Lotus Notes Interview Questions for L1 Level 1. What is ACL ? Access Control List 2.

What are the diff types of ACL access? Manager, Designer, Editor, Author, Reader, Depositor, No access 3. iff !etween "ana#er access and esi#ner access?

Manager : can create the Database with manager access, delete, encrypt and compact the documents Designer : can access designer elements like iew ,!orms" can create the #$ inde% , he can delete the documents with manger access& $. iff !etween %ditor access and Author access? Editor : 'e can create , read and modi!y the document, he can delete the document with Manger access Author : 'e can read the document and delete the document i! authour is the owner o! the document& &. What is clusterin#? (roup o! two or more ser er pro ides the users with constant access& Domino cluster continually communicate with each other to keep updated on the status o! each ser er and to keep database replicas synchroni)ed& '. (ransaction Lo# pro!le)s * (rou!leshootin#? *n alid transaction log path : Check the log path + path is correct + restart the ser er Not sol ed, edit $RAN,L-( . /A$' setting in notes&ini to point to di!!erent log path + restart the ser er $ransaction log damaged or corrupted : 0e can see the error message 1$ransaction log damaged or corrupted 1 on the console promt. restart the ser er *! continues + delete the transaction log !ile + restart the ser er. ser er create the new log !ile. load !i%up + per!orm the database backup& +. ,esource and ,eservation data!ases- !usyti)e data!ases. Resource reser ation database : 2sers can schedule and manage meeting resources& 2ser can select the resource and reser e the time !or it 3 RE,RC45&N$# 6 7usytime databases : 0hen not in a cluster, each ser er contains a database that includes scheduling in!ormation !or all users who use that ser er as their mail ser er&

..

Co)ponents or tas/s involved in

o)ino Clusterin#?

Components : ,er er : Domino 4&8 or Domino 4 enterprise ser er or Domino 4 utility ser er Cluster with LAN or 0AN . $cp*/, *t should be with same domain and share a common domino directory, ,er er shud ha e ade9uate C/2 and Memory capacity& Client : Notes client must run notes release :&8 or later& $asks in ol ed in Domino Clustering : ; 0. 1ort used !y Notes? NR/C + Notes remote process call 3 <=8> 6 12. What is %CL? E%ecution control list 11. What is replication? Replication is the process o! synchroni)ing documents !rom the same databases on di!!erent workstations or ser ers& 12. ifferent types of replication? a& ser er + to + ser er replication b& workstation + to + ser er replication /ull + pull /ull + push /ull + only /ush only *n pull + push, the initiating ser er replicator pulls changes !rom the called ser er and the pushes data to the called ser er, only the initiating ser ers does te work writing in both ser ers& 13. If replication !etween 2 data!ases does not wor/- then what are the trou!leshootin# steps ta/en? Check replication history and log, Replicate with ser er ""not responding : check network communication Check cross certi!ication !or the database Miscellaneous e ent log

1$. If users recieve error 34na!le to find path to server3 * what would !e the pro!le) ? DN, issue or host entry or connection document problem& 1&. 5)tp routin# ? $o sending mail to internet users& 1'."ail routin# ? A ser er base task that allows users to e%change mail ia a LAN, 0AN , (ateways& 1+. ifference !etween replica and new copy? New replica ha e same replica *D, New copy will not the same& 1.. (o have console access what do you re6uire in 5erver 10. (ransactional Lo##in#? $ransaction logging captures all the changes made to a database and writes them to a transaction log& $ransactions are recordered se9uentially in the log !iles,which is much 9uicker than database updates to random& 22. iifference !etween refresh desin# and replace? Re!resh : Re!resh page contain up to date in!ormation Replace : Change the e%isting one to new one 21. Co)pact tas/s and types. $asks : ; $ypes : *n.place compacting with space reco ery *n.place compacting with space reco ery and reduction in !ile si)e Copy.style compacting >>& ifference updall and update 2pdate : 2pdate is loaded at ser er by de!ault and runs continually & *t will update iew inde%& 2pdall : 2pdall dosen?t continually or work !rom 9eue, run updall when it is needed, *t will update iew inde%& 23. 7i8up details and it9s synta8 2$. ,& and ,' differences- new in ,'? 2&. Can e8ternal L A1 directory !e used in No o)ino ? ocu)ent ?

2'. What is directory Assitance? what is the !enefit usin# this? Directory assistance : Directory assistance is a !eature a ser er can use to look up in!ormation in a directory other than a local primary Domino Directory 3NAME,&N,#6 7ene!it : ; 2+. What is the step to recover fro) a 5erver Crash? 2.. What is the steps to recreate a corrupt lo#.nsf? 20. o)ino up#rade steps fro) & to ' or '.& ?

Lotus Notes Interview Questions for L2 Level <& Di!!erence between Ad@acent Domain Document and Non Ad@acent Domain Document; >& 0hat is the #oreign Domain Document; =& 0hat is the #oreign ,M$/ Domain Document; :& 0hat is the (lobal Domain Document; 8& Di!!erence between Domino and Domain; 4& 'ow many ways to open Notes&ini; A& Di!!erence between ACL and ECL; B& Di!!erence between R8 and R4; C& 0hat is the NR/C; 0hat is /ort number; <5& 0hat are the port numbers !or ,M$/, /-/=, *MA/, '$$/, LDA/ and ,,L; <<& Di!!erence between Replace and Re!resh; <>& Di!!erence between 2pdall and 2pdate; <=& Di!!erence between compact and !i%up; <:& 0hat is the transaction logging; 'ow many types are there !or $ransaction logging; 'ow do you disable transaction logging; <8& 0hat are the !eatures in R4; <4& 0hat is Minimum con!iguration and Ma%imum con!iguration !or Domino; <A& 'ow do you monitor the ser er; <B& 'ow do you replicate the address book !rom location to another location; <C& 0hat are the necessary !iles !or backup; >5& 'ow many partitions can support domino; ><& 'ow many cluster ser ers can support domino; >>& 0hat do you know about pass.through ser er; >=& 0hat is the CA; >:& Di!!erence between connection document and /rogram document; >8& Di!!erence between ser er document and con!iguration document; >4& 0hat are the tasks run ser er when clustering is started; >A& Di!!erence between Newcopy and replication; >B& Di!!erence between NNN and DNN; >C& 0hat is the in!ormation is contain id !ile; =5& 0hat is *,/D; =<& Di!!erence between /ublic key and pri ate key; =>& 0hat are the $opologies !or the Domino; ==& 'ow many -rgani)ations we can create; =:& 'ow many -rgani)ations 2nits we can create; =8& 'ow many ways are there to create E Register user;

=4& 'ow can you identi!y whether it is a main ser er or additional ser er; =A& 'ow many ACL le els are there; =B& Can you describe ACL le el 3Manager, Editor, Author, Designer, Depositor, Reader and 2nassigned6; =C& 0hat is the *CL; :5& 0hat is CRL; Lotus Notes Interview Questions. <>& Di!!erence between Ad@acent Domain Document and Non Ad@acent Domain Document; http:EEwww&codestore&netEhelpEhelp4Fadmin&ns!E!:bB>!bbA8eC:>a4B8>844ac55=A!>B: EC<Be4bAB:b5!b8>dB8>84c<d55=C8>Ae;-penDocument

"AIL Creatin# an Ad:acent do)ain docu)ent Dou create an Ad@acent domain document when you need to restrict the trans!er o! mail !rom one ad@acent domain to another& #or e%ample, i! you are in domain 7 and want to pre ent mail !rom an ad@acent domain A !rom tra ersing your domain to reach another ad@acent domain C, create an Ad@acent domain document that names C as the ad@acent domain and denies mail !rom A&

$he restrictions you de!ine in the Ad@acent domain document apply to the domain o! the pre ious hop only& $hat is, in the Ad@acent domain document created in the pre ious e%ample, adding A to the Deny list pre ents mail originating in A !rom routing to C& $his includes mail that domain A may recei e !rom domain G !or e entual trans!er to C& 7ut suppose you want to allow mail !rom A, but deny mail !rom domain G, which uses A and 7 as intermediate domains to reach C& *! the administrator in domain 7 remo es domain A !rom the deny list o! the Ad@acent domain document !or domain C, and adds domain G, domain G is allowed to route mail to C& $his is because once the message

arri es in domain 7 the domain o! origin appears to be A, rather than G& *n the absence o! restrictions on trans!erring mail !rom A to C, Domino allows the message to route&

Dou also use Ad@acent domain documents to allow #ree $ime searches across domains& #or more in!ormation, see ,etting up scheduling& Note Restrictions set in an Ad@acent domain document work in con@unction with those in the Con!iguration ,ettings document& Domino always de!aults to the most restricti e entry& Ad@acent Domain documents do not pro ide connecti ity to ad@acent domains, and are not re9uired to enable connections between ad@acent domains& $o de!ine routes between ad@acent domains, create a Connection document& 4sin# Ad:acent do)ain docu)ents to restrict )ail 7y de!ault, a domain that can route mail to your domain can also route mail through your domain to another ad@acent domain& 0hen mail routes !rom one domain to another through your domain, it ties up your resources& $o pre ent your ser ers !rom being used to trans!er mail between other domains, you can selecti ely allow and deny mail routing through your domain to the domain named in the Ad@acent domain document& $he Allow and Deny !ields on the Restrictions tab o! the Ad@acent domain document let you control the !low o! messages !rom other domains to the ad@acent domain& Entries in these !ields must be the names o! ad@acent domainsH the Router ignores entries !or non.ad@acent domains beyond the pre ious hop& *! you deny a domain !rom sending mail through your domain, the Router denies all mail recei ed !rom that domain, including messages the domain may ha e passed on !rom another, non.ad@acent domain& $here is no way to restrict speci!ic users !rom routing to a Notes domain& Restrictions apply to all users in speci!ied domain&

$he settings in the Allow and Deny !ields work in con@unction with the Allow and Deny !ields on the RouterE,M$/ . Restrictions and Controls . Restrictions tab o! the Con!iguration ,ettings document& *n the e ent o! any con!lict between settings, Domino applies the most restricti e entry& Messages may be !urther restricted by Ad@acent Domain documents, Non.ad@acent Domain documents, and Con!iguration ,ettings documents set up between domains along the routing path& (o create a Ad:acent do)ain docu)ent <& #rom the Domino Administrator, click the Con!iguration tab and then e%pand the Messaging section& >& Choose Domains& =& Click Add Domain to create a new Domain document& :& -n the 7asics tab, complete these !ields: 7ield Domain type Ad@acent domain name %nter Choose Ad@acent domain $he name o! the ad@acent Domino domain& $he current domain must ha e a Connection document to this domain&

Domain description -ptional description o! the domain 8& $o restrict other domains !rom routing mail through the current domain to the ad@acent domain, click the Restrictions tab, complete the !ollowing !ields, and then click ,a e and Close: 7ield %nter

Allow mail only !rom Enter the names o! ad@acent Domino domains that are allowed to domains route mail to this ad@acent domain& $o allow any domain to route mail through the local domain to this ad@acent domain, lea e this !ield blank& Deny mail !rom domains Enter the names o! ad@acent Domino domains that are not allowed to route mail to this ad@acent domain& $o allow any domain to route mail through the local domain to this ad@acent domain lea e this !ield blank& Note Dou cannot use wildcards in the Restrictions !ields& Dou must enter e%plicit domain names& 4& Create a Connection document to speci!y how ser ers in the current domain connect to the ad@acent domain& "AIL

5ettin# up routin# to non*ad:acent o)ino do)ains Non.ad@acent domains are Domino domains that are not directly connected, but ha e an intermediary domain, ad@acent to both o! them in common& #or e%ample, domain A and domain 7 are ad@acent and ha e Connection documents de!ining the route between them& ,imilarly, domain 7, in turn, is ad@acent to domain C and mutual Connection documents e%ist between themH and domains C and D are likewise ad@acent to each other and linked by Connection documents& Domain 7 is thus ad@acent to domain A on one side, and domain C on the otherH and domain C is ad@acent to 7 and D, respecti ely& *! no direct connection e%ists between A and C, these two domains are considered to be non.ad@acent domains& ,imilarly i! there is no direct connection between 7 and D, these two domains are also non.ad@acent&

7ecause there is no direct connection between two non.ad@acent domains, you cannot de!ine the routing path between them in a Connection document& Connection documents can only be used between two directly.connected, ad@acent domains& 'owe er, users in non.ad@acent domains can send mail to each other by routing it through the intermediary domain& -ne way to do this is to use e%plicit addressing .. telling the Router how to reach the destination domain through the intermediary domain by placing the entire routing path in the address !ield& #or e%ample, i! Iathy 7urke in domain A wants to send a message to Robin Ruther!ord in the non.ad@acent domain C, she addresses the message by way o! domain 7, as !ollows:

Robin Ruther!ordJCJ7 *n processing the message, the Router on the domain A mail ser er looks only at the last part o! the address, and uses the Connection document to determine the route to domain 7& $he domain 7 ser er then uses the Connection document in its Domino Directory to trans!er the message to domain C& Although the use o! e%plicit addressing is an e!!ecti e method !or directing mail to non. ad@acent domains, because it relies on a complete knowledge o! the inter.domain

routing topology, itKs also not a ery practical solution& $his in!ormation is not readily a ailable to a typical user& $o simpli!y routing and addressing to non.ad@acent domains, you can create a Non.ad@acent domain document in the Domino Directory to de!ine the path between the non.ad@acent domains& 4sin# a Non*ad:acent do)ain docu)ent Administrators can create a Non.ad@acent domain document to control message routing to a non.ad@acent domain& A Non.ad@acent Domain documents ser es three !unctions: ,peci!ies a routing path to the non.ad@acent domain by supplying ne%t.hop domain in!ormation Restricts mail !rom other domains !rom routing to the non.ad@acent domain De!ines the Calendar ser er used to enable !ree time lookups between two non. ad@acent domains&

Non.ad@acent domain documents are only re9uired to speci!y routing restrictions to a non.ad@acent domain& 'owe er, to simpli!y addressing on messages destined !or a non. ad@acent domain, itKs use!ul to ha e a Non.ad@acent domain document !or that domain& 0ithout a Non.ad@acent domain document in the Directory, the Router has no de!ined routing path to the non.ad@acent domain& $he Router can trans!er a message to the non.ad@acent domain i! the recipient address uses e%plicit path routing 32serJAd@acentDomainJNonAd@acentDomain6, but cannot trans!er a message with a simple domain address 32serJNonAd@acentDomain6& 0hen e%plicit addressing is used the Router uses the Connection documents between domains to calculate the path to the ne%t.hop domain& 7ut when a Non.ad@acent domain document is a ailable, the Router obtains intermediary domain in!ormation !rom that document& $his eliminates the need !or users sending mail to a non.ad@acent domain to use comple%, e%plicit addressing& $hus, i! domain A has a Non.ad@acent domain document !or domain C, when Iathy 7urke in domain A sends mail to Robin Ruther!ord in domain C, she uses the address Robin Ruther!ordJC 3rather than Robin Ruther!ordJCJ76& 7ecause the Router !inds the intermediate domain in!ormation in the Non.ad@acent domain document, the message is trans!erred success!ully to domain C by way o! domain 7& 4sin# Non*Ad:acent do)ain docu)ents to restrict )ail 2sing Non.ad@acent domain documents to simpli!y addressing makes them aluable enough& 7ut Non.ad@acent domain documents play another e9ually signi!icant role& Although they are not strictly re9uired to enable routing between non.ad@acent domains, they are needed i! you want to restrict routing o! messages !rom certain domains& 7y de!ault, any domains that can route mail to your domain can also route mail to the destination domains named in a Non.ad@acent domain document& Mail routed !rom one domain to another through your domain consumes your network resources& $o pre ent your ser ers !rom being used to trans!er mail between other domains, you can selecti ely allow and deny mail routing through your domain&

$he Allow and Deny !ields on the Restrictions tab o! the Non.ad@acent domain document let you control the !low o! messages !rom other domains to the non.ad@acent domain& Entries in these !ields must be the names o! ad@acent domainsH the Router ignores entries !or non.ad@acent domains beyond the pre ious hop& *! you deny a domain !rom sending mail through your domain, the Router denies all mail recei ed !rom that domain, including messages the domain may ha e passed on !rom another, non. ad@acent domain& $he LDeny mail !rom domains !ieldL in a Non.ad@acent domain document does not block messages that use e%plicit domain addressing, that is, addresses that e%plicitly name e ery domain on the routing path& A Non.ad@acent domain document can only block mail that relies on in!ormation in the Non.ad@acent domain document to supply the name o! a a missing intermediate domain& *! the entire routing path is contained in the recipient address, the Router doesnKt need to check the document to determine where to route the message, and thus cannot block it& #or e%ample, i! in the pre ious e%ample, the administrator in domain 7 creates a a Non.ad@acent domain document !or domain D and adds domain A to the Deny mail !rom domains !ield& Iathy 7urke in domain A can still send mail to Mudy Iaplan in domain D by speci!ying the !ollowing e%plicit domain address: Mudy IaplanJDJCJ7& $o pre ent Iathy 7urke !rom sending this message, the administrator in Domain 7 would ha e to create an Ad@acent domain document !or domain C that names domain A in the Deny mail !rom domains !ield& $he settings in the Allow and Deny !ields work in con@unction with the Allow and Deny !ields on the RouterE,M$/ . Restrictions and Controls . Restrictions tab o! the Con!iguration ,ettings document& *n the e ent o! any con!lict between settings, Domino applies the most restricti e entry& Messages may be !urther restricted by Ad@acent Domain documents, Non.ad@acent Domain documents, and Con!iguration ,ettings documents set up between domains along the routing path& (o create a Non*ad:acent do)ain docu)ent <& #rom the Domino Administrator, click the Con!iguration tab and then e%pand the Messaging section& >& Choose Domains& =& Click Add Domain to create a new Domain document& :& -n the 7asics tab, complete these !ields: 7ield Domain type %nter Choose Non.ad@acent domain

Mail sent to domain $he name o! the non.ad@acent Domino domain you want to route mail to& Route through domain $he name o! the intermediary Domino domain through which you want to route mail !or the destination domain& $he current domain must ha e a Connection document to this domain&

Also, the Domino Directory in the intermediary domain must ha e a Connection document to the destination domain& Domain description An optional description o! the domain 8& Click the Restrictions tab, complete one or both o! these !ields, and then sa e the document: 7ield %nter

Allow mail only !rom Enter the names o! Domino domains ad@acent to the current domain domains that are allowed to route mail to this non.ad@acent domain& Lea e this !ield blank to allow any domain to route mail through the local domain to the non.ad@acent domain& Deny mail !rom domains Enter the names o! Domino domains ad@acent to the current domain that are not allowed to route mail to this non.ad@acent domain& Lea e this !ield blank to allow any domain to route mail through the local domain to the non.ad@acent domain& Note Dou cannot use wildcards in the Restrictions !ields& Dou must enter e%plicit domain names& 4& Create a Connection document to speci!y how ser ers in the current domain connect to the intermediary ad@acent domain& Note ,ince, by de!inition, all ser ers in a domain use the same Domino Directory, only one Non.ad@acent domain document is re9uired !or each non.ad@acent domain& Dou do not ha e to create a separate document !or each ser er&

<=& 0hat is the #oreign Domain Document; http:EEwww&codestore&netEhelpEhelp4Fadmin&ns!E5EdCeC:<55>8!Ad:<!B8>84c<d55=C8= <a;-penDocument

"AIL 5ettin# up routin# to e8ternal application #ateways Domino treats e%ternal messaging applications, such as !a% or pager gateways, as !oreign domains& $o route mail !rom a Domino domain to an e%ternal application, create a #oreign domain document& Creatin# a 7orei#n do)ain docu)ent

A #oreign domain document de!ines the path between a Domino domain and an e%ternal application, such as a !a% or pager gateway& A #oreign domain document identi!ies the Domino ser er that acts as the gateway to the e%ternal application& Applications such as N&:55 and cc:Mail use their own speciali)ed ersions o! the #oreign domain document to direct the messages through a message trans!er agent 3M$A6& #or more in!ormation about M$As, see the documentation !or the speci!ic M$A& Although #oreign domains are mostly used !or third party applications, you can also use them to trans!er messages between a Release 8&5 or later ser er and a Release =&% ,M$/ ser er& Restrictions that you set on this #oreign domain document apply only to the #rom domain o! the pre ious hop& $hese restrictions work in con@unction with those in the Con!iguration ,ettings document& Domino always de!aults to the most restricti e entry& (o create a 7orei#n do)ain docu)ent <& #rom the Domino Administrator, click the Con!iguration tab and then e%pand the Messaging section& >& Choose Domains& =& Click Add Domain to create a new Domain document& :& Click the 7asics tab, and complete these !ields: 7ield Domain type #oreign Domain Name Domain description %nter Choose #oreign domain& $he domain name o! the !oreign mail system& $his name was chosen when the M$A or gateway was installed& An optional description o! the gateway or M$A&

8& Click the Restrictions tab, and then complete these !ields: 7ield Allow mail only !rom domains %nter $he names o! Domino domains that are allowed to route messages to this !oreign domain& Lea e this !ield blank to allow any domain to route mail through the local domain to the !oreign domain&

Deny mail !rom domains $he names o! Domino domains that are not allowed to route messages to this !oreign domain& Lea e this !ield blank to allow any domain to route mail through the local domain to the !oreign domain& 4& Click the Mail *n!ormation tab and complete these !ields, and then sa e the document:

7ield (ateway ser er name (ateway mail !ilename

%nter $he name o! the Domino ser er running the gateway so!tware& $he gatewayKs mail !ile name& ,ee the documentation that came with the gateway !or the proper !ile name&

A& Create a Connection document to speci!y how ser ers in the current domain connect to the !oreign domain&

<:& 0hat is the #oreign ,M$/ Domain Document; http:EEwww&et!&europa&euEhelpEhelp48Fadmin&ns!E!:bB>!bbA8eC:>a4B8>844ac55=A!>B :EB!:=<=d5=B4B!ddcB8>84d!!55:b<a8A;-penDocument "AIL ;verview of routin# )ail usin# 5"(1 7y de!ault, Domino uses the Notes routing protocol to trans!er mail between ser ers& Dou can con!igure Domino to use ,M$/ to route mail instead o! or in addition to using Notes routing& Message trans!er o er ,M$/ routing is per!ormed as a point.to.point e%change between two ser ers& $he sending ,M$/ ser er contacts the recei ing ,M$/ ser er directly and establishes a two.way transmission channel with it& $o send a message o er ,M$/: <& $he sending ser er checks the recipientKs address, which is in the !ormat localpart@domain, and looks up the domain in the Domain Name ,ystem 3DN,6& >& DN, returns the Mail E%changer 3MN6 record !or the domain, indicating the */ address o! the ser ers in the domain that accept mail o er ,M$/& =& $he sending ser er connects to the destination ser er o er $C/E*/, establishes an ,M$/ connection on port >8, trans!ers the message, and closes the connection& %na!lin# 5"(1 on the o)ino server

Domino supports sending and recei ing mail o er ,M$/ by means o! the ,M$/ listener task and ,M$/ Router, respecti ely, each o! which you enable separately& $he ,M$/ listener task handles incoming ,M$/ connections and deli ers messages recei ed o er those connections to MA*L&7-N& *t does not handle subse9uent deli ery or trans!er o! those messages& Dou con!igure the ,M$/ listener task !or recei ing mail on the 7asics tab o! the ,er er document& #or more in!ormation about con!iguring Domino to recei e ,M$/ mail !rom other ser ers in your organi)ation andEor !rom the *nternet o er ,M$/, see the chapter, L,etting 2p Mail Routing&L $he Router task !or ,M$/ is the same Router task that handles Notes routing& 0hen a message in MA*L&7-N re9uires trans!er to another ser er, the Router determines where to send it and whether to send it o er Notes routing or ,M$/&

7y de!ault, ,M$/ is disabled& $o con!igure Domino to use ,M$/ to send mail, you must change settings on the RouterE,M$/.7asics tab o! the Con!iguration ,ettings document& Dou can con!igure Domino to use ,M$/ when sending mail to destinations: -utside the local *nternet domain 0ithin the local *nternet domain

<ow the ,outer deter)ines when to use 5"(1 -n ser ers that support both ,M$/ and Notes routing, each time the Router detects a new message in MA*L&7-N, it chooses the protocol by which to trans!er the message& $he routing decision is based on the messageKs address and !ormat, and whether the ser er is con!igured to send ,M$/ within the local Domino domain, outside the local *nternet domain, or both& 4sin# 5"(1 to send )ail to local do)ain addresses Enabling ,M$/ within the local Domino domain allows the Router to consider ,M$/ as an alternati e routing protocol when trans!erring mail to another Domino ser er in the same Domino domain& 0hen con!iguring ser ers to send ,M$/ within the local Domino domain, you ha e the !ollowing options: ,M$/ allowed !or M*ME messages only . *! the destination is a Domino ser er running the ,M$/ listener and the message deposited in MA*L&7-N is already in M*ME !ormat, the Router sends it using ,M$/& Messages in Notes rich te%t !ormat are sent o er Notes routing& ,M$/ allowed !or all messages . *! the destination is a Domino ser er running the ,M$/ listener, the Router always uses ,M$/ when trans!erring a message to another Domino ,M$/ host, regardless o! the messageKs current !ormat& *! a message deposited in MA*L&7-N is in Notes !ormat, the Router con erts the messages to M*ME be!ore sending&

0hen the Router picks up a message in MA*L&7-N, it reads the address to determine whether the recipient is in the local domain& *! the recipient is local, the Router looks in the 3O2sers6 iew o! the Domino Directory !or a /erson document containing that address& *! ,M$/ is allowed within the domain and the message !ormat matches the !ormat speci!ied in this setting, the Router uses $C/E*/ to connect to the destination ser er, establishes an ,M$/ connection, and trans!ers the message& 7y de!ault, enabling ,M$/ within the local Domino domain allows the Router to use ,M$/ to trans!er mail to any other Domino ,M$/ host in the same Domino domain& Dou can restrict the use o! ,M$/ within the local domain so that ,M$/ is allowed only !or message trans!ers that take place between ser ers in the same Domino named network& $o set this restriction, use the !ield L,er ers within the local Domino domain are reachable ia ,M$/ o er $C/*/L on the RouterE,M$/ . 7asics tab o! the Con!iguration ,ettings document& *! the recei ing ser er is running the ,M$/ listener, ser ers con!igured to send ,M$/ within the local Domino domain always use ,M$/ to send M*ME messages to

destinations within the same Domino named network& #or messages in Notes !ormat, the Router sends ,M$/ only i! the ser er is con!igured to send all messages o er ,M$/& 5endin# 5"(1 outside the local Internet do)ain Enabling Domino to send ,M$/ to e%ternal *nternet domains allows the ser er to trans!er outbound *nternet mail either directly to a host in the recei ing domain or indirectly to an *nternet host& *! a message in MA*L&7-N has a recipient address that contains an J sign and a domain part 3the part o! the address to the right o! the J sign6 that does not resol e to the local Domino domain, the Router identi!ies the message destination as non.local& A non.local address can be an R#C B>< *nternet address 3where the domain part contains a period and is in the !orm localpartJorg&domain6 or an address in another Domino domain 3including #oreign domains such as a pager or !a% gateway6& $o determine whether an *nternet address is local, the Router checks whether the domain part o! the address matches any o! the local *nternet domains de!ined in the (lobal Domain document in the Domino Directory& Local *nternet domains include any domains listed in the Local primary *nternet domain and Alternate *nternet domain aliases !ields in the (lobal Domain document& *! there is no (lobal Domain document, the Router compares the domain in the recipientKs address to the ser erKs host name& #or e%ample, i! the message is addressed to @doeJmailhost=&acme&com and the Router is on the ser er mailhub&acme&com, the Router knows that the recipient is in the local *nternet domain& Connectin# the o)ino )ail syste) to the Internet

7ecause Domino routes mail using the *nternet.standard ,M$/ routing protocol, itKs easy to con!igure the Domino system to send and recei e mail !rom e%ternal *nternet domains& #or outgoing mail you can use a gateway routing architecture in which only designated ser ers use ,M$/ to route mail to e%ternal domains, or you can enable all mail ser ers to use ,M$/ to route mail to e%ternal domains& #or inbound mail, you need to decide how to route mail coming in to your *nternet domain !rom a !irewall to Domino ser ers& 'ow you set up inbound mail depends on whether your organi)ation uses a single *nternet domain name or multiple names and on the distribution o! your ser ers& #or in!ormation on connecting Domino to the *nternet, see the topics /reparing to send and recei e mail to the *nternet and Routing mail to e%ternal *nternet domains& 4sin# a relay host A relay host is an ,M$/ ser er or !irewall that connects to the *nternet and !orwards, or relays, inbound or outbound *nternet mail& A relay host can also be a DN, name that maps to multiple MN records& $o con!igure Domino to use a relay host, you use two !ields on the Con!iguration ,ettings document o! the sending ser er& Add the relayKs DN, or host name to the LRelay host !or messages lea ing the local *nternet domainL !ield and enable L,M$/ used when sending messages outside o! the local *nternet domain&L

Note R: ,M$/ M$A ser ers use the relay host speci!ied in the ,M$/ Connection document& 4sin# Notes routin# to transfer out!ound Internet )ail to an 5"(1 server -n internal Domino ser ers that do not use ,M$/ to route mail, Domino uses Notes routing to trans!er outbound *nternet messages to a Domino ,M$/ ser er, which then trans!ers the messages to the *nternet, either directly or through a relay host& $o con!igure ser ers that use Notes routing to trans!er *nternet mail to a Domino ,M$/ ser er re9uires use o! a #oreign ,M$/ Domain document and an ,M$/ Connection document&

"AIL %na!lin# a server to receive )ail sent over 5"(1 routin# $o set up a ser er to recei e ,M$/.routed messages, you must enable the ,M$/ Listener& $hen the ser er can LlistenL !or ,M$/ tra!!ic o er the $C/E*/ port 3usually port >86 and recei e ,M$/ messages in the MA*L&7-N database3s6& Enabling the ,M$/ listener causes the ser er ,M$/ task to start up automatically e ery time the ser er starts& Disabling the ,M$/ listener pre ents the ,M$/ task !rom starting up when the ser er starts& Note Do not add ,M$/ as a task to the task list in the N-$E,&*N* !ile or this !eature will not work& (o ena!le or disa!le the 5"(1 Listener <& #rom the Domino Administrator, click the Con!iguration tab and then e%pand the ,er er section& >& ,elect the ,er er document to be edited it and then click Edit ,er er& =& -n the 7asics tab, complete these !ields: 7ield #ully 9uali!ied *nternet host name %nter $he ser erKs complete combined host name and domain name, including the top.le el domain& #or e%ample, smtp&acme&comH smtp is the host nameH acme is the second.le el domainH and &com is the top le el domain& *n the absence o! a (lobal Domain document, the Router uses the entry in this !ield to determine the local *nternet domain& $ypically, the !ully 9uali!ied host name is added to the ,er er document during ser er setup or by the Administration process 3Admin/6& A routing loop can result i! this !ield does not contain a alid entry& ,M$/ listener task Choose one: Enabled to turn on the Listener so that the ser er can

recei e messages routed ia ,M$/ routing Disabled 3de!ault6 to pre ent the ser er !rom recei ing messages routed ia ,M$/ routing

:& Click the /orts . *nternet /orts . Mail tab& 8& *n the Mail 3,M$/ *nbound6 column, ensure that the $C/E*/ port status is set to Enabled, and then click ,a e and Close&

<8& 0hat is the (lobal Domain Document; "AIL <ow o)ino uses =lo!al do)ain docu)ents durin# in!ound and out!ound 5"(1 routin# 0hen Domino recei es an inbound ,M$/ message, it attempts to determine whether the message is !or a local recipient& 0hen the Domino Directory does not include a (lobal Domain document, Domino accepts only messages addressed to users in the same *nternet domain as the ser er, as indicated in the #ully.9uali!ied *nternet host name that appears in the ,er er document& 7ut i! the Domino Directory includes a (lobal domain document, Domino can recei e mail !or multiple *nternet domains& $o determine whether to accept a message, Domino compares the domain part to the local primary *nternet domain listed in the (lobal domain document& *! it does not !ind a match in this !ield, it e%amines the secondary *nternet domains .. the Lalternate *nternet domain aliasesL .. listed in that document& (he role of =lo!al do)ain docu)ents in deter)inin# whether to accept in!ound 5"(1 )ail *! the Domino Directory contains multiple (lobal domain documents, Domino uses a similar process to determine whether a recipient is local: it !irst checks the primary *nternet domain in each (lobal Domain document, and then, i! it still hasnKt !ound a match, it continues by checking the alternate *nternet domains& *! the domain in the address does not match any o! the domain entries in any (lobal domain document, the message is considered an attempt to relay, and Domino re@ects the message& In!ound address loo/up when the o)ain docu)ents o)ino irectory contains )ultiple =lo!al

A!ter Domino accepts a message, the Router attempts to match the recipientKs *nternet address to an entry in the Domino Directory& 0hen looking up the recipient in the Domino Directory, i! the domain su!!i% in the address matches an alternate *nternet domain aliases de!ined in a (lobal Domain document, and no /erson document includes this address, the Router per!orms a secondary lookup& *n this secondary lookup, the

Router pairs the local part o! the address with the domain su!!i% o! the primary *nternet domain speci!ied in the (lobal domain document& #or e%ample, a ser er recei es a message !or craigFbowkerJacmewest&com& $he Router searches all o! the /erson documents in the Domino Directory !or this *nternet address, but cannot !ind a match& 'owe er, in the Domino Directory, there is a (lobal domain document that includes the domain su!!i% acmewest&com as an alternate *nternet domain alias& *n this same (lobal Domain document, the primary *nternet domain is acme&com& A!ter the primary lookup !ails, Domino per!orms a secondary lookup, using the address craigFbowkerJacme&com& Domino per!orms secondary lookups only i! the Router is con!igured to per!orm !ullname, or !ullname, then local part lookups& *n cases where the Domino Directory contains multiple (lobal domain documents, and a secondary lookup is re9uired, when replacing the domain su!!i% in the original address with the domain su!!i% o! the primary *nternet domain, the Router only considers (lobal domain documents that list the alternate *nternet domain alias& $hat is, Domino always replaces the domain su!!i% !rom within a gi en documentH it ne er replaces an alternate domain listed in one document with a primary domain !rom another document& $o pre ent the Router !rom using domain aliases when looking up addresses, do not include alternate *nternet domain aliases in a (lobal domain document& *nstead, create multiple (lobal Domain documents, each speci!ying a di!!erent primary *nternet domain& Controllin# out!ound addresses construction with )ultiple =lo!al do)ain docu)ents 0hen the Domino Directory contains a single (lobal Domain document, the address construction rules in that document determine how a ser er !orms the senderKs address in an outbound ,M$/ message& 'owe er, i! the Domino Directory contains multiple (lobal Domain documents, when constructing the senderKs address, Domino uses the *nternet domain speci!ied in the ,er er document and the address construction rules de!ined in the (lobal Domain document listed last, alphabetically, in the directory& *! you want Domino to !orm the senderKs outbound address !rom the primary *nternet domain and the address construction rules contained in a particular (lobal domain document, designate that document as the de!ault (lobal Domain document& esi#natin# a default =lo!al do)ain docu)ent 0hen there are multiple (lobal Domain documents in the Domino Directory, designate one as the de!ault so that when a ser ers construct a senderKs outbound *nternet address, the addresses created are based on the primary *nternet domain and address construction rules speci!ied in the designated document& <& #rom the Domino Administrator, click the Con!iguration tab and then e%pand the Messaging section& >& Choose Domains, and click (lobal Domain

=& ,elect the (lobal Domain document you want to designate as the de!ault and click Edit Domain& :& -n the 7asics tab, complete !ollowing !ield, and then click ,a e P Close: 7ield %nter

2se as de!ault (lobal Domain ,elect Des to designate this (lobal Domain document as 3!or use with all *nternet the de!ault (lobal domain !or this Domino Directory& protocols e%cept '$$/6

<4& Di!!erence between Domino and Domain; <A& 'ow many ways to open Notes&ini; <B& Di!!erence between ACL and ECL; <C& Di!!erence between R8 and R4; ifferences !etween o)ino ,& and o)ino ,' $he !ollowing options are di!!erent !or Domino R8 and Domino R4: o)ino ,& $he LAccess ,er erL, LRun restricted Ma aEMa ascriptEC-ML and LRun unrestricted Ma aEMa ascriptEC-ML lists in the ,ecurity ,ection o! the ,er er Document must contain the name o! the *nternet user& 2sing the Lotus Domino Administrator 8 client you can enable this option by clicking the LCon!igurationL tab, then L,er er E Current ,er er DocumentL and then the L,ecurityL tab& -n the L,ecurityL tab in the L,er er AccessL section there is the LAccess ,er erL list, in the LMa aEC-M restrictionsL section are the LRun restricted Ma aEMa ascriptEC-ML and LRun unrestricted Ma aEMa ascriptEC-ML lists& Add to these three lists the name o! the *nternet user& o)ino ,' $he LRun unrestricted methods and operationsL list on the ,ecurity tab o! the Current ,er er Document must contain the *nternet user name& 2sing the Lotus Domino Administrator 4 client you can enable this option by clicking the LCon!igurationL tab, then L,er er E Current ,er er DocumentL and then the L,ecurityL tab& -n the L,ecurityL tab in the L/rogrammability RestrictionsL section there is the LRun unrestricted methods and operationsL& Add to this list the name o! the *nternet user&

>5& 0hat is the NR/C; 0hat is /ort number; Notes remote /rocedure call " /ort Number <=8> <56 0hat are the port numbers !or ,M$/, /-/=, *MA/, '$$/, LDA/ and ,,L; <<6 Di!!erence between Replace and Re!resh; http:EEwww.<&ibm&comEsupportEdoc iew&wss;rsQ:4=PuidQswg><5CA>8= 1ro!le) 0hat are the di!!erences between Replace Design and Re!resh Design;

Note: $his in!ormation applies to all ersions o! Notes R=, R:, and R8 and 4& Cause

5olution $here are a !ew key di!!erences between Replace Design and Re!resh Design& #irst, ,eplacin# the Design o! a database will remo e all design elements in a database and replace them with those !rom a new template& $his process also resets the Database properties 3speci!ically the Database properties you see on the Design tab in the *n!o7o% 3a&k&a& /roperties 7o%6 when you select #ile, Database, /roperties&6 *n contrast, ,efresh Design will use this in!ormation to do essentially the same @ob with the design elements, but the Design properties o! the database will not change& ,efresh Design is the process which runs e ery night on the ser er by de!ault 3Design ser er task6& ,econd, ,efresh Design will not gi e an option to select a new template& Dou can only select a di!!erent ser er to use as a template ser er !or the Re!resh process& An important side note to this in!ormation in ol es the attribute, KDo not Allow Design ReplaceERe!resh $o Modi!y&K $his property o! speci!ic design elements will pre ent the Replace Design or Re!resh Design task !rom modi!ying the element& 0hen the database as a whole inherits its design !rom a template, all new design elements will ha e this option selected by de!ault& *n contrast, i! the database as a whole does not inherit its design !rom a template, all new design elements will ha e this option deselected& $his is important because i! the database property is changed, the design element property is not changed& *t is also possible !or a single design element to inherit its design !rom a di!!erent template than the database as a whole& 5upportin# Infor)ation> esi#n*,efresh details> . Design Re!resh locates the template the database is based on by the template name 3you can determine the template name by checking the Design tab in the *n!o7o% !or Database properties& ,elect #ile, Database, /roperties and switch to the Design tab, which is :th tab !rom the le!t6& . *t scans both the database and the template !or design elements& Design elements are considered to be corresponding ersions based on the O$*$LE !ield o! the design note& . *! there are Design elements in the database that do not ha e a corresponding element in the template, these design notes are deleted in the database& . *! there are Design elements in the template that do not ha e a corresponding element in the database, these design notes are added to the database& Additionally: . *! there is a Design element in the database which has a Design element o! the same name in the $emplate, !irst the se9uence times are compared to check the

re isions& *n case there is no di!!erence .R skip Design Element& (i en the ,e9uence time o! the $emplate is di!!erent .R update Design Element Actually when updating the design element it checks whether there really are changes to the Design element, !or e%ample, by looking in the OAssistSersion !ield o! an agent& *n case there is no di!!erence the update is only logged but not doneEe%ecuted& 0hene er you apply changes to an agent using the Notes Client, e en changes o! the aliases in the $itle, the OAssistSersion !ield is updated& Notes: . $his does not apply to pri ate iews or !olders that are stored in the clientKs Desktop&dsk !ile& . Design Re!resh does not use the 2ni ersal *Ds o! the Design elements, but only names and aliases to identi!y what to updateEaddEremo e& . $he Designer $ask has an issue customers should be aware o!H !or more in!ormation re!er to the document LLoad Design ,er er $ask -nly Re!reshes Databases the #irst $imeL 3T<4>4>> 6 & esi#n*,eplace details> $he only di!!erence !rom Design.Re!resh is that !irst the template name the database is inherited !rom is changed to the new one& A!ter this a regular design re!resh runs& $his means: . $he e%isting Design notes are not swept !rom the database in the !irst step& *n case there are Design elements o! the same name, these are LupdatedL using the logic described abo e& What if you have duplicate desi#n ele)ents in your data!ase? esi#ner re)ove one of these? oes

$his might happen when replicating the templates andEor databases containing design elements that do ha e the same $itle but di!!erent uni ersal *D& 2n!ortunately, neither the Design task nor Design . Replace or Design . Re!resh detect this& $hey update only the !irst design note !ound ha ing the same title in the template& $he other design note is le!t untouched& -ne must manually remo e the obsolete design element !rom the database or replace the design& Additionally> A design element may be inherited !rom a di!!erent template than speci!ied in the Database properties& Dou will !ind this on the Design tab in the properties o! the design element itsel!& 0hen doing a Design Re!resh these are taken !rom the appropriate database& ,elated ocu)ents>

Load Design ,er er $ask -nly Re!reshes Databases the #irst $ime Document T: <5C=A8> 3<4>4>>6 Replacing R8 Design with $emplate 'a ing 'idden Design Does not Delete E%isting Design Elements Document T: <5BA>8> 3<A<B8<6 L*nherit Design !rom $emplateL -ption 2nchecked A!ter 2ser *s Renamed 2sing Admin/ Document T: <5C>5<: 3<4:55>6 Re!resh Design Does not Replace Design Elements which 'a e 7een Modi!ied in the Db Document T: <<84:>C ,elated ;ld 1roduct ocu)ent> 0hich Mail $emplate *s 2sed when Registering a New Notes 2ser; Document T: <:B:A5

<>& Di!!erence between 2pdall and 2pdate; Database Indexing Inde8in# ?iew inde8es are used to display the list o! documents in a database& $hey are created automatically, and are kept up to date by the system 2/DA$E task& $his means that i! you create a new document, it will not appear on the inde% until the 2/DA$E task runs, or you run an update manually& 7ull*te8t inde8es are used to speed up document searches& #ull.te%t *nde%es are created manually, and are also maintained automatically by 2/DA$E, or by manually !orcing an update& *nde%es are not replicated across ser ers, so each replicated copy o! a database needs a !ull.te%t inde% de!ined& *! you want to update a speci!ic database !ull.te%t inde%, ,elect Files tab !or the re9uired database, then Tools - Database - Full Text Index - Update - OK *nde%es are updated automatically by the 2/DA$E task& Dou set the !re9uency o! update in the same panel& -ptions are Daily 'ourly *mmediate ,cheduled 3by 2/DALL ser er task6

$o create a !ull.te%t inde%, select the files tab, then select Tools - Database - Full-text Index and !ollow the instructions on the screen&

*! you inde% an encrypted !ield, other users may be able to read the encrypted te%t without the encryption key& #ull.te%t inde%es are stored in a subdirectory, which is in the same directory as the main database& $he subdirectory will be called databasename&!t *! an inde% becomes corrupt then do not delete the subdirectory manually, but use the *nde% tool described abo e to delete it& Dou can also search multiple databases using a "ultiple data!ase inde8 !or e%ample srchsite&nt!, de!ine the search scope by speci!ying which databases to include then ,elect Files - Tools - Database - Multi-database Index #ollow the instructions shown to create a !ull.te%t inde% !or the ,earch.,ite database 41 A(% and 41 ALL tas/s 2/DA$E is usually scheduled to run continuously on the ser er, 2/DALL will be scheduled to run o ernight, and can also be run on demand& $he main di!!erences between them are 2/DALL will re!resh the !ull.test inde%es on all databases, 2/DA$E only re!reshes those which are set to immediate or hourly 2/DALL will purge deletion stubs 2/DALL can be run manually with options 2/DALL will delete unused iew inde%es

$o run 2/DALL 3maybe to !i% a corrupt inde%6, enter the command

L;A

41 ALL PATH OPTIONS

!rom the ser er console& /A$' is the pathname to the database or databases you want re!reshed& -ptions include .# only update !ull.te%t inde%es .S only update iews .N only rebuild iews .R rebuild both !ull.te%t inde%es and iew inde%es& 2se care!ully, it will use loads o! resource

$here are loads o! other options, which restrict the actions depending on database re!resh settings&

<=& Di!!erence between compact and !i%up;

1ro!le) 'ow can a Domino administrator iew the 2/DALL, #*N2/, and C-M/AC$ options !rom the Domino ser er console;

Dou do not ha e access to client 'elp !iles as the ser er is in a secure area and no client is a ailable, and you need to !ind in!ormation about the di!!erent options !or 2pdall, #i%up, and Compact& 5olution $o display online 'elp in!ormation !or these commands, you enter the command !ollowed by a hypen and 9uestion mark 3.;6& E%amples o! the complete command to enter and the output are below& *ssue the command Lload updall .;L at the Domino ser er console to get !ollowing output:

,imilarly, the commands you issue to see the online help te%t !or the other tasks are as !ollows: load !i%up .; load compact .; #or more in!ormation on the Load command, see the section titled LLoadL in the Domino Administrator 'elp&

<:& 0hat is the transaction logging; 'ow many types are there !or $ransaction logging; 'ow do you disable transaction logging; <8& 0hat are the !eatures in R4;

Microsoft Word Docum ent

<4& <A& <B& <C& >5&

0hat is Minimum con!iguration and Ma%imum con!iguration !or Domino; 'ow do you monitor the ser er; 'ow do you replicate the address book !rom location to another location; 0hat are the necessary !iles !or backup; 'ow many partitions can support domino;

IN5(ALLA(I;N 1artitioned servers 2sing Domino ser er partitioning, you can run multiple instances o! the Domino ser er on a single computer& 7y doing so, you reduce hardware e%penses and minimi)e the number o! computers to administer because, instead o! purchasing multiple small computers to run Domino ser ers that might not take ad antage o! the resources a ailable to them, you can purchase a single, more power!ul computer and run multiple instances o! the Domino ser er on that single machine& -n a Domino partitioned ser er, all partitions share the same Domino program directory, and thus share one set o! Domino e%ecutable !iles& 'owe er, each partition has its own Domino data directory and N-$E,&*N* !ileH thus each has its own copy o! the Domino Directory and other administrati e databases& *! one partition shuts down, the others continue to run& *! a partition encounters a !atal error, DominoKs !ault reco ery !eature restarts only that partition, not the entire computer& #or in!ormation on setting up !ault reco ery, see the topic #ault reco ery& /artitioned ser ers can pro ide the scalability you need while also pro iding security& As your system grows, you can migrate users !rom a partition to a separate ser er& A partitioned ser er can also be a member o! a cluster i! you re9uire high a ailability o! databases& ,ecurity !or a partitioned ser er is the same as !or a single ser er& 0hen you set up a partitioned ser er, you must run the same ersion o! Domino on each partition& 'owe er, i! the ser er runs on 2N*NUV, there is an alternati e means to run multiple instances o! Domino on the ser er: on 2N*N, you can run di!!erent ersions o! Domino on a single computer, each ersion with its own program directory& Dou can e en run multiple instances o! each ersion by installing it as a Domino partitioned ser er& #or more in!ormation, see the topic *nstalling Domino on 2N*N systems& ecidin# whether to use partitioned servers 0hether or not to use partitioned ser ers depends, in part, on how you set up Domino domains& A partitioned ser er is most use!ul when the partitions are in di!!erent Domino domains& #or e%ample, using a partitioned ser er, you can dedicate di!!erent Domino domains to di!!erent customers or set up multiple 0eb sites& A partitioned ser er with partitions all in the same Domino domain o!ten uses more computer resources and disk space than a single ser er that runs multiple ser ices&

0hen making the decision to use partitioned ser ers, remember that it is easier to administer a single ser er than it is to administer multiple partitions& 'owe er, i! your goal is to isolate certain ser er !unctions on the network .. !or e%ample, to isolate the messaging hub !rom the replication hub or isolate work groups !or resource and acti ity logging .. you might be willing to take on the additional administrati e work& *n addition, running a partitioned ser er on a multiprocessor computer may impro e per!ormance, e en when the partitions are in the same domain, because the computer simultaneously runs certain processes& $o gi e Notes users access to a Domino ser er where they can create and run Domino applications, use a partitioned ser er& 'owe er, to pro ide customers with *nternet access to a speci!ic set o! Domino applications, set up an %,/ ser er en ironment& ecidin# how )any partitions to have 'ow many partitions you can install without noticeably diminishing per!ormance depends on the power o! the computer and the operating system the computer uses& #or optimal per!ormance, partition multiprocessor computers that ha e at least one, and pre!erably two, processors !or each partition that you install on the computer&

><& 'ow many cluster ser ers can support domino; 0orkLoad 7alancing with Domino Clusters& Le el: Ad anced Michael Iistler, ,enior ,o!tware Engineer , ,o!tware ,olutions Di ision $his article e%plores some o! the common approaches to workload balancing a ailable to Domino administrators, with special emphasis on the ser er workload balancing capabilities o! Domino Ad anced ,er icesK clustering !eature& Many customers today are looking !or ways to make their Domino ser ers highly a ailable& Domino clustering satis!ies this need by pro iding !ailo er o! databases and ser er !acilities to other ser ers in the cluster& $his is an important capability, but it has been co ered by a number o! other articles, most notably the articles, LLotus Domino Ad anced ,er ices: 'igh A ailability /owered by NotesL and LNotes&Net e%posed: 2sing Domino clusters !or your 0eb site&L Another key re9uirement !or customers using Domino !or enterprise.class, business. critical applications is scalability& 7asically, scalability is the ability to add computing power to an e%isting system in a seamless !ashion& A key aspect o! scalability is workload balancing, which is the ability to distribute workload to the a ailable computer resources in a way that ma%imi)es the utili)ation o! these resources& 0orkload balancing is not new to Domino& $here are a number o! mechanisms a Domino administrator can use to balance workload across a set o! Domino ser ers& $he clustering !eature o! Domino Ad anced ,er ices takes workload balancing a giant step !orward by enabling you to scale your Domino installation in a way that is relati ely transparent to end users& Many o! the plat!orms that support the Domino ser er also pro ide some !orm o! built. in clustering support& *n particular, there has been considerable attention paid to the newly introduced Microso!t Cluster ,er er 3code named L0ol!packL6& 0hile these -,. le el clustering solutions ha e some distinct bene!its, most pro ide support only !or application !ailo er, not workload balancing& *n particular, the Microso!t Cluster ,er er

will not support workload balancing until its Lphase twoL release, which isnKt e%pected until late <CCB at the earliest& $here!ore, customers looking to build truly scaleable Domino installations need to strongly consider Domino clustering& $his article will e%plore some o! the common approaches !or workload balancing a ailable to Domino administrators, with special emphasis on the ser er workload balancing capabilities in the clustering !eature o! Domino Ad anced ,er ices& 0orkload balancing in Domino Domino administrators can use a number o! techni9ues !or balancing workload across ser ers in a Domino domain& $wo o! the most e!!ecti e techni9ues are: W Allocating users and applications to ser ers& $he administrator can assign users to home ser ers in a way that spreads the load across this set o! ser ers& ,imilarly, the administrator can spread applications 3databases6 across a set o! ser ers, and create replicas when necessary, to spread the application load across a set o! ser ers& W ,etting the ma%imum number o! users !or a ser er& $hrough a Notes&ini setting, ,er erFMa%2sers, the administrator can speci!y the ma%imum number o! user sessions allowed on a ser er& 0hen the ser er reaches this limit, it re@ects re9uests !or additional sessions until the number o! sessions again !alls below the ,er erFMa%2sers alue& $hese techni9ues work on any Domino ser er, whether or not it is part o! a Domino cluster& 0hile these techni9ues are generally e!!ecti e, they are somewhat static and coarse grained& $he real ad antages come when you use Domino clusters !or workload balancing& *n Domino clustering, ser er workload balancing allows hea ily.used ser ers to pass re9uests to other cluster ser ers& $his !orm o! workload balancing is dynamic, !ine grained, and generally transparent to the user, which means that work can be e enly distributed across the ser ers in the cluster& Clusters let you grow your system as the number o! users you support increases& Dou can distribute user accounts across clusters and balance additional workloads to optimi)e system per!ormance& Dou can create multiple database replicas to ma%imi)e data a ailability and mo e users to other ser ers or clusters as you plan !or !uture growth& ;verview of wor/load !alancin# in o)ino clusters $he Domino ser er and Notes client work together to pro ide workload balancing& 0hen running as part o! a cluster, the Domino ser er constantly monitors its own workload& $o measure the workload, the Cluster Manager process on the ser er monitors the a erage response time o! a representati e set o! ser er operations initiated by Notes clients 3network time is not considered6& $he Cluster Manager also polls all the other ser ers in the cluster to determine their workload& 0hen the workload on a ser er e%ceeds a certain le el designated by the administrator, the ser er becomes Lbusy,L and the Domino ser er re@ects subse9uent database open re9uests until the workload !alls back below the speci!ied le el& 0hen the cluster.aware client 3Notes R: or later6 tries to access a database on a busy ser er, it recei es an error code indicating the ser er is busy& $he client then contacts the Cluster Manager on one o! the ser ers in the cluster& 30hene er the client accesses a ser er that is a member o! a cluster, it stores a list o! ser ers in the cluster in a persistent cache&6 $he Cluster Manager uses the Cluster Database Directory 3CLD7D*R6 to determine which other ser ers in the cluster ha e replicas o! the database being re9uested, and then selects the least hea ily loaded o! these ser ers to handle the client re9uest& $he client then reissues the open re9uest to this ser er& Note that this target ser er could be the same as the original ser er& -n this second re9uest, the open will succeed e en i! the target ser er is busy& #igure :& 0orkload balancing animation

,imilar to !ailo er, an icon !or the new database will appear in the workspace, either stacked on top o! the original icon or in a !ree area on the same workspace page as the original icon& 0orkload balancing can be triggered in a wide ariety o! situations, such as: W A user double.clicks on a database icon in the workspace& W A user tries to launch a doclink, iew link, or database link that is connected to a ser er that is busy& W A user acti ates a !ield, action, or button that contains an JCommand3#ile-penDatabase6 !ormula and the speci!ied ser er is busy& W A Lotus,cript routine issues a D7&-/EN0*$'#A*L-SER call to open a database on a ser er that is busy& W An agent written in Ma a issues an openDatabase method with the !ailo er parameter set to $rue !or a database on a ser er that is busy& W A C A/* program issues an N,#Db-penE%tended call to open a database on a ser er that is busy& istri!ution of data!ases in the cluster *n a cluster, the distribution o! users and databases takes on a new importance& 0hen a ser er in the cluster !ails, user re9uests are automatically redirected to other ser ers in the cluster& *deally, this load should be spread e9ually across all other ser ers in the cluster& 'owe er, this can only happen when replicas o! the databases on the !ailed ser er are spread roughly e9ually across the other ser ers in the cluster& An e%ample can illustrate this best& ,uppose you ha e <>55 mail users that you want to put on a cluster with !our ser ers& $o start, you will probably allocate =55 users to each ser er& Now, to gi e these users high a ailability to their mail databases, you want to create a replica o! each userKs mail !ile on another ser er in the cluster& Dou might take all users on ,er er < and put a replica o! their mail !ile on ,er er >& $his is not a good idea& *! ,er er < !ails, all =55 o! its users will be redirected to ,er er >& ,er ers = and :

will not absorb any o! this !ailo er load, because the necessary databases are only a ailable on ,er er >& Clearly, a better approach is to spread the replicas !or ,er er <Ks users across the other three ser ers& *! these are spread e enly .. that is, <55 o! ,er er <Ks users on ,er er >, <55 on ,er er =, and <55 on ,er er : .. a !ailure o! ,er er < should result in a roughly e9ual increase in workload !or the other three ser ers in the cluster& #igure <& Mail user distribution across !our ser ers

$he ser er a ailability inde% As mentioned abo e, each ser er in a cluster periodically determines its own workload, based on the a erage response time o! re9uests recently processed by the ser er& $he workload on the ser er is e%pressed as the ser er a ailability inde%, which is a alue between 5 and <55, where <55 indicates a lightly loaded ser er 3!ast response times6, and 5 is a hea ily loaded ser er 3slow response times6& Despite the !act that the ser er a ailability inde% is a number between 5 and <55, it is not a percentage& ,ome people think that a ser er a ailability inde% o!, say B8, means that the ser er is B8X a ailable& $his is not the case .. in !act, it is !ar !rom it& $he actual !ormula !or determining the a ailability inde% is not described anywhere in the Notes publications& 0hat * am about to tell you is accurate !or the Notes :&8 and :&4 releases, but may change in !uture releases& $he ser er a ailability inde% is closely related to a common per!ormance metric called the e%pansion !actor& $he e%pansion !actor is simply the ratio o! the response time !or a !unction under the current load to the response time !or this same !unction in an optimum 3light load6 condition& ,o, !or e%ample, i! the system currently takes = seconds to per!orm a database open, but could per!orm the same database open in &= seconds under optimum conditions, the e%pansion !actor !or this operation is <5& $he e%pansion !actor !or a set o! operations can be computed as a simple weighted a erage& $o compute the ser er a ailability inde%, the Domino ser er computes the e%pansion !actor !or a representati e set o! Notes R/C transactions o er a recent time inter al 3roughly the last minute6& $he ser er a ailability inde% is then set to <55 minus this e%pansion !actor&

#igure >& ,er er a ailability inde% !ormula Remember that the ser er a ailability inde% only considers the response time as measured at the ser er, which is typically only a small portion o! the o erall response time as seen by clients& *n particular, the network time between the client and ser er o!ten accounts !or a signi!icant portion o! client response time& ,o a ser er a ailability inde% o! C5 does not indicate that the response time as seen by clients is ten times the optimal alue .. only that the ser er processing o! this re9uest took ten times longer than the optimal alue& (he server availa!ility threshold Now that you know how Domino measures ser er load, you are ready to con!igure the ser er to indicate when it is busy& $his is done with a Notes&ini setting called ,er erFA ailabilityF$hreshold& 0hen Domino recalculates the ser er a ailability inde% 3appro%imately once a minute6, it checks to see i! the inde% is below the ser er a ailability threshold& *! the ser er a ailability inde% is less than the ser er a ailability threshold, the ser er is marked as busy& *n other words, the ser er a ailability threshold speci!ies the lowest alue o! the ser er a ailability inde% !or which the ser er should be considered to be a ailable& $o set the ser er a ailability threshold, edit the Notes&ini !ile !or the ser er and add the !ollowing: ,er erFA ailabilityF$hresholdQYthreshold alueR -r you can set the threshold !rom the Domino ser er console with the command: ,et Con!ig ,er erFA ailabilityF$hresholdQYthreshold alueR 0hen set !rom the ser er console, the new threshold alue takes e!!ect immediately& 0hen set by editing Notes&ini, the new threshold alue takes e!!ect the ne%t time the ser er is started& $he de!ault alue !or the ser er a ailability threshold is 5, which means load balancing is e!!ecti ely disabled& ,peci!ying a threshold alue o! <55 puts the ser er into the busy state regardless o! its actual a ailability& 5electin# the proper server availa!ility threshold As you ha e probably guessed, the ser er a ailability threshold is a key con!iguration setting !or workload balancing& $here!ore, you should choose this parameter with some care& ,etting the threshold too high can cause user re9uests to !ail unnecessarily& ,etting the threshold too low can result in poor per!ormance !or some users that may ha e recei ed better ser ice !rom another ser er& -ne point * must stress is that workload balancing is not a solution !or a general capacity problem& *! your Domino ser ers are struggling to keep up with the workload they ha e, and there arenKt other a ailable ser ers to handle the e%cess workload, enabling workload balancing will only e%acerbate the problem& *n other words, donKt think that increasing the ser er a ailability threshold will necessarily make your ser er more responsi e& *! there is nowhere else to send client re9uests, they will continue to be handled by the busy ser er, and the process o! looking !or another a ailable ser er !or each re9uest will only worsen the workload on the ser er& $o determine the proper alue !or the ser er a ailability threshold, you should start by simply monitoring the ser er a ailability inde% during periods o! normal to hea y load& $here are a number o! ways to do this& -ne way is to use the built.in statistics monitoring o! Domino 3described in more detail later6& *! your ser er is running 0indows N$, you can also use the 0indows N$ /er!ormance Monitor to monitor any o!

the Domino ser er statistics 3see Maintaining the Domino ,ystem !or details on how to enable this !eature6& *n particular, this gi es you a way to graphically monitor the ser er a ailability inde% 3statistic ,er er&Cluster&A ailability*nde%6& * recommend you set the 2pdate $ime 3under ChartE-ptions6 to 45 seconds, since this is how o!ten the ,tats package 3which is the source !or this data6 is updated& *t may seem natural to set the ser er a ailability threshold to the same alue on all ser ers in the cluster& 0hile this may be a good rule o! thumb, di!!erences in hardware, operating systems, and le els o! the Domino ser er can in!luence the ser er a ailability inde% and thus the proper setting o! the ser er a ailability threshold& -nce you ha e gathered some data on the range o! typical alues o! the ser er a ailability inde% !or a ser er, the ne%t step is to select an initial alue !or the ser er a ailability threshold& $his should be a alue toward the lower end o! the range o! typical alues& Dou should also consider how a ser er outage may impact ser er workload& *! a ser er in the cluster !ails, the !ailo er capability in Domino clustering will direct clients to other ser ers in the cluster& $o allow !or this case, you may want to set the ser er a ailability threshold to allow some Le%traL capacity to handle the !ailo er workload& Note that the e%tra capacity needed !or !ailo er depends on how many ser ers are in the cluster& #or a cluster with @ust two ser ers, you would need to allow !or an almost <55X increase in workload in the e ent o! a ser er !ailure& 0hen there are si% ser ers in the cluster, each ser er would only need to handle roughly >5X increase in workload& -nce youK e selected an initial alue, con!igure this on the ser er and monitor its operations& Domino gathers a number o! statistics on cluster !ailo er and workload balancing that you can use to monitor how well things are going& Dou can see these statistics by using the ,how ,tatistics ser er command at the ser er console& Dou can also report statistics to any database designed !or this purpose, although typically the database is the ,tatistics database 3,$A$RE/&N,#6& $he Collector or Reporter task creates the ,tatistics database automatically i! you choose to report statistics to it and i! it doesnKt e%ist already& Cluster statistics are a ailable in the ,tatistics Report E Cluster iew& $he statistics related to clustering all ha e the pre!i% L,er er&ClusterL& $hese are all documented in the Domino Administration 'elp& -! particular interest when e aluating the workload balancing !or a ser er are the !ollowing:

>>& >=& >:& >8& >4& >A& >B&

0hat do you know about pass.through ser er; 0hat is the CA; Di!!erence between connection document and /rogram document; Di!!erence between ser er document and con!iguration document; 0hat are the tasks run ser er when clustering is started; Di!!erence between Newcopy and replication; Di!!erence between NNN and DNN;

http:EEwww&leadershipbynumbers&comEM,&ns!Ed4plinksE7MMA.4BMIM# >C& 0hat is the in!ormation is contain id !ile; /assword /ublic IED /ri ate Iey

=5& 0hat is *,/D; http:EEwww&alise&l EAL*,EEtechnolog&ns!E5Ee4C=:C88:BBBdB48:>>84C5455:A5dBc; -penDocument (he Ispy o)ino 5erver (as/

#rom L'ow Dou Can 2se New Capabilities o! Domino R8 and the Administrator Client to Meet Administrati e ,er ice Le el Agreements,L by Dwight Morse, the Lotus product manager !or Domino administration and management, which originally appeared in the MarchEApril >555 edition o! $he Siew, http:EEwww&e iew&com& *n addition to ,er er probes, you can con!igure probes that monitor Mail and *nternet ser ices in your network& $he new Domino R8 ser er task, *spy, must be running in order !or your Mail and *nternet probes to work 3the *spy task is not re9uired !or ,er er probes6& $o enable the *spy ser er task, add *,/D to the ,er er$asksQ line in the ser erKs N-$E,&*N* !ile& $he ,er er$asks parameter is not dynamic, so @ust adding a task will not cause that task to start& $o get *spy to launch immediately, start the task !rom the Administrator Client in the ,er er ,tatus tab, or type LLoad *,/DL at the ser er console 3or remote ser er console6& DouKll still want to add *spy to the N-$E,&*N* to ensure that it launches e ery time the ser er does& Confi#urin# "ail elivery 1ro!es Dou can set up a probe that monitors Mail deli ery time in the same general area o! the Administration Client as you con!igure a ,er er probe, and in much the same way& Mail probes are con!igured on the Con!iguration tab, under ,tatistics P E ents3alternati ely, you can con!igure them right in the ,tatistics P E ents database6& *n the Administrator Client, click LMail,L then LNew Mail /robe&L A mail probe measures the message deli ery time !rom a speci!ied ser er to a particular user& $his measurement allows you to keep tabs on how long it takes new mail to get !rom point A to point 7 in your network, or to monitor the deli ery times o! messages sent to important e%ecuti es& 0hen con!iguring a Mail probe, itKs a good idea to set up an e ent noti!ication i! the response time goes beyond a desired threshold& Dou do this the same way you did !or the ser er response time& Notice that you can set the probe inter al !or a Mail probe in the L,end inter alL !ield& 'ow long you set this inter al depends on how important it is to you and your organi)ation to get response time data& Ieep in mind that Mail probes initiate network tra!!ic between ser ers& *! bandwidth is a concern when considering Mail response times, adding many probes will add to the problem& $he statistics associated with Mail probes all start with the letters Z-,, which stand !or LZuality -! ,er ice&L Z-, is the !irst string in a group o! ser ice le el type statistics, including the *nternet ser ices statistics that are created when you con!igure $C/ ,er er probes&

=<& Di!!erence between /ublic key and pri ate key;

http:EEwww&codestore&netEhelpEhelp4Fadmin&ns!Eb=>44a=c<A!CbbA5B8>84bBA554Cc5a CEe4Ad>b:b4:4d8A8CB8>84c<d55=CC=Ba;-penDocument

5%C4,I(@ %ncryption Encryption protects data !rom unauthori)ed access& 2sing Notes and Domino, you can encrypt: Messages sent to other users& $hen an unauthori)ed user cannot read the message while it is in transit& Dou can also encrypt sa ed and incoming messages& Network ports& Encrypting in!ormation sent between a Notes workstation and a Domino ser er, or between two Domino ser ers, pre ents unauthori)ed users !rom reading the data while it is in transit& ,,L transactions& Dou can use ,,L to encrypt in!ormation sent between an *nternet client, such as a Notes client, and an *nternet ser er, to pre ent unauthori)ed users !rom reading the data while it is in transit& #ields, documents, and databases& Application de elopers can encrypt !ields within a document, an entire document, and local databases& $hen only the speci!ied users can read the in!ormation&

#or in!ormation on ,,L encryption, see the topic ,etting up ,,L on a Domino ,er er& #or in!ormation on !ield, document, and database encryption, see Lotus Domino Designer 4 'elp& 1u!lic and private /eys #or all types o! encryption e%cept network port encryption, Domino uses public and pri ate keys so that data encrypted by one o! the keys can be decrypted only by the other& $he public and pri ate keys are mathematically related and uni9uely identi!y the user& 7oth are stored in the *D !ile& 0ithin the *D !ile, the public key is stored in a certi!icate, but the pri ate key is stored separately !rom the certi!icate& $he certi!icate containing the public key is also stored in the Domino Directory, where it is a ailable to other users& Domino uses two types o! public and pri ate keys .. Notes and *nternet& Dou use the Notes public key to encrypt !ields, documents, databases, and messages sent to other Notes users, while the Notes pri ate key is used !or decryption& ,imilarly, you use the *nternet public key !or ,EM*ME encryption and the *nternet pri ate key !or ,EM*ME decryption& #or both Notes and *nternet key pairs, electronic signatures are created with pri ate keys and eri!ied with public keys& Dou can use one set o! *nternet public and pri ate keys or you can set up Notes to use a set o! *nternet keys !or ,EM*ME signatures and ,,L and another set !or ,EM*ME encryption&

#or in!ormation on dual *nternet certi!icates, see the topic Dual *nternet certi!icates !or ,EM*ME encryption and signatures& 0hen you register a user, Domino automatically creates a Notes certi!icate, which contains the userKs public keys, and adds it to the *D !ile and the Domino Directory& $he pri ate key is created and stored in the *D !ile& Dou can also create *nternet public and pri ate keys a!ter user registration& Domino stores *nternet certi!icates, which contain public keys, in the *D !ile and also in the Domino Directory& $he *nternet pri ate key is stored in the *D !ile, separately !rom the certi!icate& $o create Notes public and pri ate keys, Domino uses the dual.key R,A Cryptosystem and the RC> and RC: algorithms !or encryption& $o create the *nternet public key, Domino uses the %&85C certi!icate !ormat, which is an industry.standard !ormat that many applications, including Domino, understand& 7oth the Notes client and Domino ser er support <5>:.bit R,A key and <>B.bit symmetric key !or ,EM*ME and ,,L& $he Notes proprietary protocols use a 4=5.bit key !or key e%change, and a 4:.bit symmetric key& %ncryption stren#th All Notes *Ds contain two publicEpri ate key pairs& /rior to 8&5&:, key lengths were restricted !or the purposes o! encrypting data, but not !or authentication or signing& Anything o er 8<>.bit R,A key and 84.bit symmetric key was considered strong encryption and was not allowed !or e%port by the 2&,& (o ernment& Customers were re9uired to order and choose among kits o! di!!erent cryptographic strengths& 0ith the rela%ation o! 2, go ernment regulations on the e%port o! cryptography, the Domino ser er and the Domino Administrator, Domino Designer, and Lotus Notes client products ha e consolidated all pre ious encryption strengths .. North American, *nternational, and #rance .. into one strong encryption le el resulting in a single L(lobalL release o! the products& $he (lobal release adopts the encryption characteristics pre iously known as North American& ,trong encryption in (lobal products can be used worldwide, e%cept in countries whose import laws prohibit it, or e%cept in those countries to which the e%port o! goods and ser ices is prohibited by the 2&,& go ernment& Customers are no longer re9uired to order Notes so!tware according to cryptographic strength& 0hen you upgrade to a (lobal release o! Domino and Notes, stronger cryptography will be used without a re9uirement to reissue e%isting *Ds& $hese changes are seamless to users as well as administrators& 0hen two di!!erent ersions o! so!tware are communicating, the encryption negotiation will result in a step.down to the weaker le el& $here!ore, the !ull bene!its o! stronger encryption will only be reali)ed when all so!tware has been upgraded to the (lobal 3release 8&5&: and later6 le el& 'owe er, any mi%ed ersions o! the so!tware will interoperate& $he LRegister New 2serL dialog bo% still o!!ers a choice between North American and *nternational *ds& *t was le!t this way because administrators o!ten use the North American or *nternational distinction !or administration purposes, or there may be older ersions o! the so!tware still in use in some companies& *n addition, countries ha e their own import rules& /reser ing this distinction will allow Lotus to respond to speci!ic country changes, i! re9uired&

Note $hese regulations pertain only to e%port !rom the 2nited ,tates& #or other countries with import regulations, customers need to check the re9uirements o! the speci!ic country& 0hile Lotus takes all steps to ac9uiesce with go ernmental encryption regulations worldwide, Lotus recommends that customers !amiliari)e themsel es with local encryption regulations to remain in compliance& Interopera!ility issues 5upport for I types. 7oth North American and *nternational *D types continue to be supported !or the (lobal release& $his is !or backward compatibility with pre.8&5&: clients& Lotus Notes users can keep their e%isting *nternational *Ds i! the (lobal ersion o! the so!tware is installed& $he (lobal ersion will automatically allow the use o! stronger encryption& 7rowser users can keep their e%isting key ring, but users must !ollow the manu!acturerKs recommendations !or upgrading the browser to stronger encryption& Interopera!ility with post*&.2.$ releases& *! your organi)ationKs clients and ser ers are all running release 8&5&: or later, it makes no di!!erence whether you create North American or *nternational *Ds& 7oth types o! *D will work the same way& Interopera!ility with pre*&.2.$ releases & Lotus Notes users, as well as Domino ser ers which ha e been upgraded to release 8&5&: and later, can authenticate and continue day.to.day operations securely with clients and ser ers running on earlier releases o! so!tware& 'owe er, i! your organi)ation has clients or ser ers running releases earlier than Notes and Domino 8&5&:, you should continue to create the same types o! *Ds you created with the earlier ersions& *nternational ersions o! releases prior to 8&5&: do not allow users to switch to North American *Ds, so when registering new international users, you shouldnKt create only North American *Ds& ,imilarly, North American ersions o! earlier releases use weaker cryptography when running with *nternational *Ds, so you shouldnKt create only *nternational *Ds&

$he best strategy !or deciding between North American and *nternational *Ds is to continue using the decision process that was in place !or earlier releases o! Notes and Domino& E entually, as you upgrade the Notes clients and Domino ser ers, the decision will not matter& =>& 0hat are the $opologies !or the Domino; Replication $opology MailRouting $opology ==& 'ow many -rgani)ations we can create; =:& 'ow many -rgani)ations 2nits we can create; =8& 'ow many ways are there to create E Register user; http:EEwww&codestore&netEhelpEhelp4Fadmin&ns!E5E=C5<5a>B4bd8:48>B8>84c<d55=C< C!a;-penDocument

45%, AN

5%,?%, C;N7I=4,A(I;N

4sin# Advanced Notes user re#istration with the o)ino Ad)inistrator Ad anced registration o!!ers all the settings included in 7asic registration and also allows you to change de!ault settings and apply ad anced settings to users& Note Dou can modi!y user settings at any time once you add the user to the 2ser Registration Zueue by selecting the user !rom the 9ueue and then making changes& Dou can also modi!y certain settings !or multiple users at once by selecting the users in the 9ueue and making changes& Dou can cancel user registration and clear all !ields at any time by clicking the red N& <osted %nviron)ents *! you are working in a hosted en ironment, when registering users, ensure that you are using a certi!ier that was created !or the hosted organi)ation into which you are registering the users& $his applies regardless o! whether you are using a certi!ier and password or the ser er.based CA& (o use Advanced re#istration with the o)ino Ad)inistrator

<& Make sure you ha e the !ollowing access be!ore you begin registration: Access to the certi!ier *D and its password, i! you are not using the Lotus Domino 4 ser er.based certi!ication authority 3CA6& Access to the Domino Directory !rom the machine you work on Editor access or Author access with Create Documents role and the 2serCreator pri ilege in the Domino Directory on the registration ser er Create new databases access on the mail ser er i! you plan to create user mail !iles during registration Create e%plicit policies and settings documents i! you plan to use policy.based system administration Access to the certi!ication log 3CER$L-(&N,#6 on the registration ser er

>& #rom the Domino Administrator, click the /eople P (roups tab& =& #rom the ,er ers pane, choose the ser er to work !rom& :& ,elect Domino Directories, and then select /eople& 8& #rom the $ools pane, click /eople . Register& 4& Enter the certi!ier password and click -I& Note $he Certi!ier *n!ormation Reco ery 0arning dialog bo% appears& Re iew the in!ormation in the dialog bo%, select the check bo% and click -I& A& Click Ad anced& B& #rom the 7asic tab, complete these !ields:

7ield Registration ,er er

%nter Click Registration ,er er to change the registration ser er 3which is the ser er that initially stores the /erson document until the Domino Directory replicates6, select the ser er that registers all new users, and then click -I& *! you ha e not de!ined a registration ser er in Administration /re!erences, this ser er is by de!ault one o! these: $he local ser er i! it contains a Domino Directory $he ser er speci!ied in New2ser,er er setting o! the N-$E,&*N* !ile $he administration ser er

#irst name, Middle name, $he userKs !irst and last names and 3i! necessary6 middle Last name name& $he userKs ,hort name and *nternet address are automatically generated& $o change the ,hort name or *nternet address, click the appropriate space and enter the new te%t& ,hort name A short name in the !ormat #irst*nitialLastName is automatically created as you enter the userKs name& #or e%ample, M,mith is the short name !or Mohn ,mith& Dou can modi!y this !ield& A password !or the user *D& Click /assword options to set a le el !or the password in the /assword Zuality ,cale& $he de!ault le el is B& #or more in!ormation, see L2nderstanding the password 9uality scale&L Click the check bo% L,et *nternet passwordL to gi e *nternet users name and password access to a Domino ser er and to set an *nternet password in the /erson document& $his !ield is automatically selected i! you select the -ther *nternet, /-/, iNotes, or *MA/ mail types& Click L,ynch *nternet password with Notes *D passwordL to make the *nternet password in the /erson document the same as the Notes password& $his is a re9uirement !or users who want to use iNotes 0eb Access to read encrypted mail or work o!!line& Mail system Click to change the userKs mail system !rom the de!ault o! Lotus Notes to an *nternet.based system or iNotes 0eb Access& ,elect the e%plicit policy to apply to this user& #or more in!ormation on policies, see L/olicies&L Click to see a summary o! this userKs e!!ecti e policies& Click to enable roaming capabilities !or this user& Doing so enables the Roaming tab&

/assword /assword options

E%plicit policy /olicy synopsis Let this person roam

Create a Notes *D !or this Click to create a Notes *D !or this person during the person registration process&

C& Click the Mail tab and complete any o! these !ields& Domino uses de!ault alues 3i! a ailable6 !or any !ields you do not modi!y& 7ield Mail system %nter Choose one o! the a ailable mail types and complete the necessary associated !ields: Lotus Notes 3de!ault6 -ther *nternet /-/ *MA/ iNotes -ther None *! you select Lotus Notes, /-/, or *MA/, the *nternet address is automatically generated& *! you select -ther *nternet, /-/, or *MA/, the *nternet password is set by de!ault& *! you select iNotes 3iNotes 0eb Access6, you can change other user registration selections to iNotes 0eb Access de!aults by clicking Des when prompted& *! you select -ther or -ther *nternet, enter a !orwarding address& $his address is the userKs current address, where the user wants mail to be sent& #or e%ample, i! a user temporarily works at a di!!erent location andEor uses a di!!erent mail system, the user can ha e her mail !orwarded to that new address& -r, a user may resign !rom the company but lea e a !orwarding address so that mail addressed to the old address is !orwarded to the new location& Mail ser er $he userKs mail ser er& *! you ha e not de!ined a mail ser er in Administration /re!erences, this ser er is 3by de!ault6 the local ser er i! it contains a Domino DirectoryH otherwise, it is the Administration ser er& $he !ile name o! the mail !ile& 7y de!ault, the path and !ile name are mail\<firstinitial><first c!aractersoflastname>"nsf" Choose one: Create !ile now 3de!ault6 Create !ile in background . Creating mail !iles in the background !orces the Administration /rocess to create the !iles and sa es time during the user registration process& 0hen you migrate users who ha e mail to con ert, this !ield is automatically set to Create !ile now& Mail !ile template A mail template !rom the list o! a ailable mail templates& #or a description o! the template, select the template and click About& $he de!ault is Mail3R46 3MA*L4&N$#6&

Mail !ile name Create !ile nowECreate !ile in background

Create !ull te%t inde% Click to generate a !ull.te%t inde% o! the mail database& Mail !ile replicas Click to open the Mail Replica Creation -ptions dialog bo% on which you can select the ser ers to which the mail !ile will replicate& $his option only applies to clustered ser ers& ,elect the le el o! access in the access control list to assign to the user o! the mail database !rom the Mail !ile owner access list& 7y de!ault, mail users ha e Editor with Delete documents access to their own mail !ilesH all other users ha e no access& $his option can be used to pre ent mail users andEor owners !rom deleting their own mail !ile& *! the mail owner access is Designer or Editor, the administrator *D currently being used is added to the mail !ile ACL as Manager& Click to enable, and then speci!y a si)e limit 3ma%imum o! <5(76 !or a userKs mail database& Click to generate a warning when the userKs mail database reaches a certain si)e, and then enter the warning si)e 3ma%imum o! <5(76&

Mail !ile owner access

,et database 9uota ,et warning threshold

<5& Click the Address tab, and enter alues in any o! these !ields& Domino uses de!ault alues 3i! a ailable6 !or any !ields you do not modi!y& 7ield *nternet address *nternet Domain Address name !ormat ,eparator %nter $he *nternet e.mail address assigned to this user& $he domain to be used in the *nternet address .. !or e%ample, Acme&com& $he !ormat o! the *nternet address& $he de!ault !ormat is #irstNameLastNameJ*nternet domain without a separator .. !or e%ample, RobinRuther!ordJAcme&com& $he character inserted between names and initials in the *nternet address& $he de!ault is None&

<<& Click the *D *n!o tab, and enter alues in any o! these !ields& Domino uses de!ault alues 3i! a ailable6 !or any !ields you do not modi!y& 7ield %nter

Create a Notes *D !or Click to create a Notes *D !or this user& this person Certi!ier Name list Choose a certi!ier *D to use when creating the user name during user registration when a Notes user *D is not being created !or the user& $his !ield appears i! the check bo% LCreate a Notes *D !or this personL is not selected& *! you are working in a hosted en ironment and are registering a user to a hosted organi)ation, be sure to register that user with a

certi!ier created !or that hosted organi)ation& 2se CA process Click to use the Lotus Domino 4 ser er.based certi!ication authority 3CA6 to register this user& $he certi!ier *D and password will not be needed to complete the user registration process i! you use the Lotus Domino 4 CA& *! you are working in a hosted en ironment and are registering a user to a hosted organi)ation, be sure to register that user with a certi!ier created !or that hosted organi)ation& $his !ield appears i! the check bo% LCreate a Notes *D !or this personL is selected& Certi!ier *D Click i! you want to use a certi!ier *D and password instead o! the ser er.based CA& $o change to a di!!erent certi!ier *D, click Certi!ier *D, select the new *D, enter the password, and then click -I& *! you are working in a hosted en ironment and are registering a user to a hosted organi)ation, be sure to register that user with a certi!ier created !or that hosted organi)ation& $his !ield appears i! the check bo% LCreate a Notes *D !or this personL is selected& ,ecurity type Choose either North American or *nternational& $he security type determines the type o! *D !ile created and a!!ects encryption when sending and recei ing mail and encrypting data& North American is the stronger o! the two types& $his !ield appears i! the check bo% LCreate a Notes *D !or this personL is selected& Certi!ication e%piration date $he e%piration date o! the user *D in mm-dd-## !ormat& $he de!ault is two years !rom the current date& $his !ield appears i! the check bo% LCreate a Notes *D !or this personL is selected& Location !or storing user *D Choose one: *n Domino Directory 3de!ault6& $he *D !ile is stored as an attachment to the userKs /erson document& *n !ile 3de!ault location: <datadirector#>[ids[people[user"id6& Click ,et *D !ile to change path& *n mail !ile& $his option is only a ailable with iNotes 0eb Access and allows Notes users to read their encrypted mail while using iNotes 0eb Access& $his !ield appears i! the check bo% LCreate a Notes *D !or this personL is selected&

<>& 3-ptional6 $o add the user to an e%isting group: Click the (roups tab with the user highlighted 3you can highlight multiple users also6& ,elect the group or groups to assign and click Add&

#or more in!ormation on adding users to groups, see the topic Adding members to a group& <=& 3-ptional6 *! you ha e enabled roaming capabilities !or the user, click the Roaming tab, and complete any o! these !ields& $he !ields do not appear i! you did not click LLet this person roamL on the 7asic tab and LCreate a Notes *D !or this person&L Domino uses de!ault alues 3i! a ailable6 !or !ields you do not modi!y&

7ield

%nter

/ut roaming user Click to store the userKs roaming in!ormation on the same ser er !iles on mail ser er used !or mail& Roaming ,er er Click Roaming ,er er to open the Choose Roaming 2ser #iles ,er er dialog bo% on which you speci!y the ser er that stores the userKs roaming in!ormation& *! you select /ut roaming user !iles on mail ser er, the Roaming ,er er de!aults to the userKs mail ser er& $he subdirectory that contains the userKs roaming in!ormation& 7y de!ault, this is based on the sub.!older !ormat you speci!y, but you can customi)e it& $he method used to name roaming subdirectories on the roaming ser er& $his determines the de!ault /ersonal roaming !older !or each user& Choose one o! these: Create !ile now . De!ault Create roaming !iles in background . Click to create the userKs roaming !iles the ne%t time the Administration /rocess runs& Creating roaming !iles in the background !orces the Administration /rocess to create the !iles and sa es time during the user registration process&

/ersonal roaming !older ,ub.!older !ormat

Create roaming !iles nowECreate roaming !iles in background

Clean.up option

Choose one o! the !ollowing roaming user client clean.up options& Clean.up will only occur on clients that ha e been installed and con!igured !or multiple users& Do not clean.up 3de!ault6& .. Roaming user data will ne er be deleted !rom the Notes client workstation to which the user roamed& Clean.up periodically& .. Enables the LClean up e ery N daysL !ield on which you speci!y the number o! days that should pass be!ore roaming user data is deleted !rom the Notes client workstation& Clean.up at Notes shutdown& .. Roaming user data will be

deleted !rom the Notes client workstation immediately upon Notes shutdown& /rompt user .. $he user is prompted on e%iting the client as to whether they want to clean up their personal !iles& *! the user chooses Des, the data directory on that client workstation is deleted& *! the user chooses No, the user is prompted as to whether they want to be asked again on that client& *! the user chooses No, the user is not prompted again& *! the user chooses Des, the user is prompted again the ne%t time the user e%its the client on that workstation&

Roaming Replicas

Click this button to open the LRoaming #iles Replica Creations -ptionsL dialog bo% on which you can designate to which ser ers a userKs roaming !iles should replicate& $his option only applies to clustered ser ers&

<:& Click the -ther tab, and complete any o! these !ields& Domino uses de!ault alues 3i! a ailable6 !or !ields you do not modi!y& 7ield ,etup pro!ile %nter Name o! an R8 2ser ,etup pro!ile to assign& Note *! you are using policies, you cannot use a user setup pro!ile& 2ni9ue org unit Location Local administrator A word that distinguishes two users who ha e the same name and are certi!ied by the same certi!ier *D& Departmental or geographical location o! the user& $he name o! a user who has Author access to the Domino Directory but who does not ha e the 2serModi!ier role& $his setting allows the local administrator to edit /erson documents& A comment about the user, regarding the userKs registration& Choice o! alternate name language& $he certi!ier *D used to register this user must contain the alternate name language !or it to appear here& #or more in!ormation, see Adding an alternate name and language& Alternate name $he alternate name o! the user& $he certi!ier *D used to register this user must contain the alternate name language !or it to appear here& A word that distinguishes two users who ha e the same name and are certi!ied by the same certi!ier *D& $he certi!ier *D used to register this user must contain the alternate name language& Choose a pre!erred language !or the user, that is, the language that the user pre!ers to use& Click to set user options !or 0indows N$ or 0indows >555&

Comment Alternate name language

Alternate org unit

/re!erred language 0indows 2ser -ptions

-pens the LAdd /erson to 0indows N$E>555L dialog bo% on which you can speci!y whether to add the user to 0indows N$ andEor the 0indows >555 Acti e Directory& Enter the 0indows account name !or the user, and select the name o! the 0indows N$ or 0indows >555 group to which you are adding the user& <8& Click the green check mark& $he user name appears in the Registration status iew 3the user registration 9ueue6& <4& Click Register and then click Done&

=4& 'ow can you identi!y whether it is a main ser er or additional ser er; =A& 'ow many ACL le els are there; Access control lists An access control list 3ACL6 determines access to a gi en database, and the type o! access allowed& $he !ollowing table lists the access le els !or Domino& ACL levels Level No Access 4ser Access No access to the database 5erver Access No access to the database 3e%cept, optionally, !or a special class o! documents called public documents6 Cannot replicate Depositor Can create documents in the database, but cannot read, edit, Note: $his ACL le el is not normally or delete documents, including assigned to ser ers& those they create Reader Can read documents, but cannot create, edit, or delete them Can create and read documents, and edit own documents i! Authors !ields are used Note: Designers can modi!y a database to allow users to edit their own documents& Can replicate to recei e only 3not send documents6 Minimum access !or ser ers to get data Can replicate new documents, but cannot modi!y documents Minimum access !or ser ers to send data

Author

Note: $his ACL le el is not normally assigned to ser ers

Editor

Can create, read, and edit all documents

Can replicate all new and changed documents

Designer

Can modi!y the database design, Can replicate all new and changed but cannot modi!y the ACL or documents, and replicate design delete the database elements Can per!orm all operations on Can replicate ACL changes as well as the database, including changing all document and design changes ACLs and deleting the database

Manager

=B& Can you describe ACL le el 3Manager, Editor, Author, Designer, Depositor, Reader and 2nassigned6; =C& 0hat is the *CL; http:EEwww&codestore&netEhelpEhelp4Fadmin&ns!E!:bB>!bbA8eC:>a4B8>844ac55=A!>B: EC:4aC:e:>!c8B!8bB8>84c<d55=CBb:B;-penDocument

5%C4,I(@ o)ino server*!ased certification authority Dou can set up a Domino certi!ier that uses a ser er task, the CA process, to manage and process certi!icate re9uests& $he CA process runs as an automated process on Domino ser ers that are used to issue certi!icates& 0hen you set up a Notes or *nternet certi!ier, you link it to the CA process on the ser er in order to take ad antage o! CA process acti ities& -nly one instance o! the CA process can run on a ser erH howe er, the process can be linked to multiple certi!iers& Dou can set up Notes and *nternet certi!iers to use the CA process& Consider using the CA process because it: /ro ides a uni!ied mechanism !or issuing Notes and *nternet certi!icates& ,upports the registration authority 3RA6 role, which you use to delegate the certi!icate appro alEdenial process to lower.echelon administrators in the organi)ation& Does not re9uire access to the certi!ier *D and *D password& A!ter you enable certi!iers !or the CA process, you can assign the registration authority role to administrators, who can then register users and manage certi!icate re9uests without ha ing to pro ide the certi!ier *D and password& ,impli!ies the *nternet certi!icate re9uest process through a 0eb.based certi!icate re9uest database& *ssues certi!icate re ocation lists, which contain in!ormation about re oked or e%pired *nternet certi!icates&

Creates and maintains the *ssued Certi!icate List 3*CL6, a database that contains in!ormation about all certi!icates issued by the certi!ier& *s compliant with security industry standards !or *nternet certi!icates .. !or e%ample, N&85C and /I*N&

$o manage the CA process !rom the Domino console, you use a set o! ser er $ell commands& Issued Certificate List AICLB Each certi!ier has an *ssued Certi!icate List 3*CL6 that is created when the certi!ier is created or migrated to the CA process& $he *CL is a database that stores a copy o! each une%pired certi!icate that it has issued, certi!icate re ocation lists, and CA con!iguration documents& Con!iguration documents are generated when you create the certi!ier and sign it with the certi!ierKs public key& A!ter you create these documents, you cannot edit them& CA con!iguration documents include: Certi!icate pro!iles, which contain in!ormation about certi!icates issued by the certi!ier& CA con!iguration document, which contains in!ormation about the certi!ier itsel!& RAECA association documents, which contain in!ormation about the RAs who are authori)ed to appro e and deny certi!icate re9uests& $here is one document !or each RA& *D !ile storage document, which contains in!ormation about the certi!ier *D&

Another CA con!iguration document, the Certi!ier document, is created in the Domino Directory when you set up the a certi!ier& $his document can be modi!ied& #or more in!ormation, see the topic Modi!ying a certi!ier& Certificate ,evocation List AC,LB A CRL is a time.stamped list identi!ying re oked *nternet certi!icates .. !or e%ample, certi!icates belonging to terminated employees& $he CA process issues and maintains CRLs !or each *nternet certi!ier& A CRL is associated with a certi!ier, is signed by that certi!ier, and resides in the certi!ierKs *CL database& A copy o! the CRL is also stored in the Domino Directory, where it is used to assert certi!icate alidity by entities that re9uire certi!icate authentication& Dou con!igure the CRL when you create a new *nternet certi!ier& Dou can speci!y the length o! time !or which a CRL is alid and the inter al between publication o! new CRLs& A!ter CRLs are con!igured, the certi!ier issues them on a regular basis and they operate unattended& 2sing CRLs, you can manage the certi!icates issued in your organi)ation& Dou can easily re oke a certi!icate i! the sub@ect o! the certi!icate lea es the organi)ation or i! the key has been compromised& '$$/ ser ers and 0eb browsers check the CRLs to determine

whether a gi en certi!icate has been re oked, and is there!ore no longer trusted by the certi!ier& 0hen you use *nternet ,ite documents to con!igure *nternet protocols on the Domino, you can also enable CRL.checking !or each protocol& $here are two kinds o! CRLs: regular and non.regular& #or regular CRLs, you con!igure a duration inter al .. the time period !or which the CRL is alid .. and the inter al at which new CRLs are issued& Each certi!ier issues a CRL at the speci!ied time, e en i! no certi!icates ha e been re oked since the last CRL was issued& $his means that i! an administrator re okes a certi!icate, it appears in the ne%t scheduled CRL issued by the certi!ier& $he CRL duration period should be greater than the time period between each CRL issuance& $his ensures that the CRL remains alid& -therwise, the CRL could e%pire be!ore a new one is issued& 'owe er, in the e ent o! a critical security break .. !or e%ample, i! the administrator needs to re oke a particularly power!ul certi!icate or the certi!ier certi!icate is compromised .. you can manually issue a non.regular CRL . that is, an unscheduled CRL . to en!orce the emergency re ocation& $his type o! re ocation does not a!!ect either the timing or the content o! the ne%t scheduled CRL& Dou use a $ell command to issue a non.regular CRL& #or more in!ormation on re oking a certi!icate, see the topic Re oking a certi!icate& #or more in!ormation on enabling CRL.checking !or *nternet ,ite documents, see the topic ,etting up security !or *nternet ,ite documents& #or more in!ormation on con!iguring a regular CRL, see the topic Creating a certi!ier !or a ser er.based CA& #or more in!ormation on issuing a nonscheduled CRL, see the topic Certi!icate authority process tell commands&

:5& 0hat is CRL; http:EEwww&codestore&netEhelpEhelp4Fadmin&ns!E!:bB>!bbA8eC:>a4B8>844ac55=A!>B: Ee:=!B:CAe!!bC<AdB8>84c<d55=a=:8A;-penDocument Certificate Authority process tell co))ands $his table describes additional $ell commands you can use with the Domino CA process& Co))and tell ca 9uit tell ca stat ,esult ,tops CA process& Displays summary in!ormation !or the certi!iers using the CA processH this includes the certi!ierKs number, its hierarchical name, certi!ier type 3Notes or *nternet6, whether it is acti e, and name o! the *CL database&

tell ca show 9ueue Display a list o! pending certi!icate re9uests, re ocation re9uests, and certi!ier number con!iguration modi!ication re9uests !or a speci!ic certi!ier, using its number !rom the results o! the Ltell ca statusL command& Dou can also use \ to show this in!ormation !or all certi!iers that are using the

CA process& tell ca acti ate certi!ier number password Acti ate a certi!ier i! the certi!ier is created with LRe9uire password to acti ate certi!ier,L or use this !or any certi!ier that has been deacti ated& Acti ation is enabled during CA setup and creation& Acti ate a speci!ic certi!ier by entering its number !rom the results o! the Ktell ca statusK command& -r you can actually unlock all ser er *DEpassword.protected certi!iers at one time with this command, i! you speci!y L\L !or the certi!ier number& $he CA process then prompts you !or the password !or each certi!ier& Deacti ate a certi!ier& Dou will need to acti ate it again in order !or it to process any re9uest& 2se \ to deacti ate e erything, or deacti ate a speci!ic certi!ier by entering its number !rom the results o! the Ktell ca statusK command& Lock all certi!iers that were set up with a lock *D, as speci!ied during CA setup&

tell ca deacti ate certi!ier number

tell ca lock id!ile

tell ca unlock id!ile 2nlock all certi!iers using the *D and password that comprise the lock password *D& $he lock *D is speci!ied during CA setup& tell ca CRL issue certi!ier number tell ca CRL push certi!ier number tell ca CRL in!o certi!ier number ]sE,EnEN^ tell ca re!resh *ssue a non.regular CRL !or a speci!ic certi!ier, where certi!ier number is the number o! the certi!ier speci!ied in the results o! the Ltell ca statusL command& /ush a certi!ierKs latest regularly scheduled CRL to the Domino Directory, where certi!ier number is the number o! the certi!ier speci!ied in the results o! the Ltell ca statusL command& Display CRL in!ormation !or a speci!ied certi!ier, where certi!ier number is the number o! the certi!ier speci!ied by the Ktell ca statusK command& 2se s or , !or regularly scheduled CRLs, and n or N !or non.regularly scheduled CRLs& #orce the CA process to re!resh its list o! certi!iers& As a result: newly con!igured certi!iers will be added to the CA process pre iously unlocked certi!iers will need to be unlocked again pre iously acti ated certi!iers may need to be acti ated again, i! the acti ation password has changed the Notes certi!ier *D !ile in idstorage will be updated with the latest certi!icate in!ormation

tell ca help

List tell ca options