Configuring and Administering Domino Server 6.0
Introduction
About the Book
Domino is a tool that you can use to message, schedule, maintain task lists, and to enable
employees of an organization to communicate, collaborate, and coordinate business processes.
This book starts with an introduction to a Domino network and the tools available for Domino
system administration. It discusses how to install and configure Domino servers and users. It also
explains the configuration of tasks in Domino and the server management and monitoring
activities.
This book provides a foundation for a Domino system administrator. It has an in-depth coverage of
the configuration of a Domino Network and the tasks required to administer the Domino Server.
This book caters to experienced Local Area Network (LAN) administrators who set up and manage
the networks in their organization and provide helpdesk support to Lotus Notes users. To optimally utilize
this book, the practitioners should have prior knowledge of networking concepts and the Internet
protocols. They should also have a working knowledge of the Lotus Notes client.
Several platforms support Domino servers, including Windows, AIX, Linux, and Solaris. As a
result, you can deploy Domino on a variety of platforms and mixed environments. In addition, you
can run Domino clients on various operating systems, such as Windows 95/98, Windows XP,
Windows NT, Windows 2000, or the Macintosh.
This chapter introduces Domino servers and clients. It describes the Domino Server Console and
the server commands you need to use with the console. It also explains the various administration
clients available with Domino. In addition, the chapter explains the Domino configuration file,
NOTES.INI.
You access Domino servers using clients, such as Lotus Notes or Web-based clients. To configure
the clients, you first register the users in the Domino directory, and then configure the client
software to connect to the server.
Introduction to Domino Servers
A Domino server is a powerful software platform that provides various facilities to users, such as
routing messages to Notes and the Internet, allowing users to browse the Web, hosting
applications for Notes, Web, and mobile users, and providing real-time integration with the
enterprise data.
Based on their functionality, Domino servers are categorized into three types:
Messaging: Supports Notes mail as well as Internet standards for mail, such as SMTP,
POP3, IMAP, and HTTP mail. Also known as a Mail server, this server is used only for
messaging.
Utility: Helps develop applications for Notes as well as Web clients. You use this server
for deploying Domino applications. In addition, you can create applications that integrate
with the back-end enterprise data.
Enterprise: Combines the features of the Mail and Utility servers. In addition, it provides
features such as clustering and partitioned servers. Clustering allows you to configure
servers as backup for each other for fail over and load balancing. Partitioned servers allow
you to install multiple Domino servers on the same computer. You can use this server for
messaging as well as application development.
The servers in a domain are configured to perform various activities, such as routing messages
between users, maintaining scheduling information for users, and hosting application databases for
Notes users. In addition, the servers host Web applications and services, provide directory
services to Internet clients, and provide discussion forums to Notes and Internet clients. Based on
the roles that may be assigned to a server, you configure various services on the server. You can
configure Domino servers as messaging, application, Web, or domain search servers.
Domino servers also provide several tools for monitoring server performance, such as statistics
monitoring, event monitoring, activity analysis, and log analysis.
Domino clients access the Domino server to perform various functions, such as sending e-mail,
accessing databases, and browsing the Web. There are three types of Domino clients:
Lotus Notes: For end users. You can use this client for messaging, browsing the Web,
organizing schedules, and accessing applications.
Domino Administration: For administrators. You can use this client for all types of
administrative tasks, such as registering the Domino server, registering users, and setting
up and managing the Domino infrastructure.
Domino Designer: For application developers. It provides an integrated development
environment that allows you to develop Domino applications for various purposes.
In addition to these three clients, there are some other clients that can access a Domino server:
Web browsers, such as Internet Explorer and Netscape Navigator.
Internet e-mail clients, such as Outlook Express.
Mobile clients, such as WAP-enabled cellular phones.
iNotes for Web Access
All the services on the Domino server, such as messaging, replication, and calendaring and
scheduling, run as tasks. You can start a task using the LOAD command. For example, the
following command starts the mail router task on the server:
LOAD ROUTER
Using the Domino Server Console, you can give instructions to certain tasks, such as the
Administration Process (AdminP). These instructions are given using TELL commands, as shown in
the following command:
TELL ADMINP PROCESS INTERVAL
Domino also provides the following server commands, including SHOW commands that you can use to
view information:
BROADCAST: Sends a message to specified users or to all users connected to a
server.
DROP: Closes one or more server sessions.
HELP: Lists the server commands with their descriptions, arguments, and syntax.
SHOW DIRECTORY: Lists all database files in the Domino DATA directory and
identifies multiple replicas of a database.
SHOW DISKSPACE: Displays the amount of space, in bytes, available on the disk
drive.
SHOW OPENDATABASES: Lists the open databases on the server and
information about the databases.
SHOW SERVER: Displays server status information.
SHOW STATISTICS: Displays Domino server statistics for disk space, memory,
mail, replication, and network activity.
SHOW TASKS: Displays the server name, the Domino program directory path, and
the status of the active server tasks.
SHOW USERS: Lists the users who have established sessions with the server.
You can stop the Domino server by issuing QUIT or EXIT at the Server Console.
Domino R6 provides various administration clients to administer the server. The Domino
Administrator client is the most commonly used graphical user interface-based administration
client. To administer the Domino server using a browser, you can use the Web Administrator client.
Domino also includes a Java-based console that allows you to administer multiple Domino servers
from a single computer.
The Domino Administration Client
To perform administrative tasks on the server, you need to install the Domino Administrator client
separately from the Domino server. These administrative tasks include registering users and
servers, creating server configuration documents, and monitoring the server.
When you start the Domino Administrator client, it displays a Welcome page as shown in Figure 1-
2:
If you do not wish to view this page every time you start the client, check the Don’t show this again
option.
You need to close the Welcome page to access the Domino Administrator client interface. Figure
1-3 shows the Domino Administrator client screen:
In addition to the tabs and the panes, the Domino Administrator client contains two bars:
Menu: Contains the menu options for performing administrative tasks in the
Domino Administrator client. The Menu bar is located at the top of the Domino
Administrator client.
Bookmark: Contains bookmarks such as Favorites and Domain, links to Lotus
Notes clients and, if installed, the Domino Designer client. The Bookmark bar is
located to the left in the Domino Administrator client.
The Domino Administrator client also allows you to access the character-based Server Console.
Select Server-> Status. From the Status tabbed page, select Server Console in the Domino
Administrator client to access the character-based Server Console. Figure 1-6 shows the Domino
Server Console:
Figure 1-6: The Domino Server Console in the Domino Administrator Client
You can run the Domino Server Console as a live console by clicking the Live button. A live
console shows all the activities and messages appearing on the Domino Server Console.
You can enter Domino Server Console commands in this console by typing the commands or
selecting them from the Domino Command field.
In contrast to the Domino Administrator client, the Web Administrator client does not allow you to
register certifiers or configure any certification-related options. Another difference is that the Web
Administrator contains tools in the Replication tab that allow you to issue commands to the
REPLICATOR task on the server.
The Web Administrator client is based on the Web Administrator database (WEBADMIN.NSF).
Domino creates this database automatically when you start the Web Server task (HTTP) on the
server for the first time.
The Web Administration database contains roles that you can assign to various users to allow
them to perform different activities using the Web Administrator client. For example, you can
assign the [Files] role to a user to allow the user to use the tools in the Files tab. By using roles to
define which user can perform what activities, you can delegate administrative activities to users
who do not have access to the Domino Administrator client.
Note To learn how to assign roles to users, see Chapter 10, Domino Security.
To start the Server Controller, click Start -> Run from the Windows Start menu and run the
following command:
<Domino Program Folder Path>\nserver.exe -jc -c -s
In the above command, you can omit the -s option to start the Server Controller and the Domino
Server together. To start the Domino Console and the Server Controller together, you can omit the
-c option. To start all three components together, you can omit both arguments, -c as well as
-s.
Figure 1-8 shows the Server Controller screen:
To start the Java-based Domino Console, run the following command using the Start-> Run option
from the Windows Start menu:
<DominoProgramFolder>\jconsole
Figure 1-9 shows the Java-based Domino Console window:
For example, the following entry updates the parameter LOG_REPLICATION in the NOTES.INI
and assigns it a value 0:
SET CONFIGURATION LOG_REPLICATION=0
Using the Configuration Settings document in the Domino Directory.
Note An accidental or incorrect change to the NOTES.INI file may cause Domino
or Notes to run unpredictably.
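Because a console command such as SET CONFIGURATION rewrites NOTES.INI in place, comparing the file against a known-good copy is a practical way to catch accidental or unauthorized changes. The following is an added example, not code from the book: the two snapshots are constructed, ServerTasks is a NOTES.INI setting that this page does not show, and treating parameter names as case-insensitive is an assumption of the example.

```python
"""Report drift between a known-good NOTES.INI and the current one (added example)."""

# Settings whose value is a comma-separated list. They are compared as sets so
# that a mere reordering is not reported. ServerTasks is not shown on this page.
LIST_SETTINGS = {"servertasks"}

# Constructed sample snapshots, not taken from a real server.
BASELINE = """[Notes]
KeyFilename=server.id
ServerTasks=Update,Replica,Router,AMgr,AdminP
Log_Replication=1
"""
CURRENT = """[Notes]
KeyFilename=server.id
ServerTasks=Replica,Update,Router,AMgr,AdminP,HTTP
LOG_REPLICATION=0
"""


def parse_notes_ini(text):
    """Return ({lowercased name: (name, value)}, [names defined more than once])."""
    settings, duplicates = {}, []
    for line in text.splitlines():
        line = line.strip()
        # Skip blank lines, the [Notes] section header and anything without "=".
        if not line or line.startswith("[") or "=" not in line:
            continue
        name, value = (part.strip() for part in line.split("=", 1))
        key = name.lower()  # assumption: names are matched case-insensitively
        if key in settings:
            duplicates.append(name)
        settings[key] = (name, value)
    return settings, duplicates


def _as_set(value):
    """Split a comma-separated value into a set of lowercased items."""
    return {item.strip().lower() for item in value.split(",") if item.strip()}


def diff_notes_ini(baseline_text, current_text):
    """Return a list of (kind, parameter, detail) tuples describing the drift."""
    base, _ = parse_notes_ini(baseline_text)
    cur, duplicates = parse_notes_ini(current_text)
    findings = []
    for key in sorted(base.keys() | cur.keys()):
        if key not in cur:
            findings.append(("removed", base[key][0], base[key][1]))
        elif key not in base:
            findings.append(("added", cur[key][0], cur[key][1]))
        elif base[key][1] != cur[key][1]:
            name, old, new = cur[key][0], base[key][1], cur[key][1]
            if key in LIST_SETTINGS:
                gained = sorted(_as_set(new) - _as_set(old))
                lost = sorted(_as_set(old) - _as_set(new))
                if not gained and not lost:
                    continue  # same items, different order
                detail = "added: %s; removed: %s" % (
                    ", ".join(gained) or "-", ", ".join(lost) or "-")
            else:
                detail = "%s -> %s" % (old, new)
            findings.append(("changed", name, detail))
    # A parameter defined twice is reported, because which line wins is unclear.
    findings += [("duplicate", name, "defined more than once") for name in duplicates]
    return findings


if __name__ == "__main__":
    for kind, name, detail in diff_notes_ini(BASELINE, CURRENT):
        print("%-9s %-16s %s" % (kind, name, detail))
```

A new entry in the ServerTasks list deserves attention because every task is a service the server starts automatically.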
During the deployment of Domino servers and clients, you need to install and configure the servers
and clients. You must also set up other services on the servers.
This chapter explains how to install and configure the first Domino server and the administration
client. It also explains how to register, install, and configure the additional servers.
Overview of Domino Deployment
The Domino deployment for your organization includes deploying Domino servers, deploying the
clients, and configuring various services that are required in your setup. The deployment process
combines comprehensive planning, software installations and the various configurations.
Your sequence of actions for the deployment of Domino server should be:
1. Plan the number and location of servers in the organization.
2. Plan the naming conventions by creating the hierarchical tree on paper. Decide the
name of the domain and the names of the servers.
3. Plan the roles for each server to decide which tasks should be enabled on each of
them.
4. Set up the network infrastructure between all the servers.
5. Install and set up the first server.
6. Install and set up the administration client.
7. Set up the administration preferences.
8. Register the additional organization units.
9. Set up password recovery for each certifier.
10. Register the additional servers.
11. Install and configure the additional servers.
12. Register users.
13. Install and set up clients.
14. Set up the rest of the services on the servers.
A Domino domain is a group of servers and users that share a common Domino directory.
Creating multiple domains leads to multiple Domino directories. For small to medium sized
organizations, a single Domino directory is ideal because you can administer the servers and
users from a central location. A single domain is easy to set up and manage.
Managing multiple domains requires additional configurations and extra administration efforts. You
may want to create multiple domains if your organization has independent business units and you
want each business unit to maintain its own Domino directory. You may also create multiple
domains if the number of users and servers in your organization is too high and you find it difficult
to manage the Domino directory due to its size. It is ideal to split such a directory into two, which
also leads to two different domains. Another situation where you may want to create more than one
Domino domain for your organization is when the various offices are located at geographically
distant locations with slow and unreliable network connections that make it impossible to maintain
a single Domino directory at all these locations. You can set up a separate domain for each
location.
A sample hierarchical name is Amy James/Sales/HO/SNT. In this name, Amy James is the CN,
Sales and HO are the OUs, and SNT is the O component of the hierarchical name.
To implement a hierarchical naming tree, you create certifiers for each organization unit
component. The organization level certifier is created automatically when you configure the first
server in your domain. By creating different organization unit certifiers for distant geographical
locations and distributing the certifier IDs to the administrator for the location, you can distribute the
task of user registration and management to the local administrators for the locations.
Before you register the users and servers in your organization, you must have all the organization
and organization unit level certifiers in place. Plan the hierarchical naming tree for your
organization on paper, create the required certifiers and then proceed with the registration of
additional users and servers.
You decide the types of servers in your company based on the services that you want to provide to
your users. You can configure a Domino server for one or more of the following roles:
Messaging server: Hosts users' mail databases and routes mail for users.
Directory server: Hosts the address books for users to look up information on how
to communicate with other servers and users.
Application server: Hosts various applications for users.
Web server: Allows users to use a browser to access applications of the server.
Firewall: Protects internal servers and users from external users.
Clustered server: Provides failover and load balancing to ensure constant access
to information.
Domain Search server: Allows users to search for information in the entire domain.
Passthru server: Allows users to access all the servers in the domain by
connecting to a single server.
Based on the roles that you select for the server, you decide the type of server that you will install
and the services for which you will configure the server.
Figure 2-2: The Lotus Domino Installation Wizard - Selecting the Partition Server
Installation Option
4. Click Next. The next screen provides options to install Domino in the Program
and the Data folders, as shown in Figure 2-3:
Figure 2-3: Selecting the Destination Folders for the Domino Server
Note If you selected Partition Server Installation, the program folder for both the
partitions is common but the data folder is automatically taken as data1 and
data2, inside the program folder.
5. Select the appropriate folders and click Next. The next screen allows you to
choose the type of server that you want to install, as shown in Figure 2-4. This
screen also contains a Customize button. By clicking the Customize button, you
can choose the components that you want to install for the selected server type.
Figure 2-5: Specifying the Program Folder for the Lotus Domino Server Program Icon
7. Specify the folder and click Next. The Setup program starts copying the files
required for Lotus Domino Installation, as shown in Figure 2-6:
Figure 2-6: The Setup Window Displaying the Progress of Copying Files
8. After the installation is complete, a Thank you screen appears. Click the Finish
button on this screen to complete the installation of Lotus Domino Server.
When you run the Domino server for the first time after installing it, a Server Setup wizard appears.
This wizard provides you the options to configure the server. The configuration process performs
the following activities:
Creates a new Domino domain.
Creates a new Domino directory, names.nsf, using the Pubnames.ntf template and
places the directory in the Domino data folder.
Creates the certification log using the template, certlog.ntf, and places it in the
Domino data folder.
Creates an organization-level certifier, names it cert.id, and places it in the Domino
data folder.
Creates a certifier document for the organization-level certifier in the Domino
directory.
Creates an organization unit level certifier, certifies it using the cert.id, names it
oucert.id, and places it in the Domino data folder. The configuration process
performs this activity only if you have specified an organization unit for the server
at the time of configuring the server.
Creates a certifier document for the organization unit certifier in the Domino
directory if the organization unit has been specified.
Creates a server’s ID named server.id, certifies it using the cert.id or the oucert.id
as specified during the setup, and places it in the Domino data folder.
Creates a server document for the specified server in the Domino directory.
Creates a person document for the administrator in the Domino directory.
Creates a user ID for the administrator, names it user.id, certifies it using the
cert.id, and attaches it to the administrator’s person document in the Domino
directory.
Creates the mailfile for the administrator in the mail subfolder under the Domino
data folder.
Creates two group documents, LocalDomainServers and OtherDomainServers, in
the Domino directory.
Adds the server to the LocalDomainServers Group.
Adds the server's and the administrator's names to the access control list (ACL) of
the Domino directory, and provides them with Manager access.
Creates a group named LocalDomainAdmins if you have specified it during the
configuration process, adds it to the ACLs of all databases and templates on the
server, and provides it with Manager access.
Adds the Anonymous entry with No access to all the databases and templates on
the server, if you specify this during the configuration process.
Creates a log file named Log.nsf and places it in the Domino data directory.
Enables the specified network and serial ports.
Creates the Reports.nsf database in the Domino data folder.
Updates the network settings in the server document.
Configures any additional services selected during the setup.
Figure 2-7: The Server Setup Wizard - Selecting the First or Additional Server
3. Select the Set up the first server or a stand-alone server option and click Next.
The Provide a server name and title screen appears, which prompts you to
specify the Server name and the Server title, as shown in Figure 2-8:
Figure 2-8: The Server Setup Wizard - Providing a Server Name and Title
4. Specify your first server’s name and a descriptive title for the server. A server
name can contain a maximum of 79 characters. If you are reconfiguring the first
server, you can use the existing server ID by selecting the I want to use an
existing server ID file option. Click Next. The Choose your organization name
screen appears, as shown in Figure 2-9:
Figure 2-9: The Server Setup Wizard - Choosing Your Organization Name
5. Specify the Organization name, which can have 3-64 characters. This creates
an organization-level certifier ID for your domain. You need to specify a
password for the organization certifier ID twice. You can use an existing certifier
ID by selecting the I want to use an existing certifier ID file option and clicking
the Browse button to specify the location of the ID file.
6. Click the Customize Button. The Advanced Organization Settings screen
appears, as shown in Figure 2-10:
Figure 2-10: The Server Setup Wizard - The Advanced Organization Settings Screen
Note In Domino 6.0, you can additionally specify an organization unit (OU) to certify
the server with the OU-level certifier.
7. Specify the Organizational Unit name and Org. Unit Certifier password in the
respective text boxes. The name can contain a maximum of 32 characters and
the password should contain a minimum of 5 characters. Confirm the password.
To use an existing OU certifier, select the I want to use an existing organization
unit certifier ID file option.
8. To add a two-letter country code to the certifier ID, select a country from the
Country code list box and click OK.
9. In the screen that appears, click Next. The Choose the Domino domain name
screen appears, which prompts you to specify a domain name for your Domino
setup, as shown in Figure 2-11. The domain name can be the same as the
organization name and should have a maximum of 31 characters. During the
first server setup, a new domain is created.
Figure 2-11: The Server Setup Wizard - Choosing the Domino Domain Name
10. Specify the domain in the Domino domain name field and click Next. The
Specify the Administrator name and password screen appears, which prompts
you to specify the administrator for the first server, as shown in Figure 2-12:
Figure 2-12: The Server Setup Wizard - Specifying an Administrator Name and
Password
11. Specify the name of the person who will administer the first server. You can also
create a generic ID, such as Administrator or Admin. It is mandatory to provide
the Last name. Provide a password for the administrator’s ID and confirm it by
re-entering the same password. The Administrator’s ID is stored in the Domino
directory as an attachment in the person document of the administrator. You can
also save the Administrator’s ID in the file system by selecting the Also save a
local copy of the ID file option. Click Next. The What Internet services should this
Domino Server provide? screen appears, as shown in Figure 2-13:
Figure 2-13: The Server Setup Wizard - Specifying the Internet Services
You can select one or more of the following Internet services:
Web Browsers (HTTP services): Enables you to configure the
Domino server as a Web server.
Internet Mail Clients (SMTP, POP3, and IMAP services): Enables
you to configure the Domino server to allow Internet mail clients
to access e-mail messages on Domino.
Directory services (LDAP services): Enables you to configure the
Domino as a directory server that can be accessed by Internet
clients.
If you wish to, you can configure these services later. To configure these services later,
do not select any option.
12. You can install the Domino server with default services or customize these
services. To customize all other services on Domino, click the Customize button.
The Advanced Domino Services dialog box appears, as shown in Figure 2-14:
Figure 2-15: The Server Setup Wizard - Specifying the Network Settings
14. Click the Customize button to customize the network settings. The Advanced
Network Settings dialog box appears, as shown in Figure 2-16:
Figure 2-17: The Server Setup Wizard - The Secure your Domino Server Screen
17. Select the Prohibit Anonymous access to all databases and templates option to
add the entry Anonymous with No Access to the ACLs of all databases and
templates on the server. This prevents users from accessing these databases
and templates from a Web browser without specifying their names and
passwords.
18. Select the Add LocalDomainAdmins group to all databases and templates option
to add the named group to all the database and template ACLs with Manager
access. This is useful because, when you create more administrators, you can
add their names to this group and do not need to grant individual access to the
administrators for all the databases and templates.
19. Click Next. A summary of the entries and selections that you made during the
configuration process appears for you to review and confirm, as shown in
Figure 2-18:
Figure 2-18: The Server Setup Wizard - Reviewing and Confirming Setup Options
20. Click Setup to start the configuration of the first Domino server in your domain.
The Domino Server Setup progress bar appears. When the setup is complete, a
Setup summary screen appears confirming that the setup is complete. Click the
Finish button to complete the Setup procedure.
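The hierarchical naming plan and the name limits that the Server Setup wizard enforces can be checked before any certifier is created. The following is an added example, not code from the book: it parses abbreviated names such as Amy James/Sales/HO/SNT, lists the organization unit certifiers those names require (parents first), and applies the length limits quoted in the wizard steps. The server name HOSrv01 and the user Raj Mehta are constructed, names are assumed to carry no country code component, and the four-level OU limit is a Domino limit that this page does not state.

```python
"""Pre-flight check of a planned Domino naming tree (added example)."""
from dataclasses import dataclass

# Limits quoted from the Server Setup wizard steps on this page.
SERVER_NAME_MAX = 79        # server name
ORG_MIN, ORG_MAX = 3, 64    # organization name
OU_NAME_MAX = 32            # organizational unit name
DOMAIN_MAX = 31             # Domino domain name
# Not stated on this page: Domino allows at most four OU levels in a name.
MAX_OU_LEVELS = 4


@dataclass(frozen=True)
class HierarchicalName:
    cn: str
    ous: tuple  # as written, nearest the CN first, e.g. ("Sales", "HO")
    o: str

    def canonical(self):
        """Return the labelled form, e.g. CN=Amy James/OU=Sales/OU=HO/O=SNT."""
        parts = ["CN=" + self.cn]
        parts += ["OU=" + ou for ou in self.ous]
        parts.append("O=" + self.o)
        return "/".join(parts)


def parse_abbreviated(name):
    """Split 'CN/OU/.../O': the first component is the CN, the last is the O."""
    parts = [p.strip() for p in name.split("/")]
    if len(parts) < 2 or not all(parts):
        raise ValueError("not a hierarchical name: %r" % name)
    return HierarchicalName(parts[0], tuple(parts[1:-1]), parts[-1])


def required_ou_certifiers(names, organization):
    """List the OU certifiers needed to register `names`, parents before children."""
    needed = {}
    for raw in names:
        parsed = parse_abbreviated(raw)
        if parsed.o.lower() != organization.lower():
            raise ValueError("%r is not under organization %r" % (raw, organization))
        # Sales/HO/SNT needs the HO/SNT certifier and the Sales/HO/SNT certifier.
        for i in range(len(parsed.ous)):
            path = parsed.ous[i:]
            needed.setdefault(tuple(p.lower() for p in path), path)
    ordered = sorted(needed.items(), key=lambda kv: (len(kv[0]), kv[0]))
    return ["/".join(path + (organization,)) for _, path in ordered]


def check_plan(server, organization, domain, names):
    """Return a list of problems; an empty list means the plan fits the limits."""
    problems = []
    if not 1 <= len(server) <= SERVER_NAME_MAX:
        problems.append("server name must be 1-%d characters" % SERVER_NAME_MAX)
    if not ORG_MIN <= len(organization) <= ORG_MAX:
        problems.append("organization name must be %d-%d characters" % (ORG_MIN, ORG_MAX))
    if not 1 <= len(domain) <= DOMAIN_MAX:
        problems.append("domain name must be 1-%d characters" % DOMAIN_MAX)
    for raw in names:
        try:
            parsed = parse_abbreviated(raw)
        except ValueError as exc:
            problems.append(str(exc))
            continue
        if parsed.o.lower() != organization.lower():
            problems.append("%r does not end in organization %r" % (raw, organization))
        if len(parsed.ous) > MAX_OU_LEVELS:
            problems.append("%r has more than %d OU levels" % (raw, MAX_OU_LEVELS))
        for ou in parsed.ous:
            if len(ou) > OU_NAME_MAX:
                problems.append("OU %r in %r exceeds %d characters" % (ou, raw, OU_NAME_MAX))
    return problems


# Constructed plan: the first name is the sample from this page, the rest are made up.
PLANNED_NAMES = [
    "Amy James/Sales/HO/SNT",
    "HOSrv01/HO/SNT",
    "Raj Mehta/Support/BR/SNT",
]

if __name__ == "__main__":
    print(parse_abbreviated(PLANNED_NAMES[0]).canonical())
    print(required_ou_certifiers(PLANNED_NAMES, "SNT"))
    print(check_plan("HOSrv01", "SNT", "SNT", PLANNED_NAMES) or "plan is within limits")
```

The certifier list is ordered so that each OU certifier appears after the certifier that must certify it.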
To run the server, run the Lotus Domino Server program by selecting Start-> Programs-> Lotus
Applications-> Lotus Domino Server. The Domino server runs in a Character Interface, as shown in
Figure 2-19:
To shut down the server, type either QUIT or EXIT on the server console.
The Domino server does not have an interface to perform activities, such as registration of users or
servers. For this reason, to perform further deployment activities such as registering the servers or
users, you must install the Administrator client after configuring the first server.
Note For security reasons, it is advisable that you install the Administrator client
on a different computer from the server.
Platform Specifications
Table 2-2 lists the operating systems that support the Domino Administration client and their
hardware and network requirements:
Table 2-2: Hardware and Network Requirement to Install the Domino Administrator Client
Figure 2-20: The Installation Path Selection Screen of the Lotus Notes 6 - Install
Wizard
5. Select the appropriate folders by clicking the Change button and then click Next.
The Custom Setup screen appears. On this screen, you can select or clear the
components of Lotus Notes Client that you want to install, as shown in Figure 2-
21:
Figure 2-21: The Custom Setup Screen of the Lotus Notes 6 - Install Wizard
6. Click the button to the left of Domino Administrator and choose the option This
feature, and all subfeatures will be installed on local hard drive. Click Next. The
Ready to Install the Program screen appears, as shown in Figure 2-22:
Figure 2-22: The Ready to Install the Program Screen of the Lotus Notes 6 - Install
Wizard
7. Click Install to begin the installation of Lotus Notes 6 Administration client. The
Installing Lotus Notes 6 screen is displayed. When the installation is complete,
the Install Wizard Completed screen appears, as shown in Figure 2-23:
Figure 2-23: The Install Wizard Completed Screen of the Lotus Notes 6 - Install Wizard
8. Click Finish to complete the Lotus Notes Administration client installation.
You configure the Administration client using the Lotus Notes Client Configuration wizard.
Figure 2-24: The User Information Screen of the Lotus Notes Client Configuration
Wizard
3. In the Your name field, type the name of the Administrator as specified during the
configuration of the first server. In the Domino server field, type the name of the
first server.
4. Select the I want to connect to a Domino server option and click Next. The How Do
You Want to Connect to a Domino Server? screen appears, as shown in Figure 2-
25:
Figure 2-25: The How Do You Want to Connect to a Domino Server? Screen of the
Lotus Notes Client Configuration Wizard
5. Select the Set up a connection to a local area network (LAN) option to connect to
the Domino server over the LAN and click Next. The Additional Services screen
appears, as shown in Figure 2-26. In this screen, you can choose to configure one
or more services, such as Post Office Protocol (POP), Internet Message Access
Protocol (IMAP), Simple Mail Transfer Protocol (SMTP), Network News Transport
Protocol (NNTP), Lightweight Directory Access Protocol (LDAP), Internet Proxy
servers, and Replication settings.
Figure 2-26: The Additional Services Screen of the Lotus Notes Client Configuration
Wizard
6. Select the required services and click Finish to complete the setup. A Notes setup
is Complete! message appears, as shown in Figure 2-27:
Figure 2-31: The Register New Server(s) Dialog Box with the Server Added to
the Registration Queue
Repeat the steps to add more servers to the queue.
11. Click Register All to register all the servers in the queue and then click Done
to close the dialog box.
This process creates a server document in the Domino directory for each server that is
successfully registered. It also creates a server ID at the location specified.
Figure 2-32: Where is the ID file for this additional Domino server? Screen of
the Server Setup Wizard
6. Select the first option, The server ID file is stored on a floppy disk, CD, or
network drive, if you saved the ID in a file. If you saved the ID file in the
directory at the time of server registration, select the second option, The server ID
file is stored in the Domino Directory.
7. Specify the server ID password if you assigned a password to the server ID
during registration and click Next. The Provide the registered name of this
additional Domino server screen appears, as shown in Figure 2-33:
Figure 2-33: The Provide the registered name of this additional Domino
server Screen
8. Click Next. The What Internet services should this Domino server provide?
screen appears. Select the Internet services that you want to configure on the
additional server.
9. Customize the other services on Domino by clicking the Customize Button.
10. Click Next. The Domino network settings dialog box showing the network
ports and the Host name based on the computer’s network name appears.
11. To customize the network settings, click the Customize button and click OK.
12. Click Next. The Provide the system databases for this Domino server screen
appears, as shown in Figure 2-34:
Figure 2-34: The Provide the system databases for this Domino server
Screen
A few system databases created on the first server are replicated to the
additional servers at the time of additional server configuration. The Domino
directory is one such system database. The Provide the system databases for
this Domino server screen requires you to specify the name of the server from
where these databases must be replicated and the method by which the
connection to the other Domino server must be established.
You can choose to connect to the server directly over the network by
specifying the server name and the network address or choose from one of
the following options on this screen:
Use a proxy server to connect to the other Domino server.
Use a dialup connection.
Get system databases from CD or other media.
13. Specify the name of the first server in the Other Domino server name field and
click Next. The Specify the type of Domino directory for this server screen
appears, as shown in Figure 2-35:
Figure 2-35: The Specify the type of Domino directory for this server Screen
The Domino directory that is replicated to the additional server can be a full
replica containing all documents from the directory. Alternatively, you can
choose to do a partial replication.
14. Select Set up as a primary Domino Directory to include all types of documents
in the Domino Directory on the additional server.
15. Select Set up as a Configuration Directory to copy only the server
configuration documents to the replica on the additional server. In this case,
the additional server uses the primary Domino Directory located on a remote
server to look up information about users and groups.
16. Click Next. The Secure your Domino Server screen appears. Select the
Prohibit Anonymous access to all databases and templates option to add the
entry Anonymous with No Access to the ACLs of all databases and templates
on the server.
17. Select the Add LocalDomainAdmins group to all databases and templates
option to add the named group to all the database and template ACLs with
Manager access.
18. Click Next. A summary of entries and selections made by you during the
configuration process appears for you to review and confirm, as shown in the
Figure 2-36:
Figure 2-36: The Please review and confirm your chosen server setup
options Screen
19. To change any of the options, click the Back button to go back to the previous
screens.
20. Click Setup to start the configuration of the additional Domino server in your
domain. The Domino Server Setup progress bar appears. When the setup is
complete, a Setup summary screen appears confirming that the setup has
been completed.
21. Click the Finish button to complete the Setup procedure.
To configure the Lotus Notes clients, you must first register all the users on the server. The
registration process creates a Person document for each user in the Domino directory. It also
creates a user ID and a server-based e-mail database for each user. After you have successfully
registered the users, you must install the Lotus Notes client software on each user workstation and
configure it with the user ID created for the specific user.
Domino provides you several options to simplify and facilitate the registration and management of
users. These options include creating policy settings to define default registration, setup, desktop,
and security settings for the user so that you do not need to individually configure these settings on
the users' workstations. Setting up ID and password recovery enables you to retrieve lost or
damaged IDs or forgotten passwords. To allow the Lotus Notes user to look up names in the user’s
native language, you can provide an alternate name language to the user.
This chapter explains how to register, install, and configure Lotus Notes clients. It also describes
the various tasks that need to be performed before you register users.
Pre-Registration Activities
Before you start registering the users on the Domino server, you must perform certain preliminary
procedures that will smooth the registration process and help you manage the users later.
During the registration process, you are required to provide various types of information, such as
the e-mail and registration servers and the password options for the users. You can set default
values for most of this information so that the registration process becomes simple. You can set
the default values using the Administration preferences.
If you want to allow registration of users using a Web browser, without using the certifier ID, you
must configure the CA process on the Domino server.
To register users you require certifier IDs. You must ensure that you create all the certifier IDs
based on the hierarchical naming scheme you have defined for your organization. You must also
enable password recovery on these certifiers so that you can recover the user IDs that you
registered using the certifier IDs.
You can create policies to define the default registration, setup, desktop and security options for
the user. These policies are dynamic and you assign the policies to the users at the time of
registration. If you want to change any desktop or security setting for a user later, you only need to
change the policy.
Further, at the time of user registration, you can also assign users to various groups or provide
them with an alternate name and language.
Note Although you can perform most of these activities after you configure the
clients, performing the activities before registering the users saves a lot of
time and effort.
The administration preferences stored for a Domino administrator client allow you to customize
default options for the registrations that you perform using that specific client. The administration
preferences also allow you to customize the Domino Administrator client’s environment by
specifying which domain you want to manage from the client or the servers that you want to
connect to.
To access administration preferences, select the Administration Preferences menu option from the
File-> Preferences menu. The Administration Preferences dialog box appears, as shown in Figure
3-1:
You must set the options in the Registration tab of the administration preferences to simplify the
process of registration.
Figure 3-2: The Registration Tab of the Administration Preferences Dialog Box
2. Select the Registration domain as the default domain to register users and
servers.
3. To create IDs for users during registration, select the Create Notes IDs for new
users option, and click the Certifier ID button to select the certifier ID that you
want to use to certify the user IDs during the registration process.
Note If you clear the Create Notes IDs for new users option, the Certifier ID button
and the Use CA Process options are replaced with the Certifier name list that
contains a list of certifiers from the Domino directory.
4. Optionally, you can select the Use CA process option to register users using the
CA process on the server.
Note The CA process allows you to register users without using a certifier ID. This is a
useful method for registering users from a Web browser.
5. If you have created an explicit policy for users, from the Explicit policy list, select
an explicit policy to be assigned to the users. If you have created an
organization policy that contains registration settings for the selected certifier,
the policy is automatically assigned to the users and the policy registration
settings are used for the registration settings.
6. Click the Registration Server button to specify the server in whose Domino
directory the documents of the users/servers/certifiers must be created.
7. If you have created user setup profiles and you want to assign one to the users,
select from the User setup profile list. You can apply a user setup profile to a
user only if you are not using a policy.
8. Click the Mail Options button to specify the options for creating the e-mail files of
the users. The Mail Registration Options dialog box appears, as shown in Figure
3-3:
When you register a user, server, or certifier, the options specified in the Administration
Preferences dialog box become the default options.
The CA Process is an automated task that runs on the Domino server. You use this process to issue,
manage, and process certificates. You can issue certificates to Notes as well as Internet users.
The certificates you issue must comply with industry Internet certificate standards, such as X.509.
As a result, the certificates can be used on the Internet as well. The CA Process allows you to
register users and servers without using a certifier ID and password. As a result, you can register
users using the Web Administrator. The CA Process also allows an administrator to delegate
registration authority to certain users without distributing the certifier ID file to these users.
The CA Process creates and maintains an Issued Certificate List (ICL) database that records all
the certificates issued by the CA. The CA Process also issues a Certificate Revocation List (CRL)
that contains information about the certificates that have expired or been revoked.
You can create CA Certifiers either by registering a new Internet certifier or by migrating an existing
Notes certifier. You use the Internet Certifiers to issue server and client Internet certificates.
Note To learn more about Internet Certificates, see Chapter 13, Configuring SSL
on Domino.
You can migrate an existing Notes certifier to work as a CA certifier. This allows you to register
users and servers using that CA certifier without requiring the Certifier ID file. The method is useful
if you want to allow an administrator to register users using the browser-based Web Administrator.
You can also allow administrators to register users using the Domino Administrator client without
the Certifier ID file. The certification takes place with the help of the CA process on the server and
the security for the certifier is controlled through roles defined while migrating the certifier.
To migrate an existing Notes certifier to a CA Process:
1. Select the Configuration tab of the Domino Administrator client.
2. In the Tools pane, click Certification-> Migrate Certificate. The Migrate Certifier
dialog box appears, as shown in Figure 3-9:
Figure 3-12: The Certificates Tab of the Migrate Certifier Dialog Box
10. Click OK to save the certifier information and close the Migrate Certifier dialog
box.
The above procedure creates the ICL database and adds a request to the Administration Requests
database.
Note To learn more about the Administration Requests database, see Chapter 8,
Managing Users and Servers Using the Administration Process.
If the CA process is not running on the server, issue the following command at the server console.
LOAD CA
If the CA process is already running, you must refresh the CA to add the certifier to the CA process
using the following commands:
TELL ADMINP PROCESS ALL
After you set up the first server, Domino creates the organization certifier. If you chose the option of
adding an organizational unit to the first server, Domino creates an organizational unit certifier as
well. Before you register the users or servers in your domain, you must plan the hierarchical
names of all the servers and users. Based on the hierarchical naming scheme that you have
planned, you must then register the certifiers.
A certifier document for the Organization certifier is added to the Server-> Certificates view of the
Domino directory.
The Certifier document is added to the Server->Certificates view of the Domino directory.
Domino allows a user to use more than one language. Each user can be given alternate
language support for the user's native language as well as an alternate name in that language.
Using an alternate name allows users to use their native language and character set to type,
display, and look up names. Domino provides a user with alternate names and language support
for only those languages that have been enabled for the certifier.
Note You can enable an alternate language for the user at the time of registration.
You can also enable it at a later stage.
Figure 3-20: The Certify ID Dialog Box Showing the Alternate Language Names
Enabled for the Certifier
11. Click Certify to complete the process of certification and enabling the alternate
language support for the organization certifier.
Figure 3-21: The Specify Alternate Organization Unit Name Dialog Box
8. Select the language for which you want to add support.
9. Specify the Organization name in the Org Unit field.
10. Click OK to save and close the settings. The new name along with the
language is added to the Subject name list.
11. Click Certify to complete the process of certification and enabling the alternate
language support for the organization unit certifier.
Without an ID file, a Lotus Notes user cannot access the server. As a result, the user cannot read
messages and any data that the user has encrypted with the ID. The user cannot even open the
encrypted databases located on the user’s local workstation without an ID file. For this reason, the
user should keep a backup of the ID file in a secure location. The ID recovery process helps
achieve this.
For the IDs to be recoverable, you should set the recovery information for the certifier to be used to
certify the user IDs. You should specify one or more recovery administrators, who will be able to
provide a recovery password in case a user forgets the ID password. You should also specify a
mail database to which Domino sends the backups of all the ID files registered with the certifier ID.
Domino sends these backups even if the user ID changes.
If the user forgets the password, each recovery administrator provides the user with a recovery
password. The user selects the recover ID option and types all the required recovery passwords.
Domino allows the user to change the password without specifying the original password.
If the user loses the ID or the ID becomes corrupted, you can detach the ID file from the backup in the
specified mail database and provide it to the user.
Figure 3-23: The Edit Master Recovery Authority List Dialog Box
5. In the How Many Recover Authorities do you require field, specify 2. This
number indicates how many recovery passwords a user will need to specify to
recover the ID, if the user forgets the ID password.
6. To add the names of users to the Current Recovery Authorities list, click the Add
button. This allows you to select the names from the Domino Directory. Select
the names of the users responsible for providing recovery passwords to users
who need to recover their IDs.
7. After you set the recovery option, Domino automatically sends all the new or
modified ID files to you as attachments. You can receive these IDs in your own
mail box or create a separate mail box to receive these mails. To create a new
mailbox to store the IDs, select the option, I want to create a new mailbox.
8. Click the Address button to provide the information required to create the new
mailbox. The Create New Mailbox dialog box appears, as shown in Figure 3-24:
Creating Policies
Desktop: Enables you to update a user’s desktop and location document settings
dynamically. Domino applies this type of policy setting to a user’s workstation
whenever the user authenticates with the user’s mail server. The Desktop Settings
document contains the following settings:
Registration: Enables you to set the default options to be used at the time
of user registration. The Registration Settings document contains the
following settings:
o Registration server
o Password options, such as setting the password quality
scale and the Internet password
o Mail options, such as Mail system, Mail server, Mail
template, Internet domain, and Internet address format
o ID file settings, such as certificate expiration date, location
for storing user ID, and ID security type
o Group assignments
o Local administrator
Security: Enables you to define the local security options for a user, such as
the workstation ECL or the password management options. The Security
Settings document contains the following settings:
Setup: Enables you to define the default settings to be used when a Lotus
Notes client is configured. These settings are included in the user’s
Location document. This document contains options similar to the Desktop
settings document, but its settings are applied only once at the time of
configuring the Lotus Notes client.
The Settings documents appear in the Settings view, categorized by the Settings type.
You create organizational policies for an organizational unit. These policies automatically apply to
all the users who have been certified using that organization unit. For example, a policy */SNT
applies to all the users who have been certified by the certifier SNT.
You use a group document to group users and servers. Creating groups helps you to easily
manage users and servers. For example, you can create a group called administrators and assign
all the administrators in your domain to this group. Instead of assigning access on various
databases to individual administrators, you can now assign access to this group. Similarly, you can
create a group called AllUsers to send any message to all the users in your domain.
Registering Users
To configure Lotus Notes clients, you first need to register the users on the server. When you
register a user:
A person document for the user is added to the Domino Directory.
A user ID is created for the user.
A mail database is created for the user on the specified server.
Optionally, the user is added to a group.
You can either register users one at a time by filling in the information in the user registration
screen or create a text file using any editor, such as Notepad, with the required information of all
the users and use it for registration.
To register users by filling in the user registration screen, you need to fill in information about each
user one by one. This option is suitable when you have to register only a few users.
Figure 3-29: The Register Person Dialog Box with the Advanced Options
Note The default values for options in the Register Person dialog box are populated
from the registration settings in the organizational policy. This policy is activated
based on the certifier that you select for registering the user. If you assign an
Explicit policy to a user, the settings in the Explicit policy apply to the user
instead of the organizational policy. If there is no policy, or if the policy does not
include registration settings, the values are populated from the administration
preferences.
The Basics tab of the Register Person dialog box contains the following options:
Registration Server: The server on whose Domino directory the
person document of the user being registered must be added.
First name: First name of the user. This is an optional field.
Middle name: Middle name of the user. This is an optional field.
Last name: Last name of the user. This is a mandatory field. The
name fields can consist of uppercase and lowercase letters
(A-Z), numbers (0-9), and special characters such as ampersand
(&), dash (-), dot (.), space ( ) and underscore (_).
Short name: Short name of the user. Domino automatically
creates this name using one character from the first name and
rest of the characters from the last name.
Password: Password for the user ID. Domino validates this
password against the password quality scale specified in the
registration policy/administration preferences. You can override
the password quality scale by clicking the Password Options
button.
Mail system: The mail system that the user will use, such as
Lotus Notes, IMAP, POP, or iNotes.
Explicit policy: A list of Explicit policies. If you have created an
Explicit policy for the user, select the policy from this list.
Create a Notes ID for this person: Enable this option to create a
Notes ID for the user.
You can view the synopsis of the registration settings in the Policy assigned to the user
by clicking the Policy Synopsis button. This shows the effective policy assigned to the
user.
4. Specify the required information and select the Mail tab. Figure 3-30 shows the
Mail tab of the Register Person dialog box:
Figure 3-30: The Mail Tab of the Register Person Dialog Box
The Mail tab of Register Person dialog box contains the following options:
Mail server: The server on which the user’s mail database must
be created.
Mail filename: The name of the mail database, which is created
in the mail folder inside the server’s data folder. Domino creates
the mail file name using one character from the user’s first name
and seven characters from the user’s last name.
Mail file template: The template file used to create the mail
database. The default template used is Mail (R6) (Mail6.ntf).
Create file now/Create file in background: Option buttons that
you can select. Selecting create file now creates the mail
database of the user at the time of registration. Selecting Create
file in the background creates the mail database later using the
administration process.
Mail file owner access: The access that the user must be given
for the user’s mail database. You can choose from Manager,
Designer, or Editor.
Create full text index: Creates a full text index for searching in
the mail database.
Set database quota: Defines a maximum mail database size for
the user.
Set warning threshold: Sends a warning to the user before the
mail database quota is full.
5. Specify the values in the fields.
6. To create replicas of the mail database on clustered servers, click the Mail File
Replicas button. The Mail Replica Creation Options dialog box appears, as
shown in Figure 3-31:
Figure 3-32: The Address Tab of the Register Person Dialog Box
The Address tab contains the following options:
Internet address: The Internet address of the user created
automatically using the following options.
Internet domain: The Internet domain for your Domino domain.
Address name format: The format in which the first and the last
names of the user must be combined to form the Internet
address of the user.
Separator: The special character that must be used to separate
the first and the last names of the user in the Internet address.
9. Click the ID Info tab to view the options related to the ID file, as shown in Figure
3-33:
Figure 3-33: The ID Info Tab of the Register Person Dialog Box
The ID Info tab contains the following options:
Use CA Process: Enables you to use the server-based CA to
register the user.
Certifier ID: Enables you to select the certifier ID to be used for
the registration of the user. This option appears when CA
Process is not selected.
Security Type: Enables you to select the security type. You
can select International or North American. North American IDs
are more secure than International IDs.
Certificate expiration date: Enables you to select the date on
which the user’s certificate expires. The default is two years from
the date of registration.
Location for storing User ID: Enables you to select the location
for storing the User ID. You can store the ID file as an
attachment to the person document of the user in the Domino
directory. You can also store it in the file system. Use the Set ID
file button to specify the path for the ID file. The default path is
Ids\People\<user>.id in the admin client’s data folder.
10. Click the Groups tab to add the user to an existing group, as shown in Figure 3-
34:
Figure 3-34: The Groups Tab of the Register Person Dialog Box
11. From the list of groups shown under Assign person to group(s), select the group
and click the Add button to add the user to the group.
12. Click the Other tab to view more options for user registration, as shown in Figure
3-35:
Figure 3-35: The Other Tab of the Register Person Dialog Box
The Other Tab of the Register Person dialog box contains the following options:
Setup profile: The name of a setup profile to be assigned to the
user. The functionality of an R5 setup profile has been replaced
with policies in R6. As a result, if you are using Policies, this
option is disabled.
Unique org unit: A unique qualifier added to the user’s name to
distinguish between two users who have the same common
name and the same certifier.
Location: The geographical location of the user.
Local Administrator: Enables you to specify the name of a user
to whom you want to allow access to edit the user’s document.
The name specified must have Author access to the Domino
directory.
Comment: Enables you to specify any comment for the user.
Alternate name language: Enables you to select a language from
the alternate languages enabled for the certifier in order to
provide alternate language support to the user.
Alternate name: Enables you to specify the name of the person
in the alternate language.
Alternate org unit: Enables you to specify an alternate unique org
unit for the user.
Preferred language: Enables you to specify the language that
the user prefers to use.
13. After specifying all the required information, click the green check mark to add
the user to the registration queue.
14. Add more users similarly and then click Register All to register all the users. You
can also register a single user by selecting the user in the queue and then
clicking the Register Button.
15. Click Done to close the Register Person dialog box.
By registering users using a text file, you can register a batch of users with the least effort. To
register users using this method, you first create a text file containing all the registration
information and then import the text file into the Register Person dialog box.
The text file that you use for registration has a fixed format and you must specify each person entry
on a separate line. In addition, you must separate the various registration parameters with a
semicolon (;).
Note If you want to use any other separator, you can specify this in the
NOTES.INI using the setting BatchRegSeparator.
The order of the registration parameters is fixed. Table 3-1 lists the registration parameters and
their order:
Table 3-1: Parameters for Creating a Text File to Register Users
Order Parameter
1 Last name
2 First name
3 Middle initial
4 Organizational unit
5 Password
6 ID file directory
7 ID file name
11 Location
12 Comment
13 Forwarding address
14 Profile
15 Local administrator
16 Internet address
17 Short name
18 Alternate name
The order of these parameters is fixed and if you want to skip a parameter, you must specify the
subsequent parameters at the right position by using the right number of separators.
For example, in the following line, the last name, first name, password, and mail server fields have
been specified. These are the 1st, 2nd, 5th and 8th parameters.
Jones;Allan;;;password;;;Mainserver/ho/snt
To register the users from the text file after creating the text file:
1. Select the Configuration tab in the Domino Administrator client.
2. From the Tools pane, select Registration-> Person. Domino prompts you for the
password for the certifier ID specified as default in the Administration
Preferences.
3. To choose a different certifier ID, click Cancel and select the other certifier, or
just type the password and click OK. The Register Person - New Entry dialog
box appears.
4. Click the Import Text File button. The browse window appears, where you can
select the text file you have created for registration.
5. Select the text file and click Open to open the file. A message shows the number
of people successfully queued and the number of people queued with error
status. If there are any errors, you can edit and correct the entries.
6. Click Register All to register the users.
7. Click Done to close the Register Person dialog box.
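A pre-import check for the batch registration file described above, as an added example that is not part of the book or of Domino: it parses each line by the fixed positions in Table 3-1 (position 8 taken from the example line), applies the name rules from the Basics tab, flags entries that would derive the same default mail file name, and masks the clear-text passwords in everything it returns. The function names, the 10-character minimum (a stand-in for the password quality scale, which the page does not define) and all sample entries except the first are assumptions.

```python
import re

# Field positions (1-based) from Table 3-1 on this page. Position 8 comes from
# the page's example line; positions 9 and 10 are not listed on the page.
FIELDS = {
    1: "last_name", 2: "first_name", 3: "middle_initial", 4: "org_unit",
    5: "password", 6: "id_file_directory", 7: "id_file_name", 8: "mail_server",
    11: "location", 12: "comment", 13: "forwarding_address", 14: "profile",
    15: "local_administrator", 16: "internet_address", 17: "short_name",
    18: "alternate_name",
}
MAX_FIELDS = 18
NAME_FIELDS = ("last_name", "first_name", "middle_initial")
# Characters the page allows in name fields: letters, digits, & - . space _
NAME_OK = re.compile(r"[A-Za-z0-9&\-. _]*")


def parse_line(line, sep=";"):
    """Split one entry into {field_name: value}; empty positions are skipped."""
    parts = line.rstrip("\r\n").split(sep)
    if len(parts) > MAX_FIELDS:
        raise ValueError(f"{len(parts)} fields, the table lists at most {MAX_FIELDS}")
    record = {}
    for pos, value in enumerate(parts, start=1):
        value = value.strip()
        if value:
            record[FIELDS.get(pos, f"position_{pos}")] = value
    return record


def validate(record, min_password_len=10):
    """Return a list of problems for one parsed entry."""
    problems = []
    if not record.get("last_name"):
        problems.append("last name is mandatory")
    for name in NAME_FIELDS:
        if not NAME_OK.fullmatch(record.get(name, "")):
            problems.append(f"{name} has characters outside the allowed set")
    # Assumed local rule standing in for the password quality scale.
    if len(record.get("password", "")) < min_password_len:
        problems.append(f"password shorter than {min_password_len} characters")
    return problems


def mail_file_stem(record):
    """Default mail file name per the page: 1 char of first name + 7 of last."""
    last = record.get("last_name", "")
    if not last:
        return None
    return (record.get("first_name", "")[:1] + last[:7]).lower()


def redact(record):
    """Copy of the record that is safe to log: the password is masked."""
    return {k: ("********" if k == "password" else v) for k, v in record.items()}


def check_batch(text, sep=";", min_password_len=10):
    """Return (redacted_records, findings); findings are (line_no, message)."""
    records, findings, seen = [], [], {}
    for no, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            rec = parse_line(line, sep)
        except ValueError as exc:
            findings.append((no, str(exc)))
            continue
        findings.extend((no, msg) for msg in validate(rec, min_password_len))
        stem = mail_file_stem(rec)
        if stem in seen:
            findings.append((no, f"mail file name '{stem}' already derived on line {seen[stem]}"))
        elif stem:
            seen[stem] = no
        records.append(redact(rec))
    return records, findings


# Constructed sample: line 1 is the page's example, the rest are made up.
SAMPLE = """Jones;Allan;;;password;;;Mainserver/ho/snt
Rogers;Tanya;;;Xk4!pq9z-Lm;;;Mainserver/ho/snt
Rogers;Tom;;;c0rrect-h0rse;;;Mainserver/ho/snt
;Pat;;;another-Pass1;;;Mainserver/ho/snt
O'Neil;Sam;;;yet-An0ther1;;;Mainserver/ho/snt
"""

if __name__ == "__main__":
    recs, issues = check_batch(SAMPLE)
    for line_no, message in issues:
        print(f"line {line_no}: {message}")
```

Pass `sep` the same character you set in BatchRegSeparator if you changed the default, and treat the file itself as a secret because it holds initial passwords in clear text.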
Platform Specifications
Table 3-2 lists the operating systems that support the Lotus Notes Client and the hardware and
network requirements for each operating system:
Table 3-2: Hardware and Network Requirements for Installing Lotus Notes Client on Various
Platforms
Installation Procedure
Figure 3-36: The Customer Information Screen of the Lotus Notes 6 - Install Wizard
4. Specify your name and your company name in the User Name and Organization
fields.
5. Select the Anyone who uses this computer (Multi-User Install) option and click
Next. The Installation Path Selection dialog box appears, as shown in Figure 3-
37:
Figure 3-39: The Welcome Screen of the Lotus Notes Client Configuration
Wizard
2. Click Next. The User Information dialog box appears, as shown in Figure 3-
40:
Figure 3-40: The User Information Dialog Box of the Lotus Notes Client
Configuration Wizard
3. In the Your name field, specify the name of the user that you have registered
on the server and are trying to configure.
4. In the Domino server field, specify the name of the server that contains the
user’s document in the Domino directory, which is the registration server for
the user.
5. Select the I want to connect to a Domino server option and click Next. The
How Do You Want to Connect to a Domino Server? dialog box appears, as
shown in Figure 3-41:
Figure 3-41: The How Do You Want to Connect to a Domino Server? Dialog
Box of the Lotus Notes Client Configuration Wizard
6. Select the Set up a connection to a local area network (LAN) option and click
Next.
7. The Additional Services dialog box appears, as shown in Figure 3-42. This
dialog box provides options to configure services such as POP, IMAP, SMTP,
NNTP, LDAP, Internet Proxy servers, and Replication settings.
Figure 3-42: The Additional Services Dialog Box of the Lotus Notes Client
Configuration Wizard
The additional services that you can configure as part of the Lotus Notes
client configuration are:
Internet mail servers: Configures the Lotus Notes client to
access POP and IMAP mails.
Newsgroup Server: Configures the Lotus Notes client to
access a newsgroup server using NNTP.
Directory Server: Configures the Lotus Notes client to access
an LDAP server to access external directories.
8. Select the required options. For example, to configure the proxy settings for
the Lotus Notes client, select the Internet Proxy servers option and then click
Next. The Internet Proxy Settings dialog box appears, as shown in Figure 3-
43:
Figure 3-46: The Default Welcome Page of the Lotus Notes 6 Client
Messages within a Domino network are routed automatically when you set up Domino servers and
clients. If you want to route messages from your Domino network to another network, domain, or to
the Internet, you need to configure mail routing.
You can also configure Domino to provide messaging services to non-Notes mail clients. To
troubleshoot mail routing problems, you can configure mail monitoring options on the server. In
addition, you can also control messages on the server by creating mail rules and enabling
Journaling.
This chapter explains how to configure mail routing within a Domino domain and to the Internet. It
also describes how to configure the Domino server for access by non-Notes mail clients. In
addition, the chapter explains the various mail monitoring tools available in Domino, such as mail
trace and tracking, and describes mail rules and mail Journaling.
The Domino mail server is installed as part of the Domino Messaging and the Domino Enterprise
server licenses. The ROUTER task on the server is responsible for routing messages on the
Domino server. The ROUTER task loads automatically when you start the Domino server. If
required, you can load the ROUTER manually by using the server console command:
LOAD ROUTER
The Domino mail server has an outgoing mail box file (MAIL.BOX) that holds all the messages that
arrive on the server. The ROUTER keeps a record of the messages in the MAIL.BOX. If the
message is intended for a user on the current server, the ROUTER delivers the message to the
user’s mail file on the server. If the message is intended for another server, the ROUTER transfers
the message to the MAIL.BOX on the other server.
Note To improve the performance of the ROUTER on a server, you can configure
multiple outgoing mail box files on the server using the Configuration
Settings document. Domino then names these files as MAIL1.BOX,
MAIL2.BOX, and so on.
The Domino mail server can route messages to other Domino servers using the Notes Remote
Procedure Calls (NRPC). It can also route mail to the Internet. The Domino mail server supports
Internet mail protocols, such as SMTP, IMAP, and POP3.
Domino can send and receive messages in the Notes Rich Text format or in the MIME format.
Mail Files
Domino assigns a mail file to every registered Domino user. The server on which this mail file
resides is called the user’s Mail server. At the time of user registration, Domino creates the user’s
mail file based on the Mail (R6) template, MAIL6.NTF. By default, Domino creates the mail file in
the MAIL folder, which is inside the Domino DATA folder. The name of the mail file is taken from the
short name of the user. For example, for a user Tanya Rogers, the mail file name will be
TROGERS.NSF.
Users can access their mail files using the Lotus Notes client or other Internet clients, such as
IMAP- and POP3-based clients or Web browsers. To access their mail files using Lotus Notes
clients, users require their User IDs. To access their mail files using other Internet-based clients,
the users require their names and Internet passwords, which are defined in their Person
documents in the Domino directory.
By default, each user has Manager access to the user’s mail file, but the administrator can assign
a lower access to the user at the time of user registration. At the minimum, the administrator can
assign Editor access to a user, which is sufficient for the user to send, receive, forward, and delete
messages as well as reply to messages.
To control the size of the user’s mail file, the administrator can assign a database quota for the file.
Mail Clients
Mail clients access mail on the Domino server. Domino supports multiple mail clients, such as:
Lotus Notes: Access their messages on the Domino server using the Notes routing
protocol. Lotus Notes is the default mail client for Domino. Lotus Notes users
require their user IDs to access their mail files on the server. They can also create
local replicas of their mail files and work offline.
IMAP: Access their messages directly on the server that runs the IMAP service or
download the messages into a local file. IMAP users use TCP/IP to connect to the
Domino server. They use the IMAP protocol to read their messages on the server
and use SMTP to send messages through the server. They authenticate with the
server using a name and an Internet password.
POP3: Download messages locally from the Domino server running the POP3
service. POP3 clients use TCP/IP to connect to the Domino server. These clients
authenticate with the server using a name and Internet password. POP3 clients
use the POP3 protocol to download mail from the server and use SMTP to send mail
through the server.
iNotes Web Access: Access messages on the Domino server using a Web
browser. The Domino server must be running the HTTP task to allow iNotes users
to access messages. The iNotes users also authenticate using their names and
Internet passwords and connect to the server over TCP/IP. These users can work
offline by creating local replicas of their mail files.
The Mail section of the Person document has the following fields:
Mail System: The mail system used by the user. The default mail system is Notes, but
you can select other mail systems, such as cc:Mail, X.400, POP, or IMAP.
Domain: The domain with which the user is associated.
Mail server: The server on which the user’s mail file is located.
Mail file: The path of the mail file of the user. The path is relative to the Domino
DATA folder.
Forwarding address: The alternate address at which the user wants to receive
messages. This could be an external address that the user uses while away from
the office.
Internet address: The user’s complete Internet address.
After the ROUTER determines the mail server for a recipient, it can then decide the action it must
take on the message in its MAIL.BOX.
If the sender and recipient have a common mail server, the ROUTER immediately delivers the
message to the recipient’s mail file. If the sender and the recipients have different mail servers, the
ROUTER finds out the Notes Named Network (NNN) of the recipient’s mail server.
The ROUTER can connect immediately to servers in a common NNN and transfer messages. To
connect to a server in a different NNN, you need to create Connection documents.
If the recipient belongs to an external Domino domain, you need to create Connection documents
between any two servers in the two domains. You can also create Domain documents to facilitate
the mail transfer.
NNN
The NNN groups servers in a Domino domain into logical networks. The servers in the NNN must
share a common protocol and be constantly connected.
The NNN of a server is defined when a server is registered. When two servers do not share a
common protocol or are not constantly connected, you need to assign them to different NNNs. You
can assign a server to a different NNN if you want to schedule messages between two servers
that share a common protocol or are connected. You can change the NNN of a server in the Server
document.
Figure 4-3: The Notes Network Ports Tab of the Server Document
4. In the Notes Network field, specify the name of the NNN to which you want to
assign the server. This can be the name of an existing or new NNN.
5. Save and close the Server document.
You can view the various NNNs and the servers belonging to the NNNs in the Server Pane, as
shown in Figure 4-4:
The ROUTER handles messages on the Domino server differently in different scenarios. There are
four common scenarios:
The sender and the recipient have the same mail server.
The sender and the recipient have different mail servers that are in a common
NNN.
The sender and the recipient have different mail servers that are in different NNNs.
The sender and the recipient belong to different domains.
For example, the mail file of Arnold/HO/SNT is on MainServer/HO/SNT and the mail file of
Jessica/RO/SNT is on ROMailServer/RO/SNT. MainServer is in Network1 and ROMailServer is in
Network2. A Connection document exists between MainServer in Network1 and a third server,
ACTServer, in Network2. To send a message in this situation:
1. Arnold sends a message to Jessica using Arnold’s mail file on the MainServer.
2. The mail is deposited in the MAIL.BOX of MainServer.
3. The ROUTER task on MainServer checks Jessica’s Person document to find
out information about Jessica’s mail server.
4. When the ROUTER finds that Jessica’s mail server is ROMailServer, it checks
the NNN name for the ROMailServer. The ROUTER finds that the NNN for
ROMailServer is Network2.
5. The ROUTER looks for a Connection document between Network1 and
Network2. It finds that a Connection document exists between the MainServer
in Network1 and the ACTServer in Network2.
6. The ROUTER transfers the message to the MAIL.BOX on the ACTServer.
7. The ROUTER on ACTServer transfers the message to the MAIL.BOX on the
ROMailServer after checking the recipient’s Person document.
8. The ROUTER on the ROMailServer checks Jessica’s Person document and
finds that Jessica’s mail server is ROMailServer.
9. The ROUTER checks Jessica’s mail file name and delivers the message into
the mail file.
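The nine steps above can be followed as a small routing model. This is an added example, not Domino code: the dictionaries stand in for the Person, Server and Connection documents, the mail file paths are constructed, and raising an error when no Connection document exists is a modelling assumption.

```python
# Added illustration: a simplified model of the ROUTER decisions in the
# Arnold -> Jessica walkthrough. It is not Domino code. Server short names are
# used as on the page; the mail file paths are constructed sample values.

class NoRouteError(Exception):
    """No Connection document links the current server to the recipient's NNN."""

# Stand-in for Person documents: recipient -> mail server and mail file.
PERSON_DOCS = {
    "Arnold/HO/SNT": {"mail_server": "MainServer", "mail_file": "MAIL/ARNOLD.NSF"},
    "Jessica/RO/SNT": {"mail_server": "ROMailServer", "mail_file": "MAIL/JESSICA.NSF"},
}

# Stand-in for the Notes Network field of each Server document.
SERVER_NNN = {
    "MainServer": "Network1",
    "ACTServer": "Network2",
    "ROMailServer": "Network2",
}

# Stand-in for Connection documents: (source server, destination server).
CONNECTION_DOCS = [("MainServer", "ACTServer")]


def next_action(current, recipient, connections=CONNECTION_DOCS):
    """Return the single decision the ROUTER on `current` takes for `recipient`."""
    person = PERSON_DOCS.get(recipient)
    if person is None:
        raise LookupError(f"no Person document for {recipient}")
    home = person["mail_server"]

    # Scenario 1: the recipient's mail file is on this server.
    if home == current:
        return ("deliver", person["mail_file"])

    # Scenario 2: different servers in a common NNN, transfer immediately.
    if SERVER_NNN[home] == SERVER_NNN[current]:
        return ("transfer", home)

    # Scenario 3: different NNNs, a Connection document is required.
    for source, destination in connections:
        if source == current and SERVER_NNN[destination] == SERVER_NNN[home]:
            return ("transfer", destination)

    raise NoRouteError(
        f"{current} has no Connection document into {SERVER_NNN[home]}"
    )


def route(origin, recipient, connections=CONNECTION_DOCS, max_hops=8):
    """Follow the message from MAIL.BOX to MAIL.BOX until it is delivered."""
    path = []
    current = origin
    for _ in range(max_hops):
        action, target = next_action(current, recipient, connections)
        path.append((action, target))
        if action == "deliver":
            return path
        current = target  # the message now sits in the next server's MAIL.BOX
    raise NoRouteError("hop limit reached without delivery")


if __name__ == "__main__":
    for step in route("MainServer", "Jessica/RO/SNT"):
        print(step)
```

Each server that appears in the path holds the message in its MAIL.BOX for a time, so the path also lists the servers whose access controls and journaling rules apply to that message.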
When a sender sends a message to a recipient, the sender must specify the domain name of the
recipient, such as Tony@xyz.com. Suppose your organization communicates with two domains,
DomainA and DomainB, and you have a physical connection only to DomainA. DomainA is
connected to DomainB. You can send messages to users in DomainB through DomainA. To send a
message to a user in DomainB, you must specify the user name, as in
user@DomainB@DomainA.
You can create a Domain document for DomainB specifying that all the messages to DomainB
should be routed through DomainA. This type of Domain document is called a Non-adjacent
Domain document. After you have created the Non-adjacent Domain document, you can send a
message to a user in DomainB by simply writing the user’s name, as in user@DomainB.
DomainA can create an Adjacent Domain document to restrict messages from your domain to
DomainB.
All these scenarios require you to do similar types of configurations. The configuration settings that
you need to perform in every scenario are:
Configuring inbound servers
Configuring outbound servers
Configuring relay hosts
To configure the Domino server as the inbound server that receives mail from the Internet, you
must enable the SMTP listener on the server. In addition, this server must be registered on the
Internet as the connecting server for your domain.
The Domino server that you enable to send SMTP mail must have a connection to the Internet.
You can connect the server directly to the Internet or enable it to transfer the outbound mail to
another server connected to the Internet. To enable a Domino server to send messages to the
Internet, you must enable the SMTP task on the server. In addition, you must enable the server to
send mail outside the local Internet domain.
To load the SMTP task on the server, use the following server console command:
LOAD SMTP
You can configure the servers to route mail to the Internet in the Configuration Settings document
on your server.
If one or more of the Domino servers in your domain can route SMTP mail to external domains, the
rest of the servers in the domain must route their SMTP mail to these outbound servers. You can
enable SMTP routing in all the servers in your domain and configure the SMTP outbound server as
a relay host for these servers. This routes all SMTP mail from the servers in your domain to the
outbound SMTP server.
To configure the internal Domino servers to route mail to the outbound SMTP server:
1. In the Domino Administrator client, select Configuration tab-> Server section->
Configurations view.
2. Click Add Configuration to create a new Configuration Settings document.
3. In the Basics tab of the Configuration Settings document, select the Use these
settings as the default settings for all servers option. This option creates a
Configuration Settings document that applies to all the servers in the domain
that do not have an explicit Configuration Settings document.
4. Click the Router/SMTP tab. In the SMTP used when sending messages outside
of the local internet domain field, choose Enabled. This option allows the servers
to which the Configuration Settings apply to send SMTP mail.
5. To relay the SMTP mail to the SMTP outbound server, specify the name of the
SMTP outbound server in the Relay host for messages leaving the local internet
domain field.
6. Save and close the document.
By performing the above procedure, you have configured all SMTP mail from all the servers in the
domain to be routed to the SMTP outbound server. This server then routes the SMTP mail to the
Internet.
The clients who access the Domino server using the Internet authenticate with the Domino server
using their names and Internet passwords. Domino assigns the Internet password to a user at the
time of registration and you can synchronize this password with the user’s Notes ID password. The
Internet password for a user is stored in the user’s Person document in the Domino directory.
To allow the Internet clients to access the mail on the Domino server, you must run the appropriate
service on the server. For example, to allow POP3 clients to access the Domino server, you must
enable the POP3 task. Similarly, to allow access to IMAP clients, you need to enable the IMAP
task.
All Internet-based clients interact with the Domino server using the TCP/IP port. You need to
enable the TCP/IP port for each service configured on the server. To configure the TCP/IP port for
a service:
1. In the Domino Administrator client, select Configuration tab-> Server section-> All
Server Documents view.
2. Open the document for the server on which you have enabled the TCP/IP-based
service and click the Edit Server action to edit the Server document.
3. To enable the TCP/IP port for the Internet-based mail services, select the Ports->
Internet Ports tab in the Server document and click the Mail tab, as shown in
Figure 4-18:
Figure 4-18: Enabling the TCP/IP Port for the Internet Mail Services
4. Leave the TCP/IP port number at its default. In the TCP/IP port status, select Enabled
for any service that you want to configure on the server.
5. Save and close the document.
You can configure the Domino server as a POP3 server. POP3 is an Internet mail access protocol
that allows clients based on POP3 to retrieve mail from a server that supports POP3. A POP3
client downloads mail from a POP3 server and stores it locally. To allow POP3 clients to send
mail, you must provide them access to an SMTP server. The SMTP server can be the same
Domino server that the clients access for POP3, a different Domino server set up as an SMTP
server, or a non-Domino SMTP server.
POP3 clients use the standard Domino mail file to access their mail from the server. This allows
registered Notes users to access their mail files from both a POP3 client and the Lotus client.
To enable POP3 service on the Domino server, you must start the POP3 task by issuing the
following server console command:
LOAD POP3
You can configure any POP3 client, such as Outlook Express, to connect to the Domino server and
download the mail for a specific user by providing the name and Internet password for the user.
You can configure Domino to provide mail access to IMAP clients. IMAP is an Internet-based mail
protocol that allows clients to read their mail on the server. To ensure that the IMAP clients can
also send mail, you must provide them access to an SMTP server. The SMTP server can be the
same Domino server that the clients access for IMAP, a different Domino server set up as an
SMTP server, or a non-Domino SMTP server.
As is the case with the other Internet-based protocols, the IMAP users authenticate with the server
using their names and Internet passwords.
To configure a Domino server for IMAP access, start the IMAP task on the server by issuing the
following server console command:
LOAD IMAP
To allow the IMAP clients to access their mail, you need to convert the standard Domino mail files to
an IMAP usable format. By default, Domino converts the mail files to IMAP format automatically
when the user logs on the first time. The option to automatically convert the mail file to IMAP
format when the user logs on is available in the Configuration Settings document of the server.
To view the option to automatically convert a Domino mail file to an IMAP format:
1. In the Domino Administrator client, select Configuration tab-> Server section->
Configurations view.
2. Open the Configuration Settings document for the server on which you have
enabled IMAP and click the IMAP tab, as shown in Figure 4-19:
Load the ROUTER task after you finish enabling mail files for IMAP on this server by issuing the
following server console command:
LOAD ROUTER
The server holds all the undeliverable mail in the MAIL.BOX. The Domino Administrator client
provides views to check the status of undeliverable mail held on the server.
Mail Trace
A mail trace traces the routing path from the current administrator’s mail server to a specific user’s
mail server. A mail trace does not send any mail to the specified user, but returns a mail trace
report back to the sender. To send a mail trace:
1. In the Domino Administrator client, select Messaging tab-> Mail tab.
2. In the Tools pane, select Messaging-> Send Mail Trace, as shown in Figure 4-20:
Domino sends a similar trace report from each server, if the routing path to the recipient contains
multiple servers. If any server cannot forward or deliver a trace message, you will not receive any
trace message from that server.
Message Tracking
Message tracking allows you to track the status of messages. You can track any message but
users can track only the messages they send.
The Mail Tracker Collector (MTC) task on the server tracks the mails on the server. The MTC task
collects and stores the mail tracking information in a Mail Tracker Store database, MTSTORE.NSF.
This database is created inside the MTDATA folder in the Domino DATA folder. When you track a
message, the MTC task retrieves the tracking information from the MTSTORE.NSF database.
You can also generate mail usage reports using the tracking information recorded in the
MTSTORE.NSF.
Figure 4-23: The Message Tracking Tab in the Configuration Settings Document
The Message Tracking tab contains the following options:
Message tracking: Tracks messages on the selected server if you select Enabled.
Don’t track messages for: A list of users whose messages you
do not want the MTC to track. This option considers names in
the From, SendTo, CopyTo or BlindCopyTo fields of the
message.
Log message subjects: Logs the subjects of messages, if you
select Yes.
Don’t log subjects for: A list of users whose message subjects
you do not want the MTC to track. This list applies to users
who are listed in the From field of the message.
Message tracking collection interval: The duration in minutes
after which the MTC logs the messages in the MTSTORE
database.
Allowed to track messages: A list of servers and users who
are allowed to track messages. If the tracking involves
multiple servers, you must include the server names in this
list.
Allowed to track subjects: A list of servers and users who are
allowed to track the subjects of messages. If the tracking
involves multiple servers, you must include the server names
in this list.
4. Select Enabled in the Message Tracking field, define the other fields, and click
Save & Close.
5. Restart the server to enable it to start message tracking.
Note You can also start the MTC task manually using the following server console
command:
LOAD MTC
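The Message Tracking fields interact in ways that affect what ends up in MTSTORE.NSF and who can read it. The following is an added example, not Domino code: it models the fields as the list above describes them, with constructed names and messages, and it treats every list as an explicit list of names without modelling what Domino does when a field is left blank.

```python
# Added illustration, not Domino code: a model of how the Message Tracking
# fields decide what is recorded and who may see it. All names, messages and
# settings values below are constructed sample data.

SETTINGS = {
    "message_tracking": "Enabled",
    "dont_track_for": {"Jessica/RO/SNT"},
    "log_subjects": "Yes",
    "dont_log_subjects_for": {"Arnold/HO/SNT"},
    "allowed_to_track": {"Admin/HO/SNT", "MainServer/HO/SNT"},
    "allowed_to_track_subjects": {"MainServer/HO/SNT"},
}

RECIPIENT_FIELDS = ("SendTo", "CopyTo", "BlindCopyTo")


def names_on(message):
    """Every name in the From, SendTo, CopyTo and BlindCopyTo fields."""
    names = {message["From"]}
    for field in RECIPIENT_FIELDS:
        names.update(message.get(field, []))
    return names


def tracking_record(message, settings=SETTINGS):
    """Return what the model stores for a message, or None if it is not tracked."""
    if settings["message_tracking"] != "Enabled":
        return None
    # "Don't track messages for" looks at the sender and all recipient fields.
    if names_on(message) & settings["dont_track_for"]:
        return None
    # "Don't log subjects for" applies to the From field only.
    keep_subject = (
        settings["log_subjects"] == "Yes"
        and message["From"] not in settings["dont_log_subjects_for"]
    )
    return {
        "From": message["From"],
        "SendTo": list(message.get("SendTo", [])),
        "Subject": message["Subject"] if keep_subject else None,
    }


def track(requester, record, settings=SETTINGS):
    """Return the view of a stored record that `requester` is allowed to see."""
    if requester not in settings["allowed_to_track"]:
        raise PermissionError(f"{requester} is not allowed to track messages")
    visible = dict(record)
    if requester not in settings["allowed_to_track_subjects"]:
        visible["Subject"] = None
    return visible


# Constructed sample messages.
MSG_TRACKED = {"From": "Tanya Rogers/HO/SNT", "SendTo": ["Arnold/HO/SNT"],
               "Subject": "Budget review"}
MSG_NO_SUBJECT = {"From": "Arnold/HO/SNT", "SendTo": ["Tanya Rogers/HO/SNT"],
                  "Subject": "Re: Budget review"}
MSG_EXCLUDED = {"From": "Tanya Rogers/HO/SNT", "SendTo": ["Arnold/HO/SNT"],
                "BlindCopyTo": ["Jessica/RO/SNT"], "Subject": "Budget review"}

if __name__ == "__main__":
    for msg in (MSG_TRACKED, MSG_NO_SUBJECT, MSG_EXCLUDED):
        print(tracking_record(msg))
```

In this model a single excluded name in BlindCopyTo removes the whole message from tracking, while the subject exclusion depends only on the sender.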
The mail usage reports are created in the Reports database REPORTS.NSF, which is created
automatically on the server. A report can be a scheduled report or a one-time report. A scheduled
report can run daily, weekly or monthly.
The messages that are not delivered by the ROUTER are held in the MAIL.BOX as pending
messages or dead messages.
The MAIL.BOX holds a pending message because the destination server is not available. The
pending message is delivered when the destination server becomes available. If the ROUTER
cannot deliver a message to a user, it sends a delivery failure report to the sender. A dead
message is an undeliverable message for which the ROUTER cannot send the delivery failure
report to the sender because of an error with the sender’s address. The ROUTER stores these
dead messages in the MAIL.BOX.
To check the messages held in the MAIL.BOX on your server, in the Domino Administrator client,
select Messaging tab-> Mail tab-> <yourservername> Mailbox (mail.box) view, as shown in Figure
4-32:
You can release the messages on the server, by selecting the message and clicking the Release
action. The Release action provides five options:
Resend all dead messages to originally intended recipient
Resend selected dead messages to originally intended recipient
Return Non Delivery Report to sender of selected dead messages
Resend selected held messages
Resend selected held messages for a final time
The Domino Administrator client also allows you to check the status of dead and pending
messages on the server using the Mail Routing status view. This view is available in the Mail tab
on the Messaging tab of the Domino Administrator client, as shown in Figure 4-33:
Figure 4-33: The Mail Routing Status View in the Domino Administrator Client
Mail Rules
Mail rules allow you to take action on the messages deposited in the MAIL.BOX based
on the content of the message. You can create rules to control spam mail on the Domino
server or monitor the messages passing through your mail server.
Figure 4-34: The Configuration Settings Document Showing the Rules Tab
4. To create a new rule, click the New Rule action. The Server Mail Rule – New
Rule dialog box appears, as shown in Figure 4-35:
Figure 4-35: The Server Mail Rule – New Rule Dialog Box
5. In the Specify Conditions section, select Create Condition to define the
condition that the documents must satisfy to be considered in the rule. You
can also select Create Exception if you want the documents that satisfy the
condition to be ignored.
6. Build the condition using the options provided. For example, in the first box,
select size (in bytes). In the next box, select an operator, such as is greater
than, and in the last box specify a value, such as 2000000. Click Add to add
the condition to the conditions list.
Note To add multiple conditions, first select the logical operator, such as AND or OR,
and then build a second condition.
7. In the Specify Actions section, select the action that you want taken on the
messages that meet the condition you specified. You can select one from the
following actions:
8. Click Add Action to add the action to the list. You can also add multiple
actions.
9. Click OK to save and close the rule.
10. Click the Save & Close action to save and close the Configuration Settings
document.
Mail Journaling
Mail journaling allows you to maintain a copy of the messages sent through the server.
By default, Domino does not maintain any copy of the message routed through the
server. By enabling journaling, you can either journal all the messages coming to the
server or only those messages that satisfy a condition.
For mail journaling to work, you must enable a mail rule with Journal the message as the
action.
Figure 4-37: A Mail Rule to Journal all the Messages on the Server
3. Click OK to save and close the rule. Save and close the Configuration
Settings document.
Restart the server for the configuration settings to take effect.
Using their personal calendars, end users can schedule meetings and the resources required for
the meeting by looking up the free times of other users and the availability of rooms and resources.
The Domino server processes the Calendaring and Scheduling requests with the help of some
server tasks and databases. These server tasks and databases constitute the Free Time system
on the server.
This chapter explains the Free Time system that processes the Calendaring and Scheduling
requests on Domino. It also explains how to set up a resource and reservation database. In
addition, it explains how to create and import holidays into the calendars.
When users schedule a meeting and look up the availability of other users and resources, the Free
Time system on the Domino server provides them with this information.
When users update their personal calendars to add appointments or other entries, the Free Time
system updates the information at its end in the Free Time database.
If you want to provide the users on your server with the Calendaring and Scheduling services, you
must run the CALCONN and the SCHED tasks on the server. You can choose to start the
CALCONN and SCHED tasks automatically by selecting them at the time of configuring a server or
add them later to the SERVERTASKS = entry in the NOTES.INI.
The Free Time database is created automatically on the server when the SCHED task runs for the
first time. This database contains an entry for every user who has a mail file on the concerned
server and has updated the calendar profile.
Tip You can update a calendar profile by opening the calendar and selecting
Action-> Tools-> Preferences from the menu. You can specify the days of the
week, the times at which you are available, and the users who can view your
free time.
When an end user schedules a meeting and looks up the free time for the list of invitees selected,
the Free Time system searches and returns their availability. If the end users are in the same
domain and have the same mail server, the Free Time system finds the information in the Free
Time database on the originator’s mail server.
Note The server that provides information about a user’s calendar is called the user’s
calendar server.
If the mail server is different, the CALCONN task sends a query to the other user’s mail server. The
Free Time system on the other server finds the information and sends it back using the CALCONN
task. In this way, an end user obtains information about the availability of other end users.
By default, Domino does not allow end users to access free time data from other domains. An end
user who wants to schedule a meeting with an invitee from another domain may look up the
availability of the invitee and receive an error message that the information is not available. To
ensure that users can look up the free times of users from other domains, you must create Domain
documents. A Domain document defines an external domain with which the server in your local
Notes domain communicates.
You can create the following Domain documents to access the calendar information:
Adjacent: Create this Domain document if your domain communicates with the
other domain directly. In the Adjacent Domain document, you can specify the name
of the calendar server in the adjacent domain.
Non-adjacent: Create this Domain document if your domain communicates with the
other domain through an intermediate adjacent domain. In the Non-Adjacent
Domain document, you can specify the calendar server in the adjacent domain
through which free time requests to the non-adjacent domains should be routed.
Foreign: Create this Domain Document if users use IBM OfficeVision or Lotus
Organizer to manage their schedules. In the Foreign Domain document, you
specify the calendar system being used by the target users and the server that
maintains their scheduling information.
Figure 5-3: The Calendar Information Tab of the Adjacent Domain Document
5. Provide the required information in the Calendar Information tab. The
information you provide should be based on the Domain type you selected in the
Basics tab.
Table 5-1 describes the information you should specify for the domain types in the fields
provided in the Calendar Information tab:
Table 5-1: Information Required in the Calendar Information Tab
When a user sends free time query information to another domain, Domino Server 6.0 checks the
calendar server name specified in the domain document and the Free Time system sends a query
to the specified server. The Free Time system on the target server finds the availability of the user
and passes the required information to the server that originated the request.
The Schedule Manager (SCHED) is a task that runs on the server. When users schedule
appointments in the calendars or book the resources, SCHED updates the Free Time database
and maintains the correct information in this database.
You can issue commands to the SCHED task using the Domino server console. Some of the
commands that can be executed on the SCHED task are:
TELL SCHED STATS: Shows the total appointments for each user and the total
reservations for each resource in the Free Time database. It also shows the
consolidated number of appointments for all users and the consolidated number of
reservations for all the resources.
TELL SCHED SHOW <Username>: Shows the schedule for the specified user on
the server console. The administrator can view all the entries in the user’s
calendar.
TELL SCHED VALIDATE [<Username>]: Validates the Free Time database by
removing the old information and adding the new free time information. Optionally,
you can specify a user name to validate the free time information for a single user.
The validation of the Free Time database takes place by default at 2:00 A.M.
TELL SCHED QUIT: Stops the SCHED task on the server.
The Resource Reservation database is based on the Resource Reservations (6) template
(RESRC60.NTF) and contains three types of documents:
Site: Defines the locations where the resources are present.
Resource: Defines information about a resource, such as its name, the site where it is
located, and its availability.
Reservation: Defines the date and time for which a resource is reserved.
The administrator creates the Site and Resource documents and end users make the
reservations.
Figure 5-4: The New Database Dialog Box for a Resource Reservation Database
The values accepted by the fields in the New Database dialog box are:
2. Open the Access Control List (ACL) of the newly created database. Figure 5-5
shows the Access Control List to: Resources Reservation dialog box:
Figure 5-5: The Access Control List to: Resources Reservation Dialog Box
3. Click your name in the ACL and from the list of Roles on the lower right, select the
[CreateResource] role to assign it to yourself, as shown in Figure 5-5. This role
allows you to create the site and the resource documents.
Note The user who creates a database is automatically added to the ACL.
The Resource Reservation database contains several views, as shown in Figure 5-6:
After configuring the Resource Reservations database, you can now use this database to create
the Site and Resource documents.
You use the Site Profile documents to define sites in the Resource Reservation database. Sites
are locations where the resources exist. A database must contain at least one Site Profile
document before you can add resources to it.
Note You must assign yourself Manager access with the [CreateResource] role in
the Resource Reservation database to add the Site Profiles.
You use resource documents to define resources at a specific site. You can create three types of
resources:
Rooms: Users reserve rooms for meetings based on the number of invitees. Each
room must have a seating capacity.
Online Meeting Place: Used to conduct online meetings using Sametime 3.0
running with Domino 6.0.
Other: These include resources such as laptops, LCD projectors, or any other
resource that is not a room or an online meeting place. These are reserved along
with the rooms for the meetings.
The resource is added to the Resource Reservation database and then it gets added to the
Domino directory after a few seconds.
Deleting a Resource
If a resource no longer exists, you may be required to delete it. When you delete a resource from
the Resource Reservation database, you must also delete it from the Domino directory. You can do
this through an Approve Resource Deletion request in the Administration Requests database.
The AdminP request for deletion of resource needs to be approved by the administrator.
The Delete Resource request is carried out in a few seconds and the resource is deleted from the
Domino directory.
Editing a Resource
You can also modify a resource in a database. For example, the owner of the resource leaves the
organization and you need to assign a different owner for the resource. In this situation, you can
edit the resource in the Resource Reservation database. You can modify the following options for a
resource:
Availability Settings
Capacity
Description
Online Resource data
Other Comments and Ownership settings
For changing any other options, such as the name of the resource or the site to which it belongs,
you must delete the resource and recreate it.
The AdminP updates the modified resource options in the Domino directory and all its replicas. The
Administration Request generated is Modify Room/Resource in Domino Directory.
To edit a resource:
1. Open the Resource Reservation database.
2. Click the Resources view to see a list of resources in the database.
3. Open the Resource document that you want to edit and click the Edit Resource
button to go to the edit mode.
Note You must have the [CreateResource] role in the database ACL to edit the
resource.
4. Change any of the modifiable fields, such as the Capacity or the Availability
Settings in the document.
5. Click Save & Close to save the changes. A message box indicating that an
AdminP request has been submitted for the modification of the resource
appears, as shown in Figure 5-14:
The request is carried out automatically in a few hours and propagated to other servers when
replication of the Administration requests database and the Domino directory takes place. To force
the request to be carried out immediately, execute the following command at the server console:
TELL ADMINP PROCESS INTERVAL
Holiday Documents
Holiday documents define holidays that can be imported by users into their personal calendars.
The Holiday documents provide a way of centrally defining and controlling the scheduled holidays
in your organization.
The Holiday documents are categorized by a group name. Some of the default holiday groups
available in the Domino directory are Japan, Belgium, Brazil, and France. Each group contains
Holiday documents defining the local holidays for the respective country.
You can add more holidays to these existing groups or you can create a new group defining
holidays for your organization.
End users can import the holidays defined by the administrator into their personal calendars and
update their calendars to mark the holidays. The holidays are marked as anniversaries in the
calendars.
Figure 5-20: The Message Box Showing the Successful Import of Holidays
The import procedure updates the end user’s calendar with the holidays in the group.
Chapter 6: Configuring Domino Directories
A Domino directory, NAMES.NSF, is a database that describes a Domino domain. All the servers
and users sharing a Domino directory belong to the same Domino domain. A Domino directory
contains all the important configuration documents, such as the Connection, Server, and Person
documents for the domain. The information in the directory helps you to manage the domain. The
Domino directory also contains information required by the users to send mail to each other.
Domino R6 supports a Central Directory architecture in which some servers in the domain host full
Domino directories and the other servers host directories that contain only the configuration
documents.
Organizations often maintain multiple Domino directories to store information about external users
who are not listed in the organization’s Domino directory. The directories that store information
about these users are called secondary Domino directories.
This chapter explains how to manage the Domino directories on various servers in a domain. It
also explains the Central Directory architecture of Domino. In addition, the chapter explains how to
manage multiple Domino directories on a single server and describes the configuration of the
Lightweight Directory Access Protocol (LDAP).
When you configure the first server in a domain, the Domino directory gets created automatically.
You can also create the directory manually using the Domino Directory template,
PUBNAMES.NTF.
The servers in a domain can contain a central domino directory or a configuration directory that
contains only the configuration documents. The servers containing the configuration directory
connect to servers that store the complete information in order to handle any user-related queries.
The servers can replicate with each other to switch from one type of directory to another.
To secure the Domino directory you use the Access Control List (ACL). The ACL defines the
access each user has to the directory. The Domino directory in Domino R6 has an additional
security feature, an extended ACL.
The central domino directory architecture enables you to configure central directories on some of
the servers in your Domain and configure configuration directories on the rest of the servers. The
servers with the configuration directories use a remote Central Directory located on another server
to look up names of users and groups.
A configuration directory contains the documents used to configure the servers, such as the server,
configuration, and connection documents. The configuration directory does not include
documents, such as Person, Group, Mail-in database, Resource, and other custom documents. In
contrast, a central domino directory is a full directory that contains all types of documents.
The configuration directories are smaller than the central directories because they do not contain
Person- and Group-related information. This saves disk space on the servers and makes access to
directories faster. Because the user and group information is located only on selective servers, you
can better manage and control the users.
You choose whether to set up a Configuration Directory on an additional server when you configure
that server.
Note To learn more about selecting a Configuration Directory at the time of
configuring additional servers, see Chapter 2, Installing and
Configuring Domino Servers.
You can convert a Central Directory to a Configuration Directory and vice versa by selectively
replicating the Central Directory with any other Central Directory in the domain. To convert a
Central Directory to a configuration directory:
1. In the Domino Administrator client, click File -> Open Server to select the server
whose Central Directory you want to convert to configuration directory.
2. Click the Files tab. Select names.nsf from the files displayed in the Results
pane, as shown in Figure 6-1:
Figure 6-1: Selecting the Domino Directory from the Files Tab
3. Select File -> Replication -> Settings menu option. In the Replication Settings for
<database name> dialog box that appears, click the Space Savers tab, as
shown in Figure 6-2:
The selected Central Directory is converted to a configuration directory when you replicate it with
the Domino directory on another server.
To convert a configuration directory to a Central Directory, select All Fields in the Include List in the
Space Savers tab of the Replication Settings. The configuration directory is converted to a Central
directory when it replicates with another central domino directory.
Note To learn more about replication, see Chapter 7, Managing Replication.
To configure the Domino directory profile, you can open the Domino directory profile manually.
Cascading Directories enable you to configure multiple Domino directories using the NOTES.INI
file. It is one of the most basic methods of configuring multiple directories on a server. To set up
cascading directories on a server, edit the Server's NOTES.INI file using any text editor and add
the following entry:
NAMES=NAMES, ABOOK2, ABOOK3
In the above syntax, ABOOK2 and ABOOK3 are the names of the secondary directories copied
locally to the server.
Warning Do not write the extension of a directory.
If the secondary directory is located on a remote server, add the server name to the directory name
in the following format:
NAMES=NAMES, CN=SERVER2/OU=SALES/O=CAL!!NAMES
In the above syntax, the secondary directory is located on the server with the hierarchical name
server2/sales/CAL.
The server uses the secondary Domino directory to verify the names of recipients in messages
sent by users. This method has certain disadvantages:
The server searches the directories in the order in which they have been specified
in the NAMES entry. This increases the time taken by the ROUTER to verify a user
to whom a mail is sent. For example, if a user name exists in the directory
specified at the third position in the NOTES.INI, the ROUTER searches the name
in the first and the second directories before searching the third directory.
The server does not look up other types of configuration documents, such as the
Connection documents in additional directories. They need to be added to the
primary Domino directory.
The server stops as soon as the first match is found. It does not do an exhaustive
lookup in all directories.
The maximum number of characters allowed in the NAMES entry in NOTES.INI is 256.
To set up Cascading Directories, add the NAMES entry to the server’s NOTES.INI and restart the
server.
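The constraints and the first-match search order described above can be checked before the server is restarted. The following Python sketch is an added example, not code from the book or from Domino; the function names, finding codes, and sample directory contents are assumptions, as is measuring the 256-character limit on the value after the equals sign.

```python
import re

MAX_NAMES_LEN = 256  # limit stated in the text; assumed to apply to the value after '='


def parse_names_entry(line):
    """Return the directories of a NAMES= line in the order the server searches them."""
    key, sep, value = line.partition("=")
    if not sep or key.strip().upper() != "NAMES":
        raise ValueError("not a NAMES entry: %r" % line)
    dirs = []
    for raw in value.split(","):
        item = raw.strip()
        if not item:
            continue
        # 'server!!database' marks a directory that lives on a remote server
        server, _, database = item.rpartition("!!")
        dirs.append({"position": len(dirs) + 1, "label": item.upper(),
                     "server": server or None, "database": database})
    return dirs


def audit_names_entry(line):
    """Return (code, position) findings for the constraints listed in the text."""
    findings = []
    value = line.partition("=")[2].strip()
    if len(value) > MAX_NAMES_LEN:
        findings.append(("too-long", 0))
    seen = set()
    for d in parse_names_entry(line):
        if re.search(r"\.(nsf|ntf)$", d["database"], re.IGNORECASE):
            findings.append(("extension", d["position"]))  # extensions must be omitted
        if d["server"]:
            findings.append(("remote", d["position"]))     # lookup depends on another server
        if d["label"] in seen:
            findings.append(("duplicate", d["position"]))
        seen.add(d["label"])
    return findings


def resolve(name, dirs, contents):
    """Simulate the lookup: search in listed order and stop at the first match.

    contents maps a directory label to the set of names it holds. The result
    also lists later directories that hold the same name but are never reached.
    """
    wanted = name.lower()
    searched = []
    for i, d in enumerate(dirs):
        searched.append(d["label"])
        if wanted in contents.get(d["label"], set()):
            shadowed = [o["label"] for o in dirs[i + 1:]
                        if wanted in contents.get(o["label"], set())]
            return {"found_in": d["label"], "searched": searched, "shadowed": shadowed}
    return {"found_in": None, "searched": searched, "shadowed": []}


# Constructed sample data (not taken from a real server)
SAMPLE_ENTRY = "NAMES=NAMES, ABOOK2, CN=SERVER2/OU=SALES/O=CAL!!NAMES, ABOOK3.NSF"
SAMPLE_CONTENTS = {
    "NAMES": {"alice/cal"},
    "ABOOK2": {"bob/partner"},
    "CN=SERVER2/OU=SALES/O=CAL!!NAMES": {"bob/partner", "carol/sales/cal"},
}

if __name__ == "__main__":
    print(audit_names_entry(SAMPLE_ENTRY))
    print(resolve("bob/partner", parse_names_entry(SAMPLE_ENTRY), SAMPLE_CONTENTS))
```

A non-empty shadowed list means the same name exists in a directory the server never consults, so the entry in the earlier directory is the one used to verify the recipient.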
The Directory Assistance feature allows a server to look up multiple directories located at multiple
locations. The server can look up these directories for client authentication, mail addressing, and
group lookups.
You configure Directory Assistance using the Directory Assistance database. You need to create
this database on the server using the Directory Assistance (6) template (DA50.NTF).
In the Directory Assistance database, you create Directory Assistance documents for each
secondary directory that you want to set up. This document allows you to specify up to five replicas
for the specified Domino directory. If any directory is unavailable, the server can use any of the
other replicas.
The document also allows you to specify rules for searching a Domino directory, based on the
hierarchical names of the users in the specified directory. This speeds up the searches because a
directory is searched for a name only if the user name matches with the naming rules specified in
the Directory Assistance document for the directory.
For names that qualify for more than one directory, you can specify a directory-wise search order.
Figure 6-8: The Naming Contexts (Rules) Tab of the Directory Assistance Document
You can specify up to five naming rules. Each naming rule can contain up to six
components. Four components represent four organization units, one component is the
organization name, and one is the country code. An asterisk for any component
includes all entries for that level and a blank excludes all entries at the level. For
example, CAL at the organization level and asterisk at all other levels includes all users
having CAL as the organization in their hierarchical name and any component at the
other levels.
4. Specify one or more naming rules for the selected Domino directory. If you want
the server to authenticate Internet users, you must configure at least one naming
rule with the option Trusted for Credentials selected as Yes.
5. Click the Replicas tab to specify the location of the Domino directory for the
domain. You use the Replicas tab to specify up to five replicas located at various
servers as a fail-over for the selected Domino directory. If one of the replicas is
unavailable, the server using directory assistance can look up another replica.
Figure 6-9 shows the Replicas tab of the Directory Assistance document:
A directory catalog is an optional database that you can configure on a Domino server to allow the
clients and servers to look up information about people, groups, mail-in databases, and resources
in multiple directories. The directory catalog contains multiple directory information aggregated into
a single database. It contains only the documents required for name lookups and excludes the
server configuration documents. This leads to an extremely small size of the catalog database and
helps deploy information from multiple Domino directories locally on Lotus Notes clients.
To deploy the directory catalog on the server, you can choose one of the following options:
In the Condensed server directory catalog for the domain field in the Domino
directory profile, specify the name of the directory catalog database.
In the server document of the server on which you want to set up directory
catalog, specify the name of the directory catalog database in the field labeled
Name of condensed directory catalog on this server.
To deploy the directory catalog on the clients, you can use one of the following methods:
Create a Setup Policy Settings document: In the Mobile directory catalogs field
on the Databases tab, paste a link to the directory catalog database. The
condensed directory catalog gets replicated to the local client computer when
the user to whom the Policy has been assigned is set up.
Create a Desktop Policy Settings document: In the Mobile directory catalogs
field on the Databases tab, paste a link to the directory catalog database. The
condensed directory catalog gets replicated to the local client computer when
the user authenticates with the user’s home server.
Creating an Extended Directory Catalog
An extended directory catalog is based on the Domino Directory template. You can configure a
new database to set the extended directory catalog. You can also merge the extended directory
catalog with the primary Domino directory. This allows the users and servers to use a single
integrated corporate directory for all lookups.
If you have set up the extended directory catalog in the primary Domino directory, the catalog is
directly accessible. To set up the Domino server to use the extended directory catalog created as a
different database, you must add a directory assistance document for the extended directory
catalog to the Directory Assistance database on the server.
Figure 6-15: The Advanced Tab of the Extended Directory Catalog Document
The Advanced tab of the Extended Directory Catalog Document contains the following
options:
Version: The version of the Directory Catalog template.
Domino calculates this on its own.
Selection Formula: Allows you to specify a formula to select
the documents in the Directory Catalog. This field is optional.
Replication history: Shows the last time the directory catalog
was updated from the directories included. Click the Clear
History button to force the aggregator to re-aggregate
documents from all the directories.
4. Fill in the fields and click Save & Close to save the configuration document.
5. To populate the extended directory catalog, run the following command on the
server console:
LOAD DIRCAT <CATALOG DATABASE NAME>
Open the extended directory catalog database. The various views show the documents populated
from the Domino directories included in the catalog. Optionally, replicate the extended directory
catalog database to other servers.
Note If you have set up the extended directory catalog in the primary Domino
directory, you can separate the extended directory catalog from the primary
Domino directory at a later stage, without affecting the original documents in
the directory. To separate the extended directory catalog from the Domino
directory, you must delete the Extended Directory Catalog document from
the primary Domino directory and run the directory cataloger on the
database with the –r option.
When you run the LDAP task on the server, the Domino server becomes an LDAP server
and the Domino directory becomes accessible to non-Notes clients. The LDAP task runs
automatically on the administration server for the Domino directory. For other servers,
you can manually load the LDAP task or add it to the NOTES.INI ServerTasks = entry for
automatic startup.
When the LDAP task starts, it runs with certain default settings. You can modify these
default settings using the Configuration Settings document.
You can now set up any Internet client, such as Microsoft Outlook Express, to access the
Domino directory. The information that will be required during the configuration of the
LDAP client is the Host name of the Domino LDAP server. In addition, if the server does
not allow anonymous queries, the Name and Password will also be required for you to
log on to the Domino server.
You must replicate the databases at regular intervals to ensure that the information in these
databases synchronizes. Each copy of a database that you synchronize with the original database
is called a replica. The various replicas of a database share a unique ID called the ReplicaID that
distinguishes a replica from the new copy of database. When you create a copy of a database
using the New copy option from the menu, the database has a different ReplicaID from the original
database.
You can deploy large or heavily used databases locally at different geographical locations by
creating a replica of a database. By doing this, you can ensure that the users always have fast
access to the database. When the users add, delete, or modify the content of the database, the
databases are replicated to synchronize these changes.
This chapter explains the process of server-to-server replication. It also describes the types and
methods of replication. In addition, it explains how to schedule and troubleshoot replication.
The server carries out the replication using a task called REPLICATOR. The REPLICATOR task
runs by default on every server. For servers with a heavy replication load, you can load multiple
replicators by issuing the server console command:
LOAD REPLICATOR
To load multiple replicators, you can also add the following entry in the NOTES.INI file:
REPLICATORS= <n>
To replicate databases:
1. The initiating and the target servers first authenticate with each other by finding a
common certificate and testing the validity of the certificates.
Note To learn more about the process of authentication, see Chapter 10, Domino
Security.
2. If the servers successfully authenticate with each other, the REPLICATOR task on
the initiating server constructs a list of local databases to replicate, called the
replica ID cache. The REPLICATOR of the initiating server compares its replica ID
cache with the replica ID cache on the target server to find a match.
You can view the ReplicaID of a database on the Info tab of the Database dialog box, as
shown in Figure 7-1:
Types of Replications
A server-to-server replication may take place in one direction, where the calling server sends the
changes in its replica to the replica on the target server. The calling server may also initiate
replication to receive the changes from the target server’s replica. The replication may also be
bidirectional, where both the calling and the target server exchange the changes in their replicas.
Further, the replication process may involve the REPLICATOR task of one of the servers or the
REPLICATOR task on both the calling and the target servers.
When you create a new replica manually, the creation takes place in the foreground and you need
to wait until the replica is completed to do any other activity. When you use the AdminP task to
create a replica, the creation takes place in the background. AdminP enables you to create replicas
of multiple databases on multiple servers in a single action.
You can manually create the replica of a database by using the New Replica menu option.
To create a replica on a destination server, you must have a Create Replica access on the
destination server. You must also have at least a Reader access in the source database ACL.
Note To learn more about granting access on the server, see Chapter 10, Domino
Security.
Figure 7-3: The Create Replica For Database IT Services Dialog Box
4. Select the name of the destination server in the Server field and specify the path
and name of the destination database in the File path field.
Note You can either specify the full path starting from the drive or specify a path
relative to the data folder on the server. For example, to create a replica in the
applications folder on the server, specify the file path as applications\IT
Services.nsf.
5. Click Replica Settings to view more options related to the replication, as shown
in Figure 7-4:
Figure 7-4: Replica Settings in the Create Replica For Database IT Services Dialog Box
The options available in Replica Settings are:
Encrypt the replica using: Encrypts the destination replica for a
user or a server.
Create full text index for searching: Creates a full text index for
the destination replica to enhance searching.
Copy Access Control List: Copies the ACL of the source
database to the destination replica.
Create Immediately: Forces the replication of the databases to
happen immediately. If you clear this option, replication takes
place at the next schedule.
More Settings: Shows the replication settings for the replica
database.
6. Click OK to close the dialog box and create a replica of the database.
The AdminP task enables you to automatically create replicas of multiple databases on multiple
servers using a single request. In this process, the user generates a request for creation of the
replicas. The replica creation happens in the background. You can even create replicas on servers
in a different Domino domain.
To create a replica of a database on a server using the AdminP task, the source and the
destination servers have the following access requirements:
The source server must have Create Replica access in the server documents of all
the destination servers. The server name must be explicitly listed in the Create
Replica access field of the server document. The AdminP request to create a new
replica on the destination server fails if you have used a wild card (*).
The destination servers and the user creating the replica must have at least a
Reader access in the ACLs of the source databases.
Ensure that both the source and the destination databases are running the AdminP task. In
addition, ensure that you have created Connection documents for replication between the source
and the destination databases. You create Connection documents to schedule server-to-server
replication.
Figure 7-6: The Files Tab Showing the Create Replica (s) Tool
Tip You can drag the selected databases to the Create Replica(s) tool.
The Create Replica dialog box appears, as shown in Figure 7-7:
Domino creates a Check Access for New Replica Creation administration request to check the
replica creation access of the initiating server on the destination server and executes the request
immediately. If this request is successful, Domino creates a Create Replica request and executes it
to create a replica of the databases on the destination servers. This replica is empty and Domino
populates the replica during the next scheduled replication.
Methods of Replication
After you have created the replica of a database on a server, you can replicate these on the source
and the target servers according to your requirement. For some databases, you might want a one-
time replica and may not want to synchronize them. For example, you may create a replica to back
up a database. You would want to use the replica only if the server database is corrupted. For the
rest of the databases, replication can be an ongoing process. This ensures that the replicas are
always synchronized.
You can replicate the databases manually using the menu option in the Lotus Notes client or by
issuing commands in the server console. You can also automate replication of databases by
scheduling replication using the Connection documents.
Using the File-> Replication-> Replicate menu option, you can replicate a database with another
replica residing on another server or the local server.
You can also use Domino Console commands to perform replication of databases. There are three
commands that you can use to replicate databases between two servers. One of these commands
is:
PULL <Server> [<Database>]
Server is the name of the destination server and database is the name of the database on the
source server that you want to replicate. You can omit the database, in which case the source
server replicates all the databases that have a replica on the destination server.
This command receives the changes in the replica of the database on the destination server and
updates them into the replica on the source server.
The above command sends the changes in the replica on the source server and updates them into
the replica on the destination server.
In addition, use the following command to replicate databases between two servers:
REPLICATE <Server> [<Database>]
Using the above command, you can perform a two-way replication. First, the source server pulls
the changes into its local replica from the destination server. Then, it pushes the changes in the
local replica to the replica on the destination server.
You can schedule replication between servers to automatically replicate databases between two
servers. To schedule the replication between any two servers, you require a Connection document.
Unlike mail routing, Connection documents for replication are required only if you want to schedule
replication to happen automatically. In this situation, you must create the Connection documents
even if the two servers are in the same Domino Named Network.
Note You must schedule replication between all the servers in the domain for all
the important databases, such as the Domino Directory and the
Administration Requests database.
To create and view the topology maps in the Domino administrator client:
1. Load the MAPS task by issuing the following command on the server console:
LOAD MAPS
2. The MAPS task starts. Select the Replication tab of the Domino Administrator
client and click Replication Topology-> By Connections view. The topology map
showing the various Connection documents between the servers appears, as
shown in Figure 7-15:
You can create Connection documents between the servers in your domain based on
one of the following topologies:
End-to-End: You create Connection documents such that replication takes place
from one server to another in a chain. For example, if you have five servers,
Server1 to Server 5, you will create Connection documents between:
The Hub and Spoke topology is the most effective and efficient topology for large
organizations. In this topology, one central server is set up as the hub server. This server
replicates with all other servers called the spokes. The spoke servers update the hub
server, which in turn updates the spoke servers. For still larger organizations, multiple
hub servers can be set up and replication is set up between these hub servers.
This type of topology helps in centralized administration of the Domino directory because
you can give manager access to the hub server in Domino directories on all the spoke
servers and a Reader access to the spoke servers on the replica on the hub. This
ensures that the hub server can push changes to the spoke servers but the spoke
servers cannot push any changes to the hub server. The Hub and Spoke topology also
minimizes the network traffic and makes managing replication easier because in case a
scheduled replication on any server does not happen successfully, you need to check a
single Connection document.
Figure 7-16 shows a sample Hub and Spoke replication topology:
Troubleshooting Replication
Replication may sometimes not function properly, such as when you find that a replica does not
contain all the documents that it should. You may also find that the replicas are of different sizes or
the deleted documents keep coming back to your database. To handle these problems, you need
to troubleshoot replication.
Some of the common troubleshooting activities that you can perform on a server are:
Check the access of the servers on the destination servers and target databases.
Check the replication settings of the database.
Check the replication history of the database.
Troubleshoot replication and save conflicts.
Troubleshoot document deletions.
The replication may fail if appropriate access has not been assigned to servers and users.
To create a new replica on the server, a user should have the Create Replica access in the server
document. By default, no one has the access to create replicas on the server. If you are creating a
replica using the AdminP task, you must include the server name in the Create Replica access list
of the server.
Each database must provide appropriate access to the servers for server-to-server replication to
take place smoothly. You must give the server an access that is higher than any user-level access
on the database. For example, if users have a Designer access to the database, they will be able
to change the design. To replicate the design changes, you must assign the server at least a
Designer access to the database. To enable servers to replicate the database ACL, you must
assign them a manager access.
If a server is only required to pull the changes from a replica, you need to give it only a Reader
access on the source database. If the documents in a database contain a Readers type of field,
you must ensure that the server name is included in the field. Otherwise, the server will not be able
to replicate documents where the server is not a reader for the document.
Note To learn more about ACL, server access list, and Readers field, see Chapter
10, Domino Security.
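The access rules above, together with the Hub and Spoke arrangement described earlier, can be expressed as an ACL audit. The following Python sketch is an added example, not code from the book or from Domino; the function names, finding codes, and sample ACLs are assumptions, the level names are the standard Notes ACL levels, and Readers fields are simplified to explicit name lists with no groups or roles.

```python
LEVELS = ["No Access", "Depositor", "Reader", "Author", "Editor", "Designer", "Manager"]
RANK = {name: i for i, name in enumerate(LEVELS)}


def audit_server_access(acl, server, pull_only=False, replicates_acl=False,
                        readers_fields=None):
    """Check one server's entry in one replica's ACL against the rules above.

    acl maps an entry name to (level, kind), kind being 'server' or 'user'.
    readers_fields maps a document ID to the names in its Readers field.
    Returns a list of (code, detail) findings; an empty list means no issue.
    """
    findings = []
    level = acl.get(server, ("No Access", "server"))[0]
    rank = RANK[level]
    if pull_only:
        # A server that only pulls needs Reader on the source and nothing more.
        if rank < RANK["Reader"]:
            findings.append(("cannot-pull", "%s has %s, needs Reader" % (server, level)))
        elif rank > RANK["Reader"]:
            findings.append(("excess-access", "%s has %s, Reader is enough" % (server, level)))
    else:
        # The server must be able to carry the changes of the most privileged user.
        user_ranks = [RANK[lvl] for lvl, kind in acl.values() if kind == "user"]
        top_user = max(user_ranks, default=RANK["No Access"])
        if rank < top_user:
            findings.append(("below-users", "%s has %s but a user has %s"
                             % (server, level, LEVELS[top_user])))
        if replicates_acl and level != "Manager":
            findings.append(("acl-not-replicated", "%s has %s, needs Manager" % (server, level)))
    for doc_id, readers in sorted((readers_fields or {}).items()):
        if server not in readers:
            findings.append(("hidden-by-readers-field", doc_id))
    return findings


def audit_hub_spoke(hub, hub_acl, spoke_acls):
    """Hub needs Manager on every spoke replica; each spoke needs only Reader on the hub."""
    report = {}
    for spoke, spoke_acl in sorted(spoke_acls.items()):
        issues = audit_server_access(spoke_acl, hub, replicates_acl=True)
        issues += audit_server_access(hub_acl, spoke, pull_only=True)
        report[spoke] = issues
    return report


# Constructed sample ACLs (server and user names are made up)
HUB = "Hub1/CAL"
HUB_ACL = {
    "Hub1/CAL": ("Manager", "server"),
    "Spoke1/CAL": ("Reader", "server"),
    "Spoke2/CAL": ("Editor", "server"),
    "Directory Admin/CAL": ("Manager", "user"),
}
SPOKE_ACLS = {
    "Spoke1/CAL": {"Hub1/CAL": ("Manager", "server"), "App Dev/CAL": ("Designer", "user")},
    "Spoke2/CAL": {"Hub1/CAL": ("Editor", "server"), "App Dev/CAL": ("Designer", "user")},
}

if __name__ == "__main__":
    for spoke, issues in audit_hub_spoke(HUB, HUB_ACL, SPOKE_ACLS).items():
        print(spoke, issues or "ok")
```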
Replication Settings
You need to check the replication settings of the database if you find that some of the databases
are not replicating at all. You can also check the replication settings if only selective views and
folders are being replicated, or if you find that the older documents keep disappearing from a
replica. The replication settings of a database contain options to:
Control the size of a replica.
Control the information that needs to be kept in the current replica.
Control the information that needs to be sent to other replicas.
Control other miscellaneous settings.
The Replication Settings for IT Services dialog box contains five tabs:
The Basics tab contains options related to the frequency of replication, the amount of replication,
and the preferred server for replication, as shown in Figure 7-17.
You can use the Advanced tab to define which computer receives what information from which
other computer during replication. You can specify a subset of folders and views to receive or
specify a formula for selection of documents that you want to receive. You can also specify
whether you want to receive changes to design elements, agents, replication formula, document
deletions, and ACL. These settings apply to all the replicas on the selected computer. You can
select a local computer, a server, or all servers that contain replicas of the database.
Replication History
The replication history of a database contains information about each successful replication of the
database with any server. The replication history contains the following information about a
successful replication:
Date and Time of replication with the other server
Action, whether the information was sent or received
Destination Server with which the replication took place
Destination File name of the replica on the other server
To access the Replication History of a database, select File-> Replication-> History. Figure 7-22
shows the Replication History dialog box:
Sometimes, during the replication of databases, the right documents are not replicated but the
replication history of the database gets stamped. When you try to replicate the databases again,
no replication takes place because the REPLICATOR does not detect any changes after the date
is stamped in the replication history. To handle these problems, you can clear the date time stamps
of successful replications by clearing the replication history of the database.
To clear a single entry from the replication history, select the entry and click the Clear button in the
Replication History dialog box. To clear the complete history, click Clear All.
After you clear the history, the REPLICATOR does a fresh replication considering all the
documents.
In a replica, a replication conflict is created if the same document is edited and saved by multiple
users in different replicas and then these are replicated. One of the documents becomes the main
document and the other becomes a response to the main document and shows as Replication or
Save Conflict in all the views. Under these conditions:
The document edited and saved the most times becomes the main document and
other documents become the Replication or Save Conflict documents.
If all of the documents are edited and saved the same number of times, the
document saved most recently becomes the main document, and the others
become Replication or Save Conflict documents.
If a document is edited in one replica but deleted in another replica, the deletion
takes precedence unless the edited document is edited more than once or the
editing occurs after the deletion.
Troubleshooting Deletions
Replication synchronizes additions, modifications, and deletions done in replicas. When you delete
a document from one replica, the document is deleted from all the other replicas. When you delete
a document from a replica, it leaves behind a deletion stub. When replication takes place, the
REPLICATOR uses this mark to identify that the document has been deleted. Sometimes, you
might find the deleted documents reappearing in the database. To save disk space, Notes purges
deletion stubs according to the replication setting Remove documents not modified in the last <n>
days. The number of days specified here is called the purge interval. If the replication of the
databases does not take place before the purge interval, Notes purges the deletion stubs before
they have a chance to replicate and the deleted documents reappear.
A deleted document may also reappear if the document has been deleted from one replica but has
been edited after that on another. This is because the edit occurred after the deletion and so it
overrides the deletion.
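The conflict rules and the deletion-stub behaviour described above can be traced with a small model. The following Python sketch is an added example, not code from the book or from Domino; it is a simplified model of the REPLICATOR in which the function names, the dictionary layout, and the dates are assumptions, and a stub is assumed to be purged once it is older than the purge interval.

```python
from datetime import datetime, timedelta


def pick_main_document(copies):
    """Return (main, conflicts) for copies edited in different replicas.

    Each copy is a dict with 'replica', 'saves' (times edited and saved) and
    'saved_at'. Most saves wins; a tie goes to the most recent save.
    """
    ranked = sorted(copies, key=lambda c: (c["saves"], c["saved_at"]), reverse=True)
    return ranked[0], ranked[1:]


def deletion_vs_edit(deleted_at, edit_times):
    """Deletion wins unless the other copy was edited more than once or after it."""
    if len(edit_times) > 1 or any(t > deleted_at for t in edit_times):
        return "edit-wins"
    return "deletion-wins"


def purge_stubs(replica, now, purge_days):
    """Remove deletion stubs older than the purge interval; return their IDs."""
    cutoff = now - timedelta(days=purge_days)
    purged = sorted(u for u, d in replica.items()
                    if d.get("deleted_at") and d["deleted_at"] < cutoff)
    for unid in purged:
        del replica[unid]
    return purged


def replicate_one_way(src, dst):
    """Simplified model of one pass from src to dst; returns {doc_id: action}."""
    actions = {}
    for unid, doc in src.items():
        other = dst.get(unid)
        if doc.get("deleted_at"):
            if other and not other.get("deleted_at"):
                verdict = deletion_vs_edit(doc["deleted_at"], other.get("edits", []))
                if verdict == "deletion-wins":
                    dst[unid] = dict(doc)
                    actions[unid] = "deleted"
                else:
                    actions[unid] = "kept-edit"
        elif other is None:
            # No document and no stub on dst: the document looks new to it.
            dst[unid] = dict(doc)
            actions[unid] = "created"
    return actions


def scenario(replication_day, purge_days=30):
    """Constructed case: DOC1 is deleted on replica A on 1 Jan, untouched on B.

    replication_day is the number of days after the deletion on which the
    two replicas next replicate.
    """
    deleted_at = datetime(2003, 1, 1)
    a = {"DOC1": {"deleted_at": deleted_at}}
    b = {"DOC1": {"saves": 1, "saved_at": datetime(2002, 12, 1), "edits": []}}
    now = deleted_at + timedelta(days=replication_day)
    result = {"purged": purge_stubs(a, now, purge_days)}
    result["a_to_b"] = replicate_one_way(a, b)
    result["b_to_a"] = replicate_one_way(b, a)
    return result


if __name__ == "__main__":
    print(scenario(10))   # replication inside the purge interval
    print(scenario(45))   # stub purged first, DOC1 comes back from B
```

When deleted documents reappear, compare the gap between entries in the replication history with the purge interval of the replica where the deletion was made.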
For example, changing the common name of a user involves many tasks. You need to change the
user ID, the name in the Domino directory, and locate and change the name in the Access Control
Lists (ACLs) of all the databases. In addition, you need to change the Readers and Authors fields
in the documents in the databases and the calendar entries. Performing all these tasks manually
requires time and effort, and there is a chance that you might overlook a task or two.
The AdminP saves you the time and effort required to implement these tasks manually and
ensures that all necessary changes are implemented.
This chapter describes the various components of the AdminP. It also explains how to configure
these components on the server and how to carry out some common administration requests.
The Administration Requests database stores all requests for activities to be performed by the
AdminP task. The Administration Requests database also contains the responses to these
requests as response log documents, which show the status of any request. An activity to be
performed by the AdminP may involve more than one server. The Domino server regularly
replicates this database with other servers in the domain to distribute the requests to the other
servers.
Note Domino adds a large number of request and response log documents to the
Administration Requests database. It is advised that you control the size of
this database. To learn about controlling database size, see Chapter 11,
Managing Domino Databases.
The AdminP task is responsible for executing all the requests in the Administration Requests
database. The AdminP task starts automatically when you start a server. You can also start the
AdminP task manually by issuing the following console command:
LOAD ADMINP
To quit the AdminP task, you must issue the following command on the server console:
TELL ADMINP QUIT
The AdminP task executes requests based on predefined schedules. An AdminP request can be
executed immediately, after a few minutes, once in a day, or once in a week. You can issue
console commands to carry out these requests immediately. You can customize the schedules for
various types of AdminP requests using the Server document.
When the AdminP carries out these requests, the status of the request changes. Based on the
status, a different icon is shown with the request. The status of various AdminP requests is as
follows:
Reprocess: Reprocess requests are generated when a request fails and you
select the option on the request to perform the request again.
Attention: These requests are shown in the Administrative Attention Required
view and are not errors.
Processed: These are marked as processed by the administrator by selecting
the option Remove from view in the Administrative Attention Required, All Error
by Server and All Errors By Date views.
Completed: These requests have been successfully completed.
Error: These requests show an error status.
In Progress: These requests are in progress and are waiting for a task to be
completed.
The options to customize the AdminP task are available in the Server document. To customize the
AdminP task:
1. Select the Configuration tab of the Administrator client.
2. Expand the Servers view and select All Server Documents.
3. From the Results pane, double-click the document for your server to open it.
4. Select the Server Tasks tab. The Administration Process tab is selected by
default, as shown in Figure 8-2:
The administration server for a database is responsible for the administrative changes in that
database, such as updating the names of users, servers, or groups in various fields in the
database and deleting users and servers. It is mandatory to assign an administration server for the
Domino directory. By default, the first server that you set up in the organization becomes the
administration server for the Domino directory.
A few other databases are also assigned administration servers automatically. For example,
the users' mail servers are the administration servers for their mail databases. For other
databases, where you want the AdminP to update the ACL or Readers and Authors fields with the
changed names of users and servers, you must assign an administration server in the ACL of the
database.
The selected server takes responsibility for all the name changes in the database.
An extended administration server can be designated for the Domino directory to distribute the
administration responsibilities across multiple servers dispersed across various locations. When
you assign a single administration server to the Domino directory, all the AdminP activities
requiring changes to the Domino directory are performed by that server. This increases the load on
the server and requires multiple replications of the Administration Requests database and Domino
directory on this server with all other servers for the request to be completed.
For example, if you initiate a name change request for a user on a server other than the
administration server for the Domino directory, this request must be replicated to the Administration
Requests database on the administration server. When the server carries out the request, you
must replicate it back to the server initiating the request. The administration server carries out the
changes in its Domino directory. You must replicate the Domino directory with the other server for
the name change to be effective.
An extended administration server can modify any documents that belong to a namespace for
which the server has been assigned the required access. A namespace is an element of the
certification hierarchy. For example, OU=HO/O=SNT is a namespace for the organization SNT and
the organization unit HO.
Figure 8-4: The Advanced ACL Settings for the Domino Directory
Make sure that you select the Enforce a consistent Access Control List across all
replicas and Enable Extended Access options.
Note To learn more about enabling the Extended Access on the Domino directory, see
Appendix B, Extended ACL.
4. Click the Basics tab of the Access Control List dialog box and click the Extended
Access button. Figure 8-5 shows the Extended Access button on the Basics tab
of the Access Control List dialog box:
Figure 8-5: Access Control List Dialog Box Showing the Extended Access Button
Clicking the Extended Access button displays the Extended Access dialog box, as
shown in Figure 8-6:
The newly added server is now responsible for all the requests for the selected namespace. The
original Administration server for the Domino directory continues to handle requests for any other
namespace.
The Certification Log database (CERTLOG.NSF) is created when you set up the first server in your
domain. To create this database, you can use the Certification Log (CERTLOG.NTF) template.
When you register servers and users in Domino, the certification log records the following
information about each registration:
Name and license type of the registered ID.
Date of certification and date on which the certificate expires.
Name, license type, and ID number of the certifier ID used to create or recertify the
ID.
The certification log stores important information that is required for recertification and renaming by
the AdminP. If any entry is missing in the certification log, the user-management action fails.
All other servers in the domain that act as registration servers or are used for renaming and
recertification requests must contain a replica of the certification log.
Figure 8-7 shows the Certification Log database:
To enable the server in one domain to mail AdminP requests to a server in another
domain, you must create a Cross Domain Configuration document.
Only users listed in the List of administrators who are allowed to create Cross Domain
Configuration documents in the Administration Process Requests database field of the
Domino directory profile can create these documents.
Note To learn more about the Domino directory profile, see Chapter 6, Configuring
Domino Directories.
Before the server can send the AdminP requests to the external domain, you must
ensure that the following exist in the Domino directory on the server:
A cross certificate for the external domain certifier. The other domain directory must
contain a cross certificate for your domain certifiers.
Note To learn more about cross certificates, see Chapter 10, Domino Security.
A Connection document for routing mail to the external domain. The other domain
must contain a Connection document to route mail to your domain.
Note To learn more about Connection documents, see Chapter 4, Configuring Mail
Routing.
Figure 8-10: The Select Keywords Dialog Box for Inbound Cross Domain
Requests
9. Select the requests that you want to accept from the other domain and click
OK to close the Select Keywords dialog box.
10. In the List of approved signers field, select the names of users from the
destination domain who are trusted signers for these requests. A request
signed by any other person will be rejected.
11. To configure the outbound requests, click the Configuration Type tab and
select the Type of cross domain configuration as Outbound. The next tab
changes to Outbound Request Configuration.
12. Click the Outbound Request Configuration tab. Figure 8-11 shows the
Outbound Request Configuration tab of the Cross Domain Request
Configuration document.
Renaming Users
The hierarchical name of a user may change. The common name component of a user’s
hierarchical name may also change. For example, in many communities, the last name of a girl
changes after marriage.
6.
Figure 8-14: The Choose a Certifier Dialog Box
7. Click the Server button to select the Registration server for the user.
8. Click the Certifier ID button to choose the certifier ID that was used to certify
the user and click OK.
9. Specify the password for the selected certifier ID and click OK. The Certificate
Expiration Date dialog box appears, as shown in Figure 8-15:
After this procedure, a series of requests are created in the Administration Requests database and
are performed by the AdminP. The user’s name is updated.
Figure 8-18: The Request Move for Selected People Dialog Box
9. From the New Certifier list, select the new certifier that you want to use to
certify the user ID. The Rename Person dialog box appears, as shown in
Figure 8-19:
As a result of the above procedure, a Name Move request is created in the Administration
Requests database. This request needs to be executed by the administrator who has access to the
new certifier.
Figure 8-20: The Name Move Request in the Administration Requests database
2. Select the entry and click the Complete Move for selected entries action. The
Choose a Certifier dialog box appears.
3. Select the new certifier, such as /RO/SNT, and click OK.
4. Specify the password for the certifier and click OK.
5. The Certificate Expiration Date dialog box appears. Accept the default or
specify a new expiration date for the user ID and click OK.
6. If you selected the Allow primary name to be changed when the name is
moved option, you are asked to specify the new first, middle, and last names
and other information, such as the Internet address. If you did not select the
option, you are asked to specify the Qualifying organization unit for the user.
Specify the required information and click OK.
7. The Processing Statistics dialog box confirms the status of the request.
After this procedure, a series of requests are created in the Administration Requests database and
are executed by the AdminP. The user’s name is updated.
When a user is transferred from one location to another, the user’s mail database must also be
moved to the new location. You may also want to move the users to a new server if the load on the
current server is high and you have decided to configure a new server in the domain.
A series of requests created in the Administration Requests database and executed by the AdminP
ensures that the user’s mail file is successfully moved to the destination server.
Deleting a User
When a user leaves an organization, the user’s entries in the Domino directory and other Domino
databases must be removed. For reasons of security, you may also want to delete the user from the
server access list to remove the user’s access to the server.
To delete a user:
1. From the Domino Administrator client, select People & Groups tab -> Domino
Directories -> your Domain’s directory -> People view.
2. From the Result pane, select the entry for the user whom you want to delete.
You can select multiple entries.
3. From the Tools menu, select People -> Delete. The Delete Person dialog box
appears, as shown in Figure 8-23:
The AdminP handles the deletion of the user name from the ACLs and Names fields and the
deletion of the user’s mail files.
Domino servers run various tasks, such as ROUTER, REPLICATOR, and CALCONN. The server
console displays any activity that these tasks perform on the server. You can color code the
messages that appear on the server console to identify errors by just looking at the console.
Domino logs the activities on the server into the Server Log. You can analyze the Server Log to
troubleshoot server errors.
The server tasks generate several statistics. For example, the ROUTER task generates statistics,
such as MAIL.WAITING, MAIL.TRANSFERRED, and MAIL.DEAD. These statistics enable you to
monitor and troubleshoot the server, improve its performance, and decide the expansion of the
servers for load balancing. The Domino Administrator client provides various options to view and
collect server statistics, such as the Statistics tab and the Domino Server Monitor and Statistics
Charting tools. The Domino Server provides the COLLECT and EVENT tasks to collect and
monitor the statistics and generate events to track problems on the server.
This chapter describes the various server-monitoring tools available in Domino. It also explains the
procedure to configure the Event Generators and Event Handlers to trap events on the server.
By default, all the messages on the server console appear in gray. To distinguish between regular
messages and the messages pertaining to errors or other types of events that require attention,
you can define colors for each type of message appearing on the server console. You can also
define the text and the background attributes for the console. Because you define different
attributes for different types of entries, an error draws your attention immediately.
To define the colors for the messages appearing on the server console, you must create a Server
Console Attributes document.
Table 9-1: NOTES.INI Parameters to Enable Logging for Specific Tasks
NOTES.INI Parameter: Description
Log_Tasks: Specifies whether or not Domino should log the current status
of tasks on the server. Specify 0 to disable or 1 to enable.
Log_Update: Specifies the level of information about the INDEXER task that
Domino records in the log. Setting this parameter to 0 records
only the start and shutdown of the INDEXER task. Setting this
parameter to 1, in addition to the start and shutdown times,
records the times when the INDEXER updates the views and
the full text indexes. Setting this parameter to 2 also records the
view names that the INDEXER updates.
To troubleshoot specific problems on the server, you can enable or increase the amount of logging
for the selected task on the server.
Domino creates the Server Log when you start the server for the first time. You can view the
Server Log either by opening it directly from the Notes Client using File -> Database -> Open or by
using the Domino Administrator client.
To open the Server Log, select Server tab -> Analysis tab -> your server’s Log in Domino
Administrator client. The Server Log for your server opens, as shown in Figure 9-3:
Domino updates the Server Log with information about any activity taking place on the server. As
a result, the Server Log database grows considerably and it becomes important to control its size.
You can control the size of the Server Log automatically by adding the following NOTES.INI entry:
LOG = LogFile, LogOption, Notused, Days, Size
For example, suppose the default entry in the NOTES.INI for LOG is:
LOG=LOG.NSF, 1, 0, 7, 40000
The above default entry means that the Server Log is LOG.NSF, the entries sent to the Server
Log are also shown on the server console, the documents are deleted from the Log after seven
days, and a log document can contain up to 40,000 bytes.
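An added example, not code from the book or from Domino: a short Python check that reads the LOG, Log_Tasks and Log_Update entries described in this chapter and reports settings that limit what is available when you troubleshoot. The function names, the constructed sample file and the 30-day minimum retention are assumptions.

```python
SAMPLE_INI = """\
[Notes]
LOG=LOG.NSF, 1, 0, 7, 40000
Log_Tasks=0
Log_Update=2
"""  # constructed sample, not taken from a real server


def parse_ini(text):
    """Return NOTES.INI settings as a dict with lower-cased keys."""
    settings = {}
    for line in text.splitlines():
        if "=" not in line:
            continue  # section header or blank line
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip()
    return settings


def parse_log_entry(value):
    """Split 'LogFile, LogOption, Notused, Days, Size' into typed fields."""
    parts = [p.strip() for p in value.split(",")]
    if len(parts) != 5:
        raise ValueError(f"LOG needs 5 comma-separated fields, got {len(parts)}")
    log_file, option, _unused, days, size = parts
    return {"file": log_file, "option": int(option),
            "days": int(days), "size": int(size)}


def audit_logging(ini_text, min_days=30):
    """Return (code, message) findings. min_days is a local policy assumption."""
    settings = parse_ini(ini_text)
    findings = []

    raw = settings.get("log")
    if raw is None:
        findings.append(("log-missing", "no LOG entry found in this file"))
    else:
        try:
            log = parse_log_entry(raw)
        except ValueError as exc:  # wrong field count or a non-numeric field
            findings.append(("log-malformed", str(exc)))
        else:
            if log["days"] < min_days:
                findings.append((
                    "retention-short",
                    f"{log['file']} keeps documents {log['days']} days, "
                    f"policy asks for {min_days}"))

    # Only explicit values are judged; an absent parameter is left alone
    # because the chapter does not state the defaults.
    if settings.get("log_tasks") == "0":
        findings.append(("log-tasks-off", "task status logging is disabled"))
    if settings.get("log_update") == "0":
        findings.append(("log-update-minimal",
                         "INDEXER logging records only start and shutdown"))
    return findings


if __name__ == "__main__":
    for code, message in audit_logging(SAMPLE_INI):
        print(f"{code}: {message}")
```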
Using Log Files to Troubleshoot Server Errors
The Domino Server Log contains information about the activities taking place on the server. If you
want to troubleshoot a problem on the server, you should look for clues in the Server Log. To
search for information in the Server Log, you can use the Log Analysis tool of the Domino
Administrator client. The Log Analysis tool helps you search for the required information by basing
your search on the type of event, the severity of the event, server tasks, specified messages, and
specified words.
For example, if users report that the documents in replicas of a database residing on two different
servers have not been synchronizing for the past week, you can analyze the log entries of that week
for any information related to replication. You can also specify the database name or other specific
information to filter the number of log entries returned. You can look for error messages in these
log entries, such as insufficient access for replication, and use the information for
troubleshooting the problem. To use the Log Analysis tool:
1. In the Domino Administrator client, select Server tab -> Analysis tab.
2. In the Tools pane, select the Analyze -> Log tool.
3. The Log Analysis dialog box appears, as shown in Figure 9-4:
Figure 9-5: The Event Type Tab of the Log Analysis Dialog Box
7. From the list of event types, select the type of event that you want to include in
your search and click the Event Severity tab. A list of event severities appears,
as shown in Figure 9-6:
Figure 9-6: The Event Severity Tab of the Log Analysis Dialog Box
8. Select the severity that you want to include in the search and click the Server
Tasks tab. This tab shows a list of server tasks, as shown in Figure 9-7:
Figure 9-7: The Server Tasks Tab of the Log Analysis Dialog Box
9. Select the task that you want to include in the log analysis and click the Error
Code tab. A list of error codes and messages appears, as shown in Figure 9-8:
Figure 9-8: The Error Code Tab of the Log Analysis Dialog Box
10. If you want to search for a specific error message, select the error message from
the list, otherwise do not select anything and click the Words tab. The Words tab
appears, as shown in Figure 9-9:
Figure 9-9: The Words Tab of the Log Analysis Dialog Box
11. In the Search list, select from any of the words, all the words, or exact phrase
options. Specify the words in the Words field. In the Word Filters fields, specify
any words that the search must contain and must not contain.
12. Click the Queries tab to view the options specified in all the tabs. Figure 9-10
shows the Queries tab:
Figure 9-10: The Queries Tab of the Log Analysis Dialog Box
13. If you want to save the query for future use, select the Save this query as option,
specify a name for the query, and click the Save button. You can load a saved
query again by selecting the query from the Select stored query list.
14. Click OK to view the result of the log analysis.
15. The Log Analysis has been completed message box appears followed by the
result of the log analysis. Figure 9-11 shows the results of the log analysis:
You enable Activity Logging in the Server Configuration document. The information
collected is stored in the Domino Server Log.
Note The Server Log also records some of the information that Activity Logging
records, but the Activity Logging information is much more comprehensive.
Figure 9-12: The Activity Logging Tab of the Configuration Settings Document
4. To enable Activity Logging on the server, select the Activity logging is enabled
option. The Server Activity Logging Configuration options appear, as shown in
Figure 9-12:
5. In the Enabled logging types field, select the tasks for which you want to
enable Activity Logging.
6. In the Checkpoint interval field, specify the interval in minutes after which the
Activity Logging information is reported into the Log database. The default is
15 minutes.
7. Select the Log checkpoint at midnight option to log the ongoing session
activity at midnight.
8. Select the Log checkpoints for prime shift option to log the ongoing session
activity at the beginning and end of the specified time, and then specify the
time in the Prime shift interval field.
9. Save and Close the document.
Domino creates a different activity record for each type of activity. Although Domino
records the result of Activity Logging in the Server Log, it hides this information. As a
result, you cannot see this information when you open the Server Log. To view the
Activity Logging information in the Server Log, you need to use the Activity Analysis tool.
To view the Activity Logging information in the Server Log using the Activity Analysis tool:
1. From the Domino Administrator client, select Server tab -> Analysis tab.
2. In the Tools pane, select the Analyze -> Activity tool.
3. The Server Activity Analysis dialog box appears, as shown in Figure 9-13:
Server Statistics
To monitor the server, you can collect the statistics that Domino server generates and updates. For
example, if you want to view the number of dead messages on the server, you can check the value
of the statistic MAIL.DEAD.
By viewing the statistics generated on the server, you can find out whether or not the server is
running fine. An abnormally high or low value for a statistic indicates that you need to check the
related service on the server. You can view the statistics on the server either by issuing Domino
Console commands or by using the Domino Administrator client.
Using Domino Console Commands
You can view all the server statistics on the server console using the following Domino Console
command:
SHOW STATISTIC
Figure 9-16 shows the result of the SHOW STATISTIC command:
To view the value of a single server statistic, you can issue the following command:
SHOW STATISTIC <statisticname>
For example, the following command shows the number of dead messages on the server:
SHOW STATISTIC MAIL.DEAD
Figure 9-17: The Server -> Statistics Tab of the Domino Administrator client
Note When you select any statistic from the statistics shown on the Server ->
Statistics tab, the description of the statistic appears on the status bar.
Using the Domino Server Monitor
The Server -> Monitoring tab of the Domino Administrator client shows the Domino Server monitor
used to view the real-time statistics and the status of server tasks. The Domino Server monitor
contains a Start button that you can use to start monitoring the server tasks and statistics. If the
server monitor is already running, a Stop button appears instead of the Start button, and you
can use it to stop the server monitor.
From the Monitoring Profiles list, you can select the servers you want to include in the Monitoring
tab. The options are:
All Servers: Includes all the servers that you are administering using the Domino
Administrator client.
Favorites: Includes all the servers in the Favorites bookmark.
Domain: Includes all the servers from the domain.
Clusters: Includes clusters within the domain being monitored.
The By State view shows the status of selected Domino servers, tasks and statistics on the
selected servers. This view is divided into three panes:
Server: Shows the servers that you are monitoring. You can right-click in this
pane to add or remove a server.
Tasks: Shows the status of the tasks on the selected server. You can add or
remove tasks by right clicking in this pane. The status of the tasks is shown
using display indicators.
Statistics: Shows the values of the selected statistics on the servers. You can
right-click in this pane to add or remove the statistics being monitored. You can
sort the servers based on a numerical statistic by clicking on any statistic column
header.
Figure 9-18 shows the By State view of the Domino Server Monitor:
In the By Timeline view, using the Column scale selector, you can select the time interval for each
display.
You can right-click anywhere in this view to add or remove a server, task, or statistic.
You can specify the default monitoring preferences using the Administration Preferences. To
specify the monitoring preferences in the Domino Administrator client:
1. In the Domino Administrator client, select File -> Preferences -> Administration
Preferences. The Administration Preferences dialog box appears.
2. Select the Monitoring tab, as shown in Figure 9-20:
Figure 9-20: The Monitoring Tab of the Administration Preferences Dialog Box
3. In the Do not keep more than <x> MB of monitoring data in memory field,
specify the maximum amount of virtual memory to be used for storing the
monitoring data. The default is four.
4. In the Not responding status displayed after <x> minutes of inactivity field,
specify the duration in minutes after which the not responding status is shown.
5. To use the Server Health Monitor, select the Generate server health statistics
option. The Server Health Monitor is an add-on tool installed as part of the
IBM Tivoli Analyzer for Lotus Domino.
6. Select the location for which you want to configure monitoring from the When
using location list.
7. From the Monitor servers options, select the From this computer option to
monitor the servers from the local Domino Administrator client. You can also
select the From server option to select the server running the Statistic
Collector task for the servers being monitored.
8. In the Poll servers every <x> minutes field, specify the server’s polling
interval.
9. Select the Automatically monitor servers at startup option to start the Domino
Server monitor when you start the Domino Administrator client.
Domino provides tools to enable you to collect the server statistics over time and to chart these
statistics. You can use these charts and statistics to monitor the performance of various tasks on
the server and to find the load on the server.
You can either collect the statistics on the server using the Statistic Collector task (COLLECT) or
locally using the Domino Administrator client.
To start the Statistic Collector task on the server, issue the following server console command:
LOAD COLLECT
The Statistic Collector task can collect the statistics from one or multiple servers. You can specify
various parameters for the collection of these statistics. For example, you can specify which
servers the Statistic Collector should collect information from, where it should log the information,
and what the collection interval should be. To specify this information, you must create a Server
Statistic Collection document in the Monitoring Configuration database (EVENTS4.NSF).
Figure 9-21: The Basics Tab of the Server Statistic Collection Document
2. In the Collecting server field, select the name of the server that runs the
Statistic Collector task to collect the statistics.
3. In the Collect from field, select the From the following servers option and
specify the names of the servers from which you want to collect the statistics.
You can also choose to collect statistics from all the servers in the domain or
from all servers that are not explicitly listed to be collected.
4. Click the Options tab. Figure 9-22 shows the Options tab:
Figure 9-22: The Options Tab of the Server Statistic Collection Document
5. Select the Log statistics to a database option to record the statistics in a
database and, in the Database to receive reports field, specify the filename of
the database. The default filename is statrep.nsf.
6. In the Collection report interval field, specify the duration in minutes between
each subsequent report. The default duration is 120 minutes.
7. In the Collection alarm interval field, specify the duration between subsequent
alarms. Domino generates an alarm when a specific statistic exceeds a
specified threshold value defined using an alarm document.
8. From the Statistic Filters list, select the types of statistics that you do not want
to include in the statistic reports.
9. Save and close the document.
Domino collects the statistics in the Monitoring Results database. To view the collected statistics:
1. In the Domino Administrator client, select Server tab -> Analysis tab ->
Monitoring Results -> Statistics Reports.
2. Select a view under the Statistics Reports section. Domino displays the
statistics report in the results pane, as shown in Figure 9-23:
Figure 9-23: The Monitoring Results Database Showing the Statistics Collection Report
3. Open the document and view the statistics.
At each collection interval, the Domino COLLECT task adds a new report to the Monitoring Results
database.
Figure 9-24: The Statistics Tab of the Administration Preferences Dialog Box
3. Select the Generate statistic reports while monitoring or charting statistics
option to create the statistics report document in the local Monitoring
Results database. Specify the interval for creating reports in the Generate
reports every <x> minutes field. The default is 45 minutes.
4. Select the Check statistic alarms while monitoring or charting statistics
option to report an alarm in the Monitoring Results database when the
statistic exceeds a threshold value. You can define the threshold in the local
Monitoring Configuration database (EVENTS4.NSF). Specify the interval for
checking the alarm in the Check alarms every <x> minutes field.
5. Specify an interval in the Chart statistics every <x> seconds field. The
default value is 20 seconds. Alternatively, you can select the Chart statistic
using same poll interval as monitoring option to use the server poll interval
specified in the Monitoring tab.
6. Click OK to save the settings.
Charting Statistics
To monitor the server statistics, you can view the collected statistics graphically by creating statistic
charts. You can create two types of statistic charts:
Real-time: Show real-time statistics.
Historical: Show the statistics collected in the Monitoring Results database on
the administrator client.
Figure 9-25: The Historical Statistics View in the Domino Administrator Client
2. To add a statistic to the chart, click the Add button and select the statistic
that you want to include in the chart using the Add Statistics dialog box, as
shown in Figure 9-26:
Figure 9-28: The Select Range for Historical Statistics Charting Dialog Box
6. From the Server list, select the server for which you want to retrieve the
statistics.
7. In the Start date and End date fields, specify the start and the end dates for
which you want to retrieve the statistics.
8. Select the Select time range option and specify a Start time and End time
for which you want to include the statistics.
9. Click OK to close the dialog box and start charting the statistics.
You create the event configurations and the event handlers in the Monitoring Configuration
database (EVENTS4.NSF) on the server. The Event Monitor (EVENT) task generates the events.
This task starts automatically when the server starts and creates the Monitoring Configuration
database when it runs the first time.
The Monitoring Configuration database contains various types of Event generators, such as
Database, Domino Server, Mail Routing, Statistic, Task Status, and TCP Server.
For the Mail Routing and TCP Server events, you must run an additional task called the ISpy. To
load this task, issue the following command on the server console:
LOAD RUNJAVA ISpy
Note The ISpy task is a Java-based task and the task name is case-sensitive.
An event generator must define the severity of the event. The following severities can be defined
for an event:
Fatal: Signifies that the event will cause system failure.
Failure: Signifies that the event will cause the severe failure of a service but not system
failure.
Warning (High): Signifies that the event will cause loss of functionality that requires
intervention.
Warning (Low): Signifies that the event will lead to degraded system performance.
Normal: Shows a status message.
Creating Events
You can create an event using the Monitoring Configuration database. To open the Monitoring
Configuration database:
1. In the Domino Administrator client, select Configuration tab -> Monitoring
Configuration section -> Event Generators.
2. Select a specific type of event generator view such as Database, as shown in
Figure 9-29:
Database Events
You use the Database Event Generator to monitor the databases on the server. You can monitor
the database for replication, unused space, user inactivity, or change in the Access Control List
(ACL).
Figure 9-31: The Other Tab of the Database Event Generator Document
The Event type for this document is automatically set to Database.
7. From the Generate a Database event of severity list, select a severity level.
8. Click the Create a new event handler for this event button to define the event
handler for this event. The Event Handler Wizard appears, as shown in Figure
9-32:
Figure 9-33: The Event Handler Method Screen of the Event Handler Wizard
10. Select the method by which you want to be notified of the event. You can
broadcast a message to users, send a message to an administrator, log to the
Monitoring Results database, or use any other method listed.
11. Click Next. The Event Handler Options screen appears requiring you to
specify information about the selected notification method. For example, if you
select the method as Log to a database, the Event Handler Options screen for
the Log to a database method appears, as shown in Figure 9-34:
Figure 9-34: The Event Handler Options Screen for the Log to a Database Method
12. Specify the file name to log the event. The default is the Monitoring Results
database. Select Log to the database on the same server where the event
occurred. Alternatively, specify Log to the database on this server, in which
case you will have to specify the server.
13. Click Next. The Finish screen appears. Click the Finish button to close the
wizard.
14. Save and close the Database Event Generator document.
After you complete the above procedure, whenever anyone changes the ACL of the Domino
directory (NAMES.NSF) database, Domino logs an event into the All Events view of the Monitoring
Results database, as shown in Figure 9-35:
Figure 9-35: The All Events View of the Monitoring Results Database
Figure 9-37: The Probe Tab of the Domino Server Event Generator Document
8. In the Ports to use list, specify the ports that you want the server to use for
probing. Alternatively, select the Perform probe using any available port
option, if you want the probing server to probe using any port that is available.
9. Specify a timeout threshold as the duration within which the source server
should access the target server. The default is 1000 Msecs.
10. Click the Other tab to specify the severity of the event and to generate an
event handler for the event. The event type for this event is Server.
11. Save and close the document.
Figure 9-39: The Probe Tab of the Mail Routing Event Generator Document
6. Specify the interval, in minutes, between each subsequent probe in the Send
interval field.
7. Specify the number of minutes the probing server will wait for a response
before logging a failure in the Timeout threshold field. The Resulting Statistic
shows the statistic generated because of the probe.
8. Click the Other tab to specify the severity of the event and to generate an
event handler for it. The event type for this event is Mail.
9. Save and close the document.
Figure 9-41: The Threshold Tab of the Statistic Event Generator Document
6. Select the threshold to generate the event in the Threshold section. In this
case, select the Generate the event when the statistic is GREATER THAN the
threshold value option. You can also select the LESS THAN or MULTIPLE
options, if required.
7. Click the Other tab to specify the severity of the event and generate an event
handler for this event. The event type for this event is Statistic.
8. Save and close the document.
Figure 9-44: The Probe Tab of the TCP Server Event Generator Document
6. Specify the interval in minutes between each subsequent probe in the Probe
interval field.
7. Specify the number of seconds the probing server will wait for a response
before logging a failure in the Service timeout threshold field.
8. In the Services section, select Probe these services and then select the
services you want probed. In this case, select HTTP. Alternatively, instead of
selecting Probe these services, you can select Probe all configured TCP
services. Domino adds extra tabs to the document based on the services you
select. For example, if you select HTTP, an HTTP tab appears.
9. Click the HTTP tab and select Probe just this port. Alternatively, select Fetch
this URL and specify the URL that you want fetched.
10. Click the Other tab to specify the severity of the event and to generate an
event handler for the event. The event type for this event is Mail.
11. Save and close the document.
An event handler defines the method by which the EVENT task handles the events. You define the
event handler based on the severity and type of the event and the message it generates. The
event handler applies to all the events that match the defined criteria.
You can create an event handler using the Event Handler Wizard or by creating an Event Handler
document.
After you create the event handlers and the event generators, the EVENT task on the Domino
server monitors the activities that you have defined in the event generator documents. As soon as
any such activity takes place, for example when a statistic exceeds a threshold or a database ACL
is changed, the event handler that corresponds to the severity and type of event defined in the
event generator document handles the event as defined in the event handler document.
After the user has gained access to the server, the next layer of security begins at the level of the
application. Application-level security starts with the database Access Control List (ACL) for the
database that the user is trying to access. If the user has sufficient access to the database,
Domino checks for the security of the application design element. Domino presents only those
design elements to the user for which the user has access.
A user's ID file identifies the user to the Domino server. It is very important to secure the ID file to
prevent unauthorized access to the server.
This chapter explains the various methods of securing ID files. It also explains the various levels of
the Domino security model, such as the server access list, database ACL, and design element
security. In addition, it explains how to configure local workstation security options using the
Administration Execution Control List (ECL).
ID Security
Domino provides an ID file to all certifiers, servers, and persons. Domino creates the ID file when
you register the certifier, the server, or the person. The Domino server uses this ID file to identify
users. An ID file contains:
The owner's name.
An alternate name. Optionally, the user ID file may contain one alternate name and a
certifier ID may contain multiple alternate names.
The ID file password.
A permanent license number and type that specifies whether the owner has a North
American or International license to run Domino or Notes.
At least one Notes certificate from a certifier ID. A Notes certificate is a digital signature
added to a user ID or server ID by the certifier who certified the ID file.
A private key. Domino assigns a pair of private and public keys to each user and server.
The public key is stored in the Domino directory, and the private key is stored in the
ID file. Notes uses the private key to sign messages sent by the owner of the private
key, to decrypt messages sent to its owner, and, if the ID belongs to a certifier, to sign
certificates.
Internet certificates. An Internet certificate is used to secure SSL connections, encrypt,
and sign Secure/MIME (S/MIME) mail messages. A Certification Authority (CA), who
verifies the identity of the user, issues an Internet certificate.
Encryption keys. The ID file may optionally include one or more encryption keys created
and distributed by users to allow other users to encrypt and decrypt fields in a
document.
Domino uses several methods to secure an ID file. These methods include password quality scale,
time delay and anti-spoofing mechanism, multiple passwords, and the verification of the password
and public key on the server.
Password quality scale defines the level of complexity for a password. A password secures every
ID file in Domino. Only users who know the ID file password can use the ID file. You can ensure
that users use sufficiently secure passwords for their ID files by assigning an appropriate password
quality scale at the time of user registration.
A password quality scale can have a value from 1 to 16. The higher the value, the more complex
the password allowed for the ID file. You can assign a password scale of about eight for User IDs.
This password scale requires the users to use a combination of alphanumeric characters for the
password. Server IDs are assigned a password scale of zero because these IDs are not usually
assigned a password. For the certifier IDs, you can use a password quality scale of 10.
To change the password quality scale for an ID, you must recertify the ID file. You can also use the
Security policy settings document to assign a different password quality scale to a user.
Note To learn more about Policy setting documents, see Chapter 3, Configuring
Lotus Notes Clients.
The time delay and anti-spoofing mechanisms prevent the breaking of the ID file password. The ID
file has a built-in time delay mechanism. When a user specifies an incorrect password for the first
time, Domino informs the user about the wrong password and prompts for the correct password
almost immediately. The second time the user specifies an incorrect password, Domino takes
more time to prompt the user for the correct password. In this way, every time the user specifies an
incorrect password, Domino increases the time taken for the prompt. This discourages a user who
is trying to guess a password and deters a password-guessing program.
The ID file also has a built-in anti-spoofing mechanism that stores the password as a graphic
pattern that Domino creates when the user types the password, as shown in Figure 10-1:
The graphic pattern is unique for each ID file. If a password-stealing program presents a
password-like prompt to a user, the program cannot replicate the user’s picture combination and is
unable to break the password.
Multiple Passwords
You can set up more than one password for important IDs. There are two reasons why setting up
more than one password for an ID provides better security:
An unauthorized user, who has been able to guess one of the passwords, cannot
open the ID file because the file requires all the passwords to open. You can set
this security for important certifier IDs.
If the ID file requires any one password, different users can be assigned different
passwords and all users can use the ID with their own password.
Note You usually set up multiple passwords for certifier IDs because multiple
administrators use these IDs for certification.
Figure 10-3: The Choose ID File for Multi-password Management Dialog Box
2. Select the ID file, such as cert.id, for which you want to configure multiple
passwords and click Open. Domino prompts you for the ID file password.
3. Specify the ID file password and click OK. The Edit Multiple Passwords dialog
box appears, as shown in Figure 10-4:
You can access the ID file only after you provide the minimum number of passwords required.
End users may be logging onto Lotus Notes from various computers. They may leave their ID files
in different folders or folders that are shared on the network. This leads to a situation where you
have no control over the use of an ID file. Changing the password of the ID file copy that the user
possesses has no effect on the other copies of the IDs, which end users continue to access using
the old passwords. If an unauthorized user uses a user's ID, you can enable password checking
on the server.
When you enable password checking on the server, Domino stores the user’s password in the
Domino directory, as a password digest, in the user’s Person document. When the user logs on to
the server, Domino verifies the password against the password digest. If a user uses another copy
of the ID file with a different password to log on to the server, Domino does not allow the user to
log on and informs the user that the password on this copy of the ID must be changed to match the
password on another copy of the ID.
In addition to enabling password checking on the server, you must also enable password checking
for individual users.
To enable password checking for users:
1. In the Domino Administrator client, select People & Groups tab -> Domino
Directories section.
2. Select the Domino directory for your domain and click the People view, as
shown in Figure 10-9:
Figure 10-11: The Lotus Notes Dialog Box with Options to Set the Password Fields
6. In the Check Notes Password field, select Check Password.
7. In the Required Change Interval field, specify the interval after which the user
must change the password.
8. In the Allowed Grace Period field, specify the interval for which the user can use
the ID after the user’s password has expired.
9. Select the Force User to Change Internet Password on Next Login option.
10. Click OK to close the dialog box. The Completed Successfully message box
appears, as shown in Figure 10-12. This message box indicates that a request
has been submitted to the Administration Requests database.
Figure 10-14: The Updated Password Fields in the Person Document of a User
When the user logs on to the server for the first time, Domino creates a Change User Password in
the Domino directory request in the Administration Requests database. This request updates the
Password digest field with a value that matches with the user’s password. It also updates the Last
Change date field.
Domino creates the Change User Password request every time the user changes the password
and the request updates the Password digest and Last change date fields.
Domino assigns a unique private and public key pair to all users. The public key of the user must
always match with the user’s private key. Domino stores the public key in the Person document of
the user and the private key in the ID file.
An unauthorized user who gains access to an ID file can authenticate with the server and, by using
the private key stored in the ID file, gain access to the original user’s encrypted messages. In
addition, this unauthorized user can gain access to other encrypted data and sign messages on
the original user’s behalf.
To prevent unauthorized access, the user can generate a new public key and get it certified by the
administrator, who can enable public key verification on the server. Public key verification involves
matching the public key stored in the Domino Directory with the public key on the ID.
When the unauthorized user with the original public key tries to access the server, the server does
not allow access.
Authentication
Authentication is the process of verifying whether a user or a server trying to connect to your
server is genuine and trusted. The authentication process has two steps:
Validation
Authentication
After the server successfully carries out the validation and authentication processes, it checks the
server access list for the access it can give to the user or the server.
Domino validates the client that is trying to access the server and the server that the client is trying
to access.
Note If the user or server does not trust the certificates of the other user or server,
you must create cross certificates. Cross certificates are trust certificates
that you create for users whose certificates you cannot trust.
During the authentication process, when a user is trying to access a server, the server sends a
random number challenge to the user. The user encrypts the number with the user’s private key
stored in the ID file and sends it back to the server. The server uses the public key of the user to
decrypt the response. If the server gets back the original number, it knows that the user is genuine.
Next, the user sends a random number challenge to the server. The server encrypts it using its
private key and the user decrypts the response using the public key of the server. If the user is
able to decrypt the response and get back the original number, the user knows that the server is
genuine and not some other server trying to pose as the original server.
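The two-way challenge described above, together with the public key comparison described earlier, as a simplified model added here (it is not code from the book or from Domino). It assumes unpadded textbook RSA over constructed toy keys, skips certificate validation, and uses hypothetical names throughout (make_id, authenticate, DIRECTORY, the sample user and server names).

```python
import secrets

E = 65537  # public exponent shared by every toy key in this model


def make_id(name, p, q):
    """Build a toy ID file: owner name, public key, private key."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # private exponent
    return {"name": name, "public": (n, E), "private": (n, d)}


def respond(id_file, challenge):
    """The ID holder transforms the challenge with the private key."""
    n, d = id_file["private"]
    return pow(challenge, d, n)


def verify(public_key, challenge, response):
    """The verifier reverses the transform with the public key."""
    n, e = public_key
    return pow(response, e, n) == challenge


def new_challenge():
    """Random number challenge, always smaller than every toy modulus."""
    return 2 + secrets.randbelow(2 ** 64)


def authenticate(client_id, server_id, directory, check_public_key):
    """Return (server_accepts_client, client_accepts_server).

    The server tests the client against the public key presented on the ID.
    With check_public_key set, that key must also equal the copy held in the
    directory. If the client is rejected, the second step never runs.
    """
    presented = client_id["public"]
    if check_public_key and directory.get(client_id["name"]) != presented:
        return (False, False)
    c1 = new_challenge()
    if not verify(presented, c1, respond(client_id, c1)):
        return (False, False)
    c2 = new_challenge()
    genuine_server_key = directory[server_id["name"]]
    return (True, verify(genuine_server_key, c2, respond(server_id, c2)))


# Constructed sample keys built from known Mersenne primes (toy sizes only).
def M(k):
    return 2 ** k - 1


USER_OLD = make_id("Asha Rao/SNT", M(61), M(89))     # copy that was stolen
USER_NEW = make_id("Asha Rao/SNT", M(107), M(127))   # after key rollover
SERVER = make_id("Server1/SNT", M(521), M(607))
IMPOSTOR = make_id("Server1/SNT", M(31), M(1279))    # same name, other key
FORGED = {"name": "Asha Rao/SNT", "public": USER_NEW["public"],
          "private": USER_OLD["private"]}            # right key shown, wrong key held

# The directory holds the current public keys (Person and Server documents).
DIRECTORY = {"Asha Rao/SNT": USER_NEW["public"],
             "Server1/SNT": SERVER["public"]}


def demo():
    """Run each scenario and return its (server_ok, client_ok) outcome."""
    return {
        "current ID": authenticate(USER_NEW, SERVER, DIRECTORY, True),
        "stolen ID, check off": authenticate(USER_OLD, SERVER, DIRECTORY, False),
        "stolen ID, check on": authenticate(USER_OLD, SERVER, DIRECTORY, True),
        "forged ID": authenticate(FORGED, SERVER, DIRECTORY, True),
        "impostor server": authenticate(USER_NEW, IMPOSTOR, DIRECTORY, True),
    }


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario:22} server accepts client={outcome[0]}, "
              f"client accepts server={outcome[1]}")
```

In this model the stolen copy of the ID still passes the challenge while the comparison is off, because its private key matches the key it presents. It is rejected only when the server compares that key with the directory copy.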
Defining Server Access
The Domino server authenticates any user or server by checking the user or server’s certificates
and public key. Domino does not allow unauthenticated users access to any databases on the
server. If the user is authenticated, the Domino server checks the server access list to identify
whether or not the user is allowed access to the server. A user who is denied access to the server
cannot access any resources on the server.
The access to a Domino server is defined in the Server document for the server. The Server
document contains sections that define:
The administrators for the server.
Names of users who have access to the server.
Names of users who can use the server as a passthru server.
Names of users who can run various types of programs or agents on the server.
Note For the setting to take effect, you must restart the server after making any
change to the security settings on the server.
Figure 10-16: The Administrators Section on the Security Tab of the Server Document
The types of administrators that you can define for the Domino server are:
Full Access Administrators: Administrators with the highest access on the server.
They have all the access given to administrators. In addition, they have Manager
access to all the databases on the server, all passthru rights, all programmability
rights, and can issue operating system level commands.
Administrators: Administrators with Manager access to the Web Administrator
database. These administrators can perform database maintenance tasks, such
as creating, updating, and deleting folders, database links, directory ACLs, and
full text indexes. They can also compact, delete, and create databases, replicas,
and Master Templates, set database quotas, and use message tracking. Domino
allows these administrators to track the subjects and use the console to remotely
administer UNIX servers and issue any remote console command. The
administrator assigned at the time of server configuration automatically gets all
these accesses.
Database Administrators: Administrators who can perform database
maintenance tasks, such as setting the administration server in the database
ACLs, creating, compacting, and deleting databases, replicas, and Master
Templates. They can maintain full text indexes, directories, links and options,
such as database quotas.
Full Remote Console Administrators: Administrators who can issue any remote
console command.
View-only Administrators: Administrators who can issue certain limited server
commands to view system status, such as SHOW SERVER and SHOW TASKS.
These administrators cannot affect server operations.
System Administrator: Administrators who can issue operating system
commands using the Domino Server Controller.
Restricted System Administrator: Administrators who can issue a restricted set of
operating system commands. The restricted commands are defined in the
Restricted System Commands field.
Figure 10-17: The Server Access Section on the Security Tab of the Server Document
Figure 10-20: The Passthru Use Section on the Security Tab of the Server Document
Database Security
A user connects to the server to access the databases that exist on the server. If the server does
not authenticate a user, the server returns an error. If the server successfully authenticates the
user and allows access, the user can access various databases on the server. To control the rights
with which the user can access a database on the server, you can define the Database ACL.
The security of the elements inside the database, such as the forms, views, and fields, is defined
at the application design levels.
Figure 10-21: The Access Control List to: SNT’s Directory Dialog Box
User Types
You can set the ACL of a database to allow access to a user, a server, or a group. When you add
any of these entries in the ACL, you must specify the user type, such as Person or Server.
Specifying a user type is an extra security measure because it specifies the type of entry that you
have included in the ACL. For example, specifying a user type as Person ensures that a server or
a group with the same name does not gain access to the database.
Access Levels
Several users can access a database with different access levels. For example, you can use a
Company Policy database to store Company Policy documents and make this database accessible
to all the users in your organization. In this database, you can allow most users to only read the
documents while allowing the Personnel department to add new policies but not edit the existing
policies. You can allow a Reviewer, who is responsible for updating any policy changes, to make
changes to existing policies.
End users often want the form and view designs to be updated. You can allow a Developer group
to make design changes in the database. In addition, you want to allow the members of the
LocalDomainAdmins group to update the ACL.
There are eight access levels that you can assign to a user, based on the requirement:
No Access: Allows no permissions except the permission to Read and Write
public documents.
Depositor: Allows a user to create documents but not read or edit the
documents. You can provide this access to users in applications where a user
needs only to submit a document, such as a Feedback form or a Ballot box.
Reader: Allows a user to only read the documents in a database.
Author: Allows a user to read all the documents as well as create new
documents. With this access, a user can edit only those documents that the
user has created or authored, not all the documents in the database.
Editor: Allows a user to create new documents, read, and edit all the
documents in the database regardless of who created the documents.
Designer: Allows a user to modify the design of the database. Users with this
access can also create new documents and read and edit all the documents
in the database regardless of who created the documents.
Manager: Allows a user to modify the ACL of the database. The Manager
access also allows users to perform the actions that the Designer can
perform. The Manager access is usually given to the administrators.
Additional Privileges
Each access level from No Access to Manager has a set of additional privileges, such as the
privilege to create private agents and shared folders and views. These privileges further refine the
access level for a user by allowing or disallowing certain actions within the purview of an access.
For example, a person with Manager access has all the privileges assigned by default. Of
these privileges, Delete Document and Replicate or Copy Documents are selected by default, and
you can clear them. For instance, you can clear the Delete Document check box to prevent
accidental deletion of documents in an important database, because a Manager can change the ACL
and assign the privilege back. Similarly, you can refine every access level using these check boxes.
The Access list in the ACL lists all the additional privileges. When setting the access level for a
user, you can select or clear the privileges depending on the requirement. For example, the
Reader access level, by default, allows a user to create personal folders and views. You can clear this
check box to remove this privilege from a user who has Reader access. For each access level,
Domino automatically assigns some additional privileges. As a result, these privileges are disabled
and you cannot select or clear the privileges. For example, a Designer has the privilege to Create
Personal Folders/Views, which you cannot clear. You can assign or revoke the following privileges
for each access level:
Create Document
Delete Document
Create Private Agents
Create Personal Folders/Views
Create Shared Folders/Views
Create LotusScript/Java Agents
Read Public Documents
Write Public Documents
Replicate or Copy Documents
Roles
You use roles to define a group of users who may be assigned similar access. Roles are an
effective way to implement security in applications used by multiple users and different groups of
users who need to perform different tasks. For example, the Domino directory has 10 roles: Group
Creator, Group Modifier, Net Creator, Net Modifier, Policy Creator, Policy Modifier, Server Creator,
Server Modifier, User Creator, and User Modifier.
The roles in the Domino directory help define the access for users on various types of documents.
For example, a user with the [Group Creator] role can create group documents in the Domino
directory but not other types of documents. A user with the [Group Modifier] role can edit a group
document without an Editor access to the database.
You can create roles using the Roles tab. The Basics tab of the Access Control List dialog box
shows all the roles. You can use this tab to assign roles to different users.
To assign a role to a user using the Basics tab of the database ACL:
1. Select the name of the user to whom you want to assign a particular role. If
a user name is not listed, use the Add button to add the user name.
2. Select the appropriate role in the Roles list.
Repeat these steps for each entry that you add to the ACL. You can also change or delete any
entry from the ACL by clicking the Remove button.
When a user is a member of multiple groups and more than one group containing the user name is
added to the ACL, the effective access shows the level of access of the user, taking into account
all of the user's group memberships.
Figure 10-23: The Effective Access to: SNT’s Directory Dialog Box
The Access field shows the effective access level for the user. The Groups list shows the groups to
which the user belongs and the roles list shows the roles that have been assigned to the user.
You can find the effective access of a different user by using the Person icon and clicking the
Calculate Access button.
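A sketch of how effective access can be worked out from ACL entries, user types, and group memberships, added here as an example (it is not Domino code). It assumes the usual Notes conflict rules, which the text above does not spell out: an individual entry takes precedence over group entries, the highest level wins among groups, and the -Default- entry applies otherwise. The sample ACL, the user names, and the simplified type labels "Group" and "Unspecified" are constructed.

```python
LEVELS = ["No Access", "Depositor", "Reader", "Author",
          "Editor", "Designer", "Manager"]            # lowest to highest
RANK = {level: i for i, level in enumerate(LEVELS)}

# Constructed sample ACL for a Company Policy style database.
SAMPLE_ACL = [
    {"name": "-Default-",         "type": "Unspecified", "level": "Reader"},
    {"name": "Personnel",         "type": "Group",       "level": "Author"},
    {"name": "Reviewers",         "type": "Group",       "level": "Editor"},
    {"name": "Developers",        "type": "Group",       "level": "Designer"},
    {"name": "LocalDomainAdmins", "type": "Group",       "level": "Manager"},
    {"name": "Pat Lee/SNT",       "type": "Person",      "level": "Reader"},
    {"name": "Kiosk",             "type": "Person",      "level": "Editor"},
    {"name": "Audit",             "type": "Unspecified", "level": "Manager"},
]


def entry_matches(entry, name, kind):
    """An entry applies only if the name matches and the user type permits it."""
    return entry["name"] == name and entry["type"] in (kind, "Unspecified")


def effective_access(acl, name, kind, groups=()):
    """Return (access level, source of that level) for a user or server.

    kind is "Person" or "Server"; groups lists the groups the name belongs to.
    """
    own = [e for e in acl
           if e["name"] != "-Default-" and entry_matches(e, name, kind)]
    if own:
        # Assumed rule: the individual entry wins, even if a group grants more.
        return own[0]["level"], "individual entry"
    via_groups = [e for e in acl for g in groups if entry_matches(e, g, "Group")]
    if via_groups:
        # Assumed rule: among several groups, the highest level applies.
        best = max(via_groups, key=lambda e: RANK[e["level"]])
        return best["level"], "group " + best["name"]
    default = next(e for e in acl if e["name"] == "-Default-")
    return default["level"], "-Default-"


def untyped_entries(acl, above="Reader"):
    """Audit helper: entries above a level that lack the user type protection."""
    return [e["name"] for e in acl
            if e["name"] != "-Default-" and e["type"] == "Unspecified"
            and RANK[e["level"]] > RANK[above]]


def demo():
    acl = SAMPLE_ACL
    return {
        # Member of two groups: the higher of Author and Editor applies.
        "two groups": effective_access(acl, "Asha Rao/SNT", "Person",
                                       ["Personnel", "Reviewers"]),
        # Listed individually as Reader and also in Developers (Designer).
        "individual and group": effective_access(acl, "Pat Lee/SNT", "Person",
                                                 ["Developers"]),
        # A server named Kiosk does not inherit the Person entry named Kiosk.
        "server, Person entry": effective_access(acl, "Kiosk", "Server"),
        # An Unspecified entry matches anything that carries the name.
        "server, untyped entry": effective_access(acl, "Audit", "Server"),
        "untyped above Reader": untyped_entries(acl),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:24} {result}")
```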
Figure 10-24: The Roles Tab of the Access Control List to: SNT’s Directory Dialog Box
2. Click Add to add a new role. The Add Role dialog box appears, as shown in
Figure 10-25:
Similarly, you can add more roles to implement the roles in the design elements of the database.
You can also define access on a section of the form, in the form access list, the view or folder
access list, and the Readers and Authors fields.
You can use the Rename and Remove buttons to change and delete a role, respectively.
Figure 10-26: The Log Tab of the Access Control List to: SNT’s Directory Dialog Box
The Advanced Tab
In the Advanced tab, define certain other access rights, such as the Maximum Internet name and
password access for the database. You can also select the Enforce a consistent Access Control
List across all replicas option to maintain a standard ACL on all replicas of the database. In
addition, you can select the Enable Extended Access option. Figure 10-27 shows the Advanced
tab of the database ACL:
Figure 10-27: The Advanced Tab of the Access Control List to: SNT’s Directory Dialog Box
The access that you define for a user in the database ACL provides similar access to all the design
elements in the database to the user. For example, a user with Reader access to the database can
read documents created using any form in the database. The design element security defines
access for individual design elements.
Formulas and other code written by mischievous users can affect the databases stored locally on
the workstation. You can control the execution of formulas on your workstation using the Execution
Control List (ECL).
To ensure that the ACL of a database is effective for a local database, you must select the Enforce
a consistent ACL across all replicas of the database option in the Advanced tab of the ACL.
To prevent unauthorized access to a local database, you can encrypt the database locally. Domino
encrypts the database using the public key of a user. Data encrypted with the public key can be
decrypted using the private key of the user. As a result, only a user with the correct user ID can
open the database.
To encrypt a database:
1. Select the database that you want to encrypt and click File -> Database ->
Properties to open the Database dialog box, as shown in Figure 10-28:
Figure 10-29: The Encryption for Customer Complaint Tracking System Dialog Box
3. Select the Locally encrypt this database using option and select an encryption
level. The stronger the encryption, the more secure it will be and the more time it
will take to decrypt. Medium encryption is recommended.
4. Click OK. This encrypts the database, which nobody else can open.
The ECL
The Workstation ECL is the security provided by the Lotus Notes client to prevent the effect of
formulas or other code run on the workstation from unknown or suspected sources. For example,
the ECL can control whether a formula can send a message from the user’s workstation with the
current user’s name.
The ECL restrictions can control anything that runs on a user workstation, including formulas,
scripts, agents, design elements in databases and templates, documents with stored forms,
actions, buttons, hot spots, as well as malicious code, such as viruses. The ECL controls access
based on the signatures with which the formula is executed.
Domino stores the Workstation ECL in the user's Personal Address Book and creates it when the
Notes client is first installed. The administrator uses the Administration ECL, which resides in the
Domino directory (NAMES.NSF), to define the Workstation ECL for all the users.
Figure 10-30: The Workstation Security: Execution Control List Dialog Box
3. The When signed by list shows the default signature entries. Click the Add
button to select a user, server, or group name from the address book.
4. In the Allow section, select the access that you want to give to formulas or codes
signed by the selected entry.
The access options in the Workstation Security: Execution Control List dialog box are:
Access to file system: Allows formulas and code to attach,
detach, read from, and write to workstation files.
Access to current database: Allows formulas and code to Read
and modify the current database.
Access to environment variables: Allows formulas and code to
use @function and LotusScript methods to access the
NOTES.INI file.
Access to non-Notes databases: Allows formulas and code to
use @DBLookup, @DBColumn, and @DBCommand to access
ODBC or other non-Notes databases.
Access to external code: Allows formulas and code to run
LotusScript classes and DLLs that are unknown to Notes.
Access to external programs: Allows formulas and code to
access other applications, including activating any OLE object.
Ability to send mail: Allows formulas and code to use @functions
and methods to send mail.
Ability to read other databases: Allows formulas and code to
read information in databases other than the current database.
Ability to modify other databases: Allows formulas and code to
modify information from databases other than the current
database.
Ability to export data: Allows formulas and code to print, copy to
the clipboard, import, and export data.
Access to Network: Allows formulas and code to access the
resources over the network.
Access to Workstation Security ECL: Allows formulas and code
to modify the workstation ECL.
5. Clear the Allow users to modify option if you do not want the users to change the
ECL settings for their workstation.
Note You can set the Java Applet and JavaScript security options in the
Administration ECL to control access to workstation data when you run a Java
applet or JavaScript on the workstation.
6. Click OK to save and close the Administration ECL.
To update the workstation ECLs on the user’s workstation, you must update the Security Policy
Settings document for the users.
Figure 10-32: The Execution Control List Tab of the Security Settings Document
4. Click Edit Settings action to edit the document.
5. In the Admin ECL field, ensure that Default shows. This updates the
Administration ECL from the Domino directory. You can click the Edit button to
update the Administration ECL from here. You can also create a new
Administration ECL by clicking the New button.
6. In the Update Mode field, select Refresh to update the changes to the
workstation ECL. Select Replace to replace the Workstation ECL with the
Administration ECL.
7. In the Update Frequency field, select When Admin ECL Changes to ensure that
the Workstation ECL is updated every time the Administration ECL is changed.
You can also select Once Daily to update the ECL once every day or Never to
never update the Workstation ECL.
8. Save and close the document.
The Workstation ECL for the users is updated whenever the users authenticate with their home
servers.
The Domino Administrator client provides various tools to improve the performance of a database
or fix corrupt databases. The Domino Administrator client also provides tools to work efficiently with
databases, such as signing a database or creating a full text index.
This chapter describes the various database management tools available in Domino 6.0. It also
explains how to optimize database performance and fix corrupt databases using these tools. In
addition, it describes the procedure to enable Transaction Logging on a server.
You can customize the Files pane to see the information you require and the way you want it. You
can filter the list of databases using the Show me option, which restricts the display to selected file
types. Filtering is useful when you need to work with specific types of files. The Show me list
contains the following options:
Databases only: Shows only the databases.
Templates only: Shows only the templates.
Mailboxes only: Shows only the mailbox databases.
All database types: Shows all databases and templates.
All file types: Shows files of all types.
Database links only: Shows only the database links.
Custom: Allows you to select the types of files you want to display.
You can customize the information shown in the Files pane by using the Administration
Preferences. To customize the Files pane:
1. Select File -> Preferences-> Administration Preferences to open the
Administration Preferences dialog box and then click the Files tab, as shown in
Figure 11-2:
Figure 11-2: The Files Tab of the Administration Preferences Dialog Box
2. Select the columns that you want in the Files pane from the Available Columns
list and click the right arrow button to add them to the Use these Columns list. To
remove a column, use the left arrow button.
3. Use the up and down arrow buttons to change the order in which the columns
appear in the Files pane.
4. Click OK to close the dialog box.
The Tools pane contains tools that you can use to work with databases. The tools in the Tools pane
are divided into three groups:
Disk Space: Shows the disk size and the free disk space on the selected server’s
disk. Figure 11-3 shows the Disk Space tool:
The databases deployed on the Domino server are kept in the DATA folder of the server. To group
related databases, you create subfolders in the DATA folder and store the databases in the
subfolders.
To save disk space on the server, or to hide the databases from users, you can store the
databases outside the server’s DATA folder. If you create a folder outside the DATA folder or store
the database anywhere outside the DATA folder, users are unable to access the database or the
folder.
To make a database or a folder outside the server’s DATA folder accessible to users, you must
create a link to the database or folder. You can create two types of links:
Directory: A link to a folder.
Database: Points to a single database.
A directory link points to a folder outside the server’s DATA folder. To a user, the link appears like a
subfolder in the DATA folder. It appears with the folder icon and shows the name of the link as the
folder name.
If you have not granted access to a user on the Directory link, an error message appears when the
user tries to open the folder.
Creating a Database Link
A database link points to a single database stored outside the server’s DATA folder. To a user, the
link appears with the database icon and the name of the link appears like other databases in the
DATA folder.
Figure 11-9: The Create New Link Dialog Box for a Database Link
4. Click OK to close the Create New Link dialog box.
The link appears in the Domino Administrator client, as shown in Figure 11-10:
Compacting a Database
You can use the Compact Database tool to compact a database and remove any unused space
that is created when documents or attachments are deleted from a database.
To compact a database:
1. Select the databases to be compacted on the Files pane and select the
Database-> Compact tool. The Compact Database dialog box appears, as
shown in Figure 11-12:
A full text index allows a user to quickly search a large database for a word or phrase by using the
search bar. To create a full text index for a single database, you can use the Database properties
dialog box. You can create full text indexes for multiple databases using the Files tab in the
Domino Administrator client.
Note To create a full text index you need to have at least Designer access to the
database.
To create a full text index for databases using the Files tab:
1. Select the databases for which you want to create full text indexes.
2. Select Database-> Full Text Index tool. The Full Text Index dialog box appears,
as shown in Figure 11-13:
You can assign a database quota to set a maximum size limit for a database. When the database
reaches a size specified in the database quota, the user gets the Cannot allocate database object -
database would exceed its disk quota message.
You can also set a warning threshold for a database so that before the database reaches the
quota, a warning appears that reads Warning, database has exceeded its size warning threshold.
Note The quota and warning threshold for the mail databases can be set at the
time of user registration.
Signing a Database
Signing a database vouches for the authenticity of a database. Signing is useful for implementing
workstation security using the Execution Control List (ECL) because the ECL works on the basis of
signatures. Server agents run with the identity of the signer of the agent. Signing the agents with
the server’s ID in a database helps execute the agents without giving extra rights to users.
You can sign a database with a particular server or user’s ID. To sign a database with the current
user or server’s ID:
1. Log on with the user ID with which you want to sign the database.
2. In the Files tab, select the databases that you want to sign.
3. Select Database-> Sign tool. The Sign Database dialog box appears, as shown
in Figure 11-15:
Analyzing a Database
To analyze the activity in a database, you can use the Database Analysis tool. This analysis helps
you troubleshoot database performance or other issues. The Database Analysis tool helps collect
information about selected databases from various sources, such as the replication history, the
server’s log, and the user activity information in the database properties.
Domino saves the result of a database analysis in a database created using the Database Analysis
template, DBA4.NTF.
To analyze a database:
1. Select the databases to be analyzed in the Files pane of the Files tab.
2. Select Database-> Analyze tool. The Analyze Database dialog box appears, as
shown in Figure 11-16:
Managing Views
A view index is an internal table maintained by a Domino database to build a list of documents to be
shown in a view. Domino uses these view indexes to display the documents to the users in a
sorted order, as specified in the view. As the number of views and folders increases, the indexes
associated with them also increase. If you can sort a view on multiple columns dynamically, each
sorting order requires a separate view index. You can improve the performance of the database by
purging the database view indexes occasionally.
You can use the Manage Views database tool to purge the view indexes for selected databases.
Figure 11-19: The Manage the views of this database Dialog Box
3. Select the view and click the Purge button. Click Yes when prompted for
confirmation. The View index is purged.
4. Click Done to close the Manage the views of this database dialog box.
Using the Domino Administrator client, you can configure the advanced database
properties of multiple databases.
You use the UPDALL task to update the view or full text search indexes on the server databases.
By default, UPDALL is included in the NOTES.INI setting ServerTasksAt2. As a result, it runs daily
at 2 A.M.
Running UPDALL daily helps save disk space because UPDALL also purges deletion stubs from
databases and discards view indexes for views that have been unused for 45 days.
You can run the UPDALL task by using the server console command:
LOAD UPDALL <database> <options>
You can specify options with this command to define what UPDALL does. For example, to rebuild
all the views in the database, use:
LOAD UPDALL <database> -R
You can use the Domino Administrator client to run the UPDALL task and specify the options
interactively.
The UPDALL task runs on the server and updates the specified indexes.
You use the FIXUP task to fix corrupt documents and views. The FIXUP task runs automatically on
the server when you restart the server after an abnormal shutdown, to attempt to fix any
inconsistencies that resulted from partially written operations caused by the shutdown.
Transaction Logging
Transaction Logging records all the changes made to a database into log files called the
transaction logs. Domino writes the logged transactions to the disk in a batch, when resources are
available or when scheduled. If the server fails before Domino has written the transactions to
the disk, the transaction log applies these changes to the database when you restart the server.
You can create regular backups of only the transaction logs instead of full database backups. In
case the server fails and you have to restore an old version of the database, you can replay the
changes from the transaction log backups. This saves time during the backup as well as the
restore process.
When you enable Transaction Logging, Domino assigns a unique DBIID to each Domino database.
When Domino records a transaction in the log, it includes this DBIID. During recovery, Domino
uses the DBIID to match transactions to databases.
To enable Transaction Logging for databases on the server, you must enable it in the server
document. In this document, you can specify information such as the log path, the maximum log
space, and how Domino should log checkpoints to enhance the performance of databases.
Domino R6 allows you to create Web Site documents, which help you to define the Web
configuration settings at one place and apply the same settings to multiple servers. The Web Site
documents also enable you to create Web Configuration documents, such as Web Rules, File
Protection documents, and authentication realms, just once for a Web site.
This chapter explains how to configure a Domino server as a Web server. It also explains how to
create Web Configuration documents. In addition, it describes the options to customize the Web
server and the Web server messages.
A Web Site document contains the configuration settings for the Domino Web server. The Domino
directory lists Web Site documents in the Internet Sites view. By default, Web Site documents are
not associated with specific Domino servers. All servers in a Domino domain automatically use the
same Web Site documents in the Internet Sites view. This ensures that each time you add a new
server to the domain, the server inherits the existing Web configuration. When you add or modify a
Web Site document, all the servers in the domain automatically pick up the change.
Note Optionally, in the Web Site document, you can specify the Domino servers
that will host a site. The servers that you do not specify in the Web Site
document will not load the site configuration.
To ensure that Domino receives the Internet protocol configuration information from the Web Site
documents, you must enable the Domino server to inherit the Internet configuration from the
Internet Sites view. Domino ignores the comparable configuration settings in the Server document.
If you do not enable the use of the Internet Sites view, Domino uses the Server document settings
to obtain protocol configuration information.
Note You can use the Internet Sites view for Domino 6 servers only.
To configure Domino as a Web server, you must start the HTTP task on the server. To start the
HTTP task, use the following server console command:
LOAD HTTP
This command starts the HTTP task on the server. When you load the HTTP task on the server for
the first time, Domino also creates a Domino Web Administrator database (WEBADMIN.NSF). You
use this database to perform administration activities using a browser.
A console message also indicates that the HTTP task is using Internet sites to obtain Internet
protocol configuration information.
You manage the security of Domino databases using the ACL. You also need to secure other Web
pages created using the HTML or CGI programs that a Web site contains. To manage the security
of non-Notes files, Domino allows you to create Web Site File Protection documents.
Further, to ensure that Web users log on just once to the Web site and are not
prompted repeatedly for authentication, you can define Web Site Authentication Realms. You can
also create a Web SSO (Single Sign-On) Configuration document to ensure that Web users
authenticate for all the servers in the domain when they log on to the Web site.
The Web Site document defines the default location for the HTML, JAVA, CGI, and other files on
the Domino Web server. If you want to keep these files in any other location or you want to move
these files without breaking any links on your Web site, you can define Web site rules.
A Web Site rule maps the new location of the files to the old URL. To manage files on your Web
Site, you can create three types of Web Site rules:
Directory: Allows you to access a directory on the Domino Web server file system
by a URL path.
Redirection: Allows you to redirect a URL to a different location or Web site.
Substitution: Allows you to replace a string in the URL with a different string.
Note In addition to these rules, you can also create an HTTP response header
rule. This rule allows the customization of the headers, such as Expires or
Custom, that Domino sends in response to HTTP requests.
You can create a File Protection document to protect files other than the Domino databases.
Domino protects the databases on a Domino server through the database ACL, but other files,
such as the HTML files or CGI programs residing on the Domino Web server, do not have any
access list. To define access on these files, you can create File Protection documents.
Figure 12-11: The Lotus Notes Dialog Box Showing the ACL for the Selected File
6. To add a name to the ACL, click the entry helper button in the Name field and
select a name from the Domino directory.
7. In the Access field, select the access that you want to give to the selected user.
You can assign Read/Execute access, Write/Read/Execute access, or No
Access.
8. Click OK to save the entries and close the dialog box.
9. Click Save & Close to save and close the File Protection document.
To test the Web Site File Protection document, restart the HTTP task on the server and access the
file for which you have created the File Protection document using the browser.
Domino prompts for your user name and Internet password, as shown in Figure 12-12:
Domino allows you to access the file if you have been granted access in the File Protection
document.
Figure 12-13: The Enter Network Password Dialog Box Showing a Realm String
The browser stores the realm string along with the user’s credentials to determine the realm for
which the user has been authenticated. If the user accesses more files in the same realm, the user
is not prompted for authentication.
By default, Domino sends the folder path that a user is trying to access as the realm. For example,
if a user accesses a database in the Domino DATA folder, Domino authenticates the user for
the / realm. If the user accesses the mail folder inside the Domino DATA folder, Domino authenticates
the user for the /mail realm. When Domino authenticates a user for a realm, it also authenticates
the user for all the child paths under the realm. For example, if Domino authenticates a user for
the / realm, it authenticates the user for the /mail realm as well. But if Domino authenticates a user
for the child realm first, it prompts the user for authentication when the user tries to access any file
in the parent realm.
You can create a Web Site Authentication Realm document to change the default realm returned
when a user accesses a file on the Domino Web server. You can use this to authenticate a user for
the parent folder when the user accesses a subfolder, so that the user is not prompted for
authentication while accessing the parent realm.
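The realm behavior described above can be modeled in a few lines. This is an added example, not code from the book or from Domino: it is a simplified model of the description in the text, and the names default_realm, covers, resolve_realm, Browser, count_prompts and the realm_docs mapping (folder path to realm string, standing in for Web Site Authentication Realm documents) are hypothetical.

```python
from posixpath import dirname


def default_realm(url_path: str) -> str:
    """Default realm per the text: the folder that holds the requested file."""
    folder = dirname(url_path)
    return folder if folder else "/"


def covers(realm: str, other: str) -> bool:
    """True if `realm` equals `other` or is a parent folder of it.

    Assumption of this model: matching is on whole path segments,
    so /mail covers /mail/archive but not /mailarchive.
    """
    if realm == "/":
        return other.startswith("/")
    return other == realm or other.startswith(realm.rstrip("/") + "/")


def resolve_realm(url_path: str, realm_docs=None) -> str:
    """Realm returned for a request.

    realm_docs maps a folder path to the realm string to return for it.
    The most specific (longest) matching folder wins; with no match the
    default folder-path realm is used.
    """
    folder = default_realm(url_path)
    best = None
    for path, realm in (realm_docs or {}).items():
        if covers(path, folder) and (best is None or len(path) > len(best[0])):
            best = (path, realm)
    return best[1] if best else folder


class Browser:
    """Caches the realms the user has already authenticated for."""

    def __init__(self):
        self.authenticated = set()
        self.prompts = 0

    def request(self, url_path: str, realm_docs=None) -> bool:
        """Return True if this request caused a login prompt."""
        realm = resolve_realm(url_path, realm_docs)
        if any(covers(known, realm) for known in self.authenticated):
            return False  # already authenticated for this realm or a parent
        self.prompts += 1
        self.authenticated.add(realm)
        return True


def count_prompts(paths, realm_docs=None) -> int:
    """Number of login prompts a user sees for a sequence of requests."""
    browser = Browser()
    for path in paths:
        browser.request(path, realm_docs)
    return browser.prompts


if __name__ == "__main__":
    # Constructed request sequences, not taken from a real server.
    parent_first = ["/names.nsf", "/mail/jdoe.nsf"]
    child_first = ["/mail/jdoe.nsf", "/names.nsf"]
    print("parent first, default realms:", count_prompts(parent_first))
    print("child first, default realms: ", count_prompts(child_first))
    print("child first, /mail mapped to /:",
          count_prompts(child_first, {"/mail": "/"}))
```

The trade-off of the mapping is scope: once /mail returns the / realm, the model treats every path on the server as covered by the same login.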
Single sign-on (SSO) allows Web users to log on once to a Domino server, and then access any
other Domino server in the same DNS domain without having to log on again. All the servers that
the user can log on to without authenticating again must be enabled for SSO.
Note Users' Web browsers must have cookies enabled to take advantage of SSO.
This is because the authentication token generated by the server is sent to
the browser in a cookie.
Figure 12-15: Internet Sites View Showing the Create Web SSO Configuration Action
The Web SSO Configuration for: document opens, as shown in Figure 12-16:
After you have created the Web SSO Configuration document, you need to enable multiserver-
based session authentication on the selected Domino servers. Session authentication enables a
Web client to actively log on to a server with a cookie for a specified duration. You can enable
session authentication using the Web Site document for the selected servers.
Figure 12-18: The Domino Web Engine Tab of a Web Site Document
4. Click the entry helper button in the Session authentication field. The Select
Keywords dialog box appears, as shown in Figure 12-19:
You use the Server document and the Web Site documents to customize the Domino Web Server.
The Web Site document contains options to customize the image conversions and the display
options for the view pages. These settings are also available in the Server document, but if you
use the Web Site document for a server, the settings from the Web site document apply. The Web
Site document also allows you to specify the amount of caching on the server. You use the Server
document to enable logging of user activity on the Web server and to specify the timeout options
for the Web server.
Images and other graphics take time to load when a Web page opens. Domino allows you to
specify the format to which the images on a Web page should be converted. It also allows you to
specify the options to display images quickly and to customize the view display and the search
results.
The Domino Web Engine tab of the Web Site document contains the Conversion/Display options,
as shown in Figure 12-21:
You can log Domino Web server requests to record user activity on the Web server. You can log
the user requests to a database and to text files. Domino uses the DOMLOG.NSF database to log
the Web Server requests.
The HTTP tab of the Internet Protocols tab in the Server document contains the options to enable
logging on the Web server, as shown in Figure 12-23:
Open or inactive sessions between the Web client and the Web server prevent users from
accessing the server. You use timeout settings to define the duration after which Domino
terminates these sessions. This improves the Web server performance.
The Timeouts section in the Internet Protocols-> HTTP tab of the Server document contains the
timeout settings for a Domino Web server, as shown in Figure 12-25:
You can customize the following types of messages using the DOMCFG.NSF database:
Authentication failures: A user fails to authenticate with the server.
Authorization failures: A user does not have sufficient access to the resource that
he is trying to access.
Password expired errors: A user’s Internet password has expired.
Password change not allowed errors: A user, who does not have access to change
the Internet password, attempts to change the password.
Password change submitted response: A user successfully submits a request to
change the Internet password.
Document deleted responses: A user successfully deletes a document.
To customize the messages returned by the Domino Web server using the
DOMCFG.NSF database:
1. Create a new database titled DOMCFG.NSF on the Domino Web server. Use
the Domino Web Server Configuration (6), DOMCFG5.NTF template to create
the database.
2. Change the ACL of the database to add an Anonymous entry with Reader
access. This allows all the Web clients to read the DOMCFG.NSF database.
3. Using Domino Designer, create a form or a page for each type of message
that you want to customize.
4. Open the database using the Domino Administrator client. The database
contains three views:
Sign In Form Mappings: Allows you to customize the login
form shown to the Web user, when session authentication is
enabled on the Web server.
Change Password Form Mappings: Allows you to customize
the password change form shown to a Web user, when the
Web user requests a change in the Internet password.
Error & Response Form Mappings: Allows you to customize
the message forms shown to the Web users in response to
the HTTP requests sent by the Web users.
Figure 12-26 shows the views in the DOMCFG.NSF database:
After you restart the HTTP task, any message that a user sees is customized using the
form that you have designed for the specific message type. This allows you to display
user-friendly messages to the users.
You can set up SSL on the Domino server on a protocol-by-protocol basis. You can set up SSL for
Internet clients using Web Server (HTTP), Simple Mail Transfer Protocol (SMTP), Internet Mail
Access Protocol (IMAP), Lightweight Directory Access Protocol (LDAP), Internet Inter ORB
Protocol (IIOP), Simple Authentication and Security Layer (SASL), or Post Office Protocol V3
(POP3).
This chapter explains how to set up SSL on a Domino Server. It also explains how to set up Notes
and Internet clients for server authentication and how to set up client authentication on the server
for SSL and Secure/MIME (S/MIME).
You use the Server Certificate Administration database (CERTSRV.NSF) to create and manage
server key ring files and SSL certificates on a server. This database is automatically created when
you set up a Domino server. The default access to this database is No Access. The administrators
who handle the server key ring files must have Manager access to the database.
The home page of this database provides you with the various options for enabling SSL on a
server, as shown in Figure 13-1:
Figure 13-1: The Home Page of the Server Certificate Administration Database
A Server key ring file is a binary file that uniquely identifies a server. It stores the Server Certificate
obtained from the Internet CA and a trust certificate for the Internet CA called the trusted root
certificate.
Note The server key ring can be compared to a server ID file in Domino.
Creating a server key ring is the first step to setting up SSL on a server.
A CA must certify the server key ring file. The CA can be an external one, such as Verisign that is
used to sign most commercial sites, such as Internet banking sites, to ensure secure transactions.
You can also set up an internal CA using the Domino Certifying Authority database.
To get the key ring file certified by the CA, you create a server certificate request.
Figure 13-6: The Home Page of the Domino CA Database as Viewed from the Browser
8. Click Request Server Certificate to paste the certificate request on the CA’s site.
The Request a Server Certificate screen appears, as shown in Figure 13-7:
Figure 13-8: The Your Certificate Request Has Been Submitted Screen
Before the server key ring accepts a server certificate signed by an external CA, the key ring must
trust the CA. The trust is established by installing a trusted root certificate of the CA into the server
key ring. You can pick up the trusted root certificate from the CA’s site.
To install the Domino CA certificate as a trusted root certificate into the server key ring file:
1. Click the Accept This Authority In Your Server option on the CA’s home page to
pick up the CA’s trusted root certificate. The Pick Up Certificate Authority Trusted
Root Certificate screen appears, as shown in Figure 13-9:
Figure 13-9: The Pick Up Certificate Authority Trusted Root Certificate Screen
2. Select the certificate and copy it to the clipboard by pressing Ctrl+C.
3. Open the Server Certificate Administration database and click the Install Trusted
Root Certificate into Key Ring option. The Install Trusted Root Certificate screen
appears, as shown in Figure 13-10:
Figure 13-11: The Merge Trusted Root Certificate Confirmation Message Box
6. Click OK to confirm that you want to merge the certificate. A message box
confirms that the trusted root certificate has been merged into the key ring file.
Close the message box by clicking OK.
When the CA approves and signs the certificate that you have submitted, it sends an e-mail
notification containing the URL to pick up the signed certificate. Access the URL to pick up the
certificate.
Note If you do not receive the e-mail notification, you can contact the CA to obtain
a Pickup ID for your certificate.
Figure 13-13: The Pick Up Signed Certificate Screen Showing the Signed Certificate
Information
4. Copy the signed certificate to the clipboard.
5. Open the Server Certificate Administration database and select the Install
Certificate into Key Ring option. The Install Certificate into Key Ring screen
appears, as shown in Figure 13-14:
To configure Notes and Internet clients for Server Authentication, the client requires:
A trusted root certificate for the CA.
A cross-certificate for the CA created from the trusted root certificate. This is required
only for the Lotus Notes users.
Software, such as a Web browser or a Notes workstation, that supports the use of SSL.
Additionally, you can configure the Domino server for client authentication to enable server
administrators to identify the client accessing the server and control access to applications based on
that identity. To configure client authentication on the server, in addition to the above tasks:
The clients require an Internet certificate issued by the CA. This certificate is used for
authenticating with an Internet server using SSL or sending signed and encrypted
mail using S/MIME over the Internet.
The Client Certificate authentication must be enabled on the Domino server.
The trusted root certificate is a trust certificate for the CA. This certificate is required to establish a
trust for the CA before you can accept the Internet certificate from the CA.
The CA certificate is installed into the browser that you are using. A Notes cross certificate is also
created in your personal address book if you are using the Notes browser.
For client certificate authentication, Notes users or the Internet clients must obtain an Internet
certificate from a CA. The Internet certificate contains a public key, a name, expiration date, and
the digital signature of the CA. Notes users store this certificate in their ID file and in the Domino
directory. The corresponding private key is stored separately in the ID file. Internet users store the
certificate in a local file.
Figure 13-19: The Request a Client Certificate for Lotus Notes or Netscape Browser
Screen
3. Fill in the required information, such as your name, organization, state, country
code, contact data, and size of public and private key pairs and click the Submit
the Certificate Request button.
4. When the CA approves the certificate request, you are informed through e-mail.
Access the URL specified in the e-mail or from the CA site, click Pick Up Client
Certificate and specify the Pickup ID. The Pick Up Signed Client Certificate for
Lotus Notes or Netscape Browser screen appears, as shown in Figure 13-20:
Figure 13-20: The Pick Up Signed Client Certificate for Lotus Notes or Netscape
Browser Screen
5. Click Accept Certificate to accept the signed client certificate into your ID file. A
confirmation message appears, as shown in Figure 13-21:
You can also generate an Internet certificate for Notes users using the existing public and private
key pairs by adding the Internet certificate to the person document of the user. When the user
authenticates with the home server, the certificate is automatically added to the user’s ID.
This process allows you to add the certificate for multiple users instead of asking the users to go to
the CA site and request the certificate.
An Internet client can authenticate with the Domino server using any of the following methods:
Client certificate
User name and password
Anonymous: no authentication is done in this method
Enabling client certificate authentication on the server allows the server to verify a client’s identity
and allows you to control the client's access to databases by adding the client's name to the
database ACLs and design element access lists.
Note If the person document for a user contains multiple entries in the User name
field, the first name listed in the field is considered.
When an end user repeats the request for a page, it is directly retrieved from the database. This
leads to reduced Internet costs because Domino does not need to connect to the Internet
repeatedly. This also enables you to monitor Web-based activity. The Notes users can request,
view, and manage the Web pages by organizing them into folders or deleting them, using the
database itself. Troubleshooting also becomes simpler because you need to troubleshoot only one
Internet connection from the server, instead of troubleshooting one Internet connection per user.
This chapter explains how to set up the Web Navigator on the Domino server. In addition, it also
explains how to customize Web Navigator and the Web Navigator database.
You can connect the Web Navigator server directly to the Internet with the help of an Internet
Service Provider (ISP). The ISP provides you with access to the Internet and an Internet domain
name. Connecting the Domino server directly to the Internet can cause security problems because
this exposes the Domino server and all its databases including the Domino directory to the
Internet. For these reasons, you may connect to the Internet using a proxy server.
To configure the Web Navigator server on Domino, start the WEB task by typing the following
command at the server console:
LOAD WEB
When the task loads for the first time, it automatically creates the Web Navigator database using
the PUBWEB50.NTF template.
Note To automatically start the WEB task on the server, add WEB to the
SERVERTASKS= entry in the server’s NOTES.INI file.
To quit the WEB task, issue the following command on the server console:
TELL WEB QUIT
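Because NOTES.INI decides which tasks start with the server and which run on a schedule, it is worth checking that file against what you intend to run. The following is an added example, not code from the book or from Domino: it reads the ServerTasks and ServerTasksAt<hour> settings mentioned in this book from a constructed sample file and reports whether HTTP or WEB load at startup and at which hours UPDALL is scheduled. The function names, the INTERNET_TASKS set and the case-insensitive handling of setting names are assumptions of the example.

```python
import re

# Constructed sample NOTES.INI content; not taken from a real server.
SAMPLE_NOTES_INI = """\
[Notes]
Directory=/local/notesdata
ServerTasks=Update,Replica,Router,AMgr,AdminP,HTTP,WEB
ServerTasksAt2=UpdAll
ServerTasksAt5=Statlog
"""

# Internet-related tasks named in this book (assumed list for the example).
INTERNET_TASKS = {"HTTP", "WEB"}


def parse_notes_ini(text):
    """Return the settings as a dict keyed by lower-cased setting name."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("[") or "=" not in line:
            continue  # skip blank lines, the [Notes] header and stray text
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip()
    return settings


def split_tasks(value):
    """Split a comma-separated task list, dropping empty entries."""
    return [task.strip() for task in value.split(",") if task.strip()]


def task_names(tasks):
    """Upper-cased task names without any arguments that follow the name."""
    return {task.split()[0].upper() for task in tasks}


def task_report(text):
    """Summarize startup tasks and the ServerTasksAt<hour> schedule."""
    settings = parse_notes_ini(text)
    startup = split_tasks(settings.get("servertasks", ""))
    schedule = {}
    for key, value in settings.items():
        match = re.fullmatch(r"servertasksat(\d{1,2})", key)
        if match:
            schedule[int(match.group(1))] = split_tasks(value)
    return {
        "startup": startup,
        "schedule": schedule,
        # Tasks from INTERNET_TASKS that load every time the server starts.
        "internet_tasks_at_startup": sorted(task_names(startup) & INTERNET_TASKS),
        # Hours at which UPDALL runs; empty means it is not scheduled at all.
        "updall_hours": sorted(
            hour for hour, tasks in schedule.items()
            if "UPDALL" in task_names(tasks)
        ),
    }


if __name__ == "__main__":
    report = task_report(SAMPLE_NOTES_INI)
    print("Internet tasks at startup:", report["internet_tasks_at_startup"])
    print("UPDALL scheduled at hours:", report["updall_hours"])
```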
The Server document enables you to customize options for the Web Navigator server, such as the
number of concurrent users who can connect to the Internet, the name of the Web Navigator
database, and the amount of information sent to the Server log on the server.
You can individually configure the Lotus Notes client to use the Web Navigator server for
accessing the Internet. You can also configure a default Web Navigator server for all the clients.
You can either update the Location document of the users manually or automate the update by
creating Policy documents.
Figure 14-4: The Location Document Showing the Internet Browser Tab
3. Select Notes as the Internet browser. In the Retrieve/open pages option,
select the from InterNotes server option. There are two other options
available, from Notes workstation and work offline. The from Notes
workstation option allows the user to use a personal Web navigator
database to retrieve pages locally. The work offline option allows the end
user to work with the existing pages in the local database without retrieving
any new pages.
4. Click the Servers tab of the Location document. In the InterNotes server
field, specify the name of the Web Navigator server, as shown in
Figure 14-5:
To specify a default Web Navigator server for the users of your server:
1. In the Domino Administrator client, select the Configuration tab-> Server
section-> All Server Documents view.
2. Open the Server document for your server.
3. Scroll to the bottom of the document and expand the Server Location
Information section, as shown in Figure 14-8:
Figure 14-8: The Server Location Information Section of the Server Document
4. In the InterNotes server field, specify the name of the Web Navigator server.
5. Save and close the document.
The default access for this database is Editor, but the administrator of the Domino server is
assigned Manager access with the [WebMaster] role.
You can customize the Web Navigator database to specify information such as the maximum size
to which the database can increase, the font and styles for the Web pages, and the settings for the
Purge agent in the database. To customize the Web Navigator database, you must have the
[WebMaster] role in the ACL of the database.
You customize the Web Navigator database using the Web Navigator Administration document.
Figure 14-9: The Home Page of the Server Web Navigator Database
2. Click the Database Views link at the lower-left of this page to open the views in
this database, as shown in Figure 14-10:
Users can now use the Web Navigator database successfully to browse the Web.
To configure Domino as a CA, you require a CA Key ring file that contains CA certificates. You use
the CA Key ring file to sign the server and client Internet certificates. Domino contains the Domino
CA (6) (CCA50.NTF) template that enables you to configure Domino as a CA.
To configure a Domino server as a CA, you must set up the server as a Web server. You must create
a CA database and create a CA Key ring file and CA certificate in this database. To ensure that
certificate requests and certificate pickups take place over secure connections, you also
set up SSL on the CA server.
Creating a CA Database
You use the CA database to set up an internal CA for your organization. The CA database allows
you to issue certificates to servers and clients in the organization.
Figure A-2: The Access Control List to: Domino Certificate Authority Dialog Box
3. To allow all users to create certificate requests, ensure that the default access in
the ACL is Author with the Create documents privilege. Assign all the users who will create
and manage the Internet certificates at least Editor access with the
Delete Document privilege and the [CAPrivilegedUser] role.
4. Click OK to save the ACL and close it. Close the About Database Document that
appears. The Navigator for the CA database appears, as shown in Figure A-3:
Figure A-5: The Message Box Confirming the Creation of the Key Ring
8. Click OK to close the message box.
The server key ring file is the file that the Domino CA server uses to configure SSL for itself. The
CA automatically certifies this server key ring in contrast to the certificate requests by other servers
that require approval.
Figure A-8: The Server SSL key ring created Message Box
10. To enable SSL on the server, the key ring file must be stored in the Data folder
on the server. Copy the server key ring file to the Domino data folder on the CA
server because the key file gets created in the Administrator client’s Notes Data
folder.
Configuring the SSL Port on the CA Server
To allow Web clients to connect to the CA server using a secure connection, you must enable the
SSL port on the server. Enabling the SSL port allows the Web clients to use the HTTPS protocol to
connect to the server. Domino provides the following options to enable the SSL port for a server:
Enable SSL port and disable TCP/IP port: Allows the Web client to use HTTPS only
to access the CA server. Using HTTP to connect to the server results in an error.
Enable both SSL and TCP/IP ports: Allows the Web clients to use both HTTP and
HTTPS to connect to the CA server.
Redirect TCP/IP requests to the SSL port: Allows the Web clients to use both HTTP
and HTTPS to connect to the CA server. An HTTP request is automatically
converted to an HTTPS request.
You submit the request for a server certificate by pasting the request on the CA’s Web site. You
access the CA’s Web site using a Web browser. Similarly, clients can also request a certificate
from the CA’s site. Domino stores the certificate requests in the CA database.
To review a server certificate request:
1. Open the CA database.
2. Click Server Certificate Requests on the side navigator. A list of requests waiting
for approval appears, as shown in Figure A-10:
This appendix describes the features of the extended ACL. It also explains how to set up the
extended ACL in the Domino directory.
Target Entry
A target entry defines the entry for which you want to restrict the access. You can define the entry
using the hierarchical naming directory structure for your organization. The entry that you select is
applicable to the documents for the persons, servers, and certifiers that the selected certifier has
certified and the policy documents applicable to the certifier. You can define the entry as the entire
organization, organization units, or specific documents.
You define the target entry in the Target section of the Extended Access at: <target entry> dialog
box, as shown in Figure B-2:
Figure B-2: Target Section in the Extended Access at: <target entry> Dialog Box
By default, root (/) is selected in the target entry box. The access applied to this entry is applicable
to all the documents in the Domino directory. You can select a subcategory, such as the
organization-level certifier, and the access applied to this entry becomes applicable to all
documents under the organization. For example, the access specified for an entry O=SNT applies
to all the documents for the persons and servers with SNT as the O-level certifier, such as
Tanya/SNT and MainServer/HO/SNT. The O=SNT entry has two subcategories, OU=HO and
OU=RO. The access specified for OU=HO applies to the MainServer/HO/SNT.
By default, the Target box section has the Show only containers option selected. This causes only
the certifier entries to show in the target box. If you clear this option, the target box shows all
documents under each certifier.
Access List
The access list defines the subject to whom you have assigned access on the target entry, as
shown in Figure B-3:
Figure B-3: The Access List Section of the Extended Access at: <target entry> Dialog Box
A subject can be a person, server, or a group. You can specify the following entries in the access
list:
Individual person or server name
Group name
Wild card entries, such as */SNT
Anonymous
Default
Self
Attributes
Attributes are the privileges that you assign to the subject on the target entry. You can apply a
privilege only to the selected target entry or the entry and all its descendants. Domino allows you
to define six types of privileges, as shown in Figure B-4:
Figure B-4: The Attributes Section of the Extended Access at: <target entry> Dialog Box
The Attributes section of the extended ACL allows you to define the following privileges:
Browse: Allows the subject to access a document.
Create: Allows the subject to create a document.
Delete: Allows the subject to delete a document.
Read: Allows the subject to read the content of a field in the document.
Write: Allows the subject to modify a field.
Administer: Allows the subject, with Designer or Editor access in the database
ACL, to update the extended ACL. Users with Manager access in the database
ACL can update the extended ACL even without this access.
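The following added example (not from the book and not Domino's own code) models how a target entry, a subject and the "this entry only" versus "entry and all descendants" choice decide which extended ACL entries apply to a document. The `Entry` class, the path notation for targets ("SNT", "HO/SNT") and the sample entries are assumptions made for illustration; groups, Anonymous and Self are not modelled, and the example lists applicable entries without computing a final effective access.

```python
from dataclasses import dataclass

def parts(name):
    """Split a hierarchical name such as MainServer/HO/SNT into lowercase components."""
    return [p.strip().lower() for p in name.split("/") if p.strip()]

def ends_with(name_parts, suffix):
    """True if name_parts ends with suffix; an empty suffix is the root and matches all."""
    return len(suffix) <= len(name_parts) and name_parts[len(name_parts) - len(suffix):] == suffix

@dataclass(frozen=True)
class Entry:                 # hypothetical model of one extended ACL entry
    target: str              # "/" for root, or a certifier path such as "SNT" or "HO/SNT"
    subject: str             # a name, a wildcard such as "*/SNT", or "Default"
    descendants: bool        # True: target and all descendants; False: target only
    attributes: frozenset    # privileges such as Browse, Read, Write

def in_target_scope(doc_name, entry):
    """Does the document named doc_name fall under the entry's target?"""
    doc, tgt = parts(doc_name), parts(entry.target)
    return ends_with(doc, tgt) if entry.descendants else doc == tgt

def subject_matches(user, subject):
    """Match a user name against an individual name, a wildcard or Default."""
    if subject.strip().lower() == "default":
        return True
    subj, usr = parts(subject), parts(user)
    if subj and subj[0] == "*":
        # */SNT covers every name certified under /SNT, at any depth
        return len(usr) > len(subj) - 1 and ends_with(usr, subj[1:])
    return subj == usr

def applicable_entries(entries, user, doc_name):
    """Entries whose target covers doc_name and whose subject covers user."""
    return [e for e in entries
            if in_target_scope(doc_name, e) and subject_matches(user, e.subject)]

# Constructed sample entries using the SNT organization from the text above
SAMPLE = [
    Entry("/", "Default", True, frozenset({"Browse", "Read"})),
    Entry("SNT", "*/SNT", True, frozenset({"Browse", "Read"})),
    Entry("HO/SNT", "Tanya/SNT", True, frozenset({"Write"})),
    Entry("HO/SNT", "Tanya/SNT", False, frozenset({"Administer"})),
]
```

For Tanya/SNT reading the MainServer/HO/SNT document, the first three sample entries apply; the fourth applies only to the HO/SNT entry itself.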
Figure B-5: The Access Control List to: <your domain’s directory> Directory Dialog Box
3. Click the Advanced tab of the Access Control List to: <your domain’s directory>
Directory dialog box. The advanced ACL settings appear, as shown in Figure B-6:
Figure B-6: The Advanced ACL Settings for the Domino Directory
4. To enable the extended ACL, select the Enable Extended Access check box. A
message box appears asking you to confirm the enabling of the extended ACL, as
shown in Figure B-7:
Figure B-9: Message Box that asks Administrator to Enable Document Locking to Avoid
Conflicts
8. Click OK to confirm.
9. Click OK to save the ACL settings and close the ACL. A message box suggesting
that enabling extended ACL may take a while appears.
10. Click OK to close the message box. Access the ACL again. The Extended Access
button appears on the Basics tab, as shown in Figure B-10:
Figure B-10: The Access Control List to: <your domain’s directory> Directory Dialog Box
Showing the Extended Access Button
Figure B-14: The Form and Field access at: <target entry> Dialog Box
7. In the Forms section, select the form on which you want to restrict access. For the
form that you select, select the access that you want to set. You can allow or deny
the access to Browse, Create, and Delete the form.
8. Optionally, in the Fields section, select the field from the selected form and select
the access on the field. You can allow or deny Read or Write access. For example,
you can allow end users to update the CellPhoneNumber field in the Person
document. This document uses the Person form.
9. Click OK to close the Form and Field access at: <target entry> dialog box.
10. Click OK to close the Extended ACL at: <target entry> dialog box.
11. In the Access Control List dialog box, click Yes to confirm saving the settings and
then click OK to close the dialog box.
This appendix describes the various methods of starting a Domino server task. It also provides a
brief description of the Domino server tasks.
You can start a task manually from the server console using the following server console
command:
LOAD <TaskName>
In the above command, <TaskName> is the name of the task that you want to start on the server.
You can also start a task manually using the Domino Administrator client. To start a task from the
Domino Administrator client:
1. In the Domino Administrator client, select Server tab-> Status tab-> Server Tasks
view.
2. In the Tools pane, select Task-> Start, as shown in Figure C-1:
You can automatically start a task on the server by adding an appropriate entry into the NOTES.INI
file for the server.
To start the server task, you can make the following entry into the NOTES.INI file:
SERVERTASKS=<List of tasks>
The tasks that this entry specifies start each time the server starts.
You can also schedule a task to start at a specific time using the following entry:
SERVERTASKSAT<time>=<List of tasks>
For example, the following NOTES.INI entry starts the DESIGN task at 2:00 A.M. every day:
SERVERTASKSAT2=DESIGN
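Because these entries decide which tasks run without anyone typing LOAD, an administrator may want to compare them against an approved list. The following added example (not from the book) parses the SERVERTASKS and SERVERTASKSAT<time> entries from NOTES.INI text and reports tasks that are not approved. It assumes the task list is comma-separated, that <time> is an hour in 24-hour form and that key names are not case-sensitive; the sample file content and the approved list are constructed.

```python
import re

# Constructed sample NOTES.INI content, not taken from a real server
SAMPLE_INI = """\
[Notes]
ServerTasks=Update,Replica,Router,AMgr,WEB
ServerTasksAt2=DESIGN
SERVERTASKSAT5=Statlog, Compact
KeyFilename=server.id
"""

_AT_KEY = re.compile(r"^servertasksat(\d{1,2})$")

def parse_server_tasks(ini_text):
    """Return (startup_tasks, {hour: tasks}) from NOTES.INI text."""
    startup, scheduled = [], {}
    for line in ini_text.splitlines():
        key, sep, value = line.partition("=")
        if not sep:
            continue                      # section header or blank line
        key = key.strip().lower()         # assumption: keys are not case-sensitive
        tasks = [t.strip().upper() for t in value.split(",") if t.strip()]
        if key == "servertasks":
            startup.extend(tasks)
        else:
            match = _AT_KEY.match(key)
            if match:                     # SERVERTASKSAT<hour>
                scheduled.setdefault(int(match.group(1)), []).extend(tasks)
    return startup, scheduled

def unexpected_tasks(ini_text, approved):
    """List (when, task) pairs for tasks that are not in the approved set."""
    startup, scheduled = parse_server_tasks(ini_text)
    allowed = {t.upper() for t in approved}
    found = [("startup", t) for t in startup]
    found += [(f"{hour:02d}:00", t) for hour in sorted(scheduled) for t in scheduled[hour]]
    return [(when, task) for when, task in found if task not in allowed]

if __name__ == "__main__":
    approved = {"Update", "Replica", "Router", "AMgr", "Design", "Compact"}
    for when, task in unexpected_tasks(SAMPLE_INI, approved):
        print(f"unapproved task {task} starts at {when}")
```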
To start a task at a scheduled time, you can create a Program document in the Domino directory.