In the Ports to use list, specify the ports that you want the server to use for
probing. Alternatively, select the Perform probe using any available port
option, if you want the probing server to probe using any port that is available.
9. Specify a timeout threshold as the duration within which the source server
should access the target server. The default is 1000 Msecs.
10. Click the Other tab to specify the severity of the event and to generate an
event handler for the event. The event type for this event is Server.
11. Save and close the document.

The Mail Routing Event Generator


You use the Mail Routing Event Generator to monitor the availability of a user over mail. This type
of monitor sends a mail trace to the user's mail server and gathers statistics indicating the amount
of time, in seconds, it takes to deliver the message.

To create a Mail Routing Event Generator:


1. Select the Mail view in the Event Generators section.
2. Click the New Mail Routing Event Generator action. A Mail Routing Event
Generator document opens, as shown in Figure 9-38:

Figure 9-38: The Mail Routing Event Generator Document


3. In the Recipient field, specify the e-mail address to which you want the server
to send the mail trace to check the accessibility. Specify only one address.
Alternatively, you can select the All Domino servers in the domain will probe
themselves option to configure each server to probe only the local mailbox.
4. In the Probing server(s) section, select the servers from which you want the
probe to start. If you want to track times taken at intermediate hops, you can
select the Show intermediate hop times option.
5. Click the Probe tab to specify more information about the probe, as shown in
Figure 9-39:

Figure 9-39: The Probe Tab of the Mail Routing Event Generator Document
6. Specify the interval, in minutes, between each subsequent probe in the Send
interval field.
7. Specify the number of minutes the probing server will wait for a response
before logging a failure in the Timeout threshold field. The Resulting Statistic
shows the statistic generated because of the probe.
8. Click the Other tab to specify the severity of the event and to generate an
event handler for it. The event type for this event is Mail.
9. Save and close the document.

The Statistic Event Generator


The Statistic Event Generator monitors a server statistic. This type of monitor compares the value
of a statistic to a specified threshold and when the value exceeds the threshold, it generates an
event.
Note To generate statistic events, you must enable the statistic alarms on either
the Domino Server or the Domino Administrator. When a threshold is
exceeded, an alarm document is created in the Monitoring Results
database. The first time Domino reports an alarm, a statistic event is
generated, but after the first alarm, subsequent events are generated only
once a day.

To create a Statistic Event Generator:


1. Select the Statistic view in the Event Generators section.
2. Click the New Statistic Event Generator action. A Statistic Event Generator
document opens, as shown in Figure 9-40:

Figure 9-40: The Statistic Event Generator Document


3. In the Server(s) to monitor section, select the Only the following option and
specify the server name. Alternatively, select the All in the domain option to
monitor the selected statistic on all the servers in the domain.
4. In the Statistic to monitor section, select the statistic that you want to monitor,
for example, MAIL.DEAD. The description for the selected statistic appears
below the Statistic.
5. Click the Threshold tab to specify the threshold for the selected statistic, as
shown in Figure 9-41:

Figure 9-41: The Threshold Tab of the Statistic Event Generator Document
6. Select the threshold to generate the event in the Threshold section. In this
case, select the Generate the event when the statistic is GREATER THAN the
threshold value option. You can also select the LESS THAN or MULTIPLE
options, if required.
7. Click the Other tab to specify the severity of the event and generate an event
handler for this event. The event type for this event is Statistic.
8. Save and close the document.
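
An added example, not code from the book or from Domino: a Python model of the GREATER THAN and LESS THAN threshold checks and of the alarm-versus-event rule in the Note above, replayed over constructed console output. The "Name = value" line layout, the reading of "once a day" as 24 hours since the last event, and all class and function names are assumptions; MULTIPLE is left out because the text does not define it.

```python
import re
from datetime import datetime, timedelta

# Assumed console layout: one "  Name = value" pair per line.
STAT_LINE = re.compile(r"^\s*([A-Za-z][\w.]*)\s*=\s*(.*?)\s*$")


def parse_statistics(text):
    """Return {UPPERCASE.NAME: value}; numbers become float, the rest stay str."""
    stats = {}
    for line in text.splitlines():
        m = STAT_LINE.match(line)
        if not m:
            continue  # prompts, banners and blank lines
        name, raw = m.group(1).upper(), m.group(2)
        try:
            stats[name] = float(raw.replace(",", ""))
        except ValueError:
            stats[name] = raw
    return stats


class StatisticMonitor:
    """Hypothetical model of one statistic threshold with alarm/event bookkeeping."""

    def __init__(self, statistic, threshold, comparison="GREATER THAN",
                 event_interval=timedelta(days=1)):
        if comparison not in ("GREATER THAN", "LESS THAN"):
            raise ValueError("unsupported comparison: " + comparison)
        self.statistic = statistic.upper()
        self.threshold = threshold
        self.comparison = comparison
        self.event_interval = event_interval  # assumption: "once a day" = 24 hours
        self.last_event = None
        self.alarms = []  # every poll that crossed the threshold
        self.events = []  # the subset of alarms that also raised an event

    def crossed(self, value):
        if self.comparison == "GREATER THAN":
            return value > self.threshold
        return value < self.threshold

    def check(self, stats, now):
        """Evaluate one poll: 'missing', 'ok', 'alarm' or 'alarm+event'."""
        value = stats.get(self.statistic)
        if not isinstance(value, float):
            return "missing"  # absent or non-numeric: report it, do not treat as healthy
        if not self.crossed(value):
            return "ok"
        self.alarms.append((now, value))
        if self.last_event is None or now - self.last_event >= self.event_interval:
            self.last_event = now
            self.events.append((now, value))
            return "alarm+event"
        return "alarm"  # alarm recorded, event suppressed until the interval passes


def demo():
    """Replay five constructed polls of MAIL.DEAD against a threshold of 5."""
    start = datetime(2003, 3, 10, 8, 0)
    polls = [  # (time of poll, constructed console output)
        (start, "  Mail.Dead = 7\n  Mail.Waiting = 12"),
        (start + timedelta(hours=2), "  Mail.Dead = 9"),
        (start + timedelta(hours=4), "  Mail.Dead = 3"),
        (start + timedelta(hours=25), "  Mail.Dead = 8"),
        (start + timedelta(hours=26), "  Mail.Waiting = 4"),
    ]
    monitor = StatisticMonitor("MAIL.DEAD", threshold=5)
    outcomes = [monitor.check(parse_statistics(text), when) for when, text in polls]
    return outcomes, monitor


if __name__ == "__main__":
    results, mon = demo()
    for outcome in results:
        print(outcome)
    print(len(mon.alarms), "alarms,", len(mon.events), "events")
```

The second poll shows the case that matters for alerting: the statistic is still over the threshold, an alarm is recorded, but no new event reaches a handler until a day has passed.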

The Task Status Event Generator


You use the Task Status Event Generator to monitor the status of the Domino server tasks. The
Task Status Event Generator can generate an event when the specified server task is down, up,
stalled, or not stalled.
To create a Task Status Event Generator:
1. Select the Task Status view in the Event Generators section.
2. Click the New Task Status Event Generator action. A Task Status Event
Generator document opens, as shown in Figure 9-42:

Figure 9-42: The Task Status Event Generator Document


3. From the Tasks to monitor list, select the tasks that you want to monitor. In this
case, select Admin Process.
4. From the options in the Server(s) section, select the Only the following option
and specify the server name. You can also select the All in the domain option
to monitor the selected tasks on all the servers in the domain.
5. In the What to monitor section, select the Monitor task down and Monitor task
stalled options. You can also select the other two options, task up and task
unstalled, if required.
6. Click the Other tab to specify the severity of the event and to generate an
event handler for this event. The event type for this event is Statistic.
7. Save and close the document.

The TCP Server Event Generator


The TCP Server Event Generator monitors the availability of Internet ports, such as HTTP, SMTP,
IMAP, FTP, and NNTP.

To create a TCP Server Event Generator:


1. Select the TCP Server view in the Event Generators section.
2. Click the New TCP Server Event Generator action. A TCP Server Event
Generator document opens, as shown in Figure 9-43:

Figure 9-43: The TCP Server Event Generator Document


3. In the Target Server(s) section, select the Only the following option and
specify the server name on which you want to monitor the port. You can also
select the All in the domain option to monitor the TCP port on all the servers in
the domain, if required.
4. In the Probing server(s) section, select the servers from which you want the
probe to start. Alternatively, to configure each server to probe its own
configured ports only, select the All Domino Servers in the domain will probe
their own configured ports checkbox.
5. Click the Probe tab to specify more information about the probe, as shown in
Figure 9-44:

Figure 9-44: The Probe Tab of the TCP Server Event Generator Document
6. Specify the interval in minutes between each subsequent probe in the Probe
interval field.
7. Specify the number of seconds the probing server will wait for a response
before logging a failure in the Service timeout threshold field.
8. In the Services section, select Probe these services and then select the
services you want probed. In this case, select HTTP. Alternatively, instead of
selecting Probe these services, you can select Probe all configured TCP
services. Domino adds extra tabs to the document based on the services you
select. For example, if you select HTTP, an HTTP tab appears.
9. Click the HTTP tab and select Probe just this port. Alternatively, select Fetch
this URL and specify the URL that you want fetched.
10. Click the Other tab to specify the severity of the event and to generate an
event handler for the event. The event type for this event is Mail.
11. Save and close the document.

Creating Event Handlers

An event handler defines the method by which the EVENT task handles the events. You define the
event handler based on the severity and type of the event and the message it generates. The
event handler applies to all the events that match the defined criteria.

You can create an event handler using the Event Handler Wizard or by creating an Event Handler
document.

To create an Event Handler document:


1. In the Domino Administrator client, select Configuration tab -> Monitoring
Configuration section -> Event Handlers.
2. Select the All view. This shows the default event handlers existing in the
database.
3. To create a new event handler, click the New Event Handler action. The Event
Handler document opens, as shown in Figure 9-45:

Figure 9-45: The Event Handler Document


4. In the Server(s) to monitor section, choose Notify of the event on any server in
the domain or Notify of the event only on the following servers and specify the
server names.
5. In the Notification trigger section, select Any event that matches a criteria as the
trigger. Then, select the Event tab. You use the Event tab to define the event
criteria. Figure 9-46 shows the Event tab:

Figure 9-46: The Event Tab of the Event Handler Document


6. In the Criteria to match section, select the Events must be this type option and
then select the type from the list. You can also select the Events can be any type
option, if required.
7. Select Events must be one of these severities option and then select Fatal and
Failure from the severities list. You can also select the Events can be any
severity option, if required.
8. Select the Events can have any message option. You can also select the Events
must have this text in the event message option, in which case you will have to
specify the text of the message.
9. Click the Action tab to specify the notification method. Figure 9-47 shows the
Action tab:

Figure 9-47: The Action Tab of the Event Handler Document


10. In the Enablement section, select Enable this notification to enable the
notification during all hours. You can also select Disable this notification to
disable the notification or Enabled only during these times to specify the start
and end time during which this event handler is enabled.
11. Save and close the document.

After you create the event handlers and the event generators, the EVENT task on the Domino
server monitors the activities that you have defined in the event generator documents. As soon as
any activity defined in an event generator document takes place, such as a statistic exceeding a
threshold or a database ACL being changed, the event handler that corresponds to the severity and
type of event defined in the event generator document handles the event as defined in the event
handler document.
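
An added example, not part of the book or of Domino: a Python model of the handler criteria from the procedure above (server, type, severity, message text, enablement) that lists the events no enabled handler would act on. The events, handlers and server names are constructed, and plain substring matching of the message text is an assumption.

```python
from dataclasses import dataclass
from datetime import time
from typing import FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class Event:
    server: str
    type: str        # e.g. "Database", "Server", "Mail", "Statistic"
    severity: str    # one of the five severities listed in this chapter
    message: str


@dataclass(frozen=True)
class Handler:
    name: str
    servers: Optional[FrozenSet[str]] = None      # None: any server in the domain
    event_type: Optional[str] = None              # None: events can be any type
    severities: Optional[FrozenSet[str]] = None   # None: events can be any severity
    text: Optional[str] = None                    # None: events can have any message
    enablement: str = "enabled"                   # "enabled", "disabled" or "window"
    window: Optional[Tuple[time, time]] = None    # (start, end) for "window"

    def active_at(self, clock):
        if self.enablement == "disabled":
            return False
        if self.enablement == "window":
            start, end = self.window
            if start <= end:
                return start <= clock < end
            return clock >= start or clock < end  # window that crosses midnight
        return True

    def matches(self, event):
        return ((self.servers is None or event.server in self.servers)
                and (self.event_type is None or event.type == self.event_type)
                and (self.severities is None or event.severity in self.severities)
                and (self.text is None or self.text in event.message))


def handlers_for(event, handlers, clock):
    """Names of the handlers that would act on this event at the given time of day."""
    return [h.name for h in handlers if h.active_at(clock) and h.matches(event)]


def unhandled(events, handlers, clock):
    """Events that no enabled handler matches: generated, but nobody is notified."""
    return [e for e in events if not handlers_for(e, handlers, clock)]


def sample():
    """Constructed events and handlers; server names are placeholders."""
    events = [
        Event("Hub01/SNT", "Database", "Warning (High)", "ACL changed in names.nsf"),
        Event("Hub01/SNT", "Statistic", "Failure", "MAIL.DEAD is greater than 5"),
        Event("Mail02/SNT", "Server", "Fatal", "Server not responding"),
    ]
    handlers = [
        Handler("page-admin", severities=frozenset({"Fatal", "Failure"})),
        Handler("acl-log", event_type="Database", text="ACL",
                enablement="window", window=(time(8, 0), time(18, 0))),
        Handler("old-hub-mail", servers=frozenset({"Hub01/SNT"}),
                enablement="disabled"),
    ]
    return events, handlers


def sample_gaps(hour, minute=0):
    """Messages of the sample events left without a handler at hour:minute."""
    events, handlers = sample()
    return [e.message for e in unhandled(events, handlers, time(hour, minute))]


if __name__ == "__main__":
    for hour in (10, 2):
        print("%02d:00 unhandled: %s" % (hour, sample_gaps(hour)))
```

In the sample, the ACL-change event is covered during office hours only: at 02:00 the severity-based handler ignores it because it is a Warning (High), and the database handler is outside its enabled window.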

Chapter 10: Domino Security


The Domino server is secured using the multi-layered security model. The security begins after a
user accesses network resources and tries to connect to a Domino server. The first layer of Domino
security operates at the server level. The Domino server authenticates every user and server trying
to connect to the server. If the server cannot authenticate a user, it does not allow access. If the
Domino server authenticates the user, it checks the authenticated user against the server access
list in the Server document for the types of resources that the user can access on the server.

After the user has gained access to the server, the next layer of security begins at the level of the
application. Application-level security starts with the database Access Control List (ACL) for the
database that the user is trying to access. If the user has sufficient access to the database,
Domino checks for the security of the application design element. Domino presents only those
design elements to the user for which the user has access.

A user's ID file identifies the user to the Domino server. It is very important to secure the ID file to
prevent unauthorized access on the server.

This chapter explains the various methods of securing ID files. It also explains the various levels of
the Domino security model, such as the server access list, database ACL, and design element
security. In addition, it explains how to configure local workstation security options using the
Administration Execution Control List (ECL).
ID Security
Domino provides an ID file to all certifiers, servers, and persons. Domino creates the ID file when
you register the certifier, the server, or the person. The Domino server uses this ID file to identify
users. An ID file contains:
• The owner's name.
• An alternate name. Optionally, the user ID file may contain one alternate name and a
certifier ID may contain multiple alternate names.
• The ID file password.
• A permanent license number and type that specifies whether the owner has a North
American or International license to run Domino or Notes.
• At least one Notes certificate from a certifier ID. A Notes certificate is a digital signature
added to a user ID or server ID by the certifier who certified the ID file.
• A private key. Domino assigns a pair of private and public keys to each user and server.
The public key is stored in the Domino directory, and the private key is stored in the
ID file. Notes uses the private key to sign messages sent by the owner of the private
key, to decrypt messages sent to its owner, and, if the ID belongs to a certifier, to sign
certificates.
• Internet certificates. An Internet certificate is used to secure SSL connections and to
encrypt and sign Secure/MIME (S/MIME) mail messages. A Certification Authority (CA), who
verifies the identity of the user, issues an Internet certificate.
• Encryption keys. The ID file may optionally include one or more encryption keys created
and distributed by users to allow other users to encrypt and decrypt fields in a
document.

Domino uses several methods to secure an ID file. These methods include password quality scale,
time delay and anti-spoofing mechanism, multiple passwords, and the verification of the password
and public key on the server.

Password Quality Scale

Password quality scale defines the level of complexity for a password. A password secures every
ID file in Domino. Only users who know the ID file password can use the ID file. You can ensure
that users use sufficiently secure passwords for their ID files by assigning an appropriate password
quality scale at the time of user registration.

A password quality scale can have a value from 1 to 16. The higher the value, the more complex
the password allowed for the ID file. You can assign a password scale of about eight for User IDs.
This password scale requires the users to use a combination of alphanumeric characters for the
password. Server IDs are assigned a password scale of zero because these IDs are not usually
assigned a password. For the certifier IDs, you can use a password quality scale of 10.

To change the password quality scale for an ID, you must recertify the ID file. You can also use the
Security policy settings document to assign a different password quality scale to a user.
Note To learn more about Policy setting documents, see Chapter 3, Configuring
Lotus Notes Clients.

Time Delay and Anti-Spoofing Mechanism

The time delay and anti-spoofing mechanisms prevent the breaking of the ID file password. The ID
file has a built-in time delay mechanism. When a user specifies an incorrect password for the first
time, Domino informs the user about the wrong password and prompts for the correct password
almost immediately. The second time the user specifies an incorrect password, Domino takes
more time to prompt the user for the correct password. In this way, every time the user specifies an
incorrect password, Domino increases the time taken for the prompt. This discourages a user who
is trying to guess a password and deters a password-guessing program.
The ID file also has a built-in anti-spoofing mechanism that stores the password as a graphic
pattern that Domino creates when the user types the password, as shown in Figure 10-1:

Figure 10-1: The Password Prompt

The graphic pattern is unique for each ID file. If a password-stealing program presents a
password-like prompt to a user, the program cannot replicate the user’s picture combination and is
unable to break the password.

Multiple Passwords

You can set up more than one password for important IDs. There are two reasons why setting up
more than one password for an ID provides better security:
• An unauthorized user, who has been able to guess one of the passwords, cannot
open the ID file because the file requires all the passwords to open. You can set
this security for important certifier IDs.
• If the ID file requires any one password, different users can be assigned different
passwords and all users can use the ID with their own password.
Note You usually set up multiple passwords for certifier IDs because multiple
administrators use these IDs for certification.

To configure multiple passwords for an ID file:


1. In the Domino Administrator client, select the Configuration tab and click
Certification -> Edit Multiple Passwords, as shown in Figure 10-2:

Figure 10-2: The Edit Multiple Passwords Tool


The Choose ID File for Multi-password Management dialog box appears, as shown in
Figure 10-3:

Figure 10-3: The Choose ID File for Multi-password Management Dialog Box
2. Select the ID file, such as cert.id, for which you want to configure multiple
passwords and click Open. Domino prompts you for the ID file password.
3. Specify the ID file password and click OK. The Edit Multiple Passwords dialog
box appears, as shown in Figure 10-4:

Figure 10-4: The Edit Multiple Passwords Dialog Box


4. Specify the minimum number of passwords required to access the ID file in the With how
many passwords do you want to protect this ID file? section.
5. In the Authorized user field, specify the name of the user whom you wish to
authorize to use the ID file. In the New password and Confirm password fields,
specify the passwords for the authorized user.
Note The name in the Authorized user field may be any name and not necessarily a
name that exists in the Domino directory.
6. Click Add to add the user name to the list of authorized users. Add as many
authorized users and passwords as you want.
7. Click OK to close the dialog box.
When you access the ID file for certification or any other purpose, Domino prompts you to provide
multiple passwords, as shown in Figure 10-5:

Figure 10-5: The Multiple Password Prompt


When you specify any of the authorized user’s passwords, the name of the authorized user
disappears from the list of remaining authorized users.

You can access the ID file only after you provide the minimum number of passwords required.

Verifying Password on the Server

End users may be logging onto Lotus Notes from various computers. They may leave their ID files
in different folders or folders that are shared on the network. This leads to a situation where you
have no control over the use of an ID file. Changing the password of the ID file copy that the user
possesses has no effect on the other copies of the IDs, which end users continue to access using
the old passwords. To guard against an unauthorized user using a copy of a user's ID, you can
enable password checking on the server.

When you enable password checking on the server, Domino stores the user’s password in the
Domino directory, as a password digest, in the user’s Person document. When the user logs on to
the server, Domino verifies the password against the password digest. If a user uses another copy
of the ID file with a different password to log on to the server, Domino does not allow the user to
log on and informs the user that the password on this copy of the ID must be changed to match the
password on another copy of the ID.

To enable password checking on the server:


1. In the Domino Administrator client, select Configuration tab -> Server section ->
All Server Documents view, as shown in Figure 10-6:

Figure 10-6: The All Server Documents View


2. Open the Server document for the server on which you want to enable password
checking.
3. Click Edit Server to edit the Server document.
4. Select the Security tab of the Server document, as shown in Figure 10-7:

Figure 10-7: The Security Tab of the Server Document


5. In the Security Settings section, set the Check passwords on Notes IDs option to
Enabled, as shown in Figure 10-8:

Figure 10-8: Enabling Password Checking on a Server

In addition to enabling password checking on the server, you must also enable password checking
for individual users.
To enable password checking for users:
1. In the Domino Administrator client, select People & Groups tab -> Domino
Directories section.
2. Select the Domino directory for your domain and click the People view, as
shown in Figure 10-9:

Figure 10-9: The People View of the Domino directory


3. Select the person documents for the users for whom you want to enable
password checking on the server.
4. From the Actions menu, select the Set Password Fields option. The Set
Password Fields message box appears, as shown in Figure 10-10:

Figure 10-10: The Set Password Fields Message Box


5. Click Yes to confirm. The Lotus Notes dialog box with options to update the
password fields in the person documents appears, as shown in Figure 10-11:

Figure 10-11: The Lotus Notes Dialog Box with Options to Set the Password Fields
6. In the Check Notes Password field, select Check Password.
7. In the Required Change Interval field, specify the interval after which the user
must change the password.
8. In the Allowed Grace Period field, specify the interval for which the user can use
the ID after the user’s password has expired.
9. Select the Force User to Change Internet Password on Next Login option.
10. Click OK to close the dialog box. The Completed Successfully message box
appears, as shown in Figure 10-12. This message box indicates that a request
has been submitted to the Administration Requests database.

Figure 10-12: The Completed Successfully Message Box


11. Click OK to close the message box. A Set password field request is added to the
Administration Requests database, as shown in Figure 10-13:

Figure 10-13: The Set Password Information Request


Domino carries out the request after a few minutes and updates the password fields in the
Administration tab of the Person document, as shown in Figure 10-14:

Figure 10-14: The Updated Password Fields in the Person Document of a User

When the user logs on to the server for the first time, Domino creates a Change User Password in
the Domino directory request in the Administration Requests database. This request updates the
Password digest field with a value that matches with the user’s password. It also updates the Last
Change date field.

Domino creates the Change User Password request every time the user changes the password
and the request updates the Password digest and Last change date fields.

Verifying Public Key on the Server

Domino assigns a unique private and public key pair to all users. The public key of the user must
always match with the user’s private key. Domino stores the public key in the Person document of
the user and the private key in the ID file.

An unauthorized user who gains access to an ID file can authenticate with the server and, by using
the private key stored in the ID file, gain access to the original user’s encrypted messages. In
addition, this unauthorized user can gain access to other encrypted data and sign messages on
the original user’s behalf.

To prevent unauthorized access, the user can generate a new public key and get it certified by the
administrator, who can enable public key verification on the server. Public key verification involves
matching the public key stored in the Domino Directory with the public key on the ID.

When the unauthorized user with the original public key tries to access the server, the server does not
allow access.

To enable Public Key checking on the server:


1. In the Domino Administrator client, select Configuration tab -> Server section ->
All Server Documents view.
2. Open the server document for the server on which you want to enable public key
checking.
3. Click Edit Server to edit the server document.
4. Select the Security tab of the server document.
5. In the Security Settings section, select the Compare Notes public keys against
those stored in Directory option, as shown in Figure 10-15:

Figure 10-15: Enabling Public Key Verification on a Server


Server-Level Security
When a user tries to connect to a Domino server, the Domino server verifies the user’s credentials.
After authenticating the user, the server checks the server access list. This list defines whether the
user has access to the server and the various resources on the server.

Authentication

Authentication is the process of verifying whether a user or a server trying to connect to your
server is genuine and trusted. The authentication process has two steps:
• Validation
• Authentication

After the server successfully carries out the validation and authentication processes, it checks the
server access list for the access it can give to the user or the server.

The Validation Process


The validation process checks whether the public key of a user or server trying to gain access to
your server can be trusted. Validation is a two-way process where the client validates the server
that it is trying to access and the server validates the client that is trying to gain access.

Validation uses three rules to establish the trust of a public key:


• Trust the public key of any of the server or client's ancestors in the hierarchical
name tree because the ancestor's public key is stored in the server or client's ID
file. For example, a user Arnold/HO/SNT will trust the public key of SNT because
SNT is an ancestor of Arnold in the hierarchical naming tree.
• Trust any public key obtained from a valid certificate issued by any of the server
or client's ancestors in the hierarchical name tree. For example, Arnold/HO/SNT
will trust the public key of HO because HO's certificate was issued by SNT. For
similar reasons, Arnold/HO/SNT will trust the RO public key in RServer/RO/SNT.
• Trust any public key certified by any trusted certifier and belonging to one of the
certifier's descendants. For example, Arnold/HO/SNT will trust the public key of
RServer in RServer/RO/SNT because RServer has been certified by RO/SNT,
which is a trusted certifier.

Domino validates the client that is trying to access the server and the server that the client is trying
to access.
Note If the user or server does not trust the certificates of the other user or server,
you must create cross certificates. Cross certificates are trust certificates
that you create for users whose certificates you cannot trust.

The Authentication Process


Authentication ascertains that the user or the server trying to gain access to your server is
genuine. Authentication is also a two-way process. The server authenticates the user who is trying
to gain access to the server and the user authenticates the server that the user is trying to access.
The authentication process takes place by a challenge/response interaction.

During the authentication process, when a user is trying to access a server, the server sends a
random number challenge to the user. The user encrypts the number with the user’s private key
stored in the ID file and sends it back to the server. The server uses the public key of the user to
decrypt the response. If the server gets back the original number, it knows that the user is genuine.

Next, the user sends a random number challenge to the server. The server encrypts it using its
private key and the user decrypts the response using the public key of the server. If the user is
able to decrypt the response and get back the original number, the user knows that the server is
genuine and not some other server trying to pose as the original server.
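The validation rules and the challenge/response exchange described above, modeled end to end as an added example (not Domino's implementation or code from the book). It assumes toy textbook-RSA keys that are far too small for real use, a simplified certificate record, and one constructed name outside the page's hierarchy, Guest/OtherOrg; production protocols sign challenges with padded signature schemes rather than raw private-key exponentiation.

```python
import hashlib
import secrets

E = 65537  # public exponent shared by every toy key in this example


def _is_prime(n):
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))


def make_keypair(start):
    """Toy textbook-RSA pair from the first two usable primes >= start (insecure size)."""
    primes, n = [], start
    while len(primes) < 2:
        if _is_prime(n) and (n - 1) % E:      # keeps E invertible modulo (p-1)(q-1)
            primes.append(n)
        n += 1
    p, q = primes
    return (p * q, E), (p * q, pow(E, -1, (p - 1) * (q - 1)))   # (public, private)


def _digest(subject, public, modulus):
    body = f"{subject}|{public[0]}|{public[1]}".encode()
    return int.from_bytes(hashlib.sha256(body).digest(), "big") % modulus


def issue_certificate(issuer, issuer_private, subject, subject_public):
    """The certifier signs the binding between a hierarchical name and a public key."""
    n, d = issuer_private
    return {"subject": subject, "public": subject_public, "issuer": issuer,
            "signature": pow(_digest(subject, subject_public, n), d, n)}


def certificate_is_valid(cert, issuer_public):
    n, e = issuer_public
    return pow(cert["signature"], e, n) == _digest(cert["subject"], cert["public"], n)


def validate(own_ancestor_keys, peer_name, peer_certificates):
    """Return the peer's public key if the three trust rules establish it, else None."""
    trusted = dict(own_ancestor_keys)          # rule 1: ancestors' keys held in our own ID
    for cert in peer_certificates:             # ordered from the top of the tree downwards
        issuer_key = trusted.get(cert["issuer"])
        descends = cert["subject"].endswith("/" + cert["issuer"])
        if issuer_key and descends and certificate_is_valid(cert, issuer_key):
            trusted[cert["subject"]] = cert["public"]   # rule 2 (ancestor) or rule 3
    return trusted.get(peer_name)


def respond(private_key, challenge):
    """Prover: transform the random number with the private key held in the ID file."""
    n, d = private_key
    return pow(challenge, d, n)


def authenticate(verifier_id, prover_id):
    """One direction: validate the prover's key, then check its answer to a fresh challenge."""
    public = validate(verifier_id["ancestor_keys"], prover_id["name"],
                      prover_id["certificates"])
    if public is None:
        return False                           # no trust path: a cross certificate is needed
    n, e = public
    challenge = secrets.randbelow(n - 2) + 2
    return pow(respond(prover_id["private"], challenge), e, n) == challenge


def mutual_authentication(user_id, server_id):
    """Both directions must succeed, as in the two-way process described above."""
    return authenticate(server_id, user_id) and authenticate(user_id, server_id)


def build_ids(names):
    """Constructed ID files: each name and each of its ancestors gets its own toy key pair."""
    keys, ids = {}, {}
    for name in names:
        parts = name.split("/")
        lineage = ["/".join(parts[i:]) for i in range(len(parts))][::-1]  # SNT, HO/SNT, ...
        for entity in lineage:
            if entity not in keys:
                keys[entity] = make_keypair(1_000_000 + 50_000 * len(keys))
        chain = [issue_certificate(a, keys[a][1], b, keys[b][0])
                 for a, b in zip(lineage, lineage[1:])]
        ids[name] = {"name": name, "private": keys[name][1], "certificates": chain,
                     "ancestor_keys": {a: keys[a][0] for a in lineage[:-1]}}
    return ids


if __name__ == "__main__":
    ids = build_ids(["Arnold/HO/SNT", "RServer/RO/SNT", "Guest/OtherOrg"])
    print(mutual_authentication(ids["Arnold/HO/SNT"], ids["RServer/RO/SNT"]))
    print(mutual_authentication(ids["Guest/OtherOrg"], ids["RServer/RO/SNT"]))
```

A copied certificate chain without the matching private key fails the challenge, and a certificate whose public key was swapped fails validation, which is why both steps are needed.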
Defining Server Access

The Domino server authenticates any user or server by checking the user or server’s certificates
and public key. Domino does not allow unauthenticated users access to any databases on the
server. If the user is authenticated, the Domino server checks the server access list to identify
whether or not the user is allowed access to the server. A user who is denied access to the server
cannot access any resources on the server.

The access to a Domino server is defined in the Server document for the server. The Server
document contains sections that define:
• The administrators for the server.
• Names of users who have access to the server.
• Names of users who can use the server as a passthru server.
• Names of users who can run various types of programs or agents on the server.
Note For the setting to take effect, you must restart the server after making any
change to the security settings on the server.

To define access to the server:


1. In the Domino Administrator client, select Configuration tab -> Server section ->
All Server Documents.
2. Open the Server document for the server for which you want to set the access.
Then, click the Security tab, which contains the various sections that are used to
define the server access.

Defining Server Administrators


The Server Administrators section on the Security tab of the Server document defines several
types of Administrators for a Domino server, as shown in Figure 10-16:

Figure 10-16: The Administrators Section on the Security Tab of the Server Document

The types of administrators that you can define for the Domino server are:
• Full Access Administrators: Administrators with the highest access on the server.
They have all the access given to administrators. In addition, they have Manager
access to all the databases on the server, all passthru rights, all programmability
rights, and can issue operating system level commands.
• Administrators: Administrators with Manager access to the Web Administrator
database. These administrators can perform database maintenance tasks, such
as creating, updating, and deleting folders, database links, directory ACLs, and
full text indexes. They can also compact, delete, and create databases, replicas,
and Master Templates, set database quotas, and use message tracking. Domino
allows these administrators to track the subjects and use the console to remotely
administer UNIX servers and issue any remote console command. The
administrator assigned at the time of server configuration automatically gets all
these accesses.
• Database Administrators: Administrators who can perform database
maintenance tasks, such as setting the administration server in the database
ACLs, creating, compacting, and deleting databases, replicas, and Master
Templates. They can maintain full text indexes, directories, links and options,
such as database quotas.
• Full Remote Console Administrators: Administrators who can issue any remote
console command.
• View-only Administrators: Administrators who can issue certain limited server
commands to view system status, such as SHOW SERVER and SHOW TASKS.
These administrators cannot affect server operations.
• System Administrator: Administrators who can issue operating system
commands using the Domino Server Controller.
• Restricted System Administrator: Administrators who can issue a restricted set of
operating system commands. The restricted commands are defined in the
Restricted System Commands field.

Defining Server Access


You use the Server Access section on the Security tab of the Server Document to define who can
access the server, create replica databases and Master Templates, and use monitors on the
server. You also use it to define the names of the trusted servers, as shown in Figure 10-17:

Figure 10-17: The Server Access Section on the Security Tab of the Server Document

The Server Access Section contains the following fields:


• Access server: Enables you to specify the list of users who should be allowed to
access the Domino server. The default value in this field is blank, which means
that all users have access to the server. When you add an entry to this field,
Domino allows access only to the user you specify and denies access to the
other users.
• Not access server: Enables you to specify the list of users who should be denied
access to the server.
• Create databases & templates: Enables you to specify the list of users who can
create databases and templates. By default, all users can create databases and
templates on the server.
• Create new replicas: Enables you to specify the list of users who should be
allowed to create new replicas of databases on the server. By default, Domino
does not allow any user to create a replica on the server.
• Create Master Templates: Enables you to specify the names of users who
should be allowed to create Master Templates on the server. A master template
has a template name specified in the database properties. By default, Domino
does not allow any user to create Master Templates.
• Allowed to use monitors: Enables you to specify the list of users who should be
allowed to use monitors on the server. A blank field indicates that no users can
monitor the server. The default value in this field is an asterisk (*), which means
that all users are allowed to use monitors.
• Not allowed to use monitors: Enables you to specify the list of users who should
not be allowed to use monitors on the server.
• Trusted servers: Enables you to specify the list of servers trusted on the current
server. Domino allows the agents running on the servers specified in this field to
access databases on this server.

Defining Programmability Restrictions


The Programmability Restrictions section defines the names of the users or servers who can run
various types of agents on the server. Figure 10-18 shows the Programmability Restrictions
section:

Figure 10-18: The Programmability Restrictions Section

The Programmability Restrictions section contains the following options:


• Run unrestricted methods and operations: Enables you to specify the list of
users who should be allowed to run LotusScript, Java, JavaScript, or any other
type of agents without restrictions. The unrestricted agents can access the file
system, manipulate system date and time, and execute operating system
commands. By default, Domino does not allow this access to any user.
• Sign agents to run on behalf of someone else: Enables you to specify the list of
users who should be allowed to sign the scheduled agents to run on behalf of
some other user or server.
• Sign agents to run on behalf of the invoker of the agent: Enables you to specify
the list of users who should be allowed to sign the Web agents to run on behalf
of the invoker.
• Run restricted LotusScript/Java agents: Enables you to specify the list of users
who should be allowed to run LotusScript and Java agents that do not perform
any unrestricted operations.
• Run Simple and Formula agents: Enables you to specify the names of users and
groups who should be allowed to run shared and private agents written using
simple actions or the formula language. By default, all users have this access.
• Sign LotusScript libraries to run on behalf of someone else: Enables you to
specify the list of users who should be allowed to sign the script libraries in
agents executed by someone else.

Defining Internet Access and Passthru Use


You use the Internet Access section to define how Internet clients can authenticate with the
Domino server. Figure 10-19 shows the Internet Access section:

Figure 10-19: The Internet Access Section

The Internet authentication field provides two choices:


• Fewer name variations with higher security: Allows users to authenticate by
specifying their full hierarchical names, common name components of the full
hierarchical names, alias names in the username field of the Person document
and the Internet addresses. This is the default option for the Internet
authentication field.
• More name variations with lower security: Allows Internet users to use their first,
last, and short names and soundex values to authenticate with the Domino
server. This is in addition to their full hierarchical names, common name
components of the full hierarchical names, alias names in the username fields of
the Person document and the Internet addresses.

You use the Passthru Use section to define options such as who can access the server as a
passthru server, who can route through the server, who can cause the server to call, and which
destination a user can access using the passthru server. Figure 10-20 shows the Passthru Use
section on the Security Tab of the Server Document:

Figure 10-20: The Passthru Use Section on the Security Tab of the Server Document

The Passthru Use section contains the following fields:


• Access this server: Enables you to specify the list of users, servers, and groups
who can access the server as a passthru destination. The default value of this
field is blank, which means that no one can access the server as a passthru
destination.
• Route through: Enables you to specify the list of users, servers, and groups who
can access the server as a passthru server to connect to a destination server.
The default value of this field is blank, which means that no one can access the
server as a passthru server.
• Cause calling: Enables you to specify the list of users, servers, and groups who
can access the server to place a phone call to a destination server. The default
value of this field is blank, which means that no one can cause the server to dial up
another server.
• Destinations allowed: Enables you to select the names of the destination servers
that users can access through this server. The default value of this field is blank,
which indicates that all passthru destinations can be accessed through this
server.

Database Security
A user connects to the server to access the databases that exist on the server. If the server does
not authenticate a user, the server returns an error. If the server successfully authenticates the
user and allows access, the user can access various databases on the server. To control the rights
with which the user can access a database on the server, you can define the Database ACL.

The security of the elements inside the database, such as the forms, views, and fields, is defined
at the application design levels.

The Database ACL


The Database ACL defines the rights for users on a selected database. You can access the ACL of
a selected database by selecting File -> Database -> Access Control. Figure 10-21 shows the ACL
of the Domino Directory:

Figure 10-21: The Access Control List to: SNT’s Directory Dialog Box

The ACL of a database contains four tabs:


• Basics
• Roles
• Log
• Advanced

The Basics Tab


You use the Basics tab to add, rename, or remove a user, server, or group to the ACL. For each
user, server, or group, you can set the user type, the access level, additional privileges, and roles.
Figure 10-21 shows the Basics tab of the database ACL for the Domino directory for SNT’s
domain.

User Types
You can set the ACL of a database to allow access to a user, a server, or a group. When you add
any of these entries in the ACL, you must specify the user type, such as Person or Server.
Specifying a user type is an extra security measure because it specifies the type of entry that you
have included in the ACL. For example, specifying a user type as Person ensures that a server or
a group with the same name does not gain access to the database.

You can specify the following user types:


• Person: A user.
• Server: A server.
• Person Group: A group of users.
• Server Group: A group of servers.
• Mixed Group: A group of users as well as servers.
• Unspecified: Default and anonymous entries.

Access Levels
Several users can access a database with different access levels. For example, you can use a
Company Policy database to store Company Policy documents and make this database accessible
to all the users in your organization. In this database, you can allow most users to only read the
documents while allowing the Personnel department to add new policies but not edit the existing
policies. You can allow a Reviewer, who is responsible for updating any policy changes, to make
changes to existing policies.

End users often want the form and view designs to be updated. You can allow a Developer group
to make design changes in the database. In addition, you want to allow the members of the
LocalDomainAdmins group to update the ACL.

There are eight access levels that you can assign to a user, based on the requirement:
• No Access: Allows no permissions except the permission to Read and Write
public documents.
• Depositor: Allows a user to create documents but not read or edit the
documents. You can provide this access to users in applications where a user
needs only to submit a document, such as a Feedback form or a Ballot box.
• Reader: Allows a user to only read the documents in a database.
• Author: Allows a user to read all the documents as well as create new
documents. With this access, a user can edit only those documents that the
user has created or authored, not all the documents in the database.
• Editor: Allows a user to create new documents and to read and edit all the
documents in the database regardless of who created the documents.
• Designer: Allows a user to modify the design of the database. Users with this
access can also create new documents and read and edit all the documents
in the database regardless of who created the documents.
• Manager: Allows a user to modify the ACL of the database. The Manager
access also allows users to perform the actions that the Designer can
perform. The Manager access is usually given to the administrators.

Additional Privileges
Each access level from No Access to Manager has a set of additional privileges, such as the
privilege to create private agents and shared folders and views. These privileges further refine the
access level for a user by allowing or disallowing certain actions within the scope of that access level.
For example, a person with Manager access has all the privileges assigned by default. Of
these privileges, Delete Document and Replicate or Copy Documents are selected by default, and you can
clear them. For example, you can clear the Delete Document check box to prevent accidental deletion of
documents in an important database; a Manager can still change the ACL and assign the privilege
back. Similarly, you can refine every access level using these check boxes.

The Access list in the ACL lists all the additional privileges. When setting the access level for a
user, you can select or clear the privileges depending on the requirement. For example, the
Reader access level, by default, allows a user to create personal folders and views. You can clear this
check box to remove this privilege from a user who has Reader access. For each access level,
Domino automatically assigns some additional privileges. The check boxes for these privileges are disabled,
and you cannot select or clear them. For example, a Designer has the privilege to Create
Personal Folders/Views, which you cannot clear. You can assign or revoke the following privileges
for each access level:
• Create Document
• Delete Document
• Create Private Agents
• Create Personal Folders/Views
• Create Shared Folders/Views
• Create LotusScript/Java Agents
• Read Public Documents
• Write Public Documents
• Replicate or Copy Documents

Roles
You use roles to define a group of users who may be assigned similar access. Roles are an
effective way to implement security in applications used by multiple users and different groups of
users who need to perform different tasks. For example, the Domino directory has 10 roles: Group
Creator, Group Modifier, Net Creator, Net Modifier, Policy Creator, Policy Modifier, Server Creator,
Server Modifier, User Creator, and User Modifier.
The roles in the Domino directory help define the access for users on various types of documents.
For example, a user with the [Group Creator] role can create group documents in the Domino
directory but not other types of documents. A user with the [Group Modifier] role can edit a group
document without Editor access to the database.

You can create roles using the Roles tab. The Basics tab of the Access Control List dialog box
shows all the roles. You can use this tab to assign roles to different users.

To assign a role to a user using the Basics tab of the database ACL:
1. Select the name of the user to whom you want to assign a particular role. If
a user name is not listed, use the Add button to add the user name.
2. Select the appropriate role in the Roles list.

Assigning Access in the ACL


You can use the Add and Remove buttons in the Basics tab of the ACL to add or remove entries
from the ACL. You must have Manager access in the database ACL to modify it.

To add an entry in the ACL of a database using the Basics tab:


1. Click Add to add a user, a server, or a group to the list. The Add User dialog
box appears, as shown in Figure 10-22:

Figure 10-22: The Add User Dialog Box


2. Type the name in the People, Servers, Groups field, or select from the
address books using the Person button.
3. Click OK to close the Add User dialog box and add the entry to the ACL.
4. Select an appropriate user type and appropriate access for the entry. To
further refine the access level, you can optionally select or clear the
additional privileges.
5. Assign a role for the entry if you have created roles.

Repeat these steps for each entry that you add to the ACL. You can also change or delete any
entry from the ACL by clicking the Remove button.

Determining the Effective Access


You use the Effective Access button on the Basics tab of the database ACL to view the effective
access level and privileges and the effective roles of a user.

When a user is a member of multiple groups and more than one group containing the user name is
added to the ACL, the effective access shows the level of access of the user, taking into account
all of the user's group memberships.

To determine the effective access of a user:


1. In the Basics tab of the database ACL, select the entry whose effective
access you want to view.
2. Click the Effective Access button. The Effective Access to: SNT’s Directory
dialog box appears, as shown in Figure 10-23:

Figure 10-23: The Effective Access to: SNT’s Directory Dialog Box

The Access field shows the effective access level for the user. The Groups list shows the groups to
which the user belongs and the Roles list shows the roles that have been assigned to the user.

You can find the effective access of a different user by using the Person icon and clicking the
Calculate Access button.
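The calculation behind the Effective Access dialog box can be modeled in a few lines. The following Python sketch is an added example, not Domino code: it assumes the usual Domino conflict rules, which this page does not spell out (an individual entry overrides group entries, the highest level wins among groups, roles from all matching entries are combined, and unlisted users fall back to -Default-). The directory, ACL, user names and role names are constructed sample data.

```python
# Added model of ACL resolution; not Domino code. All names are constructed.
LEVELS = ["No Access", "Depositor", "Reader", "Author",
          "Editor", "Designer", "Manager"]
RANK = {name: i for i, name in enumerate(LEVELS)}
NO_ENTRY = {"level": "No Access", "roles": []}

# Constructed directory: group -> members (a member may itself be a group).
DIRECTORY = {
    "Helpdesk": ["Asha Rao/SNT", "Ben Cole/SNT"],
    "Directory Admins": ["Helpdesk", "Carla Diaz/SNT"],
    "Contractors": ["Ben Cole/SNT", "Dev Patel/SNT"],
}

# Constructed database ACL: entry name -> access level and roles.
ACL = {
    "-Default-": {"level": "No Access", "roles": []},
    "Helpdesk": {"level": "Author", "roles": ["[Approver]"]},
    "Directory Admins": {"level": "Manager", "roles": ["[Auditor]"]},
    "Contractors": {"level": "Reader", "roles": []},
    "Ben Cole/SNT": {"level": "Reader", "roles": []},
}

USERS = ["Asha Rao/SNT", "Ben Cole/SNT", "Carla Diaz/SNT",
         "Dev Patel/SNT", "Eve Lang/SNT"]


def expand_groups(user, directory):
    """Return every group containing `user`, directly or via nested groups."""
    found = set()
    frontier = {user}
    while frontier:
        reached = set()
        for group, members in directory.items():
            # Skipping groups already found keeps circular nesting finite.
            if group not in found and frontier & set(members):
                found.add(group)
                reached.add(group)
        frontier = reached
    return found


def effective_access(user, directory, acl):
    """Resolve one user's level and roles from all matching ACL entries."""
    groups = expand_groups(user, directory)
    matched = sorted(n for n in acl if n == user or n in groups)
    if not matched:
        matched = ["-Default-"]          # nobody matched: fall back
    roles = set()
    for name in matched:                 # assumption: roles are cumulative
        roles |= set(acl.get(name, NO_ENTRY)["roles"])
    if user in acl:                      # individual entry beats any group
        level = acl[user]["level"]
    else:                                # otherwise the highest group level
        level = max((acl.get(n, NO_ENTRY)["level"] for n in matched),
                    key=RANK.__getitem__)
    return {"level": level, "roles": roles, "via": matched}


def at_least(level, users, directory, acl):
    """List the users whose effective level is `level` or higher."""
    return sorted(u for u in users
                  if RANK[effective_access(u, directory, acl)["level"]]
                  >= RANK[level])


if __name__ == "__main__":
    for u in USERS:
        r = effective_access(u, DIRECTORY, ACL)
        print(f"{u:16} {r['level']:10} {sorted(r['roles'])} via {r['via']}")
    print("Manager or higher:", at_least("Manager", USERS, DIRECTORY, ACL))
```

In the sample, one user reaches Manager only through a nested group, and another is held at Reader by an individual entry even though two of that user's groups rank higher.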

The Roles Tab


In the Roles tab, you can add, remove, or rename the roles that appear in the Basics tab of the
database ACL. Roles are different from groups created in the address books because, unlike
groups, roles are applicable only to the database in which you create them.

To create a role in the database ACL:


1. Click the Roles tab in the database ACL. The Roles tab shows the list of roles
defined in the database, as shown in Figure 10-24:

Figure 10-24: The Roles Tab of the Access Control List to: SNT’s Directory Dialog Box
2. Click Add to add a new role. The Add Role dialog box appears, as shown in
Figure 10-25:

Figure 10-25: The Add Role Dialog Box


3. Specify the role you want to add in the Role Name field. You can specify a
maximum of 15 characters.
4. Click OK. The role gets added to the ACL.

Similarly, you can add more roles to implement the roles in the design elements of the database.
You can also define access on a section of the form, in the form access list, the view or folder
access list, and the Readers and Authors fields.

You can use the Rename and Remove buttons to change and delete a role, respectively.

The Log Tab


The Log tab of the database ACL shows the history of ACL changes, such as the names of users
who changed the ACL, the changes made by these users, and the date and time of the changes.
Figure 10-26 shows the Log tab of the Access Control List to: SNT’s Directory dialog box:

Figure 10-26: The Log Tab of the Access Control List to: SNT’s Directory Dialog Box
The Advanced Tab
In the Advanced tab, you can define certain other access rights, such as the Maximum Internet name and
password access for the database. You can also select the Enforce a consistent Access Control
List across all replicas option to maintain a standard ACL on all replicas of the database. In
addition, you can select the Enable Extended Access option. Figure 10-27 shows the Advanced
tab of the database ACL:

Figure 10-27: The Advanced Tab of the Access Control List to: SNT’s Directory Dialog Box

The Advanced tab contains the following options:


• Administration server: Enables you to specify the name of the administration
server for the database. The server specified in this field will be responsible for
all the name changes in the database using the Administration Process task.
• Action: Enables you to specify the types of name fields that Domino should
update when you assign an administration server to the database.
• Enforce a consistent Access Control List across all replicas: Enables you to
ensure that Domino maintains a standard ACL on all replicas of the database.
• Enable Extended ACL: Enables you to set the extended ACL for the Domino
directory using the Basics tab. This option is available only for the Domino
directory and the Administration Requests database.
• Maximum Internet name and password: Enables you to specify the maximum
access that a user gets when the user uses a browser to access the database.
• Look Up User Types for Unspecified Users: Enables automatic assignment of
the user types for the users listed in the Basics tab of the ACL.

Application Design Element Security

The access that you define for a user in the database ACL gives the user similar access to all the
design elements in the database. For example, a user with Reader access to the database can
read documents created using any form in the database. The design element security defines
access for individual design elements.

Domino provides design element security at the following levels:


• Views: A read access list for a view defines the users who can see the view.
• Folders: A read and edit access list for a folder defines the users who can see and
edit the contents of the folder.
• Forms: A create and read access list for forms defines the users who can create
documents using a form or read documents created using a form.
• Reader and Author fields: Readers and Authors fields control access to
documents. Only users whose names are included in the Readers field can read a
document that contains a Readers field. Even users with Manager access to the
database, whose names are not included in the Readers field, cannot access a
document that contains a Readers field. The Authors field controls the editing rights
to a document. The Authors field is applicable only to users with Author access to
the database. A user whose name is included in the Authors field on a document
can edit the document even if the user did not create it.
• Signed fields: Signing a field helps verify that the author of the document has
originated the data in the field and that the data has not been tampered with. In the
application, the option to attach the signature of the author to the field needs to be
enabled at the design time.
• Encrypted fields: Encrypted fields hide the content of the fields from unauthorized
users. Field encryption can be enabled at design time for selected fields. Domino
encrypts these fields using the default encryption key specified at design time or a
key specified by the author of the document. To view these fields, a user must have
the encryption key in the ID file.
• Controlled access sections: A controlled access section in a form controls the
access to a section of a document. A controlled access section has a set of editors
defined at either the design time or when a user creates a document, using the
form. Only the defined editors can edit the fields in a controlled access section.

Local Database Security


The ACL of a database is effective only if you open the database on the server. For local security
of a database, you can encrypt the database with a specific ID. This ensures that only the
authorized user can open the database.

Formulas and other code written by mischievous users can affect the databases stored locally on
the workstation. You can control the execution of formulas on your workstation using the Execution
Control List (ECL).

Encrypting a Database for Local Security

To ensure that the ACL of a database is effective for a local database, you must select the Enforce
a consistent ACL across all replicas of the database option in the Advanced tab of the ACL.

To prevent unauthorized access to a local database, you can encrypt the database locally. Domino
encrypts the database using the public key of a user. Data encrypted with the public key can be
decrypted only with the private key of the user. As a result, only a user with the correct user ID
can open the database.

To encrypt a database:
1. Select the database that you want to encrypt and click File -> Database ->
Properties to open the Database dialog box, as shown in Figure 10-28:

Figure 10-28: The Database Dialog Box


2. Click the Encryption Settings button to access the Encryption settings for the
selected database. Figure 10-29 shows the Encryption for Customer Complaint
Tracking System dialog box:

Figure 10-29: The Encryption for Customer Complaint Tracking System Dialog Box
3. Select the Locally encrypt this database using option and select an encryption
level. The stronger the encryption, the more secure it will be and the more time it
will take to decrypt. Medium encryption is recommended.
4. Click OK. This encrypts the database, which nobody else can open.

The ECL

The Workstation ECL is a security feature of the Lotus Notes client that limits what formulas or
other code from unknown or suspect sources can do when run on the workstation. For example,
the ECL can control whether a formula can send a message from the user’s workstation with the
current user’s name.
The ECL restrictions can control anything that runs on a user workstation, including formulas,
scripts, agents, design elements in databases and templates, documents with stored forms,
actions, buttons, hot spots, as well as malicious code, such as viruses. The ECL controls access
based on the signature on the formula or code that is executed.

Domino stores the Workstation ECL in the user's Personal Address Book and creates it when the
Notes client is first installed. The administrator uses the Administration ECL, which resides in the
Domino directory (NAMES.NSF), to define the Workstation ECL for all the users.

To define or edit the Administration ECL:


1. Open the Domino directory on the server.
2. From the menu, select Action -> Edit Administration ECL. The Workstation
Security: Execution Control List dialog box appears, as shown in Figure 10-30:

Figure 10-30: The Workstation Security: Execution Control List Dialog Box
3. The When signed by list shows the default signature entries. Click the Add
button to select a user, server, or group name from the address book.
4. In the Allow section, select the access that you want to give to formulas or code
signed by the selected entry.
The access options in the Workstation Security: Execution Control List dialog box are:
• Access to file system: Allows formulas and code to attach,
detach, read from, and write to workstation files.
• Access to current database: Allows formulas and code to read
and modify the current database.
• Access to environment variables: Allows formulas and code to
use @function and LotusScript methods to access the
NOTES.INI file.
• Access to non-Notes databases: Allows formulas and code to
use @DBLookup, @DBColumn, and @DBCommand to access
ODBC or other non-Notes databases.
• Access to external code: Allows formulas and code to run
LotusScript classes and DLLs that are unknown to Notes.
• Access to external programs: Allows formulas and code to
access other applications, including activating any OLE object.
• Ability to send mail: Allows formulas and code to use @functions
and methods to send mail.
• Ability to read other databases: Allows formulas and code to
read information in databases other than the current database.
• Ability to modify other databases: Allows formulas and code to
modify information from databases other than the current
database.
• Ability to export data: Allows formulas and code to print, copy to
the clipboard, import, and export data.
• Access to Network: Allows formulas and code to access the
resources over the network.
• Access to Workstation Security ECL: Allows formulas and code
to modify the workstation ECL.
5. Clear the Allow users to modify option if you do not want the users to change the
ECL settings for their workstation.
Note You can set the Java Applet and JavaScript security options in the
Administration ECL to control access to workstation data when you run a Java
applet or JavaScript on the workstation.
6. Click OK to save and close the Administration ECL.

To update the workstation ECLs on the user’s workstation, you must update the Security Policy
Settings document for the users.

To update the Security Policy Settings document for your users:


1. In the Domino Administrator client, select People & Groups tab -> Settings view.
2. From the Security Settings, select the Security Settings document that you want
to update, as shown in Figure 10-31:

Figure 10-31: Selecting the Security Settings Document


3. Open the document and click the Execution Control List tab, as shown in Figure
10-32:

Figure 10-32: The Execution Control List Tab of the Security Settings Document
4. Click the Edit Settings action to edit the document.
5. In the Admin ECL field, ensure that Default shows. This updates the
Administration ECL from the Domino directory. You can click the Edit button to
update the Administration ECL from here. You can also create a new
Administration ECL by clicking the New button.
6. In the Update Mode field, select Refresh to update the changes to the
workstation ECL. Select Replace to replace the Workstation ECL with the
Administration ECL.
7. In the Update Frequency field, select When Admin ECL Changes to ensure that
the Workstation ECL is updated every time the Administration ECL is changed.
You can also select Once Daily to update the ECL once every day or Never to
never update the Workstation ECL.
8. Save and close the document.

The Workstation ECL for the users is updated whenever the users authenticate with their home
servers.
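The practical difference between the Refresh and Replace update modes in step 6 shows up in entries that exist only on the workstation. The following Python model is an added example, not Notes or Domino code: it assumes that Refresh overwrites entries that exist in the Administration ECL and leaves other workstation entries alone, that code from a signer with no entry is checked against -Default-, and that unsigned code is checked against -No Signature-. The signer names and both sample ECLs are constructed.

```python
# Added model of ECL checks and Admin ECL update modes; not Notes code.
DEFAULT = "-Default-"
NO_SIGNATURE = "-No Signature-"

# Constructed Administration ECL: signer -> allowed actions (names from the
# Allow section listed above).
ADMIN_ECL = {
    DEFAULT: set(),
    NO_SIGNATURE: set(),
    "App Signer/SNT": {"Access to current database", "Ability to send mail"},
}

# Constructed Workstation ECL that has drifted from the Admin ECL over time.
WORKSTATION_ECL = {
    DEFAULT: {"Access to current database"},
    NO_SIGNATURE: set(),
    "App Signer/SNT": {"Access to current database"},
    "Old Vendor/EXT": {"Access to file system",
                       "Access to external programs"},
}


def allowed(ecl, signer, action):
    """True if code signed by `signer` (None = unsigned) may do `action`."""
    if signer is None:
        entry = NO_SIGNATURE
    elif signer in ecl:
        entry = signer
    else:
        entry = DEFAULT            # unknown signer: use the default entry
    return action in ecl.get(entry, set())


def refresh(workstation, admin):
    """Assumed Refresh: admin entries win, workstation-only entries stay."""
    result = {signer: set(perms) for signer, perms in workstation.items()}
    for signer, perms in admin.items():
        result[signer] = set(perms)
    return result


def replace(workstation, admin):
    """Replace: the workstation ECL becomes a copy of the Admin ECL."""
    return {signer: set(perms) for signer, perms in admin.items()}


def drift(workstation, admin):
    """Return, per entry, what it allows beyond what the Admin ECL allows."""
    extra = {}
    for signer, perms in workstation.items():
        if signer in admin:
            baseline = admin[signer]
        elif signer == NO_SIGNATURE:
            baseline = set()
        else:                      # signer unknown to the Admin ECL
            baseline = admin.get(DEFAULT, set())
        surplus = set(perms) - set(baseline)
        if surplus:
            extra[signer] = surplus
    return extra


if __name__ == "__main__":
    for name, ecl in (("before", WORKSTATION_ECL),
                      ("refresh", refresh(WORKSTATION_ECL, ADMIN_ECL)),
                      ("replace", replace(WORKSTATION_ECL, ADMIN_ECL))):
        print(name, drift(ecl, ADMIN_ECL))
```

Under these assumptions, the stale Old Vendor/EXT entry keeps its file system access after a Refresh and loses it only after a Replace, so comparing workstation ECLs against the Administration ECL is a useful check before choosing the mode.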

Chapter 11: Managing Databases in Domino


The Domino server hosts many databases, which may be system databases used by Domino or
application databases created for end users. The performance of these databases might
deteriorate with the continuous use of databases. Access to the database becomes slower due to
the increased number of documents, increased unused space, or other factors. The database may
even get corrupted.

The Domino Administrator client provides various tools to improve the performance of a database
or fix corrupt databases. The Domino Administrator client also provides tools to work efficiently with
databases, such as signing a database or creating a full text index.

This chapter describes the various database management tools available in Domino 6.0. It also
explains how to optimize database performance and fix corrupt databases using these tools. In
addition, it describes the procedure to enable Transaction Logging on a server.

The Database Tools


The database tools are available on the Files tab in the Domino Administrator client. The Files tab
provides a convenient way to manage databases in Domino. It provides you the tools to work on
the databases as well as information about the various files on the server. Figure 11-1 shows the
Files tab of the Domino Administrator client:

Figure 11-1: The Files Tab of the Domino Administrator Client

The Files tab contains three panes:


• Folder: Shows the data folder of the selected server and all its subfolders. It cannot
show any folders outside the data folder. This is the pane on the left.
• Files: Shows information about the databases, templates, or other types of files in the
folder selected in the Folder pane. The Files pane is located in the middle.
• Tools: Contains the tools for database management. This is the pane on the right.

Customizing the Files Pane

You can customize the Files pane to see the information you require and the way you want it. You
can filter the list of databases using the Show me option, which restricts the display to selected file
types. Filtering is useful when you need to work with specific types of files. The Show me list
contains the following options:
• Databases only: Shows only the databases.
• Templates only: Shows only the templates.
• Mailboxes only: Shows only the mailbox databases.
• All database types: Shows all databases and templates.
• All file types: Shows files of all types.
• Database links only: Shows only the database links.
• Custom: Allows you to select the types of files you want to display.

You can customize the information shown in the Files pane by using the Administration
Preferences. To customize the Files pane:
1. Select File -> Preferences -> Administration Preferences to open the
Administration Preferences dialog box and then click the Files tab, as shown in
Figure 11-2:

Figure 11-2: The Files Tab of the Administration Preferences Dialog Box
2. Select the columns that you want in the Files pane from the Available Columns
list and click the right arrow button to add them to the Use these Columns list. To
remove a column, use the left arrow button.
3. Use the up and down arrow buttons to change the order in which the columns
appear in the Files pane.
4. Click OK to close the dialog box.

Using the Tools Pane

The Tools pane contains tools that you can use to work with databases. The tools in the Tools pane
are divided into three groups:
• Disk Space: Shows the disk size and the free disk space on the selected server’s
disk. Figure 11-3 shows the Disk Space tool:

Figure 11-3: The Disk Space Tool


• Folder: Contains tools to create a new folder, create, update, and delete database
or directory links, and manage the directory Access Control List (ACL). Figure 11-4
shows the Folder Tools:

Figure 11-4: The Folder Tools

The tools in the Folder group include:


o New: Creates a new folder within the DATA folder.
o New Link: Creates a directory or a database link.
o Update Link: Updates a directory or a database link.
o Delete: Deletes a folder or a link.
o Manage ACL: Defines access on the subfolders in the DATA folder.
• Database: Includes various tools to manage databases. Figure 11-5 shows the
Database tools:

Figure 11-5: The Database Tools

Directory and Database Links


The Folder tools on the Files tab of the Domino Administrator client contain the option to create
database and directory links. You can use these links to display the databases that reside outside
the Domino DATA folder.

The databases deployed on the Domino server are kept in the DATA folder of the server. To group
related databases, you create subfolders in the DATA folder and store the databases in the
subfolders.

To save disk space on the server, or to hide the databases from users, you can store the
databases outside the server’s DATA folder. If you create a folder outside the DATA folder or store
the database anywhere outside the DATA folder, users are unable to access the database or the
folder.

To make a database or a folder outside the server’s DATA folder accessible to users, you must
create a link to the database or folder. You can create two types of links:
• Directory: A link to a folder.
• Database: Points to a single database.

Creating a Directory Link

A directory link points to a folder outside the server’s DATA folder. To a user, the link appears like a
subfolder in the DATA folder. It appears with the folder icon and shows the name of the link as the
folder name.

To create a Directory link:


1. In the Domino Administrator client, select the Files tab and then select the Folder
-> New Link tool. The Create New Link dialog box appears, as shown in Figure
11-6:

Figure 11-6: The Create New Link Dialog Box


2. In the Link name field, specify a suitable name for the link that clearly identifies
the folder. Domino appends the .DIR extension to the name.
3. To create a Directory link, select Folder from the Link to a option. In the Path and
filename to that folder or database field, specify the path where you have
created the folder.
4. To restrict access to the Directory link, specify the user names to which you want
to grant access in the Who should be able to access this link? box. All other
users are denied access. Click the person icon to add the names to the list.
5. Click OK to close the Create New Link dialog box.
6. Press the F9 key or click Refresh to view the Directory link. The link appears in
the Domino Administrator client, as shown in Figure 11-7:

Figure 11-7: A Directory Link


When a user accesses the Open Database dialog box, the link appears like another folder, as
shown in Figure 11-8:

Figure 11-8: A Directory Link in the Open Database Dialog Box

If you have not granted access to a user on the Directory link, an error message appears when the
user tries to open the folder.
Creating a Database Link

A database link points to a single database stored outside the server’s DATA folder. To a user, the
link appears with the database icon and the name of the link appears like other databases in the
DATA folder.

To create a Database link:


1. In the Domino Administrator client, select the Files tab and then select the
Folder -> New Link tool. The Create New Link dialog box appears.
2. In the Link name field, specify a suitable name for the link that clearly identifies
the database. Domino appends the .NSF extension to the name.
3. To create a Database link, select Database from the Link to a options. In the
Path and filename to that folder or database field, specify the path where you
have stored the database, as shown in Figure 11-9:

Figure 11-9: The Create New Link Dialog Box for a Database Link
4. Click OK to close the Create New Link dialog box.
The link appears in the Domino Administrator client, as shown in Figure 11-10:

Figure 11-10: A Database Link


When a user accesses the Open Database dialog box, the link appears like other databases, as
shown in Figure 11-11:

Figure 11-11: A Database Link in the Open Database Dialog Box


Note The Filename field for the database links shows the link name.

Using Database Tools


The database tools on the Files tab of the Domino Administrator client contain various tools that
allow you to control access to databases, repair corrupt databases, replicate databases, or perform
other database management activities. You can use these tools on a single database or on
multiple databases.

Compacting a Database

You can use the Compact Database tool to compact a database and remove any unused space
that is created when documents or attachments are deleted from a database.

To compact a database:
1. Select the databases to be compacted on the Files pane and select the
Database -> Compact tool. The Compact Database dialog box appears, as
shown in Figure 11-12:

Figure 11-12: The Compact Database Dialog Box


The Compact Database dialog box contains the following options:
• Compact only if unused space is greater than <n> %: Specifies
the minimum unused space in % in a database, before Domino
considers it for compacting.
• Discard any built view indexes: Discards all the view indexes in
the database while compacting.
• Set maximum size of database to 4GB: Sets the maximum size
of database to 4GB. This option is applicable only to R4
databases.
• Keep or revert back to R5 format: Retains the R6 file format for
the compacted R5 databases or converts the R6 databases to
R5 format.
• Archive database: Moves the documents eligible for archiving to
the archive database. Select this option if you have set the
archiving options for the database.
2. Select the options for compacting and select a style for the database to be
compacted. You can choose from three styles for compacting the database:
• In-place: Compacts the database without copying the file to
another location. As a result, it does not require extra disk space
while compacting. Users can continue using the database while
it is being compacted. The file size of the database remains the
same although the unused space is released. This is the
compact style used for databases enabled for Transaction
Logging because the databases retain their Database Instance
ID (DBIID).
• In-place with file size reduction: Releases unused space in the
database and reduces the file size of the database. You can use
this style of compacting for databases that are not enabled for
Transaction Logging because a new DBIID is assigned to the
databases.
• Copy style: Creates a copy of database in a different location
and then deletes the original database. This style requires extra
disk space. Users cannot use the database while the compacting
takes place and a new DBIID is assigned to the database.
3. After you select the style, click OK to compact the database.

Creating a Full Text Index

A full text index allows a user to quickly search a large database for a word or phrase by using the
search bar. To create a full text index for a single database, you can use the Database properties
dialog box. You can create full text indexes for multiple databases using the Files tab in the
Domino Administrator client.
Note To create a full text index you need to have at least Designer access to the
database.

To create a full text index for databases using the Files tab:
1. Select the databases for which you want to create full text indexes.
2. Select Database -> Full Text Index tool. The Full Text Index dialog box appears,
as shown in Figure 11-13:

Figure 11-13: The Full Text Index Dialog Box


3. Select Create to create a full text index.
4. Select the options for the full text index.
The Full Text Index dialog box contains the following options:
• Create, Update, or Delete: Creates, updates, or deletes a full
text index.
• Index attached files: Indexes the attachments. Select the With
found text option to include only the ASCII text from the
attachment in the index. Select the With file filters option to
include full binary content of the attachment.
• Index encrypted fields: Includes the encrypted text in the index.
• Index sentence and paragraph breaks: Includes sentence and
paragraph breaks in addition to word breaks in the index. This
option allows users to search for phrases.
• Enable case sensitive searches: Enables case-sensitive
searching. This option increases the size of the full text index.
• Index update frequency: Sets the frequency at which you want
the full text index to be updated. The Index update frequency
can be daily, scheduled, hourly or immediate.
5. Click OK to create the full text indexes for the selected databases.
Note Full text indexes create extra files on the disk. To save disk space on the
server, you must create full text indexes only for those databases that
require searching by text.

Setting Database Quotas and Warning Thresholds

You can assign a database quota to set a maximum size limit for a database. When the database
reaches a size specified in the database quota, the user gets the Cannot allocate database object -
database would exceed its disk quota message.
You can also set a warning threshold for a database so that before the database reaches the
quota, a warning appears that reads Warning, database has exceeded its size warning threshold.
Note The quota and warning threshold for the mail databases can be set at the
time of user registration.

To set up the Database Quota and warning threshold for a database:


1. Select Database -> Quotas tool from the Files tab. The Set Quotas dialog box
appears, as shown in Figure 11-14:

Figure 11-14: The Set Quotas Dialog Box


2. In the Database size quota section, select the Set database quota to option and
specify the quota size in MBs.
3. In the Quota warning threshold section, select the Set warning threshold to
option and specify a value that is less than the database quota.
4. Click OK to update the database quota and warning threshold.

Signing a Database

Signing a database vouches for the authenticity of a database. Signing is useful for implementing
workstation security using the Execution Control List (ECL) because the ECL works on the basis of
signatures. Server agents run with the identity of the signer of the agent. Signing the agents with
the server’s ID in a database helps execute the agents without giving extra rights to users.

You can sign a database with a particular server or user’s ID. To sign a database with the current
user or server’s ID:
1. Log on with the user ID with which you want to sign the database.
2. In the Files tab, select the databases that you want to sign.
3. Select Database -> Sign tool. The Sign Database dialog box appears, as shown
in Figure 11-15:

Figure 11-15: The Sign Database Dialog Box


4. Select Active User’s ID to sign the database with the user ID with which you
have logged on. Select Active Server’s ID to sign the database with the currently
selected server’s ID.
5. In the What do you want to sign field, select the database elements that you
want to sign. You can select:
• All design documents: Signs all the design elements in the
database, such as the forms, views, and agents.
• All data documents: Signs only the documents in the database.
• All documents of type: Signs a specific type of design
documents. You can select the type as Form, View, Icon, ACL,
Help, Agent, Shared Field, or Repl Formula.
• The specific Note ID: Signs a specific data or design document.
A Note ID uniquely identifies each document in a database. You
can specify the Note ID that you want to sign.
6. Select Update existing signatures only to update previously signed documents.
7. Click OK to sign the databases with the selected ID.

Analyzing a Database

To analyze the activity in a database, you can use the Database Analysis tool. This analysis helps
you troubleshoot database performance or other issues. The Database Analysis tool helps collect
information about selected databases from various sources, such as the replication history, the
server’s log, and the user activity information in the database properties.

Domino saves the result of a database analysis in a database created using the Database Analysis
template, DBA4.NTF.

To analyze a database:
1. Select the databases to be analyzed in the Files pane of the Files tab.
2. Select Database -> Analyze tool. The Analyze Database dialog box appears, as
shown in Figure 11-16:

Figure 11-16: The Analyze Database Dialog Box


3. In the Analyze Database dialog box, select the check boxes for the information
that you want to include in the analysis. You can select:
• Changes in Data documents: Includes any changes to the
documents in the database. The changes include additions,
modifications, and deletions of the documents.
• Changes in Design documents: Includes any changes to the
database ACL and design elements.
• User reads: Includes information about the total number of times
the users opened the documents in the database or the servers
read the database.
• User writes: Includes information about the total number of times
that the users or servers added, edited, or deleted documents in
the database.
• Find replicas on other servers: Includes data from other replicas.
• Replication history: Includes data about the successful
replications of the database from the replication history.
• Miscellaneous Events view in the log file: Includes any
information related to the database appearing in the
Miscellaneous Events view in the log file.
• Database usage view in the log file: Includes any information
related to the database activity appearing in the Usage - By User
view in the log file.
4. In the Analyze last <n> days of activity field, specify how many days of activity
to include. Entries from the last n days are considered in the analysis.
5. Click the Results button to specify the name and location for the result database.
The Results Database dialog box appears, as shown in Figure 11-17:

Figure 11-17: The Results Database Dialog Box


6. Select the server on which you want to place the result database and, if
required, change the Database title and the filename. The default Database title
is DB Analysis and the default Filename is dba4.nsf.
7. Select Overwrite database to overwrite the DB Analysis database if it exists or
select Append to this database to add to the existing contents of the database.
8. Click OK to close the Results Database dialog box.
9. Click OK to analyze the database for the selected options.
10. Open the DB Analysis database to view the results of the analysis, as shown in
Figure 11-18:

Figure 11-18: The DB Analysis Database

Managing Views

A view index is an internal table maintained by a Domino database to build a list of documents to be
shown in a view. Domino uses these view indexes to display the documents to the users in a
sorted order, as specified in the view. As the number of views and folders increases, the indexes
associated with them also increase. If you can sort a view on multiple columns dynamically, each
sorting order requires a separate view index. You can improve the performance of the database by
purging the database view indexes occasionally.

You can use the Manage Views database tool to purge the view indexes for selected databases.

To purge view indexes using the Manage Views tool:


1. Select the database in the Files pane.
2. Select Database -> Manage Views tool. The Manage the views of this database
dialog box appears, as shown in Figure 11-19:

Figure 11-19: The Manage the views of this database Dialog Box
3. Select the view and click the Purge button. Click Yes when prompted for
confirmation. The View index is purged.
4. Click Done to close the Manage the views of this database dialog box.

Optimizing Database Performance Using Advanced Database Properties

Configuring the advanced database properties for a Domino database can optimize the
database performance. This is because these properties help reduce the size of a
database and discard redundant information from it. In addition, these properties disable
features that may not be required for a database. If enabled, these features consume
unnecessary resources.
The advanced database properties of a database are located on the Advanced tab of the
Database dialog box, as shown in Figure 11-20. To access this dialog box, select File->
Database-> Properties.

Figure 11-20: The Advanced Tab of the Database Dialog Box

The advanced database properties include:


• Don’t maintain unread marks: Unread marks show which documents in a database
have not been read by a user. Maintaining unread marks consumes resources
because Domino maintains this information for every user. The databases where
this information is redundant, such as the Domino directory or Reference
databases, can benefit a lot by enabling this property.
Note You must compact the database after setting this property, otherwise the database
does not purge the unread marks information it already contains.
• Optimize document table map: When updating a view, Domino refers to the tables
of document information that are stored internally. By default, during the view
updates, Domino searches each table for documents that appear in the view that
is being updated. If you enable this property, the tables get associated with the
forms used by the documents contained in the table. Then, during a view
update, Domino searches only the tables associated with the forms used by
documents in the view being updated. This significantly improves the speed of
view updates.
Note If you select or clear the Document table bitmap optimization property, you must
compact the database so that the setting takes effect.
• Don't overwrite free space: When you delete data from a database, Domino
overwrites the deleted data on the disk with a pattern to prevent unauthorized
access to deleted data. This activity involves disk I/O every time you delete data
from the database and affects the database performance. You can enable this
property for databases that are secured from unauthorized disk access or the
databases for which security is not an issue.
• Maintain LastAccessed property: Every database maintains a last accessed
property that contains the date and time when the document was last modified
or read. By default, this property is not enabled. Enabling this property can have
a negative performance effect because updating the last accessed property for
read sessions requires disk I/O that is otherwise not needed for reading the
documents. You can enable this property for databases where you archive the
documents based on the period of inactivity.
• Don't support specialized response hierarchy: By default, every document stores
information about its parent and response documents. This information is used
by the views or replication formulas to select documents using the @AllChildren
and @AllDescendants functions. If the database does not use these functions,
you can enable this property to improve the database performance significantly.
Note If you select or clear the Don’t support specialized response hierarchy property,
you must compact the database so that the setting takes effect.
• Don’t allow headline monitoring: Users can set up headline monitoring to subscribe
to information in databases that is of interest to them. If many users subscribe to
a database this way, it affects performance. You can enable this property to
prevent users from monitoring a database.
• Use LZ1 compression for attachments: LZ1 is a quick and efficient method for
compressing attachments. This method works only in R6 Domino environments.
• Limit entries in $UpdatedBy field: Every document contains a $UpdatedBy field that
stores, by default, the name of the user or server who edited the document.
Maintaining a complete history of names requires disk space and affects
database performance. You can enable this property and specify the number of
entries that the $UpdatedBy field can contain. When the $UpdatedBy field
reaches this limit, the oldest entry is removed.
• Limit entries in $Revisions field: Every document contains a $Revisions field that
stores, by default, the date and time when the document was edited. By default,
the $Revisions field stores a history of up to 500 edits, each of which requires 8
bytes of disk space. You can enable this property to conserve disk space and
improve database performance. Specify the number of entries that the
$Revisions field can contain. When the $Revisions field reaches this limit, the
oldest entry is removed.

Using the Domino Administrator client, you can configure the advanced database
properties of multiple databases.

To configure the Advanced Database Properties for multiple databases:


1. From the Domino Administrator client, select the Files tab.
2. Select the databases for which you want to set the properties and select
Database-> Advanced Properties tool. The Advanced Database Properties
dialog box appears, as shown in Figure 11-21:

Figure 11-21: The Advanced Database Properties Dialog Box


Each property in the dialog box has two check boxes. The check box on the
left is used to select the property that must be updated in the selected
databases. Selecting the check box on the right enables the property, and
clearing it disables the property, in the selected databases.
3. Select the properties that you want to update and enable using the check box
on the right.
4. Click OK to update the database properties.

Fixing Corrupt Databases


Domino provides various tools to fix corrupt databases. If documents or views in a database are
corrupted, you will be unable to access them. A database may be corrupted if your server is shut
down due to power failure or hardware failure causing the transaction taking place on the database
to remain incomplete.

To repair a corrupt database, you can use the following tasks:


• Update All (UPDALL): Repair corrupted views.
• Fixup: Repair corrupted views and documents.
• Compact with -c option: Rebuild all the views by pressing the CTRL+SHIFT+F9 keys
simultaneously.

The UPDALL Task

You use the UPDALL task to update the view or full text search indexes on the server databases.
By default, UPDALL is included in the NOTES.INI setting ServerTasksAt2. As a result, it runs daily
at 2 A.M.

Running UPDALL daily helps save disk space because UPDALL also purges deletion stubs from
databases and discards view indexes for views that have been unused for 45 days.

You can run the UPDALL task by using the server console command:
LOAD UPDALL <database> <options>

You can specify options with this command to define what UPDALL does. For example, to rebuild
all the views in the database, use:
LOAD UPDALL <database> -R

You can use the Domino Administrator client to run the UPDALL task and specify the options
interactively.

To run the UPDALL task using the Domino Administrator client:


1. Select the Server tab-> Status tab-> Server Tasks view.
2. To start the UPDALL task, select Task-> Start in the Tools pane, as shown in
Figure 11-22:

Figure 11-22: Starting the UPDALL Task


The Start New Task dialog box appears, as shown in Figure 11-23:

Figure 11-23: The Start New Task Dialog Box


3. Select Update all (Database Indexer) from the list of tasks.
4. Select the Select advanced options option and click the Start Task button. The
Lotus Notes dialog box used to specify options for the UPDALL appears, as
shown in Figure 11-24:

Figure 11-24: The Basics Tab of Lotus Notes Dialog Box


5. To run UPDALL on all the databases on the server, select Index all databases.
Select Index only this database or folder to specify the name of a database or a
folder. To run UPDALL on a single view, select the Update this view only option
and specify the view name.
6. Click the Update tab to specify options to update the existing view, as shown in
Figure 11-25:

Figure 11-25: The Update Tab of Lotus Notes Dialog Box


7. Select the All built views option to update only the already built views. To update
the full text indexes, select the Full text indexes option, and select All to update
all full text indexes in the database. You can also choose to update selective
indexes based on the frequency of index update by selecting the Only those with
frequency setting set to option.
8. Click the Rebuild tab to specify the indexes that UPDALL should rebuild. The
Rebuild tab appears, as shown in Figure 11-26:

Figure 11-26: The Rebuild Tab of Lotus Notes Dialog Box


9. Select the Rebuild options only if the views and indexes have been corrupted
because this is a resource intensive option. To rebuild views, select the Full text
indexes and additionally: option, and then select All used views.
10. Click OK to start the index update process on the server.
11. Click Done to close the Start New Task dialog box.

The UPDALL task runs on the server and updates the specified indexes.

The FIXUP Task

You use the FIXUP task to fix corrupt documents and views. The FIXUP task runs automatically on
the server when you restart the server after an abnormal shutdown, to attempt to fix any
inconsistencies that resulted from partially written operations caused by the shutdown.

You can run FIXUP on a database using any of three options:


• The server console command:
LOAD FIXUP <Database> <Options>
This command helps you to fix any database inconsistencies caused by partially
written operations on the databases.
• The Task-> Start tool in Server-> Status tab: The Start tool allows you to start a
task on the Domino server by using the Domino Administrator client.
• The Fixup tool in the Database tools on the Files Tab: The Fixup tool allows you to
fix selected databases using the Domino Administrator client.

To fix a database using the Fixup tool in the Files tab:


1. Select the Files tab in the Domino Administrator client.
2. Select the database on which you want to run Fixup from the Files pane and
select Database -> Fixup tool from the Tools pane. The Database Fixup dialog
box appears, as shown in Figure 11-27:

Figure 11-27: The Database Fixup Dialog Box


3. Select the fixup options in the Database Fixup dialog box. The fixup options are
as follows:
• Report all processed databases to logfile: Logs every database
that fixup opens and checks for corruption.
• Exclude views: Excludes views from the fixup so that it happens
fast. You can select this option if the views of a database are not
corrupt.
• Perform quick fixup: Performs the fixup less thoroughly but fast.
• Scan only since last fixup: Runs fixup only on documents
modified since the last fixup. If you do not select this option, fixup
runs on all documents.
• Optimize user unread lists: Reverts the ID table in a database to
a previous release format. This option is not recommended.
• Don’t purge corrupted documents: Retains the deletion stubs of
corrupt documents. By default, fixup deletes the corrupt
documents and purges the deletion stubs so that the documents
can be retrieved from a replica. You can select this option if you
do not have a replica and the corruption is minor.
• Fixup transaction-logged databases: Runs fixup on databases
that are enabled for Transaction Logging. By default, fixup does
not run on transaction-logged databases.
4. Click OK to fix the selected databases.

Transaction Logging
Transaction Logging records all the changes made to a database into log files called the
transaction logs. Domino writes the logged transactions to the disk in a batch, when resources are
available or when scheduled. If the server fails before Domino has written the transactions to
the disk, the transaction log applies these changes to the database when you restart the server.

You can create regular backups of only the transaction logs instead of full database backups. In
case the server fails and you have to restore an old version of the database, you can replay the
changes from the transaction log backups. This saves time during the backup as well as the
restore process.

When you enable Transaction Logging, Domino assigns a unique DBIID to each Domino database.
When Domino records a transaction in the log, it includes this DBIID. During recovery, Domino
uses the DBIID to match transactions to databases.

Domino assigns a new DBIID to a database when:


• You enable Transaction Logging for the first time.
• You run the Compact task.
• You run the Fixup task on corrupted databases.
• You move a Domino database to a logged server.
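
The DBIID matching described above can be modeled in a few lines to show what a DBIID change means for backups: a full backup taken before the change cannot receive log records written after it. This is an added illustration, not Domino code; the classes, the DBIID format, and the database name sales.nsf are constructed for the example.

```python
from dataclasses import dataclass, field
from itertools import count

_serial = count(1)


def new_dbiid():
    """Constructed stand-in for a DBIID; real DBIIDs are assigned by Domino."""
    return f"DBIID-{next(_serial):03d}"


@dataclass
class Database:
    name: str
    dbiid: str = field(default_factory=new_dbiid)
    docs: dict = field(default_factory=dict)

    def copy(self):
        # A full backup (or a restored copy) keeps the DBIID it was taken with.
        return Database(self.name, self.dbiid, dict(self.docs))


@dataclass(frozen=True)
class LogRecord:
    dbiid: str   # DBIID the database had when the change was logged
    doc: str
    value: str


class LoggedServer:
    """Toy server whose transaction log is never overwritten (assumption)."""

    def __init__(self):
        self.log = []

    def save(self, db, doc, value):
        self.log.append(LogRecord(db.dbiid, doc, value))
        db.docs[doc] = value

    def compact(self, db):
        # One of the events listed above that gives the database a new DBIID.
        db.dbiid = new_dbiid()


def restore(backup, log):
    """Restore a full backup, then replay only records whose DBIID matches it."""
    db = backup.copy()
    skipped = 0
    for rec in log:
        if rec.dbiid == db.dbiid:
            db.docs[rec.doc] = rec.value   # replay is idempotent in this model
        else:
            skipped += 1                   # logged under a different DBIID
    return db, skipped


def scenario():
    server = LoggedServer()
    db = Database("sales.nsf")             # constructed database name
    server.save(db, "doc1", "v1")
    old_backup = db.copy()                 # full backup taken before Compact
    server.save(db, "doc2", "v1")
    server.compact(db)                     # DBIID changes here
    server.save(db, "doc3", "v1")          # logged under the new DBIID

    stale, stale_skipped = restore(old_backup, server.log)

    new_backup = db.copy()                 # full backup taken after the change
    server.save(db, "doc4", "v1")
    fresh, fresh_skipped = restore(new_backup, server.log)
    return sorted(stale.docs), stale_skipped, sorted(fresh.docs), fresh_skipped
```

In the model, restoring the older backup recovers doc1 and doc2 but not doc3, which is why a new full backup is needed after any of the events listed above.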

Configuring Transaction Logging on a Server

To enable Transaction Logging for databases on the server, you must enable it in the server
document. In this document, you can specify information such as the log path, the maximum log
space, and how Domino should log checkpoints to enhance the performance of databases.

To configure Transaction Logging on a server:


1. Select Configuration tab-> Server section-> All Server Documents view in the
Domino Administrator client.
2. Open the Server document for the Domino server on which you want to enable
Transaction Logging.
3. Click the Edit Server action to edit the Server document.
4. Select the Transaction Logging tab, as shown in Figure 11-28:

Figure 11-28: The Transaction Logging Tab of the Server Document


5. Select Enabled in the Transaction logging field to enable Transaction Logging on
the server.
The options you can select in the Transaction Logging Tab are:
• Log Path: Specify the path for the transaction log files. The path
is relative to the server’s DATA folder. Specify the full path for
folders located outside the DATA folder.
• Logging Style: Choose Circular to reuse the log files and
overwrite the old transactions. Choose Archived to reuse log files
after they have been archived. Choose Linear to reuse the log
files for log size greater than 4 GB.
• Use all available space on the log device: Select Yes if you are
using a separate log device and to use all the space on the
device for logging.
• Maximum log space: The maximum space that the log can
occupy.
• Automatic fixup of corrupt databases: Select Enabled to
automatically fixup a database that transaction logging cannot
recover. Fixup assigns a new DBIID to the database.
• Runtime/Restart performance: This field controls how often
Domino records a recovery checkpoint in the transaction log.
You can select Favor runtime to record fewer checkpoints and
improve the runtime performance. Select Standard to record
regular checkpoints and select Favor restart recovery time to
record more checkpoints so that the log is applied at regular
intervals and restart recovery is faster.
• Quota enforcement: Select how the quota on a database should
be applied. You can select Check space used in file when adding
a note, Check file size when extending a file, or Check file size
when adding a note.
6. Click the Save & Close action to save and close the document.

Restart the server to enable Transaction Logging on the server.


Note You can disable Transaction Logging for individual databases using
Advanced Database properties.

Chapter 12: Configuring Domino as a Web Server


The Domino Web server allows Web clients, such as browsers, to access the databases and other
files on the Domino server. The Domino server automatically converts all Notes database design
elements and documents to Web pages, which enables you to access the Notes databases
through a Web browser. In addition, the Domino Web server provides logging, configuration, and
security management features. The Domino Web server uses HTTP to accept and respond to the
user requests sent from a Web browser. If a Web client requests information from a database, the
Domino Web engine converts the information to HTML on the fly.

Domino R6 allows you to create Web Site documents, which help you to define the Web
configuration settings at one place and apply the same settings to multiple servers. The Web Site
documents also enable you to create Web Configuration documents, such as Web Rules, File
Protection documents, and authentication realms, just once for a Web site.

This chapter explains how to configure a Domino server as a Web server. It also explains how to
create Web Configuration documents. In addition, it describes the options to customize the Web
server and the Web server messages.

Configuring a Web Server


You can configure a Domino server as a Web server to allow Web clients to access the databases
on the server. You can configure the Domino server as an internal Web server to set up an Intranet
or connect it to the Internet. To allow users to connect to the server over the Internet, you must
connect the server to an Internet Service Provider (ISP) and register the server's domain name and
IP address on the ISP's Domain Name System (DNS) server.

To configure the Domino Web server:


• Create a Web Site document, which contains the Web site configuration information.
• Enable the Domino server to inherit the Internet configuration from the Web site
document. The Server document contains the option to enable the Domino server.
• Start the Web Server task. The Domino server must run the HTTP task to become a
Web server.

Creating a Web Site Document

A Web Site document contains the configuration settings for the Domino Web server. The Domino
directory lists Web Site documents in the Internet Sites view. By default, Web Site documents are
not associated with specific Domino servers. All servers in a Domino domain automatically use the
same Web Site documents in the Internet Sites view. This ensures that each time you add a new
server to the domain, the server inherits the existing Web configuration. When you add or modify a
Web Site document, all the servers in the domain automatically pick up the change.
Note Optionally, in the Web Site document, you can specify the Domino servers
that will host a site. The servers that you do not specify in the Web Site
document will not load the site configuration.

To create a Web Site document:


1. In the Domino Administrator client, select Configuration tab-> Web section->
Internet Sites view, as shown in Figure 12-1:

Figure 12-1: The Internet Sites View


2. Click the Add Internet Site action to create a Web Site document, as
shown in Figure 12-2:

Figure 12-2: A Sample Web Site Document


3. In the Descriptive name for this site field, type a name that describes the Web
site you are creating. This name appears in the Internet Sites view.
4. In the Organization field, specify the name of your organization-level certifier.
5. Enable the Use this web site to handle requests, which cannot be mapped to
any other web sites option. When you enable this option, the Web Site
document becomes the default Web Site document for the domain.
6. In the Host name or addresses mapped to this site field, specify the DNS names
or IP addresses that you want to map to the Web site. When a user connects to
any server using a browser, the user sees the first Web site where this field
contains the server name.
7. In the Domino servers that host this site field, specify the name of the Domino
servers in your domain that will host the selected Web site.
8. Click the Configuration tab to specify the default directories for the Web site, as
shown in Figure 12-3:

Figure 12-3: The Configuration Tab of a Web Site Document


The Configuration tab of the Web Site document contains the following fields:
• Home URL: Allows you to specify the URL of the page that
appears when a user opens the Web site.
• HTML directory: Allows you to specify the location of HTML files
on the Web server. You can specify either the path relative to the
Domino DATA folder or the full path. The default path is
domino\html.
• Icon directory: Allows you to specify the directory in which
Domino stores the default icons used in the databases. Specify
the path relative to the Domino DATA folder or the full path. The
default path is domino\icons.
• Icon URL path: Allows you to specify the URL that is used to
access an icon in the Icon directory. The default URL is /icons.
• CGI directory: Allows you to specify the location of Common
Gateway Interface (CGI) program files on the Web server. You
can specify either the path relative to the Domino DATA folder or
the full path. The default path is domino\cgi-bin.
• CGI URL path: Allows you to specify the URL that is used to run
a CGI program in the CGI directory. The default URL is /cgi-bin.
• Java applet directory: Allows you to specify the directory in which
Domino stores the Java applets and other Java programs.
Specify the path relative to the Domino DATA folder or the full
path. The default path is domino\java.
• Java URL path: Allows you to specify the URL that is used to
access the Java programs in the Java applet directory. The
default URL is /domjava.
• DSAPI filter file names: Allows you to specify the names of the
Domino Web Server Application Programming Interface (DSAPI)
filter files. DSAPI is a C API that you can use to write your own
extensions to the Domino Web Server that let you customize the
authentication of Web users.
• Allowed Methods: Allows you to select the HTTP methods
allowed on the Web server. Every HTTP request that a user
sends to the Web server uses an HTTP method, such as GET,
POST, or DELETE, for execution. Select from GET, HEAD,
POST, OPTIONS, TRACE, PUT, and DELETE methods.
• WebDAV: Allows you to enable Web-based Distributed Authoring
and Versioning (WebDAV) support on the Domino Web server.
WebDAV support in the Domino Web Server enables application
designers to work with design elements, such as HTML files,
images, and other file-based resources using Web-based
authoring and development tools.
9. Save and close the document.

Loading the Internet Configuration from the Web Site Documents

To ensure that Domino receives the Internet protocol configuration information from the Web Site
documents, you must enable the Domino server to inherit the Internet configuration from the
Internet Sites view. Domino ignores the comparable configuration settings in the Server document.
If you do not enable the use of the Internet Sites view, Domino uses the Server document settings
to obtain protocol configuration information.
Note You can use the Internet Sites view for Domino 6 servers only.

To enable use of Internet Sites view on the Domino server:


1. In the Domino Administrator client, select Configuration tab-> Server section->
All Server Documents View, as shown in Figure 12-4:

Figure 12-4: The All Server Documents View


2. Open the Server document for the server for which you want to enable the use
of Internet Sites view and click Edit Server.
3. On the Basics tab, enable the Loads Internet configurations from Server\Internet
Sites documents option, as shown in Figure 12-5:

Figure 12-5: The Basics Tab of the Server Document


4. Save and close the document.
5. Restart the server.

Starting the Web Server Task

To configure Domino as a Web server, you must start the HTTP task on the server. To start the
HTTP task, use the following server console command:
LOAD HTTP

This command starts the HTTP task on the server. When you load the HTTP task on the server for
the first time, Domino also creates a Domino Web Administrator database (WEBADMIN.NSF). You
use this database to perform administration activities using a browser.

A console message also indicates that the HTTP task is using Internet sites to obtain Internet
protocol configuration information.

Creating Documents to Manage a Web Site


You need to manage a Web site to ensure that all users can access the site without encountering
errors. A Web site may undergo changes if you move the databases or other Web pages to new
locations or remove the pages. The Web site may contain links that still point to the old Web
pages. When Web users access these links, they see error messages. The Domino Web server allows
you to create Web Site Rule documents to handle these broken links.

You manage the security of Domino databases using the ACL. You also need to secure other Web
pages created using the HTML or CGI programs that a Web site contains. To manage the security
of non-Notes files, Domino allows you to create Web Site File Protection documents.

Further, to ensure that Web users log on just once to the Web site and are not
prompted repeatedly for authentication, you can define Web Site Authentication Realms. You can
also create a Web SSO (Single Sign-On) Configuration document to ensure that Web users
authenticate for all the servers in the Domain when they log on to the Web site.

Creating Web Site Rules

The Web Site document defines the default location for the HTML, JAVA, CGI, and other files on
the Domino Web server. If you want to keep these files in any other location or you want to move
these files without breaking any links on your Web site, you can define Web site rules.

A Web Site rule maps the new location of the files to the old URL. To manage files on your Web
Site, you can create three types of Web Site rules:
• Directory: Allows you to access a directory on the Domino Web server file system
by a URL path.
• Redirection: Allows you to redirect a URL to a different location or Web site.
• Substitution: Allows you to replace a string in the URL with a different string.
Note In addition to these rules, you can also create an HTTP response header
rule. This rule allows the customization of the headers, such as Expires or
Custom, that Domino sends in response to HTTP requests.

Creating a Directory Rule


You can create a Directory rule if you have moved a directory from the default path to a new
location. A Directory rule maps the new directory to the original URL path. For example, Domino
stores the default icons used in databases in the domino\icons directory on the server. The URL
path for accessing these icons is /icons. If you move this directory to a new location, such as
c:\icons, the icons on the pages that you view will not display because the icons do not lie in the
specified path. To ensure that the icons keep displaying even if the directory path is changed, you
can create a Directory rule.

To create a Directory rule:


1. In the Domino Administrator client, select Configuration tab-> Web section->
Internet Sites view.
2. Open the Web Site document of your Internet site and select Web-> Create
Rule action, as shown in Figure 12-6:

Figure 12-6: Creating a Web Site Rule


A Web Site Rule document opens, as shown in Figure 12-7:

Figure 12-7: A Directory Web Site Rule Document


3. In the Description field, describe the purpose of the rule.
4. Select Directory in the Type of rule field.
5. In the Incoming URL pattern field, specify the URL that you want to map to the
target server directory. For example, in this case, specify /icons.
6. In the Target server directory field, specify the directory that you want to map
to the URL pattern. For example, to specify that the URL /icons must retrieve
the Domino default icons from the C:\ICONS directory, specify c:\icons.
7. Specify an access level in the Access level field. To allow the Web users to
read the content of the directory, specify Read. You can also specify Execute
to allow Web users to load and run the CGI programs from the directory.
8. Save and close the document.

Creating a Redirection Rule

You can create a Redirection rule if you have moved a database or any other file to a different
location on the server. If your Web site is under maintenance, you can also use this rule to redirect
the user to a different Web site. When a Web user tries to access the site under maintenance, the
server redirects the user to the alternate site. The user can see the alternate URL to which the user
has been redirected. For example, if the e-mail file for a user Tanya moves to a server named
app_server, you can create a Redirection rule so that all links to Tanya’s e-mail file redirect the
user to the new server.

To create a Redirection rule:


1. Open the Web Site document of your Internet site and select Web-> Create
Rule action.
2. In the Description field, describe the purpose of the rule.
3. Select Redirection in the Type of rule field, as shown in Figure 12-8:

Figure 12-8: A Redirection Web Site Rule


4. In the Incoming URL pattern field, specify the URL that you want to redirect.
For example, /mail/Tanya.nsf?opendatabase.
5. In the Redirect to this URL field, specify the URL to which the request should
be redirected. For example, http://app_server/mail/tanya.nsf?opendatabase.
6. Save and close the document.

Creating a Substitution Rule


You can create a Substitution rule to allow users to use multiple URLs to access a resource. This is
helpful if you have migrated Web pages from a different Web server platform to the Domino server.
You can continue using the old URL links by creating Substitution rules. For example, if the old
links use /images to access the Web page icons on the Web server, you can substitute /images
with /icons to ensure that the links work on Domino Web server.

To create a Substitution rule:


1. Open the Web Site document of your Internet site and select the Web->
Create Rule action.
2. In the Description field, describe the purpose of the rule.
3. Select Substitution in the Type of rule field, as shown in Figure 12-9:

Figure 12-9: A Substitution Web Site Rule


4. In the Incoming URL pattern field, specify the URL string that you want to
replace. In this case, specify /images.
5. In the Replacement pattern field, specify the URL string that you want to
substitute in the incoming URL. In this case, specify /icons.
6. Save and close the document.
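
How the three rule types differ can be seen in a small resolver built from the examples above (/images, the redirect for Tanya's mail file, and /icons mapped to c:\icons). This is an added model, not Domino's implementation: the evaluation order (substitution, then redirection, then directory), the case-insensitive matching, and the containment check on the mapped file path are assumptions of the example.

```python
import ntpath
from dataclasses import dataclass
from urllib.parse import unquote


@dataclass(frozen=True)
class Rule:
    kind: str             # "substitution", "redirection" or "directory"
    pattern: str          # the rule's Incoming URL pattern field
    target: str           # replacement pattern, redirect URL, or target directory
    access: str = "Read"  # Directory rules only: "Read" or "Execute"


# The three example rules from the text above.
RULES = [
    Rule("substitution", "/images", "/icons"),
    Rule("redirection", "/mail/Tanya.nsf?opendatabase",
         "http://app_server/mail/tanya.nsf?opendatabase"),
    Rule("directory", "/icons", r"c:\icons", access="Read"),
]


def _under(path, prefix):
    """True if path equals prefix or lies below it on a '/' boundary."""
    path, prefix = path.lower(), prefix.lower().rstrip("/")
    return path == prefix or path.startswith(prefix + "/")


def _map_to_directory(base, rest):
    """Join the URL remainder onto the target directory and refuse any
    result that does not stay inside that directory."""
    rel = unquote(rest).lstrip("/\\")
    full = ntpath.normpath(ntpath.join(base, rel))
    base_n = ntpath.normcase(ntpath.normpath(base))
    full_n = ntpath.normcase(full)
    if full_n != base_n and not full_n.startswith(base_n + "\\"):
        return None
    return full


def resolve(url, rules=RULES):
    """Return (action, value, access) for an incoming URL."""
    # 1. Substitution: replace the matching leading string, keep the rest.
    for r in rules:
        if r.kind == "substitution" and _under(url.split("?", 1)[0], r.pattern):
            url = r.target + url[len(r.pattern.rstrip("/")):]
            break
    # 2. Redirection: the whole URL, query string included, must match.
    for r in rules:
        if r.kind == "redirection" and url.lower() == r.pattern.lower():
            return ("redirect", r.target, None)
    # 3. Directory: map the URL path onto the target server directory.
    path = url.split("?", 1)[0]
    for r in rules:
        if r.kind == "directory" and _under(path, r.pattern):
            rest = path[len(r.pattern.rstrip("/")):]
            full = _map_to_directory(r.target, rest)
            if full is None:
                return ("reject", path, None)
            return ("file", full, r.access)
    # No rule matched: the server's default handling applies.
    return ("default", url, None)
```

An old /images link ends up as a file under c:\icons with Read access, while a path that would resolve outside the target directory is rejected instead of mapped.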

Creating a File Protection Document

You can create a File Protection document to protect files other than the Domino databases.
Domino protects the databases on a Domino server through the database ACL, but other files,
such as the HTML files or CGI programs residing on the Domino Web server, do not have any
access list. To define access on these files, you can create File Protection documents.

To create a File Protection document:


1. In the Domino Administrator client, select Configuration tab-> Web section->
Internet Sites view.
2. Open the Web Site document of your Internet site and select the Web-> Create
File Protection action. The Web Site File Protection document appears, as
shown in Figure 12-10:

Figure 12-10: The Web Site File Protection Document


3. In the Description field, specify the purpose of the Web Site File Protection
document that you are creating.
4. In the Directory or file path field, specify the folder or a file for which you want to
restrict access.
5. The Current access control list shows the current access for the document. To
change the current access, click the Set/Modify Access Control List button. This
shows the ACL in a Lotus Notes dialog box, as shown in Figure 12-11:

Figure 12-11: The Lotus Notes Dialog Box Showing the ACL for the Selected File
6. To add a name to the ACL, click the entry helper button in the Name field and
select a name from the Domino directory.
7. In the Access field, select the access that you want to give to the selected user.
You can assign Read/Execute access, Write/Read/Execute access, or No
Access.
8. Click OK to save the entries and close the dialog box.
9. Click Save & Close to save and close the File Protection document.

To test the Web Site File Protection document, restart the HTTP task on the server and access the
file for which you have created the File Protection document using the browser.
Domino prompts for your user name and Internet password, as shown in Figure 12-12:

Figure 12-12: The Enter Network Password Dialog Box

Domino allows you to access the file if you have been granted access in the File Protection
document.

Creating a Web Site Authentication Realm


An authentication realm specifies the text string that must be returned to the user when Domino
prompts the user for the name and password in a browser, as shown in Figure 12-13:

Figure 12-13: The Enter Network Password Dialog Box Showing a Realm String

The browser stores the realm string along with the user’s credentials to determine the realm for
which the user has been authenticated. If the user accesses more files in the same realm, the user
is not prompted for authentication.

By default, Domino sends the folder path that a user is trying to access as the realm. For example,
if a user accesses a database in the Domino DATA folder, Domino authenticates the user for
the / realm. If the user accesses the mail folder inside the Domino DATA folder, Domino
authenticates the user for the /mail realm. When Domino authenticates a user for a realm, it also
authenticates the user for all the child paths under the realm. For example, if Domino authenticates
a user for the / realm, it authenticates the user for the /mail realm as well. But if Domino
authenticates a user for the child realm first, it prompts the user for authentication when the user
tries to access any file in the parent realm.

You can create a Web Site Authentication Realm document to change the default realm returned
when a user accesses a file on the Domino Web server. You can use this to authenticate a user for
the parent folder when the user accesses a subfolder, so that the user is not prompted for
authentication while accessing the parent realm.

To create a Web Site Authentication Realm document:


1. In the Domino Administrator client, select Configuration tab-> Web section->
Internet Sites view.
2. Open the Web Site document of your Internet site and select Web-> Create
Authentication Realm. The Web Site Authentication Realm document appears,
as shown in Figure 12-14:

Figure 12-14: The Web Site Authentication Realm Document


3. Specify the description for the Authentication Realm document in the Description
field.
4. In the Directory or file path, specify the folder or files for which you want to
define the realm.
5. Specify the realm string in the Realm label returned to browser field.
6. Save and close the document.
7. Restart the HTTP task for the authentication realm to take effect.
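
The realm behavior described in this section can be checked with a small model. This is an added example, not Domino code: the function names, the sample paths (/mail/jdoe.nsf and /names.nsf) and the longest-path matching rule are assumptions made for illustration.

```python
import posixpath


def default_realm(url_path):
    """Default realm per the text: the folder path of the requested file."""
    return posixpath.dirname(url_path) or "/"


def realm_for(url_path, realm_docs):
    """Realm string returned to the browser for url_path.

    realm_docs maps a 'Directory or file path' value to a 'Realm label
    returned to browser' value. The longest matching path wins, which is
    an assumption of this model.
    """
    best = None
    for doc_path, label in realm_docs.items():
        prefix = doc_path.rstrip("/")
        if url_path == doc_path or url_path.startswith(prefix + "/"):
            if best is None or len(doc_path) > len(best[0]):
                best = (doc_path, label)
    return best[1] if best else default_realm(url_path)


def covers(held, requested):
    """True if a realm the user already holds also covers the requested realm."""
    if held == requested:
        return True
    if not held.startswith("/"):
        return False  # free-text label: exact match only (model assumption)
    return requested.startswith(held.rstrip("/") + "/")


class Browser:
    """Remembers the realms for which the user has already authenticated."""

    def __init__(self):
        self.realms = set()

    def request(self, url_path, realm_docs=None):
        """Return True if this request causes a name and password prompt."""
        realm = realm_for(url_path, realm_docs or {})
        if any(covers(held, realm) for held in self.realms):
            return False
        self.realms.add(realm)  # the user answers the prompt successfully
        return True


def count_prompts(paths, realm_docs=None):
    """Number of prompts a user sees when visiting paths in order."""
    browser = Browser()
    return sum(browser.request(p, realm_docs) for p in paths)


if __name__ == "__main__":
    child_first = ["/mail/jdoe.nsf", "/names.nsf"]
    parent_first = ["/names.nsf", "/mail/jdoe.nsf"]
    print("child first, default realms: ", count_prompts(child_first))
    print("parent first, default realms:", count_prompts(parent_first))
    # Authentication Realm document: path /mail returns the parent label "/".
    print("child first, realm document: ", count_prompts(child_first, {"/mail": "/"}))
```

A broader realm label also widens the set of paths for which the browser resends the stored credentials, so keep the label no broader than the content that should share one logon.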

Enabling Single Sign-On

Single sign-on (SSO) allows Web users to log on once to a Domino server, and then access any
other Domino server in the same DNS domain without having to log on again. All the servers that
the user can log on to without authenticating again must be enabled for SSO.
Note Users’ Web browsers must have cookies enabled to take advantage of SSO.
This is because the authentication token generated by the server is sent to
the browser in a cookie.

To enable SSO for a domain:

• Create a Web SSO Configuration document in the domain’s Domino directory. This
procedure creates a Domino SSO key.
• Enable session authentication for the Domino Web servers and apply the SSO key.

To create a Web SSO Configuration document:


1. In the Domino Administrator client, select Configuration tab-> Web section->
Internet Sites view.
2. Click the Create Web SSO Configuration action, as shown in Figure 12-15:

Figure 12-15: Internet Sites View Showing the Create Web SSO Configuration Action
The Web SSO Configuration for: document opens, as shown in Figure 12-16:

Figure 12-16: The Web SSO Configuration for: Document


3. In the Configuration Name field, specify a unique name for the Web SSO
Configuration document.
4. In the Organization name field, specify the name of the Organization for the Web
Site.
5. In the DNS Domain field, specify the DNS domain for the servers included in the
SSO.
6. In the Domino Server Names field, select the servers participating in SSO. All
the selected servers must belong to the same DNS domain.
7. In the expiration field, specify the interval in minutes after which the SSO token
for a user expires. The default is 30 minutes.
8. Click the Keys action. A drop-down list appears containing various options, as
shown in Figure 12-17:

Figure 12-17: Keys Action in the Web SSO Configuration Document


9. To create a key for setting up SSO only for Domino servers, select the Create
Domino SSO Key option. A message box indicates that the Domino SSO key
has been successfully created.
10. Save and close the document.

After you have created the Web SSO Configuration document, you need to enable
multiserver-based session authentication on the selected Domino servers. Session authentication
enables a Web client to log on to a server with a cookie for a specified duration. You can enable
session authentication using the Web Site document for the selected servers.

To enable session authentication for a Domino server:


1. In the Domino Administrator client, select Configuration tab-> Web section->
Internet Sites view.
2. Open the Web Site document for your site and click Edit Web Site.
3. Select the Domino Web Engine tab on the Web Site document, as shown in
Figure 12-18:

Figure 12-18: The Domino Web Engine Tab of a Web Site Document
4. Click the entry helper button in the Session authentication field. The Select
Keywords dialog box appears, as shown in Figure 12-19:

Figure 12-19: The Select Keywords Dialog Box


5. Select Multiple Servers (SSO) to enable SSO on the participating servers and
click OK to close the dialog box.
6. In the Web SSO Configuration field, select the Web SSO Configuration
document created, as shown in Figure 12-20:

Figure 12-20: Selecting a Web SSO Configuration Document


7. Save and close the document.
8. Restart the HTTP task on the Domino Web server for the settings to take effect.

Customizing the Web Server


You can customize the Domino Web server to improve server performance, enable logging of
client activity, or specify the conversion and display format for pages on the Web.

You use the Server document and the Web Site documents to customize the Domino Web Server.
The Web Site document contains options to customize the image conversions and the display
options for the view pages. These settings are also available in the Server document, but if you
use the Web Site document for a server, the settings from the Web site document apply. The Web
Site document also allows you to specify the amount of caching on the server. You use the Server
document to enable logging of user activity on the Web server and to specify the timeouts options
for the Web server.

Customizing Conversion and Display Options

Images and other graphics take time to load when a Web page opens. Domino allows you to
specify the format to which the images on a Web page should be converted. It also allows you to
specify the options to display images quickly and to customize the view display and the search
results.
The Domino Web Engine tab of the Web Site document contains the Conversion/Display options,
as shown in Figure 12-21:

Figure 12-21: The Conversion/Display Section

The Conversion/Display section contains the following options:

• Image conversion format: Allows you to select the format to which you want to
convert the images in the Web documents. The options are GIF and JPEG.
• Interlaced rendering: Allows you to specify how a GIF image must be loaded.
Select Enabled to display each line of the image individually. Select Disabled to
wait for the complete image to be loaded. Interlaced rendering displays the image
quickly, even before the entire image is loaded.
• Progressive rendering: Allows you to specify how a JPEG image must be loaded.
Select Enabled to load the image in several passes. Select Disabled to wait for the
entire image to download.
• JPEG image quality: Allows you to select the quality of a JPEG image. The higher
the value in this field, the longer it takes to load the image.
• Default lines per view page: Allows you to specify the default number of lines that
should be displayed in a view page. A user can select the desired number of lines
by specifying the value as an argument with the URL. The default is 30.
• Maximum lines per view page: Allows you to specify the maximum number of lines
that a user can view in a Notes view page.
• Default search limit result: Allows you to specify the default number of results that
should be returned for a search request. A user can specify the number of results
as an argument with the search URL. The default is 250.
• Maximum search limit result: Allows you to specify the maximum number of search
results that Domino can return to a user.
• Make this site accessible to Web search site crawlers: Allows you to make this site
accessible to Web search site crawlers. Domino URLs use the ? sign extensively
to specify arguments. Web crawlers ignore the ? sign. Enable this option to force
Domino to use an ! sign instead of a ? sign for the links on generated pages.
• Redirect to resolve external links: Allows you to specify whether the Domino server
should accept or create redirect URL commands.

Managing Web Server Cache


Caching of database design elements and user information on the Web server improves the
response time of the server. The Domino Web Engine tab of the Web Site document contains
options to customize the Web server cache, as shown in Figure 12-22:

Figure 12-22: The Memory Caches Section

The Memory Caches section contains the following options:

• Maximum cached designs: Allows you to specify the number of database design
elements that Domino caches for users. The default is 128. When Domino
retrieves a design element cached in the memory, it retrieves it quickly.
• Maximum cached users: Allows you to specify the number of users that Domino
can cache. The default is 64. For an authenticated user, Domino stores the name
of the user and the password and groups to which the user belongs in the memory.
• Cached user expiration interval: Allows you to specify the time interval in seconds
after which Domino removes the user names, passwords, and group memberships
from the cache. The default is 120.

Enabling Logging on the Web Server

You can log Domino Web server requests to record user activity on the Web server. You can log
the user requests to a database and to text files. Domino uses the DOMLOG.NSF database to log
the Web Server requests.
The HTTP tab of the Internet Protocols tab in the Server document contains the options to enable
logging on the Web server, as shown in Figure 12-23:

Figure 12-23: Options to Enable Logging on the Domino Web Server

To enable logging on the Web server:


1. In the Enable Logging to section, set the Log files field to Enabled to enable
logging to text files. Set the Domlog.nsf field to Enabled if you want to log to the
database as well.
2. In the Directory for log files field of the Log File Names section, specify the
directory in which you want to create the log files.
3. In the Access log field, specify the prefix to be used for the log file name that
records the Web Server access statistics. Domino writes an entry to this file
every time a Web user sends a request.
4. In the Agent log field, specify the prefix for the log file name that records the user
agent used to access the Domino server.
5. In the Referer log field, specify the prefix for the log file name that records the URL
used to send a request to the Web server.
6. In the Error log field, specify the prefix for the log file name to record any errors
sent to the user. This setting is only applicable to Domino R4 and R5 users.
7. In the CGI error log field, specify the prefix for the log file name for the errors
encountered during execution of CGI programs.
8. In the Exclude from Logging section, you can specify the URLs, Methods, MIME
types, User agents, Return codes, Hosts, and domains that you do not want
recorded in the log.
In the Log File Settings section, you can specify the format and frequency of logging, as shown in
Figure 12-24:

Figure 12-24: The Log File Settings Section

The Log File Settings section has the following options:

• Access log format: Allows you to specify the files to be created for logging. Select
the format as Common to create three separate files for access, referrer, and agent
logging. Select Extended Common to create a single file to log all types of
information.
• Time format: Allows you to specify the time format to be used for logging. You can
log the Local time or the GMT.
• Log file duration: Allows you to specify the duration for each log file. You can create
a new log file Daily, Weekly, Monthly, or Never. Based on the log file duration and
the log file name prefix specified, Domino creates the new log files. For example, if
the duration is daily and the access log file prefix is access, Domino creates a new
file daily by prefixing access to the current server date.
• Maximum log entry length: Allows you to specify the maximum length allowed for a
log entry. The default is 10 KB.
• Maximum size of access log: Allows you to specify the maximum size to which the
access log can grow. The default is unlimited.
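
Once the access log is enabled, it can be used to spot repeated authentication failures. The following is an added example, not code from the book or from Domino: it assumes that the Common format follows the NCSA Common Log Format line layout, and the log lines, the threshold and the time window are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed line layout (NCSA Common Log Format):
# host ident authuser [dd/Mon/yyyy:HH:MM:SS zone] "request" status bytes
CLF = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Constructed sample lines, not taken from a real server. The last line is
# cut off, as can happen when an entry exceeds the maximum log entry length.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Mar/2003:09:00:00 +0000] "GET /cgi-bin/report.pl HTTP/1.0" 401 210
203.0.113.5 - - [12/Mar/2003:09:05:00 +0000] "GET /cgi-bin/report.pl HTTP/1.0" 401 210
203.0.113.5 - - [12/Mar/2003:09:10:00 +0000] "GET /cgi-bin/report.pl HTTP/1.0" 401 210
192.0.2.10 - - [12/Mar/2003:09:15:01 +0000] "GET /cgi-bin/report.pl HTTP/1.0" 401 210
192.0.2.10 - jdoe [12/Mar/2003:09:15:09 +0000] "GET /cgi-bin/report.pl HTTP/1.0" 200 5120
198.51.100.7 - - [12/Mar/2003:09:20:00 +0000] "GET /cgi-bin/report.pl HTTP/1.0" 401 210
198.51.100.7 - - [12/Mar/2003:09:20:05 +0000] "GET /cgi-bin/report.pl HTTP/1.0" 401 210
198.51.100.7 - - [12/Mar/2003:09:20:11 +0000] "GET /cgi-bin/report.pl HTTP/1.0" 401 210
198.51.100.7 - - [12/Mar/2003:09:20:16 +0000] "GET /cgi-bin/report.pl HTTP/1.0" 401 210
198.51.100.7 - - [12/Mar/2003:09:20:24 +0000] "GET /cgi-bin/report.pl HTTP/1.0" 401 210
198.51.100.7 - - [12/Mar/2003:09:20:30 +0000] "GET /cgi-bin/report.pl HTTP/1.0" 401 210
198.51.100.7 - - [12/Mar/2003:09:20:40 +0000] "GET /cgi-bin/rep
"""


def parse_line(line):
    """Parse one access log line; return None if it does not match the layout."""
    match = CLF.match(line.strip())
    if not match:
        return None
    rec = match.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def flag_auth_failures(lines, threshold=5, window=timedelta(minutes=2)):
    """Flag hosts with at least `threshold` 401 responses inside `window`.

    A single 401 is normal: the first request for a protected file is
    answered with 401 before the browser prompts for a name and password.
    Lines are expected in chronological order, as the server writes them.
    Returns (flagged, skipped): flagged maps host -> highest 401 count seen
    in any window, skipped is the number of lines that could not be parsed.
    """
    recent = defaultdict(deque)   # host -> times of 401s still inside the window
    worst = defaultdict(int)      # host -> largest window count seen
    skipped = 0
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            skipped += 1          # keep a count instead of failing on bad input
            continue
        if rec["status"] != 401:
            continue
        times = recent[rec["host"]]
        times.append(rec["time"])
        while rec["time"] - times[0] > window:
            times.popleft()
        worst[rec["host"]] = max(worst[rec["host"]], len(times))
    flagged = {host: n for host, n in worst.items() if n >= threshold}
    return flagged, skipped


if __name__ == "__main__":
    flagged, skipped = flag_auth_failures(SAMPLE_LOG.splitlines())
    for host, count in flagged.items():
        print(f"{host}: {count} authentication failures within the window")
    print(f"unparsable lines: {skipped}")
```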

Specify Timeout Settings

Open or inactive sessions between the Web client and the Web server prevent users from
accessing the server. You use timeout settings to define the duration after which Domino
terminates these sessions. This improves the Web server performance.
The Timeouts section in the Internet Protocols-> HTTP tab of the Server document contains the
timeout settings for a Domino Web server, as shown in Figure 12-25:

Figure 12-25: The Timeouts Section

The Timeouts section contains the following fields:

• HTTP persistent connections: Allows you to enable persistent HTTP connections.
These connections are not limited by the network activity.
• Maximum requests per persistent connection: Allows you to specify the maximum
number of HTTP requests that can be handled on one persistent connection. The
default is 5.
• Persistent connection timeout: Allows you to specify the duration for which you
want persistent connections to remain active. The default is 180 seconds.
• Request timeout: Allows you to specify the time for which the server waits to
receive an entire request. The default is 60 seconds. If the server does not receive
the entire request in the specified time interval, it terminates the connection.
• Input timeout: Allows you to specify the maximum time within which a client has to
send a request after connecting to the server. The default is 15 seconds. If the
client does not send a request in the specified time interval, then the server
terminates the connection.
• Output timeout: Allows you to specify the maximum time in which a server has to
send the output to the client. The default is 180 seconds.
• CGI timeout: Allows you to specify the maximum time in which a CGI program
started by the server has to finish. The default is 180 seconds.

Customizing Web Server Messages


You can customize some of the error and response messages that the Web server
returns to a browser. To customize these messages, you need to configure the Domino
Web Server Configuration database, DOMCFG.NSF. You use this database to design the
forms or pages with the customized error messages. After you customize the forms for
different types of messages, you need to create mapping documents in the database.

You can customize the following types of messages using the DOMCFG.NSF database:
• Authentication failures: A user fails to authenticate with the server.
• Authorization failures: A user does not have sufficient access to the resource that
he is trying to access.
• Password expired errors: A user’s Internet password has expired.
• Password change not allowed errors: A user, who does not have access to change
the Internet password, attempts to change the password.
• Password change submitted response: A user successfully submits a request to
change the Internet password.
• Document deleted responses: A user successfully deletes a document.

To customize the messages returned by the Domino Web server using the
DOMCFG.NSF database:
1. Create a new database titled DOMCFG.NSF on the Domino Web server. Use
the Domino Web Server Configuration (6), DOMCFG5.NTF template to create
the database.
2. Change the ACL of the database to add an Anonymous entry with Reader
access. This allows all the Web clients to read the DOMCFG.NSF database.
3. Using Domino Designer, create a form or a page for each type of message
that you want to customize.
4. Open the database using the Domino Administrator client. The database
contains three views:
• Sign In Form Mappings: Allows you to customize the login
form shown to the Web user, when session authentication is
enabled on the Web server.
• Change Password Form Mappings: Allows you to customize
the password change form shown to a Web user, when the
Web user requests a change in the Internet password.
• Error & Response Form Mappings: Allows you to customize
the message forms shown to the Web users in response to
the HTTP requests sent by the Web users.
Figure 12-26 shows the views in the DOMCFG.NSF database:

Figure 12-26: Views in the DOMCFG.NSF Database


5. Select the Error & Response Form Mappings view and click the Add Mappings
action, as shown in Figure 12-26. The ‘Error & Response’ Form
Mapping document appears, as shown in Figure 12-27:

Figure 12-27: The ‘Error & Response’ Form Mapping Document


6. In the Applies to field of the Site Information section, select the All Web
Sites/Entire Server option to apply the mapping to all the Web sites hosted on
the server. You can also select the Specific Web Site/Virtual Server option to
apply the mapping to a specific Web site or virtual server.
7. In the Target Form field for the message type that you want to customize,
specify the name of the form or page that you have designed for the message.
Leave the Target database field at the default, which is Domcfg.nsf.
8. Save and close the document.

After you restart the HTTP task, any message that a user sees is customized using the
form that you have designed for the specific message type. This allows you to display
user-friendly messages to the users.

Chapter 13: Configuring SSL on Domino


Secure Sockets Layer (SSL) is a TCP/IP-based security protocol that ensures communication
privacy and authentication between servers and clients. Any information that is exchanged
between the servers and the clients is encrypted, which ensures complete privacy. An encoded
message digest also accompanies the data and detects tampering of data during transit.

You can set up SSL on the Domino server on a protocol-by-protocol basis. You can set up SSL for
Internet clients using Web Server (HTTP), Simple Mail Transfer Protocol (SMTP), Internet Mail
Access Protocol (IMAP), Lightweight Directory Access Protocol (LDAP), Internet Inter ORB
Protocol (IIOP), Simple Authentication and Security Layer (SASL), or Post Office Protocol V3
(POP3).

This chapter explains how to set up SSL on a Domino Server. It also explains how to set up Notes
and Internet clients for server authentication and how to set up client authentication on the server
for SSL and Secure/MIME (S/MIME).

Creating Key Ring and Certificates for SSL


To set up SSL on a server, you require a server key ring file that contains a certificate from an
Internet Certificate Authority (CA). The key ring should also contain a trusted root certificate for the
Internet CA. After acquiring the required certificates, you enable the SSL port in the server
document.
Note The procedures to request and accept the server and client certificates
depend on the CA’s site. The CA’s site may be developed using Domino or
some other software. Each CA’s site has its own procedures for requesting
and accepting server and client certificates.

You use the Server Certificate Administration database (CERTSRV.NSF) to create and manage
server key ring files and SSL certificates on a server. This database is automatically created when
you set up a Domino server. The default access to this database is No Access. The Administrators
who handle the server key ring files must have a Manager access to the database.
The home page of this database provides you with the various options for enabling SSL on a
server, as shown in Figure 13-1:

Figure 13-1: The Home Page of the Server Certificate Administration Database

Creating a Server Key Ring

A Server key ring file is a binary file that uniquely identifies a server. It stores the Server Certificate
obtained from the Internet CA and a trust certificate for the Internet CA called the trusted root
certificate.
Note The server key ring can be compared to a server ID file in Domino.

Creating a server key ring is the first step to setting up SSL on a server.

To create a key ring file:


1. Click the Create Key Ring option on the home page of the Server Certificate
Administration database. The Create Key Ring screen appears as shown in
Figure 13-2:

Figure 13-2: The Create Key Ring Screen


2. Specify a name for the key ring file in the Key Ring File Name field.
3. Specify a key ring password to prevent unauthorized access of the key ring file
and repeat it in the Confirm Password field.
4. Select a key size for the key ring file. The default value is 512 bits. A value of
1024 bits ensures stronger encryption of data.
5. In the Distinguished Name section, specify the fully qualified DNS name for the
server on which you want to set up SSL in the common name field. This name
must match the URL of your site. Specify the company name in the Organization
field. Optionally, specify an organization unit and the city name. Specify the state
name in the State or Province field and specify a 2-letter country code for the
country where the server is located. This information appears in the certificates
created on this server.
6. Click the Create Key Ring button to create the key ring file. The Key Ring
Created screen confirms the creation of the key ring file, as shown in
Figure 13-3:

Figure 13-3: The Key Ring Created Message Box


7. Click OK to close the message box.
Note The server key ring is created in the Administrator client’s data folder. You
must copy this file to the server’s data folder to implement SSL on the
server.
Creating a Server Certificate Request

A CA must certify the server key ring file. The CA can be an external one, such as Verisign, which
is used to sign most commercial sites, such as Internet banking sites, to ensure secure transactions.
You can also set up an internal CA using the Domino Certifying Authority database.

To get the key ring file certified by the CA, you create a server certificate request.

To create a server certificate request:


1. Click the Create Certificate Request option on the home page of the Server
Certificate Administration database. The Create Server Certificate Request
screen appears, as shown in Figure 13-4:

Figure 13-4: The Create Server Certificate Request Screen


2. Select No in the Log Certificate Request option if you do not wish to log the
certificate request.
3. Select a method for submitting the certificate request to the CA. Selecting Send
to CA by e-mail sends the request in an e-mail message to the CA. Select Paste
into form on CA’s site to copy the request to the clipboard and paste it to the
CA’s site.
4. Click Create Certificate Request in the Create Server Certificate Request screen
to generate the request. You are prompted for the key ring file password.
5. Specify the password. The certificate request is generated, as shown in Figure
13-5:

Figure 13-5: The Certificate Request Created Message Box


6. Copy the request to the clipboard by selecting all the text, including the BEGIN
and the END statements, and press Ctrl + C.
7. Access the CA’s site from a browser by specifying the
https://mainserver/ca.nsf?opendatabase URL. The home page of the CA appears,
as shown in Figure 13-6:

Figure 13-6: The Home Page of the Domino CA Database as Viewed from the Browser
8. Click Request Server Certificate to paste the certificate request on the CA’s site.
The Request a Server Certificate screen appears, as shown in Figure 13-7:

Figure 13-7: The Request a Server Certificate Screen


9. Specify the Administrator’s full name, e-mail address, phone, and comments in
the Contact Information section. The CA uses this information to contact the
Administrator who has requested for the certificate.
10. In the Paste the certificate request box, paste the request from the clipboard by
pressing Ctrl+V.
11. Click the Submit Certificate Request button to submit the request that you have
pasted. The Your Certificate Request Has Been Submitted screen appears, as
shown in Figure 13-8:

Figure 13-8: The Your Certificate Request Has Been Submitted Screen

Trusting the CA Certificate in the Key Ring File

Before the server key ring accepts a server certificate signed by an external CA, the key ring must
trust the CA. The trust is established by installing a trusted root certificate of the CA into the server
key ring. You can pick up the trusted root certificate from the CA’s site.
To install the Domino CA certificate as a trusted root certificate into the server key ring file:
1. Click the Accept This Authority In Your Server option on the CA’s home page to
pick up the CA’s trusted root certificate. The Pick Up Certificate Authority Trusted
Root Certificate screen appears, as shown in Figure 13-9:

Figure 13-9: The Pick Up Certificate Authority Trusted Root Certificate Screen
2. Select the certificate and copy it to the clipboard by pressing Ctrl+C.
3. Open the Server Certificate Administration database and click the Install Trusted
Root Certificate into Key Ring option. The Install Trusted Root Certificate screen
appears, as shown in Figure 13-10:

Figure 13-10: The Install Trusted Root Certificate Screen


4. Specify a certificate label for the CA, select Certificate Source as the clipboard,
and paste the certificate into the Certificate from Clipboard field by pressing
Ctrl+V.
5. Click the Merge Trusted Root Certificate into Key Ring button to install the CA
certificate. You are prompted for the key ring password. Specify the password.
The Merge Trusted Root Certificate Confirmation message box appears, as
shown in Figure 13-11:

Figure 13-11: The Merge Trusted Root Certificate Confirmation Message Box
6. Click OK to confirm that you want to merge the certificate. A message box
confirms that the trusted root certificate has been merged into the key ring file.
Close the message box by clicking OK.

Picking Up the Signed Server Certificate

When the CA approves and signs the certificate that you have submitted, it sends an e-mail
notification containing the URL to pick up the signed certificate. Access the URL to pick up the
certificate.
Note If you do not receive the e-mail notification, you can contact the CA to obtain
a Pickup ID for your certificate.

To pick up the signed certificate using a Pickup ID:


1. Open the CA’s site using the Web browser.
2. From the home page, select Pick Up Server Certificate. The Pick Up Signed
Certificate screen appears, as shown in Figure 13-12:

Figure 13-12: The Pick Up Signed Certificate Screen


3. In the Enter the certificate Pickup ID below field, specify the Pickup ID provided
to you and click the Pick Up Signed Certificate button. The signed certificate
information appears, as shown in Figure 13-13:

Figure 13-13: The Pick Up Signed Certificate Screen Showing the Signed Certificate
Information
4. Copy the signed certificate to the clipboard.
5. Open the Server Certificate Administration database and select the Install
Certificate into Key Ring option. The Install Certificate into Key Ring screen
appears, as shown in Figure 13-14:

Figure 13-14: The Install Certificate into Key Ring Screen


6. In the Certificate from Clipboard field, paste the certificate by pressing Ctrl+V
and click the Merge Certificate into Key Ring button. You are prompted for the
key ring file password.
7. After you specify the password, the Merge Signed Certificate Confirmation
message box appears, as shown in Figure 13-15:

Figure 13-15: The Merge Signed Certificate Confirmation Message Box


8. Review the Certificate Subject and Certificate Issuer information and click OK to
confirm. The Certificate received into key ring message box confirms that the
certificate has been merged into your key ring.
9. Click OK to close the message box.

Configuring the SSL Port on the Server


After you have obtained all the required certificates in the server key ring file, you are ready to
enable the SSL port on the server. When you enable SSL on a server, the protocol in the
URL changes from HTTP to HTTPS. You can enable SSL, disable TCP/IP to allow only
HTTPS, or redirect TCP/IP to SSL, in which case all HTTP requests automatically become HTTPS.
You can also enable SSL for specific databases.

To configure the SSL port on the CA server:


1. Expand the Servers view and click All Server Documents on the Configuration tab
of the Domino Administrator client. Double-click the CA server’s document to open
it.
2. Click the Ports tab and then click Internet Ports to enable the SSL port on the
server. Figure 13-16 shows the Internet Ports tab of the server document:

Figure 13-16: The Internet Ports Tab of the Server Document


3. In the SSL key file name, ensure that the key ring file you have created for the
server is specified. If you have not copied the server key ring file to the server’s
data folder, specify the complete path.
4. On the Web tab, select the TCP/IP port status as Redirect to SSL to redirect all
TCP/IP requests on this server to the SSL port.
5. In the SSL port status, select Enabled to enable the SSL port.
6. Save and close the document.
7. Restart the HTTP task on the server using the command:
TELL HTTP RESTART
The HTTP task restarts and now you must access the server from the browser over the
HTTPS port.

Configuring Clients for Authentication


Enabling SSL on the server for authentication enables the clients to verify the identity of the server
to which they are connecting. It also encrypts the transaction between the client and the server and
validates the data. The clients can access the Domino server either anonymously or by specifying
their name and password.

To configure Notes and Internet clients for Server Authentication, the client requires:
• A trusted root certificate for the CA.
• A cross-certificate for the CA created from the trusted root certificate. This is required
only for the Lotus Notes users.
• Software, such as a Web browser or a Notes workstation, that supports the use of SSL.

Additionally, you can configure the Domino server for client authentication to enable server
administrators to identify the client accessing the server and control access to applications based
on that identity. To configure client authentication on the server, in addition to the above tasks:
• The clients require an Internet certificate issued by the CA. This certificate is used for
authenticating with an Internet server using SSL or sending signed and encrypted
mail using S/MIME over the Internet.
• The Client Certificate authentication must be enabled on the Domino server.

Accepting a Trusted Root Certificate

The trusted root certificate is a trust certificate for the CA. This certificate is required to establish a
trust for the CA before you can accept the Internet certificate from the CA.

To accept the trusted root certificate for the CA:


1. Open the CA’s site using the browser.
2. Click the Accept This Authority In Your Browser option. A Trust This Authority in
Your Browser screen appears, as shown in Figure 13-17:

Figure 13-17: The Trust This Authority in Your Browser Screen


3. Click the Accept This Authority In Your Browser link to accept the trust certificate
of the CA into the browser.
4. If you are using the Notes browser, an Issue Cross Certificate dialog box
appears, as shown in Figure 13-18:

Figure 13-18: The Issue Cross Certificate Dialog Box


5. Click Cross certify to issue a cross certificate.

The CA certificate is installed into the browser that you are using. A Notes cross certificate is also
created in your personal address book if you are using the Notes browser.

Requesting an Internet Certificate from the CA

For client certificate authentication, Notes users or the Internet clients must obtain an Internet
certificate from a CA. The Internet certificate contains a public key, a name, expiration date, and
the digital signature of the CA. Notes users store this certificate in their ID file and in the Domino
directory. The corresponding private key is stored separately in the ID file. Internet users store the
certificate in a local file.

To request an Internet certificate for the client:


1. Open the CA’s site using a browser.
2. Click the Request Client Certificate option. The Request a Client Certificate for
Lotus Notes or Netscape Browser screen appears, as shown in Figure 13-19:

Figure 13-19: The Request a Client Certificate for Lotus Notes or Netscape Browser
Screen
3. Fill in the required information, such as your name, organization, state, country
code, contact data, and size of public and private key pairs and click the Submit
the Certificate Request button.
4. When the CA approves the certificate request, you are informed through e-mail.
Access the URL specified in the e-mail or from the CA site, click Pick Up Client
Certificate and specify the Pickup ID. The Pick Up Signed Client Certificate for
Lotus Notes or Netscape Browser screen appears, as shown in Figure 13-20:

Figure 13-20: The Pick Up Signed Client Certificate for Lotus Notes or Netscape
Browser Screen
5. Click Accept Certificate to accept the signed client certificate into your ID file. A
confirmation message appears, as shown in Figure 13-21:

Figure 13-21: The Domino Administrator Confirmation Message


6. Click OK to close the message box.

You can also generate an Internet certificate for Notes users using the existing public and private
key pairs by adding the Internet certificate to the person document of the user. When the user
authenticates with the home server, the certificate is automatically added to the user’s ID.

This process allows you to add the certificate for multiple users instead of asking the users to go to
the CA site and request the certificate.

Enabling Client Certificate Authentication on Server

An Internet client can authenticate with the Domino server using any of the following methods:
• Client certificate
• User name and password
• Anonymous, no authentication is done in this method

Enabling client certificate authentication on the server allows the server to verify a client’s identity
and allows you to control the client's access to databases by adding the client's name to the
database ACLs and design element access lists.
Note If the person document for a user contains multiple entries in the User name
field, the first name listed in the field is considered.

To enable client certificate authentication on the server:


1. Expand the Servers view and click All Server Documents on the Configuration
tab of the Domino Administrator client. Double-click the CA server’s document to
open it.
2. Click the Ports tab and then click Internet Ports to enable the SSL port on the
server.
3. To enable client authentication, on the Web tab, select Client certificate as Yes in
the SSL authentication options, as shown in Figure 13-22:

Figure 13-22: Setting Up Client Certificate Authentication


4. Restart the HTTP task on the server.

The server is now set up for client certificate authentication.

Chapter 14: Configuring the Web Navigator


The Domino Web Navigator allows Notes users to browse the Web without having a direct
connection to the Internet. End users use the Web Navigator database WEB.NSF to browse Web
pages. When an end user requests a page from the Web Navigator, the Web Navigator connects
to the Internet, retrieves the page, and copies the page in the Web Navigator database.

When an end user repeats the request for a page, it is directly retrieved from the database. This
leads to reduced Internet costs because Domino does not need to connect to the Internet
repeatedly. This also enables you to monitor Web-based activity. The Notes users can request,
view, and manage the Web pages by organizing them into folders or deleting them, using the
database itself. Troubleshooting also becomes simpler because you need to troubleshoot only one
Internet connection from the server, instead of troubleshooting one Internet connection per user.

This chapter explains how to set up the Web Navigator on the Domino server. It also
explains how to customize the Web Navigator and the Web Navigator database.

Configuring the Web Navigator Server


The Domino server that provides the Web Navigation service to the Notes users is called a Web
Navigator server or an InterNotes server. To configure a Domino server as a Web Navigator server,
you need to:
• Connect the Web Navigator server to the Internet.
• Run a task called WEB on the server. This task automatically creates a Web Navigator
database, WEB.NSF.
• Configure the Web Navigator database.
• Update the Location document of the end users who want to use the Web Navigator
server, to specify their browser as Notes and provide the name of the Web Navigator
server.

Connecting the Web Navigator Server to the Internet

You can connect the Web Navigator server directly to the Internet with the help of an Internet
Service Provider (ISP). The ISP provides you with access to the Internet and an Internet domain
name. Connecting the Domino server directly to the Internet can cause security problems because
this exposes the Domino server and all its databases including the Domino directory to the
Internet. For these reasons, you may connect to the Internet using a proxy server.

To connect to the Internet using a Proxy server:


1. From Domino Administrator Client, select the Configuration tab-> All Server
Documents view, as shown in Figure 14-1:

Figure 14-1: The All Server Documents View


2. Open the Server document for the Web Navigator server.
3. In the Server document, select the Ports tab-> Proxies, as shown in Figure 14-2:

Figure 14-2: The Proxies Tab of the Server Document


4. In the HTTP proxy field, specify the name or IP address of the HTTP Proxy
server. You can also specify the names or IP addresses of other Proxy servers,
such as the FTP proxy or SSL Security proxy, in this tab so that Internet requests
made to the Web Navigator server are directed to the specified proxy server.
5. Save and close the Server document.
Starting the WEB Task

To configure the Web Navigator server on Domino, start the WEB task by typing the following
command at the server console:
LOAD WEB

When the task loads for the first time, it automatically creates the Web Navigator database using
the PUBWEB50.NTF template.
Note To automatically start the WEB task on the server, add WEB to the
SERVERTASKS= entry in the server’s NOTES.INI file.

To quit the WEB task, issue the following command on the server console:
TELL WEB QUIT

Customizing the Web Navigator Server

The Server document enables you to customize options for the Web Navigator server, such as the
number of concurrent users who can connect to the Internet, the name of the Web Navigator
database, and the amount of information sent to the Server log on the server.

To customize the Web Navigator server:


1. In the Domino Administrator client, select the Configuration tab-> Server section-
> All Server Documents view.
2. Open the Server document for the Web Navigator server and select the Server
Tasks tab-> Web Retriever tab, as shown in Figure 14-3:

Figure 14-3: The Web Retriever Tab of the Server Document


The Web Retriever tab contains the following options:
• Web Navigator database: Allows you to specify the name of the
Web Navigator database. The default name is WEB.NSF.
• Services: Allows you to specify the Internet services that the
users can access using this Web Navigator server. You can
choose from FTP, GOPHER, HTTP, HTTPS, and Finger.
• Concurrent retrievers: Allows you to specify the maximum
number of users who can simultaneously access the Web
Navigator. The default number is 50.
• Retriever log level: Allows you to specify the amount of
information that the WEB task sends to the Server Log
database, LOG.NSF. Selecting None does not log any activity.
This is the default option. Selecting Terse sends minimal
messages. The Verbose option sends all the messages to the
Log database.
• Update cache: Allows you to select how often the
server checks whether the pages in the Web Navigator database
are up to date. The options are Never, Once per session, Every
time, and which is the default.
• SMTP Domain: Allows you to specify the SMTP domain. This
option is applicable only if your site uses the Lotus SMTP Mail
Gateway for Domino 4.6 and earlier versions.
• Allow access to these Internet sites: Allows you to specify the
names or IP addresses of the Internet sites to which you want to
allow access. You can use an asterisk (*) to allow access to all
the sites except those listed in the Deny access to these Internet
sites field. Specify *.com or *.org to allow access to sites of a
specific type.
• Deny access to these Internet sites: Allows you to specify the
names or IP addresses of the Internet sites to which you want to
deny access. You can use an asterisk (*) to deny access to all
the sites or *.com or *.org to deny access to sites of a specific
type. If a site is listed in both the allow and deny access fields,
the allow access overrides the deny access.
3. Save and close the Server document.
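
The allow and deny fields interact in a way that is easy to misread, so the following added example (not code from the book or from Domino) models only the rules stated above and lets you test planned field values against sample host names. It assumes that any allow entry other than a bare * counts as listing a site, and it reports a host that matches neither field as unspecified because the text does not say how such a host is handled; all host names are constructed.

```python
import re


def _pattern_matches(pattern, host):
    """Match host against one field entry; '*' is the only wildcard."""
    regex = re.escape(pattern.strip().lower()).replace(r"\*", ".*")
    return re.fullmatch(regex, host.strip().lower()) is not None


def _first_match(patterns, host):
    """Return the first entry that matches host, or None."""
    for pattern in patterns:
        if _pattern_matches(pattern, host):
            return pattern
    return None


def evaluate(host, allow, deny):
    """Return (decision, reason); decision is 'allow', 'deny' or 'unspecified'.

    Rules taken from the text:
      1. A site listed in both fields is allowed (allow overrides deny).
      2. A bare '*' in the allow field allows everything except deny entries.
      3. A deny entry, including '*' or '*.com', blocks matching sites.
    Assumption: any allow entry other than a bare '*' counts as "listing".
    """
    specific_allow = [p for p in allow if p.strip() != "*"]
    hit = _first_match(specific_allow, host)
    if hit is not None:
        return "allow", f"allow entry {hit!r} overrides any deny entry"
    hit = _first_match(deny, host)
    if hit is not None:
        return "deny", f"deny entry {hit!r} matched"
    if len(specific_allow) != len(allow):
        return "allow", "allow field contains '*' and no deny entry matched"
    # The text does not say what happens here, so do not guess.
    return "unspecified", "no entry in either field matched"


def shadowed_deny_entries(allow, deny):
    """Return deny entries that never take effect because allow covers them."""
    specific_allow = [p for p in allow if p.strip() != "*"]
    shadowed = []
    for entry in deny:
        same = any(entry.strip().lower() == a.strip().lower()
                   for a in specific_allow)
        literal = "*" not in entry
        if same or (literal and _first_match(specific_allow, entry) is not None):
            shadowed.append(entry)
    return shadowed


# Constructed field values and probe hosts for the demonstration.
ALLOW = ["*.example.org", "partner.example.com"]
DENY = ["*.com", "files.example.org"]
PROBES = ["partner.example.com", "www.example.com",
          "files.example.org", "example.net"]

if __name__ == "__main__":
    for name in PROBES:
        decision, reason = evaluate(name, ALLOW, DENY)
        print(f"{name:22} {decision:12} {reason}")
    for entry in shadowed_deny_entries(ALLOW, DENY):
        print(f"deny entry {entry!r} has no effect: an allow entry covers it")
```

A deny entry reported as shadowed is the case to review before saving the Server document, because the site it names stays reachable.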

Configuring Lotus Notes Clients to Use the Web Navigator

You can individually configure the Lotus Notes client to use the Web Navigator server for
accessing the Internet. You can also configure a default Web Navigator server for all the clients.

Configuring Individual Clients


To configure the Lotus Notes client to use the Web Navigator to access the Internet, end users
need to specify Notes as their Internet browser in their Location document. They must also specify
that the Web pages that they request should be retrieved from the Web Navigator server. In
addition, they must specify the name of the Web Navigator in the InterNotes server field of the
Location document.

You can either update the Location document of the users manually or automate the update by
creating Policy documents.

Updating the Location Document Manually


You update the Location document manually by opening the Location document on the workstation
of a user and making changes to it.

To update a user’s Location document manually:


1. Select File-> Mobile-> Edit Current Location on the user’s computer. This
opens the currently selected Location document.
2. In the Location document, select the Internet Browser tab, as shown in
Figure 14-4:

Figure 14-4: The Location Document Showing the Internet Browser Tab
3. Select Notes as the Internet browser. In the Retrieve/open pages option,
select the from InterNotes server option. There are two other options
available, from Notes workstation and work offline. The from Notes
workstation option allows the user to use a personal Web navigator
database to retrieve pages locally. The work offline option allows the end
user to work with the existing pages in the local database without retrieving
any new pages.
4. Click the Servers tab of the Location document. In the InterNotes server
field, specify the name of the Web Navigator server, as shown in Figure 14-5:

Figure 14-5: The Servers Tab of the Location Document


5. Save and close the document.

Automating the Updating of the Location Document


You can automate the updating of the Location document by updating the desktop policy document
created for users with the browser and InterNotes server options. When the user connects to the
server, the desktop policy updates these settings in the Location document for the user.

To update the Desktop Settings document:


1. From the Domino Administrator client, select the People & Groups tab->
Settings view, as shown in Figure 14-6:

Figure 14-6: The Settings View


2. Click Settings in the View pane and double-click the Desktop Settings
document to open it or create a new Desktop Settings document.
Note To learn more about creating and assigning a Desktop Settings document, see
Chapter 3, Configuring Lotus Notes Clients.
3. In the Browser Options section of the Basics tab of the Desktop Settings
document, specify the Internet browser as Notes and the Retrieve/open
pages option as from InterNotes server, as shown in Figure 14-7:

Figure 14-7: The Browser Options Section of a Desktop Settings Document


4. When you select from InterNotes server in the Retrieve/open pages field,
an additional field, InterNotes server appears. Specify the name of the Web
Navigator server.
5. Save and close the Desktop Settings document.
Whenever the users to whom the desktop policy has been assigned connect to their home server, this
information is updated in their Location documents.

Specifying a Default Web Navigator Server


An end user’s location document may not always contain the name of the Web Navigator server. In
this situation, you can specify a default Web Navigator server in the Server document of the server
on which users have their mail files.

To specify a default Web Navigator server for the users of your server:
1. In the Domino Administrator client, select the Configuration tab-> Server
section-> All Server Documents view.
2. Open the Server document for your server.
3. Scroll to the bottom of the document and expand the Server Location
Information section, as shown in Figure 14-8:

Figure 14-8: The Server Location Information Section of the Server Document
4. In the InterNotes server field, specify the name of the Web Navigator server.
5. Save and close the document.

The Web Navigator Database


The Web Navigator database stores all the pages that users request through the Web Navigator
server. When a user requests the same page again, it is returned from the database and the server
does not need to fetch it. Although this reduces the connection cost, the size of the database
increases quickly. Another disadvantage is that the users might see a page that is outdated instead
of the current content of the Web page. To manage these issues, the Web Navigator database
uses agents. The Web Navigator database contains three agents:
• Purge: Purges the documents that match specified criteria. The purge agent helps
control the size of the database.
• Refresh: Updates the content of the stored pages to prevent them from being outdated.
• Averaging: Creates an average rating of pages recommended by users and shows the
top ten pages in the home page of the database in the folder Recommended.

The default access for this database is Editor but the administrator of the Domino server is
assigned manager access with the [WebMaster] role.

Customizing the Web Navigator Database

You can customize the Web Navigator database to specify information such as the maximum size
to which the database can increase, the font and styles for the Web pages, and the settings for the
Purge agent in the database. To customize the Web Navigator database, you must have the
[WebMaster] role in the ACL of the database.

You customize the Web Navigator database using the Web Navigator Administration document.

To customize the Web Navigator database:


1. Open the Server Web Navigator (R5) database on the server. The home page of
the database opens, as shown in Figure 14-9:

Figure 14-9: The Home Page of the Server Web Navigator Database
2. Click the Database Views link at the lower-left of this page to open the views in
this database, as shown in Figure 14-10:

Figure 14-10: The Database Views in the Web Navigator Database


3. Select Actions-> Administration to open the Web Navigator Administration
document, as shown in Figure 14-11:

Figure 14-11: The Web Navigator Administration Document


The Web Navigator Administration document is divided into three sections:
• Server Basics: Use the options in this section to define settings
such as the name of the default InterNotes server, the maximum
size for the Web Navigator database, and whether or not to save
the author information about the documents retrieved.
• Purge Agent Settings: Use the settings in this section to define
the settings for the purge agent in the Web Navigator database.
• HTML Preferences: Use the options in this section to specify the
font and color options for the HTML pages.
The Server Basics section of the Web Navigator Administration document contains the
following options:
• InterNotes server name: Specify the hierarchical name of the
server that has been configured as the Web Navigator server.
• Maximum database size: Specify the maximum size in
megabytes for the Web Navigator database.
• Save author Information: Select this option to save the name of
the person who retrieved the page.
• HTML Save Options: The HTML source for a Web page saved
as a Notes document is stored in the Body field in that
document. Select the option Save as Rich Text only to save the
rich text in the document in the field named Body. Select Save
as Rich Text and HTML to save the rich text in one Body field
and the HTML tags in another Body field. Select Save as MIME
only to store the document in MIME format in the Body field.
The Purge Agent Settings section of the Web Navigator Administration document
contains the following options:
• Purge agent action: The action taken by the purge agent to
reduce the size of the database. Select the option Delete Page
to remove the page completely. Select the Reduce page option
to delete the pages from the database. The URL for the page is still
listed in the views.
• Purge to what % of maximum database size: Specify the
percentage of the maximum size of the database to which the
agent purges the database. The default is 60%.
• Purge documents older than: Specify the number of days after
which a document in the database must be deleted. The default
is 30 days.
• Purge documents larger than: Specify the maximum size after
which the document must be deleted from the database. The
default is 512 KB.
• Purge Private documents: When a user visits pages that require
the user to authenticate, the pages are stored in a private folder
created for the user. Select this option to delete documents from
the private folders as well.
The HTML Preferences Options in the Web Navigator Administration document allow
you to specify the style for the elements on a page. The styles you can specify include
Anchors, Body Text, Plain, Fixed, Listing, and Address. You can also change the color of
the style for various elements or accept the default values.
4. To enable the Purge agent, click the Enable Purge agent action in the Web
Navigator Administration document. Select Web Navigator server when you are
prompted to choose the server for the agent to run on.
5. Click the Enable Refresh agent action to enable the Refresh agent in the
database on the Web Navigator server. By default, this agent runs at 3:00 A.M.
6. Save and close the document.

Users can now use the Web Navigator database successfully to browse the Web.

Appendix A: Configuring Domino Certificate Authority


A Certificate Authority (CA) issues certificates to servers and clients for enabling Secure Sockets
Layer (SSL). Domino enables you to set up an internal CA for your company. You can configure
Domino as a CA to issue your own Notes and Internet Certificates for use on your intranet.

To configure Domino as a CA, you require a CA Key ring file that contains CA certificates. You use
the CA Key ring file to sign the server and client Internet certificates. Domino contains the Domino
CA (6) (CCA50.NTF) template that enables you to configure Domino as a CA.
To configure Domino server as a CA, you must set up the server as a Web server. You must create
a CA database and create a CA Key ring file and CA certificate in this database. To ensure that
certificate requests and certificate pickups take place over secure connections, you also
set up SSL on the CA server.

This appendix explains how to configure a Domino CA.

Creating a CA Database
You use the CA database to set up an internal CA for your organization. The CA database allows
you to issue certificates to servers and clients in the organization.

To create the CA database using the Domino CA (6) CCA50.NTF template:


1. Click File-> Database-> New. The New database dialog box appears, as shown in
Figure A-1:

Figure A-1: The New Database Dialog Box


The New Database dialog box contains the following options:
• Server: Name of the server on which you want to configure the CA.
• Title: Any title for the CA database. For example, you can specify
Domino Certificate Authority.
• File name: Any filename. For example, you can specify ca.nsf.
• Template Server: The template server that you will use for creating
the CA database. Select Local and then select the options, Show
advanced templates and Inherit future design changes.
• Template Name: The name of the template that you will use for
creating the CA database. Select Domino Certificate Authority (6)
(CCA50.NTF).
2. Open the database ACL by clicking the File-> Database-> Access Control menu
options. The Access Control List to: Domino Certificate Authority dialog box opens,
as shown in Figure A-2:

Figure A-2: The Access Control List to: Domino Certificate Authority Dialog Box
3. To allow all users to create certificate requests, ensure that the default access in
the ACL is Author with the Create documents privilege. Assign at least Editor access
with the Delete Document privilege and the [CAPrivlegedUser] role to all the users
who will create and manage the Internet certificates.
4. Click OK to save the ACL and close it. Close the About Database Document that
appears. The Navigator for the CA database appears, as shown in Figure A-3:

Figure A-3: The Navigator for the CA Database

The Navigator provides you with the following options:


• Certificate Authority Configuration: Enables you to configure the CA. This option is
selected by default.
• Server Certificate Requests: Allows you to view the approved and denied server
certificate requests and to approve and deny fresh requests for certificates.
• Client Certificate Requests: Allows you to view the approved and denied client certificate
requests, and to approve and deny fresh requests for certificates.
• Client Registration Requests: Contains a list of client certificates submitted by external
CAs for adding to the Domino Directory.
• Certificate Authority Key Ring: Contains options to view the CA key ring, change its
password, and export it to a text file.

Creating a CA Key Ring File and Certificate


The CA key ring file is a password-protected binary file that contains the certificate that the Domino
CA uses to issue certificates to the servers and clients. To create a CA key ring file and the
certificates:
1. Open the CA database.
2. Click the Create Certificate Authority Key Ring and Certificate option to create a
certificate and a key ring file. The Certificate Authority Key Ring screen appears, as
shown in Figure A-4:

Figure A-4: The Certificate Authority Key Ring Screen


3. In the Key Ring File Name field, specify a name for the key ring file. The default is
CAKey.kyr. Domino saves the file in the Administrator client’s data folder.
4. Specify the password for the key ring file in the Key Ring Password field to prevent
any unauthorized access. Repeat the password in the Password Verify field.
5. Select 512 or 1024 as the Key Size. This is the size of the public/private key pair in
bits. A larger key provides stronger encryption.
6. In the Distinguished Name section, specify a unique name for the certifier in the
Common Name field. Specify the company name in the Organization field.
Optionally, you can specify an organization unit and the city name. Specify the
state in the State or Province field and specify a two-letter country code for the
country where the CA is located.
7. Click the Create Certificate Authority Key Ring button. A message box confirms the
creation of the Key ring with a self-signed trusted root certificate, as shown in
Figure A-5:

Figure A-5: The Message Box Confirming the Creation of the Key Ring
8. Click OK to close the message box.

Updating the Certificate Authority Profile


The Certificate Authority Profile document in the CA database associates a key ring file
with the CA. It also contains information about the CA server and the default options,
such as the validity period of a certificate issued by the CA.
Note When you issue the certificate, you can change the default options specified
in this document for individual certificates.

To update the CA profile:


1. Open the CA database.
2. On the Navigator, click Configure Certificate Authority Profile. The Certificate
Authority Profile document appears, as shown in Figure A-6:

Figure A-6: The Certificate Authority Profile Document


3. In the CA Key File field, specify the name and location of the CA key ring file.
The field shows the default path where the key ring file is stored, but if you
move the file to a different location, you must update this field.
4. When the CA approves a certificate request, Domino sends the requesting
user an e-mail confirmation stating where to pick up the certificate. This
e-mail confirmation includes information about the CA server to enable users
to pick up their approved certificates. To generate this information, specify
the DNS name of the CA server in the Certificate Server DNS Name field.
5. Select the Use SSL for certificate transactions? option if you want users
to pick up their certificates over a secure connection. Selecting this
option includes a reference to the SSL port in the e-mail confirmation sent to
the client. In addition, specify the TCP/IP port number for the CA server.
6. Select the Mail confirmation of signed certificate to requestor? option to send
an e-mail confirmation to the requestor when the CA approves the certificate
request.
7. The Submit signed certificates to AdminP for addition to the Directory? option
is selected by default. Accept this option to add an AdminP request for adding
the certificate to the Domino Directory.
8. In the Default validity period field, specify a default validity period for the
certificates issued by the CA. The default value is 2 years.
9. Click Save and Close to save and close the profile document.

Setting up SSL on the CA Server


You access a CA database using the browser. To ensure that the certificate requests and the
approved certificate pickup take place as a secure transaction, you must set up SSL on the CA
server. To set up SSL on the CA server, you need to create a server key ring for the CA server.
After you have created the server key ring file, you must enable the SSL port on the server so that
administrators and clients are able to connect to the CA server using SSL.

Creating a Server Key Ring for the CA Server

The server key ring file is the file that the Domino CA server uses to configure SSL for itself. The
CA automatically certifies this server key ring in contrast to the certificate requests by other servers
that require approval.

To create a server key ring for the CA server:


1. Open the CA database.
2. Click Create Server Key Ring and Certificate. A Create CA Server Key Ring
screen appears, as shown in Figure A-7:

Figure A-7: The Create CA Server Key Ring Screen


3. Specify a name for the key ring file in the Key Ring File Name field.
4. Specify a key ring password to prevent unauthorized access of the key ring file
and repeat it in the Password Verify field.
5. Select a key size for the key ring file. The default value is 512 bits. You must
purchase a Verisign Global Server ID to qualify for creating a 1024-bit key size in
the international edition of Domino.
6. Specify a CA certificate label to identify the CA certificate in the server key ring.
7. In the Distinguished Name section, specify the fully qualified DNS name for the
server in the common name field. Specify the company name in the
Organization field. Optionally, you can specify an organization unit and the city
name. Specify the name of the state in the State or Province field and specify a
two-letter country code for the country where the CA server is located.
8. Click the Create Server Key Ring button to create the server key ring file with
specified information. Domino prompts you for the password of the CA key ring
file created earlier.
9. Type the password and click OK. A Server SSL key ring created message box
confirms the creation of the server key ring file for the CA server, as shown in
Figure A-8:

Figure A-8: The Server SSL key ring created Message Box
10. To enable SSL on the server, the key ring file must be stored in the Data folder
on the server. Copy the server key ring file to the Domino data folder on the CA
server because the key file gets created in the Administrator client’s Notes Data
folder.
Configuring the SSL Port on the CA Server

To allow Web clients to connect to the CA server using a secure connection, you must enable the
SSL port on the server. Enabling the SSL port allows the Web clients to use HTTPS protocol to
connect to the server. Domino provides the following options to enable the SSL port for a server:
• Enable SSL port and disable TCP/IP port: Allows the Web client to use HTTPS only
to access the CA server. Using HTTP to connect to the server results in an error.
• Enable both SSL and TCP/IP ports: Allows the Web clients to use both HTTP and
HTTPS to connect to the CA server.
• Redirect TCP/IP requests to the SSL port: Allows the Web clients to use both HTTP
and HTTPS to connect to the CA server. An HTTP request is automatically
converted to an HTTPS request.

To configure the SSL port on the CA server:


1. In the Domino Administrator client, select Configuration tab-> Server section->
All Server Documents view.
2. Open CA server’s Server document and click the Edit Server action to edit the
document.
3. Click Ports-> Internet Ports tab to access the option to enable the SSL port on
the server. Figure A-9 shows the Internet Ports tab of the Server document:

Figure A-9: The Internet Ports Tab of the CA Server Document


4. Ensure that the name of the SSL key file contains the name of the key ring file
you have created for the CA server. If you have not copied the server key ring
file to the server’s data folder, specify the complete path.
5. On the Web tab, select the TCP/IP port status as Disabled to disable all non-SSL
transactions on this server.
6. In the SSL port status field, select Enabled to enable the SSL port.
7. Save and Close the document.
8. Restart the HTTP task on the server using the following command:
TELL HTTP RESTART
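
After the HTTP task restarts, you can confirm from a workstation which of the three port options listed above is actually in effect. The following added example (not code from the book or from Domino) sends one request to each port, verifies the server certificate against the CA's trusted root, and names the observed option; the host name, the default ports 80 and 443, the root certificate file and the rule that a failed connection means a disabled port are assumptions.

```python
import http.client
import ssl
import sys
from urllib.parse import urlsplit


def _head(conn):
    """Send HEAD / on conn and return what was observed as a dict."""
    try:
        conn.request("HEAD", "/")
        resp = conn.getresponse()
        return {"status": resp.status,
                "location": resp.getheader("Location"),
                "error": None}
    except (OSError, http.client.HTTPException) as exc:
        # Covers refused connections, timeouts and TLS verification failures.
        return {"status": None, "location": None,
                "error": f"{type(exc).__name__}: {exc}"}
    finally:
        conn.close()


def probe(host, ca_file, http_port=80, https_port=443, timeout=5.0):
    """Return (http_observation, https_observation) for host.

    ca_file is the CA's trusted root certificate in PEM form; only that
    root is trusted, so the HTTPS result also proves the chain and name.
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    plain = http.client.HTTPConnection(host, http_port, timeout=timeout)
    secure = http.client.HTTPSConnection(host, https_port,
                                         timeout=timeout, context=ctx)
    return _head(plain), _head(secure)


def classify(http_obs, https_obs):
    """Map two observations to one of the port options described in the text."""
    if https_obs["status"] is None:
        return "ssl-unavailable"   # SSL port closed or certificate rejected
    if http_obs["status"] is None:
        return "ssl-only"          # TCP/IP port disabled, SSL port enabled
    location = http_obs["location"] or ""
    if 300 <= http_obs["status"] < 400 and urlsplit(location).scheme.lower() == "https":
        return "redirect"          # TCP/IP requests redirected to SSL
    return "both"                  # HTTP answered without forcing HTTPS


def check(expected, http_obs, https_obs):
    """Return (ok, message) comparing the observed option with the expected one."""
    observed = classify(http_obs, https_obs)
    if observed == expected:
        return True, f"port policy is {observed!r} as expected"
    source = https_obs if observed == "ssl-unavailable" else http_obs
    detail = f" ({source['error']})" if source["error"] else ""
    return False, f"expected {expected!r} but observed {observed!r}{detail}"


if __name__ == "__main__":
    # Usage: script.py ca.example.com ca-root.pem ssl-only
    host, ca_file, expected = sys.argv[1:4]
    ok, message = check(expected, *probe(host, ca_file))
    print(message)
    sys.exit(0 if ok else 1)
```

A handshake failure, for instance a current TLS client refusing the key size or protocol version the server offers, is reported as ssl-unavailable together with the underlying error text.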

Issuing Certificates Using the Domino CA

You submit the request for a server certificate by pasting the request on the CA’s Web site. You
access the CA’s Web site using a Web browser. Similarly, clients can also request a certificate
from the CA’s site. Domino stores the certificate requests in the CA database.
To review a server certificate request:
1. Open the CA database.
2. Click Server Certificate Requests on the side navigator. A list of requests waiting
for approval appears, as shown in Figure A-10:

Figure A-10: Server Certificate Requests Waiting for Approval


3. Open the request that you want to review. The Certificate Request Approval
screen appears, as shown in Figure A-11:

Figure A-11: The Certificate Request Approval Screen


4. In the Choose an Action for this Request section, click the Approve button to
approve the certificate. If required, change the validity period of the certificate
from the default period of 2 years. You can also reject the server certificate
request by clicking the Deny button, but you should specify a reason for rejecting
the request.
5. When you click the Approve button, Domino prompts you for the CA key ring file
password. Specify the password. The request moves to the Approved Server
Certificate Requests view.
Note: When you approve a certificate request, the Domino CA sends an e-mail
message to the requestor with the URL to access the certificate. If the
requestor does not receive the e-mail message, you can provide the Pickup
ID for the certificate to the requestor.

Appendix B: Extended Access Control List


The extended Access Control List (ACL) allows you to define access to various elements in the
Domino directory. The elements include various subsets of users and various subsets of
documents, forms, and fields. The extended ACL also allows you to implement design element
security for the Domino directory without accessing the design of the database. In addition, it
transfers complete control of the application security to the ACL.

This appendix describes the features of the extended ACL. It also explains how to set up the
extended ACL in the Domino directory.

Features of Extended ACL


You use the extended ACL to fine-tune access to the Domino directory by applying restrictions.
You cannot use the extended ACL to grant a user more access than the user has in the
database ACL. An extended ACL allows you to control access to documents and fields from the
ACL.
Figure B-1 shows a sample extended ACL:

Figure B-1: A Sample Extended ACL

The extended ACL has three sections:


 Target: The entry on which you want to restrict the access.
 Access List: The people, servers, or groups whom you want to restrict.
 Attributes: The privileges that you want to assign to the entry selected in the Access List.

Target Entry

A target entry defines the entry for which you want to restrict the access. You can define the entry
using the hierarchical naming directory structure for your organization. The entry that you select is
applicable to the documents for the persons, servers, and certifiers that the selected certifier has
certified and the policy documents applicable to the certifier. You can define the entry as the entire
organization, organization units, or specific documents.
You define the target entry in the Target section of the Extended Access at: <target entry> dialog
box, as shown in Figure B-2:

Figure B-2: Target Section in the Extended Access at: <target entry> Dialog Box

By default, root (/) is selected in the target entry box. The access applied to this entry is applicable
to all the documents in the Domino directory. You can select a subcategory, such as the
organization-level certifier, and the access applied to this entry becomes applicable to all
documents under the organization. For example, the access specified for an entry O=SNT applies
to all the documents for the persons and servers with SNT as the O-level certifier, such as
Tanya/SNT and MainServer/HO/SNT. The O=SNT entry has two subcategories, OU=HO and
OU=RO. The access specified for OU=HO applies to MainServer/HO/SNT.

By default, the Target box section has the Show only containers option selected. This causes only
the certifier entries to show in the target box. If you clear this option, the target box shows all
documents under each certifier.

Access List
The access list defines the subject to whom you have assigned access on the target entry, as
shown in Figure B-3:

Figure B-3: The Access List Section of the Extended Access at: <target entry> Dialog Box

A subject can be a person, server, or a group. You can specify the following entries in the access
list:
 Individual person or server name
 Group name
 Wild card entries, such as */SNT
 Anonymous
 Default
 Self

Attributes
Attributes are the privileges that you assign to the subject on the target entry. You can apply a
privilege only to the selected target entry or the entry and all its descendants. Domino allows you
to define six types of privileges, as shown in Figure B-4:

Figure B-4: The Attributes Section of the Extended Access at: <target entry> Dialog Box

The Attributes section of the extended ACL allows you to define the following privileges:
 Browse: Allows the subject to access a document.
 Create: Allows the subject to create a document.
 Delete: Allows the subject to delete a document.
 Read: Allows the subject to read the content of a field in the document.
 Write: Allows the subject to modify a field.
 Administer: Allows a subject that has Designer or Editor access in the database
ACL to update the extended ACL. Users with Manager access in the database
ACL can update the extended ACL even without this privilege.

Enabling the Extended ACL


To configure the extended ACL, you need to first enable it in the ACL of the Domino directory.
Enabling the extended ACL adds the Extended Access button to the ACL. You use this button to
configure the extended ACL.

To enable the extended ACL for the Domino directory:


1. In the Domino Administrator client, select the Files tab and in the Results pane,
click the Domino directory for your domain.
2. Select File-> Database-> Access Control. The Access Control List to: <your
domain’s directory> Directory dialog box appears, as shown in Figure B-5:

Figure B-5: The Access Control List to: <your domain’s directory> Directory Dialog Box
3. Click the Advanced tab of the Access Control List to: <your domain’s directory>
Directory dialog box. The advanced ACL settings appear, as shown in Figure B-6:

Figure B-6: The Advanced ACL Settings for the Domino Directory
4. To enable the extended ACL, select the Enable Extended Access check box. A
message box appears asking you to confirm the enabling of the extended ACL, as
shown in Figure B-7:

Figure B-7: Confirming the Enabling of the Extended ACL


5. Click Yes to confirm the enabling of the extended ACL.
6. To enable the Extended ACL, you must also enable the Enforce a consistent
Access Control List across all replicas option. When Domino prompts you to
confirm whether or not you want to enable consistent access control, click Yes, as
shown in Figure B-8:

Figure B-8: Confirming the Enabling of Consistent ACL Across Replicas


7. Click Yes to confirm. A message box appears asking you to enable document
locking, as shown in Figure B-9:

Figure B-9: Message Box that asks Administrator to Enable Document Locking to Avoid
Conflicts
8. Click OK to confirm.
9. Click OK to save the ACL settings and close the ACL. A message box appears,
indicating that enabling the extended ACL may take a while.
10. Click OK to close the message box. Access the ACL again. The Extended Access
button appears on the Basics tab, as shown in Figure B-10:

Figure B-10: The Access Control List to: <your domain’s directory> Directory Dialog Box
Showing the Extended Access Button

Configuring the Extended ACL


You configure the extended ACL to define access on specific documents and fields for selected
users. You use the database ACL to configure the extended ACL.

To configure the extended ACL for the Domino directory:


1. Click the Extended Access button on the Basics tab of the ACL for the Domino
directory, as shown in Figure B-10. The Extended Access at: / dialog box appears,
as shown in Figure B-11:

Figure B-11: The Extended Access at: / Dialog Box


2. In the Target section, click the root (/) entry to expand it and select the organization
or organization unit for which you want to restrict the access, as shown in Figure B-12:

Figure B-12: Selecting a Target Entry


3. In the Access List, click the Add button to select the subject for whom you want to
define the access. The Add button provides four options for selecting the subject,
as shown in Figure B-13:

Figure B-13: Options in the Add Button


4. In the Scope of Target field of the Attributes section of the Extended Access at: /
dialog box, select the This container only option to assign access to the documents
that are certified directly by the selected target entry and not by any of its
descendants.
5. In the Access section, select the Allow option to grant the selected privilege or
select Deny to revoke the privilege from the subject selected in the Access List
section.
6. To further refine the access for the subject, click the Form and Field Access button
in the Attributes section. The Form and Field access at: <target entry> dialog box
appears, as shown in Figure B-14:

Figure B-14: The Form and Field access at: <target entry> Dialog Box
7. In the Forms section, select the form on which you want to restrict access. For the
form that you select, select the access that you want to set. You can allow or deny
the access to Browse, Create, and Delete the form.
8. Optionally, in the Fields section, select the field from the selected form and select
the access on the field. You can allow or deny Read or Write access. For example,
you can allow end users to update the CellPhoneNumber field in the Person
document. This document uses the Person form.
9. Click OK to close the Form and Field access at: <target entry> dialog box.
10. Click OK to close the Extended Access at: <target entry> dialog box.
11. In the Access Control List dialog box, click Yes to confirm saving the settings and
then click OK to close the dialog box.
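
The way a target entry and its scope select documents, as described under Target Entry and in step 4 above, can be modelled in a few lines. The following Python sketch is an added example, not Domino code: it only reports which extended ACL entries apply to a request and does not model how Domino resolves conflicts between them, the Anonymous and Default subjects, form and field access, or the database ACL ceiling. The suffix matching of wildcards, the meaning of Self as "the user's own document", and the names HelpDesk and Ravi are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Entry:
    target: str        # "/" or a certifier path: "SNT" for O=SNT, "HO/SNT" for OU=HO
    subject: str       # name, group name, wildcard such as "*/SNT", or "Self"
    privilege: str     # Browse, Create, Delete, Read, Write or Administer
    allow: bool        # True = Allow, False = Deny
    descendants: bool  # False = "This container only"

def certifier_of(name):
    """'MainServer/HO/SNT' -> 'ho/snt', 'Tanya/SNT' -> 'snt'."""
    return name.split("/", 1)[1].lower() if "/" in name else ""

def target_covers(entry, doc_name):
    cert, target = certifier_of(doc_name), entry.target.strip("/").lower()
    if cert == target:
        return True                      # certified directly by the target
    if not entry.descendants:
        return False                     # "This container only" stops here
    return target == "" or cert.endswith("/" + target)

def subject_matches(entry, user, doc_name, groups):
    subject, user = entry.subject.lower(), user.lower()
    if subject == "self":                # assumption: the user's own document
        return user == doc_name.lower()
    if subject.startswith("*/"):         # assumption: suffix match on the certifier
        return user.endswith(subject[1:])
    members = {m.lower() for m in groups.get(entry.subject, ())}
    return subject == user or user in members

def applicable(entries, user, doc_name, privilege, groups=None):
    """Entries whose target, subject and privilege all match this request."""
    return [e for e in entries
            if e.privilege == privilege
            and target_covers(e, doc_name)
            and subject_matches(e, user, doc_name, groups or {})]

# Constructed entries; only SNT, HO, Tanya and MainServer come from the text.
ENTRIES = [
    Entry("SNT", "*/SNT", "Browse", True, True),
    Entry("SNT", "Self", "Write", True, False),
    Entry("HO/SNT", "HelpDesk", "Write", False, True),
]
GROUPS = {"HelpDesk": ["Ravi/HO/SNT"]}

if __name__ == "__main__":
    for user, doc in [("Tanya/SNT", "Tanya/SNT"), ("Ravi/HO/SNT", "Ravi/HO/SNT")]:
        print(user, doc, applicable(ENTRIES, user, doc, "Write", GROUPS))
```

With these entries, the Self entry reaches Tanya/SNT but not Ravi/HO/SNT, because its scope is limited to documents certified directly by SNT, while the Deny entry on HO/SNT does reach Ravi's document.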

Appendix C: Domino Server Tasks


The Domino server provides various services to users, such as routing messages, replicating
databases, and acting as a Web server. The services are handled by multiple tasks that run on the
Domino server.

This appendix describes the various methods of starting a Domino server task. It also provides a
brief description of the Domino server tasks.

Running a Domino Server Task


You must start a task on the server to allow the task to carry out its activities. You can start a
server task manually or configure it to start automatically when the server starts or at specific
times. There are four methods to start a Domino server task:
 Manually, using the server console
 Manually, using the Domino Administrator client
 Automatically, using the NOTES.INI file
 Automatically, using the Program document

Starting a Task Using the Server Console

You can start a task manually from the server console using the following server console
command:
LOAD <TaskName>

In the above command, <TaskName> is the name of the task that you want to start on the server.

Starting the Task Using the Domino Administrator Client

You can also start a task manually using the Domino Administrator client. To start a task from the
Domino Administrator client:
1. In the Domino Administrator client, select Server tab-> Status tab-> Server Tasks
view.
2. In the Tools pane, select Task-> Start, as shown in Figure C-1:

Figure C-1: Starting a Task from the Domino Administrator Client


The Start New Task dialog box appears, as shown in Figure C-2:

Figure C-2: The Start New Task Dialog Box


3. In the Start New Task dialog box, select the task that you want to start and click
Start Task.
4. Click Done to close the dialog box.

Starting the Task Using the NOTES.INI File

You can automatically start a task on the server by adding an appropriate entry to the NOTES.INI
file for the server.

To start the server task, you can add the following entry to the NOTES.INI file:
SERVERTASKS=<List of tasks>

The tasks that this entry specifies start each time the server starts.

You can also schedule a task to start at a specific time using the following entry:
SERVERTASKSAT<time>=<List of tasks>

For example, the following NOTES.INI entry starts the DESIGN task at 2:00 A.M. every day:
SERVERTASKSAT2=DESIGN
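
Because these entries decide which services come up without anyone typing LOAD, they are worth reviewing against the list of services the server is supposed to offer. The following Python script is an added example, not part of the original book: it parses the two entry types above and reports network-facing tasks that start automatically but are not on an approved list. The sample NOTES.INI content is constructed, the comma-separated task list and the hour range 0 to 23 are assumptions, and the set of network-facing tasks is taken from the task descriptions later in this appendix.

```python
import re

# Tasks that the task list in this appendix describes as serving network clients.
NETWORK_TASKS = {"HTTP", "IMAP", "POP3", "LDAP", "SMTP", "DIIOP", "ICM"}

# Constructed sample, not taken from a real server.
SAMPLE_INI = """[Notes]
ServerTasks=Router,AdminP,HTTP,LDAP,POP3
ServerTasksAt2=Design
ServerTasksAt3=Compact
"""

def parse_task_entries(ini_text):
    """Return {'startup': [tasks], 'scheduled': {hour: [tasks]}}."""
    startup, scheduled = [], {}
    for raw in ini_text.splitlines():
        if "=" not in raw:
            continue                      # section header or blank line
        key, value = (part.strip() for part in raw.split("=", 1))
        tasks = [t.strip().upper() for t in value.split(",") if t.strip()]
        key = key.upper()
        if key == "SERVERTASKS":
            startup = tasks               # if repeated, this parser keeps the last value
            continue
        match = re.fullmatch(r"SERVERTASKSAT(\d{1,2})", key)
        if match and int(match.group(1)) <= 23:
            scheduled[int(match.group(1))] = tasks
    return {"startup": startup, "scheduled": scheduled}

def audit(ini_text, approved_network_tasks):
    """Return (when, task) for each auto-started network task that is not approved."""
    approved = {name.upper() for name in approved_network_tasks}
    entries = parse_task_entries(ini_text)
    schedule = [("startup", entries["startup"])]
    schedule += [(f"{hour:02d}:00", tasks)
                 for hour, tasks in sorted(entries["scheduled"].items())]
    findings = []
    for when, tasks in schedule:
        for task in tasks:
            name = task.split()[0]        # drop any command-line arguments
            if name in NETWORK_TASKS and name not in approved:
                findings.append((when, name))
    return findings

if __name__ == "__main__":
    for when, name in audit(SAMPLE_INI, {"HTTP"}):
        print(f"{name} starts at {when} but is not approved for this server")
```

Tasks scheduled through Program documents are stored in the Domino directory, not in NOTES.INI, so they need a separate review.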

Starting the Task Using a Program Document

To start a task at a scheduled time, you can create a Program document in the Domino directory.

To create a Program document:


1. In the Domino Administrator client, select Configuration tab-> Server section->
Programs view, as shown in Figure C-3:

Figure C-3: The Programs View in the Domino Administrator client


2. Click the Add Program action to create a Program document. The Program
document appears, as shown in Figure C-4:

Figure C-4: A Sample Program Document


The Program document contains the following options:
 Program name: Allows you to specify the name of the server
task that you want to schedule.
 Command line: Allows you to specify the command line
arguments required to start the task on the server.
 Server to run on: Allows you to specify the server on which you
want the task to run.
 Comments: Allows you to write any comments for the document.
 Enabled/disabled: Allows you to specify whether the Program
document is enabled or disabled.
 Run at times: Allows you to specify the times at which you want
the task to run.
 Repeat interval of: Allows you to specify the interval in minutes
after which the task runs again. You specify this option if you
want the task to run more than once.
 Days of week: Allows you to specify the days of the week on
which the task must run.
3. Specify the options for the task that you want to start and click the Save & Close
action to save and close the document.

Domino Server Tasks


The Domino server runs several tasks to carry out various types of user requests:
 Administration process: Runs as the AdminP task. This task automates the
administrative activities, such as renaming a user or server, creating replicas on
multiple servers, and moving user mail files on the server.
 Agent manager: Runs as the AMGR task. This task runs the agents on the server.
 Billing: Runs as the BILLING task. This task collects the billing information in the
Billing database.
 Calendar connector: Runs as the CALCONN task. The CALCONN task connects to
another server to retrieve the free time information about the users and resources on
that server when a user tries to look up this information.
 Cataloger: Runs as the CATALOG task. This task updates the database catalog on
the server with information about the databases present on that server.
 Certificate authority process: Runs as the CA task. This task automates server
CA-based activities, such as registering users or servers from the Web.
 Collector: Runs as the COLLECT task. This task collects statistics from the Domino
servers and logs them into the Monitoring Results database.
 Compactor: Runs as the COMPACT task. This task compacts the databases on the
server. You can also use this task to update an older version of a database to the
latest On Disk Structure (ODS).
 DECS server: Runs as the DECS task. This task allows real-time access to back-end
enterprise databases, such as Oracle or Sybase.
 Designer: Runs as the DESIGN task. This task updates all the databases on the
server that are based on templates using the design changes in the template.
 DIIOP server: Runs as the DIIOP task. This task allows Java applets or Java-based
programs to access the Domino data remotely using Common Object Request Broker
Architecture.
 Directory cataloger: Runs as the DIRCAT task. This task populates and updates the
directory catalogs on the server.
 Domain indexer: Runs as the DOMIDX task. This task creates a central, full-text
index for all specified databases and file systems in a domain for domain-wide
searching.
 Event monitor: Runs as the EVENT task. This task monitors the events on the server.
You configure these events in the Monitoring Configuration database.
 Fixup: Runs as the FIXUP task. This task fixes the corrupt documents and views in a
database.
 HTTP web server: Runs as the HTTP task. This task configures the Domino server as a
Web server and allows Web clients, such as browsers, to access the Domino server.
 IMAP mail server: Runs as the IMAP task. This task allows the IMAP-based clients to
access their messages on the Domino server.
 Internet cluster manager: Runs as the ICM task. This task provides failover and
workload balancing to the HTTP clients that access the Domino Web server.
 ISpy: Runs as the runjava ISpy task. This task sends probes to other servers or users
to monitor connectivity.
 LDAP server: Runs as the LDAP task. This task enables the Domino server to
provide directory services to the LDAP clients.
 Maps extractor: Runs as the MAPS task. This task creates and updates the
connection topology maps for replication and mail routing in the Domino Administrator
client.
 Message tracking collector: Runs as the MTC task. This task collects the information
about the messages on a server and stores them in the Message Tracking Store
database. You use this information to track messages on a server and to generate
mail usage reports.
 Object store manager: Runs as the OBJECT task. This task manages the databases
and user mail files that use shared mail.
 POP3 mail server: Runs as the POP3 task. This task allows POP3 mail clients to
access the Domino server to download their messages.
 Replicator: Runs as the REPLICATOR task. This task replicates databases between
servers.
 Router: Runs as the ROUTER task. This task routes messages to users and servers.
 Run Java: Runs as the RUNJAVA task. This task runs Java-based server add-in
tasks, such as ISpy and the Change Manager.
 Schedule manager: Runs as the SCHED task. This task collects the information
when a user updates the calendar or books a resource and updates this information
in the Free Time database.
 SMTP server: Runs as the SMTP task. This task allows Domino to transfer messages
to the Internet.
 Stats: Runs as the STATS task. This task generates statistics for a remote server, on
demand.
 Web retriever: Runs as the WEB task. This task retrieves the Web pages for Domino
users, converts them into Notes documents, and stores them in the Web Navigator
database.