Lotus Domino 6
Disclaimer
THIS DOCUMENTATION IS PROVIDED FOR REFERENCE PURPOSES ONLY. WHILE EFFORTS WERE MADE TO VERIFY THE COMPLETENESS AND ACCURACY OF THE INFORMATION CONTAINED IN THIS DOCUMENTATION, THIS DOCUMENTATION IS PROVIDED AS IS WITHOUT ANY WARRANTY WHATSOEVER AND TO THE MAXIMUM EXTENT PERMITTED, IBM DISCLAIMS ALL IMPLIED WARRANTIES, INCLUDING WITHOUT LIMITATION THE IMPLIED WARRANTIES OF MERCHANTABILITY, NONINFRINGEMENT AND FITNESS FOR A PARTICULAR PURPOSE, WITH RESPECT TO THE SAME. IBM SHALL NOT BE RESPONSIBLE FOR ANY DAMAGES, INCLUDING WITHOUT LIMITATION, DIRECT, INDIRECT, CONSEQUENTIAL OR INCIDENTAL DAMAGES, ARISING OUT OF THE USE OF, OR OTHERWISE RELATED TO, THIS DOCUMENTATION OR ANY OTHER DOCUMENTATION. NOTWITHSTANDING ANYTHING TO THE CONTRARY, NOTHING CONTAINED IN THIS DOCUMENTATION OR ANY OTHER DOCUMENTATION IS INTENDED TO, NOR SHALL HAVE THE EFFECT OF, CREATING ANY WARRANTIES OR REPRESENTATIONS FROM IBM (OR ITS SUPPLIERS OR LICENSORS), OR ALTERING THE TERMS AND CONDITIONS OF THE APPLICABLE LICENSE AGREEMENT GOVERNING THE USE OF THIS SOFTWARE.
Copyright
Under the copyright laws, neither the documentation nor the software may be copied, photocopied, reproduced, translated, or reduced to any electronic medium or machine-readable form, in whole or in part, without the prior written consent of IBM, except in the manner described in the documentation or the applicable licensing agreement governing the use of the software.
Copyright IBM Corporation 1985, 2002. All rights reserved.
Lotus Software, IBM Software Group, One Rogers Street, Cambridge, MA 02142
US Government Users Restricted Rights: Use, duplication or disclosure restricted by GS ADP Schedule Contract with IBM Corp.
List of Trademarks
1-2-3, cc:Mail, Domino, Domino Designer, Freelance Graphics, iNotes, Lotus, Lotus Discovery Server, Lotus Enterprise Integrator, Lotus Mobile Notes, Lotus Notes, Lotus Organizer, LotusScript, Notes, QuickPlace, Sametime, SmartSuite, and Word Pro are trademarks or registered trademarks of Lotus Development Corporation and/or IBM Corporation in the United States, other countries, or both.
AIX, AS/400, DB2, IBM, iSeries, MQSeries, Netfinity, OfficeVision, OS/2, OS/390, OS/400, S/390, Tivoli, and WebSphere are registered trademarks of International Business Machines Corporation in the United States, other countries, or both.
Pentium is a trademark of Intel Corporation in the United States, other countries, or both.
Microsoft, Windows, and Windows NT are registered trademarks of Microsoft Corporation in the United States, other countries, or both.
UNIX is a registered trademark of The Open Group in the United States and other countries.
Java and all Java-based trademarks and logos are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.
All other trademarks are the property of their respective owners.
Contents
Preface
Volume 1
1 Deploying Domino
Starting and shutting down the Domino server
Lotus Domino and networks
Network security
Planning the TCP/IP network
Planning the NetBIOS network
Planning the IPX/SPX network
Setting up Domino servers on the network
Server setup tasks specific to TCP/IP
Server setup tasks specific to NetBIOS
Server setup tasks specific to IPX/SPX
NOTES.INI settings for networks
Planning server-to-server connections
How a server connects to another server
Internet connections
Passthru servers and hunt groups
Planning the use of passthru servers
Setting up a server as a passthru server
Setting up a server as a passthru destination
Planning for modem use
Commands for acquire and connect scripts
Connecting Notes clients to servers
Setting up client installation for users
Managing users
License Tracking
Custom welcome page deployment
Using the Domino Server Setup program
The Certification Log
Server registration
Optional tasks to perform after server setup
Using groups
Creating and modifying groups
Managing groups
Assigning a policy to a group
Scheduling server-to-server replication
Customizing server-to-server replication
Specifying replication direction
Scheduling times for replication
Replicating only specific databases
Replicating databases by priority
Limiting replication time
Using multiple replicators
Refusing replication requests
Forcing immediate replication
Disabling database replication
Forcing a server database to replicate
Viewing replication schedules and topology maps
9 Using Policies
Policies
Policy hierarchy and the effective policy
Planning and assigning policies
Creating policies
Mail archiving and policies
Managing policies
Viewing policy relationships
10 Setting Up Domain Search
Domain Search
Planning the Domain Index
Creating and updating the Domain Index
Customizing Domain Search forms
Setting up Notes users for Domain Search
Setting up Web users for Domain Search
Using content maps with Domain Search
NOTES.INI settings for Domain Search
11 Setting Up Domino Off-Line Services
Domino Off-Line Services
Using Domino features in a hosted server environment
Example of planning a hosted environment
Setting up the Resource Reservations database
Creating Site Profile and Resource documents
Editing and deleting Resource documents
Creating Holiday documents
Administering the Domino System, Volume 2
Setting up the Domino certificate authority for hosted organizations
Using policies in a hosted environment
Example of registering a hosted organization
Registering a hosted organization
Using Internet and Web Site documents in a hosted environment
Global Web Settings documents and the service provider environment
Configuring activity logging for billing hosted organizations
Processing administration requests across domains
Setting up ACLs for the Administration Process
The Administration Requests database
Customizing the Administration Process
Administration Process Statistics
Administration request messages
Adding a hosted organization to an additional server to provide new Web applications
Deleting a hosted organization
Temporarily disabling services for a hosted organization
The Domino Administrator
Installing the Domino Administrator
Setting up the Domino Administrator
Starting the Domino Administrator
Navigating Domino Administrator
Selecting a server to administer in the Domino Administrator
Moving a hosted organization to another server
Removing a hosted organization from a backup or load-balancing server
Restoring a hosted environment after a server crash
Using a browser to access a hosted organization's Web site
Setting Domino Administration preferences
Domino Administrator tabs
Web Administrator
Setting up the Web Administrator
Starting the Web Administrator
Using the Web Administrator
The Server Controller and the Domino Console
Using the Windows NT Performance Monitor to view Domino
Setting up Domino Active Directory synchronization
18 Planning Directory Services
Overview of Domino directory services
Using directory servers in a Domino domain
20 Setting Up the LDAP Service
The LDAP service
How the LDAP service works
Setting up the LDAP service
Starting and stopping the LDAP service
Customizing the LDAP service configuration
Planning the management of entries in the Domino Directory
Planning directory services for Notes clients
Planning directory services in a multiple-directory environment
Directory search order
Setting up clients to use the LDAP service
Using LDAP to search a Domain index
Monitoring the LDAP service
NOTES.INI settings for the LDAP service
RFCs supported by the LDAP service
21 Managing the LDAP Schema
LDAP schema
The Domino LDAP schema
The schema daemon
Domino LDAP Schema database
Methods for extending the schema
Extending the schema using the Schema database
Using a central directory architecture in a Domino domain
Managing Domino Directories in a central directory architecture
Controlling access to the Domino Directory
Corporate hierarchies
Specifying the Domino Directories for the Dircat task to aggregate
Controlling which information is aggregated into a directory catalog
Full-text indexing directory catalogs
Planning issues specific to Extended Directory Catalogs
Planning issues specific to condensed Directory Catalogs
Multiple directory catalogs
Overview of setting up a condensed Directory Catalog
The Dircat task
Directory assistance
How directory assistance works
Directory assistance services
Directory assistance concepts
Directory assistance and naming rules
Directory assistance and domain names
Directory assistance and failover for a directory
Directory assistance for an Extended Directory Catalog
Directory assistance in conjunction with a condensed Directory Catalog
Directory assistance for the primary Domino Directory
Number of directory assistance databases
Setting up directory assistance
Directory assistance examples
Monitoring directory assistance
Extended Directory Catalogs
Overview of directory catalog setup
Planning directory catalogs
Directory catalogs and client authentication
Elements of an extended ACL
Extended ACL access settings
Extended ACL subject
Extended ACL target
Extended ACL examples
Extended ACL guidelines
Setting up and managing an extended ACL
Overview of routing mail using SMTP
The Domain Name System (DNS) and SMTP mail routing
27 Setting Up Mail Routing
The Domino mail router
Planning a mail routing topology
Sample mail routing configurations
Creating a Configuration Settings document
Setting up Notes routing
Configuring Domino to send and receive mail over SMTP
Setting up how addresses are resolved on inbound and outbound mail
Configuring Domino to send mail to a relay host or firewall
Customizing mail
Controlling messaging
Improving mail performance
Controlling message delivery
Setting server mail rules
Customizing message transfer
Setting transfer limits
Setting advanced transfer and delivery controls
29 Setting Up Shared Mail
Shared mail overview
Setting up shared mail databases
Managing a shared mail database
Disabling shared mail
30 Setting Up the POP3 Service
The POP3 service
Setting up the POP3 service
Setting up POP3 users
31 Setting Up the IMAP Service
The IMAP service
Setting up the IMAP service
Customizing the IMAP service
Setting up IMAP users
IMAP settings in the server NOTES.INI file
Customizing Notes routing
Customizing SMTP Routing
Changing SMTP port settings
Restricting SMTP inbound routing
Preventing unauthorized SMTP hosts from using Domino as a relay
iNotes Web Access
iNotes Access for Microsoft Outlook
33 Monitoring Mail
Tools for mail monitoring
Setting up mail monitoring
Viewing mail usage reports
Hosting Web sites
Web Site rules and global Web settings
Custom Web server messages
Improving Web server performance
Certificates
Password-protection for Notes and Domino IDs
Verifying user passwords during authentication
The Web Navigator
Setting up a Web Navigator server
Customizing the Web Navigator
The Web Navigator database
Customizing the Web Navigator database
The database access control list
Default ACL entries
Acceptable entries in the ACL
Configuring a database ACL
Access levels in the ACL
Access level privileges in the ACL
User types in the ACL
Roles in the ACL
Managing database ACLs
Using the Administration Process to update ACLs
Setting up the Administration Process for database ACLs
Managing database ACLs with the Web Administrator
Editing entries in multiple ACLs
Customizing access to a Domino server
Physically securing the Domino server
39 Protecting and Managing Notes IDs
Domino server and Notes user IDs
Enforcing a consistent access control list
Setting up database access for Internet users
Maximum Internet name-and-password access
Internet certificates for SSL and S/MIME
Setting up Notes clients for S/MIME
Dual Internet certificates for S/MIME encryption and signatures
Setting up Notes and Internet clients for SSL client authentication
Using SSL when setting up directory assistance for LDAP directories
IBM Tivoli Analyzer for Lotus Domino
Server Health Monitor
Table of Server Health Monitor statistics
Table of Server Health Monitor ratings
Server Health Monitor configuration
Using the Server Health Monitor
Working with Server Health Monitor statistics
Monitoring the Domino system
Monitoring events on the Domino system
Event generators
Event handlers
Viewing an event report
Viewing event messages, causes, and solutions
Customizing the appearance of the Domino server console and Domino Administrator console
Charting statistics
Domino server monitor
Profiles and the Domino server monitor
View logging
Using transaction logging for recovery
Fault recovery
56 Using Log Files
The Domino server log (LOG.NSF)
Controlling the size of the log file (LOG.NSF)
The Domino Web server log (DOMLOG.NSF)
Managing servers
Decommissioning a Domain Search server
Uninstalling a Domino partitioned server
Improving partitioned server performance and capacity
Improving Agent Manager performance
Improving database and Domino Directory performance
Tips for tuning mail performance
Activity logging
The information in the log file
Configuring activity logging
Viewing activity logging data
58 Maintaining Databases
Database maintenance
The Files tab in the Domino Administrator
Monitoring replication of a database
Replication or save conflicts
Monitoring database activity
Updating database indexes and views
Managing view indexes
Synchronizing databases with master templates
Improving Windows NT and Windows 2000 server performance
Improving UNIX server performance
Fixing corrupted databases
Using Fixup
Moving databases
Deleting databases
Database analysis
The database cache
Controlling database size
Tools for monitoring database size
Monitoring database size
Compacting databases
Ways to compact databases
Database size quotas
Deleting inactive documents
Using an agent to delete and archive documents
Allowing more fields in a database
Idle Workload script
R5 IMAP Workload test
R5 Simple Mail Routing test
R5 Shared Database test
SMTP and POP3 Workload test
Web Idle Workload test
Web Mail test
63 Troubleshooting
Troubleshooting the Domino system
Troubleshooting tools
Overview of server maintenance
Server maintenance checklist
Backing up the Domino server
Administration Process Troubleshooting
Server access Troubleshooting
Server crashes Troubleshooting
Transaction logging Troubleshooting
Web server, Web Navigator, and the Web Administrator Troubleshooting
Server.Load Troubleshooting
Appendix A Server Commands
Appendix B Server Tasks
Appendix C NOTES.INI File
Appendix D System and Application Templates
Appendix E Customizing the Domino Directory
Appendix F Administration Process Requests
Appendix G Novell Directory Service for the IPX/SPX Network
Appendix H Accessibility and Keyboard Shortcuts in Domino Administrator
Appendix I Server.Load Command Language
Appendix J Server.Load Scripts
Index
Preface
The documentation for IBM Lotus Notes, IBM Lotus Domino, and IBM Lotus Domino Designer is available online in Help databases and, with the exception of the Notes client documentation, in print format.
License information
Any information or reference related to license terms in this document is provided to you for your information. However, your use of Notes and Domino, and any other IBM program referenced in this document, is solely subject to the terms and conditions of the IBM International Program License Agreement (IPLA) and related License Information (LI) document accompanying each such program. You may not rely on this document should there be any questions concerning your right to use Notes and Domino. Please refer to the IPLA and LI for Notes and Domino that is located in the file LICENSE.TXT.
System requirements
Information about the system requirements for Lotus Notes and Domino is listed in the Release Notes.
Related information
In addition to the documentation that is available with the product, other information about Notes and Domino is available on the Web sites listed here. IBM Redbooks are available at www.redbooks.ibm.com.
A technical journal, discussion forums, demos, and other information are available on the Lotus Developer Domain site at www-10.lotus.com/ldd.
Table of conventions
This table lists conventions used in the Notes and Domino documentation.
Convention: italics
Description: Variables and book titles are shown in italic type.
Convention: monospaced type
Description: Code examples and console commands are shown in monospaced type.
File names are shown in uppercase, for example NAMES.NSF.
Hyphens are used between menu names, to show the sequence of menus.
Description
Describes how to upgrade existing Domino servers and Notes clients to Notes and Domino 6. Also describes how to move users from other messaging and directory systems to Notes and Domino 6.
Describes how to plan a Domino installation; how to configure Domino to work with network protocols such as Novell SPX, TCP/IP, and NetBIOS; how to install servers; and how to install and begin using Domino Administrator and the Web Administrator.
Describes how to register and manage users and groups, and how to register and manage servers including managing directories, connections, mail, replication, security, calendars and scheduling, activity logging, databases, and system monitoring. This book also describes how to use Domino in a service provider environment, how to use Domino Off-Line Services, and how to use IBM Tivoli Analyzer for Lotus Domino.
Describes how to set up, manage, and troubleshoot Domino clusters.
Documentation for Domino Designer
The following table describes the books that comprise the Domino Designer documentation set. The information in these books is also found online in the Lotus Domino Designer 6 Help database (HELP6_DESIGNER.NSF) with one exception: Domino Enterprise Connection Services (DECS) Installation and User Guide is available online in a separate database, DECS User Guide Template (DECSDOC6.NSF). The printed documentation set also includes Domino Objects posters. In addition to the books listed here, the Domino Designer Templates Guide is available for download in NSF or PDF format. This guide presents an in-depth look at three commonly used Designer templates: TeamRoom, Discussion, and Documentation Library.
Title: Application Development with Domino Designer
Description: Explains how to create all the design elements used in building Domino applications, how to share information with other applications, and how to customize and manage applications.
Title: Domino Designer Programming Guide, Volume 1: Overview and Formula Language
Description: Introduces programming in Domino Designer and describes the formula language.
Title: Domino Designer Programming Guide, Volumes 2A and 2B: LotusScript/COM/OLE Classes
Description: Describes the LotusScript/COM/OLE classes for access to databases and other Domino structures.
Title: Domino Designer Programming Guide, Volume 3: Java/CORBA Classes
Description: Provides reference information on using the Java and CORBA classes to provide access to databases and other Domino structures.
Title: Domino Designer Programming Guide, Volume 4: XML Domino DTD and JSP Tags
Description: Describes the XML and JSP interfaces for access to databases and other Domino structures.
Title: LotusScript Language Guide
Description: Describes the LotusScript programming language.
Title: Domino Enterprise Connection Services (DECS) Installation and User Guide
Description: Describes how to use Domino Enterprise Connection Services (DECS) to access enterprise data in real time.
Title: Lotus Connectors and Connectivity Guide
Description: Describes how to configure Lotus Connectors for use with either DECS or IBM Lotus Enterprise Integrator for Domino (LEI). It also describes how to test connectivity between DECS or LEI and an external system, such as DB2, Oracle, or Sybase. Lastly, it describes usage and feature options for all of the base connection types that are supplied with LEI and DECS. This online documentation file name is LCCON6.NSF.
Description: Describes how to use the LC LSX to programmatically perform Lotus Connector-related tasks outside of, or in conjunction with, either LEI or DECS. This online documentation file name is LSXLC6.NSF.
Description: Describes installation, configuration, and migration information and instructions for LEI. The online documentation file names are LEIIG.NSF and LEIIG.PDF. This document is for LEI customers only and is supplied with LEI, not with Domino.
Title: IBM Lotus Enterprise Integrator for Domino (LEI) Activities and User Guide
Description: Provides information and instructions for using LEI and its activities. The online documentation file names are LEIDOC.NSF and LEIDOC.PDF. This document is for LEI customers only and is supplied with LEI, not with Domino.
Security
Once you have an understanding of the business requirements, you can then begin to plan the specifics of your Domino infrastructure, including:
• Will more than one Domino domain be needed, or will the new domain need to interact with existing domains?
• What is the best method to expose Domino data to the Internet?
• What service levels are needed to support the business?
• Who should have what level of access to the Domino Directory?
You should also understand the Domino security model, in order to better understand the Domino assets you need to protect and how they can be protected. For more information, see the topic "The Domino security model" later in this chapter.
For more information on change control, see the chapter "Using IBM Tivoli Analyzer for Lotus Domino."
Once you have your incident-handling plans in place, you will be better able to determine your requirements for:
• Domino logging
• Domino HTTP logging
• Domino backup and restoring
• Parameters for Domino event monitoring
For more information on the Domino server and Web server logs, see the chapter "Using Log Files." For information on backing up Domino, see the chapter "Troubleshooting." For more information on event monitoring, see the chapter "Monitoring the Domino Server."
Note The National Institute of Standards and Technology published a document about the relationship among security awareness, training, and education, titled Information Technology Security Training Requirements: A Role- and Performance-Based Model (NIST Special Publication 800-16).
Physical security
Physically securing servers and databases is as important as preventing unauthorized user and server access. It is the first line of defense against unauthorized or malicious users, because it prevents them from having direct access to your Domino servers. Therefore, we strongly recommend that you locate all Domino servers in a ventilated, secure area, such as a locked room. If servers are not physically secure, unauthorized users might circumvent security features (for example, ACL settings) and access applications directly on the server, use the operating system to copy or delete files, or physically damage the server hardware itself. Physical network security concerns should also include disaster planning and recovery.
Network security
The goal for securing your network is to prevent unauthorized users from gaining access to servers, users, and data. Physical network security is beyond the scope of this book, but you must set it up before you set up Notes and Domino connection security. Physical network security is established through the use of devices such as filtering routers, firewalls, and proxy servers that enable network connections for various network services (such as LDAP, POP3, FTP, and SMTP) that you want to provide for your users. Network connection security access is also controlled using these devices, as you can define what connections can be accessed, and who is authorized to use them. Properly configured, these devices prevent unauthorized users from:
• Breaking through into the network and accessing the server via the operating system and its native services (such as file sharing)
• Impersonating an authorized Notes user
• Eavesdropping on the network to collect data
Server security
The Domino server is the most critical resource to secure and is the first level of security that Domino enforces after a user or server gains access to the server on the network. You can specify which users and servers have access to the server and restrict activities on the server. For example, you can restrict who can create new replicas and use passthru connections. You can also restrict and define administrator access, by delegating access based on the administrator duties and tasks. For example, you can enable access to operating system commands through the server console for system administrators, and grant database access to those administrators who are responsible for maintaining Domino databases. If you set up servers for Internet/intranet access, you should set up SSL and name-and-password authentication to secure network data transmitted over the network and to authenticate servers and clients. For more information, see the topic Server security later in this chapter.
ID security
A Notes or Domino ID uniquely identifies a user or server. Domino uses the information contained in IDs to control the access that users and servers have to other servers and applications. One of the responsibilities of the administrator is to protect IDs and make sure that unauthorized users do not use them to gain access to the Domino environment.
Some sites may require multiple administrators to enter passwords before gaining access to a certifier or server ID file. This prevents one person from controlling an ID. In such cases, each administrator should ensure each password is secure to prevent unauthorized access to the ID file. For more information, see the topic Notes and Domino ID security later in this chapter. You can also secure Notes user IDs with Smartcards. Smartcards reduce the threat of user ID theft, as a user who has a Smartcard needs their user ID, their Smartcard, and their Smartcard PIN to access Notes. For more information on Smartcards, see Lotus Notes 6 Help.
Application security
Once users and servers gain access to a Domino server, you can use the database access control list (ACL) to restrict access that specific users and servers have to individual Domino applications on the server. In addition, to provide data privacy, encrypt the database with an ID so unauthorized users cannot access a locally stored copy of the database, sign or encrypt mail messages users send and receive, and sign the database or template to protect workstations from formulas. For more information on database ACLs, see the topic Application security later in this chapter.
Application design element security
Although users may have access to an application, they may not have access to specific design elements in the application (for example, forms, views, and folders). When designing a Domino application, an application developer can use access lists and special fields to restrict access to specific design elements. For more information on securing design elements, see the topic Application design element security later in this chapter.
Workstation data security
Notes users may keep and use important applications and information on their workstations. This information can be protected through the use of an execution control list (ECL), which defines the access that active content from other users has to the user workstation. For more information on execution control lists, see the topic Workstation data security later in this chapter.
Getting started
You need to develop a set of security documentation for your organization. There are four basic types of security documents needed for any security implementation:
• Policies are the driving documents for the business. These are typically high level statements about the security needs of the business. Your organization probably already has policy documents for the organization as a whole. You build and, if necessary, expand on these to develop the security policies for your Domino environment.
• Guidelines provide overall guidance on how to support and maintain security in the enterprise.
• Standards are established rules on what will and will not happen in an enterprise. Audits may cover all four types of documents, but the auditor will really focus on the standards set down by a company. Standards typically cover things like minimum password strength, password expiration intervals, server operating systems and physical environments, Internet and dial-in access controls, background checks for administrators, and auditing requirements.
• Procedures typically include specific steps on how to implement security within an enterprise. This will be the bulk of your Domino security documentation, covering everything from how to control Domino and X.509 certifiers to what to do when users have forgotten their Notes or Internet passwords to what steps to take when an employee leaves an organization. Procedures are developed after the security framework is in place.
The Domino security team is responsible for initial direction, feedback, and auditing of these documents. The team must include representatives from each department within the enterprise. With this approach, the security documents created will meet the needs of the entire company. This has the added benefit of creating buy-in from the participating departments.
Most companies will have a matrix of responsibility similar to the one below:
Role: Responsibility
CEO: The CEO needs to be a virtual member of the team. Security must flow from both the top down and the bottom up.
CIO / CTO: All technology officers need to be members of the team. It is appropriate for these members to delegate their role to someone else, as long as the delegate has the authority to make decisions.
Security officer: This person will be the driver of security in the organization.
Representatives from each functional department: These representatives specify business needs and requirements. They must have decision-making authority.
Accounting: They will provide the information for risk analysis.
IT Department: These team members can translate business needs and requirements into technology.
HR / Training: HR needs to assist with user training. HR is also involved with background checks, privacy of personal information, and termination policies and procedures.
Legal: These team members provide information on the legal implications of anything to do with employees, risk management, or publication of information.
This group creates and edits the documents.
This team will handle incidents that are not covered by implemented security practices.
Communication specialists: Communication to the end users about security is critical.
Domino administrators: Provide expertise on the Domino computing environment.
Leveraging end users
Your users are a critical part of your security implementation. You should communicate to them the importance of your security planning efforts, as well as security guidelines and standards that you develop. Technology alone cannot keep your organization secure. Your users are as important as any firewall or certificate authority in ensuring the success of your security infrastructure.
Planning Security 37-9
One way to involve users in security planning is to conduct a survey to determine the level of enterprise security that users expect, as well as the assets they feel should be protected. An anonymous survey is a good way to discover security issues that users may not be willing to express openly.
Note The most respected and commonly used standard source for security policies and procedures is the ISO17799 standard. The National Institute of Standards and Technology has multiple guidelines for developing security policies, standards, and procedures, including information about ISO 17799.
Database managers
Database managers are responsible for one or more Lotus Notes databases or database applications. A major responsibility of a database manager includes managing database access control lists (ACLs). Some organizations will use the concept of a database owner for management of sensitive data.
Certificate authority administrators
Certificate authority administrators create and manage Domino server-based certification authorities and Domino 5 certificate authorities. They have access to all certifier ID files. For the server-based certification authority, CA administrators can delegate user registration and certificate approval to registration authorities. Otherwise, they are responsible for approving and issuing Internet server and client certificates. Since certification is the cornerstone of Notes and Domino security, delegate responsibility for it with the utmost care. For more information on the server-based certification authority, see the chapter Setting Up a Domino Server-Based Certification Authority.
Registration authority administrators
The registration authority role is new for Domino 6 and is unique to the server-based certification authority. A registration authority can register new Notes users and Domino servers without requiring access to the certifier ID and password. Registration authorities can also recertify users and, for Internet certifiers, approve client certificate requests and revoke certificates. For more information on the registration authority role, see the chapter Setting Up a Domino Server-Based Certification Authority.
Server security
To secure Domino servers, you allow and prevent user and server access. In addition, you restrict the activities that users and servers may perform on the server.
Task: Use
Choose an internal or external Internet certificate authority: Set up a certifier that will be used to issue Internet certificates in your organization.
Cross-certify Notes user IDs and Domino server and certifier IDs: Allow Notes users and Domino servers in different hierarchically certified organizations to ascertain the identity of users and servers in other Notes organizations.
Allow or deny access to a server: Specify which Notes users, Internet clients, and Domino servers are authorized to access the server.
Allow anonymous server access: Give server access to Notes users and Domino servers outside of the organization without issuing a cross-certificate.
Allow anonymous Internet/Intranet client access: Determine whether Internet/intranet users are allowed to access the server anonymously.
Secure the server with name-and-password authentication: Identify Internet and intranet users accessing the server and control access to applications based on the user name.
Enable session-based authentication: Allow Web browser clients to authenticate and maintain state with the server by using cookies, using session-based name-and-password authentication. Session-based authentication lets administrators provide a customized sign-in form and configure session expiration to log users off the server after a specified period of inactivity. Also provides capability for single sign-on between Domino and WebSphere servers, using the same cookie.
Controlling the level of authentication for Web clients: Specify the level of refinement that the server should use when searching for names and authenticating Web users.
Limit access to create new databases, replicas, or templates: Allow specified Notes users and Domino servers to create databases and replica databases on the server. Limiting this access avoids a proliferation of databases and replicas on the server.
Control access to a server's network port: Allow specified Notes users and Domino servers to access the server over a port.
Encrypt server's network port: Encrypt data sent from the server's network port to prevent network eavesdropping.
Password protect the server console: Prevent unauthorized users from entering commands at the server console.
Restrict administrator access: Assign different types of administrator access to individuals based on the tasks they need to do on the Domino server.
Restrict server agents: Specify which Notes users and Domino servers are allowed to run which kinds of agents on the server.
Restrict passthru access: Specify which Notes users and Domino servers can access the server as a passthru server and specify the destinations they may access.
Restrict server access by browser users running Java or JavaScript programs: Specify which Web browser users can use Domino ORBs to run Java or JavaScript programs on the server.
Secure the server with SSL: Set up SSL security for Internet/intranet users to authenticate the server, encrypt data, prevent message tampering, and, optionally, authenticate clients. This is mandatory for e-commerce and secure business-to-business messaging.
Set mail router restrictions: Restrict mail routing based on Domino domains, organizations, and organizational units.
Set inbound SMTP restrictions: Restrict inbound mail to prevent Domino from accepting unwanted commercial e-mail.
Use S/MIME: Use S/MIME to encrypt outgoing mail. This is often mandatory for secure business-to-business messaging.
Prevent relaying through MTA: Enhance SMTP router security.
Use file protection documents: Specify who can access files (for example, HTML, GIF, or JPEG) on a server's hard drive.
Authenticate Internet clients using a secondary Domino Directory or LDAP directory: Authenticate Web clients who use name-and-password or SSL client authentication in secondary Domino or LDAP Directories marked as trusted by your domain.
Authenticate Web clients for a specific realm: Allow Web users to access a certain drive, directory, or file on a Domino server and prevent Domino from prompting users for a name-and-password for different realms.
Locate the server in a secure area: Prevent unauthorized access to unencrypted data and server and certifier IDs that are stored on the server's hard drive.
Secure the server console with a Smartcard: Prevent unauthorized access to the server console by requiring the use of a Smartcard to log in to Domino.
Use a firewall to protect access to a server: Control unauthorized access to a private network from the public Internet.
For more information on securing Domino servers, see the chapter Controlling Access to Domino Servers.
Application security
Restrict access to Domino applications to prevent unauthorized users from gaining access to information.
Task: Use
Use the ACL to restrict application access: Control Notes and Internet/intranet user and Domino server access to an application.
Enforce a consistent ACL: Protects databases and templates on the server by forcing all changes to the ACL at a single location.
Encrypt applications: Prevent unauthorized users from accessing an application locally on a server or workstation.
Identify the creator of an application or template. When a user accesses the application, the signature is checked to determine whether the action is allowed. For example, on a Domino server the Agent Manager verifies the signature of an agent and checks whether the signer has the rights to perform the action. On a Notes client, the signature is checked against the signer's rights in the workstation ECL.
Ensure that only the intended recipient can read mail.
Electronically sign mail messages: Verify that the person who sends the message is the author and that no one has tampered with the data.
For more information on securing Domino applications, see the chapter Controlling User Access to Databases.
37-14 Administering the Domino System, Volume 2
For more information on securing Notes mail, see the chapter Encryption and Electronic Signatures.
Create Readers and Authors fields: Specify which Notes and Internet/intranet users can create, modify, or read specified documents
Create signed fields: Verify that the Notes user who originated the data is the author and that no one has tampered with the data
Create encrypted fields: Control which Notes users can access a field in a form
Create hidden fields: Control which Notes and Internet/intranet users can access a field in a form
Create Read and Edit access lists for sections: Specify which Notes and Internet/intranet users can access a section in a document
For more information on securing application design elements, see the book Application Development with Domino Designer.
Compare a password with the password stored in the Domino Directory: Prevent an unauthorized user from using an illicitly obtained ID to authenticate with a server and require users to change their passwords periodically
Compare a Domino public key with the public key stored in the Domino Directory: Prevent an unauthorized user from using an illicitly obtained ID to authenticate with a server
Recover lost or damaged IDs: Regain access to a user ID file instead of issuing a new ID
Set up a security settings policy document: Manage Notes and Internet password properties, such as password synchronization and expiration settings, on an organizational level
Lock the user ID after x minutes of inactivity: Automatically log off servers to prevent an unauthorized user from using the workstation
Use F5 to log off: Immediately log off servers to prevent an unauthorized user from using the workstation
Save user IDs on a disk instead of on the workstation and keep disks in a safe place: Physically protect user IDs
Locate workstations in a secure area (for example, a locked room): Prevent unauthorized access to the ID files
Install Smartcard readers on user workstations and have users log in to Notes with Smartcards: Physically protect user IDs and private Internet keys
For more information on execution control lists, see the chapter Protecting and Managing Notes IDs.
Configure the Administration ECL and deploy to client workstations: Prevent unauthorized users from gaining access to data and applications on client workstations, by defining authorized users and authorized actions
Set up a security settings policy document: Use security settings policy documents to:
• Set up and configure one or more administration ECLs
• Specify how and when you want workstation ECLs to be refreshed or replaced
Encourage users to use operating system and screen saver passwords: Discourage unauthorized workstation access
Encourage users to shut off workstations before leaving: Discourage unauthorized workstation access
For more information on execution control lists, see the chapter Protecting User Workstations with Execution Control Lists.
Security policies
Domino policies are a way of distributing administrative settings, standards, and configurations to users, groups, or entire organizations. A policy is a collection of administrative settings that addresses an administrative area, such as security. You then use this document to establish and enforce administrative standards, and to distribute them throughout the organization. In addition, you can easily modify and maintain standards across an organization by simply editing a settings document. You can set up a security settings document to manage and deploy execution control lists (ECLs) and Notes and Internet password settings and synchronization. As these two areas of security are user-specific and are frequently changed by users, you can use a security policy to enforce settings for these areas across the organization, and control the extent to which users can adjust or change these settings. For more information, see the chapter Using Policies.
Domino Internet certifiers: server-based certification authority vs. Domino 5 certificate authority
You can choose to set up a Domino certification authority that uses the server-based CA process, or a Domino 5 certificate authority, which uses a CA key ring.
Server-based certification authority:
• Administrators can manage both Notes and Internet certifiers through the CA process.
• Issues Internet certificates that are compliant with security industry standards (such as X.509v3 and PKIX).
• Does not require administrator access to the certifier ID and ID password in order to register users and servers. This allows administrators to delegate these tasks without potentially compromising the certifier.
• Supports the PKIX registration authority (RA) role, which allows administrators to delegate the certificate approval/denial process.
• Issues certificate revocation lists (CRLs), which contain information about revoked or expired Internet certificates.
• Required if you plan to use the Web Administrator client to register Notes users.
Domino 5 certificate authority: Provides a simple means by which to set up an Internet certifier for testing or demonstration purposes.
2. Randi sends Mail-E information in her user ID. Mail-E reads Randi's user ID for the certificate issued by Acme to East. Mail-E uses the Acme public key, which it now trusts, to verify that the East certificate is valid. According to the second rule above, if the certificate is valid, Mail-E trusts the public key assigned to East.
3. Mail-E then reads Randi's user ID for the certificate issued by East/Acme to Marketing. Mail-E uses the East/Acme public key to verify that the Marketing/East/Acme certificate is valid. Again, the second rule states that Mail-E now trusts the public key assigned to Marketing/East/Acme.
4. Mail-E reads Randi's user ID for the certificate issued by Marketing/East/Acme to Randi. Mail-E uses the Marketing/East/Acme public key, which it now trusts, to verify that Randi's certificate is valid. According to the third rule above, if the certificate is valid, Mail-E trusts the public key assigned to Randi.
5. After Mail-E establishes trust of Randi's public key, the authentication process begins.
6. Mail-E sends a random number challenge to Randi.
7. Randi's workstation encrypts the challenge with her private key and sends the newly encrypted number back to Mail-E.
8. Mail-E uses Randi's public key to decrypt the response. If this yields the original challenge, Mail-E knows Randi is who she claims to be.
9. The process is then reversed. Randi's workstation validates Mail-E's public key by processing Mail-E's certificates and then uses the challenge/response procedure just described to authenticate the server.
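The validation and challenge/response steps above, as an added example that is not part of the original Domino documentation: a toy model using textbook RSA over fixed Mersenne primes (not secure, and not the Notes ID format). The Acme public key as the server's trust anchor, the name Randi/Marketing/East/Acme, the rogue key, and all function names are assumptions made for the illustration.

```python
"""Toy model of hierarchical certificate validation plus challenge/response."""
import hashlib
import secrets
from dataclasses import dataclass

E = 65537  # public exponent shared by every toy key below


def make_key(a, b):
    """Textbook RSA key from the Mersenne primes 2**a-1 and 2**b-1 (toy only)."""
    p, q = 2**a - 1, 2**b - 1
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    return (n, E), (n, d)  # (public key, private key)


def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(private, data):
    """'Encrypt with the private key', as the steps above put it."""
    n, d = private
    return pow(digest(data, n), d, n)


def verify(public, data, signature):
    n, e = public
    return pow(signature, e, n) == digest(data, n)


@dataclass(frozen=True)
class Certificate:
    issuer: str
    subject: str
    subject_key: tuple
    signature: int


def signed_fields(issuer, subject, subject_key):
    return f"{issuer}|{subject}|{subject_key[0]}|{subject_key[1]}".encode()


def issue(issuer, issuer_private, subject, subject_key):
    sig = sign(issuer_private, signed_fields(issuer, subject, subject_key))
    return Certificate(issuer, subject, subject_key, sig)


def validate_chain(anchor_name, anchor_key, chain):
    """Steps 2-4: walk the certificates top-down; return the last key or None."""
    name, key = anchor_name, anchor_key
    for cert in chain:
        body = signed_fields(cert.issuer, cert.subject, cert.subject_key)
        if cert.issuer != name or not verify(key, body, cert.signature):
            return None
        name, key = cert.subject, cert.subject_key  # this key is now trusted
    return key


def authenticate(trusted_key, respond):
    """Steps 6-8: random challenge, response checked with the trusted public key."""
    challenge = secrets.token_bytes(16)
    return verify(trusted_key, challenge, respond(challenge))


# Constructed sample keys and certificates.
ACME_PUB, ACME_PRIV = make_key(61, 89)
EAST_PUB, EAST_PRIV = make_key(89, 107)
MKT_PUB, MKT_PRIV = make_key(107, 127)
RANDI_PUB, RANDI_PRIV = make_key(61, 127)
ROGUE_PUB, ROGUE_PRIV = make_key(61, 107)  # key pair held by an impostor

RANDI = "Randi/Marketing/East/Acme"
CHAIN = [
    issue("Acme", ACME_PRIV, "East/Acme", EAST_PUB),
    issue("East/Acme", EAST_PRIV, "Marketing/East/Acme", MKT_PUB),
    issue("Marketing/East/Acme", MKT_PRIV, RANDI, RANDI_PUB),
]


def server_accepts(chain, respond):
    key = validate_chain("Acme", ACME_PUB, chain)
    return key is not None and authenticate(key, respond)


def demo():
    # Last certificate claims the Marketing certifier but was signed by the rogue key.
    forged = CHAIN[:2] + [issue("Marketing/East/Acme", ROGUE_PRIV, RANDI, ROGUE_PUB)]
    return {
        "genuine ID": server_accepts(CHAIN, lambda c: sign(RANDI_PRIV, c)),
        "copied certificates, no private key":
            server_accepts(CHAIN, lambda c: sign(ROGUE_PRIV, c)),
        "certificate not signed by real certifier":
            server_accepts(forged, lambda c: sign(ROGUE_PRIV, c)),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

The second case shows why the challenge is needed: the certificates alone are public data, so a valid chain proves only which public key belongs to Randi, not that the peer holds the matching private key.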
Server access for Notes users, Internet users, and Domino servers
To control user and server access to other servers, Domino uses the settings you specify on the Security tab in the Server document as well as the rules of validation and authentication. If a server validates and authenticates the Notes user, Internet user, or server, and the settings in the Server document allow access, the user or server is allowed access to the server. Grant server access to users and servers who need to access resources stored on the server. Deny access to prevent specified users and servers from having access to all applications on the server.
Access settings in the Server document control server access for both Notes and Internet users. By default, the Server access settings apply only to Notes clients. You can enable these settings for each of the Internet protocols through the Ports tab of the Server document. For more information, see the topic Setting up Notes user, Domino server, and Internet user access to a Domino server later in this chapter.
server access, Domino does not record the names of users and servers in the log file (LOG.NSF) or in the User Activity dialog box. When users attempt to connect to a server set for anonymous access and the server can't authenticate them, they see this message:
Server X cannot authenticate you because the server's Domino Directory does not contain any cross-certificates capable of authenticating you. You are now accessing the server anonymously.
You can also set up Internet clients to access servers anonymously. For more information on setting up anonymous access for Internet/intranet clients, see the chapter Setting Up Name-and-Password and Anonymous Access to Domino Servers.
Network port access
Network port access allows or denies access to specified Notes users and Domino servers, based on the network port they try to use. For example, you can deny access to Alan Jones/Sales/East/Acme when he dials into the server but allow access when he uses TCP/IP to connect to the server. For more information, see the topic Controlling access to a specific server port later in this chapter.
Setting up Notes user, Domino server, and Internet user access to a Domino server
You can specify Notes users and Domino servers that are allowed to access the server, as well as users who access the server using Internet protocols (HTTP, IMAP, LDAP, POP3). If your system uses multiple Domino Directories, Domino searches only the first Domino Directory specified in the Names setting in the NOTES.INI file for Notes users. If you have enabled the server access settings for Internet protocols, you can also specify users from secondary Domino directories and external LDAP directories in the Allow or Deny access lists. Note It is not necessary to specify Anonymous for the Access server and Not access server fields. Anonymous access for Notes users is enabled through the Allow anonymous Notes connections field, and anonymous access for Internet users is enabled in the Internet Site document for each Internet protocol (or the Server document if you are not using Internet Sites to configure Internet protocols).
Tip To improve log-in performance for a group of frequent users and still allow access to everyone listed in the Domino Directory, create a group named Frequent Users and then enter that group name first in the Access server field. If Domino finds a user in the Frequent Users group first, it doesn't check the Domino Directory for the individual name. For example, enter the following in the Access server field:
Frequent Users, *
For more information on creating groups, see the chapter Setting Up and Managing Groups.
Enter any of these:
• Names of users, servers, and groups.
• An asterisk followed by a certificate name (for example, */Sales/East/Acme) to deny access to all users certified by a particular certifier.
• An asterisk followed by the name of the view (for example, *($Users)) to deny access to all names that appear in a specific view in the Domino Directory. Access time is quicker if you specify a group name rather than a view name.
The default value for this field is blank, which means that all names entered in the Access server field can access the server. Names entered in the Not access server field take precedence over names entered in the Access server field. For example, if you enter a group name in the Access server field and enter the name of an individual member of this group in the Not access server field, the user will not be able to access the server.
Note An alternative way to deny Notes user access to a server is to lock out an individual user's ID from the server.
Separate multiple names with a comma or semicolon.
Trusted servers
Names of servers that are trusted to assert the identities of users to this server, and thus are trusted by the current server to have authenticated those users. Used for remote agent access and xSP.
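A simplified model of how the Access server and Not access server fields combine, added here as an illustration and not Domino's own code. It assumes a blank Access server field imposes no restriction, does not model view entries such as *($Users), and uses constructed names (Kim Lee, Pat) and hypothetical function names.

```python
import re


def split_field(text):
    """Field entries are separated by commas or semicolons."""
    return [entry.strip() for entry in re.split(r"[;,]", text) if entry.strip()]


def components(name):
    """Lower-cased components of a hierarchical name."""
    return [part.strip().lower() for part in name.split("/")]


def entry_matches(entry, user, groups, directory):
    if entry == "*":  # everyone listed in the directory
        return any(components(user) == components(n) for n in directory)
    if entry.startswith("*/"):  # everyone certified under one certifier
        suffix, parts = components(entry[2:]), components(user)
        return len(parts) > len(suffix) and parts[-len(suffix):] == suffix
    if entry in groups:  # group entry: test each member (no nested groups)
        return any(entry_matches(m, user, {}, directory) for m in groups[entry])
    return components(entry) == components(user)


def may_access(user, access_server, not_access_server, groups, directory):
    deny = split_field(not_access_server)
    if any(entry_matches(e, user, groups, directory) for e in deny):
        return False  # Not access server takes precedence
    allow = split_field(access_server)
    if not allow:
        return True  # assumption: a blank Access server field restricts no one
    return any(entry_matches(e, user, groups, directory) for e in allow)


# Constructed sample directory and group.
DIRECTORY = [
    "Alan Jones/Sales/East/Acme",
    "Randi/Marketing/East/Acme",
    "Kim Lee/PreSales/East/Acme",
]
GROUPS = {"Frequent Users": ["Alan Jones/Sales/East/Acme",
                             "Randi/Marketing/East/Acme"]}


def demo():
    def check(user, allow, deny):
        return may_access(user, allow, deny, GROUPS, DIRECTORY)

    return {
        # "Frequent Users, *": group members and everyone else in the directory
        "group member": check("Alan Jones/Sales/East/Acme", "Frequent Users, *", ""),
        "directory user": check("Kim Lee/PreSales/East/Acme", "Frequent Users, *", ""),
        "not in directory": check("Pat/West/Other", "Frequent Users, *", ""),
        # group allowed, one member denied individually: the deny entry wins
        "member denied by name": check("Randi/Marketing/East/Acme",
                                       "Frequent Users",
                                       "Randi/Marketing/East/Acme"),
        # certifier wildcard compares whole name components, not substrings
        "denied by certifier": check("Alan Jones/Sales/East/Acme", "*",
                                     "*/Sales/East/Acme"),
        "similar certifier name": check("Kim Lee/PreSales/East/Acme", "*",
                                        "*/Sales/East/Acme"),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case}: {'allowed' if allowed else 'denied'}")
```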
3. Choose Actions - Set Password Fields, and then click Yes when prompted to continue.
4. In the Check Notes password field, select Lockout ID, and then click OK.
5. Click the Configuration tab, open the Server document for the server to which you want to deny user access, and then click the Security tab.
6. In the Security Settings section, select Enabled for the Check passwords on Notes IDs field.
7. Repeat Step 4 for each server to which you want to deny the user access.
You do not need to list a user individually in each field. Adding a user to the highest level of administrator access automatically grants that user all privileges listed for more restricted access levels below in the hierarchy.
To restrict administrator access
1. From the Domino Administrator, click the Configuration tab, and open the Server document.
2. Click the Security tab.
3. In the Administrators section, complete one or more of these fields, and then save the document.
For all of these fields, you can specify individual hierarchical names, groups, and wildcards (for example, */Sales/Acme). Separate multiple entries with commas. Note With the exception of the Administrators field, all of these fields are blank by default, meaning that no one has these access rights.
Field: Action
Full access administrators: Enter the names of administrators who have full access to administer the server. This is the highest level of administrative privilege. For more information, see below.
Administrators: Enter the names of administrators who can administer the server. The default value for this field is the name of the administrator who initially set up the server. Administrators listed here have the following rights:
• Manager access to the Web Administrator database (WEBADMIN.NSF)
• Create, update, and delete folder and database links
• Create, update, and delete directory link ACLs
• Compact and delete databases
• Create, update, and delete full text indexes
• Create databases, replicas, and Master Templates
• Get and set certain database options (for example, in/out of service, database quotas, and so on)
• Use message tracking and track subjects
• Use the console to remotely administer UNIX servers
• Issue any remote console command
Database administrators: Enter the names of administrators who will be responsible for administering databases on the server. Note that database administrators are not automatically granted Manager access to databases on the server, nor do they have any access to the Web Administrator database. Users listed here have the following rights only:
• Create, update, and delete Folder and Database links
• Create, update, and delete directory link ACLs
• Compact and delete databases
• Create, update, and delete full text indexes
• Create databases, replicas, and Master Templates
• Get and set certain database options (e.g., in/out of service, database quotas, etc.)
Full remote console administrators: Enter the names of administrators who can use the remote console to issue commands to this server.
View-only administrators: Enter the names of administrators who can use the remote console to issue only those commands that provide system status information, such as SHOW TASKS and SHOW SERVER. View-only administrators cannot issue commands that affect the server's operation.
System administrators: Enter the names of administrators who are allowed to issue a full range of operating system commands to the server. The type and range of commands depends on the server operating system. For example, if the Domino server is an NT server, then these administrators can issue NT commands at the system command level prompt. Similarly, administrators for a UNIX server would be able to issue UNIX commands. Note This feature requires that you run the Domino server controller on the server machine. For more information, see the topic The Server Controller and Domino Console in the chapter Setting Up and Using Domino Administration Tools.
Restricted system administrators: Enter the names of administrators who are allowed to issue only the operating system commands that are listed in the Restricted System Commands field (see below). Note This feature requires that you run the Domino server controller on the server machine. For more information, see the topic The Server Controller and Domino Console in the chapter Setting Up and Using Domino Administration Tools.
Restricted system commands: Enter the subset of operating system commands that Restricted System Administrators can issue. The type and range of commands depends on the server operating system and the tasks that restricted system administrators need to do. For example, you may want to have a restricted system administrator for managing UNIX print queues. Enter the UNIX commands for managing print queues in this field. Any names you enter in the Restricted system administrators field will then have access to these commands only.
Security
Action This setting applies only to pre-Domino 6 servers for the purposes of backwards compatibility. The Domino 6 Web Administrator client will only work with Domino 6 servers. In the case where an Domino 5 to Domino 6, those servers that have not been upgraded will still need to have this setting in their Server documents so they can use earlier versions of the Web Administrator.
Caution Administrators who are listed in the Full Access Administrators, Administrators, and Database Administrators fields on the Security tab of a server document are allowed to delete any database on that server, even if they are not listed as managers in the database ACL.
Enabling full access administrator mode
In order to work in full access administrator mode, an administrator must:
- Be listed in the Full Access Administrators field in the Administrators section of the Security tab in the Server document. By default, this field is empty.
- Enable Full Access Administration mode in the Administrator client by selecting Administration - Full Access Administration. If this mode is not enabled, then users will not have full administrator access to the server, even if they are listed as a full access administrator in the Server document. They will instead be granted Administrator rights.
When full access administrator mode is enabled, the client's window title, tab title, and status bar indicate this. This is to remind users that they are accessing the server with the highest level of privilege and should therefore proceed with caution.

If an administrator enables full administration mode in the Administration client, this mode is also enabled for the Domino Designer and for the Lotus Notes clients. Full administrator access is also reflected in their window titles, tab titles, and status bars.

If a user attempts to switch to full access administrator mode, but is not listed as one in the Server document, the user is denied full access and a message appears in the status bar and on the server console. The client will be in full access mode, but that user will not have full administrator access to that particular server. If the user attempts to switch servers, that person's access is checked against the server document of the new server.

Disabling the full access administrator feature
You can disable the Full Access Administrators field by setting SECURE_DISABLE_FULLADMIN = 1 in the NOTES.INI file. This setting disables full access administrator privilege and overrides any names listed in that field in the Server document. This NOTES.INI parameter can only be set by a user with physical access to the server who can edit the NOTES.INI file for the server. This parameter cannot be set using the server console, the remote console, or set in the Server document.
Options for managing the full access administrator feature
There are several ways to grant full access administrator:
- Create a special Full Admin ID file (for example, Full Admin/Sales/Acme) and only put that name in the Full Admin field. You must then either log in with or switch to this user ID in order to gain this level of access. Optionally, you could set up this ID file to require multiple passwords.
- Create an OU-level certifier for granting full administrator access, and issue additional IDs to trusted administrators (for example, Jane Admin/Full Admin/Acme).
- Leave the Full Access Administrator field empty. Add the name of a trusted individual for emergency situations, and remove it when the situation has been resolved.
- Populate the Full Access Administrator field with a limited set of trusted administrators.

Configure the Event Handler to send notification through EVENTS4.NSF when full access administration privileges are invoked.

Any database activity done using full access administrator access is recorded in the database activity log, under Database Properties. Use of the feature is logged by the server.
Setting up anonymous server access for Notes users and Domino servers
When a server is set up for anonymous access, Notes users and Domino servers do not need a valid certificate to access the server, since the server does not validate or authenticate them. Use anonymous access to allow users and servers outside your organization to access a server without first obtaining a certificate for the organization.

You can also set up anonymous access for Internet/intranet users. For more information on anonymous Internet/intranet access, see the chapter Setting Up Name-and-Password and Anonymous Access to Domino Servers.

1. From the Domino Administrator, click the Configuration tab, and open the Server document.
2. Click the Security tab.
3. In the Security Settings section, enable Allow anonymous Notes connections.
Controlling Access to Domino Servers 38-13
4. Save the document.
5. Create an entry named Anonymous in the ACL of all databases to which you want to allow anonymous access. Assign the appropriate access level, typically Reader access. If you don't add Anonymous as an entry in the ACL, anonymous users and servers get -Default- access.
6. Stop and restart the server so that the changes take effect.
3. In the Server Access section, complete one or more of these fields, and then save the document:
Field: Create new databases and templates
Action: Enter any of these:
- Names of specific servers, users, and groups.
- An asterisk (*) followed by a certificate name (for example, */Sales/East/Acme) to allow all users certified by a particular certifier to create databases.
- An asterisk (*) followed by a view name (for example, *($Users)) to allow all names that appear in a specific view in the Domino Directory to create databases. Access time is quicker if you specify a group name rather than a view name.
The default value for this field is blank, which means that all users can create new databases. Separate multiple names with commas or semicolons.

Field: Create replica databases
Action: Enter any of these:
- Names of specific servers, users, and groups.
- An asterisk (*) followed by a certificate name (for example, */Sales/East/Acme) to allow all users certified by a particular certifier to create replicas.
- An asterisk (*) followed by a view name (for example, *($Users)) to allow all names that appear in a specific view in the Domino Directory to create replicas. Access time is quicker if you specify a group name rather than a view name.
Note Servers, users, and groups who cannot create new databases on the server (see above) cannot create replicas.
The default value for this field is blank, which means that no one can create new replicas. Separate multiple names with commas or semicolons.
Action: Enter any of these:
- Names of specific servers, users, and groups.
- An asterisk (*) followed by a certificate name (for example, */Sales/East/Acme) to allow all users certified by a particular certifier to create templates.
- An asterisk (*) followed by a view name (for example, *($Users)) to allow all names that appear in a specific view in the Domino Directory to create replicas. Access time is quicker if you specify a group name rather than a view name.
Note Servers, users, and groups who cannot create new databases or replicas on the server (see above) cannot create or update templates.
The default for this field is blank, which means that no one can create master database templates on the server. Separate multiple names with commas or semicolons.
For information on creating groups, see the chapter Setting Up and Managing Groups.
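The three database-creation fields above differ in what a blank value means and depend on each other, which is easy to misread during an access review. The following is an added example, not part of the IBM documentation or Domino's own code: a simplified evaluator in which the field keys, the group and view dictionaries, the sample names, case-insensitive comparison, and the suffix-match reading of the certifier wildcard are all assumptions.

```python
import re

# Meaning of an empty field, as stated in the field descriptions above.
# The dictionary keys are hypothetical labels, not Domino item names.
BLANK_MEANS_EVERYONE = {
    "create_databases": True,   # blank: all users can create new databases
    "create_replicas": False,   # blank: no one can create replicas
    "create_templates": False,  # blank: no one can create master templates
}


def split_names(value):
    """Split a field value on commas or semicolons, dropping empty entries."""
    return [part.strip() for part in re.split(r"[;,]", value) if part.strip()]


def entry_matches(entry, name, groups, views):
    """Return True if one field entry covers the given hierarchical name."""
    entry_l, name_l = entry.lower(), name.lower()
    view = re.fullmatch(r"\*\((.+)\)", entry)
    if view:  # *($Users): every name that appears in the named view
        return name_l in {n.lower() for n in views.get(view.group(1), ())}
    if entry_l.startswith("*/"):  # */Sales/East/Acme: certifier wildcard
        # Keep the leading slash so PreSales does not match Sales.
        return name_l.endswith(entry_l[1:])
    if entry_l == name_l:  # a specific user or server
        return True
    return name_l in {n.lower() for n in groups.get(entry, ())}  # a group


def field_allows(server_doc, field, name, groups, views):
    """Apply one field, honouring that field's own blank default."""
    entries = split_names(server_doc.get(field, ""))
    if not entries:
        return BLANK_MEANS_EVERYONE[field]
    return any(entry_matches(e, name, groups, views) for e in entries)


def creation_rights(server_doc, name, groups=None, views=None):
    """Effective rights of one name across the three dependent fields."""
    groups, views = groups or {}, views or {}
    can_db = field_allows(server_doc, "create_databases", name, groups, views)
    # Anyone who cannot create databases cannot create replicas either.
    can_replica = can_db and field_allows(
        server_doc, "create_replicas", name, groups, views)
    # This example reads the template note as requiring both rights above.
    can_template = can_replica and field_allows(
        server_doc, "create_templates", name, groups, views)
    return {"databases": can_db, "replicas": can_replica,
            "templates": can_template}


# Constructed sample data (not taken from a real Domino Directory).
GROUPS = {"LocalDomainServers": ["Hub1/Acme"]}
OPEN_DOC = {
    "create_databases": "",
    "create_replicas": "*/Sales/East/Acme; LocalDomainServers",
    "create_templates": "Jane Admin/Sales/East/Acme",
}
LOCKED_DOC = dict(OPEN_DOC, create_databases="LocalDomainServers")

if __name__ == "__main__":
    for who in ("Jane Admin/Sales/East/Acme", "Bob/Marketing/Acme",
                "Hub1/Acme", "Eve/PreSales/East/Acme"):
        print(who, creation_rights(OPEN_DOC, who, GROUPS))
    print("locked:", creation_rights(LOCKED_DOC, "Jane Admin/Sales/East/Acme",
                                     GROUPS))
```

With the sample data, the blank first field lets every name create databases, while restricting that field in LOCKED_DOC removes the replica and template rights of names that are still listed in the other two fields.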
3. In the Server Access section, complete one or both of these fields, and then save the document:
Field: Allowed to use monitors
Action: Enter any of these:
- Names of specific users and groups.
- An asterisk (*) followed by a certificate name (for example, */Sales/East/Acme) to allow all users certified by a particular certifier to use a monitor.
- An asterisk (*) followed by a view name (for example, *($Users)) to allow all names that appear in a specific view in the Domino Directory to use monitors. Access time is quicker if you specify a group name rather than a view name.
Separate multiple names with commas or semicolons. The default for this field is * (all users). Leave the field blank to allow no one to use headline monitors.

Field: Not allowed to use monitors
Action: Enter any of these:
- Names of specific users and groups.
- An asterisk (*) followed by a certificate name (for example, */Sales/East/Acme) to prevent users certified by a particular certifier from using monitors.
- An asterisk (*) followed by a view name (for example, *($Users)) to prevent all names that appear in a specific view in the Domino Directory from using monitors. Access time is quicker if you specify a group name rather than a view name.
Separate multiple names with commas or semicolons. The default for this field is blank, meaning that no one is restricted from using monitors. Use an asterisk (*) to prevent all users from using monitors.
You can also restrict users from monitoring an individual database. For more information, see the chapter Improving Database Performance.
If your system uses multiple Domino Directories, Domino searches only the first Domino Directory specified in the Names setting in the NOTES.INI file.

Internet and intranet clients cannot use passthru; therefore, these settings are valid only for Notes users and Domino servers.

1. From the Domino Administrator, click Configuration, and open the Server document.
2. Click the Security tab.
3. In the Passthru Use section, complete one or more of these fields, and then save the document:
Field: Access this server
Action: Enter any of these:
- Names of specific servers, users, and groups.
- An asterisk (*) followed by a certificate name (for example, */Sales/East/Acme) to allow all users certified by a particular certifier to access the server.
- An asterisk (*) followed by a view name (for example, *($Users)) to allow access to all names that appear in a specific view in the Domino Directory. Access time is quicker if you specify a group name rather than a view name.
Any users or servers listed in this field can use a passthru server to access this server. This field does not take precedence over other access fields, for example, the Access server and Not access server fields. For example, if the Access server field specifies that only users listed in the Domino Directory can access this server, users who are not in the local domain cannot access this server.
The default for this field is blank, which means that users and servers are prevented from using a passthru connection to access this server. Separate multiple names with commas or semicolons.
Action: Enter any of these:
- Names of specific servers, users, and groups.
- An asterisk (*) followed by a certificate name (for example, */Sales/East/Acme) to allow all users certified by a particular certifier to access the server.
- An asterisk (*) followed by a view name (for example, *($Users)) to allow access to all names that appear in a specific view in the Domino Directory. Access time is quicker if you specify a group name rather than a view name.
Any users or servers listed in this field can use the server as a passthru server, regardless of whether or not they are also included in the Access server or Not access server fields.
The default for this field is blank, which means that users and servers are prevented from using this server for passthru access. Separate multiple names with commas or semicolons.
Field: Cause calling
Action: Enter any of these:
- Names of specific servers, users, and groups.
- An asterisk (*) followed by a certificate name (for example, */Sales/East/Acme) to allow all users certified by a particular certifier to initiate calling.
- An asterisk (*) followed by a view name (for example, *($Users)) to allow all names that appear in a specific view in the Domino Directory to allow calling. Access time is quicker if you specify a group name rather than a view name.
Any users or servers listed in this field can instruct this server to call (that is, place a phone call to) another server in order to establish a routing path to that server. If no names are entered, no calling is allowed. In general, if the Replicator on another server uses the modem on a server to reach its targets, the server name of the Replicator must be included in this list on the server with the modem. Otherwise, the replication will frequently fail.
The default for this field is blank, which means that users and servers are prevented from using this server to route a path to another server. Separate multiple names with commas or semicolons.
This field corresponds to the Allow_Passthru_Callers setting in the NOTES.INI file. If a conflict exists, the Cause calling field takes precedence.
Action: Enter the names of destination servers to which this server may route clients. The default for this field is blank, which means that all servers may be routed to. This field corresponds to the Allow_Passthru_Targets setting in the NOTES.INI file. If a conflict exists, the Destinations allowed field takes precedence.
3. In the Programmability Restrictions section, complete one or more of these fields, and then save the document:
Field: Run unrestricted methods and operations
Action: Enter the names of users and groups who are allowed to select, on a per agent basis, one of three levels of access for agents signed with their ID. Users with this privilege select one of these access levels when they are using Domino Designer 6 to build an agent:
- restricted mode
- unrestricted mode
- unrestricted mode with full administration rights
Only users who have this access can choose an option other than do not allow restricted operations. This access is enabled by default for the current server and Lotus Notes Template developers.
If users in this list are also listed as a database administrator in the Server document, they are allowed to perform database operations without having to be listed explicitly in the database ACL (for example, they can delete databases without being listed in the ACL of those databases).
To have the ability to run agents in unrestricted mode with full administration rights, the agent signer should be listed in this field, or in the Full Access Administrator field, as well as have this mode selected in the Agent Builder. Being listed in the Full Access Administrator list alone is not sufficient to run agents in this mode.
Field: Sign agents to run on behalf of someone else
Action: Enter the names of users and groups who are allowed to sign agents that will be executed on anyone else's behalf. The default is blank, which means that no one can sign agents in this manner. This privilege should be used with caution, as the name on whose behalf the agent is signed is used to check ACL access.

Field: Sign agents to run on behalf of the invoker of the agent
Action: Enter the names of users and groups who are allowed to sign agents that will be executed on behalf of the invoker, when the invoker is different from the agent signer. This setting is ignored if the agent signer and the invoker are the same. This is used currently only for Web agents. The default is blank, which means that everyone can sign agents invoked in this manner (this is for backwards compatibility).
Field: Run restricted LotusScript/Java agents
Action: Enter the names of users and groups allowed to run agents created with LotusScript and Java features, but excluding privileged methods and operations, such as reading and writing to the file system. Leave the field blank to deny access to all users and groups.

Field: Run simple and formula agents
Action: Enter the names of users and groups allowed to run simple and formula agents, both private and shared. Leave the field blank to allow all users and groups to run simple and formula agents, both private and shared.

Action: Enter the names of users and groups who are allowed to sign script libraries in agents executed by someone else. For the purposes of backwards compatibility, the default value is to leave the field empty, to allow all.
Controlling server access by browser clients that use Java and JavaScript
Note These settings are for use only with R5.x and earlier servers. They should not be used with a Domino 6 server and are included for the purpose of backwards compatibility only, to be used to manage prior releases of Domino servers with the Lotus Notes 6 client.

For more information on the DIIOP task, see the chapter Setting Up the Domino Web Server.

1. From the Domino Administrator, click Configuration, and open the Server document.
2. Click the Security tab.
3. In the Programmability Restrictions section, complete one or both of these fields, and then save the document:
Field: Run restricted Java/JavaScript/COM
Action: Enter the names of authenticated browser users and/or groups allowed to run server programs created with a specific set of Java and JavaScript features. Leave the field blank (default) to deny access to all users and groups.

Field: Run unrestricted Java/JavaScript/COM
Action: Enter the names of authenticated browser users and/or groups allowed to run server programs created with all Java and JavaScript features. Leave the field blank (default) to deny access to all users and groups.
For a list of restricted Java and JavaScript classes, see Application Development with Domino Designer.
Caution If you do not modify the server's NOTES.INI file to include the PKCS11_Library variable, when you try to launch the Domino server, it will shut down and return a Login aborted by user error.

1. On the Domino server workstation, install a Smartcard reader and Smartcard driver files.
2. On a Notes client workstation, install a Smartcard reader and the same Smartcard driver files as you installed on the Domino server. This workstation will be used to configure the Smartcard for the server.
3. Copy the server.id from the Domino server onto a diskette. Insert the diskette into the Notes workstation.
4. Launch the Notes client with a User ID from the domain for which the server has a certificate.
5. Place the Smartcard designated for the server into the card reader of the Notes client. If required, enter the Smartcard PIN.
38-24 Administering the Domino System, Volume 2
6. Click File - Security - Switch ID to switch to the copy of the server.id file.
7. Do the following to enable the server.id file for the associated Smartcard:
   a. Click File - Security - User Security, and enter the password for the server.id.
   b. Click Smartcard Options.
   c. Click Enable Smartcard Login.
   d. Enter password (if needed) and the Smartcard PIN.
   After approximately 10 to 15 seconds, the Smartcard will be configured for the server.id file.
8. Copy the Smartcard-enabled server.ID file back to the server's Domino\data directory.
9. Place the Smartcard in the Domino server card reader, and launch Domino.
10. At the server command console, enter the Smartcard PIN when prompted and Domino will launch.
Note If a user is in the process of requesting a new private key or a name change, the pending information is also stored in the ID file. If a Notes private key is changed, then the obsolete information is also stored in the ID file for backwards compatibility. For example, you would need the obsolete information to read old encrypted e-mail.
Certificates
A certificate is a unique digital signature that identifies a user or server. Server and user IDs contain one or more Notes certificates. In addition, user IDs may contain one or more Internet certificates that identify users when they use SSL to connect to an Internet server or send a signed S/MIME mail message.

A certificate contains:
- The name of the certifier that issued the certificate.
- The name of the user or server to whom the certificate was issued.
- A public key that is stored in both the Domino Directory and the ID file. Notes uses the public key to encrypt messages that are sent to the owner of the public key and to validate the ID owner's signature.
- A digital signature.
- The expiration date of the certificate.
Certificates are stored in ID files and in Person, Server, and Certifier documents in the Domino Directory. They are also referred to as Notes certified public keys.

Public keys are not secret. Any user may look up another user's public key and use it to send encrypted mail to or authenticate the user. It is important that someone looking up a public key learn it reliably, since Domino uses it for identification.

Users must be able to obtain the public key of the certifier that issued the certificate before they can authenticate the certificate's owner. If a user has a certificate issued by the same certifier as another user or server, the first user can verify the public key for the certificate and then reliably know the public key associated with the server or user name. If a user doesn't have a certificate issued by the same certifier, the user needs a cross-certificate for authentication.

When you register users and servers, Domino automatically creates a Notes certificate for each user and server ID. In addition, you can use a Domino or third-party certificate authority (CA) to create Internet certificates for user IDs. Domino uses the X.509 certificate format to create Internet certificates.
Notes certificates have expiration dates. Therefore, you must recertify Notes IDs when their expiration dates approach. In addition, if a user or server name changes, you must recertify the corresponding Notes ID so that a new certificate will bind the public key to the new name. Changing a name on a user ID may also affect Internet certificates. For example, a user who has changed the name on a user ID may receive warning messages when sending signed S/MIME mail, warning the user that recipients of the message may receive a signature by a name that isn't on the original certificate used for signing.
To view certificates
1. From the Domino Administrator, click Configuration - Certification.
2. Click ID Properties.
3. Choose the ID file to view.
4. Enter the password and click OK.
5. In the ID Properties dialog box, do the following:
   a. Click Your Identity - Your Certificates to display a list of all Notes and Internet certificates issued to this ID file.
   b. Select the certificate in the Certificates box to display additional information about the certificate.
   c. To get more information about a certificate, highlight it in the list and click Advanced Details. Here you can specify a default Internet signing certificate if there are multiple Internet certificates in the ID file.

For more information on using Internet certificates, see the chapter Setting Up Clients for S/MIME and SSL. For more information on how Notes users can view certificates in their IDs, see Lotus Notes 6 Help.
Password-protection features
Password quality
When you register a user or server or create a certifier ID, you use a scale of 0 to 16 to specify the level of password quality you want enforced for the ID. The higher the level, the more complex the password and, therefore, the more difficult it is for an unauthorized user to guess the password. For optimal security, specify a password quality level of at least 8.

The password quality level you assign is enforced when you enter a password for new IDs or when users change the password for an existing ID. When users change their passwords, Notes displays information about the password quality level required by the ID file. Users must enter a password that meets the criteria for the level; otherwise, they are not allowed to change the password.
When choosing a password, it is best to specify a random, alphanumeric string that includes mixed uppercase and lowercase letters, numbers, and punctuation. Also, it is better to specify an entire phrase, rather than a single word. A passphrase is easy to remember, difficult to guess, and generally longer than a single-word password. If you choose to use a phrase, you should misspell one or more of the words to make it more difficult for attackers to guess at the phrase.

To change the password quality level assigned to an ID, you must recertify the ID or use a security settings policy document. For more information about using a security settings policy document to manage IDs, see the chapter Using Policies. For more information on password quality, see the topic Understanding the password quality scale later in this chapter.

Time-delay and anti-spoofing mechanisms
All passwords for Notes IDs have built-in time-delay and anti-spoofing mechanisms, both of which deter password-guessing programs and prevent password theft by programs that resemble the password-prompt dialog box. The time-delay mechanism delays the time it takes to be able to proceed after an incorrect password is typed. When a user types a password, the anti-spoofing mechanism creates a graphic pattern that other programs cannot reproduce.

Password and public-key verification during authentication
By default, Notes and Domino use passwords only to protect information stored in ID files. However, you can configure servers to verify passwords and Notes public keys during authentication. Password and public-key verification reduces the unauthorized use of IDs.

If you set up a server to verify passwords and an unauthorized user obtains an ID and its password, the authorized user just needs to change the password for the ID. Then, the next time the unauthorized user attempts to authenticate, that user will not be allowed access to the server because Domino informs the user that they must change the password on this copy of the ID to match that on another copy of their ID (which the unauthorized user doesn't know).

Along with verifying passwords, you can set up servers to require users to change their password periodically. For more information on verifying passwords, see the topic Verifying user passwords during authentication later in this chapter. For more information on verifying public keys, see the topic Public key security later in this chapter.
Multiple passwords
To provide tighter security for certifier and server IDs, assign multiple passwords to those IDs. Using multiple passwords requires that a group of administrators work together to access an ID. For example, this feature is useful when you want to avoid giving authority for a certifier ID to one person. You can specify that only a subset of the assigned passwords be required to access the ID. For example, you can assign four passwords to the ID but require that only any two of the four passwords be entered to gain access to the ID. Requiring only a subset of the passwords allows administrators to access the ID, even when all of the administrators are not available.

Note User IDs can also be secured with multiple passwords.

For more information on multiple passwords, see the topic Assigning multiple passwords to server and certifier IDs later in this chapter.

ID file recovery
If you have ID recovery in place, when a user loses an ID file or forgets the password to the ID file, a group of administrators can work together to recover the ID file. Losing an ID file normally prevents users from accessing servers and reading messages and other data that they encrypted with the ID. Using the ID file recovery feature, administrators can prevent this loss of access and prevent unauthorized users from illicitly recovering IDs.

For more information on ID file recovery, see the topic ID file recovery later in this chapter.

Using a Smartcard to secure a Notes ID
When using Smartcards to log into Notes, users are essentially locking and unlocking their user IDs. The advantage of using a Smartcard with Notes is that the user's Internet private keys can be stored on the Smartcard instead of on the workstation. Then users can take Smartcards with them when they are away from their computers. For both regular and roaming users, Smartcards increase user ID security.

Caution In order for Notes users to set up Smartcards, you must disable password checking, change/grace intervals and expiration in the user's Person document. Otherwise, Smartcard users will eventually be locked out.

For more information on how Notes users can use Smartcards, see Lotus Notes 6 Help.
7-12
Password quality scale: 13-16
Description: Require a strong password, even though the user may have difficulty remembering it.
Example:
- 4891spyONu (password quality scale 13)
- lakestreampondriverocean, stRem2pO() (password quality scale 15)
- stream8pond1river7lake2ocean (password quality scale 16)
unauthorized user could use an ID and password even after the user changed the password on the ID, since, by default, the password is used only to decrypt the ID file and is not verified against the password stored in the Domino Directory.

If you set up password verification, require users to change the passwords on their IDs on a regular basis. As the time for the required password change approaches (after two-thirds of the current change interval has passed, but at a minimum of two days remaining), a prompt appears to remind the user to change the password. When users change the password, the current ID and Person document are updated with the new password. If a user has multiple ID files, the user must change the password in each of them to match the new password. You cannot use password verification on ID files that contain multiple passwords.

Each time a user changes a password, the user must specify a unique password. Notes keeps a record of up to 50 passwords that have been previously used. If you enable password history checking (through the use of a security settings document), you can configure the number of new passwords that must be used before a given password can be reused.

An expired password doesn't prevent a user from reading encrypted mail or creating new signed documents on local replicas; however, without specifying a new password, users cannot access databases on servers.

Note that password verification during authentication will not work for Internet users because they do not have Notes user IDs (unless their Notes and Internet passwords have been synchronized).

Caution Do not enable password expiration for users whose ID files are locked with Smartcards. Otherwise, it is possible that a user's ID could be locked out until the password digest can be cleared.
The first time the user logs onto a server that requires password verification, the Administration Process generates a Change User Password in Domino Directory request in the Administration Requests database. This request enters a corresponding password digest in the Password digest field in the Administration section of the Person document. It also records the date the user provided the password in the Last change date field in the Administration section of the Person document. To authenticate with servers that are enabled for password verification, the user must provide the password that corresponds to the digest.

From then on, when a user changes a password, the Administration Process generates a new Change User Password in Domino Directory request in the Administration Requests database. This request updates the Password digest and Last change date fields in the Person document.

Note that if you modify the change interval or grace period after you enable password verification, the Administration Process must update the fields in the Person document and then the user must change the password for the change to take effect.

For information on the Administration Process, see the chapter Setting Up the Administration Process.
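Why the server-side check matters when an ID copy and its password have leaked, shown as an added example (not Domino code and not from the IBM documentation). It is a simplified model: the class and function names, the sample name and passwords, the PBKDF2 stand-in for the password digest, and keeping the password history in the Person document are assumptions.

```python
import copy
import hashlib
import hmac
import os

HISTORY_LIMIT = 50  # Notes keeps a record of up to 50 previously used passwords


def digest(salt, password):
    # Stand-in digest (PBKDF2-SHA256); the page does not say what Domino uses.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)


class IdFile:
    """One copy of an ID file; its password only unlocks this copy."""

    def __init__(self, owner, password):
        self.owner = owner
        self.salt = os.urandom(16)
        self.lock = digest(self.salt, password)

    def unlock(self, password):
        return hmac.compare_digest(self.lock, digest(self.salt, password))


class PersonDocument:
    """Directory record with the Password digest field (simplified)."""

    def __init__(self):
        self.salt = os.urandom(16)
        self.password_digest = None  # empty until the first verified login
        self.check_password = True   # False models "Don't check password"
        self.history = []            # assumption: history kept here


def change_password(id_file, person, old, new):
    """Change the password on one ID copy and update the Person document."""
    if not id_file.unlock(old):
        raise ValueError("old password does not unlock this ID copy")
    new_digest = digest(person.salt, new)
    if any(hmac.compare_digest(new_digest, h) for h in person.history):
        raise ValueError("password was used before")
    id_file.lock = digest(id_file.salt, new)
    person.password_digest = new_digest
    person.history = (person.history + [new_digest])[-HISTORY_LIMIT:]


def authenticate(server_checks_passwords, id_file, typed, person):
    """Return the outcome of one login attempt with a given ID copy."""
    # Default behaviour: the password is used only to unlock the ID copy.
    if not id_file.unlock(typed):
        return "denied: password does not unlock this ID copy"
    # Verification needs to be enabled for both the server and the user.
    if server_checks_passwords and person.check_password:
        typed_digest = digest(person.salt, typed)
        if person.password_digest is None:
            # First login to a verifying server: the digest is recorded.
            person.password_digest = typed_digest
            person.history.append(typed_digest)
            return "granted"
        if not hmac.compare_digest(person.password_digest, typed_digest):
            return "denied: password on this ID copy does not match directory"
    return "granted"


def stolen_copy_scenario(server_checks_passwords):
    """Constructed scenario: an ID copy leaks, then the owner changes password."""
    old, new = "old lake streem 7", "new pond rivver 42"  # constructed values
    person = PersonDocument()
    owner_id = IdFile("Jane Admin/Sales/East/Acme", old)
    authenticate(server_checks_passwords, owner_id, old, person)
    leaked_id = copy.copy(owner_id)  # copy held by someone who knows `old`
    change_password(owner_id, person, old, new)
    return {
        "owner": authenticate(server_checks_passwords, owner_id, new, person),
        "leaked": authenticate(server_checks_passwords, leaked_id, old, person),
    }


if __name__ == "__main__":
    print("verification off:", stolen_copy_scenario(False))
    print("verification on: ", stolen_copy_scenario(True))
```

With verification off, the leaked copy keeps working after the owner's password change because nothing compares it with the directory; with verification on, only the copy whose password matches the recorded digest is accepted.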
7. (Optional) You can also choose to force individual users to change their Internet passwords the next time they log in. In the Force users to change Internet password on next login dialog box, click Yes.

Caution Do not enable password expiration for users whose ID files are locked with Smartcards. Otherwise, it is possible that a user's ID could be locked out until password expiration can be cleared. You should also be sure that the required change interval and allowed grace period are set at zero.
To disable password verification for an individual user
When you disable password verification for a user, Domino does not check passwords for the user even if password verification is enabled for the server.
1. From the Domino Administrator, click People & Groups using a network connection to the Domino Directory.
2. Select each Person document for which you want to enable password checking.
3. Choose Actions - Set Password Fields, and then click Yes to continue.
4. In the Set Passwords Fields dialog box, select Don't check password, and then click OK.
To lock out an individual user's ID
1. From the Domino Administrator, click People & Groups using a network connection to the Domino Directory.
2. Select the Person document of the user whose ID will be locked out.
3. Choose Actions - Set Password Fields, and then click Yes to continue.
4. In the Set Passwords Fields dialog box, select Lockout ID, and then click OK.
To enable password verification on servers
To use password verification for Notes users, you must enable password verification for both users and servers. Do the following to enable password verification on each server with which these users authenticate:
1. From the Domino Administrator, click Configuration.
2. Open the Server document of the server for which you want to enable password verification.
3. Click Security, and then in the Check passwords on Notes IDs field, select Enabled.
4. Repeat for each server on which you want to enable password verification.
To disable password verification for a server
When you disable password verification for a server, Domino does not check passwords for any users who access the server, even if the user has password verification enabled.
1. From the Domino Administrator, click Configuration.
2. Open the server document of the server for which you want to disable password verification.
3. Click Security, and then in the Check passwords on Notes IDs field, select Disabled.
4. Repeat for each server on which you want to disable password verification.
7. In the Confirm password field, retype the new password.
8. Click Modify, and then click OK.
To delete a password
1. From the Domino Administrator, click the Configuration tab, and then click Certification.
2. Choose Edit Multiple Passwords.
3. Select the ID from which you want to remove an authorized password.
4. Enter the passwords required.
5. Select a currently authorized user, and then click Remove.
6. Repeat Step 5 to delete the password for each additional authorized user.
7. Click OK.
ID recovery
To recover from loss of, or damage to, an ID file, recommend to your users that they keep backup copies of their ID files in a secure place, for example, on a disk stored in a locked area. Losing or damaging an ID file or forgetting a password has serious consequences. Without an ID, users cannot access servers or read messages and other data that they encrypted with the lost ID.
To prevent problems that occur when users lose or damage ID files or forget passwords, set up Domino to recover ID files. Ideally, you should designate several administrators who will act as a group to recover IDs and passwords. Although you can designate a single administrator to manage ID recovery, you should consider having two or more administrators work together to recover ID files. Designating a group of administrators helps to prevent a breach of security by one administrator who has access to all ID files.
When you designate a group of administrators, you can specify that only a subset of them be present during the actual ID recovery. For example, if you designate five administrators for ID recovery but require only three administrators to unlock the ID file, any three of the five can unlock the ID file. Designating a group of administrators and requiring only a subset also prevents problems that occur if one administrator is unavailable or leaves the company.
Before you can recover ID files, an administrator who has access to the certifier ID file must specify recovery information, and the ID files themselves must be made recoverable. There are three ways to do this:
- At registration, administrators create the ID file with a certifier ID that contains recovery information.
- Administrators export recovery information from the certifier ID file and have the user accept it.
- (Only for servers using the server-based certification authority) Users authenticate to their home server after an administrator has added recovery information to the certifier.
Domino stores ID recovery information in the certifier ID file. The information stored includes the names of administrators who are allowed to recover IDs, the address of the mail or mail-in database where users send an encrypted backup copy of their ID files, and the number of administrators required to unlock an ID file.
The mail or mail-in database contains documents that store attachments of the encrypted backup ID files. These files are encrypted using a random key and cannot be used with Notes until they are recovered.
An encrypted backup copy of the ID file is required to recover a lost or corrupted ID file. Recovering an ID file for which the password has been forgotten is a bit easier. If the original ID file contains recovery information, administrators can recover the ID file, even if an encrypted backup ID file doesn't exist.
You can set up ID recovery for user IDs at any time. If you do so before you register users, ID recovery information is automatically added to user IDs the first time that users authenticate with their home servers. If you set up ID recovery information after you have registered Notes users, recovery information is automatically added to the user IDs the next time users authenticate with their home servers.
Caution If your users will be enabling Smartcards to use with their Notes IDs, it is extremely important to set up ID recovery information for these IDs before any Internet keys are pushed onto the Smartcard. Otherwise, the ID file recovery process will not be able to restore those keys. Additionally, acquiring recovery information, through any means, makes any Internet keys that had been previously pushed to the Smartcard unrecoverable.
Setting up ID recovery
Before users can recover their ID files, you must set up a centralized mail or mail-in database to store encrypted backups of ID files and specify information about which administrators, known here as recovery authorities, are allowed to recover IDs. You must perform these steps before anyone loses or corrupts an ID, ideally before you begin registering users.
1. From the Domino Administrator, click Configuration, and then click Certification.
2. Click Edit Recovery Information.
3. In the Choose a Certifier dialog box, click Server and select the registration server name from the Domino Directory (only if the correct server name does not appear).
4. Choose the certifier for which you are creating recovery information.
   - If you are using a server-based certification authority, click Use the CA process and select a certifier from the drop-down list. You must be a Certificate Authority (CA) administrator for the certifier in order to change ID recovery information.
   - If you are not using a server-based certification authority, click Supply certifier ID and password. If the certifier ID path and file name do not appear, click Certifier ID and select the certifier ID file and enter the password.
5. Click OK. The Edit Master Recovery Authority List dialog box appears.
6. Enter the number of recovery authorities that are required to recover an ID file. It is recommended that you choose at least three.
7. Click Add and select the names of the administrators who are the designated recovery authorities.
8. Choose whether you want to use an existing mailbox for recovery information or create a new one.
   - If you have a mail or mail-in database already set up for recovery information, click I want to use an existing mailbox. Click Address and select the database from the Domino Directory.
   - If you want to create a new database to store recovery information, click I want to create a new mailbox. In the Create New Mailbox dialog box, enter the name of the server on which the database is to be created, and the database title. You can use the file name that is created from the database title, or you can create a new one.
   Note Whenever you make changes in this dialog box, the Export button is disabled. You cannot export recovery information until you save the new or updated information.
9. Click OK.
10. If you are using a server-based certification authority, at the server console type:
load ca
This starts the CA process with the new recovery information, or refreshes it if it is already running. Then type:
tell adminp process all
to process the request to add recovery information to the certifier.
11. In the mail-in database ACL, set the -Default- access to No access and give administrators Reader access.
Note If you have created additional O-level Notes certifiers, be sure to cross-certify them with the initial Notes certifier prior to setting up recovery information.
To send recovery information to the user
The administrator completes these steps.
1. From the Domino Administrator, click the Configuration tab, and then click Certification.
2. Click Edit Recovery Information.
3. In the Choose a Certifier dialog box, if the correct server name does not appear, click Server and select the registration server name from the Domino Directory.
4. Choose the certifier for which you are creating recovery information.
   - If you are using a server-based certification authority, click Use the CA process and select a certifier from the drop-down list.
   - If you are not using a server-based certification authority, click Supply certifier ID and password. If the certifier ID path and file name do not appear, click Certifier ID and select the certifier ID file and enter the password.
5. Choose Export, and then enter the certifier ID's password.
6. Complete these fields, and then click Send:
Field | Enter
To | Names of users and groups whose ID files you want to back up.
CC | Names of users and groups to whom you want to send a copy of the message.
Subject | Information for users and groups that will appear in the Subject field of the message. If this field is blank, Notes uses the following text: "New ID file recovery information is attached. Please add it to your ID file by using the Actions menu Accept Recovery Information option."
Memo | Information for users and groups that will appear in the Body field of the message. Domino automatically attaches the encrypted backup file information to the message; you do not need to specify it in this field.
To accept recovery information in the ID file
The user completes these steps.
1. After the administrator sends the recovery information, open the message in your mail database.
2. Choose Actions - Accept Recovery Information, and then enter your password.
CC Subject
Information for administrators that will appear in the Body field of the message. Domino automatically attaches the backup of the ID file to the message; you do not need to specify it in this field.
Domino automatically sends the encrypted backup ID file to the centralized mail or mail-in database specified by the administrator. Note You can store multiple copies of the ID file in the centralized mail or mail-in database. Domino creates a new document every time an ID file is backed up. When attempting to recover an ID file, use the most recent backup. If this fails, use the older versions.
Recovering an ID
If a user loses or damages an ID file or forgets a password, the user can work with administrators to recover the ID file from backup.
To recover a user ID from a backup ID
The user completes these steps.
1. If you have recovery information set up for your user ID, contact your administrator to obtain the password(s) needed to recover your ID. The recovery password is randomly generated and unique to each recoverable ID file and administrator.
   Note If you do not have access to your user ID file, contact your administrator, who can provide you with an encrypted backup of your user ID. Once you have the backup user ID, continue with the following steps.
2. When you first log in to Notes and the Password dialog box appears, do not enter your password. Just click OK.
3. Click Recover Password in the Wrong password dialog box.
4. Select the user ID file to recover in the Choose ID File to Recover dialog box.
5. Enter the password(s) given to you by your administrator(s) in the Enter Passwords dialog box, and repeat until you have entered all of the passwords, and you are prompted to enter a new password for your user ID.
6. Enter a new password for your user ID, and confirm the password when prompted. Note that if you do not enter a new password, you will need to recover your user ID again.
7. Replace all backups and copies of your user ID file with the newly recovered user ID file.
To obtain the ID file recovery password
For security reasons, the administrators must complete these steps from their own workstations, rather than from the same workstation. Using separate workstations prevents an unauthorized user from using a program to capture the keystrokes that the administrators enter on the same workstation. If an unauthorized user obtains an administrator's ID file and password, the unauthorized user can obtain the administrator's recovery password for all ID files. Therefore, you must protect the administrator's ID file and require that multiple administrators work together to recover any given user ID file.
1. Detach the encrypted backup of the user's ID file from the mail or mail-in database to the local hard drive.
2. If the user's ID file is damaged, send a copy of the ID file from the centralized mail or mail-in database to the user.
3. From the Domino Administrator, click the Configuration tab, and choose Certification - Extract Recovery Password.
4. Enter the password to the administrator's ID file.
5. Specify the ID file you want to recover. This is the same ID you detached in Step 1.
6. Give the user the recovery password that is displayed.
To add or delete administrators
An administrator with access to the certifier ID completes these steps.
1. From the Domino Administrator, click the Configuration tab, and then click Certification.
2. Click Edit Recovery Information.
3. In the Choose a Certifier dialog box, if the correct server name does not appear, click Server and select the registration server name from the Domino Directory.
4. Choose the certifier for which you are creating recovery information.
   - If you are using a server-based CA, click Use the CA process and select a certifier from the drop-down list.
   - If you are not using a server-based CA, click Supply certifier ID and password. If the certifier ID path and file name do not appear, click Certifier ID and select the certifier ID file and enter the password.
5. Do one:
   - To delete an administrator, highlight the administrator's name, and then click Remove.
   - To add new administrators, click Add and then select the names of administrators who are authorized to recover ID files.
6. (Optional) Change the number of administrators required to unlock an ID.
7. When you finish adding or deleting names, click OK.
8. Prepare IDs for recovery.
Creating a new Notes public key and adding it to the Domino Directory
Creating and certifying a new public key requires the following procedures, which are described below:
- The user creates the new public key and submits it for certification.
- The certification administrator certifies the user's public key with a Notes certificate and adds it to the Domino Directory.
- The user merges the new certificate into the user's ID file.
To create a new Notes public key
The ID owner performs these steps.
1. Choose File - Security - User Security.
2. Type the password (if required).
3. Click Your Identity - Your Certificates, and click Other Actions. Choose Create New Public Keys.
4. In the New Public Keys Confirmation dialog box, click Continue to use Notes mail to send your request for adopting new public keys.
   Note If you want to create a new public key without using Notes mail, click Export ID to create a safe copy of your ID file, and then click Do not continue. Use another e-mail program to send the exported file to the administrator.
5. In the Mail New Public Key Request dialog box, address the request to one of the following:
   - The certification administrator for the certifier.
   - The certifier, for example, /East/Acme. Domino mails the request to the person indicated in the Administration section of the corresponding Certifier document in the Certificates view of the Domino Directory.
6. Click Send.
To recertify the ID with a Notes certificate and add the Notes public key to the Domino Directory
The certification administrator performs these steps.
1. Open the certification request in your mail file.
2. Choose Actions - Certify Attached ID File.
3. Select whether to use a server-based certification authority or the certifier ID, and click OK.
4. If you chose to use the certifier ID, enter the password for the ID, and click OK.
5. (Optional) Change the expiration date for the certificate.
6. (Optional) Click Add to specify alternate user name information.
7. (Optional) Specify a minimum password length.
8. Click Certify. The ID owner's name appears in the To field and explanatory text appears in the Subject field of the Mail Certified ID dialog box.
9. Click Send.
To merge the new Notes certificate with the ID
The ID owner performs these steps.
1. Choose File - Security - User Security.
2. Click Your Identity - Your Certificates.
3. Click Get Certificates, and then click Import (Merge) Notes Certificates.
4. Select the recertified ID sent to you by the certification administrator, and then click OK.
To verify a Notes public key
Verifying Notes public keys against those in the Domino Directory helps prevent an unauthorized user or server from accessing another server.
1. From the Domino Administrator, click Configuration and open the Server document for the server.
2. Click Security.
3. In the Security Settings section, select Yes in the Compare Notes public keys against those stored in Directory field.
4. Save the document.
5. Restart the server so that the changes take effect.
4. In the Mail, Copy Certificate (Public Key) dialog box, click Mail Certificate.
5. Address the request to the person who will paste the key into a Domino Directory or Personal Address Book.
6. (Optional) Next to CC, type the name of any other people you want to notify of the request.
7. (Optional) Click Sign to prove you are the sender of the ID.
8. (Optional) Click Encrypt to protect the message as it is being sent to the recipient.
9. Click Send.
To copy a public key to a file
1. Choose File - Security - User Security.
2. Select the ID and enter the password.
3. Click Your Identity - Your Certificates - Other Actions. Choose Publish (Mail, Copy) Certificate.
4. In the Publish (Mail, Copy) Certificate dialog box, click Copy Certificate and click OK to copy the key to the clipboard.
5. Save the contents of the clipboard to a file.
6. Deliver the file by hand or postal service to someone to paste into a Domino Directory or Personal Address Book.
To paste the public key into a Personal Address Book
1. In your Personal Address Book, create a Contact document for the owner of the public key.
2. Click the Advanced tab, and then use the clipboard viewer to open the file or mail message that contains the public key.
3. Copy the public key from the clipboard and paste it into the Certified public key field of the Contact document.
4. Save the document.
To paste the public key into a Domino Directory
1. From the Domino Administrator, do one of the following:
   a. Click the People & Groups tab and edit the Person document.
   b. Click the Configuration tab and edit the Server document.
2. Click Certificates - Flat Name Key in the Person document, or click Administration in the Server document.
3. Use the clipboard viewer to open the file or mail message that contains the public key.
4. Copy the public key from the clipboard, and paste it into one of the following fields:
   - Certified public key field (hierarchical Domino certificates)
   - (Person documents only) Flat name key (non-hierarchical Domino certificates)
   Note You cannot paste Internet certificates into Person or Server documents.
5. Save the Person or Server document.
Notes cross-certificates
To allow users and servers from the different hierarchically-certified organizations to access servers in the other organization, and to verify the digital signature of a user from another organization, you use cross-certificates. Domino servers store cross-certificates in the Domino Directory. To access Domino servers, Notes clients obtain cross-certificates for those servers and store them in their Personal Address Books. These cross-certificates can be used only by the user to whom they are issued.
For example, if Alan Jones/Sales/East/Acme wants to access the Support/Seascape server, he needs a cross-certificate from /Seascape, and the Support/Seascape server needs a cross-certificate for /Sales/East/Acme. When Alan tries to authenticate with the Support/Seascape server, it checks for the cross-certificate in Alan's Personal Address Book. If Support/Seascape finds a valid cross-certificate, the server then checks whether Alan is allowed to access the server.
Cross-certification can occur at various levels of an organization. For example, to allow every user within one organization to authenticate with every server in another, each user has a cross-certificate for the other's organization certifier in the Personal Address Book. Servers in each organization have a cross-certificate for the other's organization certifier in the Domino Directory. Cross-certification can also occur at the level of an individual user or server ID. For example, to allow a single user to authenticate with any server in another organizational unit or verify a digital signature from a user in that organizational unit, the user ID needs a cross-certificate for the organizational unit certifier in the other company, and that organizational unit certifier needs a cross-certificate for the user ID.
Two-way cross-certification does not need to be symmetric. For example, one organization can have a cross-certificate for an organizational unit certifier and another organization can have a cross-certificate for an organization certifier.
If you have cross-certificates for an organization or organizational unit certifier, set up server access restrictions to prevent the other organization from accessing specific servers that store confidential information. To allow your organization to access servers in another organization but prevent that organization from accessing your servers, exchange cross-certificates as required, but then set up server access lists on all servers to prevent access by the other organization.
Internet cross-certificates
An Internet cross-certificate is a certificate that validates the identity of a user or server. An Internet cross-certificate ensures the recipient of an encrypted S/MIME message that the sender's certificate can be trusted and that the certificate used to sign an S/MIME message is valid. It also validates the identity of a server when a Notes client uses SSL to access an Internet server. An Internet cross-certificate is stored in a Certificate document in the user's Personal Address Book and can be used only by the user to whom it is issued.
An Internet cross-certificate can be issued for a leaf certificate (that is, a certificate issued to a user or server by a CA) or the CA itself. Creating a cross-certificate for a leaf certificate indicates trust for only the owner of the certificate, for example, the sender of the signed message or recipient of an encrypted message. A cross-certificate for a CA indicates trust for all owners who have a certificate issued by that CA. If you cross-certify a CA, you trust the CA to issue certificates to users and servers lower in the hierarchical name tree. For example, after cross-certifying Sales/ABC, you trust Sales/ABC to issue a certificate to Fred/Sales/ABC. Alternatively, after creating a cross-certificate for Fred/Sales/ABC, you trust only Fred/Sales/ABC.
Accessing a server
If a user attempts to access a server in a foreign domain, and the user does not already have a certificate in common with the domain, a dialog box gives the recipient the option to add the cross-certificate on demand. Users can add a Notes cross-certificate this way. This is usually the quickest and easiest way for a user to obtain a cross-certificate. For more information, see the topic "Adding a Domino or Internet cross-certificate on demand" in this chapter.
By phone
Users can add a cross-certificate by providing the name and public key of the certificate by phone. Users can use this method to add a Notes certificate only. For more information, see the topic "Adding a Notes cross-certificate by phone" later in this chapter.
Examples of cross-certification
To authenticate with all servers in another organization
This example describes what the Acme company and the ABC company do to allow all users and servers in both organizations to authenticate.
1. The Acme organization certifier (/Acme) obtains a cross-certificate for the ABC organization certifier (/ABC) and stores it in Acme's Domino Directory.
2. The ABC organization certifier (/ABC) obtains a cross-certificate for the Acme organization certifier (/Acme) and stores it in ABC's Domino Directory.
To authenticate with a specific server in another organization
The Acme company wants to let Seascape users who have the hierarchical certification AppDevelopment/Seascape access their customer support server, CSSUPPORT/East/Acme.
1. The Acme organizational unit certifier (/East/Acme) has a cross-certificate for the Seascape organizational unit certifier (/AppDevelopment/Seascape) and stores it in Acme's Domino Directory.
2. The Seascape organizational unit certifier (/AppDevelopment/Seascape) has a cross-certificate for the Acme organizational unit certifier (/East/Acme) and stores it in Seascape's Domino Directory.
This cross-certification enables Kelly Jones/AppDevelopment/Seascape and Jonathan Moutal/AppDevelopment/Seascape to authenticate with the server CSSUPPORT/East/Acme. However, it does not allow these users to authenticate with the Acme server Mail-W/West/Acme.
To send signed S/MIME messages
Alan Jones has an Internet certificate issued from the Acme CA, and Dave Lawson has an Internet certificate issued from the ABC CA. If Alan wants to send Dave an encrypted S/MIME message and Dave wants to send Alan an encrypted S/MIME message:
1. Alan has a trusted cross-certificate for ABC and stores it in his Personal Address Book.
2. Dave has a trusted cross-certificate for Acme and stores it in his Personal Address Book.
Both Dave and Alan can now also send encrypted S/MIME messages to each other.
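The Notes examples above can be checked mechanically. The following Python model is an added illustration, not code from Domino or from this guide: it treats a cross-certificate as an (issuer, subject) pair held in each organization's directory and requires a matching pair on both sides before two names can authenticate. The per-organization store, the function names, and the names Hub/ABC and Pat Lee/Sales/Seascape are assumptions made for the example.

```python
from __future__ import annotations

from dataclasses import dataclass


def components(name: str) -> tuple[str, ...]:
    """Split a hierarchical name into components, most specific first.

    Names are compared case-insensitively here (an assumption of this model).
    """
    return tuple(p.strip().casefold() for p in name.strip("/ ").split("/") if p.strip())


def covers(certifier: str, name: str) -> bool:
    """True if `certifier` is `name` itself or one of its ancestors.

    The comparison is per component, never a raw string suffix test,
    so "/Acme" does not cover "Server/NotAcme".
    """
    c, n = components(certifier), components(name)
    return 0 < len(c) <= len(n) and n[len(n) - len(c):] == c


@dataclass(frozen=True)
class CrossCert:
    issuer: str   # certifier (or ID) in the holder's own hierarchy
    subject: str  # certifier (or ID) being cross-certified


def trusts(holder: str, other: str, stores: dict[str, list[CrossCert]]) -> bool:
    """Does `holder`'s organization hold a cross-certificate that applies to `other`?"""
    parts = components(holder)
    if not parts:
        return False
    return any(
        covers(cc.issuer, holder) and covers(cc.subject, other)
        for cc in stores.get(parts[-1], [])
    )


def can_authenticate(a: str, b: str, stores: dict[str, list[CrossCert]]) -> bool:
    """Authentication needs a usable cross-certificate on both sides."""
    return trusts(a, b, stores) and trusts(b, a, stores)


# Cross-certificates from the two Notes examples in the guide, keyed by organization.
STORES = {
    "acme": [
        CrossCert("/Acme", "/ABC"),
        CrossCert("/East/Acme", "/AppDevelopment/Seascape"),
    ],
    "abc": [CrossCert("/ABC", "/Acme")],
    "seascape": [CrossCert("/AppDevelopment/Seascape", "/East/Acme")],
}

# Constructed asymmetric exchange: Acme certifies one Seascape organizational
# unit, while Seascape certifies the whole Acme organization.
ASYMMETRIC = {
    "acme": [CrossCert("/Acme", "/AppDevelopment/Seascape")],
    "seascape": [CrossCert("/Seascape", "/Acme")],
}

if __name__ == "__main__":
    kelly = "Kelly Jones/AppDevelopment/Seascape"
    for server in ("CSSUPPORT/East/Acme", "Mail-W/West/Acme"):
        print(kelly, "<->", server, ":", can_authenticate(kelly, server, STORES))
    print("Pat Lee/Sales/Seascape <-> Mail-W/West/Acme :",
          can_authenticate("Pat Lee/Sales/Seascape", "Mail-W/West/Acme", ASYMMETRIC))
```

A passing check here only establishes that the two sides can authenticate; as the guide notes, server access lists still decide whether an authenticated user may use a given server.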
Server
Expiration date | Date when the cross-certificate will expire.
5. Click Cross Certify. Domino places the cross-certificate in the Server Certificates view of the Domino Directory of the server you specified in Step 4 or in the Advanced/Certificates view of the Personal Address Book.
6. Look at the Certificate Issued To field to verify that you selected the correct certificate. Write down the name exactly as it appears, including any forward slashes (/), for example, /Acme.
7. Look at the Issuer Key Identifier field and write down the public key exactly as it appears, including spaces.
8. Call the organization that will add the cross-certificate, and provide the name and public key exactly as you recorded them.
To add a cross-certificate to a Domino Directory or Personal Address Book
After someone from another organization provides the name and public key over the phone, use these steps to add a cross-certificate for the ID.
1. From the Domino Administrator, click the Configuration tab.
2. Choose Certification, and then choose Cross Certify Key.
3. Select whether to use a CA-enabled certifier or use the Certifier ID, and click OK.
4. If you chose to use the certifier ID, enter the password for the ID, and click OK.
5. In the Subject name field, type the full hierarchical name for the ID you are cross-certifying exactly as provided over the phone, including any forward slashes (/).
6. Type the public key for the ID you are cross-certifying exactly as it was provided over the phone, including spaces.
7. (Optional) Change the expiration date for the certificate. The default is 10 years.
8. (Optional) Click Certifier to select a different certifier to issue the cross-certificate.
9. (Optional) Click Server and select a different registration server whose Domino Directory will store the cross-certificate. To store the cross-certificate in a user's Personal Address Book, choose Local as the server. Then click OK.
10. Click Cross Certify. Domino places the cross-certificate in the Server Certificates view of the Domino Directory of the selected registration server.
You cannot use this procedure to create an Internet cross-certificate.
To create a safe copy of an ID
Use these steps to create a safe copy of the user, server, or certifier ID that you want to cross-certify.
1. From the Domino Administrator, click the Configuration tab.
2. Choose Certification and then choose ID Properties.
3. Select the user, server, or certifier ID file, and then click Open.
4. Type the password (if required). The ID Properties dialog box appears.
5. Click Your Identity - Your Certificates - Other Actions, and then select Export Notes ID (Safe Copy).
6. Enter a path and name for the safe copy, and then click OK. The default name is SAFE.ID.
7. Copy the file to a disk.
8. Use the postal service to send the disk to the certification administrator at the other organization.
To add a cross-certificate for the safe copy
Use these steps to add the cross-certificate to the Domino Directory.
1. From the Domino Administrator, click the Configuration tab.
2. Click Certification, and then click Cross Certify.
3. Select whether to use a CA-enabled certifier or use the certifier ID, and click OK.
4. If you chose to use the certifier ID, enter the password for the ID, and click OK.
5. Select the safe copy of the ID to be cross-certified, and then click OK.
6. Complete one or more of these fields:
Field | Enter
Certifier | Name of your organization's certifier ID
Server | Location of the Domino Directory where you want to copy the cross-certificate
Subject name | Organization or organizational unit certifier to be cross-certified, for example, /Acme
Subject alternate name list | An alternate name that identifies the certifier ID. Alternate names allow you to assign more than one name to an ID, which is recognizable in a user's native language.
Expiration date | Date when the cross-certificate will expire
7. Click Cross Certify. Domino places the cross-certificate in the Server Certificates view of the Domino Directory of the server you specified in Step 6.
Subject alternate name list | An alternate name for the subject of the certificate. Alternate names allow you to assign names that are recognizable in a user's native language to an ID file.
Expiration date | Date when the cross-certificate will expire
Certifier | File name of your organization's certifier ID
Server | Location of the Domino Directory where you want to copy the cross-certificate
5. Click Cross Certify. Domino places the cross-certificate in the Server Certificates view of the Domino Directory of the server you specified in Step 5.
Server
Subject name
5. Repeat Steps 3 and 4 for every user for whom you want to create cross-certificates.
Server
Subject name
Subject alternate name list | An alternate name for the subject of the certificate. Alternate names allow you to assign names that are recognizable in a user's native language to an ID file.
Expiration date | Date when the cross-certificate will expire.
4. Repeat Steps 2 and 3 for every certifier for which you want to create cross-certificates.
Displaying cross-certificates
To view cross-certificates, from the Domino Administrator, click the Configuration tab and choose the Certificates/Certificates view. The view lists certificates according to type:
• Internet certifiers
• Notes certifiers
• Notes cross-certificates
• Internet cross-certificates
Caution Domino administrators with full access administration rights, as well as users who are allowed to run agents with unrestricted access, can access databases without being explicitly listed in the database ACLs. For more information on full access administration rights and running agents with unrestricted access, see the chapter "Controlling Access to Domino Servers."
Note The database ACL should not be confused with other types of ACLs used by Domino administrators. One such ACL is the extended ACL, which is used only in the Domino Directory and the Extended Directory Catalog to restrict access to specific documents and fields within those databases. You must enable extended access to use this feature. The other type of access control list is the .ACL file, which is used by administrators to restrict user access to server directories.
Of the default ACL entries, Anonymous and the database creator's user name are the only entries that are defined as a Person in the ACL. Anonymous and -Default- are the only entries that are specific to a database, and not related to an entry in the Domino Directory. For example, LocalDomainServers is created automatically in the Domino Directory, and added to the ACL when a database is created. Anonymous is created as an ACL entry only when the database is created.
-Default-
Users and servers receive the access assigned to the -Default- entry if they have not specifically been assigned another access level, either individually or as a member of a group, or from a wildcard entry. In addition, if the database ACL does not contain an entry for Anonymous, then users accessing the database anonymously get the -Default- level of access. The default access for -Default- depends on the design of the database template and varies among the different templates.
The access level you assign to the -Default- entry depends on how secure you want the database to be. Select No Access if you want a database available to a limited number of users. Select Author or Reader access to make a database available for general use. The -Default- entry should have a user type of Unspecified. You cannot delete the -Default- entry from an ACL.
Anonymous
Anonymous database access is given to Internet users and to Notes users who have not authenticated with the server. The default ACL entry for Anonymous for all database templates (.NTF files) has an access level of Reader, so that users or servers can successfully read from the template when creating or refreshing .NSF files based on that template. The default ACL entry for Anonymous for database files (.NSF files) is No Access. For more information about Anonymous access, see the topic "Acceptable entries in the ACL" later in this chapter.
LocalDomainServers
The LocalDomainServers group lists the servers in the same domain as the server on which the database is stored, and is provided by default with every Domino Directory. When you create a new database, the default access for LocalDomainServers is Manager. The group should have at least Designer access to allow replication of database design changes across the domain. The LocalDomainServers group is typically given higher access than the OtherDomainServers group.
OtherDomainServers
The OtherDomainServers group lists the servers outside the domain of the server on which the database is stored, and is provided by default with every Domino Directory. When you create a new database, the default access for OtherDomainServers is No Access.
Each ACL entry can have a maximum of 255 characters. Add names to the ACL in hierarchical format for better security. For example:
Sandra E Smith/West/Acme/US
Randi Bowker/Sales/FactoryCo
For more information about creating hierarchical name schemes, see the chapter "Installing and Setting Up Domino Servers."
You can use a wildcard only at the leftmost portion of the ACL entry. For example, you can't use the entry:
*/Illustration/*/Acme/US
to represent these entries:
Michael Bowling/Illustration/West/Acme/US
Karen Richards/Illustration/East/Acme/US
When you use a wildcard ACL entry, set the user type as Unspecified, Mixed Group, or Person Group.

User names
You can add to an ACL the names of any individuals with certified Notes user IDs or Internet users who authenticate using name-and-password or SSL client authentication.
For Notes users, enter the full hierarchical name for each user; for example, John Smith/Sales/Acme, regardless of whether the user is in the same hierarchical organization as the server that stores the database.
For Internet users, enter the name that appears as the first entry in the User name field of the Person document.
Note Many alias names can be entered in the user name field and used for authentication; however, it is the first name in the list that is used to perform the security authorization check. This is the name that should be used on all Domino database ACLs, in the security settings on the Server document, and in .ACL files.
For more information about setting a maximum level of access for Internet users, see the topic "Maximum Internet name-and-password access" later in this chapter.

Server names
You can add server names to an ACL to control the changes a database receives from a database replica. To ensure tighter security, use the full hierarchical name of the server (for example, Server1/Sales/Acme), regardless of whether the name of the server being added is in a different hierarchical organization than that of the server that stores the database.

Group names
You add a group name (for example, Training) to the ACL to represent multiple users or servers that require the same access. Users must be listed in groups with a primary hierarchical name or an alternate name. Groups can also have wildcard entries as members.
Before you can use a group name in an ACL, you must create the group in the Domino Directory or in either a secondary Domino Directory or an external LDAP Directory that has been configured for group authorization in the Directory Assistance database.
Tip Use individual names rather than group names for the managers of a database. Then when users choose Create - Other - Memo to Database Manager, they'll know whom they are addressing.
Groups provide a convenient way to administer a database ACL. Using a group in the ACL offers the following advantages:
• Instead of adding a long list of individual names to an ACL, you can add one group name.
• If a group is listed in more than one ACL, modify the group document in the Domino Directory or the LDAP Directory, rather than add and delete individual names in multiple databases.
• If you need to change the access level for several users or servers, you can do so once for the entire group.
• Use group names to reflect the responsibilities of group members or the organization of a department or company.
Tip You can also use groups to let certain users control access to the database without giving them Manager or Designer access. For example, you can create groups in the Domino Directory for each level of database access needed, add the groups to the ACL, and allow specific users to own the groups. These users can then modify the groups, but they can't modify the database design.

Terminations group
When employees leave an organization, you should remove their names from all groups in the Domino Directory and add them to a Deny List Only group used to deny access to servers. The Deny Access list in the Server document contains the names of Notes users and groups who no longer have access to Domino servers. You should also make sure that the names of terminated employees are removed from the ACLs of all databases in your organization. When you delete a person from the Domino Directory, you have the option to "Add deleted user to deny access group," if such a group has been created. (If no such group exists, the dialog box displays "No Deny Access group selected or available.")
For more information on Deny List Only groups, see the chapter "Setting Up and Managing Groups." For more information on the Deny Access list, see the chapter "Controlling Access to Domino Servers."
Alternate names
An alternate name is an optional alias name that an administrator assigns to a registered Notes user. You can add alternate names to an ACL. An alternate name provides the same level of security as the user's primary hierarchical name. For a user whose primary name is Sandra Brown/West/Sales/Acme, an example of an alternate name format would be Sandy Smith/ANWest/ANSales/ANAcme, where AN is an alternate name.
For more information about alternate names, see the chapter "Setting Up and Managing Notes Users."

LDAP users
You can use a secondary LDAP directory to authenticate Internet users. You can then add the names of these Internet users to database ACLs to control user access to databases. You can also create groups in the secondary LDAP directory that include the Internet user names and then add the groups as entries in Notes database ACLs.
For example, an Internet user may try to access a database on a Domino Web server. If the Web server authenticates the user, and if the ACL contains a group named Web, the server can look up the Internet user's name in the group Web located in the foreign LDAP directory, in addition to searching for the entry in the primary Domino Directory. Note that for this scenario to work, the Directory Assistance database on the Web server must include an LDAP Directory Assistance document for the LDAP directory with the Group Expansion option enabled. You can also use this feature to look up the names of Notes users stored in foreign LDAP directory groups for database ACL checking.
When you add the name of an LDAP directory user or group to a database ACL, use the LDAP format for the name, but use a forward slash (/), rather than a comma (,), as a delimiter. For example, if the name of a user in the LDAP directory is:
uid=Sandra Smith,o=Acme,c=US
enter the following in the database ACL:
uid=Sandra Smith/o=Acme/c=US
To enter the name of a nonhierarchical LDAP directory group in an ACL, enter only the attribute value, not the attribute name. For example, if the nonhierarchical name of the LDAP group is:
cn=managers
in the ACL enter only:
managers
To enter the name of a hierarchical group name, include LDAP attribute names in ACL entries. For example, if the hierarchical name of the group is:
cn=managers,o=acme
in the ACL enter:
cn=managers/o=acme
Note that if the attribute names you specify exactly correspond to those used in Notes (cn, ou, o, c), the ACL won't display the attributes. For example, if you enter this name in an ACL:
cn=Sandra Smith/ou=West/o=Acme/c=US
because the attributes exactly correspond to those used by Notes, the name appears in the ACL as:
Sandra Smith/West/Acme/US

Acceptable ACL entries for LDAP users
LDAP DN | ACL entry
cn=Scott Davidson+ id=1234, ou=Sales,o=Acme | cn=Scott Davidson+id=1234/ou=Sales/o=Acme
cn=Scott Davidson,o=Acme\, Inc | cn=Scott Davidson/o=Acme, Inc
uid=smd12345,dc=Acme,dc=Com | uid=smd12345/dc=Acme/dc=Com
uid=Sandra Smith,o=Acme,c=US | uid=Sandra Smith/o=Acme/c=US
Note If the LDAP name includes a backslash followed by another character, omit that backslash when you specify the name in the database ACL.
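The conversion rules and the table of acceptable entries above, worked as an added example; this is not part of the Domino documentation or product code. The function names are hypothetical, the display rule treats a name as Notes-style when every attribute is one of cn, ou, o, c (an assumption about what "exactly correspond" means), and LDAP hex escapes are not decoded because this section does not cover them.

```python
"""LDAP DN -> Domino database ACL entry, following the rules in this section."""

NOTES_ATTRS = {"cn", "ou", "o", "c"}  # attribute names that Notes itself uses


def split_unescaped(text, sep):
    """Split on sep, ignoring any separator that is preceded by a backslash."""
    parts, buf, i = [], [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            buf.append(text[i:i + 2])  # keep the escape pair together for now
            i += 2
        elif text[i] == sep:
            parts.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(text[i])
            i += 1
    parts.append("".join(buf))
    return parts


def drop_backslashes(value):
    """Omit each backslash that is followed by another character."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            i += 1  # skip the backslash, keep the character after it
        out.append(value[i])
        i += 1
    return "".join(out)


def parse_dn(dn):
    """Return one list per RDN; each holds (attribute, value) pairs."""
    rdns = []
    for rdn in split_unescaped(dn, ","):
        pairs = []
        for ava in split_unescaped(rdn, "+"):  # multi-valued RDN, e.g. cn=..+id=..
            attr, eq, value = ava.partition("=")
            if not eq or not attr.strip() or not value.strip():
                raise ValueError(f"malformed DN component: {ava!r}")
            value = drop_backslashes(value.strip())
            if "/" in value:
                # '/' is the ACL delimiter, so such a value cannot be represented
                raise ValueError(f"value {value!r} contains the ACL delimiter '/'")
            pairs.append((attr.strip(), value))
        rdns.append(pairs)
    return rdns


def ldap_dn_to_acl_entry(dn, is_group=False):
    """Text to type into the ACL for an LDAP user or group DN."""
    rdns = parse_dn(dn)
    if is_group and len(rdns) == 1 and len(rdns[0]) == 1:
        return rdns[0][0][1]  # nonhierarchical group: attribute value only
    return "/".join("+".join(f"{a}={v}" for a, v in rdn) for rdn in rdns)


def acl_display_name(dn):
    """How the entry appears in the ACL once Notes hides its own attribute names."""
    rdns = parse_dn(dn)
    if all(len(r) == 1 and r[0][0].lower() in NOTES_ATTRS for r in rdns):
        return "/".join(r[0][1] for r in rdns)
    return ldap_dn_to_acl_entry(dn)


if __name__ == "__main__":
    # DNs taken from the table above; the is_group flags are set for this demo.
    samples = [
        ("cn=Scott Davidson+ id=1234, ou=Sales,o=Acme", False),
        ("cn=Scott Davidson,o=Acme\\, Inc", False),
        ("uid=smd12345,dc=Acme,dc=Com", False),
        ("cn=managers", True),
        ("cn=managers,o=acme", True),
    ]
    for dn, is_group in samples:
        print(f"{dn!r:50} -> {ldap_dn_to_acl_entry(dn, is_group)!r}")
    print(acl_display_name("cn=Sandra Smith,ou=West,o=Acme,c=US"))
```

A value that itself contains a forward slash is rejected instead of converted, because the resulting ACL entry would split at the wrong place.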
Anonymous
Any user or server that accesses a server without first authenticating is known by the name Anonymous at that server. Anonymous database access is given to Internet users and to Notes users who have not authenticated with the server. Anonymous access is generally used in databases that reside on servers available to the general public. You can control the level of database access granted to an anonymous user or server by entering the name Anonymous in the access control list, and assigning an appropriate level of access. Typically you assign Anonymous users Reader access to a database.
The table below describes the different conditions for access that an anonymous user would have to a database:
Anonymous access enabled for Internet protocol
• Anonymous access enabled in database ACL: Users access the database with the Anonymous entry's access level. For example, if Anonymous access is set to Reader, anonymous users who access the database will be granted Reader access.
• Anonymous given no access in database ACL: If Anonymous has been granted No Access (and the Read & Write public documents privileges are not enabled), Anonymous users are not allowed access to the database and they will be prompted to authenticate. When they authenticate, the name is checked in the database ACL to determine the level of database access that should be granted.
• Anonymous not listed in database ACL: Anonymous users access the database with the -Default- entry's access level. For example, if -Default- access is set to Reader, and there is no Anonymous entry in the ACL, anonymous users who access the database will be granted Reader access.

Anonymous access not enabled for Internet protocol
Users are prompted to authenticate when they attempt to access any resource on the server. If the user is not listed in the database (through a group entry, a wildcard entry, or if the user name is explicitly listed), then the user accesses the database with the -Default- entry's access level.
Anonymous users (both those who are given access to a database through the Anonymous entry and those who have access through the -Default- entry) who attempt to do something in the database that is not allowed for their access level will be prompted to authenticate. For example, if Anonymous is set to Reader, and an anonymous user tries to create a new document, that user is prompted to authenticate with a name and password.
Tip If you want all users to authenticate with a database, then make sure that Anonymous is in the database ACL with an access level of No Access, and be sure that the Read Public Documents and Write Public Documents are not enabled. Add the Internet user's name to the ACL with the level of access you want them to have.
The Domino server uses the group name Anonymous solely for access control checks. For example, if Anonymous has Author access in the database ACL, the true name of the user appears in the Authors field of those documents. The Domino server can display only the true name of anonymous Notes users, but not of anonymous Internet users, in the Authors field of the document. Authors fields are never a security feature, regardless of whether anonymous access is used; if the validity of the author's name is needed for security, then the document should be signed.

Replica IDs
To allow an agent in one database to use @DbColumn or @DbLookup to retrieve data from another database, enter the replica ID of the database containing the agent in the ACL of the database containing the data to be retrieved. The database containing the agent must have at least Reader access to the database containing the data to be retrieved. Both databases must be on the same server. An example of a replica ID in a database ACL is 85255B42:005A8fA4. You can enter the replica ID in uppercase or lowercase letters, but do not enclose it in quotation marks.
If you do not add the replica ID to the access control list, the other database can still retrieve data if the -Default- access level of your database is Reader or higher.

Order of evaluation for ACL entries
ACL entries are evaluated in a specific order to determine the access level that will be granted to an authenticated user trying to access the database. If a user fails to authenticate with a server, and the server permits access anyway, access will be computed as though the user's name was Anonymous.
• The ACL first checks the user name to see if it matches an explicit entry in the ACL. The ACL checks all matching user names. For example, Sandra E Smith/West/Acme would match the entries Sandra E Smith/West/Acme/US and Sandra E Smith.
In the event that two different entries for an individual have different access levels (for example, applied at different times by different administrators), the user trying to access the database would be granted the highest access level, as well as the union of the access privileges of the two entries for that user in the ACL. This can also happen if the user has alternate names.
Note If you enter only the common name in the ACL (for example, Sandra E Smith), then that entry matches only if the user's name and the database server are in the same domain hierarchy. For example, if the user is Sandra E Smith, whose hierarchical name is Sandra E Smith/West/Acme, and the database server is Manufacturing/FactoryCo, then the entry Sandra E Smith will not get the correct level of access for ACLs on the server Manufacturing/FactoryCo. The name must be entered in full hierarchical format in order for the user to obtain the correct level of access to ACLs on servers in other domains.
• If no match is made on the user name, the ACL then checks to see if there is a group name entry that can be matched. If an individual trying to access the database happens to match more than one group entry (for example, if the person is a member of Sales and there are two group entries for Sales, Acme Sales and Sales Managers), then the individual is granted the highest access level, as well as the union of the access privileges of the two entries for that group in the ACL.
Note If the user matches an explicit entry in the ACL, and is a member of a group that is also listed in the ACL, then the user always gets the level of access assigned to the explicit entry, even if the group access level is higher.
• If no match is made on the group name, the ACL then checks to see if there is a wildcard entry that can be matched. If the individual trying to access the database happens to match more than one wildcard entry, the individual is granted the highest access level, as well as the union of the access privileges of all of the wildcard entries that match.
• Lastly, if no match can be made from among the database ACL entries, the individual is granted the level of access defined for the -Default- entry.
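The evaluation order described above, as an added example that is not Domino code: a small model of how explicit, group, wildcard and -Default- entries resolve to one access level. The ACL contents, group memberships and function names are constructed for illustration; common-name-only entries are left out, and a leftmost wildcard is assumed to match any name that ends with the rest of the pattern.

```python
from dataclasses import dataclass, field

# Access levels from lowest to highest, as listed in this chapter.
LEVELS = ["No Access", "Depositor", "Reader", "Author", "Editor", "Designer", "Manager"]
RANK = {level: i for i, level in enumerate(LEVELS)}


@dataclass(frozen=True)
class Entry:
    name: str
    level: str
    privileges: frozenset = frozenset()


@dataclass
class User:
    names: set                                   # primary name plus alternate names
    groups: set = field(default_factory=set)     # groups the directory resolved


def wildcard_matches(pattern, name):
    """A wildcard is honoured only as the leftmost component (*/West/Acme/US)."""
    if not pattern.startswith("*/") or "*" in pattern[1:]:
        return False
    # Assumption: the rest of the pattern must be the tail of the name.
    return name.lower().endswith(pattern[1:].lower())


def combine(entries):
    """Highest level among the matches plus the union of their privileges."""
    top = max(entries, key=lambda e: RANK[e.level])
    return top.level, frozenset().union(*(e.privileges for e in entries))


def effective_access(acl, user=None):
    """Return (level, privileges, matched_by). user=None means not authenticated."""
    by_name = {e.name.lower(): e for e in acl}
    if user is None:
        # Evaluated as Anonymous; without such an entry, -Default- applies.
        entry = by_name.get("anonymous") or by_name["-default-"]
        return entry.level, entry.privileges, entry.name
    names = {n.lower() for n in user.names}
    groups = {g.lower() for g in user.groups}
    tiers = [
        ("explicit", [e for e in acl if e.name.lower() in names]),
        ("group", [e for e in acl if e.name.lower() in groups]),
        ("wildcard", [e for e in acl
                      if any(wildcard_matches(e.name, n) for n in user.names)]),
    ]
    for matched_by, entries in tiers:
        if entries:                       # the first tier with a match decides
            level, privileges = combine(entries)
            return level, privileges, matched_by
    default = by_name["-default-"]
    return default.level, default.privileges, default.name


# Constructed sample ACL and users (names reuse the examples in this chapter).
SAMPLE_ACL = [
    Entry("-Default-", "Reader"),
    Entry("Sandra E Smith/West/Acme/US", "Author", frozenset({"Create documents"})),
    Entry("Acme Sales", "Editor", frozenset({"Create documents"})),
    Entry("Sales Managers", "Designer", frozenset({"Delete documents"})),
    Entry("*/West/Acme/US", "Editor", frozenset({"Create documents"})),
    Entry("*/Illustration/*/Acme/US", "Manager"),   # invalid wildcard, never matches
]
SANDRA = User({"Sandra E Smith/West/Acme/US"}, {"Sales Managers"})
RANDI = User({"Randi Bowker/Sales/FactoryCo"}, {"Acme Sales", "Sales Managers"})
MICHAEL = User({"Michael Bowling/Illustration/West/Acme/US"})
KAREN = User({"Karen Richards/Illustration/East/Acme/US"})

if __name__ == "__main__":
    for label, user in [("Sandra", SANDRA), ("Randi", RANDI), ("Michael", MICHAEL),
                        ("Karen", KAREN), ("unauthenticated", None)]:
        level, privileges, matched_by = effective_access(SAMPLE_ACL, user)
        print(f"{label:16} {level:10} via {matched_by:10} {sorted(privileges)}")
```

Sandra ends up with Author even though her group has Designer, which is the case the Note above warns about when an explicit entry and a group entry disagree.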
Administrators who run the Notes client directly on the server machine or on a machine that has file level access to the server database files. Users may still have access to a database by running agents with the Unrestricted with Full Access privilege, even if they are not listed in the database ACL. This privilege bypasses the ACL and reader lists.
This table shows the user access levels, listed from highest to lowest.
Access level: Manager
Allows users to: Modify the database ACL. Encrypt the database. Modify replication settings. Delete the database. Perform all tasks allowed by lower access levels.
Assign to: Two people who are responsible for the database. Then if one person is absent, the other can manage the database.

Access level: Designer
Allows users to: Modify all database design elements. Create a full-text search index. Perform all tasks allowed by lower access levels.
Assign to: A database designer and/or the person responsible for future design updates.

Access level: Editor
Allows users to: Create documents. Edit all documents, including those created by others. Read all documents unless there is a Readers field in the form. If an editor is not listed in the Readers field, the user with Editor ACL access cannot read or edit the document.
Assign to: Any user allowed to create and edit documents in a database.

Access level: Author
Allows users to: Create documents if the user or server also has the Create documents access level privilege. When you assign Author access to a user or server, you must also specify the Create documents access level privilege. Edit the documents where there is an Authors field in the document and the user is specified in the Authors field. Read all documents unless there is a Readers field in the form.
Assign to: Users who need to contribute documents to a database.

Access level: Reader
Allows users to: Read documents where there is a Readers field in the form and the user name is specified in the field.
Assign to: Users who only need to read documents in a database but not create or edit documents.

Access level: Depositor
Allows users to: Create documents, but otherwise has no access, with the exception of options to Read public documents and Write public documents. These are privileges that designers may choose to grant.
Assign to: Users who only need to contribute documents but who do not need to read or edit their own or other users' documents. For example, use Depositor access for a ballot box application.

Access level: No Access
Allows users to: Has no access, with the exception of options to Read public documents and Write public documents. These are privileges that designers may choose to grant.
Assign to: Terminated users, users who do not need access to the database, or users who have access on a special basis.
Note You may want to specifically assign No Access to individuals who should not have access to a database, but who may be members of a group that does.
Designer
Editor
Delete documents Create private agents Create personal folders/views Create shared folders/views Create LotusScript/Java agents Replicate or copy documents Create documents Delete documents Create private agents Create personal folders/views Create LotusScript/Java agents Write public documents Replicate or copy documents Create private agents Create personal folders/views Create LotusScript/Java agents Write public documents Replicate or copy documents
Author
Reader
Optional privileges Read public documents Write public documents Read public documents Write public documents
No Access None
Create documents
Select this privilege for all users with Author access. If you deselect this privilege to prevent Authors from adding any more documents, they can continue to read and edit documents they've already created.
Delete documents
Authors can delete only documents they create. If this privilege is deselected, an author can't delete documents, no matter what the access level. If the form contains an Authors field, Authors can delete documents only if their name, or a group or a role that contains their name, appears in the Authors field.
6. On the Advanced panel of the ACL dialog, click Lookup User Types for Unspecified Users. The server uses the Domino Directory to look up each entry in the ACL and assign a user type of Person, Server, or Mixed Group. If it cannot find a match in the Directory, then the entry in the ACL will be left as Unspecified.
To restrict who can | The designer uses
View and read documents in a specific view | View properties
View and read documents in a specific folder | Folder properties
Read documents created with a specific form | Form properties
Create documents with a specific form | Form properties
Using roles to restrict access to database elements is not a foolproof security measure. For example, if a designer restricts access to certain documents in a database, the database manager or Domino administrator must remember that documents inherit their Reader access list from the Reader access option that is set in the Form Properties box for the form used to create the document. Therefore, anyone with Editor access or above in the database ACL can change a document's Reader access list.
Note In Domino Administrator, you do not need to include any brackets in the role name when adding or removing a role. However, when you rename a role, you must type the role name exactly as it appears in the ACL, including the brackets and case-sensitive characters.

To assign a role to an ACL entry
Because roles are specific to a database, you must modify database ACLs on an individual basis in order to assign roles to users.
1. Make sure that you have Manager access in the database ACL.
2. Open the database ACL that you want to modify.
3. Highlight the user to whom you want to assign a role.
4. In the Roles list box, select the role that you want to assign to that user.
5. Repeat steps 3 and 4 for each user to whom you want to assign a role.
6. Click OK to save your changes.
To monitor changes to ACLs
• Display the ACL log to view a chronological list of changes to the ACL.
• Create an ACL monitor to automatically send you e-mail when any changes are made to the database ACL.
Set the Maximum Internet name & password access option on the Advanced panel of the Access Control List dialog box to Manager on all the databases you want to modify, if you are not using SSL with X.509 client certificates. This option is set to Manager by default in the WEBADMIN.NSF so you can add more user names to the ACL of the WEBADMIN.NSF from a browser.
You can use the Web Administrator to perform the following tasks for Internet or Notes users:
• Add an ACL entry
• Remove an ACL entry
• Rename an ACL entry
• Add, remove, or rename a database role
• View the ACL change history
• Create a new database on the server based on templates
• Create a new copy of the database
• Delete a database
• Compact a database
• Create or update a full-text index of a database
• Force manual replication of a database with a remote server
5. Type the entry, or select it from the Domino Directory by clicking the button next to the list box.
6. Click OK.
To rename an entry
1. From the Domino Administrator Server pane, select the server that stores the databases.
2. Click Files, and select one or more databases from the Domino data directory.
3. Click Tools - Database - Manage ACL.
4. Click Modify.
5. In the From box, type the name of the person, server, or group that you want to rename.
6. Select Modify Name.
7. In the To box, type the new name of the person, server, or group that you want to rename.
8. Click OK to save your changes.
4. Click Tools - Database - Manage ACL.
5. Click Advanced.
6. Select Modify Administration Server setting.
7. Choose Modify fields of type Reader or Author, and click OK.
For example, a user, Sandra Smith/West/Sales/Acme, can use name and password to access a server using a Web browser. If Sandra Smith/West/Sales/Acme is assigned Editor access in the ACL and the Maximum Internet name & password access setting is Reader, the lower of the two access levels applies and Sandra is allowed only Reader access. Similarly, if Sandra Smith/West/Sales/Acme is assigned Reader access in the ACL and the Maximum access setting is Editor, Sandra is allowed only Reader access. However, if Sandra Smith also uses a Notes client to access the database, the Maximum access setting is ignored and Sandra is allowed Editor access.
The default for this option is Editor access. Tasks such as creating folders, views, and agents do not apply to Internet users.
Tip You can use this setting to prevent Internet users from accessing the database using name-and-password authentication. By setting it to No Access, the database would then be accessible only to Notes users or Internet users who authenticate using SSL client certificates.
If the server is not configured to require an SSL connection, clients will be able to use either SSL or unsecured TCP/IP to connect to the server; for example, in a browser, by using HTTP (for non-SSL) or HTTPS (for SSL).
For more information about Internet client access to Domino servers and databases, see the chapter "Setting Up Name-and-Password and Anonymous Access to Domino Servers."

To require an SSL connection to a database
1. Make sure you have Manager access in the database ACL.
2. From the Domino Administrator Server pane, select a server that stores the database(s) for which you want to require an SSL connection.
3. Click Files, and open the database from the Domino data directory.
4. Choose File - Database - Properties.
5. On the Basics tab, choose Web access: Require SSL connection.
Development. Likewise, every template and database that your organization designs should contain the signature of either the application developer or the administrator. For each signature, the ECL contains settings that control the actions that active content signed with that signature can perform and the workstation system resources it can access.
For a description of ECL access options, see the topic "ECL security access options" in this chapter.

How the workstation ECL works
When active content runs on a user workstation and attempts a potentially harmful action (for example, programmatically sending mail), the following occurs:
1. Notes verifies that the active content is signed and looks up the signer of the code in the workstation ECL.
2. Notes checks the signer's ECL settings to determine whether the action is allowed.
3. One of the following occurs:
   a. If the signer of the code is listed in the workstation ECL and the appropriate setting is enabled, the active content runs.
   b. If the active content attempts an action that is not enabled for the signer, or if the signer is not listed in the ECL, Notes generates an Execution Security Alert (ESA), which specifies the attempted action, the signer's name, and the ECL setting that is not enabled.
The ESA gives the user four options:
• "Do not execute the action" to deny the signer access to perform the specified action.
• "Execute the action this one time" to allow the signer access to perform the action only once. The ESA appears again if the same action is attempted in the future. This option does not modify the ECL.
• "Start trusting the signer to execute this action" to allow the action to be performed and modify the ECL configuration to add the signature of the active content to the ECL. This grants permission for the signer to execute the specific action any time on that workstation.
• "More Info" to display a dialog box that provides information about the design type, design name, Notes ID, signature status, and parent database of the code that caused the ESA. For example, locally scheduled agents, as well as manual agents, can generate ESAs. Click More Info to get information about the agent that generated the alert.
Note The administration ECL has a setting that prevents users from changing their workstation ECLs. If this setting is enabled, then the user's option to trust the signer is disabled.
Workstation security access options Choose from these options when setting up access to workstation data for active content, such as Notes databases:
Access option | If enabled, allows formulas and code to
Access to file system | Attach, detach, read to, and write from workstation files
Access to current database | Read and modify the current database
Access to environment variables | Use the @SetEnvironment and @GetEnvironment variables and LotusScript methods to access the NOTES.INI file
Access to non-Notes databases | Use @DBLookup, @DBColumn, and @DBCommand to access databases when the first parameter for these @ functions is a database driver of another application
Access to external code | Run LotusScript classes and DLLs that are unknown to Notes
Access to external programs | Access other applications, including activating any OLE object
Ability to send mail | Use functions such as @MailSend to send mail
Ability to read other databases | Read information in databases other than the current database
Ability to modify other databases | Modify information in databases other than the current database
If enabled, allows formulas and code to Print, copy to the clipboard, import, and export data Modify the ECL
Java applet options
Choose from these options when setting up access to workstation data for Java applets that run in Notes:

Access option: If enabled, allows the applet to
Access to file system: Read and write files on the local file system.
Access to Notes Java classes: Load and call the Domino objects for Java and CORBA.
Access to network addresses: Bind to and accept connections on a privileged port (a port outside the range 0 to 1024) and establish connections with other servers.
Submit print jobs.
Read system properties such as color settings and environment variables.
Access the system clipboard. Also disables the security banner that is displayed in the top-level window to indicate that a Java applet created the window. Displaying the security banner reminds users not to enter security-sensitive information into a dialog that masquerades as a password dialog, for example.
Process-level access: Create threads and threadgroups, fork and run external processes, load and link external libraries, access nonpublic members of classes using Java core reflection, and access the AWT event queue.
JavaScript options These options control access to workstation data for JavaScript that runs in the Notes client, on a Notes form or on a Web page rendered by the Notes browser. These options do not control JavaScript run by other browsers, including the Microsoft Internet Explorer browser, even when the browser is embedded in the Notes client. JavaScript ECL settings control whether JavaScript code can read and/or modify JavaScript properties of the Window object. You can allow read access from, and write access to, the properties of the Window object. As the top-level object in the JavaScript document object model, the Window
object has properties that apply to the entire window. Securing access to the Window object secures access to other objects on the page since the JavaScript program cannot access the objects further down in the object model hierarchy without first traversing the Window object. Window object classes are described in the following table:
Window object class: Source window
Description: Controls JavaScript access to the Window object on the same page as the JavaScript code. Selecting this option does not prevent JavaScript from accessing the object on the source window directly, because doing so circumvents the Window object; therefore this ECL option is not enforced.
Default: Allow read and write access

Description: Controls JavaScript access to the Window object on a different page from the JavaScript code, but from a page using the same host. For example, JavaScript code on a page on www.lotus.com can access the Window object on another page on www.lotus.com. This allows two pages to interact if they are within the same frameset.
Default: Allow read and write access

Description: Controls JavaScript access to the Window object on a different page within a frameset that uses a different host. For example, JavaScript code on a page on www.lotus.com can access the Window object on a page on any other server. Enabling this option poses a high security risk because of the possibility of malicious code on one page of the frameset accessing data on another page.
Default: Not allow read and write access
Two additional ECL options control whether JavaScript that runs in the Notes client is authorized to open a new Web page or Notes document. You can enable open access for these options, described in the following table:
Option: URL on same host
Description: Controls access for opening a page or Notes document on the same host as the JavaScript code.
Default: Allow open access

Option: URL on different host
Description: Controls access for opening a page or Notes document on a different host from the JavaScript code.
Default: Not allow open access
Use these guidelines to create secure ECLs:
- Do not grant access to unsigned content. This creates a security hole that allows potentially harmful code, malicious or otherwise, to access user workstations. Keep the default access options for unsigned content.
- Do not let your users trust unsigned content. To prevent users from changing their ECLs (for example, by giving access to unsigned content, or to content signed by signers who are not listed in the ECL), deselect "Allow user to modify" in the Administration ECL.
- Know your signers. Trusting signed active content, especially from other organizations, is risky. Before adding an active content author to an ECL, decide if you trust that the author has created safe code.
- Create a separate certifier for an organizational unit to issue IDs specifically for users who must sign templates and applications (for example, Enterprise ECLApp Signer/West/Acme). Then users who create templates and applications use those IDs to sign templates and applications. You can then set up the administration ECL to trust any user in that special organizational unit, or fine-tune it on a per-user basis.
Applies to: Formulas and code that contain a signature, and that signature is verified by Domino, but the signature does not match any entry in the ECL. For example, if the signer is John Andrews/Atlas, but the ECL does not contain this signature, the ECL uses the -Default- signature to assign access.
Access: None

Applies to: Formulas and code that contain an invalid or corrupted signature, are unsigned, or are signed by an identity or organization that can't be verified by Domino. For example, if the code is not signed, or is signed by a user unknown to the Domino server, the ECL matches -No Signature-.
Access: None

Applies to: Every template related to Binary Tree Mail and Calendar Migration Tools. If your organization isn't using this tool, you can remove this entry from the ECL.
Access: Access to file system, Access to current database, Access to environment variables, Access to external code, Ability to read other databases, Ability to modify other databases

Applies to: Every template related to Domino Unified Communications Services. If your organization isn't using this tool, you can remove this entry from the ECL.
Access: Access to current database, Access to environment variables, Access to external code, Access to external programs, Ability to send mail, Ability to read other databases, Ability to modify other databases

Applies to: Every template related to Lotus Fax for Domino. If your organization isn't using this tool, you can remove this entry from the ECL.
Access: Access to current database, Access to environment variables, Ability to read other databases, Ability to modify other databases

Applies to: Every template shipped with Domino and Notes. For example, the signer matches this type only if it has the Lotus Notes Template Development/Lotus Notes signature.

Applies to: Every template related to Sametime. If your organization isn't using this tool, you can remove this entry from the ECL.
Access: All except Access to workstation security ECL
You can also add additional users or signature types to the ECL. You could add the hierarchical names of specific users or groups (for example, Phyllis Spera/Sales/East/Acme). If you create a special certifier to certify the IDs of a group of trusted signers, you could use a wildcard character to name all signers (for example, */Trusted Signers/Acme). The table below describes the access that these users (or signature types) in an ECL would have:

Signature: */Trusted Signers/Acme
Applies to: Formulas and code that have the */Trusted Signers/Acme signature. For example, if the signer is anyname/Trusted Signers/Acme (such as Emily Marks/Trusted Signers/Acme or Alan Jones/Sales/East/Trusted Signers/Acme), the ECL uses the */Trusted Signers/Acme signature to match access.

Signature: Phyllis Spera/Sales/East/Acme
Applies to: Formulas and code that have Phyllis Spera/Sales/East/Acme as the signature. For example, the signer matches this type only if the ECL contains the Phyllis Spera/Sales/East/Acme signature.
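The signer lookup and Execution Security Alert handling described in this chapter can be modelled in a few lines. The following Python sketch is an added example, not Notes or Domino code: the class and function names are hypothetical, the sample ECL is constructed from the signer names used above, and it assumes that names compare case-insensitively, that an exact entry takes precedence over a wildcard entry, and that "start trusting" seeds a new entry with the rights of the entry that previously governed the signer.

```python
"""Toy model of the workstation ECL decision (added example, not Notes code)."""
from dataclasses import dataclass, field

DEFAULT = "-Default-"
NO_SIGNATURE = "-No Signature-"


@dataclass
class Alert:
    """What an Execution Security Alert reports to the user."""
    action: str  # the ECL setting that is not enabled
    signer: str  # signer's name, or "" for unsigned code
    entry: str   # ECL entry that governed the decision


@dataclass
class WorkstationEcl:
    entries: dict = field(default_factory=dict)  # entry name -> enabled options
    allow_user_to_modify: bool = True            # set by the administration ECL

    def governing_entry(self, signer, verified):
        """Pick the ECL entry whose settings apply to this active content."""
        if not signer or not verified:
            return NO_SIGNATURE          # unsigned, corrupted, or unverifiable
        wanted = signer.lower()          # assumption: case-insensitive names
        for name in self.entries:
            if name.lower() == wanted:   # assumption: exact entry wins
                return name
        # "*/Trusted Signers/Acme" matches any name ending in that suffix.
        wild = [n for n in self.entries
                if n.startswith("*/") and wanted.endswith(n[1:].lower())]
        if wild:
            return max(wild, key=len)    # assumption: longest wildcard wins
        return DEFAULT                   # verified signer with no entry

    def attempt(self, signer, verified, action):
        """Return None when the action may run, otherwise the Alert to show."""
        entry = self.governing_entry(signer, verified)
        if action in self.entries.get(entry, set()):
            return None
        return Alert(action=action, signer=signer or "", entry=entry)

    def respond(self, alert, choice):
        """Apply an ESA choice; return True when the action runs this time."""
        if choice == "do not execute":
            return False
        if choice == "execute once":
            return True                  # ECL unchanged, alert will reappear
        if choice == "start trusting":
            if not self.allow_user_to_modify:
                raise PermissionError("administration ECL forbids ECL changes")
            if alert.entry == NO_SIGNATURE:
                key = NO_SIGNATURE       # widens access for ALL unsigned code
            elif alert.entry.lower() == alert.signer.lower():
                key = alert.entry
            else:
                key = alert.signer       # new entry for this signer only
            inherited = set(self.entries.get(alert.entry, set()))
            self.entries.setdefault(key, inherited).add(alert.action)
            return True
        raise ValueError("unknown ESA choice: %r" % choice)


def sample_ecl(allow_user_to_modify=True):
    """Constructed ECL using the signer names from the text above."""
    return WorkstationEcl(
        entries={
            DEFAULT: set(),
            NO_SIGNATURE: set(),
            "*/Trusted Signers/Acme": {"Access to current database",
                                       "Ability to send mail"},
            "Phyllis Spera/Sales/East/Acme": {"Access to current database"},
        },
        allow_user_to_modify=allow_user_to_modify,
    )


if __name__ == "__main__":
    ecl = sample_ecl()
    cases = [("Emily Marks/Trusted Signers/Acme", True),
             ("John Andrews/Atlas", True),
             (None, False)]
    for signer, verified in cases:
        alert = ecl.attempt(signer, verified, "Ability to send mail")
        print(signer, "->", ecl.governing_entry(signer, verified),
              "| runs" if alert is None else "| ESA")
```

In this model, choosing "start trusting" for unsigned code adds the right to the -No Signature- entry itself, which is why the guidelines say never to trust actions with -No Signature-.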
4. For a designated time period (a week should be sufficient), when the Execution Security Alert dialog box appears, click Trust signer, with the following exceptions:
   - Do not trust any actions with -No Signature-.
   - Check with the administrator before trusting odd or unfamiliar signatures or before clicking Execute once for templates and applications signed with odd or unfamiliar signatures.
Note: Users who use the Lotus Notes Client 5.01 or earlier should choose No in the dialog box that asks if you want to trust everybody in the organization of the user whose signature you are about to trust.
41-10 Administering the Domino System, Volume 2
The resulting ECLs for these users should contain more signers than the ECL originally contained, unless your organization has managed the signing process up front and only uses objects signed by a small number of known trustworthy signers. After the designated time period is complete, the administrator should combine the signatures in the users' ECLs to create an updated administration ECL.

The workstation ECL log
The Lotus Notes 6 Client logs ECL-related operations in the Client log (LOG.NSF) in Miscellaneous Events. This includes:
- Results of Execution Security Alert (ESA) dialogs, as well as additional ESA details. These details include information about the code that caused the ESA, such as the design type, design title, NoteID, database title, and path.
- Any ECL modifications. This includes information on which ECL was modified; the ECL entries that were changed, added or deleted; and the rights that were granted or revoked. It also includes all ECL modifications resulting from such operations as dynamic ECL update, programmatic ECL refresh (@RefreshECL function), setup ECL refresh/creation and manual ECL changes made in the ECL Editor or through the User Security Panel.
It is possible to write an agent to run on Notes clients and parse the ECL logging data to provide administrators with specific information on how users are managing their workstation ECLs, as well as current information about applications or other code that should be added to Admin ECLs.
For more information, see the topic "Editing the administration ECL" in this chapter.
3. Deploy the new ECL to user workstations. This happens automatically when Notes client software is first installed on user workstations.
4. Update user workstation ECLs, as required.

10. To let users modify their workstation ECLs or enable Java applets from trusted senders, select "Allow users to modify."
11. Click OK.
To use the @RefreshECL function to update workstation ECLs
This procedure enables users to update their workstation ECL by running a macro that copies the current administration ECL to the local workstation ECL.
1. Make sure the Domino Directory with the ECL changes has replicated throughout the domain.
2. Address a memo to users whose ECLs you want to update.
3. Add a button to the memo that executes this formula:
@RefreshECL (server : database ; name)
Where server : database is a text list that specifies the server location and file name of the Domino Directory (NAMES.NSF) that contains the administration ECL; and name is text that specifies the name of the administration ECL. Specify "" (null) if you have not named the administration ECL.
For example, for an unnamed administration ECL located in NAMES.NSF on the server SERVER1, the @RefreshECL formula is:
@RefreshECL("server1":"names.nsf";"")
Note: For MIME-enabled users who lose their active content in mail messages, add the button to a document in a particular Notes database and tell those users to go there to update their ECLs.
4. Describe the purpose of the memo and instruct users to click the button.
5. Mail the memo.
Tip: Add the @RefreshECL function to a common database event, so that all users in the organization can use it to update their ECLs.

To use the Refresh button to update workstation ECLs
1. Make sure the Domino Directory with the ECL changes has replicated throughout the domain.
2. Address a memo to users whose ECLs you want to update.
3. Describe the purpose of the memo and instruct the users to do the following:
   a. Choose File - Security - User Security.
   b. Click What Others Do, and then click Using LotusScript, Using Java, or Using JavaScript.
   c. Click Refresh All.
4. Mail the memo.
Note: Even after you distribute an updated ECL, users might still encounter Execution Security Alerts. Make sure that users:
- Do not trust any actions with -No Signature-.
- Check with you before trusting any odd or unfamiliar signatures, or before clicking Execute once for templates or applications signed with odd or unfamiliar signatures. Investigate those signatures, and if necessary, update and redistribute the administration ECL.
as an entry in the Admin ECL. You then give that entry the ECL rights that are appropriate for a workstation user. For example, if you want to give users the ability to write and execute basic Notes programs on their own workstations, you would enable the appropriate rights for this entry.
When a workstation ECL is refreshed or replaced, the <ECLOwner> entry is replaced with the name of the current user. This updates the user's workstation ECL rights with those set in the Admin ECL for the key string entry. If this key string entry is not included in the Admin ECL, and if "Allow user to modify" is not enabled, the current user entry is removed from the workstation ECL during ECL replace. If "Allow user to modify" is enabled, the current user remains in the workstation ECL. Refreshing the ECL without the key string leaves the current user's entry as is.
enable client certificate authentication for HTTP connections but require name-and-password security for LDAP connections that use TCP/IP. Or you might use name-and-password security with anonymous and SSL client authentication (for example, to allow users with SSL client certificates to authenticate using SSL client authentication and to allow other users to enter a name and password if they do not have an SSL client certificate).

Note: Name-and-password authentication is not supported when a Domino server acts as an SMTP client (for example, when a Domino server connects to an SMTP server to route mail). Name-and-password security is supported only when a Domino server acts as an SMTP server, that is, when SMTP clients access a Domino server.

If you are setting up name-and-password authentication for an HTTP server, you have an additional method to use with name-and-password authentication: session-based authentication. Basic name-and-password authentication sends the name and password in unencrypted format with each request. Session-based authentication differs in that the user name and password are replaced by a cookie. The user name and password are sent over the network only the first time the user logs in to a server. Thereafter the cookie is used for authentication. Session-based name-and-password authentication offers greater control over user interaction than basic name-and-password authentication and lets you customize the form in which users enter their name and password information. It also allows users to log out of the session without closing the browser.
To enable basic name-and-password authentication for Internet Site documents
1. From the Domino Administrator, click Configuration - Web - Internet Sites.
2. In the Internet Sites view, select the Internet Site document for which you want to enable name-and-password authentication.
3. In the Internet Site document, click Security.
   - If you want clients to use name-and-password authentication when they connect using TCP/IP, select Yes in the Name & password field in the TCP Authentication section.
   - If you set up SSL on the server and you want clients to use name-and-password authentication when they connect using SSL, select Yes in the Name & password field in the SSL Authentication section.
4. Save the document.

To enable basic name-and-password authentication in the Server document
1. From the Domino Administrator, click Configuration, and open the Server document.
2. Click Ports - Internet Ports. This displays four tabs: Web, Directory, Mail, and IIOP. Each tab lists protocols appropriate for its name (for example, the Web tab lists HTTP/HTTPS, and the Mail tab lists IMAP, POP3, and SMTP).
3. Click the protocol for which you want to specify name-and-password authentication. For each protocol, do the following:
   - If you want clients to use name-and-password authentication when they connect using TCP/IP, select Yes in the Name & password field in the TCP/IP section.
   - If you set up SSL on the server and you want clients to use name-and-password authentication when they connect using SSL, select Yes in the Name & password field in the SSL section.
4. Save the document.
Note: If you want LDAP clients to access the server using name-and-password authentication, you must also allow anonymous access for LDAP on the server. LDAP clients who access the server using a browser supply an e-mail address for authentication, and the client searches for the address anonymously before Domino can authenticate the user.
For information on setting up anonymous access, see the topic "Setting up Internet/intranet clients for anonymous access" later in this chapter.

To create Person documents for Internet/intranet users
1. In the Domino Directory, create a Person document for each user who needs to access the server. (You can also edit the Person document of an existing user.)
Note: Users can also be created in secondary Domino directories or external LDAP directories, if your server is configured to use them.
2. In each Person document, complete these fields, and then save the document:
Field: Action
First name, Middle initial, Last name: Enter the user's first name, middle initial, and last name. The user's last name is required.
User name: (Required) Enter the user's full name. This is the name the user enters when trying to access a server. This field can contain multiple names. However, Domino uses the first name in this field to validate a user in database ACLs, design access lists, groups, and File Protection documents. For example, this field can contain these names:
   Alan Jones/Sales/Acme
   Alan Jones
   Al Jones
   AJ
When prompted for his name and password, the user can enter Al Jones as his name. However, Domino uses Alan Jones/Sales/Acme to validate him in database ACLs and design access lists. Therefore, the name Alan Jones must be the one that appears in ACLs and design access lists.
Note: You should always use the user's hierarchical name (for example, Alan Jones/Acme/US) to help eliminate ambiguous or duplicate user names.
Internet password: (Required) Specify the user's Internet password.
To edit database ACLs
After you edit the Server document and create Person documents, edit the database ACL of each database to which you want to give users access. For more information on setting up a database ACL, see the chapter "Controlling User Access to Domino Databases."

Domino provides a default HTML form ($$LoginUserForm), which is provided and configured in the Domino Configuration database (DOMCFG.NSF). You can customize the form or create your own to contain additional information.

Default logout time period
You can specify a default logout time period to log the Web client off the server after a specified period of inactivity. This forces the cookie that Domino uses to track the user session to expire. Automatically logging a user off the server prevents others from using the Web client to impersonate a user if the user leaves the workstation before logging off. If you enable session-based name-and-password authentication for a server, users can also append ?logout at the end of a URL to log off a session, for example:
http://acmeserver/sessions.nsf?logout
You can also redirect the logout to a design element or URL. For example:
http://acmeserver/sessions.nsf?logout&redirectto=/logoutDB.nsf/logoutApp?OpenPage
http://acmeserver/sessions.nsf?logout&redirectto=http://www.sales.com
You can build this expression into an application (for example, using it in a button) or type it in as a URL.

Maximum user sessions
You can specify the maximum number of concurrent user sessions allowed on the server for single-server session-based authentication only. If server performance is slow, you can reduce this number.

Internet password management
Domino 6 provides features for managing Internet passwords for session-based authentication.

Multi-server session-based authentication
Multi-server session-based authentication, also known as single sign-on, allows Domino cookies to span servers. It also allows Domino and WebSphere servers to interoperate and share cookies.
Note: If your servers are set up for round-robin DNS, you should use the multi-server (or single sign-on) option for session-based name-and-password authentication. Servers cannot store the session information in memory when using round-robin DNS with the single server cookie. In addition, if a server is restarted or crashes, session information is lost, and then users must re-enter their names and passwords. This will not occur with the multi-server session authentication option.
To enable single-server session-based authentication for Web Site documents
1. From the Domino Administrator, click Configuration - Web - Internet Sites.
2. In the Internet Sites view, select the Web Site document for which you want to enable session authentication.
3. In the Web Site document, click Domino Web Engine.
4. In the HTTP Sessions section, complete these fields:

Field: Action
Session authentication: Select single server. This is disabled by default.
Idle session timeout: Enter a default time period to log an inactive Web client off the server. Default is 30 minutes.
Maximum active sessions: Enter the maximum number of user sessions allowed on the server at the same time. Default is 1000.

5. Click Security, and enable name-and-password authentication for the TCP and for SSL (if using SSL).
6. Save the document.

To edit the Server document for single-server session-based name-and-password authentication
1. From the Domino Administrator, click Configuration, and open the Server document.
2. Click Internet Protocols - Domino Web Engine.
4. Click Ports - Internet Ports - Web, and enable name-and-password authentication for the TCP/IP port and for the SSL port (if using SSL).
5. Save and close the Server document.

To create Person documents for Web users
1. In the Domino Directory, create a Person document for each Web user who needs to access the server. (You can also edit the Person document of an existing user.)
2. In each Person document, complete these fields, and then save the document:
Field: Action
First name, Middle initial, Last name: Enter the user's first name, middle initial, and last name. The user's last name is required.
User name: (Required) Enter the user's full name. This is the name the user enters when trying to access a server. This field can contain multiple names. However, Domino uses the first name in this field to validate a user in database ACLs, design access lists, groups, and File Protection documents. For example, this field can contain these names:
   Alan Jones/Sales/Acme
   Alan Jones
   Al Jones
   AJ
When prompted for his name and password, the user can enter Al Jones as his name. However, Domino uses Alan Jones/Sales/Acme to validate him in database ACLs and design access lists. Therefore, the name Alan Jones must be the one that appears in ACLs and design access lists.
Note: You should always use the user's hierarchical name (for example, Alan Jones/Acme/US) to help eliminate ambiguous or duplicate user names.
Internet password: (Required) Specify the user's Internet password.

To edit database ACLs
After you edit the Server document and create Person documents, edit the database ACL of each database to which you want to give users access. For more information on setting up a database ACL, see the chapter "Controlling User Access to Domino Databases."

Customizing the HTML log-in form
Note: The terms log-in and sign-in are used interchangeably.
Domino provides a default HTML log-in form to allow a user to enter a name and password, and then use that name and password for the entire user session. The Web browser sends the user's name and password to the server using the server's character set. Therefore, a user can enter a name and password in a character set other than ASCII or Latin-1. The set of characters available for the user name differs between basic authentication and session-based authentication.
Authentication type: Basic authentication
User name: Any printable characters in ISO-8859-1
Password: Any printable characters in US-ASCII

Authentication type: HTTP session authentication
User name: Any printable characters in Unicode
Password: Any printable characters in US-ASCII
This form is created and configured in the Domino Web Server Configuration database (DOMCFG.NSF). You can customize the form to contain additional information. To do this, the Domino Web server must be set up. For more information on setting up the Web server, see the chapter "Setting Up the Domino Web Server."

To create and use a custom sign-in form, you must complete these procedures:
- Create the Domino Web Server Configuration database. If you do not create the database, Domino uses a generic log-in form.
- Create a custom form.
- Specify the custom form as the sign-in form. If the Domino Web Server Configuration database exists on the Web server but you have not created and specified a custom sign-in form, Domino uses the form $$LoginUserForm.
To create the Domino Web Server Configuration database (DOMCFG.NSF)
1. Open the Notes client and choose File - Database - New.
2. Enter the name of the Web server in the Server field.
3. Select the Domino Web Server Configuration template (DOMCFG5.NTF).
4. Enter a title for the database and name the database DOMCFG.NSF.
Note: The name of the database is not optional, because the Web server has this name incorporated into its code. The name of the database must be DOMCFG.NSF.
5. Click OK.
6. Add an entry named Anonymous to the database ACL, and give the entry Reader access.

To create a custom form
The simplest way to create a custom log-in form is to modify a copy of $$LoginUserForm, the example log-in form provided in the Domino Configuration database. You can also create a new log-in form. You must have the Domino Designer 6 client to create and edit forms.
1. In the Domino Designer client, open the Domino Configuration database (DOMCFG.NSF).
2. Choose View - Design.
3. Do one of the following:
   - To create a custom form using $$LoginUserForm, make a copy of $$LoginUserForm, then double-click the copy to open it. (You can rename the copy if necessary, for example, CustomLoginForm.)
   - Click New Form to create a new form.
4. When you finish designing the custom form, save and close it.

To specify the custom form as the log-in form
1. In the Notes client, open the Domino Configuration database (DOMCFG.NSF) and open the Sign In Form Mappings view.
2. Click Add Mapping.
3. Under Site Information, choose one:
   - All Web Sites/Entire Server: to use the custom log-in form for all Web Sites on the server, or for the entire Web server.
   - Specific Web Sites/Virtual Servers: to map the custom log-in form to specific Web Site documents or Virtual Servers. If you choose this option, a new field appears, in which you specify the IP addresses of the Web Site documents or Virtual Servers.
4. (Optional) Enter a comment.
5. Enter the file name of the database that contains the custom form. This should be DOMCFG.NSF unless you store the custom form in a different database.
6. Enter the name of the custom log-in form.
7. Save and close the document.

Configuring error messages
You can enable session-based Web authentication to return error messages for log-in failures and session time-outs. This is accomplished by configuring two fields on your custom login form: the reasontext and reasontype fields. DOMCFG.NTF includes these two fields in the default form provided, $$LoginUserForm. (To obtain the changes, you must refresh or replace the design of DOMCFG.NSF with the most current DOMCFG5.NTF.)
The four cases that cause the Login form to appear are encoded in the field reasontype and include:
- Prompt for the user to log in, at which no error message will display.
- "User Name, you are not authorized to access application.nsf. Please sign in with a name which has sufficient access rights." The user is authenticated with correct credentials for the server but is not authorized to the database or file, for example.
- "You provided an Invalid username or password. Please sign in again." The user has given an incorrect name or password.
- "Your connection has expired. Please sign in again." This occurs when the browser has not sent a request to the server in the given amount of time as configured in the server document (default=30 minutes). If the session times out, they will lose what hasn't been saved. Administrators should lengthen the server's session timeout, if this occurs frequently, to the length of a workday.
User Web browsers must have cookies enabled since the authentication token that is generated by the server is sent to the browser in a cookie. You set this up by doing one of the following:
- Creating a domain-wide configuration document (the Web SSO Configuration document) in the Domino Directory. (You can have multiple Web SSO Configuration documents in a Domino Domain or directory.)
- Enabling the "Multi-server" option for session-based authentication in the Web Site or in the Server document.
You can enable single sign-on across multiple Domino domains. See the topic Setting up the Web SSO Configuration document for more than one Domino domain later in this chapter.
WebSphere issues
WebSphere and Domino should both be configured for the same LDAP directory. The authentication token used for SSO stores the full Distinguished Name (DN) of the user, for example, cn=john smith,ou=sales, o=ibm, c=us. To set up LDAP for SSO, set up Directory Assistance in Domino and configure it to point to an LDAP server that the WebSphere server uses. Or, load LDAP on the Domino Directory and configure WebSphere to use the Domino LDAP server.
If the group of servers participating in single sign-on includes WebSphere servers that use a Domino LDAP directory, users with flat names in that directory cannot use SSO (if the participating servers are all Domino, then SSO will work with flat user names).
Organization Name
DNS Domain
7. Save the Web SSO Configuration document. A message on the status bar indicates the number of servers/people for whom the document was encrypted. The document(s) will appear in the Internet Sites view.
To create a Web SSO configuration document if you are using the Web Server Configurations view Use this procedure to create a Web SSO configuration document if your server is a Release 5.0x server, or if you are using Domino 6 but you do not use Web Site documents to manage your Web sites. 1. In the Domino Administrator, click Files, and open the servers Address Book (NAMES.NSF). 2. Select the Servers view. 3. Click Create Web SSO Configuration. 4. In the Web SSO Configuration document, click Keys. 5. Initialize the Web SSO Configuration with the shared secret key in one of two ways: Choose Domino only (no WebSphere servers participating in single sign-on), and then select Create Domino SSO Key. Choose Domino and WebSphere (single sign-on with WebSphere), and then do the following: a. Select Import WebSphere LTPA Keys. b. Browse and select the WebSphere LTPA export file. (See WebSphere documentation for details about generating ltpatoken keys). c. Enter the password (specified when generating the keys in WebSphere). The document is updated to reflect the information in the export file. 6. Complete the rest of the document as follows:
Field | Action
Configuration Name | Enter the name of the SSO configuration. Note: If the single sign-on configuration includes both Domino 6 and Release 5.0x servers, the Configuration Name must be LtpaToken, as Release 5.0x servers only work with this configuration name.
Organization Name | Leave this field blank, and this document will appear in the Web Configurations view.
DNS Domain | (Required) Enter the DNS domain (for example, lotus.com) for which the tokens will be generated. The servers enabled for single sign-on must all belong to the same DNS domain.
Domino Server Names | Enter the names of the servers that will be participating in single sign-on (for example, server1/acme, server2/acme). This document will be encrypted for the creator of the document, the members of the Owners and Administrators fields, and the servers specified in the Domino Server Names field. Note: Groups, wildcards, and the names of WebSphere servers are not allowed in this field. Only Domino servers can be listed as participating servers in the Server Names field.
Expiration (minutes) | Specify the time period, in minutes, for which the token will be valid. This time period begins at the time the token is issued. The token is valid for only the number of minutes specified; it does not expire based on inactivity. Default is 30 minutes.
7. Save the Web SSO Configuration document. A message on the status bar indicates the number of servers/people for whom the document was encrypted. The document(s) will appear in the Internet Sites View.
Note: If you receive messages on the client indicating that a particular key was not found for encrypting the document, you may have to change your client's location document to point to a different mail/directory server that will have all the public keys included in server and person documents.
6. Click Security. For both TCP and SSL authentication, enable Name & Password.
7. Save and close the Web Site document.
8. At the server console, start the HTTP process by typing:
load HTTP
Note: If something is wrong with the configuration, the browser will receive an Error 500 message stating that single sign-on is not configured.
To enable single sign-on and basic authentication in the Server document
Use this procedure to enable single sign-on for Domino Release 5.0x servers, or for Domino 6 servers not configured with Web Site documents.
1. Open the Server document.
2. Click Ports - Internet Ports - Web, and enable Name-and-password authentication for the Web (HTTP/HTTPS) port.
3. Click Internet Protocols - Domino Web Engine, and select Multiple Servers (SSO) in the Session authentication field.
   Note: The Idle session timeout and Maximum active sessions fields will be disabled.
4. In the Web SSO Configuration field, select the Web SSO Configuration for this server from the drop-down list.
5. Save and close the Server document.
Setting up the Web SSO Configuration document for more than one Domino domain
This procedure lets you enable servers in other domains for SSO with servers in your current domain, by setting up both domains to use the same key information. Two conditions must exist in order to do this:
- You must be a registered Notes user and your server must be a registered server. This gives you and the server the rights to decrypt the Web SSO Configuration document in your current domain, and the right to create documents in the Domino Directory for the new domain.
- The server document and the administrator's person document must exist in the domain for which you will be creating the Web SSO Configuration, as the public keys that are used for encryption and decryption are stored in each registered person and server document.
To set up the Web SSO Configuration document for more than one Domino domain
1. Copy the Web SSO Configuration document from the Domino Directory in which it was created, and paste it into the Domino Directory in the new domain.
2. Open the Web SSO Configuration document for the new domain and edit the Participating Domino Servers field to include only those servers with server documents in the new domain that will be enabled for single sign-on.
3. The client must be able to find server documents for the participating single sign-on servers. Make sure that the home server specified in your client's location document is pointing to a server in the same domain as those servers participating in single sign-on, so that lookups will be able to find the public keys of the servers. If the home server cannot find participating servers, then the SSO document cannot be encrypted and SSO will fail.
4. Save the document. It is encrypted for the participating servers in the new domain, and should enable those servers in the new domain to participate in single sign-on with servers in the current domain.
a guessed password matches. It requires users to enter only the following in the name-and-password dialog box in a Web browser or other Internet client:
Domino Directory authentication | LDAP Directory authentication
Full hierarchical name | DN
Common name or Common name with CN= prefix | CN or CN with CN= prefix
Not applicable | UID or UID with UID= prefix
Alias name (a name listed in the User name field of the Person document, excluding the first name listed in the field) | Not applicable
Internet address (user's e-mail address as listed in the Internet address field in the user's Person document) | Mail
More name variations with lower security
Domino tries to authenticate users based on the name and password entered. This authentication method can be vulnerable to hackers who guess names and passwords in an attempt to use a legitimate user account to access a server. This option allows users to enter any of the following in the name and password dialog box in a Web browser:
Domino Directory authentication | LDAP Directory authentication
Last name | Surname
First name | Givenname
Common name or Common name with cn= prefix | Common name (CN) or CN with CN= prefix
Full hierarchical name (canonical) | DN
Full hierarchical name (abbreviated) | DN
Short name | UID or UID with UID= prefix
Alias name (a name listed in the User name field of the Person document, excluding the first name listed in the field) | Not applicable
Soundex number | Not applicable
Internet address (user's e-mail address as listed in the Internet address field in the user's Person document) | Mail
To select the level of authentication for Internet clients
1. From the Domino Administrator, click Configuration, and open the Server document.
2. Click Security.
3. In the Internet Access section, choose one of the following in the Internet Authentication field:
   - Fewer name variations with higher security (default).
   - More name variations with lower security.
4. Save and close the document.
See the topic Examples of names allowed for Internet client authentication later in this chapter.
Note: The Domino Web Server Application Programming Interface (DSAPI) is a C API tool that lets you write your own extensions to the Domino Web server. These extensions, or filters, let you customize the authentication of Web users. For more information on DSAPI and filters, see the current Lotus C API Toolkit for Domino and Notes, which is available at www.lotus.com/techzone.
cn=Alan Jones/ou=East/ou=Sales/o=Acme/c=us | Full hierarchical name (canonical)
cn=Alan Jones | Common name with CN= prefix
alan_jones@acme.com | Internet (e-mail) address
If you want to authenticate Alan in an LDAP Directory, he can use a browser to enter the following names:
Example | Description
Alan Jones | Common name
Alan | Givenname
Jones | Surname
Ajones | UID
cn=Alan Jones, cn=recipients, ou=Sales, ou=East, o=Acme, c=us (valid for a Microsoft Exchange server) | Full hierarchical name (canonical)
cn=Alan Jones (valid for Domino Directory) | Common name with CN= prefix
uid=ajones, ou=Sales, ou=East, o=Acme, c=us (valid for a Netscape Directory Server) | Full hierarchical name (canonical)
uid=ajones (valid for Netscape Directory Server) | UID with UID= prefix
Alan Jones/Sales/East/Acme/US | Full hierarchical name (abbreviated)
alan_jones@acme.com | LDAP mail attribute
Fewer name variations with higher security
Using the Fewer name variations authentication level, Alan Jones/Sales/East/Acme can enter only the following names when using a browser to authenticate with a Domino Directory:
Example | Description
Alan Jones/Sales/East/Acme | Full hierarchical name (abbreviated)
CN=Alan Jones | Common name with CN= prefix
Alan Jones | Common name
cn=Alan Jones/ou=East/ou=Sales/o=Acme/c=us | Full hierarchical name (canonical)
alan_jones@acme.com | Internet (e-mail) address
If you want to authenticate Alan in an LDAP Directory, he can use a browser to enter the following names:
Example | Description
AJones | UID
Alan Jones | CN
cn=Alan Jones, cn=recipients, ou=Sales, ou=East, o=Acme, c=us (valid for a Microsoft Exchange server) | DN
cn=Alan Jones (valid for a Domino Directory) | CN with CN= prefix
uid=ajones, ou=Sales, ou=East, o=Acme, c=us (valid for a Netscape Directory Server) | DN
uid=Ajones (valid for a Netscape Directory Server) | UID with UID= prefix
alan_jones@acme.com | LDAP mail attribute
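The difference between the two Internet Authentication levels can be checked against the names users actually type. The following is an added example, not Domino code: it models the tables above for one constructed Person record (the short name ajones, the field names, and case-insensitive matching are assumptions; alias names and Soundex numbers are left out) and reports which logon names stop working under the higher-security level.

```python
import re

# Name forms each Internet Authentication level accepts, per the tables above.
ACCEPTED = {
    "domino": {
        "fewer": {"hierarchical_abbreviated", "hierarchical_canonical",
                  "common_name", "cn_prefixed", "internet_address"},
        "more_only": {"last_name", "first_name", "short_name"},
    },
    "ldap": {
        "fewer": {"dn", "common_name", "cn_prefixed", "uid", "uid_prefixed", "mail"},
        "more_only": {"surname", "givenname"},
    },
}

# Constructed Person record built from the Alan Jones examples above.
ALAN = {
    "first": "Alan", "last": "Jones", "short": "ajones", "uid": "ajones",
    "abbreviated": "Alan Jones/Sales/East/Acme",
    "canonical": "cn=Alan Jones/ou=East/ou=Sales/o=Acme/c=us",
    "dn": "uid=ajones, ou=Sales, ou=East, o=Acme, c=us",
    "mail": "alan_jones@acme.com",
}

def normalize(name):
    """Assumption: matching ignores case and spacing around separators."""
    name = re.sub(r"\s+", " ", name.strip().casefold())
    return re.sub(r"\s*([,=/])\s*", r"\1", name)

def name_forms(person, directory):
    """Every name form the directory could match for this person."""
    cn = f"{person['first']} {person['last']}"
    if directory == "domino":
        forms = {
            "hierarchical_abbreviated": person["abbreviated"],
            "hierarchical_canonical": person["canonical"],
            "common_name": cn, "cn_prefixed": "cn=" + cn,
            "internet_address": person["mail"],
            "last_name": person["last"], "first_name": person["first"],
            "short_name": person["short"],
        }
    else:
        forms = {
            "dn": person["dn"], "common_name": cn, "cn_prefixed": "cn=" + cn,
            "uid": person["uid"], "uid_prefixed": "uid=" + person["uid"],
            "mail": person["mail"],
            "surname": person["last"], "givenname": person["first"],
        }
    return {form: normalize(value) for form, value in forms.items()}

def matched_form(entered, person, directory, level):
    """Return the name form that the entered logon name matches, or None."""
    allowed = set(ACCEPTED[directory]["fewer"])
    if level == "more":
        allowed |= ACCEPTED[directory]["more_only"]
    wanted = normalize(entered)
    for form, value in name_forms(person, directory).items():
        if form in allowed and value == wanted:
            return form
    return None

def only_under_more(entries, person, directory):
    """Logon names that authenticate only with 'More name variations'."""
    return [e for e in entries
            if matched_form(e, person, directory, "more")
            and not matched_form(e, person, directory, "fewer")]

if __name__ == "__main__":
    typed = ["Alan", "Jones", "ajones", "Alan Jones", "alan_jones@acme.com"]
    print(only_under_more(typed, ALAN, "domino"))
```

The names returned by only_under_more are the short, guessable ones (first name, last name, short name) that the lower-security level adds for this record.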
For new Person documents
1. From the Domino Administrator, click Configuration, and select All Server Documents.
2. Choose Actions - Edit Directory Profile.
3. Select Yes in the Use more secure Internet passwords field.
4. Save and close the document.
3. Click the tab that lists the protocol for which you want to allow anonymous access. For each protocol, do the following:
   - If you want to allow clients anonymous access when they connect using TCP/IP, select Yes in the Anonymous field in the TCP/IP section.
   - If you set up SSL on the server and you want to allow clients anonymous access when they connect using SSL, select Yes in the Anonymous field in the SSL section.
4. Save and close the document.
5. Restart the Internet protocol that you modified.
To edit database ACLs for anonymous access
In the ACL of each database on the server for which you want to enable anonymous access, do the following:
1. Create an entry named Anonymous. If you don't add Anonymous as an entry in the ACL, users and servers who access the server anonymously get -Default- access.
2. Assign the appropriate access level, typically Reader access.
3. Leave user type set to Unspecified.
For more information on database ACLs, see the chapter Controlling User Access to Domino Databases. For information on setting up SSL on a server, see the chapter Setting Up SSL on a Domino Server.
For example, when a user tries to open a database that has an ACL with No Access as the -Default-, Domino challenges the user for a valid user name and password. Authentication succeeds only if the user provides a name and password that match the name and password stored in the user's Person document and if the database ACL gives access to that user. Anonymous users are not authenticated.
You can use name-and-password and anonymous access with TCP/IP and SSL. Name-and-password and anonymous access with TCP/IP are described below. This section also applies to Web clients who are accessing a Domino Web server for which session authentication has been enabled.
Note: The Domino Web Server Application Programming Interface (DSAPI) is a C API that you use to write extensions to the Domino Web server. Using these extensions, or filters, you can customize the authentication of Web users. For more information on DSAPI, see the Lotus C API Toolkit for Domino and Notes. The toolkit is available at www.lotus.com/techzone.
c. If a match is found for the user name Andrew entered, and the password that Andrew entered matches the password in the Internet password field of his Person document, then Andrew will be authenticated. The server checks the primary Domino Directory for the Person document. The server also checks secondary Domino Directories and LDAP directories if it is configured to search secondary Domino Directories and LDAP directories.
   Note: When Domino authenticates an Internet user, it uses the distinguished name, which is the first name that appears in the Full Name field of a Person document. This name should be used in entries for groups, delegated server administration, database ACLs, and file protection documents.
d. Next, the server compiles a grouplist, which contains Andrew's distinguished name, plus any wildcard entries and any groups of which he is a member on that server.
e. The server then checks the database ACL to determine if Andrew's name is listed explicitly on the ACL, or if any of the grouplist entries for his name appear in the ACL.
f. If Andrew's distinguished name, or the name of any group of which he is a member, matches an entry in the ACL, then Andrew gets access to the database using the access level specified for that entry in the ACL. Otherwise, he is denied access.
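Steps d through f, together with the Anonymous and -Default- rule from the ACL procedure above, can be modeled in a few lines. This is an added example, not Domino's implementation: the `*/Org` wildcard form, the precedence rule (an explicit name wins, otherwise the highest matching grouplist entry, otherwise -Default-), and all names and databases are assumptions constructed for illustration.

```python
# Access levels from weakest to strongest.
LEVELS = ["No Access", "Depositor", "Reader", "Author", "Editor", "Designer", "Manager"]

# Constructed sample data: group membership and three database ACLs.
GROUPS = {"Sales Team": {"Andrew Example/Sales/Acme"}}
ACLS = {
    "orders.nsf": {"-Default-": "No Access", "Sales Team": "Editor", "*/Acme": "Reader"},
    "faq.nsf": {"-Default-": "Reader"},
    "public.nsf": {"-Default-": "Author", "Anonymous": "Reader"},
}

def wildcard_entries(dn):
    """Assumed wildcard form: 'A/Sales/Acme' -> ['*/Sales/Acme', '*/Acme']."""
    parts = dn.split("/")
    return ["*/" + "/".join(parts[i:]) for i in range(1, len(parts))]

def build_grouplist(dn, groups):
    """Step d: the distinguished name, its wildcard entries, and the user's groups."""
    member_of = sorted(name for name, members in groups.items() if dn in members)
    return [dn] + wildcard_entries(dn) + member_of

def effective_access(acl, dn, groups):
    """Return (matched ACL entry, access level); dn=None means an anonymous user."""
    if dn is None:
        # Anonymous users are not authenticated: they get the Anonymous
        # entry if one exists, otherwise -Default-.
        entry = "Anonymous" if "Anonymous" in acl else "-Default-"
        return entry, acl[entry]
    if dn in acl:
        # Step e: the name is listed explicitly.
        return dn, acl[dn]
    matches = [e for e in build_grouplist(dn, groups)[1:] if e in acl]
    if matches:
        # Step f: a grouplist entry matches; assume the highest level applies.
        best = max(matches, key=lambda e: LEVELS.index(acl[e]))
        return best, acl[best]
    # No match: -Default- applies (No Access in the scenario above).
    return "-Default-", acl["-Default-"]

def anonymous_exposure(acls):
    """Databases where anonymous users inherit a -Default- level above No Access."""
    return sorted(db for db, acl in acls.items()
                  if "Anonymous" not in acl and acl["-Default-"] != "No Access")

if __name__ == "__main__":
    print(effective_access(ACLS["orders.nsf"], "Andrew Example/Sales/Acme", GROUPS))
    print(anonymous_exposure(ACLS))
```

Running anonymous_exposure over exported ACLs is a quick review for databases that rely on -Default- where an explicit Anonymous entry was intended.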
Encryption
Encryption protects data from unauthorized access. Using Notes and Domino, you can encrypt:
- Messages sent to other users. Then an unauthorized user cannot read the message while it is in transit. You can also encrypt saved and incoming messages.
- Network ports. Encrypting information sent between a Notes workstation and a Domino server, or between two Domino servers, prevents unauthorized users from reading the data while it is in transit.
- SSL transactions. You can use SSL to encrypt information sent between an Internet client, such as a Notes client, and an Internet server, to prevent unauthorized users from reading the data while it is in transit.
- Fields, documents, and databases. Application developers can encrypt fields within a document, an entire document, and local databases. Then only the specified users can read the information.
For information on SSL encryption, see the chapter Setting Up SSL on a Domino Server. For information on field, document, and database encryption, see the book Application Development with Domino Designer.
containing the public key is also stored in the Domino Directory, where it is available to other users.
Domino uses two types of public and private keys: Notes and Internet. You use the Notes public key to encrypt fields, documents, databases, and messages sent to other Notes users, while the Notes private key is used for decryption. Similarly, you use the Internet public key for S/MIME encryption and the Internet private key for S/MIME decryption. For both Notes and Internet key pairs, electronic signatures are created with private keys and verified with public keys.
You can use one set of Internet public and private keys or you can set up Notes to use a set of Internet keys for S/MIME signatures and SSL and another set for S/MIME encryption. For information on dual Internet certificates, see the chapter Setting Up Clients for S/MIME and SSL.
When you register a user, Domino automatically creates a Notes certificate, which contains the user's public keys, and adds it to the ID file and the Domino Directory. The private key is created and stored in the ID file. You can also create Internet public and private keys after user registration. Domino stores Internet certificates, which contain public keys, in the ID file and also in the Domino Directory. The Internet private key is stored in the ID file, separately from the certificate.
To create Notes public and private keys, Domino uses the dual-key RSA Cryptosystem and the RC2 and RC4 algorithms for encryption. To create the Internet public key, Domino uses the X.509 certificate format, which is an industry-standard format that many applications, including Domino, understand. Both the Notes client and Domino server support 1024-bit RSA key and 128-bit symmetric key for S/MIME and SSL. The Notes proprietary protocols use a 630-bit key for key exchange, and a 64-bit symmetric key.
Encryption strength
All Notes IDs contain two public/private key pairs. Prior to 5.0.4, key lengths were restricted for the purposes of encrypting data, but not for authentication or signing. Anything over 512-bit RSA key and 56-bit symmetric key was considered strong encryption and was not allowed for export by the U.S. Government. Customers were required to order and choose among kits of different cryptographic strengths. With the relaxation of US government regulations on the export of cryptography, the Domino server and the Domino Administrator, Domino Designer, and Lotus Notes client products have consolidated all previous encryption strengths (North American, International, and France) into one strong encryption level, resulting in a single Global release of the products. The Global release adopts the encryption characteristics previously known as North American.
43-2 Administering the Domino System, Volume 2
Strong encryption in Global products can be used worldwide, except in countries whose import laws prohibit it, or except in those countries to which the export of goods and services is prohibited by the U.S. government. Customers are no longer required to order Notes software according to cryptographic strength.
When you upgrade to a Global release of Domino and Notes, stronger cryptography will be used without a requirement to reissue existing IDs. These changes are seamless to users as well as administrators. When two different versions of software are communicating, the encryption negotiation will result in a step-down to the weaker level. Therefore, the full benefits of stronger encryption will only be realized when all software has been upgraded to the Global (release 5.0.4 and later) level. However, any mixed versions of the software will interoperate.
The Register New User dialog box still offers a choice between North American and International IDs. It was left this way because administrators often use the North American or International distinction for administration purposes, or there may be older versions of the software still in use in some companies. In addition, countries have their own import rules. Preserving this distinction will allow Lotus to respond to specific country changes, if required.
Note: These regulations pertain only to export from the United States. For other countries with import regulations, customers need to check the requirements of the specific country. While Lotus takes all steps to comply with governmental encryption regulations worldwide, Lotus recommends that customers familiarize themselves with local encryption regulations to remain in compliance.
Interoperability issues
Support for ID types. Both North American and International ID types continue to be supported for the Global release. This is for backward compatibility with pre-5.0.4 clients. Lotus Notes users can keep their existing International IDs if the Global version of the software is installed. The Global version will automatically allow the use of stronger encryption. Browser users can keep their existing key ring, but users must follow the manufacturer's recommendations for upgrading the browser to stronger encryption.
Interoperability with post-5.0.4 releases. If your organization's clients and servers are all running release 5.0.4 or later, it makes no difference whether you create North American or International IDs. Both types of ID will work the same way.
Encryption and Electronic Signatures 43-3
Interoperability with pre-5.0.4 releases. Lotus Notes users, as well as Domino servers which have been upgraded to release 5.0.4 and later, can authenticate and continue day-to-day operations securely with clients and servers running on earlier releases of software. However, if your organization has clients or servers running releases earlier than Notes and Domino 5.0.4, you should continue to create the same types of IDs you created with the earlier versions. International versions of releases prior to 5.0.4 do not allow users to switch to North American IDs, so when registering new international users, you shouldn't create only North American IDs. Similarly, North American versions of earlier releases use weaker cryptography when running with International IDs, so you shouldn't create only International IDs.
The best strategy for deciding between North American and International IDs is to continue using the decision process that was in place for earlier releases of Notes and Domino. Eventually, as you upgrade the Notes clients and Domino servers, the decision will not matter.
Mail encryption
Mail encryption protects messages from unauthorized access. Only the body of a mail message is encrypted; the header information (for example, the To, From, and Subject fields) is not. Notes users can encrypt mail sent to other Notes users or to users of mail applications that support S/MIME, for example, Microsoft Outlook Express and Netscape Communicator.
Users can use Notes mail encryption to encrypt mail sent to other Notes users, encrypt mail received from other Notes users, or encrypt all documents saved in a mail database. Notes uses the recipient's public key, which is stored in the sender's Personal Address Book or in the Domino Directory, to encrypt outgoing and saved mail.
In general, mail sent to users in a foreign domain cannot be encrypted. However, if the recipient of the mail uses Notes and the sender has access to the recipient's public key, the sender can encrypt the mail message. The recipient's public key can be stored in the Domino Directory, in an LDAP directory to which the sender has access, or in the sender's Personal Address Book.
Notes users can also use S/MIME to encrypt mail sent to recipients who use mail applications that support S/MIME. Senders must have the recipient's public key in order to encrypt the message for S/MIME.
The recipient's public key is stored in an Internet certificate in either a Domino Directory or LDAP directory to which the sender has access or in the sender's Personal Address Book. The sender must also have a cross-certificate that indicates to Notes that the recipient's public key can be trusted. For information on setting up a Notes client for S/MIME encryption, see the chapter Setting Up Clients for S/MIME and SSL.
Encrypting a message with either Notes mail encryption or S/MIME encryption does not affect the speed at which the message is routed from sender to recipient. However, encryption does increase the time required to send and to open a message. The extra time is required because the message must be encrypted at the beginning of the transmission and decrypted each time the recipient opens it. The time required to send and open a message is based on the size of the message and the number of bitmaps and other graphics, objects, and attachments in the message. In most cases, the delay is not noticeable.
Encrypting mail
Encrypt outgoing, incoming, and saved mail to protect messages while they are in transit and stored in mail databases on the server. Users can encrypt outgoing mail messages sent to recipients who use either Notes or S/MIME. If recipients prefer to receive mail in MIME format, then encrypted mail will be in S/MIME format. Users can encrypt incoming and saved mail only if they use Notes mail.
To encrypt outgoing mail
Encrypting outgoing mail ensures that only the recipient of a message can read it while the message is in transit, stored in intermediate mailboxes, or in the recipient's mail file. Each Notes client user must encrypt outgoing mail. The administrator cannot encrypt all outgoing mail on a server.
Senders control the choice of MIME format or Notes format when sending mail directly to the Internet or for messages that are addressed to Internet addresses. Mail recipients control the format of incoming mail in their user preferences. The message format determines the choice of encryption method. Notes uses S/MIME encryption for outgoing mail in the following situations:
- The user selects "directly to Internet" in the "Send outgoing mail" field in the Mail tab of the current Location document. Mail messages sent from this location will use MIME format.
- The user selects "MIME format" in the "Format for messages addressed to Internet addresses" field in the Mail tab of the current Location document. Mail messages sent from this location to Internet addresses that cannot be found in a Personal Address Book or Domino Directory will use MIME.
- The user enables the field "When receiving unencrypted mail, encrypt before storing in your mail file" on the Basics tab of the user's Person document. Mail sent to this user will use MIME.
- The user creates a message using a form in which the Body field in the form's design has "Store contents as HTML and MIME" selected in Field Properties.
If the recipient can accept either Notes or MIME format (or if Notes cannot find a Person document for the recipient), the message will use MIME format.
The sender of an encrypted S/MIME mail message must find an Internet certificate for each intended recipient and a cross-certificate that verifies the Internet certificate. The Internet certificate can be stored in the Domino Directory, an LDAP directory that is accessible to the sender, or in the sender's Personal Address Book. The cross-certificate must be stored in the sender's Personal Address Book. If a Notes recipient's Internet certificate is not available to the sender, Notes attempts to use the recipient's Notes public key (if available) to encrypt the message.
Some recipients may have dual Internet certificates, meaning one certificate is for encryption and the other is for signatures and SSL. If the recipient uses dual certificates, Notes extracts the Internet encryption certificate and uses it to encrypt the message.
The sender of an encrypted Notes mail message must have the public key for each intended recipient. The public key can be stored in the Domino Directory, in an LDAP directory that is accessible to the sender, or in the sender's Personal Address Book. For information on encrypting outgoing mail, see Lotus Notes 6 Help.
To encrypt incoming mail for a mail file
If users have Editor access to their Person documents in the Domino Directory, they can encrypt all incoming mail they receive. Otherwise, the administrator must complete this procedure for them.
1. Open the user's Person document in the Domino Directory.
2. Click Edit Person, and then click Basics.
3. In the field "When receiving unencrypted mail, encrypt before storing in your mail file," select Yes.
4. Save the document.
To encrypt saved mail
Users can encrypt drafts of unsent messages and messages that they save after sending. For unsent mail, the message is encrypted only with the sender's public key. For sent mail, the message is encrypted with the sender's and the recipient's public keys. Only messages saved after this option is chosen are encrypted. To encrypt previously saved messages, users must open and resave the messages. Encrypting saved mail prevents access to messages by other users who have unauthorized access to the mail server. For information on encrypting outgoing mail, see Lotus Notes 6 Help.
Electronic signatures
Electronic signatures are closely associated with encryption. An electronic signature verifies that the person who originated the data is the author and that no one has tampered with the data. Users can add an electronic signature to mail messages and to fields and sections of documents. A database designer controls whether fields and sections of a database can be signed; individual users can choose to sign mail messages. Users can sign mail messages sent to other Notes users or to users of other mail applications that support the S/MIME protocol, for example, Microsoft Outlook Express and Netscape Communicator.
Domino uses the same keys used for encryption (the Notes and Internet public and private keys) for electronic signatures. You can also set up Notes to use separate keys for S/MIME signatures and encryption, by adding two Internet certificates to your Notes ID file and using one certificate for S/MIME encryption and the other for S/MIME signatures and SSL client authentication. Having dual Internet certificates lets you maintain separate public and private key pairs for encryption and for electronic signatures and SSL client authentication.
For information on creating signed fields and sections, see the book Application Development with Domino Designer. For information on dual Internet certificates, see the chapter Setting Up Clients for S/MIME and SSL.
3. When the reader accesses the signed data, Notes verifies that the signer has a common certificate or common certificate ancestor from a certifier that the reader trusts. If so, Notes attempts to decrypt the signature using the public key that corresponds to the private key with which the data was signed.
4. If decryption is successful, Notes indicates who signed the message. If decryption is unsuccessful, Notes indicates that it cannot verify the signature. Unsuccessful decryption and comparison may indicate that the data has been tampered with.
Note: Certificate trust checking occurs independently of hash decryption and comparison. Decryption and comparison may succeed even if the certificate is not trusted. This might happen, for example, when a user receives mail from a user in another company and that user doesn't have a cross-certificate.
S/MIME signatures
When the sender signs a message with an S/MIME signature, only the body of the message and accompanying attachments are signed.
1. Notes generates a hash of the data being signed and then encrypts the hash with the private key of the author of the data, forming a signature.
2. Notes attaches a certificate chain (that is, all certificates in the hierarchy for the certificate) and the signature to the data.
3. When the reader accesses the signed data, Notes or the mail application attempts to decrypt the signature using the public key that corresponds to the private key with which the data was signed. If successful, Notes or the application verifies that the signer has a common certificate or common certificate ancestor from a certifier that the reader trusts.
   Note: Typically, the Notes user's organizational certifier issues a cross-certificate to the signer's certificate authority (CA). Trust can also be established if the Notes user issues a cross-certificate directly to the signer's certificate or to the signer's Certificate Authority. Or, the Notes user's organizational certifier can issue a cross-certificate directly to the signer's certificate.
4. Notes or the mail application compares the decrypted hash with a hash of the message generated by the reader. A match means that the signature is valid.
5. If the digest comparison is successful, Notes or the S/MIME mail application indicates who signed the message. If decryption is unsuccessful, the application indicates that it could not verify the signature. Unsuccessful decryption and comparison may indicate that the data has been tampered with.
Note: Certificate trust checking occurs independently of hash decryption and comparison. Decryption and comparison may succeed even if the certificate is not trusted. This might happen, for example, when a user receives mail from a user in another company and that user doesn't have a cross-certificate.
For more information on cross-certificates, see the chapter Protecting and Managing Notes IDs.
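The signing steps above, and the note that trust checking is independent of the hash comparison, can be followed in a small model. This is an added example, not Notes code: it uses a toy RSA key and SHA-256 as stand-ins for whatever algorithms the product uses, and the message, signer, and certifier names are constructed.

```python
import hashlib

# Toy RSA key built from two Mersenne primes (constructed; far too small
# for real use). Requires Python 3.8+ for the modular inverse.
P, Q = 2**61 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent

# Constructed sample message.
MESSAGE = {
    "headers": {"Subject": "Order 17"},
    "body": "Ship 40 units",
    "attachments": [b"\x01\x02"],
}

def signed_bytes(message):
    """Only the body and attachments are signed, not the header fields."""
    return message["body"].encode() + b"".join(message.get("attachments", []))

def digest(data):
    """Hash of the data, reduced to fit the toy modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def sign(message, signer, chain):
    """Hash the data, encrypt the hash with the private key, attach the chain."""
    value = pow(digest(signed_bytes(message)), D, N)
    return {"signer": signer, "chain": list(chain), "value": value}

def verify(message, signature, trusted_certifiers):
    """Return (hash_matches, signer_trusted) as two independent results."""
    recovered = pow(signature["value"], E, N)  # decrypt with the public key
    hash_matches = recovered == digest(signed_bytes(message))
    signer_trusted = any(c in trusted_certifiers for c in signature["chain"])
    return hash_matches, signer_trusted

def status(message, signature, trusted_certifiers):
    """What the reader is told, given both results."""
    hash_matches, signer_trusted = verify(message, signature, trusted_certifiers)
    if not hash_matches:
        return "cannot verify signature"
    if not signer_trusted:
        return "signed by %s (certificate not trusted)" % signature["signer"]
    return "signed by %s" % signature["signer"]

SIGNATURE = sign(MESSAGE, "Alan Jones/Sales/East/Acme", ["/Acme"])

if __name__ == "__main__":
    print(status(MESSAGE, SIGNATURE, {"/Acme"}))
    print(status(MESSAGE, SIGNATURE, {"/OtherCo"}))
    print(status(dict(MESSAGE, body="Ship 400 units"), SIGNATURE, {"/Acme"}))
```

Because header fields are outside the signed data, changing the Subject leaves the hash comparison intact, while any change to the body or an attachment makes it fail.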
- Creates and maintains the Issued Certificate List (ICL), a database that contains information about all certificates issued by the certifier.
- Is compliant with security industry standards for Internet certificates, for example, X.509 and PKIX.
To manage the CA process from the Domino console, you use a set of server Tell commands. For more information on CA process Tell commands, see the appendix Server Commands.
Issued Certificate List (ICL)
Each certifier has an Issued Certificate List (ICL) that is created when the certifier is created or migrated to the CA process. The ICL is a database that stores a copy of each unexpired certificate that it has issued, certificate revocation lists, and CA configuration documents. Configuration documents are generated when you create the certifier and sign it with the certifier's public key. After you create these documents, you cannot edit them. CA configuration documents include:
- Certificate profiles, which contain information about certificates issued by the certifier.
- CA configuration document, which contains information about the certifier itself.
- RA/CA association documents, which contain information about the RAs who are authorized to approve and deny certificate requests. There is one document for each RA.
- ID file storage document, which contains information about the certifier ID.
Another CA configuration document, the Certifier document, is created in the Domino Directory when you set up a certifier. This document can be modified. For more information, see the topic Modifying a certifier later in this chapter.
Certificate Revocation List (CRL)
A CRL is a time-stamped list identifying revoked Internet certificates, for example, certificates belonging to terminated employees. The CA process issues and maintains CRLs for each Internet certifier. A CRL is associated with a certifier, is signed by that certifier, and resides in the certifier's ICL database. A copy of the CRL is also stored in the Domino Directory, where it is used to assert certificate validity by entities that require certificate authentication.
Administering the Domino System, Volume 2
You configure the CRL when you create a new Internet certifier. You can specify the length of time for which a CRL is valid and the interval between publication of new CRLs. After CRLs are configured, the certifier issues them on a regular basis and they operate unattended.
Using CRLs, you can manage the certificates issued in your organization. You can easily revoke a certificate if the subject of the certificate leaves the organization or if the key has been compromised. HTTP servers and Web browsers check the CRLs to determine whether a given certificate has been revoked, and is therefore no longer trusted by the certifier. When you use Internet Site documents to configure Internet protocols on the Domino server, you can also enable CRL-checking for each protocol.
There are two kinds of CRLs: regular and non-regular. For regular CRLs, you configure a duration interval (the time period for which the CRL is valid) and the interval at which new CRLs are issued. Each certifier issues a CRL at the specified time, even if no certificates have been revoked since the last CRL was issued. This means that if an administrator revokes a certificate, it appears in the next scheduled CRL issued by the certifier. The CRL duration period should be greater than the time period between each CRL issuance. This ensures that the CRL remains valid. Otherwise, the CRL could expire before a new one is issued.
However, in the event of a critical security break (for example, if the administrator needs to revoke a particularly powerful certificate or the certifier certificate is compromised), you can manually issue a non-regular CRL (that is, an unscheduled CRL) to enforce the emergency revocation. This type of revocation does not affect either the timing or the content of the next scheduled CRL. You use a Tell command to issue a non-regular CRL.
For more information on revoking a certificate, see the topic Revoking a certificate later in this chapter.
For more information on enabling CRL-checking, see the chapter Installing and Setting Up Domino Servers. For more information on configuring a regular CRL, see the topic Creating an Internet CA later in this chapter. For more information on issuing a nonscheduled CRL, see the appendix Server Commands.
Administering a Domino CA
There are a number of tasks associated with managing a certifier. If you implement a certifier that uses the CA process, you can delegate Notes and Internet certificate request approval and denial to other administrators, each of whom acts as a registration authority.
Note Many of the manual tasks associated with managing a CA prior to Domino 6 are now automated when you use the CA process.
Domino certificate authority administrator tasks
The Domino certificate authority administrator (CAA) is responsible for these tasks:
Create and configure certifiers.
Modify certifiers. For example, only a CA administrator can edit ID recovery information for a Notes certifier.
Add or remove Certification and Registration Authority administrators, or change the CA and RA roles assigned to users.
The CAA must have at least Editor access to the master Domino Directory for the domain. As a best practice, designate at least two CAAs for each certifier. You then have a backup if one leaves the organization.
Note By default, the administrator who creates a certifier is automatically designated as both a CAA and an RA for that certifier. When you create additional CAAs, they must be assigned the RA role in order to register users.
Domino Registration Authority administrator tasks
A registration authority (RA) administrator registers Notes users and Domino servers, approves or denies Internet certificate requests, and, if necessary, revokes Internet certificates. While a CA administrator can also be a registration authority, the main advantage of having a separate RA role is to offload these tasks from the Domino and/or CA administrator. Moreover, the Domino administrator can establish one or more RAs for each certifier enabled for the CA process.
An RA should approve only those requests that will be accepted by the certifier. The CA Configuration document, stored in the CA's ICL database, describes what is acceptable.
Domino administrators who register Notes users should also be listed as RAs for the Notes certifier. If you are using the Web Administrator client, you need to set up a server-based certification authority to register Notes users. The Web administrator, as well as the server on which the Web Administrator database resides, must be listed as an RA for that certifier.
The Domino Registration Authority (RA) administrator is responsible for these tasks:
Register users, servers, and additional Notes certifiers.
Approve or deny Internet certificate requests.
Revoke certificates if they can no longer be trusted, such as if the subject of the certificate leaves the organization, or if the key has been compromised.
Note CAs and RAs must have at least Editor access to the master Domino Directory for the domain.
4. In the Choose ID/key ring file dialog box, select the CERT.ID of the certifier you want to migrate.
Choose the certifier ID (CERT.ID) and click Select to migrate a Notes certifier.
Choose the certifier key ring file and click Select to migrate an Internet certifier.
5. The certifier ID's path and filename now appear in the Migrate Certifier dialog box. Enter the password for the certifier ID or key ring file and click OK.
6. If you are migrating a Notes certifier, complete the procedure To migrate a Notes certifier. Otherwise, see the procedure To migrate an Internet certifier.
To migrate a Notes certifier
1. On the Basics tab, complete these fields:
Field: Select the server where the certifier will run
Action: Select the server that will store the migrated certifier. Make sure that the client location document points to this server.
Field: Name of ICL database to be created
Action: (Optional) ICLs are created automatically when you create a certifier, and named by default. You can modify the default name (for example: icl\icl_Acme.nsf for the Acme certifier). Although you can change the location of the ICL, it is recommended that you use the default directory and path.
Encrypt ID Medium Enter a new with password Server ID for this certifier
If you choose to encrypt the certifier ID with the server ID and password, you need to activate the certifier. Use the tell command:
tell ca activate <password>
If you choose to encrypt the certifier ID with a lock ID, the certifier is locked when you create it. Use the tell command:
tell ca unlock <idfile> <password>
Note Encrypting a certifier ID with the password-protected Server ID protects only that certifier. If you use a lock ID, you have the option of using it with multiple certifiers. You then need to lock and unlock those certifiers simultaneously.
3. (Optional) In the Administrators list, enter names of additional CAAs and RAs. The name of the administrator migrating the CA is automatically included in the list as both a CAA and an RA.
4. On the Certificates tab, complete these fields:
Field: Certificate duration for EE certificate
Action: Enter the default, minimum, and maximum duration, in months, for an end-entity (EE) certificate. An end-entity certificate is granted to servers or end users.
Action: Enter the default, minimum, and maximum duration, in months, for a certificate authority (CA) certificate. A CA certificate is granted to certifiers.
5. Click OK. A message appears saying that you have successfully migrated the certifier.
6. Add the certifier to the CA process.
To migrate an Internet certifier
1. Migrate the key ring file.
2. Complete the Migrate Certifier dialog as described in the procedure To create an Internet certifier later in this chapter.
For more information on using CA server commands, see the appendix Server Commands.
To add a certifier to the CA process
1. Make sure that you have already migrated or created a certifier.
2. If this is the first certifier you are setting up to use the CA process, or if the CA process is not already running, at the server console enter:
load ca
3. If the CA process task is already running, it automatically adds newly-created certifiers when it refreshes, which takes place every 12 hours. However, the time period in which the Administration Requests database processes CA requests will vary. If you want to hasten the process, at the console enter:
tell adminp process all
tell ca refresh
And then enter the following to see if the new certifier has been added:
tell ca stat
Note To load the CA task automatically, add the parameter ca to the Server setting in the NOTES.INI file.
For more information on using CA server commands, see the appendix Server Commands.
Field: Common name
Action: Enter the certifier name.
Field: Organizational unit (optional)
Action: Enter the name of the certifier's organizational unit, if applicable.
Field: Organization (optional)
Action: Enter the name of the certifier's organization.
Field: City or locality (optional)
Action: Enter the organization's city or locality.
Field: State or province (optional)
Action: Enter the full name of the state or province in which the organization resides.
Field: Country (optional)
Action: Enter the two-character abbreviation for the country in which the organization resides.
6. Choose the server on which to store the certifier.
7. (Optional) Modify the default ICL database name (for example: icl\icl_Acme.nsf).
Note It is recommended that you use the default directory structure.
8. For Encrypt Certifier ID with, select one:
Option Security level Password required None Server ID password Action required None
If you choose to encrypt the certifier ID with the server ID and password, you need to activate the certifier. Use the tell command:
tell ca activate <password>
If you choose to encrypt the certifier ID with a lock ID, the certifier is locked when you create it. Use the tell command:
tell ca unlock <idfile> <password>
Note Encrypting a certifier ID with the password-protected Server ID protects only that certifier. If you use a lock ID, you have the option of using it with multiple certifiers. You then need to lock and unlock those certifiers simultaneously.
9. (Optional) In the Administrators list, enter the names of additional CAAs and RAs. The name of the administrator creating the CA is automatically included in the list as both a CA administrator and an RA administrator.
For more information on certifier administrators and registration authorities, see the topic Administering a Domino CA earlier in this chapter.
10. On the Certificates tab, complete these fields:
Field: Include CRL distribution point extension
Action: (Optional) Select to enable an attribute that identifies the distribution point for the certifier CRL on the server that you select in the Using server list.
Field: Backdate certificate validity
Action: Enter the date when the certificate becomes valid, as this may differ from the date on which the certificate is created.
Field: Certificate duration
Action: Enter the default, minimum, and maximum certificate duration in months.
Field: Key usage
Action: Choose the key usage extensions for this certificate.
Note The default certificate type is end entity certificate. This means that Internet certificates issued by this certifier apply to users of certificates and/or end-user systems that are subjects of a certificate.
11. Click Miscellaneous, and then click Create a local copy of the certifier ID. Specify the certifier ID file name and password, and click OK. A copy of the certifier ID is saved to the default path ...\notes\data\ids\certs\cert.id. You can select a different path. Use this local copy of the certifier ID as a backup to re-create the certifier if it becomes corrupted.
12. Complete these fields to specify Certificate Revocation List information for this certifier:
Field: Duration of CRL (in days)
Action: Enter the length of time, in days, for which a given CRL is valid. It is recommended that this time period extend beyond the time period between issued CRLs, as this ensures that the CRL is always valid.
Action: Enter the time interval, in days, between issued CRLs.
13. Complete these fields to specify Key and certifier certificate information for this certifier:
Field: Signing algorithm
Action: Select the algorithm used to encrypt the certificate's signature.
Field: Key length
Action: Enter the key length to use for encryption. This setting determines the number of bits needed to be able to represent any of the possible values of a cryptographic key. The longer the key length, the more difficult it is to decrypt encrypted text.
Action: (Optional) Change the default certificate expiration date.
14. Complete these fields to specify the Certifier PKIX Alternative Name(s) information for this certifier:
Alternative name fields allow alternate names to be listed in certificates. Alternate subject names can appear in any certificate. If a CA has alternate names, those names should be included in the certificates it issues. For example, you can include the certifier's e-mail address in the certificates it issues, so that users know how to contact the certifier that issued them.
Note A PKIX Alternative Name is not the same as a Notes alternate name. The Notes alternate name is the foreign language version of a user name.
Field: Type
Action: Enter the type of alternative name you want to use.
Field: Value
Action: Enter the alternative name you want to use.
15. Click Add to add the alternative name to the certifier's certificate.
16. Click OK. A message appears saying that you have successfully set up a CA.
17. Complete these procedures:
Add the new certifier to the CA process.
Create the Certificate Requests application.
Key usage extension: Description
Non-repudiation
Key encipherment: Use when a certificate will be used with a protocol that encrypts keys. An example is S/MIME enveloping, where a fast (symmetric) key is encrypted with the public key from the certificate. SSL protocol also performs key encipherment.
Data encipherment: Use when the public key is used for encrypting user data, other than cryptographic keys.
Key agreement: Use when the sender and receiver of the public key need to derive the key without using encryption. This key can then be used to encrypt messages between the sender and receiver. Key agreement is typically used with Diffie-Hellman ciphers.
Certificate signing: Use when the subject public key is used to verify a signature on certificates. This extension can be used only in CA certificates.
CRL signing: Use when the subject public key is to verify a signature on revocation information, such as a CRL.
Encipher only: Use only when key agreement is also enabled. This enables the public key to be used only for enciphering data while performing key agreement.
Decipher only: Use only when key agreement is also enabled. This enables the public key to be used only for deciphering data while performing key agreement.
Extended key usage further refines key usage extensions. An extended key is either critical or non-critical. If the extension is critical, the certificate must be used only for the indicated purpose or purposes. If the certificate is used for another purpose, it is in violation of the CA's policy.
If the extension is non-critical, it indicates the intended purpose or purposes of the key and may be used in finding the correct key/certificate of an entity that has multiple keys/certificates. The extension is then only an informational field and does not imply that the CA restricts use of the key to the purpose indicated. Nevertheless, applications that use certificates may require that a particular purpose be indicated in order for the certificate to be acceptable.
If a certificate contains both a critical key usage field and a critical extended key usage field, both fields must be processed independently, and the certificate must be used only for a purpose consistent with both fields. If there is no purpose consistent with both fields, the certificate must not be used for any purpose.
Extended key: Enable for these key usage extensions
TLS Web server authentication: Digital signature, key encipherment or key agreement
TLS Web client authentication: Digital signature and/or key agreement
Sign (downloadable) executable code: Digital signature
Email protection: Digital signature, non-repudiation, and/or key encipherment or key agreement
IPSEC End System (host or router): Digital signature and/or key encipherment or key agreement
IPSEC Tunnel: Digital signature and/or key encipherment or key agreement
Enable for these key usage extensions Digital signature and/or key encipherment or key agreement Digital signature, non-repudiation.
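The table and the both-critical rule above can be applied as a check on a certificate profile before a certifier issues from it. The following Python sketch is an added example, not part of the Domino documentation or product. It assumes that an extended key is consistent with the key usage when at least one of the bits the table lists for it is set, and that a non-critical extension does not restrict use.

```python
"""Lint key usage against extended key usage (added example, not Domino code)."""

DS, NR = "digital signature", "non-repudiation"
KE, KA = "key encipherment", "key agreement"

# Rows of the page's "Enable for these key usage extensions" table.
EKU_TABLE = {
    "TLS Web server authentication": {DS, KE, KA},
    "TLS Web client authentication": {DS, KA},
    "Sign (downloadable) executable code": {DS},
    "Email protection": {DS, NR, KE, KA},
    "IPSEC End System (host or router)": {DS, KE, KA},
    "IPSEC Tunnel": {DS, KE, KA},
}


def consistent_purposes(key_usage, ext_key_usage):
    """Extended keys that have at least one matching key usage bit set.

    Assumption: one matching bit is enough; the table's "and/or" wording
    is not modelled more finely than that.
    """
    unknown = set(ext_key_usage) - set(EKU_TABLE)
    if unknown:
        raise ValueError(f"not in the table: {sorted(unknown)}")
    return {p for p in ext_key_usage if EKU_TABLE[p] & set(key_usage)}


def allowed_purposes(key_usage, ku_critical, ext_key_usage, eku_critical):
    """Table purposes the certificate may be used for.

    Critical extended key usage: only the listed purposes.
    Critical key usage: only purposes with a matching bit.
    Both critical: the intersection. An empty result means the
    certificate must not be used for any purpose.
    """
    allowed = set(EKU_TABLE)
    if eku_critical:
        allowed &= set(ext_key_usage)
    if ku_critical:
        allowed &= {p for p, bits in EKU_TABLE.items() if bits & set(key_usage)}
    return allowed


def lint(key_usage, ku_critical, ext_key_usage, eku_critical):
    """Return human-readable findings for a certificate profile."""
    findings = []
    ok = consistent_purposes(key_usage, ext_key_usage)
    for purpose in sorted(set(ext_key_usage) - ok):
        findings.append(f"'{purpose}' has no matching key usage bit")
    if ku_critical and eku_critical and not allowed_purposes(
        key_usage, ku_critical, ext_key_usage, eku_critical
    ):
        findings.append(
            "both extensions are critical and share no purpose: "
            "the certificate must not be used"
        )
    return findings


if __name__ == "__main__":
    # Constructed profile: a CA-style key usage paired with an e-mail purpose.
    for line in lint({"certificate signing", "CRL signing"}, True,
                     {"Email protection"}, True):
        print(line)
```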
Key usages
9. For Processing method, choose the method by which requests are submitted to the Administration Process:
Manual (default): Choose this if you want an RA to review requests submitted to the Certificate Requests database to approve or deny each request individually.
Automatic: Choose this to have requests submitted to the Certificate Requests database processed without RA intervention. Requests will be approved or denied according to the certificate policy. If this method is chosen, the Automatic Transfer Server field appears, in which you need to specify the server running the administration process and to which certificate requests will automatically be transferred.
Note If the Automatic method is chosen, the RA must be listed in the group of users who can run unrestricted methods and operations on the server. This can be set on the Security tab in the Server document. There must also be a replica of the Certificate Requests database on the specified transfer server.
10. For Mail notification, choose whether or not to send e-mail notification when a certificate request has been processed by the CA.
Yes (default): Choose this if you want the requester to be notified by e-mail when a certificate request has been processed by the CA.
No: Choose this if you do not want the requester to be notified by e-mail when a certificate request has been processed by the CA.
11. Click Save & Close.
Field: Organization name
Action: Enter the name of the certifier organization.
Field: State or province
Field: Country
c. Verify the information in the Key Ring Created dialog box, then click OK to add your CA as a trusted root and generate a certificate request for the server.
d. Verify the information in the Merge Trusted Root Certificate Confirmation dialog box and click OK.
e. When the Certificate received into key ring and designated as trusted root confirmation dialog box appears, click OK.
f. When the Certificate Request Successfully Submitted for Key Ring dialog box appears, click OK.
If you chose Automatic as the processing method used by the Certificate Requests database, continue with Step 5. If you chose Manual, then complete Steps 4 through 6.
4. Do the following to transfer the certificate request to the Administration Requests database:
a. In the Certificate Requests database, open the Submitted/Waiting for Approval view. If the request does not appear, press F9 to refresh the view.
b. If the request has been Submitted to Administration Process, continue with Step 5. If the request is still Pending, highlight the request and click Submit Selected Requests.
c. When you see Successfully submitted 1 request(s) to the Administration Process, click OK.
5. Have an authorized registration authority approve the request. This RA should be authorized for the certifier for which you are setting up SSL.
a. Open the Administration Requests database (ADMIN4.NSF), and then open the Certification Authority Requests/Certificate Requests view and find the new request.
b. Open the request and verify the information in it.
c. Click Edit Request, then Approve Request. Press F9 until the request changes from New to Issued.
6. Transfer the certificate request out of the Administration Requests database:
a. Close the Administration Requests database and return to the Certificate Requests database.
b. Open the Pending/Submitted Certificates view and locate the request. If necessary, refresh the view.
c. If the certificate has not yet been issued, click Pull Selected Request(s).
7. After the CA signs the request for a server certificate and notifies you to pick up the certificate, do the following:
a. Do one:
Open the Administrator's mail file, locate and open a message with the subject Your certificate request has been approved, and copy the pickup ID to the Clipboard.
From the Certificate Requests database, open the Submitted/Accepted view, then open the issued server request and copy the Request ID to the clipboard.
b. In the Certificate Requests database, choose Domino Key Ring Management, then Pickup Key Ring Certificate.
c. Enter the key ring file name and password, paste the pickup ID into the form, and click Pickup Certificate.
8. Do the following to merge the approved server certificate into the key ring file:
a. When the Merge Signed Certificate Confirmation dialog box appears, verify the information and click OK.
b. When the Certificate received into key ring confirmation box appears, click OK.
c. Copy or use FTP (in binary mode) to transfer the new key ring file and its associated .STH file to the server's data directory.
9. Configure the port for SSL:
a. In the Domino Directory, open the Server document. In the Ports/Internet Ports section, click Edit Server and enter the name of the new key ring file. (Do not include the full path to the key ring file. Specify only the file name.) Enable the SSL Port Status field and then click Save and Close.
Note As an optional step, while editing the Server document, enable Session authentication in the Internet Protocols/Domino Web Engine section. This ensures that HTTP sessions will time out in the number of minutes that are specified in the Idle session timeout field. The Maximum active sessions may also be specified.
b. If HTTP is already running, at the console type te http restart to enable SSL on the server.
c. To show SSL status and to verify that the HTTP server is listening on both 80 and 443, type te http show security at the server console.
10. Do the following to confirm that SSL is working on the server.
a. Open a browser, and enter the URL of the server, for example:
https://Server.Company.com/certreq.nsf
b. If the New Site Certificate dialog box appears, click Next.
c. Click More Info to verify the information, then click Next.
d. Decide whether or not to accept the new site certificate, and for how long, then click Next.
e. Decide whether or not you want to see a warning every time you access the new site, then click Next. When the dialog box appears, click Finish.
If the Security indicator (a padlock icon) is closed (locked), you have successfully established a secure session over SSL.
b. Open the request and verify the information in it.
c. Click Edit Request, then Approve Request. Press F9 until the request changes from New to Issued.
4. Transfer the certificate request out of the Administration Requests database:
a. Close the Administration Requests database and return to the Certificate Requests database.
b. Open the Pending/Submitted Certificates view and locate the request. If necessary, refresh the view.
c. If the certificate has not yet been issued, click Pull Selected Request(s).
5. The certifier signs the request for a server certificate and notifies the requester to pick up the certificate.
Modifying a server-based CA
After you migrate or create a certifier, you can modify it through the certifier ICL or through the certifier document in the Domino Directory. Note that how you open a certifier to modify it affects the number and type of changes you can make.
Note Only CA administrators can modify a server-based CA. A CA administrator must have Editor access to the Domino Directory in order to modify a certifier.
To modify a certifier through the ICL
1. Shut down the CA process used by the certifier that you want to modify. At the server console, type:
tell ca quit
2. From the Domino Administrator, click Configuration.
3. On the Tools pane, choose Certification - Modify Certifier.
4. Select the server that hosts the CA you want to modify, if necessary.
5. Select the certifier to recover by doing one of the following:
Select the certifier document from the Domino Directory.
Select the certifier ICL database.
Note If the certifier is protected with a lock ID, you must unlock it in order to modify it.
6. In the Certifier dialog box, modify the certifier as needed. You can change these features:
Encryption mechanism for certifier ID
CAs and RAs, and roles of current entries
CRL distribution point extension
Enable or disable backdating of certificate
Certificate duration
Certificate key usage (Internet certifiers only)
CRL publication and duration (Internet certifiers only)
For detailed information on these options, see the topic Creating a certifier for a server-based CA earlier in this chapter.
7. Click OK.
To modify a certifier through the Certifier document
To modify a Certifier document, you must have Editor access to the Domino Directory. Full-access administrators and administrators have this access by default; however, be sure that all certificate authority (CA) administrators also have this access.
1. From the Domino Administrator, click Configuration.
Note If the certifier is protected with a lock ID, you must unlock it in order to modify it.
On the Basics tab, you can modify certifier name and issuer. Click Modify CA configuration to change CAA and RA associations.
2. Click Save and Close.
Disabling a certifier
To modify a Certifier document, you must have Editor access to the Domino Directory. Full-access administrators and administrators have this access by default; however, be sure that all certificate authority (CA) administrators also have this access.
1. From the Domino Administrator, click Configuration and open the Certificates view in the Server pane.
2. Select the certifier document you want to disable and double-click to open it.
3. Click Edit Certifier.
4. On the CA Configuration tab, disable the CA process for the certifier.
5. Click Save and Close.
Caution If you disable the CA process for a certifier, and later want to enable it, you must open the certifier document and enable it. You can also repeat the CA migration process to enable it; however, this creates a new ICL database for the certifier.
Revoking a certificate
A CA administrator can easily revoke an Internet certificate if the subject of the certificate leaves the organization, or if the key has been compromised. After a certificate is revoked, it can never again be trusted. If you revoke a certificate, especially if a key has been compromised, issue a non-regular CRL so that any entity checking CRLs has the most updated revocation information.
To revoke a certificate
1. From the Domino Administrator, click Files. Open the ICL directory.
2. From the list of ICL databases, open the ICL for the certifier that issued the certificate you need to revoke.
3. Open the Issued Certificates\By Subject Name view.
4. Open the Issued Certificate document for the certificate you want to revoke. The document name is the same as the subject name.
5. At the top of the document, click Revoke Certificate.
6. In the Revocation Reason dialog box, select the reason for revoking the certificate, and click OK.
7. Issue a non-regular CRL.
The next time the CA process refreshes, the Issued Certificate document will be updated to indicate that the certificate has been revoked. When you open the Issued Certificate document again, the Revocation Information section will indicate that the certificate has been revoked, the revocation date and time, the reason for the certificate's revocation, and the date and time the certificate became invalid.
For more information on issuing non-regular CRLs, see the appendix Server Commands.
Viewing certifiers running under the CA process
You can view a list of all the certifiers running under the CA process. At the server console type:
tell ca status
The server returns a list of all certifiers using the CA process and their current status. The number associated with each certifier is used in some CA Tell commands. For example:
10/22/2001 02:38:12 pm CA Process status:
10/22/2001 02:38:12 pm 1. O=Acme
10/22/2001 02:38:12 pm Certifier type: Notes
10/22/2001 02:38:12 pm Active: Yes
10/22/2001 02:38:12 pm ICL DB Path: icl\icl_Acme.nsf
10/22/2001 02:38:12 pm 2. CN=East/O=Acme/ST=Massachusetts/C=US
10/22/2001 02:38:12 pm Certifier type: Internet
10/22/2001 02:38:12 pm Active: Yes
10/22/2001 02:38:12 pm ICL DB Path: icl\icl_East.nsf
For more information about using CA Tell commands, see the appendix Server Commands.
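Captured status output like the sample above can be checked automatically, for instance to confirm that a newly created certifier was picked up after a refresh, or to spot a certifier that still needs to be activated or unlocked. The following Python parser is an added example, not part of the Domino documentation. It assumes the line layout of the sample above; the third certifier and its Active: No value are constructed for illustration.

```python
"""Parse captured 'tell ca status' output (added example, not Domino code)."""
import re

# Timestamp prefix as it appears in the page's sample, e.g. "10/22/2001 02:38:12 pm".
# Assumption: other console locales may format the prefix differently.
STAMP = re.compile(r"^\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [ap]m\s+", re.I)
ENTRY = re.compile(r"^(\d+)\.\s+(.+)$")      # "2. CN=East/O=Acme/..."
FIELD = re.compile(r"^([^:]+):\s*(.*)$")     # "Active: Yes"

# First two certifiers are from the page; the third is constructed.
SAMPLE = r"""10/22/2001 02:38:12 pm CA Process status:
10/22/2001 02:38:12 pm 1. O=Acme
10/22/2001 02:38:12 pm Certifier type: Notes
10/22/2001 02:38:12 pm Active: Yes
10/22/2001 02:38:12 pm ICL DB Path: icl\icl_Acme.nsf
10/22/2001 02:38:12 pm 2. CN=East/O=Acme/ST=Massachusetts/C=US
10/22/2001 02:38:12 pm Certifier type: Internet
10/22/2001 02:38:12 pm Active: Yes
10/22/2001 02:38:12 pm ICL DB Path: icl\icl_East.nsf
10/22/2001 02:38:12 pm 3. CN=Example Test CA/O=Example
10/22/2001 02:38:12 pm Certifier type: Internet
10/22/2001 02:38:12 pm Active: No
10/22/2001 02:38:12 pm ICL DB Path: icl\icl_Example.nsf
"""


def parse_ca_status(text):
    """Return one dict per certifier: number, name, and each 'Key: value' line."""
    certifiers = []
    for raw in text.splitlines():
        line = STAMP.sub("", raw.strip())
        if not line:
            continue
        entry = ENTRY.match(line)
        if entry:
            certifiers.append({"number": int(entry.group(1)),
                               "name": entry.group(2).strip()})
            continue
        field = FIELD.match(line)
        # Lines before the first numbered entry (the status header) are skipped.
        if field and certifiers:
            certifiers[-1][field.group(1).strip()] = field.group(2).strip()
    return certifiers


def not_active(certifiers):
    """Certifiers whose Active field is missing or not 'Yes'."""
    return [(c["number"], c["name"]) for c in certifiers
            if c.get("Active", "").lower() != "yes"]


def missing(expected_names, certifiers):
    """Expected certifier names that the CA process does not list."""
    running = {c["name"].lower() for c in certifiers}
    return sorted(n for n in expected_names if n.lower() not in running)


if __name__ == "__main__":
    certs = parse_ca_status(SAMPLE)
    print("not active:", not_active(certs))
    print("not loaded:", missing(["O=Acme", "CN=West/O=Acme"], certs))
```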
A CA key ring file is a binary file that is password-protected and is used to store the CA certificate. This certificate is then used to sign server and client Internet certificates. Once you have created a certifier on a Domino server, you can then enable SSL on that server to provide secure communications for certificate requests and pickups. You do this by creating a server key ring file and merging the CA certificate into it as a trusted root certificate.
3. Create a CA key ring file and CA certificate.
4. Configure the CA profile to specify key ring and mail settings.
5. Set up SSL on the CA server.
Field: Key ring password
Field: Password verify
Field: Key Size
Field: Common name
Field: Organization
Field: Organizational Unit
Field: City or Locality
Field: State or Province
Action: Enter three or more characters that represent the state or province where the certifier resides, such as Massachusetts. (For U.S. states, enter the complete state name, not the abbreviation.)
Field: Country
Action: Enter the two-character representation of the country where the certifier resides, for example, US for United States or CA for Canada.
Note The Common name, Organization, Organizational Unit, City or Locality, State or Province, and Country make up the CA server's distinguished name. Choose the CA name carefully; it is a costly process to reissue certificates if you change the name.
5. Click Create Certificate Authority Key Ring.
6. After you review the information about the key ring file and CA name, click OK.
7. Make a backup copy of the Certificate Authority key ring file, and store it in a secure location.
8. Configure the Domino Certificate Authority application profile.
To change the password for the CA key ring file
To ensure the continued security of the CA key ring file, periodically change its password.
1. From the Domino Administrator, click Files, and open the Domino Certificate Authority application.
2. Click View Certificate Authority Key Ring, and then click Change CA Key Ring Password.
3. Enter the old password, and then click OK.
4. Enter a new password, and then click OK.
Field: Mail confirmation of signed certificate to requester?
Action: Choose one:
Yes to generate an e-mail confirmation for a signed certificate request.
No (default) to not send the confirmation.
Field: Submit signed certificates to AdminP for addition to the Directory?
Action: Choose one:
Yes (default) to submit the signed certificate request to the Administration Process, which then stores this certificate in the Domino Directory.
No to not submit the certificate.
Field: Default validity period
Action: Specify the period, in years, for which the signed certificate is valid. Default is 2 years.
Action
Enter the label to display when you view the CA certificate in the server key ring file.
Enter the TCP/IP fully-qualified host name, for example, www.lotus.com. Set up the server certificate so that the common name matches the DNS name, since some browsers check for this match before allowing a connection.
Enter the name of the certifier organization. This is usually a company name, such as Acme.
(Optional) Enter the division or department where the certifier organization resides.
(Optional) Enter the city or town where the certifier organization resides.
State or Province | Enter three or more characters that represent the state or province where the certifier organization resides, such as Massachusetts. (For U.S. states, enter the complete state name, not the abbreviation.)
Country | Enter a two-character representation of the country where the certifier organization resides, for example, US for United States or CA for Canada.
5. Click Create Server Key Ring.
6. Enter the CA key ring file password, and then click OK. The server SSL key ring file is created.
7. Copy the server key ring file to the Domino data directory on the server. The Domino Certificate Authority application creates the file locally; however, the server needs the key ring file to use SSL.
Note If you choose to store the server key ring file in some place other than the Domino data directory, you must specify the full directory path to it in the Server document or Site document.
8. Configure the SSL port. Enable server authentication on the server. For more information on configuring an SSL port, see the chapter Setting Up SSL on a Domino Server.
9. If clients use Netscape Navigator, do the following:
a. From the Domino Administrator, click the Files tab, open the Domino Certificate Authority application, and then open the Database Properties box.
b. On the Basics tab, choose Web Access: Require SSL connection to force browsers to use SSL to connect to this database.
Note If clients use Microsoft Internet Explorer, do not complete this step, which forces users to use SSL to access the application. Clients who use Internet Explorer must use TCP/IP to access the Domino Certificate Authority application and merge the certificate as a trusted root. Internet Explorer does not allow clients to accept a site certificate for a server for which they do not have the trusted root certificate.
To sign a server certificate with a Domino 5 Certificate Authority
Before you begin, make sure that:
• The requesting server administrator has merged the Certificate Authority's certificate into the server key ring as a trusted root.
• You understand your organization's policy on signing certificates. Sign certificates only if the certificate requests comply with your organization's security policy.
1. From the Domino Administrator, click Files and open the Domino Certificate Authority application.
2. Click Server Certificate Requests.
3. Open the request to sign.
4. Review the user information and distinguished name. Make sure that the information provided complies with your organization's security policy. If you want to deny the request, complete Step 5. Otherwise, go to Step 6.
5. To deny the request, do the following:
a. Enter a reason for the denied request.
b. If you do not want to notify the server administrator by e-mail, deselect Send a notification email to the requester. Otherwise, Domino sends the server administrator an e-mail indicating that you denied the request and the reason why you denied the request.
c. Click Deny.
6. To approve the request, do the following:
a. Enter a validity period. For short-term projects, 90 days is typical; for ongoing projects, you can enter several years.
b. If you do not want to notify the server administrator by e-mail to pick up the certificate, deselect Send a notification email to the requester. Otherwise, Domino sends the server administrator an e-mail with a URL indicating the location to pick up the certificate.
c. Click Approve.
d. Enter the password for the CA's key ring file, and then click OK.
7. Have the server administrator complete the procedure Merging a server certificate into the key ring file.
SSL security
Secure Sockets Layer (SSL) is a security protocol that provides communications privacy and authentication for Domino server tasks that operate over TCP/IP. SSL offers these security benefits:
• Data is encrypted to and from clients, so privacy is ensured during transactions.
• An encoded message digest accompanies the data and detects any message tampering.
• The server certificate accompanies data to assure the client that the server identity is authentic.
• The client certificate accompanies data to assure the server that the client identity is authentic. Client authentication is optional and may not be a requirement for your organization.
The Java applet that uses this protocol must be set up to use SSL.
Domino uses SASL automatically if SSL with client authentication is set up on the server and if the LDAP client supports the protocol. No additional configuration is necessary. Simple Mail Transport Protocol (SMTP)
7. Configure the port for SSL.
8. If you are using client authentication, add the client's name to database ACLs and access lists for design elements.
To set up the Server Certificate Admin application
1. Make sure you set up the server as a Domino Web server. For more information, see the chapter Setting Up the Domino Web Server.
2. Edit the ACL of the Server Certificate Admin application, as follows:
• Add the names of server administrators who will need to obtain and manage server certificates. Assign Manager access.
• Set -Default- access to No access to prevent others from using the database.
3. Create a server key ring file.
Tip To hide the Server Certificate Admin application when users choose File - Database - Open, deselect Show in Open Database dialog in the Database Properties box.
Every server certificate includes a distinguished name used for SSL connections. You set up this distinguished name when you create the server key ring file. Some components of a distinguished name are optional; however, the more components you include, the less likely you are to encounter an identical name elsewhere on the Internet.
Note If you are requesting a server certificate from a server-based certification authority, you can use the Notes client to create the server key ring and request a server certificate in the Certificate Requests database. For more information, see the topic Requesting an SSL server certificate later in this chapter.
To create a server key ring file
1. Set up the Server Certificate Admin application.
2. From the Notes client, open the Server Certificate Admin application on the server for which you want to enable SSL.
3. Click Create Key Ring.
4. Complete these fields:
Field | Action
Key Ring File Name | Enter the key ring file name. The default is KEYFILE.KYR. It's helpful to use the extension .KYR to keep key ring file names consistent.
Note The server's key ring file name appears in any Internet Site documents that you have configured, or, if Internet Site documents are not being used, on the Ports - Internet Ports tab of the Server document. If you specified a name other than the default, you need to edit the name where it appears, in the Internet Site documents or in the Server document.
Enter the password for the key ring.
Specify the key size Domino uses when creating the public and private key pairs. The larger the size, the stronger the encryption.
Common name | Enter the server's TCP/IP fully-qualified domain name, for example, www.acme.com. Set up the server certificate so that the common name matches the host name, since some browsers check for this match before allowing a connection.
Organization | Enter the name of the organization, for example, a company name, such as Acme.
Action
(Optional) Enter the name of the certifier division or department.
(Optional) Enter the organization city or locality.
State or Province | Enter the full name of the state or province in which the certifier organization resides.
Country | Enter the two-character abbreviation of the country in which the organization resides.
5. Click Create Key Ring.
6. After you read the information about the key ring file and distinguished name, click OK. Notes creates the key ring file and stash (.STH) file and places them in the Notes data directory on the client machine used to create the key ring.
7. Copy the key ring file and stash (.STH) file to the Domino data directory on the server.
Caution You must ensure that the key ring password in the stash file is protected. The key ring file password is altered in the stash file so that it cannot be recognized by a casual observer, but it is not encrypted. You should not allow unauthorized persons access to either the stash file or the key ring file. In the normal course of operation, only the server itself should have access to those files; however, administrators may also need permission to remove or replace the files. As with all server resources, managing proper file permissions and protections is vital to the security of the system.
8. Request an SSL server certificate.
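The caution in step 7 can be checked mechanically. The following audit is an added example, not part of the Domino documentation; it assumes a UNIX-hosted server where POSIX mode bits apply, and the function name and the sample directory contents are constructed for illustration.

```python
import os
import stat
import tempfile

KEY_RING_EXT = ".kyr"
STASH_EXT = ".sth"


def audit_key_ring_files(data_dir):
    """Return (file name, problem) pairs for key ring and stash files in data_dir.

    Flags files that accounts other than the owner can access, key ring files
    copied without their stash file, and stash files left without a key ring.
    """
    names = sorted(os.listdir(data_dir))
    present = {n.lower() for n in names}
    findings = []
    for name in names:
        base, ext = os.path.splitext(name.lower())
        if ext not in (KEY_RING_EXT, STASH_EXT):
            continue
        mode = stat.S_IMODE(os.stat(os.path.join(data_dir, name)).st_mode)
        # Any group or world bit lets accounts other than the server's own
        # reach the key ring or the obscured (not encrypted) password.
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append((name, "accessible beyond owner (mode %03o)" % mode))
        # Step 7 copies the two files as a pair; report either half on its own.
        partner = base + (STASH_EXT if ext == KEY_RING_EXT else KEY_RING_EXT)
        if partner not in present:
            kind = "stash" if ext == KEY_RING_EXT else "key ring"
            findings.append((name, "no matching %s file" % kind))
    return findings


def _demo():
    # Constructed sample directory standing in for a Domino data directory.
    with tempfile.TemporaryDirectory() as data_dir:
        for name, mode in (("keyfile.kyr", 0o600), ("keyfile.sth", 0o644),
                           ("old.sth", 0o600)):
            path = os.path.join(data_dir, name)
            open(path, "wb").close()
            os.chmod(path, mode)
        for name, problem in audit_key_ring_files(data_dir):
            print("%s: %s" % (name, problem))


if __name__ == "__main__":
    _demo()
```

Run it as the account that owns the Domino data directory; an empty result means every key ring has its stash file and neither is reachable by group or other.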
1. From the Notes client, open the Certificate Requests database for the certifier from which you want to request a server certificate.
2. Do the following to create a server key ring file to store the server certificate and merge the CA certificate as a trusted root into the server key ring file:
a. In the Certificate Requests database, choose Domino Keyring Management - Create Keyring.
b. In the Create Key Ring form, complete these fields:
Field | Action
File name | Enter a file name for the Key Ring file and keep the .kyr extension.
Password | Enter a password for the key ring file.
Key size | Choose a key size.
Common name | Enter the fully qualified host name, for example, server.company.com.
Organization name | Enter the name of the certifier organization.
State or province | Enter the full name of the state or province in which the organization is located.
Country | Enter a two-letter abbreviation for the country in which the organization is located.
c. Verify the information in the Key Ring Created dialog box, then click OK to automatically add the CA as a trusted root and generate a certificate request for the server.
d. Verify the information in the Merge Trusted Root Certificate Confirmation dialog box and click OK.
e. Click OK when the Certificate received into key ring and designated as trusted root confirmation dialog box appears.
f. Click OK when the Certificate Request Successfully Submitted for Key Ring dialog box appears.
After an RA approves the request for a server certificate, the CA issues a server certificate and sends notification that you can pick up the certificate.
3. In the Issued/Rejected Certificates view, open the issued server request and copy the Request ID to the Clipboard.
4. Choose Domino Key Ring Management - Pickup Key Ring Certificate.
5. Enter the key ring file name and password, paste the pickup ID into the form and click Pickup Certificate.
46-6 Administering the Domino System, Volume 2
6. Verify the information in the Merge Signed Certificate Confirmation dialog box and click OK.
7. When the Certificate received into key ring dialog box appears, click OK.
8. Copy or use FTP (in binary mode) to transfer the new key ring and its associated .STH file to the server's data directory.
From a Domino CA using a Web browser
This procedure for generating a server certificate request is the same regardless of whether you are requesting a server certificate from a Domino server-based certification authority or a Domino 5 certificate authority.
1. Make sure you already created the server key ring file and mapped a drive to the directory that contains the server key ring file.
2. From the Notes client, open the Domino Directory of the server on which you want to create SSL, and open the Server Certificate Admin application.
3. Click Create Certificate Request.
4. Complete these fields:
Field | Enter
Key Ring File Name | The name of the server key ring file, including the path to the file
Log Certificate Request | Choose one:
• Yes (default) to log information in the Server Certificate Admin application
• No to not log information
Method | Choose Paste into form on CA's site
5. Click Create Certificate Request.
6. Enter the password for the server key ring file.
7. Copy the certificate request to the system Clipboard (include the Begin Certificate and End Certificate lines), and click OK.
8. On the server, use one of these methods to browse to the Domino certificate authority application (the Certificate Requests application for a server-based certification authority, and the Domino Certificate Authority for a Domino 5 Certificate Authority) on the Domino server's Web site:
• If you use Microsoft Internet Explorer, use SSL (HTTPS) to connect to the application. You need to trust the server certificate in order to use SSL to access the server. To install (and trust) the server certificate, in the IE security alert dialog box click View Certificate - Install Certificate, and follow the instructions. To trust all site certificates certified by a given CA, click Accept this authority in your browser before accessing the server with SSL. This option is available in both the Certificate Requests and Domino Certificate Authority applications.
• If you use Netscape, use SSL to connect to the application. Then use the instructions provided by the browser software to accept the site certificate.
9. Click Request Server Certificate.
10. Enter your name, e-mail address, phone number, and any comments for the CA.
11. Paste the certificate request into the dialog box, and then click Submit Certificate Request.
12. Merge the CA certificate as a trusted root.
From a third-party CA
1. Make sure you already created the server key ring file.
2. From the Notes client, open the Server Certificate Admin application on the server for which you want to set up SSL.
3. Click Create Certificate Request.
4. Complete these fields:
Field | Enter
Key Ring File Name | The name of the server key ring file including the path to the file
Log Certificate Request | Choose one:
• Yes (default) to log information in the Server Certificate Admin application
• No to not log information
Method | Choose one:
• Paste into form on CA's site (recommended)
• Send to CA by e-mail
Note You must choose the paste option to submit a request to VeriSign, which doesn't use PKCS format for requests sent by e-mail.
If you choose Send to CA by e-mail, enter the CA's e-mail address, and your e-mail address, phone number, and location.
5. Click Create Certificate Request.
6. Enter the password for the server key ring file.
7. If you selected Paste into form on CA's site in Step 4, do the following:
a. Copy the certificate request to the system Clipboard (include the Begin Certificate and End Certificate lines).
b. Use a browser to visit the CA's site, and then follow the instructions that the CA's site provides for submitting a request for a new certificate.
8. Merge the CA certificate as a trusted root.
9. In the Certificate Source field, choose Clipboard. Paste the Clipboard contents into the next field.
10. Click Merge Trusted Root Certificate into Key Ring.
11. Enter the password for the key ring file, and then click OK.
12. Have the CA sign the server certificate.
From a third-party CA
View the default trusted roots in the key ring file to make sure the third-party CA's certificate is not already included. If it is already included, you do not need to complete these steps.
For more information, see the topics Default Domino SSL trusted roots and Viewing SSL server certificates later in this chapter.
1. Make sure that you requested the server certificate and mapped a drive to the directory that contains the key ring file.
2. Browse to the Web site of the CA and obtain the CA's trusted root certificate. In most cases, the trusted root certificate is in a file attachment, or the certificate is available for you to copy to the Clipboard.
3. From the Notes client, open the Server Certificate Admin application.
4. Click Install Trusted Root Certificate into Key Ring.
5. Enter the name of the key ring file that will store this certificate. You specified this name when you created the server certificate request.
6. Enter the name that the key ring file will use to identify this certificate. If you leave this field blank, Domino uses the distinguished name of the certificate.
7. Do one of the following:
• If you copied the contents of the CA's certificate to the Clipboard in Step 2, choose Clipboard in the Certificate Source field. Paste the Clipboard contents into the next field.
• If you received a file that contained the CA's certificate in Step 2, detach the file to your hard drive and select File in the Certificate Source field. Enter the file name in the File name field.
8. Click Merge Trusted Root Certificate into Key Ring.
9. Enter the password for the key ring file, and then click OK.
10. Have the CA complete the procedure Signing server certificates.
VeriSign Class 3 Public Primary Certification Authority | VeriSign, Inc. | US
VeriSign Class 2 Public Primary Certification Authority | VeriSign, Inc. | US
VeriSign Class 1 Public Primary Certification Authority | VeriSign, Inc. | US
VeriSign Test Certificate Authority | | US
RSA Secure Server Certificate Authority | | US
Netscape Test Certificate Authority | Netscape Communications Corp., Test CA | US
RSA Low Assurance Certificate Authority | RSA Data Security, Inc., Low Assurance Certification Authority | US
3. Highlight the certificate text and copy it to the system Clipboard (include the Begin Certificate and End Certificate lines).
4. From the Notes client, open the Server Certificate Admin application.
5. Click Install Certificate into Key Ring.
6. Enter the file name for the key ring that will store this certificate. You specified this key ring file when you created the server certificate request.
7. In the Certificate Source field, choose Clipboard. Paste the Clipboard contents into the next field.
8. Click Merge Certificate into Key Ring.
9. Enter the password for the key ring file, and then click OK to approve the merge.
10. Configure the SSL port.
From a third-party CA
1. Make sure the CA signed the certificate and you mapped a drive to the directory that contains the server key ring file.
2. Use the instructions provided by the CA to pick up the certificate. In most cases, the CA mails the certificate as a file attachment or gives you a URL to visit to copy and paste the certificate to the Clipboard.
3. From the Notes client, open the Server Certificate Admin application.
4. Click Install Certificate into Key Ring.
5. Enter the file name for the key ring that will store this certificate. You created this key ring file when you created the server certificate request.
6. Do one of the following:
• If you copied the certificate to the Clipboard, choose Clipboard in the Certificate Source field. Paste the Clipboard contents into the next field.
• If you received a file attachment that contains the certificate, detach the file to your hard drive, and then choose File in the Certificate Source field. Enter the file name in the File name field.
7. Click Merge Certificate into Key Ring.
8. Enter the password for the server key ring file, and then click OK to approve the merge.
9. Configure the SSL port.
For more information on name-and-password authentication, see the chapter Setting Up Name-and-Password and Anonymous Access to Domino Servers.
For more information on setting up client authentication, see the chapter Setting Up Clients for S/MIME and SSL.
SSL protocol version | Choose one:
• V2.0 only to allow only SSL 2.0 connections.
• V3.0 handshake to attempt an SSL 3.0 connection. If this fails and the requester detects SSL 2.0, then attempts to connect using SSL 2.0.
• V3.0 only to allow only SSL 3.0 connections.
• V3.0 and V2.0 handshake to attempt an SSL 3.0 connection, but start with an SSL 2.0 handshake, which displays relevant error messages. Makes an SSL 3.0 connection, if possible.
• Negotiated (default) to attempt an SSL 3.0 connection. If it fails, the server attempts to use SSL 2.0. Use this setting unless you are having connection problems caused by incompatible protocol versions.
Note Domino does not use this field for HTTP.
Accept SSL site certificates | Choose one:
• Yes to allow this server to accept the site certificate and use SSL to access an Internet server, even if the Domino server does not have a certificate in common with the Internet server.
• No to not allow this server to accept site certificates.
Accept expired SSL certificates | Choose one:
• Yes to allow clients to access the server, even if the client certificate is expired.
• No to not allow clients to access the server with expired client certificates.
4. Click the tab for the protocol that you want to configure, and then complete these fields:
Field | Enter
SSL port number | Enter the port number on which Domino listens for SSL requests. You configure this here regardless of whether you are using Internet Sites or the Web Configurations view.
Note If you change the default port number, clients must change their configurations as well. The default port number is usually changed only if a firewall proxy uses the reserved port number.
SSL port status | Choose Enabled to allow SSL connections on the port. You configure this here regardless of whether you are using Internet Sites or the Web Configurations view.
Note Since a Domino server can be either an SMTP server or an SMTP client, you have two choices for the SSL port status field. To set up a Domino server as an SSL-enabled SMTP server, choose Enabled in the SMTP Inbound field.
Client certificate | Choose one:
• No to not use client authentication.
• Yes to use client authentication.
SMTP and IIOP do not support client authentication.
Name & password | Choose one:
• No to not use name-and-password authentication.
• Yes to use name-and-password authentication.
Anonymous | Choose one:
• Yes to allow anonymous access. You must choose Yes if you want users to connect using server authentication only.
• No to prevent anonymous access.
If you choose Yes for both Anonymous and Client certificate, Domino first tries to authenticate the client. If that fails, Domino tries to connect the user anonymously.
If you choose Yes for Anonymous, Client certificate, and Name & password, Domino first tries to authenticate the client using the client certificate. If that fails, Domino tries to use name-and-password authentication. If that fails, Domino tries to connect the user anonymously.
LDAP must be configured to allow anonymous SSL connections in order to do name lookups. IMAP, POP3, and SMTP do not support anonymous access.
For information on how Domino authenticates clients when anonymous, client authentication, and name and password are enabled, see the chapter Setting Up Name and Password and Anonymous Access to Domino Servers.
To require SSL connections to a server in the Server document
1. From the Domino Administrator, click the Configuration tab, and open the Server document.
2. Click the Ports - Internet Ports tab.
3. Click the tab for the protocol for which you want to require SSL.
4. In the TCP/IP port status field, select Redirect to SSL.
For individual databases
You can also require clients to use SSL to connect to the server on a database-by-database basis, by configuring the requirement to connect with SSL in the database application itself.
1. Start the Notes client.
2. Select the database for which you want to force clients to use SSL.
3. Open the Database Properties box.
4. On the Basics tab, click Web Access: Require SSL connection.
To view an SSL server certificate
1. Map a network drive to the directory that contains the key ring file.
2. From the Notes client, open the Server Certificate Admin (CERTSRV.NSF) application.
3. Click View & Edit Key Rings.
4. Click Choose Key Ring to Display.
5. Enter the name of the key ring file that contains the certificates you want to view.
6. Enter the password for the key ring file.
7. Do one of these:
• To view the server certificate, select a document in the Site Certificates category.
• To view a trusted root certificate, select a document in the Certification Authorities category.
7. In the Certification Authorities category, open the document that contains the certificate you want to edit.
8. Click one:
• Trust This Certificate to mark a certificate as a trusted root.
• Do Not Trust This Certificate to unmark a certificate as a trusted root. Domino marks the certificate as untrusted but does not remove the certificate from the database.
To delete a certificate permanently from the key ring file, click Delete. After you delete the certificate, you cannot recover it. Instead, you must merge the certificate as a trusted root again.
9. Enter the password for the key ring file.
Enter
A descriptive name that identifies the server certificate, such as Acme SSLCA.
The name of the organization, for example, a company name, such as Acme.
(Optional) Name of certifier division or department.
(Optional) The organization city or locality.
State or Province | Three or more characters that represent the state or province in which the organization resides, for example, Massachusetts. (For U.S. states, enter the complete state name, not the abbreviation.)
Country | A two-character representation of the country in which the organization resides, for example, US for United States or CA for Canada.
4. Copy the key ring file and stash (.STH) file to the Domino data directory of the server.
5. Configure the port for SSL.
6. Set up database access.
You can restrict the use of SSL ciphers for Internet protocols. You can specify the use of a 128-bit cipher only for the HTTP service, for example, to require users to access a server using a domestic browser version. If no configuration parameters are set, then there is no restriction on the SSL ciphers used for that protocol.
There are three ways to configure SSL ciphers, depending on how you choose to configure Internet protocols on your Domino server:
• In an Internet Site document. If you use Internet Site documents, you can specify a different set of SSL cipher restrictions for each protocol.
• Through the Server document. However, if you use the Server document you can restrict SSL ciphers for HTTP only. You must use the NOTES.INI variable SSLCipherSpec to restrict ciphers for protocols other than HTTP.
• Through the NOTES.INI variable SSLCipherSpec. All SSL cipher settings configured in either Site documents or in the Server document will be superseded by the INI variable.
For information about changing SSL cipher restrictions in Internet Site documents, see the chapter Installing and Setting Up Domino Servers.
To modify SSL cipher restrictions in the Server document
1. From the Domino Administrator, click Configuration and open the Server document in the Domino Directory.
2. Click Ports - Internet Ports - Web.
3. In the SSL Ciphers field, click Modify. This displays a list of available SSL cipher specifications.
4. Select the cipher specification(s), then click OK.
5. Save and close the document.
To modify SSL cipher restrictions using the NOTES.INI file
Use the NOTES.INI setting SSLCipherSpec to specify SSL restrictions for all protocols. Ciphers are specified by a 2-digit code. You can add as many ciphers as you need. For example, to enable 3DES and RC4128SHA ciphers, enter the following line in the NOTES.INI file:
SSLCipherSpec=050A
where 05 = 3DES and 0A = RC4128SHA.
Caution Using SSLCipherSpec overrides all SSL cipher restrictions in Internet Site documents and in the Server document.
For more information, see the appendix NOTES.INI File.
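Because a leftover SSLCipherSpec line silently replaces whatever was selected in the documents, it helps to resolve the three configuration points for each protocol before trusting any one of them. The sketch below is an added example, not Domino code: it assumes each code is two hex digits (as 05 and 0A are) and that Internet Site documents, when in use, stand in place of the Server document setting; the function names and the sample NOTES.INI text are constructed.

```python
import string

# Constructed sample; only the SSLCipherSpec line comes from the page.
SAMPLE_INI = "[Notes]\nDirectory=/local/notesdata\nSSLCipherSpec=050A\n"


def parse_ssl_cipher_spec(ini_text):
    """Return the 2-digit cipher codes set by SSLCipherSpec, or None if unset."""
    values = []
    for line in ini_text.splitlines():
        key, sep, value = line.partition("=")
        # Assumption: the variable name is matched without regard to case.
        if sep and key.strip().lower() == "sslcipherspec":
            values.append(value.strip())
    if not values:
        return None
    if len(values) > 1:
        raise ValueError("SSLCipherSpec is set %d times; keep one line" % len(values))
    spec = values[0]
    # Assumption: every code is two hex digits, as in the page's 05 and 0A.
    if not spec or len(spec) % 2 or any(c not in string.hexdigits for c in spec):
        raise ValueError("SSLCipherSpec must be a run of 2-digit codes: %r" % spec)
    codes = []
    for i in range(0, len(spec), 2):
        code = spec[i:i + 2].upper()
        if code not in codes:
            codes.append(code)
    return codes


def effective_cipher_restriction(protocol, ini_text, site_docs=None, server_doc_http=None):
    """Return (source, codes) for one protocol; codes is None when unrestricted.

    site_docs: {protocol: [codes]} when Internet Site documents are in use, else None.
    server_doc_http: codes from the Server document's SSL Ciphers field (HTTP only).
    """
    ini_codes = parse_ssl_cipher_spec(ini_text)
    if ini_codes is not None:
        # The INI variable supersedes both kinds of document, for every protocol.
        return ("NOTES.INI", ini_codes)
    if site_docs is not None:
        codes = site_docs.get(protocol)
        return ("Internet Site document", codes) if codes else ("unrestricted", None)
    if protocol == "HTTP" and server_doc_http:
        return ("Server document", server_doc_http)
    return ("unrestricted", None)


def superseded_settings(ini_text, site_docs=None, server_doc_http=None):
    """List document-level settings that an SSLCipherSpec line overrides."""
    if parse_ssl_cipher_spec(ini_text) is None:
        return []
    shadowed = []
    for protocol, codes in sorted((site_docs or {}).items()):
        if codes:
            shadowed.append("Internet Site document (%s)" % protocol)
    if server_doc_http:
        shadowed.append("Server document (HTTP)")
    return shadowed


if __name__ == "__main__":
    site = {"HTTP": ["0A"], "IMAP": ["05"]}  # constructed document settings
    for proto in ("HTTP", "IMAP", "LDAP"):
        print(proto, effective_cipher_restriction(proto, SAMPLE_INI, site_docs=site))
    print("superseded:", superseded_settings(SAMPLE_INI, site_docs=site))
```

A non-empty result from superseded_settings means the cipher choices visible in the Domino Directory are not the ones the server applies.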
Notes and other Internet clients that use client certificate authentication have an Internet certificate that is stored in the Notes ID file for Notes clients, and in a local file for Internet clients. The certificate includes a public key, a name, an expiration date, and a digital signature. The corresponding private key is stored in the ID file, but is stored separately from the certificate. For Notes clients, the client certificate is also stored in the Domino Directory so that others can access the public key.
Notes and Internet clients can obtain Internet certificates from either a Domino certification authority or a third-party certifier. How you set up the client depends on whether the server requires client certificate authentication.
As an administrator, you should carefully consider whether you want to require client certificate authentication. If you do not need to identify Internet users who access the server, you do not need to set up client authentication. In fact, in some cases, requiring an Internet certificate may deter users from accessing a server, for example, a server that hosts a Web site. If you require an Internet certificate, users need to perform additional steps to obtain the certificate and set up client certificate authentication.
Note By enabling the setting Accept SSL Site Certificates in the Location record, the Notes client can ignore cross-certificates and server authentication entirely. The user can also choose to create cross-certificates on the fly when connecting to a server using SSL.
Note Secure transactions are indicated by the use of the term https:// in URLs for SSL-secured sites. A browser user can specify this when initiating a secure transaction. More likely, the user will navigate to a login page, where it is necessary to log in with a name and password in order to access the secure Web page.
Note Users can accept certificates automatically, without having to obtain the roots or cross-certificates, by enabling the option Accept site certificates in the location document for the Notes client. However, accepting certificates from unknown servers is a security risk. If a user doesn't know the sources of the certificates being accepted, it is possible to accept certificates from malicious sources.
To obtain a trusted root certificate for a Notes client
1. Make sure that you have a trusted root certificate for the CA. In the Domino Administrator, click Configuration - Certificates - Certificates, and view the certificate in the Internet Certifiers category.
2. Instruct clients to complete the procedure Creating an Internet cross-certificate for a CA.
To obtain a trusted root certificate for an Internet client
You can use the following procedures to obtain a trusted root certificate for an Internet client.
If the trusted root certificate is for a Domino CA, the Internet client performs these steps:
1. Browse to the Domino Certificate Requests (for Domino 6) or Certificate Authority (Domino 5) application.
2. Select Accept This Authority In Your Browser.
Note If you use an SSL connection to browse to the application, the server prompts you to accept the site certificate. Check the CA properties to make sure that the certificate that is presented is from a source you trust before accepting the certificate as a trusted root.
If the trusted root certificate is for a third-party CA, the Internet client follows the third-party CA's established procedure to merge the trusted root certificate for the CA. If both the client and server have certificates issued from the CA or already have a CA in common, then this step is not necessary.
SSL server authentication for Internet clients other than Notes does not require a cross-certificate. A Notes client can also create a cross-certificate for a server or client; however, this allows the Notes client to trust only that server or client. The Notes client does not then trust other servers and clients with certificates issued by a CA.
To create an Internet cross-certificate
1. Make sure the CA created a trusted root certificate in the Domino Directory.
2. Instruct clients to retrieve an Internet cross-certificate through the User Security dialog box.
For information on how Notes users can retrieve Internet cross-certificates, see Lotus Notes 6 Help.
To view Internet cross-certificates
Notes users can view the Internet cross-certificates contained in their Personal Address Book.
For information on how Notes users can see their Internet cross-certificates, see Lotus Notes 6 Help.
Third-party CA
The third-party CA determines how you request an Internet certificate. Browse to the third-party CA's site, and enter the certificate request. A dialog box appears that allows you to request the certificate.
Signing an Internet client certificate and adding the certificate to the Domino Directory
When a CA signs an Internet client certificate, the CA adds a digital signature to the certificate and, if you are using a Domino CA, adds the public key to the Domino Directory. If you are using a third-party CA, you must complete additional steps to add the public key to the Domino Directory. You do not need to complete these steps if you are using a Notes client and the CA issued certificates in the Person document of the Domino Directory. Notes automatically adds Internet certificates stored in the Person document to the Notes ID file when the user authenticates with the server.
The steps you follow to sign and add an Internet client certificate to the Domino Directory depend on whether the certificate is issued from a Domino server-based certification authority, a Domino 5 Certificate Authority, or a third-party CA.
Before you approve client certificates for signing:
- Make sure you understand your organization's policy on signing certificates. Sign client certificates for clients if the certificate requests comply with your organization's security policy.
- Make sure you have the Administration Process set up on the server.
- If you are signing a certificate for an Internet client, make sure you created a Person document.
Domino server-based certification authority
The steps are completed by the Domino CA. You must be a registration authority (RA) to approve client certificates for signing.
1. From the Domino Administrator, click Files, and open the Domino Certificate Requests application.
2. Transfer the certificate request into the Administration Requests database.
a. In the Certificate Requests database, open the Pending/Submitted Requests view. Press F9 to refresh the view if the client request does not appear there.
b. If the view shows that the request has been Submitted to Administration Process, go to the next step. If it is still in the Pending state, highlight the request and click Submit Selected Requests.
c. You should see a "Successfully submitted 1 request(s) to the Administration Process" message. Click OK.
3. Approve or deny the request.
a. Open the Administration Requests database (ADMIN4.NSF), open the Certification Authority Requests/Certificate Requests view, and find the new client request.
b. Open the request and verify the information in it.
c. Click Edit Request, and then click Approve Request or Reject Request. Press F9 to make sure that the request changes state, from New to Approved (or Rejected).
4. Transfer the certificate request out of the Administration Requests database.
a. Close the Administration Requests database and return to the Certificate Requests database.
b. Open the Issued/Rejected Certificates view and locate the client request (you may need to refresh the view).
5. Notify the user who requested the client certificate.
a. If you enabled the option for e-mail confirmation upon completion of the client request, then, once the request is approved, the CA automatically notifies the requester to pick up the certificate. If it is denied, it sends the requester e-mail indicating that the request was rejected.
b. If you did not enable the option for e-mail confirmation upon completion of the client request, then you need to click Send Confirmation Mail to notify the requester of the outcome.
Note If the Certificate Requests database is configured for automatic request processing, then client requests are sent to the Administration Requests database automatically by the database. The Registration Authority only needs to approve or reject the request.
Domino 5 Certificate Authority
The Internet certificate request appears in the Client Certificate Requests view in the Domino Certificate Authority application.
When the CA signs a certificate, the CA can automatically send e-mail to the client. This e-mail describes where to pick up the certificate and includes a pickup ID, which the client must use to identify the certificate during the pickup process. Domino automatically generates the pickup ID.
47-8 Administering the Domino System, Volume 2
Note The steps below apply to signing client certificates issued by a Domino CA. The steps are completed by the Domino CA.
1. From the Domino Administrator, click Files, and open the Domino Certificate Authority application.
2. Click Client Certificate Requests in the left pane.
3. Open the request you want to sign.
4. Review the user information and distinguished name. Make sure the information provided complies with your organization's security policy.
5. Leave the option Register certificate in the Domino Directory selected to add the client's public key automatically to the Person document. If you want to deny the request, complete step 6. Otherwise, go to step 7.
6. To deny the request:
a. Enter a reason for the denied request.
b. If you do not want to send the person e-mail, deselect Send a notification e-mail to the requester; otherwise, the Domino Certificate Authority application sends the person e-mail indicating that you denied the request and the reason why you denied the request.
c. Click Deny.
7. To approve the request:
a. Enter a validity period. For short-term projects, 90 days is typical; for ongoing projects, you can enter several years.
b. If you do not want to send the client e-mail indicating that the client can now pick up the certificate, deselect Send a notification e-mail to the requester; otherwise, the Domino Certificate Authority application sends an e-mail with a URL indicating the location to pick up the certificate.
c. Click Approve and enter the password for the CA key ring file. This places a request in the Administration Requests database. When the Administration Process next runs, it processes the request and adds the certificate to the client's Person document in the Domino Directory.
Note The client cannot use the certificate to authenticate against database ACLs until the Administration Process completes the request.
Third-party CA
If a user obtains an Internet certificate from a third-party CA using the Notes client, the certificate is automatically added to their Person document. If a user obtains an Internet certificate from a third-party CA through a browser, the certificate must then be added to their Person document.
For more information, see the topic "Publishing third-party CA client certificates in a Person record" later in this chapter.
9. The certifier processes the request. If you chose to provide a certifier ID, Domino creates a certificate for each selected user and stores it in an Add Internet Certificate to Person Record request in the Administration Request database. If you chose to use the CA process, a certificate request is created in the Administration Request database for each selected user. When the CA processes the request, it creates the Add Internet Certificate to Person Record request.
a. When the Administration Request database replicates with the Domino Directory's administration server, the Administration Process places the certificate in the user's Person document.
b. After the Domino Directory replicates with the user's mail server and the user subsequently accesses the mail server, Notes recognizes there is a certificate in the Domino Directory that is not in the user's ID file. Notes automatically places the Internet certificate in the user's ID file.
7. In the Password for Export File Containing Internet Certificates, enter a password to protect the export file. If you choose not to assign a password to this file, click No Password. However, it is highly recommended that you assign a password to protect this information.
8. In the Specify Export File dialog box, choose the directory path and file name for the file that contains the exported certificates, and click OK. The certificates are successfully exported to the specified file.
9. Note the file name and password of the exported file for future reference.
To import an Internet certificate into a Person document
1. From the Domino Administrator, click People & Groups, and open the People view.
2. Open the Person document for which you want to import Internet certificates.
3. Click Action - Import Internet Certificates.
4. In the Specify Export File dialog box, choose the directory path and file name for the file that contains the exported certificates, and click OK. Note that the file may not appear with the assigned file extension. It is recommended that you choose the all files option in the Files of type field to ensure that the exported files are displayed in the file selection list box.
5. In the Select Import File Format dialog box, choose the file format in which to save the imported Internet certificate, and click OK. The default is PKCS 12 encoded.
6. In the Enter Password dialog box, enter the file password.
7. In the Import Internet Certificates dialog box, choose the Internet certificate that you want to import, if there is more than one. Or you can click Accept All to import all certificates in the file.
An Internet client can still access the Domino server anonymously if you have anonymous access set up on the server, or use name-and-password authentication to access the server. A Notes client can still send unencrypted mail messages to the user.
You can also view information about Internet certificates in the Domino Directory.
To view or delete an Internet certificate
1. From the Domino Administrator, click People & Groups, and edit the Person document for the Internet user whose certificate you want to view or delete.
2. Click Examine Internet Certificate(s).
3. To delete the Internet certificate, select the certificate and click Delete. Note that the certificate will remain displayed until you exit or save the document.
Setting up Notes clients to decrypt encrypted messages and send signed messages
To decrypt sent messages and send signed messages, Notes clients need an Internet certificate stored in the Notes ID file.
For more information, see the topic "Creating Internet certificates for Notes S/MIME clients" later in this chapter.
Setting up Notes clients to verify signed messages
To verify the signature on a signed message, Notes clients need a cross-certificate issued for either the sender of the message or the CA that issued the sender's Internet certificate. This cross-certificate must be stored in the client's Personal Address Book.
For information on creating cross-certificates, see the topic "Creating an Internet cross-certificate for a CA" later in this chapter.
4. To create a certificate using the existing public and private keys in the Notes ID file, do the following:
a. The CA adds an Internet certificate to the Person document.
b. The client authenticates with the home server. Notes automatically merges the Internet certificate into the ID file.
5. To use new public and private keys to create an Internet certificate, do the following:
a. The client requests the Internet certificate from the CA.
b. The CA approves the request, and Domino automatically adds the client's Internet certificate to the user's Person document.
c. The client merges the Internet certificate into the ID file.
For more information on how Notes clients merge Internet certificates into their ID files, see Lotus Notes 6 Help.
2. When you open the signed message, Notes asks if you want to add a cross-certificate if you do not already have a cross-certificate issued for either the author or the CA who issued the certificate to the author. Complete these fields and then click Cross Certify:
Field: Certifier
Enter: The certifier ID that is cross-certifying the certificate. By default, the certifier is your ID. If you have access, you can choose an ID that is higher in the hierarchical name scheme.
Field: Server
Enter: The registration server that holds the cross-certificate that is created. By default, it is stored locally in your Personal Address Book. Do not change this setting, since the cross-certificate must be stored in your Personal Address Book in order to validate the Internet certificate of the person to whom you are sending an encrypted message.
Field: Subject name
Enter: The certificate that is being cross-certified. You can choose to cross-certify the sender of the signed message or you can cross-certify the CA that issued the certificate to the sender. If a cross-certificate is issued to the sender of the signed message, you can encrypt messages to only that person. If a cross-certificate is issued to the sender's CA, you can send encrypted messages to anyone who has an Internet certificate issued by that CA and for whom you have an Internet certificate.
Enter: Alternate names attached to the ID, if any.
Enter: The date that the cross-certificate expires.
3. To add the author's Internet certificate to the Personal Address Book, choose Tools - Add Sender to Address Book. Notes creates a Contact document for the person and adds an Internet certificate to the document.
For information on adding an Internet certificate and cross-certificate when users have dual certificates, see the topic "Dual Internet certificates for S/MIME encryption and signatures" later in this chapter.
If an LDAP client supports the Simple Authentication and Security Layer protocol (SASL), Domino automatically uses this protocol when the client uses SSL client authentication to connect to the server. SASL is not supported for TCP/IP connections or SSL connections with only server authentication.
To set up Notes clients with certificates issued by a Domino CA
The CA and client complete these steps.
1. Before issuing certificates, the CA must determine if Internet certificates should be created using the existing public and private keys from the Notes ID file or if the CA wants to issue certificates based on new keys generated from a browser certificate request. If clients use a browser that supports PKCS #12, clients can also import an existing Internet certificate into the Notes ID file. Depending on the environment, the administrator may choose to use a combination of these options for different users.
2. The CA adds a trusted root certificate to a Domino Directory that the client can access. The client can also add a trusted root certificate to the Personal Address Book; however, adding a trusted root certificate simplifies the process of setting up Notes clients for SSL because the trusted root is accessible to many clients.
3. The client creates a cross-certificate using the trusted root certificate for the CA and stores it in the Personal Address Book.
4. To create a certificate using the existing public and private keys in the Notes ID file:
a. The CA adds an Internet certificate to the Person document.
b. The client authenticates with the home server. Notes automatically adds the Internet certificate to the ID file.
5. To use new public and private keys to create an Internet certificate, do the following:
a. The client requests the Internet certificate from the CA.
b. The CA approves the request, and Domino automatically adds the client's public key to the user's Person document.
c. The client merges the certificate into the ID file.
d. The CA adds an Internet certificate to the user's Person document.
To set up Internet clients with certificates issued by a Domino CA
1. The CA administrator creates a Person document for the Internet client.
2. The client obtains the trusted root certificate for the server's CA.
3. The client requests the Internet certificate from the CA.
4. The CA approves the request, and Domino automatically adds the client's public key to the user's Person document.
5. The client merges the certificate into the local file.
To set up Notes and Internet clients with certificates issued by a third-party CA
The CA and client complete these steps.
1. (Internet clients only) The CA administrator creates a Person document for the client.
2. Using any browser, the client follows the third-party CA's established procedure to request and merge the Internet certificate. For example, to obtain an Internet certificate from VeriSign, visit the site http://digitalid.verisign.com and follow the instructions provided.
3. The Internet client follows the third-party CA's established procedure to merge the trusted root certificate for the CA.
4. The CA adds the client's public key to the Person document.
Setting up a Person document for an Internet user using SSL client authentication
In the Domino Directory on your Domino server, set up a Person document for Internet clients using SSL client authentication to connect to a Domino server. The Person document for the user stores the user's Internet certificate, which is used to verify the user's identity. The Person document also lists the names that a Domino server can use to authenticate an Internet user.
When an Internet user tries to connect to a server, Domino looks for the Internet certificate name in the User name field in the user's Person document. Domino compares the Internet certificate presented with the one stored in the Person document. The comparison lets Domino authenticate the user, even if there are multiple users with the same name, since each user's public key is unique. If Domino finds a match and the public key is valid, then the first name listed in the User name field is used to check database ACLs and design element access lists.
For example, if the User name field contains these entries: Alan Jones, AJones, Alan, Al Jones and the client uses the name Al Jones to access the server, Domino authenticates the user, verifies that the public key presented matches the public key in the Person document, and uses the name Alan Jones to check database ACLs and design element access lists.
For more information, see the chapter "Controlling User Access to Domino Databases."
To set up a Person document
1. Create a new Person document in the Domino Directory.
2. Enter the client's first, middle, and last names in the First name, Middle initial, and Last name fields.
3. Enter the client's common name on the certificate in the User name field.
4. (Optional) Enter additional information about the client in the Work/Home tab.
5. Save the document.
Tip If the client wants to authenticate with a Domino server in another domain, add the user's Person document to the Domino Directory for that domain. Make sure you set up directory assistance so Domino can find the client in the Domino Directory for the domain.
For information on setting up directory assistance, see the chapter "Setting Up Directory Assistance."
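The lookup described in this section (find the presented name in the User name field, compare the presented public key with the stored one, then use the first listed name for ACL checks) can be modelled as follows. This is an added example, not Domino code; the Person record layout, the function names, the case-insensitive name comparison, the dictionary ACL and the sample keys are assumptions made for illustration.

```python
from dataclasses import dataclass, field
import hmac


@dataclass
class Person:
    """Hypothetical stand-in for a Person document (not the Domino schema)."""
    # Entries of the "User name" field; the first entry is the one used for ACL checks.
    user_names: list
    # Public keys taken from the Internet certificates stored in the document.
    public_keys: list = field(default_factory=list)


def authenticate(directory, presented_name, presented_key):
    """Return the name to use for ACL checks, or None if authentication fails."""
    # Assumption of this model: names are compared case-insensitively.
    wanted = presented_name.strip().casefold()
    for person in directory:
        names = [n.strip().casefold() for n in person.user_names]
        if wanted not in names:
            continue
        # Several Person documents may list the same name; the stored
        # public key decides which one (if any) the client really is.
        if any(hmac.compare_digest(k, presented_key) for k in person.public_keys):
            return person.user_names[0]
    return None


def acl_access(acl, directory, presented_name, presented_key):
    """Look up the access level in a simplified ACL (dict of name -> level)."""
    primary = authenticate(directory, presented_name, presented_key)
    if primary is None:
        return None
    # Only the first User name entry is consulted, so an ACL entry that
    # lists an alias such as "Al Jones" is never matched in this model.
    return acl.get(primary)


# Constructed sample data: two users who both list the name "Al Jones".
SAMPLE_DIRECTORY = [
    Person(["Alan Jones", "AJones", "Alan", "Al Jones"], [b"constructed-public-key-A"]),
    Person(["Albert Jones", "Al Jones"], [b"constructed-public-key-B"]),
]
# Constructed ACL: the alias entry is there to show that it has no effect.
SAMPLE_ACL = {"Alan Jones": "Editor", "Al Jones": "Manager"}


if __name__ == "__main__":
    for key in (b"constructed-public-key-A",
                b"constructed-public-key-B",
                b"constructed-public-key-X"):
        name = authenticate(SAMPLE_DIRECTORY, "Al Jones", key)
        level = acl_access(SAMPLE_ACL, SAMPLE_DIRECTORY, "Al Jones", key)
        print(f"key={key!r}: ACL name={name!r}, access={level!r}")
```

When reviewing database ACLs for SSL client-authenticated users, the entry that matters is therefore the first value of the User name field, not whichever alias the certificate or the user happens to present.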
created automatically in the Administration Process database. When the request is completed, the third-party client certificate is published in the requester's Person record.
In order to use this database, the server on which it is hosted must:
- Be configured for SSL, accepting both client certificates and anonymous access
- Have trusted root certificates installed in its server key ring for any certifier whose certificates you want to accept for publication
In order for users to make a publication request, they must be able to authenticate to the Certificate Publications database with the certificate they want to have published.
Note The user does not have to have a Person document in the Domino Directory to make a publication request. The administrator can create a Person document once the request has been entered, and it has been decided that the certificate's owner can be trusted.
To create the Certificate Publications Request database
1. From the Domino Administrator, click File - Database - New.
2. Create a new database using the Domino Certificate Publications Request template (CERTPUB.NTF).
To publish a third party CA client certificate in a Person record
1. The client opens the Certificate Publications Request database using a browser, completes the Certificate Registration Request form, and submits it.
2. The administrator approves or denies the publication requests in the Waiting for Approval view.
3. If the request is approved, it is submitted to the Administration Process and the client certificate is published in the requester's Person record.
If you do not have the server's CA marked as a trusted root in the server key ring file for the Domino server, Domino automatically adds the certificate and logs the condition in the log file. Other Internet protocols do not allow users to proceed unless they have the server's CA marked as a trusted root. You should, however, mark the CA certificate as a trusted root instead of automatically adding the trusted root to ensure that the trusted root you receive is valid.
For information on setting up a Notes client to use SSL to connect to an SMTP server, see Lotus Notes 6 Help. Or go to www.lotus.com/ldd/doc to download or view Lotus Notes 6 Help.
To set up SSL for a Domino server routing mail to an SMTP server
1. From the Domino Administrator, click the Configuration tab, and open the Server document.
2. Select the Ports - Internet Ports - Mail tab.
3. In the SMTP Outbound column, select Disabled in the TCP/IP port status field.
Note If you do not select Disabled in the TCP/IP port status field, Domino always connects to the SMTP server without using SSL.
4. In the SMTP Outbound column, select Enabled in the SSL port status field.
5. Save and close the document.
6. Add the trusted root certificate for the CA of the SMTP server.
When a Domino server uses SSL to connect to an LDAP directory server, both servers must have certificates trusted by the other. If this is not the case, you must add a trusted root certificate to the server's key ring file before your server can connect to the LDAP server.
For more information on directory assistance for LDAP, see the chapter "Setting Up Directory Assistance." For more information on adding a trusted root certificate, see the chapter "Setting Up SSL on a Domino Server."
Database Management
For more information on designing or redesigning databases, see the Release Notes and the book Application Development with Domino Designer.
Mandatory tasks
Perform these tasks before copying a new database or database replica to a production server.
Task: Set up the database ACL for users and servers that require access
Considerations: If you plan to make replicas of a database, make sure that the database ACL lists the name of each server containing a replica. If the database uses roles, assign all roles to each server. If you assign ACL settings on the original database before copying it to a server, assign yourself Manager access on the original. Otherwise, you won't have Manager access to the new copy.
Task: Verify that server ACLs are set up correctly
Considerations: Without proper access in a server ACL, users and servers won't have access to databases on the server.
Task: Verify that the Domino Directory contains the necessary Group documents
Considerations: Create a Group document in the Domino Directory before adding a Group name in a database ACL. If you must create a Group, make sure that the Group document replicates before you copy the database to a server.
Task: Copy the new database to a server
Considerations: Consider server disk space, topology, and network protocols. Placing a database on a cluster requires that you consider cluster resources.
Task: Verify that the database appears in the Open Database dialog box
Considerations: While designing a database, the database designer often removes the database title from the list that appears in the Open Database dialog box. This deters users from opening the database. After the database is completed, make sure that the database title appears in the Open Database dialog box.
Task: Decide which servers require replicas of the database and then create the replicas
Considerations: To make this decision, consider the purpose and size of the database, the number and location of users who need access to the database, and the existing replication schedules between servers.
Task: Verify that Server documents in the Domino Directory are enabled for replication
Considerations: Server documents are, by default, enabled for replication, but to avoid any problems, verify this.
Task: Create or edit Connection documents
Considerations: If several servers have a replica of the database, make sure that any necessary Connection documents are set up so that replication can occur.
Task: Set up a replication schedule
Considerations: Consider the location and time zones of users and the frequency of database updates.
Optional tasks
The following tasks are not required, but you may want to perform them after your database is in production. Whether or not you need to do these tasks depends on the type of database you are rolling out to the production server and the roles assigned to an application developer, database manager, or Domino administrator in your organization.
Task: Create About This Database and Using This Database documents
Considerations: Provide the name, phone number, and e-mail address of database managers in the About This Database document. Provide information about the application in the Using This Database document. For more information, see Application Development with Domino Designer.
Task: Create an index for the database
Considerations: Create a full-text index for the database if users need to search the database for information. If you create the index before you copy a new copy of the database or a replica to a server, the index settings carry over to the new copy or replica.
Considerations: If the database design includes encrypted fields, distribute encryption keys to users. For more information, see the book Application Development with Domino Designer.
Task: Create a Mail-In Database document
Considerations: If the database is designed to receive mail, you must create a Mail-In Database document in the Domino Directory.
Task: List the database in the database catalog
Considerations: By default, all databases except mail databases are listed in the default views of the database catalog. You can add categories to control how the database appears in the catalog views and to help users narrow the scope of a domain search.
Considerations: Create a library of selected databases on one server or several servers for users.
Considerations: Sign a database to provide a signature for it. Do this, for example, so that an Execution Control List (ECL) can evaluate the signature.
Task: Add the database to the Domain Index
Considerations: If an application database will be useful to a wide audience, include the database in the Domain Index.
Task: Notify users that the database is available
Considerations: Provide the database title, file name, and server location.
For more information on replication, see the chapter Creating Replicas and Scheduling Replication.
8. Optional steps:
- Choose Access Control List to copy the ACL. You can assign ACL settings (including roles) before or after copying a local database to a server. Before copying the database, assign yourself Manager access to the ACL so that you will have Manager access to the new copy. If you do not copy the ACL when you copy the database to a server, the ACL in the new copy automatically lists you with Manager access.
- Select Create Full Text index to create a full-text index on the new copy.
Note You can also create a full-text index later.
- Choose Encryption to encrypt the new copy of the database. This option is intended to prevent unauthorized users from accessing a database from a workstation, laptop computer, or server. If you use this option, Notes encrypts the database using a specified ID so that only a user with that ID can gain access to the database directly from a server or workstation. You can choose one of three encryption levels. This encryption setting also carries over to copies of the database made at the operating system level.
Note The maximum database size is 64GB on Windows and UNIX.
For more information on encryption, see the book Application Development with Domino Designer.
3. On the Basics tab, complete these fields and then save the document:
Mail-in name: The entry for this database in the Domino Directory. Users and applications use this name to send documents to the database.
Internet message storage: The message storage preference: No preference (default); Prefers MIME or Prefers Notes Rich Text.
Internet address: SMTP address in the format mailfile@organization.domain. Complete this field if you want Internet users to be able to send messages to the database.
4. On the Database Information tab, complete these fields:
Domain: Domino domain of the server where the database resides.
Server: The fully-distinguished hierarchical name of the server where the database resides; for example, Server1/Sales/Acme.
Filename: The path and filename of the database relative to the Domino Directory. For example, if the database named MAILIN.NSF is in the MAIL directory of the DATA directory, enter MAIL\MAILIN.NSF.
5. On the Administration tab, complete these fields and then click Save & Close:
Owners: Fully distinguished hierarchical name of users allowed to modify this document.
Administrators: Users or groups who can edit this document.
Foreign directory sync allowed: Yes allows entry to be exchanged with foreign directories (for example, a cc:Mail directory) so that users on the other system can look up the mail-in database in the cc:Mail post office directory and send mail to it.
Encrypt incoming mail: Mail sent to the mail-in database is encrypted with the Notes certified public key entered in the next field.
Notes certified public key: The certified public key to use when encrypting mail sent to this database. To copy a certified public key from the Domino Directory to this field, click Get Certificates and choose a name.
6. Give the name of the database to users so they can enter it in the To: field of messages destined for the database.
For more information on setting up a database to receive mail, see the book Application Development with Domino Designer.
4. Choose one of the following:
- Active User's ID to sign using your ID.
- Active Server's ID to sign using the ID of the server that stores the database or template.
5. Choose one of the following options to specify which elements to sign:
- All design documents to sign every design element. If you sign multiple databases or templates and select this option, the signing process may take a while.
- All data documents to sign all active content (Hotspots) found in the data documents.
- All documents of type to sign a specific type of design element.
- This specific Note ID to sign a specific design element.
6. Select Update existing signatures only (faster) to update only design elements that have been signed previously. Use this to change the signature on previously signed design elements.
7. Click OK. A dialog box shows the number of databases processed and the number of errors that occurred (if any). See the Notes Log for details.
When you create directory and database links, you can increase database security by specifying the ACL access for an individual user or group in the Create New Link dialog box. The database ACL, not the database link, controls access to individual databases that have database links.
Directory links
You can store databases in a directory outside the Domino data directory to take advantage of disk space available on other servers. Then you create a link in the Domino data directory that points to that directory. In the Domino data directory, users see the directory link MKTG.DIR as the subdirectory MKTG, with a directory folder icon next to it. Users who do not have access to a linked directory can see the directory link, but cannot access the directory.
You can use a directory link on a Web server to point browser users to a directory outside the Domino data directory. When you create this link, you must specify access for browser users; for example, you can specify access for anonymous users or enter the names of users who use name-and-password or SSL client authentication.
Database links
You can store a single database outside the Domino data directory and create a database link to it from the Domino data directory. A database link appears in the Domino data directory as a database icon followed by the name of the linked database. You can use a database link on a Web server to point browser users to a database in a directory outside the Domino data directory. If the database link points to a database on another server, browser users cannot access the database.
Be sure to move the database named in this step to the directory you specify here. For example, for a directory link, enter the directory path, D:\PROJECT\SALES. For a database link, enter the complete directory and file name path, D:\PROJECT\SALES\SALES.NSF.
6. (Optional) To restrict access to a linked directory, enter the names of specific users to whom you want to grant access in the "Who should be able to access this link?" box. Click the person icon to select the names or groups from the Domino Directory that you want to have access to the link.
Note The database ACL, not the database link, controls access to individual databases that have database links.
7. Click OK.
8. To verify that the link was created, click the refresh icon.
9. (Optional) To prevent Web browser users from using directory links, edit the NOTES.INI file to include this setting:
DominoNoDirLinks=1
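An audit of the settings described above, as an added example rather than code from the Domino documentation: it checks NOTES.INI for DominoNoDirLinks=1 and lists directory links that carry no access list. It assumes that a link file holds the target path on its first line and one permitted name on each following line; the sample files and NOTES.INI text are constructed.

```python
import os
import tempfile


def parse_notes_ini(text):
    """Return NOTES.INI settings as a dict keyed by lower-cased setting name."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if "=" not in line:          # skips blank lines and the [Notes] header
            continue
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip()
    return settings


def parse_link_file(text):
    """Parse one link file.

    ASSUMED layout (not stated on the page): the first non-blank line is the
    target path, every following non-blank line is one name allowed to use
    the link.
    """
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines:
        return None
    return {"target": lines[0], "allowed": lines[1:]}


def audit_directory_links(data_dir, notes_ini_text):
    """Return findings for the directory links (*.DIR) found in data_dir."""
    findings = []
    settings = parse_notes_ini(notes_ini_text)
    web_blocked = settings.get("dominonodirlinks") == "1"
    links = sorted(n for n in os.listdir(data_dir) if n.lower().endswith(".dir"))
    if links and not web_blocked:
        findings.append("NOTES.INI: DominoNoDirLinks=1 is not set; "
                        "Web browser users can use directory links")
    for name in links:
        with open(os.path.join(data_dir, name), encoding="latin-1") as fh:
            link = parse_link_file(fh.read())
        if link is None:
            findings.append(f"{name}: empty link file")
        elif not link["allowed"]:
            # Step 6 was skipped: no names were entered for this link.
            findings.append(f"{name} -> {link['target']}: no access list")
    return findings


def demo():
    """Run the audit on constructed sample files in a temporary directory."""
    ini = ("[Notes]\n"
           "Directory=C:\\Lotus\\Domino\\Data\n"
           "ServerTasks=Update,Replica,Router,HTTP\n")
    samples = {
        # Constructed: a link without names and a link restricted to two names.
        "MKTG.DIR": "D:\\PROJECT\\MKTG\n",
        "SALES.DIR": "D:\\PROJECT\\SALES\nSales Managers\nJane Doe/Sales/Acme\n",
    }
    with tempfile.TemporaryDirectory() as data_dir:
        for name, body in samples.items():
            with open(os.path.join(data_dir, name), "w", encoding="latin-1") as fh:
                fh.write(body)
        return audit_directory_links(data_dir, ini)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

The database ACL still governs each database inside a linked directory, so a finding here marks a link to review, not a confirmed exposure.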
To delete a link
1. From the Domino Administrator Server list, select the name of the server.
2. Click the Files tab, and then select the directory or database link to delete.
3. Choose Tools - Folder - Delete, and then click Yes.
4. To verify that the link was deleted, click the refresh icon. View the result in the Results pane.
4. In the left pane, select the directory to which you are restricting access. The access restrictions apply to any subdirectories of the directory as well.
5. In the Tools pane on the right, select Database - Directory ACL.
6. Below "Who should be able to access this directory?" click the person icon.
7. In the dialog box that opens, do the following for each name that you want to allow to access the directory:
a. Select the name from a Domino Directory, or type the name in the "Add name not in list" box. You can specify the name of a user, server, group or a wildcard, for example, */Sales/Acme.
b. Click Add.
8. When you are finished defining the access list, click OK.
9. Click OK again. In the left pane, the directory now displays a lock icon.
Changing or deleting a data directory access list
To change or delete a data directory access list:
1. Make sure you have at least database administrators access to the server.
2. From the Domino Administrator, connect to the server.
3. Click the Files tab.
4. In the left pane, select the directory with the access list.
5. In the Tools pane on the right, select Database - Directory ACL.
6. Do one of the following:
- To remove a name from the access list, below "Who should be able to access this directory?" select the name and click the red X.
- To delete the access list entirely, remove each name from the list.
- To add a name to the access list, below "Who should be able to access this directory?" click the person icon, select or type the name, click Add, then click OK.
7. Click OK to save your changes.
The Domain indexing process is completely separate from that for individual databases, and including a database in the Domain Index does not preclude the need to create a separate index for a popular database. For more information on adding the full text of a database to the Domain Index or on setting up the Domain Index, see the chapter Setting Up Domain Search.
For more information on encrypted fields, see the chapter Encryption and Electronic Signatures.
You must periodically update full-text indexes on servers to keep them synchronized with changes to the databases. When you create an index, you can either accept the default schedule for updating it (nightly at 2 AM) or specify a different schedule. You can modify this setting at any time. You can also do manual index updates for server databases at any time from the Domino Administrator.
Note Users update full-text indexes for local databases whenever they replicate with the server. Users can also do manual index updates for local databases at any time.
To create one or more indexes
1. From the Domino Administrator, select the server that stores the database or databases you want to index.
2. Click the Files tab.
3. In the Tools pane, make sure that you have at least Designer access in the ACL of any database you want to index.
4. Select one or more databases to index.
5. In the Tools pane, choose Database - Full Text Index.
6. Select Create.
7. (Optional) Select any of the following indexing options (all of which increase index size). Index size is also dependent on the amount of text in the database (non-text elements such as bitmaps, buttons, and agents are not indexed). To check index size after indexing a database, look on the Full Text tab of the Database Properties box.
Indexing option | Description
Index attached files | Indexes attachments. Also choose either "With found text" to include just the ASCII text of attachments, or "With file filters" to include the full binary content of attachments. Choosing "With found text" creates the index faster than choosing "With file filters", but is less comprehensive.
Index encrypted fields | Indexes text in encrypted fields. Selecting this option can compromise system security.
Index sentence and paragraph breaks | Includes sentence and paragraph breaks in addition to word breaks to allow users to do proximity searches.
Enable case sensitive searches | Allows searches by exact case match. This option increases the size of the index by about 15%, as each word must be indexed twice (for example, apple and Apple).
Note You can view your indexing selections later on the Search tab of the Database Properties box.
8. (Optional) Change the default setting for index update frequency. Update frequency options are described in the following table.

Update frequency option: Daily (the default)
Updates occur: Nightly when the Updall server program runs at 2 AM.
Select when: The database is very large, because updating a large index can take some time.
To change the time that Updall performs automatic daily index updates, use the ServerTasksAthour setting in the NOTES.INI file.

Update frequency option: Hourly
Updates occur: Every hour, as scheduled by the Chronos server task.
Select when: Frequent changes are made to the database contents. If subsequent monitoring of the database and server reveals slow performance of either, change to another frequency setting.

Update frequency option: Immediate
Updates occur: As soon as possible after you close the database.
Select when: Very frequent changes are made to the database contents. If subsequent monitoring of the database and server reveals slow performance of either, change to another frequency setting.

Update frequency option: Scheduled
Updates occur: As scheduled by a Program document for the Updall server task in the Domino Directory. If you select the Scheduled option, you must specify a schedule for Updall in a Program document; otherwise, scheduled updates will not occur.
Select when: None of the update frequency options described here meet your needs.

9. Click OK.
10. Inform users that the database or databases are indexed.
to check whether databases are indexed or verify current update settings.
5. In the Update frequency (servers only) box, select one of the options described here.
Update frequency option | Updates occur
Daily | Nightly when the Updall server program runs by default at 2 AM
Hourly | Every hour, as scheduled by the Chronos server task
Immediate | As soon as possible after you close the database
Scheduled | As scheduled by a Program document for the Updall server task in the Domino Directory
Note If you select the Scheduled option and do not create a Program document for Updall, scheduled updates do not occur.
6. Click OK.
To update one or more indexes from the Tools pane
1. From the Domino Administrator, select the server that stores the databases.
2. Click the Files tab.
3. From the Tools pane, make sure that you have at least Designer access in the ACL of any database for which you want to update the index.
4. Select all the databases for which you want to update the index.
5. From the Tools pane, choose Tools - Database - Full Text Index.
6. Select Update.
7. Click OK.
Database libraries
You can create a database library that contains databases that pertain to a specific collection of users or to a specific topic. For example, a corporate database library might include all databases that deal with corporate policies and procedures, and a marketing database library might include databases that are useful to the marketing staff. The main view in a library lists the databases it contains alphabetically by title, and gives a short description of each database. Each database document displays the database's title, short and long descriptions, replica ID, and database manager, as well as buttons that let users browse the database or add it to their bookmarks.
Note Instead of creating database libraries to point users to the databases they need, you can use Desktop policy settings to add bookmarks directly to their workspaces. For more information on Desktop policy settings, see the chapter Using Policies.
Server libraries
The databases you choose to include in a library can be located on any server. More than one library can reside on a server. When a user opens a database from a database library, Lotus Domino uses the database's replica ID number to search for it. Domino first searches for the database on the user's workspace, then on the user's home server, and finally looks for a Domain Catalog to find a path to a replica of the database on another server. If a database is moved to another server, Domino automatically opens the database at its new location and then updates the database's replica ID in the database library.
When you create a database library on a server, you automatically become the librarian for that database library with Manager access in the library ACL. The -Default- access in the library ACL is Reader. If a user with Reader access in the database library ACL attempts to publish a database, Domino automatically sends the librarian an e-mail containing the request to publish the database. The librarian then publishes the database for the user. If you want users to be able to publish databases in the library themselves, change -Default- access to Author.
Local libraries
You can create a local library for your own use, which lists databases on your own hard drive as well as databases on servers. The only difference between a local library and libraries on servers is that no other users can use your local library or become librarians for it.
To assign librarians
You must be a librarian of a database library in order to make other users librarians.
1. If someone other than you created the library, make sure you have Editor or higher access in the library ACL.
2. Make sure that the users to whom you are giving librarian status have at least Author access in the database library ACL.
3. From the Domino Administrator, select the server that holds the database library.
4. On the Files tab, double-click the title of the database library.
5. In the Librarians view, click Edit Librarians.
6. Type the names of all users who will be librarians, pressing ENTER after each name.
7. Close and save the Librarians document.
6. Enter information in the following fields, and then close and save the database document:
- In the Abstract field, type a short description of the database to serve as the description that appears next to the database's title in the database library.
- In the Long Description field, type a more complete description of the database contents that appears when you open the database document.
Database catalogs
A database catalog provides a list of all databases on a server. You use the server Catalog task to create a database catalog. The Catalog task bases the catalog file (CATALOG.NSF) on the CATALOG.NTF template and adds the appropriate entries to the catalog's ACL. All databases on a server are included in the catalog when the Catalog task runs. Only administrators can see listings for some databases (those with the "List in Database Catalog" option selected in the Database Properties box), as these databases are not included in the default views. For databases in the default views, you can specify categories in the Database Properties box to determine how the databases appear in the categorized view of the catalog. For large catalogs, you can create a full-text index to make searching the catalog faster.
To help users locate databases across an organization, or to keep track of all the replicas for each database, you must set up a Domain Catalog, a catalog that combines the information from the database catalogs of multiple servers on one of your servers. You can set up a Domain Catalog regardless of whether you plan to implement Domino's Domain Search capability. For more information on the Domain Catalog, see the chapter Setting Up Domain Search.
51-4 Administering the Domino System, Volume 2
To view the documents in the database catalog, open the catalog from the Domino Administrator or the Web Administrator tool (Files tab).
Note The Catalog task assigns Manager access in the ACL to administrators and to the server that stores the catalog.
Monitoring
database (STATREP.NSF) or to another database you can specify. The ISpy task executes TCP server and mail-routing event generators.
Statistics: Domino gathers statistics that show the status of processes currently running on the system. For example, the statistic "Free space on drive C" indicates the amount of free space available on drive C. You use these statistics along with the predetermined statistics thresholds to monitor both your Domino system and platform statistics.
Domino server monitor: Provides a visual representation of the status of the servers you are monitoring.
Domino generates events continuously. Therefore, to monitor the Domino system efficiently, you must decide which events you want to know about. For example, the event "Replicating files with servername" occurs every time a file replicates with a specified server; consequently, you may want to know about the event only if it fails. You configure events that you want to know about, based on what type of information is important to you.
To configure an event, you determine three critical pieces of information: what type of event it is, what the severity level is, and how you want it handled. You configure your events using Event Generator and Event Handler documents. Event generators describe the condition that must be met for an event to be generated; event handlers describe what happens when the event occurs.
After deciding which events you want to know about, decide what will happen when the event occurs. You have several choices. You can log the event to the log file (LOG.NSF), mail a notification of the event to a file or an administrator, or mail the event to another application for further processing. In a single Event Handler document you can log the event to a specified destination and, at the same time, receive notification of the event's occurrence and run a program for additional processing. You can also prevent the event from being logged or handled at all.
However, if you want to know about an event, you must have an Event Handler document; otherwise the event is not recorded. There is no default way of handling an event, so if you do not create event handlers, events are not logged or stored anywhere (except for server or add-in task events, which are stored in the log). After an event is passed to the Event Monitor task, it can invoke one or more configured Event Handlers.
Event generators
Event generators gather information by monitoring a task or a statistic or by probing a server for access or connectivity. Each event generator has a specified threshold or condition, which, when met, causes an event to be created. The event is passed to the Event Monitor task, which checks whether an associated event handler has been defined. If an event handler has not been defined, the Event Monitor task does nothing. If an event handler has been defined, the Event Monitor carries out the instructions in the event handler. The Event Monitor task, formerly known as the Event task, starts automatically when you start the server and must run on all servers that you want to monitor. For more information about event handlers, see the topic Event handlers later in this chapter.
Monitoring the Domino Server 52-3
The Domino Administrator includes a set of default event generators, which are listed in the Event Generators view of the Monitoring Configuration database (EVENTS4.NSF). To monitor other events that are important to you, you must create an event generator and define the type and severity of the event. The following table lists the types of event generators you can create. If you purchased an add-in product designed to work with server-management programs, you may see additional types of events listed.
Event generator | Description
Database event generator | Monitors database activity and free space. Monitors frequency and success of database replication. Reports on ACL changes, including those made by replication or an API program.
Domino server response event generator | Checks connectivity and port status of designated servers in a network.
Mail routing event generator | Sends a mail-trace message to a particular user's mail server and gathers statistics indicating the amount of time, in seconds, it takes to deliver the message.
 | Monitors a specific Domino or platform statistic.
Task status event generator | Monitors the status of Domino server and add-in tasks.
TCP server event generator | Verifies the availability of Internet ports (TCP services) on servers and generates a statistic indicating the amount of time, in milliseconds, it takes to verify that the server is responding on the specified port.
4. In the "What to monitor" section, choose one or more of the following:
- Monitor ACL Changes: To monitor all ACL changes, including those made by replication.
- Monitor replication: To monitor the frequency and success of database replication. Then complete these fields on the Replication tab:
Field | Action
Server(s) with which the database must replicate | Choose one: All in the domain. Only the following. Then select one or more servers from the list.
- Monitor unused space: To monitor the amount of white space (free space) in one or more selected databases on a server. Then complete these fields on the Unused Space tab:
Field | Action
Trigger the event when unused space exceeds | Enter a percent. The default is 30%.
Automatically compact the database when the above condition is met | (Optional) Select this option (the default) to compact the database.
- Monitor for user inactivity: To monitor database activity and to determine which databases are not being used. Then complete these fields on the User Inactivity tab:
Field | Action
Time periods to monitor | Choose one: Daily, Weekly, Monthly.
Minimum sessions | Enter a minimum number of sessions that will trigger an event. The defaults are: Daily 10 sessions, Weekly 50 sessions, Monthly 300 sessions.
5. On the Other tab, complete these fields, and then save the document:
Field | Action
Generate a database event of severity | Select a severity level.
Create a new event handler for this event | Click this button to launch the Event Notification Wizard and create an event handler.
4. For the field "Interval n minutes", enter an interval in minutes at which you want to send the probe. The default is three.
5. Choose one of the following options:
- Check just the ability to access the destination server
- Check the ability to access the destination server and open this database, and then enter a file name
6. Click the Probe tab, and then complete these fields:
Field | Action
Ports | Do one: Enable the field to use any configured port to check access. Disable the field, and specify the port to use.
Time-out threshold | Enter a number that represents the allocated amount of time (in milliseconds) to open the database or access the server. The default is 1000 milliseconds.
The Resulting Statistic field, which is not editable, shows the name of the statistic that is generated.
7. Click the Other tab, complete these fields, and then save the document:
Field | Action
On time-out, generate a Server event of severity | Select a severity level.
Create a new event handler for this event | Click to launch the Event Notification Wizard and create an event handler.
In addition, the ISpy task monitors the local mail server by default and generates events for traces that fail. To monitor other Domino mail servers, create an event generator and set up an event handler to notify you when an event has occurred.
To create a mail-routing event generator
1. Make sure that you started the ISpy task on the server. For more information on the ISpy task, see the topic Starting and stopping the ISpy task later in this chapter.
2. From the Domino Administrator, click the Configuration tab, and then open the Monitoring Configuration view.
3. Open the Event Generators - Mail view, and click New Mail Routing Event Generator.
4. On the Basics tab, complete these fields:
Field | Action
All Domino servers in the domain will probe themselves | Do one: Check this option to have each server probe only the local mail box. Uncheck this option to probe specified servers.
Recipient | Enter the address of the recipient for which you want to check the mail route or use the drop-down box to select a recipient from a Domino Directory or Address Book. Do not enter more than one user and do not enter a group name.
 | Select the name of the server from which to start the probe.
 | Enable this option to track intermediate hop times.
6. Click the Other tab, complete these fields, and then click Save & Close.
Field | Action
On time-out, generate a Mail event of severity | Select the severity level.
Create a new event handler for this event | Click this button to launch the Event Notification Wizard and create an event handler.
5. For the "Generate the event when" field, choose one:
- The statistic is less than the threshold value
- The statistic is greater than the threshold value
- The statistic is a multiple of the threshold value
6. Click the Other tab, complete these fields, and then click Save & Close.
Field | Action
Generate a statistic event of severity | Select a severity level.
Create a new event handler for this event | Click this button to launch the Event Notification Wizard and create an event handler.
4. Click the Other tab, complete these fields, and then save and close.
Field | Action
Generate a monitor event of severity | Select a severity level.
Create a new event handler for this event | Click this button to launch the Event Notification Wizard and create an event handler.
If the Collector task is running, the Monitoring Results database (STATREP.NSF) stores the Internet port statistics. By default, the ISpy task monitors all enabled Internet ports (TCP services) on the server on which it is running. When you create a TCP server event generator, you can have each server probe its own configured ports and all services that are running on those ports, or you can select which servers and services to probe. To verify the statistic name and the type of event generated upon failure, click the tab for each service.
To create a TCP server event generator
1. Make sure that the ISpy task is running on the server. For more information on the ISpy task, see the topic Starting and stopping the ISpy task later in this chapter.
2. From the Domino Administrator, click the Configuration tab, and then open the Monitoring Configuration view.
3. Open the Event Generators - TCP Server view, and click New TCP Server Event Generator.
4. On the Basics tab for the field "All Domino servers in the domain will probe themselves", do one:
- Check the option to have each server probe all services on its own configured ports. Then continue with Step 6.
- Uncheck the option to specify the server ports and services to probe.
5. Under Target Servers, choose one:
- All in the domain (default): To probe the ports of all servers in the domain.
- Only the following: To probe the ports of selected servers in the domain. Then select one or more servers.
6. Under Probing servers (source), select the server from which the probes will be sent.
8. If all servers are probing themselves, continue with Step 8. If you chose to specify services, choose one:
- Probe all configured TCP services
- Probe these services. Then check the services to probe.
9. If all servers are probing themselves or if you selected the HTTP service to probe, click the HTTP tab and choose one:
- Probe just the port: To probe the availability of the HTTP service on the port.
- Fetch this URL: To probe for the availability of a Web server. Then enter a URL specifying the file path. Do not include the server in the URL address.
10. If all servers are probing themselves or if you selected the NNTP service to probe, click the NNTP tab and choose one:
- Probe just the port: To probe the availability of the NNTP service on the port.
- Send this command: Then enter the command and the news group name.
11. Click the Other tab, complete these fields, and then click Save & Close:
Field | Action
On time-out, generate an event severity | Select the severity level.
Create a new notification profile for this event | Click this button to launch the Event Notification Wizard and create an event handler.
To disable an event generator
1. From the Domino Administrator, click the Configuration tab, and then open the Monitoring Configuration view.
2. Open the Event Generators view, and select the event generator to disable.
3. Click the Other tab.
4. Check the field "Disable this event generator".
5. Save and close.
Start the ISpy task automatically when the server starts | Edit the ServerTasks setting in the NOTES.INI file to include RunJava ISpy.
Start the ISpy task manually | Enter the command load runjava ISpy at the console.
Stop the ISpy task | Enter either the command tell runjava ISpy quit or tell runjava quit at the console.
For more information about NOTES.INI settings and server commands, see the appendices.
To start a wizard
1. From the Domino Administrator, click the Files tab.
2. Open the Monitoring Configuration database, and then choose the Setup Wizards view.
3. Click the wizard you want to use.
Event handlers
An event handler defines the action that Domino takes when a specific event occurs. You can define an event handler to do one or more of the following:
- Log the event to a configured destination
- Notify you that the event occurred and specify the method of notification
- Forward the event to another program for additional processing
- Prevent the event from being logged to the server console or to a specified destination
The Monitoring Configuration database (EVENTS4.NSF) includes default event handlers for server tasks. However, to customize how events are handled, you may want to create custom event handlers. You can enable or disable an event handler, so you can easily disable a default event handler and replace it with a custom one.
When you create an event handler, you specify the condition that triggers it (for example, when an event meets or exceeds a threshold or meets a specified severity level). To specify event handler conditions, you define a set of criteria, specify a task, or select a custom event generator that triggers the event handler. For example, suppose you create an event handler that defines the criteria as a replication event with a severity level of Fatal. Then any replication event that matches those criteria is handled based on the event handler you created. Or, you can create an event handler for all events of any type that have a severity level of Fatal. An event handler is generated only if the specified task creates an event. And event handlers based on custom event generators are triggered only if the associated event generator creates the event.
You can also create different handlers for different severities. For example, you may want to be notified immediately if an event has a severity level of Fatal or Failure and choose to write the information to the log file or to the Monitoring Results database (STATREP.NSF). Normal levels of events may not interest you, so you may want to create a log filter to prevent normal events and severity levels from being logged to the log file or the server console.
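Because an event without a matching handler is not recorded, a planned handler set can be checked for gaps before it is deployed. The following added example is a simplified model, not Domino code: it applies the three statistic conditions listed earlier in this chapter, matches events to handlers by type, severity, message text and enablement, and reports the events that would go unrecorded. Handler names, sample events and the reading of the "multiple of" condition are assumptions.

```python
from dataclasses import dataclass
from datetime import time
from typing import Optional, Tuple


@dataclass(frozen=True)
class Event:
    type: str                 # e.g. "Replication", "Statistic" (constructed labels)
    severity: str             # e.g. "Fatal", "Failure", "Normal"
    message: str
    from_task: bool = False   # server or add-in task events reach the log anyway


@dataclass
class StatisticGenerator:
    """Statistic event generator with the three conditions the page lists."""
    statistic: str
    condition: str            # "less", "greater" or "multiple"
    threshold: float
    severity: str

    def check(self, value: float) -> Optional[Event]:
        if self.condition == "less":
            fired = value < self.threshold
        elif self.condition == "greater":
            fired = value > self.threshold
        elif self.condition == "multiple":
            # Assumption: "multiple" means a non-zero exact multiple.
            fired = value != 0 and value % self.threshold == 0
        else:
            raise ValueError(f"unknown condition: {self.condition}")
        if not fired:
            return None
        return Event("Statistic", self.severity, f"{self.statistic} is {value}")


@dataclass
class Handler:
    name: str
    method: str                                  # notification method label
    event_type: Optional[str] = None             # None = any type
    severity: Optional[str] = None               # None = any severity
    text: Optional[str] = None                   # None = any message
    enabled: bool = True
    window: Optional[Tuple[time, time]] = None   # None = enabled at all hours

    def matches(self, event: Event, now: time) -> bool:
        if not self.enabled:
            return False
        if self.window and not (self.window[0] <= now <= self.window[1]):
            return False
        if self.event_type and self.event_type != event.type:
            return False
        if self.severity and self.severity != event.severity:
            return False
        return self.text is None or self.text in event.message


def dispatch(event, handlers, now):
    """Event Monitor step: return (handler name, method) pairs that fire."""
    fired = [(h.name, h.method) for h in handlers if h.matches(event, now)]
    if not fired and event.from_task:
        # No handler, but task events are still stored in the log.
        fired = [("(no handler)", "server log only")]
    return fired


def unrecorded(events, handlers, now):
    """Events that no handler picks up and that are not task events."""
    return [e for e in events if not dispatch(e, handlers, now)]


def demo(now=time(10, 0)):
    """Constructed handlers and events; returns messages left unrecorded at `now`."""
    handlers = [
        Handler("repl-fatal", "Mail", event_type="Replication", severity="Fatal"),
        Handler("any-fatal", "Log to database", severity="Fatal"),
        Handler("evening-failures", "Broadcast", severity="Failure",
                window=(time(18, 0), time(23, 59))),
        Handler("old-statistics", "Log to database", event_type="Statistic",
                enabled=False),
    ]
    disk = StatisticGenerator("Free space on drive C", "less", 500_000_000, "Failure")
    events = [
        disk.check(120_000_000),
        Event("Replication", "Fatal", "Unable to replicate with server"),
        Event("Replication", "Failure", "Replication did not complete"),
        Event("Server", "Normal", "Task started", from_task=True),
    ]
    return [e.message for e in unrecorded(events, handlers, now)]


if __name__ == "__main__":
    print(demo())
```

In the constructed set, the Failure events are dropped outside the evening window because the only statistic handler is disabled and no handler covers Failure severity at all hours.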
Notification method | Result
Broadcast | Reports the event to all users logged onto the server or to a specified group of users.
Log to database | Logs the event to a database, typically STATREP.NSF, on a local server. Select this method only if the specified server is reporting events to its own collection database.
 | Mails the event to a person or to a mail-in database (typically STATMAIL.NSF) on a server in a different domain or one that uses an incompatible mail protocol.
 | Reports the event to the Windows NT Event Viewer.
 | Uses the mail address of an alphanumeric pager to report a modified version of an event to a pager.
 | Runs an add-in program or specified command to correct problems automatically.
 | Relays the event to another server that is in the same Domino domain and that runs a common protocol. These events are collected in a database, typically STATREP.NSF.
 | Sounds an alarm on the designated server when the event occurs.
 | Sends the event as an SNMP trap. Select this method only if the specified server is running the Event Interceptor task and the Domino SNMP Agent.
UNIXLog | Reports the event to the UNIX system log.
For more information on SNMP agents, see the chapter Using the Domino SNMP Agent.
Using an API to create an event notification method
If you use an API, there may be additional types of notification methods. To use one of these methods, create a notification based on the name and description provided by the API.
1. From the Domino Administrator, click the Configuration tab, and open the Monitoring Configuration view.
2. Open the Names & Messages (Advanced) - Notification Methods view, and click New Notification Method.
3. Enter a description of the notification method.
4. Enter the name of the notification method.
Generates
Messages related to conditions on a particular server or server connectivity. These messages can include event handler notifications generated by Domino server event generators.
Messages related to statistic alarms.
Messages that have an unknown prefix and are not listed in another event category.
Messages related to indexing.
Action
Choose one:
- Events can have any message
- Events must have this text in the event message. Then type the message text.
For more information about event types and event severity levels, see the topics Event types used to specify event criteria, and Event generators, earlier in this chapter.
- A built-in or add-in task event. Then click Select Event, select the event from the list, and choose one:
  - Events can have any message
  - Events must have this text in the event message. Then type the message text.
- A custom event generator. Then select it from the list or click New to create a new custom event generator. (Optional) Click Details to view a custom Event Generator document.
5. Click the Action tab and choose the notification method. For more information on event notification methods, see the topic Event handler notification methods, earlier in this chapter.
Note If you purchased an add-in product designed to work with server-management programs, you may see additional notification methods.
6. Choose one enablement option:
- Enable this notification: To enable the notification during all hours.
- Enabled only during these times: Then click the clock and move the slider to select the start and end time during which this event handler is enabled.
7. Click Save & Close.
To disable an event handler
1. From the Domino Administrator, click the Configuration tab, and open the Monitoring Configuration view.
2. Open the Event Handlers - All view.
3. Open the event handler you want to disable in edit mode.
4. Click the Action tab, and choose the field Disable this notification.
5. Save and close.
To create a log filter
1. From the Domino Administrator, click the Configuration tab and then open the Monitoring Configuration - Log Filters view.
2. Click New Event Filter.
3. On the Basics tab, select the name of the server on which you want to set log filters.
4. Click the Database tab. For the field Log unknown types/severities? select Yes or No to filter events from the log file.
5. Choose one:
- Log All Types: Then specify a severity level.
- Select types: Then check each type of event to log.
6. Click the Console tab. For the field Log unknown types/severities? select Yes or No to filter events from the console.
7. Choose one, and then Save & Close:
- Log All Types: Then specify a severity level.
- Select types: Then check each type of event to log.
Tip You can also create a log filter from the server console. For more information about setting log levels, see the chapter Using Log Files.
To view an event message
1. From the Domino Administrator, click the Configuration tab.
2. Open the Names and Messages view, and choose one of these views:
- Event Messages: To view all messages, sorted by type and then by severity level.
- Event Messages by Text: To view all messages, sorted alphabetically by message text.
Customizing the appearance of the Domino server console and Domino Administrator console
By creating a Server Console configuration document for the server you are monitoring, you can specify the text, background, and color attributes that the Domino server console uses to display monitoring information. By default, the Domino Administrator server console uses the same attributes, but you can override the defaults and customize the appearance of the Domino Administrator server console.
To customize the appearance of the Domino server console
1. From the Domino Administrator, click the Server - Status tab.
2. Open the Server Console view.
3. From the menu, select Live Console - Server - Set Server Console Attributes.
4. Select the server whose attributes you are configuring.
5. Click the color palette to select a color attribute for the background and event text. Look at the console display beneath the palette to view your choices in real time.
Console display | Default color
Console Background | Black
Normal Events | Light grey
Fatal Events | Red
Failure Events | Magenta
Warning (High) Events | Yellow
Warning (Low) Events | White
6. (Optional) To reset the colors to the defaults, click Reset to Defaults.
7. Click Save & Close.
To customize the appearance of the Domino Administrator server console
1. From the Domino Administrator, click the Server - Status tab.
2. Open the Server Console view.
3. From the menu, select Live Console - Local - Set Console Properties.
4. Click the Color tab. For the field Use server default, do one:
- Check the field to use the defaults set in the Server Console Configuration document for the server. This is the default.
- Clear the check box, and then select a color for background, text, and severity levels.
5. Click the Filters tab, and clear the check box for any status level you do not want to log to the Domino Administrator server console. The default is all levels are checked.
6. Click the Attributes tab, and then select the font, size, and appearance for the local console text.
To view a Server Console Configuration document
1. From the Domino Administrator, click the Configuration tab.
2. Open the Monitoring Configuration - Console Attributes view.
5. Do one to restart the Domino Administrator server console:
- If you clicked Pause, click Resume.
- If you clicked Stop, click Live.
To get error information
1. From the Domino Administrator, click the Server - Status tab.
2. Open the Server Console view.
3. Click Pause or Stop to stop the logging of information to the console.
4. Select the event error message for which you want more information.
5. Select Live Console - Lookup Error.
6. Do one to restart the Domino Administrator server console:
- If you clicked Pause, click Resume.
- If you clicked Stop, click Live.
To create an event handler
1. From the Domino Administrator, click the Server - Status tab.
2. Open the Server Console view.
3. Click Pause or Stop to stop the logging of information to the console.
4. Select the event for which you want to create an event handler.
5. Select Live Console - Create Local Event Handler.
6. If an event handler for the specified event already exists, you are prompted to edit the Event Handler document or create a new one.
7. Do one to restart the Domino Administrator server console:
- If you clicked Pause, click Resume.
- If you clicked Stop, click Live.
For more information on event handlers, see the topic Creating an event handler, earlier in this chapter.
To start or stop the Domino Administrator server console
1. From the Domino Administrator, click the Server - Status tab.
2. Open the Server Console view.
3. Click Live to start the console, or click Stop to stop it.
In the Domino Administrator, the Statistic Collector starts when you start the Domino server monitor, when you chart real-time statistics, or when you access the Server - Statistic tab. You can also set a Monitoring Administration Preference so that the Statistic Collector task starts automatically when you start the Domino Administrator.
The Statistic Collector task continually adds new servers from which it gathers statistics as you monitor or chart statistics from additional servers. For example, in the Domino server monitor, if you begin monitoring the servers in the Acme1 monitoring profile, the Collector task begins collecting statistics from the servers listed in the Acme1 profile. Then if you switch to charting and chart the statistics in the AcmeEast statistics profile, the Statistic Collector task simply adds the servers in the AcmeEast statistics profile to the list of servers from which it is gathering statistics. It does not stop gathering statistics from the servers in the first group you monitored in the Acme1 profile.
4. Choose one of the following:
- All servers in this domain: To collect statistics from all servers connected to the collector server.
- All servers that are not explicitly listed to be collected: To collect statistics from all servers in the domain from which statistics are not currently being collected.
- From the following servers: Then choose the servers from which to collect statistics.
5. To log statistics to a database click the Options tab. Check the field Log statistics to a database and then complete these fields:
Field | Action
Database to receive reports | Enter the name of the database to store the reports. The default is STATREP.NSF.
Collection report interval | Enter the number of minutes between reports. The minimum is 15; the default is 60.
Collection alarm interval | Enter the number of minutes between alarms. The minimum is 15; the default is 60.
Statistic filters | Select the types of statistics to omit from the report.
Platform statistics
In addition to tracking server statistics, Domino tracks operating-system performance statistics. You can view these statistics from the Domino Administrator, along with your Domino statistics, which helps you with Domino server monitoring and tuning. You can include platform statistics in any statistic monitoring task you perform with the Domino statistics, including using them in monitoring and statistic profiles, and charting them. There may be slight overhead incurred while running platform statistics, however the overhead is insignificant. No disk space is consumed by enabling platform statistics, since no log files are created. As with Domino statistics, disk space is used only if you log platform statistics to the log file or to the Monitoring Results database (STATREP.NSF). The amount of disk space used depends on the frequency of capture.
By default, the Statistic Collector task continuously gathers these statistics:
- Logical disk: Statistics for individual disks and total percent use of all disks
- Paging file: Statistics that show use of paging files
- Memory: Statistics showing memory allocation and use, including available memory
- Network: Statistics for individual network adapters and cumulatively for all the network adapters on the system
- Process: Statistics that show the percent of CPU use, along with process ID of Domino tasks, if the task is present. (Information for idle tasks is reported as zero.)
- System: Statistics on the information captured, for example, a summary of system CPU use and queue length.
Process System
To view a list of all statistics
To view a list of all statistics, use the Show Stat command. For more information on server commands, see the appendix Server commands.
For information on using the Platform command, see the appendix Server Commands.
Network statistics
On Solaris, AIX, and OS/400, Domino provides statistics for a maximum of ten network adapters. On Windows 2000 and Windows NT, there is no limit on the number of network adapters. The loopback interface is not included in the list of adapters. On AIX, only Ethernet and token ring network adapters are supported.
Process statistics
On Windows 2000 and Windows NT, when you view process statistics, the Percentage Total Domino CPU Utilization value may be greater than the Total System CPU Utilization. This is because the CPU utilization value for each individual process is calculated based on the total number of processes used in a sampling interval.
On Windows 2000 and Windows NT, Domino process names include the letter n as a prefix. For example, in Perfmon, Adminp (the process name for the Administration Process) is nadminp. To maintain platform-independence in naming, Domino does not include the prefix on any platform statistics.
On Solaris, AIX, and OS/400 platforms, process statistics indicate how busy the processes are, but these are not absolute values. On these platforms, the utilization is based on how busy the processes are in the current sampling period as compared to how busy they were in the previous sampling period. For example, if a process reports 30% utilization in the first sampling and 60% in the second, the process is twice as busy.
On all platforms, by default, the performance statistics for processes that are idle have the value zero.
System statistics
On Windows 2000 and Windows NT, the value of the combined CPU utilization statistic (Platform.System.PctCombinedCpuUtil) is not defined as the sum of the user and privileged CPU utilization values (Platform.PctUserCpuUtil and Platform.PctPrivilegedCpuUtil). However, on Solaris and AIX, the value of the combined CPU utilization statistic is defined as the sum of the user and privileged CPU utilization values.
The information in these reports provides a subset of statistics in each category. To view all statistics, use the Show Statistic command at the console or from the Domino Administrator, click the Server - Statistics tab.
To view statistics reports
1. From the Domino Administrator, click the Server - Analysis tab.
2. Click the Monitoring Results view, and select Statistics Reports.
3. Select a report.
For more information on the IBM Tivoli Analyzer for Lotus Domino and resource balancing, see the chapter Using IBM Tivoli Analyzer for Lotus Domino.
To create a new statistic
1. From the Domino Administrator, click the Configuration tab, and open the Monitoring Configuration - Names & Messages (Advanced) - Statistic Names view.
2. Click New Statistic.
3. On the Basics tab, complete these fields:
Field | Action
Statistic name | Enter the name of the new statistic.
Data type | Choose one: Text, Number, Time
Statistic unit | Enter one: the unit in which the statistic is measured, for example, bytes or minutes; or the word none, if this is a text statistic
Statistic description | Enter a description of the statistic
4. Click the Advanced tab, and do one of the following:
- If you selected Text or Time as the data type, go on to Step 5.
- If you selected Number as the data type, in the Normal values field, enter a normal value for this statistic, for example, 350KB, or the word varies, if the normal value of the statistic varies.
5. For the field Is an OS statistic? the default is No. Check Yes if the statistic is an operating system or platform statistic.
6. For the field Is an Activity statistic? the default is No. Check Yes if the statistic is generated using the Activity Trends Collector task, and then check one or more of the following:
- Has trended values: If the statistic has both trended and last-occurrence values.
- Has prime/24-hour values: If the statistic includes values for the prime shift and for a 24-hour period.
- Is user selectable: If the statistic will be used as a selection, for example, in a dialog box.
- Used in resource balancing: If the statistic will be used when balancing resources using the IBM Tivoli Analyzer for Lotus Domino.
Monitoring the Domino Server 52-33
7. For the field Is a statistic template? the default is No. Check Yes if the statistic will be used to create other statistics using a variable, for example, <portname>.
8. For the field Useful for thresholds? the default is No. Check Yes if this statistic will be used to generate statistic alarms. To use this statistic in a statistic event generator, you must define a threshold. Complete these fields:
Field | Action
Threshold operator | Select the condition against which to evaluate the threshold: Less than, Greater than, Multiple of, Percentage of
Threshold value | Enter a number.
Event severity | Select the severity that will cause an alarm.
Suggested response | (Optional) Enter an explanation of how to resolve the event that caused the alarm.
Useful in setup | Click Yes to use the statistic during setup and include this statistic when a new Monitoring Configuration database (EVENTS4.NSF) is created.
Charting statistics
You can graphically display the statistics generated by Domino, by creating statistics charts. To chart sets of statistics on a regular basis, you can define statistics profiles. Using statistics charts you can track and visualize statistics in real time or historically. Real-time charts reflect the current server activity. Historical charts pull information from the local Monitoring Results database (STATREP.NSF). You can also create statistic profiles so that you can chart a specified set of statistics routinely.
To create statistics charts you must enable the field Generate statistic reports while monitoring or charting statistics in Administration Preferences, and the Domino server monitor must be running. For more information on setting Administration Preferences for statistic monitoring, see the chapter Setting Up and Using Domino Administration Tools.
When you chart statistics, you choose the servers and the statistics to chart. Using the charting feature you can:
- Create and edit statistic profiles
- Remove existing statistic profiles or combine them into a new one
- Gather historical statistics over a specified period of time
- View the details of each statistic
- View an isolated statistic
- Start and stop real-time charting dynamically
- Use right-click functionality to add a statistic event generator
To create a statistic profile
1. From the Domino Administrator, click the Server - Performance tab.
2. Do one:
- If there are no statistics profiles displayed in the statistic profiles list, click Add.
- If there is a statistic profile currently displayed, choose Performance Monitor - Saved Statistics Profiles - New to clear the list, and then click Add.
3. Select the domain and server for which you are creating the statistic profile.
4. Choose one:
- Bundled statistics: To create a group made up of predefined sets of statistics.
- Individual statistics: To create a new group made up of selected individual statistics.
5. Click the arrow to open a statistic category. Select the specific statistic, and then click Add.
6. Click Done, choose Performance Monitor - Saved Statistics Profiles - Save As, and then type a name for the statistic profile.
To change the layout of the panes
You can change the layout of the chart display using the Performance Monitor menu or the layout button:
1. From the Domino Administrator, click Server - Performance.
2. From one of the Statistics charting views, choose Performance Monitor - Layout, and then choose one:
- Maximized: To display only the statistic chart.
- Maximum Width: To display the list of statistics and the statistic chart.
- Maximum Height: To display the statistic chart and the server pane.
- Restore: To restore the original layout.
To manipulate statistic performance charts
The following table describes ways to view the information on statistics performance charts.
Task | Action
Stop or start the charting | Click the Stop/Start button.
Get a numerical representation of a graphical statistic | Click the statistic in the profile list. Then look at the bar area between the profile list and the chart.
Get a textual representation of the statistic chart | Double-click the chart to display a document that you can edit and print.
Chart an isolated statistic | Double-click a graph line.
To add or remove a statistic
You can add or remove a statistic or a server from a statistic chart without affecting the statistic profile.
1. Select the statistic profile.
2. Do any of the following:
Task | Action
Dynamically remove a statistic from the chart displayed | In the profile list, clear the check box next to the statistic.
Dynamically add a statistic | Click Add, and then select a statistic.
Dynamically add a server | Click the down arrow, and then select a server.
Dynamically remove a statistic | Select a statistic in the profile list, and then click Remove.
Add a server
3. To save the profile, do one:
- Click Performance Monitor - Saved Statistics Profiles - Save: To overwrite the original statistic profile with the changes.
- Click Performance Monitor - Saved Statistics Profiles - Save As: To save the modified statistic profile under a new name, leaving the original statistic profile intact.
Note The Domino server monitor is not available in the Web Administrator.
view, you can change the sort order of the Server Name and Server Status columns and of any Statistic Value columns that contain numeric values.
To view the Domino server monitor
1. From the Domino Administrator, click the Server - Monitoring tab.
2. Choose one view:
- By Timeline: Then set the Column scale selector to a value from 1 to 60 minutes.
- By State: Then to view past errors only, select the check box Display past states reporting errors exclusively.
3. Click Start to start the server monitor.
Note If you enable Automatically monitor servers at startup in the Administration Preferences, the server monitor starts automatically and monitors the most recently viewed profile.
By default, the Domino server monitor contacts servers in the currently displayed profile and any profiles that have been displayed since the monitor started. To customize the profiles that the Domino server monitor uses, you can do any of the following:
- Modify a default profile
- Create a new profile
- Specify the profiles to monitor on startup
Note The Domino server monitor and profiles are not available in the Web Administrator.
Specifying profiles to use when you start the Domino server monitor
By default, the profile that was being monitored when you stop the server monitor is the profile that will be monitored when you start the server monitor. To override this default behavior, you can specify which profiles to monitor when you start the Domino server monitor.
1. From the Domino Administrator, click the Server - Monitoring tab.
2. Select a server profile.
3. From the Monitoring menu, select Profile Properties.
4. Make sure the name of the profile you want to monitor at startup is displayed.
5. Check Contact servers in this profile at startup.
Tip You can also rename a nonsystem profile in Profile Properties.
You can perform the following tasks to troubleshoot server performance using the Domino server monitor:
- Open a different Domino Administrator tab from the Domino server monitor
- Display the differences in current and previous statistic values
- View additional information about a server or server task
- Create an event handler for a server that is down
Note The Domino server monitor is not available in the Web Administrator.
Example using the Domino server monitor
Suppose you are monitoring eight servers and are troubleshooting errors. Server Hub-E/East/Acme appears at the top of the server list and displays a failure indicator. In the By State view, you notice that one of the status indicators is reporting a Failure error. You can tell from the column which server task is reporting the error, but you still don't know what the error is. Hover over a task status indicator to see a brief explanation of the problem. To take immediate constructive action on the server, you select the server, right click and select Display Status Tab. You are now ready to diagnose and take corrective action from the Server - Status tab.
Or perhaps you are monitoring 14 servers, and troubleshooting dead mail statistics (dead.mail). To see which servers have the highest amount of dead mail, sort the statistic column so that the servers with the most dead mail messages appear at the top. To get an idea of when the dead mail really started piling up, locate the cursor in the Dead statistic column and right click. Select Show Statistics Difference to see if the error occurred within the last hour. To release the dead mail, right click and select Display Messaging tab to switch to the Messaging - Mail tab.
To open a different Domino Administrator tab from the Domino server monitor
1. From the Domino Administrator, click the Server - Monitoring tab.
2. Select a server.
3. From the Monitoring menu, select one:
- Display Status Tab: To view the status and access the Server Console to issue commands for the selected server
- Display Messaging Tab: To monitor mail tracking for the selected server
To display differences for statistic values
For numerical statistics, you can display the difference between the current statistic value and its value from one hour earlier. A delta icon appears in the statistic column when the earlier, or differences, value is displayed. If the server monitor has been running less than one hour, it displays the difference between the current statistic value and the oldest value available.
1. From the Domino Administrator, click the Server - Monitoring tab.
2. Click in the statistic column to select the statistic.
3. From the Monitoring menu, select Show Statistics Difference.
4. To remove the difference value and icon, click the statistic column, and choose Monitoring - Show Statistics Difference again.
To view additional information about a server or task
1. From the Domino Administrator, click the Server - Monitoring tab.
2. Do one:
- Server tasks: In either view, locate the cursor in the tasks frame and hover over the error indicator to see what event caused the error.
- Servers: In either view, locate the cursor in the server pane and hover over the error indicator to see what event caused the error.
To create event handlers and event generators
You can generate statistic events and invoke event handlers when a server goes down or comes back up, when a task reports an error, or when a statistic has reported a particular threshold.
1. From the Domino Administrator, click the Server - Monitoring tab.
2. Do one:
- Locate the cursor in the server pane and right click.
- Locate the cursor in the tasks pane and right click. Select Create event handler and then select one of the following to create an event handler when a task reports an error.
  - Any Error (Local)
  - Current Error (Local)
  - Current Status (Local)
  - Current Error (On Server)
- Locate the cursor in the statistics pane and right click. Select Create event generator and then select either local or server to create a new statistics event generator.
52-46 Administering the Domino System, Volume 2
The Domino SNMP Agent supports SNMP version 1.
Out-of-band server status through the MIB
The Domino SNMP Agent constantly monitors the status of the server indirectly through a Domino SNMP Agent server add-in task using IPC to determine whether the server is up or down. The Domino SNMP Agent is not a Lotus Notes API application; all of its status information is gathered out of band.
Control of a Domino server through SNMP
The following three control functions are available through SNMP:
- Stop the Domino server
- Start the Domino server
- Reboot the operating system
Note Rebooting is not supported on the zSeries (S/390) platform.
As a security feature, these functions are not available by default. Each function must be configured on a per-server basis.
Real-time alerts on server status
The Domino SNMP Agent constantly monitors the status of the server. Changes in status are sent as SNMP traps. Real-time alerts on server status significantly enhance monitoring whether a server is up or down in three ways:
- The information is provided in real-time.
- The information is available out-of-band. Determining whether the server is up or down does not require the Notes client or Domino server.
- The information is qualitatively better. Instead of two states, up or down, SNMP can determine seven states or events as follows:
Message | Status | Specific trap number | Clearing trap number
Domino server is up: [server name] (This server has been started by a console command or using SNMP.) | Normal | 11 | 12
Domino server is shut down: [server name] (This server has been shut down by a console command or using SNMP.) | Disabled | 12 | 11
Domino server pulse has failed: [server name] (This server is excessively busy or unresponsive to the SNMP pulse.) | Warning | 13 | 14
Domino server pulse is restored: [server name] (This server is no longer busy and now responding to the SNMP pulse.) | Normal | 14 | 13
System is rebooting (The Domino SNMP Agent is rebooting the entire system.) | Informational | 15 | N/A
Domino server is not responding: [server name] (This server may have crashed or hung.) | Critical | 16 | 17
Domino server is now responding: [server name] (This server is now responding again.) | Normal | 17 | 16
Note The above traps are all Generic number 6. The most important additional state is whether the server has been disabled intentionally. This avoids situations such as paging support staff during periods of routine maintenance. The method for determining the server state is a pulse between LNSNMP and its Domino server add-in tasks (first the QuerySet Handler or else the Event Interceptor). Traps 13 and 16 get raised only if LNSNMP first determines that the server is working by communicating with the SNMP add-in tasks. Traps are not raised if the server starts up with a problem. Trap 16 will occur if the trap 13 condition persists (server not responding); in other words, you will see a trap 13 before you see a trap 16.
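The trap numbers, clearing pairs, and the "trap 13 before trap 16" ordering described above can be applied in a small trap correlator. This is an added example, not code from the Domino documentation or the Domino SNMP Agent; the alerting policy (page on Critical, ticket on Warning, suppress while the server is Disabled), the function and class names, and the server name Mail-W/West/Acme are assumptions, and the trap sequence is constructed.

```python
"""Correlate Domino SNMP Agent status traps (specific traps 11-17, generic 6)."""
from collections import defaultdict

# Specific trap number -> (status, message), taken from the status table.
TRAPS = {
    11: ("Normal", "Domino server is up"),
    12: ("Disabled", "Domino server is shut down"),
    13: ("Warning", "Domino server pulse has failed"),
    14: ("Normal", "Domino server pulse is restored"),
    15: ("Informational", "System is rebooting"),
    16: ("Critical", "Domino server is not responding"),
    17: ("Normal", "Domino server is now responding"),
}
# Specific trap -> trap it clears (the "Clearing trap number" column).
CLEARS = {11: 12, 12: 11, 13: 14, 14: 13, 16: 17, 17: 16}
# Statuses that stay open until their clearing trap arrives.
OPEN_STATUSES = {"Disabled", "Warning", "Critical"}


class TrapCorrelator:
    def __init__(self):
        self.open = defaultdict(set)  # server name -> uncleared trap numbers

    def state(self, server):
        """Current status; an intentional shutdown (trap 12) takes precedence."""
        for trap in (12, 16, 13):
            if trap in self.open[server]:
                return TRAPS[trap][0]
        return "Normal"

    def handle(self, server, trap):
        """Record one trap and return (action, note)."""
        if trap not in TRAPS:
            return ("ignore", "not a Domino status trap")
        status, note = TRAPS[trap]
        open_traps = self.open[server]
        disabled = 12 in open_traps  # server was shut down on purpose

        # Trap 16 is raised only if the trap 13 condition persists, so a 16
        # with no open 13 means a trap was lost or this one is unexpected.
        if trap == 16 and 13 not in open_traps:
            note += " (no preceding trap 13: a trap was missed or is unexpected)"

        open_traps.discard(CLEARS.get(trap))
        if status in OPEN_STATUSES:
            open_traps.add(trap)

        # Assumed alerting policy, not part of the Domino documentation.
        if status == "Critical":
            action = "suppress" if disabled else "page"
        elif status == "Warning":
            action = "suppress" if disabled else "ticket"
        elif status == "Normal":
            action = "clear"
        else:  # Disabled or Informational
            action = "log"
        return (action, note)


# Constructed trap sequence: (server name, specific trap number).
SAMPLE_TRAPS = [
    ("Hub-E/East/Acme", 11),   # server started
    ("Hub-E/East/Acme", 13),   # pulse failed
    ("Hub-E/East/Acme", 16),   # still not responding
    ("Hub-E/East/Acme", 17),   # responding again
    ("Hub-E/East/Acme", 14),   # pulse restored
    ("Hub-E/East/Acme", 12),   # shut down for maintenance
    ("Hub-E/East/Acme", 13),   # arrives while Disabled: no alert
    ("Mail-W/West/Acme", 16),  # Critical with no trap 13 seen first
]


def replay(events):
    """Run a trap sequence through a fresh correlator."""
    correlator = TrapCorrelator()
    results = [correlator.handle(server, trap) for server, trap in events]
    return results, correlator


if __name__ == "__main__":
    results, correlator = replay(SAMPLE_TRAPS)
    for (server, trap), (action, note) in zip(SAMPLE_TRAPS, results):
        print(f"{server:18} trap {trap}: {action:8} {note}")
    print("Hub-E/East/Acme is", correlator.state("Hub-E/East/Acme"))
```

Because SNMP version 1 traps are unauthenticated, the out-of-sequence note is worth keeping in the alert text so that an operator checks the server directly before acting on it.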
Forwarding of Domino events as SNMP traps
Forwarding of Domino events is similar to real-time alerts. SNMP traps are forwarded in real-time as soon as Domino generates them using the Event server task. Statistics monitors are not strictly real-time because Domino generates them only periodically using the Collector server task. One advantage of the Domino SNMP Agent is that it allows these events to be consolidated across Domino domains.
The text message of the Domino event contains several items of information that are labeled as follows:
- Server: Full name of the originating Domino server.
- Type: Event Type (see below).
- Severity: Event Severity (see below).
- TimeStamp: Time stamp is converted to UNIX Epoch format. Note that this is the server's time stamp, not the console's.
- Text: The Event Message (in the local language of the server).
- Seq: Assigned by LNSNMP.
Note All of these fields come directly from the Domino server except for the Seq field.
Type codes are numeric and correspond to the respective Event Types seen in Domino Event Monitors:
0 Unknown
1 Comm
2 Security
3 Mail
4 Replica
5 Resource
6 Misc
7 Server
8 Statistic
9 Update
Severity codes are numeric and correspond to the respective Event Severities seen in Domino Event Monitors:
0 Unknown
1 Fatal
2 Failure
3 Warning (high)
4 Warning (low)
5 Normal
Domino statistics through the MIB
Many Domino statistics are available using SNMP. It's possible to see which MIB objects are derived directly from Domino statistics by examining comments in the Domino MIB that begin with the string --<<.
SNMP security
SNMP version 1 is not a secure protocol. SNMP's native security uses only community names and IP addresses. All sites should review deployment of the Domino SNMP Agent with their security staff. However, the control functions provided by the Domino SNMP Agent do not present significant security risks (for example, access to the console or databases is not affected).
The Domino SNMP Agent consisting of:
- LNSNMP: Which receives trap notifications from the Event Interceptor and then forwards them to the management station using the platform-specific SNMP Agent. LNSNMP also handles requests for Domino-related information from the management station by passing the request to the QuerySet Handler and responding back to the management station.
- QuerySet Handler: Which queries server statistics information, sets the value of configurable Domino-based parameters, and returns Domino statistics information to LNSNMP, which then forwards the information to the management station using the platform-specific master SNMP Agent.
- Event Interceptor: Which responds to the SNMP Trap notification for Domino Event Handlers by instructing LNSNMP to issue a trap.
The Domino MIB A standard Management Information Base (MIB) file for Lotus Domino servers that can be compiled and used by a network management program such as NetView or OpenView.
For additional information, refer to your operating system's or network management tool's documentation (such as NetView or OpenView).
and is numbered 1.3.6.1.4.1.334.72. The main branches in numeric order are as follows:
- lnInfo: Information about the server provided by the QuerySet server add-in task. This includes values and sub-branches. The main sub-branch is lnStats, which contains the Domino statistics organized into sub-branches that mirror the Domino statistics branches. For example, the Server.* Domino statistics are in the lnServer sub-branch. Comments with these objects, beginning with the string --<<, indicate which Domino statistic an object is derived from.
- lnControl: Values provided by LNSNMP including those monitoring and controlling the server.
- lnInterceptor: An internal branch relating to the Event Interceptor add-in task.
- lnUnix: An internal branch that supports NetView for AIX.
- lnMPAInfo: A branch with one value provided by LNSNMP that gives the version of the Domino SNMP Agent.
Note Some Domino statistics are in floating-point format. SNMP version 1 does not support floating-point numbers, truncating these statistics to integers.
System requirements
The following are system requirements for the Domino SNMP Agent:
Windows requirements:
  Windows native TCP/IP.
  Windows SNMP Agent service.
AIX requirements:
  AIX native TCP/IP.
  AIX Master SNMP Agent (snmpd).
Linux requirements:
  Linux native TCP/IP.
  An extensible Master SNMP Agent that supports the SMUX protocol (RFC 1227), such as UCD-SNMP 4.1 or later (4.2.3 or later is strongly recommended), or NET-SNMP 5.0 or later. UCD-SNMP and NET-SNMP are distributed by http://www.net-snmp.org and must be built to include SMUX support by first running their source configure script with --with-mib-modules=smux as an argument.
Solaris requirements:
  Solaris native TCP/IP.
  An extensible Master SNMP Agent that supports the SMUX protocol (RFC 1227), such as PEER Networks OptiMaster Release 1.8a (included).
zOS (OS/390) requirements:
  OS/390 Version 1 Release 3 TCP/IP for OpenEdition MVS Applications or OS/390 Version 2 Release 4 TCP/IP.
  The most current PTFs for the zSeries (S/390) platform, which you can access on www.ibm.com.
further SNMP initiated starts once its own configuration options become known. This situation becomes possible each time the Domino SNMP Agent is started because the Domino SNMP Agent does not retain server configuration information when it is stopped.
1. Create a file called LNSNMP.INI in the appropriate directory depending on platform:
  Windows: Windows System directory
  AIX, Linux or Solaris: /opt/lotus
  zOS (OS/390): /opt/lotus
Note: These are the recommended directories. However, LNSNMP.INI can be in any directory listed in the PATH environment variable.
2. Edit the file and include one line for each server partition with the following format:
Server=<Data_Directory>;<Server_Name>;<Domino_Partition_Number>
  Data_Directory: The directory that is the server's Domino data directory for a given partition
  Server_Name: The name of your server
  Domino_Partition_Number: This value is arbitrary because Domino no longer uses numbers to uniquely identify partitions. However, for historical reasons, a value must still be present.
For example, if you have a UNIX server with two partitions and data directories of /home/domino/venus and /home/domino/saturn, your LNSNMP.INI file should look like this:
Server=/home/domino/venus;Venus Server;1
Server=/home/domino/saturn;Saturn Server;2
Note: The case of the text to the right of the equals sign is significant in UNIX environments.
Troubleshooting
If LNSNMP does not start properly, check that the LNSNMP.INI file is correct. LNSNMP will always attempt to reference the LNSNMP.INI file.
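A checker for the LNSNMP.INI format described above, added here as an illustration (it is not IBM's code). Matching the key as exactly Server and treating a repeated data directory as an error are assumptions; the two-partition sample is the guide's own and the broken sample is constructed.

```python
"""Validate LNSNMP.INI partition entries: Server=<dir>;<name>;<number>."""
from typing import Dict, List, NamedTuple, Tuple


class Partition(NamedTuple):
    data_directory: str
    server_name: str
    partition_number: str


def parse_lnsnmp_ini(text: str) -> Tuple[List[Partition], List[str]]:
    """Return (partitions, problems) for the text of an LNSNMP.INI file."""
    partitions: List[Partition] = []
    problems: List[str] = []
    seen: Dict[str, Tuple[int, str]] = {}  # case-folded dir -> (line, dir as written)
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition("=")
        # Assumption: the key must be spelled exactly as the guide shows it.
        if sep != "=" or key.strip() != "Server":
            problems.append(f"line {lineno}: expected 'Server=...', got {line!r}")
            continue
        fields = [f.strip() for f in value.split(";")]
        if len(fields) != 3:
            problems.append(
                f"line {lineno}: expected 3 ';'-separated fields, got {len(fields)}")
            continue
        data_dir, name, number = fields
        labels = ("data directory", "server name", "partition number")
        empty = [label for label, v in zip(labels, fields) if not v]
        if empty:
            # The partition number is arbitrary but must still be present.
            problems.append(f"line {lineno}: empty field(s): {', '.join(empty)}")
            continue
        written = data_dir.rstrip("/")
        folded = written.lower()
        if folded in seen:
            first_line, first_dir = seen[folded]
            if first_dir == written:
                problems.append(
                    f"line {lineno}: data directory {data_dir!r} "
                    f"already used on line {first_line}")
            else:
                # Case is significant on UNIX, so this is a likely typo.
                problems.append(
                    f"line {lineno}: {data_dir!r} differs from line "
                    f"{first_line} only by case")
        else:
            seen[folded] = (lineno, written)
        partitions.append(Partition(data_dir, name, number))
    return partitions, problems


# The example from the guide.
GUIDE_SAMPLE = (
    "Server=/home/domino/venus;Venus Server;1\n"
    "Server=/home/domino/saturn;Saturn Server;2\n"
)

# Constructed sample with three defects: a case-only directory clash,
# a missing partition number field, and a misspelled key.
BROKEN_SAMPLE = (
    "Server=/home/domino/venus;Venus Server;1\n"
    "Server=/home/domino/Venus;Venus Two;2\n"
    "Server=/home/domino/saturn;Saturn Server\n"
    "server=/home/domino/mars;Mars Server;3\n"
)

if __name__ == "__main__":
    for label, sample in (("guide", GUIDE_SAMPLE), ("broken", BROKEN_SAMPLE)):
        parts, issues = parse_lnsnmp_ini(sample)
        print(label, len(parts), "partition(s)")
        for issue in issues:
            print("  ", issue)
```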
2. Configure the Lotus Domino SNMP Agent as a service. Enter this command:
lnsnmp -Sc
You have completed the Windows-specific portion of the Domino SNMP Agent configuration. You should now follow the instructions found in Completing the Configuration of the Domino SNMP Agent.
Removing the LNSNMP service
If you ever need to undo the configuration of the Lotus Domino SNMP Agent as a service, enter this command:
lnsnmp -Sd
3. Configure SNMPD to accept LNSNMP as an SMUX peer. Add the following line to /etc/snmpd.peers:
"Lotus Notes Agent" 1.3.6.1.4.1.334.72 "NotesPasswd"
4. Configure SNMPD to accept an SMUX association from LNSNMP. Add the following line to /etc/snmpd.conf:
smux 1.3.6.1.4.1.334.72 NotesPasswd
7. Create a link to the LNSNMP script. Enter this command, changing the Domino executable path if necessary:
ln -f -s /opt/lotus/notes/latest/ibmpow/lnsnmp.sh /etc/lnsnmp.rc
8. Arrange for LNSNMP to be restarted after a reboot. Add the following line to the end of /etc/rc.tcpip:
/etc/lnsnmp.rc start
You have completed the AIX-specific portion of the Domino SNMP Agent configuration. You should now follow the instructions found in Completing the Configuration of the Domino SNMP Agent.
2. Stop the Master SNMP Agent. If you're using UCD-SNMP or NET-SNMP, enter this command:
/etc/rc.d/init.d/snmpd stop
If you're not using UCD-SNMP or NET-SNMP, refer to your Master SNMP Agent's documentation.
3. Configure the Master SNMP Agent to accept LNSNMP as an SMUX peer. If you're using UCD-SNMP or NET-SNMP, add the following line to /usr/share/snmp/snmpd.conf:
smuxpeer 1.3.6.1.4.1.334.72 NotesPasswd
If you're not using UCD-SNMP or NET-SNMP, refer to your Master SNMP Agent's documentation.
4. Start the Master SNMP Agent. If you're using UCD-SNMP or NET-SNMP, enter this command:
/etc/rc.d/init.d/snmpd start
If you're not using UCD-SNMP or NET-SNMP, refer to your Master SNMP Agent's documentation.
5. Start the LNSNMP process. Enter this command:
lnsnmp.sh start
6. Arrange for LNSNMP to be restarted after a reboot. Enter these commands, changing the Domino executable path and default run levels if necessary:
ln -f -s /opt/lotus/notes/latest/linux/lnsnmp.sh /etc/rc.d/init.d/lnsnmp
chkconfig --add lnsnmp
chkconfig lnsnmp on
You have completed the Linux-specific portion of the Domino SNMP Agent configuration. You should now follow the instructions found in Completing the Configuration of the Domino SNMP Agent.
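The SMUX peer entries from the AIX and Linux procedures above can be checked before the master agent is restarted. This added Python example (not part of the IBM guide) confirms that the Domino OID is registered and that the password matches the one the guide lists for LNSNMP; the function names and the samples marked as constructed are assumptions.

```python
"""Check that a master SNMP agent is configured to accept LNSNMP over SMUX."""
import shlex
from typing import Iterator, List, Optional

DOMINO_OID = "1.3.6.1.4.1.334.72"   # SMUX identity of LNSNMP, from the guide
LNSNMP_PASSWORD = "NotesPasswd"     # SMUX password the guide gives for LNSNMP


def _entries(text: str) -> Iterator[List[str]]:
    """Yield the tokens of each non-blank, non-comment line."""
    for raw in text.splitlines():
        try:
            tokens = shlex.split(raw, comments=True)  # honours quotes and '#'
        except ValueError:                            # unbalanced quote
            tokens = raw.split()
        if tokens and not tokens[0].startswith("#"):
            yield tokens


def _password_for_domino(text: str, directive: Optional[str]) -> Optional[str]:
    """Password on the first entry for the Domino OID.

    Returns None when there is no entry and '' when the entry has no password.
    directive=None selects the snmpd.peers layout:
        "<description>" <identity> "<password>"
    otherwise the layout is:
        <directive> <identity> <password>
    """
    for tokens in _entries(text):
        if directive is not None and tokens[0] != directive:
            continue
        if len(tokens) >= 2 and tokens[1].lstrip(".") == DOMINO_OID:
            return tokens[2] if len(tokens) >= 3 else ""
    return None


def _judge(where: str, password: Optional[str]) -> List[str]:
    if password is None:
        return [f"{where}: no entry for {DOMINO_OID}, "
                "LNSNMP is not configured as an SMUX peer"]
    if password != LNSNMP_PASSWORD:
        return [f"{where}: password does not match the one LNSNMP presents"]
    return []


def check_net_snmp(conf_text: str) -> List[str]:
    """Linux (UCD-SNMP / NET-SNMP): smuxpeer line in snmpd.conf."""
    return _judge("snmpd.conf (smuxpeer)",
                  _password_for_domino(conf_text, "smuxpeer"))


def check_aix(peers_text: str, conf_text: str) -> List[str]:
    """AIX: /etc/snmpd.peers and the smux line in /etc/snmpd.conf must agree."""
    return (_judge("snmpd.peers", _password_for_domino(peers_text, None))
            + _judge("snmpd.conf (smux)",
                     _password_for_domino(conf_text, "smux")))


# Lines as given in the guide.
AIX_PEERS = '"Lotus Notes Agent" 1.3.6.1.4.1.334.72 "NotesPasswd"\n'
AIX_CONF_OK = "smux 1.3.6.1.4.1.334.72 NotesPasswd\n"
LINUX_OK = "# constructed sample\nsmuxpeer 1.3.6.1.4.1.334.72 NotesPasswd\n"

# Constructed failure cases: wrong case in the password, entry commented out.
AIX_CONF_BAD = "smux 1.3.6.1.4.1.334.72 notespasswd\n"
LINUX_COMMENTED = "#smuxpeer 1.3.6.1.4.1.334.72 NotesPasswd\n"

if __name__ == "__main__":
    # Path from the Linux procedure in the guide.
    with open("/usr/share/snmp/snmpd.conf", encoding="utf-8") as handle:
        findings = check_net_snmp(handle.read())
    print("\n".join(findings) if findings else "SMUX peer entry looks correct")
```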
Note: The Domino SNMP Agent is set up to run automatically. This means that once the Domino SNMP Agent is configured, it is virtually always running, even when Domino is not. If you later upgrade Domino you should stop the LNSNMP process, and the PEER Agent(s) if applicable, before beginning the upgrade process.
Note: All the following commands should be executed as the root user.
1. Stop the LNSNMP process. Enter this command:
lnsnmp.sh stop
2. Stop the Master SNMP Agent. If you're using the PEER Agent(s), enter this command:
peerinit.sh stop
If you're not using the PEER Agent(s), refer to your Master SNMP Agent's documentation.
3. Install or configure the Master SNMP Agent. If you're going to be using the PEER Master Agent, it's already configured for LNSNMP; enter the following commands to install it, changing the Domino executable path if necessary:
ln -f -s /opt/lotus/notes/latest/sunspa/peer.snmpd /etc
cp /opt/lotus/notes/latest/sunspa/peer.snmpd.conf /etc
If you're using another Master SNMP Agent, refer to its documentation for how to configure LNSNMP as an SMUX Peer. The three parameters associated with SMUX authentication for LNSNMP are:
Description: Lotus Notes Agent
Identity: 1.3.6.1.4.1.334.72
Password: NotesPasswd
4. Start the Master SNMP Agent. If you're using the PEER Agent(s), enter this command:
peerinit.sh start
If you're not using the PEER Agent(s), refer to your Master SNMP Agent's documentation.
5. Start the LNSNMP process. Enter this command:
lnsnmp.sh start
6. Create a link to the LNSNMP script. Enter this command, changing the Domino executable path if necessary:
ln -f -s /opt/lotus/notes/latest/sunspa/lnsnmp.sh /etc/init.d/lnsnmp
8. Create a link to the PEER script, if you're using the PEER Agent(s). Enter this command, changing the Domino executable path if necessary:
ln -f -s /opt/lotus/notes/latest/sunspa/peerinit.sh /etc/init.d/peerinit
9. Arrange for the PEER Agent(s) to be restarted after a reboot, if you're using them. Enter these commands:
ln -f -s /etc/init.d/peerinit /etc/rc2.d/S76peer.snmpd
ln -f -s /etc/init.d/peerinit /etc/rc1.d/K76peer.snmpd
If you're not using the PEER Agent(s), refer to your Master SNMP Agent's documentation.
You have completed the Solaris-specific portion of the Domino SNMP Agent configuration. You should now follow the instructions found in Completing the Configuration of the Domino SNMP Agent.
Configuring the PEER Encapsulator Agent with other master agents
If you installed the PEER Master Agent above, but were using another Master SNMP Agent and need to continue using it, you should read the remainder of this section.
Most Network Management Stations (NMS) view managed objects on a host through a single SNMP Agent. The NMS will usually direct its SNMP requests to an agent listening on port 161. Because only a single SNMP Agent can be listening at port 161, this limits the NMS to managing only the variables accessible to the one agent listening at that port.
If you install the PEER Master agent, it will listen on port 161, so that all queries directed to that host will go to the PEER Master agent. If you already have non-PEER master agents installed on that host, they too will want to listen on port 161, so you need to reconfigure these non-PEER agents to listen on other ports. Then, configure the PEER Encapsulator agent to emulate an NMS and pass on the appropriate SNMP requests from the PEER Master agent to the encapsulated agents at their respective ports.
The PEER Encapsulator agent works by hiding the non-PEER agents, so they are visible to the NMS only through the PEER Master agent. Configure the PEER Encapsulator agent to recognize non-PEER agents, respective sub-trees, SNMP ports, and traps. Then when a non-PEER agent sends a trap, the PEER Encapsulator agent listening for the trap forwards it up to the PEER Master agent or discards it, as configured. When the PEER Master agent receives an NMS SNMP request about an encapsulated agent's managed sub-tree, it passes it on to the Encapsulator agent which, in turn, forwards the request to that encapsulated agent at its listening port.
To install the PEER Encapsulator Agent, enter these commands:
ln -f -s /opt/lotus/notes/latest/sunspa/peer.encaps /etc
cp /opt/lotus/notes/latest/sunspa/peer.encaps.conf /etc
To configure the PEER Encapsulator Agent, edit the /etc/peer.encaps.conf file, using the comments as a guide. Refer to your other Master SNMP Agent's documentation for information about configuring it.
To start the PEER Encapsulator Agent, enter this command:
peerinit.sh start
This is the same command script used to start the PEER Master Agent and is responsible for both Agents if they're both installed. Therefore, if you already configured the PEER Master Agent to restart automatically after a reboot, the PEER Encapsulator Agent will also restart automatically.
Note: Automatic start of the Domino SNMP Agent is not supported on zOS (OS/390).
You have completed the OS/390-specific portion of the Domino SNMP Agent configuration. You should now follow the instructions found in Completing the Configuration of the Domino SNMP Agent.
Using the Domino SNMP Agent 53-17
2. To support SNMP traps for Domino events, start the Event Interceptor add-in task. Enter this command on the Domino Server console:
load intrcpt
3. To support Domino statistic threshold traps, start the Statistic Collector add-in task. Enter this command on the Domino Server console:
load collect
4. Arrange for the add-in tasks to be restarted automatically when Domino is next restarted. Add quryset and/or intrcpt and collect to the ServerTasks variable in Domino's NOTES.INI file.
Configuring traps for Domino events
Once the Domino SNMP Agent is configured, your SNMP management console is able to receive traps for basic SNMP events for that server (for example, server down). Additional configuration is required to receive traps for Domino events. You must create appropriate Event Handlers in the Domino Monitoring Configuration database. The Event Handler's Notification Method must be set to SNMP Trap, and the Notification Server must be set to an asterisk.
For more information about Event Handlers, see the chapter Monitoring the Domino Server.
Configuring statistic threshold traps
You can receive SNMP traps for Domino statistics that exceed a specified value when you have configured appropriate Statistic Event Generators and appropriate Event Handlers in the Domino Monitoring Configuration database. Domino must also be running the Statistic Collector and Event Interceptor add-in tasks. The Notification Method of the Event Handler must be set to SNMP Trap, and the Notification Server must be set to an asterisk.
For more information about creating Statistic Event Generators and Event Handlers, see the chapter Monitoring the Domino Server.
Enabling the SNMP Agent to start or stop a Domino server
You can start or stop Domino servers from a remote management console using the Domino SNMP Agent. To do so, you must enable the Domino SNMP Agent to start or stop a specific server. By default, the Domino SNMP Agent does not allow the remote server to start or stop. You do not need to modify a server's Configuration Settings unless you want to enable the Domino SNMP Agent to start or stop that server.
Note: If the server ID is password protected, then the Domino SNMP Agent cannot be used to remotely restart a Domino server because SNMP cannot pass a password parameter to the server.
Note: It may not be possible for SNMP to start a server until that server has first identified itself to the Domino SNMP Agent. This situation can be overcome by putting information about the server into the lnsnmp.ini file. For additional information see Special Considerations for a Partitioned Server.
The Allow Server Start and Allow Server Stop configuration options can be found in the SNMP tab of a server Configuration Settings document.
For more information about server Configuration Settings documents, see the chapter Setting Up Mail Routing.
Enabling the SNMP Agent to reboot the system
You can reboot the system from a remote management console using the Domino SNMP Agent. To do so, you must enable the Domino SNMP Agent to reboot the system. By default, the Domino SNMP Agent does not allow remote system reboot. You do not need to modify a server's Configuration Settings unless you want to enable the Domino SNMP Agent to reboot the system.
Note: Rebooting is not supported on the zSeries (S/390) platform.
Note: In the case of a partitioned server, all running partitions must agree that it's permissible to reboot the system. If one running partition is configured to not allow a system reboot then the reboot will not be performed.
The Allow System Reboot configuration option can be found in the SNMP tab of a server Configuration Settings document. For more information about server Configuration Settings documents, see the chapter Setting Up Mail Routing.
To initiate a system reboot, the remote management console must set the lnRemoteReboot MIB object.
To start the Lotus Domino SNMP Agent service, enter this command:
net start lnsnmp
zOS (OS/390)
To start the lnsnmp process, type the lnsnmp command from an OpenEdition command line. The command and its parameters are shown below:
lnsnmp [-I ipaddress] [-C community] [-P dpiport]
All parameters are optional. The defaults are as follows:
  ipaddress: the value returned from GETHOSTBYNAME.
  community: public
  dpiport: 161. The value must match the value in the SNMP configuration file (SNMP.PORT).
3. Click Load Traps. The Load Traps Definition File dialog appears.
4. Select the Trap Definition File, domino.tdf, that you copied in step 1.
5. Click OK. The Load Device Traps dialog box appears.
6. Select 1.3.6.1.4.1.334.72 in the Device Class field.
7. Click OK. The Customize Trap Alarms dialog reappears.
8. Click OK.
Having traps running causes traps to be updated as the script runs. See the NetView trapd man pages for more details.
4. As root, run the trap configuration script, addtraps.sh, that you copied in step 1. Enter this command:
sh addtraps.sh
You receive a message for each trap added.
5. Restart NetView. Enter this command:
ovstart
Upon completion, you receive the message Enterprise has been removed.
Each can respond to MIB requests. You can test them together or sequentially to determine which pieces are responding. You should use the community name configured into your Master SNMP Agent. Test the:
Base system MIB variable, for example, iso.org.dod.internet.mgmt.mib-2.system.sysDescr (.1.3.6.1.2.1.1.1.0), to determine if the platform's SNMP Agent is working and to find out which version of the platform-specific Master SNMP Agent is running. If this fails, you can (ICMP) ping the server to determine if TCP/IP is responding. If TCP/IP is running, check the community name used by the server's Master SNMP Agent. If you cannot verify the community name, try the public community name. Refer to your SNMP management software documentation for specific instructions.
MIB variable to determine if the Domino SNMP Agent is working, for example, iso.org.dod.internet.private.enterprises.lotus.notes.mpaInfo.lnMainProxyAgentVersion (.1.3.6.1.4.1.334.72.100.1.0), which indicates the version of the Domino SNMP Agent. QuerySet sends a heartbeat to the Domino SNMP Agent every few seconds. If the Domino SNMP Agent is not running, you will receive the following message for each failed heartbeat at the Domino server console:
Lotus Domino SNMP Agent is not available.
The message stops if you start the agent or tell the QuerySet Handler to quit running.
MIB variable to determine if the QuerySet Handler is working, for example, iso.org.dod.internet.private.enterprises.lotus.notes.lnInfo.lnQSBuildNumber (.1.3.6.1.4.1.334.72.1.5.0), which indicates the version of the QuerySet Handler.
If the other variables are successful, but the QuerySet Handler is not responding, verify that the task is running using the Show Tasks command on the Domino console. You can perform this test remotely if you are authorized, or you can open a database, such as the Domino Directory, with the Notes client to verify the server is running.
Caution: Every 30 seconds, the Domino SNMP Agent tests whether the QuerySet Handler is responding. If this test fails you will receive a Warning trap "Domino Server pulse has failed." This is usually a temporary problem because the server is overloaded. If the condition lasts 5 cycles, however, you will get a Critical trap "Domino Server is not responding." This means that the server may have crashed or hung. In either case, while it is occurring you will not be able to query the Domino MIB. When the pulse returns, you will receive a canceling trap message that the server pulse is restored.
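The layered test described above, written as an added example (not from the IBM guide): it queries the three OIDs in order and names the first layer that fails to answer. The use of the net-snmp snmpget command and the function names are assumptions; the OIDs and the follow-up advice are the ones given in the text.

```python
"""Find which SNMP layer of a Domino server has stopped answering."""
import subprocess
import sys
from typing import Callable, Optional, Tuple

SYS_DESCR = ".1.3.6.1.2.1.1.1.0"                  # mib-2 system.sysDescr
LN_AGENT_VERSION = ".1.3.6.1.4.1.334.72.100.1.0"  # lnMainProxyAgentVersion
LN_QS_BUILD = ".1.3.6.1.4.1.334.72.1.5.0"         # lnQSBuildNumber

# (layer, OID to query, what the guide says to do when it does not answer)
LAYERS = (
    ("master_agent", SYS_DESCR,
     "Master SNMP Agent did not answer: ping the server to see whether "
     "TCP/IP is responding, then check the community name."),
    ("domino_snmp_agent", LN_AGENT_VERSION,
     "Domino SNMP Agent did not answer: while it is down the Domino console "
     "logs 'Lotus Domino SNMP Agent is not available.' for each heartbeat."),
    ("queryset_handler", LN_QS_BUILD,
     "QuerySet Handler did not answer: verify the task with Show Tasks on "
     "the Domino console."),
)


def snmpget(host: str, community: str, oid: str, timeout: int = 2) -> Optional[str]:
    """SNMPv1 GET through the net-snmp CLI; None when there is no answer.

    The community string is passed as an argument, so it is visible in the
    local process list while the command runs.
    """
    cmd = ["snmpget", "-v", "1", "-c", community, "-t", str(timeout),
           "-r", "1", "-Oqv", host, oid]
    try:
        done = subprocess.run(cmd, capture_output=True, text=True,
                              timeout=timeout * 3 + 1)
    except (OSError, subprocess.TimeoutExpired):
        return None
    value = done.stdout.strip()
    return value if done.returncode == 0 and value else None


def diagnose(get: Callable[[str], Optional[str]]) -> Tuple[Optional[str], str]:
    """Return (first failing layer or None, advice).

    `get` takes an OID and returns its value, or None when the query fails.
    Layers are tried from the outside in, so a failure of the master agent
    is reported before anything that depends on it.
    """
    for layer, oid, advice in LAYERS:
        if get(oid) is None:
            return layer, advice
    return None, "All three layers answered."


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: domino_snmp_check.py <host> <community>")
    target, community_name = sys.argv[1], sys.argv[2]
    failing, message = diagnose(lambda oid: snmpget(target, community_name, oid))
    print(f"{failing or 'ok'}: {message}")
```

While a "Domino Server pulse has failed" or "Domino Server is not responding" condition is active, the Domino MIB cannot be queried, so a queryset_handler result during that window is expected.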
The Server Health Monitor extends the usefulness of traditional performance troubleshooting by automatically calculating health statistics, comparing those statistics to predefined thresholds, and reporting on overall server health. If the server health rating is Warning or Critical, a health report, which is stored in the Health Monitoring database (DOMMON.NSF), suggests short-term and long-term recommendations for tuning the server and returning its performance status to Healthy.
The Server Health Monitor is incorporated into the Domino server monitor, which is part of the Domino Administration client. All health statistics generated by the Server Health Monitor are local to the Domino Administration client.
For each server being monitored, the Server Health Monitor reports a health rating for the server and for all enabled individual server components, namely CPU, disk, memory, and network utilization; NRPC name lookup; mail delivery latency; and server, HTTP, LDAP, and IMAP response.
The health rating of each server and server component is based on a collection of indices. Health ratings, such as healthy, warning, or critical, are assigned based on these index values. Each index has a calculated value between 0 and 100. These values are based on server health monitoring assessment algorithms and rules. Each index has two related thresholds: a warning threshold and a critical threshold. When the index value is less than both thresholds, the server or server component is rated Healthy. When the index value is greater than the warning threshold, the server or server component is rated Warning. When the index value is higher than the critical threshold, the server performance is judged to be Critical and requires immediate attention.
The Server Health Monitor includes threshold values for each index on these platforms: AIX, IBM eServer iSeries (OS400), IBM eServer zSeries (Z/OS), Linux/Intel, Solaris/Sparc, Windows NT and Windows 2000. You can modify the thresholds to customize server assessment for each platform. You reduce or increase the thresholds to make the algorithms more or less sensitive.
Health Monitoring reports on each server area for which data can be retrieved. If no data is available, nothing is reported for that component. You can customize this behavior by specifying which servers you want to monitor. You can exclude any component from the health report, which is useful for filtering out known situations about which you don't want to be constantly reminded.
If you use the Server Health Monitor, the Current Reports view of the Health Monitoring database (DOMMON.NSF) displays a health rating for each monitored server and server component.
Health.Overall.Threshold.Warning < = Warning Health.Overall.Value and Health.Overall.Value < Health.Overall.Threshold.Critical Health.Overall.Threshold.Critical <= Health.Overall.Value and Health.Overall.Value <= 97 98 = Health.Overall.Value Critical
Critical
Health.*.Threshold.Warning <= Warning Health.*.Value and Health.*.Value< Health.*.Threshold.Critical Health.*.Threshold.Critical <= Health.*.Value and Health.*.Value <= 97 98 = Health.*.Value Critical
The component is failing to perform acceptably. The task associated with the component issued a fatal error message.
Fatal
99 = Health.*.Value
Not The task associated with the Responding component is not responding.
Server ratings
Rating: Description
Never Seen: The server has never been seen running during the current server monitor session.
Healthy: The server is performing within acceptable tolerances.
Warning: One or more server components are approaching unacceptable levels of poor performance.
Critical: The server is experiencing one or more of these critical problems: one or more server components are failing to perform acceptably; one or more tasks on the server have issued a fatal error; one or more tasks on the server are not responding.
Server Down: The server is not responding; therefore, it isn't responding to requests for statistics.
Component ratings
Rating: Description
Healthy: The server component appears to be running correctly.
Warning: The server component is approaching unacceptable levels of poor performance.
Critical: The server component is failing to perform acceptably.
Fatal: The task related to this component has issued a fatal error.
For more information about installing the Domino Administrator, see the chapter Setting Up and Managing Notes Users. The IBM Tivoli Analyzer for Lotus Domino is a separate product offering from Tivoli Systems. To learn more about how this integrated system management tool can help manage your servers and databases, ensure better performance, and help you plan for current and future needs, visit http://www.ibm.com/software/tivoli/r/analyzerfordomino or contact your Tivoli sales representative or Business Partner.
Make sure you have at least View-only Administrator rights for every server you want to monitor.
Use a TCP server event generator as a self probe to create Quality of Service (QOS) statistics.
For information on setting up platform statistics and using TCP Server Event Generators, see the chapter Monitoring the Domino Server.
changing threshold values inappropriately may result in health values that do not accurately reflect server capacity and availability. If you get results that seem inaccurate, restore the default threshold values.
To modify a threshold value
1. From the Domino Administrator, click the Server - Monitoring tab.
2. From the menu, choose Monitoring - Display Health Reports.
3. Under Configuration, choose Index Thresholds.
4. Choose the operating system whose threshold you want to change, and choose Edit Threshold Document.
5. Change the value for the Warning Threshold and/or Critical Threshold.
6. Click OK.
If you later decide to restore the default threshold values, perform Steps 1 through 5 above and then click Restore Defaults.
To reduce the amount of statistic data:
  Increase the server polling interval in Administration Preferences.
  Reduce the number of servers being actively monitored during a Domino server monitor session. The servers for each monitoring profile you use are added to the total number of servers being monitored. To clear this list to the servers of a specific profile only, stop the Domino server monitor, and then restart it.
Dedicate one workstation to the Server Health Monitor
servers monitored may be quite lengthy, which may impact the performance of the Server Health Monitor. To clear the list of servers monitored, stop and then start the Domino server monitor. You can also customize which profiles to monitor upon startup, by specifying profiles you want to monitor in the background, no matter which profile was monitored when you shut down the Domino server monitor.
You can perform the following tasks when you work with monitoring profiles:
  Creating monitoring profiles in the Domino server monitor
  Modify a system profile
  Specify monitoring profiles to monitor when you start the Domino server monitor
For more information on creating and modifying server profiles, and specifying which profiles to monitor when you start the Domino server monitor, see the chapter Monitoring the Domino Server.
3. In the Health column (Hea), the Server Health Monitor uses these icons to indicate the server's overall health:
  Green thermometer: the server's overall health rating is Healthy. All server components are within the appropriate range.
  Yellow thermometer: the server's overall health rating is Warning. One or more server components being monitored are approaching unacceptably poor levels of performance.
  Red thermometer: the server's overall health rating is Critical. One or more server components being monitored are failing to perform within acceptable tolerance levels.
1. Perform the steps listed above to temporarily exclude the server from the server monitor view.
2. From the Domino Administrator, click the Files tab.
3. Open the Health Monitoring database (DOMMON.NSF), and open the Configuration - Server Components view.
4. Delete the Health Monitoring Server Configuration document for the server being excluded.
5. Open the Health Reports - Current Reports view and delete the current health report and all the response documents for the server.
6. (Optional) Open the Health Reports - Historical Reports view and delete the historical health reports and the associated response documents for the server.
For information on creating statistic profiles and charting statistics, see the chapter Monitoring the Domino Server.
Activity Trends
Domino server resource utilization can be separated into two types, system activity and user activity. System activity, which includes the level of processor, disk, memory, and network consumption that Domino generates to keep the server running, is a fixed amount of activity, as long as systems are healthy and performing smoothly. Domino servers typically use a modest percentage of their resources to run. The remaining server capacity is used to support user activity, which varies with the usefulness of the data on the server.
With activity logging, servers account for their time precisely, recording user activity by person, database, and access protocol. When summarized and averaged, or trended over time, activity logging of trended statistics provides a way to measure and compare workloads across servers. You can use this information to identify the most active users and databases on each server. Using the Domino Change Manager, you can automate the creation and execution of workload redistribution plans to load a new server, decommission an old one, or balance workloads across unevenly burdened servers.
Activity Trends is part of the IBM Tivoli Analyzer for Lotus Domino, a separate product offering from Tivoli Systems.
The Activity Trends Collector is a Domino server add-in task that records and reports statistics about database activity on a server. Information is stored in the Activity Trends database (ACTIVITY.NSF). The IBM Tivoli Analyzer for Lotus Domino uses the collected data to determine the load on the server. Then, using resource-balancing functionality, the Analyzer applies trends analysis and statistics to intelligent algorithms that can provide computer-aided load balancing on a set of servers or simplify the server decommissioning process.
Integrated with the IBM Tivoli Analyzer for Lotus Domino, the Domino Change Manager provides workflow capability that creates resource-balancing plans and implements database moves, using the Tivoli Analyzer tools and analysis. The Domino Change Control database (DOMCHANGE.NSF) and Domino Change Manager are part of the Domino server core functionality.
Activity Trends includes:
  Server profile definition: For easy access to a named group of servers.
  Statistics profile creation: For easy access to a named group of statistics.
  Activity trends charting: You can chart a selected group of statistics for a single server or a group of servers.
  Resource balancing: Analyzes server resource use and creates recommendations for balancing the servers based on specified resource goals.
  Activity logging: To collect information that will be used for resource-balancing.
  Activity Trends: To set up times for data collection and retention.
  Domino Change Manager: To implement a workflow process in which changes made to the system are controlled and approved.
3. Click the Activity Logging tab, and check Activity logging is enabled.
4. Under Server Activity Logging Configuration, complete these fields:
Field: Action
Enabled logging types: Select the server tasks to use to produce activity logging data. For Activity Trends, enable all tasks except Domino.MAIL. At a minimum, you must enable Domino.Notes.Session and Domino.Notes.Database.
Checkpoint interval: Enter the number of minutes to wait between the creation of checkpoint records. The default is 15 minutes.
Log Checkpoint at Midnight: Check Yes to log ongoing session activity at midnight. This is required for Activity Trends. You must enable this field to enable Activity Logging.
Log Checkpoints for Prime Shift: Check Yes and then specify the prime shift interval to log checkpoints for the prime shift. You must enable this field to enable Activity Logging.
Prime Shift Interval: Specify the start and end time of prime shift. Set the interval on the hour.
5. Click the Activity Trends tab, and complete the following fields on the Basics tab:
Field: Action
Enable activity trends collector: Click yes to run the Activity Trends Collector. Activity Trends Collector uses the raw data from activity logging and prepares it for use with Activity Trends.
Activity trends collector database path: Enter the name and path of the database where Activity Trends data is stored if you want to change this. The default is ACTIVITY.NSF.
Time of day to run activity trends collector: Enter a time. The default is 3:23 AM. Schedule the Activity Trends Collector to run after the Catalog task runs. By default, the Catalog task runs at 1 AM.
Days of the week to collect observations: Select the days for which you want to collect observations. The default is Monday through Friday.
6. Under Activity Trends Data Profile Options, keep the Use defaults field enabled. If you choose not to use the defaults, complete these fields.
Field: Action
Trends cardinal interval: Enter the number of recent observations you want to use. The default is 10. When computing trended values, recent observations are weighted the most. For example, if you select Monday through Friday in the Day of the week to collect observations field and use the default 10 in the Trends cardinal interval field, the trended values will include two weeks of observations (five days each week).
Note: If you know there has been a recent change in user activity, you may choose not to use trended values.
Observation time bucket (seconds): Specify the time in seconds for one bucket. The default is 300. The observation time controls how many buckets you will have for one 24-hour observation period.
Maximum observation list time: Specify the maximum length of time data is kept in the Trends database before it is overwritten with new data. The default is 366, the number of days in a leap year.
Trends history interval: Choose one: Daily Weekly (default) Monthly Trend Interval
7. Click the Retention tab. Keep the Use defaults field enabled. Documents are overwritten after the retention period expires. The defaults are:
  Server history: 366 days
  Server observations: 15 days
  Database observations: 10 days
  User observations: 10 days
  Connection observations: 10 days
  Inactive database trends: 10 days
  Inactive user trends: 28 days
  Inactive connection trends: 28 days
  Run log: 20 days
8. Click the Proxy Data tab, and enter the names of the databases containing activity data to search.
9. Click Save and Close.
For detailed information on checkpoint records, see the chapter "Setting Up Activity Logging."
5. Click Add to add each server, and then click Done when you have completed your selections. This group is only temporary. To save this server profile, proceed to the next step.
6. Click the document icon and choose Save As.
7. In the Save Server Profile dialog box, enter a group name and click OK.
To create an additional server profile
Use this procedure to clear the current server profile and create a new one.
1. In the Server profile area, click the document icon, and choose New.
2. Click the green plus sign, and complete Steps 4 through 7 in the above procedure.
You can add or delete servers to an existing server profile. In Resource Balancing, you can also add phantom servers. A phantom server does not physically exist, but is factored in to the resource-balancing plan to evaluate how adding servers might alleviate current load problems.
To add a server to a profile
1. From the Domino Administrator, click the Server - Performance tab, and expand the Activity Trends section.
2. Select an Activity Trends view.
3. Under Saved server group configurations, choose a server profile.
4. Click the green plus sign to display the Add Server dialog box.
5. Under Server, do one or both of these:
   Click Existing Server, and then select from the list of available servers.
   Click Phantom (Resource Balancing view only), and then enter a name for the phantom server.
6. Click Add to add each server, and then click Done when you complete the selections. This group is only temporary. To save this server profile, proceed to the next step.
7. Click the document icon, and do one:
   Click Save As, and enter a new profile name.
   Click Save to update the existing profile.
To delete a server from a profile
1. From the Domino Administrator, click the Server - Performance tab, and expand the Activity Trends section.
2. Select an Activity Trends view.
3. Under Server profiles, choose a profile.
4. Select the name of one or more servers to delete.
5. Click the red minus sign.
For information about setting charting display options, see the topic "Setting charting options for resource balancing" later in this chapter.
To view Activity Trends charts
1. From the Domino Administrator, click the Server - Performance tab.
2. Select the Activity Trends view.
3. Select one of these views:
   Latest folder - Server: To view the set of data available for selected statistics on each selected server.
   Latest folder - Database: To view the databases on each selected server.
   Latest folder - User: To view the user statistics for all databases on the selected servers.
   Latest folder - Connection: To view information for a selected statistic from either the User or Database charts.
   Historical folder - Weekly
   Historical folder - Daily
Server roles
The role you assign to a server affects the resource-balancing results.
   Source Only: These servers cannot have any databases moved to them.
   Destination Only: These servers cannot have any databases removed from them. A phantom server is a Destination Only server and cannot be changed.
   Any: These servers can have databases moved to or from them.
Use the Server Profile Options dialog box to specify which databases and servers will be searched for activity data, and whether to use cached data. Because Activity Trends data changes only on a daily basis, caching data is highly recommended to increase system performance by avoiding a read across a potentially slow network. The first time a server's data is read, the data is cached and remains available. For example, if you read and then delete a server's activity data and later add the same server, the in-memory data is used.
You can open the Server Profile Options dialog box from the Activity Trends menu or by clicking the Server Profile Options button.
To specify locations
1. From the Domino Administrator, click the Server - Performance tab.
2. Select the Activity Trends - Resource Balancing view.
3. Choose Resource Balancing - Options to open the Server Profile Options dialog box.
4. Click General.
5. Under Activity Data Search Order, choose one or both:
   Search Local Activity Databases: To search the Activity databases (ACTIVITY.NSF) on each server on which Activity Trends is enabled.
   Search Activity Data Proxy Servers: To use servers that contain activity data copied or replicated from another server. Enter the name of the servers that have the proxy data. Activity Trends Collector proxy data options are configured in the Configuration Settings document in the Domino Directory.
6. Under Activity Trends Data Cache, for the field Enable caching of activity data, do one:
   Check Yes (default): To cache Activity Trends data. When data is cached, if the data for a server has already been retrieved (even though the server may not appear in any of the server lists), the cached data is used.
   Uncheck Yes: To gather Activity Trends data every time a new server is added. Data from servers that are removed is discarded immediately, and new data is retrieved.
7. For the field Cache expiration time out, enter the number of minutes that data remains cached after the server's data is first retrieved. The default is 360 minutes.
8. Choose one of the following to set location defaults. These defaults apply only to items on the current tab.
   Use Defaults: To revert to previously stored custom defaults.
   Save as Defaults: To save a custom set of defaults and override the system defaults.
   Reset Defaults: To revert to the system defaults.
To set chart options
1. From the Domino Administrator, click the Server - Performance tab, expand the Activity Trends section, and click Resource Balancing.
2. Choose Resource Balancing - Options to open the Server Profile Options dialog box.
3. Click Charting.
4. Under Font Preferences, select the way that type will appear on all charts in all Activity Trends views. The defaults are:
Chart Element Chart Heading Font Chart Axis Label Font Font Size Appearance Bold Plain Plain Default Sans Serif 12 Default Sans Serif 8 8
5. Under Resource Balancing Display Options, check Yes to enable these options for Resource Balancing view. The default is unchecked.
   Show actual values on Y-axis when displaying non-normalized data
   Show chart using 3D effect
6. Under Latest Activity Display Options, do the following to set the appearance of the Activity Trends - Latest folder views:
   a. For the field Maximum X-axis items that can be displayed, enter the number of items that can be shown in the horizontal position on the chart. The default is 1000.
   b. Check Yes to enable these display options. The default is unchecked:
      Show database titles on X-axis
      Show actual values on Y-axis when displaying single data type (such as bytes, transactions, milliseconds)
      Show chart using 3D effect
7. Under Historical Activity Display Options, check Yes to enable these options for the Activity Trends - Historical folder views. The default is unchecked.
   Show actual values on Y-axis
   Show chart using 3D effect
8. Choose one of the following to set Charting defaults:
   Use Defaults: To revert to previously saved custom defaults.
   Save as Defaults: To save a custom set of defaults and override the system defaults.
   Reset Defaults: To revert to the system defaults.
Statistic Name / Description
HTTP BytesFromServer: The number of bytes sent from the database, as recorded by the user session data.
HTTP BytesToServer: The number of bytes sent to the database, as recorded by the user session data.
HTTP RequestMsecs: Request time, in milliseconds.
HTTP Requests: The number of HTTP requests.
Notes BytesFromServer: The number of bytes sent from the server, as recorded by the user session data.
Notes BytesToServer: The number of bytes sent to the server, as recorded by the user session data.
Notes Connects: The number of database connections, as recorded by the user session data.
Notes DocumentsRead: The database read count, as recorded by the database activity data.
Notes DocumentsWritten: The database write count, as recorded by the database activity data.
Notes Transactions: The number of transactions, as recorded by the user session data.
Replica BytesRead: The number of bytes read, as recorded by the Replicator task.
Replica BytesWritten: The number of bytes written, as recorded by the Replicator task.
Users: The count of unique users, as recorded by the user session data.
1. From the Domino Administrator, click the Server - Performance tab.
2. Select the Activity Trends - Resource Balancing view.
3. Choose Resource Balancing - Options to open the Server Profile Options dialog box.
4. Expand the Balancing section, and then click Goals.
5. Complete these fields to specify the primary goal:
Field / Action
Statistic Name: Select a statistic from the list. The default is Notes Transactions.
Tolerance: Enter a percentage. The default is 10%.
Analyze: Choose one:
   Trended Data (default): To analyze the resource balance based on trended data.
   Last Observation Data: To analyze the resource balance based on the data that was gathered during the most recent observation time.
Over period: Choose one:
   Complete Day (24 hours): To analyze data gathered during a 24-hour period.
   Prime Shift Only (default): To analyze data gathered during the prime shift hours.
   Note: The prime shift hours are defined on the Activity Logging tab of the Configuration Settings document.
For more information on defining prime shift hours, see the topic "Setting up Activity Trends" earlier in this chapter.
6. Click Secondary Goal, and repeat Step 5 to specify the values for the secondary goal. Goals that were selected as Primary goals will not appear in the list of available statistics for secondary goals.
7. (Optional for secondary goal only) Enable Other options if any tolerance value is acceptable as a solution for resource balancing.
8. Choose one of the following to set defaults for goals. You can set these defaults on either the Primary or Secondary Goal tab.
   Use Defaults: To revert to previously saved custom defaults.
   Save as Defaults: To save a custom set of defaults and override the system defaults.
   Reset Defaults: To revert to the system defaults.
You pin databases in one of two ways. You can list databases you do not want to move, or you can list only the databases that you do want to move. After you define a pin list, you can save it as a pin list profile.
Tip: You can also pin individual databases from the Available Databases list in the Server - Performance tab, in the Resource Balancing view of the Domino Administrator.
By default, all databases are associated with all servers. The server name can be specified as part of the entry. Use a colon to specify the server part. For example, Acme/East:mail/*.nsf applies to all mail/*.nsf databases on the server Acme.
When you select servers to balance resources, you should be aware that Activity Trends does not recognize that servers are in a cluster. If you include servers from different clusters or some servers that are in a cluster and some servers that are not in a cluster, Activity Trends may suggest moving a database out of a cluster in order to balance the resources. To prevent this, you can create a separate server profile for each cluster and one for nonclustered servers, or you can pin databases that you want to exclude from resource balancing.
You can open the Server Profile Options dialog box from the Resource Balancing menu, or by clicking the Server Profile Options button.
To create a master pin list
1. From the Domino Administrator, click the Server - Performance tab.
2. Select the Activity Trends - Resource Balancing view.
3. Choose Resource Balancing - Options to open the Server Profile Options dialog box.
4. Expand the Balancing section, and then click Pin List.
5. Click the Database Pin List tab.
6. Under Pin Method, choose one:
   Pin listed databases: To pin the listed databases so that they will not be moved.
   Pin all but listed: To make the listed databases available to be moved, and pin all other databases.
7. Under Database List, add or delete databases. To add a database, enter the name directly on the list.
8. Next to the list of database names, do one:
   Choose Reset to return the list to its original set of databases.
   Choose Save as, and enter a name to save a new pin list.
9. Choose one:
   Use Defaults: To revert to previously saved custom defaults.
   Save as Defaults: To save a custom set of defaults and override the system defaults.
   Reset Defaults: To revert to the system defaults.
To edit or delete a saved pin list profile
1. Under Saved Pin List Profiles, select a profile.
2. Do one:
   Edit the list of databases, and then click Save.
   Click Delete.
Resource balancing attempts to balance the bins among the servers as well as the total for the servers. This is important because heavily utilized databases (databases with a high number of transactions) also have the greatest variance. That is, their usage is more likely to vary from the mean more frequently. This means that when there is a spike in activity, the spike will be a big spike, and the dip will be a big dip.
Dividing the databases into bins separates the few databases that account for a large amount of activity from the large number of databases that account for little activity. For example, out of 100 databases on a server, 10 databases may account for 30% of activity, while 65 databases account for another 30%. The remaining 40% of activity is accounted for by the 25 medium-usage databases. Balancing according to the bins ensures that heavily used and lightly used databases are evenly distributed across the servers. This results in more predictable usage patterns, increased availability, and more efficient use of resources.
Deciding the exact percentages for each of the bins depends on how your organization uses its databases and the type of server being balanced (mail server versus application server). For mail servers in most organizations you may want to increase the size of the light bin and decrease the size of your heavy bin, while for application servers the mix may be different.
For more information about charting bin activity and how the values are calculated, see the topic "Understanding current and projected profile charts," later in this chapter.
You also specify how Activity Trends analyzes the server resource capacities. By default, server capacities are determined relative to other servers in the list. For example, a server that has a capacity of x1 transactions has half the transactional capability (CPU) of a server at x2.
You could, however, balance resources based on actual values (such as the number of transactions per day, or the total amount of disk space available). Using the example above, you would specify the servers as having a capacity of 10,000 and 20,000 transactions. However, if you choose to balance resources based on actual values, you have to know that the servers involved can actually handle the capacities specified.
Another way in which you indicate server resource capabilities is to specify how the server volume is determined. You can either use server volume and file system information when resource balancing, or ignore volume information and treat all space as flat. The default is to use the volume information, which uses the different physical volumes and their sizes that comprise the space available to Domino, rather than just the total amount of space on the server. Volume balancing is recommended.
This may produce plans in which a database moves to a different server and has a different destination path because of space requirements on a particular volume on the destination server.
7. For the field Enter server resource capacities as relative values when editing server properties, do one:
   Check Yes (default) to specify server resource capabilities relative to other servers in the list.
   Uncheck Yes to specify actual values, such as the number of transactions per day or the total amount of available disk space.
8. For the field Use server volume and file system information when resource balancing, do one:
   Check Yes (default) to use the volume information, such as physical volumes and their sizes that comprise the space available to Domino.
   Uncheck Yes to ignore volume information and use the total amount of space on the server, treating all space as flat.
9. For the field Warning when data is older than n days, enter the number of days before a warning is generated. The default is 7 days. Then if you create a resource-balancing plan and the data is older than 7 days, you receive a warning that the resulting plan will be based on old data.
10. Choose one of the following options to set Resource Balancing behavior defaults:
   Use Defaults: To revert to previously saved custom defaults.
   Save as Defaults: To save a custom set of defaults and override the system defaults.
   Reset Defaults: To revert to the system defaults.
a particular server. There are many reasons why this could happen. Sometimes, there is no solution within the parameters specified and resources are balanced as well as they can be.
4. Review the server capacity and accuracy information before and after proposed targets.
5. Change the mix of servers and server properties and run the analysis again, if necessary.
6. Submit a plan to the Domino Change Manager to implement the new balance of resources.
To create a proposal
1. From the Domino Administrator, click the Server - Performance tab.
2. Under Activity Trends, click Resource Balancing.
3. Choose a server profile.
4. Click the Available Databases tab to display the list of databases that can be moved.
5. (Optional) To change the databases that are available for moving, select a database and click Pin or Unpin.
6. Make sure that each server in the top frame has an arrow next to its name. If there is a red (x) instead of an arrow, the server is not reporting its trended data. You must remove the server or make it a phantom server; otherwise, the Analyze button will be disabled and you will not be able to create a proposal.
7. Check the server properties to make sure that the capacity of each server is weighted correctly.
   For information on editing server properties, see the topic "Editing server properties for resource balancing" later in this chapter.
8. Click Analyze.
9. When the analysis is complete, view the Recommended Plan and Project Profile.
Evaluate the changes that are proposed during resource balancing. If you are not satisfied with the proposed changes, change the mix of servers or databases or adjust the specified tolerance level in the Server Profile Options dialog box. If you are happy with the proposal, then you are ready to submit the plan to the Domino Change Manager.
Hover over the red X with your mouse to see the status of the server, including the error message. The Edit Server Properties dialog box also shows associated error messages in the Status field.
For each goal specified in the Server Profile Options dialog box, Activity Trends displays the following information that you use to evaluate whether a server is a candidate for resource balancing:
   Current: The current value of the metric as recorded.
   Capacity: The resource capacities of each server. Resources are balanced using either capacity or target values. By default, the capacity is the value used in determining the targets during resource balancing. You set this value by editing server properties.
   Target: The target value that you want to meet during resource balancing. This value is based on the statistics specified as primary and secondary goals. For example, if Notes Transactions is a goal, the value is the number of transactions. So, if a server has a target of 2000 transactions, the resource-balancing solution attempts to provide this server with 2000 transactions.
   Projected: The calculated final value of the server's resource, if the generated solution (plan) were to be applied.
   Accuracy: A percentage from 0 to 100 that represents how successfully the moves were made, based on the behavior criteria you specified. A low percentage is bad and a high percentage is good.
Servers whose values are within the tolerance for the goal (set in server profile options) display in blue. Values that did not achieve the tolerance specified for the goal display in red. This is not necessarily bad; sometimes it means you need to use other servers or that there is no good solution for this resource problem. In a good balance, there should be almost no red values for the primary goal, and perhaps a few for the secondary goal.
If you do not like the distribution of activity or servers based on this evaluation, you can edit the server properties to change the server role. Likewise, you can alter some of the options selected in the Server Profile Options dialog box. If you have not set server profile options, you can edit the server properties to change some of the option defaults, and then analyze again using the new server values.
For more information on editing server properties, see the topic "Editing server properties for resource balancing" later in this chapter.
[Chart: axis scale 0 to 80; legend: Heavy activity, Medium activity]
Light: The light bin is the top bin when graphed, using the lightest color of blue. This indicates the bin with the lightest amount of activity.
Medium: The medium bin is the middle bin when graphed, using a medium blue. This indicates the bin with a medium amount of activity.
Heavy: The heavy bin is the bottom bin when graphed, using the darkest color of blue. This indicates the bin with the heaviest amount of activity.
How bin values are calculated
To understand how bin values are calculated, assume there are 20 databases, each with a varying number of transactions. Five is the lowest number of transactions on any database, and 420 is the highest number of transactions on the most active database. The total transactions per database is represented as follows:
   5,5,10,10,15,25,25,50,75,100,120,125,140,150,250,300,310,350,400,420 = 2885 transactions
When you group these transactions based on the bin sizes designated in the Server Profile Options (30% light, 40% medium, and 30% heavy), the transactions are distributed as follows:
   Light = 5,5,10,10,15,25,25,50,75,100,120,125,140,150 (14 databases account for 855 transactions; 865 is the target)
   Middle = 250,300,310 (3 databases account for 860 transactions; 1154 is the target)
   Heavy = 350,400,420 (3 databases account for 1170 transactions; 866 is the target)
[Chart: bar for server Sales1, Y-axis 0 to 1. Pop-up text:]
   Server: Sales1/Acme
   Stat: Notes Transactions
   Units: transactions
   Total: 2885 [DBs: 20]
   Light: 855 [DBs: 14]
   Medium: 860 [DBs: 3]
   Heavy: 1170 [DBs: 3]
When you view these charts, you see that 29% of the chart is light blue; 30% is medium blue; and 40% is dark blue. Hovering over the bar on the chart, the pop-up shows that most transactions on the server occur on relatively few (three) databases. In this case, 15% of the databases account for about 40% of the transactions. If the bars for the other servers on which you are balancing resources have different proportions for light, medium and high bins, then resource balancing would better spread the load across the system and probably result in better server performance.
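The bin split worked through under "How bin values are calculated", as an added example that is not part of the original documentation or IBM's code. The documentation does not state the assignment rule; the greedy ascending fill below is an assumption that reproduces the page's 855 / 860 / 1170 split, and the names split_into_bins and summarize are hypothetical. The targets it computes are unrounded (865.5, 1154, 865.5), where the page prints 865, 1154 and 866.

```python
from dataclasses import dataclass, field

# Per-database transaction counts from the worked example on this page.
PAGE_TRANSACTIONS = [5, 5, 10, 10, 15, 25, 25, 50, 75, 100, 120, 125, 140,
                     150, 250, 300, 310, 350, 400, 420]


@dataclass
class Bin:
    name: str
    target: float                       # transactions this bin aims to hold
    counts: list = field(default_factory=list)

    @property
    def total(self):
        return sum(self.counts)


def split_into_bins(counts, light_pct=30, medium_pct=40):
    """Assumed rule (not stated by the documentation): walk the databases from
    least to most active and add each one to the current bin only while the
    bin stays at or below its target; whatever is left forms the heavy bin."""
    if light_pct < 0 or medium_pct < 0 or light_pct + medium_pct > 100:
        raise ValueError("bin percentages must be >= 0 and sum to at most 100")
    ordered = sorted(counts)
    grand_total = sum(ordered)
    heavy_pct = 100 - light_pct - medium_pct
    bins = [Bin("Light", grand_total * light_pct / 100),
            Bin("Medium", grand_total * medium_pct / 100),
            Bin("Heavy", grand_total * heavy_pct / 100)]
    i = 0
    for b in bins[:-1]:
        while i < len(ordered) and b.total + ordered[i] <= b.target:
            b.counts.append(ordered[i])
            i += 1
    bins[-1].counts.extend(ordered[i:])   # a single very busy database lands here
    return bins


def summarize(bins):
    """Per bin: transactions, database count, and shares of the server totals."""
    tx_total = sum(b.total for b in bins)
    db_total = sum(len(b.counts) for b in bins)
    return [{
        "bin": b.name,
        "transactions": b.total,
        "databases": len(b.counts),
        "target": b.target,
        "tx_share": b.total / tx_total if tx_total else 0.0,
        "db_share": len(b.counts) / db_total if db_total else 0.0,
    } for b in bins]


if __name__ == "__main__":
    for row in summarize(split_into_bins(PAGE_TRANSACTIONS)):
        print(f'{row["bin"]:<6} {row["transactions"]:>5} tx '
              f'[DBs: {row["databases"]}] target {row["target"]:.1f} '
              f'({row["tx_share"]:.1%} of transactions, '
              f'{row["db_share"]:.0%} of databases)')
```

The db_share and tx_share columns make the concentration visible: the heavy bin holds 15% of the databases and about 40% of the transactions, which is the pattern the pop-up text describes.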
If you set a capacity (or target) of zero for source-only or any-role servers, resource balancing tries to move all unpinned databases on the server. This is useful when decommissioning servers and moving their contents to new servers.
If a server's data cannot be obtained, you can treat the server as a phantom server and then change it back to a real server when data becomes available. After changing it back, press F9 to refresh and read the data from the server.
To edit server properties
1. From the Domino Administrator, click the Server - Performance tab and open the Resource Balancing view.
2. Under Server profiles, do one:
   Select a profile
   Select All Servers
3. In the Servers section, double-click the server whose properties you want to edit. In the Edit Server Properties dialog box, the server name and domain name appear by default. Complete the following fields:
Field / Action
Type: Choose one:
   Real: To identify a server that physically exists in the domain.
   Phantom: To identify a server that does not physically exist but is factored in to the resource-balancing analysis.
   Note: The option to toggle between a real server and a phantom server is available only for real servers whose data cannot be obtained.
Role: Choose one:
   Any: Databases can be moved to or from the server.
   Source Only: This server will not have any databases moved to it.
   Destination Only: This server will not have any databases moved from it.
   Note: Phantom servers are always Destination Only.
Goals: Select either the primary or secondary goal from the list. These are the goals set in the Server Profile Options dialog box. For more information about goals, see the topic "Primary and secondary goals for resource balancing."
Capacity: Select this option to balance resources for the selected goal, based on server capacity. Enter the number of resource units. The default is 1.
Target: Select this option to balance resources based on achieving a target goal. Enter a target value for the goal you selected.
database that is pinned by the master pin list. However, the status of each database is saved with the server profile information for the selected server profile.
To pin or unpin databases as you balance resources
1. From the Domino Administrator, click the Server - Performance tab, expand the Activity Trends section, and choose Resource Balancing.
2. Click the Available Databases tab.
3. Do one of the following:
   Select the databases that cannot be moved, and then click Pin.
   Select one or more databases that are currently pinned, and then click Unpin.
4. Click the Analyze button to see the effect of the new pinning information.
1. From the Domino Administrator, click Server - Performance.
2. From the Resource Balancing menu, select layout, and then choose one:
   Maximize
   Maximum Width
   Maximum Height
   Restore
3. Save and close the NOTES.INI file.
4. At the console, enter this case-sensitive command exactly as shown:
load runjava ChangeMan
Tip To display full help text for this task, append -? or -help to the command.
You set these options in the Configuration Settings document for the domain. This Configuration Settings document applies the settings as the default settings for all servers and uses * [All Servers] as the group or server name.
To specify the maximum concurrent tasks
1. From the Domino Administrator, click the Configuration tab, expand the Server section, and click Configurations.
2. Select the * [All Servers] Configuration Settings document, and click Add Configuration or Edit Configuration.
Action Stops and then starts the plug-in. Currently, Control, Monitor, and RoboAdmin are the defined plug-ins. Note Alternatively, you can also use the form plug-in restart.
plug-in command: Attempts to issue the command to the named plug-in, if it exists and is running.
reset: Resets the internal lookup caches.
For more information on using Domino server commands, see the appendix Server Commands.
documents (Interface and Function Definitions, Domain Configurations and Plug-ins) must be signed by either the Change Manager server or a user who has the System Admin role. When the database is first created, all control documents are signed by the server. This is to ensure the security of the Change Manager system and the Domino Server.
Plan Creator: This role designates users and groups of users who can create plans.
Plan Reader: This role allows users and groups of users to read all plans. By default a Change Administrator can read all plans and does not explicitly need this role. Authors and Requesters of plans do not need this role to read their own plans.
Recommended ACL settings
   Assign the roles of Change Administrator and System Administrator only to administrators who require them. Administrators who have these roles have the ability to alter the basic system documents of a plan. The recommended access level is Editor for most Change Administrators and System Administrators. However, you can assign the Author access level, but add restrictions on editing existing system documents such as Interface or Function definitions. The System Admin role should be especially restricted.
   Assign the Plan Creator role only to those people or groups in an organization that can create plans. Plan Creators only create plans; they cannot commit them.
   Assign the Plan Reader role to people and groups that will be allowed to read plans only. This role assumes that the people and groups reading the plans are not Authors or Requesters.
   Make sure that the Change Administrators and servers in the LocalDomainServers group have Create Replica access rights.
Resource-balancing plans
The purpose of a resource-balancing plan is to move databases according to the set of criteria defined in the Server Profile Options. The plan is based on the analysis and proposal created during data exploration in Activity Trends. When a plan is first submitted to the Domino Change Manager, the plan has draft status. By default, the person who submits the plan to the Domino Change Manager is the author and has the Plan Creator role. After the plan is submitted, it follows a prescribed course of submissions and approvals until the final plan is activated and then completed. The flowchart below shows the progression of a resource balancing plan from its original draft state through its completed, archived state.
Promoting a plan from one state to another, such as from drafted to prepared, can be made from within the plan document or from the Change Control database (DOMCHANGE.NSF).
[Flowchart: progression of a resource-balancing plan. Labels shown: Submitted, Draft, Prepare, Prepared, Redraft, Commit, Committed, Reject, Rejected, Approve, Approved, Cancel, Cancelled, Activate, Activated, Hold, On Hold, Release, Fail, Failed, Retry, Complete, Completed, Archive, Archived (Pseudo-state). Legend: Author or Administrator activated; Approver activated; System activated; Administrator or System activated.]
The workflow for processing a plan submitted by Resource Balancing follows these steps:
1. The author fully defines a plan by editing the draft plan.
2. The author or a Change Administrator prepares the plan, thereby changing the plan's status to prepared. The prepared state signals that the author is satisfied with the details of the plan and wants to have it executed.
3. A Change Administrator reviews the details of the plan and makes any necessary changes, which are typically limited to adding or removing approvers. At this time a Change Administrator can cancel the plan or commit the plan to execution, subject to approval by various groups and roles.
4. A committed plan is either approved or rejected by approvers. Approval must be unanimous for a plan to be approved. If one of the approvers is a group, only one member must approve the plan. If one approver rejects a plan, it passes into the rejected state. If no approvers are assigned, the plan automatically passes to the approved state.
5. At any stage, a plan can be canceled. An author can cancel a plan prior to its prepared state. A Change Administrator can cancel a plan any time prior to completion. Canceled and rejected plans can be redrafted. Plans can be changed only in the draft state. If change to a plan is required, cancel or reject it, and then redraft the plan. A redrafted plan begins again in draft status.
6. After a plan is approved (and is within the plan's optional start and end times for activation), it is moved to activated status. While the plan is in the activated state, a Change Administrator can put any part of the plan on hold.
7. The activated plan runs to completion unless an error causes the plan to fail. If the plan fails, the Change Administrator can change the environment or the plan, and then retry it.
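The workflow steps above, modeled as a small state machine that checks both the current state and the actor's authority before each transition. This is an added example, not IBM's code or part of the original documentation. Assumptions: the names Plan, apply, attempt and the SYSTEM actor are hypothetical; redraft is allowed to the author or a Change Administrator; hold applies to the whole plan; the activation time window is not modeled.

```python
from enum import Enum


class State(Enum):
    DRAFT = "draft"
    PREPARED = "prepared"
    COMMITTED = "committed"
    APPROVED = "approved"
    REJECTED = "rejected"
    CANCELLED = "cancelled"
    ACTIVATED = "activated"
    ON_HOLD = "on hold"
    FAILED = "failed"
    COMPLETED = "completed"


ADMIN = "Change Administrator"   # role name from the page
SYSTEM = "SYSTEM"                # hypothetical marker for system-driven steps

# action -> (states it is allowed from, resulting state)
TRANSITIONS = {
    "prepare":  ({State.DRAFT}, State.PREPARED),
    "commit":   ({State.PREPARED}, State.COMMITTED),
    "approve":  ({State.COMMITTED}, State.APPROVED),
    "reject":   ({State.COMMITTED}, State.REJECTED),
    "redraft":  ({State.CANCELLED, State.REJECTED}, State.DRAFT),
    "activate": ({State.APPROVED}, State.ACTIVATED),
    "hold":     ({State.ACTIVATED}, State.ON_HOLD),
    "release":  ({State.ON_HOLD}, State.ACTIVATED),
    "fail":     ({State.ACTIVATED}, State.FAILED),
    "retry":    ({State.FAILED}, State.ACTIVATED),
    "complete": ({State.ACTIVATED}, State.COMPLETED),
    "cancel":   (set(State) - {State.COMPLETED, State.CANCELLED},
                 State.CANCELLED),
}


class WorkflowError(Exception):
    """Raised when a transition is not allowed for this actor or state."""


class Plan:
    def __init__(self, author, approvers=(), groups=None):
        self.author = author
        self.approvers = list(approvers)   # user names or group names
        self.groups = groups or {}         # group name -> set of member names
        self.state = State.DRAFT
        self.satisfied = set()             # approver entries already approved
        self.history = []                  # audit trail: (action, actor, state)

    def _entries_for(self, user):
        """Approver entries this user can act for (own name or a group)."""
        return {a for a in self.approvers
                if a == user or user in self.groups.get(a, ())}

    def _authorized(self, action, user, roles):
        is_admin, is_author = ADMIN in roles, user == self.author
        if action in ("activate", "fail", "complete"):
            return user == SYSTEM
        if action in ("prepare", "redraft"):
            return is_author or is_admin
        if action == "cancel":          # author only before the prepared state
            return is_admin or (is_author and self.state is State.DRAFT)
        if action in ("approve", "reject"):
            return bool(self._entries_for(user))
        return is_admin                 # commit, hold, release, retry

    def apply(self, action, user, roles=()):
        allowed_from, target = TRANSITIONS[action]
        if self.state not in allowed_from:
            raise WorkflowError(f"{action} not valid from {self.state.value}")
        if not self._authorized(action, user, set(roles)):
            raise WorkflowError(f"{user} may not {action} this plan")
        if action == "approve":         # unanimous; one member speaks for a group
            self.satisfied |= self._entries_for(user)
            if self.satisfied != set(self.approvers):
                target = State.COMMITTED
        if action == "redraft":
            self.satisfied.clear()      # earlier approvals do not carry over
        self.state = target
        if action == "commit" and not self.approvers:
            self.state = State.APPROVED  # no approvers: approved automatically
        self.history.append((action, user, self.state))
        return self.state


def attempt(plan, action, user, roles=()):
    """Return the new state, or None when the workflow refuses the step."""
    try:
        return plan.apply(action, user, roles)
    except WorkflowError:
        return None
```

The refused steps are the ones worth auditing: a Plan Creator trying to commit, an author cancelling after the prepared state, or a non-approver trying to approve all return None here and leave the plan's state and history untouched.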
What happens if a move fails
A database move can fail for a number of reasons. For example, a database move fails if a server is down, if the destination server does not have create replica rights, or if the source database has been manually moved or deleted. How the Domino Change Manager handles the failure depends on how the moves are executed:
- Concurrently: If any demand fails, the plan continues with other demands. When all demands are in a state of completion or failure, the plan reports a failure to the Domino Change Control database (DOMCHANGE.NSF). You can then retry the move, and the plan will attempt to complete only the demands that failed during the previous attempt.
- Sequentially: If any demand fails, the plan stops.
3. Find the target plan and expand the plan to view the database move sequences.
4. Expand any of the database move sequences and view the individual moves.
To view database moves in the resource-balancing plan
1. From the e-mail notification, click the link to the plan.
2. In the plan document, select the Demand Details tab.
5. Under Execution options, choose one:
   - Sequential: To execute each demand set (database move sequence) one at a time.
   - Concurrent: To move all demand sets at the same time.
6. In the field Activate Plan, do one:
   - Choose Only between specified start and stop periods and specify a time during which the request can be sent to the Administration Process.
   - Choose Anytime after specified start and specify a time after which the request can be sent to the Administration Process.
   - Choose Anytime before specified end and specify a time by which the request must be sent to the Administration Process.
   - Choose At any time (after approval) to submit the request to the Administration Process any time after the plan is approved.
7. Under Requesters and Authors, the plan automatically displays the name of the person who submitted the plan. However, you can edit either field if, for example, you submitted the plan for someone else but you do not want to remain as the requester or the only author.
8. Click the Approval tab, and complete one or both of these fields:
   Field | Action
   Approval profile | Do one: Click Choose Profile and select the approval profile from the list. Click Clear Profile to remove the assigned profile.
   Require approval from | Enter the names of users or groups to add to the approval list.
9. Click the Notifications tab. This tab lists, by role, those who will be notified at each stage of the plan. Add or remove the selection of any role as needed. Check Others, and then select from the list to add users to the notification list.
10. (Optional) Click the Variables tab. The default variable is Execution time, and the value is unspecified. To specify an execution time at which the Administration Process executes the plan, you must edit the variable. For information on editing variables see the topic Editing and creating resource balancing plan variables later in this chapter.
11. Click the Constraints tab to view and edit the constraints that will apply to the moves executed by this plan. By default, no constraints are assigned automatically.
   - Referenced constraints: Lists the constraints that apply to this plan. Click Edit to add or remove one of the constraints.
   - Ad-hoc constraints: Click New to create a new constraint. For information on creating constraints see the topic Creating constraints in the Domino Change Manager later in this chapter.
12. When you finish changing the draft plan, click Apply.
13. Click Change Control to promote this plan from draft state to prepared state, and then click OK.
7. Click OK.
- Awaiting Commitment: To view plans that have been fully approved, but have not yet been committed for completion.
- Active Plans: To view plans that have been fully committed and are being carried out by Change Manager.
- By Status: To view all plans grouped by status.
To view constraint definitions
You can view a definition of each constraint and constraint set.
1. Make sure that you have the Change Admin role so that you can edit, create, and delete constraints.
2. From the Domino Administrator, click the Server - Analysis tab.
3. Click Domino Change Control, and then select the Setup Constraints view.
6. Under Behavior, click Choose Function, and then select a function.
7. Click the Variables tab, and then click Edit to add a variable to this constraint.
8. Click OK to save and close the document.
Note To edit a constraint, select a constraint and edit the fields listed in Steps 5 through 7. When you edit a constraint, you can also edit the arguments for assigned variables.
6. Click the Constraints tab, and then click Edit.
7. Select the constraints you want to include in this constraint set.
8. Click OK to save and close the document.
7. Select a Type: Text, Number, Time, or Boolean.
8. For the field Special, do one:
   - Choose Simple value, and then enter a Text value.
   - Choose Formula, and then click Keywords and Variables and copy a text formula.
   - Choose Unspecified to leave the value undefined.
To create a new variable
1. Perform Steps 1 through 5 in the procedure above.
2. In the Edit Variables dialog box, click New.
3. In the Name field, enter a name for the variable.
4. Complete the Type and Special fields.
Transaction logging
Domino supports transaction logging for servers that run Domino 5 and later, and for databases that are in a Domino 5 or later on-disk structure. Transaction logging captures all the changes made to a database and writes them to a transaction log. The logged transactions are then written to disk in a batch, either when resources are available or when scheduled.
A transaction is a related series of changes made to a database on a server. For example, opening a new document, adding text, and saving the document is one transaction. In this case, the transaction consists of three separate implicit API calls: NotesOpen, NoteUpdate, and NoteClose.
A transaction log is a record of changes made to Notes databases. The transaction log consists of log extents and the log control file (NLOGCTRL.LFH). A log extent is one of the log files into which the transaction logs are written. It has the form Sxxxxxxx.TXN, where xxxxxxx represents a seven-digit number that is unique to that server. Domino fills each extent sequentially before writing data to a new one. The records are secured using a proprietary byte-stream format. Each server has only one transaction log that captures all the changes to databases that are enabled for transaction logging.
Use transaction logging to:
- Schedule regular backups. Backups based on transaction logs are faster and easier than full database backups that do not use transaction logging.
- Recover from a media failure. If you have a media failure, you can restore the most recent full backup from tape, then use the transaction logs to add the data that was not written to disk.
- Recover from a system crash. When the server restarts, it runs through the end of the transaction logs and recovers any writes that were not made to disk at the time of the crash. Logged databases do not require a consistency check.
- Log the database views. You can avoid most view rebuilds.
To use all the features of transaction logging for backups and backup recovery, you need a third-party backup utility that uses the backup and recovery methods of the Domino C API Toolkit (Release 5 or later). For example, in the case of a media recovery, a database backup is taken with the third-party utility, while logging keeps track of updates to the database. When the database is then lost, the backup is brought up to its current state by going through the transaction log and applying any updates that have happened to that database since the database backup was taken.
Note that restart recovery does not require a third-party utility. In this case, logging goes on while updates are happening. When the server crashes and then restarts, any updates that would otherwise have been lost are written to the database. This significantly reduces lost data and database corruption caused by server crashes, and reduces overall restart time because the consistency check of databases is not required.
A few days later, there's a media failure. The administrator restores the corrupted databases from the most recent weekly backup and replays the changes. The employees who use the databases do not notice any difference in how they do their work. They might notice, however, that servers are up and running more often and that there is less down time.
Archived logging creates log files as needed. It simplifies backup and restoration, and provides online and partial backups. The log files are not overwritten until you archive them. With archived logging, you must have a backup utility to back up the filled log extents so that they are ready if needed. If you do not have a backup utility, the server continues to create log extents, fills up the disk space, and then panics.
Field | Action
Log path*
Maximum log space | For circular and linear logging only. The maximum size, in MB, for the transaction log. Default is 192MB. Maximum is 4096MB (4GB). Allocate a separate disk with at least 1024MB (1GB) of disk space for the transaction log. Domino formats at least 3 and up to 64 log files, depending on the maximum log space you allocate.
Automatic fixup of corrupt databases | Choose one:
- Enabled (default): To run the Fixup task automatically if a database is corrupted and Domino cannot use the transaction log to recover it. Domino assigns a new DBIID and notifies the administrator that a new database backup is required.
- Disabled: To not run the Fixup task automatically. Domino notifies the administrator to run the Fixup task with the -J parameter on corrupted logged databases.
Runtime/Restart performance | This field controls how often Domino records a recovery checkpoint in the transaction log. This affects server performance as databases may be flushed from the cache to disk. To record a recovery checkpoint, Domino evaluates each active logged database to determine how many transactions would be necessary to recover each database after a system failure. When Domino completes this evaluation, it:
- Creates a recovery checkpoint record in the transaction log that lists each open database and the starting point transaction needed for recovery
- Forces database changes to be saved to disk if they have not been saved already
Choose one:
- Standard (default and recommended): To record checkpoints regularly.
- Favor runtime: To record fewer checkpoints. This option requires fewer system resources and improves server run-time performance but causes more of the log to be applied during restart.
- Favor restart recovery time: To record more checkpoints. This option improves restart recovery time because fewer transactions are required for recovery.
Action
Choose one:
- Circular (default): To re-use the log files and overwrite old transactions.
- Archived (recommended): To re-use the log files after they are archived. A log file can be reused when it is inactive, which means that it does not contain any transactions necessary for a restart recovery. Use a third-party backup utility to copy and archive the existing log. When Domino starts using the existing file again, Domino increments the log file name. If all the log files become inactive and are not archived, Domino creates additional log files.
- Linear: To re-use the log files and overwrite old transactions for log size greater than 4GB.
* If you change this field, you must restart the server so that the change takes effect.
** If you change this field, Domino assigns a new DBIID to each database. You must restart the server and perform another full backup.
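With archived logging, media recovery needs an unbroken run of log extents and the log disk must never fill. The following Python check is an added example, not part of the Domino documentation or tooling: from directory listings of the archive copy and the live log path (constructed sample names), it reports missing Sxxxxxxx.TXN numbers, unexpected files, and how many more extents fit in the free space. It assumes extent numbers increase by one and that each extent is 64 MB (inferred from the 192MB default being formatted as at least 3 files); the `min_headroom` threshold is hypothetical.

```python
import re

EXTENT_RE = re.compile(r"^S(\d{7})\.TXN$", re.IGNORECASE)
CONTROL_FILE = "NLOGCTRL.LFH"
EXTENT_MB = 64  # assumption: 192MB default / 3 files, 4096MB maximum / 64 files

# Constructed sample listings (not taken from a real server).
ARCHIVE = ["S0000000.TXN", "S0000001.TXN", "S0000003.TXN"]
LIVE = ["NLOGCTRL.LFH", "S0000005.TXN", "S0000006.TXN", "notes.tmp"]


def inventory(names):
    """Split a directory listing into sorted extent numbers and unexpected files."""
    numbers, unexpected = [], []
    for name in names:
        match = EXTENT_RE.match(name)
        if match:
            numbers.append(int(match.group(1)))
        elif name.upper() != CONTROL_FILE:
            unexpected.append(name)
    return sorted(numbers), unexpected


def sequence_gaps(numbers):
    """Return extent numbers missing between the lowest and highest one seen."""
    return [n for a, b in zip(numbers, numbers[1:]) for n in range(a + 1, b)]


def assess(archive_names, live_names, free_mb, min_headroom=4):
    """Check archive continuity and remaining room on the log disk."""
    archived, _ = inventory(archive_names)
    live, unexpected = inventory(live_names)
    # Archive and live extents together must form one continuous sequence,
    # otherwise a replay from the last full backup stops at the first hole.
    missing = [f"S{n:07d}.TXN" for n in sequence_gaps(sorted(set(archived + live)))]
    headroom = free_mb // EXTENT_MB
    warnings = []
    if missing:
        warnings.append("extents missing from archive: " + ", ".join(missing))
    if unexpected:
        warnings.append("unexpected files in log path: " + ", ".join(unexpected))
    if headroom < min_headroom:
        warnings.append(f"room for only {headroom} more extent(s) before the disk fills")
    return {"missing": missing, "unexpected": unexpected,
            "headroom_extents": headroom, "warnings": warnings}


if __name__ == "__main__":
    for line in assess(ARCHIVE, LIVE, free_mb=100)["warnings"]:
        print("WARNING:", line)
```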
Issue
If you edit the log path and save this document, you must then stop the server and use the operating system to move the existing log files to the new path.
If you change only this field, you do not need to restart the server. As Domino logs the transactions, the changes take effect.
If you change the logging style, you must perform a full backup of all databases because Domino assigns new DBIIDs to all the databases.
5. Click Save & Close.
6. Restart the server so that the settings take effect.
View logging
View logging provides a way to maintain consistent views in failure conditions and allows media recovery to update those views. View logging is transaction logging support for Notes views and folders. All updates to Notes views or folders are recorded in the transaction log for recovery purposes.
To enable view logging, you use Domino Designer. In Designer, open a view or folder, select the Advanced tab, and check Logging - Include updates in transaction log.
Note If you enable view logging in a template, all databases created from that template and all databases whose designs are replaced from that template have those views logged.
When you restart a server after a system failure, Domino automatically restores the affected databases.
Fault recovery
You can set up fault recovery to automatically handle server crashes. When the server crashes, it shuts itself down and then restarts automatically, without any administrator intervention. A fatal error such as an operating system exception or an internal panic terminates each Domino process and releases all associated resources. The startup script detects the situation and restarts the server. If you are using multiple server partitions and a failure occurs in a single partition, only that partition is terminated and restarted.
Domino records crash information in the data directory. When the server restarts, Domino checks to see if it is restarting after a crash. If it is, an e-mail is sent automatically to the person or group in the Mail Crash Notification to field. The e-mail contains the time of the crash and the server name. If available, the FAULT_RECOVERY.ATT file, which includes additional failure information from an optional cleanup script, is attached.
The fault-recovery system is initialized before the Domino Directory can be read. During this initialization, fault-recovery settings are read from the NOTES.INI file, and then later read from the Domino Directory and saved back to the NOTES.INI file. Any changes to the Domino Directory or the NOTES.INI file become effective when the Domino server is restarted. To disable the reading of the Domino Directory, and subsequent update to the NOTES.INI file, use the NOTES.INI setting FaultRecoveryFromIni=1.
resources are available. If you are using multiple Domino server partitions, each partition requires a complete set of resources. Consult your operating system documentation for additional details on configuring message queue parameters. Windows NT and Windows 2000 systems do not require any system resource changes.
Maximum Crash Limits | Enter the number of restarts allowed during a specified time limit, for example, 3 crashes within 5 minutes. If the number of crashes exceeds the limit within that time, the server exits without restarting.
Mail Crash Notification to | Enter a user or group name. When the server restarts, Domino checks if it is restarting after a crash and sends e-mail to the person or group.
For more information on NOTES.INI settings, see the appendix NOTES.INI File. For more information on setting additional logging levels, see the topic Recording additional information in the log file, later in this chapter.
Log_Console
Log_DirCat
Log_Update Log_View_Events
Mail_Log_To_MiscEvents Determines whether all mail event messages are displayed in the Miscellaneous Events view of the log file.
Modem I/O Modem script I/0 Traced network connections Web Navigator Web server
The Retriever log level field on the Server Tasks - Web Retriever tab of the Server document. Additional information regarding the Web server is logged in the Domino Web server log (DOMLOG.NSF).
For more information on the Domino Web server log, see the topic Viewing the Domino Web server log (DOMLOG.NSF) later in this chapter.
Mail routing details not available in the Miscellaneous Events view Events that do not appear in other views Modem I/O messages Script I/O messages Server task messages Sorted by date Object store file name Mail database file name Mail database title Number of documents referenced in the object store Total size of the documents in the object store Details on the shared mail object store usage on your server
Passthru Connections Phone Calls By Date Phone Calls By User Replication Events
Starting and Ending times, destination, and protocol for each passthru connection Information about calls made and received by a server, sorted by date or by user
All replication sessions between servers, sorted by server. Information includes the name of the initiating server, time and duration of replication, port used, and the number of documents added, deleted, or modified
Uncategorized billing information provided in the Usage by Date and Usage by User views, sorted by user and including totals for each column and session
Sample Billing
Contains information about Sessions this server had with users or other servers, sorted by date or by user Information includes: sessions opened; session duration; databases opened; database-access duration; number of transactions (workstation-to-server database requests); and network usage (K transferred) Transactions for operations, such as opening a document, updating a document, reading a section of a view, and going to a specific section of a view Includes totals by date, by user/server, and for all usage
Search Results
Results of log analysis Information includes starting time and name of server
To search the log file
1. From the Domino Administrator, click the Server - Analysis tab.
2. Click Analyze, and then click Log.
3. In the Log Analysis dialog box, create a search query by specifying the search criteria.
Note You can select more than one when specifying search criteria. For example, you can select more than one event type, then you must select one of these options:
- The results must match one of the criteria: Select this option if the results must match the selected criteria, such as event type, or event severity.
- The results can match one of the criteria: Select this option if results that do not match the selected criteria can be included in the log search as well.
Search criteria | Complete the following
Date |
- Start and End Date: Select the dates you want to search.
- Start and End Time: Select the times you want to search.
- Select one:
  - Use above time range in any time zone: Use this setting when you do not need to vary the search start and end parameters.
  - Convert time range to server's time zone: Use this setting if you are searching the log file for a server in a different time zone.
  - Any time: Use this setting if you do not want to limit the log search by date or time.
Event Type | Select the type of event for which you want to search.
Event Severity | Select the type of severity for which you want to search.
Add-in Name | Select the add-in name for which you want to search.
- Add Add-in Name: Enter the name of an add-in task if you do not find it on the list.
Error Code | Click in the column to the left of a message to select the error message for which you want to search.
Event Text | Do any of the following to refine your text.
- Look for: Choose one of these: any of the words, all the words, exact phrase
- Enter: Enter the words or phrases for which you want to search.
- Must Contain the Words: Enter the words that the log search must contain to be successful.
- Must Not Contain the Words: Enter the words or phrases that would make a search result invalid.
Complete the following
- Select Existing Query: Choose any predefined query.
- Save query on exit: Select this option if you want to save your query criteria.
- Save Query As: Enter a name for your query.
- Query Formula: Displays the new or selected query for your verification.
4. When you click OK, the Log Analysis Results are displayed and a copy of the results is stored in the Search Results view of the log file.
Tip Search strings can be any length containing any type of character and the search is not case sensitive.
To view a search result
1. Open the log file (LOG.NSF).
2. Select the Search Results view.
3. Results are listed by starting time and server name. Select the results you want to view.
4. Use File - Open or double-click to open the search results document.
Tip You can also view the search results from the Server - Analysis tab using the tool Analyze - View Search Results, which gives you additional sorting abilities when viewing the results.
Analyzing Domino 6 log files using a Domino 5 server
If you have a mixed environment in which you are using a Domino 6 Administration client and a server that is Domino 5 or earlier, the log analysis is based on the Domino 5 Log Analysis functionality, and the results are saved in the Results database (RESULTS.NSF). The Results database is based on the LOGA4.NTF template. It shows the date and time of events, their source (event or console message), and the text of messages. The view doesn't display times for server console messages.
If you are using a Lotus Domino Administrator 6 client to analyze a Domino 6 server log file, you can still create a Results database and save the results to this database. To do so, open the document from the Search Results view in LOG.NSF, then use the File - Save As menu to save it to the desired location. For more information about the Results database, see the Domino 5 documentation.
Note You can log to both text files and a database. These options are not mutually exclusive.
- Type of browser used to access the server
- Internal and Common Gateway Interface (CGI) program errors
- URL the user visited to gain access to a page on this site
- Server's IP address or DNS name
- Amount of time, in milliseconds, to process the request
- Cookies sent from the browser
- Translated URL (the full path of the actual server resource, if available)
Enter HTTP response status codes to exclude, for example, 300 or 400
Browser client DNS names or IP addresses to exclude, for example, 130.333.* or *.edu
Note To enter DNS names in this field, you must first enable the DNS Lookup setting in the HTTP Server section of the Server document. Otherwise, you can enter only IP addresses in this field. Enabling this setting will impact performance.
6. Save the document and then restart the HTTP task so that the changes take effect.
The most commonly used Access log format is Extended Common, which logs all Web server information into a single text file. Optionally, you can choose Common for the Access log file format; however, the Common format is an older log file format and is available primarily for legacy information. If you choose the Common format for your Access file, it contains a subset of the server request information, with the requesting agent and referer information stored in separate Agent and Referer log files. It is difficult to match the entries in these different log files because a referer is not always sent with every request, so the number of referer entries may not match the number of requests.
Field | Enter
Log file duration | Choose one to determine how often a new log file is created:
Note The prefixes used in the file names are chosen in the Log File Names section of the Server document.
- Daily (default): To create a new log file each day, starting at midnight. Daily log files use the file naming convention:
  file name prefixDDMMYYYY.log
  Example: The access log file for May 29, 2001 is access-log29051998.log
- Weekly: To create a new log file each week, starting on Sunday at midnight. Weekly log files use the file naming convention:
  file name prefix__WWYYYY.log
  Example: The access log for the week of May 24, 2001 is access-log__212001.log.
- Monthly: To create a new log file each month, starting at midnight on the first day of the month. Monthly log files use the file naming convention:
  file name prefixMMYYYY.log
  Example: The access log file for May 2001 is access-log052001.log.
- Never: To create log files of unlimited duration. The file naming convention is:
  file name prefix.log
  Example: The CGI error log file is cgi-error-log.log.
Maximum log entry length | The maximum length allowed for an individual entry in the access log file. If the entry exceeds this length it is not written to the file. The default is 10 kilobytes.
Maximum size of access log | The maximum size allowed for the access log file. If this limit is reached no more entries are written to the file. A value of zero (the default) indicates that the size is unlimited.
Enter
The prefix to use when creating the Agent log file. The default is agent.
Note If you chose the Extended Common format, you will not have an agent log; this information will be included in the access log.
Referer log | The prefix to use when creating the Referer log file. The default is referer.
Note If you chose the Extended Common format, you will not have a referer log; this information will be included in the access log.
The prefix to use for the CGI error log. The default is cgi-error.
Note The cgi-error log is created only if the CGI script logs information to stderr. The format of cgi-error log information is CGI script dependent. The Access log format does not affect the cgi-error log in any way.
7. (Optional) Under Exclude From Logging, complete these fields to exclude certain types of information from the log file:
Field | Action
URLs | Enter URL paths to exclude, for example, *.gif or /anydir/*
Methods | Enter HTTP methods, for example, POST or DELETE
MIME types | Enter MIME types to exclude, for example, image (for all images) or image/gif (for .gif images)
User agents | Enter strings that are part of user agent (browser) strings to exclude requests from a particular user agent.
- To exclude Microsoft Internet Explorer, enter MSIE*
- To exclude Netscape: For version 4.7, enter Mozilla/4.7 For version 4.6, enter Mozilla/4.6
Return codes | Enter HTTP response status codes to exclude, for example, 300 or 400
Hosts and domains | Enter browser client DNS names or IP addresses to exclude, for example, 130.333.* or *.edu
Note To enter DNS names, you must first enable the DNS Lookup setting in the HTTP Server section of the Server document. Otherwise, you can enter only IP addresses. Enabling this setting impacts performance.
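Every pattern entered under Exclude From Logging removes matching requests from the access log, so a review of these fields should show what the log will no longer contain. The following Python model is an added example, not Domino code: it applies the six fields to constructed sample requests and flags exclusions that hide state-changing or failed requests. The matching rules (shell-style `*`, case-insensitive, exact return codes, user agent entries matched anywhere in the string) are assumptions, because the page does not specify them.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase


@dataclass
class Request:
    host: str          # client IP address or DNS name
    method: str
    url: str
    status: int
    mime: str
    user_agent: str


@dataclass
class ExcludeConfig:
    # One list per field of the Exclude From Logging section.
    urls: list = field(default_factory=list)
    methods: list = field(default_factory=list)
    mime_types: list = field(default_factory=list)
    user_agents: list = field(default_factory=list)
    return_codes: list = field(default_factory=list)
    hosts: list = field(default_factory=list)


def _wild(value, pattern):
    # Assumption: '*' behaves like a shell wildcard, compared case-insensitively.
    return fnmatchcase(value.lower(), pattern.lower())


def excluded_by(req, cfg):
    """Return the names of the fields whose entries exclude this request."""
    hits = []
    if any(_wild(req.url, p) for p in cfg.urls):
        hits.append("URLs")
    if any(req.method.upper() == m.upper() for m in cfg.methods):
        hits.append("Methods")
    mime = req.mime.lower()
    # "image" covers every image/* subtype; "image/gif" covers only that one.
    if any(mime == m.lower() or mime.startswith(m.lower() + "/") for m in cfg.mime_types):
        hits.append("MIME types")
    # Entries are "part of" the user agent string, so match anywhere in it.
    if any(_wild(req.user_agent, "*" + p + "*") for p in cfg.user_agents):
        hits.append("User agents")
    if any(str(req.status) == str(c) for c in cfg.return_codes):
        hits.append("Return codes")
    if any(_wild(req.host, p) for p in cfg.hosts):
        hits.append("Hosts and domains")
    return hits


def unlogged(cfg, requests):
    """Return (request, fields) pairs for requests that would not be logged."""
    return [(r, hits) for r in requests if (hits := excluded_by(r, cfg))]


def review_config(cfg):
    """Flag exclusions that remove events an investigation usually depends on."""
    findings = []
    for m in cfg.methods:
        if m.upper() in {"POST", "PUT", "DELETE"}:
            findings.append(f"Methods: {m} (state-changing requests leave no entry)")
    for c in cfg.return_codes:
        if str(c)[:1] in {"4", "5"}:
            findings.append(f"Return codes: {c} (failed or rejected requests leave no entry)")
    for name, patterns in (("URLs", cfg.urls), ("Hosts and domains", cfg.hosts)):
        if "*" in patterns:
            findings.append(f"{name}: '*' excludes every request")
    return findings


# The example values given for each field on this page.
PAGE_EXAMPLES = ExcludeConfig(
    urls=["*.gif", "/anydir/*"], methods=["POST", "DELETE"], mime_types=["image"],
    user_agents=["MSIE*"], return_codes=["300", "400"], hosts=["130.333.*", "*.edu"])

# Constructed sample requests (documentation address ranges, invented paths).
SAMPLE_REQUESTS = [
    Request("192.0.2.10", "GET", "/images/logo.gif", 200, "image/gif", "Mozilla/4.7 [en] (WinNT; U)"),
    Request("192.0.2.10", "POST", "/orders/submit", 401, "text/html",
            "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"),
    Request("lab7.example.edu", "GET", "/index.html", 200, "text/html", "Mozilla/4.7 [en] (Win98; U)"),
    Request("198.51.100.7", "GET", "/reports/q2.html", 400, "text/html", "Mozilla/4.6 [en] (X11; U)"),
    Request("203.0.113.5", "GET", "/index.html", 200, "text/html", "Mozilla/4.7 [en] (WinNT; U)"),
]

if __name__ == "__main__":
    for req, fields in unlogged(PAGE_EXAMPLES, SAMPLE_REQUESTS):
        print(f"not logged: {req.method} {req.url} from {req.host} ({', '.join(fields)})")
    for finding in review_config(PAGE_EXAMPLES):
        print("review:", finding)
```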
Activity logging
You use activity logging to collect information about the activity in your enterprise. You can use this information to charge users for the amount they use your system, monitor usage, conduct resource planning, and determine if clustering would improve the efficiency of your system. Domino writes the activity logging information in the Domino log file (LOG.NSF). To create activity logging reports, you write a Notes API program to access the information in the log file. You can also view the activity logging information by using Activity Analysis. In a hosted environment, enable activity logging on all of your ASP servers, that is, the servers used to house and maintain your hosted organizations.
You use the Domino Administrator to specify which types of activity to log. This table describes the types of activity you can log.
Activity type | What this logs
Agent | When a Domino server runs scheduled agents, as well as the running time of the agents
HTTP | Web server requests
IMAP | Activity generated during an IMAP session
LDAP | Activity generated by all LDAP activity. Each type of LDAP activity generates a separate record. The types of LDAP activity include abandon, add, bind, compare, delete, extended, modify, modify distinguished name, search, and unbind.
Activity generated by mail and mail-related messages being routed to and from the server. The messages can come from a Domino server or an SMTP server.
When Notes clients and Domino servers open, use, and close Notes databases and the duration of use.
When users or servers connect through a Domino passthru connection, as well as the activity that is generated through that connection
When Notes clients and Domino servers acting as clients start and end sessions with a Domino server
Activity generated during a POP3 session
Activity generated by replication with another server or with a client
Activity generated during an SMTP session
Domino creates Checkpoint records for the following types of activity: IMAP, Notes session, Notes database, Notes passthru, POP3, and SMTP. The Checkpoint records are cumulative; each one contains all of the activity that was logged to that point during the open session.
By default, Domino creates a Checkpoint record the first time there is activity after a 15 minute waiting period, and every 15 minutes when there is activity thereafter. This waiting period is called the checkpoint interval. Domino generates a Checkpoint record the first time activity occurs after the checkpoint interval has completed. For example, if several transactions occur during the first 10 minutes of the checkpoint interval but no more activity occurs until minute 21, Domino generates the Checkpoint record in minute 21. For each type of activity for which there is an open session, Domino creates only one Checkpoint record per period, no matter how much activity occurs.
To change the duration of the checkpoint interval, you can change the Checkpoint interval setting on the Activity Logging tab of the Configuration Settings document. To determine how long to make the checkpoint interval, consider three factors: the need to record information, the need to preserve storage space, and the need for quick performance. The longer you make the checkpoint interval, the more activity data that could be lost if the server crashes before Domino writes the Checkpoint records. The shorter you make the checkpoint interval, the more Checkpoint records that could be created, requiring more storage space. In addition, if you set a short checkpoint interval, system performance could be affected if there is a lot of activity.
Note For types of activity that generate multiple activity logging records, the record type is indicated in the EventType field in the record.
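The trade-off between checkpoint interval, record count and data at risk can be worked through for one open session. This Python simulation is an added example, not Domino code: it reproduces the minute-21 case described above and compares three intervals against a constructed activity timeline. It assumes the next waiting period starts when a Checkpoint record is written, which the page does not state.

```python
# Constructed timeline: minutes since session start at which activity was logged.
SAMPLE_ACTIVITY = [1, 4, 9, 21, 25, 33, 40, 58]


def checkpoints(activity, interval=15):
    """Return (minute, cumulative_count) for each Checkpoint record of one session."""
    records = []
    next_due = interval      # the first waiting period runs from session start
    seen = 0
    for minute in sorted(activity):
        seen += 1
        # A record is written by the first activity after the interval has
        # completed; activity inside the waiting period writes nothing.
        if minute >= next_due:
            records.append((minute, seen))   # cumulative: everything so far
            next_due = minute + interval     # assumption: period restarts here
    return records


def unrecorded_at_crash(activity, crash_minute, interval=15):
    """Count activity events no Checkpoint record had captured at the crash."""
    before = [m for m in activity if m <= crash_minute]
    written = checkpoints(before, interval)
    captured = written[-1][1] if written else 0
    return len(before) - captured


def compare_intervals(activity, crash_minute, intervals=(5, 15, 30)):
    """Summarise storage cost (records) against exposure (unrecorded events)."""
    return {
        i: {
            "records": len(checkpoints(activity, i)),
            "unrecorded_at_crash": unrecorded_at_crash(activity, crash_minute, i),
        }
        for i in intervals
    }


if __name__ == "__main__":
    # The case from the text: activity in the first 10 minutes, then minute 21.
    print(checkpoints([2, 5, 9, 21]))
    for interval, result in compare_intervals(SAMPLE_ACTIVITY, crash_minute=32).items():
        print(f"{interval:>2} min interval: {result}")
```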
This table shows the types of LDAP requests and some of the information that Domino logs for each type of request. Domino does not generate Checkpoint records for LDAP requests.
Request type | Information logged
Abandon | Organization name, user name, server name, client IP address, the message ID of the command to abandon, the LDAP result code, and any error messages returned to the client
Add | Organization name, user name, server name, client IP address, the distinguished name of the object to be added, the attributes that are added and their new values, the names of the directories to which the entry was added, the number of entries added, the number of bytes sent to the server, the LDAP result code, and any error messages returned to the client
Bind | Organization name, user name, server name, client IP address, LDAP version, the name the client is using to bind, the authentication method, the LDAP result code, and any error messages returned to the client
Compare | Organization name, user name, server name, client IP address, the distinguished name of the object that was compared, the attribute and value portions of the attribute value assertion, names of the directories searched, the number of bytes sent to the server in the query, the LDAP result code, and any error messages returned to the client
Delete | Organization name, user name, server name, client IP address, the distinguished name of the object that was deleted, names of directories from which the object was deleted, the number of entries deleted, the number of bytes sent to the server, the LDAP result code, and any error messages returned to the client
Extended | Organization name, user name, server name, client IP address, the name of the extended command, the LDAP result code, and any error messages returned to the client
Modify | Organization name, user name, server name, client IP address, the distinguished name of the entry to be modified, the operations to be performed on the entry (add, delete, replace), the attributes that are modified and their new values, the names of the directories in which the entry was modified, the number of entries modified, the number of bytes sent to the server, the LDAP result code, and any error messages returned to the client
ModifyDN | Organization name, user name, server name, client IP address, the directory entry that is modified, the new Relative Distinguished Name (RDN), whether the old RDN was deleted, the new parent entry, the names of the directories in which the entry was modified, the number of entries modified, the number of bytes sent to the server, the LDAP result code, and any error messages returned to the client
Search | Organization name, user name, server name, client IP address, the base object, the scope of the search, deref aliases, the maximum number of entries the client requests, the time limit a client requests for a session, the types of information to include in a record (field names only or field names and values), filters, the attributes that you want displayed for each entry, the amount of time the search took, the names of the directories searched, the number of entries and the number of bytes sent to the client, the LDAP result code, and any error messages returned to the client
Unbind | Organization name, user name, server name, client IP address, the LDAP result code, and any error messages returned to the client
You can customize the LDAP service configuration to limit the amount of data collected in the Values fields in Add and Modify records.
Transfer failure
For each mail message, at least two types of records are logged: a Deposit record and at least one of the other types of records, depending on the disposition of the attempted delivery.
Domino logs updates to messages in MAIL.BOX as new deposits. For example, if you change the address on a message in MAIL.BOX so that it routes correctly, that message is logged as a new deposit. If a message is split because the recipient list is too large, a separate record is generated for each copy of the message. Each of these records contains the same MessageID and Originator.
This table contains a few examples of the types of activities that generate each type of session record.
Type of record | Type of activity
Open | Opening a database or any action that opens a database, such as checking database properties; starting replication; having a remote server open another server's MAIL.BOX
Checkpoint | Reading documents; editing documents; saving and updating documents; viewing or changing an ACL; rebuilding a database view; performing any other activity while a session is open
Close | Closing a database; ending replication; logging off, either manually or automatically; exiting Notes; having a remote server close MAIL.BOX
This table contains a few examples of the types of activities that generate each type of database record.
Type of record | Type of activity
Open | Opening a database or any action that opens a database, such as checking database properties; starting replication, including opening a database to determine if replication is needed (even if no replication is needed)*; having a remote server open another server's MAIL.BOX
Checkpoint | Editing documents; saving and updating documents; viewing or changing an ACL; performing any other database activity while a database is open
Close | Closing a database; ending replication; logging off, either manually or automatically (one record for each open database); exiting Notes (one record for each open database); having a remote server close MAIL.BOX
CloseEnd | Closing a database at the end of a session; closing databases that the server opened for replication; logging off of Notes; exiting Notes
MailDeposit | Depositing a mail message that does not contain an attachment into MAIL.BOX
* When Domino closes databases after determining that replication is not necessary, it generates a Close record that contains 0 (zero) in the Duration field.
CloseEnd records log the total activity in a database during a Notes session. Each time a user opens and closes a database during a session, Domino creates separate database Open and Close records. When the user closes the Notes session, Domino generates a CloseEnd record for each database that was open during the session. The CloseEnd record consolidates the total activity in the database during the entire Notes session. Therefore, if you open and close a database several times during a Notes session, Domino generates multiple Open and Close records for that database, but only one CloseEnd record.
If a session ends before authentication is complete, Domino generates only a Close record. The user name in this record is Anonymous.
1. User opens mail database
2. User creates a mail message
3. User sends message to MAIL.BOX
Notes Session Open
Notes Database Open
The following are possible: Notes Session Checkpoint, Notes Database Checkpoint
Mail Deposit, plus the following: if the message contains an attachment, Notes Database Open and Notes Database Close; if the message does not contain an attachment, Notes Database MailDeposit
The following are possible: Notes Session Checkpoint, Notes Database Checkpoint
Mail Transfer
Sending server
Sending server
5. The Router picks up the message from MAIL.BOX
6. The Router deposits the message in the destination server's MAIL.BOX
Sending server
Mail Deposit, plus the following: if the message contains an attachment, Notes Database Open and Notes Database Close; if the message does not contain an attachment, Notes Database MailDeposit
Receiving server
Activity
Records generated
7. The Router delivers the message to the user's mail database
8. User opens mail database and reads message
Mail Delivery
Limiting the amount of attribute information logged for LDAP Add and LDAP Modify activity
Since it is possible for LDAP Add and LDAP Modify operations to add or modify many attribute values, by default activity logging stops logging attribute information in a record when the amount logged reaches 4096 bytes in that record. To specify a different amount of attribute information to log:
1. From the Domino Administrator, open the server that runs the LDAP service or a server in the same domain as the server that runs the LDAP service.
2. Click the Configuration tab.
3. In the Task pane, expand Directory; then expand LDAP; and then select Settings.
4. Do one of the following:
- If you see the message "Unable to locate a Server Configuration document for this domain. Would you like to create one now?" click Yes, and then click the LDAP tab on the document that is created.
- If you do not see this message, click Edit LDAP Settings.
5. In the field Activity Logging truncation size, type a value (in bytes).
6. Click Save & Close.
View | Description
LDAP Add | For LDAP Add activity, shows the organization name, user name, timestamp, name of the added object (entry), number of bytes received, and any error messages
LDAP All | For all LDAP activity, shows the organization name, type of activity, user name, and the timestamp
LDAP Delete | For LDAP Delete activity, shows the organization name, user name, timestamp, name of the deleted object (entry), number of entries deleted, and any error messages
LDAP Modify | For LDAP Modify activity, shows the organization name, user name, timestamp, name of the modified object (entry), number of bytes received, and any error messages
LDAP ModifyDN | For LDAP ModifyDN activity, shows the organization name, user name, timestamp, name of the modified object (entry), the new RDN, the new superior, and any error messages
LDAP Search | For LDAP Search activity, shows the organization name, user name, timestamp, base object, filter, bytes sent, and the search time
Mail Deposited | For mail deposited into MAIL.BOX, shows the server name, who the message was from and to, when the message was deposited, the message ID, and the action taken upon the message (depositing the mail into MAIL.BOX)
Mail Processed | For messages processed in MAIL.BOX, such as mail transferred to other servers and mail delivered to users, shows the server name, who the message was from and to, when the message was deposited, the message ID, and the action taken upon the message
Notes Database | For Notes database activity, shows the organization name, server name, user name, database name, timestamp, number of bytes sent and received, number of documents read and written, and the total number of transactions
Notes Passthru | For Notes passthru activity, shows the date, duration of the connection, and the number of bytes sent and received by the client and by the target server
Notes Session | For Notes session activity, shows the organization name, server name, user name, timestamp, number of bytes sent and received, number of documents read and written, and the total number of transactions
POP3 | For POP3 activity, shows the organization name, server name, user name, timestamp, number of messages retrieved by and deleted from the client, number of bytes the client sent to the server and received from the server, and the duration of the session
Replica | For replication activity, shows the date, source server and database name, destination server and path, and the number of bytes transferred
SMTP Session | For SMTP activity, shows the organization name, server name, IP address of the connected client, timestamp, number of messages the client sent, number of recipients to whom the messages were sent, number of bytes the client sent to and received from the server, and the duration of the session
Note In addition to containing the results of running activity analysis, the Log Analysis database may contain the results of running log analysis, especially if you run log analysis using a version of Domino earlier than Lotus Domino 6.
7. Select "Append to this database" to append the results of the analysis to previous results in the database, or select "Overwrite this database" to create a new database that contains only the results of the current analysis.
8. Click OK to run the analysis and to open the Log Analysis database.
Database maintenance
To keep a specific database in good working order, perform these tasks regularly.
Task | Frequency
Monitor replication, if a database replicates | Daily
Check for and consolidate replication or save conflicts | Daily, for large active databases; weekly for other databases
Monitor database activity | Weekly
Monitor database size | Weekly
For information on monitoring database replication and database activity, see topics in this chapter. For information on monitoring database size, see the chapter "Improving Database Performance."
In addition, if you're a server administrator, perform the following tasks regularly to maintain all databases on a server.
Task | Frequency
Run the Updall task to update all views and full-text indexes | Daily. Occurs by default daily at 2 AM.
Run the Designer task to keep databases that inherit design from master templates in sync with the master templates | Daily. Occurs by default daily at 1 AM.
Run the Compact task | Weekly or monthly with the -B argument and in conjunction with a certified backup utility.
Occasionally
For information on running the Updall and Designer tasks, see the topic Synchronizing databases with master templates, later in this chapter. For information on running the Compact task and monitoring the database cache, see the chapter Improving Database Performance.
Display disk space information
To customize the Files tab, you can:
- Choose the types of files you see
- Choose the folder contents you see
- Customize the column display
3. To choose a combination of files to display, in the box, select Custom, select one or more of these options, and then click OK:
- Databases
- Templates: Displays all templates except advanced templates
- Advanced templates: Displays advanced templates
- Database Links
- Mail boxes
- ID files
- Modem files
Alternately, you can specify one or more custom file extensions to display files with those extensions, for example, TXT or BMP.
1. From the Domino Administrator, click the Files tab.
2. Use the left pane in the Files tab to select a folder. By default, you see only files in the selected folder. To see all the files in the Domino data folder, click the files icon.
The Files tab can display files only in the data folder and in any folders within the data folder.
To add and remove columns
1. From the Domino Administrator, choose Files - Preferences - Administration Preferences.
2. Click the Files icon.
3. To add a column, select the column in the Available Columns box and then click the right arrow to include the column in the Use These Columns box. All available columns are displayed by default.
4. To remove a column, select the column in the Use These Columns box, and then click the left arrow to remove the column.
5. Click OK.
To change the order of columns
1. From the Domino Administrator, choose Files - Preferences - Administration Preferences.
2. Select the Files icon.
3. Select the column in the Use These Columns box and do the following:
- To move the column one place to the right, click the up arrow below the box.
- To move the column one place to the left, click the down arrow below the box.
4. Click OK.
Database tool | Description
Multi-Database Index | Enables and disables multi-database indexing for databases
Advanced Properties | Set advanced database properties
Quotas | Set quotas to limit the size of databases
Move | Moves databases using the Administration Process server task
Sign | Signs databases with signatures that can be used for workstation data security
Replication | Enables and disables replication of databases
Fixup | Fixes corrupted databases
Cluster | Manages databases in a cluster
Analyze | Runs a database analysis
Find Note | Finds a document based on Note ID or UNID and displays its properties to aid in troubleshooting
Create Db Event Generator | Monitors a database based on various criteria
Manage Views | Frees space used by view indexes
In addition to ensuring that a database is replicating, you should routinely check for and consolidate replication and save conflicts. For more information on the Database Analysis tool, see the topic Database analysis, later in this chapter.
specified in the "Only replicate incoming documents saved or modified after" setting on the Other panel of the Replication Settings dialog box. If a database doesn't replicate successfully, Domino doesn't update the replication history.
Clearing the replication history
If you have Manager access to a database, you can clear the database replication history if you think the database doesn't contain all the documents it should or if the database replication history is not synchronized with that of other replicas. Clear the replication history only as a last resort to solve replication problems. If you clear the history, during the next replication, Domino scans each document created or modified since the date specified in the "Only replicate incoming documents saved or modified after" setting on the Other panel of the Replication Settings dialog box. Scanning all these documents can be time-consuming, especially over dial-up connections. If you clear the "Only replicate incoming documents saved or modified after" setting, Domino scans all documents in the database.
Within a server cluster, the Cluster Replicator stores replication history information in memory and updates the replication history about once an hour.
For information on viewing cluster replication data, see the book Administering Domino Clusters. For more information on the "Only replicate incoming documents saved or modified after" setting, see the chapter "Creating Replicas and Scheduling Replication."
To clear a replication history
1. Make sure you have Manager access in the database ACL.
2. Open the database.
3. Choose File - Replication - History.
4. Do one of the following:
- To clear one entry, select it, click Zoom, click Remove, then click Yes.
- To clear the entire replication history, click Clear, then click Yes.
5. Click Done.
Replication conflicts
A replication conflict occurs when two or more users edit the same document and save the changes in different replicas between replications. These rules determine how Domino saves the edit sessions:
- The document edited and saved the most times becomes the main document; other documents become Replication or Save Conflict documents.
- If all of the documents are edited and saved the same number of times, the document saved most recently becomes the main document, and the others become Replication or Save Conflict documents.
- If a document is edited in one replica but it is deleted in another replica, the deletion takes precedence, unless the edited document is edited more than once or the editing occurs after the deletion.
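The three precedence rules above, worked through as an added example (not Domino code and not part of the original documentation). The ReplicaCopy fields, the resolve and describe functions, the server labels and the sample timestamps are assumptions constructed for illustration.

```python
# Added example: a model of the three replication-conflict rules stated above.
# This is not Domino code; ReplicaCopy, its fields, resolve() and describe()
# are assumptions made for illustration.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ReplicaCopy:
    replica: str           # label of the replica holding this copy (hypothetical)
    saves: int             # times edited and saved since the replicas last matched
    changed_at: datetime   # time of the last save, or of the deletion
    deleted: bool = False  # True if the document was deleted in this replica


Outcome = Tuple[Optional[ReplicaCopy], List[ReplicaCopy], bool]


def resolve(copies: List[ReplicaCopy]) -> Outcome:
    """Return (main document, conflict documents, deletion_wins)."""
    edited = [c for c in copies if not c.deleted and c.saves > 0]
    deletions = [c for c in copies if c.deleted]

    if deletions:
        # Rule 3: the deletion takes precedence unless a copy was edited more
        # than once or edited after the deletion. With several deletions this
        # model assumes the edit must postdate the latest one.
        deleted_at = max(d.changed_at for d in deletions)
        edited = [c for c in edited
                  if c.saves > 1 or c.changed_at > deleted_at]
        if not edited:
            return None, [], True

    if not edited:
        return None, [], False  # nothing changed in any replica

    # Rule 1: the copy saved the most times becomes the main document.
    # Rule 2: on a tie, the copy saved most recently becomes the main document.
    ranked = sorted(edited, key=lambda c: (c.saves, c.changed_at), reverse=True)
    return ranked[0], ranked[1:], False


def describe(copies: List[ReplicaCopy]) -> str:
    """One-line summary of the outcome for a set of replica copies."""
    main, conflicts, deletion_wins = resolve(copies)
    if deletion_wins:
        return "deletion replicates; edits are discarded"
    if main is None:
        return "no changes to reconcile"
    losers = ", ".join(c.replica for c in conflicts) or "none"
    return f"main document from {main.replica}; conflict documents from: {losers}"


# Constructed sample data: one document changed in replicas on two servers.
T0 = datetime(2002, 9, 1, 9, 0)
SCENARIOS = {
    "more saves beats a later save": [
        ReplicaCopy("Hub", saves=3, changed_at=T0),
        ReplicaCopy("Spoke", saves=1, changed_at=T0 + timedelta(hours=2)),
    ],
    "equal saves, latest save wins": [
        ReplicaCopy("Hub", saves=2, changed_at=T0),
        ReplicaCopy("Spoke", saves=2, changed_at=T0 + timedelta(hours=1)),
    ],
    "single earlier edit loses to a deletion": [
        ReplicaCopy("Hub", saves=1, changed_at=T0),
        ReplicaCopy("Spoke", saves=0, changed_at=T0 + timedelta(hours=1), deleted=True),
    ],
    "edit made after the deletion survives": [
        ReplicaCopy("Hub", saves=1, changed_at=T0 + timedelta(hours=2)),
        ReplicaCopy("Spoke", saves=0, changed_at=T0 + timedelta(hours=1), deleted=True),
    ],
}

if __name__ == "__main__":
    for name, copies in SCENARIOS.items():
        print(f"{name}: {describe(copies)}")
```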
Save conflicts
A save conflict occurs when two or more users open and edit the same document at the same time on the same server, even if they're editing different fields. When this situation occurs, the first document saved becomes the main document. Before the second document is saved, a dialog box indicates that the user is about to save a conflict document and if the user saves the document, it becomes a Replication or Save Conflict document.
Note ACL and design changes never result in replication or save conflicts; the most recent change always prevails.
The last three are techniques that a system administrator or database manager can use:
- Assign users Author access or lower in the database ACL to prevent users from editing other users' documents.
- Keep the number of replicas to a minimum.
- If the database property "Limit entries in $Revisions fields" is set to a value greater than 0, increase the limit by specifying a greater value than the existing one or specify -1 to remove the limit.
For more information on the database property Limit entries in $Revisions fields, see the chapter Improving Database Performance.
2. Save the conflict document. The conflict document becomes a main document.
3. Delete the original main document.
If a database or view is inactive, consider deleting the database or view to free disk space on the server.
Shows total number of times users and servers accessed, read, and wrote to a database in past 24 hours, past week, past month, and since the creation of the database* Yes
Shows inactive views (indicated by the size 0) Yes
Shows names of users and servers who read and wrote documents, sorted by date* No
* Includes activity for anonymous and authenticated Internet clients.
No Yes
Tip In addition to viewing activity statistics reported by Statlog, you can evaluate database activity by creating a view that sorts documents by date. You can also create File Monitor documents as part of Event Monitor configuration. File Monitors report user activity for specific databases.
For information on creating views, see the book Application Development with Domino Designer. For information on monitoring database activity within a server cluster, see the book Administering Domino Clusters.
Statlog always reports activity information to the log file, but to save disk space, you can prevent it from automatically reporting to User Activity dialog boxes.
Note The Statlog task also reports database size statistics in the Database - Sizes view of the log file.
For information on using the Database Properties box to update full-text search indexes, see the chapter Setting Up and Managing Full-text Indexes.
Update
Update is loaded at server startup by default and runs continually, checking its work queue for views and folders that require updating. When a view or folder change is recorded in the queue, Update waits approximately 15 minutes before updating all view indexes in the database so that the update can include any other database changes made during the 15-minute period. After updating view indexes in a database, it then updates all databases that have full-text search indexes set for immediate or hourly updates. When Update encounters a corrupted view index or full-text index, it rebuilds the view index or full-text index in an attempt to correct the problem. This means it deletes the view index or full-text index and rebuilds it. To improve view-indexing performance, you can run multiple Update tasks if your server has adequate CPU power.
Note The Update task spawns a directory indexer thread. The directory indexer runs at one-minute intervals and is dedicated to keeping Domino Directory view indexes up-to-date. The directory indexer runs against any local or remote Domino Directory or Extended Directory Catalog that a server uses for directory services.
Updall
Updall is similar to Update, but it doesn't run continually or work from a queue; instead you run Updall as needed. You can specify options when you run Updall, but without them Updall updates any view indexes or full-text search indexes on the server that need updating. To save disk space, Updall also purges deletion stubs from databases and discards view indexes for views that have been unused for 45 days, unless the database designer has specified different criteria for discarding view indexes. Use the NOTES.INI setting Default_Index_Lifetime_Days to change when Updall discards unused view indexes. Like Update, Updall rebuilds all corrupted view indexes and full-text search indexes that it encounters.
By default Updall is included in the NOTES.INI setting ServerTasksAt2, so it runs daily at 2 AM. Running Updall daily helps save disk space by purging deletion stubs and discarding unused view indexes. It also ensures that all full-text search indexes that are set for daily updates are updated.
The following table compares the characteristics of Update and Updall. For Updall, the table describes default characteristics. For information on options you can use to modify some of these characteristics, see the topic "Updall options" later in this chapter.
Characteristic | Update | Updall
When it runs | Continually after server startup | 2 AM and when you run it
Runs on all databases? | No. Runs only on databases that have changed. | Yes
Refreshes views indexes? | Yes | Yes
Updates full-text indexes? | Yes. Updates full-text indexes set for immediate and hourly updates. | Yes. Updates all full-text indexes.
Detects and attempts to rebuild corrupted full-text indexes? | Yes | Yes
Purges deletion stubs? | No | Yes
Discards unused view indexes? | No | Yes (after a view is unused for 45 days or according to a view discard option specified by a designer)
Updall options
You can use any of these methods to run Updall on a server:
- Task - Start tool in the Domino Administrator: Use this method if you don't want to use command-line options.
- Load Updall console command: Use this method if you're comfortable using command-line options or if you want to run Updall directly at the server console when there is no Domino Administrator running on the server machine.
- Program document that runs Updall: Use this method to schedule Updall to run at particular times.
- Run Updall on a Win32 platform: Use this method if you are unable to run Updall at the server console. This method requires that you use the n prefix, for example, nupdall -R.
When you use these methods, you can include options that control what Updall updates. For example, you can update all views and not update any full-text search indexes. The following tables describe the options you can use with Updall. The first column describes the option names as they appear in the Task - Start tool. The second column lists the equivalent command-line options that you use when you use a console command to run Updall and when you schedule Updall to run in a Program document.
Use this syntax when you use the Load updall console command:
Load updall databasepath options
For example:
Load updall SALES.NSF -F
For information on Updall behavior when you don't specify options, see the topic "Indexer tasks: Update and Updall," earlier in this chapter.
Updall - Basic options
Option in Task - Start tool: Index all databases; Index only this database or folder
Command-line option: databasepath. For more information on databasepath, see the topic "Using a console command," later in this chapter.
Description: "Only this database" updates only the specified database. To update a database in the Domino data folder, enter the file name, for example, SALES.NSF. To update databases in a folder within the data folder, specify the database path relative to the data folder, for example, DOC\README.NSF. "Index all databases" (or no database path) updates all databases on the server.

Command-line option: database -T viewtitle
Description: Updates a specific view in a database. Use, for example, with -R to solve corruption problems.
Option in Task - Start tool: Update: Full text indexes: Only those with frequency set to: Immediate or Hourly
Command-line option: -M
Description: Updates full-text indexes assigned Immediate or Hourly as an update frequency.

Option in Task - Start tool: Update: Full text indexes: Only those with frequency set to: Immediate or Hourly or Daily
Command-line option: -L
Description: Updates full-text indexes assigned Immediate, Hourly, or Daily as an update frequency.
-R
database -C
-B
where databasepath specifies the files on which to run Updall and options are Updall command-line options. For example, enter:
Load updall SALES.NSF -F
The following table illustrates how you can use databasepath to specify databases, folders, and subfolders.
To compact | Example command | Files compacted
DATA\SALES.NSF DATA\DEV.NSF DATA\SALES\all databases
A specific database in a folder relative to the Domino data folder | Load updall SALES\USER1.NSF
All the files specified in an IND file created in the Domino data folder | Load updall WEEKLY.IND, where WEEKLY.IND contains: SALES.NSF, DEV.NSF, SALES\USER1.NSF, SALES\NEW | DATA\SALES.NSF, DATA\DEV.NSF, DATA\SALES\USER1.NSF, DATA\SALES\NEW\all databases
Using a Program document
Use a Program document to schedule Updall to run with options at a regular time. Note that by default Updall is included in the NOTES.INI setting ServerTasksAt2, so it runs daily at 2 AM on all databases without options. For more information on Program documents, see the appendix "Server Tasks."
1. From the Domino Administrator, click the Configuration tab.
2. Next to "Use Directory on," select the server with the replica of the Domino Directory that you want to modify.
3. Expand Server - Programs and then click Add Program.
4. Complete these fields on the Basics tab:
Field | Enter
Program name | Updall
Command line | Command line options. Don't specify load before the options.
Server to run on | Server on which to run Updall
Comments | Optional comments
For more information on the available command-line options, see the topic Updall options, earlier in this chapter.
CTRL+SHIFT+F9 | Rebuilds all views in a database that are not built; updates all other views
5. Click the NOTES.INI Settings tab.
6. Click Set/Modify Parameters.
7. In the Item box, select Updaters. In the Value box, enter the number of Update tasks to run. Then click OK.
8. Click Save and Close.
9. Restart the server so that the setting takes effect.
Using the Task - Start tool
Use the Task - Start tool to run multiple Update tasks without having to shut down and restart the server. If you eventually shut down the server, you must repeat this procedure when you restart it. Each time you enter this command, the server loads another Update task.
1. From the Domino Administrator, select the server on which to run Update.
2. Click the Server - Status tab.
3. In the Tools pane on the right, click Task - Start.
4. Select Update. Do not select Update all.
5. Click Start Task.
Tip You can also enter the following command at the console:
Load update
there's inadequate disk space. Make sure that the temporary folder you specify has plenty of disk space available. To change the temporary folder used for view rebuilds, add the setting View_Rebuild_Dir to the server's NOTES.INI file and specify a new location. For example, add:
View_Rebuild_Dir=D:\REBUILD
If Domino estimates that there's not enough space available in the temporary folder to rebuild a specific view, Domino uses a slower method to rebuild the view and logs this message to the Miscellaneous Events view of the log file (LOG.NSF):
Warning: unable to use optimized view rebuild for view due to insufficient disk space at directory. Estimate may need x million bytes for this view. Using standard rebuild instead.
You can add the following setting to the NOTES.INI file to disable optimized view rebuilding. However, do this only as a last resort if you've specified a view rebuild folder and you still see the preceding message for many views. If you see the message for just a few views, don't disable view rebuilding.
Disable_View_Rebuild_Opt=1
The following table describes the command line options you can use with the Designer task.
Command line option | Description
-d directory name | Synchronizes the databases in a directory relative to the data directory. For example, to synchronize databases in the directory DATA\SALES, specify -d SALES.
-f filename | Synchronizes a specific database. For example, to synchronize the database DATA\SALES.NSF, specify -f SALES.NSF.
-i name | Synchronizes the databases specified by name, which can be a database, folder, or file name that contains a list of paths, each of which can be a database or a folder.
The following messages indicate that Domino has rebuilt, is in the process of rebuilding, or was unable to rebuild damaged views:
- Page format is incorrect
- Invalid CNO vector - position == 0
- Container integrity has been lost - rebuild
For information on using the log file, see the chapter Using Log Files.
For information on using Compact, see the chapter Improving Database Performance.
Using Fixup
When you restart a server, the server quickly searches for any unlogged databases that were modified but improperly closed because of a server failure, power failure, hardware failure, and so on. A few minutes after server startup is complete, the Fixup task then runs on these databases to attempt to fix any inconsistencies that resulted from partially written operations caused by a failure. When users attempt to access one of these databases and Fixup hasn't yet run on the database, the users see the message "This database cannot be opened because a consistency check of it is in progress." A similar Fixup process occurs when you restart a Lotus Notes client.
Multiple Fixup tasks run simultaneously at server startup to reduce the time required to fix databases. The number of Fixup tasks that Domino runs by default at startup is equal to two times the number of processors available on the server. Although this default behavior should be adequate in most circumstances, you can edit the NOTES.INI file to include the Fixup_Tasks setting. The actual number of tasks run is the smaller of the configured number of tasks that can run and the number of databases that require fixing. For example, if you set Fixup_Tasks to 4 but only one database requires fixing, then only one Fixup task runs. Keep in mind that after you set up transaction logging, Fixup is not needed or used to bring databases back to a consistent state.
- Run Fixup using the Fixup tool in the Files tab: Use this method to run Fixup on one or a few databases; you can easily select the databases and you don't have to use command-line options, but you can't use the Domino Administrator until Fixup finishes.
- Run Fixup using the Task - Start tool: Use this method to run Fixup on all databases; you can continue to use the Domino Administrator while Fixup runs and you don't have to use command-line options.
- Run Fixup using a console command: Use this method if you want to use command-line options or to run Fixup directly at the server console when there isn't a Domino Administrator client available.
- Run Fixup using a Program document: Use this method to schedule Fixup to run at particular times.
- Run Fixup on a Win32 platform: Use this method if you are unable to run Fixup at the server console. This method requires that you use the n prefix, for example, nfixup -F.
Fixup options
The following table describes the options you can use with Fixup. The first column lists the options as they appear when you run Fixup using the Fixup tool or the Task - Start tool in the Domino Administrator. The second column lists the equivalent command-line options that you use when you run Fixup using a console command or using a Program document.
Fixup options in Fixup tool and Task - Start tool | Command-line equivalent | Description
Fixup all databases; Fixup only this database or folder | databasepath | "Fixup only this database or folder" runs Fixup only on a specified database or all databases in a specified folder. To run Fixup on a database in the Domino data folder, enter the file name, for example SALES.NSF. To run Fixup on a database or databases in folders within the data folder, enter the path relative to the data folder. For example, to run Fixup on all databases in the DATA\SALES folder, specify SALES. "Fixup all databases" or no command-line database path runs Fixup on all databases on the server. Note To specify databases or folders to run on using the Fixup tool, select the database(s) or folder(s).
Report all processed databases to log file | -L | Reports to the log file every database that Fixup opens and checks for corruption. Without this argument, Fixup logs only actual problems encountered.
 | -I | When you run Fixup on a specific database, Fixup checks only documents modified since Fixup last ran. Without this option, Fixup checks all documents.
 | -F | When you run Fixup on all databases, Fixup checks all documents in the databases. Without this option, Fixup checks only documents modified since it last ran. Note To specify this option using the Fixup tool, deselect "Scan only since last fixup."
Perform quick fixup | -Q | Checks documents more quickly but less thoroughly. Without this option, Fixup checks documents thoroughly.
 | | Prevents Fixup from running on views. This option reduces the time it takes Fixup to run. Use if view corruption isn't a problem.
 | | Prevents Fixup from purging corrupted documents so that the next time Fixup runs or the next time a user opens the database, Fixup must check the database again. Use this option to salvage data in documents if the corruption is minor or if there are no replicas of the database.
 | -U | Reverts ID tables in a database to the previous release format. Don't select this option unless Customer Support recommends doing so.
 | -J | Runs on databases that are enabled for transaction logging. Without this option, Fixup generally doesn't run on logged databases. If you are using a certified backup utility, it's important that you schedule a full backup of the database as soon after Fixup finishes as possible.
 | -O | If you run Fixup on open databases, Fixup takes the databases offline to perform the fixup. This is the default if you run Fixup and specify a database name. Without this option, when you do not specify database names, Fixup does not run on open databases.
 | -Z | Applies only to running Fixup on a single database. When a database isn't taken offline and is in use, then Fixup is not run. This is the default when Fixup is run on multiple databases.
Verify only | -C | Verifies the integrity of the database and reports errors. Does not modify the database (for example, does not purge corrupted documents).
 | -Y | Runs Fixup on databases in subfolders (subdirectories).
 | -y | Does not run Fixup on databases in subfolders (subdirectories).
For information on transaction logging, see the chapter "Transaction Logging and Recovery."
4. Enter the following command in one of the following ways: 1) In the command line at the bottom of the console, and then press ENTER, or 2) Directly at the console on a server:
Load fixup databasepath options
where databasepath specifies the files on which to run Fixup and options are Fixup command-line options. The following table illustrates how you can use databasepath to specify databases, folders, and subfolders.
To fixup | Example command
Specific databases in the Domino data folder | Load fixup SALES.NSF,DEV.NSF
All the databases in a folder relative to the Domino data folder | Load fixup SALES
A specific database in a folder relative to the Domino data folder | DATA\SALES\USER1.NSF
All the files specified in an IND file created in the Domino data folder | Load fixup WEEKLY.IND where WEEKLY.IND contains: SALES.NSF DEV.NSF SALES\USER1.NSF SALES\NEW
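The command syntax and option descriptions above can be checked mechanically before a command is typed at the console or saved in a Program document. The following Python sketch is an added example, not IBM code: it covers only the options whose letters appear in this section, and the rule for open databases is a reading of the -O and -Z descriptions. The function names and the sample command lines at the bottom are constructed for the illustration.

```python
# Added example: review "Load fixup databasepath options" command lines
# against the option descriptions in this section.

# Command-line options whose letters appear in this section.
KNOWN = {"-L", "-I", "-F", "-Q", "-U", "-J", "-O", "-Z", "-C", "-Y", "-y"}

# Pairs whose descriptions are opposites of each other.
CONFLICTS = [("-I", "-F"), ("-O", "-Z"), ("-Y", "-y")]

# Options whose description carries an operational condition.
ADVICE = {
    "-U": "reverts ID tables; use only when Customer Support recommends it",
    "-J": "runs on transaction-logged databases; schedule a full backup "
          "as soon as Fixup finishes",
    "-Q": "quick fixup checks documents less thoroughly",
}


def classify_target(target):
    """Classify one databasepath entry by its extension."""
    upper = target.upper()
    if upper.endswith(".IND"):
        return "ind-file"
    if upper.endswith(".NSF"):
        return "database"
    return "folder"


def parse_fixup(command):
    """Split a command into its databasepath entries and its options.

    Assumption: paths contain no spaces, as in the examples above.
    """
    tokens = command.split()
    if [t.lower() for t in tokens[:2]] != ["load", "fixup"]:
        raise ValueError("not a 'Load fixup' command: %r" % command)
    targets, options = [], []
    for token in tokens[2:]:
        if token.startswith("-"):
            options.append(token)  # keep case: -Y and -y are different options
        else:
            targets.extend(t for t in token.split(",") if t)
    return targets, options


def open_database_handling(targets, options):
    """Say what happens to databases that are in use when Fixup runs."""
    if "-O" in options:
        return "taken offline"
    if "-Z" in options:
        return "skipped"
    # Reading of the stated defaults: one named database behaves like -O,
    # anything broader (several databases, a folder, no path) like -Z.
    kinds = [classify_target(t) for t in targets]
    return "taken offline" if kinds == ["database"] else "skipped"


def review(command):
    """Return the scope, side effects and findings for one command line."""
    targets, options = parse_fixup(command)
    findings = []
    for opt in options:
        if opt not in KNOWN:
            findings.append("%s is not among the options listed here" % opt)
        elif opt in ADVICE:
            findings.append("%s: %s" % (opt, ADVICE[opt]))
    for first, second in CONFLICTS:
        if first in options and second in options:
            findings.append("%s and %s contradict each other" % (first, second))
    return {
        "scope": [(t, classify_target(t)) for t in targets] or "all databases",
        "modifies_databases": "-C" not in options,  # -C is verify only
        "open_databases": open_database_handling(targets, options),
        "findings": findings,
    }


if __name__ == "__main__":
    # Constructed command lines, as they might appear in Program documents.
    for line in ("Load fixup SALES.NSF,DEV.NSF",
                 "Load fixup SALES.NSF -C",
                 "Load fixup SALES -Y -y -J",
                 "Load fixup WEEKLY.IND -L"):
        print(line, "->", review(line))
```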
Using a Program document
Use a Program document if you want to schedule Fixup to run at a regular time. For more information on Program documents, see the appendix "Server Tasks."
1. From the Domino Administrator, click the Configuration tab.
2. Next to "Use Directory on," select the server with the replica of the Domino Directory that you want to modify.
3. Select Server - Programs and then click Add Program.
For more information on the available command-line options, see the topic "Fixup options" earlier in this chapter.
5. On the Schedule tab, complete these fields:
Field | Enter
Enabled/disabled | Enabled
Run at times | Times to run Fixup each day
Repeat interval of | How soon to run Fixup again after it completes
Days of week | The days to run Fixup
6. Click Save and Close.
Using the Fixup tool
Use this method to run Fixup on one or a few databases.
1. From the Domino Administrator, select the server that stores the databases you want to run Fixup on. If the Domino Administrator does not run on a server, you can select local to run Fixup on databases stored on the client.
2. Click the Files tab.
3. Select the databases on which to run Fixup.
4. In the Tools panel at the right, select Database - Fixup.
5. (Optional) Select options to control how Fixup runs. For information on the options available, see the topic "Fixup options" earlier in this chapter.
6. Click OK.
Moving databases
It may be necessary to move a database from one server to another, for example, to distribute databases evenly among servers. If there are replicas of the database, the server to which you move the database should have the appropriate Connection documents to replicate the database to other servers that store replicas. If you're moving a database to a server in a cluster, replication between the server and other servers in the cluster that have replicas of the database occurs without Connection documents. Keep in mind that within a cluster, the Cluster Manager distributes workloads and provides failover to database replicas if one cluster server becomes disabled. Before moving a database in a cluster, you should analyze the cluster workload to be sure it will remain balanced after you move the database. Only the person who administers the cluster should perform the move. For more information on clusters, see the book Administering Domino Clusters.
You can use any of these methods to move a database:
- Use the Domino Administrator and the Administration Process to move the database.
- Manually move the database. Use this option when you do not have access to the Domino Administrator and the Administration Process.
using a Server document to set "Create replica databases" access, see the chapter "Controlling Access to Domino Servers."
5. From the Domino Administrator, select the server that stores the databases you want to move.
6. Click the Files tab.
7. In the files pane, select one or more databases to move.
8. In the Tools pane on the right, select Database - Move. Or drag the selected database(s) to the Move tool.
9. (Optional) If the current domain includes a cluster, click "Show only cluster members" to display only destination servers that are members of the cluster.
10. Select one or more destination servers. To select a server that doesn't appear in the list, click Other, specify the hierarchical server name, then click OK.
11. (Optional) Select a destination server, click File Names to choose a custom file path on the destination server for any database you're moving and then click OK. You can repeat this procedure for each destination server. If you don't choose this option, the database is stored on the destination server in the same location as on the source server. To move a database to a folder below the data folder, type the folder name, backslash, and then the file name, for example, JOBS\POSTINGS. If the specified folder does not exist, Domino creates it for you.
12. Click OK. A dialog box shows the number of databases processed and indicates if any errors occurred. See the status bar for more information.
13. If the source server is not a cluster server, you must approve the deletion of each original source database after the Administration Process completes the "Non Cluster Move Replica" request, which creates a replica at the new location. To do this:
a. Make sure you have Editor access to the Administration Requests database (ADMIN4.NSF).
b. Open the Administration Requests database.
c. Select the Pending Administrator Approval view.
d. Open the "Approve Deletion of Moved Replica" request for each source database that you moved, click Edit Document, click Approve File Deletion, click Yes, and then click Save and Close.
14. Notify users that you've moved the database.
Moving databases by dragging them to a destination server
Rather than choosing Database - Move, you can drag databases to a destination server. When you use this method, you must store all databases in one preexisting folder on the destination server. This method also uses the Administration Process to automate moving the database. You can't use this method to move a database to another Domino domain.
1. From the Domino Administrator, click the Files tab.
2. In the files pane, select one or more databases to move.
3. Drag the selected databases to a destination server in the server pane on the left.
4. In the dialog box that appears, select "Move database," select a folder on the destination server in which to store the database(s), then click OK.
Use this procedure to move a database to a server in another Domino domain or to move a database when you don't have access to the Domino Administrator. Do not use this procedure to move a mail file. For information on moving mail files, see the chapter "Setting Up and Managing Notes Users."
1. Make sure that you have Create Replica access in the Server document of the destination server.
2. Make sure you have Manager with "Delete documents" access in the ACL of the original database.
3. Choose File - Replication - New Replica to create a replica of the database on the destination server.
4. Make a note of the file name and path of the original database. You'll include this information when you notify users of the move.
5. Choose File - Database - Delete to delete the original database.
6. If the database receives mail, change the Mail-In Database document in the Domino Directory to reflect the new location.
7. In the ACLs of any replicas of the database, remove the name of the server that you moved the database from and add the name of the destination server.
8. Notify users that you have moved the database.
Deleting databases
To keep a server performing efficiently and to free disk space, delete databases that are no longer active. To delete databases from a cluster server, you use the Cluster database tool in the Domino Administrator. To delete databases on non-cluster servers, select the databases and delete them manually, or use the Delete database tool in the Domino Administrator to have the Administration Process delete replicas of the database. Within a cluster of servers, you create a number of replicas for each database to ensure user access to an updated replica even if a particular cluster server becomes unavailable. You can mark a cluster replica for deletion while users are working with the replica. Domino then prevents new users from accessing the marked replica and deletes the database after all current users exit the database. Before deleting the database, Domino replicates any changes to other replicas in the cluster. For more information on clusters, see the book Administering Domino Clusters.
Deleting a non-cluster database and its replicas using the Administration Process
1. Make sure you have Manager access in the database ACL.
2. From the Domino Administrator, select the server that stores the database you want to delete.
3. Click the Files tab.
4. Select the database to delete.
5. Click Database - Delete.
6. (Optional) Select "Also delete replicas of this database on all other servers" if you want the Administration Process to delete other replicas.
7. Click OK.
Database analysis
You can perform a database analysis to collect information about one or more databases from a variety of sources, that is, the replication history, the User Activity dialog box, and the log file (LOG.NSF), and view it in a single results database. You can perform a database analysis only if you have access to the Domino Administrator.
Use database analysis to collect the following information about a database:
- Replication history, as recorded in the Replication History dialog box
- User reads and writes, as recorded in the User Activity dialog box
- Document creations, edits, and deletions, as recorded in a database
- Design changes, as recorded in a database
- Replication additions, updates, and deletions, as reported in the log file (LOG.NSF)
- Mail messages delivered by the mail Router
You can collect this information from multiple replicas of a database.
Analysis documents
Each analysis document in the results database contains fields that describe a particular event.
Field | Describes
Date | Date of the event
Time | Time of event
Source of Event Information | The analyzed database or its replicas or the log file (LOG.NSF)
Source Database | Name of a database containing documents that were read. For database replication events, name of database from which information was pulled
Source | Name of server that stores a database containing documents that were read or written. For database replication events, name of server that stores the database from which information was pulled
 | Name of a database on which documents were updated. For database replication, name of the database to which information was replicated
Destination | Name of a server that stores a database that was updated. For database replication, name of a server that stores a database to which information is replicated
 | Description of the event
Document creations, edits, and deletions Changes to documents Replication history Replication history
Design Note Changes to the database ACL and design Changes to design
Number of replication additions, updates, and deletions, as reported in the log file (LOG.NSF) | Log file activity
8. Click Results, do one of the following, then click OK.
- Specify the server, title, and file name of the database where you want to store the results. It's recommended that you create the results database on a local client rather than on a server. If multiple people generate results databases on a server, they should each specify a different file name so the results don't conflict.
- If the specified results database already exists, click "Overwrite database" to write over the existing contents or click "Append to this database" to add the new results to existing ones.
9. Click OK to run the analysis.
10. To see the results, open the database and choose one of the available views.
11. Open Database Analysis Results documents in the selected view.
Database analysis options
Option | Reports
Changes in: Data documents | Details of document additions, edits, and deletions
Changes in: Design documents | Changes to the database ACL and design
User activity: User reads | Total times users opened documents in the database
 | Total times servers read documents
 | Total times users and servers created, modified, or deleted documents
 | Total number of mail messages delivered to the database
 | Data for other replicas
Replication: Replication history | Successful replications of a database as reported in the database replication history
In logfile: Miscellaneous Events view | Events relating to this database, as recorded in the Miscellaneous Events view of the log file
In logfile: Database usage view | Database activity, as recorded in the Usage By User view of log file
Default_Index_Lifetime_Days | Changes when Updall discards unused view indexes.
Disable_View_Rebuild_Opt | Disables optimized view rebuilding.
Fixup_Tasks | Specifies the number of Fixup tasks to run concurrently on the server.
No_Force_Activity_Logging | Prevents Statlog from automatically recording activity in User Activity dialog boxes.
ServerTasksAt[n] | Specifies which server tasks to run at time n.
Update_NO_BRP_Files | When set to 1, the Fixup task creates a BRP file when it encounters an error in a view index.
Updaters | Specifies the number of Update tasks to run concurrently on the server.
View_Rebuild_Dir | Changes the temporary folder used for view rebuilds.
Managing servers
To manage servers, you can do any of the following tasks:
- Change the server administrator
- Decommission a server
- Decommission a Domain Search server
- Delete a server name
- Find a server name in the domain with the Domino Administrator or the Web Administrator
- Recertify a server ID
- Upgrade a server name to hierarchical
- Uninstall a Domino server partition
While managing servers, you may also need to recertify a certifier ID. To do so, see Recertifying a Certifier or User ID.
If the name of the former administrator is included in any groups, delete the former administrator's name from the Group document(s), if appropriate. Add the name of the new administrator.
1. From the Domino Administrator, select the Configuration tab.
2. Click Server, and then select one:
- Current Server Document to change the administrator name for the current server.
- All Server Documents and then select the server document you want to change.
3. Click Edit Server.
4. Click the Administration tab.
5. In the Administrator field, type the administrator's name or click the arrow and complete the following fields as necessary in the Select Names dialog box:
Field | Action
Choose address book | Select the address book and choose a name from the list. Click one of the following: Add to add the name to the Names list. Details to view address details from the Person document.
Find names starting with | (Optional) Enter a user name, last name followed by first name, to search for a name if you are unsure of the spelling or the complete name.
Add name not in list | Enter a user name and then click Add to add the name to the Names list without selecting it from an address book.
Names | (Optional) Do one: Select a name and then click Remove to remove the selected name from the Administrator field. Don't select any names. Click Remove all to remove all names from the Administrator field.
 | Select a name and click to copy a name from the open address book to the local address book.
6. Click OK, and then click Save & Close in the Server document.
7. Use the Replicate server command at the console to force replication of the Domino Directory and disseminate the change quickly.
For more information on the Replicate command, see the appendix "Server Commands."
Decommissioning a server
You use the Decommission Server Analysis tool when you are consolidating existing servers and/or permanently removing a server from service. Whether you are combining two servers into one server or renaming a server, the result is the same: the old server name is replaced with the new server name. The analysis tool can help you avoid a loss of service for your Domino server and can be used to help build a foundation for a decommission "to do" checklist. The role of the Server Analysis Tool is to compare the responsibility of the source server to that of the target server and to report differences that could cause a possible loss of service. When you run the Decommission Server Analysis tool, you create a Results database containing detailed information comparing the source server and the target server. The source server is the server being removed from service, and the target server is the server taking the place of the source server. The source and the target servers must be Domino servers that have hierarchical names and that are in the same domain.
Inconsistencies between the source and target servers are marked in the Results database to alert you to the administrative tasks you may need to do before you can decommission the server. Each comparison that the Decommission Server Analysis tool makes is somewhat individual. Relationships between analysis items are not determined by this tool; therefore, you need to review each report and make your own comparisons before taking any action. Perform comparisons between only two servers at a time. You do not need to resolve all differences before you decommission a server.
Before decommissioning a server
Before decommissioning a server, you may need to perform the following types of administrative activities:
- Check each database for formulas that contain specific server name references.
- Update the documents in the Domino Directory, such as the Connection and Program documents, to reflect the new server name.
- If the old server had cross-certificates, make sure the new server has the same cross-certificates.
- Notify other domains that access the server about the change.
- Inform users about the new location for databases, including their mail database, if necessary.
- Make sure the network protocols on the old and new servers match.
- Replicate all the databases from the old server to the new server.
- Update mail routing tables to ensure that mail gets delivered correctly.
To run an analysis report on Decommission Server
1. To use the Decommission Server Analysis Tool, you must have administrator access to both the source and the target servers. If you don't have administrator rights, some portions of the report may not be completed properly.
2. From the Domino Administrator, click the Server - Analysis tab.
3. From the tools pane, select Analyze - Decommission Server.
4. Complete these fields:
Field | Enter
Source server | Name of the server being decommissioned
Target server | Name of the server that will replace the server being decommissioned
Results database | Name and/or location of the Results database if you are not using the default file name DECOMSRV.NSF. Complete these fields: Server, Title, File Name, Folder
Append to this database | (Default) Adds the new report to the end of the existing information in the Results database without deleting any existing data
Overwrite this database | Adds the new Results database by overwriting the existing database
5. Click OK. When the analysis is complete, the Results database opens to the Reports view. This can take up to several minutes depending on network traffic and the number of databases on both the source and target servers.
Note You can create multiple reports in the same database or in different databases and then use these reports to verify that differences between the two servers are remedied and cannot be seen by the system when you run the Decommission Server Analysis tool. You can re-run the reports as many times as you wish.
Viewing the report in the Results database
The Decommission Server Analysis tool generates a categorized list of items that were analyzed. Each category represents a different aspect of a server's configuration that needs attention. Within each category, items are listed alphabetically. Each item lists any differences between the source and the target servers' settings or values. In the Results database, you can view the categorized list of the items that were analyzed.
Each item is represented by a document. A document's status is indicated by an icon to the left of the document as follows:
Icon | Explanation
 | A difference was found when doing the comparisons and may require the attention of an administrator.
 | An error was encountered when performing or trying to perform a comparison.
No icon | No attention is required because the fields being compared are either equivalent or the source's values are a complete subset of the target's values.
Click a document to open it and view the actual report that was generated. A sample report is shown here:
Description
The section or category that the document belongs to. These categories are: Certificates, Cluster, Connections, Databases, Domains, Internet, Miscellaneous, Network, Programs, Security, SMTP, and Router.
The specific field or item that is being analyzed, for example, Databases Mail Users or Databases No Matching Replica.
Date the report is generated.
Name of the server being retired.
Report title
Server to accept responsibility (target server) | Name of the server that will assume the responsibilities of the server being decommissioned.
Errors | Errors that occur during the analysis on this item or field. This field is blank if there are no errors.
Report details | Information that indicates the problem or inconsistency that exists between the source and target servers.
Report comparisons
The following types of field comparisons are done between the two Server documents and the Configuration documents:
Field Comparison | Explanation
Boolean | The content of the two fields being compared must be an exact match. In some cases, if the field on the source server is not set, no comparison is done with the value for the target server.
 | The two fields are compared and differences are reported.
 | Two text lists are compared and a report is generated if the source is not a complete subset of the target.
 | Two names lists are compared by expanding both lists to single entries, removing duplicates, and generating a report if the source is not a complete subset of the target. When expanding names lists, all groups are expanded until only single entries remain.
Special cases | In some cases, a blank field has a special meaning. In these cases, the specific interpretation of blank for each field is taken into consideration when comparisons are performed.
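The text-list and names-list comparisons described above can be reproduced by hand when you want to check access parity between two servers before a decommission. The following Python sketch is an added example, not IBM code and not the tool's implementation; the group contents, field names and case-insensitive matching are assumptions made for the illustration.

```python
# Added example: source-is-subset-of-target comparison for text lists and
# names lists. All names, groups and field values below are constructed.


def match_key(name):
    """Assumption: entries match case-insensitively, ignoring extra spaces."""
    return " ".join(name.split()).casefold()


def expand_names(entries, groups):
    """Expand a names list to single entries.

    groups maps a group name to its members, which may themselves be groups.
    Groups are expanded until only single entries remain. Each group is
    expanded once, so groups that contain each other cannot loop forever.
    Returns {match key: first spelling seen}, which also removes duplicates.
    """
    index = {match_key(g): members for g, members in groups.items()}
    singles, expanded = {}, set()
    pending = list(entries)
    while pending:
        name = pending.pop()
        key = match_key(name)
        if not key:
            continue                      # skip blank entries
        if key in index:
            if key not in expanded:
                expanded.add(key)
                pending.extend(index[key])
        else:
            singles.setdefault(key, name.strip())
    return singles


def compare_names_list(field, source_entries, target_entries, groups):
    """Report when the expanded source is not a complete subset of the target."""
    source = expand_names(source_entries, groups)
    target = expand_names(target_entries, groups)
    missing = sorted(source[k] for k in source if k not in target)
    return {"field": field, "report": bool(missing),
            "missing_on_target": missing}


def compare_text_list(field, source_values, target_values):
    """Same subset rule for plain text lists; nothing is expanded."""
    target = {match_key(v) for v in target_values}
    missing = sorted({v.strip() for v in source_values
                      if match_key(v) and match_key(v) not in target})
    return {"field": field, "report": bool(missing),
            "missing_on_target": missing}


# Constructed directory groups; the two groups deliberately contain each other.
GROUPS = {
    "LocalDomainAdmins": ["Ann Lee/Acme", "HelpDesk"],
    "HelpDesk": ["Raj Patel/Acme", "LocalDomainAdmins"],
}

if __name__ == "__main__":
    # Different-looking lists that expand to the same people: no report.
    print(compare_names_list("Administrators",
                             ["LocalDomainAdmins", "Ann Lee/Acme"],
                             ["ann lee/acme", "HelpDesk"], GROUPS))
    # The source grants access to someone the target does not: report.
    print(compare_names_list("Administrators",
                             ["LocalDomainAdmins", "Backup Operator/Acme"],
                             ["HelpDesk"], GROUPS))
    print(compare_text_list("Ports", ["TCPIP", "NETBIOS"], ["tcpip"]))
```

A non-empty missing_on_target list names the entries that would lose access if the source server were retired without updating the target's field first.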
Program documents
Domain documents
Cross-Certificates | Any cross-certificate that lists the source server in the Issued By field is reported.
Mail-in databases, Rooms, Resources, Certifiers, Person documents | Each document that lists the source server as the Mail server is reported.
Replicas | Any database on the source server that does not have a matching replica on the target server is reported. A file name comparison for all databases that do not have replicas on the target is done. Any database on the source that has a name conflict with a different database with the same name on the target is listed.
5. Do one of these:
- Click the check box "Delete servers from Domino Directory immediately" to immediately remove the server name from the Domino Directory, and post Administration Requests to remove the server name from ACLs, Names fields, and other locations.
- Leave the check box "Delete servers from Domino Directory immediately" not selected, to create Administration Requests to remove the server name from the Domino Directory, ACLs, Names fields, and all other locations.
6. Click OK.
For information on removing a server from service and replacing it with another server, see the topic "Decommissioning a server" in this chapter.
Recertifying a server ID
Follow this procedure to use the original certifier to recertify a server ID that has a certificate that is about to expire.
1. To recertify a server ID, you must have:
- Author with Create documents access and the ServerModifier role, or Editor access to the Domino Directory
- At least Author with Create documents access to the Certification Log
2. From the Domino Administrator, click the Configuration tab, and then click Server - All Server Documents.
3. Select the server you are recertifying.
4. Choose Actions - Recertify Selected Servers.
5. Choose one:
- Click "Supply certifier ID and password" if you want to use a certifier ID and password instead of the new server-based certification authority (CA). To change to a different certifier ID, click Certifier ID, select the new ID, enter the password, and then click OK.
- Use the CA Process: Click to use the Domino server-based certification authority (CA) to recertify the server ID. Choose a CA-configured certifier from the list.
6. Accept the default certificate expiration date (two years from the current date), or enter a different date.
7. (Optional) Enter a date in the field "Only renew certificates that will expire before" if you want to limit which server IDs can be recertified.
8. (Optional) Click the check box "Inspect each entry before submitting request" if you want to view the server ID before finalizing the recertification.
9. Click OK.
10. Select one of the following:
- OK to submit the recertification.
- Skip if you are recertifying more than one server ID and you want to continue to the next server ID without submitting a recertification for the current server ID.
- Cancel Remaining Entries to cancel this server recertification and recertifications for any other server names you selected and have not yet submitted.
11. Review the processing statistics that appear and then click OK.
Note You can use the @Certificate function to create a custom view of specific IDs for recertification based on the ID name, issuer of the certificate, and expiration date. If you create a custom view, be sure to include the Recertify Servers or an equivalent action in the Actions menu of the view. For more information on the @Certificate function, see the Domino Designer Programming Guide.
Finding a server name in the domain with the Domino Administrator or the Web Administrator
You can search for a server name in the domain and then view a log that includes document links and directory links to each occurrence of the server name.
1. From the Domino Administrator or the Web Administrator, click the Server - Analysis tab.
2. From the Tools pane, click Analyze - Find Server.
3. Do one of these:
- From the Domino Administrator, select a server name from the list box, and click OK.
- From the Web Administrator, enter a server name and click Send.
4. One of these occurs:
- On the Domino Administrator, a message appears indicating that an administration request will be initiated to search the enterprise for the server name. Click Yes.
- On the Web Administrator, the status line displays a message indicating that an administration request has been generated to locate the server name. Click Done or enter another server name and repeat the process.
To view the log of locations
1. To view the log of locations where the server name has been located, from the same view, click Administration Requests(R6).
2. Click All Requests by Name.
3. Locate the server name you are looking for.
4. Expand the section and locate the Find Name in Domain request.
5. Open the request. View the documents that contain that server name in the "Links to items found within Domino Directory documents" field. View the database ACLs that contain that server name in the "Links to item found in Database ACLs" field.
6. Click Cancel to close the Response Log document.
For more information on using the Web Administrator, see the chapter "Setting Up and Using Domino Administration Tools."
Performance
For more information on performance, visit the Domino Performance Zone at www.lotus.com/performance. See the Notes.net column, Performance Perspectives for detailed information about performance issues. For more information on improving network performance see the chapter Setting up the Domino Network. For more information on database performance properties, see the chapter Improving Database Performance.
Domino Server.Load
Using Domino Server.Load, you run a script (a simulated workload) in your own environment to obtain server capacity and response metrics. You can run a built-in script or create a custom script. Domino Server.Load includes real-time control of the test environment and variables, such as the number of simulated users. Using Domino Server.Load, you can evaluate the capacity of your servers and evaluate the requirements for additional CPU, memory, or disk storage upgrades. Server.Load can also be used to determine the effect of changes to the machine, such as upgrading a device drive, an OS service pack, or a Domino maintenance release. Domino Server.Load is included as part of the Administrator client. For details about setting up and working with Server.Load, see the chapter Using Server.Load.
NotesBench
NotesBench is a collection of benchmarks (workloads) that simulate the behavior of workstation-to-server or server-to-server operations. Vendors and other organizations use NotesBench to evaluate the performance of various Domino and Notes platforms and configurations. Using NotesBench, hardware vendors and business partners generate benchmark information, which they can distribute to their customers. In turn, customers can use the benchmark information to evaluate vendors, select configurations, and plan resource budgets. To use NotesBench for testing, you must be a member of the NotesBench Consortium, which is an independent, nonprofit organization dedicated to providing Domino and Notes performance information to customers. The consortium requires that each member run the NotesBench tests in the same manner and allows tests to be audited. To view published data and test results, go to the NotesBench Web site at www.notesbench.org.
high-end Domino server loads. The size of your Level 2 cache should match your expected user loads and the response time you want. Vendors have moved from 256K to 512K, 1MB to 2MB Level 2 cache systems, especially on their greater than two-CPU configurations.
5. Improve your network. NotesBench vendors have:
   - Moved from 10Mbps cards and networks to 100Mbps configurations
   - Used multiple LAN segments (one for each partition) to isolate network traffic, at the high-end user loads
6. Change your network protocol to IP. Vendors initially used NetBIOS and SPX internally but have unanimously moved to IP for their performance publishing efforts.
7. You can improve Web server performance by disabling HTTP server logging. Logging options are stored in the Server document. In the HTTP server Enable logging to section are two fields, Log files and DOMLOG.NSF. Disabling both of these fields improves Web server performance.
8. You can improve general server performance by disabling the type-ahead mail addressing feature. (Type-ahead allows users to enter the first few characters of a user's name; the server then completes the rest of the name automatically.) To disable type-ahead on a server, open the server's Configuration Settings document in the Domino Directory. On the Basics tab, choose Disabled in the Type-ahead field. Then save and close the document.
Server_MaxUsers
This setting sets the maximum number of users that are allowed to access a server. When this number is reached, the server state becomes MaxUsers, and the server stops accepting new Database Open requests. The default is 0 (unlimited access to server by user). By setting a maximum number of users allowed on the server, you can prevent server performance from degrading because of demand overload.
Server_Session_Timeout
This setting specifies the number of minutes of inactivity after which the server automatically terminates network and mobile connections. The minimum recommended setting is 15 minutes. If you specify a lower time, the server must reopen database server sessions too frequently, which slows server performance. For best performance, the recommended time is 45 minutes. For mobile connections, X.PC has its own internal time out. If the X.PC time-out value is shorter than the Server_Session_Timeout value, the X.PC time out takes precedence.
ServerTasks
This setting controls the tasks that the server runs. These tasks start automatically at server startup and continue until the server is shut down. Improve performance by removing tasks that aren't appropriate to the server. Do not remove the Update task from a server. If you do so, the Domino Directory will not update.
Translog_Status This setting enables transaction logging for all Release 5 and later databases on the server. Default is 0 (transaction logging disabled). Set this to 1 to enable transaction logging. Transaction logging improves the availability and reliability of the server. Note You must upgrade databases to Domino Release 5 or later format before they can use transaction logging.
system's performance monitor as well as the Domino statistics to determine which partitioned server is using the system resources. For more information about monitoring Domino servers, see the chapters Monitoring the Domino Server and Using Log Files.
Optimizing performance
If one partitioned server uses significant system resources, consider moving that server to a different computer. If partitioned servers cause slow disk access, consider moving the Domino data directories of the partitioned servers to separate disk drives. Another way to limit access to a server is to limit the number of users who can use a partitioned server at one time. To do this, you can use the Server_MaxUsers setting in the NOTES.INI file. When the server reaches the number of users you specify, Domino denies additional user requests for access to the server. For additional information about these NOTES.INI settings, see the appendix NOTES.INI File.
Note Setting this and other Agent Manager variables to zero does not completely eliminate the delay; a built-in delay will always exist.
AMgr_DocUpdateEventDelay
This setting specifies the delay time, in minutes, the Agent Manager schedules a document update-triggered agent after a document update event. The default is 5 minutes. The delay time ensures the agent runs no more often than the specified interval, regardless of how frequently document update events occur. When the agent executes, it will also process all additional events (if any) that occurred during the interval. A longer interval results in the agent running less often, thus reducing demand for server time. If document update events are infrequent, however, you can reduce the delay to ensure the agent runs soon after the event occurs.
AMgr_NewMailAgentMinInterval
This setting specifies the minimum elapsed time, in minutes, between execution of the same new mail-triggered agent. The default is 0 (no interval between executions). Similar to AMgr_DocUpdateAgentMinInterval, entering an interval can result in the agent running less frequently.
AMgr_NewMailEventDelay
This setting specifies the time (in minutes) that the Agent Manager delays before scheduling a new mail-triggered agent after new mail is delivered. The default is 1 minute. Similar to AMgr_DocUpdateEventDelay, the delay time ensures the agent runs no more often than the specified interval. When the agent executes, it will also process all additional events (if any) that occurred during the interval. A longer interval results in the agent running less often, thus reducing demand for server time. If document update events are infrequent, however, you can reduce the delay to ensure the agent runs soon after the event occurs.
DominoAsynchronizeAgents
This setting specifies whether Web agents triggered by browser clients can run at the same time (asynchronously). The default is zero (only one agent can run at a time). Set this to 1 to allow multiple agents to run simultaneously. This can result in faster execution of agents. However, a high number of agents executing at the same time can slow overall system performance.
Open the Server document you want to change, and click the Internet Protocols - Domino Web Engine tab. In the Web Agents section, enable or disable the Run Web agents concurrently? option. For Web agent time-out (in seconds), the default is 0 (no time-outs).
If your server attempts to schedule agents at a rate faster than the Agent Manager can run them, the message "AMgr: Agent scheduling is paused" appears on the console. The Agent Manager will not schedule any new agents until the server processes some agents that are already scheduled. Therefore, the running of new agents may be slightly delayed.
NSF_DbCache_Maxentries
This NOTES.INI setting sets the maximum number of databases stored in the database cache (if enabled). For short intervals, Domino stores up to 1.5 times the number entered for this setting. Increasing the maximum number of databases improves performance but requires more memory.
Improving performance for users accessing the Web using the Web Navigator
There are several ways to improve performance:
- Speed up your access to Web pages by speeding up your server connection to the Internet. Contact your Internet Service Provider to find out what options you have.
- Improve database performance by managing your database with the Purge and Refresh agents or any other agents you may create for the database.
- Manage the number of users retrieving pages in the Web Navigator database by setting the maximum number of concurrent retrievals (the number of Web pages the server retrieves at the same time). The default maximum number of concurrent retrievals is 25. The number of concurrent retrievals that your server allows depends on your specific system environment.
Show DBS command
The Show DBS command is a tool for monitoring the performance of a database. This command returns the following information:
Refs: The number of times the database has been opened (the DBHANDLE count for the database).
Mod: Whether the database has been modified, but not yet flushed to disk.
FDs: The number of file descriptors currently being used for the database.
LockWaits: The number of times a user has had to wait for a lock on the database (read or write).
AvgWait: The average wait time in milliseconds for each wait.
#Waiters: The number of waiters currently on the database lock. (This number changes rapidly.)
MaxWaiters: The maximum number of waiters ever on the database lock.
Note To display LockWaits and AvgWait values, you must temporarily add the setting COLLECT_DB_LOCK_WAITS=1 to the server's NOTES.INI file. Because this setting consumes server resources, remove it after you view Show DBS statistics.
60-10 Administering the Domino System, Volume 2
To change the setting in Windows 2000, go to the Control Panel, click the Network and Dial up Connections icon, click Local Area Connection. Right-click on the properties for a network connection, and click File And Printer Sharing for Microsoft Networks. To change the setting in Windows NT, go to the Control Panel, click the Network icon, and then click the Services icon. Choose one of the following:
- Maximize data throughput for file sharing (Windows NT and Windows 2000)
- Maximize data throughput for network applications (Windows NT and Windows 2000)
- Minimize memory used (Windows NT and Windows 2000)
- Balance file sharing and network applications (Windows NT only).
NSF_Buffer_Pool_Size_MB
Many machines that run UNIX have very large amounts of physical RAM. Use the parameters NSF_Buffer_Pool_Size_MB or PercentSysAvailable Resources to control how much memory Domino is allowed to use. Each Domino instance on a UNIX machine can reference a maximum of 4GB of RAM.
Tip You can use the Compact task with specific options to enable or disable the above three properties and then compact the database.
Property Tab To optimize performance/ size Deselect option Improves Reduces database database performance? size? Yes Yes
Allow use of stored Basics forms in this database Display images after loading Don't maintain unread marks Document table bitmap optimization Don't overwrite free space Maintain LastAccessed property Basics
Select option
No Yes No
Yes Yes
No No
Don't support Advanced Select the option Yes specialized response hierarchy Don't allow headline monitoring
Slightly
Limit entries in Advanced Select the option Yes and specify the $UpdatedBy fields number of entries $UpdatedBy fields can contain Limit entries in $Revisions fields Advanced Select the option Yes and specify a limit on the number of entries $Revisions fields can contain. The suggested limit is 10 entries.
Yes
databases provided with Domino, administration databases such as the Domino Directory, or databases such as the log file (LOG.NSF) that are continually updated. In these types of databases, consider disabling unread marks. To disable unread marks, select the Advanced database property Don't maintain unread marks.
Note Designing views that don't display unread marks doesn't improve database performance because they are still maintained but not displayed.
If you select or deselect the Don't maintain unread marks property, you must compact the database so that the setting takes effect. Compacting in this case makes a temporary copy of the database, so your system must have the disk space to make the copy.
Tip You can also run the Compact server task with the -u or -U option to enable or disable this property and then compact.
To prevent the overwriting of deleted data, select the Advanced database property Don't overwrite free space.
By default, the database property Maintain LastAccessed property is not selected, meaning the Accessed (In this file) property isn't updated when the last document access was a read, only when the last access was a document modification. Change the default behavior by selecting Maintain LastAccessed property. You should select Maintain LastAccessed property if you use the document archiving tool, available in the Database Properties box, to delete documents based on days of inactivity.
To improve database performance, disable the response hierarchy information in databases that don't use these @functions by selecting the Advanced database property Don't support specialized response hierarchy. Disabling the response hierarchy information has no effect on views and replication formulas that display information hierarchically without using @AllChildren and @AllDescendants. Disabling the response hierarchy information sets NotesDocument.Responses to 0 documents.
If you select or deselect the Don't support specialized response hierarchy property, you must compact the database so that the setting takes effect. Compacting in this case makes a temporary copy of the database, so your system must have the disk space to make the copy.
Tip You can also run the Compact server task with the -h or -H option to enable or disable this property and then compact.
on the server using the Huffman method. Note that recompressing has performance implications. For best performance, use LZ1 in primarily Domino 6 environments.
A suggested upper limit is 10 entries in the $Revisions field. If you set the limit lower than 10, you run the risk of increased replication or save conflicts.
Soft deletions
In some databases, deleting a document permanently removes it from the database. In other databases, such as the Notes mail file database, deleting a document moves it into a Trash folder and stores it in a state of soft deletion. From this folder, users can restore deleted documents by dragging them from the Trash folder into another folder or by selecting Remove from Trash. Deleted documents are not permanently removed until a specified expiration time or until the user empties the Trash folder.
By default, soft deletions are enabled for mail databases created from the Domino 6 mail template (MAIL6.NTF). The default expiration time is 48 hours. You can turn soft deletions on or off for any database and specify how long to retain soft deletions before removing them from the database. To display soft-deleted documents in other types of databases, you must create a view to list the documents and provide users with an action programmed to un-delete documents and restore them to the database. For information on creating views to display soft-deletions, see the book Application Development with Domino Designer.
Because deleted documents are not removed immediately from a database that has soft deletions enabled, space in the database is not reclaimed as quickly as in a database that does not use soft deletions. If space consideration is an issue, consider disabling soft deletions.
To enable or disable soft deletions for a database
1. From the Files tab of the Domino Administrator, select the database and choose Edit - Properties.
2. On the Advanced tab of the Database properties box, check Allow soft deletions.
3. Set a value for Soft delete expire time in hours. The default is 48 hours. After that amount of time, soft deletions are permanently removed from the database.
To change this limit, add the NSF_DbCache_Maxentries setting to the NOTES.INI file or increase physical memory. Increasing the database cache size improves system performance but requires additional memory. The minimum number of databases allowed in the cache at one time is 25; the maximum is 10,000. The actual number of databases allowed in the cache is 1.5 times the maximum allowed. This buffer increases the chance that when a user opens a database from the cache, Domino can return the database to the cache when the user closes it.
allowed in the cache. However, if the maximum is exceeded, one of the following occurs:
- If the number of databases in the cache is less than the maximum allowed times 1.5, when a database is closed it is added to the cache, and the ager accelerates to reduce the number of databases to the maximum allowed. This action may increase stress on the server I/O subsystem and increase competition for cache resources.
- If the current number of databases in the cache is greater than or equal to the maximum allowed times 1.5, when a database is closed, Domino doesn't put the database in the cache. Instead it uses the slower, non-cache method to close the database. And when a user or process next opens the database, Domino reads the database from disk rather than from the cache, causing the database to open more slowly than if it were in the cache.
For information on statistics reporting, see the chapter Monitoring the Domino Server. For more information on server commands, see the appendix Server Commands.
Statistic | Description
Database.DbCache.CurrentEntries | Number of databases currently in the cache. If this number frequently approaches the value of Database.DbCache.MaxEntries, increase the number of databases the cache can hold.
Database.DbCache.HighWaterMark | Maximum number of databases in the cache during this running of the server program. This number may be artificially high because of startup activity, so it may not be a genuine indicator of cache performance.
Database.DbCache.Hits | The number of times an InitialDbOpen is satisfied by finding the database in the cache. A high hits-to-opens ratio indicates that the database cache is working effectively. If the ratio is low, increase the number of databases the cache can hold.
Database.DbCache.InitialDbOpens | The number of times a user/server opened a database that was not already being used by another user/server. For example, if a user opens a mail file while it is being used by the Replicator, this number does not increase. Compare this number to Database.DbCache.Hits to gauge the effectiveness of the cache.
Database.DbCache.Lookups | The number of lookups to the database cache. A high Database.DbCache.Hit to Database.DbCache.Lookups ratio means the database cache is effective. If the ratio is low, increase the number of databases the cache can hold.
Database.DbCache.MaxEntries | The number of databases the server can currently hold in its cache at once. To change this value, use the NOTES.INI file setting, NSF_DbCache_Maxentries, or increase physical memory.
Database.DbCache.OvercrowdingRejections | Number of times a database is not placed into the cache when it is closed because Database.DbCache.CurrentEntries equals or exceeds Database.DbCache.MaxEntries times 1.5. This number should stay low. If it begins to rise, increase the number of databases the cache can hold.
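The following added example (not part of the IBM documentation) applies the rules in the statistics table above to two snapshots of the Database.DbCache statistics taken some time apart. The "Name = value" console line format, the function names, the 0.80 ratio threshold and the 0.90 "approaches MaxEntries" threshold are assumptions; the 1.5 multiplier comes from the text.

```python
import re

# Assumed console format: one "Database.DbCache.Name = value" pair per line.
STAT_LINE = re.compile(r"^\s*Database\.DbCache\.(\w+)\s*=\s*([\d,]+)\s*$")

# Counters that only grow while the server runs (they restart from 0).
CUMULATIVE = ("Hits", "InitialDbOpens", "Lookups", "OvercrowdingRejections")

# Constructed sample snapshots; all values are invented for illustration.
SNAPSHOT_EARLIER = """\
  Database.DbCache.CurrentEntries = 250
  Database.DbCache.HighWaterMark = 310
  Database.DbCache.Hits = 9,000
  Database.DbCache.InitialDbOpens = 10,000
  Database.DbCache.Lookups = 12,000
  Database.DbCache.MaxEntries = 300
  Database.DbCache.OvercrowdingRejections = 4
"""
SNAPSHOT_LATER = """\
  Database.DbCache.CurrentEntries = 285
  Database.DbCache.HighWaterMark = 310
  Database.DbCache.Hits = 9,600
  Database.DbCache.InitialDbOpens = 11,500
  Database.DbCache.Lookups = 14,000
  Database.DbCache.MaxEntries = 300
  Database.DbCache.OvercrowdingRejections = 9
"""


def parse_stats(console_text):
    """Return {short statistic name: int} for every Database.DbCache line."""
    stats = {}
    for line in console_text.splitlines():
        match = STAT_LINE.match(line)
        if match:
            stats[match.group(1)] = int(match.group(2).replace(",", ""))
    return stats


def interval_counts(earlier, later):
    """Activity between two snapshots. A counter that went down means the
    server restarted, so the later values already describe the interval."""
    restarted = any(later[name] < earlier[name] for name in CUMULATIVE)
    return {name: later[name] - (0 if restarted else earlier[name])
            for name in CUMULATIVE}


def assess_dbcache(earlier, later, min_ratio=0.80, near_full=0.90):
    """Return findings; each one points to raising NSF_DbCache_Maxentries
    or adding physical memory. HighWaterMark is ignored on purpose because
    startup activity can inflate it."""
    findings = []
    current, maximum = later["CurrentEntries"], later["MaxEntries"]
    if current >= maximum * 1.5:
        # At this point closed databases are no longer placed in the cache.
        findings.append("overcrowded")
    elif current >= maximum * near_full:
        findings.append("near-capacity")

    counts = interval_counts(earlier, later)
    for label, denominator in (("low-hits-to-opens", "InitialDbOpens"),
                               ("low-hits-to-lookups", "Lookups")):
        if counts[denominator] and counts["Hits"] / counts[denominator] < min_ratio:
            findings.append(label)

    if counts["OvercrowdingRejections"] > 0:
        findings.append("rejections-rising")
    return findings


if __name__ == "__main__":
    for finding in assess_dbcache(parse_stats(SNAPSHOT_EARLIER),
                                  parse_stats(SNAPSHOT_LATER)):
        print(finding)
```

Comparing the difference between snapshots rather than the raw totals keeps startup activity from hiding a cache that has recently become too small.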
Where value is the maximum number of databases allowed in the database cache at one time. The alternative to using NSF_DbCache_Maxentries is to increase physical memory.
To show databases in the cache
Enter this command at the server console to display the names of the databases currently in the cache:
dbcache show
To close databases in the cache
Enter this command at the server console to close all databases in the cache:
dbcache flush
To disable the cache
By default, the database cache is enabled on a server. To disable the cache, add the following NOTES.INI file setting:
NSF_DbCache_Disable=1
For information on replication settings and the database purge interval, see the chapter Creating Replicas and Scheduling Replication. For information on user activity recording, see the chapter Maintaining Databases.
Logs in Miscellaneous Events No view of the log file (LOG.NSF) File statistic reports in the Statistics database Yes
No No
2. Click the Info tab (i) to see the size of the database. 3. Click % Used to display the percentage of database space in use.
Compacting databases
When documents and attachments are deleted from a database, Domino tries to reuse the unused space, rather than immediately reduce the file size. Sometimes Domino won't be able to reuse the space or, because of fragmentation, can't reuse the space effectively until you compact the database.
Styles of compacting
There are three styles of compacting:
- In-place compacting with space recovery
- In-place compacting with space recovery and reduction in file size
- Copy-style compacting
In-place compacting with space recovery only
This style of compacting recovers unused space in a database but doesn't reduce the size of the database on disk. Databases retain the same database instance IDs (DBIIDs), so the relationship between the compacted databases and the transaction log remains intact. Users and servers can continue to access and edit databases during compacting. This style of compacting is useful for databases that you expect to stay the same size or to grow in size.
When you run Compact without specifying options, Domino uses this style of compacting on all databases enabled for transaction logging. Domino also uses this style of compacting when you use the -b option (case sensitive) when compacting any database.
Tip Use this compacting method the most frequently; it is the fastest method and causes the least system impact.
In-place compacting with space recovery and reduction in file size
This style of compacting reduces the file size of databases as well as recovers unused space in databases. This style of compacting is somewhat slower than in-place compacting with space recovery only. This style of compacting assigns new DBIIDs to databases, so if you use it on logged databases and you use a certified backup utility, perform full backups of the databases shortly after compacting is complete. This style of compacting allows users and servers to continue to access and edit databases during compacting.
When you run Compact without specifying options, Domino uses this style of compacting on databases that aren't enabled for transaction logging. Domino also uses this style of compacting when you use the -B option. To optimize disk space, it's recommended that you run Compact using the -B option on all databases once a week or once a month.
Copy-style compacting
Copy-style compacting creates copies of databases and then deletes the original databases after compacting completes, so extra disk space is required to make the database copies.
This style of compacting essentially creates a new database with a new database ID. If you use copy-style compacting on logged databases (using the -c option), compacting assigns new DBIIDs, so if you use a certified backup utility, you should perform full backups of databases shortly after compacting completes. When you use copy-style compacting, users and servers can't edit databases during compacting, and they can only read databases if the -L option is used.
Domino uses copy-style compacting by default when you use an option with Compact to enable a database property that requires a structural change to a database or when you run Compact on a database that has a structural change pending that was initiated from the Database Properties box. Enabling or disabling the database properties Document table bitmap optimization and Don't support specialized response hierarchy require structural database changes.
The following table compares the three styles of compacting.
Characteristics | In place, space recovery | In place, space recovery with file size reduction | Copy-style
Databases that use it when compact runs without options | Logged databases with no pending structural changes | Unlogged databases with no pending structural changes | Databases with pending structural changes
Databases you can use it on | Current release | Current release | Current release (need -c)
Relative speed | Fastest | Medium | Slowest
Users can read databases during compacting | Yes | Yes |
Users can edit databases during compacting | Yes | Yes |
Reduction in file size | No | Yes |
Extra disk space required | No | No |
Renaming a copy-style compacted database Domino attempts only once to rename a database that was copy-style compacted. You can request successive attempts by specifying the value of the Num_Compact_Rename_Retries setting in the NOTES.INI file. Domino tries to rename until it succeeds or the number of retries is exhausted. For example, to request that Domino try once again to rename, specify Num_Compact_Rename_Retries=1; to request that Domino try 5 more times to rename, specify Num_Compact_Rename_Retries=5.
If you have specified a value for the Num_Compact_Rename_Retries setting, Domino waits 30 seconds before trying to rename a database that was copy-style compacted. You can request a different amount of time to wait by specifying the value of the Compact_Retry_Rename_Wait setting in the NOTES.INI file. For example, to request that Domino wait 2 minutes before trying to rename a database that was copy-style compacted, specify Compact_Retry_Rename_Wait=120. Domino enforces the following upper limit when trying to rename a copy-style compacted database:
Num_Compact_Rename_Retries x Compact_Retry_Rename_Wait <= 60 minutes
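The following added example (not part of the IBM documentation) checks a NOTES.INI file against the limits this chapter states for several settings, including the rename-retry upper limit above. The function names and finding messages are hypothetical, and the sample file is constructed.

```python
# Constructed NOTES.INI excerpt; all values are invented for illustration.
SAMPLE_NOTES_INI = """\
[Notes]
ServerTasks=Replica,Router,AMgr,AdminP,HTTP
Server_Session_Timeout=5
Server_MaxUsers=0
NSF_DbCache_Maxentries=20000
COLLECT_DB_LOCK_WAITS=1
Num_Compact_Rename_Retries=40
Compact_Retry_Rename_Wait=120
Translog_Status=0
"""


def parse_notes_ini(text):
    """Return {lower-cased setting name: value}; lines without '=' are skipped."""
    settings = {}
    for raw in text.splitlines():
        name, sep, value = raw.strip().partition("=")
        if sep and name.strip():
            settings[name.strip().lower()] = value.strip()
    return settings


def _number(settings, name):
    """Integer value of a setting, or None when absent or not numeric."""
    try:
        return int(settings[name.lower()])
    except (KeyError, ValueError):
        return None


def audit_notes_ini(settings):
    """Return (setting, message) pairs for values the chapter warns about."""
    findings = []

    if "servertasks" in settings:
        tasks = [t.strip().lower() for t in settings["servertasks"].split(",")]
        if "update" not in tasks:
            findings.append(("ServerTasks",
                             "Update task missing; the Domino Directory will not update"))

    timeout = _number(settings, "Server_Session_Timeout")
    if timeout is not None and timeout < 15:
        findings.append(("Server_Session_Timeout",
                         "below the minimum recommended 15 minutes (45 recommended)"))

    max_entries = _number(settings, "NSF_DbCache_Maxentries")
    if max_entries is not None and not 25 <= max_entries <= 10000:
        findings.append(("NSF_DbCache_Maxentries",
                         "outside the allowed range of 25 to 10,000"))

    if _number(settings, "COLLECT_DB_LOCK_WAITS") == 1:
        findings.append(("COLLECT_DB_LOCK_WAITS",
                         "consumes server resources; remove after viewing Show DBS"))

    retries = _number(settings, "Num_Compact_Rename_Retries")
    if retries:
        wait = _number(settings, "Compact_Retry_Rename_Wait")
        wait_seconds = 30 if wait is None else wait  # 30 seconds when unset
        if retries * wait_seconds > 60 * 60:
            findings.append(("Num_Compact_Rename_Retries",
                             "retries x wait exceeds the 60-minute upper limit"))

    if _number(settings, "Translog_Status") in (None, 0):
        findings.append(("Translog_Status",
                         "transaction logging is disabled (the default)"))
    return findings


if __name__ == "__main__":
    for setting, message in audit_notes_ini(parse_notes_ini(SAMPLE_NOTES_INI)):
        print(f"{setting}: {message}")
```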
For information on transaction logging, see the chapter Transaction Logging and Recovery. For information on the document archiving tool, see the topic Running the document archiving tool later in this chapter.
Note The Database - Sizes view of the log file (LOG.NSF), the File Statistic reports generated by the Statistics Collector server task, and the Info tab (i tab) of the Database Properties box, all report the percentage of used space in a database. These are often not accurate indicators of used space; therefore, you shouldn't use them.
- Run Compact using the Task - Start tool in the Domino Administrator: Use this method to compact all databases on a server; you can continue to use the Domino Administrator during compacting and you don't have to remember specific command-line options.
- Run Compact using a console command: Use this method if you're comfortable using command-line options or to compact databases directly at the server when there isn't a Domino Administrator client running on the server.
- Run Compact using a Program document: Use this method to schedule compact to run at particular times.
- Run Compact on a Win32 platform: Use this method if you are unable to run Compact at the server console. This method requires that you use the n prefix. For example: ncompact - C.
Compact options
The following tables describe the options you can use with the Compact server task. The first column lists the options as they appear when you run Compact using the Task - Start tool or the Files tab in the Domino Administrator. The second column lists the equivalent command-line options that you use when you run Compact using a console command or using a Program document.
Compact - Basics
Option | Command-line equivalent | Description
Compact only this database or folder (To specify databases to compact using the Files tab, select the databases in the files pane.) | database path. Specify any additional options after the database path. | To compact a database in the Domino data folder, enter the file name, for example SALES.NSF. To compact databases in a folder within the data folder, specify the database path relative to the data folder. For example, to compact all databases in the folder DATA\SALES, specify SALES. If you choose Compact all databases (or don't specify a database path at the command line) Compact compacts all databases in the data folder and in folders within the data folder.
For more information on database path, see the topic Running Compact using a console command later in this chapter. Compact - Options
Option | Command-line equivalent | Description
Compact database only if unused space is greater than x percent | -S percent | Compacts all databases with a specified percent of unused space. For example, if you specify 10, databases with 10% or more recorded unused space are compacted. Note that the unused space calculation is not always a reliable measure of unused space.
Discard any built view indexes | -D | Discards built view indexes. Use this option to compact databases just before you store them on tape, for example. Does copy-style compacting.
Keep or revert database to previous format | -R | Compacts databases without converting to the current release file format of the server that stores the databases or reverts databases in the current release file format to the previous release file format. For example, on Domino 6 servers, this option compacts Domino 5 databases without converting them to the Domino 6 file format and converts Domino 6 databases to the Domino 5 file format. This option uses copy-style compacting.
Compact - Style
Option | Command-line equivalent | Description
In-place (recommended) | -b | Uses in-place compacting and recovers unused space without reducing the file size, unless there's a pending structural change to a database, in which case copy-style compacting occurs. This is the recommended method of compacting.
 | -B | Uses in-place compacting, recovers unused space and reduces file size, unless there's a pending structural change in which case copy-style compacting occurs. If you use transaction logging, do full database backups after compacting completes.
Copy-style | -c | Uses copy-style compacting. Use this option, for example, to solve database corruption problems.
Copy-style: Allow access while compacting | -L | Enables users to continue to access databases during compacting. If a user edits a database during compacting, compacting is canceled. This is useful only when copy-style compacting is done.
Copy-style: Ignore errors and proceed | -i | Enables compacting to continue even if it encounters errors such as document corruption. Only used for copy-style compacting.
Compact - Advanced The advanced compact options are not available through the Compact tool in the Files tab of the Domino Administrator.
Option* | Command-line equivalent | Description
Document table bitmap optimization: Off | -f | Disables Document table bitmap optimization database property. Does copy-style compacting.
Document table bitmap optimization: On | -F | Enables Document table bitmap optimization database property. Does copy-style compacting.
Don't support specialized response hierarchy: Off | -h | Disables Don't support specialized response hierarchy database property; in other words, support specialized response hierarchy. Does copy-style compacting.
Don't support specialized response hierarchy: On | -H | Enables Don't support specialized response hierarchy database property; in other words, do not support specialized response hierarchy. Does copy-style compacting.
Enable transaction logging: Off | -t | Disables transaction logging.
Enable transaction logging: On | -T |
Don't maintain unread marks: Off | -u | Disables Don't maintain unread marks database property; in other words, maintain unread marks.
Don't maintain unread marks: On | -U | Enables Don't maintain unread marks database property; in other words, do not maintain unread marks.
* Select Set advanced properties before you enable or disable any of these properties.
Compact - Archive
When you use the document archiving tool to archive and delete documents in a database, you can use the following Compact options to archive documents if the database is located on a server and you've chosen the advanced archiving option "Automatically on server."
Option* | Command-line equivalent | Description
Archive only | -A | Archives and deletes documents from a database without compacting the database.
 |  | Archives and deletes documents from a database and then compacts the database.
 |  | Deletes documents from a database and then compacts the database.
* The Compact tool in the Files tab of the Domino Administrator provides only the option "Archive database"; this option archives and then compacts.
where databasepath specifies the files to compact and options are Compact command-line options. The following table illustrates how you can use databasepath to specify databases, folders, and subfolders.
To compact | Example command
Specific databases in the Domino data folder | Load compact SALES.NSF,DEV.NSF
All the databases in a folder relative to the Domino data folder | Load compact SALES
A specific database in a folder relative to the Domino data folder | Load compact SALES\USER1.NSF
All the files specified in a .IND file created in the Domino data folder | Load compact WEEKLY.IND where WEEKLY.IND contains: SALES.NSF DEV.NSF SALES\USER1.NSF SALES\NEW
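The option tables above interact: some options force copy-style compacting, and -L and -i only matter during a copy-style run. The following added example (not part of the Domino documentation) reviews a Load compact console command against those tables before it is scheduled; the function name review_compact and the sample commands are constructed for illustration, and database paths containing spaces are not handled.

```python
# Added example: option behaviour is copied from the Compact tables on this page.
COPY_STYLE = ("-D", "-R", "-c", "-f", "-F", "-h", "-H")  # "does copy-style compacting"
IN_PLACE = ("-b", "-B")
COPY_STYLE_ONLY = ("-L", "-i")                           # modifiers for copy-style runs
OTHER = ("-S", "-t", "-T", "-u", "-U", "-A")
DOCUMENTED = set(COPY_STYLE + IN_PLACE + COPY_STYLE_ONLY + OTHER)
EXCLUSIVE = (("-b", "-B"), ("-f", "-F"), ("-h", "-H"), ("-t", "-T"), ("-u", "-U"))


def review_compact(command):
    """Classify a 'Load compact' command (hypothetical helper) and collect notes.

    Returns a dict with the database path, the options found, the -S percent,
    the compacting style the options select, and a list of review notes.
    """
    tokens = command.split()
    if [t.lower() for t in tokens[:2]] != ["load", "compact"]:
        raise ValueError("expected a command starting with 'Load compact'")

    path, percent, options, notes = None, None, [], []
    rest = tokens[2:]
    i = 0
    while i < len(rest):
        tok = rest[i]
        i += 1
        if not tok.startswith("-"):
            if path is None:
                path = tok
            else:
                notes.append(f"unexpected extra argument {tok!r}")
            continue
        options.append(tok)
        if tok not in DOCUMENTED:
            notes.append(f"{tok} is not in the option tables on this page")
        elif tok == "-S":
            # -S takes the unused-space percentage as its next argument.
            if i < len(rest) and rest[i].isdigit() and int(rest[i]) <= 100:
                percent = int(rest[i])
                i += 1
            else:
                notes.append("-S needs a percent value from 0 to 100")

    present = set(options)
    copy = [o for o in COPY_STYLE if o in present]
    in_place = [o for o in IN_PLACE if o in present]
    if copy and in_place:
        style = "conflict"
        notes.append(f"{in_place[0]} asks for in-place compacting "
                     f"but {copy[0]} does copy-style compacting")
    elif copy:
        style = "copy-style"
    elif in_place:
        style = "in-place"
    else:
        style = "unspecified"

    for a, b in EXCLUSIVE:
        if a in present and b in present:
            notes.append(f"{a} and {b} contradict each other")
    for o in COPY_STYLE_ONLY:
        if o in present and not copy:
            notes.append(f"{o} only applies to copy-style compacting; "
                         "no copy-style option is present")
    if "-B" in present:
        notes.append("-B: if transaction logging is in use, "
                     "do a full database backup after compacting")
    if "-L" in present:
        notes.append("-L: compacting is canceled if a user edits the database")
    if "-i" in present:
        notes.append("-i: compacting continues past errors such as document corruption")
    return {"path": path, "options": options, "percent": percent,
            "style": style, "notes": notes}


if __name__ == "__main__":
    # Constructed sample commands.
    for cmd in (r"Load compact SALES\USER1.NSF -c -i",
                "Load compact SALES -B -L",
                "Load compact SALES.NSF,DEV.NSF -S 10"):
        result = review_compact(cmd)
        print(cmd, "->", result["style"])
        for note in result["notes"]:
            print("   ", note)
```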
6. Click Save and Close. For more information on the available command-line options, see the topic Compact options earlier in this chapter.
documents to it if the database contains unused space, that is, space that remains from deleted data. In conjunction with setting a quota, you can specify that when a database reaches a certain size threshold, this warning message appears in the Miscellaneous Events view of the log file: "Warning, database has exceeded its size warning threshold." For example, if the quota is 50MB, you might specify that the warning appear when the database size reaches 45MB so you can take steps to reduce the size of the database or move it to a server that has more disk space available.
Note: You can set quotas on user mail files, but, by default, when a mail file exceeds its quota, the Router continues to deliver mail to it, and users can update existing mail views. This ensures that users can continue to receive and read all mail sent to them. The quota is enforced only for other means of increasing the size of the mail file; for example, when a mail file reaches its quota, users can't manually add documents or views to it. However, you can customize routing to strictly enforce quotas on mail files. For more information on customizing mail, see the chapter "Customizing the Domino Mail System."
Create an archive settings document Document archiving tool in the Database Properties box Remove documents not modified in the last x days replication setting Agents
* Deletion stubs are markers that remain from deleted documents so that the documents are deleted in other replicas of the database.
In addition to these methods, you can also create an API program that deletes documents. For information on the "Remove documents not modified in the last x days" setting, see the chapter "Creating Replicas and Scheduling Replication."
6. If the database has replicas, replicate the active database when database use is light so that you minimize user interruptions.
7. Limit access to the archive database. Assign Manager access in the database ACL to one or two users and replicating servers. Assign Reader access in the database ACL to everyone else. By doing this, you ensure that view indexes and full-text search indexes update only when archiving occurs.
Which document(s) should it act on? | All documents in the database
 | Add Action: @Function formula
 | Search for documents created more than 60 days ago
What should this agent run? | Simple action: Copy to Database ARCHIVE.NSF
 | Simple action: Delete from Database

An agent that archives documents according to field status
These selections create an agent that weekly copies all documents with a Status field set to Closed from the active database to an archive database with the file name ARCHIVE.NSF. Then the agent deletes the archived documents from the active database.
When should this agent run? | On Schedule Weekly
Which document(s) should it act on? | All documents in the database
 | Condition: by Field
 | Search for documents where field Status contains Closed
What should this agent do? | Add Action: Copy to Database ARCHIVE.NSF
 | Add Action: Delete from Database
1. Open the database and choose File - Database - Properties.
2. Click the Advanced tab.
3. Select "Allow more fields in database."
NSF_Buffer_Pool_Size
Description When set to 1, disables the database cache on the server. Specifies the maximum number of databases allowed in the database cache at one time.
Num_Compact_Rename_Retries The number of times to try renaming a copy-style compacted database. The default value is 0.
Server.Load
Server.Load is a capacity-planning tool that you use to run tests, also called scripts and workloads, against a targeted Domino server to measure server capacity and response metrics. Server.Load supports any platform that is supported by the Domino Administrator client. The client runs the Server.Load tests and generates the transactions that are presented to the server. A typical Server.Load configuration has one or more client systems driving the server under test (SUT). Each client running Server.Load generates a simulated user load of Notes transactions against the SUT, which reports server statistics back to the client. If you configure multiple clients, you set up and run the test from each client system.
You can run built-in scripts, create custom scripts from a library of commands, or submit commands manually. For example, run the built-in R5 Simple Mail Routing script to simulate users on a Notes client reading and sending mail. Or create a custom script to create and open a Notes mail database and populate it with messages. To test or execute individual commands, you can use the manual command line mode to delete documents from a database or issue remote server commands. Using Server.Load, you have real-time control of the test environment and variables. Prior to running a test, you can change test parameters, stop conditions, and existing script variables. You can also monitor real-time server metrics. While the script is running, the Metrics window displays an immediate characterization of server performance by updating metrics on a per-minute basis.
R5 IMAP Workload
R5 Shared Database
Custom scripts
You can use the Server.Load command language to build a script from scratch, copy a built-in script and modify it, or use a sample script. Then by modifying only test parameters and script variables, you can further customize the script without changing the actual script code. Script variables are environmental values that are referenced through the NOTES.INI file. Test parameters control the number and creation of simulated users, or threads; the number of times the test runs for each user; and the test duration. If you create a script from scratch, you can test each line of code by entering it in the command line. In addition, using the command line, you can issue remote server console commands.
NotesBench
A related performance tool, NotesBench is a collection of benchmarks, or workloads, for evaluating the performance of Domino servers. To learn more about NotesBench, go to http://www.notesbench.org.
4. Simulate the behavior of actual users by providing pauses between commands in your script. Use the built-in scripts as a reference point.
5. Be aware of both ramp-up and steady state. Ramp-up state occurs after all threads run at least one iteration of the script. Steady state represents the server's true, sustainable performance with reproducible results. Steady state occurs when the number of Notes users on the server is equal to the total simulated users across all clients.
Server.Load agents
Server.Load includes a set of agents in the file NAMAGENT.NSF, which is initially installed in the data directory on the Domino Administrator client. The first agent in this list, Create NotesBench Mail Person Documents, is used to set up Person documents for the workloads and set the HTTP password. The rest of the agents are used to repair and change the workload setup. To use the agents, you must use Domino Designer to add them to the Domino Directory on the SUT.
Create NotesBench Mail Person Documents
Refresh All Documents
Set HTTPPassword to NotesBench
Set Message Storage Format = MIME
Set Message Storage Format = No Preference
Set Message Storage Format = Notes
Update ACL of MailDBs to include Owner (mail1, mail2, ...)
Prompt | Default
Mail domain | Default is read from the server's mail domain
Mail server directory is on | Name of the server that stores the Domino Directory
Message storage format | 2 (MIME)
Mail system | 1 (NOTES)
Internet host name | Host name of the server that stores the Domino Directory
Script Loop Count: Enter the number of times the script runs per simulated user. Default is 1. To calculate total iterations, multiply Script Loop Count by Max. No. of Users. Note: For long-duration tests, enter a large value, and specify No Time Limit in the Test Time Parameter field. If a test uses the ScriptIterationLimit script variable, set both the variable and the Script Loop Count to the same value.
Thread Creation Interval (sec): Enter the rate, in seconds, at which simulated users are created. Default is 1. To calculate total ramp-up time, multiply Thread Creation Interval by Max. No. of Users.
Enter the thread number that will start the test. Default is 1. Note: If you use multiple clients in a test, you must stagger the starting thread number, for example, client 1 starts at thread 1; client 2 starts at thread 101, and so on.
Choose one:
No time limit (default): To run the test indefinitely.
Run between two time periods: To run the test between Start and Stop times that you enter in standard format (1:00 PM) or military format (13:00).
Specify Total Test Time: To run the test for a specific number of minutes.
Build Recipient List using Name and Address Book: Click Browse and select the Domino Directory or Personal Address Book to use when building a list of recipients of the test results.
Storage test output to: Click Browse to choose the location to store test output.
Server.Load metrics
As you run a test, you can view various script metrics and server statistic metrics and optionally store the test output in a separate file. Server statistic metrics are generated by the Domino server. Script metrics correspond to Server.Load command names and display the performance of particular commands. For example, if you select the Add metric, the Metrics window displays the results of the Add command. For more information on script commands, see the appendix Server.Load Command Language. Note If the server runs Windows, you can also use the Windows Performance Monitor to measure performance.
Database statistics
Statistic | Description
Database.BufferPool.Reads | Number of database buffer pool reads.
Database.BufferPool.Used | Number of bytes allocated in the buffer control pool.
Database.BufferPool.Writes | Number of database buffer pool writes.
Database.DbCache.CurrentEntries | Number of entries in the database cache.
Database.DbCache.HighWaterMark | High water mark of the database cache.
Database.DbCache.Hits | Number of hits to the database cache.
Database.DbCache.InitialDbOpens | Number of database opens done by the database cache.
Database.NIFPool.Used | Number of database NIF pools
System statistics
Statistic | Description
Disc.c.Free (bytes) | Free disk space in bytes on drive n. When disk space is low, compact, delete, or move databases. If problem persists, consider a larger hard disk.
Disc.c.Size (bytes) | Total size in bytes of drive n.
Server.Trans.PerMinute | Number of transactions that took place in the last minute. Useful to monitor server use. If this number is consistently higher than that of other servers and performance is a problem, redistribute the server load to other servers.
Server.Users | Number of users with sessions open on the server. Useful to monitor overall server use. If this number is consistently higher than that of other servers and performance is a problem, redistribute the server load to other servers.
Mail statistics
Statistic | Description
Mail.AverageDeliverTime | Average delivery time of messages in seconds
Mail.AverageServerHops | Average number of server hops for a delivered message.
Mail.AverageSizeDelivered | Average size of message delivered, in K.
Mail.Dead | Number of undeliverable messages in MAIL.BOX. Useful for detecting problems with the Router. Check the server MAIL.BOX to view the dead mail messages and determine the problem.
 | Number of messages received by the Router.
 | Slowest delivery time of messages in seconds.
 | Least number of server hops for a delivered message.
 | Slowest delivery time of messages in seconds.
 | Most number of server hops for a delivered message.
 | Total number of mail failures.
 | Total number of recipients that mail has routed to since the server started.
 | Number of outgoing mail messages waiting to be either delivered locally or transferred in MAIL.BOX. Useful for detecting problems with the mail Router.
Mail.WaitingRecipients | Number of recipients awaiting either local delivery or transfer.
Network statistics
Statistic | Description
NET.TCPIP.BytesReceived | Amount of data received from client to server using TCP/IP protocol.
NET.TCPIP.BytesSent | Amount of data sent from client to server using TCP/IP protocol.
NET.TCPIP.Sessions.Established.Incoming | Incoming sessions from client to server using TCP/IP protocol.
Per Minute Thread Statistics
These statistics are automatically provided and collected for every test.
Statistic | Description
Avg. Trans (Per Thread) | The average number of transactions per thread.
Min. Trans (Per Thread) | The minimum number of transactions per thread.
Max. Trans (Per Thread) | The maximum number of transactions per thread.
Total Trans (All Threads) | The total number of transactions per thread.
Running Threads | The total number of all threads currently running.
Agg. Replications | The aggregate number of replications that occurred.
Avg. Rsp. Time (ms) | The average NRPC response time. This is the average response across all threads and is the best overall value to track general server response curves. Note: This value is not applicable to the Web Mail script.
 | The total running time.
6. (Optional) Select metrics to monitor. For more information, see the topic "Monitoring Server.Load metrics" earlier in this chapter.
7. (Optional) In the "Server to receive console commands" field, enter the name of the SUT.
8. Click Start Test.
To set up a SUT
1. Make sure that:
   The Domino server is installed and operational
   The server has adequate RAM, approximately 512KB per simulated user (thread) across all clients used in the test
2. Make sure that you have Administrator access, Create database access, and access to run unrestricted LotusScript and Java agents.
3. Make sure that the Server, Replicator, Router, and Update tasks are running on the Domino server. Run additional tasks as required for individual tests.
4. Enable performance monitoring on the Domino server by issuing the Show Perf command.
5. Use Domino Designer to copy the file NAMAGENT.NSF to the Domino Directory. This file contains agents that you use to set up and change workloads.
6. Disable all screen savers.
To set up a client
If you use multiple clients in a test, they all must have the identical hardware setup, and you must complete the following procedure on each.
1. Make sure that:
   The Domino Administration client and Server.Load are installed and operational
   The client has access to the templates to use in the test
   The client has adequate RAM, approximately 512KB per simulated user (thread)
2. Do the following to edit the Location document:
   a. Choose File - Mobile - Edit Current Location.
   b. Click the Mail tab, and complete these fields:
Field | Action
Mail file location | Choose On server
Mailfile | Enter the path to the mail file, for example, mail\mailfile.nsf
   c. Click the Servers tab, and in the home/mail server section, enter the name of the SUT. Note: If you edit the MailServer script variable before you run a test, you change the location of the mail server for only that run. The next time you run Server.Load, the mail server listed in the Location document is used.
   d. Click Save and Close.
3. Make sure that you use a Notes ID that has administration access to the SUT.
4. Do the following to verify the connection to the SUT:
   a. Start the Domino Administration client and verify that the Home/Mail Server field in the Location document contains the fully distinguished SUT name, for example, MailServer1/Acme.
   b. Verify connectivity by running a trace from the client to the server. Select File - Preferences - User Preferences - Ports.
   c. Verify that the correct communication port is enabled, and click Trace.
   d. Enter the name of the SUT in the Destination field and run the trace to verify that the client can use the desired protocol to trace to the server.
Using Server.Load 62-13
   e. If you cannot connect over TCP/IP, verify that TCP/IP has been enabled on the Domino server and that the port is enabled in the Server document.
   f. Verify that the port has been enabled at the operating system level.
   g. Verify that TCP/IP is properly installed and enabled on the client and that you can use the ping utility to access the Domino server by name (for example, acme.iris.com) and by IP address.
5. Disable all screen savers.
5. Click the Test Parameters tab. If you are running the test on multiple clients, increment the value of the Starting Thread No. parameter when you run the test on each client.
6. (Optional) Click the Stop Conditions tab to set a stop condition. For more information, see the topic "Setting a Server.Load stop condition" earlier in this chapter.
7. Click Execute.
8. (Optional) Select metrics to monitor. For more information, see the topic "Monitoring Server.Load metrics" earlier in this chapter.
9. (Optional) In the "Server to receive console commands" field, enter the name of the SUT.
10. Click Start Test.
The resulting capacity metric for an IMAP server is the maximum number of users that can be supported before the average user response time becomes unacceptable. To read the code in the test script, see the appendix Server.Load Scripts.
Hardware considerations
The following hard disk requirements apply to the SUT and, during some tests, to the destination systems that receive mail from the SUT:
Initial Disk Requirement | In Domino 6, approximately 13MB on the SUT for each user (mail database). In Domino 5, approximately 5.5MB.
Subsequent Disk Requirement | Increase of 1MB an hour for the duration of the test. (This figure is not dependent on the number of users.) Increase of 100KB an hour as impacted by the value of the nthIteration setting in the NOTES.INI file. The growth rate of each database is a function of the ratio of the number of users and recipients sending and receiving mail.
2. Use an IMAP client, such as Netscape or Outlook, to verify that the IMAP and SMTP server tasks are set up correctly.
3. To minimize environment troubleshooting, put IP information (for example, host information) in the \etc\hosts file or its equivalent on the SUT and driver directories.
4. From the SUT console, enter this command to display additional routing information:
Set Config Log_MailRouting=40
4. In the Test Type field, choose Built-In, and then choose R5 IMAP Initialization Workload from the list.
5. Click the Script Variables tab, and enter these values:
Variable | Action
MailServer | Enter the canonical name of the mail server, for example, CN=MailServer1/O=Acme.
MailTemplate | Enter the name of the mail file template, for example, MAIL6.NTF.
nb_dbdir | Enter the directory used to store mail files, relative to the data directory.
NormalMessageSize | Enter the size of the body of the message. Recommended value is 10000.
MessageLineSize | Enter the number of characters per line. Recommended value is 80.
RecipientDomain | Enter the name of the domain containing the intended recipients, for example, acme.com.
SMTPHost | Enter the fully qualified domain name of the Domino server that is running the SMTP Listener task, for example, server1.acme.com
 | Enter the fully qualified domain name of the client, for example, client1.acme.com
 | Enter the number of documents to populate the mail file when it is created. Recommended value is 100.
6. Start the IMAP task on the server.
7. In the "Build Recipient List using Name and Address Book" field, enter the name of the SUT and its Domino Directory in the format servername/org!!dominodirectory.NSF, for example, Server1/Acme!!NAMES.NSF.
8. Verify that the client and server experience no errors while creating mail files. If a mail file has not been created, the test script creates the mail file during the first test iteration, but this adds overhead on the server back end. As a rule, CPU on the client and SUT should not exceed 75%, and the percentage of Disk Time on the Domino Server Data directory should not be a factor.
9. Click the Test Parameters tab. If you are running the test on multiple clients, increment the value of the Starting Thread No. parameter when you run the test on each client.
10. (Optional) Click the Stop Conditions tab to set a stop condition. For more information, see the topic "Setting a Server.Load stop condition" earlier in this chapter.
11. Click Execute.
12. (Optional) Select metrics to monitor. For more information, see the topic "Monitoring Server.Load metrics" earlier in this chapter.
13. (Optional) In the "Server to receive console commands" field, enter the name of the SUT.
14. Click Start Test.
15. Verify that the correct number of test mail files were created in the data directory. Each mail file is named MAILn.NSF, where n is a number.
16. Complete the procedure "Running the R5 IMAP Workload test."
4. For optimal performance, create a Configuration Settings document in the Domino Directory and do the following:
   a. Set the "Optimize LDAP queries" field to Yes.
   b. On the Router/SMTP Basics tab, set the "Number of mailboxes" field to 2 or higher.
5. On the Domino Administrator client, start Server.Load by running SLOAD.EXE from the Program directory.
6. In the Test Type field, choose Built-In, and then choose R5 IMAP Workload from the list.
7. In the "Build Recipient List using Name and Address Book" field, enter the name of the SUT and its Domino Directory in the format servername/org!!dominodirectory.NSF, for example, Server1/Acme!!NAMES.NSF.
8. Click the Test Parameters tab, and do the following:
   a. For Thread Creation Interval, enter the rate, in seconds, at which simulated users are created. The recommended value is 3 to 5 seconds.
   b. If you are running the test on multiple clients, increment the value of the Starting Thread No. parameter when you run the test on each client.
9. Click the Script Variables tab, and enter these values:
Variable | Action
R5IMAPBreak | Enter one: 1 To prevent the script from quitting if errors occur; 0 To force the script to quit if errors occur
 | Enter the fully-qualified domain name of the SUT, for example, server1.acme.com
 | Enter the size of the body of the message. Recommended value is 10000.
 | Enter the number of characters per line. Recommended value is 80.
NumMessageRecipients | Enter the number of recipients for each message. Recommended value is 3.
RecipientDomain | Enter the name of the domain containing the intended recipients, for example, acme.com.
SMTPHost | Enter the fully qualified domain name of the Domino server that is running the SMTP Listener task, for example, server1.acme.com
ClientHost | Enter the fully qualified domain name of the client, for example, client1.acme.com
NthIteration | Enter the frequency for how often a message is sent. Instead of the message being sent on every script iteration, the message is sent once per n iterations of the script. Recommended value is 6.
R5IMAP_Loop_N | Enter the number of times the inner loop of the script runs. Recommended value is 35, resulting in approximately an 8-hour duration.
ScriptIterationLimit | Enter the number of times the outer loop of the script runs. Recommended value is 1.
10. (Optional) Click the Stop Conditions tab to set a stop condition. For more information, see the topic "Setting a Server.Load stop condition" earlier in this chapter.
11. Click Execute.
12. (Optional) Select metrics to monitor. For more information, see the topic "Monitoring Server.Load metrics" earlier in this chapter.
13. (Optional) In the "Server to receive console commands" field, enter the name of the SUT.
14. Click Start Test.
Because mail routing and delivery are performed on the SUT, locate the destination addresses and the active users' mail files on the SUT. The measurements obtained by this test are:
Throughput of completed Notes operations
Average response time at maximum capacity
Maximum number of mail users supported
The resulting capacity metric for a mail-only server is the maximum number of users that can be supported before the average user response time becomes unacceptable. To read the code in the test script, see the appendix Server.Load Scripts.
Hardware considerations
The following hard disk requirements apply to the SUT and, during some tests, to the destination systems that receive mail from the SUT:
Initial Disk Requirement | In Domino 6, approximately 13MB for each user (mail database). In Domino 5, approximately 7.5MB.
Subsequent Disk Requirement | Increase of 80KB for each user, per hour
The R5 Simple Mail Routing test requires at least one client and the SUT. If you use multiple client systems, identical hardware configurations are recommended.
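The sizing rules scattered through this chapter (staggered starting thread numbers, ramp-up time, total iterations, 512KB of RAM per thread, and the R5 Simple Mail Routing disk figures above) can be combined into one pre-test check. The following is an added example, not part of the Domino documentation; the function name plan_test and the sample client layout are constructed for illustration.

```python
# Added example: figures below are the ones quoted in this chapter.
KB = 1024
MB = 1024 * KB

RAM_PER_THREAD = 512 * KB                  # "approximately 512KB per simulated user (thread)"
INITIAL_DISK_PER_USER = {                  # R5 Simple Mail Routing, per mail database
    6: 13 * MB,                            # Domino 6: approximately 13MB
    5: 7 * MB + 512 * KB,                  # Domino 5: approximately 7.5MB
}
GROWTH_PER_USER_PER_HOUR = 80 * KB         # "Increase of 80KB for each user, per hour"


def plan_test(users_per_client, thread_interval_s, loop_count, test_hours, release=6):
    """Plan a multi-client R5 Simple Mail Routing run (hypothetical helper).

    users_per_client  -- Max. No. of Users for each client, in client order
    thread_interval_s -- Thread Creation Interval (sec)
    loop_count        -- Script Loop Count
    test_hours        -- planned test duration in hours
    release           -- Domino release on the SUT (5 or 6)
    Returns (clients, sut): per-client settings and SUT totals, sizes in bytes.
    """
    if not users_per_client or min(users_per_client) < 1:
        raise ValueError("each client needs at least one simulated user")
    if release not in INITIAL_DISK_PER_USER:
        raise ValueError("disk figures on this page cover Domino 5 and 6 only")

    clients = []
    next_thread = 1
    for number, users in enumerate(users_per_client, start=1):
        clients.append({
            "client": number,
            # Stagger threads so no two clients simulate the same user.
            "starting_thread": next_thread,
            "last_thread": next_thread + users - 1,
            # Ramp-up time = Thread Creation Interval x Max. No. of Users.
            "ramp_up_s": thread_interval_s * users,
            # Total iterations = Script Loop Count x Max. No. of Users.
            "iterations": loop_count * users,
            "ram_bytes": RAM_PER_THREAD * users,
        })
        next_thread += users

    total_users = next_thread - 1
    sut = {
        "total_users": total_users,
        # The SUT needs the per-thread RAM for threads across all clients.
        "ram_bytes": RAM_PER_THREAD * total_users,
        "initial_disk_bytes": INITIAL_DISK_PER_USER[release] * total_users,
        "growth_bytes": GROWTH_PER_USER_PER_HOUR * total_users * test_hours,
    }
    return clients, sut


if __name__ == "__main__":
    # Constructed layout: three clients driving 250 simulated users for 8 hours.
    clients, sut = plan_test([100, 100, 50], thread_interval_s=3,
                             loop_count=1, test_hours=8)
    for c in clients:
        print(f"client {c['client']}: Starting Thread No. {c['starting_thread']}, "
              f"ramp-up {c['ramp_up_s']}s, RAM {c['ram_bytes'] // MB}MB")
    disk = sut["initial_disk_bytes"] + sut["growth_bytes"]
    print(f"SUT: {sut['total_users']} users, RAM {sut['ram_bytes'] // MB}MB, "
          f"disk {disk / MB:.2f}MB")
```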
4. In the Test Type field, choose Built-In, and then choose R5 NRPC Mail Initialization Workload from the list.
5. Click the Test Parameters tab, and do the following:
   a. For Thread Creation Interval, enter the rate, in seconds, at which simulated users are created. The recommended value is 3 to 5 seconds.
   b. If you are running the test on multiple clients, increment the value of the Starting Thread No. parameter when you run the test on each client.
6. Click the Script Variables tab, and enter these values:
Variable | Action
MailServer | Enter the canonical name of the mail server, for example, CN=MailServer1/O=Acme.
nb_dbdir | Enter a database directory relative to the Notes data directory. Recommended value is mail\.
MailTemplate | Enter the name of the mail file template.
NumMailNotesPerUser | Number of notes used to populate the mail file when the mail file is created (recommended value 100)
NormalMessageSize | Enter the size of the body of the message. Recommended value is 10000.
7. In the "Build Recipient List using Name and Address Book" field, enter the name of the SUT and its Domino Directory in the format servername/org!!dominodirectory.NSF, for example, Server1/Acme!!NAMES.NSF.
8. Verify that no errors occur while creating mail files on the client and SUT. If a mail file is not created, the test script creates the mail file during the first test iteration, a process that adds overhead on the server back end. As a rule, CPU on the client and SUT should not exceed 75%, and the percentage of disk time on the server's data directory should not be a factor.
9. (Optional) Click the Stop Conditions tab to set a stop condition. For more information, see the topic "Setting a Server.Load stop condition" earlier in this chapter.
10. Click Execute.
11. (Optional) Select metrics to monitor. For more information, see the topic "Monitoring Server.Load metrics" earlier in this chapter.
12. (Optional) In the "Server to receive console commands" field, enter the name of the SUT.
13. Click Start Test.
14. Verify that the correct number of test mail files were created in the data directory. Each mail file is named MAILn.NSF, where n is a number.
15. Complete the procedure "Running the R5 Simple Mail Routing test."
Variable | Action
 | Enter the canonical name of the mail server, for example, CN=MailServer1/O=Acme.
 | Enter a database directory relative to the Notes data directory. Recommended value is mail\.
 | Enter the name of the mail file template.
 | Enter one to control how to handle existing documents at the start of the test: 1 To delete existing documents; 0 To ignore existing documents. Note: The number of documents deleted is dependent on the value set for the variable MaxDocToDelete.
MaxDocToDelete | Enter the number of documents to delete when the test starts. After deleting documents, the initial document count is reset.
NumMailNotesPerUser | Number of notes used to populate the mail file when the mail file is created (recommended value 100)
NormalMessageSize | Enter the size of the body of the message. Recommended value is 10000.
NumMessageRecipients | Enter the number of recipients for each message. Recommended value is 3.
NthIteration | Enter the frequency for how often a message is sent. Instead of the message being sent on every script iteration, the message is sent once per n iterations of the script. Recommended value is 6.
ScriptIterationLimit | Enter the number of times the outer loop of the test script runs. Recommended value is 1. This value must match the value in the Script Loop Count field on the Test Parameters tab.
6. (Optional) Click the Stop Conditions tab to set a stop condition. For more information, see the topic "Setting a Server.Load stop condition" earlier in this chapter.
7. Click Execute.
8. (Optional) Select metrics to monitor. For more information, see the topic "Monitoring Server.Load metrics" earlier in this chapter.
9. (Optional) In the "Server to receive console commands" field, enter the name of the SUT.
10. Click Start Test.
To read the code in the test script, see the appendix Server.Load Scripts.
Hardware considerations
The following hard disk requirements apply to the SUT and, during some tests, to the destination systems that receive mail from the SUT.
Initial disk requirement | 300MB to 400MB free space on the SUT
Subsequent disk requirement | One-half of the mail test space requirement
Variable | Action
 | Enter the canonical name of the mail server, for example, CN=MailServer1/O=Acme
 | Enter the name of the test discussion database
 | Enter the name of the template used for the discussion database
 | Enter one to control how to handle existing documents at the start of the test: 1 To delete existing documents; 0 To ignore existing documents. Note: The number of documents deleted is dependent on the value set for the variable MaxDocToDelete.
MaxDocToDelete | Enter the number of documents to delete when the test starts. After deleting documents, the initial document count is reset.
 | Enter the number of documents to create for each user to populate the database initially.
 | Enter the number of documents to add for each user.
6. (Optional) Click the Stop Conditions tab to set a stop condition. For more information, see the topic "Setting a Server.Load stop condition" earlier in this chapter.
7. Click Execute.
8. (Optional) Select metrics to monitor. For more information, see the topic "Monitoring Server.Load metrics" earlier in this chapter.
9. (Optional) In the "Server to receive console commands" field, enter the name of the SUT.
10. Click Start Test.
The resulting capacity metric for an SMTP/POP3 server is the maximum number of users that can be supported before the average user response time becomes unacceptable. To read the code in the test script, see the appendix Server.Load Scripts.
Hardware considerations
The following hard disk requirements apply to the SUT and, during some tests, to the destination systems that receive mail from the SUT:
Initial disk requirement: In Domino 6, approximately 11.5MB on the SUT for each user (mail database). In Domino 5, approximately 7.5MB.
Subsequent disk requirement: Increase of 100KB per hour for the duration of the test. This figure is not dependent on the number of users.
3. On the Domino Administrator client, start Server.Load by running SLOAD.EXE from the Program directory.
4. In the Test Type field, choose Built-In, and then choose SMTP and POP3 Initialization Workload from the list.

6. Click the Test Parameters tab. If you are running the test on multiple clients, increment the value of the Starting Thread No. parameter when you run the test on each client.
7. (Optional) Click the Stop Conditions tab to set a stop condition. For more information, see the topic "Setting a Server.Load stop condition" earlier in this chapter.
8. Click Execute.
9. (Optional) Select metrics to monitor. For more information, see the topic "Monitoring Server.Load metrics" earlier in this chapter.
10. (Optional) In the "Server to receive console commands" field, enter the name of the SUT.
11. Click Start Test.
12. Verify that the correct number of test mail files were created in the data directory. Each mail file is named MAILn.NSF, where n is a number.
13. Complete the procedure "Running the SMTP and POP3 Workload test."

5. Click the Test Parameters tab. If you are running the test on multiple clients, increment the value of the Starting Thread No. parameter when you run the test on each client.
6. Click the Script Variables tab, and enter these values:
Variable: Action
NormalMessageSize: Enter the size of the body of the message. Recommended value is 10000.
MessageLineSize: Enter the number of characters per line. Recommended value is 80.
NumMessageRecipients: Enter the number of recipients for each message. Recommended value is 3.
SMTPHost: Enter the fully qualified domain name of the Domino server that is running the SMTP Listener task, for example, server1.acme.com.
Enter the name of the domain containing the intended recipients, for example, acme.com.
Enter the fully qualified domain name of the client, for example, client1.acme.com.
Enter the frequency for how often a message is sent. Instead of the message being sent on every script iteration, the message is sent once per n iterations of the script. Recommended value is 6.
POP3Host: Enter the fully qualified domain name of the Domino server running the POP3 task, in the format system.domainname, for example, Server2.acme.com.
7. (Optional) Click the Stop Conditions tab to set a stop condition. For more information, see the topic "Setting a Server.Load stop condition" earlier in this chapter.
8. Click Execute.
9. (Optional) Select metrics to monitor. For more information, see the topic "Monitoring Server.Load metrics" earlier in this chapter.
10. (Optional) In the "Server to receive console commands" field, enter the name of the SUT.
11. Click Start Test.
The resulting capacity metric for a Web Idle server is the maximum number of users that can be supported before the average user response time becomes unacceptable. To read the code in the test script, see the appendix Server.Load Scripts.
The resulting capacity metric for a Web Mail server is the maximum number of users that can be supported before the average user response time becomes unacceptable. To read the code in the test script, see the appendix Server.Load Scripts.
Hardware considerations
The following hard disk requirements apply to the SUT and, during some tests, to the destination systems that receive mail from the SUT:
Initial Disk Requirement: In Domino 6, approximately 13MB on the SUT for each user (mail database). In Domino 5, approximately 5.5MB.
Subsequent Disk Requirement: Increase of 1MB an hour for the duration of the test. (This figure is not dependent on the number of users.) Increase of 100KB an hour as impacted by the value of the nthIteration setting in the NOTES.INI file. The growth rate of each database is a function of the ratio of the number of users and recipients sending and receiving mail.
2. If authentication errors occur on the Domino server console, verify the password in the HTTP field of the respective user's Person document in the SUT's Domino Directory; edit the Domino Directory if necessary.
3. From the SUT console, enter this command to display additional routing information:
Set Config Log_MailRouting=40
4. Check the database properties for the mail database:
Web access: Use JavaScript when generating pages: Must be checked.
Allow soft deletions: Must not be checked.
5. In the Server document on the Internet Protocols - HTTP tab, complete these fields:
Field: Action
Optimize performance based on the following primary activity: Choose Advanced (Custom Settings) to view and modify the number of HTTP threads.
Number Active Threads: Specify one active thread for every 10 Web Mail users.
6. Make sure that the administrator has Manager access to the Domino Directory.
7. Authentication: By default, WebMail assumes user authentication is required.
For authenticated users, Anonymous must have No Access and -Default- must have Manager access. Use the WebAuthenticationOff=0 setting in the client's NOTES.INI file.
To run WebMail without authentication, Anonymous must have Manager access in the ACL of all mail databases and the Domino Directory. Use the WebAuthenticationOff=0 setting in the client's NOTES.INI file.
To run Web Mail with authentication, use the WebAuthenticationOff=0 setting in the NOTES.INI file and run the Update ACL of MailDBs to include Owner (mail1, mail2, ...) agent on the SUT.
3. On the Domino Administrator client, start Server.Load by running SLOAD.EXE from the Program directory.
4. In the Test Type field, choose Built-In, and then choose Web Mail Initialization Workload from the list.
5. Click the Script Variables tab, and enter these values:
Variable: Action
NBTestReset: Enter one to control how to handle existing documents at the start of the test:
1 To delete existing documents
0 To ignore existing documents
Note The number of documents deleted is dependent on the value set for the variable MaxDocToDelete.
Enter the canonical name of the mail server, for example, CN=MailServer1/O=Acme.
Enter the TCP/IP address or host name of the Domino Web server.
Enter a database directory relative to the Notes data directory. Recommended value is mail\.
Enter the name of the mail file template.
Enter the size of the body of the message. Recommended value is 10000.
NumMailNotesPerUser: Enter the number of documents to populate the mail file when it is created. Recommended value is 100.
Domain: Enter the name of the Notes mail domain.
6. Verify that the client and server experience no errors while creating mail files. If a mail file has not been created, the test script creates the mail file during the first test iteration, but this adds overhead on the server back end. As a rule, CPU on the client and SUT should not exceed 75%, and the percentage of Disk Time on the Domino Server Data directory should not be a factor.
7. Click the Test Parameters tab. If you are running the test on multiple clients, increment the value of the Starting Thread No. parameter when you run the test on each client.
8. Set a Server.Load stop condition. For more information, see the topic "Setting a Server.Load stop condition" earlier in this chapter.
9. Click Execute.
10. (Optional) Select metrics to monitor. For more information, see the topic "Monitoring Server.Load metrics" earlier in this chapter.
11. (Optional) In the "Server to receive console commands" field, enter the name of the SUT.
12. Click Start Test.
13. Verify that the correct number of test mail files were created in the data directory. Each mail file is named MAILn.NSF, where n is a number.
14. Complete the procedure "Running the Web Mail test."

3. On the Domino Administrator client, start Server.Load by running SLOAD.EXE from the Program directory.
4. In the Test Type field, choose Built-In, and then choose Web Mail Initialization Workload from the list.
5. Click the Script Variables tab, and enter these values:
Variable: Action
HTTPHost: Enter the TCP/IP address or host name of the Domino Web server.
nb_dbdir: Enter a database directory relative to the Notes data directory. Recommended value is mail\.
WebPreferencesOff: Make sure this is set to Off. If it's On, the script sets the mail database to be its own owner.
6. Click the Test Parameters tab. If you are running the test on multiple clients, increment the value of the Starting Thread No. parameter when you run the test on each client.
7. (Optional) Click the Stop Conditions tab to set a stop condition. For more information, see the topic "Setting a Server.Load stop condition" earlier in this chapter.
8. Click Execute.
9. (Optional) Select metrics to monitor. For more information, see the topic "Monitoring Server.Load metrics" earlier in this chapter.
10. (Optional) In the "Server to receive console commands" field, enter the name of the SUT.
11. Click Start Test.
Chapter 63 Troubleshooting
Even with careful server maintenance, you may occasionally encounter unexpected system problems. This chapter provides a server maintenance checklist, describes troubleshooting techniques, and offers suggestions for solving common problems. For information on performance-related issues, see the chapter Improving Server Performance.
Passthru connections
Platform statistics
Replication
Server access
Server-based certification authority
Server crashes
Server.Load
Transaction logging
Web Server, Web Navigator, and the Web Administrator
Troubleshooting tools
Domino provides several tools to help you troubleshoot problems. Most of the tools are available through the Domino Administrator. The table below summarizes the available tools and indicates how each is useful. If you haven't solved your problem after reading through the section that applies to the problem, you may want to search the Lotus Support Services Web site or call Lotus Support Services directly for help with troubleshooting your problem.
Tool | Problems that the tool resolves | How to access the tool
Server log file (LOG.NSF) | All problems | From the Server - Analysis tab in the Domino Administrator
Domino Web server log file (DOMLOG.NSF) | Web server problems | From the Server - Analysis tab in the Domino Administrator
Server's MAIL.BOX | Mail routing problems | From the Messaging - Mail tab in the Domino Administrator
Mail trace | Mail routing problems | From the Messaging - Mail tab in the Domino Administrator
ISpy | Slow mail; server problems | Configured in the Monitoring Configuration database on the Configuration tab in the Domino Administrator
Mail reports | Mail user activity | From the Messaging - Mail tab in the Domino Administrator
How to access the tool From the Messaging - Tracking Center tab in the Domino Administrator From the Messaging - Mail tab in the Domino Administrator From the Messaging - Mail tab in the Domino Administrator From the Messaging - Mail tab in the Domino Administrator From the Messaging - Mail tab in the Domino Administrator In User Preferences. Choose File - Preferences - User Preferences Server console on a server with the setting Log_Connections=1 added to its NOTES.INI file
Mail routing status Undelivered mail Mail routing topology maps Mail routing problems between servers
Mail routing events Undelivered mail view in the log file (LOG.NSF) Shared Mail view in the log file (LOG.NSF) Network trace Disk space usage
Connection problems
TCP/IP connection Connection problems logging Replication events in the log file (LOG.NSF)
Replication problems for From the Replication tab in the a particular server Domino Administrator Under Database Properties. Choose File - Database Properties; or choose File Replication - History
Replication problems for From the Replication tab in the a particular server Domino Administrator Replication problems between servers Server statistics and events you specifically monitor From the Replication tab in the Domino Administrator Configured from the Configuration tab of the Domino Administrator; view statistics from the Server Analysis tab in the Domino Administrator From the Files tab in the Domino Administrator From the Servers - Analysis tab in the Domino Administrator From the Servers - Status tab in the Domino Administrator
Required information about your system:
Network operating system(s) and version(s), protocols, and network driver version(s)
Network interface card(s)
Domino server names
File names, replica IDs, and ACLs for all databases involved
Number of users who are affected by the problem, that is, one user, several users, or all users
Number of servers that are affected by the problem, that is, one server, several servers, or all servers
Changes to the configuration that were made before the problem occurred, for example, network, hardware, or NOTES.INI changes
Error message(s), including the exact text of the message(s)
Task Monitor Web server requests Monitor server first domino servers
* If the database is in Domino 5 or later format and you are not using transaction logging, you can use the Fixup task to repair the corrupted database. If the database is in Domino 5 or later format and you are using transaction logging, you cannot run the Fixup task on that database, because the Fixup task interferes with the way transaction logging keeps track of databases. Instead, you must restore the corrupted database from a backup. You can run the Fixup task on databases that are in Domino 4.x and earlier format.
4. If your system uses a shared mail database, back up the shared mail database(s) along with user mail files.
You can also search for solutions to common problems on the Lotus Support Services Web site at www.lotus.com/support.
No Address book is present on this server; the Admin Process cannot continue without one.
This message appears if you start the Administration Process on a server that doesn't store a replica of the Domino Directory. Create a replica of the Domino Directory on the server, and then start the Administration Process again.

Removing viewname view notes in the Address Book.
This message appears when the Administration Process deletes obsolete monitoring configuration documents from the Domino Directory. This is a status message; no action is required.

Reporter: Could not locate view viewname.
This message appears when the Administration Process can't find obsolete monitoring documents in the Domino Directory. This is a status message; no action is required.

The Administration Process cannot delete the database databasename at this time because it is in use by someone else; will try again at time.
This message appears as the result of a Delete Unlinked Mail File request. The message indicates that the Administration Process is retrying a request to delete a mail file that was initially unavailable because someone was accessing it. This is a status message; no action is required.

The Administration Process could not change or delete the name from the document because another process was modifying it.
This message indicates that, in processing separate delete or rename requests, two threads of the Administration Process attempted to modify the same document in a database. As a result, only one request was processed, and the Administration Process is retrying the other. This is a status message; no action is required.

The Administration Process does not have enough memory to compute the formulas required for request processing.
This message indicates that there is currently inadequate memory for the Administration Process. To correct this, restart the server.
The Administration Process is retrying a name change or deletion from the document.
This message appears as the result of a rename or delete request. It indicates that the Administration Process is retrying a request to rename or delete a name from a document that was initially unavailable because someone was accessing the document. This is a status message; no action is required.

The certificate contained in the note was not issued by the selected certifier.
This message appears if you choose Actions - Recertify Person or Actions - Recertify Server but you don't select the original certifier. If you don't specify the original certifier when you choose this action, you can submit the request, but it isn't posted in the Administration Requests database. To correct this, choose the action again, and select the original certifier.

The replica of the database moved by the Administration Process has not been initialized by the replicator.
This message appears as the result of a Monitor Moved Replica request. It indicates that the Administration Process is waiting for the replicator to initialize the replica at its new location before it deletes the original. This is a status message; no action is required.

The selected certifier isn't an ancestor of the entity to be updated.
This message appears if you attempt to choose Actions - Request Move to new Certifier to move a person to a different hierarchy, but you don't select the original certifier. If you don't specify the original certifier, you can submit the request, but it isn't posted in the Administration Requests database. To correct this, choose Request Move to New Certifier again, and select the original certifier.

The selected certifier isn't the target certifier in the move request.
This message appears if you choose Actions - Complete move for selected entries to attempt to complete moving user names to a different hierarchy and the target certifier isn't the one you specified when you originally chose Actions - Rename Person - Request Move to New Certifier. If the target certifier you specified when completing the move is wrong, select the user names in the Name Move Requests view of the Administration Requests database, choose Actions - Complete move for selected entries again, and specify the correct target certifier. If you specified the wrong target certifier when you originally chose Actions - Request Move to New Certifier, repeat the action, and specify the correct target certifier.
e. Each request in the Administration Requests database should have a corresponding response document that shows that the Administration Process has completed the request. Correct any errors indicated by a response document.
f. The Certifier documents must have the correct public key; the public key must match the key in each CERT.ID.
For more information about correcting errors in the Administration Requests database, or for any other information regarding the administration process, see the chapter "Setting Up the Administration Process."
You can also search for solutions to common problems on the Lotus Support Services Web site at www.lotus.com/support.
For information on these commands, see the appendix "Server Commands."

Log file
To enable agent logging in the log file (LOG.NSF), edit the NOTES.INI file to include the Log_AgentManager setting, which specifies whether or not the start of agent execution is recorded in the log file and displayed on the server console. It's important to monitor the server console or log for information from the Agent Manager because error and warning messages generated by the Agent Manager on behalf of the agent, as well as output (for example, print statements) generated by a background agent, appear on the console and in the Miscellaneous events view of the log (LOG.NSF). For more information on the Log_AgentManager setting, see the appendix "NOTES.INI File."

The Agent Log
The Agent Log is a view in a database that shows the last time an agent ran and describes if the agent completed or not.
1. In the database, choose View - Agents.
2. In the Design view that lists all the agents, choose the agent.
3. Choose Agent - Log.
For more information on the Agent Log, see the book Application Development with Domino Designer.

Agent Manager isn't working as expected
The Agent Manager may not work, or may not work efficiently.
1. The Agent Manager may not be scheduled to run. If the Agent Manager isn't running, check the Start time/End time fields on the Server Tasks - Agent Manager tab in the Server document. Any time not specified in these fields represents downtime. If necessary, adjust the times in these settings.
2. The demand for the Agent Manager may be too high. If the Agent Manager takes too long to run agents, reschedule agents to run at night when system demand is usually low. If the server runs Domino 4.6 or earlier, you can increase the "Max % busy before delay" field in the Server document. Domino 5 and higher does not support this field.
Note If you allocate more resources to the Agent Manager, fewer will be available to run other server tasks.
An agent isn't running as expected
In addition to the possibility that there are errors in the agent code, an agent may fail to run properly because the agent has insufficient access or because the agent is not set to run on the given server.
1. Insufficient access in the database ACL can prevent an agent from running properly. For example, a user may design an agent that copies selected documents from database A to database B. If the user, and by extension the agent, doesn't have Author access in the ACL of database B, the agent runs, but it is not allowed to copy the documents. To determine if this problem exists, examine the Agent Log for access errors after the agent runs unsuccessfully.
2. If an agent won't run on a particular server, check the Agent Restrictions on the Security tab of the Server document. This section contains the "Run personal agents," "Run restricted LotusScript/Java agents," and "Run unrestricted LotusScript/Java agents" fields that specify who has access to run agents on the server. Although a user who has the appropriate access in the database ACL may be able to create an agent on the server, without the appropriate access in the Server document, the user can't run the agent. You should also check the Server Access section on the Security tab of the Server document. This section contains the "Only allow server access to users listed in this Directory," "Access server," and "Not access server" fields, which allow and deny access to the server. Because an agent inherits the access privileges of the person who creates it, the agent can't run on a server for which its creator does not have access.
3. Scheduling conflicts may prevent an agent from running. In the Server document, click the Server Tasks - Agent Manager tab and check the Daytime Parameters Start time/End time and Nighttime Parameters Start time/End time fields. Any time not specified in these fields represents downtime; if a user creates a scheduled agent and specifies that it run during the server's Agent Manager downtime, the agent will not run. Compare these fields in the Server document to the time the agent is scheduled to run. If a conflict exists, change the Agent Manager schedule on the server, or ask the user to reschedule the agent.
4. If a LotusScript or Java agent terminates before completing its tasks, check the "Max LotusScript/Java execution time" fields in the Server document. If a complex agent requires more time than is scheduled, the Agent Manager terminates the agent before completion. Ask the user to reschedule the agent to run at night, when the default maximum execution time is longer; or increase the value of the "Max LotusScript/Java execution time" field in the Server document, as needed. If neither of these solutions is practical, ask the user to rewrite the agent as several smaller agents.

An agent doesn't run to completion
When an agent doesn't finish running, check the log file (LOG.NSF), the server console, and the Agent Log for error messages.
1. If the agent runs to completion when you run it manually, but does not run when it runs in the background, the agent code may contain commands, such as LotusScript user-interface methods, that aren't intended to run as background processes.
2. The "Max LotusScript/Java execution time" field in the Server document specifies how much time a LotusScript/Java agent has to complete execution. If the agent exceeds this maximum, the agent doesn't finish, and the Agent Log records the termination. Review the agent code to make sure it functions correctly, for example, make sure that the code doesn't run an infinite loop. If the code is correct, consider increasing the execution time limits in the Server document. However, be aware that increasing these settings may impact system performance because the Agent Manager will run for a longer time to accommodate this agent.

An agent isn't running at the expected times
If the agent is running, but not at or near the expected times, the server may be busy with other tasks. To gather information about when the agent last ran and if it completed successfully, check the agent log. Then check for these conditions and correct them, if necessary.
1. Scheduling conflicts may prevent an agent from running. In the Server document, click the Server Tasks - Agent Manager tab, and check the Daytime Parameters Start time/End time and Nighttime Parameters Start time/End time fields. If the values in these fields don't account for a portion of the day, the Agent Manager will not run during that period. For example, if the daytime parameters are 8 AM and 5 PM and the nighttime parameters are 8 PM and 8 AM, Agent Manager will not run any agents between 5 PM and 8 PM.
2. The NOTES.INI settings may be incorrect. Check these Agent Manager settings in the server's NOTES.INI file:
Amgr_DocUpdateAgentMinInterval
Amgr_DocUpdateEventDelay
Amgr_NewMailAgentMinInterval
Amgr_NewMailEventDelay
3. Edit the NOTES.INI file to include the Log_AgentManager setting and set it to 1. You can also enable this setting in the Configuration Settings document in the Domino Directory.
4. For servers running Domino 4.6 or earlier, the "Max % busy before delay" setting may have been exceeded. The "Max % busy before delay" setting on the Server Tasks - Agent Manager tab of the Server document controls the maximum percent of time the Agent Manager spends running agents. If the percentage of time is exceeded, a delay occurs before Agent Manager runs the next agent. After the percentage falls below the threshold, Agent Manager resumes running agents.
For more information on NOTES.INI settings, see the appendix "NOTES.INI File."

The Escrow agent isn't working
The Escrow agent won't work if:
There is no Person document containing the phrase Escrow Agent in the User name field.
More than one Person document contains the phrase Escrow Agent in the User name field.
The Escrow agent attempts to send encrypted mail to a recipient whose Person document doesn't contain a public key.

Users can't create agents
If a user can't create agents in a particular database, check the database ACL to see if the user has the access level required to create agents in that database. To create personal agents, a user must have at least Reader access to the database in which the agent will be created. To create shared agents, a user must have at least Designer access.
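The Agent Manager downtime described above under the scheduling-conflict steps (daytime 8 AM to 5 PM, nighttime 8 PM to 8 AM, no agents between 5 PM and 8 PM) can be checked mechanically. The following is an added example, not code from the Domino documentation; the function names are hypothetical, and it assumes each window is half-open (start included, end excluded) and given as 24-hour HH:MM strings.

```python
MINUTES_PER_DAY = 24 * 60

# Constructed sample: the daytime and nighttime parameters used in the text.
SAMPLE_WINDOWS = [("08:00", "17:00"), ("20:00", "08:00")]


def to_minutes(hhmm):
    """Convert 'HH:MM' to minutes after midnight."""
    hours, minutes = hhmm.split(":")
    return int(hours) * 60 + int(minutes)


def to_hhmm(minute):
    """Convert minutes after midnight back to 'HH:MM'."""
    return f"{minute // 60:02d}:{minute % 60:02d}"


def coverage(windows):
    """Return a per-minute list saying whether any window covers that minute.

    A window whose end is earlier than its start wraps past midnight.
    """
    covered = [False] * MINUTES_PER_DAY
    for start, end in windows:
        s, e = to_minutes(start), to_minutes(end)
        if s == e:
            # Assumption of this example: an empty/ambiguous window is rejected.
            raise ValueError(f"ambiguous window {start}-{end}")
        for offset in range((e - s) % MINUTES_PER_DAY):
            covered[(s + offset) % MINUTES_PER_DAY] = True
    return covered


def downtime(windows):
    """Return the (start, end) periods not covered by any window."""
    covered = coverage(windows)
    if not any(covered):
        return [("00:00", "24:00")]
    # Start scanning just after a covered minute so a gap that spans
    # midnight is reported as one period instead of two.
    first = covered.index(True)
    gaps, gap_start = [], None
    for offset in range(1, MINUTES_PER_DAY + 1):
        minute = (first + offset) % MINUTES_PER_DAY
        if not covered[minute]:
            if gap_start is None:
                gap_start = minute
        elif gap_start is not None:
            gaps.append((to_hhmm(gap_start), to_hhmm(minute)))
            gap_start = None
    return sorted(gaps)


def agent_will_run(run_at, windows):
    """True if a scheduled run time falls inside an Agent Manager window."""
    return coverage(windows)[to_minutes(run_at)]


if __name__ == "__main__":
    print("Downtime:", downtime(SAMPLE_WINDOWS))
    for run_at in ("16:59", "18:30", "21:00"):
        print(run_at, "runs" if agent_will_run(run_at, SAMPLE_WINDOWS) else "falls in downtime")
```
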
Some of the recommended solutions involve changing the database design. You should always test design changes on a template or a copy of the database before applying them to the production copy. For more information on transaction logging, see the chapter "Transaction Logging and Recovery."
The topics in this section include:
Users cannot access the database
Users experience a delay when accessing the database
Resolving conflicts when names are assigned to more than one access level
Using Groups and Roles to determine what controls user access
Using Find Note to analyze a document reported in the log file
The server is continuously updating a full-text index
If a database is large and active, database performance can be slow if the server updates a full-text index too frequently. Change the full-text index update frequency if necessary. For more information on update frequency, see the chapter "Setting Up and Managing Full-text Indexes."

while the database is opening. Disabling unread marks on the database eliminates the delay. For information on disabling unread marks, see the chapter "Improving Database Performance."

The database design is complex
A complex database design can cause performance problems. Work with the designer to redesign or minimize performance problems. For information on designing applications, see the book Application Development with Domino Designer.

Database performance properties are not being used
If feasible, set database properties to improve database performance. For information on setting database properties, see the chapter "Improving Database Performance."

The database cache needs adjustment
If you are a system administrator, monitor the database cache on the server that stores the database to see if it's working effectively. If necessary, increase the number of the databases the cache can hold. The NSF buffer pool size may also need to be increased. For more information on managing the database cache, see the chapter "Improving Database Performance."
Resolving conflicts when names are assigned to more than one access level
It's possible to assign users or servers more than one level of access to a database. The following table describes access level conflicts and resolutions.

Access level conflict: A name is listed in an ACL individually and as a member of a group.
Resolution: The access level assigned to the individual name takes precedence over the access level for the group, even if the individual access level is lower than the group level.

Access level conflict: A name is included in two or more groups.
Resolution: The name receives the access of the group with the highest access.

Access level conflict: A name appears in an ACL and in access lists associated with forms, views, or sections.
Resolution: The ACL controls database access; design element access lists refine this access to a lower level. For example, if a user has Author access to a database but is not listed in the access list for a form in the database, the user cannot use the form to create a document.
For more information on creating access lists that refine access to specific design elements, see the book Application Development with Domino Designer.
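The three resolution rules in the table above can be expressed as a small model for auditing an ACL export. This is an added example, not code from the Domino documentation: the function names and sample names are hypothetical, the fallback to the -Default- entry for unlisted names is standard ACL behavior rather than something the table states, and document creation is simplified to "Author or higher" (Depositor access and the Create documents privilege are not modelled).

```python
from enum import IntEnum


class Access(IntEnum):
    """Domino ACL levels, lowest to highest."""
    NO_ACCESS = 0
    DEPOSITOR = 1
    READER = 2
    AUTHOR = 3
    EDITOR = 4
    DESIGNER = 5
    MANAGER = 6


# Constructed sample data (hypothetical names).
SAMPLE_ACL = {
    "-Default-": Access.NO_ACCESS,
    "Sales": Access.EDITOR,
    "Managers": Access.MANAGER,
    "Pat Lee/Acme": Access.READER,  # individual entry, lower than Pat's group
}
SAMPLE_GROUPS = {
    "Sales": {"Pat Lee/Acme", "Sam Roy/Acme"},
    "Managers": {"Sam Roy/Acme"},
}


def group_levels(name, acl, groups):
    """Access levels granted to name through groups that appear in the ACL."""
    return [(acl[g], g) for g, members in groups.items()
            if g in acl and name in members]


def effective_access(name, acl, groups):
    """Return (level, source) after applying the conflict rules."""
    # Rule 1: an individual entry wins, even when it is lower than a group's.
    if name in acl:
        return acl[name], "individual entry"
    # Rule 2: among several groups, the highest access applies.
    matches = group_levels(name, acl, groups)
    if matches:
        level, group = max(matches)
        return level, "group " + group
    # Not covered by the table: unlisted names receive the -Default- entry.
    return acl.get("-Default-", Access.NO_ACCESS), "-Default-"


def can_create_with_form(name, acl, groups, form_access_list=None):
    """Rule 3: a form access list can only narrow what the ACL allows."""
    level, _ = effective_access(name, acl, groups)
    if level < Access.AUTHOR:  # simplification, see lead-in
        return False
    if form_access_list is None:  # no list on the form: the ACL decides alone
        return True
    identities = {name} | {g for g, m in groups.items() if name in m}
    return bool(identities & set(form_access_list))


def overridden_by_individual_entry(acl, groups):
    """Audit helper: names whose individual entry differs from their best group."""
    findings = []
    for name, level in acl.items():
        matches = group_levels(name, acl, groups)
        if matches:
            best, group = max(matches)
            if best != level:
                findings.append((name, level.name, group, best.name))
    return findings


if __name__ == "__main__":
    for who in ("Pat Lee/Acme", "Sam Roy/Acme", "Eve Doe/Other"):
        level, source = effective_access(who, SAMPLE_ACL, SAMPLE_GROUPS)
        print(f"{who}: {level.name} via {source}")
    print(overridden_by_individual_entry(SAMPLE_ACL, SAMPLE_GROUPS))
```
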
For more information on Groups and Roles, user access, and the Enforce a consistent ACL option, see the chapter Controlling User Access to Domino Databases.
6. Paste or enter the Note ID or UNID from Step 1 into the ID field.
7. Click Find.
8. View the document details and properties in the Fields and Properties fields.
Directories Troubleshooting
These topics describe how to troubleshoot problems related to:
Directory assistance
Directory catalogs
LDAP service
Extended ACL
You can also search for solutions to common problems on the Lotus Support Services Web site at www.lotus.com/support.
Tip: To record at the server console detailed information about specific Web user authentication sessions to help troubleshoot Web user authentication problems, use the NOTES.INI setting WebAuth_Verbose_Trace.

Internet user authentication using a secondary Domino Directory or Extended Directory Catalog fails
To authenticate Internet users registered in a secondary Domino Directory, make sure you complete these steps:
1. Select Notes as the Domain Type in the Directory Assistance document.
2. Set "Trusted for credentials" to Yes for at least one naming rule in the Directory Assistance document. The rule or rules should correspond to the names of the Internet users you want to authenticate.
3. Enter the secondary directory's Domino domain in the Domain Name field. Do not enter: the name of a condensed Directory Catalog, the name of the server's primary domain, or a domain name that is used in another Directory Assistance document. If you created the secondary directory manually and it's not associated with a Domino domain, make up a unique domain name.
4. If you use name-and-password authentication, and you choose the authentication option "Fewer name variations with higher security," make sure users provide either their hierarchical names or common names for authentication rather than first names, last names, or short names only.
For more information on this server authentication option, see the chapter Setting Up Name-and-Password and Anonymous Access to Domino Servers.
If you include groups of users in database ACLs on the server that authenticates, store those groups in the server's primary Domino Directory and/or in one directory enabled for Group authorization in the directory assistance database.

Internet user authentication using an LDAP directory fails
To authenticate Internet users registered in a remote LDAP directory, make sure you complete these steps:
1. Select LDAP as the Domain Type in the Directory Assistance document.
2. Specify a Domain Name that is not the Domino domain of the servers that use directory assistance and that is not used in another Directory Assistance document.
3. (Recommended) Enter 1 as the search order.
4. Set "Trusted for credentials" to Yes for at least one naming rule in the Directory Assistance document that corresponds to the names of the users to authenticate.
5. If the remote LDAP server requires a base DN, enter it in the field "Base DN for search."
6. Select "Notes clients/Internet Authentication/Authorization" in the "Make this domain available to" field.
7. If you enabled Channel encryption, make sure you've configured SSL properly.
8. If the LDAP directory server doesn't allow anonymous connections, make sure you've entered a user name and password in the Optional Authentication Credential section of the Directory Assistance document.
9. If the server authentication option "More name variations with lower security" is selected, make sure the server has access to the LDAP directory attributes cn, uid, sn, givenName, and objectClass. If the server authentication option "Fewer name variations with higher security" is selected, make sure the Web server has access to the LDAP directory attributes cn, uid, and objectClass.
For more information on the server authentication options, see the chapter Setting Up Name-and-Password and Anonymous Access to Domino Servers.

Database authorization using groups in a secondary directory fails
To search a secondary directory (Domino or LDAP) for the members of groups listed in database ACLs, make sure you complete these steps:
1. Specify a Domain Name that is not the Domino domain of the servers that use directory assistance and that is not used in another Directory Assistance document.
2. Set the Group Authorization field to Yes; enable this option in only one Directory Assistance document.
3. Set "Trusted for credentials" to Yes for at least one naming rule that represents the names within the groups to search.
4. If the directory is a Microsoft Active Directory, choose Active Directory in the "Type of search filter to use" field of the Directory Assistance document.
5. If the directory is a remote LDAP directory, when you add the name of a hierarchical group from an LDAP directory to a Notes database ACL, use the LDAP format for the name, but use forward slashes as delimiters (/) rather than commas (,). If the name of the LDAP directory group is not hierarchical, in a Notes database ACL enter the value for the group name without the associated LDAP attribute.
For example, if the name of the LDAP directory group is cn=managers,ou=groups,o=acme, in the database ACL enter cn=managers/ou=groups/o=acme. If the name of the group is cn=managers, in the database ACL enter managers.
6. Select "Notes clients/Internet Authentication/Authorization" in the "Make this domain available to" field.
7. If the directory is a remote LDAP directory and you've enabled Channel encryption, make sure you've configured SSL correctly.
8. If the directory is on a remote LDAP directory server that doesn't allow anonymous connections, make sure you've entered a user name and password in the Optional Authentication Credential section of the Directory Assistance document.
9. If the members of groups on a remote LDAP directory server change, stop and restart the Domino server that connects to the LDAP server. This ensures that the Domino server flushes its group cache and retrieves the most up-to-date group information.

Searches in a secondary Domino Directory configured in directory assistance fail
Make sure the domain specified in the Domain Name field of the Directory Assistance document for the secondary directory is different from the primary Domino Directory and any other directories configured in directory assistance. If the Domain Name specified for the secondary Domino Directory is not unique, searches of the secondary directory fail, and you see the message "User xxx not found in any Name and Address Book."
If the secondary directory is not associated with a Domino domain, be sure to enter a unique Domain Name that is different from the primary domain of the servers that store the secondary directory. Don't enter the name of a condensed Directory Catalog in a Directory Assistance document.

Directory assistance could not access Public Address Book on Server x, error is Server Not Responding
When you restart a server that uses directory assistance, the server attempts to access replicas of secondary Domino directories that database links in directory assistance point to so that it can load information about the replicas into memory. If the server can't locate the replicas, this server console message appears. To avoid this problem, in directory assistance documents, enter server names and file names for replicas, rather than paste database links to the replicas.
This message may also appear when a server that uses directory assistance attempts to look up a name in a secondary Domino Directory that is on an unavailable server. As a failover mechanism, you can specify more than one replica of a secondary directory for directory assistance to use.
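
The directory assistance checks repeated across the procedures above (unique Domain Name, a trusted naming rule, Group Authorization in only one document, the "Make this domain available to" selection) and the ACL name format for LDAP groups, as an added Python sketch that is not Domino code. The dictionary keys and sample documents are constructed for illustration and are not Domino field names; every document passed in is assumed to be one intended for authentication or group authorization, and domain names are compared case-insensitively as an assumption.

```python
"""Added example: lint Directory Assistance settings; keys are hypothetical."""
import re
from typing import Dict, List, Tuple

AUTH_USE = "Notes clients/Internet Authentication/Authorization"

# Constructed sample: the servers' primary domain and three DA documents.
SAMPLE_PRIMARY = "Acme"
SAMPLE_DOCS: List[Dict] = [
    {"domain_name": "AcmeWest", "domain_type": "Notes", "group_authorization": True,
     "naming_rules": [{"rule": "*/West/Acme", "trusted": True}],
     "available_to": [AUTH_USE]},
    {"domain_name": "Acme", "domain_type": "LDAP", "group_authorization": True,
     "naming_rules": [{"rule": "*/Partners", "trusted": False}],
     "available_to": [AUTH_USE]},
    {"domain_name": "acmewest", "domain_type": "Notes", "group_authorization": False,
     "naming_rules": [{"rule": "*/West/Acme", "trusted": True}],
     "available_to": []},
]


def audit_directory_assistance(primary_domain: str,
                               da_docs: List[Dict]) -> List[Tuple[str, str]]:
    """Return (domain name, problem) pairs; an empty list means no findings."""
    findings: List[Tuple[str, str]] = []
    seen = set()
    primary = primary_domain.strip().lower()
    for doc in da_docs:
        name = doc["domain_name"]
        key = name.strip().lower()
        if key == primary:
            findings.append((name, "Domain Name is the servers' primary domain"))
        if key in seen:
            findings.append((name, "Domain Name is used in another document"))
        seen.add(key)
        if not any(rule["trusted"] for rule in doc["naming_rules"]):
            findings.append((name, "no naming rule is Trusted for credentials"))
        if AUTH_USE not in doc["available_to"]:
            findings.append((name, "not available for authentication/authorization"))
    # Group Authorization may be enabled in only one document.
    with_group_auth = [d["domain_name"] for d in da_docs if d["group_authorization"]]
    if len(with_group_auth) > 1:
        findings.append((", ".join(with_group_auth),
                         "Group Authorization enabled in more than one document"))
    return findings


def ldap_group_to_acl_name(ldap_dn: str) -> str:
    """Convert an LDAP group name to the form entered in a Notes database ACL."""
    # Split on commas that are not backslash-escaped inside a value.
    parts = [p.strip() for p in re.split(r"(?<!\\),", ldap_dn) if p.strip()]
    if len(parts) == 1:
        # Not hierarchical: enter the value without the LDAP attribute.
        return parts[0].split("=", 1)[-1]
    # Hierarchical: keep the LDAP format but delimit with forward slashes.
    return "/".join(parts)


if __name__ == "__main__":
    for domain, problem in audit_directory_assistance(SAMPLE_PRIMARY, SAMPLE_DOCS):
        print(f"{domain}: {problem}")
    print(ldap_group_to_acl_name("cn=managers,ou=groups,o=acme"))
```
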
Names are missing from the directory catalog
If names appear to be missing from the directory catalog, take these steps to troubleshoot the problem.

Verify that the Dircat task is building the directories as intended
1. Open the directory catalog on the server that aggregates it.
2. Select the Configuration Settings document, and then choose File - Document Properties.
3. Click the Fields tab (the second tab in the properties box).
4. Select the Directories field and look in the box on the right. Verify that the Dircat task can access all the directories specified in the box. Typically, this means making sure that the server that aggregates the directory catalog also stores replicas of all the aggregated directories locally.
5. Select the Since field and look in the box on the right to see the date and time the Dircat task last ran on all of the directories specified in the Directories field. If either of the following is true, run the Dircat task again:
If there are fewer time/date stamps than directories (for example, if there are four directories in the Directories field but only two time/date stamps), when the Dircat task last ran, it attempted to rebuild the source directory catalog but didn't complete the task.
If the time/date stamps are older than expected, the Dircat task may not have run to completion when it last did an incremental update of the source directory catalog.

If the Remove duplicate users option is enabled, see if someone has deleted a duplicate entry from one of the full Domino directories
If the "Remove duplicate users" option is enabled, the Dircat task doesn't add into the directory catalog all entries associated with an identical hierarchical name. Instead, the task adds an entry from the first directory in which it encounters the name. Dircat searches directories in the order that they're specified in the "Directories to include" configuration field. If someone removes from the full Domino Directory the duplicate entry that the directory catalog has been using, that name is removed from the catalog.
For example, if the Acme East and the Acme West directories both contain an entry with the name Phyllis Spera/Acme, if "Remove duplicate users" is enabled, and if Acme East is listed first in the "Directories to include" field, when Dircat runs, it includes only the entry from Acme East. If someone then removes Phyllis Spera/Acme from Acme East, the name is removed from the directory catalog the next time Dircat runs.
To correct the problem, make a minor change to the remaining entry (in the above example, the entry in Acme West). This change causes Dircat to add the entry to the directory catalog the next time it runs. You can also correct the problem by clicking the Clear History button in the directory catalog Configuration document, although this approach rebuilds the entire directory catalog.

Verify that the User Name fields have values
If there's no value in the User Name (FullName) field in a Person document, the Dircat task won't build the entry in the directory catalog. Notes registration adds values to User Name fields automatically, but if you created Person entries without using the Notes registration program, check that the entries have values in this field.
Use Log_Dircat=1
If the above steps don't solve the problem, add the NOTES.INI setting Log_Dircat=1, which logs information about the Dircat task in the log file (LOG.NSF). Use the logged information to help troubleshoot the problem.
For more information on the log file, see the chapter Using Log Files. For more information on the NOTES.INI file, see the appendix NOTES.INI File.

Users can't use type-ahead addressing to look up names in a condensed Directory Catalog
Type-ahead addressing looks up a name in a condensed Directory Catalog only if the order in which the user types the name corresponds to the "Sort by" format configured for the directory catalog. For example, if the configured "Sort by" format is Distinguished name, type-ahead looks up the name in a directory catalog only when a user types the first name before the last name. Or, if the "Sort by" format is set to Last name, type-ahead looks up the name in a directory catalog only when a user types the last name before the first name.

Domino isn't searching a directory catalog on a server
To search an Extended Directory Catalog that is not integrated into its primary Domino Directory, a server must be set up to use a directory assistance database that contains a Directory Assistance document for the directory catalog.
To search a condensed Directory Catalog, a server must store a local replica of the directory catalog. In addition, you must specify the file name for this replica in either the Directory Profile or in the Basics section of the Server document in the server's primary Domino Directory.
For more information on directory catalogs, see the chapter Setting Up Directory Catalogs.

Internet user name-and-password authentication using a condensed Directory Catalog fails
If you're having difficulty setting up a server to use a condensed Directory Catalog to look up names and passwords to authenticate Internet users, take these steps to troubleshoot the problem.
Note: These steps do not apply to authentication using an Extended Directory Catalog.
1. Test that authentication using directory assistance alone is working. Temporarily disable the directory catalog. Remove the directory catalog file name from the server's primary Domino Directory. Remove the directory catalog file name from the Directory Profile and from the Basics tab of the Server document; the file name is probably stored in only one of these locations but if it is in both locations, remove the name from both. Restart the appropriate Internet protocol server task. For example, for a Web server, restart the HTTP task. Verify that the server can authenticate to each secondary Domino Directory configured in the directory assistance database that you want to use for authentication. If authentication fails, go to step 2. If authentication is successful, go to step 3.
2. If you are trusting all the aggregated directories for authentication, make sure you've selected the option on the Basics tab of the Server document: "Trust the server based condensed directory catalog for authentication with internet protocols."
If you are trusting for authentication only some of the aggregated directories, make sure you've created a Directory Assistance document for each of the directories to trust in which the users to authenticate are registered. In each Directory Assistance document, verify that you've done the following:
Set "Trusted for credentials" to Yes for at least one naming rule in the Directory Assistance document. The rule or rules should correspond to the names of the Web users you want to authenticate.
Enter the secondary directory's Notes domain in the Domain Name field. Do not enter: the name of the directory catalog, the name of the server's primary domain, or a domain name that is used in another Directory Assistance document. If you created the secondary directory manually and it's not associated with a Notes domain, make up a unique domain name.
In the Replicas tab of the Directory Assistance document, make sure one of the replicas specified is the same replica of the secondary directory specified in the "Directories to include" field in the directory catalog Configuration document. Do not specify a replica of the directory catalog.
3. In the "Directories to include" field of the directory catalog Configuration document, specify a replica of each secondary Domino Directory that contains the users you want to authenticate. Do not include the name of an LDAP directory in the "Directories to include" field.
4. In the "Additional fields to include" field of the directory catalog Configuration document, add the HTTPpassword field.
5. Run the Dircat task to build the directory catalog.
6. If the server on which you ran the Dircat task is not the server doing the authentication, make sure you've created a replica of the populated directory catalog on the server, added the directory catalog file name to either the Directory Profile or the Basics tab of the Server document, and then restarted the server.
7. If you use name-and-password authentication, and you choose the server authentication option "Fewer name variations with higher security," make sure users provide either their hierarchical names or common names for authentication rather than first names, last names, or short names only. For more information on the server authentication option, see the chapter Setting Up Name-and-Password and Anonymous Access to Domino Servers.
8. If you include groups of users in database ACLs on the server, store those groups in the server's primary Domino Directory and/or in one directory configured in the directory assistance database that is enabled for group authorization.

LDAP searches of a condensed Directory Catalog aren't working
If the LDAP service isn't searching a local condensed Directory Catalog as expected, make sure the directory catalog has a functioning full-text index. The LDAP service always uses the directory catalog full-text index to process searches. The LDAP service can return the error "LDAP error DSA is unwilling to perform (0x35)" when attempting to search a directory catalog that is not full-text indexed. If necessary, delete and then re-create the full-text index.

A condensed Directory Catalog is not full-text indexed or the full-text index is corrupted
When you first create a condensed Directory Catalog, you must manually create a full-text index for it; you are prompted to create the index when you create the database. When you replicate the directory catalog, however, Domino automatically creates the full-text index on the replica. If you create a copy rather than a replica, you must manually create the full-text index on the copy.
The full-text index can become corrupted if there is not enough disk space to build the index or if you shut down the Notes or Domino Administrator client before the index is entirely built. To correct the problem, delete and then recreate the full-text index.

User Setup Profile doesn't push Mobile Directory Catalogs to users
To use a User Setup Profile to set up mobile directory catalogs on Notes clients, you must paste a database link of a replica of the directory catalog in the "Mobile directory catalogs" field of the User Setup Profile. The Notes clients don't receive a replica of the mobile directory catalog until the User Setup Profile replicates to the users' mail servers and the users authenticate with the mail servers.

Router is finding the same name in multiple directories even though the Exhaustive lookup setting is disabled
By default, the Router configuration option "Exhaustive lookup" (available on the Router/SMTP - Basics tab of a Configuration Settings document) is disabled. If you keep this default setting, once the Router finds a name, it doesn't continue its search to other secondary Domino directories. Disabling exhaustive lookups is a way to improve Router performance.
By design, disabling "Exhaustive lookup" does not apply to a directory catalog. The Router always searches the primary Domino Directory and the entire server directory catalog, even if the exhaustive lookup setting is disabled. This is intended behavior since the Router can use the directory catalog to, in effect, quickly search multiple secondary directories rather than having to take the performance hit of searching these directories individually. These exhaustive lookups allow the Router to ensure there are no duplicate recipient names that might prevent the message from getting to the right person.
The Router returns a delivery failure when it finds a name associated with more than one directory entry and the entries do not have the same Mail server, Mail file, or Domains specified. To avoid such delivery failures when duplicate entries actually represent the same person (for example, when someone's name and directory location within the organization have changed but you want to allow people to address mail using the original name), make the entries in the Mail server, Mail file, and Domain fields identical for each entry.

Users can't do full-text searches of a condensed Directory Catalog
A condensed Directory Catalog doesn't support direct full-text searches by users, only indirect full-text searches via LDAP, mail addressing, and so on.
Name and password authentication fails for LDAP clients connecting to the LDAP service
To authenticate using name-and-password security, some LDAP clients (for example Netscape Mail, Microsoft Internet Explorer, and Notes clients with LDAP accounts) first do an anonymous search to retrieve the distinguished names used for the authentication, so that users don't have to specify the distinguished names themselves. To enable such clients to authenticate using names and passwords, you must enable anonymous access, as well as name and password authentication, for the LDAP service port the clients use to connect. You must also allow anonymous read access to the attribute(s) the clients use to search the directory anonymously to retrieve the distinguished names. Attributes typically searched for are cn, uid, sn, givenname, or mail.
For information on anonymous access and the LDAP service, see the chapter Setting Up the LDAP Service.
LDAP searches are slow
If LDAP searches are slow, do the following on the replica of the primary Domino Directory. If you extend LDAP searches to secondary Domino Directories, also do the following on each replica of the secondary directory.
1. Create a full-text index for the directory.
2. If you've created a full-text index for the directory and performance is still slow, consider editing the value of these LDAP configuration fields:
Maximum number of entries returned: limits the number of entries that the LDAP server can return. By default there is no limit, but you might set a limit of 100 entries, for example.
Timeout: limits the amount of time that LDAP searches can take. By default, there is no limit, but you might set a limit of 60 seconds, for example.
Minimum characters for wildcard search: increases the number of characters that users must enter before the first wildcard in a substring search filter. The default is 1. Don't specify 0 unless the directory is very small; specifying 0 can result in slow searches.
For more information on improving LDAP service performance, see the chapter Setting Up the LDAP Service.

Anonymous LDAP users can't search certain fields
Make sure you've enabled the fields for anonymous access, using the domain Configuration Settings document or the database ACL/extended ACL. Keep in mind that you configure fields for anonymous access separately for the LDAP service's primary Domino Directory and for each secondary Domino directory the LDAP service serves.
For more information on anonymous LDAP search access, see the chapter Setting Up the LDAP Service.

LDAP Server: Initialization failure: The full text index needs to be rebuilt
If the LDAP service setting "Automatically Full Text Index Domino Directory" is set to Yes in a domain Configuration Settings document, this message can appear on a server running the LDAP service if the full-text index for the primary Domino Directory is corrupted and requires rebuilding. The LDAP service shuts down after displaying the message. To correct the problem:
1. Use the Exit or Quit command to shut down the Domino server.
2. At the operating system prompt, issue one of the following commands from the Domino program directory to run the updall task and rebuild the directory full-text index:
On Windows NT type: nupdall directory.nsf -X
On UNIX type: updall directory.nsf -X
where directory.nsf is the file name of the primary Domino Directory.
3. Restart the server.

LDAP searches don't return a cn attribute
If you add a Person document to the Domino Directory without using Notes registration, and you enter a hierarchical name in the FullName (User name) field, the leftmost part of the distinguished name does not automatically become the cn (common name) attribute value. You must add the common name as a second value in the FullName field to define a cn attribute for the entry. Person documents created through Notes registration automatically have a second value added to the FullName field to define the cn attribute.

LDAP error Insufficient Access returned on an LDAP Add operation
If you see this error in response to an LDAP Add operation, do the following:
1. Verify that the option "Allow LDAP users write" is set to Yes in the LDAP section of the Configuration Settings document for that Domino Directory.
2. Verify that the LDAP user has the necessary access in the Domino Directory database ACL and extended ACL, if an extended ACL is used.
3. If the LDAP user has Author access in the ACL, verify that the LDAP user has the proper Creator Role ([UserCreator], [GroupCreator], [ServerCreator]) for the type of entry being added.
4. Verify that Form Properties are correctly set to allow the LDAP user to create documents with the form used to add the entry.
LDAP clients can't connect to the LDAP service over SSL when the server uses a self-signed Domino server certificate
If the server that runs the LDAP service uses a self-signed Domino certificate, non-Notes LDAP clients can only perform LDAP searches over SSL if they first connect to the Domino server over SSL using a different protocol (for example HTTPS or IMAP). The client software then presents a warning dialog stating that the server's self-signed certificate is not issued by a trusted Certificate Authority and gives the users the option to accept the certificate. The users must accept the certificate before they can perform LDAP searches over SSL.

LDAP Schema: Failed exporting error
If you use the tell ldap exportschema command when the Domino LDAP Schema database (SCHEMA50.NSF) is open, schema exporting fails and the LDAP service returns this error. Close the database before using this command.
The access specified for subject is different than the subject's actual access
The access you see set for a subject at an extended ACL target may not reflect the actual, effective access the subject has. For example, there may be access set for another subject that takes precedence. Or the database ACL may not actually allow the access that has been set for the subject in the extended ACL. Click Effective Access in the "Extended access at target" dialog box to find out more about what is controlling a particular user's access to an extended ACL target.
The Target box doesn't show documents
The Target box in the "Extended Access at: target" dialog box shows documents below the target categories only if "Show only containers" is not selected. Using categories as targets rather than individual documents is recommended.
Documents show under a target category only if their names are defined through a FullName, ListName, or ServerName field. Access set at the / (root) controls access to documents that don't use FullName, ListName, or ServerName fields.

I can't change a subject's access to a target
To modify a subject's privileges to a selected target, you must have Manager access in the directory database ACL, or Editor access and the Administer privilege to the selected target. If you do not have the required access, a subject's privileges are grayed out.
In addition, if Show All is selected next to "People, Servers, Groups" in the "Extended access at: target" dialog box, the list of subjects includes those whose privileges to the selected target are inherited from a higher target with the scope "This container and all descendants" selected. When you select such a subject, the subject's privileges are grayed out. In this case you can change the subject's privileges at the higher target and have the current target inherit the changes. Or you can add the subject to the current target with new privileges that override the inherited privileges at the current target.
Notes and Web users are getting unexpected results when accessing the directory
If you are controlling the access of Notes and Web users, be aware of the following issues. These issues do not apply to access through other means, such as access through LDAP operations or through the Notes applications, except where indicated.
If you deny a Notes or Web user access to a field in a document, when the user opens the document, the document does not show the field and the text (TRUNCATED) shows in the tab of the document. In addition, the user is unable to edit the document, even if the user has write access to the fields in it.
If you deny a Notes or Web user access to a field in a document that a view uses to sort the document, the name of the document is blank in the view. The user can still select the document to open it.
To delete a document, a Notes or Web user must be able to see the document in a view. To see a document requires Browse access to the document.
To create a document, a Notes or Web user or a Notes application must have Create access to the document as well as Write access to the fields to which the user/application will add values.
Extended access controls are enabled in this domain. You must modify the Domino Directory on a version 6 or later Domino server.
This message indicates that you have attempted to modify a Domino Directory or Extended Directory on a server running a previous release and the directory has the Extended Access feature enabled. When Extended Access is enabled, changes to a replica of the directory on a server running a previous release cannot replicate to a Lotus Domino 6 server, and so you should make the changes to a replica on a Lotus Domino 6 server instead.
You can also search for solutions to common problems on the Lotus Support Services Web site at www.lotus.com/support.
3. The user attaches the new mail database to a mail message and sends it to you.
4. You open the mail database attached to the mail message and select a Delivery Failure Report. The Delivery Failure Report identifies the reason the delivery failed and the routing path over which the message was sent. Use this information to further investigate the problem.

Mail trace
To troubleshoot mail routing or test mail connections, trace a mail delivery to test whether a message can be successfully delivered without actually sending a test message.
1. From the Domino Administrator, click the Messaging - Mail tab.
2. If necessary, click Tools to display the tool bar.
3. From the tool bar, click Messaging - Send Mail Trace.
4. Complete these fields, and then click Send:
Field: To
Enter: The mail address of a particular user

Field: Subject
Enter: The subject of the trace

Field: Send delivery report from
Enter: Choose one:
Each router on path: to receive a delivery report from each router on the path
Last router only: to receive a delivery report from the last router only

Mail routing topology maps
Mail routing topology maps are useful to track mail routing problems between servers.
1. From the Domino Administrator, click the Messaging - Mail tab.
2. Choose one:
Mail routing topology by connections
Mail routing topology by named networks

Undelivered mail
From the Domino Administrator, click the Messaging - Mail tab, then select Mail routing status. You can also check for undelivered mail in the mail routing events view in the log file (LOG.NSF).
Mail routing event generators
Using a mail routing event generator, you can test and gather statistics on mail routes. For more information on probes, see the chapter Monitoring the Domino Server.
User can't receive any mail, including mail sent by users whose mail files are on the same server
If a user can't receive any mail, including mail sent by other users whose mail files are on the same mail server, check the Mail Routing Events view of the workstation's log file for deliveries. Also, check the MAIL.BOX file on the user's workstation to see if mail is being trapped there. Modify the Log_MailRouting setting in the NOTES.INI file to log more detailed mail routing information on the console and in the log file.

File is in use by another process
If the recipient's mail file or the MAIL.BOX file on the sending or receiving server is being backed up, Domino generates the message "File is in use by another process." Wait for the backup to complete, and then resend the message.

NAMES.NSF does not contain a required view appears when sending mail to users on the same mail server
If all users on the same mail server can't send or receive mail and they receive the message "NAMES.NSF does not contain a required view," you need to update the design of the Domino Directory. Choose File - Database - Replace design. When you customize the design of the Domino Directory, the design must be uniform across all replicas. Note that there are two templates: PUBNAMES.NTF, for the Domino Directory, and PERNAMES.NTF, for the Personal Address Book. Be sure to use the PUBNAMES.NTF template when working with the Domino Directory.
For more information on updating the design of the Domino Directory, see the appendix Customizing the Domino Directory.

No route found to Domain x from Server y
If users can't send mail to another domain and receive a message such as "No route found to Domain x from Server y," make sure that each domain's Domino Directory has a Connection document from one of its servers to a server in the other domain. If a Connection document doesn't exist, create one. If there is a Connection document, make sure the information contained in it is correct.

Router: Possibly no DOMAIN set; use SET CONFIG DOMAIN=name to set it; or replace the Name and Address Book design.
If this message appears on the console and then the Router shuts down, the Server document may contain errors. In the Server document, verify that the domain is set, and that the ServerKeyFileName (or KeyFileName) both refer to the server ID for that server. If necessary, make corrections to the Server document. Also check that the Location document that you're using refers to the correct server ID. If necessary, edit the Location document so that it refers to the correct server ID.

Server Error: File Does Not Exist
This message occurs when a user tries to read a message that is linked to an active shared mail file that has been improperly moved to a different directory, partition, or hard drive.
For information on creating and enabling a shared mail database, see the chapter Setting Up Shared Mail.

User name is not unique in a Delivery Failure Report
Check the Domino Directory for multiple occurrences of the recipient's name.
There may be more than one Person document for a user, or a user and a group may have the same name.
"User not listed in the Public Address Book" appears with returned mail
If the recipient's name is misspelled, mail is returned to the sender, along with the message "User not listed in the Public Address Book." If the domain name is misspelled, mail is returned with the message "No route found to domain name from server name." Check the Domino Directory for the correct spelling of the names, and resend the document.

Users unexpectedly required to include @domainname after each address
If users report that they can't send mail to another domain unless they include @domainname after each address, configure directory assistance and directory catalogs to include the directories from the other domains.
2. Look for and correct any of these problems with Person documents:
- There's no Person document for the recipient in the Domino Directory. If necessary, register the recipient to create one.
- The mail recipient's name, mail server, or mail file is incorrect or is spelled incorrectly. Correct the entries, if necessary.
- There are multiple occurrences of the recipient's name in the Domino Directory. There may be more than one Person document, or a user and a group may have the same name. You can add a middle initial to one of the user names if two users share the same name. You can modify a group name if it's a duplicate of another.
- The recipient receives mail through a gateway. Make sure the recipient's Person document contains a forwarding address.
3. Check the Server documents of the sender's and recipient's mail servers. Make sure that the names of the server, domain, and Notes named network are spelled correctly.
4. Check Connection documents for mail routing. If two servers are in different Notes named networks (or domains) or don't have a third server that has a Notes named network in common with both servers, then you must create pairs of Connection documents to enable mail routing back and forth. For servers in the same Notes named network, mail routing is automatic so you don't need Connection documents. To check mail routing connections, from the Domino Administrator, click the Messaging - Mail tab. You can see mail routing topology by connections or by named networks. Look for servers that can't reach a server in another Notes named network or domain. Then check the Domino Directory for these problems, and edit or create the documents as necessary:
- Missing Connection documents. Make sure that each domain's Domino Directory has a Connection document from one of its servers to a server in the other domain.
- A misspelled Notes network or domain name in the Connection document.
- An incorrect phone number (for dialup connections) in the Connection document.
- A missing selection for Mail Routing in the Tasks field of the Connection document.
5. If mail routing occurs through a non-adjacent or foreign domain, check that the Domino Directory contains a correctly set up Non-adjacent or Foreign domain document. For a non-adjacent domain, verify that a Connection document to the intermediary, or middle, domain also exists.
6. If your organization uses cascading address books, be sure that the Names setting in the NOTES.INI file contains the correct names of the cascading address books.

Checking the sender's and/or recipient's workstation for errors that affect mail
Check for these conditions and correct them, if necessary.
1. Check the User Preferences (File - Preferences - User Preferences).
- Check the settings for Mail; for example, the Mail Program field may be set to None, which disables all mail for the user.
- Check the settings under ports; the port(s) necessary to send mail may be disabled.
For more information on User Preferences, see Lotus Notes 6 Help.
2. Check the user's Personal Address Book for a missing view. If a view is missing, replace the design of the Personal Address Book. Choose File - Database - Replace Design, and specify the Personal Address Book template, PERNAMES.NTF, not the Domino Directory template, PUBNAMES.NTF. Replacing the design deletes any nonstandard private views but does not affect the data. For more information on replacing the design of a template, see the book Application Development with Domino Designer.
3. Check if the user is using the appropriate Location document. For example, a mobile user who is working in the office may be attempting to use a Location document that is for use only when the user works at home. Another possibility is that the Location document may contain incorrect information. To check the current Location document, from the workstation, choose File - Preferences - Location Preferences. Check that the sender's workstation is set up with the correct mail server and mail file names. Choose File - Preferences - Location Preferences, and verify the settings in the Home/mail server and Mail file fields. For more information on Location documents and on specifying a mail server and a mail file, see Lotus Notes 6 Help.
Checking the server for errors that affect mail
Check for these conditions and correct them, if necessary.
1. Verify that the sending and receiving servers have a certificate in common.
a. From the Domino Administrator, click the People & Groups tab.
b. From the tool bar, click Certification - ID file.
c. Choose the appropriate server ID file, and click Open.
d. Click Certificates to display the certificates held by the server.
e. Repeat for the second server.
f. Recertify one or both server IDs, as necessary.
2. Make sure there's enough memory and disk space on the recipient's mail server.
- Add memory to the server, and/or increase the disk space for swapping.
- Add disk space to the server.
3. Check for a corrupt mail file. On rare occasions a recipient's mail file may become corrupted. Do one of these:
- Run the Fixup task. Use this task if the database is in Domino 5 or higher format and you're not using transaction logging, or if the database is in Domino 4 format.
- Run the Fixup task with the -J option. Use this task if the database is in Domino 5 or higher format and you are using transaction logging. If you use a backup utility certified for Domino 5 and you run Fixup -J, perform a full backup of the database as soon as Fixup finishes.
4. Check for a missing or incorrect Domain setting in the NOTES.INI file. At server startup, the Router sends the message "Mail Router started for domain x" to the console and to the log file. To see if the NOTES.INI file on the sender's and recipient's mail server includes a Domain setting, enter this command at the console:
Show Configuration Domain
Then verify that the domain name is correctly spelled. To add the Domain setting or correct the spelling of the domain name, enter this command at the console:
Set Configuration Domain = DomainName
where DomainName is the name of the mail server's Notes domain.
5. Check for a corrupt MAIL.BOX on the server. Do one of these:
- Run the Fixup task. Use this task if the database is in Domino 5 or higher format and if you're not using transaction logging, or if the database is in Domino 4 format.
- Run the Fixup task with the -J option. Use this task if the database is in Domino 5 or higher format and you are using transaction logging. If you use a backup utility certified for Domino 5 and you run Fixup -J, perform a full backup of the database as soon as Fixup finishes.
If the corruption still persists, shut down the server and rename MAIL.BOX (for example, rename it to BADMAIL.BOX). Then restart the server to generate a new MAIL.BOX file, and copy any uncorrupted documents from BADMAIL.BOX to MAIL.BOX.
6. Check for problems with modem connections.
For more information on errors that affect mail, see the topic "User can't receive mail, including mail sent by other users whose mail files are on the same mail server" earlier in this chapter.

Checking the shared mail setup
Check for these conditions and correct them, if necessary.
1. Verify that shared mail is enabled. To determine if a mail file or individual mail files in a directory use shared mail, enter this command at the console:
Load Object Info USERMAIL.NSF
where USERMAIL.NSF is the name of a user's mail file or the name of a directory that contains mail files. If you enter a directory name, the information that appears describes each mail file in the directory.
2. Check for a corrupt shared mail file. If you suspect the shared mail file is corrupt, you can restore the file.
3. Verify that there's enough disk space available for the shared mail file. If there isn't, you can purge obsolete messages from a shared mail file.
4. Make sure the user's mail file hasn't been unlinked from the shared mail file. If necessary, relink the mail file.
For more information about shared mail, see the chapter "Setting Up Shared Mail."
You can also search for solutions to common problems on the Lotus Support Services Web site at www.lotus.com/support.
Free time information isn't available
If, while scheduling a meeting, a user can't look up free time for a particular invitee because the invitee's schedule is grayed out in the Free Time dialog box, or if no user's free time information can be accessed and the message "No scheduling information for the requested users could be found at this time" appears, use these tips to troubleshoot the problem.
1. Check that the invitee's name is spelled correctly on the meeting invitation. If the invitee belongs to a different domain, be sure to specify the invitee's full hierarchical name, including the domain name.
2. Check that Domino 4.5 or higher is installed on the invitee's mail server.
3. Make sure that the mail server is running. Free-time lookups fail if Domino cannot access the free time database on the invitee's mail server because the server is unavailable. If the server isn't running, the user can still complete invitation processing, including sending and receiving meeting-related messages. Also, lookups for other invitees with free time databases on other servers still work.
4. Check that the Schedule Manager task is running on the mail server.
5. Check that the invitee saved his or her Calendar Profile after upgrading the design to the Domino 4.5 or higher mail template.
6. Check that the user is included in the list of users who can read the invitee's Free time Schedule in the Calendar Profile.
7. Check that the free-time lookup finds schedule information for users whose mail servers are in a foreign or adjacent domain. If the free-time lookup fails, make sure a valid Domain document exists. In addition, check the Calendar Server field in the Domain document to make sure a valid calendar server has been defined for the domain.
8. Check that the mail servers are running the same protocol. The mail servers must run the same protocol so that the servers can connect to each other to perform a free-time lookup.

Can't Find User in Name and Address Book
If this message appears, the entry used in the $BusyName field in a calendar entry for the Note ID reported in the log doesn't exist in the Domino Directory. This situation typically arises when a user leaves the company and the Domino Directory no longer contains a Person document for the user. To resolve this error, find the document associated with the NoteID, and delete the document. To find the note ID and the document associated with it, see the topic "Troubleshooting Schedule Manager errors reported in the log" later in this chapter.

Cannot perform this action locally
This message appears when you try to create a Site Profile in the Resource Reservation database locally on the server. To avoid this message, when you open the Resource Reservation database, specify the actual server, instead of Local.

No resource/room found for time and/or capacity requirements
The message "No resource/room found for time and/or capacity requirements" may appear when a user creates a reservation in the Resource Reservation database. This message indicates that the Site Profile name for that particular resource includes a comma (for example, Acme, East). Re-create the Site Profile name without the comma (for example, Acme East).
15. Click the check mark in the formula pane to accept the new formula.
16. Press ESCAPE, and click Yes to save the design.
17. Press ESCAPE to close the Designer.
18. Refresh the view so that all of the Note IDs appear in the database.
19. Find the Note ID that the Schedule Manager reported in the log, and select that document in the view.
20. Choose File - Document Properties.
21. Click the Fields tab.
22. Scroll through the fields in the left box and search for a $BusyName field.
23. Compare the information in the $BusyName field to the entries in the BUSYTIME.NSF file and the Domino Directory. Make any corrections.
You can also search for solutions to common problems on the Lotus Support Services Web site at www.lotus.com/support.
To isolate the problematic command or parameter, split the setup string in half, and enter a new Setup=AT command on the line immediately following the first half of the setup string. Try to make the connection again, and then check the log to determine which half of the setup string causes the error. Continue splitting the setup string in half until you locate the command or parameter that causes the problem.
should be the same for modems that are trying to connect. To check these settings, choose File - Preferences - User Preferences, select Ports, select the COM port you want to check, and click COM options.
9. Check the modem command file.
- Make sure that it's the correct one for your modem.
- Make sure it uses the correct syntax and is free of any spelling errors, missing command parameters, and incorrect settings or responses.
- Check the operating system time stamp and last revision date of the file to make sure you're using the correct version of the file. To do this, use a file manager such as Windows Explorer.
- Make sure you specified the correct directory for the file (for example, the Notes\Data\Modems directory).
10. Check the Connection document in the Domino Directory. Make sure the fields in the Connection document contain the correct information for a dialup modem connection.
11. Check the Miscellaneous Events view in the log (LOG.NSF). Sometimes modems that use the same modem standards can't connect to each other because of the way the manufacturer implemented the standard. Contact the modem manufacturer to resolve the problem.
12. Check the Phone Calls view in the log. Numerous CRC or retransmission errors indicate that one or both modems detect transmission errors. A damaged RJ-11 cord and/or poor phone line quality may cause these errors. Try another cord and ask the phone company to check the phone line.

Data isn't transferring between two servers using a null modem
If you connect two servers with a null modem cable and the servers make a connection but data does not transfer between them, try these tips to solve the problem:
1. Replace the modem cable or port with one that you know works correctly.
2. Change the port speeds. Choose File - Preferences - User Preferences and select Ports. Select the port you want to modify, and then select COM Options. Select a port speed that matches the port speed of the other modem.

The dialup server cycles through port speeds without initializing the modem
If the log (LOG.NSF) indicates that the server continuously cycles through port speeds without initializing the modem, the server isn't able to connect to or synchronize with the modem. Try these tips to solve the problem:
1. Turn the modem on and off to reset it.
2. Check the cable connection from the server to the modem. Make sure that the cable is attached to the correct port and isn't damaged.
3. Make sure the communication port is correctly configured.
4. Specify a lower port speed. Choose File - Preferences - User Preferences and select Ports. Select the port you want to modify, and select COM Options. Select a lower port speed.
5. Replace the serial card and RS-232 interface card with one that you know works.

Valid commands in the modem command file are ignored
You may notice this problem if you check the log and find that OK responses are missing after one or more valid commands. Try these tips to solve the problem:
1. Make sure letters in the AT commands in the modem command file are either all uppercase or all lowercase. Many modems do not recognize mixed-case commands.
2. Make sure that commands in a long setup string do not exceed the character limit for the modem. Use the Setup=AT command at the beginning of each line to split the setup strings into smaller sections.
Wait a few minutes and then issue the Show Stat Platform command again.
2. On Windows NT, enable network counters using the following steps:
a. Enable the SNMP service.
b. During installation of the SNMP service, enable the physical layer property for SNMP. The SNMP server enables the Network Interface Object and begins collecting network statistics for platform statistics.
3. Restart the system so that the settings will take effect.

The probable cause for this message is that platform statistics detected that the Network Interface Object was not enabled. Enable the SNMP service.

Logical disk counters are not enabled
Platform Stats Informational: Please execute diskperf.exe -y to enable Logical Disk performance counters.
The probable cause is that platform statistics detected that the logical disk counters were not enabled. Enable logical disk counters.

Platform statistics do not appear to be enabled
Platform not in Statistics Table
When the statistics are ready to be displayed, the system displays the following message, where n is the number of current transactions or users.
n Transactions/Minute, n Users
Upon Domino startup, the path to the nnotes.dll is not set or is set incorrectly. Multiple installations of Domino may exist on the system and an earlier installation of Domino is being invoked. Make sure that nnotes.dll is set to this path:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\notestat\Performance\Library
Perfmon, the performance monitoring package, was incorrectly installed when the system was upgraded. Reinstall the Win2K server.
Note If you need additional information regarding enabling the SNMP server, refer to your Windows NT or Windows 2000 System Administration Reference Guide.
System configuration issue for platform statistics on Windows NT and Windows 2000 systems
On Windows NT and Windows 2000, an error may occur when loading certain performance DLLs. If they do not function properly or take too long to pass data, the operating system automatically adds a value to the following Performance registry subkey, where TypeOfPerfService may be PerfProc, PerfOS, or NoteStat:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<TypeOfPerfService>\Performance
When the error occurs, the value for the variable Disable Performance Counters is set to 1, which disables performance counters for statistics such as CPU utilization (Platform.System.PctCombinedCpuUtil) or Memory (Platform.Memory.PagesPerSec). These counters are found under the services PerfOS, PerfDisk, PerfProc and PerfNet.
If these statistic counters cannot be located, you may get the following error message, printed to both the event log and the console:
Platform Stats: _PSHandleDefaultCmd() Unable to set up default counters error =...
Although the system may have set the Disable Performance Counters variable under a period of extreme stress on the system, once it has been set, this variable continues to disable all performance counters relating to its .dll until it is manually set back to zero or deleted. To reset the default counters, search the registry for the phrase Disable Performance Counters. If it occurs under PerfOS, PerfDisk, PerfProc or PerfNet, manually set it back to zero or delete the entire variable.
where servername is the hierarchical name of the server you want to connect to, for example, Mail01/Cleveland/Acme.
2. If the requesting system didn't try to connect on a specific Notes network port that you want to use, check that the port is enabled.
3. If the port is enabled, make sure that the server is not down.
4. If the server is running, check whether you have a local Connection document for it, and if so, check that the port you want to use is selected in that document.
5. If you still cannot connect, it is probably because no address can be found for the server in the given protocol. Create or modify a local Connection document to include the server's protocol-specific network address. For more information on ports and Connection documents on Notes workstations, see Lotus Notes 6 Help. For more information on server ports and server name-to-address resolution, see the chapter "Setting Up the Domino Network."
6. If you still cannot connect, see the procedures that apply to the ports you have enabled:
- Troubleshooting TCP/IP for NRPC
- Troubleshooting IPX/SPX
For information on preparing to call Lotus Support Services for a network problem, see the topic "Contacting Lotus Support Services" earlier in this chapter.
If you can't solve your problem, record all of the following information (gathered as you performed the steps in the preceding topics) before contacting Lotus Support Services (www.lotus.com/support):
1. Exact quoted error messages
2. TCP stack name and version number (or operating system and version if the TCP/IP stack is included in the operating system)
3. IP configuration information
4. IP address and host name of Domino server
5. Server document
6. Host file
7. Tracert information (with number of hops)
8. Ping packet size
Note It is recommended that customers prepare a network diagram for escalation.
63-56 Administering the Domino System, Volume 2
Tools for troubleshooting TCP/IP

Connection logging
When connection logging is enabled on a server, the server console displays the name of the Notes network port for TCP/IP, the IP address of the requesting system, and the IP address of the destination server for each connection. To enable connection logging, add the following setting in the server's NOTES.INI file:
Log_Connections=1
TCP/IP error messages -- Server only
These sections describe common error messages on a Domino server offering NRPC services over TCP/IP.

Error on Listen function: The requested TCP/IP port is in use on this system.
This message could indicate one of the following problems:
- UNIX systems. You have failed to assign different IP addresses to each partition on a Domino partitioned server, or you have failed to follow the port mapping setup instructions properly, and you attempt to start the additional partition. You may need to stop the server currently running, so that the new server you are setting up can finish accessing the setup server for its copy of the Domino Directory. For more information about setting up IP addresses or port-mapping properly, see the chapter "Setting Up the Domino Network."
Note Failing to configure partitions properly on Windows systems does not generate an error on startup, but will generate operational problems.
- Windows 2000 and XP systems. It is possible for an application or system service to be assigned an ephemeral port number as its local port number that conflicts with the Domino listening port. Restart the system so that the process using TCP port number 1352 can release it.

When a system running TCP/IP makes each outbound connection, the TCP software automatically selects a local port number and assigns it to the connection. This is required in the TCP architecture so that the server can return packets to the client. This same port number cannot be used by any other outbound or listening socket until it is freed.

Port numbers in the range 1 - 1024 are called reserved ports because they are reserved for well-known system services. The TCP software never uses reserved ports when it must select a client-side port number at random. Rather, it selects at random a number from a range above 1024 called the ephemeral port range. The Internet authority uses the low-end range above 1024 to assign port numbers to registered applications such as Lotus Notes/Domino's NRPC services, which use 1352.

Microsoft uses the ephemeral port range of 1024 - 5000. Therefore, when a server on a Windows system makes an outbound connection, the ephemeral port number chosen might be 1352. When this happens and Domino is started, the NRPC port fails to bind. Often, on startup, servers on Windows systems make outbound connections to the NetBIOS session service well-known port and keep these connections active until the system is restarted. This is the cause of the problem.

Note Most UNIX systems use an ephemeral port range that is at the top-end of the range of ports, such as 45000 - 65000, so that there is not likely to be a conflict between the ephemeral port number chosen and registered port numbers.

To determine if this is the cause of the problem, run Netstat -n -a. If what you see is similar to one of the following examples, the system is using port number 1352 and the Domino server cannot start. To solve this problem, restart the system.

Example 1: Netstat -n -a output of the Domino server active on the local system using port 1352 as a server
Proto State Local Address Foreign Address 0.0.0.0:0
Example 2: Netstat -n -a output of the local system accessing an external system using port 1352 ephemerally
Proto State Local Address Foreign Address 10.30.10.1:139
To prevent future ephemeral bind conflicts on Windows systems, use the following instructions to add a registry value that forces TCP to skip port 1352 when it selects an ephemeral port number: Run Regedt32 (not Regedit; Regedit does not support the data type required for the value) and enter the following:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Value Name: ReservedPorts
Data Type: REG_MULTI_SZ
Value: 1352-1352
Tip To protect additional ports, you can enter a range (such as 1025 - 1050) or multiple ranges separated by spaces.
Note In Windows 2000 and XP, Netstat might report an additional line showing the local and remote ports and addresses in the established state, or a second line showing the client-side port in the listening state. Thus when you run Netstat on Windows 2000 and XP systems and compare the results with those on NT systems, the output can look different. This is only a different method of reporting listening ports, not a network bug.

Insufficient TCP sockets are available. Consult your vendor's TCP/IP documentation to increase the maximum number of sockets.
You have reached a TCP/IP socket limitation. To see how many active TCP/IP sessions the server system has open, use Netstat with the -n switch (to disable reverse DNS lookups) and output the listing to a file. Import the listing to a spreadsheet and count the total number of connections. Then break the connections down by their state (Established, Time_Wait, Close_Wait, Fin_Waitn). You should be able to support more than 2,000 concurrent connections. If not, review your operating system and TCP/IP stack settings with the operating system and TCP/IP stack vendor.
If you have a large number of Close_Wait sessions, you may have network-level problems. If you have a buildup of Time_Wait sessions with HTTP services, review your TCP/IP stack's settings to see if the stack offers a setting to time out Time_Wait sessions sooner.
As a temporary solution or if you can't make any alterations to the system or TCP/IP stack, you can limit the number of NRPC sessions the server will support concurrently, but there will be a performance cost for doing so. To limit the number of concurrent NRPC sessions, do one of the following:
- Edit the portname_MaxSessions setting in the NOTES.INI file to limit the number of sessions that can run on this port.
- Edit the Server_MaxSessions setting in the NOTES.INI file to limit the total number of active sessions the server can have.

Listener task for port <portname> is suspending for 20 seconds due to listen errors.
See the message "Error on Listen function" earlier in this topic.
The remote TCP/IP host is not running the Domino server, or the server is busy. The server is currently not running, or the server cant accept another TCP/IP connection or Domain session. Start the server, or verify that it is running. Check the server to determine if its workload is unacceptably heavy. The TCP/IP protocol stack reported that it ran out of memory. Consult your network documentation to increase configured memory, or reduce Notes connections by limiting clients (see SERVER_MAXSESSIONS parameter in Notes Admin Guide). This error can occur when your server systems resources are not correctly sized for the number of inbound and outbound connections or when events push the server into resource starvation. If system memory appears to be low, increase it. If you are using Windows NT, you may be encountering a page file limit. Both Domino and the TCP/IP stack use shared memory. If the page file is not large enough or the number of pages exceeds what the operating system can provide, this error appears. Upgrade the operating system to Windows 2000 with Service Pack 2. If inbound client and server connections or the servers own outbound connections seem to be experiencing network stability problems, verify the health of the network by using Netstat with the -n switch (to disable reverse DNS lookups) and output the listing to a file. Import the listing to a spreadsheet and count the total number of connections. Then break the connections down by their state (Established, Time_Wait, Close_Wait, Fin_Waitn). You should be able to support more than 2,000 concurrent connections. If not, review your operating system and TCP/IP stack settings with the operating system and TCP/IP stack vendor. If you have a large number of Close_Wait sessions, you may have network-level problems. If you have a buildup of Time_Wait sessions with HTTP services, review your TCP/IP stacks settings to see if the stack offers a setting to time out Time_Wait sessions sooner.
As a temporary solution or if you can't make any alterations to the system or TCP/IP stack, you can limit the number of NRPC sessions the server will support concurrently, but there will be a performance cost for doing so. To limit the number of concurrent NRPC sessions, do one of the following:
- Edit the Port_MaxSessions setting in the NOTES.INI file to limit the number of sessions that can run on this port.
- Edit the Server_MaxSessions setting in the NOTES.INI file to limit the total number of active sessions the server can have.
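The connection count by state described above can be scripted instead of done in a spreadsheet. The following is an added example, not part of the Domino documentation: it reads a saved `netstat -n` listing, totals the TCP connections, and breaks them down by state and by local port. The sample listing is constructed, and the 20 percent Close_Wait share and the HTTP port 80 used for the warnings are assumptions to adjust for your site.

```python
import re
from collections import Counter

# Constructed sample of a saved `netstat -n` listing (addresses are made up).
# The last line uses the Linux column layout to show that both layouts parse.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:1352           0.0.0.0:0              LISTENING
  TCP    10.1.1.5:1352          10.1.2.11:50112        ESTABLISHED
  TCP    10.1.1.5:1352          10.1.2.12:50140        ESTABLISHED
  TCP    10.1.1.5:1352          10.1.2.13:50177        CLOSE_WAIT
  TCP    10.1.1.5:1352          10.1.2.14:50201        CLOSE_WAIT
  TCP    10.1.1.5:80            10.1.3.21:61001        TIME_WAIT
  TCP    10.1.1.5:80            10.1.3.22:61002        TIME_WAIT
  TCP    10.1.1.5:80            10.1.3.23:61003        TIME_WAIT
  TCP    10.1.1.5:3187          10.1.9.9:1352          FIN_WAIT_2
  UDP    0.0.0.0:137            *:*
tcp        0      0 10.1.1.5:1352      10.1.2.15:50300     ESTABLISHED
"""

# An address column ends in ":port" (or ".port" on some UNIX stacks).
ADDR = re.compile(r"^\[?[0-9A-Fa-f:.]+\]?[:.](\d+)$")
LISTENERS = {"LISTEN", "LISTENING"}  # listening sockets are not connections


def connections(text):
    """Yield (local_port, state) for every TCP connection in the listing."""
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or not tokens[0].lower().startswith("tcp"):
            continue  # headers, blank lines, UDP
        addrs = [m for m in (ADDR.match(t) for t in tokens[1:-1]) if m]
        state = tokens[-1].upper()
        if len(addrs) < 2 or state in LISTENERS:
            continue
        yield int(addrs[0].group(1)), state


def summarize(text):
    """Return (total, Counter by state, Counter by (local port, state))."""
    by_state, by_port = Counter(), Counter()
    for port, state in connections(text):
        by_state[state] += 1
        by_port[(port, state)] += 1
    return sum(by_state.values()), by_state, by_port


def findings(text, close_wait_share=0.2, http_port=80):
    """Flag the two patterns the text names. Both thresholds are assumptions."""
    total, by_state, by_port = summarize(text)
    notes = []
    if total and by_state["CLOSE_WAIT"] / total >= close_wait_share:
        notes.append("CLOSE_WAIT is %d of %d connections: check for "
                     "network-level problems" % (by_state["CLOSE_WAIT"], total))
    time_wait = by_port[(http_port, "TIME_WAIT")]
    if time_wait > by_port[(http_port, "ESTABLISHED")]:
        notes.append("TIME_WAIT buildup on HTTP port %d (%d sockets): review "
                     "the stack's TIME_WAIT timeout" % (http_port, time_wait))
    return notes


if __name__ == "__main__":
    total, by_state, by_port = summarize(SAMPLE)
    print("total TCP connections:", total)
    for state, count in by_state.most_common():
        print("  %-12s %d" % (state, count))
    for note in findings(SAMPLE):
        print("!", note)
```

To use it on a real server, replace `SAMPLE` with the contents of the file written by `netstat -n`.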
Unable to locate the Domain server's TCP/IP host.
The TCP/IP domain name server may be down. Use the ping command to verify that DNS is running.

Unexpected TCP error. See the Notes log file on this system for error code.
Look in the log file to see the reported error code or codes. KnowledgeBase lists many of the error codes. If you find an error code that isn't in KnowledgeBase, report it to Lotus Support Services.

TCP/IP error messages - Client or server
These sections describe common error messages on a Notes client or Domino server using NRPC services over TCP/IP.

Network operation did not complete in the specified amount of time.
The connection pathway between the client or server system and the target server was unable to sustain the session. This happens when a system is accessing a remote server over a slow or very congested WAN. Possible solutions to this problem are:
- Instead of users accessing server-based mail or application files on the remote server, have them replicate the database files to their local systems.
- Review your server-to-server replication and mail routing architecture across the WAN. It is best to use a hub-and-spoke design, and use Connection documents in Domino to connect the servers, mirroring the hub-and-spoke architecture. Use Notes name networks (NNNs) only at each isolated local site and then use Connection documents to interconnect the sites from the hub location.
If this error occurs over a LAN, you may be experiencing frame and/or packet sizing problems because you have a mixed-topology network or because your network routers' routing tables are converging. In these cases, the network pathway to or from the target Domino server cannot forward the TCP/IP packet stream. If you are using a remote VPN connection across the Internet, with some VPN client software you can encounter packet sizing issues on the Notes client or Domino server and/or with the firewall system's VPN services.

The connection has timed out.
The establishment of the connection took longer than the expected default of 5 seconds. This can happen when the connection is over a dial-on-demand ISDN modem connection, remote bridge, or router. From the Port Setup dialog box, increase the TCP/IP connection-time-out interval. On a normal LAN, it is best to enter a value of no greater than 10 seconds, as the client or server won't retry the connection until the timer has expired.
To access the Port Setup dialog on a Notes client, use File - Preferences - User Preferences and click Ports. To access this dialog box for a Domino server, use the Domino Administrator's Configuration tab and select Server - Setup Ports from the Tools pane. Once in the Port Setup dialog box, select the TCP/IP port and click the port name Options button.

The server is not responding.
Possible explanation. Variations of this error can occur when name-to-address resolution has completed on the local system, but the server would not respond to that address. The causes of this error include:
- The Notes Name Service cache in the current Location document contains a numeric IP address that it originally obtained from the Server document (Net Address field) of the target Domino server, and the Server document has since been updated with a new IP address. Using only host names in the Net Address field makes this error less likely to occur, as host names usually don't change.
- The contents of the Net Address field returned by the Notes Name Service is not the active address, either because of a typographical error, or because there is more than one enabled Notes network port for TCP/IP and the port listed first in the Server document is offering a different FQDN than the second. In this case, if you are trying to connect through the port listed second, the connection fails.
- The address returned by DNS or hosts files is not the correct address or is not correct for this location.
To resolve problems associated with this error, follow all the steps in the topic "How to troubleshoot TCP/IP problems in NRPC" later in this chapter. To resolve problems involving advanced TCP/IP configurations (more than one enabled port), see the chapter "Setting Up the Domino Network".
The Remote server is not a known TCP/IP host.
This message appears if the translation from server name to TCP/IP address fails. Follow these steps to troubleshoot the problem:
1. Verify that the server name is correct.
2. If you use a local hosts file for name resolution, enter the server's IP address and host name in the hosts file. If the server name does not match the TCP/IP host name, which is also known as the fully qualified domain name, enter the server name as an alias for the host name. For example, for the Domino server Red/Sales/Acme, enter:
130.103.40.1 red.acme.com red
Note Insert a tab between com and red.
For TCP/IP for the Macintosh, the host name and alias definitions should look like this:
red.acme.com A 130.103.40.1 red CN red.acme.com
Note Verify that the ordering of the name lookup services is Host first and DNS second; otherwise, the hosts file entries may not be used when you expect them to be (excluding the NetBIOS Name Service).
3. If you use the Network Information Service (NIS) for name resolution, ask the UNIX system administrator responsible for the NIS domain to register the server's IP address and host name. If the server name does not match the TCP/IP host name, request that the server name be registered as an alias for the host name.
4. If you're using DNS for name resolution, ask the administrator responsible for the DNS domain to register the server's IP address and host name. If the server name does not match the TCP/IP host name, request that the server name be registered as an alias (CNAME) for the host name and place the host name in the TCP/IP port's Net Address field in the Server document. For example, for a Domino server named Sales/Boston/Acme with a host name of app01 for the A record, the CNAME record would be sales. The Net Address field contains either the simple host name, app01, or the FQDN, app01.acme.com. In the case of port mapping, each port-mapped server's common name is added as a CNAME to the A record for the base port-mapping server.
For more information on DNS resolves, see the topic "Checking TCP/IP name resolution in NRPC" later in this chapter, as well as the chapter "Setting Up the Domino Network".
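Step 2 of the procedure above can be checked mechanically. The following is an added example, not part of the Domino documentation: it parses hosts-file text and reports whether a Domino server's common name is present as a host name or alias on the same address as its FQDN. The function names are hypothetical, the first sample is the entry shown above, and the second sample is constructed.

```python
import ipaddress
import re

# Entry from the text above: address, host name, alias.
PAGE_ENTRY = "130.103.40.1\tred.acme.com\tred\n"

# Constructed sample with typical mistakes (not from a real system).
BROKEN = """\
# constructed sample
130.103.40.1   red.acme.com
130.103.4O.7   blue.acme.com blue
130.103.40.9   green.acme.com green
130.103.40.10  green.acme.com
"""

# Letters, digits, dashes and dots only; must start and end alphanumeric.
NAME_OK = re.compile(r"^[a-z0-9]([a-z0-9.-]*[a-z0-9])?$")


def common_name(server_name):
    """'Red/Sales/Acme' or 'CN=Red/OU=Sales/O=Acme' -> 'red'."""
    first = server_name.split("/")[0].strip()
    if first.upper().startswith("CN="):
        first = first[3:]
    return first.lower()


def parse_hosts(text):
    """Return (entries, problems); entries are (ip, [names]) tuples."""
    entries, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # drop comments
        if not fields:
            continue
        try:
            ip = str(ipaddress.IPv4Address(fields[0]))
        except ValueError:
            problems.append("line %d: bad IP address %r" % (lineno, fields[0]))
            continue
        names = [n.lower() for n in fields[1:]]
        bad = [n for n in names if not NAME_OK.match(n)]
        if not names or bad:
            problems.append("line %d: missing or invalid host name %s"
                            % (lineno, bad))
            continue
        entries.append((ip, names))
    return entries, problems


def check_server(hosts_text, server_name, fqdn):
    """List what stops server_name from resolving like its FQDN."""
    cn, fqdn = common_name(server_name), fqdn.lower()
    entries, issues = parse_hosts(hosts_text)
    fqdn_ips = {ip for ip, names in entries if fqdn in names}
    cn_ips = {ip for ip, names in entries if cn in names}
    if not fqdn_ips:
        issues.append("no entry for host name %s" % fqdn)
    if not cn_ips:
        issues.append("server name %r is not a host name or alias in any entry"
                      % cn)
    elif fqdn_ips and cn_ips != fqdn_ips:
        issues.append("%r and %s resolve to different addresses" % (cn, fqdn))
    # A dict removes the duplicate when the FQDN is a single label.
    for label, ips in {fqdn: fqdn_ips, cn: cn_ips}.items():
        if len(ips) > 1:
            issues.append("%s has conflicting entries: %s" % (label, sorted(ips)))
    return issues


if __name__ == "__main__":
    for issue in check_server(BROKEN, "Red/Sales/Acme", "red.acme.com"):
        print(issue)
```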
How to troubleshoot TCP/IP problems in NRPC
To troubleshoot a network problem when using NRPC services over TCP/IP, do the following in the order shown:
1. Check connectivity.
2. Check name resolution.
3. Check network layout (large LAN or WAN issues).

Checking NRPC connectivity in TCP/IP
Notes connectivity relies on TCP/IP communication. The first step in troubleshooting TCP/IP is to verify basic TCP/IP configuration and connectivity. For Notes and Domino to work properly with TCP/IP, the protocol stack on each computer must already be configured properly. Ensure that the brand and version of the protocol stack is certified for use with this version of Lotus Notes/Domino. For more information, see the protocol service provider's documentation.
Use the PING executable to verify IP-level connectivity. The PING command is available in all Windows and UNIX environments.
1. From the server, ping the server itself by numeric IP address. For example, at a DOS prompt, type:
PING 131.103.50.159
and press ENTER. This step confirms the following:
- TCP/IP is installed and configured with a correct address.
- If any other computer has the same IP address. A computer's IP address must be unique on a network segment; that is, only one computer on a network segment can have a particular IP address.
If this fails, TCP/IP is not set up properly on the local machine. Contact the site's network administrators for technical assistance.
2. From the server, ping the destination computer (the Notes workstation) by numeric IP address. This indicates if the path to the remote host is clear and whether you can communicate with IP through network routers. If this fails, continue to Step 3.
Tip To obtain the IP address of a Notes workstation, from the workstation use the commands shown in the table in Step 6.
3. From the workstation, ping the workstation by its own numeric IP address. If this fails, continue to Step 4.
4. Ping the server from the server itself by its DNS fully qualified domain name (FQDN) to verify that it was added to the network correctly; then ping the server from the workstation by FQDN. For example, type:
PING iodine.lotus.com
5. Ping the server by DNS alias name from the server itself to verify it was added to the network correctly. Then ping the server from the workstation. Ideally the server host alias names all should be the same as the Domino server names. Sometimes the server's FQDN may differ from the Domino server's. That is when the alias name is used, being the same as the Domino server's name. For example, type:
PING Iodine
If you reach this point and the connection is failing between workstation and server, try creating a Connection document in the Personal Address Book of the workstation. This document contains the numeric IP address of the destination server. It is best to resolve IP addresses by DNS or hosts files and not by Connection documents.
Note WINSOCK.DLL is the Windows Sockets interface provided with TCP/IP network software for Microsoft Windows. If you're using an incorrect (or incorrectly placed) version of WINSOCK.DLL, Notes may exhibit problems related to WINSOCK.
6. If pinging by numeric address succeeds, but pinging by the alias name fails, the problem's source is in name resolution and not in physical network connectivity. The following table lists the commands you use (depending on the operating environment the server or workstation uses) to gather the following information about the system's IP configuration:
- IP address
- Host name
- If present, the default gateway
If new information appears when the computer is restarted, record the information and call Lotus Support Services. After you've gathered this information, perform the procedure "TCP/IP name resolution in NRPC".
Operating system | Command/location to use | Explanation
Macintosh | Control Panel, TCP/IP, Load Ping, TCPIP Config window | Not applicable
UNIX/Linux | ipconfig <interface name> or ifconfig <interface name> | Different switches or commands may be required for each UNIX platform; consult a UNIX expert if necessary.
Windows NT/2000/XP | ipconfig (or see the Network settings in Control Panel) | Issue this command at a prompt, or see the Network settings in Control Panel.
Windows 95/98 | winipcfg (or see the Network settings in Control Panel) | Issue this command at a prompt, or see the Network settings in Control Panel.
Checking TCP/IP name resolution in NRPC
If checking connectivity using an IP address appears to work, you need to check name-to-IP-address resolution. Name-to-IP address resolution within an organization's private network space usually takes one of two forms: locally stored hosts files or the Domain Name System (DNS). WINS Name Resolution or LMHOSTS resolution are not supported by Lotus Notes/Domino.
1. Check for illegal characters in the hosts file.
- Make sure there are no illegal characters (such as a space or a letter) in the numeric IP address; only numbers should appear. Each section of a dotted decimal numeric IP address should be no longer than three numbers, and there should be four sections to an address (for example, 19.99.21.217).
- Make sure there are no illegal characters in the Names fields; only alphabetic characters, numbers and dashes (-) should appear. Spaces are not allowed. Underscores (_) are mapped as spaces within Notes, and should be avoided. Some IP stacks will not accept underscore characters.
- Make sure there is only one correctly named hosts file being used. Rename any other hosts files on the computer (except the current one).
- Note any recent changes made to the hosts file.
- Confirm that the information in the hosts file is correct. The target machines that a computer may contact must be defined in the local hosts file.
Operating System Location Macintosh UNIX/Linux Windows 2000 Windows XP Windows NT Macintosh System Folder /etc/ system32 directory windows\system32\drivers \etc\ wnnt40\system32\drivers \etc\ Explanation Not applicable Not applicable Root directory might vary The OS directory might be renamed The OS directory might be renamed The OS directory might be renamed
2. Look at the Server document and determine if the first part of the server's fully qualified domain name (FQDN) in the TCP/IP port's Net Address field is the same as the server's common name. For example:
FQDN = mailhub1.lotus.com
Server common name = Mailhub1
If this is not the case, a name resolution alias is required in the hosts file or DNS table.
Note If the first part of the FQDN is the same as the server common name, the problem may be within DNS. For more information, see the vendor's documentation for the DNS server.
3. If the Server document has changed recently, restart the server in order for the changes to take effect.
After you finish checking name resolution, see the topic "Checking a TCP/IP network pathway" later in this section.

Checking a TCP/IP network pathway
If checking name resolution did not solve the problem, check each network pathway. Be sure to record the information you gather.

Using the Trace Route utility
Use the TRACERT command to determine what network pathway lies between the source and destination systems. This command determines the route from one host to another through the network, and displays an ordered list of the routers in the path with the IP addresses of the near-side interface of the routers.
Note A dedicated Trace Route utility may not be available on all platforms, and your firewalls are most likely blocking the ICMP sub-protocol of IP. Consult the site administrator to see if there is an equivalent for your platform. To use TRACERT, type the following at the prompt:
TRACERT servername -d
Where -d tells the command not to resolve addresses to host names. For example, the results of the TRACERT command might look like this:
C:\>tracert paran -d Tracing route to santa.north.com [118.111.90.204] 1 10 ms 10 ms [118.111.200.211] 2 <10 ms [118.111.29.2] 10 ms 10 ms <10 ms 10 ms elves.north.com rdeer.north.com santa.north.com
In this example, there are two IP routers between the workstation and the server (three, minus the first one which reported itself, leaving two).

Checking the Maximum Transmission Unit (MTU)
Each end-node system and router port on the network has the ability to control the size of the TCP/IP packet. Each NIC (port) can have its MTU set to a different value, and each topology has a different default value. The network administrator can increase or decrease this setting to meet the requirements of the network. MTU traffic issues are handled at the TCP/IP level and not within Notes workstations or Domino servers.
If any of the following situations exist, suspect an MTU problem, and contact your network administrator:
- There is a mixture of Ethernet and Token-Ring or FDDI network topologies on the LAN/WAN.
- There are routers between the source and destination of traffic that could be set up with an incorrect MTU size.
- You are using VPN services across the Internet.
- ATM is being used with emulation [LANE].
TCP/IP frame types
Most UNIX, AS/400, or S/390 systems offer both frame types for 802.3 (Ethernet) to Ethernet V2 (DIX) and SNAP by default. You can remove
63-68 Administering the Domino System, Volume 2
the SNAP frame support if you have a routed network with Token-Ring or FDDI topologies where the router will translate the frame types (free up non-needed resources).
With Windows-based TCP/IP protocol services, the default frame type for 802.3 (Ethernet) network topology is v2 DIX and for Token-Ring and FDDI it is SNAP over LLC.
With Novell ODI-based TCP/IP protocol services, all systems using the TCP/IP protocol on 802.3 Ethernet should be using the same frame type.
The table below lists the frame types compatible across the different LAN topologies.
LAN topology and frame services Ethernet v2 (DIX) Novell frame types Ethernet_II Novell compatible frame types * Not applicable Not applicable Token-Ring_SNAP and FDDI_SNAP Not applicable Comments Recommended for TCP/IP Not applicable Not applicable
Not applicable
Not applicable
* If the bridge or router offers frame translation, other combinations may be possible.
Note If using a NetWare server as a TCP/IP router, make sure that the NetWare and Domino server systems are using the same common frame type for TCP/IP and that only one frame type is being used to support the TCP/IP protocol in a flat or bridged network.
For common error messages in IPX/SPX, see the topic "IPX/SPX error messages" later in this chapter.

Frame types in the IPX/SPX network
All Domino server and Notes client systems using the IPX protocol need to use the same IPX frame type across all network segments and topologies.
Note Make sure that the NetWare and Domino server systems are manually locked to the same frame type and that only one frame type is used to support the IPX protocol in the network. Otherwise, you may have connectivity problems or IPX wrapper errors because of the different IPX packet sizes the frame types impose.
Note On Notes client systems running Windows, it is best to use the Control Panel to select a specific frame type for the IPX/SPX network rather than to detect which type is being used with Auto Detect (the default).
The following table lists the possible frame types across different LAN topologies:
LAN topology and frame services Ethernet V2 (DIX) Novell frame types Ethernet_II Novell compatible frame types* Not applicable Comments Recommended for TCP/IP(Used in very old IPX networks, not recommended)
IEEE 802.3 (Ethernet) RAW LLC Ethernet_802.3 Ethernet_802.2 Not applicable Token-Ring and FDDI Not applicable Recommended for the IPX protocol suite (Recommended by Novell)
Ethernet_SNAP
Token-Ring
Ethernet_802.2 and Recommended for the IPX protocol FDDI suite (Recommended by Novell) For TCP/IP use only
SNAP
* If the bridge or router offers frame translation, other combinations may be possible, but are not recommended.

Source-routing bridges in Token-Ring networks
In addition to the frame type problem, a Token-Ring network has the problem that Domino servers on another Token-Ring network connected by a source-routing bridge can't be seen. You may need to apply source-routing services to the IPX/SPX protocol to pass across a source-routing bridge network.
Note You must assign the Token-Ring bridge a unique number. If the bridge connecting two token rings does not have a unique number, the IPX/SPX connection fails. The NetWare servers, Domino servers, and other switches or bridges on the given Token-Ring network all share a common IPX network number within the bridged domain.
1. Make sure that the IPX/SPX network frame types are correctly configured.
2. Make sure that you have the latest versions of the IPX/SPX protocol services installed on all of the Notes clients, Domino servers, and NetWare servers.
3. Make sure that the Domino server located on the Token-Ring network that is using source routing can access a local NetWare server that has source routing enabled, so that either the Bindery or NDS name resolver service can be established. You must implement Novell's source-routing NetWare Loadable Module (NLM) in an IPX/SPX network.
4. Check that the switch or bridge configuration can support the frame sizes that the IPX/SPX protocol is using. Many units limit the buffers to 4096 or 4500 octets (bytes). The IPX/SPX protocol stack settings on Notes clients or Domino servers may also need to be altered so that they don't exceed the switch's or bridge's frame size limit.

IPX name resolution services (Bindery and NDS)
Domino servers can use either Bindery, NDS, or both for IPX system name-to-IPX net/node address resolution (IPX's NCP protocol services). Bindery services are dynamic in nature. As such, any loss of communication between the Domino server and the NetWare server or other NetWare server can cause loss of access. NDS objects once initialized are static in nature, so as long as the system can access the NDS tree, it can locate the Domino server.
Note An IPX node address is often the same as the MAC address of the network adapter card. When crossing bridges between Token-Ring and Ethernet or between Token-Ring and FDDI there may be issues where the MAC address and the IPX node numbers are not consistent with the NDS tree objects of the Domino servers. When Notes clients or Domino servers are accessing a Domino server on the other side of the bridge via NDS, they must have consistent MAC and node addresses from their network segment ({Least/Most Significant Bit order} LSB/LSB or MSB/MSB, not MSB/LSB or LSB/MSB).
The following table offers some basic guidelines in using Bindery and NDS services:
Novell server network NetWare 3.12 (Bindery only) NetWare 3.12 (Bindery only) Bindery NDS Best protocol usage X Local IPX LANs. IPX WAN links not reliable with Bindery services (not recommended). Local IPX LANs, use TCP/IP for WAN link access. WAN routers don't forward IPX over WAN links or filter all IPX SAP services over the WAN links. Local IPX LANs. IPX WAN links not reliable with Bindery services (not recommended). Local IPX LANs, use TCP/IP for WAN link access. WAN Routers don't forward IPX over WAN links or filter all IPX SAP services over the WAN links. X X IPX for both LANs and WAN links.**
NetWare 4.1,4.11 or 5.0 X (Bindery emulation) * NetWare 4.1, 4.11 or 5.0 X (Bindery emulation) *
NetWare 4.1, 4.11 or 5.0 (NDS only) NetWare 4.1, 4.11 or 5.0 X (Bindery and NDS)*
*Domino servers can support only one Bindery context entry that the Notes client and/or Domino server systems can access. ** Recommend filtering Bindery service advertising protocol (SAP) services over WAN links if there are any Bindery-only devices present on the network.
IPX/SPX error messages
This section describes common error messages for the IPX/SPX protocol.

Error getting connection ID.
This message may appear when you start the Domino server after installing the SPX port driver. This error occurs when a Novell file server, to which you need to register the Domino server's name, is unavailable or the Domino server can't reach it over the frame type it is using. If an attempt to log into a Novell server from the Domino server fails or an SLIST shows no Novell servers are available, the network administrator must analyze the network to find out why the Domino server can't access a Novell file server so that either the Bindery or NDS name resolve service can be invoked.
NetWare IPX/SPX could not be initialized: Packet size is too large.
This message appears when you have a mix of frame types in use for the IPX/SPX protocol. Review the frame type the NetWare server and Domino server are using to make sure that only one common IPX/SPX frame type is enabled across all of the server systems and network routers.

NetWare service advertising (SAP) failed to start. Internal error in Notes NetWare port driver.
Depending on which IPX/SPX stack you are using, you might need to start the SAP service so the Domino server can register its name with either the Bindery or NDS name resolve service.

Unable to get default NetWare file server connection.
The server or workstation is unable to read the Domino server network address from NetWare bindery. The default NetWare file server isn't responding to requests. Check that a NetWare file server is available on the network and that all required NetWare client software is installed and running.

Unexpected NetWare error. See the log file on this system for error code.
Contact Lotus Support Services.

Unexpected NetWare IPX or SPX error. See log file for error code.
Contact Lotus Support Services.
3. Make sure that the user has the necessary privilege to use a network dialup connection to dial into the server. If necessary, modify the user's privileges. Also, make sure that the user is using the correct user ID password.
4. Trace the connection to the server. Check the resulting information for indications that the Connection document isn't properly configured. For example, common mistakes in the Connection document include not listing the current location or failing to enable the specified port(s).
Note Information from a trace is recorded in the Miscellaneous Events view of the log. In the Trace Connections Log Options field, you can set the level of detail to record. For maximum information, choose Full Trace Information.
5. Use the dialing method provided by the network dialup client to make the network dialup connection. If the connection fails, check for the correct configuration and check the modem for problems.
6. If the connection is successful, while the connection is still active, switch to the Notes workstation or Domino server and attempt to connect to the destination server. At this point, the workstation or server should be connected to the LAN. You can temporarily set the Usage priority field of the network dialup Connection document to Low to force the connection over the LAN before using the Connection document.
7. If the previous step succeeds, drop the connection, switch to the Notes workstation, and choose File - Mobile - Call Server to call the remote access server. If you previously set the Usage priority field of the network dialup Connection document to Low, reset the priority to Normal.
8. Make sure you're using the correct Connection document. Then, make sure the information in the Connection document is correct.

After a successful modem connection, cannot establish session with server
- The server is down.
- The port is not configured on the Domino server.
- The modem file on the server does not contain the correct connect string.
- RAS is currently using the port that the Notes Direct Dialup connection is attempting to call on the destination server.
Modem does not respond
- The modem is not turned on or is not connected.
- The modem software is not configured properly.

COM device is in use
- You try to access a server using Notes Direct Dialup and your server has RAS running and only one COM port.

You cannot create a RAS connection
- RAS is not configured and/or started on the destination server.
- Dial Up Networking is not configured properly on the client.
- The modem software is not configured properly.
Error messages
This section lists common error messages displayed on the server console or at the Notes client, and provides information on what caused the error and how to recover from it.

Modem command files contains illegal character
You selected the wrong modem. Select the correct modem file from the COM options - Modem type drop down box.

The selected modem command file only allows speeds as high as XXX
The configured modem speed exceeds the supported speed. Check the maximum modem speed for your modem and configure it in the COM options - Maximum Port Speed.

Excessive Port or CRC errors on the last connection. Try enabling hardware flow control on the port or reducing the maximum speed settings
The configured modem speed exceeds the supported speed. Enable flow control on the Notes client and Domino Server. Reduce modem speed on the machine with Port and/or CRC errors.

Communications port unit number is not within valid range.
You have too many ports configured. Set the valid number of ports on your system. Notes and Domino accept up to 64 ports.
No dialtone
The modem is not receiving a dial tone. Check the phone line. Make sure that the line is active and plugged into the modem properly. If you are in Europe, make sure that you have disabled "wait for dial tone before dialing" in the COM options box.
If successful, the ping utility returns a message in a format similar to the following:
64 bytes from 130.000.00.00: icmp_seq=4, time=0, ms
To test a connection to a server, use the Trace command, which provides detailed information about each step in a server connection. Using the results of a trace command, you can troubleshoot network connection problems. When you attempt to connect to a server, network trace information automatically appears on the status bar of a Notes workstation or on the server console, depending on where you initiated the connection attempt. You can use the NOTES.INI Console_LogLevel setting to control the level of detail that messages on the status bar contain.
For more information about the Trace command, see the appendix "Server Commands".
You can also search for solutions to common problems on the Lotus Support Services Web site at www.lotus.com/support.

Server exiting: partition number xx is already in use
This message appears when you try to start more than one server in a partition. To correct this, stop all processes associated with the partition. If that fails, restart the system.

Server not responding connecting to a partitioned server
This message may appear if a partitioned server uses TCP/IP port mapping.
1. If the destination server is sharing a network interface card with a port-mapping server, check that the port-mapping server is running. Domino can't establish a connection to a server sharing the port-mapping server's IP address unless the port-mapping server can redirect the traffic to the port the destination server is listening on.
2. Make sure that the port-mapping information in the NOTES.INI file is in the correct order. In the port-mapping server's NOTES.INI file, there are entries that reference the other partitioned servers on the computer. If the lines containing the port-mapping information are out-of-order, Domino displays the message "Server not responding" or "Server's name changed". Edit the port-mapping server's NOTES.INI file, and make sure that the partitioned servers are listed in numerical order, as in this example:
TCPIP_PortMapping00=
TCPIP_PortMapping01=
TCPIP_PortMapping02=
TCPIP_PortMapping03=
After modifying the NOTES.INI, stop and restart the server so that the changes take effect.
3. Make sure that the port number appended to the destination server's IP address matches the port number in the NOTES.INI file on the destination server. Also, verify that the server name and organization are correct. For example, this setting in the port-mapping server's NOTES.INI file assigns the destination server's IP address and port number:
TCPIP_PortMapping00=CN=Server1/O=Org1,198.114.89.123:13520
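Steps 2 and 3 above can be verified before restarting the server. The following is an added example, not part of the Domino documentation: it reads NOTES.INI text, checks that the TCPIP_PortMapping entries appear in numerical order, and compares each entry's server name, IP address and port with values you supply from each destination server's own configuration. The function names and the `EXPECTED` table are hypothetical, and the sample entries are constructed on the pattern of the setting shown above.

```python
import ipaddress
import re

ENTRY = re.compile(r"^TCPIP_PortMapping(\d{2})=(.*)$", re.IGNORECASE)

# Constructed samples. EXPECTED stands for what the administrator reads from
# each destination server: {server name: (IP address, port)}.
EXPECTED = {
    "CN=Server1/O=Org1": ("198.114.89.123", 13520),
    "CN=Server2/O=Org1": ("198.114.89.123", 13521),
    "CN=Server3/O=Org1": ("198.114.89.123", 13522),
}
GOOD_INI = """\
TCPIP_PortMapping00=CN=Server1/O=Org1,198.114.89.123:13520
TCPIP_PortMapping01=CN=Server2/O=Org1,198.114.89.123:13521
"""
BAD_INI = """\
TCPIP_PortMapping01=CN=Server2/O=Org1,198.114.89.123:13521
TCPIP_PortMapping00=CN=Server1/O=Org1,198.114.89.123:13250
TCPIP_PortMapping02=CN=Sever3/O=Org1,198.114.89.123:13522
"""


def parse_port_mappings(ini_text):
    """Return [(lineno, index, value)] for each entry, in file order."""
    found = []
    for lineno, line in enumerate(ini_text.splitlines(), 1):
        match = ENTRY.match(line.strip())
        if match:
            found.append((lineno, int(match.group(1)), match.group(2).strip()))
    return found


def parse_value(value):
    """'CN=Server1/O=Org1,198.114.89.123:13520' -> (name, ip, port)."""
    name, comma, addr = value.rpartition(",")
    host, colon, port = addr.rpartition(":")
    if not comma or not colon or not name.strip():
        raise ValueError("expected <server name>,<ip address>:<port>")
    ip = str(ipaddress.IPv4Address(host.strip()))  # ValueError if malformed
    port_no = int(port)  # ValueError on stray characters such as '135 20'
    if not 1 <= port_no <= 65535:
        raise ValueError("port %d out of range" % port_no)
    return name.strip(), ip, port_no


def check_port_mappings(ini_text, expected):
    """Return a list of problems; an empty list means the entries are consistent."""
    want = {name.lower(): target for name, target in expected.items()}
    issues, seen, highest = [], set(), -1
    for lineno, index, value in parse_port_mappings(ini_text):
        key = "TCPIP_PortMapping%02d" % index
        if index in seen:
            issues.append("line %d: %s appears more than once" % (lineno, key))
        elif index < highest:
            issues.append("line %d: %s is out of numerical order" % (lineno, key))
        seen.add(index)
        highest = max(highest, index)
        try:
            name, ip, port = parse_value(value)
        except ValueError as exc:
            issues.append("line %d: %s: %s" % (lineno, key, exc))
            continue
        target = want.get(name.lower())
        if target is None:
            issues.append("line %d: unknown server name %r" % (lineno, name))
        elif target != (ip, port):
            issues.append("line %d: %s maps to %s:%d, destination uses %s:%d"
                          % ((lineno, name, ip, port) + target))
    return issues


if __name__ == "__main__":
    for issue in check_port_mappings(BAD_INI, EXPECTED):
        print(issue)
```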
You can also use the Access this server field in the Server document to restrict who can use passthru to access a server. If this field is blank on the destination server, the server does not allow passthru access. Only the users, groups, and servers explicitly named in this field have passthru access. Note that this field does not restrict general access to the server, which is controlled by fields on the Security tab of the Server document.
3. Make sure that the Connection document is properly configured. Check the log for the message "Unable to find any path to ServerName", which indicates that there may not be enough information in the Domino Directory to determine how to reach the destination server or that the information in the Domino Directory is incorrect; for example, server names might be misspelled.
For more information on setting up and tracing connections, see the topic "Tracing a network connection" earlier in this chapter, as well as the chapter "Setting Up Server-to-Server Connections".
Replication Troubleshooting
These topics describe how to troubleshoot replication.
• "Tools for troubleshooting replication" describes tools you can use for troubleshooting replication problems.
• "Replication - Problems and error messages" describes problems and errors that users or Domino servers may experience during replication.
You can also search for solutions to common problems on the Lotus Support Services Web site at www.lotus.com/support.
Log file
To access the log, from the Domino Administrator, click the Server - Analysis tab and select the log file for the server you want to check. Then check for replication problems in these views:
• Miscellaneous events
• Phone calls
• Replication events
Tip You can also check replication events from the Replication tab in the Domino Administrator.
Edit the NOTES.INI file to include the Log_Replication setting, which allows you to display detailed replication information in the log.
Monitoring Configuration
The Monitoring Results database (STATREP.NSF) is a repository for pre-configured and custom statistics. It is created when you load the Collect task, if it doesn't already exist. You can set alarms for some of these statistics. For example, you might set an alarm to generate a Failure report when more than three attempted replications generate an error. You can also report statistics to any database designed for this purpose, although typically the database is the Monitoring Results database (STATREP.NSF).
Note that you can edit the NOTES.INI file to include the Repl_Error_Tolerance setting, which increases the number of identical replication errors between two databases that a server tolerates before it terminates replication. The default tolerance is 2 errors. The higher the value, the more often messages such as "Out of disk space" appear.
If you run the Event task on a server, you can set up an Event Monitor document to report replication problems. You can also create a Replication Monitor document that notifies you if a specific database fails to replicate within a certain time. To view events from the Domino Administrator, click the Server - Analysis tab, click Statistics - Events, and then view the desired report.
Replication history
The replication history for a database describes each successful replication of a database. To view the replication history of a database, select a database icon and choose File - Database - Properties (or File - Database - Replication - History).
Replication schedules
You can see a graphical representation of the replication schedules of the servers in your Domino system. To view replication schedules, from the Domino Administrator, click the Replication tab. For more information on viewing replication schedules, see the chapter "Creating Replicas and Scheduling Replication."
Replication topology maps
Create a replication topology map to display the replication topology and identify connections between servers. To view replication topology maps, from the Domino Administrator, click the Replication tab. You must load the Topology maps task before you can view a replication topology map. For more information on viewing replication topology maps, see the chapter "Creating Replicas and Scheduling Replication."
Replication isn't occurring between two servers
When two servers can't replicate any of the databases between them, these messages may appear in the log:
• Unable to replicate with server x: Server Not Responding
• Unable to replicate with server x: The Notes server is not a known TCP/IP Host
• Unable to replicate with server x: Your address book does not contain any cross certificates capable of authenticating the server
• Unable to replicate with server x: The server's address book does not contain any cross certificates capable of authenticating you
• Unable to replicate with server x: You are not authorized to use the server or remote server
Check for the following conditions and correct them, if necessary:
1. Create Connection documents that list Replication in the Tasks field. Unless you enable multiple replicators on the server, make sure that replication schedules don't overlap.
2. Verify that the servers have a certificate in common. To verify certificates, check the server ID files.
   a. From the Domino Administrator, click the People and Groups tab.
   b. From the tool bar, click Certification - ID file.
   c. Choose the appropriate server ID file and click Open.
   d. Click Certificates to display the certificates held by the server.
   e. Repeat Steps a through d for the second server.
   f. Recertify one or both server IDs, as necessary. If the servers don't have a certificate in common, you can also cross-certify them.
3. Make sure the server is available. Check the log for the message "Unable to replicate with server x : Server not responding," which indicates that one server can't connect to another server for replication or that server x is unavailable.
4. Check the Miscellaneous Events view of the log to see if a network error message occurred when the server attempted to connect to the other server.
5. Check the Phone Calls view of the log to see if two servers are unable to use dialup connections.
Scheduled replication isn't occurring between two servers
1. Check that the server names are spelled correctly in the Connection documents.
2. Make sure that multiple Connection documents don't have overlapping schedules for the same task in the same direction. If multiple Connection documents have overlapping schedules, correct the schedules or enable multiple replicators on the server.
3. If many users access a server or if a server performs many tasks, it takes longer for Domino to build a list of the databases that two servers have in common, a task that occurs just prior to replication. If building the list takes a long time, a scheduled replication may be delayed. Check server load statistics and, if necessary, replicate only specific databases, remove obsolete databases from the servers, and/or move some databases to another server. You can also reduce the number of users who access the server or reduce the number of tasks the server performs.
4. Make sure that the server has adequate disk space. If it doesn't, remove obsolete databases and/or move some databases to another server.
One database isn't replicating between two servers
When replication occurs correctly between two servers but one database doesn't replicate correctly, these symptoms might occur:
• The message "Unable to replicate xxx.nsf" appears in the log file.
• Users report that documents are different on each replica.
To correct this problem, try these tips.
1. Check if the database ACL is set up incorrectly. The message "Access control is set to not allow replication" in the log file indicates that the servers do not have the correct access to perform replication. Give the servers enough access in the database ACL to replicate changes. A server must have:
   • Editor access to replicate changes to documents
   • Designer access to replicate changes to views and forms
   • Manager access to replicate ACL changes
   If replication occurs through a passthru server, the passthru server must also have the necessary access to pass along changes.
2. Check the log file for an "Unable to copy document" or similar message. This message indicates a corrupted database. To correct the problem, do one of the following:
   • Run the Fixup task. Use this task if the database is in Domino 5 or higher format and if you're not using transaction logging, or if the database is in Domino 4 format.
   • Run the Fixup task with the -J option. Use this task if the database is in Domino 5 or higher format and you are using transaction logging. If you use a backup utility certified for Domino 5 and you run Fixup -J, perform a full backup of the database as soon as Fixup finishes.
3. Check the log file for a "Replication is disabled" message, which indicates that the database is not enabled for replication. To enable replication of the source database, choose File - Replication - Settings - Other and deselect "Temporarily disable replication."
4. Check if the "Enforce a consistent Access Control List" option has been set on a replica. Sometimes replication cannot occur because this option has been set, but the server storing the replica lacks the appropriate access to replicate the ACL. If this is the case, give the server Manager access in the database ACL.
5. Make sure there have been recent changes to the database. Replication occurs only when there are changes to replicate.
For more information on the log file, see the chapter "Using Log Files."
There is no destination server in an access list
Access lists allow only a subset of people and servers in the ACL to access documents. If such access lists exist, add the destination server to them in the source server replica. If the access list uses a role to define access, add the destination server to the role on the source server replica. For more information on server access, see the chapter "Creating Replicas and Scheduling Replication."
An intermediate server has insufficient access
If replication between a source and destination server occurs through an intermediate server, make sure the source and destination server replica ACLs give the intermediate server high enough access to replicate all changes. For more information on server access, see the chapter "Creating Replicas and Scheduling Replication."
Replication settings are filtering documents
Some replication settings act as filters that screen out documents and features. Check the replication settings. For more information on replication settings, see the chapter "Creating Replicas and Scheduling Replication."
The server is out of disk space
Check to see if the database is a Domino 4 database and has exceeded the maximum database size. Ask your Domino administrator to resolve disk space problems and, if necessary, consider moving a replica to another server or deleting databases on the server.
Older documents weren't replicated to a new replica
When the replica was created, the date specified for the replication setting option "Only replicate incoming documents saved or modified after" is later than it should have been. This option is on the Other panel of the File - Replication - Settings dialog box in the Notes client. Create a new replica with an earlier date specified.
Unused space
One replica has been compacted while another has not been compacted.
The database stops replicating and the option Enforce a consistent ACL is selected
If a user changes a local or remote server database replica's ACL when the "Enforce a consistent access control list across all replicas of this database" option is selected, the database stops replicating. This option is found on the Advanced panel of the Access Control List dialog box. The message in the log file is:
Replication cannot proceed because cannot maintain uniform access control list on replicas
The new replica contains the ACL of the source server but you did not copy the ACL
A replica stub is an empty replica that has not yet been populated with documents. When you select File - Replication - New Replica, Notes creates a replica stub and populates it with documents, either immediately or at the next scheduled replication, depending on the option you select. For more information on server access, see the chapter "Creating Replicas and Scheduling Replication."
Somebody modified the access control list on the source server before initial replication occurred
If you create a replica stub and somebody modifies the ACL on the source server before initial replication occurs, the ACL on the source server becomes the most recent one and replicates to the replica stub. Simply opening the Access Control List dialog box on the source server replica and then closing it can cause this problem.
The server times are not synchronized
If you create a complete replica immediately (rather than creating a replica stub) and the time on the source server is later than the time on the destination server, the new replica contains the ACL from the source server.
A replication setting is preventing deletions from replicating
Check these replication settings in File - Replication - Settings in the Notes client:
• On the Send panel, the option "Do not send deletions made in this replica to other replicas." A source server doesn't send deletions to another replica if this setting is selected.
• On the Advanced panel, the Deletions option under "Replicate incoming." A replica doesn't receive deletions if this setting is not selected.
Unexpected deletions may also occur for any of the following reasons:
There is a new replication formula in place
A new replication formula overrides previous formulas and removes documents that don't match the formula.
A replication setting is automatically removing older, unmodified documents
The replication setting "Remove documents not modified in the last [ ] days" removes older, unmodified documents. If the specified number of days is low, consider increasing the value. This option is on the Space Saver panel of the File - Replication - Settings dialog box in the Notes client.
reappear after the next replication. This option is on the Space Saver panel of the File - Replication - Settings dialog box in the Notes client.
A document edit writes over a document deletion
When the same document is modified on different servers between replication sessions, the document that was modified most frequently takes precedence, or if both documents are modified only once, the one modified most recently takes precedence. If a document is edited multiple times on one server and deleted on another server between replication sessions, the edited document takes precedence because it underwent the greatest number of changes, even if the deletion was the most recent change. If somebody deletes a document on one server and then someone else updates the document on another server once between replication sessions, the edit overrides the deletion because both documents were updated once and the edit occurred after the deletion.
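The precedence rule just described (most changes wins, ties go to the most recent change) can be applied to a list of edits and deletions to predict which deletions will be undone at the next replication. This is an added example, not part of the Domino documentation; the event format, the server names and the sample events are constructed, and the model covers only the rule stated above.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample: changes made on two replicas between replication sessions.
# Each event is (timestamp, server, document id, action).
SAMPLE_EVENTS = [
    # Document A: edited three times on one server, deleted later on the other.
    ("2002-10-01T09:00", "Hub1/Org1", "A", "edit"),
    ("2002-10-01T09:10", "Hub1/Org1", "A", "edit"),
    ("2002-10-01T09:20", "Hub1/Org1", "A", "edit"),
    ("2002-10-01T10:00", "Mail1/Org1", "A", "delete"),
    # Document B: deleted first, then edited once on the other server.
    ("2002-10-01T09:00", "Mail1/Org1", "B", "delete"),
    ("2002-10-01T09:30", "Hub1/Org1", "B", "edit"),
    # Document C: edited once, then deleted later on the other server.
    ("2002-10-01T09:00", "Hub1/Org1", "C", "edit"),
    ("2002-10-01T09:30", "Mail1/Org1", "C", "delete"),
]


def group_events(events):
    """Group events as {doc_id: {server: [(time, action), ...]}}."""
    grouped = defaultdict(lambda: defaultdict(list))
    for stamp, server, doc_id, action in events:
        if action not in ("edit", "delete"):
            raise ValueError(f"unknown action: {action!r}")
        grouped[doc_id][server].append((datetime.fromisoformat(stamp), action))
    return grouped


def resolve_document(changes_by_server):
    """Pick the replica whose version takes precedence for one document.

    A deletion counts as one change, as in the page's second scenario.
    """
    versions = []
    for server, changes in changes_by_server.items():
        last_time, last_action = max(changes)  # most recent change on this replica
        versions.append((len(changes), last_time, server, last_action))
    # Tuples compare by change count first, then by time of the last change.
    _, _, server, action = max(versions)
    lost_delete = action == "edit" and any(v[3] == "delete" for v in versions)
    return {
        "winner": server,
        "outcome": "deleted" if action == "delete" else "kept",
        "deletion_overridden": lost_delete,
    }


def overridden_deletions(events):
    """Return the ids of documents whose deletion will be undone by an edit."""
    grouped = group_events(events)
    return sorted(
        doc_id
        for doc_id, by_server in grouped.items()
        if resolve_document(by_server)["deletion_overridden"]
    )


if __name__ == "__main__":
    for doc_id, by_server in sorted(group_events(SAMPLE_EVENTS).items()):
        print(doc_id, resolve_document(by_server))
```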
You can also search for solutions to common problems on the Lotus Support Services Web site at www.lotus.com/support.
The administrator can't enter commands at the server
If an administrator can't run the workstation program on the server, run stand-alone server programs, or use the Load, Tell, or Set Configuration commands, the console has been password-protected. Use the Set Secure command at the console or use the Domino Administrator to clear the password. For information on using the Set Secure command, see the appendix "Server Commands."
Users can't see a new server in the list of servers
If users can't see a new server when they try to add, create, copy, or replicate a database, make sure that the Domino Directory contains a Server document for the new server and that the information in the document is accurate and correctly spelled. If no Server document exists, create one and then make sure that the new Server document replicates to all servers in the domain. If a Server document exists and contains accurate information for the new server, check the log file on both the user's home server and the inaccessible server to see if there are network problems.
Server not responding
The message "Server not responding" may appear when you install a client or try to open any database on a particular server.
1. Check that the Domino server and the network are running.
2. Check if the server has been renamed or recertified. When a user tries to open a database on a server that has been recertified or renamed, the message "Server not responding" may appear. Users should use the new server name to open the database.
3. Check the Server document for an invalid or nonexistent host name as the Notes RPC proxy. From the Domino Administrator, click the Configuration tab and open the appropriate Server document. Click the Ports - Proxies tab. A Domino server that is configured to use TCP/IP can't transfer mail or initiate replication with another server in the local domain if the host name is invalid or nonexistent. In addition to "Server not responding," the messages "No Path Found to Server" and "Proxy Reports that the Connection Request Failed" may appear. A Domino server configured to use a Notes RPC proxy attempts to route all outbound connection requests through the listed proxy, whether or not the proxy exists. Because most Domino systems don't use an RPC proxy, this field should generally be left empty.
Note If full trace logging is enabled in the NOTES.INI file, the log file records detailed information about failed attempts to connect to a remote server. The PassThru_LogLevel setting is typically set to 0 to minimize unnecessary logging.
4. If you're using NetBIOS, make sure it's configured properly and that it's running on the workstation or server. The workstation and the server must use the same version of NetBIOS, and the server must be enabled for sufficient NetBIOS sessions.
Also, filters might prevent broadcast traffic from Notes from crossing a bridge or router. Bridges and routers are often configured to suppress broadcast traffic by default, and NetBIOS uses broadcasts to communicate on networks.
You are not authorized to access the server or similar problems
When users or servers get a "not authorized to access the server" message, try these tips to identify and then fix the problem.
1. Check the Domino Directory.
2. Check the server ID.
3. Check that the user has the proper certification to access the server.
4. Check for network or hardware problems.
Checking the Domino Directory for errors that affect server access
Many conditions that prevent proper access to servers can be traced to the Domino Directory.
1. Verify that these fields in the Server document contain the correct information and spelling. For each change you make, be sure to save the Server document before attempting to access the server again.
Field on the Network Configuration tab: Check this
• Server name: Make sure that the full hierarchical server name is spelled correctly.
• Domain name: Make sure that the name is spelled correctly.
• Port: If a COM port is listed, remove it. X.PC COM ports are only handled in the ports configuration section.
• Notes Network: Make sure that at least one Notes Network is enabled. Each port requires a unique Notes network name.
Check this
Delete the contents of this field if it contains any information. Only those names or groups listed in the field are allowed to access the server.
Delete the contents of this field if it contains any information. The users or groups listed in the field are not allowed to access the server.
2. Make sure the Server document isn't corrupted. To determine if it is corrupted, create a new Server document and use it instead of the old one. If the new Server document resolves the problem, it's likely that the original Server document is corrupted. Be sure to create a backup of the original Server document by either copying and pasting the original into another Server document or by backing up the database. After you create the new Server document, copy the public key into it.
3. Verify that the Certified public key in the server ID file is the same as the Public key. To do this, copy the certified key and paste it into a text file, and then compare the two key values, which should be the same. If the values differ, the server ID was probably created with the same name based on a different Certifier key. Before altering the key, create a backup of the Domino Directory.
4. Check Group documents in the Domino Directory for correct user and server names. In particular, check the Group documents for groups listed in the "Access server" and "Not access server" fields in the Server document. In addition, be sure to check the Group Type setting of these Group documents. The Group type assigned to a group can affect server access.
5. Resolve any replication or save conflicts in the Groups and People views.
6. Make sure that all views in the Domino Directory are updated and not damaged. To rebuild all of the views in that database, enter this command at the console:
Load updall names.nsf -r
If you suspect that the Domino Directory is corrupted, do one of the following:
• Run the Fixup task. Use this task if the database is in Domino 5 or higher format and if you're not using transaction logging, or if the database is in Domino 4 format.
• Run the Fixup task with the -J option. Use this task if the database is in Domino 5 or higher format and you are using transaction logging. If you use a backup utility certified for Domino 5 and you run Fixup -J, perform a full backup of the database as soon as Fixup finishes.
In addition, if you suspect a corrupted Domino Directory, try using a backup of the Domino Directory (if one is available), or create a new replica of the Domino Directory.
7. Replace the design of the Domino Directory. Select File - Database - Replace Design. This ensures that the Domino Directory is using the correct template file (PUBNAMES.NTF).
8. Check the Server document form in the Domino Directory for customizations that are not supported. For information about supported customizations, see the appendix "Customizing the Domino Directory."
9. Make sure that passthru is properly enabled on the Server document. For information about enabling passthru, see the topic "Passthru Troubleshooting" earlier in this chapter.
3. Check for a "Public Key..." message that appears when the server starts. Verify that the public key stored in the Server document matches the public key stored in the server ID. To do this, copy the ID's public key to the clipboard, and then paste it to another application (for example, into Windows Notepad) so that you can compare it with the public key in the Server document. Be sure to perform a full backup of the Domino Directory before altering the key.
You can also search for solutions to common problems on the Lotus Support Services Web site at www.lotus.com/support.
• Software problems
• Network problems
• Changes to network or operating system environments
• Changes in hardware configuration (for example, upgraded NICs) or software configuration
Use these steps to troubleshoot a server crash. If, after completing these steps, you haven't resolved the problem, consult your technical support representative.
1. Collect system information:
   • Domino server version
   • Operating system version (SYSLEVEL information if the operating system is OS/2, by typing SYSLEVEL at an OS/2 prompt)
   • Network type and version; network protocol(s) and version(s) (including file dates)
   • System level patches
   • Server hardware
   • Names of API programs and tasks, gateways, backup programs, executable scripts, third-party programs, and so on
2. Note any changes to these elements of the Domino environment. If possible, revert to the previous configuration to determine if the problem still occurs.
   • Operating system changes: for example, did you upgrade the operating system or apply a new patch?
   • Network changes: for example, did you add a new router or upgrade the network software or firmware?
   • Network interface card (NIC) changes: for example, is the NIC new, or is the NIC software driver old and the operating system new?
   • Domino changes: for example, did you upgrade to a new release of Domino or migrate new users?
   • Other hardware or software changes.
3. For an OS/2 server crash, check for a crash screen. Collect all codes that are displayed and check them against the table of OS/2 server error codes. For information on these codes, see the topic "Domino OS/2 server crashes" later in this chapter.
4. If the last message on the console starts with the word "Panic," record the entire message.
5. If possible, capture the last screen displayed on the console or save the Console Log file.
6. Stop all tasks running on the Domino server, and then stop the Domino server.
7. If an NSD log file was created, verify the time and date of the file, which should coincide with the time and date of the crash. If necessary, Lotus Support Services will use this file to identify where the crash occurred.
Note If a crash doesn't produce an NSD log file, the server may be out of disk space or memory.
8. Restart the server.
9. Check the Miscellaneous Events view in the log. Record all entries that occurred immediately before and after the crash. To do this, double-click the appropriate entry to open it. In particular, look for an NSF file in the entry, which may indicate where the crash occurred. If a particular database appears to have caused the crash, check the replication history of that database for additional information.
10. Collect these configuration files:
   CONFIG.SYS                 For OS/2
   NOTES.INI                  All platforms
   STARTUP.CMD                For OS/2
   PROTOCOL.INI               For OS/2
   NET.CFG                    For OS/2 and NetWare
   AUTOEXEC.NCF               For NetWare
   STARTUP.NCF                For NetWare
   Windows diagnostics file   Windows NT
Corrupt database causes a server to crash
If an "Unable to copy database," "Unable to copy document," or similar message appears in the Miscellaneous Events view of the log, a database is corrupted. Do one of the following to correct the problem:
• Run the Fixup task. Use this task if the database is in Domino 5 or higher format and if you're not using transaction logging, or if the database is in Domino 4 format.
• Run the Fixup task with the -J option. Use this task if the database is in Domino 5 or higher format and you are using transaction logging. If you use a backup utility certified for Domino 5 and you run Fixup -J, perform a full backup of the database as soon as Fixup finishes.
Note The Fixup task can take a significant amount of time to run on a large database or on the entire server.
For more information on using Fixup to repair corrupted databases, see the chapter "Maintaining Databases."
Corrupt view causes a server to crash
If a server crash seems related to a corrupt database view, run the Updall task on the database with the -r option:
Load updall databasename -r
Note The Updall task can take a significant amount of time to run on a large database. It will also take a significant amount of time if you run Updall without specifying the database name, which forces the task to run on all databases on the server.
Server crashes while updating a database index
If a server crashes while updating a database index, do the following:
1. Run the Updall task on the database with the -r option to fix a damaged database index:
Load updall databasename -r
Note The Updall task can take a significant amount of time to run on a large database. It will also take a significant amount of time if you run Updall without specifying the database name, which forces the task to run on all databases on the server.
2. If Updall does not fix the problem, use this procedure:
   a. Make a replica of the corrupted database. Be sure to give the replica a new file name.
   b. Delete the original corrupted database.
   c. Use the original database file name to rename the new replica.
   d. Restart the server.
The Router task causes the server to crash
In many cases, a crash occurs while a particular task is running. You can often determine the task from the crash screen or from the NSD log file. If the crash is related to the Router task, there could be a problem with MAIL.BOX.
1. Rename MAIL.BOX.
2. Restart the server. The server will automatically create a new MAIL.BOX.
3. Copy and paste the messages from the old MAIL.BOX to the new MAIL.BOX.
Domino OS/2 server crashes
If an OS/2 server crashes, a message resembling the following appears:
Trap 000C Internal Processing error at Location #nnn:nnn Trap 000D CS=nnnn IP=nn xxxxx CSLIM = nnnn
where nnnn represents error locations and addresses. Crashed network drivers or an OS/2 problem may cause this error. Record the addresses and report them to your network administrator. Then restart the server.
Codes that display when an OS/2 server crashes
When an OS/2 server crashes, the console displays an error code. Record the code.
Code   Meaning                       Cause
0      Divide error                  The software is bad.
1      Debug exceptions              The software is bad. Record all addresses.
2      NMI interrupt                 Stands for non-maskable interrupt. The software is bad. Record all addresses.
3      Breakpoint                    There is a software problem. Record all addresses.
4      Overflow                      The software is bad. Record all addresses.
5      Bound range exceeded          There is a software problem. Record all addresses.
6      Invalid opcode                There is a software problem. Record all addresses.
7      Coprocessor not available     The software is expecting a math coprocessor, and one isn't installed.
8      Double fault                  Two traps occurred at the same time. Record all addresses.
9      Coprocessor segment overrun   There is a software problem. Record all addresses.
A/10   Invalid task state segment    There is a software problem. Record all addresses.
B/11   Segment not present           There is a software problem. Record all addresses.
C/12   Stack exception               There is a software problem. Ignore this code if it follows a code D/13.
D/13   General protection            There is a software problem or a corrupted database.
F/15   Coprocessor error             There is a bad coprocessor chip.
NSD log files
NSD log files can help determine the cause of a server or workstation crash. A program called NSD (nsd.exe for W32 platforms, nsd.sh for Unix platforms) creates these files in the Domino data directory (for a server) or in the Notes data directory (for a workstation). The files contain information about the tasks that were running when the server or workstation crashed, as well as general system information.
• The mail file location on the Mail tab of the administrator's location document must point to the server on which the CA process is running.
• The administrator's public key must be in the Domino Directory for the server specified in the location document.
• CA administrators must have at least Editor access to the master Domino Directory for the domain.
CA process takes a long time to make changes to a certifier
When you create a new certifier, make changes to an existing one, or revoke a certificate, the changes usually take place by the time the CA process refreshes itself. Sometimes the process takes longer, because:
• The CA process has to create or update the CA configuration documents, and, in the case of Internet certifiers, post a CRL.
• The CA process may be running on a server other than the one that hosts the master Domino Directory, adding replication delays to the process.
• Replication of the Administration Requests database can add delays. A request or change may be approved on one replica, but the change has to be replicated to other servers in the domain.
To see the results of any CA process operation immediately, at the server console type:
tell adminp process all
Then
tell ca refresh
Then
tell ca stat
to see if the changes have been processed. You may need to repeat the process more than once. For more information about configuring and using a server-based CA, see the chapter "Setting Up a Domino Server-Based Certification Authority."
3. If the log path is correct and the device is good, restart the server. The problem should be fixed and you do not need to continue to step 4.
4. If the log path is correct but the device is bad, replace the device on the log path, or edit the TRANSLOG_Path setting in NOTES.INI to point to a different log path.
Note If you edit the TRANSLOG_Path setting when you restart the server, be sure to make the same edit to the "Log path" field in the Server document. Otherwise, Domino reverts to the old path upon the next server restart.
5. Restart the server. Domino creates new log files and a control file, and assigns new DBIIDs to all Domino 5 or higher databases.
6. If "Automatic fixup of corrupt databases" is set to Yes in the Server document, the Fixup task runs on the databases that require media recovery or Fixup. Otherwise, you must run the Fixup task manually.
7. Perform full database backups.
6. Restart the server. Domino creates new log files and a control file and assigns new DBIIDs to all Domino 5 or higher databases.
7. If "Automatic fixup of corrupt databases" is set to Yes in the Server document, the Fixup task runs on the databases that require media recovery or Fixup. Otherwise, you must run the Fixup task manually.
8. Perform full database backups.
If the error occurred during media recovery, an archived log file may be corrupted.
9. Restart the server to correct the problem, and then stop the server so it shuts down cleanly.
10. While the server is down, use the third-party backup utility to perform media recovery. If the archived log still cannot be used, allow database backups to be restored without the transactions in the corrupted log.
11. Perform full database backups.
12. Restart the server.
You can also search for solutions to common problems on the Lotus Support Services Web site at www.lotus.com/support.
Users are prompted multiple times for their name and password
You can configure Domino Web sites so that Domino authenticates and asks Web users for their credentials only once when they access different locations. Like other Web servers, Domino adheres to the HTTP authentication model. When a user accesses a page on a Domino Web site, the browser keeps track of user credentials, based on the realm that the Domino server sends to the browser. A realm is a string, which is typically a URL path, that the server sends to indicate the location, or path, for which the user has been authenticated. For example, if your server name is www.acme.com, then www.acme.com is the top-level realm and www.acme.com/doc, www.acme.com/hr, and www.acme.com/marketing are the lower-level realms.
If a user authenticates with the server when accessing the home page for www.acme.com, then the user is authenticated for www.acme.com and all lower-level realms. However, if the user accesses www.acme.com/doc first, enters a name and password and is authenticated, and then accesses www.acme.com/hr, Domino prompts the user for credentials again. This second prompt occurs because the browser examines the list of realms for which Domino has successfully authenticated the user and finds www.acme.com/doc in the browser realm list. Since www.acme.com/hr is not a subdirectory of www.acme.com/doc, Domino requires the user to enter credentials again.
To prevent users from being prompted multiple times for their names and passwords, direct them to access and authenticate with the highest level realm that they need to access. This way, Domino asks users for their credentials only once during the browser session. If a Web site includes a link to a site on another server and that site requires authentication, users will be prompted again for their credentials.
Users can't access a Domino Web server via the Internet
A firewall server often prevents users from accessing a Domino Web server via the Internet. If you have a direct Internet connection, you can ping the Domino server to see if you can access it. If you can ping the server but still can't access it, telnet to the server on port 1352 (see your telnet documentation for details on how to do this). If connecting with telnet fails, the firewall server may be blocking the TCP port.
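The realm behavior described under "Users are prompted multiple times for their name and password" can be modeled in a few lines. This is an added example, not code from Domino or from this guide; the function names are hypothetical, and it assumes the simplification that the realm recorded after a successful login is exactly the path the user visited.

```python
from urllib.parse import urlsplit


def realm_of(url):
    """Split a URL (scheme optional) into (host, [path segments])."""
    parts = urlsplit(url if "://" in url else "//" + url)
    host = (parts.hostname or "").lower()
    segments = [s for s in parts.path.split("/") if s]
    return host, segments


def covers(realm, target):
    """True if target is the realm itself or lies below it on the same host.

    Whole path segments are compared, so /doc covers /doc/guide
    but does not cover /docs.
    """
    r_host, r_segs = realm
    t_host, t_segs = target
    return r_host == t_host and t_segs[:len(r_segs)] == r_segs


def prompts_for(urls):
    """Return the URLs, in visit order, at which the user is prompted."""
    authenticated = []  # the browser's realm list for this session
    prompted = []
    for url in urls:
        target = realm_of(url)
        if any(covers(realm, target) for realm in authenticated):
            continue  # an existing realm covers this location: no prompt
        prompted.append(url)          # user is asked for name and password
        authenticated.append(target)  # realm is added to the browser's list
    return prompted


if __name__ == "__main__":
    # Top-level realm first: one prompt for the whole session.
    print(prompts_for(["www.acme.com", "www.acme.com/doc", "www.acme.com/hr"]))
    # Lower-level realm first: /hr is not below /doc, so a second prompt.
    print(prompts_for(["www.acme.com/doc", "www.acme.com/hr"]))
```

The visit order decides the number of prompts, which is why the guide tells users to authenticate at the highest-level realm they need.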
Users can't see a list of files on a Web server or access a database
When users try to use the OpenServer command to display a list of files on a Web server and the message "Database browsing not allowed" appears, make sure the option "Allow HTTP clients to browse databases" is enabled in the Server document for that server. If users try to access a database and the message "Unauthorized exception" appears, make sure they have the appropriate access in the database ACL.
Browser receives error message "Single Sign-on not Configured" when accessing an SSO enabled server
Verify that a Web SSO Configuration document exists for either a Web Site or for the Server document and is enabled in the Session Authentication field. If using Web Site documents, the Web SSO Configuration documents appear in the Internet Sites view for the specified web site. Otherwise, the Web SSO Configuration documents appear in the Web Configurations view.
You should also verify that the Web SSO Configuration document is encrypted for the server to which the browser is connecting, by checking the document to see that the server is listed in the participating server field.
If the Server document's public key does not match the public key in the server ID file, then the decryption of the Web SSO document will fail. This could happen if the ID file was created multiple times and didn't update the Server document correctly. Usually there is an error on the server console indicating that the public key does not match the server ID. If this happens, then SSO fails because the document could be encrypted with a public key for which the server does not possess the corresponding private key necessary for decryption. The way to correct this is to copy the public key out of the server ID, paste it into the Server document, and then recreate the Web SSO document.
Debugging session-based authentication problems
In session-based authentication, a cookie is created on the Web server. Sometimes when the browser returns the cookie it doesn't work and authentication fails. Administrators need to be able to see the calls that the Web server is making to deny the cookie, or to see whether the server even received it. The NOTES.INI variable WebSess_Verbose_Trace should be used for troubleshooting both single server and multi-server (as in single sign-on) session-based authentication problems.
Setting WebSess_Verbose_Trace=1 enables a Domino Web server to record, at the server console, detailed information about specific Web session-based authentication sessions, such as unauthorized, unauthenticated, or session expiration information. After you correct the problem, make sure to disable this setting (remove it or set it to 0), because using it slows Web server performance.
Error 403 - Directory Browsing error Access forbidden
Check the Server document for an entry in the Home URL or Default Home page fields. To display a home page on the Web server, one or both of these fields must contain an entry.
Users can't send mail to the Internet from a mailto URL
For users to send e-mail to the Internet, you must set up mail routing to the Internet.
"TCP/IP host unknown" and "Remote system not responding"
Messages such as "TCP/IP host unknown" and "Remote system not responding" usually indicate problems with the TCP/IP setup. If you have a direct Internet connection and are able to use the IP address to ping the remote host successfully, the Web Navigator may not be running.
If you use host names instead of actual IP addresses in Connection documents, there may be a problem with name resolution. To fix this problem, check the hosts file to verify that your domain name system (DNS) can resolve the name to the IP address. If you do not have a DNS, add the entry to the server's local hosts file, which maps host names to IP addresses. The hosts file is usually located in the same directory as the protocol software. It has a format similar to:
Domino server name | IP host name | IP fully qualified domain name | IP address | Comment
Salt/Sales/Acme | salt | salt.usa.com | 123.3.12.24.5 | #Salt server
Pepper/Support/Acme | pepper | pepper.usa.com | 123.3.12.678 | #Pepper server
If the host name is the Domino server's common name, then the hosts file or DNS will require an alias link as shown here:
Domino server name | IP host name | IP fully qualified domain name | IP alias name entry | IP address | Comment
 |  | ruby.usa.com | red within the host file or red CNAME ruby for the DNS | 123.3.12.212 | #Red server
Purple/IS/Acme | violet | pepper.usa.com | purple within the host file or purple CNAME violet for the DNS | 123.3.12.83 | #Purple server
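One way to check the alias requirement described above before users hit "TCP/IP host unknown": parse a hosts file and report every Domino server whose common name is neither a host name nor an alias in it. This is an added example, not part of the guide or of Domino; the function names are hypothetical and the IP addresses in the sample hosts files are constructed.

```python
def common_name(hierarchical):
    """Return the lower-cased common name of a Domino server name.

    'Purple/IS/Acme' -> 'purple'; 'CN=Purple/OU=IS/O=Acme' -> 'purple'.
    """
    first = hierarchical.split("/")[0].strip()
    if first.upper().startswith("CN="):
        first = first[3:]
    return first.lower()


def parse_hosts(text):
    """Map every name on a hosts line (host, FQDN, alias) to its address."""
    names = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments such as '#Salt server'
        if not line:
            continue
        fields = line.split()
        address, hostnames = fields[0], fields[1:]
        for name in hostnames:
            # Keep the first entry if a name is listed more than once.
            names.setdefault(name.lower(), address)
    return names


def missing_aliases(servers, hosts_text):
    """Return the servers whose common name the hosts file cannot resolve."""
    names = parse_hosts(hosts_text)
    return [s for s in servers if common_name(s) not in names]


# Constructed sample data: server names follow the tables above,
# addresses are made up for the example.
SERVERS = ["Salt/Sales/Acme", "Purple/IS/Acme"]

HOSTS_WITHOUT_ALIAS = """
192.0.2.24  salt.usa.com    salt           # Salt server
192.0.2.83  violet.usa.com  violet         # Purple server, no alias yet
"""

HOSTS_WITH_ALIAS = """
192.0.2.24  salt.usa.com    salt           # Salt server
192.0.2.83  violet.usa.com  violet purple  # Purple server, alias added
"""

if __name__ == "__main__":
    print(missing_aliases(SERVERS, HOSTS_WITHOUT_ALIAS))  # Purple is reported
    print(missing_aliases(SERVERS, HOSTS_WITH_ALIAS))     # nothing to fix
```

A server whose common name contains a space can never match a host name, so it is always reported and needs a Connection document that uses a resolvable host name instead.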
"URL Access Denied" message trying to open certain Web pages
If users try to open a Web page and a "URL Access Denied" message appears, check the Internet Site Access Control section under Server Tasks - Web Retriever in the Server document for the Web Navigator server to see if you prevented access to that Internet server.
The Web Navigator Retrieval process is not running
When users try to open a Web page within the database, they will get this message if:
- The Web task stopped running or hasn't been started on that server. To resolve this problem, start the Web task on the server that runs the Web Navigator.
- The server specified in the InterNotes field in either their current Location document or the Server document for their mail server is not a server running the Web task. To resolve this problem, specify the correct server name.
Web Administrator initializes itself when resizing the window
If you're using the Web Administrator with a Netscape 4.x browser and you resize the browser window, the Web Administrator will reinitialize. To avoid this problem, resize windows before using the Web Administrator.
Unable to log in to the Web Administrator
Make sure you have the proper access level and roles in the ACL for the Web Administrator database. For information on access to the Web Administrator, see the chapter "Setting Up and Using Domino Administration Tools."
When you start the Web Administrator, Domino asks you for your name and Internet password, which are stored in your Person document. You must enter that name and password to access the database. If the Internet Access security setting in the Server document is set to less name variations, more security.
You may need to re-create the database. The Web Administrator must be created and configured by the HTTP server to work properly. Do not attempt to use File - Database - Replace Design or Refresh Design.
To re-create the database
Domino creates the Web Administrator database the first time that the HTTP task runs on a server. Keep in mind that deleting the database deletes existing administrator preferences.
1. Enter this command at the console:
tell http quit
Note Do not try to refresh the database from the File menu using File - Database - Replace Design or Refresh Design.
New policies do not appear as an option when registering users
If a policy that has been recently created does not appear as an option during user registration, reload the Web Administrator so that the new policy is available.
Server.Load Troubleshooting
The dynamic link library NNOTES.DLL could not be found in the specified path
Check to see if SLOAD.EXE was copied to the Notes program directory. Copying SLOAD.EXE to the Notes program directory should resolve the issue.
Error detected on changeto: No such port known (0x0A25)
This message appears when you use a custom script. Enable the port by choosing File - Preferences - User Preferences and selecting Ports.
Error in NIFFindView messages
Adding documents to a folder that does not exist returns the following:
Error in NIFFindView add 10 -f $ABC Error in NIFFindView: 0x0404--Entry not found in index 'add' summary: Added 10 notes
Although it states that 10 notes (documents) were added, no documents were actually added. Create a folder before adding documents.
Error in NSFItemAppend: 0x013B Memory allocation request exceeded 65,000 bytes
This message appears when you attempt to add a document containing a non-summary text item that is larger than 65KB. Do not create non-summary items that exceed 64KB.
Cannot create greater than 512 sessions, sessions count reduced to 512.
The value supplied for Server_MaxSessions was greater than the limit of 512 for the NT platform. The session count will be reduced to 512, and the built-in Idle Workload will continue to open 512 sessions to the Domino server.
Reference
where filename.ext is the name of the file to which you want to save output. Enter a space after the server command but not after the redirection symbol (>). For example, this command writes the output of the Show Tasks command to the file TASKS.OUT in the Notes directory:
Show Tasks > TASKS.OUT
To store output in a file outside the data directory, specify the complete path to the file.
1. Double-click the Domino server icon if the server isn't running, or switch to the console.
Note On a UNIX server, log into the server account, change to the server's Notes directory, and enter server.
2. Press ENTER to display the console prompt (>).
3. Enter a server command. If a command parameter contains a space, enclose it in quotation marks, for example:
Pull "Acme Server"
Tip To save time and space at the command line, enter the abbreviation for the server command. You can also press the Up arrow to display a command that you previously entered.
4. (Optional) Use these key combinations, as necessary:
- Press CTRL+Q or PAUSE to stop the screen display and suspend access to the server and events in process.
- Press CTRL+R to resume display and access to the server.
A-2 Administering the Domino System, Volume 2
- Press CTRL+R (or ENTER) to restore a command line. For example, you might restore a command line if an on-screen event splits it or if it disappears while you're typing.
If you are sending several shell or Controller commands, you can change to Shell or Controller command mode in a remote console by entering the appropriate prefix in the Command box and pressing enter. Then you do not have to specify the prefix each time you send a command. To exit the specified command mode, enter the prefix again. For example, to enter the Controller command mode, enter # in the Command box. When you are done sending Controller commands, enter # again to exit Controller command mode. The following table describes the available Controller commands.
Controller command | Description
Broadcast message | Broadcasts a specified message to all administrators connected to the Controller.
Disable username(s) | Disables a specified administrator's connection to the Controller. Connection remains disabled until you use the Enable User command or until you quit and restart the Controller. To disable more than one administrator's connection, specify multiple names, separated by commas, for example: #Disable user1,user2
Enable username(s) | Enables an administrator's connection that you previously disabled using the Disable User command. To enable more than one administrator's connection, specify multiple names, separated by commas, for example: #Enable user1,user2
Kill Domino | Stops the processes on a server that is not responding.
Quit | Stops the Domino server and the Server Controller.
Refresh Admins | Refreshes the Controller's information about administrators from the Domino Directory.
Restart Domino | Stops the processes on a server that is not responding and then restarts the server.
Set ControllerLogExpiration=days | Specifies the number of days' worth of log files to keep on the server. Default is 7 days. Change takes effect at midnight or when you restart the Server Controller.
Set ControllerLogFileName=path filename | Specifies the name and path of log files created on a server. By default, log files are stored in the server's data directory with filenames that begin with the text dcntrlr, followed by the creation date, a sequence number and the file extension .log or .meta. You can specify a different path, and can specify text to replace the dcntrlr portion of the log file names. Change takes effect at midnight or when you restart the Server Controller.
Set ControllerLogType=value | Specifies which type(s) of log file(s) to create on a server or prevents the creation of log files. Values: 0 = Do not create log files; 1 = Create .log files that log only data normally seen at a console; 2 = Create .meta files that log data normally seen at a console as well as additional details, such as color, font, and event filter settings; 3 = Create both .log files and .meta files simultaneously. Setting takes effect immediately.
Show Users | Shows the administrators currently connected to the Controller.
Show Processes | Shows the tasks running on the Domino server.
Start Domino | Starts the Domino server if it is down.
To send a command from the Domino Administrator console:
1. Make sure you have the administrator access to the server required for the command you are sending. For more information, see the chapter "Controlling Access to Domino Servers."
2. From the Domino Administrator, connect to the server.
3. Click Server - Status.
4. Click Server Console.
5. Do one of the following to add the command to the Command box:
- Enter the command with any arguments directly in the Command box.
- Click Commands, select the command from the list, and click OK. Enter any necessary arguments.
- If you've added the command to the Commands menu, select the Commands menu and select the command from the list.
- If you are sending a Tell command to the Certificate Authority (CA) process that requires a password as an argument, click the Commands menu, and select Password Commands to display a box in which to enter the password. The password box masks the characters in the password with asterisks.
6. (Optional) To prevent the console from displaying the server output, click the Send menu and select Quiet Commands.
7. To send the command only to the connected server, click Send. To send the command to more than one server:
a. Click the Send menu and select Select Servers.
b. In the Domain box, select the Domino Domain of a server to which you want to send the command.
c. In the Server box, select a server from the selected domain.
Server Commands A-5
d. Click Add.
e. Repeat Steps b - d for each server to which you want to send the command.
f. (Optional) Select or deselect Quiet Commands to optionally change the option specified in Step 6.
g. (Optional) Click Create Group, enter a name for the group, and click OK to save the group of selected servers.
h. Click Send.
Tip You can also select a group you've added to the Send menu.
8. If you entered a Controller command or shell command, enter the following in the Login dialog box that opens:
- In the Server's Internet Address box, specify the TCP/IP host name of the server.
- In the User ID box, specify a name in your Person document in the Domino Directory on the server to which you are connecting.
- In the Password box, specify the password in the Internet password field of your Person document.
- Click OK.
9. (Optional) Do any of the following, as necessary:
- Click Live to display events as they happen on the remote server.
- Click Pause to pause output from the remote server.
- Click Stop to stop events as they happen on the screen.
Adding commands to the Commands menu
If you frequently use the Domino Administrator console to send a specific command, add it to the Commands menu so it's easy to select. For example, if you frequently send a command with a particular argument, add it to the Commands menu so you don't have to type the argument each time you send the command.
1. From the Domino Administrator, click Server - Status.
2. Click Server Console.
3. Click the Commands menu and select Custom Commands.
4. Add the command and any arguments.
5. Click Add.
6. Click Save. The Commands menu lists the command.
Adding a group of servers to the Send menu
If you frequently use the Domino Administrator console to send a command to a particular group of servers, add the group to the Send menu:
1. From the Domino Administrator, click Server - Status.
2. Click Server Console.
3. Click the Send menu and select Server Groups.
4. To add a group you created previously during the process of sending a command, click Add Private, select the group, and click Add.
5. To add a group from the Domino Directory, click Add Public, select the group, and click Add. You can add only groups in the Domino Directory that are defined as the group type "Servers only."
6. Click Save. The group now shows in the Send menu.
5. Do one of the following to add the command to the Command box:
- Enter the command with any arguments directly in the Command box.
- (Live Console only) Click Commands, select the command from the list, and click OK. Add any arguments as necessary.
6. Click Send.
4. Enter the path and file name of your Notes user ID.
5. Enter the password for your Notes user ID.
6. To exit cconsole, type:
done
Remote cconsole
The cconsole program doesn't start if the Domino server isn't running on the same machine as the cconsole program. If the server fails while cconsole is running, cconsole may not automatically shut down. In this case, enter the done command to exit the cconsole program. To run cconsole from a remote machine, first telnet to the machine running the Domino server.
Note There is a security risk when running the cconsole program from a remote machine or from a remote X display. The cconsole program warns you of this security risk before proceeding. To address this security risk, deploy a secure remote protocol such as encrypted telnet. If you don't deploy a secure remote protocol, run the cconsole program only from the local Domino server machine.
Additional console commands
In addition to the current set of Domino server console commands, cconsole also supports these commands:
Command | Result
done | Exits cconsole while the Domino server continues to run
live on | Enables cconsole as a live console so that you see messages sent to the server console from other sources
live off | Disables the live console so that you see only the commands entered and the responses to these commands
Command line switches There are several command line switches that streamline using cconsole. You type the switches when you start cconsole.
Switch | Result
-f | Lets you enter the path and file name for the Notes user ID when you start cconsole so that you aren't required to respond to the prompts
-i | Lets you ignore warnings; warnings continue to appear on the console, but you won't be required to respond to them
-l | Lets you automatically start the console live when you start cconsole
For example, if you don't want to wait for the prompt to enter the path and file name for the Notes user ID, enter this command:
/opt/lotus/bin/cconsole -f notes/data/rrutherford.id
Command | Description
Dbcache Flush | Closes all databases that are currently open in the database cache.
Drop | Closes one or more server sessions.
Exit | Stops the server. This command is identical to Quit.
Help | Displays a list of server commands with a brief description, arguments (if any), and the proper syntax for each.
Load | Loads and runs a specified server task or program on the server.
Platform | Controls the platform statistics data at the console.
Pull | Forces a one-way replication from the specified server to your server.
Push | Forces a one-way replication from your server to specified server.
Quit | Stops the server. This command is identical to the Exit server command.
Replicate | Forces replication between two servers (the server where you enter this command and the server you specify).
Restart Port | Disables transactions (or messages) on the specified port and then re-enables the port after a brief delay.
Restart Server | Stops the server and then restarts the server after a brief delay.
Restart Task | Shuts down and then restarts a specified server task.
Route | Initiates mail routing with a specific server.
Set Configuration | Adds or changes a setting in the NOTES.INI file.
Set Rules | Reloads the server's mail rules.
Set SCOS | Activates or deactivates a shared mail database.
Set Secure | Password-protects the console.
Set Statistics | Resets a statistic that is cumulative.
Show Agents | Displays the name of agents in the database you specify.
Show Allports | Displays the configuration for all enabled and disabled ports on the server.
Command | Description
 | Displays the local server's cluster name cache.
 | Displays the current value for a NOTES.INI setting.
Show Directory | Lists all database files in the data directory and identifies multiple replicas of a database.
Show Diskspace | Displays the amount of space, in bytes, available on the disk drive (Windows NT or OS/2) or file system (UNIX).
Show Heartbeat | Indicates whether the server is responding.
Show Memory | Used for OS/2.
Show Opendatabases | Displays a list of open databases on the server and detail information for the databases.
Show Performance | Displays the per minute user/transaction values when the Domino Server is running.
Show Port | Displays traffic and error statistics, and resources used on the network adapter card or communications port.
Show Schedule | Shows the next time that a server task will run.
Show SCOS | Displays information about shared mail databases and reloads the shared mail configuration.
Show Server | Shows server status information.
Show Stat | Displays Domino server statistics for one or more of the following: disk space, memory, mail, replication, and network activity.
 | Displays individual and cumulative platform statistics for all servers including one or more of the following: logical disk, paging file, memory, individual network, process, and system.
 | Displays the server name, the Domino program directory path, and the status of the active server tasks.
 | For each type of transaction, displays the total number of NRPC transactions, the minimum and maximum duration of the transaction, the total time to perform all transactions, and the average time to perform the transaction.
 | Displays a list of all users who have established sessions with the server.
 | Provides information about each directory a server uses for name resolution.
 | Enables console logging.
 | Enables transactions (or messages) on the specified port.
 | Disables console logging.
 | Disables transactions (or messages) on the specified port.
 | Issues a command to a server program or task.
 | Tests a connection to a server.
Broadcast
Syntax: Broadcast message [usernames or database]
Broadcast (!) message [usernames or database]
Description: Sends a message to specified users, users of the specified database or to all users of this server. Use this command to warn users when a server is brought down for maintenance. By default, the message you enter appears in the user's status bar. To display the message in the middle of the user's screen, precede the message with (!).
Examples:
Broadcast Server ACME will be down in 10 minutes
Sends a warning message about impending maintenance on server ACME to all users on this server.
Broadcast (!) Server ACME will be down in 10 minutes
Sends the same warning message as shown in the example above, but this message displays in the center of the user's screen. Note that parentheses () are entered as part of the command string.
Action
Choose one:
- Selected user, to send the message to the users you selected in the middle pane of the Server - Status tab.
- All connected users, to send the message to all users with active sessions on the Domino server.
- All users of a database, to send the message to all users of a particular database. Enter the directory string for the database in the field.
Enter the text of the message you want to send.
Click this check box to display the broadcast message in a dialog box on the user's workstation.
Dbcache Flush
Syntax: Dbcache flush
Description: Closes all databases that are currently open in the database cache. Use this command before maintaining databases to flush databases from the cache.
For more information on the database cache, see the chapter "Improving Database Performance."
Drop
Syntax: Drop username
Description: Closes one or more server sessions. To visually confirm which sessions are dropped, you must enter the Log_Sessions=1 setting in the server's NOTES.INI file.
For information on Log_Sessions, see the appendix "NOTES.INI File."
Examples:
Drop Sandy
Closes the current session running under the user name Sandy.
Drop Lee Fran
Closes the sessions running under the user names Lee and Fran.
Drop All
Closes all server sessions.
Exit
Syntax: Exit
Description: Stops the server. This command is identical to Server Shutdown.
Before you use Exit to stop the server, use the Broadcast server command to warn users so they can finish their current tasks before you stop the server. If you stop a server while it's replicating databases or routing mail, these tasks resume at the next scheduled interval after you restart the server. Replication or mail routing continues until the databases are fully replicated and until the complete mail message is transferred or returned to sender.
Tip You can also stop the server from the Domino Administrator. From the Domino Administrator, click the Server - Status tab, and then click Server - Shutdown.
Help
Syntax: Help
Description: Displays a list of server commands with a brief description, arguments (if any), and the proper syntax for each.
Load
Syntax: Load programname
Description: Loads and starts a specified server task or program on the server. You can start a server add-in program or one that takes a command line for additional data, such as a backup program. The program you run must be on the server's search path. Use the Load command to run a program until it completes or, if the program runs continually, until you stop the server. Where applicable, you can include arguments that determine how the program runs.
Note Most server commands support the arguments -? and /? to display online help. For example, you could enter one of these to obtain help for the server command Load Compact:
Load Compact -?
Load Compact /?
Examples:
Load Fixup
Loads and runs the Fixup server task.
Load Object Info OBJECT.NSF
Loads and runs the Shared Mail Manager and passes along arguments that execute the Info task.
For more information, see the appendix "Server Tasks."
Platform
Syntax: Platform <main argument> [<optional arguments>]
Description: Controls the platform statistic feature at the console. Platform statistics that are affected by the reset command are:
- Fixed: These statistic values do not change. They include information such as number of disks, or an assigned name. For example, in the statistic Platform.LogicalDisk.<identifying number>.PctUtil, the identifying number is a variable that identifies the disk. This information does not change when a platform reset command is issued.
- Primary: These are the individual statistic metrics on which secondary statistics are derived. For example, a total paging file utilization statistic (Platform.PagingFile.TotalPctUtil) forms the basis for the secondary average and peak statistics values (Platform.PagingFile.TotalPctUtil.Avg and Platform.PagingFile.TotalPctUtil.Peak).
- Secondary: Statistic values that are a combination of, or are derived from primary statistics.
Arguments:
Arguments | Description
Time [<sampling period>] | Used with an optional argument, changes the sampling period to the specified value in minutes. If not used, displays the current sampling rate. Default is 1 minute.
Reset | Resets the value of primary statistics to zero, and gathers new set of metrics.
Reset Interval Enable | Resets all values each time a new sampling period begins. Uses the sampling period defined using the Time argument.
 | Disables the Reset Interval Enable command.
 | Pauses the collection and update of performance data.
 | Resumes the collection and update of performance data.
For more information on monitoring platform statistics, see the chapter Monitoring the Domino Server.
Examples: Use Platform Time <n> to start a new performance data monitoring session with a sampling period of n minutes. This means that the statistic value can change every n minutes. For example:
platform time 5
Use the Platform Reset command so that prior existing values are not used in calculating minimum, average, or maximum values. You may want to use this command when platform statistics have been accumulating overnight and you want to clear out the accumulation. For example:
platform reset
Use the Platform Reset Interval Enable command to reset all values each time you begin a new sampling period. For example:
Platform Reset Interval Enable
Pull
Syntax: Pull servername [databasename]
Description: Forces a one-way replication from the specified server to your server. You can also replicate a single database from the specified server to your server by including the database name on the command line. The initiating server receives data from the named server, but doesn't request that the other server pull data from it. This forces a server to replicate immediately with the initiating server, overriding any replication scheduled in the Domino Directory. Enter the server's full hierarchical name, if applicable. You can pull changes immediately if an important database, such as the Domino Directory, has changed or if a database on your server is corrupted or has been deleted.
For replication to succeed, make sure that:
The Domino Directory contains a Server document for each server in the domain.
The Domino Directory contains a Connection document to connect to a remote server.
Each server's ID file contains a certificate that the other server recognizes and trusts.
Database ACLs allow replication, and the source server has sufficient access in the ACLs to replicate changes.
If you're using server access lists, servers must have proper access in the Server document.
If the server is currently replicating, Domino queues the Pull server command until the current task completes. To check the status of the Replicator before using Pull, enter this command at the console:
Show Tasks
The server displays one of the following messages:
If the server isn't replicating, the word "Idle" appears next to the Replicator task.
If the server is replicating, a message such as "Replicating CONTRACT.NSF from MARKETING\CONTRACT.NSF" appears.
Examples:
Pull Marketing\Acme
Forces one-way replication with the server Marketing.
Pull Marketing\Acme NAMES.NSF
Forces one-way replication of the NAMES.NSF file from the server Marketing.
Push
Syntax: Push servername [databasename]
Description: Forces a one-way replication from your server to the specified server. You can also replicate a single database from your server to the specified server by including the database name on the command line. The initiating server sends data to the named server, but doesn't request data in return. This forces a server to replicate immediately with the initiating server, overriding any replication scheduled in the Domino Directory. Specify the server's full hierarchical name, if applicable. In effect, the Push server command is the functional opposite of the Pull server command.
Examples:
Push Marketing\Acme
Forces one-way replication with the server Marketing.
Push Marketing\Acme NAMES.NSF
Forces one-way replication of the NAMES.NSF file to the server Marketing.
Quit
Syntax: Quit
Description: Stops the server. This command is identical to the Server Shutdown command. However, the Quit server command differs from the Tell server command, which you use to stop a particular server task without stopping the server. If you stop a server while it's replicating databases or routing mail, these tasks resume at the next scheduled interval after you restart the server. Replication or mail routing continues until the databases are fully replicated and until the complete mail message is transferred or returned to the sender. Before you use the Quit server command to stop the server, use the Broadcast server command to warn users to finish their current tasks before you stop the server.
Tip You can also stop the server from the Domino Administrator. From the Domino Administrator, click the Server - Status tab. From the tool bar, click Servers - Shutdown.
Replicate
Syntax: Replicate servername [databasename]
Description: Forces replication between two servers (the server where you enter this command and the server you specify). Use the server's full hierarchical name. If the server name is more than one word, enclose the entire name in quotes. To force replication of a particular database that the servers have in common, specify the database name after the server name. The initiating server (where you're currently working) first pulls changes from the other server, and then gives the other server the opportunity to pull changes from it. You can use this command to distribute changes quickly or to troubleshoot a replication or communication problem.
Note The existing replication schedule between the servers determines how the second server responds to this command. If this replication falls within the timeframe that the second server replicates with the initiating server (based on calling schedules and the repeat interval), the second server pulls changes. Otherwise, it waits for the next scheduled replication time.
If the server is already replicating when you issue the command, Domino queues the command until the current replication ends. To check the status of the Replicator, enter this command at the console:
Show Tasks
The server displays one of the following messages:
If the server isn't replicating, the word "Idle" appears next to the Replicator program.
If the server is replicating, a status line, such as "Replicating CONTRACT.NSF from MARKETING\CONTRACT.NSF", appears.
To optimize resources, Domino only replicates what is necessary. For example, if the servers recently replicated and no changes have since been made to any databases on either server, the servers don't replicate when you enter a Replicate command. Also, the replication is two-way only if databases on both servers changed since the last replication. If databases on only one of the servers changed, the replication is one-way. To force replication in only one direction, use the Pull or Push server commands.
Examples:
Replicate Marketing\Acme
Initiates replication between your server and the Marketing/Acme server. The server console displays messages indicating when replication begins.
Replicate Marketing\Acme NAMES.NSF
Initiates replication of NAMES.NSF between your server and the Marketing\Acme server.
5. Choose one:
Selected database to select a specific database to replicate. Click the database button and select a database from the list.
All databases in common to replicate all databases that both servers have in common. This is the default setting.
6. Click Replicate.
Restart Port
Syntax: Restart Port portname
Description: Disables transactions (or messages) on the specified port and then re-enables the port after a brief delay. The command lets you stop and start a port without stopping the Domino server. When you are supporting Internet servers that rely on TCP/IP, you can restart the TCP/IP port and the Internet ports enter a waiting state. The Internet ports suspend and keep checking for the TCP/IP port. You will see the following when using restart port TCPIP:
>restart port tcpip
06/28/2002 12:34:08 PM LDAP Server: Listener failure: Request failed because the requested port is inactive
06/28/2002 12:34:08 PM LDAP Server: Suspended, waiting 20 seconds for Notes Port Driver [TCPIP] to be restarted
06/28/2002 12:34:11 PM POP3 Server: Listener failure: Request failed because the requested port is inactive
06/28/2002 12:34:11 PM POP3 Server: Suspended, waiting 20 seconds for Notes Port Driver [TCPIP] to be restarted
06/28/2002 12:34:11 PM SMTP Server: Listener failure: Request failed because the requested port is inactive
06/28/2002 12:34:11 PM IMAP Server: Listener failure: Request failed because the requested port is inactive
06/28/2002 12:34:11 PM SMTP Server: Suspended, waiting 20 seconds for Notes Port Driver [TCPIP] to be restarted
06/28/2002 12:34:11 PM IMAP Server: Suspended, waiting 20 seconds for Notes Port Driver [TCPIP] to be restarted
06/28/2002 12:34:28 PM LDAP Server: Suspended, waiting 20 seconds for Notes Port Driver [TCPIP] to be restarted
06/28/2002 12:34:29 PM Port TCPIP was successfully disabled
06/28/2002 12:34:31 PM POP3 Server: Suspended, waiting 20 seconds for Notes Port Driver [TCPIP] to be restarted
06/28/2002 12:34:31 PM SMTP Server: Suspended, waiting 20 seconds for Notes Port Driver [TCPIP] to be restarted
06/28/2002 12:34:31 PM IMAP Server: Suspended, waiting 20 seconds for Notes Port Driver [TCPIP] to be restarted
To see a list of ports you can restart, issue the console command Show Configuration.
Example:
Restart Port TCP
Disables and re-enables the port named TCP.
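The console messages shown for restart port TCPIP can be monitored to see which Internet tasks are waiting on the port driver and for how long. The following Python script is an added example, not part of the Domino documentation; the log lines are the ones printed above, while the function names and the max_wait_seconds threshold are assumptions made for illustration.

```python
import re
from datetime import datetime

# Console output copied from the "restart port tcpip" sample on this page.
SAMPLE_CONSOLE = """\
>restart port tcpip
06/28/2002 12:34:08 PM LDAP Server: Listener failure: Request failed because the requested port is inactive
06/28/2002 12:34:08 PM LDAP Server: Suspended, waiting 20 seconds for Notes Port Driver [TCPIP] to be restarted
06/28/2002 12:34:11 PM POP3 Server: Listener failure: Request failed because the requested port is inactive
06/28/2002 12:34:11 PM POP3 Server: Suspended, waiting 20 seconds for Notes Port Driver [TCPIP] to be restarted
06/28/2002 12:34:11 PM SMTP Server: Listener failure: Request failed because the requested port is inactive
06/28/2002 12:34:11 PM IMAP Server: Listener failure: Request failed because the requested port is inactive
06/28/2002 12:34:11 PM SMTP Server: Suspended, waiting 20 seconds for Notes Port Driver [TCPIP] to be restarted
06/28/2002 12:34:11 PM IMAP Server: Suspended, waiting 20 seconds for Notes Port Driver [TCPIP] to be restarted
06/28/2002 12:34:28 PM LDAP Server: Suspended, waiting 20 seconds for Notes Port Driver [TCPIP] to be restarted
06/28/2002 12:34:29 PM Port TCPIP was successfully disabled
06/28/2002 12:34:31 PM POP3 Server: Suspended, waiting 20 seconds for Notes Port Driver [TCPIP] to be restarted
06/28/2002 12:34:31 PM SMTP Server: Suspended, waiting 20 seconds for Notes Port Driver [TCPIP] to be restarted
06/28/2002 12:34:31 PM IMAP Server: Suspended, waiting 20 seconds for Notes Port Driver [TCPIP] to be restarted
"""

STAMP_RE = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} [AP]M) (.+)$")
FAILURE_RE = re.compile(r"^(.+?): Listener failure: (.+)$")
SUSPEND_RE = re.compile(
    r"^(.+?): Suspended, waiting (\d+) seconds for Notes Port Driver "
    r"\[(\w+)\] to be restarted$")
DISABLED_RE = re.compile(r"^Port (\w+) was successfully disabled$")


def parse_console(text):
    """Return (events, disabled) parsed from console text.

    events:   list of dicts (time, task, kind, port, retry_seconds)
    disabled: dict mapping a port name to the time it was reported disabled
    """
    events, disabled = [], {}
    for raw in text.splitlines():
        stamped = STAMP_RE.match(raw.strip())
        if not stamped:
            continue  # command echo or text without a timestamp
        when = datetime.strptime(stamped.group(1), "%m/%d/%Y %I:%M:%S %p")
        msg = stamped.group(2)
        if (d := DISABLED_RE.match(msg)):
            disabled[d.group(1)] = when
        elif (s := SUSPEND_RE.match(msg)):
            events.append({"time": when, "task": s.group(1),
                           "kind": "suspended", "port": s.group(3),
                           "retry_seconds": int(s.group(2))})
        elif (f := FAILURE_RE.match(msg)):
            events.append({"time": when, "task": f.group(1),
                           "kind": "failure", "port": None,
                           "retry_seconds": None})
    return events, disabled


def suspended_tasks(events):
    """Summarise, per task, how long it has been waiting for its port driver."""
    summary = {}
    for ev in events:
        if ev["kind"] != "suspended":
            continue
        entry = summary.setdefault(ev["task"], {
            "port": ev["port"], "first_seen": ev["time"],
            "last_seen": ev["time"], "retries": 0})
        entry["last_seen"] = max(entry["last_seen"], ev["time"])
        entry["retries"] += 1
    for entry in summary.values():
        delta = entry["last_seen"] - entry["first_seen"]
        entry["waiting_seconds"] = int(delta.total_seconds())
    return summary


def overdue(summary, max_wait_seconds):
    """Tasks suspended for at least max_wait_seconds (an assumed threshold)."""
    return sorted(task for task, entry in summary.items()
                  if entry["waiting_seconds"] >= max_wait_seconds)


if __name__ == "__main__":
    parsed_events, disabled_ports = parse_console(SAMPLE_CONSOLE)
    for task, info in sorted(suspended_tasks(parsed_events).items()):
        print(f"{task}: waiting on {info['port']} for "
              f"{info['waiting_seconds']}s ({info['retries']} messages)")
    for port, when in disabled_ports.items():
        print(f"port {port} disabled at {when}")
```
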
Restart Server
Syntax: Restart Server
Description: Stops the server and then restarts the server after a brief delay. If you stop a server while it's replicating databases or routing mail, these tasks resume at the next scheduled interval after you restart the server. Replication or mail routing continues until the databases are fully replicated and until the complete mail message is transferred or returned to the sender. Before you use Restart Server to stop the server, use the Broadcast server command to warn users to finish their current tasks before you stop the server.
Tip You can also use the Domino Administrator to restart the server. From the Domino Administrator, click the Server - Status tab and use the tool Server - Restart.
Restart Task
Syntax: Restart Task taskname Description: Shuts down and restarts a specified server task. Example: The following command shuts down and restarts the LDAP task:
Restart Task LDAP
Tip You can also use the Domino Administrator to restart a task. From the Domino Administrator, click the Server - Status tab and use the tool Task - Restart.
Route
Syntax: Route servername
Description: Initiates mail routing with a specific server. The Route command overrides any mail routing schedules that you create in the Connection documents in the Domino Directory. Use the Route command for servers that are configured for Pull, Pull Push, Push, or Push Wait routing in the Connection document. Use the server's full hierarchical name, if applicable. If the server name is more than one word, enclose the entire name in quotes. To route to all pending destinations, use Route *. Use the Route command to troubleshoot mail problems and to send mail to or request mail from a server immediately. If no mail is queued for routing, Domino ignores the Route command. Use the Tell Router Show command to check for messages pending for local delivery or to check for messages held because a mail file is over quota. To check which servers have mail queued, use this command at the console:
Tell Router show
Examples:
Route Marketing\Acme
Sends mail to the Marketing server in the Acme domain. The server console displays messages indicating when routing begins.
Route *
Sends mail to all pending destinations.
Route [$LocalDelivery]
Overrides the next scheduled retry time and attempts local delivery immediately.
Set Configuration
Syntax: Set Configuration setting
Description: Adds or changes a setting in the NOTES.INI file.
Tip You can also use the Domino Administrator to add or change many settings in the NOTES.INI file using the Configuration Settings document.
Example:
Set Configuration Names = Names,Westnames
Sets the NOTES.INI Names setting to specify that Domino search both the Names and the Westnames Domino Directories.
For more information about using the Configuration Settings document to set NOTES.INI settings, see the appendix "NOTES.INI File."
Set Rules
Syntax: Set Rules
Description: Reloads the server's mail rules, enabling new rules to take effect immediately. Server mail rules enable administrators to filter messages based on content in the message headers or body. At startup, the server retrieves these rules from the Configuration document and registers them as monitors on each MAIL.BOX database in use. The Server task checks to see if the server's mail rules need to be reloaded every 5 minutes. New rules take effect only after the server reloads the mail rules.
Set SCOS
Syntax: Set SCOS Databasename [Active | Inactive]
where Databasename is the full pathname to a shared mail database.
Description: Activates or deactivates a shared mail database. The Shared Mail tab of the Server document lets you specify the delivery status and availability for all shared mail databases in the directory. Using the Set SCOS command, you can change the availability of an individual shared mail database.
Example:
Set SCOS C:\LOTUS\DOMINO\DATA\SCOS1\SM000004.NSF INACTIVE
Prevents new messages from being deposited in the shared mail database SM000004.NSF. Users still have access to previously-delivered messages in the database.
Set Secure
Syntax: Set Secure currentpassword
Description: Password-protects the console. After you password-protect the console, you can't use the Load, Tell, Exit, Quit, and Set Configuration server commands or other programs that aren't run automatically through Program documents in the Domino Directory or through the NOTES.INI file until you enter the password. Console security remains in effect until you clear the password by entering a second Set Secure command with the same password. Even if the console is password-protected, keep the server physically secure to prevent breaches of security at the operating system level.
Examples:
Set Secure abracadabra
Password-protects the console if no password is currently in effect. In this case, the new password is abracadabra.
Set Secure abracadabra sesame
Changes the existing password abracadabra to sesame.
Set Secure abracadabra
If the console is already protected by a password (in this case, abracadabra), entering a second Set Secure command with the same password clears the password.
3. Do one of the following:
To set a password, select Set at the bottom of the box, then complete these fields, and click OK:
Field               Enter
Console Password    The password you want to set
Verify              The same password, again
To clear a password, select Clear at the bottom of the box, then under Password, enter the password and click OK.
To change a password, select Change at the bottom of the box, then under Password, enter the old password and click OK. Then complete these fields, and click OK:
Field       Enter
Password    The new password you want to set
Verify      The same, new password, again
Set Statistics
Syntax: Set Statistics statisticname
Description: Resets a statistic that is cumulative. Statisticname is a required parameter that names the statistic to be reset. You can't use wildcards (*) with this argument. For more information on monitoring statistics, see the chapter "Monitoring the Domino Server."
Example:
Set Stat Server.Trans.Total
Resets the Server.Trans.Total statistic to 0.
Show Agents
Syntax: Show Agents database name [-v]
Description: The Show Agents server command shows all agents available in the database. The verbose mode ([-v]) shows all agents and script libraries in the database as well as detail information on both.
Examples:
Show Agents DatabaseName.nsf
Show Agents -v DatabaseName.nsf
Show Allports
Syntax: Show Allports Description: Displays the configuration for all enabled and disabled ports on the server. Example: The following example shows the output that appears on the server console when you issue the Show Allports command.
Show Allports
Enabled Ports:
TCPIP=TCP,0,15,0,,12320,
SPX=NWSPX,0,15,0,,12320,
LAN0tcpip=NETBIOS,0,15,0,,12322,
LAN1nb=NETBIOS,3,15,0,,12322,
LAN2ipx=NETBIOS,7,15,0,,12322,
Disabled Ports:
LAN6=NETBIOS,6,15,0,,12320,
LAN8=NETBIOS,8,15,0,,12320,
COM1=XPC,1,15,0,,12326,38400,,hyaccv34.mdm,60,15
LAN1=NETBIOS, 1, 15, 0
LAN2=NETBIOS, 2, 15, 0
LAN4=NETBIOS, 4, 15, 0
LAN5=NETBIOS, 5, 15, 0
COM2=XPC,2,15,0,
COM3=XPC,3,15,0,
COM4=XPC,4,15,0,
COM5=XPC,5,15,0,
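Because Show Allports lists every enabled and disabled port, its output can be compared against the set of ports a server is expected to expose. The following Python script is an added example, not part of the Domino documentation: the sample text is the output shown above, only the port name and driver are interpreted (the remaining comma-separated values are kept as raw strings because this page does not define them), and the approved baseline is a hypothetical value.

```python
# Output copied from the Show Allports sample on this page.
SAMPLE_ALLPORTS = """\
Enabled Ports:
TCPIP=TCP,0,15,0,,12320,
SPX=NWSPX,0,15,0,,12320,
LAN0tcpip=NETBIOS,0,15,0,,12322,
LAN1nb=NETBIOS,3,15,0,,12322,
LAN2ipx=NETBIOS,7,15,0,,12322,
Disabled Ports:
LAN6=NETBIOS,6,15,0,,12320,
LAN8=NETBIOS,8,15,0,,12320,
COM1=XPC,1,15,0,,12326,38400,,hyaccv34.mdm,60,15
LAN1=NETBIOS, 1, 15, 0
LAN2=NETBIOS, 2, 15, 0
LAN4=NETBIOS, 4, 15, 0
LAN5=NETBIOS, 5, 15, 0
COM2=XPC,2,15,0,
COM3=XPC,3,15,0,
COM4=XPC,4,15,0,
COM5=XPC,5,15,0,
"""

# Hypothetical baseline: port name -> driver that is allowed to be enabled.
APPROVED_BASELINE = {"TCPIP": "TCP"}


def parse_allports(text):
    """Parse Show Allports output into {port: {"state", "driver", "fields"}}.

    "fields" holds the values after the driver, stripped but uninterpreted.
    """
    ports = {}
    state = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        lowered = line.lower()
        if lowered == "enabled ports:":
            state = "enabled"
            continue
        if lowered == "disabled ports:":
            state = "disabled"
            continue
        if state is None or "=" not in line:
            continue  # command echo or text outside a section
        name, _, value = line.partition("=")
        name = name.strip()
        values = [v.strip() for v in value.split(",")]
        if name in ports:
            raise ValueError(f"port {name!r} listed more than once")
        ports[name] = {"state": state, "driver": values[0],
                       "fields": values[1:]}
    return ports


def audit_ports(ports, approved):
    """Compare parsed ports with the approved baseline.

    Returns a list of (port_name, finding) tuples.
    """
    findings = []
    for name, info in sorted(ports.items()):
        if info["state"] != "enabled":
            continue
        if name not in approved:
            findings.append((name, "enabled but not in approved baseline"))
        elif approved[name] != info["driver"]:
            findings.append((name, "enabled with unapproved driver "
                                   + info["driver"]))
    for name in sorted(approved):
        if name not in ports:
            findings.append((name, "approved port missing from output"))
        elif ports[name]["state"] != "enabled":
            findings.append((name, "approved port is disabled"))
    return findings


if __name__ == "__main__":
    parsed = parse_allports(SAMPLE_ALLPORTS)
    for port, finding in audit_ports(parsed, APPROVED_BASELINE):
        print(f"{port}: {finding}")
```
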
Show Cluster
Syntax: Show Cluster
Description: Displays the local server's cluster name cache, which includes a list of all cluster members and their status, based on information received during the server's cluster probes. For more information on server clusters, see Administering Domino Clusters.
Example: This example displays the cluster name cache of the Mars server, which is in the Planets cluster, which is in the Solarsys domain.
Show Cluster
Cluster Information
Cluster name: planets/solarsys, Server name: mars/solarsys
Server cluster probe timeout: 1 minute(s)
Server cluster probe count: 2604
Server cluster probe port: NetBEUI
Server availability threshold: 10
Server availability index: 98 (state: AVAILABLE)
Show Configuration
Syntax: Show Configuration setting Description: Displays the current value for a NOTES.INI setting. Use the Show Configuration and Set Configuration server commands together to ensure that you correctly set the NOTES.INI settings. Wildcards are allowed.
Examples:
Show Configuration Domain
Displays the server's domain.
Show Configuration *
Displays all the configuration information for the server.
Show Configuration ????
Displays any variable that is exactly 4 characters long.
Show Directory
Syntax: Show Directory
Description: Lists all database files (for example, NSF and NTF) in the data directory and specifies whether the data directory contains multiple replicas of a database. This command works only for the data directory; you can't specify another directory.
Tip From the Domino Administrator, click the Files tab to view a list of all database files in the data directory.
You can also use the Show Directory command to check which databases have transactional logging enabled. To see only logged databases, enter this command at the console:
show dir *log
Show Diskspace
Syntax: Show Diskspace location
Description: Displays the amount of space, in bytes, available on the disk drive (Windows NT), or file system (UNIX). If you do not specify a location, Domino displays the space available on the disk or file system containing the Domino program directory. If available disk space is low (for example, under 10MB), free up disk space by deleting documents, databases, and other files that you don't need.
Domino servers installed on Windows NT 3.51 servers and using TCP/IP and Netbios can't see mapped drives on another NT server using the Show Diskspace command at the Domino server prompt. In order for the Show Diskspace command to work, one of the following conditions must be met:
Run the Domino server as an application
Run the Domino server as an NT server task
Note The Domino server starts before drives are mapped. Therefore, when you use the command, the drives aren't visible. To see the mapped drives, stop and restart the Domino server or put the Domino server in the Startup group. Domino makes calls to the network redirector on the system it's on. In this environment, NT will provide this service (there is no Netware redirector). In a NetWare environment, a Domino server can see the disk space on a network mounted drive if it is logged onto a NetWare file server.
Tip You can also display the amount of available space by using the Domino Administrator. From the Domino Administrator, click the Files tab. If necessary, click Tools, and then from the tool bar, click Disk Information.
Examples: How you enter the Show Diskspace command depends on the server's operating system. On a Windows 2000 or Windows NT server, enter this command to display available space on Drive C:
Show Diskspace C
On a UNIX server, enter this command to display available space in the /USR directory of a file system:
Show Diskspace /USR
On a UNIX server, enter this command to display available space in the current directory:
Show Diskspace
Show Heartbeat
Syntax: Show Heartbeat
Description: The Show Heartbeat server command indicates whether the server is responding.
Example:
Show Heartbeat
The server responds with a message such as:
elapsed time: #### seconds
Show Memory
Syntax: Show Memory
Description: The Show Memory server command displays the amount of RAM available on a server, plus the amount of swap memory available on the boot drive of the Domino server. If the number shown here and the number shown when you enter a Show Diskspace command are almost equal, the server may need more RAM.
Examples:
Show Memory
The server responds with a message such as:
Memory Available (including virtual): 5776K bytes
Show Opendatabases
Syntax: Show Opendatabases
Description: The Show Opendatabases server command displays a list of the open databases on the server as well as the statistics shown in the example below.
Example:
Show Opendatabases
Returns a list of databases in the format shown below:
Database Name | Opens | Modified | File Handles | Sem Waits | Avg Wait (ms) | Waiters | Max Waiters
Show Performance
Syntax: Show Performance Description: Displays the per minute user/transaction values when the Domino Server is running. To stop showing performance, enter Show Performance a second time.
Show Port
Syntax: Show Port portname
Description: Displays traffic and error statistics and the resources used on the network adapter card or communications port. portname can be any configured port, for example, LAN0tcpip, SPX, LAN1nb, LAN2ipx, TCPIP, COM1, or COM2.
Tip To check port status from the Notes workstation program, choose File - Preferences - Notes Preferences - Ports. Highlight the port and select Show Status. To check the port status from the Domino Administrator, click the Server - Status tab, and then click Servers - Port Information. Highlight the port, and select Show Status.
Example:
Show Port LAN0tcpip
Displays the status of LAN0tcpip. As information appears, press PAUSE to stop the scrolling, and press ENTER to resume scrolling. Note that using PAUSE at the console stops server operation. Users can't access the server until you resume the display.
Show Schedule
Syntax:
Show Schedule servername/taskname/destination
Show Schedule -argument
Description: Shows the next time that a server task runs. Output includes the type of task and the time it next runs. If you enter a location as an argument, the workstation replication schedule for that destination appears.
Arguments:
-Agents
Shows which agents are scheduled to run next
-Replication
Shows the next scheduled replication time and the replication type
-Mailrouting
Shows the next scheduled mail routing time
-Programs
Shows which programs are scheduled to run
Examples:
Show Schedule
Displays a list of all scheduled tasks
Show Schedule Fixup
Shows when the Fixup task is scheduled to run next
Show Schedule -Mailrouting
> sh sched -mail
Scheduled    Type    Next schedule
CN=Masterlock/OU=Server/O=Web Mail Routing
CN=MServer0/OU=Server/O=Webadmi Mail Routing
xTest1 08/02/2002 02:00:00 PM Mail Routing
Show SCOS
Syntax: Show SCOS [All]
Description: Shows single copy object store (shared mail) information and reloads the shared mail configuration.
Examples:
SHOW SCOS
Displays summary information about the configured shared mail directories. Sample output:
Shared mail: Enabled for delivery and transfer
Directory                      Availability         Requested   Actual   Max Size
c:\lotus\domino\data\scos1     open for delivery    5           5        2048
c:\lotus\domino\data\shared    open for delivery    3           6        9000
Totals                                              8           11       11048
SHOW SCOS ALL
Displays information about each shared mail database within a configured directory, as well as summary information about each shared mail directory. Sample output:
Directory: c:\lotus\domino\data\scos1 - open for delivery
Number of delivery databases requested: 5. Number of databases: 5
Maximum Directory Size: 2048 MB
Database        Availability   State     Size
sm000001.nsf    Active         Enabled   14.68 MB
sm000002.nsf    Active         Enabled   0.37 MB
sm000003.nsf    Active         Enabled   0.37 MB
sm000004.nsf    Active         Enabled   0.37 MB
sm000005.nsf    Active         Enabled   14.68 MB
Total Database Disk Size in Directory: 30.50 MB
Total Database Disk Available in Directory: 2017.50 MB
Total Database Internal Free Space for Directory: 0.33 MB
Show Server
Syntax: Show Server Description: Shows server status information including the server name, data directory on the server, time elapsed since server startup, transaction statistics, and the status of shared, pending, and dead mail. Tip To view server information from the Domino Administrator, open the Domain bookmark in the bookmark bar on the left, right click on a server, and then choose Server Properties.
Output: Server name
Description: Name you gave to the server during the setup procedure.
Output: Server directory
Description: Directory where the Domino data files are stored.
Output: Elapsed time
Description: Days, hours, minutes, and seconds since the server was started.
Output: Transactions
Description: Total number of times the server was used since the server started. Transactions include: opening a database, closing a database, writing to a database, routing mail to a database, and reading from a database.
Output: Transactions/minute
Description: Total number of transactions on this server in the past minute and the past hour. Peak is the highest number of transactions per minute since the server started.
Output: Peak # of sessions
Description: Maximum number of sessions (users and servers connected at one time) since the server started.
Output: Pending mail
Description: Number of mail documents waiting to be routed to other servers and users.
Output: Dead mail
Description: Number of undeliverable mail documents that have been returned to the server. If there are any dead mail documents, check MAIL.BOX to release them.
Description: The database server performs remote database operations and all client transactions, such as opening, closing, reading, and writing to Notes databases; performing console commands; and listening on serial and network ports for user requests to connect to a specific database.
Replicator
Description: The Replicator performs database replication between this server and other servers and workstations. The Replica task runs the Replicator.
Router
Description: The Router routes mail between users on this server and on other servers. The Router task runs the Router.
Indexer
Description: The Indexer builds indexes, or views, of all databases and keeps track of changes to databases. The Update task runs the Indexer.
Show Stat
Syntax: Show Stat statisticname
Description: Used without the optional statisticname argument, displays a list of server statistics for disk space, memory, mail, replication, and network activity. To display a single statistic, enter the name of the statistic as the optional argument. To display only a subset of statistics, add a group of statistics as an optional argument by using an asterisk (*) as a wildcard. You can enter this command at the server console to display statistics for the local server or at the remote server console to display statistics for a remote server. For more information on statistics, see the chapter "Monitoring the Domino Server."
Tip To view server statistics from the Domino Administrator, click the Server - Statistics tab.
Examples:
Show Stat
Displays a complete list of statistics
Show Stat Database
Displays statistics for all statistics of the type Database.x.x
Show Stat Disk.C.*
Displays all disk statistics for drive C
For a list of statistics, see the Advanced - Names & Messages - Statistic Names view of the Monitoring Configuration database (EVENTS4.NSF).
For more information on platform statistics, see the chapter "Monitoring the Domino Server."
Examples:
Show Stat Platform
Displays a complete list of platform statistics
Show Stat platform.logicaldisk.*
Displays all the platform statistics in the logical disk group
To display a single statistic, enter the name of the statistic as the optional argument instead of the wildcard (*). For a list of all platform statistics, see the Advanced - Names & Messages - Platform Statistic Names view of the Monitoring Configuration database (EVENTS4.NSF).
Show Tasks
Syntax: Show Tasks Description: Displays the tasks on the server, and describes the activity of the task. Idle tasks are indicated. Example: Show Tasks displays the task activity or idle, such as the following sample output.
Agent Manager       Executive '1': Idle
HTTP Server         Listen for connect requests on TCP Port:80
SMTP Server         Control task
Schedule Manager    Idle
LDAP Server         Control task
Tip You can also use the Domino Administrator to view a list of active tasks. From the Domino Administrator, click the Server - Status tab.
Show Transactions
Syntax: Show Transactions
Description: When the Domino Server is running, displays the following for each type of transaction: the total number of NRPC transactions (Count), the minimal duration of the transaction (Min), the maximum duration of the transaction (Max), the total time to perform all transactions (Total), and the average time to perform the transaction (Avg). All times are reported in milliseconds. This command identifies transactions that require excessive amounts of time.
Note For Internet Protocol Servers (for example, SMTP, POP3, IMAP, HTTP), use the Show Stat command to monitor statistics. For example, enter these commands at the server console:
SH STAT SMTP
SH STAT POP3
SH STAT IMAP
SH STAT LDAP
SH STAT Domino (for HTTP Server stats)
SH STAT DIIOP
Show Users
Syntax: Show Users
Description: Displays a list of all users who have established sessions with the server, whether the users are actively working in databases or not, the names of databases that each user has open, and the elapsed time, in minutes, since the databases were last used.
Tip You can also use the Domino Administrator to view the status of active users. From the Domino Administrator, click Server - Status. Then select Database Users. A list of users displays in the middle panel.
Example:
Show Users
Displays user information, for example:
User name       Databases open      Minutes since last used
Susan Salani    MAIL\SSALANI.NSF    6
Alan Jones      NAMES.NSF           4
Derek Malone    MAIL\DMALONE.NSF    11
Show Xdir
Syntax: Show Xdir
Description: Provides information about each directory a server last used for name resolution. The output displays the following columns of information.
DomainName
The DomainName column displays the name of the domain in which a directory resides. If a directory is configured in the directory assistance database, the "Domain Name" field in the Directory Assistance document for the directory determines the directory's domain name.
DirectoryType
The DirectoryType column shows the type of directory. A directory can be one of these types:
Primary: Primary Domino Directory stored locally
Configuration: Configuration Directory stored locally
Remote Primary: Primary Domino Directory stored remotely used by a server with a Configuration Directory
Secondary: Extended Directory Catalog, secondary Domino Directory, or remote LDAP directory configured in the directory assistance database.
The DirectoryType column also shows the type of domain a directory is within (Notes or LDAP). If a directory is a remote LDAP directory configured in the directory assistance database, the directory type is LDAP. Any Domino Directory or Extended Directory Catalog is the directory type Notes.
ClientProtocol
The ClientProtocol column displays the client protocol, Notes and/or LDAP, for which the directory is enabled. For a directory configured in a directory assistance database, the value of the "Make this domain available to" field in the Directory Assistance document for the directory determines what appears in this column. This column always shows Notes for a Configuration Directory. Usually a Primary or Remote Primary directory shows Notes & LDAP as the client protocols. An exception is if the primary directory is configured through directory assistance and is disabled for LDAP clients; in this case only Notes shows as the enabled client protocol.
Replica/LDAP Server
The Replica/LDAP Server column shows:
The file name of a local Domino Directory
Server path and file name of a Domino Directory accessed over the network
The host name of a remote LDAP directory server and the port used
Note If a server uses a condensed Directory Catalog, Show Xdir also displays the text "Directory Catalog filename in use," where filename is the file name of the local directory catalog.
Following are examples of the output that appears on the server console when you issue the Show Xdir command.
Example 1 This example shows output on a server that uses a local primary Domino Directory, two secondary Domino Directories (one of which is a local Extended Directory Catalog), and one remote LDAP directory.
Example 2 This example shows output on a server that uses a Configuration Directory, a remote primary Domino Directory, and an Extended Directory Catalog accessed over the network.
Start Consolelog
Syntax: Start Consolelog
Description: Enables output to the console log file.
Example: Start Consolelog
The Start Consolelog and the Stop Consolelog server commands enable and disable console logging just as the NOTES.INI variable CONSOLE_LOG_ENABLED does. The difference between the server console commands and the NOTES.INI settings is that the console commands are in effect for the current server session only, whereas the NOTES.INI settings are permanent and take effect each time the server is started.
For more information on CONSOLE_LOG_ENABLED, see the appendix NOTES.INI File.
Start Port
Syntax: Start Port portname
Description: Enables transactions (or messages) on the specified port. Use this command after you disable the port with the Stop Port command.
Example: Start Port TCP
Enables the port named TCP.
Stop Consolelog
Syntax: Stop Consolelog
Description: Disables output to the console log file.
Example: Stop Consolelog
The Start Consolelog and the Stop Consolelog server commands enable and disable console logging just as the NOTES.INI variable CONSOLE_LOG_ENABLED does. The difference between the server console commands and the NOTES.INI settings is that the console commands are in effect for the current server session only, whereas the NOTES.INI settings are permanent and take effect each time the server is started.
For more information on CONSOLE_LOG_ENABLED, see the appendix NOTES.INI File.
Stop Port
Syntax: Stop Port portname
Description: Disables transactions (or messages) on the specified port. This command allows you to make changes to the port that take effect immediately without stopping the Domino server. When you're finished making changes to the port, use the Start Port command to re-enable it. To see a list of ports you can disable, issue the console command Show Configuration.
Example: Stop Port TCP
Disables the port named TCP.
Tell
Syntax: Tell serverprogram
Description: Issues a command to a server program or task. The command is especially useful for stopping a server task without stopping the server.
Note Most server commands support the arguments -? and /? to display online help. For example, you could enter one of these to obtain help for the server command Tell Amgr:
Tell Amgr -?
Tell Amgr /?
Example: Tell Router Quit
Stops only the Router task. All other tasks on the server continue to run.
For more information on these Tell commands, see the appropriate sections below.
Command: Tell Adminp Process Interval
Result: Processes all immediate requests and all requests that are usually processed according to the Interval setting in the Server document.
Command: Tell Adminp Process New
Result: Processes all new requests.
Command: Tell Adminp Process People
Result: Processes all new and modified requests to update Person documents in the Domino Directory.
Command: Tell Adminp Process Time
Result: Processes all new and modified requests to delete unlinked mail files.
Command: Tell Adminp Show Databases
Result: Displays (and records in the server's log file) this information:
The databases that a particular administration server updates
The locations in the database where it updates Reader and Author fields in the databases it updates
The databases that don't have an administration server assigned to them
Command: Tell Adminp Quit
Result: Stops the Administration Process on a server.
Result
Runs the agents that you designate with these arguments: db name agent name
Example: Tell Amgr Run DatabaseName.nsf AgentName
Pauses scheduling of agents.
Stops the Agent Manager on a server.
Shows the schedule for all agents scheduled to run for the current day. In addition, the command shows the agent trigger type, the time the agent is scheduled to run, the name of the agent, and the name of the database on which the agent runs. Checking the Agent Manager schedule lets you see if an agent is waiting in one of the Agent Manager queues.
Agent Manager queues:
E - Agents eligible to run
S - Agents scheduled to run
V - Event-triggered agents waiting for their events to occur
Trigger types:
S - Agent is scheduled to run
M - Agent is a new mail-triggered agent
U - Agent is a new/updated document-triggered agent
This command shows a snapshot of the Agent Manager queues and displays the Agent Manager settings in the Server document.
Result Display a list of pending certificate requests, revocation requests, and configuration modification requests for a specific certifier, using its number from the results of the tell ca status command. You can also use * to show this information for all certifiers that are using the CA process.
Command: tell ca activate certifier number password
Result: Activate a certifier if the certifier is created with "Require password to activate certifier", or use this for any certifier that has been deactivated. Activation is enabled during CA password setup and creation. Activate a specific certifier by entering its number from the results of the tell ca status command. Or you can unlock all server ID/password-protected certifiers at one time with this command, if you specify * for the certifier number. The CA process then prompts you for the password for each certifier.
Command: tell ca deactivate certifier number
Result: Deactivate a certifier. You will need to activate it again in order for it to process any request. Use * to deactivate everything, or deactivate a specific certifier by entering its number from the results of the tell ca status command.
Command: tell ca lock idfile
Result: Lock all certifiers that were set up with a lock ID, as specified during CA setup.
Command: tell ca unlock idfile password
Result: Unlock all certifiers using the ID and password that comprise the lock ID. The lock ID is specified during CA setup.
Command: tell ca CRL issue certifier number
Result: Issue a non-regular CRL for a specific certifier, where certifier number is the number of the certifier specified in the results of the tell ca status command.
Command: tell ca CRL push certifier number
Result: Push a certifier's latest regularly scheduled CRL to the Domino Directory, where certifier number is the number of the certifier specified in the results of the tell ca status command.
Command: tell ca CRL info certifier number [s/S/n/N]
Result: Display CRL information for a specified certifier, where certifier number is the number of the certifier specified by the tell ca status command. Use s or S for regularly scheduled CRLs, and n or N for non-regularly scheduled CRLs.
Command: tell ca refresh
Result: Force the CA process to refresh its list of certifiers. As a result:
newly configured certifiers will be added to the CA process
previously unlocked certifiers will need to be unlocked again
previously activated certifiers may need to be activated again, if the activation password has changed
the Notes certifier ID file in idstorage will be updated with the latest certificate information
Command: tell ca help
Result: List tell ca options
Command: plug-in command
Result: Attempts to issue the command to the named plug-in, if it exists and is running.
Command: reset
Result: Resets the internal lookup caches.
Command: control process
Result: Requests the PlanControl (control) plug-in to process and check all plans.
Command: Tell Clrepl Quit
Result: Stops all instances of the Cluster Replicator on a server. To prevent the Clrepl task from running in future sessions, remove all instances of the Clrepl task from the ServerTasks setting in the NOTES.INI file. Disabling the Clrepl task on one server only prevents replication from that server to other servers; it doesn't prevent replication to the server from other cluster servers.
Result
This command determines the amount of information that DIIOP logs about its operation. Valid values for n are as follows:
0 - Show Errors & Warnings only
1 - Also show informational messages
2 - Also show session init/term messages
3 - Also show session statistics
4 - Also show transaction messages
The setting of this command is saved in the NOTES.INI variable DIIOPLogLevel. Any change that is made to the DIIOP log level will be used the next time the server is restarted.
Use this command to reload the configuration data that DIIOP is using from the Domino Directory and from notes.ini. By default DIIOP incorporates changes from the Domino Directory every 3 minutes or as often as specified in the NOTES.INI parameter:
DIIOPConfigUpdateInterval
The Refresh command will force DIIOP to look for changes in the configuration and apply them immediately.
Tell DIIOP Show Users
Or
Tell DIIOP Show Users D
Show all the current active users known to the DIIOP task. This list is similar to the server console command show tasks but it includes more information. When D is appended to this Tell command, the list of current users also includes the databases each user has open, along with a count of objects that are in use.
Example:
tell diiop show users d UserName IdleTime ConnectTime Anonymous 0:00 0:00 ClientHost SessionId
perf/user1.nsf Objects in use: Databases: 1 Documents:0 Items: 0 Others: 0 Users: 1, Network Connections: 1
Result Verifies that each component of a distinguished name in a directory that is visible through Notes has an entry in the directory that represents the component as an object class. If the LDAP service finds a component of a distinguished name without a corresponding object class entry, it creates an appropriate entry for the object class in the hidden view ($LDAPRDNHIER). Creating such entries ensures that LDAP clients can successfully use an object class in a search filter to search for any entry in the directory. Also purges duplicate entries in the directory. Runs on any primary, central, or secondary Domino Directory or Extended Server Directory Catalog for which the server running the LDAP service is the administration server.
Command: Tell Router Show Queues
Result: Shows mail held in transfer queues to specific servers and mail held in the local delivery queue.
Command: Tell Router Exit
Result: Stops the Router task on a server.
Result
Updates the server's routing tables to immediately modify how messages are routed. This removes the 5 minute delay before a Router configuration change takes effect. To determine the best route for delivering a message to its destination, the Router creates routing tables, which map a path to the destination. The routing table derives information from variables in the NOTES.INI file and from the Configuration Settings, Domain, Connection, and Server documents in the Domino Directory. The command does not update the routing tables with changes made to the Global Domain document. By default, the Router automatically refreshes its configuration every 5 minutes to absorb changes made in its sources. In previous versions of Domino, you had to restart the Router task to update the routing tables after making changes in the source documents. The command is case insensitive.
Stops the Router task on a server.
Result
Immediately validates a free time database on a server. Validation occurs by default at 2 AM; however, you can use this command to force it to occur sooner. Another way to force validation is to stop and restart the Schedule Manager. Validation can take some time. You must issue this command at all servers where mail files have been removed and/or added to ensure that old free time information is removed and new free time information is added to the free time database on the server. Don't use this command when you add a new user. The Administration process creates Person documents for users in the Domino Directory before creating their mail file on their mail server. Schedule Manager watches for database creations and automatically picks up new users' mail files.
Validates the information for the specified user. This command is faster than using the Tell Sched Validate command because it allows you to validate individual users, rather than validating all of the data on a server.
Stops the Schedule Manager task on a server.
Command: Tell HTTP Refresh
Result: Refreshes the Web Server before the normal refresh. You can specify the refresh cycle interval in the Server document. During a Web Server refresh cycle, all of the configuration information contained in the Web Site documents, and documents attached to Web Site documents (file protection, authentication realms, and rules) is updated on the server.
Command: Tell HTTP Restart
Result: Refreshes the Web server with changes made to settings in the:
Server document for the Web Server
File Protection, Virtual Server, and URL Mapping documents in the Domino Directory
NOTES.INI file that affects the HTTP server task
HTTPD.CNF and BROWSER.CNF files
Changes to Java servlets or the servlets.properties file
This command produces the same results as stopping and restarting the Web Server. However, this Tell command is faster than stopping and restarting because when you use the Tell command, the HTTP server task remains in memory. All outstanding HTTP requests are processed before the HTTP task restarts; however, no HTTP requests are processed during restart. This command deletes the in-memory page and user-authentication caches.
Command: Tell HTTP Show File Access
Result: Displays information about file system protection on the machine, and on virtual servers, if you set up virtual servers on the machine.
Command: Tell HTTP Show Security
Result: Displays information about SSL and the server key ring file, including information about whether the server started SSL on the machine. Displays information about SSL for virtual servers if you set up virtual servers on the machine.
Result: Displays the names of users, their IP addresses, and the session expiration time for users authenticated with session-based authentication. Servers participating in single sign-on, configured for multi-server session-based authentication may not report sessions accurately using this command. If the authentication cookie originates from the current server, displays the user name, IP address, and session expiration time for that web server. If the authentication cookie does not originate on the current server, does not display session information for users. After a user logs out, this command continues to display the cookie as valid on the server. The session is still valid even though the user has ended the session.
Result: Displays a list of virtual servers running on the machine.
Result: Stops the Web Server task.
Trace
Syntax: Trace servername
Description: Use the Trace command to test a connection to a server. This command shows detailed information about each server hop and is useful in troubleshooting network connection problems. This command works the same way as Trace connections, when you choose File Preferences - Notes Preferences in the Notes client.
To trace a path to a server, enter:
Trace servername
When you attempt to connect to a server, network trace information automatically appears on the status bar of a Notes workstation or on the server console, depending on where you initiated the connection attempt. You can use the NOTES.INI Console_LogLevel setting to control the level of detail that messages on the status bar contain. Trace information is recorded in the log file (LOG.NSF). For more information on tracing connections, see the chapter Setting up Server-to-Server Connections. For more information on the Console_LogLevel setting, see the appendix NOTES.INI File.
where taskname is the name of the server task that you want to run.
In a Program document
To run a task on a server at a regularly scheduled time or at server startup, create a Program document in the Domino Directory. You can also use a Program document to run a UNIX shell script or program, or an API program. If you create a UNIX shell script or API program, you can use any of these characters for the name: A - Z, 0 - 9, & - . _ ' / (ampersand, dash, period, space, underscore, apostrophe, forward slash). Do not use \ (backslash) or any other characters because this can cause unexpected results.
1. From the Domino Administrator, open the Domino Directory. Go to the Servers view, and open the Server document.
2. Choose Create - Server - Program.
3. On the Basics tab, complete these fields:
Field: Program name
Enter: The name of the server task you want to run.
Field: Command line
Enter: The command that starts the task, including any arguments to the command.
Field: Server to run on
Enter: The full hierarchical name of the server on which to run the task.
Field: Comments
Enter: A program description or additional information.
5. (Optional) Click Administration, and then enter the names of additional owners/administrators.
6. Close and save the document.
Tip To view all tasks scheduled to run on a server, use the Show Schedule command.
For more information, see the appendix Server Commands.
Administration Process AdminP
Agent manager AMgr
Billing Billing
Calendar Connector Calconn
CA process
Processes requests for free-time information from another server. ServerTasks
Automates a variety of server-based certificate authority tasks.
Updates the database catalog. ServerTasks
ca
Cataloger
Catalog
Command to run task, Description
runjava ChangeMan Runs the Change Manager addin task which manages large-scale changes within the domain.
Chronos Updates full-text indexes that are marked to be updated hourly, daily, or weekly.
Oversees the correct operation of all components of a cluster.
Chronos
None
Cluster Administration Process (R4/R5 only) Cladmin
Cluster Database Directory Manager Cldbdir
Cluster Replicator
Database compactor
None
Updates the cluster database directory and manages databases with cluster-specific attributes.
Performs database replication in a cluster.
Compacts all databases on the server to free up disk space.
Locates and fixes corrupted databases.
None
Clrepl Compact
Updates all databases to reflect changes to templates. ServerTasksAt1
Allows Java applets/applications to access Domino data remotely using CORBA.
Populates directory catalogs and keeps the catalogs up-to-date. ServerTasks
Dircat
None
Domidx
Creates a central, full-text index for all specified databases and file systems in a domain. Runs only on Domain Catalog servers. None
Monitors events on a server. None
Enables a Domino server to act as a Web server so browser clients can access databases on the server. None
Event HTTP
Enables a Domino server to act as a maildrop for IMAP clients. None
Updates all changed views and/or full-text indexes for all databases. ServerTasksAt2
Provides failover and workload balancing for HTTP clients (Internet browsers) that access Domino Web servers. None
Sends server and mail probes and stores the statistics. ServerTasks
Enables a Domino server to provide LDAP directory services to LDAP clients. ServerTasks on administration server for the Domino Directory; None on other servers
MTC
MTC
Reads log files produced by the router and writes summary data about message traffic to a database for message tracking purposes. ServerTasks
Performs maintenance activities on databases and mail files that use shared mail. ServerTasksAt3=Object Info -Full
Enables a Domino server to act as a maildrop for POP3 clients. None
Replicates databases with other servers. ServerTasks
Reports statistics for a server. None
Routes mail to other servers. ServerTasks
Runs Java server add-in tasks such as the Change Manager and ISpy. None; used only with the name of another add-in task, never appears by itself
ServerTasks
Object
Schedule manager
Sched
SMTP Listens for incoming SMTP connections, enabling Domino to receive mail from other SMTP hosts.
SNMP QuerySet QurySet Allows Domino to respond to Simple Network Management Protocol (SNMP) requests. Prerequisite: Domino SNMP Agent (LNSNMP). None
Allows Domino to issue SNMP traps for Domino events. Prerequisite: Domino SNMP Agent (LNSNMP). None
Collects statistics for multiple servers. None
Interceptor
Intrcpt
Records database activity in the log file. ServerTasksAt5
Generates statistics for a remote server on demand. ServerTasks
Implements the HTTP protocol to retrieve Web pages and convert them into Notes documents. None
Admin
Syntax: Admin=username
Description: Specifies the user name of the server administrator. Enter each part of the name in canonical format, separated by a slash (/), where:
CN is the common name
OU is the organization unit
O is the organization
C is the country code
For example: Admin=CN=John Smith/OU=Marketing/O=Acme
Applies to: Servers
Default: None
UI equivalent: The Administrators field in the Server document in the Domino Directory
Allow_Access
Syntax: Allow_Access=names
Description: Specifies servers, users, and groups that can access a server. You must specify a hierarchical name in hierarchical format, for example, Alice Jones/Acme. An asterisk represents everyone listed in the Domino Directory. An asterisk followed by a view name represents everyone listed in that view of the Domino Directory. An asterisk followed by a slash (/) and a hierarchical certifier's name represents everyone certified by that certifier. The Deny_Access setting overrides the Allow_Access setting.
For more information on the Deny_Access setting, see the topic Deny_Access later in this chapter.
Applies to: Servers
Default: None
UI equivalent: The Access Server field in the Security tab of the Server document in the Domino Directory. The Server document takes precedence over the NOTES.INI setting. Domino uses the Allow_Access setting only if the Access Server field is empty.
Allow_Access_portname
Syntax: Allow_Access_portname=names
Description: Specifies servers, users, and groups that can access a server port. The portname parameter indicates the name of the port you enabled in the Port Setup dialog box and in the Server document. An asterisk represents everyone listed in the Domino Directory. An asterisk followed by a view name represents everyone listed in that view of the Domino Directory. An asterisk followed by a slash (/) and a hierarchical certifier's name represents everyone certified by that certifier.
For example: Allow_Access_lan3=*
All users listed in the Domino Directory can use the LAN3 port on this server.
Applies to: Servers
Default: None
UI equivalent: None
Allow_Passthru_Access
Syntax: Allow_Passthru_Access=names
Description: Specifies servers, users, and groups that can access this server using passthru. If you do not specify a name, no one can access this server using passthru. An asterisk represents everyone listed in the Domino Directory. An asterisk followed by a view name represents everyone listed in that view of the Domino Directory. An asterisk followed by a slash (/) and a hierarchical certifier's name represents everyone certified by that certifier.
For example: Allow_Passthru_Access=*
All users listed in the Domino Directory can access this server using passthru.
Applies to: Servers
Default: None
UI equivalent: The Access this server field in the Passthru Use section of the Security tab of the Server document in the Domino Directory. If a conflict exists between the NOTES.INI setting and the Server document, the Server document takes precedence.
Allow_Passthru_Callers
Syntax: Allow_Passthru_Callers=names
Description: Specifies servers, users, and groups that can instruct this server to establish a connection to call a destination server. If you do not enter a name, no calling is allowed. An asterisk represents everyone listed in the Domino Directory. An asterisk followed by a view name represents everyone listed in that view of the Domino Directory. An asterisk followed by a slash (/) and a hierarchical certifier's name represents everyone certified by that certifier.
Applies to: Servers
Default: None
UI equivalent: The Cause calling field in the Passthru Use section of the Security tab of the Server document. If a conflict exists between the NOTES.INI setting and the Server document, the Server document takes precedence.
Allow_Passthru_Clients
Syntax: Allow_Passthru_Clients=names
Description: Specifies servers, users, and groups that can use a passthru server to connect to this server. If you do not specify a name, passthru is not allowed. An asterisk represents everyone listed in the Domino Directory. An asterisk followed by a view name represents everyone listed in that view of the Domino Directory. An asterisk followed by a slash and a hierarchical certifier's name represents everyone certified by that certifier.
Applies to: Servers
Default: None
UI equivalent: The Route through field in the Passthru Use section of the Security tab of the Server document. If a conflict exists between the NOTES.INI setting and the Server document, the Server document takes precedence.
Allow_Passthru_Targets
Syntax: Allow_Passthru_Targets=names
Description: Specifies the destination servers that this server can connect to using passthru. If you do not specify a name, this server can route to all servers.
Applies to: Servers
Default: None
UI equivalent: The Destinations allowed field in the Passthru Use section of the Security tab of the Server document. If a conflict exists between the NOTES.INI setting and the Server document, the Server document takes precedence.
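The wildcard forms and defaults described for the Allow_Access and Allow_Passthru settings above can be reviewed mechanically. The following Python audit is an added example, not part of the original documentation; the sample NOTES.INI contents, the comma as entry separator, and the function names are assumptions. Because the Server document takes precedence, the findings describe only the NOTES.INI values.

```python
import re

# Constructed NOTES.INI fragment for illustration; not taken from a real server.
SAMPLE_INI = """\
[Notes]
Allow_Access=*/Acme, Alice Jones/Acme
Allow_Access_lan3=*
Allow_Passthru_Access=*
Allow_Passthru_Clients=*Passthru Users
Deny_Access=Alice Jones/Acme
"""

# Settings whose value is a list of servers, users and groups.
NAME_LIST = re.compile(
    r"^(allow_access(_\w+)?|allow_passthru_(access|callers|clients))$")


def parse_ini(text):
    """Return {lowercased setting: value}; the first occurrence of a key is kept."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or "=" not in line:
            continue  # blank lines and section headers such as [Notes]
        key, value = line.split("=", 1)
        settings.setdefault(key.strip().lower(), value.strip())
    return settings


def split_names(value):
    """Split a names value into entries (assumption: comma-separated)."""
    return [n.strip() for n in value.split(",") if n.strip()]


def scope(entry):
    """Describe who a wildcard entry admits, or None for an explicit name."""
    if entry == "*":
        return "everyone in the Domino Directory"
    if entry.startswith("*/"):
        return "everyone certified by " + entry[1:]
    if entry.startswith("*"):
        return "everyone in view " + entry[1:]
    return None


def audit(settings):
    """Return a list of (setting, message) findings."""
    findings = []
    for key, value in settings.items():
        if not NAME_LIST.match(key):
            continue
        for entry in split_names(value):
            wide = scope(entry)
            if wide:
                findings.append((key, f"'{entry}' grants {wide}"))
    # An empty or missing target list lets this server route to all servers.
    if not split_names(settings.get("allow_passthru_targets", "")):
        findings.append(("allow_passthru_targets",
                         "no destinations listed: passthru can route to all servers"))
    # Deny_Access overrides Allow_Access, so an overlapping allow entry has no effect.
    denied = {n.lower() for n in split_names(settings.get("deny_access", ""))}
    for entry in split_names(settings.get("allow_access", "")):
        if entry.lower() in denied:
            findings.append(("allow_access",
                             f"'{entry}' is also in Deny_Access, which overrides it"))
    return findings


if __name__ == "__main__":
    for setting, message in audit(parse_ini(SAMPLE_INI)):
        print(f"{setting}: {message}")
```
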
AMgr_DisableMailLookup
Syntax: AMgr_DisableMailLookup=value
Description: By default, a mail-triggered agent performs a mail lookup of the user who last modified it. It only runs if the server running the agent is also the user's mail server. When users create or modify a mail-triggered agent on a server other than their own mail server, you can use this setting on the server to disable mail lookup so that the agent can run. Notes displays the message "Unable to determine the execution access privileges" for the user if the mail server cannot be reached.
0 - Perform mail lookups when running mail-triggered agents
1 - Do not perform mail lookups when running mail-triggered agents
Applies to: Servers and workstations
Default: None. Without this setting, mail-triggered agents perform mail lookups.
UI equivalent: None
AMgr_DocUpdateAgentMinInterval
Syntax: AMgr_DocUpdateAgentMinInterval=number of minutes
Description: Specifies the minimum elapsed time, in minutes, between the execution of the same document update-triggered agent.
Applies to: Servers and workstations
Default: 30
UI equivalent: None, although you can specify this setting in the NOTES.INI Settings tab of the Configuration Settings document in the Domino Directory.
AMgr_DocUpdateEventDelay
Syntax: AMgr_DocUpdateEventDelay=number of minutes
Description: Specifies the delay time, in minutes, that the agent manager schedules a document update-triggered agent after a document update event.
Applies to: Servers and workstations
Default: 5
UI equivalent: None, although you can specify this setting in the NOTES.INI Settings tab of the Configuration Settings document in the Domino Directory.
AMgr_NewMailAgentMinInterval
Syntax: AMgr_NewMailAgentMinInterval=number of minutes
Description: Specifies the minimum elapsed time, in minutes, between execution of the same new mail-triggered agent.
Applies to: Servers and workstations
Default: 0
UI equivalent: None, although you can specify this setting in the NOTES.INI Settings tab of the Configuration Settings document in the Domino Directory.
AMgr_NewMailEventDelay
Syntax: AMgr_NewMailEventDelay=number of minutes
Description: Specifies the time (in minutes) that the Agent Manager delays before scheduling a new mail-triggered agent after new mail is delivered.
Applies to: Servers and workstations
Default: 1
UI equivalent: None, although you can specify this setting in the NOTES.INI Settings tab of the Configuration Settings document in the Domino Directory.
AMgr_SchedulingInterval
Syntax: AMgr_SchedulingInterval=number of minutes
Description: Specifies a delay (in minutes) between running of the Agent Manager's scheduler. Valid values are 1 minute to 60 minutes.
Applies to: Servers and workstations
Default: 1
UI equivalent: None
AMgr_UntriggeredMailInterval
Syntax: AMgr_UntriggeredMailInterval=number of minutes
Description: Specifies a delay (in minutes) between running of the Agent Manager's check for untriggered mail. Valid values are 1 minute to 1440 minutes (the number of minutes in a day).
Applies to: Servers and workstations
Default: 60
UI equivalent: None
AMgr_WeekendDays
Syntax: AMgr_WeekendDays=day1, day2, ...
Description: When agents use the On Schedule trigger, the Run on Schedule options box is available and includes the "Don't run on weekends" check box option. When you select this option, the agent does not run on weekend days. The default value for weekend days is Saturday (7) and Sunday (1). You can specify any number of days, up to 7.
For example: AMgr_WeekendDays=1,6,7
Causes agents that have the "Don't run on weekends" option checked not to run on Sundays, Fridays, and Saturdays.
Applies to: Servers and workstations
Default: 7 (Saturday) and 1 (Sunday)
UI equivalent: None, although you can specify this setting in the NOTES.INI Settings tab of the Configuration Settings document in the Domino Directory.
AppleTalkNameServer
Syntax: AppleTalkNameServer=servername
Description: Applies to AppleTalk users only. Identifies the name of the user's secondary AppleTalk server. For more information, see your AppleTalk network documentation.
Applies to: Servers and workstations
Default: None
UI equivalent: File - Preferences - User Preferences - Ports. Select the AppleTalk port, and click Options to select or modify the server.
C-8 Administering the Domino System, Volume 2
AutoLogoffMinutes
Syntax: AutoLogoffMinutes=minutes
Description: Specifies the number of inactive minutes before a user is automatically logged off.
Applies to: Workstations
Default: None
UI equivalent: File - Preferences - User Preferences - Basics - Lock ID after x minutes of inactivity.
BatchRegFile
Syntax: BatchRegFile=filename
Description: Specifies the name of a batch registration file. If you add this variable, Domino does not prompt you for the filename when you import users from a text file.
Applies to: Servers
Default: None
UI equivalent: None
BillingAddinOutput
Syntax: BillingAddinOutput=value
Description: Specifies where Domino logs billing events. Use the following values to set this variable:
1 - Billing database (BILLING.NSF)
8 - Binary file (BILLING.NBF)
9 - Both the billing database and binary file
Domino creates the BILLING.NSF database and/or the BILLING.NBF file the first time the billing add-in task is started with this option set.
Applies to: Servers
Default: 1
UI equivalent: None
BillingAddinRuntime
Syntax: BillingAddinRuntime=number of seconds
Description: Specifies how long the billing add-in task runs. For example, BillingAddinRuntime=30 specifies that the billing add-in will process billing records for 30 seconds. After 30 seconds the billing add-in stops processing records, even if there are additional records to be processed. The BillingAddinRuntime value must be less than the value you specify for the BillingAddinWakeup variable.
Applies to: Servers
Default: 10
UI equivalent: None, although you can specify this setting in the NOTES.INI Settings tab of the Configuration Settings document in the Domino Directory.
BillingAddinWakeup
Syntax: BillingAddinWakeup=number of seconds
Description: Specifies how often the billing add-in task runs. For example, BillingAddinWakeup=300 specifies that the billing add-in task wakes up every five minutes (300 seconds) to process the billing records in the billing message queue. The BillingAddinWakeup value must be greater than the value you specify for BillingAddinRuntime.
Applies to: Servers
Default: 60
UI equivalent: None, although you can specify this setting in the NOTES.INI Settings tab of the Configuration Settings document in the Domino Directory.
BillingClass
Syntax: BillingClass=class(es) Description: Specifies one or more of six classes of billing activity: Agent Database Document
The billing process tracks only the activities that you specify in the BillingClass variable. Applies to: Servers Default: None UI equivalent: None, although you can specify this setting in the NOTES.INI Settings tab of the Configuration Settings document in the Domino Directory.
BillingSuppressTime
Syntax: BillingSuppressTime=number of minutes Description: Specifies the frequency of record stamping during session and database activities if session and database activities are specified for the BillingClass variable. If you want billing data collected more frequently, decrease the default value (15 minutes). To minimize the billing workload on your system, increase the value. Applies to: Servers Default: 15 UI equivalent: None, although you can specify this setting in the NOTES.INI Settings tab of the Configuration Settings document in the Domino Directory.
CDP_Command
Syntax: CDP_Command=value Description: The set of CDP settings controls the opening, handling, and closing of applications using OLE. All OLE applications use these variables: CDP_NEW, CDP_OPEN, CDP_EDIT, CDP_SAVE, CDP_CLOSE, CDP_SHOWITEM, CDP_SHOWACTIVEITEM, CDP_EXIT. All other applications use DIP and need to be hard-coded with separate lines. For normal usage, you should never need to modify CDP settings. Applies to: Servers and workstations Default: None UI equivalent: None
CertificateExpChecked
Syntax: CertificateExpChecked=path and date Description: Specifies the path to the local ID file and the last time the ID was checked for certificates that have expired or are about to expire. Applies to: Servers and workstations Default: The ID file and last date checked for expiration. UI equivalent: None
CertifierIDFile
Syntax: CertifierIDFile=path Description: Specifies the path to the certifier ID. The path must contain the drive letter or network drive, directories, and file name. For example:
CertifierIDFile=C:\LOTUS\DOMINO\IDS\CERT.ID
CertifierIDFile=M:\LOTUS\NOTES\IDS\ACME.ID
Applies to: Servers Default: The path and file name that you specify when you set up the server. UI equivalent: None
ClockType
Syntax: ClockType=value Description: (UNIX only) Specifies whether the Domino server clock displays time in 12-hour format (AM and PM) or 24-hour format (sometimes called military time). A value of 12_HOUR sets the clock type as 12-hour. A value of 24_HOUR sets the clock type as 24-hour. This setting overrides the system clock setting defined in the server's operating system. Applies to: Servers Default: None, although without this setting the Domino server displays 12-hour time. UI equivalent: None
Clrepl_Obeys_Quotas
Syntax: Clrepl_Obeys_Quotas=value Description: Specifies whether the Cluster Replicator obeys quotas. 0 - Disables the Cluster Replicator from obeying quotas. 1 - Enables the Cluster Replicator to obey quotas. Applies to: Servers Default: The Cluster Replicator does not obey quotas. UI equivalent: None
Cluster_Replicators
Syntax: Cluster_Replicators=value Description: Use this setting to start multiple cluster replicators, where value is the number of cluster replicators required. Applies to: Servers Default: None, but Domino starts one cluster replicator by default. UI equivalent: You can also specify this setting in the NOTES.INI Settings tab of the Configuration Settings document in the Domino Directory.
COMnumber
Syntax: COMnumber=parameter1, parameter2, ... Description: Specifies information for modems connected to the ports you set in the Ports dialog box. You can define up to five ports (COM1 through COM5). These parameters are valid:
Parameter - Specifies (Required?)
driver - Driver name (Required: Yes)
unit_ID - Unit ID (Required: Yes)
max_sessions - Maximum number of concurrent sessions (Required: Yes)
buffer_size - Size of buffer in kilobytes (Required: Yes)
flags - Flags, such as secured channel, log modem I/O, enable RTS/CTS, and so on (Required: No)
modem_speed - Modem speed (Required: No)
modem_volume - Modem volume and dialing mode (Required: No)
dial_timer - Connection time-out in seconds (Required: No)
modem_filename - Name of the modem command file (Required: No)
hangup_timeout - Idle hang-up time in minutes (Required: No)
Unless you are experienced with modems and ports, use the user-interface to configure ports. Applies to: Servers and workstations Default: Depends on the modem type selected UI equivalent: File - Preferences - User Preferences - Ports dialog box.
Compact_Retry_Rename_Wait
Syntax: Compact_Retry_Rename_Wait=number of seconds Description: If you have specified a value for the Num_Compact_Rename_Retries setting, Domino waits 30 seconds before trying to rename a database that was copy-style compacted. You can request a different amount of time to wait by specifying the value of the Compact_Retry_Rename_Wait setting in the NOTES.INI file. For example, to request that Domino wait 2 minutes before trying to rename a database that was copy-style compacted, specify Compact_Retry_Rename_Wait=120.
Domino enforces the following upper limit when trying to rename a copy-style compacted database:
Num_Compact_Rename_Retries x Compact_Retry_Rename_Wait <= 60 minutes.
For more information on the Num_Compact_Rename_Retries setting, see the topic Num_Compact_Rename_Retries later in this chapter. Applies to: Servers Default: No default entry, but in the absence of the setting, Domino waits 30 seconds before trying to rename a database that was copy-style compacted. UI equivalent: None
Console_Log_Enabled
Syntax: Console_Log_Enabled=value Description: Specifies whether to enable logging to the Console Log file (CONSOLE.LOG, by default). 0 - Disable Console Log file logging 1 - Enable Console Log file logging Tip To toggle logging to the Console Log file from the server console, use the start consolelog and stop consolelog commands. Applies to: Servers Default: 0 UI equivalent: None
Console_Loglevel
Syntax: Console_Loglevel=value Description: Controls the level of information displayed on the status bar when you trace a connection. The following values are possible: 0 - No information displayed 1 - Only errors are displayed 2 - Summary progress information is displayed 3 - Detailed progress information is displayed 4 - Full trace information is displayed
For more information on tracing a connection, see the chapter Troubleshooting. Applies to: Workstations Default: 2 UI equivalent: None
Console_Log_Max_Kbytes
Syntax: Console_Log_Max_Kbytes=value Description: Specifies the maximum size for the Console Log file (CONSOLE.LOG, by default). If the Console_Log_Max_Kbytes setting is not present or is set to 0, then the file size is unlimited. When the maximum file size is reached, new logging output starts to overwrite existing logging output at the beginning of the file. This setting can be changed at any time during a server session and when a new maximum file size is specified, it takes effect upon the next write. If the new maximum file size is less than or equal to the current maximum file size, then the maximum size will be set to the current size to prevent growth and the new size will take effect upon the next server session. Applies to: Servers Default: None UI equivalent: None
Country_Language
Syntax: Country_Language=value Description: Specifies the language used for the Domino/Notes interface. Applies to: Servers and workstations Default: en-US (US English) UI equivalent: File - Preferences - User Preferences - International Content Language dialog box. You can also specify this setting in the NOTES.INI Settings tab of the Configuration Settings document in the Domino Directory.
Create_File_Access
Syntax: Create_File_Access=names Description: Specifies users, servers, and groups that can create new databases on the server. You must specify a hierarchical name in hierarchical format, for example, Alice Jones/Acme. If you don't specify a name, all certified users can create files. An asterisk (*) represents everyone listed in the Domino Directory. An asterisk followed by a view name represents everyone listed in that view of the Domino Directory. An asterisk followed by a slash (/) and a hierarchical certifier's name represents everyone certified by that certifier. Default: None Applies to: Servers UI equivalent: The Create New Databases field in the Security tab of the Server document. The Server document takes precedence over the NOTES.INI setting. Domino uses the Create_File_Access setting only if the Create New Databases field is empty.
Create_Replica_Access
Syntax: Create_Replica_Access=names Description: Specifies the groups that can create replicas on the server. You must specify a hierarchical name in hierarchical format, for example, Alice Jones/Acme. If you don't specify a group, all certified users can create replicas. An asterisk (*) represents everyone listed in the Domino Directory. An asterisk followed by a view name represents everyone listed in that view of the Domino Directory. An asterisk followed by a slash (/) and a hierarchical certifier's name represents everyone certified by that certifier. Default: None Applies to: Servers UI equivalent: The Create Replica Databases field in the Security tab of the Server document. Note that the Server document takes precedence over the NOTES.INI setting. Domino uses the Create_Replica_Access setting only if the Create Replica Databases field is empty.
CTF
Syntax: CTF=filename Description: Specifies the international import/export character set. Applies to: Workstations Default: L_CPWIN.CLS UI equivalent: File - Preferences - User Preferences - International Import/Export Character Set dialog box.
DDE_Timeout
Syntax: DDE_Timeout=seconds Description: The amount of time (in seconds) Notes waits for another DDE application to respond to a DDE message. Applies to: Workstations Default: 10 seconds UI equivalent: None
Debug_Outfile
Syntax: Debug_Outfile=filename Description: Specifies the file name for the Console Log file. If both this setting and the LogFile_Dir setting exist and Debug_Outfile contains a fully qualified path name, then LogFile_Dir is not used. If only the Debug_Outfile setting exists and it contains only a file name, then the default path \DATADIRECTORY\IBM_TECHNICAL_SUPPORT is used. If neither Debug_Outfile nor LogFile_Dir exists, then the default path is \DATADIRECTORY\IBM_TECHNICAL_SUPPORT and the default file name is CONSOLE.LOG. Applies to: Servers Default: None UI equivalent: None
Debug_SSL_Cert
Syntax: Debug_SSL_Cert=value Description: Enables viewing of certificate information at the server console. To enable viewing, set Debug_SSL_Cert to a value of 2. Applies to: Servers Default: None UI equivalent: None
Default_Index_Lifetime_Days
Syntax: Default_Index_Lifetime_Days=number of days Description: Specifies a default lifetime for view indexes if none was selected by the database designer in the view properties box. If the index is inactive for the specified number of days, the Indexer task purges the index. For example: Default_Index_Lifetime_Days=60 sets the lifetime of indexes to 60 days. Default: 45 days Applies to: Servers UI equivalent: None, although you can specify this setting in the NOTES.INI Settings tab of the Configuration Settings document in the Domino Directory.
Deny_Access
Syntax: Deny_Access=names Description: Specifies servers, users, and groups that are denied access to the server. You must specify a hierarchical name in hierarchical format, for example, Alice Jones/Acme. An asterisk (*) represents everyone listed in the Domino Directory. An asterisk followed by a view name represents everyone listed in that view of the Domino Directory. An asterisk followed by a slash (/) and a hierarchical certifier's name represents everyone certified by that certifier. The Deny_Access setting overrides the Allow_Access setting.
For more information on the Allow_Access setting, see the topic Allow_Access earlier in this chapter. Applies to: Servers Default: None UI equivalent: The Not Access Server field in the Security tab of the Server document. The Server document takes precedence over the NOTES.INI setting. Domino uses the Deny_Access setting only if the Not Access Server field is empty.
Deny_Access_portname
Syntax: Deny_Access_portname=names Description: Specifies servers, users, and groups that are denied access to a specific server port. The portname parameter indicates the name of the port you enabled in the Port Setup dialog box and in the Server document. An asterisk (*) represents everyone listed in the Domino Directory. An asterisk followed by a view name represents everyone listed in that view of the Domino Directory. An asterisk followed by a slash (/) and a hierarchical certifier's name represents everyone certified by that certifier. For example: Deny_Access_SPX=Terminations The users in the Terminations group cannot access the SPX port. Applies to: Servers Default: None UI equivalent: None
Desktop
Syntax: Desktop=path Description: Use this setting to specify the location of the DESKTOP5.DSK file used to customize the Notes workspace. For example, on the Macintosh: Desktop=Notes:Desktop For example, in Windows: DESKTOP=C:\LOTUS\NOTES\DESKTOP5.DSK
Applies to: Workstations Default: None, although if this setting is omitted, Notes looks for the file DESKTOP5.DSK in the Notes Data directory. UI equivalent: None
DIIOPConfigUpdateInterval
Syntax: DIIOPConfigUpdateInterval=number of minutes Description: Specifies the time interval, in minutes, at which DIIOP should refresh its configuration data from the Domino Directory. Applies to: Servers Default: The default value is 3 minutes. UI equivalent: None
DIIOPCookieCheckAddress
Syntax: DIIOPCookieCheckAddress=value Description: Modifies the behavior of server-based cookies used with applets that are downloaded by the Domino HTTP server. Set the value to 1 to enable the checking of client IP addresses for these cookies. Applies to: Servers Default: The default value is 0 (disabled), which means that DIIOP will not require the IP address of the client using one of these cookies to match the IP address of the client to whom the cookie was issued. Client IP addresses will not match in most cases because the cookie is issued to the browser using the HTTP protocol, which is typically routed through proxy servers, and therefore the client appears to be the proxy server. While the user of the cookie is the applet running in the browser, its network traffic does not go through a proxy server. UI equivalent: None
DIIOPCookieTimeout
Syntax: DIIOPCookieTimeout=number of minutes Description: Modifies the behavior of server-based cookies used with applets that are downloaded by the Domino HTTP server. It specifies the time period (number of minutes) for which each cookie is valid. When a cookie expires it cannot be used to obtain a session with the DIIOP task. The minimum setting is 1 minute. Applies to: Servers Default: The default value is 10 minutes. UI equivalent: None
DIIOP_Debug_Invoke
Syntax: DIIOP_Debug_Invoke=value Description: Use for debugging only. It provides a level of logging beyond that of DIIOPLogLevel. Each transaction that the DIIOP task receives is logged along with the object ID that was the target, as well as the session ID. Valid values are: 1 - Show transaction details when a transaction finishes 2 - Show transaction details when a transaction starts Applies to: Servers Default: None. UI equivalent: None
DIIOPDNSLookup
Syntax: DIIOPDNSLookup=value Description: Specifies that DIIOP should do a DNS name lookup for every client that connects and uses DIIOP services. This information is visible when using the server console command show tasks. Set the value to 1 to enable DNS lookups for clients. Applies to: Servers Default: The default value is 0 (disabled). UI equivalent: None
DIIOPIgnorePortLimits
Syntax: DIIOPIgnorePortLimits=value Description: This parameter is only valid on a Linux platform. It indicates that DIIOP may use the default ports of 63148 and 63149. On some Linux installations, the default ports are not available for use and DIIOP will automatically select ports 60148 and 60149. Set this value to 1 to use the higher numbered ports. Applies to: Servers Default: The default value is 0 (use default ports). UI equivalent: None Note Prior to Domino 6, this variable was known as DIIOP_IGNORE_PORT_LIMITS. It is still valid for backwards compatibility.
DIIOPIORHost
Syntax: DIIOPIORHost=hostname Description: To have DIIOP advertise its existence using an alternate hostname or IP address, you can set DIIOPIORHost to an alternate host name or address other than the server default. The server default is based on the value specified in the Server document setting Fully qualified Internet host name. Applies to: Servers Default: The default value is to use the setting in the Server document. UI equivalent: The preferred method of setting this value is through the Server document, on the DIIOP section of the Internet Protocols tab. Note Prior to Domino 6, this variable was known as DIIOP_IOR_HOST. It is still valid for backwards compatibility.
DIIOPLogLevel
Syntax: DIIOPLogLevel=value Description: This parameter increases the level of information that DIIOP reports to the server console and to the log. This value can be set manually by modifying the NOTES.INI directly or it can be set using the tell diiop log=n command. Possible values are: 0 - Show Errors & Warnings only 1 - Also show informational messages 2 - Also show session init/term messages 3 - Also show session statistics 4 - Also show transaction messages Applies to: Servers Default: None. UI equivalent: None
Dircat_Include_Readerslist_Notes
Syntax: Dircat_Include_Readerslist_Notes=value Description: When set to 1 the Dircat task aggregates documents that contain Readers lists. Users that are not in the Readers lists can nevertheless read these documents in the directory catalog. Applies to: Servers Default: None. Without this setting the Dircat task does not aggregate documents that contain Readers lists. Note that even users who are included in the Readers list cannot access the documents through the directory catalog. UI equivalent: None
Directory
Syntax: Directory=path Description: Specifies the location of the Data directory for Domino or Notes. This path is originally set during the Install program. Applies to: Servers and workstations Default: C:\LOTUS\NOTES\DATA, or the directory specified during the Install program. UI equivalent: File - Preferences - User Preferences - Basics - Local database folder.
Disable_Cluster_Replicator
Syntax: Disable_Cluster_Replicator=value Description: Use this setting to disable/enable cluster replication. 0 - Cluster replication enabled 1 - Cluster replication disabled Applies to: Servers Default: None, but cluster replication is on by default. UI equivalent: None
Disable_View_Rebuild_Opt
Syntax: Disable_View_Rebuild_Opt=value Description: Use this setting to enable/disable the view rebuild optimization feature, which presorts the view entries in temporary files before inserting them into the view index. Use the following values for this setting: 0 - Enables 1 - Disables Applies to: Servers Default: None, although the view rebuild optimization feature is enabled in Domino by default. UI equivalent: None
DisabledPorts
Syntax: DisabledPorts=portname(s) Description: This setting indicates which ports are disabled for the server or workstation. Ports are enabled/disabled in Server documents (servers) and in the User Preferences dialog box (workstations). Applies to: Servers and workstations Default: None UI equivalent: On a workstation, see the Ports tab in the User Preferences dialog box (choose File - Preferences - User Preferences). On a server, see the Port tab in the Server document.
DisableLDAPOnAdmin
Syntax: DisableLDAPOnAdmin=value Description: Setting DisableLDAPOnAdmin=1 prevents the LDAP task from running on the administration server of the Domino Directory for a domain. Since this administration server manages the schema and verifies the directory tree for all servers in the domain that run the LDAP service, use this setting only if you do not run the LDAP task on any server in a domain. To disable the LDAP service on the Domino Directory administration server, you must also remove the LDAP task from the server's ServerTasks NOTES.INI setting. To prevent the LDAP task on the Domino Directory administration server from processing LDAP requests but still allow it to manage the schema and verify the directory tree for other servers in the domain that run the LDAP service, disable the ports for the LDAP service on the administration server. Applies to: Servers Default: None UI equivalent: None
Domain
Syntax: Domain=name Description: On a server, specifies the server's domain. On a workstation, specifies the domain of the user's mail server. This setting must contain at least one default name. Applies to: Servers and workstations Default: The domain specified during the Setup program. UI equivalent: On a server, the Domain Name field in the Basics tab of the Server document; on a workstation, the Domain field in the Mail tab in the user's Person document.
DominoNoBanner
Syntax: DominoNoBanner=value Description: Web pages created with Domino display a Domino banner in source headers, as follows:
<HTML>
<!-- Lotus-Domino Release [release number] - [date of release] on [platform] -->
<HEAD>
Use the DominoNoBanner setting to hide/display the banner. 0 - Displays the banner 1 - Hides the banner Applies to: Servers Default: 1. Hiding the banner provides greater default security. UI equivalent: None
DominoNoDirLinks
Syntax: DominoNoDirLinks=value Description: On a Web server, specifies whether browser users can use directory links. Options are: 0 - Allow browser users to access directory links. 1 - Prevent browser users from accessing directory links Applies to: Servers Default: 0 UI equivalent: None
DominoR5IntlURLDecoding
Syntax: DominoR5IntlURLDecoding=value Description: Use DominoR5IntlURLDecoding to enable decoding of international URL strings using a proprietary encoding scheme. 0 - Disables Domino 5 international URL decoding 1 - Enables Domino 5 international URL decoding Applies to: Servers Default: 0. By default, Domino 6 encodes URLs according to the IRI (International Resource Identifiers) standard and does not decode URL strings encoded by Domino 5. UI equivalent: None
DominoXURLProcess
Syntax: DominoXURLProcess=value Description: Use DominoXURLProcess to enable a Domino Web server's URL command parser to accept ! as an alternative query component separator. 0 - Disables ! as an alternative query component separator 1 - Enables ! as an alternative query component separator Applies to: Servers Default: 0. By default, Domino does not recognize ! as an alternative query component separator. UI equivalent: None
DST
Syntax: DST=value Description: Specifies that a server or workstation observe daylight saving time: 0 - Do not observe daylight saving time 1 - Observe daylight saving time When you select this option, the created/modified time for documents created or modified from the first Sunday in April through the last Sunday in October is time-stamped one hour later than the server's system time. This option lets you adjust for daylight saving time without changing the actual system time. Applies to: Servers and workstations Default: 1 (observe daylight saving time) UI equivalent: On a workstation, Daylight saving time field in the Basics tab in the Advanced tab in the Location document; on a server, Daylight saving time field in the Server document. For information on additional ways to adjust the time stamp for daylight saving, see the topics DST_Begin_Date, DST_End_Date, and DSTlaw in this chapter.
DSTlaw
Syntax: DSTlaw=begin_month, begin_week, begin_day, end_month, end_week, end_day Description: Specifies when daylight saving time (DST) is observed. By default, the DST period is defined as the first Sunday in April to the last Sunday in October. (This is the period during which DST is observed in the United States.) The variables begin_month, begin_week, and begin_day define the month, week, and day, respectively, when DST begins. The variables end_month, end_week, and end_day define when DST ends. Months are 1 (January) through 12 (December); weeks are 1 through 4; days are 1 (Sunday) through 7 (Saturday). You can use negative numbers to specify the weeks, where -1 is the last week of the month, -2 is the second to last week, and so on. For example: DSTlaw=4 1 1 10 -1 1 Defines DST as beginning in April (4), on the first week (1), on Sunday (1); and ending in October (10), on the last week (-1), on Sunday (1).
Applies to: Servers and workstations Default: DSTlaw=4,1,1,10,-1,1 (The first Sunday in April to the last Sunday in October) UI equivalent: None For information on additional ways to adjust the time stamp for daylight saving, see the topics DST, DST_Begin_Date, and DST_End_Date in this chapter.
DST_Begin_Date
Syntax: DST_Begin_Date=date Description: date is the date when daylight saving time will begin, specified in dd/mm/year format. In most cases, this parameter is not necessary. Some regions of the world do not recognize the beginning of daylight saving time on the first Sunday in April. If your server is in a region where this is true, use this parameter to specify the exact date when DST begins. Use this setting along with DST_End_Date, which specifies when daylight saving time ends. Applies to: Servers Default: None, although if this setting is omitted, daylight saving time begins the first Sunday in April. UI equivalent: None For information on additional ways to adjust the time stamp for daylight saving, see the topics DST, DST_End_Date, and DSTlaw in this chapter.
DST_End_Date
Syntax: DST_End_Date=date Description: date is the date when daylight saving time will end, specified in dd/mm/year format. In most cases, this parameter is not necessary. Some regions of the world do not recognize the ending of daylight saving time as the last Sunday in October. If your server is in a region where this is true, use this parameter to specify the exact date when DST will end. Use this setting along with DST_Begin_Date, which specifies when daylight saving time begins. Applies to: Servers Default: None, although if this setting is omitted, daylight saving time ends the last Sunday in October. UI equivalent: None For information on additional ways to adjust the time stamp for daylight saving, see the topics DST, DST_Begin_Date, and DSTlaw in this chapter.
EditExpnumber
Syntax: EditExpnumber=value1, value2, value3, value4, value5... Description: Settings used for file exports done at the document level. These are valid values:
Parameter - Enter
value1 - Program name and file type
value2 - The following append options: 0 - No append option offered; 1 - Append option offered through a dialog box; 2 - Automatically write to a temporary file to avoid the 64K limit
value3 - Name of the export routine called
value4 - Not currently used
value5 - File extensions to automatically select a file type in the File Export dialog box
EditImpnumber
Syntax: EditImpnumber=value1, value2, value3, value4, value5 Description: Settings used for file imports done at the document level. The following are valid values:
Parameter - Enter
value1 - Program name and version
value2 - Not used; always 0
value3 - Name of the import routine called
value4 - Not currently used
value5 - x - File extensions to automatically select a file type in the File Import dialog box
EmptyTrash
Syntax: EmptyTrash=value Description: Specifies when and how the Trash folder will be purged of documents marked for deletion. Options are: 0 - Prompt the user before closing the database 1 - Always empty the Trash folder before closing the database 2 - Empty the Trash folder manually Applies to: Workstations Default: 0 UI equivalent: File - Preferences - User Preferences - Basics - Empty Trash folder.
Enable_ACL_Files
Syntax: Enable_ACL_Files=value Description: Specifies whether to enable ACL file checking on a server. ACL files are an option for protecting server directories, and contain the names of users authorized to access those directories. Servers in xSP configurations enable this feature by default. In an xSP configuration, an individual ACL file is automatically created for each individual hosted organization, to prevent users in one hosted organization from traversing a directory that belongs to another hosted organization. 0 - Disable ACL file checking 1 - Enable ACL file checking Applies to: Servers Default: For non-xSP configurations, this variable is set to 0 (disabled). For xSP configurations, it is set to 1 (enabled). UI equivalent: None
EnableBiDiNotes
Syntax: EnableBiDiNotes=value Description: Turns On/Off the support for BiDirectional Languages (Arabic, Hebrew). 0 - Turns BiDirectional support off 1 - Turns BiDirectional support on Applies to: Workstations Default: 0 (off) UI equivalent: None
ExtMgr_AddIns
Syntax: ExtMgr_AddIns=value1, value2, value3... Description: Defines the list of add-in files for the Extension Manager. Domino or Notes reads this variable on initialization and then attempts to load the specified library or libraries. For example: ExtMgr_AddIns=logdll,amgrdll In addition, you can use ExtMgr_AddIns to add one or more custom Extension Manager applications. The name of the add-in file may begin with the platform specifier character N under Windows. This character may be omitted when using the ExtMgr_AddIns setting. Applies to: Servers and workstations Default: None UI equivalent: None
FileDlgDirectory
Syntax: FileDlgDirectory=path Description: Specifies the default directory for all file searches. If you specify this setting, Domino looks only in the specified location. Applies to: Servers Default: None, although if this setting is omitted, Domino searches the Domino Data directory. UI equivalent: None
Fixup_Tasks
Syntax: Fixup_Tasks=number of tasks Description: Specifies the maximum number of Fixup tasks that are created at server startup. A Fixup task performs a consistency check on any database that requires it. Server initialization continues while Fixup tasks run. Applies to: Servers Default: Twice the number of CPUs on the system. UI equivalent: None
FT_Domain_Directory_Name
Syntax: FT_DOMAIN_DIRECTORY_NAME=directory Description: Allows users and administrators to select the location and name of the domain index. By default, the domain index is located in the Domino data directory and is named FTDOMAIN.DI. If an alternate location is specified using this setting, Domino will support directory links and index relocation. Applies to: Servers Default: None. If this setting is omitted, the domain index is located in the Domino data directory. UI equivalent: None
FT_Domain_Idxthds
Syntax: FT_DOMAIN_IDXTHDS=number of threads Description: Specifies the number of indexing threads to use for Domain Search. Using more threads lets the Domain Catalog server index more files simultaneously, but requires more CPU utilization, and response to search queries may be slow. With fewer indexing threads, search speeds up because of greater CPU availability, but changes are not reflected in the index as quickly. Applies to: Servers Default: None, although if this setting is omitted, the default number of threads used is two per CPU. For example, a server with two CPUs uses four indexing threads by default when indexing. Do not exceed eight threads per server or you may degrade the performance of the server, even on servers with more than four CPUs. UI equivalent: None
FT_Index_Attachments
Syntax: FT_Index_Attachments=value Description: Specifies whether to exclude types of document attachments in the Domain Index that are not already excluded by default. A value of 1 includes these document attachments in the index, and a value of 2 excludes them. The following types of attachments are excluded from the Domain Index by default: .au, .cca, .dbd, .dll, .exe, .gif, .img, .jpg, .mp3, .mpg, .mov, .nsf, .ntf, .p7m, .p7s, .pag, .sys, .tar, .tif, .wav, .wpl, .zip. Applies to: Servers Default: 1 UI equivalent: None
FT_Intl_Setting
Syntax: FT_Intl_Setting=language Description: Imposes several limitations on full text functionality to let Notes work properly with the Japanese language. When enabled (set to 1), this setting turns off stemming, makes all full text indexes case-sensitive, and ignores the setting for the stop word file. Applies to: Workstations Default: None UI equivalent: None
FT_Max_Search_Results
Syntax: FT_Max_Search_Results=number of entries Description: Specifies the maximum number of results (up to 2147483647) that can be retrieved at one time on a database without any index. For example: FT_Max_Search_Results=10000 allows a single NotesDatabase or NotesDocumentCollection FTSearch to return up to 10000 entries. Applies to: Servers and workstations Default: 5000 UI equivalent: None
FT_No_Compwintitle
Syntax: FT_No_Compwintitle=value Description: Specifies whether the Domain Catalog server computes the window titles for documents that are returned by a search. XXX - Computes document window titles 1 - Omits the computation of document window titles, thus conserving CPU. Applies to: Servers Default: XXX UI equivalent: None
FTG_No_Summary
Syntax: FTG_No_Summary=value Description: Specifies whether document summaries can be displayed in search results. If you use server access lists within a domain to limit access to information, you might need to check the ACLs of databases on those servers to ensure that results are filtered. Otherwise, a search might return a result to a user who cannot access the result document. If the Domain Catalog server is on a Windows system, search results can include document summaries whereby users might be able to discern confidential information. If you are running Domino on Windows and are not sure that you can properly maintain database ACLs to prevent this, you might want to disable document summaries by using this setting in the Domain Catalog server's NOTES.INI file. XXX - Allows the display of document summaries in search results. 1 - Prevents the display of document summaries in search results. Applies to: Servers Default: XXX UI equivalent: None For information on Domain Search security, see the chapter Setting Up Domain Search.
FT_Summ_Default_Language
Syntax: FT_Summ_Default_Language=value Description: Specifies the language for a document summary in search results whenever the language in the document is not supported. Valid values (supported languages) are as follows. If a locale's native language is not supported, use a value of NULL or english.
bokmal
danish
default (You can use this value for the locale's native language, if supported.)
dutch
english
finnish
french
german
italian
NULL (English will be the language used.)
nynorsk
portugue (Use this value for the Portuguese language.)
spanish
Health_Report_Purge_After_N_Days
Syntax: Health_Report_Purge_After_N_Days=N Description: Used for server health monitoring. N is the number of days that historical documents remain in the database. By default, historical reports are purged from the database after seven days. To override the default, add this variable to the NOTES.INI file, and specify the number of days for which historical documents remain in the database. Applies to: Servers Default: 7 (days) UI equivalent: None
HTTPEnableConnectorHeaders
Syntax: HTTPEnableConnectorHeaders=value Description: Enables the Domino HTTP task to process special headers that are added to requests by a WebSphere 4.0.3 plug-in installed on a foreign Web server. When the plug-in relays an HTTP request to the Domino back-end server, the plug-in adds headers that include information about the front-end server's configuration and user authentication status. As a security measure, the HTTP task ignores these headers if the setting is not enabled. This prevents an attack via plug-in mimicking. 0 - The Domino HTTP task does not process the special headers. 1 - The Domino HTTP task does process the special headers. Applies to: Servers Default: 0 UI equivalent: None
HTTPLogUnauthorized
Syntax: HTTPLogUnauthorized=value Description: When set to 1, the Web Server logs Error 401 instances to the server console. These instances are generated in two cases:
- A user attempts to access a resource but is not authorized for it
- A user has failed to authenticate
Applies to: Servers Default: None. Without this setting, Error 401 instances are not logged to the server console. With or without this setting, Error 401 instances are logged to the Web Server logs. UI equivalent: None
ICMNotesPort
Syntax: ICMNotesPort=port name Description: Specifies the name of the Notes network port for TCP/IP that you are linking the Internet Cluster Manager (ICM) service with. This setting is required for a partitioned server hosting the ICM service, and for a single server hosting that service if the server has more than one Notes port for TCP/IP. Applies to: Servers Default: None UI equivalent: None
IMAILExactSize
Syntax: IMAILExactSize=value Description: Specifies that the IMAP service report the exact size of a MIME message when requested by a client. 0 - The IMAP service estimates the message size 1 - The IMAP service reports the exact message size By default, the IMAP service estimates the message size. This helps improve server performance. Set this to 1 only if clients require the exact size. Applies to: Servers Default: 0 UI equivalent: None
IMAP_Config_Update_Interval
Syntax: IMAP_Config_Update_Interval=number of minutes Description: Specifies in minutes how frequently the IMAP server checks for configuration changes made to the Domino Directory. Applies to: Servers Default: None, although the update interval is 2 minutes if this setting is not included in NOTES.INI file. UI equivalent: None
Certain IMAP properties are not dynamically configured and require you to shut down and restart the service before they go into effect. Also, a given IMAP session uses whatever properties were in effect at the time the session began for the duration of that session; configuration changes apply only to IMAP sessions started after the update occurs.
IMAP_Convert_Nodisable_Folder_Refs
Syntax: IMAP_Convert_Nodisable_Folder_Refs=value Description: Specifies whether the mail conversion utility (CONVERT) preserves folder references when updating mail files for use with the Domino 6 IMAP service. 0 (or variable not set) - The conversion process disables folder references. 1 - The conversion process preserves folder references Applies to: Servers Default: None, although without this setting, Domino removes folder references during conversion. UI equivalent: None. In earlier releases of Domino, the IMAP service used folder references in the mail template to retrieve IMAP folder and message data. Because the Domino 6 IMAP service does not use folder references, and preserving folder references retards IMAP performance, by default, when you run the mail conversion utility (CONVERT) to prepare mail files for IMAP use, it removes folder references from the converted mail files. Set this variable only in environments where Domino applications other than the IMAP service use folder references in mail files to track information. When this variable is set, folder references are preserved during all mail file conversions, whether performed manually from the server console, or automatically as the result of an IMAP user logging in to the IMAP service for the first time. Following conversion, the IMAP folder and message data maintained by folder references is initially synchronized with the Domino 6 IMAP information. However, as the Router delivers new messages to the mail file, folder references are not updated.
IMAPDisableFTIImmedUpdate
Syntax: IMAPDisableFTIImmedUpdate=value Description: Specifies whether or how the IMAP server will do an immediate FTI update after a new message is appended. This is required for searching for new messages immediately. 1 - Suppress the update request (by default, the update suppression time is 15 minutes) 2 - Disable FTI update Applies to: Servers Default: The IMAP server does an immediate FTI update after a new message is appended. UI equivalent: None
IMAPDisableMsgCache
Syntax: IMAPDisableMsgCache=value Description: Specifies whether the IMAP server will cache the last fetched message. 1 - Disable the cache Applies to: Servers Default: The IMAP server caches the last fetched message. UI equivalent: None
IMAPGreeting
Syntax: IMAPGreeting=greeting Description: Customizes the greeting the IMAP server sends to clients connecting over TCP/IP. Applies to: Servers Default: None, although without the setting the following greeting is used:
* OK Domino IMAP4 Server V5.0 ready Mon, 10 May 1999 17:57:13 -0500
UI equivalent: None
IMAPNotesPort
Syntax: IMAPNotesPort=port name Description: Specifies the name of the Notes network port for TCP/IP that you are linking the IMAP service with. This setting is required for a partitioned server hosting IMAP, and for a single server hosting it if the server has more than one Notes port for TCP/IP. Applies to: Servers Default: None UI equivalent: None For information on binding an Internet service to an IP address, see the chapter Setting Up the Domino Network.
IMAPRedirectSSLGreeting
Syntax: IMAPRedirectSSLGreeting=greeting Description: Customizes the message the IMAP server sends to clients attempting to connect over TCP/IP when the TCP/IP port is configured to Redirect to SSL. Applies to: Servers Default: None, although without the setting the following greeting is used:
IMAP Server configured for SSL Connections only. Please reconnect using the SSL Port portnumber.
UI equivalent: None
IMAP_Session_Timeout
Syntax: IMAP_Session_Timeout=number of minutes Description: Specifies when the IMAP server drops idle IMAP client sessions. We recommend specifying a setting greater than ten minutes; many IMAP clients poll for new mail every ten minutes and the overhead of supporting idle sessions is less than the overhead required to support clients logging on and opening mailboxes.
Applies to: Servers Default: None, although without this setting, the server drops idle sessions after 30 minutes. UI equivalent: None
IMAPShowIdleStatus
Syntax: IMAPShowIdleStatus=value Description: If enabled, the command sh task at the server console will show idle IMAP threads. 1 - Enable the display of idle IMAP threads Applies to: Servers Default: Off UI equivalent: None
IMAPSSLGreeting
Syntax: IMAPSSLGreeting=greeting Description: Customizes the greeting the IMAP server sends to clients connecting over SSL. Applies to: Servers Default: None, although without the setting the following greeting is used:
* OK Domino IMAP4 Server V4.6 ready Mon, 12 May 1997 17:57:13 -0500
UI equivalent: None
Applies to: Workstations Default: None UI equivalent: The Play a Sound field on the Mail tab in the User Preferences dialog box (choose File - Preferences - User Preferences.)
INET_Authenticate_with_Secondary
Syntax: INET_Authenticate_with_Secondary=value Description: Allows a Domino POP3 server to use passwords stored in directories other than the primary for services other than HTTP, such as LDAP, IMAP, and POP3. 0 - Disables this setting. 1 - Enables this setting Applies to: Servers Default: 1 UI equivalent: None
InstallType
Syntax: InstallType=value Description: Identifies the type of Notes client installed, as follows: 0 - Designer License Type 1 - Administration License Type 2 - Designer and Administration License Type This line is updated when you perform an incremental setup after installing Notes 5. Applies to: Workstations Default: None UI equivalent: None
JavaEnableJIT
Syntax: JavaEnableJIT=value Description: Enables the default JIT if one is provided. Specify 1 as the JavaEnableJIT value to allow normal loading of the default JIT. Caution JITs can be unstable and lead to unexpected crashes. Applies to: Servers Default: 0 UI equivalent: None
JavaJITName
Syntax: JavaJITName=name Description: Enables the specified JIT. You must provide the named JIT or an error is reported by the Java Virtual Machine (JVM), although execution continues without the named JIT. Use the JavaJITName setting to load a JIT other than the default JIT (if one is provided). Caution JITs can be unstable and lead to unexpected crashes. Applies to: Servers Default: None UI equivalent: None
JavaMaxHeapSize
Syntax: JavaMaxHeapSize=number of bytes Description: Specifies the maximum (not initial) size the Java heap can reach. The Java Virtual Machine (JVM) starts out at 16MB of heap space and most of it is uncommitted. If the JVM needs more heap than it currently has, it will expand the heap in increments but will not exceed the maximum. Exceptions such as java.lang.OutOfMemoryError indicate that a heap has reached its maximum size. You can specify the number of bytes directly or use the suffix MB to indicate megabytes, for example, specifying 64MB is the same as specifying 67108864. Applies to: Servers Default: 64MB UI equivalent: None
JavaMinHeapSize
Syntax: JavaMinHeapSize=number of bytes Description: Specifies the initial size of the Java heap at Java Virtual Machine (JVM) startup. If the JVM needs more heap than it currently has, it will expand the heap in increments but will not exceed the maximum. You can specify the number of bytes directly or use the suffix MB to indicate megabytes, for example, specifying 16MB is the same as specifying 16777216. Applies to: Servers Default: 16MB UI equivalent: None
JavaNoAsyncGC
Syntax: JavaNoAsyncGC=value Description: Prevents the Java Virtual Machine (JVM) from running the garbage collection (GC) mechanism in a separate background thread. Specify 1 as the JavaNoAsyncGC value to debug internal JVM problems. Applies to: Servers Default: 0 UI equivalent: None
JavaNoClassGC
Syntax: JavaNoClassGC=value Description: Prevents the garbage collection (GC) mechanism of classes, which protects static fields. Specify 1 as the value to enable the JavaNoClassGC setting. Applies to: Servers Default: 0 UI equivalent: None
JavaStackSize
Syntax: JavaStackSize=number of bytes Description: Specifies the size of each Java thread's execution stack. You may need to increase the default number of bytes if you need deeply-nested call stacks, but otherwise you should not need to change the default. Applies to: Servers Default: 409600 UI equivalent: None
JavaUserClasses
Syntax: JavaUserClasses=list Description: Allows code-sharing across agents and applets. The value list is a list of directories, JAR files, or ZIP files that are added to the Java Virtual Machine's internal classpath so that classes can be found via the system loader (rather than via attachment to the agent or applet). Note that this setting doesn't replicate and requires access to the file system on the server. Use a semicolon (;) to separate list items for Win32 and OS/2 systems and use a colon (:) to separate list items for UNIX systems; for example, a valid list for Win32 is:
c:\classes;d:\appxyz\stuff.jar
JavaVerbose
Syntax: JavaVerbose=value Description: Enables the verbose setting of the Java Virtual Machine (JVM), which causes the JVM to issue many messages while it runs. Specify 1 as the JavaVerbose value to troubleshoot runtime problems. Applies to: Servers Default: 0 UI equivalent: None
JavaVerboseGC
Syntax: JavaVerboseGC=value Description: Enables the verbose setting of the garbage collection (GC) mechanism in Java Virtual Machine (JVM), which causes the JVM to issue many messages about memory usage as GC runs. Specify 1 as the JavaVerboseGC value to enable this setting. Applies to: Servers Default: 0 UI equivalent: None
KeyFileName
Syntax: KeyFileName=path Description: Specifies the location of the server ID or the user ID file. This setting lets an administrator use one ID to run the server. For example: On Macintosh, KeyFileName=Notes:JForgo.ID On UNIX, KeyFileName=/home/server1/notes/kbowker.id On Windows, KeyFileName=C:\Lotus\Notes\DMccarrick.ID For information on specifying a server ID file for a machine that runs both the Notes workstation and Domino server programs, see the topic ServerKeyFileName later in this chapter. Applies to: Servers and workstations Default: The ID for the administrator that you specify when you set up the server. UI equivalent: None
KitType
Syntax: KitType=value Description: Specifies which program you are running: 1 - Workstation 2 - Server Applies to: Servers and workstations Default: Specified during the Install program. You can install the workstation, the server, or both the workstation and server. The value when you install the server and workstation on the same machine is 2. UI equivalent: None
LANnumber
Syntax: LANnumber=port_driver, unit_ID, not_used, buffer_size Description: Specifies information about network ports on servers and workstations. For example: LAN0=spx, 1, , 2000 LAN1=netbios, 0, 15, 2000, , 12288 The LAN0 port is configured for an SPX network connection. The LAN1 port is configured for a NetBIOS connection and contains additional port setup information. Exclude the _ or i prefix and the .DLL extension from the port driver name. Applies to: Servers and workstations Default: Specified during the Install program. UI equivalent: On a workstation, File - Preferences - User Preferences Ports; on a server, the Ports tab in the Server document.
LDAPBatchAdds
Syntax: LDAPBatchAdds=value Description: Specifies which views in the Domino Directory the LDAP service updates after processing an LDAP write operation: 0 - After a write operation the LDAP service updates all the Domino Directory views it uses 1 - After a write operation the LDAP service updates only the ($LDAPRDNHier) view and waits for the Update task to update the other views it uses Use LDAPBatchAdds=1 before doing batch LDAP adds of 100 entries or more so that the additions are processed more quickly. When the LDAP adds are complete, immediately remove the setting or change it back to LDAPBatchAdds=0. Failure to immediately remove or change this setting back to 0 after completing the batch processing will cause subsequent LDAP operations to be unreliable. Applies to: Servers Default: None, although without this setting, after processing an LDAP write operation the LDAP service updates all the views it uses. UI equivalent: None
LDAPConfigUpdateInterval
Syntax: LDAPConfigUpdateInterval=number of minutes Description: Specifies the interval at which the LDAP service detects and puts into effect changes to these configuration settings:
- Settings in the domain Configuration Settings document except "Choose fields that anonymous users can query via LDAP" and "Allow LDAP users write access"
- NOTES.INI settings related to the LDAP service set through the Set Configuration command
- LDAP activity logging settings on the Activity Logging tab of a Configuration Settings document
You must always restart the LDAP task to put into effect changes to these settings:
- "Choose fields that anonymous users can query via LDAP"
- "Allow LDAP users write access"
- Port and port security settings on the Ports - Internet Ports Directory tab.
Applies to: Servers Default: Without this setting the interval is three minutes. UI equivalent: None
LDAPGroupMembership
Syntax: LDAPGroupMembership=value Description: The LDAP service always searches Domino groups specified as Multi-purpose, Access Control List only, Servers only, or Deny List only groups because it can do so quickly. However, because searches of Domino groups specified as Mail only groups or of groups that do not have a value for the GroupType attribute can be slow, by default the LDAP service does not always search these types of groups. The LDAP service does not search these types of groups if a search query meets all of the following criteria, indicating a query that is typically used for authentication:
- A search query uses the equality filter objectclass=value, where value is one of these object classes: groupOfNames, groupOfUniqueNames, dominoGroup, or group.
- A search query uses an equality filter with one of these attributes: member, uniqueMember, or members.
- The two filters above are concatenated using the AND operator.
For example, by default the LDAP service does not search Domino Mail only groups and groups that do not have values for the GroupType attribute if search queries such as these are specified:
(&(objectclass=dominoGroup)(member=cn=jack brown,o=acme))
(|(&(objectclass=groupOfUniqueNames)(uniqueMember=cn=jackbrown,o=acme))(&(objectclass=groupOfNames)(member=cn=jack brown,o=acme)))
However, by default the LDAP service does search these groups if search queries such as these are specified:
(&(objectclass=dominoGroup)(member=*br*))
(member=cn=jack brown,o=acme)
(|(&(objectclass=dominoGroup)(member=cn=jack brown,o=acme))(cn=*groupname*))
To change the LDAP service default behavior for group searches, specify one of these values for this setting: 1 - Always search all groups that meet specified search criteria. If you choose this setting, full-text indexing the directory is recommended to improve the speed of searches of Domino Mail only groups and groups that do not use the GroupType attribute. 2 - Never search Domino Mail only groups or groups that do not use the GroupType attribute. Note In Domino 5 the name of this setting is LDAP_MailOnlyGroupOption. The name has been changed in Domino 6 for clarity. However, you can use either setting name. Applies to: Servers Default: None UI equivalent: None
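The default rule described above can be checked against a filter before relying on an LDAP group lookup for an access decision. This is an added example, not code from the Domino documentation: the function names are hypothetical, and the handling of OR (every branch must be an authentication-style AND) is an inference from the page's own example queries, not a documented rule.

```python
from typing import Optional

# Object classes and attributes named in the LDAPGroupMembership criteria.
GROUP_CLASSES = {"groupofnames", "groupofuniquenames", "dominogroup", "group"}
MEMBER_ATTRS = {"member", "uniquemember", "members"}


def _parse(s: str, i: int):
    """Recursive-descent parse of one parenthesised filter starting at s[i]."""
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if i < len(s) and s[i] in "&|":
        op = "and" if s[i] == "&" else "or"
        i += 1
        children = []
        while i < len(s) and s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if not children:
            raise ValueError("empty AND/OR list")
        node = (op, children)
    elif i < len(s) and s[i] == "!":
        child, i = _parse(s, i + 1)
        node = ("not", [child])
    else:
        end = s.find(")", i)
        if end == -1:
            raise ValueError("unterminated filter item")
        attr, sep, value = s[i:end].partition("=")
        attr = attr.strip()
        if not sep or not attr:
            raise ValueError(f"bad filter item at offset {i}")
        if attr[-1] in "~<>:":          # approximate, ordering, extensible
            kind, attr = "other", attr[:-1]
        elif value == "*":
            kind = "presence"
        elif "*" in value:
            kind = "substring"
        else:
            kind = "equality"
        node = ("item", attr.lower(), kind, value)
        i = end
    if i >= len(s) or s[i] != ")":
        raise ValueError(f"expected ')' at offset {i}")
    return node, i + 1


def parse_filter(text: str):
    s = text.strip()
    node, end = _parse(s, 0)
    if end != len(s):
        raise ValueError("trailing characters after filter")
    return node


def is_auth_style(node) -> bool:
    """True when the filter meets the page's 'typically used for authentication' criteria."""
    op = node[0]
    if op == "or":
        # Inferred from the page's examples: all OR branches must qualify.
        return all(is_auth_style(child) for child in node[1])
    if op != "and":
        return False
    items = [c for c in node[1] if c[0] == "item" and c[2] == "equality"]
    has_class = any(a == "objectclass" and v.strip().lower() in GROUP_CLASSES
                    for _, a, _, v in items)
    has_member = any(a in MEMBER_ATTRS for _, a, _, _ in items)
    return has_class and has_member


def searches_mail_only_groups(filter_text: str,
                              ldap_group_membership: Optional[int] = None) -> bool:
    """Would Mail only groups and groups without GroupType be searched?"""
    if ldap_group_membership == 1:      # always search all groups
        return True
    if ldap_group_membership == 2:      # never search these groups
        return False
    return not is_auth_style(parse_filter(filter_text))


# The example queries from the page, with the behaviour the page states for each.
PAGE_EXAMPLES = {
    "(&(objectclass=dominoGroup)(member=cn=jack brown,o=acme))": False,
    "(|(&(objectclass=groupOfUniqueNames)(uniqueMember=cn=jackbrown,o=acme))"
    "(&(objectclass=groupOfNames)(member=cn=jack brown,o=acme)))": False,
    "(&(objectclass=dominoGroup)(member=*br*))": True,
    "(member=cn=jack brown,o=acme)": True,
    "(|(&(objectclass=dominoGroup)(member=cn=jack brown,o=acme))(cn=*groupname*))": True,
}

if __name__ == "__main__":
    for flt, expected in PAGE_EXAMPLES.items():
        print(searches_mail_only_groups(flt), expected, flt)
```

A result of False means a membership check made with that filter will not see Mail only groups or groups without a GroupType value unless LDAPGroupMembership=1 is set.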
LDAPNotesPort
Syntax: LDAPNotesPort=port name Description: Specifies the name of the Notes network port for TCP/IP that you are linking the LDAP service with. This setting is required for a partitioned server hosting LDAP, and for a single server hosting it if the server has more than one Notes port for TCP/IP. Applies to: Servers Default: None UI equivalent: None For information on binding an Internet service to an IP address, see the chapter Setting Up the Domino Network.
LDAPPre55Outlook
Syntax: LDAPPre55Outlook=value Description: If set to LDAPPre55Outlook=1, if the LDAP service receives a search query that specifies country (c=xx) as a search base, it converts the search base to root (). This setting is designed for use with pre-5.5 Microsoft Outlook Express clients which, when users don't specify a search, automatically use the country associated with the software version as a search base. Since it's likely that pre-5.5 users who don't specify a search base intend a root search rather than one using the client-supplied country search base, use this setting if the clients that use the LDAP service are primarily pre-5.5 Microsoft Outlook Express clients. Applies to: Servers Default: None UI equivalent: None
Location
Syntax: Location=location_name Description: Identifies the user's current location. Applies to: Workstations Default: None UI equivalent: File - Mobile - Choose Current Location.
Log
Syntax: Log=logfilename, log_option, not_used, days, size Description: Specifies the contents of the log file and controls other logging actions:
Parameter     Value
logfilename   The log database file name, usually LOG.NSF
log_option    Log options:
              1 - Log to the console
              2 - Force database fixup when opening the log file
              4 - Full document scan
not_used      Always set to zero; this parameter is not currently used
days          The number of days to retain log documents
size          The size of log text in event documents
For example:
Log=LOG.NSF,1,0,7,20000
The log file (LOG.NSF) is deleted in seven days and can contain up to 20,000 bytes. All log information is also sent to the console. Applies to: Servers Default: Log=LOG.NSF,1,0,7,40000 UI equivalent: None
Log_AgentManager
Syntax: Log_AgentManager=value Description: Specifies whether or not the start of agent execution is recorded in the log file and shown on the server console: 0 - Do not log agent execution events 1 - Log agent execution events (partially and completely successful) 2 - Log agent execution events (completely successful only) Applies to: Servers Default: None UI equivalent: None, although you can specify this setting in the NOTES.INI Settings tab of the Configuration Settings document in the Domino Directory.
NOTES.INI File C-55
Log_Authentication
Syntax: Log_Authentication=value Description: Specifies whether or not authentication logging is enabled on the server. To enable authentication logging, set Log_Authentication to a value of 1. For example, if you specify the following NOTES.INI settings:
Log_Authentication=1 (to enable logging)
Debug_Console=1 (to write output to the console window)
Debug_Outfile=c:\debug\debug.txt (to write output to the specified text file)
this is sample output from client NOTES.INI:
Authenticate: CN=CLEVES01/OU=Cleveland/OU=A/O=Acme T:64 E:1: S:64:22 A:4:1 L:N:N:N
Authenticate: CN=ACCOUNT/OU=Memphis/OU=A/O=Acme T:64 E:1: S:64:22 A:4:1 L:N:I:N
Authenticate: CN=CLEVES02/OU=Cleveland/OU=A/O=Acme T:128 E:1: S:128:22 A:4:1 L:N:N:N
and this is sample output from server NOTES.INI:
Authenticate: CN=Jane Ochoa/O=Acme T:128 E:1: S:128:22 A:4:1 L:N:N:N
You can use the following table to interpret the output.
Field   Description
T       Ticket Width. Examples of values are 64 and 128.
E       Encryption Bit. Examples of values are 1 (Encrypted), 0 (Not encrypted), and 1:e (Escrow for International).
S       Encryption Strength. The first value is the key length; for example, 128, 64, and 40. The second value is the algorithm; for example, 22 (RC4) and 2F (RC2).
A       Algorithm. Examples of values are 4:1 (RC4) and 2:0 (RC2).
L       License Info. The first value applies to the local ID (that is, local client or server); the second value applies to the remote ID (that is, the server); and the third value applies to the version of local software. Examples of values are N (North American/Global) and I (International).
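The Authenticate lines written by Log_Authentication=1 can be decoded mechanically with the field table above. The following is an added example, not part of the Domino documentation: the function names and the 128-bit review threshold are assumptions, and the last sample line is constructed to exercise the unencrypted and RC2 cases.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Code meanings taken from the field table in this reference.
S_ALGORITHMS = {"22": "RC4", "2F": "RC2"}
A_ALGORITHMS = {"4:1": "RC4", "2:0": "RC2"}
LICENSES = {"N": "North American/Global", "I": "International"}

LINE_RE = re.compile(
    r"^Authenticate:\s+(?P<name>.+?)\s+"
    r"T:(?P<ticket>\d+)\s+"
    r"E:(?P<enc>\S+)\s+"
    r"S:(?P<bits>\d+):(?P<salg>[0-9A-Fa-f]+)\s+"
    r"A:(?P<aalg>\S+)\s+"
    r"L:(?P<local>\w):(?P<remote>\w):(?P<software>\w)\s*$"
)


@dataclass
class AuthRecord:
    name: str
    ticket_width: int
    encrypted: bool
    escrow: bool
    key_bits: int
    strength_algorithm: str
    algorithm: str
    local_license: str
    remote_license: str
    software_license: str


def _lookup(table: Dict[str, str], code: str) -> str:
    return table.get(code.upper(), f"unknown ({code})")


def parse_line(line: str) -> Optional[AuthRecord]:
    """Decode one Authenticate line; return None for any other log line."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    enc = m["enc"].split(":")           # "1:", "0" or "1:e"
    return AuthRecord(
        name=m["name"],
        ticket_width=int(m["ticket"]),
        encrypted=enc[0] == "1",
        escrow=len(enc) > 1 and enc[1].lower() == "e",
        key_bits=int(m["bits"]),
        strength_algorithm=_lookup(S_ALGORITHMS, m["salg"]),
        algorithm=_lookup(A_ALGORITHMS, m["aalg"]),
        local_license=_lookup(LICENSES, m["local"]),
        remote_license=_lookup(LICENSES, m["remote"]),
        software_license=_lookup(LICENSES, m["software"]),
    )


def review(rec: AuthRecord, min_key_bits: int = 128) -> List[str]:
    """Return review notes; min_key_bits is an assumed local policy value."""
    notes = []
    if not rec.encrypted:
        notes.append("session is not encrypted (E:0)")
    if rec.escrow:
        notes.append("escrow for International is in use (E:1:e)")
    if rec.key_bits < min_key_bits:
        notes.append(f"key length {rec.key_bits} is below {min_key_bits}")
    for side, value in (("local", rec.local_license), ("remote", rec.remote_license)):
        if value == "International":
            notes.append(f"{side} ID has an International license")
    return notes


def audit(lines: List[str], min_key_bits: int = 128) -> Dict[str, List[str]]:
    """Map each authenticated name to its review notes, skipping other lines."""
    result = {}
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            result[rec.name] = review(rec, min_key_bits)
    return result


SAMPLE_LINES = [
    # The four sample lines shown in this reference.
    "Authenticate: CN=CLEVES01/OU=Cleveland/OU=A/O=Acme T:64 E:1: S:64:22 A:4:1 L:N:N:N",
    "Authenticate: CN=ACCOUNT/OU=Memphis/OU=A/O=Acme T:64 E:1: S:64:22 A:4:1 L:N:I:N",
    "Authenticate: CN=CLEVES02/OU=Cleveland/OU=A/O=Acme T:128 E:1: S:128:22 A:4:1 L:N:N:N",
    "Authenticate: CN=Jane Ochoa/O=Acme T:128 E:1: S:128:22 A:4:1 L:N:N:N",
    # Constructed line (not from the documentation).
    "Authenticate: CN=Test User/O=Example T:64 E:0 S:40:2F A:2:0 L:I:N:N",
    "Server started",                   # constructed non-matching line
]

if __name__ == "__main__":
    for name, notes in audit(SAMPLE_LINES).items():
        print(name, "->", notes or "ok")
```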
Log_Connections
Syntax: Log_Connections=value Description: Specifies whether or not connection logging is enabled on the server. When connection logging is enabled, the server console displays the Notes network port, the network address of the requesting system, and the network address of the destination server. 0 - Do not log connections 1 - Log connections Applies to: Servers Default: None UI equivalent: None, although you can specify this setting in the NOTES.INI Settings tab of the Configuration Settings document in the Domino Directory.
Log_Console
Syntax: Log_Console=value Description: Security administrators can use this setting to enforce the logging of server console command output, which can otherwise be prevented if the command is prefixed with an exclamation point (!). 0 - Console command logging turned off 1 - Console command output logged, unless it's prefixed with an exclamation point 2 - Console command output logged, whether prefixed with the ! or not Applies to: Servers Default: None, but in the absence of this setting console command output is logged unless it's prefixed with an exclamation point. UI equivalent: None
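Several settings in this part of the reference affect what an auditor can see or what the server trusts (HTTPEnableConnectorHeaders, Log_Console, Log_Authentication, HTTPLogUnauthorized, FTG_No_Summary, LDAPBatchAdds). The following added example, which is not part of the Domino documentation, reads a NOTES.INI and lists the ones worth reviewing; the review policy, the function names, the case-insensitive key matching and the sample files are assumptions constructed for illustration.

```python
from typing import Callable, Dict, List, Optional, Tuple


def parse_notes_ini(text: str) -> Dict[str, str]:
    """Return name -> value; names are lower-cased (assumed case-insensitive)."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("[", ";")) or "=" not in line:
            continue
        name, _, value = line.partition("=")
        settings[name.strip().lower()] = value.strip()   # last duplicate wins
    return settings


# (setting, predicate on the value or None when absent, note based on this reference)
RULES: List[Tuple[str, Callable[[Optional[str]], bool], str]] = [
    ("HTTPEnableConnectorHeaders", lambda v: v == "1",
     "HTTP task processes connector headers; confirm requests can only arrive "
     "through the WebSphere plug-in, since ignoring them is what prevents plug-in mimicking"),
    ("Log_Console", lambda v: v != "2",
     "output of console commands prefixed with '!' is not logged unless the value is 2"),
    ("Log_Authentication", lambda v: v != "1",
     "authentication logging is not enabled"),
    ("HTTPLogUnauthorized", lambda v: v != "1",
     "Error 401 instances go to the Web Server logs only, not the server console"),
    ("FTG_No_Summary", lambda v: v != "1",
     "document summaries can appear in Domain Search results; verify database ACLs"),
    ("LDAPBatchAdds", lambda v: v == "1",
     "batch-add mode left on makes subsequent LDAP operations unreliable"),
]


def audit(text: str) -> List[Tuple[str, str, str]]:
    """Return (setting, current value, note) for every rule that fires."""
    settings = parse_notes_ini(text)
    findings = []
    for name, fires, note in RULES:
        value = settings.get(name.lower())
        if fires(value):
            findings.append((name, "(not set)" if value is None else value, note))
    return findings


# Constructed sample files (not taken from a real server).
AS_FOUND = """[Notes]
KitType=2
HTTPEnableConnectorHeaders=1
Log_Console=1
LDAPBatchAdds=1
Log_Sessions=1
"""

REVIEWED = """[Notes]
KitType=2
httpenableconnectorheaders=0
Log_Console=2
Log_Authentication=1
HTTPLogUnauthorized=1
FTG_No_Summary=1
Log_Sessions=1
"""

if __name__ == "__main__":
    for name, value, note in audit(AS_FOUND):
        print(f"{name}={value}: {note}")
    print("after review:", audit(REVIEWED))
```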
Log_DirCat
Syntax: Log_DirCat=value Description: Controls which information related to the Directory Cataloger task is logged to the console and to the Miscellaneous Events view of the log file (LOG.NSF): 1 - Logs when the Directory Cataloger starts and finishes, the name and domain of each source Domino Directory as it is aggregated, the number of entries processed. 3 - Logs same information as 1, except in addition, logs the names of all entries processed. Using 3 is not recommended because it slows performance and fills the log file. If you do use 3, use it only temporarily. Applies to: Servers Default: None, although without this setting the log file only shows when the Directory Cataloger starts. UI equivalent: None
LogFile_Dir
Syntax: LogFile_Dir=directoryname Description: Specifies the directory for the Console Log file (CONSOLE.LOG, by default). If both this setting and the Debug_Outfile setting exist and Debug_Outfile contains a fully qualified path name, then LogFile_Dir is not used. If neither Debug_Outfile nor LogFile_Dir exists, then the default path \DATADIRECTORY\IBM_TECHNICAL_SUPPORT is used.
Log_Replication
Syntax: Log_Replication=value Description: Specifies the level of logging of replication events performed by the current server: 0 - Do not log replication events 1 - Log that a database is replicating 2 - Log summary information about each database 3 - Log information about each replicated document (both design and data documents) 4 - Log information about each replicated field Applies to: Servers Default: None UI equivalent: None, although you can specify this setting in the NOTES.INI Settings tab of the Configuration Settings document in the Domino Directory.
Log_Sessions
Syntax: Log_Sessions=value Description: Specifies whether individual sessions are recorded in the log file and displayed on the console: 0 - Do not log individual sessions 1 - Log individual sessions Applies to: Servers Default: None UI equivalent: The Log All Client Events setting that is an Advanced server Setup option. You can also specify this setting in the NOTES.INI Settings tab of the Configuration Settings document in the Domino Directory.
Log_Tasks
Syntax: Log_Tasks=value Description: Specifies whether the current status of server tasks is recorded in the log file and displayed on the console: 0 - Do not send status information 1 - Send the status of server tasks to the log file and to the console Applies to: Servers Default: None UI equivalent: None, although you can specify this setting in the NOTES.INI Settings tab of the Configuration Settings document in the Domino Directory.
Log_Update
Syntax: Log_Update=value Description: Specifies the level of detail of Indexer events displayed at the server console and in the log file: 0 - Records when the Indexer starts and shuts down. 1 - Records when the Indexer starts and shuts down and when the Indexer updates views and full text indexes for specific databases. 2 - Records when the Indexer starts and shuts down and when the Indexer updates views and full text indexes for specific databases. Also records the names of views the Indexer is updating. Applies to: Servers Default: None UI equivalent: None
Log_View_Events
Syntax: Log_View_Events=value Description: Specifies whether messages generated when views are rebuilt are recorded in the log file: 0 - Do not log messages when views are rebuilt 1 - Log messages when views are rebuilt Removing this setting from the NOTES.INI file also disables logging of these messages. Applies to: Servers Default: None UI equivalent: None
MailCharSet
Syntax: MailCharSet=value Description: Specifies the character set a POP3 server uses when downloading mail messages to a POP3 client. value corresponds to a character set as follows:
Character set group   Language: Encoding character set   MIME name      MailCharSet value
Western               Codepage 1252                      usascii        82
Western               Codepage 1252                      us-ascii       82
Western               ISO Latin-1 (8859)                 iso-8859-1     32
Western               Mac Script Roman                   x-mac-roman    96
Central European      Codepage 1250                      cp1250 *       80
Central European      ISO Latin-2 (8859-2)               iso-8859-2     33
Turkish               ISO Latin-3 (8859-3)               iso-8859-3     34
Turkish               ISO Latin-5 (8859-9)               iso-8859-9     40
Turkish               Codepage 1254                      cp1254 *       84
Taiwanese             Big5, Codepage 950                 big5           26
Taiwanese             EUC-TW                             x-euc-tw       3,302
Thai                  Codepage 874                       cp874 *        144
Simplified Chinese    PRC Chinese: GB,GBK                gb2312         27

Character set group   Language: Encoding character set   MIME name
Korean                EUC-KR                             euc-kr
Japanese              EUC-J                              x-euc-jp
Japanese              ISO-2022-JP                        iso-2022-jp
Japanese              ShiftJIS                           x-sjis
Greek                 ISO 8859-7                         iso-8859-7
Greek                 Codepage 1253                      cp1253 *
Cyrillic              Codepage 1251                      cp1251 *
Cyrillic              ISO 8859-5                         iso-8859-5
Cyrillic              KOI8                               koi8-r
Baltic Rim            ISO Latin-4 (8859-4)               iso-8859-4
Baltic Rim            Codepage 1257                      cp1257 *
Arabic                ISO 8859-6                         iso-8859-6
Arabic                Codepage 1256                      cp1256 *
Hebrew                ISO 8859-8                         iso-8859-8
Hebrew                Codepage 1255                      cp1255 *
* On Windows-based servers, the MIME prefix is windows- rather than cp, for example, windows-1254.
If you do not use this setting, the POP3 server looks for a WWWDSP_Codepage value, if this setting is added. (WWWDSP_Codepage controls the character set used by the Web Navigator and accepts the same values as MailCharSet.) Applies to: Servers Default: None, although if this setting is omitted and there is no WWWDSP_Codepage setting, the POP3 server uses the us-ascii character set. UI equivalent: None
MailCompactDisabled
Syntax: MailCompactDisabled=value Description: Enables or disables the routine compacting of the server's MAIL.BOX. Without this setting in the NOTES.INI file, MAIL.BOX is compacted routinely when the Compact server task runs: 0 - Enables compacting of MAIL.BOX 1 - Disables compacting of MAIL.BOX Applies to: Servers Default: None UI equivalent: None
MailCompactHour
Syntax: MailCompactHour=value Description: Use this setting to specify the time at which the router should perform mailbox compaction. Value is based on a 24-hour clock. For example, MailCompactHour=22 will cause compaction to initiate around 10pm. Applies to: Servers Default: In the absence of the setting, the router will perform mailbox compaction at 4 AM. UI equivalent: None
MailConvertMIMEonTransfer
Syntax: MailConvertMIMEonTransfer=value Description: Enables or disables MIME message conversion on the router. This can help minimize conversion overhead on the server running the SMTP listener task. 0 - Router does not perform conversions for MIME messages 1 - Router performs conversions for MIME messages Applies to: Servers Default: 0
UI equivalent: None
Mail_Disable_Implicit_Sender_Key
Syntax: Mail_Disable_Implicit_Sender_Key=value Description: Determines whether to encrypt an encrypted message with the sender's public key: 0 - Does not encrypt the encrypted message with the sender's public key 1 - Encrypt the encrypted message with the sender's public key Applies to: Workstations Default: 0 UI equivalent: None
Mail_Log_To_MiscEvents
Syntax: Mail_Log_To_MiscEvents=value Description: Determines whether all mail event messages are displayed in the Miscellaneous Events view of the log file: 0 - Does not display mail events in the Miscellaneous Events view 1 - Displays mail events in the Miscellaneous Events view Applies to: Servers and workstations Default: None, although if this setting is omitted, mail events are not displayed in the Miscellaneous Events view. UI equivalent: None
MailServer
Syntax: MailServer=server Description: Specifies the server where the user's mail file resides. Applies to: Servers and workstations Default: None UI equivalent: The Mail Server field in the Mail tab of the Person document in the Domino Directory.
Mail_Skip_NoKey_Dialog
Syntax: Mail_Skip_NoKey_Dialog=value Description: Specifies whether to display the Encryption Failure dialog when Notes cannot locate the public key to sign or encrypt a message: 0 - The "Don't show signature or encryption failures again and continue sending" dialog appears when Notes cannot find the public key. 1 - The "Don't show signature or encryption failures again and continue sending" dialog does not appear when Notes cannot find the public key. Notes then sends the message unsigned and/or unencrypted. Applies to: Workstations Default: None UI equivalent: The "Don't show signature or encryption failures again and continue sending" checkbox in the Encryption Failure dialog box.
MailSystem
Syntax: MailSystem=value Description: Specifies the mail system that the user selected during the workstation setup procedure: 0 - Notes mail 1 - cc:Mail or a non-Lotus mail system Applies to: Servers and workstations Default: None UI equivalent: The mail system selection made during workstation setup.
MailTimeout
Syntax: MailTimeout=number of days Description: Specifies the number of days after which the server returns undelivered mail to the sender. Increase this setting when you have a lot of mail returned in one day or when you are sending mail to foreign domains. Note To specify a period of less than one day, use the NOTES.INI setting MailTimeoutMinutes. Applies to: Servers Default: None, although if this setting is omitted, undelivered mail is returned after one day. UI equivalent: None, but you can specify this setting in the NOTES.INI Settings tab of the Configuration Settings document in the Domino Directory.
MailTimeoutMinutes
Syntax: MailTimeoutMinutes=number of minutes Description: Specifies the number of minutes after which the server returns undelivered mail to the sender. The maximum number of minutes is 1440 (24 hours). Note To specify a time greater than one day, use the NOTES.INI setting MailTimeout. Applies to: Servers Default: None UI equivalent: None
Map_Retry_Delay
Syntax: Map_Retry_Delay=number of minutes Description: Specifies the number of minutes that a server waits after an unsuccessful attempt to call another server before it tries again. Applies to: Servers Default: None UI equivalent: None
Memory_Quota
Syntax: Memory_Quota=number of megabytes Description: This setting is for OS/2 only. Specifies the maximum number of megabytes of virtual memory that the server can allocate. This gives administrators more control over the growth of the swap file. The minimum value is 4MB. Without this setting in the NOTES.INI file, the server uses all available memory. Applies to: Servers Default: None UI equivalent: None, although you can specify this setting in the NOTES.INI Settings tab of the Configuration Settings document in the Domino Directory.
MinNewMailPoll
Syntax: MinNewMailPoll=number of minutes Description: Determines how often workstations can contact the server to see if new mail has arrived for the user. This setting overrides the user's selection in the Mail Setup dialog box. You can increase the mail polling interval if there are a large number of mail users on your server, and you want to prevent frequent polling from affecting server performance. Applies to: Servers Default: None UI equivalent: None
Move_Mail_File_Expiration_Days
Syntax: Move_Mail_File_Expiration_Days=number of days Description: Specifies the number of days that the Notes client updates mail file related Change Requests. After this time period, these become obsolete Change Requests. For example: Move_Mail_File_Expiration_Days=30 Applies to: Servers Default: None UI equivalent: None
MTCDailyTasksHour
Syntax: MTCDailyTasksHour=time Description: Specifies the time, in 24-hour format, when the Mail Tracking Collector (MTC) task performs the daily compaction of the Domino MailTracker Store database (MTSTORE.NSF). For example: MTCDailyTasksHour=25:00 Applies to: Servers Default: None, although in the absence of this setting, compaction occurs nightly at 2 AM. UI equivalent: None
MTMaxResponses
Syntax: MTMaxResponses=number of responses Description: Specifies the maximum number of message tracking responses returned from a query. The number of responses returned will be less than or equal to the MTMaxResponses value. Whenever a query returns more than the MTMaxResponses limit, a message indicating this appears on the Administration panel status line. Applies to: Servers Default: None, although if this setting is omitted, the maximum number of message tracking responses returned from a query is 100. UI equivalent: None
Names
Syntax: Names=name(s) Description: Specifies the names of the secondary Domino Directories that Domino searches to verify recipient names in mail messages. By default, Domino searches only the primary Domino Directory, which is typically named NAMES.NSF.
Note It is strongly recommended that you use directory assistance rather than this setting to do lookups in secondary Domino Directories.
This NOTES.INI setting allows additional directories to be searched in the order in which they appear and stops searching when it finds a match in one of the databases. The file names can be up to 256 characters. Separate the list of directories with commas. Do not specify the NSF file extension. The server does not use this feature to look up additional Connection, Domain, or Server documents specified in additional directories. Ensure you create all of the necessary Connection, Domain, and Server documents in the primary Domino Directory.
Local secondary Domino Directories: To specify secondary Domino Directories that are replicated locally on the server, type the names of the directories without the NSF extension following the name of the primary Domino Directory; for example:
NAMES=NAMES, EASTNAME, WESTNAME
Remote secondary Domino Directories: If secondary Domino Directories are not replicated locally, access them over the network by specifying server names in canonical format and their Domino Directories as follows:
CN=servername/OU=organizational unit/O=organization/!!filename
Specify as many organizational units as necessary. For example, specify:
NAMES=NAMES, CN=serverwest/OU=west/O=acme!!NAMES, CN=servereast/OU=east/O=acme!!NAMES
If the name of the remote server is flat, omit the canonical format, for example:
NAMES=NAMES, serverwest!!NAMES
If a remote server contains multiple Domino Directories, for example a hub server, you can point to each directory on the server. To do this, you must repeat the server name for each directory, for example:
NAMES=NAMES, CN=serverhub/O=acme!!NAMES1, CN=serverhub/O=acme!!NAMES2
Note Do not add the name of a condensed Directory Catalog as a value for this setting. Use the Basics tab of the Server document in the Domino Directory to set up a server to use a condensed Directory Catalog.
Applies to: Servers Default: NAMES UI equivalent: None
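The Names value format described above, as an added Python example that is not part of the IBM documentation: it splits a value into directory entries in search order, separates local from remote (server!!filename) entries, and flags the two restrictions the text states (no NSF extension, file names up to 256 characters). The function names and the dictionary layout are assumptions of the example.

```python
"""Parse a Names= value into the directories Domino searches, in order."""

MAX_FILENAME = 256  # "The file names can be up to 256 characters."


def parse_names(value):
    """Return one dict per directory, in the order the value lists them."""
    entries = []
    for item in (part.strip() for part in value.split(",")):
        if not item:
            continue
        server, sep, filename = item.partition("!!")
        if not sep:
            # No "!!": a directory replicated locally on the server.
            server, filename = None, item
        else:
            # The syntax line shows ".../!!filename"; drop that trailing slash.
            server = server.rstrip("/")
        problems = []
        if sep and (not server or not filename):
            problems.append("incomplete server!!filename entry")
        if filename.lower().endswith(".nsf"):
            problems.append("NSF extension must be omitted")
        if len(filename) > MAX_FILENAME:
            problems.append("file name longer than 256 characters")
        entries.append({
            "order": len(entries) + 1,
            "server": server,
            "filename": filename,
            # Canonical names start with CN=; flat names are used as given.
            "canonical": bool(server) and server.upper().startswith("CN="),
            "problems": problems,
        })
    return entries


def remote_servers(entries):
    """Distinct remote servers that lookups depend on, in first-seen order."""
    seen = []
    for entry in entries:
        if entry["server"] and entry["server"] not in seen:
            seen.append(entry["server"])
    return seen


if __name__ == "__main__":
    # Value taken from the example in the reference text.
    value = ("NAMES, CN=serverwest/OU=west/O=acme!!NAMES, "
             "CN=servereast/OU=east/O=acme!!NAMES")
    for entry in parse_names(value):
        where = entry["server"] or "(local)"
        print(entry["order"], where, entry["filename"], entry["problems"])
```

Because the search stops at the first match, the order field is the precedence of each directory when the same recipient name exists in more than one of them.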
NetWareSocket
Syntax: NetWareSocket=socketnumber Description: Specifies the IPX socket number used by the Domino server. Applies to: Servers Default: None. Domino lets the IPX/SPX protocol stack assign a socket number dynamically. UI equivalent: None For information on assigning the IPX socket number for a Domino server, see the chapter Setting Up the Domino Network.
NetWareSpxSettings
Syntax: NetWareSpxSettings=value Description: Specifies the decimal value of the Domino server's IPX socket. Applies to: Servers Default: None UI equivalent: None
NewMailInterval
Syntax: NewMailInterval=number of minutes Description: Defines how often (in minutes) Notes checks the user's Inbox for new mail. Applies to: Workstations Default: 1 UI equivalent: File - Preferences - User Preferences - Mail - Check for new mail every x minutes.
NewUserServer
Syntax: NewUserServer=server Description: Specifies the registration server for a Domino domain, if this has not been specified in Administration Preferences. Applies to: Servers Default: None UI equivalent: None
NoDesignMenu
Syntax: NoDesignMenu=value Description: Hides the Design menu on workstations. 0 - Shows the Design menu 1 - Hides the Design menu Applies to: Workstations Default: None, although if this setting is omitted, the Design menu appears UI equivalent: None
NoExternalApps
Syntax: NoExternalApps=value Description: Protects against mail bomb viruses by disabling the following workstation features: OLE, DDE, DIP, @Command; @DBLookup, @DBColumn (when using non-Notes drivers); @MailSend, @DDExxx; launching file attachments; Subscribe on a Macintosh workstation. 0 - Enables the workstation features listed above 1 - Disables the workstation features listed above
Applies to: Workstations Default: None, although if this setting is omitted, these workstation features are enabled. UI equivalent: None
No_Force_Activity_Logging
Syntax: No_Force_Activity_Logging=value Description: Controls whether the Statlog task automatically enables activity logging on all databases: 0 - Allows automatic activity logging on all databases 1 - Prevents automatic activity logging on all databases Even when activity is not being recorded for the database, the information is still recorded in the Activity entry of the Database Usage view in the server's log file. Applies to: Servers Default: None, although if this setting is omitted, the Statlog server task enables the Record Activity option for every database on the server and adds 64Kb to each database. UI equivalent: None, although you can specify this setting in the NOTES.INI Settings tab of the Configuration Settings document in the Domino Directory.
NoMailMenu
Syntax: NoMailMenu=value Description: Hides the Mail menu. When set to 1, the Mail menu doesn't appear on workstations. This setting also sets the user's mail system to None. Applies to: Workstations Default: None, although if this setting is omitted, the Notes Mail menu appears. UI equivalent: None
NoMsgCache
Syntax: NoMsgCache=value Description: Disables per-user message caching by the IMAP task. This can improve capacity (number of users) on a server by reducing memory consumption. Applies to: Servers Default: None, although if this setting is omitted, IMAP per-user message caching will be enabled. UI equivalent: None
NSF_Buffer_Pool_Size
Syntax: NSF_Buffer_Pool_Size=number of bytes Description: Specifies the maximum size (in bytes) of the NSF buffer pool, a section of memory dedicated to buffering I/O transfers between Domino and disk storage. The maximum size depends on any limitations of the operating system, and the amount of system memory available. The minimum size is 4MB. Note You can also use NSF_Buffer_Pool_Size_MB to set the maximum size of the NSF buffer pool. This is the same as NSF_Buffer_Pool_Size, except it specifies the size in megabytes instead of bytes. Use NSF_Buffer_Pool_Size_MB to avoid the 2GB limitation that exists for NSF_Buffer_Pool_Size due to NOTES.INI variable limits. (NOTES.INI variables are signed variables, and cannot be larger than 2GB.) Applies to: Servers and workstations Default: Determined automatically by the server or workstation. (This is strongly recommended, except on partitioned servers.) The more memory is available, the larger the server sets the default NSF_Buffer_Pool_Size. On workstations, the maximum setting of the NSF_Buffer_Pool_Size is 8MB (4MB for MAC). On the server, the default maximum is determined to be between 1/8 and 3/8 of available physical memory, depending on the overall size of physical memory. The defaults are not automatically adjusted on partitioned servers, so it will usually be necessary to adjust the maximum values in each partition to a fraction of memory such that the memory used by all partitions adds up to approximately 1/4 to 3/8 of memory. UI equivalent: None
NSF_DbCache_Disable
Syntax: NSF_DbCache_Disable=value Description: Controls whether the database cache is enabled on a server. The database cache is enabled by default. 0 - Enables the database cache 1 - Disables the database cache Applies to: Servers Default: None UI equivalent: None
NSF_DbCache_Maxentries
Syntax: NSF_DbCache_Maxentries=number of databases Description: Determines the number of databases that a server can hold in its database cache at one time, where n is the number of databases. Increasing the database cache size can improve system performance but requires additional memory. The minimum number of databases allowed in the cache at one time is 25; the maximum is approximately 2000, depending on the server platform. Applies to: Servers Default: None, although if this setting is omitted, the number of databases that the server can hold in its cache at one time is either 25, or the NSF_Buffer_Pool_Size value divided by 300K (whichever is greater). UI equivalent: None
Num_Compact_Rename_Retries
Syntax: Num_Compact_Rename_Retries=number of times to retry Description: Domino attempts only once to rename a database that was copy-style compacted. You can request additional attempts by specifying a value in the Num_Compact_Rename_Retries setting in the NOTES.INI file. Domino tries to rename until it succeeds or the number of retries is exhausted. For example, to request that Domino try once again to rename, specify Num_Compact_Rename_Retries=1; to request that Domino try 5 more times to rename, specify Num_Compact_Rename_Retries=5.
Applies to: Servers Default: No default entry, but in the absence of the setting, Domino attempts just once to rename a database that was copy-style compacted. UI equivalent: None
NWNDSPassword
Syntax: NWNDSPassword=NDS password Description: Specifies the password for Domino to log in to the Novell Directory Service (NDS) tree on system start-up. Until this setting is added to the NOTES.INI file, an administrator must log in to the NDS tree before starting the Domino server. Applies to: Servers Default: None UI equivalent: None For information on setting up NDS for a Domino server, see the appendix Novell Directory Service for the IPX/SPX Network.
NWNDSUserID
Syntax: NWNDSUserID=NDS user ID Description: Specifies the user ID for Domino to log into the Novell Directory Service (NDS) tree on system start-up. Until this setting is added to the NOTES.INI file, an administrator must log into the NDS tree before starting the Domino server. Applies to: Servers Default: None UI equivalent: None For information on setting up NDS for a Domino server, see the appendix Novell Directory Service for the IPX/SPX Network.
Passthru_Hangup_Delay
Syntax: Passthru_Hangup_Delay=number of seconds Description: Specifies how long in seconds a passthru server maintains a dialup connection after its last dialup session ends. Applies to: Servers Default: 120 UI equivalent: None
Passthru_LogLevel
Syntax: Passthru_LogLevel=value Description: Specifies the level of trace information recorded for all network connections (including passthru) in the Miscellaneous Events view of the log file. 0 - No information is recorded 1 - Only errors are recorded 2 - Summary progress information is recorded 3 - Detailed progress information is recorded 4 - Full trace information is recorded 5 - Full trace information plus driver messages are recorded Applies to: Servers and workstations Default: 0 UI equivalent: File - Preferences - User Preferences - Ports - Trace Notes Log options
PhoneLog
Syntax: PhoneLog=value Description: Specifies whether phone calls are recorded in the log file: 0 - Does not record phone calls to the log file 1 - Records all calls, except those that fail because of a busy signal 2 - Records all phone calls
Applies to: Servers and workstations Default: 2 UI equivalent: None, although you can specify this setting in the NOTES.INI Settings tab of the Configuration Settings document in the Domino Directory.
PKCS11_Library
Syntax: PKCS11_Library=path Description: Specifies the location of the server's locally installed PKCS#11 file for enabling Smartcards. For example: PKCS11_Library=C:\Program Files\Schlumberger\Smart Cards and Terminals\Common Files\slbck.dll Applies to: Servers Default: None UI equivalent: The Smartcard installation wizard will prompt the user to install the appropriate DLL for the Smartcard.
Platform_Statistics_Disabled
Syntax: Platform_Statistics_Disabled=value Description: By default, Domino tracks performance metrics of the operating system and captures the results in the Domino server. Use the following setting to disable statistic reporting: Platform_Statistics_Disabled=1 Note You must remove the setting from the NOTES.INI file altogether to re-enable platform statistic reporting. Applies to: Servers Default: None UI equivalent: None
POP3ConfigUpdateInterval
Syntax: POP3ConfigUpdateInterval=number of minutes Description: Determines how often (in minutes) the POP3 server will update its configuration information. Applies to: Servers Default: 2 minutes UI equivalent: None
POP3_Disable_Cache
Syntax: POP3_Disable_Cache=value Description: Enables/disables message caching for users. 0 - Enables message caching 1 - Disables message caching Applies to: Servers Default: 0 UI equivalent: None
POP3DNSLookup
Syntax: POP3DNSLookup=value Description: Enables/disables reverse DNS lookups of client host names. 0 - Disables reverse DNS lookups of client host names 1 - Enables reverse DNS lookups of client host names Applies to: Servers Default: 0 UI equivalent: None
POP3Domain
Syntax: POP3Domain=domain name Description: Specifies the name of the Internet domain to use as the gateway to send mail to the Internet for local addresses. (All local addresses are converted to Internet addresses.) If this setting is included in the NOTES.INI file, it overrides the DNS value. Applies to: Servers Default: None UI equivalent: None
POP3_Enable_Cache_Stats
Syntax: POP3_Enable_Cache_Stats=value Description: Enables/disables message caching statistics. 0 - Disables message caching statistics 1 - Enables message caching statistics Applies to: Servers Default: 0 UI equivalent: None
POP3MarkRead
Syntax: POP3MarkRead=value Description: Specifies whether POP3 messages should be marked as read after downloading. A value of 1 instructs the server to mark the messages as read. Default is 0 (messages are marked as unread). 0 - Do not mark POP3 messages as read 1 - Mark POP3 messages as read Applies to: Servers Default: 0 UI equivalent: None
POP3_Message_Stat_Cache_NumPerUser
Syntax: POP3_Message_Stat_Cache_NumPerUser=number of message statistics Description: Limits the number of message statistics that can be cached for a single user. Message statistics caches contain UNIDs and saved message sizes. Each cache entry consumes CPU time and server memory. Reducing this number can improve server performance. Applies to: Servers Default: 50 UI equivalent: None
POP3NotesPort
Syntax: POP3NotesPort=port name Description: Specifies the name of the Notes network port for TCP/IP that you are linking the POP3 service with. This setting is required for a partitioned server hosting POP3, and for a single server hosting it if the server has more than one Notes port for TCP/IP. Applies to: Servers Default: None UI equivalent: None For information on binding an Internet service to an IP address, see the chapter Setting Up the Domino Network.
portname_MaxSessions
Syntax: portname_MaxSessions=number of sessions Description: Restricts the number of sessions on a specified port. Applies to: Servers Default: None UI equivalent: None
Ports
Syntax: Ports=portname(s) Description: This setting indicates which ports are enabled for the server or workstation. Ports are enabled/disabled by a two-step process: using the Setup Ports dialog box and then using Server documents (for servers) or the User Preferences dialog box (for workstations). The order in which ports are listed in this setting can affect how Notes workstations and Domino servers connect to a system. Applies to: Servers and workstations Default: None UI equivalent: On a workstation, see the Ports tab in the User Preferences dialog box (choose File - Preferences - User Preferences). On a server, the Configuration tab's Tools pane, Server - Setup Ports option, and then see the Ports - Notes Network Ports tab in the Server document. For information on reordering network ports on a server, see the chapter "Setting Up the Domino Network."
ProgramMode
Syntax: ProgramMode=value Description: If the user sets up Notes with a Notes Mail ID or switches to a Notes Mail ID (not a Lotus Notes Desktop ID), a value is written to the NOTES.INI ProgramMode setting: 0 - Full Notes 1 - Notes Mail 8 - Desktop Applies to: Workstations Default: 1 (Full Notes) UI equivalent: None
Repl_Error_Tolerance
Syntax: Repl_Error_Tolerance=number of replication errors Description: Specifies the number of replication errors of the same type that can occur between two databases before the server terminates replication. Applies to: Servers Default: 2 UI equivalent: None, although you can specify this setting in the NOTES.INI Settings tab of the Configuration Settings document in the Domino Directory.
ReplicationTimeLimit
Syntax: ReplicationTimeLimit=number of minutes Description: Specifies a time limit (in minutes) for replication between one server and another. If this setting is not included in the NOTES.INI file, there is no time limit. Applies to: Servers Default: None UI equivalent: The Replication Time Limit field in the Routing/Replication tab in the Connection document in the Domino Directory.
Replicators
Syntax: Replicators=number of tasks Description: Specifies the number of Replicator tasks that can run concurrently on the server. Note You must shut down and restart the server for this setting to take effect. Applies to: Servers Default: 1 UI equivalent: None, although you can specify this setting in the NOTES.INI Settings tab of the Configuration Settings document in the Domino Directory.
Repl_Obeys_Quotas
Syntax: Repl_Obeys_Quotas=value Description: Specifies whether the Replicator obeys quotas. 0 - Disables the Replicator from obeying quotas 1 - Enables the Replicator to obey quotas Applies to: Servers Default: The Replicator does not obey quotas. UI equivalent: None.
Report_DB
Syntax: Report_DB=path Description: When the Monitoring Configuration database (EVENTS4.NSF) is created, it is placed in the Domino Data directory. Use this setting to specify the location of the database if it is located somewhere other than in the Domino Data directory. Applies to: Servers Default: None, but in the absence of any Report_DB setting in the NOTES.INI file, the default path is Lotus\Domino\Data\events4.nsf. UI equivalent: None
ReportUseMail
Syntax: ReportUseMail=value Description: Allows the Reporter task to use the Router to send statistics to another server in the same domain: 1 - Use the Router 0 - Use the network Using the Router can be useful for reporting statistics over dial-up connections to a central collection server. Applies to: Servers
Default: None, although without the setting, the Reporter task uses the network to report statistics. UI equivalent: None, although you can specify this setting in the NOTES.INI Settings tab of the Configuration Settings document in the Domino Directory.
RouterAllowConcurrentXferToAll
Syntax: RouterAllowConcurrentXFERToALL=value Description: Use this setting to enable/disable multiple concurrent transfer threads for inter-domain Notes routing. 1 - Enables 0 - Disables Applies to: Servers Default: None, but if the setting does not appear in the NOTES.INI file, Domino's default behavior is to disable multiple concurrent transfer threads for inter-domain Notes routing. UI equivalent: None For information on enabling multiple concurrent transfer threads between Domino domains, see the chapter "Customizing the Domino Mail System."
RouterDisableMailToGroups
Syntax: RouterDisableMailToGroups=value Description: Specifies whether the router should allow or deny mail addressed to a group. 0 - Allow the Router to expand groups and forward a message to the group members. 1 - Router will not expand any groups. It will return the message as a failure report to the sender - rejected for policy reasons. Applies to: Servers Default: 0 UI equivalent: None
RouterDSNForNullReversePath
Syntax: RouterDSNForNullReversePath=value Description: Specifies whether the router should return delivery status notifications (DSNs) for messages received over SMTP with null RFC 821 reverse paths. 0 - Don't return a failed DSN. Create the non delivery report, but mark it as DEAD. The Administrator can then delete these messages or release them. 1 - Create and send the delivery status notification. 2 - Do not create a delivery status notification. Applies to: Servers Default: 0 UI equivalent: None
RouterEnableMailByDest
Syntax: RouterEnableMailByDest=value Description: Use this setting to generate verbose mail routing statistics per destination. These statistics may be useful when attempting to troubleshoot routing related problems. 0 - No destination based statistics are generated by the router. 1 - Router maintains statistics for each mail routing destination, which include the last successful/unsuccessful transfer time, total number of messages routed, and the total number of failures. Applies to: Servers Default: None UI equivalent: None
RTR_Logging
Syntax: RTR_Logging=value Description: Enables or disables monitoring of Cluster Replicator activity. 0 - Disables monitoring of the Cluster Replicator 1 - Enables monitoring of the Cluster Replicator Applies to: Servers Default: None UI equivalent: None
Sched_Dialing_Enabled
Syntax: Sched_Dialing_Enabled=value Description: Enables or disables dialing out to check Busy Time. Use the following values: 0 - Disables dialing out to check Busy Time 1 - Enables dialing out to check Busy Time Applies to: Workstations Default: Dialing out to check Busy Time is disabled. UI equivalent: None
Sched_Purge_Interval
Syntax: Sched_Purge_Interval=number of days Description: Specifies how many days prior to the current day to keep busytime data. A value of 0 means data is never purged. Applies to: Servers Default: 7 UI equivalent: None
Schedule_Check_Entries_When_Validating
Syntax: Schedule_Check_Entries_When_Validating=value Description: Enables or disables whether SchedMgr validates its busytime database entry on a user by user basis, as follows: 0 - Disables validation 1 - Enables validation Validation should not be required under normal conditions. Applies to: Servers Default: 0 UI equivalent: None
Schedule_No_CalcStats
Syntax: Schedule_No_CalcStats=value Description: Enables or disables whether SchedMgr updates/calculates statistics on an hourly daily basis, as follows: 0 - Enables update/calculation 1 - Disables update/calculation Applies to: Servers Default: 0 UI equivalent: None
Schedule_No_Validate
Syntax: Schedule_No_Validate=value Description: Enables or disables whether SchedMgr validates its busytime database entry on a daily basis, as follows: 0 - Enables validation 1 - Disables validation Validation should be enabled under normal conditions. Applies to: Servers Default: 0 UI equivalent: None
Schema_Daemon_Breaktime
Syntax: Schema_Daemon_Breaktime=number of seconds Description: Specifies how often (in seconds) the schema daemon spawned by the LDAP service checks if it should shut down because its parent LDAP task is shutting down. In most situations there is no need to change the breaktime interval. In rare situations, you might increase this value as a way to free up CPU resources on a heavily used server. Increasing the breaktime value also increases the time it takes the LDAP service to shut down. Applies to: Servers Default: None, although without this setting, the schema daemon checks the status of its parent LDAP task every 15 seconds. UI equivalent: None
Schema_Daemon_Idletime
Syntax: Schema_Daemon_Idletime=number of minutes Description: Specifies how long (in minutes) the schema daemon spawned by the LDAP service remains idle after it has completed its tasks. After the schema daemon has been idle for the specified interval, it begins its tasks again. Applies to: Servers Default: None, although without this setting, the schema daemon remains idle for 15 minutes. UI equivalent: None
Schema_Daemon_Reloadtime
Syntax: Schema_Daemon_Reloadtime=number of hours Description: Specifies how often (in hours) the schema daemon spawned by the LDAP service adds schema elements for new or changed Domino Directory forms and fields to its in-memory schema. This operation occurs only on the administration server for the Domino Directory and not on other servers in the domain that run the LDAP service.
Reloading in-memory schema to reflect new or changed Domino Directory forms and fields is a CPU-intensive operation. You might set different intervals for Schema_Daemon_Reloadtime and Schema_Daemon_Resynctime so the two operations occur at different times. Or you might increase the interval during periods when there are no schema changes. Schema_Daemon_Idletime, rather than Schema_Daemon_Reloadtime, controls how often the schema daemon loads new schema elements defined in the Domino LDAP Schema database into memory. Applies to: Servers Default: None, although without this setting the schema daemon reload interval is 24 hours. UI equivalent: None
Schema_Daemon_Resynctime
Syntax: Schema_Daemon_Resynctime=number of hours Description: Specifies how often (in hours) the schema daemon spawned by the LDAP service updates the schema published in the Domino LDAP Schema database with a newer in-memory schema. This operation occurs only on the Domino Directory administration server, and not other servers in the domain that run the LDAP service. Synchronizing the Schema database with in-memory schema is a CPU-intensive operation. You might set different intervals for Schema_Daemon_Reloadtime and Schema_Daemon_Resynctime so the two operations occur at different times. Or you might increase the interval during periods when there are no schema changes. Applies to: Servers Default: None, although without this setting the schema daemon resync interval is 24 hours. UI equivalent: None
Secure_Disable_FullAdmin
Syntax: Secure_Disable_FullAdmin=value Description: Entering 1 disables the Full Access Administrators field in the Server document, causing the server to ignore any entries in that field. 1 - Disables the Full Access Administrators field in the Server document 0 - Does not disable Full Access Administrators field in the Server document Applies to: Servers Default: 0 UI equivalent: None
SecureMail
Syntax: SecureMail=value Description: Entering 1 as the value forces the mail program to sign and encrypt all mail sent from the workstation: 1 - Removes the Sign and Encrypt options from all dialog boxes 0 - Restores the Sign and Encrypt options Applies to: Workstations Default: None, although if this setting is omitted, the Sign and Encrypt options appear UI equivalent: File - Preferences - User Preferences - Mail - Encrypt sent mail
Server_Availability_Threshold
Syntax: Server_Availability_Threshold=value Description: Specifies the acceptable level of system resources available to a server. By setting this value for each server in a cluster, you determine how the workload is distributed among cluster members. Valid values are 0 to 100. Domino compares this value against a server's availability index; when the availability index falls below the Server_Availability_Threshold value, the server becomes BUSY. A Server_Availability_Threshold value of zero (0) indicates a fully available state and workload balancing is disabled; a value of 100 indicates the server is BUSY (since the availability index can never be greater than 100) and the Cluster Manager then tries to redirect user requests to more available cluster members. Applies to: Servers Default: 0 UI equivalent: None, although you can specify this setting in the NOTES.INI Settings tab of the Configuration Settings document in the Domino Directory.
Server_Cluster_Default_Port
Syntax: Server_Cluster_Default_Port=portname Description: Specifies the port used for intracluster network traffic. The value should be a port name (for example, TCP) as specified in the Ports tab of the Server document. Applies to: Servers Default: None UI equivalent: None, although you can specify this setting in the NOTES.INI Settings tab of the Configuration Settings document in the Domino Directory.
Server_Console_Password
Syntax: Server_Console_Password=encrypted_password Description: For the encrypted_password to be written to this setting in the NOTES.INI file, you must use the Set Configuration server command to specify the password. The password can be a combination of letters and numbers. When this setting is added to the NOTES.INI file, Domino activates the Set Secure command to secure the server console. The password provided should be different from the administrator's user password. If you forget the console password, delete this setting from the NOTES.INI file, and then re-specify a password. Applies to: Servers Default: None UI equivalent: None
ServerKeyFileName
Syntax: ServerKeyFileName=ID_file Description: Specifies the server ID file to use on a machine that runs both the Notes workstation program and the Domino server program. Then, you edit the NOTES.INI KeyFileName setting to specify your user ID as the ID to use when you run the Notes workstation or API programs on the server machine. For more information, see the topic KeyFileName earlier in this chapter. Applies to: Servers Default: None UI equivalent: None
Server_Max_Concurrent_Trans
Syntax: Server_Max_Concurrent_Trans=number of transactions Description: Sets the limit for the number of concurrently scheduled transactions on a server. If you use this setting to set the maximum number of concurrent transactions on partitioned servers, Lotus recommends that the sum of the limits be 20 transactions or less. For example, if you are running four partitioned servers on a computer, you would set the limit for each partitioned server at five transactions. Applies to: Servers Default: None UI equivalent: None
Server_MaxSessions
Syntax: Server_MaxSessions=number of sessions Description: Specifies the maximum number of sessions that can run concurrently on the server. To prevent server overload, decrease this number if you set up multiple Replicators or Routers. Applies to: Servers Default: None UI equivalent: None, although you can specify this setting in the NOTES.INI Settings tab of the Configuration Settings document in the Domino Directory.
Server_MaxUsers
Syntax: Server_MaxUsers=number Description: Sets the maximum number of users that are allowed to access a server. When this number is reached, the server state becomes MAXUSERS, and the server stops accepting new Database Open requests. Use the following values to set this variable: 0 - Unlimited access to server by users number - Restricts number of active users to the number you specify
Applies to: Servers Default: None UI equivalent: None, although you can specify this setting in the NOTES.INI Settings tab of the Configuration Settings document in the Domino Directory.
ServerName
Syntax: ServerName=name Description: Specifies the full hierarchical name of the server. Applies to: Servers Default: None UI equivalent: The Server Name field in the Server document.
ServerNoReplRequests
Syntax: ServerNoReplRequests=value Description: Forces the server to refuse all replication requests from other servers. When this feature is enabled, to replicate with this server, the requesting server must perform pull-push replication: 0 - Accepts replication requests from other servers 1 - Refuses replication requests from other servers Applies to: Servers Default: None, although omitting this setting allows the server to accept replication requests. UI equivalent: None
ServerPullReplication
Syntax: ServerPullReplication=value Description: Specifies that all scheduled replication initiated from this server must be pull-push replication. This server will not replicate back to the other server: 0 - Scheduled replication occurs normally (push-pull replication is not forced) 1 - This server pulls changes from other servers, but other servers cannot pull changes from this server This setting affects only scheduled replication. For example, to reduce the workload on a hub server, specify 1 for the ServerPullReplication setting on all spoke servers in a hub-and-spoke system. Applies to: Servers Default: None, although omitting this setting allows for normally scheduled replication. UI equivalent: None, although you can specify this setting in the NOTES.INI Settings tab of the Configuration Settings document in the Domino Directory.
ServerPushReplication
Syntax: ServerPushReplication=value Description: Specifies that all scheduled replication initiated from this server must be push-pull replication. This server does not request that the other server replicate back. 0 - Scheduled replication occurs normally (push-pull replication is not forced) 1 - Other servers pull changes from this server, but this server cannot pull changes from other servers Applies to: Servers Default: None, although omitting this setting allows for normally scheduled replication. UI equivalent: None
Server_Restart_Delay
Syntax: Server_Restart_Delay=number of seconds Description: Specifies the amount of time (in seconds) the server waits before restarting with the restart server console command. Applies to: Servers Default: None, although by default, Domino waits 10 seconds. UI equivalent: None
Server_Restricted
Syntax: Server_Restricted=value Description: Enables or disables server access to a server. If access is disabled, the server does not accept new Open Database requests. Use the following values to set this variable: 0 - Server access is unrestricted 1 - Server access is restricted for the current server session. Restarting the server clears the setting. 2 - Server access is restricted persistently, even after server restarts Applies to: Servers Default: None UI equivalent: None, although you can specify this setting in the NOTES.INI Settings tab of the Configuration Settings document in the Domino Directory.
Server_Session_Timeout
Syntax: Server_Session_Timeout=number of minutes Description: Specifies the number of minutes of inactivity after which the server automatically terminates network and mobile connections. The minimum recommended setting is 30-45 minutes. A lower setting may negatively impact server performance. The ideal setting depends on factors such as server load and the number of concurrent users on the server.
For mobile connections, XPC has its own internal time-out. If the XPC time-out value is shorter than the Server_Session_Timeout value, the XPC time-out takes precedence. Applies to: Servers Default: No default entry, but in the absence of the setting, Domino terminates a session connection after 240 minutes of inactivity (four hours). UI equivalent: None, although you can specify this setting in the NOTES.INI Settings tab of the Configuration Settings document in the Domino Directory.
Server_Show_Performance
Syntax: Server_Show_Performance=value Description: Specifies whether or not server performance events are displayed on the console. 1 - Displays server performance events on console Applies to: Servers Default: None UI equivalent: None, although you can specify this setting in the NOTES.INI Settings tab of the Configuration Settings document in the Domino Directory.
ServerTasks
Syntax: ServerTasks=name(s) Description: Specifies the tasks that begin automatically at server startup and continue until the server is shut down. For example:
ServerTasks=Replica, Router, Update, Stats, AMgr, Adminp, Sched, CalConn, Event, Collect, MTC, RunJava ISpy
With this setting, the server runs the Replicator, Router, Indexer, Stats, Agent Manager, Administration Process, Schedule Manager, Calendar Connector, Event, Collector, Mail Tracker Collector, and Mail Probe server tasks. Each task increases the server's load and may adversely affect server performance. Note that RunJava ISpy is case sensitive and must be specified exactly as shown.
Applies to: Servers Default: Replica, Router, Update, Stats, AMgr, Adminp, Sched, CalConn, Billing UI equivalent: None
ServerTasksAthour
Syntax: ServerTasksAthour=name(s) Description: Schedules automatic server and database maintenance functions. Enter the time in 24-hour format, where 0 is 12 AM (midnight) and 23 is 11 PM. For example:
ServerTasksAt3=Catalog
ServerTasksAt7=Updall
ServerTasksAt16=Catalog, Updall, Statlog
At 3 AM, the server runs the Catalog task. At 7 AM, the server runs the Updall task. At 4 PM, the server runs the Catalog, Updall, and Statistics tasks. Applies to: Servers Default:
ServerTasksAt1=Catalog, Design
ServerTasksAt2=Updall, Object Collect mailobj.nsf
ServerTasksAt3=Object Info -Full
ServerTasksAt5=Statlog
UI equivalent: None
Setup
Syntax: Setup=revision number Description: Identifies the version number of the software. The setting is used by the Install program to determine whether or not to run the Setup program. This variable also provides an upgrade audit. Applies to: Servers and workstations Default: None UI equivalent: None
SetupDB
Syntax: SetupDB=setupweb.nsf Description: Identifies the setup database for HTTP server setup mode. This must always be setupweb.nsf. When this is included in NOTES.INI, the administrator can start the server in HTTP server setup mode by including the argument HTTPSetup when starting the server. If this variable is missing, the server will not enter HTTP server setup mode. Applies to: Servers Default: None UI equivalent: None
SetupServerAddress
Syntax: SetupServerAddress=address Description: Identifies the address of the setup server. This can be either a DNS name or a telephone number (XPC or DUN) to connect to the server. SetupServerAddress, together with SetupServerName, instructs the Notes setup program to obtain setup information from the specified server. If either variable is missing from NOTES.INI, the setup program prompts the user for setup information. Applies to: Workstations Default: None UI equivalent: None
SetupServerName
Syntax: SetupServerName=name Description: Identifies the name of the setup server. SetupServerName, together with SetupServerAddress, instructs the Notes setup program to obtain setup information from the specified server. If either variable is missing from NOTES.INI, the setup program prompts the user for setup information. Applies to: Workstations Default: None UI equivalent: None
Shared_Mail
Syntax: Shared_Mail=value Description: Specifies whether the shared mail feature is used for new mail delivered to this server: 0 - The shared mail feature is not used for new mail 1 - The shared mail feature is used for new mail delivered to this server 2 - The shared mail feature is used for new mail delivered to this server and for new mail transferred through this server Applies to: Servers Default: 0 (shared mail not used) UI equivalent: None, although you can specify this setting in the NOTES.INI Settings tab of the Configuration Settings document in the Domino Directory.
SMIME_Strong_Algorithm
Syntax: SMIME_Strong_Algorithm=value Description: Specifies the encryption method for encrypting MIME messages to recipients whose public keys are longer than 512 bits, but do not have the special strong encryption flag in their certificates. Possible values are: RC2_40 RC2_56 RC2_64 RC2_80 RC2_128 RC5_5 RC5_7 RC5_10 RC5_16 DES 3DES
SMIME_Weak_Algorithm
Syntax: SMIME_Weak_Algorithm=value Description: Specifies the encryption method for encrypting MIME messages to recipients whose public keys are shorter than 512 bits. Possible values are: RC2_40 RC2_56 RC2_64 RC2_80 RC2_128 RC5_5 RC5_7 RC5_10 RC5_16 DES 3DES Applies to: Workstations Default: None UI equivalent: None
SMTPAllHostsExternal
Syntax: SMTPAllHostsExternal=value Description: Use this setting to determine whether all hosts should be subject to the anti-spam controls specified for the server. 0 - Exempts internal hosts from anti-spam controls. 1 - Internal hosts included for anti-spam controls.
Applies to: Servers Default: In the absence of the setting, any internal hosts would be exempt from the controls. UI equivalent: In the server's Configuration Settings document, first click the Router/SMTP tab, then the Restrictions and Controls tab, and finally the SMTP Inbound Controls tab. In the Inbound Relay Enforcement section's "Perform Anti-Relay enforcement for these connecting hosts" field, select All connecting hosts or External hosts.
SMTP_Config_Update_Interval
Syntax: SMTP_Config_Update_Interval=number of minutes Description: Determines how often (in minutes) Domino checks to determine whether the user has updated SMTP configuration information. You can change Configuration documents while servers are running. For the change to take effect, the server must periodically check the Configuration document for changes. If the server discovers a change, it rereads all settings. This setting lets you change the server's checking interval. A shorter time results in slightly higher overhead for checking, but changes are noticed more quickly. Applies to: Servers Default: 2 UI equivalent: None
SMTPDebug
Syntax: SMTPDebug=value Description: Controls the level of console logging performed by the SMTP task. 0 - No logging 1 - Log errors 2 - Log Protocol commands Applies to: Servers Default: 0 UI equivalent: None
SMTPDebugIO
Syntax: SMTPDebugIO=value Description: Enables the logging of all data received by the SMTP task: 0 - No logging 3 - Logs all data received by the SMTP task Caution: Use SMTPDebugIO only when necessary and disable it again as soon as possible. It can cause the log file to grow very large, and logs the contents of received messages. Applies to: Servers Default: 0 UI equivalent: None
SMTPExpandDNSBLStats
Syntax: SMTPExpandDNSBLStats=value Description: Use this setting to generate DNS blacklist filter statistics for each connecting host found in a DNS blacklist site. 0 - Host-specific DNS blacklist filter statistics are not generated by the SMTP server. 1 - SMTP server generates host-specific DNS blacklist filter statistics which indicate the total number of hits per DNSBL site, per connecting host's IP address. Applies to: Servers Default: In the absence of this setting, the SMTP task maintains statistics that track the total number of connecting hosts that were found on the combined DNSBL of all sites, as well as how many were found on the DNSBL of each configured site. UI equivalent: None
SMTPGreeting
Syntax: SMTPGreeting=string Description: Specifies a text message sent to SMTP clients when they connect to the SMTP server. The message must contain the string %s which is replaced by the current date/time when the connection is made. Applies to: Servers Default: host-name ESMTP Service (Lotus Domino build-name) ready at %s UI equivalent: None
SMTPNotesPort
Syntax: SMTPNotesPort=port name Description: Specifies the port for the SMTP service, where port name is the name of the Domino port for TCP/IP. This is required for partitioned servers, and single servers that have more than one TCP/IP port. Applies to: Servers Default: None UI equivalent: None. For information on binding an Internet service to an IP address, see the chapter Setting Up the Domino Network.
SMTPNoVersionInRcvdHdr
Syntax: SMTPNoVersionInRcvdHdr=port name Description: Use this setting to prevent Domino server product information from being disclosed in SMTP Received headers. 0 - Domino-generated SMTP Received header will contain Domino server product information, which includes the server version. 1 - Domino-generated SMTP Received header will not contain Domino server product information. Applies to: Servers Default: In the absence of this setting, Received headers added by the Domino server will include product information such as the server version. UI equivalent: None
SMTPMaxForRecipients
Syntax: SMTPMaxForRecipients=number of addresses Description: Determines how many addresses can be added when the SMTP task adds received headers to messages received. Applies to: Servers Default: 0 UI equivalent: None
SMTPMTA_Space_Repl_Char
Syntax: SMTPMTA_Space_Repl_Char=character Description: Specifies the character the SMTP MTA uses to replace spaces in names. Choices are underline (_) or period (.). The following restrictions apply to using periods as replacement characters: User names in the Domino Directory cannot contain periods. For example, John R. Doe is not valid. You cannot use periods as the domain name separator if you configure Domino domains to appear to the left of the @ sign in mail addresses. If you do, a user name with periods replacing spaces can be confused with domain names separated by periods.
SMTPRelayAllowHostsandDomains
Syntax: SMTPRelayAllowHostsandDomains=value Description: Forces servers to abide by Domino 5 rules to resolve conflicts between Allow and Deny list entries in the SMTP inbound relay controls. 0 - Entries in the Allow field of the SMTP inbound relay controls take precedence over entries in the Deny fields when there is a conflict between them. For example, given the following entries:
Field: Deny messages to be sent to the following external Internet domains. Entry: xyz.com
Field: Allow messages only from the following Internet hosts to be sent to external Internet domains. Entry: relay.abc.com
the host relay.abc.com can always relay to any destination, including destinations in the domain xyz.com. 1 - Entries in the Deny fields of the SMTP inbound relay controls take precedence over entries in the Allow fields in the event of a conflict. Using the preceding example, if you deny relays to xyz.com, the host relay.abc.com cannot relay to the denied domain. Applies to: Servers Default: 0 UI equivalent: None
SMTPSaveImportErrors
Syntax: SMTPSaveImportErrors=value Description: Specifies whether mail message import errors are recorded, as follows: 0 - No messages are recorded. 1 - When an arriving message fails to be written as a note in MAIL.BOX, Domino writes the data stream to a temporary directory, and logs the name of the file. 2 - All arriving messages have their data streams written to the temporary directory.
Note: This feature can use a great deal of disk space because the saved messages continue to accumulate until you delete them. Also, the content of the messages is accessible to anyone with the privileges to read files in the temporary directory. Applies to: Servers Default: 0 UI equivalent: None
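Three SMTP settings in this part of the reference affect what the server writes to disk or discloses to peers: SMTPDebugIO, SMTPNoVersionInRcvdHdr and SMTPSaveImportErrors. The following Python check is an added example, not part of the Domino documentation; it reads NOTES.INI text, applies the documented behavior when a setting is absent, and reports values that expose message content or version information. The sample file is constructed, and treating setting names as case-insensitive is an assumption of this example.

```python
"""Audit three SMTP settings from this reference for data exposure (added example)."""

# Constructed sample NOTES.INI content, not taken from a real server.
SAMPLE_INI = """[Notes]
ServerTasks=Replica,Router,Update,SMTP
SMTPDebugIO=3
SMTPSaveImportErrors=2
SMTPGreeting=mail ESMTP ready at %s
"""

# Per setting: the behavior when the setting is absent, the values this
# reference documents, and the values that expose data (with the stated reason).
CHECKS = {
    "SMTPDebugIO": {
        "absent": "0",
        "documented": {"0", "3"},
        "exposes": {
            "3": "logs all data received by the SMTP task, including message contents",
        },
    },
    "SMTPSaveImportErrors": {
        "absent": "0",
        "documented": {"0", "1", "2"},
        "exposes": {
            "1": "writes messages that fail import to the temporary directory",
            "2": "writes every arriving message to the temporary directory",
        },
    },
    "SMTPNoVersionInRcvdHdr": {
        "absent": "0",
        "documented": {"0", "1"},
        "exposes": {
            "0": "Received headers disclose Domino product and version information",
        },
    },
}


def parse_notes_ini(text):
    """Return {lowercased setting name: value}; skips section headers and
    lines without '='. Case-insensitive matching is an assumption."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if "=" not in line or line.startswith("["):
            continue
        name, _, value = line.partition("=")
        settings[name.strip().lower()] = value.strip()
    return settings


def audit(text):
    """Return a list of (setting, effective value, finding) tuples."""
    settings = parse_notes_ini(text)
    findings = []
    for name, rule in CHECKS.items():
        explicit = name.lower() in settings
        value = settings.get(name.lower(), rule["absent"])
        if value not in rule["documented"]:
            findings.append((name, value, "value is not documented; review manually"))
        elif value in rule["exposes"]:
            source = "set explicitly" if explicit else "setting absent"
            findings.append((name, value, f"{rule['exposes'][value]} ({source})"))
    return findings


if __name__ == "__main__":
    for setting, value, finding in audit(SAMPLE_INI):
        print(f"{setting}={value}: {finding}")
```
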
SMTPStrict821AddressSyntax
Syntax: SMTPStrict821AddressSyntax=value Description: Specifies whether the SMTP task requires addresses that appear in MAIL FROM commands or RCPT TO commands be properly formed according to the 821 standard (must contain <>): 0 - Does not enforce 821 standard 1 - Enforces 821 standard Applies to: Servers Default: 0 UI equivalent: None
SMTPStrict821LineSyntax
Syntax: SMTPStrict821LineSyntax=value Description: Specifies whether the SMTP task requires all protocol text be terminated by CRLF: 0 - 821 standard is not enforced (LF is accepted as a line terminator) 1 - 821 standard is enforced Applies to: Servers Default: 0 UI equivalent: None
SMTPTimeoutMultiplier
Syntax: SMTPTimeoutMultiplier=value Description: Multiplies the SMTP time-out wait value by the specified number. Each SMTP protocol exchange has a time-out wait value. If the client does not respond within the time-out period, the connection is broken. You can increase the time-out period by specifying a multiplier value. For example, a value of 2 doubles all time-out periods. Applies to: Servers Default: 1 UI equivalent: None
SSLCipherSpec
Syntax: SSLCipherSpec=value1value2value3... Description: (SSL users only) Determines which SSL-compliant cipher to use to encrypt files on the server. Specification numbers correspond to the following ciphers:
Cipher specification value - Cipher
01 - SSL_RSA_WITH_NULL_MD5
02 - SSL_RSA_WITH_NULL_SHA
03 - SSL_RSA_EXPORT_WITH_RC4_40_MD5
04 - SSL_RSA_WITH_RC4_128_MD5
05 - SSL_RSA_WITH_RC4_128_SHA
06 - SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5
09 - SSL_RSA_WITH_DES_CBC_SHA
0A - SSL_RSA_WITH_3DES_EDE_CBC_SHA
0B - SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
0C - SSL_DH_anon_WITH_RC4_128_MD5
0D - SSL_DH_anon_WITH_DES_CBC_SHA
To enter multiple ciphers, enter each cipher specification value, including leading zeros. Do not include spaces between values. For example:
SSLCipherSpec=01020A
Note: Specifying a 128-bit cipher for a server with an international license has no effect.
Applies to: Servers Default: None UI equivalent: SSL ciphers field for each Internet protocol in the Ports - Internet Ports tab of the Server document. The settings in this field are overridden by the SSLCipherSpec NOTES.INI setting.
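Because SSLCipherSpec overrides the Server document, it is worth decoding the value when reviewing a server's NOTES.INI. The following Python sketch is an added example, not part of the Domino documentation: it splits a value into two-character codes, maps them with the table from this section, and flags suites whose names indicate no encryption, export-grade keys, anonymous key exchange or single DES. The function names and the weakness rules are assumptions of this example.

```python
"""Decode a Domino SSLCipherSpec value and flag weak suites (added example)."""

# Value-to-cipher mapping copied from the table in this section.
CIPHERS = {
    "01": "SSL_RSA_WITH_NULL_MD5",
    "02": "SSL_RSA_WITH_NULL_SHA",
    "03": "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
    "04": "SSL_RSA_WITH_RC4_128_MD5",
    "05": "SSL_RSA_WITH_RC4_128_SHA",
    "06": "SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    "09": "SSL_RSA_WITH_DES_CBC_SHA",
    "0A": "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "0B": "SSL_DH_anon_WITH_3DES_EDE_CBC_SHA",
    "0C": "SSL_DH_anon_WITH_RC4_128_MD5",
    "0D": "SSL_DH_anon_WITH_DES_CBC_SHA",
}

# Weakness rules keyed on substrings of the suite name (example's own rules).
RULES = [
    ("_NULL_", "no encryption: traffic is sent in the clear"),
    ("_EXPORT_", "export-grade 40-bit key"),
    ("_DH_anon_", "anonymous key exchange: the server is not authenticated"),
    ("_WITH_DES_CBC_", "single DES with a 56-bit key"),
]


def decode(spec):
    """Return (known, problems) for an SSLCipherSpec value.

    known    -- list of (code, cipher name) in the order given
    problems -- list of strings describing malformed or unlisted codes
    """
    value = spec.strip().upper()
    problems = []
    if " " in value:
        problems.append("value contains spaces; the reference forbids them")
        value = value.replace(" ", "")
    if len(value) % 2:
        problems.append("odd number of characters; a leading zero may be missing")
    known = []
    for i in range(0, len(value) - len(value) % 2, 2):
        code = value[i:i + 2]
        name = CIPHERS.get(code)
        if name:
            known.append((code, name))
        else:
            problems.append(f"code {code} is not in the documented table")
    return known, problems


def weak(spec):
    """Return a list of (code, cipher name, [reasons]) for flagged suites."""
    known, _ = decode(spec)
    findings = []
    for code, name in known:
        reasons = [why for marker, why in RULES if marker in name]
        if reasons:
            findings.append((code, name, reasons))
    return findings


if __name__ == "__main__":
    spec = "01020A"  # the example value used in this section
    known, problems = decode(spec)
    print("enabled:", [name for _, name in known])
    print("problems:", problems)
    for code, name, reasons in weak(spec):
        print(f"weak {code} {name}: {'; '.join(reasons)}")
```

Run against the section's own example value, SSLCipherSpec=01020A, this reports that codes 01 and 02 select NULL suites, which negotiate no encryption; only 0A in that value encrypts traffic.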
SSL_Resumable_Sessions
Syntax: SSL_Resumable_Sessions=number of sessions cached Description: Specifies the number of resumable SSL sessions that will be cached on the server. Setting this variable to 1 disables SSL session resumption on the server. Applies to: Servers Default: 50 UI equivalent: None
SSL_Trace_KeyFileRead
Syntax: SSL_Trace_KeyFileRead=value Description: Enables viewing of information on the current keyring in use on a Domino server. To enable viewing, set SSL_Trace_KeyFileRead to a value of 1. This enables viewing of protocols other than HTTP to see if there is a valid keyring file present in the server's Server document or Internet site documents from the server console. Applies to: Servers Default: None UI equivalent: None
SwapPath
Syntax: SwapPath=location Description: Specifies the location of the server's swap file. If this setting exists in the NOTES.INI file, the Reporter or Collector server task uses this location for the Server.Path.Swap statistic. Applies to: Servers
Default: None UI equivalent: None, although you can specify this setting in the NOTES.INI Settings tab of the Configuration Settings document in the Domino Directory.
TCP_EnableIPV6
Syntax: TCP_EnableIPV6=value Description: Use this setting to enable Domino for IPv6. 0 - disables the feature 1 - enables the feature Applies to: Servers Default: None, but in the absence of the setting, IPV6 is disabled. UI equivalent: None
TCP/IPportname_PortMappingNN
Syntax: TCP/IPportname_PortMappingNN=CN=servername/O=organization,IPaddress:TCP/IP portnumber Description: Specifies the TCP/IP port number of each partitioned server sharing the IP address of the port mapping server. TCP/IPportname is the name of the TCP/IP port which is specified in the NOTES.INI file by the setting Ports=TCPIP. This entry is only valid in the NOTES.INI file of the port mapper server. NN is any number from 00, 01, 02, and so on to 99; only 00 to 04 are currently supported. Numbers must be assigned in ascending order, because an invalid break in the number sequence causes subsequent entries in the NOTES.INI file to be ignored. For example:
TCP/IPportname_PortMapping00=CN=Server1/O=ACME,192.94.222.169:13520
TCP/IPportname_PortMapping01=CN=Server2/O=ACME,192.94.222.169:13521
TCP/IPportname_PortMapping02=CN=Server3/O=ACME,192.94.222.169:13522
The last number is the port number assigned to each partitioned server. This number must be an available number as specified in Assigned Numbers RFC 1340.
UI equivalent: None
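A break in the PortMappingNN numbering silently drops every later entry, so it is useful to check the sequence before restarting the port mapper server. The following Python validator is an added example, not part of the Domino documentation; it assumes the port name TCPIP (from Ports=TCPIP), uses a constructed sample file, and models only the numbering, range and shared-address rules stated in this entry, plus a duplicate-port check that is this example's own inference.

```python
"""Validate TCP/IPportname_PortMappingNN entries in NOTES.INI (added example)."""
import re

# Constructed sample: PortMapping02 is missing, so 03 follows a break.
SAMPLE_INI = """[Notes]
Ports=TCPIP
TCPIP_PortMapping00=CN=Server1/O=ACME,192.94.222.169:13520
TCPIP_PortMapping01=CN=Server2/O=ACME,192.94.222.169:13521
TCPIP_PortMapping03=CN=Server3/O=ACME,192.94.222.169:13522
"""

# portname_PortMappingNN=CN=server/O=org,IPaddress:port
ENTRY = re.compile(
    r"^(?P<port>\w+?)_PortMapping(?P<nn>\d{2})="
    r"(?P<server>.+),(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<tcp>\d+)$",
    re.IGNORECASE,
)


def check_port_mappings(ini_text, port_name="TCPIP"):
    """Return {'effective': [NN], 'ignored': [NN], 'warnings': [str]}."""
    entries, warnings = {}, []
    for raw in ini_text.splitlines():
        m = ENTRY.match(raw.strip())
        if not m or m["port"].lower() != port_name.lower():
            continue
        nn = int(m["nn"])
        if nn in entries:
            warnings.append(f"PortMapping{nn:02d} is defined more than once")
        entries[nn] = {"server": m["server"], "ip": m["ip"], "tcp": int(m["tcp"])}

    # Entries count only while the numbering runs 00, 01, 02, ... unbroken.
    effective, ignored, expected = [], [], 0
    for nn in sorted(entries):
        if nn == expected:
            effective.append(nn)
            expected += 1
        else:
            ignored.append(nn)
    if ignored:
        dropped = ", ".join(f"{n:02d}" for n in ignored)
        warnings.append(
            f"numbering breaks at PortMapping{expected:02d}; ignored entries: {dropped}"
        )

    # The reference states that only 00 to 04 are currently supported.
    for nn in effective:
        if nn > 4:
            warnings.append(f"PortMapping{nn:02d} is outside the supported range 00 to 04")

    # Partitioned servers share one IP address, so each needs its own TCP port
    # (the duplicate check is this example's inference from that statement).
    tcp_ports = [entries[n]["tcp"] for n in effective]
    for port in sorted({p for p in tcp_ports if tcp_ports.count(p) > 1}):
        warnings.append(f"TCP port {port} is assigned to more than one partitioned server")
    if len({entries[n]["ip"] for n in effective}) > 1:
        warnings.append("entries use different IP addresses; port mapping shares one address")

    return {"effective": effective, "ignored": ignored, "warnings": warnings}


if __name__ == "__main__":
    result = check_port_mappings(SAMPLE_INI)
    print("effective:", [f"{n:02d}" for n in result["effective"]])
    print("ignored:  ", [f"{n:02d}" for n in result["ignored"]])
    for warning in result["warnings"]:
        print("warning:", warning)
```
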
TCP/IPportname_TCPIPAddress
Syntax: TCP/IPportname_TCPIPAddress=0,IPaddress:TCP/IP portnumber Description: Defines the IP address and port number for a Domino server. TCP/IPportname is the name of the TCP/IP port which is specified in the NOTES.INI file by the setting Ports=TCPIP. For example: TCP/IPportname_TCPIPAddress=0,192.94.222.169:1352 Applies to: Servers Default: None UI equivalent: None
Temp_Index_Max_Doc
Syntax: Temp_Index_Max_Doc=number of entries Description: Specifies the maximum number of results (up to 2147483647) that can be retrieved at one time, by an agent running on a server, on a database without any index. For example, specifying Temp_Index_Max_Doc=10000 allows a single NotesDatabase or NotesDocumentCollection FTSearch running on a server to return up to 10000 entries. To use the Temp_Index_Max_Doc setting for an agent running on a server, you must also use the FT_Max_Search_Results setting and specify the same value, for example FT_Max_Search_Results=10000. For information on the FT_Max_Search_Results setting, see the topic FT_Max_Search_Results earlier in this chapter. Applies to: Servers Default: 5000 UI equivalent: None
TimeZone
Syntax: TimeZone=value Description: Specifies the time zone for a server or workstation. Time zones begin at Greenwich, England (0 = Greenwich Mean Time) and move westward around the world. The time zones can be 15, 30, 45, or 60 minutes apart (not all zones are an hour apart). For example, TimeZone=8 specifies Pacific Standard Time and TimeZone=0 specifies Greenwich Mean Time. Applies to: Servers and workstations Default: Defined during the workstation or server Setup procedure. UI equivalent: On a workstation, the Local time zone field in the Location document; on a server, the Local time zone field in the Server document.
Topology_WorkInterval
Syntax: Topology_WorkInterval=number of hours Description: Use this setting to specify how often the Maps server add-in task updates the topology map data in the Domino Directory. Once set, it will refresh n hours after the maps add-in program is started, and every n hours after that. Note: You should not use the setting to refresh too frequently, because the map data is stored in your Domino Directory and updates are replicated throughout the domain. Applies to: Servers Default: None, however the Topology maps task normally refreshes topology information once a day, every night at 2 AM. UI equivalent: None
TransLog_MaxSize
Syntax: TransLog_MaxSize=number of megabytes Description: The maximum size, in MB, for the transaction log. A value of at least 192 MB is recommended. If you don't specify a value, the system determines a log size approximately three times the size of the server's RAM. Applies to: Servers Default: None UI equivalent: Maximum log space field in the Transactional Logging tab of the Server document.
TransLog_Path
Syntax: TransLog_Path=path Description: Specifies the path to the transaction log. The default location is \logdir in the server's data directory. However, it is strongly recommended to store the transaction log on a separate mirrored device, such as a RAID level 0 or 1 device with a dedicated controller. If you change this field and have an existing transaction log, you must use the operating system to move all the log files to the new log path. Applies to: Servers Default: logdir in the server's data directory, for example c:\data\logdir UI equivalent: Log path field in the Transactional Logging tab of the Server document.
TransLog_Performance
Syntax: TransLog_Performance=value Description: Specifies the trade-off between transactional log runtime and restart recovery time, as follows: 1 - Favor runtime. The system stores more database changes in memory and writes fewer changes to the transaction log. Fewer writes to disk improves server runtime. 2 - Standard (default)
3 - Favor restart recovery time. The system stores fewer database changes in memory and writes more changes to the transaction log. More writes to the transaction log improves restart recovery time. Applies to: Servers Default: 2 UI equivalent: Runtime/Restart performance field in the Transactional Logging tab of the Server document.
TransLog_Status
Syntax: TransLog_Status=value Description: Enables transaction logging for all Domino 5 databases on the server, as follows: 0 - Transactional logging disabled 1 - Transactional logging enabled You must upgrade databases to Domino 5 format before they can use transaction logging. Applies to: Servers Default: 0 UI equivalent: Transactional logging field in the Transactional Logging tab of the Server document.
TransLog_Style
Syntax: TransLog_Style=value Description: Specifies the type of transaction logging. Options are as follows: 0 - Circular (default). The system continuously reuses the extent log files, overwriting old transactions. 1 - Archive. The system does not reuse extent log files and allows you to use a backup utility to archive log files. This is recommended. Applies to: Servers Default: 0 UI equivalent: Logging style field in the Transactional Logging tab of the Server document.
TransLog_UseAll
Syntax: TransLog_UseAll=value Description: Specifies whether or not to use all available disk space on the log device, as follows: 0 - The system uses the default or specified value in TransLog_MaxSize 1 - Use all available space on the disk for the transaction log extent. This is recommended if you use a separate device dedicated to storing the extent. Applies to: Servers Default: 0 UI equivalent: Use all available space on log device field in the Transactional Logging tab of the Server document.
Update_No_BRP_Files
Syntax: Update_No_BRP_Files=value Description: Determines whether or not the Fixup task creates BRP files. When set to 1, the Fixup task will not create a BRP file when it encounters an error in a view index. Applies to: Servers Default: None UI equivalent: None
Update_No_Fulltext
Syntax: Update_No_Fulltext=value Description: Turns off full-text indexing on a server. 0 - Turns full-text indexing on 1 - Turns full-text indexing off Applies to: Servers Default: None, although if this setting is omitted, full-text indexing is on. UI equivalent: None, although you can specify this setting in the NOTES.INI Settings tab of the Configuration Settings document in the Domino Directory.
Updaters
Syntax: Updaters=number of tasks Description: Specifies the number of Update server tasks that can run concurrently on the server. You must shut down and restart the server for this setting to take effect. Applies to: Servers Default: None, although if this setting is omitted, only a single Update task can run at a time. UI equivalent: None, although you can specify this setting in the NOTES.INI Settings tab of the Configuration Settings document in the Domino Directory.
Update_Suppression_Limit
Syntax: Update_Suppression_Limit=value Description: Overrides the NOTES.INI Update_Suppression_Time setting if a certain number of duplicate requests to update indexes and views are received. Applies to: Servers Default: None UI equivalent: None, although you can specify this setting in the NOTES.INI Settings tab of the Configuration Settings document in the Domino Directory.
Update_Suppression_Time
Syntax: Update_Suppression_Time=number of minutes Description: Specifies the delay time between full-text index and view updates, even if immediate indexing is scheduled as a server task. Applies to: Servers Default: 5 UI equivalent: None, although you can specify this setting in the NOTES.INI Settings tab of the Configuration Settings document in the Domino Directory.
UpgradeApps
Syntax: UpgradeApps=filename1, filename2, filename3... Description: Specifies custom upgrade applications for migrating users to Notes. Domino 5 includes four upgrade applications for migrating users to Notes, one each for cc:Mail, Windows NT, Exchange, and LDIF. In addition, you can use UpgradeApps to add one or more custom upgrade applications (DLL files) to the Registration dialog. Use commas to separate multiple names. Specified files must reside in the Notes program directory. UpgradeApps does not affect the upgrade applications that ship with Domino. Applies to: Servers Default: None UI equivalent: None
UseFontMapper
Syntax: UseFontMapper=value Description: Determines whether the font mapper is used to guess the closest mappings between the font face name in a CGM metafile and the currently installed fonts on a Notes workstation. 1 - Enables the font mapper 0 - Disables the font mapper Applies to: Servers and workstations Default: 1 UI equivalent: None
ViewExpnumber
Syntax: ViewExpnumber=value1, value2... Description: Specifies parameters to be used by file exports done at the view level.
Parameter: Enter
value1: Program name and file type
value2: The following append options: 0 - No append option offered; 1 - Append option offered through a dialog box; 2 - Automatically write to a temporary file to avoid the 64K limit
value3: Name of the export routine called
value4: Not currently used
value5 - x: File extensions to automatically select a file type in the File Export dialog box
ViewImpnumber
Syntax: ViewImpnumber=value1, value2... Description: Specifies parameters to be used by file imports done at the view level.
Parameter: Enter
value1: Program name and version
value2: Not used, always 0
value3: Name of the import routine called
value4: Not currently used
value5 - x: File extensions to automatically select a file type in the File Import dialog box
View_Rebuild_Dir
Syntax: View_Rebuild_Dir=path Description: Specifies the directory where temporary files will be created for optimized view rebuilds. For example, to set the directory to my_view_rebuild_directory, enter the following line in the NOTES.INI file:
View_Rebuild_Dir=c:\my_view_rebuild_directory
Applies to: Servers Default: None, but in the absence of this setting, the system's temporary storage directory (specified by the TEMP or TMP environment variables) is used. UI equivalent: None
WebAuth_Verbose_Trace
Syntax: WebAuth_Verbose_Trace=value Description: Use this setting to troubleshoot problems with Web server user authentication and Web server group searches for database access verification. With the setting enabled, a Domino Web server records detailed information about specific Web user authentication sessions at the server console. Information includes authentication success or failure, group cache information used to verify Web users' membership in groups for database access control, and the search filters used to find user and group entries in an LDAP directory. 0 - Disabled 1 - Enabled Note: After you correct the problem, be sure to disable this feature (or remove the setting altogether), because it slows Web server performance. Applies to: Servers Default: None UI equivalent: None
WebSess_Verbose_Trace
Syntax: WebSess_Verbose_Trace=value Description: Use this setting to troubleshoot both single-server and multi-server (as in single sign-on) session-based authentication problems. When enabled, the setting allows a Domino Web server to record, at the server console, detailed information about specific Web session-based authentication sessions, such as unauthorized, unauthenticated, or session expiration information. 0 - Disabled 1 - Enabled Note: After you correct the problem, be sure to disable this feature (or remove the setting altogether), because it slows Web server performance. Applies to: Servers Default: None UI equivalent: None
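The following is an added example, not part of the IBM documentation: a Python check that reads NOTES.INI text and reports the two verbose trace settings left enabled, transaction-logging values that differ from what this reference recommends, and values outside the documented ranges. The function names and the sample file content are constructed; matching setting names case-insensitively and reporting duplicates instead of resolving them are assumptions.

```python
# Added example: audit NOTES.INI text against settings described in this reference.
# Assumptions: setting names are matched case-insensitively, and a setting that
# appears more than once with different values is reported rather than resolved.

# Documented values for the settings this check covers (from the entries above).
ALLOWED = {
    "translog_status": {"0", "1"},
    "translog_style": {"0", "1"},
    "translog_performance": {"1", "2", "3"},
    "translog_useall": {"0", "1"},
    "webauth_verbose_trace": {"0", "1"},
    "websess_verbose_trace": {"0", "1"},
}
# Documented defaults, used when a setting is absent from the file.
DEFAULTS = {"translog_status": "0", "translog_style": "0", "translog_useall": "0"}
TRACE_SETTINGS = ("webauth_verbose_trace", "websess_verbose_trace")

# Constructed sample input, not taken from a real server.
SAMPLE_INI = """\
[Notes]
TransLog_Status=1
TransLog_Style=0
TransLog_Performance=7
WebAuth_Verbose_Trace=1
WEBSESS_VERBOSE_TRACE=0
WebSess_Verbose_Trace=1
Updaters=2
"""


def parse_notes_ini(text):
    """Return {lowercased setting name: [values in file order]}."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if "=" not in line or line.startswith("["):
            continue  # skip the section header and anything that is not name=value
        name, _, value = line.partition("=")
        settings.setdefault(name.strip().lower(), []).append(value.strip())
    return settings


def audit(text):
    """Return a sorted list of (setting, finding) pairs."""
    settings = parse_notes_ini(text)
    findings = []

    for name, allowed in ALLOWED.items():
        values = settings.get(name, [])
        if len(set(values)) > 1:
            findings.append((name, "conflicting duplicate values: " + ", ".join(values)))
        for value in values:
            if value not in allowed:
                findings.append((name, "undocumented value: " + value))

    # Trace settings are for troubleshooting only; any occurrence set to 1 counts.
    for name in TRACE_SETTINGS:
        if "1" in settings.get(name, []):
            findings.append(
                (name, "verbose trace enabled; disable or remove after troubleshooting"))

    def effective(name):
        # Last listed value, or the documented default when the setting is absent.
        values = settings.get(name)
        return values[-1] if values else DEFAULTS[name]

    if effective("translog_status") == "1":
        if effective("translog_style") == "0":
            findings.append(("translog_style", "circular logging; archive (1) is recommended"))
    else:
        findings.append(("translog_status", "transactional logging disabled"))
    if effective("translog_useall") == "1":
        findings.append(
            ("translog_useall", "uses all disk space; confirm the log device is dedicated"))

    return sorted(findings)


if __name__ == "__main__":
    for setting, finding in audit(SAMPLE_INI):
        print(f"{setting}: {finding}")
```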
Window_Title
Syntax: Window_Title=text Description: Uses the specified text on the title bar. Applies to: Servers and workstations Default: None UI equivalent: None
WinInfoboxPos
Syntax: WinInfoboxPos=value1, value2 Description: Determines the position of the InfoBox. Applies to: Workstations Default: 85, 193 UI equivalent: None
WinSysFontnumber
Syntax: WinSysFontnumber=value1, value2, value3 Description: All CGM metafiles contain numeric font identifiers 1 through x, where x is the maximum number of fonts in an optional CGM font face name table. When the font mapper is disabled, these lines list the installed Windows system fonts to which the CGM font numbers are mapped. Applies to: Workstations Default: None UI equivalent: None
XPC_Console
Syntax: XPC_Console=value Description: Displays the XPC console, which shows modem input/output (if logged). 1 - Displays the console 0 - Hides the console Applies to: Servers and workstations Default: 0 UI equivalent: None
Template name: StdActivityTrends Database. Purpose: Records and reports statistics that portray the activity of users (clients) against the databases on the Domino server where this database resides.
Template title and file name: Administration Requests (6) ADMIN4.NTF. Template name: StdR4Admin Requests. Purpose: Tracks and records Administration Process requests and processes.
Template title and file name: Agent Log ALOG4.NTF. Template name: StdR4AgentLog. Purpose: Lists actions and errors that occur when a LotusScript program that uses the NotesLog class runs.
Template title and file name: Archive Log (6) ARCHLG50.NTF. Template name: StdR50ArchiveLog. Purpose: Logs information about all archived databases and contains information about the number of documents archived, the source database, and the archive database.
Template name: StdR4Billing. Purpose: Records and stores billing information about activity on a Domino server.
Bookmarks. Purpose: Opens a user's databases and links.
Template title and file name: Catalog (6) CATALOG6.NTF. Purpose: Records and stores information about the databases on a Domino server.
Template title and file name: Certificate Requests (6) CERTREQ.NTF. Template name: StdCertificate Requests. Purpose: Acts as a front-end to a single CA-process Internet certifier, implementing a Web-based UI for browser users to request client certificates for their browser or other internet client, and a Notes UI for creating server key rings for SSL-enabled Domino servers.
Purpose: Maintains records of certified Notes IDs in a Notes community.
Purpose: Generates reports about the cluster configuration to verify if the cluster was configured correctly; locates problems with the configuration.
Template title and file name: Cluster Directory (6) CLDBDIR4.NTF. Purpose: Records and stores information about databases in a server cluster.
Template title and file name: Database Analysis DBA4.NTF. Purpose: Stores the results of a single database analysis.
Template title and file name: Database Library DBLIB4.NTF. Template name: StdR4DatabaseLib. Purpose: Contains a list of public databases to which users can request access.
Template title and file name: Decommission Server Reports DECOMSRV.NTF. Template name: StdNotes Decommission Server. Purpose: Produces reports to help decommission one server and replace it with a server that is already set up.
Template title and file name: DECS Administrator Template DECSADM.NTF. Template name: DECS Administrator Template. Purpose: Configures real-time back-end connectivity between Domino and external systems when using the DECS (Domino Enterprise Connection Services) add-in task.
Template name: DesignSynopsis. Purpose: Stores the results from a design synopsis of a database.
Purpose: Helps to configure and build a directory catalog, which compresses user and group entries from one or more Domino Directories into a single database.
Template name: StdR50Disc. Purpose: Provides an electronic conference room for threaded discussions; includes built-in user profiles that allow automatic mailing of links to items of interest; allows for anonymous responses, archiving, and public/private threads.
Template title and file name: Doc Library - Notes & Web (R6) DOCLBW6.NTF. Template name: StdR50WebDocLib. Purpose: Provides document storage and allows for review workflow (serial and parallel) and archiving.
Template title and file name: DOLS Administration Template DOLADMIN.NTF. Template name: DOLS Admin 1.0. Purpose: Lets you configure any Domino application so that users can download the application for offline use.
Template title and file name: DOLS Resource Template DOLRES.NTF. Template name: DOLS Resource Template 1.0. Purpose: Lets you configure any Domino application so that users can download the application for offline use.
Template title and file name: Domino Administrator (6) DOMADMIN.NTF. Template name: StdAdminDatabase. Purpose: Contains some necessary user-interface elements for the Domino Administrator; do not change this system template.
Template title and file name: Domino Certificate Authority (6) CCA50.NTF. Template name: StdNotes50SSL Auth. Purpose: Sets up an internal certification authority for use with SSL.
Template title and file name: Domino Certificate Publication Requests (6) CERTPUB.NTF. Template name: StdCertPub Requests. Purpose: Lets you request publication of an SSL client certificate under an entry in the address book.
Template title and file name: Domino Change Control (6) DOMCHANGE.NTF. Template name: DominoChange Control. Purpose: Used by the Domino Change Manager process to manage and execute change control plans. It includes an approval cycle workflow and tight integration with the Administration Process.
Template title and file name: Domino Directory PUBNAMES.NTF. Purpose: Provides a repository that stores user, server, connection, and access control information.
Template title and file name: Domino Directory Cache (6) DBDIRMAN.NTF. Purpose: Contains cache times for each database in the server's data directory.
Template title and file name: Domino LDAP Schema (6) SCHEMA.NTF. Template name: StdDominoLDAP Schema. Purpose: Provides information about the attributes, object classes, and syntaxes supported by the Domino LDAP schema in a user-friendly format.
Template title and file name: Domino MailTracker Store (6) MTSTORE.NTF. Template name: MailTrackerStore. Purpose: Contains information (originators, recipients, arrival times, and status) about messages the server processes.
Template title and file name: Domino Web Administrator (6) WEBADMIN.NTF. Template name: StdWebAdmin Database. Purpose: Creates a database that allows administrators to use a browser to administer databases.
Template title and file name: Domino Web Server Configuration (6) DOMCFG.NTF. Template name: StdR5Domino WebServer Configuration. Purpose: Holds custom error pages for use with the Web server.
Template title and file name: Domino Web Server Log (6) DOMLOG.NTF. Template name: Domino Web Server Log Template. Purpose: Logs information about activities on a Domino Web server.
Template title and file name: Extended Mail (R6) MAIL6EX.NTF. Template name: ExtR6Mail. Purpose: Can be used to create a mail database either on a local computer or on a server. Mail databases created from this template are best used by Notes, Intranet, or Internet clients.
Template name: StdDominoHealth Monitor. Purpose: Contains the Health Reports generated by Server Health Monitoring. Domino configuration and performance is periodically evaluated and recorded as health reports and health statistics. Recommendations on how to correct poor server behavior are issued when appropriate. The configuration documents in this database can be used to customize the health evaluation.
Issued Certificates List. Purpose: A record of the certificates issued by a single certifier. Can be used by a CA Administrator to revoke certificates.
Template name: NotesDocCache. Purpose: Creates a user's local document cache database, which stores documents that the user opens and provides fast retrieval of documents previously opened.
Template title and file name: Local free time info BUSYTIME.NTF. Purpose: Manages time allotment for the calendar and scheduling features.
Template title and file name: Lotus SmartSuite Library (6) DOCLBS6.NTF. Purpose: Gives Notes users the ability to create and save documents using Lotus SmartSuite Word Pro, 1-2-3, Freelance, or Paintbrush, without leaving Notes.
Template name: StdMailJournaling. Purpose: Stores copies of messages that pass through the router. This is a system database; therefore, the messages are saved per server, not per user.
Template title and file name: Mail Router Mailbox (6) MAILBOX.NTF. Template name: StdNotesMailbox. Purpose: Stores mail from a user that is in route from one user to another user.
Template title and file name: Mail (IMAP) IMAPCL5.NTF. Template name: StdR50IMail. Purpose: Creates a proxy database that allows clients to interact using IMAP mail.
Template title and file name: Mail (R6) MAIL6.NTF. Template name: StdR56Mail. Purpose: Creates the standard mail databases used by Notes mail users.
Template title and file name: Message Tracking Reports (6) REPORTS.NTF. Purpose: Creates reports that measure mail message statistics or usage patterns.
Template title and file name: Microsoft Office Library (6) DOCLBM6.NTF. Purpose: Automatically loads and sizes the OLE object to the window; stores and supports review cycles of documents created with Microsoft Office products.
Template name: StdR5Events. Purpose: Stores configuration records for statistics reporting and monitoring tools and stores a listing of server messages.
Template title and file name: Monitoring Results (6) STATREP5.NTF. Template name: StdR5StatReport. Purpose: Records information about the activity on one or more Domino servers.
Template title and file name: News Articles (6) NNTPCL5.NTF. Template name: StdR60NNTP Client. Purpose: Creates databases on clients to interact with NNTP news sites.
Template title and file name: NNTP Cross-Post NNTPPOST.NTF. Template name: StdR46NNTP PostBox. Purpose: Stores and posts articles to multiple newsgroups at a scheduled interval.
Template title and file name: NNTP Discussion (6) NNTPDI50.NTF. Template name: StdR5.0NNTPDisc. Purpose: Creates newsgroup discussion databases that the NNTP server uses.
Template title and file name: Notes Log LOG.NTF. Template name: StdNotesLog. Purpose: Stores information about activities on a Domino server or a Notes workstation.
Template title and file name: Notes Log Analysis (6) LOGA4.NTF. Template name: StdR4LogAnalysis. Purpose: Creates a results database that contains one view, Log Events, that is categorized by server. Shows the date and time of events, the source (event or console message), and the text of messages. Does not display times for server console messages.
Template title and file name: NT/Migrating Users Passwords NTSYNC45.NTF. Template name: StdNotesNewUser Passwords. Purpose: Stores randomly generated passwords created when administrators register Notes users from Windows NT.
Purpose: Creates a client database that stores information about connecting to servers on a network or from a remote site. The database also maintains personal mailing lists.
Template title and file name: Personal Journal (R6) JOURNAL6.NTF. Template name: StdR4Journal. Purpose: Creates a personal journal database where users keep private documents.
Template title and file name: Personal Web Navigator (6) PERWEB50.NTF. Template name: StdR50Personal WebNavigator. Purpose: Creates a Personal Web Navigator database to access the Internet directly from a client.
Template title and file name: Phonebook (6) PHONEBOOK.NTF. Template name: StdPhonebook. Purpose: Provides information about the best local phone number to use to connect to a server from anywhere in the world.
Template title and file name: Policy Synopsis (6) POLCYSYN.NTF. Template name: StdPolicySynopsis. Purpose: Creates a result database for policy information generated by the Policy Synopsis tool.
Template title and file name: Resource Reservations (6) RESRC60.NTF. Template name: StdR60Resource Reservation. Purpose: Contains inventory and schedule information on meeting resources, such as conference rooms and equipment.
Template title and file name: Search Site (6) SRCHSITE.NTF. Template name: StdNotesSearchSite. Purpose: Creates a database used when performing text searches on a specified set of databases.
Template title and file name: Server Certificate Admin CSRV50.NTF. Template name: StdNotes50SSL Admin. Purpose: Requests server certificates from either a Domino or a third-party certificate authority (CA). Also stores CA certificates and manages server certificates.
Purpose: The server add-in program WEB.EXE uses this template to create the server navigator database that gives Notes users access to the Web. The database stores Internet documents before workstations retrieve them.
Server.Planner: Analyst. Purpose: Stores completed Server.Planner queries and stores results associated with those queries.
Template title and file name: Server.Planner: Decision Maker DSPD.NTF. Purpose: Stores information resulting from the Server.Planner Analyst Query, including recommended configuration(s).
Template title and file name: Server.Planner: Vendor DSPV.NTF. Purpose: Stores machine configuration information and stores performance results from NotesBench workloads.
Template title and file name: Smart Upgrade Kits (6) smupgrade.ntf. Purpose: Repository for Smart Upgrade kits within a Domino domain. The system administrator places Smart Upgrade kits into this database in order to make them available to clients. Lotus Notes 6 detects new Update kits and automatically upgrades itself.
Template name: StdNotesHeadlines 5.0. Purpose: Allows users to subscribe to various databases or Web sites and receive updates on them.
Template name: StdR6TeamRoom. Purpose: Creates structured, limited timeframe discussion databases; useful for short-term projects or team-oriented activity that requires a special format.
Template name: StdUser RegistrationQueue. Purpose: Creates the User Registration Queue database that stores information on Notes users pending registration.
If a default form to which you want to add fields does not have a corresponding $xxxExtensibleSchema subform, insert the subform you create directly into the form. In this case, you must insert the subform into the form again after you upgrade to a new version of the default Domino Directory template. When you insert a new subform directly into a default form, choose the Design property "Prohibit design refresh or replace to modify." You can also use an $xxxExtensibleSchema subform as part of defining a new LDAP auxiliary object class in the LDAP schema.
Default forms
Do not change the names of the forms that come with the Domino Directory. You can add aliases, which are duplicate names. An alias appears in the Form Properties box to the right of the form name and is preceded by a vertical bar. It's best to add a new alias rather than edit an existing one. By doing so, programs that use the existing alias continue to work properly. If you add or edit an alias, when you upgrade to a new version of the default Domino Directory template, you must re-create your customizations.
To hide a section of an existing form, select the section in the form, choose Text - Text Properties, click the Hide tab (the fifth tab from the left) and select appropriate hide options. If you later upgrade your company's Domino Directory with a new version of the default Domino Directory template, you must repeat this step. If you hide a section of an existing form, select the form, choose Design - Design Properties, click the Design tab, and make sure "Prohibit design refresh or replace to modify" is selected.
New forms
You can create new forms. If you want documents created from the forms to be LDAP-accessible, you must follow a specific procedure to create the forms. For more information, see the topic "Using the Domino Directory to extend the LDAP schema" later in the chapter.
Database icon
You can change the icon.
New LDAP schema elements
To add schema elements to the Domino LDAP schema, you can create forms and subforms in the Domino Directory. However, the recommended way to extend the schema is to use the Domino LDAP Schema database (SCHEMA.NSF). The Schema database provides an easy-to-use interface for extending the schema, has built-in error-checking that ensures valid schema elements, simplifies the creation of complex object class structures, and offers other advantages as well. The only reason to use the Domino Directory to extend the schema is if Notes or Web users require access to entries associated with the new schema elements through documents in the directory. If only LDAP access to entries created from the new schema elements is required, use the Domino LDAP Schema database to extend the schema.
For information on using the Domino Directory to extend the schema, see the topic "Using the Domino Directory to extend the schema" later in this chapter. For more information on the LDAP schema and on using the Schema database to extend the schema, see the chapter "Managing the LDAP Schema."
To extend the LDAP schema using the Domino Directory, you can add a new LDAP structural object class by creating a form and related subforms, create a new LDAP auxiliary object class by creating a subform, and define LDAP attributes for a new object class by creating fields.
template. Where Acme appears, substitute a name that relates to your company.
1. Choose File - Database - New.
2. Select a server to store the new template.
3. In the Title field, enter:
Acme's Domino Directory
5. Click Template Server and select a server that stores the default Domino Directory template (PUBNAMES.NTF).
6. Click "Show advanced templates."
7. Choose Domino Directory (PUBNAMES.NTF) from the list of templates.
8. Ensure that the "Inherit future design changes" field is checked. Then when a new version of the default Domino Directory template becomes available, ACMENAMES.NTF will inherit the design changes.
9. Click OK. Acme's Domino Directory template is now open.
10. Choose File - Database - Properties, and then click the Design tab (fourth tab from the left).
11. Choose "Database file is a master template," and then in the "Template name" field, enter the template name:
StdAcmeDominoDirectory
For more information on designing views, see the book Application Development with Domino Designer.
To make minimal changes directly to the view
1. Make sure that you are working in a copy of the default Domino Directory template (ACMENAMES.NTF) and that you have Designer or Manager access in the Domino Directory ACL.
2. From the Domino Designer, customize a visible view in ACMENAMES.NTF.
3. Select the view, choose File - Document Properties, click the Design tab (third tab from the left), then select "Prohibit design refresh or replace to modify."
4. Make any other directory customizations, and then complete the procedure "Applying template customizations to the Domino Directory database."
To make extensive changes to a copy of the view
1. Make sure that you are working in a copy of the default Domino Directory template (ACMENAMES.NTF) and that you have Designer or Manager access in the Domino Directory ACL.
2. From the Domino Designer, make a copy of a view in ACMENAMES.NTF.
3. Select the copy, choose File - Document Properties, click the Design tab (third tab from the left), and then select "Prohibit design refresh or replace to modify."
4. Customize the copy of the view, and then give the copy of the view a new title.
5. Open the original view, choose Design - View Properties, click the i tab, and then deselect "Show in View menu."
6. Save the view.
7. Select the original view, choose File - Document Properties, click the Design tab, and then choose "Prohibit design refresh or replace to modify."
8. Make any other directory customizations, and then complete the procedure "Applying template customizations to the Domino Directory database."
To add attributes to an object class defined in the default schema, do not add the attributes to the object class directly. Instead, do one of the following:
Create an auxiliary object class to define the new attributes, and then add the auxiliary object class to the default object class.
Create a new structural object class with the new attributes, and then configure the new object class to inherit from the default object class.
schema. For example, to create a form to hold values for entries defined by the residentialPerson object class, follow the steps described in the procedure "Using the Domino Directory to create a new LDAP structural object class." In this case you are not using the form to define an object class, because the object class is already defined in the LSCHEMA.LDIF file. Instead you're using the form so that entries defined by the object class are visible in documents. If you do this, make sure to define the schema elements exactly as the Domino LDAP Schema database (SCHEMA.NSF) shows them to be defined. Defining them differently can cause you to define new schema elements, rather than simply allowing the default schema elements to be visible in documents.
Using the Domino Directory to create a new LDAP structural object class
You can add a form and associated subforms to the Domino Directory to define a new LDAP structural object class in the LDAP schema and to enable documents created from the form to be LDAP-accessible. The preferred method for extending the schema is to use the Domino LDAP Schema database, however. Use the Domino Directory to extend the schema only if Notes or Web users require access to the new entries defined by the schema elements through documents in the directory. If you do not need documents created from a form to be LDAP-accessible (for example, you don't run the LDAP service in the domain and are sure you won't in the future), you can create a new form without following these steps.
To add a new form to the Domino Directory to define an LDAP structural object class:
1. Create a form for the structural object class.
2. Create and insert an associated $xxxInheritableSchema subform into the form to define the attributes for the object class.
3. (Optional) Create and insert an associated $xxxExtensibleSchema subform into the $xxxInheritableSchema subform to support adding an auxiliary object class to the structural object class.
Note: You must also create a view for displaying the object class entries to Notes and Web users.
Subform: $acmePrinterExtensibleSchema
Note: Inserting a subform into an ExtensibleSchema subform or inserting an ExtensibleSchema subform into an InheritableSchema subform are the only instances in which nesting subforms (that is, inserting a subform within another subform) is acceptable.
Creating a form to define a new LDAP structural object class
The procedures that describe how to use the Domino Directory to create a new structural object class use the following:
ACMENAMES.NTF as the file name for the copy of the Domino Directory template. Where ACMENAMES.NTF appears, substitute the file name of the copy of the Domino Directory template you created.
acmePrinter as the name of the new structural object class. Substitute the name of the object class you are adding.
(LDAP country) form and the $countryInheritableSchema and $countryExtensibleSchema subforms, which come with the Domino Directory, as templates to use as a basis for creating the new form and subforms.
The first step in using the Domino Directory to create a new LDAP structural object class is creating a form as follows:
1. Make sure that you are working in a copy of the Domino Directory template (ACMENAMES.NTF) and that you have at least Designer or Manager access in the ACL.
2. From the Domino Designer, open ACMENAMES.NTF.
3. Do the following to copy the contents of the (LDAP country) form into a new form:
   Note: Do not select the (LDAP country) form and use copy and paste to copy it.
   a. In the left pane, select Forms.
   b. Open the (LDAP country) form, choose Edit - Select All, then Edit - Copy.
   c. Close the (LDAP country) form.
   d. Click New Form, and choose Edit - Paste.
4. With the new form open, delete the words LDAP Country at the top of the new form, and replace them with a label describing the new type of entry, for example, Acme Printer.
5. Choose Design - Form Properties, and do the following:
   Note: Next to the Name property, enter xxx, where xxx is the name of the new object class, for example: acmePrinter
   Note: You can use a backslash (\) in the name of the new form so that the form name cascades from an item in the Notes Create menu. If you use the backslash, add the right-most portion of the name as an alias to the form name so that the object is correctly named in the LDAP schema. For example, to cascade the acmePrinter form from LDAP, name the form LDAP\acmePrinter | acmePrinter.
   a. (Optional) Deselect the Display property "Include in menu" to prevent Notes and Web users from creating documents from the form. When a Notes or Web user creates a document, LDAP users can't search the new documents until after the Indexer runs to update the views.
   b. Deselect the Options property "Render pass through HTML in Notes."
   c. Leave the other properties the same, and close the Form properties box.
6. On the Mandatory tab of the new form, select the Type field and in the field formula in the pane below, change "country" to the name of the new object class enclosed in quotation marks, for example: "acmePrinter"
7. Do the following to remove the $countryInheritableSchema subform from the new form:
   a. On the Mandatory tab, click the phrase Mandatory Attributes to set focus on the $countryInheritableSchema subform.
   b. Verify that the $countryInheritableSchema subform is selected in the bottom pane.
   c. Choose Edit - Delete to remove the $countryInheritableSchema subform.
8. Close and save the new form.
9. Do the following:
   a. In the left pane, select Forms.
   b. Select the new form, and choose Design - Design Properties.
   c. Click the third tab from the left, and select "Prohibit design refresh or replace to modify."
10. Complete the procedure "Creating and inserting an $xxxInheritableSchema subform."
Creating and inserting a $xxxInheritableSchema subform
After you create a form to define a new structural object class, create an associated $xxxInheritableSchema subform and insert it into the form. The $xxxInheritableSchema subform defines the attributes for the structural object class.
1. Make sure that you are working in a copy of the Domino Directory template (ACMENAMES.NTF) and that you have Designer or Manager access in the ACL.
2. From the Domino Designer, open ACMENAMES.NTF.
3. Do the following to copy the contents of the $countryInheritableSchema subform into a new subform:
   Note: Do not select the $countryInheritableSchema subform and use copy and paste to copy it.
   a. In the left pane, select Shared Code and then Subforms.
   b. Open the $countryInheritableSchema subform, choose Edit - Select All, then Edit - Copy.
   c. Close the $countryInheritableSchema subform.
   d. With Subforms still selected, click New Subform, and choose Edit - Paste.
4. Do the following to specify the properties for the new subform:
   a. With the new subform open, choose Design - Subform Properties.
   b. Next to the Name property, enter the following: $xxxInheritableSchema
      Where xxx is the name of the new structural object class created previously, for example: $acmePrinterInheritableSchema
      Deselect the Options property "Render pass through HTML in Notes."
   c. Leave the other properties the same, and close the Subform Properties box.
5. On the Mandatory tab, do the following:
   a. Delete the field OfficeCountry and its label. Do not delete the $dspType field and label.
   b. Choose Create - Field.
c. Next to the Name property, specify FullName. d. Next to the Type property, select Names.
e. Close the Field box. f. Select Input Validation in the Object pane, and enter the following formula: @V2If(FullName = ; @Failure(FullName is required); @Success) 6. On the Optional tab, delete the searchGuide field and its label, and optionally delete the comment field and its label. 7. Leave the Operational tab as is. 8. Define the mandatory and optional attributes for the new structural object class in the new InheritableSchema subform. For more information, see the topic Using the Domino Directory to define an LDAP attribute for a new object class later in this chapter. 9. Do the following to remove the $countryExtensibleSchema subform from the new InheritableSchema subform: a. On the Extensible tab of the new InheritableSchema subform, place the cursor the equivalent of one line down to select the $countryExtensibleSchema subform.
b. Verify that the $countryExtensibleSchema subform is selected in the bottom pane. c. Choose Edit - Delete to remove the $countryExtensibleSchema subform from the new InheritableSchema subform. 10. Save and close the new InheritableSchema subform.
11. Do the following to insert the new InheritableSchema subform into the form created to define the structural object class:
   a. From the Domino Designer, open ACMENAMES.NTF.
   b. In the left pane, select Forms and open the form you created previously, for example, acmePrinter.
   c. Position the cursor between the form name and the Type, Owner, LocalAdmin, and DocumentAccess fields.
   d. Choose Create - Resource - Insert Subform, select the InheritableSchema subform you created, for example $acmePrinterInheritableSchema, and click OK.
12. Save and close the form.
13. (Optional) Complete the procedure "Creating and inserting an $xxxExtensibleSchema subform."

Creating and inserting an $xxxExtensibleSchema subform
After you create and insert a $xxxInheritableSchema subform for a structural object class, create and insert a $xxxExtensibleSchema subform into the $xxxInheritableSchema subform so that you can add an auxiliary object class to the structural object class. If you do not want to add an auxiliary object class to the new structural object class, do not complete this procedure.
1. Make sure that you are working in a copy of the Domino Directory template (ACMENAMES.NTF) and that you have Designer or Manager access in the ACL.
2. From the Domino Designer, open ACMENAMES.NTF.
3. In the left pane, select Shared Code and then Subforms.
4. Click New Subform.
5. Do the following to specify the properties for the new subform:
   a. With the new subform open, choose Design - Subform Properties.
   b. Next to the Name property, enter the following:
      $xxxExtensibleSchema
      where xxx is the name of the new structural object class created previously, for example:
      $acmePrinterExtensibleSchema
   c. Deselect the Options property "Render pass through HTML in Notes."
   d. Leave the other properties the same, and close the Subform Properties box.
   e. Save and close the new ExtensibleSchema subform.
6. Do the following to insert the new ExtensibleSchema subform into the InheritableSchema subform:
   a. With Subforms still selected, open the InheritableSchema subform you created previously, for example $acmePrinterInheritableSchema.
   b. On the Extensible tab, choose Create - Resource - Insert Subform.
   c. Select the ExtensibleSchema subform you created, for example $acmePrinterExtensibleSchema.
   d. Click OK.
7. Save and close the InheritableSchema subform.
8. Complete the procedure "Using the Domino Directory to create an LDAP auxiliary object class."
You can also configure a new structural object class to inherit from a default object class in the schema that is defined by a form.
1. Make sure that you are working in a copy of the Domino Directory template (ACMENAMES.NTF) and that you have Designer or Manager access in the ACL.
2. From the Domino Designer, open ACMENAMES.NTF.
3. In the left pane, select Shared Code and then Subforms.
4. Open the $xxxInheritableSchema subform for the subordinate object class. For example, if you want the acmeLaserPrinter object class to inherit from the acmePrinter object class, open the $acmeLaserPrinterInheritableSchema subform.
5. Click the Inheritable tab, and do the following:
   a. Choose Create - Resource - Insert Subform.
   b. Select the InheritableSchema subform for the superior object class. For example, select the $acmePrinterInheritableSchema subform if you want the acmeLaserPrinter object class to inherit from the acmePrinter object class.
   c. Click OK.
6. Save and close the InheritableSchema subform for the subordinate object class.
The preferred method for extending the LDAP schema is to use the Domino LDAP Schema database. Use the Domino Directory to extend the schema only if Notes or Web users require access to the new schema elements through documents in the directory.

Creating a subform to define an auxiliary object class
1. Make sure that you are working in a copy of the Domino Directory template (ACMENAMES.NTF) and that you have Designer or Manager access in the ACL.
2. From the Domino Designer, open ACMENAMES.NTF.
3. In the left pane, select Shared Code and then Subforms.
4. Click New Subform.
5. Do the following to specify the properties for the new subform:
   a. With the new subform open, choose Design - Subform Properties.
   b. Next to the Name property, enter a name for the auxiliary object class, for example, building.
   c. Keep the Options property "Include in Insert Subform... dialog" selected.
   d. Deselect the Options property "Render pass through HTML in Notes."
   e. Leave the other properties the same, and close the Subform Properties box.
   f. Save and close the new subform.
6. Do the following to add a field to define the auxiliary object class:
   a. Choose Create - Field.
   b. Next to Name on the Basics tab of the Field dialog box, specify any name, but precede the name with a dollar sign ($) to indicate that the field is an operational field, for example: $building.
   c. Next to Text on the Basics tab of the Field dialog box, select Computed when composed.
   d. Specify the formula for the field in the pane below as follows:
      FIELD $objectclass := $objectclass : "subform";1
      where subform is the name of the subform you specified in step 5, for example:
      FIELD $objectclass := $objectclass : "building";1
7. Complete the procedure "Using the Domino Directory to define an LDAP attribute for a new object class" to add the attributes to the new auxiliary object class.
8. Save the new subform.
9. Do the following:
   a. In the left pane, select Shared Code and then Subforms.
   b. Select the new subform, and choose Design - Design Properties.
   c. Click the third tab from the left, and select "Prohibit design refresh or replace to modify."

Adding the new auxiliary object class to a structural object class
After you create a subform to define a new auxiliary object class, complete this procedure to add the auxiliary object class to a structural object class. You can add the auxiliary object class to a new structural object class you have created, or to a default structural object class.
1. From ACMENAMES.NTF, open a $xxxExtensibleSchema subform or a form, as described in the following table:
To add the auxiliary object class to dominoPerson dominoGroup dominoOrganization, dominoOrganizationalUnit, and dominoInternetCertifier dominoServerResource locality organization organizationalUnit Open this subform or form $PersonExtensibleSchema $GroupExtensibleSchema $CertifierExtensibleSchema
a structural object class defined in the default schema that doesn't have a corresponding $xxxExtensibleSchema subform | The form used to define the object class
a structural object class you defined in the Domino Directory | $xxxExtensibleSchema, where xxx is the name of the new structural object class
2. Choose Create - Resource - Insert Subform.
3. Select the subform you created for the auxiliary object class, for example, building.
4. Click OK.
5. Close and save the subform or form you opened in step 1.
6. Complete the procedure "Applying template customizations to the Domino Directory database."
Using the Domino Directory to define an LDAP attribute for a new object class
The preferred method for extending the LDAP schema is to use the Domino LDAP Schema database. Use the Domino Directory to extend the schema only if Notes or Web users require access to the new schema elements through documents in the directory.
To define an attribute for a new object class you have added to the Domino Directory, add a field to the appropriate subform.
Note: Do not add the fields ListName or ServerName.
1. From the Domino Administrator or Notes client, choose the name for the attribute, then do the following to determine whether the attribute is already being used:
   a. Open the Domino LDAP Schema database (SCHEMA.NSF) on a server that runs the LDAP service.
   b. Select the All Schema Documents - LDAP Attribute Types view.
   c. Do a full-text search for the name of the attribute you plan to define for the object class.
   d. Do one of the following:
      - If the search returns a document whose LDAP name field contains the name of the attribute for which you searched, use the corresponding value in the Notes mapping field in the Attribute document as the name of the new field.
      - If the search does not return a document whose LDAP name field contains the name of the attribute for which you searched, use the name of the attribute for which you searched.
2. Make sure that you are working in a copy of the Domino Directory template (ACMENAMES.NTF) and that you have Designer or Manager access in the ACL.
3. From the Domino Designer, open ACMENAMES.NTF.
4. Do one of the following:
   - To define an attribute for a new auxiliary object class, open the subform for the auxiliary object class, for example, the subform named building.
   - To define an attribute for a new structural object class, open the $xxxInheritableSchema subform for the object class, for example, the subform $acmePrinterInheritableSchema, and then select the Mandatory tab if the attribute will be required, or select the Optional tab if the attribute will not be required.
5. Choose Create - Field, and do the following:
   a. Next to the Name property, give the field a name as described in Step 1.
   b. Next to the Type property, choose one of the following data types, and keep Editable selected:

      Choose this Domino data type | For this LDAP attribute syntax
      Text | Directory string
      Date/Time | Generalized time
      Number | Integer
      Names | Distinguished name

6. (Optional) Do the following to require that all entries include a value for this attribute:
   a. Select the field.
   b. Select Input Validation in the Objects pane at the bottom of the subform.
   c. Enter the following input validation formula:
      @V2If(fieldname = ""; @Failure("fieldname is required"); @Success)
      where fieldname is the name you gave the new field. For example, if you add the field shoesize and you want to require that all entries include values for the field, enter this formula:
      @V2If(shoesize = ""; @Failure("shoesize is required"); @Success)
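
The subform arrangement described in these procedures (Mandatory and Optional tabs, a superior class inserted on the Inheritable tab, auxiliary classes inserted through the ExtensibleSchema subform) can be modelled to see which fields an entry of a given class must carry. The Python below is an added example, not part of the IBM documentation: the field names acmePrinterModel, acmeTonerLevel and buildingName are hypothetical, and it assumes a subordinate class also picks up the auxiliary classes attached to its superior.

```python
from dataclasses import dataclass, field

# Domino field type -> LDAP attribute syntax, from the table on this page.
LDAP_SYNTAX = {
    "Text": "Directory string",
    "Date/Time": "Generalized time",
    "Number": "Integer",
    "Names": "Distinguished name",
}


@dataclass
class ObjectClass:
    name: str
    mandatory: dict = field(default_factory=dict)  # Mandatory tab: field -> Domino type
    optional: dict = field(default_factory=dict)   # Optional tab: field -> Domino type
    superior: str = ""     # class whose InheritableSchema subform sits on the Inheritable tab
    auxiliary: tuple = ()  # auxiliary subforms inserted in the ExtensibleSchema subform


def effective_fields(schema, class_name):
    """Return (mandatory, optional) field maps after following superior and auxiliary classes."""
    mandatory, optional = {}, {}
    visited = []
    current = class_name
    while current:
        if current in visited:
            raise ValueError("inheritance loop: " + " -> ".join(visited + [current]))
        visited.append(current)
        cls = schema[current]
        # The class itself, then every auxiliary class attached to it.
        for source in (cls, *(schema[a] for a in cls.auxiliary)):
            for name, dtype in source.mandatory.items():
                mandatory.setdefault(name, dtype)
            for name, dtype in source.optional.items():
                optional.setdefault(name, dtype)
        current = cls.superior
    # A field required anywhere in the chain stays required.
    for name in mandatory:
        optional.pop(name, None)
    return mandatory, optional


def missing_mandatory(schema, class_name, entry):
    """Required fields that are absent or empty, the condition the @V2If formula rejects."""
    mandatory, _ = effective_fields(schema, class_name)
    return sorted(n for n in mandatory if entry.get(n, "") in ("", [], None))


def ldap_syntaxes(schema, class_name):
    """LDAP attribute syntax of every field the class ends up with."""
    mandatory, optional = effective_fields(schema, class_name)
    return {n: LDAP_SYNTAX[t] for n, t in {**optional, **mandatory}.items()}


# Constructed sample schema using the class names from this page.
SCHEMA = {c.name: c for c in (
    ObjectClass("acmePrinter", mandatory={"FullName": "Names"},
                optional={"acmePrinterModel": "Text"}, auxiliary=("building",)),
    ObjectClass("acmeLaserPrinter", optional={"acmeTonerLevel": "Number"},
                superior="acmePrinter"),
    ObjectClass("building", optional={"buildingName": "Text"}),
)}

if __name__ == "__main__":
    print(effective_fields(SCHEMA, "acmeLaserPrinter"))
    print(missing_mandatory(SCHEMA, "acmeLaserPrinter", {"acmeTonerLevel": 40}))
```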
receive all design changes from the new version of the Domino Directory template. Repeat Step 1 for each form that came with the Domino Directory and in which you hid sections.
2. Open ACMENAMES.NTF, choose File - Database - Refresh design, select a server that has a new version of the default Domino Directory template (PUBNAMES.NTF), and click OK.
3. If you created subforms to customize forms, re-insert the subforms into the appropriate forms in ACMENAMES.NTF. If you customized built-in subforms for Person, Group, or Server\Certifier forms, you do not need to complete this step.
4. To hide a section of one of the forms that comes with the Domino Directory, do the following in ACMENAMES.NTF:
   a. Select the section in the form, choose Text - Text Properties, click the Hide tab (the fifth tab from the left), select hide options, and then save the form. LDAP ignores any hide selections.
   b. Choose File - Document Properties, click the Design tab, and then select "Prohibit design refresh or replace to modify."
5. For each view in ACMENAMES.NTF that came with the Domino Directory and that you customized, choose File - Document Properties, click the Design tab, and then select "Prohibit design refresh or replace to modify."
6. If you previously customized a visible view that came with the Domino Directory, in ACMENAMES.NTF do one of the following to restore the customizations:
   - If you made changes directly to the view, re-create the changes.
   - If you made changes to a copy of the view, open the original view, choose Design - View Properties, click the i tab, deselect "Show in View menu," then save the original view. Then, select the original view, choose File - Document Properties, click the Design tab, and choose "Prohibit design refresh or replace to modify."
Create replica
Create a Roaming User
Delegate mail file
Delegate mail file on administration server
Delegate Web mail file
Delete database
Delete group in Domino Directory
Delete hosted organization
Delete person in Domino Directory
Delete Policy in Domino Directory
Delete resource
Delete roaming user
Delete server name in Domino Directory
Downgrade user from Roaming to Non-Roaming user
Find name in domain
Maintain Trends database record
Modify CA Configuration in the Domino Directory
Modify ID recovery information in Domino Directory
Modify resource
Modify user information stored in the Domino Directory
Move database from a cluster server
Move database from a non-cluster server
Move a mail file from one server to another
Move roaming user to another server
Place server's Notes build number into Server record
Recertify Certificate Authority in Domino Directory
Recertify servers
Recertify users
Register hosted organization
Remove servers from cluster
F-2 Administering the Domino System, Volume 2
Rename group
Rename person
Rename person - name change refused
Request to create ISpy database
Retract database
Set Directory Assistance field
Set directory filename
Set password fields
Set user name and enable schedule agent
Set Web admin fields
Set Web user name and enable scheduled agent
Sign database with server's ID file
Store CA Policy Information in the Domino Directory
Store certificate in Domino or LDAP Directory
Store Certificate Revocation List in Domino or LDAP Directory
Store directory type in Server record
Store server's CPU count
Store server's DNS host name
Update client information in Person Record
Update external domain information
Update domain catalog configuration
Update license tracking information in Domino Directory
Update roaming user information in Person record
Update non-roaming user to roaming user
Update server protocol information
Upgrade server to hierarchical
Web set Soft Deletion Expire Time
Add Resource
You can add a resource, that is, a room or reservation, to the Resource Reservations database via the Domino Administrator.
Triggered by: The Resource administrator performing a New Resource action in the Resource Reservations database.
Carried out on: The administration server for the Domino Directory.
Carried out: Immediately
Result: Creates a mail-in database record for the resource.
Approve refused name change is posted in the Administration Requests database. For more information on processing name change refusals, see the topic Rename person - name change refused later in this appendix.
Create replica
You can create a database replica using the Administration Process by selecting a database and then choosing Database - Create Replica from the tools pane in the Domino Administrator.

Check access
Triggered by: Initiating the command from the Domino Administrator.
Carried out on: The server that contains the database being replicated.
Carried out: Immediately
Result: The Administration Process on the source server checks that the user submitting the request and the destination server have at least Reader access in the ACL of the database. If the user and destination server have the necessary access and if a Connection document between the source and destination server exists, the Administration Process generates a "Create replica" request in the Administration Requests database of the source server.

Create replica
To populate the replica, the user submitting the request and the source server must have Create Replica access to the destination server.
Triggered by: Successful completion of the Check Access administration request.
Carried out on: The destination server for the database.
Carried out: Immediately
Result: A new replica of the database is placed on the destination server. The database is populated during the next replication.
Create a Roaming User's Roaming Files
Triggered by: Clicking the Advanced check box on the Basics panel of the registration user interface, and then selecting the Roaming User check box on the same panel. (The Roaming User check box is not displayed until you select the Advanced check box on the Basics panel of the registration user interface.)
Carried out on: Either the user's mail server or the server you designate as a roaming server in the User Registration user interface. If you selected "Put roaming user files on mail server," the files are placed on the mail server. If that option is not selected, the files are placed on the designated registration server. The default location is a subdirectory beneath the directory path Domino/Data/Mail. The subdirectory is named with up to the first eight characters of the user's last name. For example, Domino/Data/Mail/<username.nsf>.
Carried out: Immediately
Result: Creates the roaming user's files for the user that you are registering.

Create Mail file
Triggered by: Choosing to create a mail file during the Administration Process during registration.
Carried out on: User's home mail server.
Carried out: Immediately.
Result: Creates the mail file on the user's home mail server.
Result: Modifies the ACL for the mail file on the server for that database. New mail preferences are set by the user on the user's mail file.
Delete Database
You can delete (retract) a database and, optionally, delete all replicas of the database. From the Domino Administrator, choose Files and select the database you are deleting, and then choose Files - Delete. You are prompted to verify that you do want to delete the selected file(s) and presented with a check box in which to indicate whether you want to delete all replicas. Click the check box to delete all replicas of those databases.
Carried out on: All servers in the domain.
Carried out: Immediately
Result: AdminP reads the database ACL to verify that the request signer is the database Manager. If so, it generates an Approve Replica Deletion request for the server administrator to accept or reject. If the signer is not a database administrator, an Event is logged.
Delete Replica
Triggered by: Completion of the Request Replica Deletion request.
Carried out on: Server on which the database exists.
Carried out: According to the Interval setting in the Administration Process section of the Server document.
Result: The replica is deleted.
Delete group in Domino Directory
Triggered by: Choosing Actions - Delete Group in the Domino Directory (or clicking Delete Group) and selecting to delay the deletion of the group name from the Domino Directory.
Carried out on: The administration server for the Domino Directory.
Carried out: According to the Interval setting for the Administration Process in the Server document.
Result: The Administration Process removes the name from the Domino Directory except from Person documents.

Delete in Person documents
Triggered by: Completion of a Delete Group in Domino Directory request.
Carried out on: The administration server for the Domino Directory.
Carried out: According to the "Execute once a day requests at" setting for the Administration Process in the Server document.
Result: The Administration Process removes the group name from Person documents in the Domino Directory.
Delete in Access Control List
Triggered by: Choosing to immediately delete all occurrences of the group name from the Domino Directory when initiating the Delete action or the completion of a Delete Group in Domino Directory request (if you chose to delay deletion of the name from the Domino Directory).
Carried out on: Each server in the domain.
Carried out: According to the Interval setting for the Administration Process in the Server document.
Result: Each server in the domain deletes the name from the ACLs of databases for which it is an administration server.

Delete in Reader / Author Fields
Triggered by: Completion of a Delete in Access Control List request on the administration server for the Domino Directory (if you chose to immediately delete occurrences of the name from the Domino Directory) or completion of the Delete in Person Documents request (if you chose to delay deletion of the name from the Domino Directory).
Carried out on: Each server in the domain.
Carried out: According to the Delayed Request settings for the Administration Process in the Server document.
Result: Each server in the domain deletes the name from Reader/Author fields of databases for which it is an administration server and that have the advanced ACL option "Modify all Reader/Author fields" selected.

Timing for deleting a group

Request | Timing
Delete group in Domino Directory | Interval
Delete in Person Documents | Execute once a day requests at
Delete in Access Control List | Interval
Delete in Reader/Author Fields | Start executing on, Start executing at
Approve deletion of hosted organization storage
Triggered by: Successful completion of the Get hosted organization storage information for deletion request.
Carried out on: Administration server for the Domino Directory.
Carried out: When you open the request and choose Approve hosted organization storage deletion.
Result: Posts the Delete hosted organization storage request.

Delete hosted organization storage
Triggered by: Successful processing of the Approve deletion of hosted organization storage request.
Carried out on: The xSP server.
Carried out: According to the Interval setting in the Administration Process section of the Server document.
Result: Deletes all file systems belonging to the hosted organization.
[Figure: flowchart of the Delete Person request sequence, starting from choosing "Actions: Delete Person" (or clicking "Delete Person") in the Domino Directory. Steps shown: Delete in Address Book, Get Information for Deletion, Approve File Deletion, Request File Deletion, Delete Mail File, Request to Delete Private Design Elements, Delete Private Design Elements.]
Delete person in Domino Directory
Triggered by: Choosing Actions - Delete Person in the Domino Directory (or clicking Delete Person) and choosing to delay deletion of the name from the Domino Directory. You can also trigger this action by choosing Delete Person when viewing a Person document with the Web Administrator.
Carried out on: The administration server for the Domino Directory.
Carried out: According to the Interval setting for the Administration Process in the Server document.
Result: The Administration Process removes the name from the Domino Directory, except from other people's Person documents, and posts the Delete in Person documents request. If you have created a termination group and set up the administration process to add deleted users to that group, the name is added to the Terminations group.

Delete in Person documents
Triggered by: Completion of a Delete in Domino Directory request.
Carried out on: The administration server for the Domino Directory.
Carried out: According to the "Execute once a day requests at" setting for the Administration Process in the Server document.
Result: The Administration Process removes the name from other people's Person documents in the Domino Directory.

Delete in Access Control List
Triggered by: Choosing to immediately delete all occurrences of the name from the Domino Directory when initiating the Delete action or the completion of a Delete in Domino Directory request (if you chose to delay deletion of the name from the Domino Directory).
Carried out on: Each server in the domain.
Carried out: According to the Interval setting for the Administration Process in the Server document.
Result: Each server in the domain deletes the name from the ACLs of databases for which it is an administration server.

Delete in Reader / Author Fields
Triggered by: Completion of a Delete in Access Control List request on the administration server for the Domino Directory (if you chose to immediately delete occurrences of the name from the Domino Directory) or completion of a Delete in Person documents request (if you chose to delay deletion of the name from the Domino Directory).
Carried out on: Each server in the domain.
Carried out: According to the Delayed Request settings for the Administration Process in the Server document.
Result: Each server in the domain deletes the name from Reader/Author fields of databases for which it is an administration server and that have the advanced ACL option "Modify all Reader/Author fields" selected. The server scans the databases for shared agents signed by the deleted person and for Private Design Elements (folders, views, agents) signed by the deleted person.
Administration Process Requests F-17
Shared agents found are reported in the request's Response document. If Private Design Elements are found, an Approve deletion of Private Design Elements administration request is posted.

Get file information for deletion
Triggered by: Completion of the Delete in Access Control List request on the administration server for the Domino Directory (if you chose to immediately delete all occurrences of the name) or completion of the Delete in Domino Directory request (if you chose to delay deleting the name from the Domino Directory). You must also have specified to delete the mail file in which you chose to delete the person.
Carried out on: The deleted person's home server.
Carried out: Immediately
Result: The person's home server creates an Approve file deletion request which provides information about the mail file. This appears in the Pending Administrator Approval view of the Administration Requests database.

Approve file deletion
Triggered by: Completion of the Get file information for deletion request.
Carried out on: The server on which you approve the request.
Carried out: When you manually approve or reject the request.
Result: If you approve the request, the Administration Process creates a Request file deletion request.

Request file deletion
Triggered by: Approving the Approve file deletion request.
Carried out on: The administration server for the Domino Directory.
Carried out: Immediately
Result: Posts a Delete mail file request.

Delete mail file
Triggered by: Completion of a Request file deletion request.
Carried out on: The deleted person's home server.
Carried out: According to the Interval setting for the Administration Process in the Server document.
Result: The Administration Process verifies that the administrator who approved the deletion has at least Author with Delete documents access to the Domino Directory. Then, if the mail file doesn't use shared mail, the Administration Process deletes the file. If the file does use shared mail, then the Administration Process purges the links to the shared mail database, disables replication, and creates a Delete unlinked mail file request.

Delete unlinked mail file
Triggered by: Completion of a Delete mail file request for a mail file that uses shared mail.
Carried out on: The deleted person's home server.
Carried out: According to the "Interval between purging mail file and deleting when using object store" setting for the Administration Process in the Server document.
Result: The Administration Process deletes the mail file after waiting a period of time. This delay provides time for the Object Collect task to purge any obsolete messages.

Approve deletion of Private Design Elements
Triggered by: Completion of a Delete in Readers/Authors field request and locating Private Design Elements signed by the deleted person in databases on that server.
Carried out on: Any server in the domain.
Carried out: According to the administrator's discretion.
Result: The deletion is approved and the Request to delete Private Design Elements administration request is posted.

Request to delete Private Design Elements
Triggered by: The administrator's approval of the Approve deletion of Private Design Elements administration request.
Carried out on: The administration server for the Domino Directory.
Carried out: Immediately
Result: Posts the Delete Private Design Elements administration request.

Delete Private Design Elements
Triggered by: Completion of the Request to delete Private Design Elements administration request.
Carried out on: The server containing the database with the Private Design Elements.
Carried out: According to the Interval setting in the Administration Process section of the Server document.
Result: Private Design Elements signed by the deleted person are removed from the databases.
Note: If the person requesting the delete action chose to delete all replicas of a mail file, then a Get File Information for Deletion request is created and processed by all servers in the domain. This request is posted after completion of the Delete mail file request or the Delete unlinked mail file request. For each replica of the mail file found on servers in the domain, the Approve file deletion, Request file deletion, and Delete mail file request sequence occurs again.

Timing for deleting user names

Request | Timing
Delete person in Domino Directory | Interval
Delete in Person Documents | Execute once a day requests at
Delete in Access Control List | Interval
Delete in Reader/Author Fields | Start executing on, Start executing at
Get File Information for Deletion | Immediate
Approve File Deletion | Requires administrator approval in Administration Requests database
Request File Deletion | Immediate
Delete Mail File | Interval
Delete Unlinked Mail File | Interval between purging and deleting mail file when using shared mail
Approve deletion of Private Design Elements | Required administrator's approval.
Request to delete Private Design Elements | Immediate
Delete Private Design Elements | Interval
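
The triggers and timing above determine how long a deleted person's name, mail file and private design elements stay in place, and where the sequence stops until an administrator acts. The Python below is an added example, not IBM code: it encodes the triggers stated in this section for a non-roaming user and reports which requests are waiting on approval; the Options fields and function names are this example's own.

```python
from dataclasses import dataclass

START = "Delete Person action"  # the administrator's action, not an AdminP request

# Requests that wait for a person, per the timing table in this section.
NEEDS_APPROVAL = {"Approve file deletion",
                  "Approve deletion of Private Design Elements"}


@dataclass(frozen=True)
class Options:
    delay_directory_delete: bool           # chose to delay deleting the name from the directory
    delete_mail_file: bool = False
    shared_mail: bool = False
    private_design_elements: bool = False  # found while processing Reader/Author fields


def triggers(opt):
    """Map each request that will be posted to the event whose completion triggers it."""
    t = {}
    if opt.delay_directory_delete:
        directory = "Delete person in Domino Directory"
        t[directory] = START
        t["Delete in Person documents"] = directory
        t["Delete in Access Control List"] = directory
        t["Delete in Reader/Author fields"] = "Delete in Person documents"
        file_info_after = directory
    else:
        t["Delete in Access Control List"] = START
        t["Delete in Reader/Author fields"] = "Delete in Access Control List"
        file_info_after = "Delete in Access Control List"
    if opt.delete_mail_file:
        t["Get file information for deletion"] = file_info_after
        t["Approve file deletion"] = "Get file information for deletion"
        t["Request file deletion"] = "Approve file deletion"
        t["Delete mail file"] = "Request file deletion"
        if opt.shared_mail:
            t["Delete unlinked mail file"] = "Delete mail file"
    if opt.private_design_elements:
        t["Approve deletion of Private Design Elements"] = "Delete in Reader/Author fields"
        t["Request to delete Private Design Elements"] = "Approve deletion of Private Design Elements"
        t["Delete Private Design Elements"] = "Request to delete Private Design Elements"
    return t


def processing_order(opt):
    """Order the requests so each one follows the request that triggers it."""
    t = triggers(opt)
    done, order = {START}, []
    while len(order) < len(t):
        ready = [r for r, after in t.items() if r not in done and after in done]
        if not ready:
            raise ValueError("trigger graph has a gap")
        order.extend(ready)
        done.update(ready)
    return order


def status(opt, completed):
    """Summarise where the chain stands, given the names of completed requests."""
    t = triggers(opt)
    finished = set(completed) | {START}
    waiting = [r for r, after in t.items() if r not in finished and after in finished]
    return {
        "name_removed_from_acls_and_fields":
            {"Delete in Access Control List", "Delete in Reader/Author fields"} <= finished,
        "awaiting_approval": [r for r in waiting if r in NEEDS_APPROVAL],
        "in_progress": [r for r in waiting if r not in NEEDS_APPROVAL],
        "not_yet_posted": [r for r in t if r not in finished and r not in waiting],
    }


if __name__ == "__main__":
    opt = Options(delay_directory_delete=False, delete_mail_file=True)
    print(processing_order(opt))
    print(status(opt, {"Delete in Access Control List",
                       "Delete in Reader/Author fields",
                       "Get file information for deletion"}))
```

A request listed under awaiting_approval marks the point where the mail file or private design elements remain on the server until someone acts in the Pending Administrator Approval view.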
Carried out: According to the "Execute once a day requests at" setting for the Administration Process in the Server document.
Result: Removes all references to the explicit policy from all users' Person documents.
Delete resource
Approve resource delete
Triggered by: Performing a Delete Resource action in the Resource Reservations database.
Carried out on: Any server.
Carried out: According to administrator's approval.
Result: If you approve the request, the administration process creates a Remove Resource administration request.

Delete resource
Triggered by: Approval of the Approve resource delete request.
Carried out on: The administration server of the Domino Directory.
Carried out: Immediately
Result: Removes the mail-in database resource for the Resource from the Domino Directory.
Delete in Person Documents
Triggered by: Completion of a Delete Person in Domino Directory request.
Carried out on: The administration server for the Domino Directory.
Carried out: According to the "Execute once a day requests at" setting for the Administration Process in the Domino Directory.
Result: The Administration Process removes the name from other people's Person documents in the Domino Directory.

Delete in Access Control Lists
Triggered by: Choosing to immediately delete all occurrences of the name from the Domino Directory when initiating the Delete action or the completion of a Delete in Address Book request (if you chose to delay deletion of the name from the Domino Directory).
Carried out on: Each server in the domain.
Carried out: According to the Interval setting for the administration process in the Server document.
Result: Each server in the domain deletes the name from the ACLs of databases for which it is an administration server.

Delete in Reader/Author fields
Triggered by: Completion of a Delete in Access Control Lists request on the administration server for the Domino Directory (if you chose to immediately delete occurrences of the name from the Domino Directory) or completion of a Delete in Person documents request (if you chose to delay deletion of the name from the Domino Directory).
Carried out on: All servers in the domain.
Carried out: According to the Delayed Request settings for the Administration Process in the Server document. (Hourglass icon displays.)
Result: Each server in the domain deletes the name from Reader/Author fields of databases for which it is an administration server and that have the advanced ACL option "Modify all Reader/Author fields" selected. The server scans the databases for shared agents signed by the deleted person and for Private Design Elements (folders, views, agents) signed by the deleted person. Shared agents found are reported in the request's Response document. If Private Design Elements are found, an Approve deletion of Private Design Elements administration request is posted.
Get Mail File Information for Deletion
This is generated once, to begin the deletion of the user's mail file.
Triggered by: Completion of the Delete in Access Control List request on the administration server for the Domino Directory (if you chose to immediately delete all occurrences of the name) or completion of the Delete in Domino Directory request (if you chose to delay deleting the name from the Domino Directory). You must also have specified to delete the mail file in which you chose to delete the person. You must have selected the option to delete the person's mail file.
Carried out on: The user's mail server.
Carried out: According to the Interval setting in the Administration Process section of the Server document.
Result: An Approve Mail File Deletion request is generated and appears on the Pending Administrator Approval view of the Administration Requests database.

Get Replica Information for Deletion
This is generated three times, once for each of these files: Journal.nsf, bookmark.nsf, and names.nsf.
Triggered by: This request is generated upon completion of the Delete in Access Control List administration request (if you chose to immediately delete all occurrences of the name) or completion of the Delete in Domino Directory request (if you chose to delay deleting the name from the Domino Directory).
Carried out on: Server specified as the roaming server, that is, the server on which the roaming files are stored.
Carried out: Immediately
Result: An Approve File Deletion request is generated and appears on the Pending Administrator Approval view of the Administration Requests database.

Approve Mail File Deletion
This is generated once.
Triggered by: Completion of the Get Mail File for Deletion request.
Carried out on: The user's home server.
Carried out: When you manually approve or reject this request.
Result: If you approve the request, the Administration Process creates a Request Mail File Deletion request.
Approve Replica Deletion
This is generated three times.
Triggered by: Completion of the Get Replica Information for Deletion request.
Carried out on: Server specified as the roaming server, that is, the server on which the roaming files are stored.
Carried out: When you manually approve or reject this request.
Result: If you approve the request, the Administration Process creates a Request Replica Deletion request.

Request Mail File Deletion
Triggered by: Approving the Approve Mail File Deletion request.
Carried out on: The user's home server.
Carried out: Immediately
Result: Posts a Delete Mail File request.

Request Replica Deletion
This request is generated three times, once for each of these files: names.nsf, journal.nsf, and bookmark.nsf.
Triggered by: Approving the Approve Replica Deletion request.
Carried out on: The administration server for the Domino Directory.
Carried out: Immediately
Result: Posts a Delete Replica request.

Delete Mail File
Triggered by: Completion of the Request Mail File Deletion request.
Carried out on: The user's home mail server.
Carried out: According to the Interval setting for the Administration Process in the Server document.
Result: The Administration Process verifies that the administrator who approved the deletion has at least Author with Delete documents access to the Domino Directory. Then, if the mail file doesn't use shared mail, the Administration Process deletes the file. If the file does use shared mail, then the Administration Process purges the links to the shared mail database, disables replication, and creates a Delete unlinked mail file request.
Delete Replica
This request is generated three times, once for each of these files: names.nsf, journal.nsf, and bookmark.nsf.
Triggered by: Completion of the Request Replica Deletion request.
Carried out on: Server specified as the roaming server, that is, the server on which the roaming files are stored.
Carried out: According to the Interval setting for the Administration Process in the Server document.
Result: The Administration Process verifies that the administrator who approved the deletion has at least Author with Delete documents access to the Domino Directory. The Administration Process deletes the file. If the user has created Private Design Elements, the Approve Deletion of Private Design Elements, Request to Delete Private Design Elements, and Delete Private Design Elements requests are generated and processed.

For more information on how the Private Design Elements requests are processed, see the topic "Delete person in Domino Directory" in this chapter.

The administration requests that locate and delete replicas are repeated until all replicas of roaming user files are deleted. These requests are the Get Replica Information for Deletion, Approve Replica for Deletion, Request Replica Deletion and Delete Replica requests.
Delete server in Address Books
Triggered by: Choosing Actions - Delete Server or clicking Delete Server in the Domino Administrator and choosing to delay the deletion of the name from the Domino Directory.
Carried out on: The administration server for the Domino Directory.
Carried out: According to the Interval setting for the Administration Process in the Server document.
Result: The Administration Process removes the name from the Domino Directory except from Person documents.

Delete in Person documents
Triggered by: Completion of a Delete in Domino Directory request.
Carried out on: The administration server for the Domino Directory.
Carried out: According to the "Execute once a day requests at" setting for the Administration Process in the Server document.
Result: The Administration Process removes the name from Person documents in the Domino Directory.
Delete in Access Control List
Triggered by: Choosing to immediately delete all occurrences of the name from the Domino Directory when initiating the Delete action, or the completion of a Delete in Domino Directory request (if you chose to delay deletion of the name from the Domino Directory).
Carried out on: Each server in the domain.
Carried out: According to the Interval setting for the Administration Process in the Server document.
Result: Each server in the domain deletes the name from the ACLs of databases for which it is an administration server. Checks to determine whether a catalog file exists for the enterprise. If so, it generates a Delete server from Domino catalog administration request.

Delete server from Domino catalog
The Delete server from Domino catalog request is generated only when a catalog file exists for the enterprise.
Triggered by: The existence of a catalog file for the enterprise.
Carried out on: The server that contains the catalog database.
Carried out: According to the Interval setting for the Administration Process in the Server document.
Result: Removes server information from the domain catalog on the catalog server. The domain catalog is used for domain searching. The catalog server is the first server in the Local Domain Catalog Servers group.

Delete in Reader / Author Fields
Triggered by: Completion of a Delete in Access Control List request on the administration server for the Domino Directory (if you chose to immediately delete occurrences of the name from the Domino Directory) or completion of the Delete in Person Documents request (if you chose to delay deletion of the name from the Domino Directory).
Carried out on: Each server in the domain.
Carried out: According to the Delayed Request settings for the Administration Process in the Server document.
Result: Each server in the domain deletes the name from the Reader/Author fields of databases for which it is an administration server and that have the advanced ACL option "Modify all Reader/Author fields" selected.
Approve Replica Deletion
This request is generated a total of three times, one time each for journal.nsf, bookmark.nsf, and names.nsf.
Triggered by: Successful completion of the Get replica information for deletion administration request.
Carried out on: Administration server for the Domino Directory.
Carried out: When you manually approve the replica deletion request.
Result: The roaming file replicas are deleted. The "User can roam" field in the Person document is set to No.

Delete replica
Triggered by: Successful processing of the Approve Replica Deletion request.
Carried out on: The server on which the roaming files are stored.
Carried out: According to the Interval setting in the Administration Process section of the Server document.
Result: Deletes all replicas of the user's roaming files.
For more information on the Tivoli Analyzer, see the chapter "Using IBM Tivoli Analyzer for Lotus Domino."
Modify resource
Modify room/resource in directory
Triggered by: The resource manager performing an Edit Resource action in the Resource Reservation database.
Carried out on: The administration server for the Domino Directory.
Carried out: According to the Interval setting in the Administration Process section of the Server document.
Result: Modifies descriptive information about the resource in its mail-in database record in the Domino Directory.
Result: Checks for a Connection document between the old and new mail file servers, and sets up the ACLs so that the old and new servers have Manager access. If it is the administration server of the mail file, posts the Create new mail replica request. If it is not the administration server for the mail file, posts a Promote new mail server's access administration request.

Verify hosted organization storage
Triggered by: Successful completion of the Check mail server's access request or the Promote new mail server's access request.
Carried out on: Destination server.
Carried out: Immediately
Result: Verifies whether the destination server hosts the hosted organization to which the user belongs. Generates the Create new mail replica request.

Promote new mail server's access
Triggered by: Execution of a Check mail server's access administration request. The home server is not the administration server of the mail file.
Carried out on: The administration server of the mail file.
Carried out: Immediately
Result: Sets up the ACLs so that the old and new mail servers are listed as having Manager access. Posts a Create new mail file replica administration request.

Create new mail file replica
Triggered by: Successful processing of the Check mail server's access administration request.
Carried out on: Home server for the mail file as designated in the Person document.
Carried out: Immediately
Result: Creates a replica copy of the old mail file on the new mail server. If Tivoli Analyzer is not running on the source server, posts the Add new mail file fields request. If Tivoli Analyzer is running on the source server, posts the Maintain Trends database record request on the source server.
Change the server on which the agent runs
This request is generated only when there is an agent of the source server that needs to be signed by the destination server prior to running the agent.
Triggered by: The presence of an agent on the source server that must be signed by the destination server after the database is moved and can run on the destination server.
Carried out on: The destination server.
Carried out: Immediately
Result: If all access checks succeed, the agent is signed by the destination server and can be run according to normal processing.

Maintain Trends database record
Triggered by: Initiating the mail file move action as a result of resource balancing recommendations generated by the Tivoli Analyzer and successful completion of the Create new mail file replica administration request.
Carried out on: The source server for the mail file being moved.
Carried out: Immediately
Result: Copies the database record from the source server to the destination server. If appropriate, it retires the database record on the source server.

Add new mail file fields
Triggered by: Completion of the Create new mail replica administration request.
Carried out on: The administration server for the Domino Directory.
Carried out: Immediately
Result: Posts the Monitor new mail file fields administration request. Creates two fields, "New mail file" and "New mail server", in the Person document.

Monitor new mail file fields
Triggered by: Completion of the Add new mail file fields administration request.
Carried out on: The new mail file server.
Carried out: When the router recognizes the new mail server for the mail file.
Result: Verifies that "New" fields are added to the Person document on the new mail server and that the router can route the mail to the server. Posts the Replace mail file fields administration request.
Replace mail file fields
Triggered by: Completion of the Monitor new mail file fields request.
Carried out on: The administration server for the Domino Directory.
Carried out: Immediately
Result: New mail server information is added to fields. Removes "New" fields from the Person document. Places "Old Mail File" and "Old Mail Server" fields in the Person document. The server sets a flag in the Person document to update the client.

Note The user must now access their home server through the desktop so that the Notes Dialup Connection and Location documents in the Personal Domino Directory are updated with the new mail file and new mail server information. After the Personal Domino Directory is updated, Notes creates a Push changes to new mail server request, which initiates the mail file delete sequence on the old mail server. If the user accesses the home server exclusively through the Replicator, the Personal Domino Directory is not updated and the Push changes to new mail server request is not created.

Push changes to new mail server
Triggered by: Client authenticating with the home server after a Replace mail file fields request is completed.
Carried out on: The home mail server.
Carried out: Immediately
Result: Pushes the last set of changes and mail to the new mail file. Posts the Get file Information for Deletion request.

Get file information for deletion
Triggered by: Completion of the Push changes to new mail server administration request.
Carried out on: The old mail server.
Carried out: According to the Interval setting in the Administration Process section of the Server document.
Result: Gathers the replica ID of the mail file and posts the Approve file deletion administration request.

Approve file deletion
Triggered by: Successful completion of the Get file information for deletion administration request.
Carried out on: Any server.
Carried out: According to the administrator's discretion.
Result: Posts the Request file deletion administration request.
Request file deletion
Triggered by: The administrator's approval of the Approve file deletion request.
Carried out on: The administration server for the Domino Directory.
Carried out: According to the Interval setting in the Administration Process section of the Server document.
Result: Posts the Delete mail file administration request.

Delete mail file
Triggered by: Completion of the Request file deletion administration request.
Carried out on: The original home mail server.
Carried out: According to the Interval setting in the Administration Process section of the Server document.
Result: The old mail file is deleted from the original home mail server.

Delete unlinked mail file
Triggered by: Completion of the Delete mail file request for a mail file that uses shared mail.
Carried out on: The home mail server.
Carried out: According to the "Interval between purging mail file and deleting when using object store" setting for the Administration Process in the Server document.
Result: The Administration Process deletes the mail file after waiting a period of time. This delay provides time for the Object Collect task to purge any obsolete messages.

Delete obsolete change request
Triggered by: Expiration of the period in which the client's personal Domino Directory will be modified with the new mail server's information. You can use the "Mail file Names expired after" field in the Administration Process section of the home server's Server document to change the expiration period.
Carried out on: The administration server for the Domino Directory.
Carried out: According to the "Execute once a day requests at" setting for the Administration Process in the Server document.
Result: New mail client update flag field is removed from the Person document.
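The mail-file move chain above stops at two points that need a person (the user authenticating from the client, the administrator approving deletion), and until it finishes the old mail file stays on the old server. The following Python audit is an added example, not part of the IBM documentation: request names, servers and timings are transcribed from the entries above, while the list of completed request names is constructed input, and how it is exported from the Administration Requests database is an assumption left to the reader.

```python
"""Audit of the mail-file move chain (added example, not IBM code)."""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Step:
    name: str                      # request name as written on this page
    server: str                    # "Carried out on"
    gate: str                      # what must happen before it is carried out
    manual: bool = False           # True when a person has to act
    only_if: Optional[str] = None  # request exists only under this condition


DIRECTORY = "administration server for the Domino Directory"
INTERVAL = "Interval setting in the Server document"

# Order and timings transcribed from the move-mail-file entries above.
STEPS: Tuple[Step, ...] = (
    Step("Create new mail file replica", "home server for the mail file",
         "immediately"),
    Step("Maintain Trends database record", "source server", "immediately",
         only_if="tivoli"),
    Step("Add new mail file fields", DIRECTORY, "immediately"),
    Step("Monitor new mail file fields", "new mail file server",
         "router recognizes the new mail server"),
    Step("Replace mail file fields", DIRECTORY, "immediately"),
    Step("Push changes to new mail server", "home mail server",
         "user authenticates with the home server from the client, "
         "not only through the Replicator", manual=True),
    Step("Get file information for deletion", "old mail server", INTERVAL),
    Step("Approve file deletion", "any server",
         "administrator's discretion", manual=True),
    Step("Request file deletion", DIRECTORY, INTERVAL),
    Step("Delete mail file", "original home mail server", INTERVAL),
    Step("Delete unlinked mail file", "home mail server",
         "purge-to-delete interval for the object store",
         only_if="shared_mail"),
)


@dataclass(frozen=True)
class Finding:
    stalled_at: Optional[Step]      # first expected request not completed
    out_of_order: Tuple[str, ...]   # completed requests recorded after the gap
    old_file_remains: bool          # old mail file not yet deleted


def expected_steps(tivoli: bool = False, shared_mail: bool = False) -> List[Step]:
    """Requests that should appear for this environment, in order."""
    flags = {"tivoli": tivoli, "shared_mail": shared_mail}
    return [s for s in STEPS if s.only_if is None or flags[s.only_if]]


def audit(completed: Iterable[str], tivoli: bool = False,
          shared_mail: bool = False) -> Finding:
    """Locate where the chain stopped, given names of completed requests."""
    done = set(completed)
    steps = expected_steps(tivoli, shared_mail)
    stalled = next((s for s in steps if s.name not in done), None)
    later_done: Tuple[str, ...] = ()
    if stalled is not None:
        after = steps[steps.index(stalled) + 1:]
        # A completed request after the gap means the export is incomplete
        # or out of sequence, so the finding should not be trusted as-is.
        later_done = tuple(s.name for s in after if s.name in done)
    return Finding(stalled, later_done, steps[-1].name not in done)


# Constructed sample: the user only ever connects through the Replicator,
# so "Push changes to new mail server" was never created.
SAMPLE_COMPLETED = [
    "Create new mail file replica",
    "Add new mail file fields",
    "Monitor new mail file fields",
    "Replace mail file fields",
]

if __name__ == "__main__":
    f = audit(SAMPLE_COMPLETED)
    who = "a person" if f.stalled_at.manual else "the Administration Process"
    print(f"Stalled at: {f.stalled_at.name} ({f.stalled_at.server})")
    print(f"Waiting on {who}: {f.stalled_at.gate}")
    print(f"Old mail file still on old server: {f.old_file_remains}")
```

A chain that sits at a manual step for longer than the organization's retention policy allows is the case worth alerting on, because the old replica still holds the user's mail.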
Flowchart (default timing): Check Access for Move Replica Creation (Immediately), Move Replica (Immediately), Monitor Replica Stub (1 Hour), Delete Original Replica After Move (1 Hour)
Note The Maintain Trends database record request is executed as part of a database move initiated due to resource balancing initiated by IBM Tivoli Analyzer for Lotus Domino. This request is generated only when the database move is initiated while the Tivoli Analyzer is enabled. If you are not using the Tivoli Analyzer, you will not see this request.

Check access for move replica creation
Triggered by: Choosing Database - Move from the tools pane.
Carried out on: The source server.
Carried out: Immediately
Result: The Administration Process checks that the administrator initiating the request has Manager with Delete documents access to the database being moved and that the destination server has Reader access to the database being moved.

Move replica
Triggered by: Completion of the Check Access for move replica creation request.
Carried out on: The destination server (the server to which the database is being moved).
Carried out: Immediately
Result: The Administration Process checks that the administrator and the source server have Create Replica access to the destination server. If so, the Administration Process creates a replica. The replica is populated with documents the first time any server with the complete replica replicates with the destination server. If Tivoli Analyzer is running on the source server, posts the administration request Maintain Trends database record. If Tivoli Analyzer is not running on the source server, posts the administration request Monitor replica stub.

Change the server on which the agent runs
This request is generated only when there is an agent on the source server that needs to be signed by the destination server prior to running the agent.
Triggered by: The presence of an agent on the source server that must be signed by the destination server after the database is moved and can run on the destination server.
Carried out on: The destination server.
Carried out: Immediately
Result: If all access checks succeed, the agent is signed by the destination server and can be run according to normal processing.
Maintain Trends database record
Triggered by: Initiating the database move action as a result of resource balancing recommendations generated by the Tivoli Analyzer and successful completion of the Move replica administration request.
Carried out on: The source server for the database being moved.
Carried out: Immediately
Result: Copies the database record from the source server to the destination server. If appropriate, it retires the database record on the source server.

Monitor replica stub
Triggered by: Creation of the replica on the destination server.
Carried out on: The destination server.
Carried out: According to the Interval setting for the Administration Process in the Server document.
Result: The Administration Process monitors the replica. When it detects that the replica is initialized (another server has begun replicating to it), it posts a Delete original replica after move request.

Delete original replica after move
Triggered by: Completion of the Monitor replica stub request.
Carried out on: The source server.
Carried out: According to the Interval setting for the Administration Process in the Server document.
Result: The Administration Process marks the original database for deletion. The Cluster Database Directory Manager on the source server then monitors the database for usage. When all user connections to the database have closed, the Cluster Database Directory Manager pushes changes to another replica in the cluster and deletes the database.

Timing for move database from a cluster server

Request                                   Timing
Check access for move replica creation    Immediate
Move replica                              Immediate
Monitor replica stub                      Interval
Delete original replica after move        Interval
Check access for non-cluster move replica
Triggered by: Executing the non-cluster move command.
Carried out on: The source server for the database.
Carried out: Immediately
Result: The Administration Process on the source server checks that the user submitting the request is the Manager of the Domino Directory and that the destination server has Reader access in the ACL of the database. Posts a Non-cluster Move Replica request.
Non-cluster move replica
Triggered by: Completion of the Check access for non-cluster move replica request.
Carried out on: Source server for the database.
Carried out: Immediately
Result: Creates a replica of the original database on the destination server. If Tivoli Analyzer is not running on this source server, posts the Approve deletion of moved replica request. If Tivoli Analyzer is running on this source server, posts the administration request Maintain Trends database record.

Update replica settings
Triggered by: The administrator creating a new replica by replicating the source database to the destination database, where the database quota is not replicated to the destination database.
Carried out on: Destination server.
Carried out: Immediately
Result: Establishes updated replica settings on the new replica; the database quota field is reset to the same database quota as the source.

Change the server on which the agent runs
This request is generated only when there is an agent on the source server that needs to be signed by the destination server prior to running the agent.
Triggered by: The presence of an agent on the source server that must be signed by the destination server after the database is moved and can run on the destination server.
Carried out on: The destination server.
Carried out: Immediately
Result: If all access checks succeed, the agent is signed by the destination server and can be run according to normal processing.

Maintain Trends database record
Triggered by: Initiating the database move action as a result of resource balancing recommendations generated by the Tivoli Analyzer and successful completion of the Non-cluster move replica administration request.
Carried out on: The source server for the database being moved.
Carried out: Immediately
Result: Copies the database record from the source server to the destination server. If appropriate, it retires the database record on the source server.
Approve deletion of moved replica
Triggered by: Completion of the Non-cluster move replica request.
Carried out on: The Pending Administrator Approval View of the Administration Requests database, on any server. The deletion occurs on the source server.
Carried out: According to the administrator's discretion.
Result: Posts a Request to delete non-cluster move replica request.

Request to delete non-cluster move replica
Triggered by: Completion of the Approve deletion of moved replica request by the administrator's approval.
Carried out on: The administration server for the Domino Database.
Carried out: According to the Interval setting in the Administration Process section of the Server document.
Result: Posts a Delete non-cluster move replica request.

Delete non-cluster move replica
Triggered by: Completion of the Request to delete non-cluster move replica request.
Carried out on: Source server for the original database.
Carried out: According to the Interval setting in the Administration Process section of the Server document.
Result: Makes one last push replication of the source database to the destination server and deletes the original database from the source server.

Timing for move database from a non-cluster server

Request                                       Timing
Check access for non-cluster move replica     Immediate
Non-cluster move replica                      Immediate
Approve deletion of moved replica             According to administrator's discretion
Request to delete non-cluster move replica    Interval
Delete non-cluster move replica               Interval
Create Roaming User's Replicas
This request is generated one time. It creates three replicas, one for journal.nsf, one for bookmark.nsf, and one for names.nsf.
Triggered by: Successful processing of the Check Roaming Server's Access administration request.
Carried out on: User's roaming server.
Carried out: Immediately
Result: Pushes the three databases to the new replicas on the destination server. Posts the Monitor roaming server's field in Person record request.

Monitor Roaming Server's Field in Person Record
Triggered by: Successful completion of the Create roaming user's replicas request.
Carried out on: Destination server to which the roaming user files are being moved.
Carried out: Immediately
Result: Recognizes the update to the Person record and posts the Replace roaming server's field in Person record request.

Replace Roaming Server's Field in Person Record
Triggered by: Successful completion of the Monitor roaming server's field in Person record request.
Carried out on: Administration server for the Domino Directory only.
Carried out: Immediately
Result: New roaming server information is added to the Roaming Server field on the Basics tab of the Person document.

Push Changes to New Roaming Server
This request is generated three times, once each for journal.nsf, bookmark.nsf, and names.nsf.
Triggered by: The client recognizes that a new roaming server is in place and the Replicator page has been updated with the new roaming server.
Carried out on: The original roaming server.
Carried out: Immediately
Result: Pushes the last set of changes to the new Roaming Server. Initiates the Get Replica Information for Deletion administration request.
Get Replica Information for Deletion
Triggered by: Completion of the Push changes to new roaming server request.
Carried out on: The original roaming server.
Carried out: According to the Interval setting in the Administration Process section of the Server document.
Result: Gathers the replica ID of each of the roaming files and posts the Approve replica deletion administration request.

Approve Replica Deletion
This request is generated three times, once each for journal.nsf, bookmark.nsf, and names.nsf.
Triggered by: Successful completion of the Get replica for deletion administration request.
Carried out on: Any server.
Carried out: According to the administrator's discretion, that is, when the administrator approves the deletion.
Result: Posts the Request replica deletion administration request.

Request Replica Deletion
This request is generated three times, once each for journal.nsf, bookmark.nsf, and names.nsf.
Triggered by: Administrator's approval of the Approve replica deletion administration request.
Carried out on: The administration server of the Domino Directory.
Carried out: According to the Interval setting in the Administration Process section of the Server document.
Result: Posts the Delete replica administration request.

Delete Replica
This request is generated three times, once each for journal.nsf, bookmark.nsf, and names.nsf.
Triggered by: Successful completion of the Request replica deletion administration request.
Carried out on: Deletes the replicas on the old roaming server.
Carried out: According to the Interval setting in the Administration Process section of the Server document.
Result: The replicas are deleted from the old roaming server.
Replace mail file fields
Triggered by: Completion of the Add new mail file fields administration request.
Carried out on: The administration server for the Domino Directory.
Carried out: Immediately
Result: New mail server information is added to the fields. Removes "New" fields from the Person document. Places "Old Mail File" and "Old Mail Server" fields in the Person document. The server sets a flag in the Person document to update the client.

Push Changes to new mail server
Triggered by: Client authentication with the home server after the Replace mail file fields administration request is completed.
Carried out on: The home mail server.
Carried out: Immediately
Result: Pushes the last set of changes and mail to the new mail file. Posts the Get mail file information for deletion administration request.

Get mail file information for deletion
Triggered by: Completion of the Push changes to new mail server administration request.
Carried out on: The old mail server.
Carried out: Immediately
Result: Locates the replica ID of the mail file and posts the Approve mail file deletion administration request.

Approve mail file deletion
Triggered by: Successful completion of the Get mail file information for deletion administration request.
Carried out on: Any server.
Carried out: When you manually approve or reject the request in the administration requests database.
Result: Posts the Request file deletion administration request.

Request mail file deletion
Triggered by: The administrator's approval of the Approve mail file deletion request.
Carried out on: The administration server for the Domino Directory.
Carried out: According to the Interval setting in the Administration Process section of the Server document.
Result: Posts the Delete mail file administration request.
Delete mail file
Triggered by: Completion of the Request file deletion administration request.
Carried out on: The original mail server.
Carried out: According to the Interval setting in the Administration Process section of the Server document.
Result: The old mail file is deleted from the original mail server.
Recertify servers
Triggered by: Initiating the Recertify Server command from the Actions menu.
Carried out on: The administration server for the Domino Directory.
Carried out: According to the Interval setting in the Administration Process section of the Server document.
Result: The server's public key is updated, and the Server document is updated with the new public key.
Recertifying users
Triggered by: Initiating a Recertify Person action from the tools pane in the Domino Administrator.
Carried out on: The administration server for the Domino Directory.
Carried out: According to the Interval setting in the Administration Process section of the Server document.
Result: Updates the user's certified public key, and updates the user's ID file during the authentication process.
Create Mail file
Triggered by: Successful completion of the Create hosted organization storage request and by selecting "Create mail file in background" on the Mail tab of the Registration Settings document selected for this hosted organization.
Carried out on: The xSP server.
Carried out: Immediately.
Result: A mail file for the hosted organization administrator is created in the mail subdirectory for the hosted organization. The mail subdirectory resides beneath the hosted organization's data directory.

For more information on registering a hosted organization, see the chapter "Setting Up the Service Provider Environment."
Rename group
You can rename a group using the Administration Process by performing a Rename Group action from the Domino Administrator or by choosing Groups - Edit from the tools pane. The following flowchart shows the sequence of Administration Process requests that occur when you do this. (Boxes indicate requests). The timing shown for each request is the default, which you can customize through the Server Tasks Administration Process tab on the Server document.
[Flowchart: Choose "Actions: Rename Group"; Rename Group in Person Documents (Daily); Rename Group in Reader/Author Fields (Weekly)]

Rename group in Domino Directory
Triggered by: Choosing Actions - Rename group from the Domino Administrator or by choosing Groups - Edit from the tools pane.
Carried out on: The administration server for the Domino Directory.
Carried out: According to the "Interval" setting for the Administration Process in the Server document.
Result: Updates the group's name in the Domino Directory except in Person documents.

Rename group in Person documents
Triggered by: Completion of the "Rename group in Domino Directory" request.
Carried out on: The administration server for the Domino Directory.
Carried out: According to the "Execute once a day requests at" setting for the Administration Process in the Server document.
Result: Updates the name in Domino Directory Person documents.

Rename group in Access Control List
Triggered by: Completion of the "Rename group in Domino Directory" request.
Carried out on: Each server in the domain.
Carried out: According to the "Interval" setting for the Administration Process in the Server document.
Result: Each server in the domain updates the group's name in ACLs of databases for which it is an administration server.

Rename group in Reader / Author Fields
Triggered by: Completion of the "Rename in Person documents" request on the administration server for the Domino Directory.
Carried out on: Each server in the domain.
Carried out: According to the "Delayed Request" settings for the Administration Process in the Server document.
Result: Each server in the domain updates the group's name in the Reader/Author fields of databases for which it is an administration server and that have the advanced ACL option "Modify all Reader/Author fields" selected.

Timing for renaming groups
Request: Timing
Rename Group in Domino Directory: Interval
Rename Group in Person Documents: Execute once a day requests at
Rename Group in Access Control List: Interval
Rename Group in Reader/Author Fields: Start executing on / Start executing at

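The request chain and timing classes above decide how long the old group name can remain in ACLs and Reader/Author fields after a rename is submitted. The following Python example is added here and is not part of the Domino documentation; it schedules the four Rename group requests from a submission time. The 60-minute interval, the midnight daily run, the Sunday delayed run, the midnight-aligned interval ticks and all identifier names are assumptions, and replication delay between servers is not modelled.

```python
"""Added example: when does each "Rename group" request run?"""
from dataclasses import dataclass
from datetime import datetime, time, timedelta


@dataclass(frozen=True)
class AdminPSettings:
    """Assumed Server-document values; attribute names are illustrative only."""
    interval_minutes: int = 60        # "Interval"
    daily_at: time = time(0, 0)       # "Execute once a day requests at"
    delayed_weekday: int = 6          # "Start executing on" (0=Mon .. 6=Sun)
    delayed_at: time = time(0, 0)     # "Start executing at"


# request -> (timing class, request whose completion triggers it), as listed on the page.
RENAME_GROUP_CHAIN = {
    "Rename group in Domino Directory": ("interval", None),
    "Rename group in Person documents": ("daily", "Rename group in Domino Directory"),
    "Rename group in Access Control List": ("interval", "Rename group in Domino Directory"),
    "Rename group in Reader/Author fields": ("delayed", "Rename group in Person documents"),
}


def next_run(kind, ready, cfg):
    """First run strictly after `ready` for a request of the given timing class."""
    midnight = datetime.combine(ready.date(), time(0, 0))
    if kind == "immediate":
        return ready
    if kind == "interval":
        # Assumption: interval ticks are aligned to midnight.
        elapsed = int((ready - midnight).total_seconds() // 60)
        ticks = elapsed // cfg.interval_minutes + 1
        return midnight + timedelta(minutes=ticks * cfg.interval_minutes)
    if kind == "daily":
        run = datetime.combine(ready.date(), cfg.daily_at)
        return run if run > ready else run + timedelta(days=1)
    if kind == "delayed":
        days = (cfg.delayed_weekday - ready.weekday()) % 7
        run = datetime.combine(ready.date(), cfg.delayed_at) + timedelta(days=days)
        return run if run > ready else run + timedelta(days=7)
    raise ValueError(f"unknown timing class: {kind}")


def schedule(chain, submitted, cfg=AdminPSettings()):
    """Return {request: completion time}, resolving each trigger before its dependants."""
    done = {}

    def resolve(name, seen=()):
        if name in done:
            return done[name]
        if name in seen:
            raise ValueError(f"cycle in request chain at {name!r}")
        kind, trigger = chain[name]
        ready = submitted if trigger is None else resolve(trigger, seen + (name,))
        done[name] = next_run(kind, ready, cfg)
        return done[name]

    for request in chain:
        resolve(request)
    return done


def stale_windows(chain, submitted, cfg=AdminPSettings()):
    """How long after submission each location may still hold the old name."""
    plan = schedule(chain, submitted, cfg)
    return {request: when - submitted for request, when in plan.items()}


if __name__ == "__main__":
    start = datetime(2002, 9, 2, 9, 10)  # constructed sample: a Monday morning
    plan = schedule(RENAME_GROUP_CHAIN, start)
    for request, when in sorted(plan.items(), key=lambda kv: kv[1]):
        print(f"{when:%a %Y-%m-%d %H:%M}  {request}")
```

With these assumed settings, a rename submitted on a Monday morning reaches ACLs within two interval ticks, but Reader/Author fields keep the old name until the following Sunday's delayed run.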
Rename person
You can rename a user with the Administration Process by choosing People - Rename from the tools pane of the Domino Administrator. The following flowchart shows the sequence of Administration Process requests that occur when you rename a person in the Domino Directory. (Boxes represent requests.) The timing shown for each request is the default, which you can customize through the Server Tasks - Administration Process section of the Server document.
[Flowchart: decision "Person accepts new name before change request expires?" (Yes / No); Change Request Expires; Rename Person in Address Book (1 Hour); Delete Obsolete Change Requests (Daily); Rename Person in Free Time Database (Immediately); Rename Person in Calendar Entries and Profiles in Mail File (Immediately); End]

For information on renaming a Web user, see the topic "Rename Web user" in this appendix. For information on the administration requests that are generated when a user refuses a proposed name change, see the topic "Rename person - Name change refused."

Move person's name in hierarchy
Triggered by: Choosing Actions - Rename Person then Request Move to New Certifier in the Domino Directory or by choosing People - Rename from the tools pane of the Domino Administrator.
Carried out on: The server from which you choose Actions - Complete Move.
Carried out: When you choose Actions - Complete Move, in the Name Move Requests view of the Administration Requests database, to move a person's name to another hierarchy.
Result: Approves the move and triggers the "Initiate rename in Domino Directory" request.

Initiate rename in Domino Directory
Triggered by: Choosing a rename action.
Carried out on: The administration server for the Domino Directory.
Carried out: According to the "Interval" setting for the Administration Process in the Server document.
Result: Adds the new name, certificate, and change request to the Person document. Prompts the person to accept the new name upon next server authentication.

Rename person in Domino Directory
Triggered by: Person accessing a server and accepting the new name.
Carried out on: The administration server for the Domino Directory.
Carried out: According to the "Interval" setting for the Administration Process in the Server document.
Result: Updates the person's name in the Domino Directory except for Person documents. Posts the "Rename in Person documents" and the "Rename person in Unread Lists" administration requests.

Rename in Person documents
Triggered by: Completion of the "Rename person in Domino Directory" request.
Carried out on: The administration server for the Domino Directory.
Carried out: According to the "Execute once a day requests at" setting for the Administration Process in the Server document.
Result: Updates the name in Domino Directory Person documents.

Rename person in unread list
Triggered by: Completion of the "Rename person in Domino Directory" request.
Carried out on: Each server in the domain.
Carried out: According to the "Execute once a day requests at" setting for the Administration Process in the Server document.
Result: Each server in the domain examines every database on the server and updates the person's name in any unread lists.

Rename in Access Control List
Triggered by: Completion of the "Rename person in Domino Directory" request.
Carried out on: Each server in the domain.
Carried out: According to the "Interval" setting for the Administration Process in the Server document.
Result: Each server in the domain updates the person's name in ACLs of databases for which it is an administration server.

Rename person in Free Time Database
Triggered by: Completion of the "Rename person in Domino Directory" request.
Carried out on: The person's home server.
Carried out: Immediately.
Result: The person's name is changed in the Calendaring and Scheduling Free Time Database.

Rename person in calendar entries and profiles in mail file
Triggered by: Completion of the "Rename person in Free Time Database" request.
Carried out on: The person's home server.
Carried out: Immediately.
Result: The person's name is changed in their mail file's Calendar Profile and appointment documents. If the person's common name was changed and the common name is in the title of the mail file, the mail file title changes to reflect the new name. If the person is the chair person of any future meetings, the name is changed in those appointment documents.

Rename in Reader/Author Fields
Triggered by: Completion of the "Rename in Person documents" request on the administration server for the Domino Directory.
Carried out on: Each server in the domain.
Carried out: According to the "Delayed Request" setting for the Administration Process in the Server document.
Result: Each server in the domain updates the person's name in Reader/Author fields of databases for which it is an administration server and that have the advanced ACL option "Modify all Reader/Author fields" selected.

Delete Obsolete Change Requests
Triggered by: Expiration of the period in which a person can accept a new name, by default 21 days. When you rename the person, you can change the expiration period.
Carried out on: The administration server for the Domino Directory.
Carried out: According to the "Execute once a day requests at" setting for the Administration Process in the Server document.
Result: The Administration Process deletes the word "Pending" from the Change Request field from the Person document.

Timing for Rename a user request
Request: Timing
Move Person's Name in Hierarchy: Requires administrator approval in Administration Requests database
Initiate Rename in Domino Directory: Interval
Rename Person in Domino Directory: Interval
Rename in Person Documents: Execute once a day requests at
Rename Person in Unread List: Execute once a day requests at
Rename in Access Control List: Interval
Rename Person in Free Time Database: Immediate
Rename Person in Calendar Entries and Profiles in Mail File: Immediate
Delete Obsolete Change Requests*: Execute once a day requests at

* Before the Administration Process carries out a rename person request, the user whose name is being changed is prompted to accept the name change. If the user does not accept the name change within a specified period of time, or grace period, the name change request becomes an Obsolete Name Change and is entered in the Administration Requests database as a "Delete Obsolete Name Change" request.

Retract person's name change
Triggered by: The administrator approving the "Approve refused name change" request.
Carried out on: The administration server for the Domino Directory.
Carried out: Immediately.
Result: Removes the new information from the Person document and recovers the user's information and updates the Person document.

Reinitiate rename in Domino Directory
Triggered by: The administrator rejecting the name change refusal.
Carried out on: The administration server for the Domino Directory.
Carried out: Immediately.
Result: Posts an "Initiate rename in Domino Directory" request. The user is again notified of the proposed name change.

Rename Web user in Person document
Triggered by: Completion of the "Rename Web user in Domino Directory" request.
Carried out on: The administration server for the Domino Directory.
Carried out: According to the "Execute once a day requests at" setting for the Administration Process in the Server document.
Result: Updates the Web user name in Domino Directory Person documents.

Rename Web user in unread list
Triggered by: Completion of the "Rename Web user in Domino Directory" request.
Carried out on: Each server in the domain.
Carried out: According to the "Execute once a day requests at" setting for the Administration Process in the Server document.
Result: Each server in the domain examines every database on the server and updates the Web user's name in any unread lists.

Rename Web user in Access Control List
Triggered by: Completion of the "Rename Web user in Domino Directory" request.
Carried out on: Each server in the domain.
Carried out: According to the "Interval" setting for the Administration Process in the Server document.
Result: Each server in the domain updates the Web user's name in ACLs of databases for which it is an administration server.

Rename Web user in Free Time Database
Triggered by: Completion of the "Rename Web user in Domino Directory" request.
Carried out on: The Web user's home server.
Carried out: Immediately.
Result: The Web user's name is changed in the Calendaring and Scheduling Free Time Database.

Rename Web user in calendar entries and profiles in mail file
Triggered by: Completion of the "Rename Web user in Free Time Database" request.
Carried out on: The Web user's home server.
Carried out: Immediately.
Result: The Web user's name is changed in their mail file's Calendar Profile and appointment documents. If the Web user's common name was changed and the common name is in the title of the mail file, the mail file title changes to reflect the new name. If the Web user is the chair person of any future meetings, the name is changed in those appointment documents.

Rename Web user in Reader / Author Fields
Triggered by: Completion of the "Rename Web user in Person documents" request on the administration server for the Domino Directory.
Carried out on: Each server in the domain.
Carried out: According to the "Delayed Request" setting for the Administration Process in the Server document.
Result: Each server in the domain updates the Web user's name in Reader/Author fields of databases for which it is an administration server and that have the advanced ACL option "Modify all Reader/Author fields" selected.

Monitor server's SSL status in Domino Directory
Triggered by: Successful completion of the "Enable server's SSL ports in Domino Directory" request.
Carried out on: Server being registered.
Carried out: Immediately.
Result: Monitors for the change in port status being added to the Domino Directory and then restarts the ports.

Carried out: According to the "Interval" setting in the Administration Process section of the Server document.
Result: Creates a new User License document in the UserLicenses database (USERLICENSES.NSF) for each unique (new) user reported in the administration request. Documents are updated with the new time and date for those users who already have a document in the User Licenses database.

Update Roaming User information in Person record
Triggered by: The selected user logging into Notes after the administrator has initiated the action to update the user's status to Roaming and the "User can roam" field on the Roaming tab of the user's Person document has been changed from "No" to "In Process."
Carried out on: The administration server for the Domino Directory.
Carried out: Immediately.
Result: Updates the Personal Address Book field, Bookmarks filename, and Journal filename fields on the user's Person document in the Domino Directory. Generates the "Monitor roaming user's replica stubs" request.

Monitor roaming user's replica stubs
Triggered by: Successful completion of the "Update roaming user information in Person record" request.
Carried out on: The user's roaming server.
Carried out: Immediately.
Result: Recognizes when replication occurs, and then generates the "Update roaming user state in Person document" request.

Update roaming user state in Person document
Triggered by: Successful completion of the "Monitor roaming user's replica stub" request. Successful replication of the roaming files to the roaming server.
Carried out on: The administration server of the Domino Directory.
Carried out: Immediately.
Result: The "User can roam" field on the Roaming tab of the user's Person document is updated from "In Progress" to "Yes."

[Flowchart: decision "Server updates its ID before change request expires?" (Yes / No); Rename Server in Address Book (1 Hour); End]

Initiate rename in Domino Directory
Triggered by: Performing an upgrade server to hierarchical in the Domino Directory.
Carried out on: The administration server for the Domino Administrator.
Carried out: According to the "Interval" setting for the Administration Process in the Server document.
Result: A new certified public key is assigned to the server and the Certified Public Key field in the Server document is updated.

Rename server in Domino Directory
Triggered by: The server polls its server document data looking for its new public key. The "Rename server in Domino Directory" administration request is triggered by the server recognizing that its name has changed.
Carried out on: The administration server for the Domino Directory.
Carried out: According to the "Interval" setting for the Administration Process in the Server document.
Result: Updates the server's name in the Domino Directory. Posts a "Rename in Access Control List" request and a "Rename in Person documents" request.

Rename in Access Control List
Triggered by: Completion of the "Rename server in Domino Directory" request.
Carried out on: All servers with databases that have been assigned administration servers.
Carried out: According to the "Interval" setting for the Administration Process in the Server document.
Result: Updates the ACLs with the new server name.

Rename in Person documents
Triggered by: Completion of the "Rename server in Domino Directory" request.
Carried out on: The administration server for the Domino Directory.
Carried out: According to the "Execute once a day requests at" setting for the Administration Process in the Server document.
Result: Updates the Person documents and posts a "Rename in Reader/Author fields" request.

Rename in Reader / Author fields
Triggered by: Completion of the "Rename in Person documents" request.
Carried out on: All servers.
Carried out: According to the "Start executing on" and "Start executing at" settings for the Administration Process in the Server document.
Result: The Reader/Author fields are updated.

Delete obsolete change requests
Requests are carried out only if change requests have expired according to the Name_Change_Expiration_Days setting in the NOTES.INI file.
Triggered by: Expiration of the period in which other servers in the domain can recognize both the old name and the new name of the server. The default is 21 days, but the administrator can set the Name_Change_Expiration_Days variable in the NOTES.INI file to a value between 7 and 60.
Carried out on: The administration server for the Domino Directory.
Carried out: According to the "Execute once a day requests at" setting for the Administration Process in the Server document.
Result: The Change Request is deleted.

Timing for upgrading server to hierarchical
Request: Timing
Initiate Rename in Domino Directory: Interval
Rename Server in Domino Directory: Interval
Rename in Access Control List: Interval
Rename in Person Documents: Execute once a day requests at
Rename in Reader/Author Fields: Start executing on / Start executing at
Delete Obsolete Change Requests: Execute once a day requests at

Delete person - outbound (source) domain
These requests are generated on the outbound domain when the user name on the outbound domain is a flat name and you have specified a non-immediate deletion.

Delete person in Domino Directory
Triggered by: Choosing Actions - Delete Person in the Domino Directory (or clicking Delete Person) and choosing to delay deletion of the name from the Domino Directory. You can also trigger this action by choosing Delete Person when viewing a Person document with the Web Administrator.
Carried out on: The administration server for the Domino Directory.
Carried out: According to the "Interval" setting for the Administration Process in the Server document.
Result: The Administration Process removes the name from the Domino Directory, except from other people's Person documents, and posts the "Delete in Person documents" request. If you have created a termination group and set up the administration process to add deleted users to that group, the name is added to the Terminations group. Mails the "Delete person in Domino Directory" administration request to the inbound domain.

Delete in Person documents
Triggered by: Completion of a "Delete person in Domino Directory" request.
Carried out on: The administration server for the Domino Directory.
Carried out: According to the "Execute once a day requests at" setting for the Administration Process in the Server document.
Result: The Administration Process removes the name from other people's Person documents in the Domino Directory.

Delete in Access Control Lists
Triggered by: Choosing to immediately delete all occurrences of the name from the Domino Directory when initiating the Delete action or the completion of a "Delete in Domino Directory" request (if you chose to delay deletion of the name from the Domino Directory).
Carried out on: Each server in the domain.
Carried out: According to the "Interval" setting for the Administration Process in the Server document.
Result: Each server in the domain deletes the name from the ACLs of databases for which it is an administration server.

Get file information for delete (only if deleting the mail file)
Triggered by: Completion of the "Delete in Access Control List" request on the administration server for the Domino Directory (if you chose to immediately delete all occurrences of the name) or completion of the "Delete in Domino Directory" request (if you chose to delay deleting the name from the Domino Directory). You must also have specified to delete the mail file in which you chose to delete the person.
Carried out on: The deleted person's home server.
Carried out: Immediately.
Result: The person's home server creates an "Approve file deletion" request which provides information about the mail file. This appears in the Pending Administrator Approval view of the Administration Requests database.

Approve file deletion (only if deleting the mail file)
Triggered by: Completion of the "Get file information for delete" request.
Carried out on: The server on which you approve the request.
Carried out: When you manually approve or reject the request.
Result: If you approve the request, the Administration Process creates a "Request file deletion" request.

Request file deletion (only if deleting the mail file)
Triggered by: Approving the "Approve file deletion" request.
Carried out on: The administration server for the Domino Directory.
Carried out: Immediately.
Result: Posts a "Delete mail file" request.

Delete in Reader / Author fields
Triggered by: Completion of a "Delete in Access Control List" request on the administration server for the Domino Directory (if you chose to immediately delete occurrences of the name from the Domino Directory) or completion of a "Delete in Person documents" request (if you chose to delay deletion of the name from the Domino Directory).
Carried out on: Each server in the domain.
Carried out: According to the "Delayed Request" settings for the Administration Process in the Server document.
Result: Each server in the domain deletes the name from Reader/Author fields of databases for which it is an administration server and that have the advanced ACL option "Modify all Reader/Author fields" selected. The server scans the databases for shared agents signed by the deleted person and for Private Design Elements (folders, views, agents) signed by the deleted person. Shared agents found are reported in the request's Response document. If Private Design Elements are found, an "Approve deletion of Private Design Elements" administration request is posted.

Delete mail file (only if deleting the mail file)
Triggered by: Completion of a "Request file deletion" request.
Carried out on: The deleted person's home server.
Carried out: According to the "Interval" setting for the Administration Process in the Server document.
Result: The Administration Process verifies that the administrator who approved the deletion has at least Author with Delete documents access to the Domino Directory. Then, if the mail file doesn't use shared mail, the Administration Process deletes the file. If the file does use shared mail, then the Administration Process purges the links to the shared mail database, disables replication, and creates a "Delete unlinked mail file" request.

Delete unlinked mail file
Triggered by: Completion of a "Delete mail file" request for a mail file that uses shared mail.
Carried out on: The deleted person's home server.
Carried out: According to the "Interval between purging mail file and deleting when using object store" setting for the Administration Process in the Server document.
Result: The Administration Process deletes the mail file after waiting a period of time. This delay provides time for the Object Collect task to purge any obsolete messages.

Approve deletion of Private Design Elements
Triggered by: Completion of a "Delete in Readers/Authors field" request and locating Private Design Elements signed by the deleted person in databases on that server.
Carried out on: Any server in the domain.
Carried out: According to the administrator's discretion.
Result: The deletion is approved and the "Request to delete Private Design Elements" administration request is posted.

Request to delete Private Design Elements
Triggered by: The administrator's approval of the "Approve deletion of Private Design Elements" administration request.
Carried out on: The administration server for the Domino Directory.
Carried out: Immediately.
Result: Posts the "Delete Private Design Elements" administration request.

Delete Private Design Elements
Triggered by: Completion of the "Request to delete Private Design Elements" administration request.
Carried out on: The server containing the database with the Private Design Elements.
Carried out: According to the "Interval" setting in the Administration Process section of the Server document.
Result: Private Design Elements signed by the deleted person are removed from the databases.

Note: If the person requesting the delete action chose to delete all replicas of a mail file, then a "Get File Information for deletion" request is created and processed by all servers in the domain. This request is posted after completion of the "Delete mail file" request or the "Delete unlinked mail file" request. For each replica of the mail file found on servers in the domain, the "Approve file deletion," "Request file deletion," and "Delete mail file" request sequence occurs again.

Delete person - inbound (destination) domain
These requests are generated on the inbound domain.

Delete person in Domino Directory
Triggered by: Receipt of a "Delete person in Domino Directory" administration request from the outbound domain.
Carried out on: The administration server for the Domino Directory.
Carried out: According to the "Interval" setting for the Administration Process in the Server document.
Result: Checks for the flat user name in the Domino Directory. If found, posts the "Approve delete person in Domino Directory" administration request. If not found, posts the "Delete in Access Control Lists" and the "Delete person in Person documents" administration requests.

Approve delete person in Domino Directory (only if a matching flat user name is found)
Triggered by: Completion of an inbound "Delete person in Domino Directory" request on a sent name.
Carried out on: Any server on which you approve the request.
Carried out: According to the administrator's discretion.
Result: Posts a "Delete person in Domino Directory" administration request.

Delete person in Domino Directory (only if a matching flat user name is found)
Triggered by: Administrator approving the "Approve delete person in Domino Directory" administration request.
Carried out on: The administration server for the Domino Directory.
Carried out: According to the "Interval" setting in the Administration Process section of the Server document.
Result: The Administration Process removes the name from the Domino Directory, except from other people's Person documents, and posts the "Delete in Person documents" request. If you have created a termination group and set up the administration process to add deleted users to that group, the name is added to the Terminations group.

Delete person in Person documents
Triggered by: Completion of a "Delete person in Domino Directory" request.
Carried out on: The administration server for the Domino Directory.
Carried out: According to the "Execute once a day requests at" setting for the Administration Process in the Server document.
Result: The Administration Process removes the name from other people's Person documents in the Domino Directory.

Delete in Access Control Lists
Triggered by: Completion of the "Delete person in Domino Directory" request.
Carried out on: Each server in the domain.
Carried out: According to the "Interval" setting for the Administration Process in the Server document.
Result: Each server in the domain deletes the name from the ACLs of databases for which it is an administration server.

Delete in Reader / Author fields
Triggered by: Completion of a "Delete in Access Control List" request on the administration server for the Domino Directory.
Carried out on: Each server in the domain.
Carried out: According to the "Delayed Request" settings for the Administration Process in the Server document.
Result: Each server in the domain deletes the name from Reader/Author fields of databases for which it is an administration server and that have the advanced ACL option "Modify all Reader/Author fields" selected. The server scans the databases for shared agents signed by the deleted person and for Private Design Elements (folders, views, agents) signed by the deleted person. Shared agents found are reported in the request's Response document. If Private Design Elements are found, an "Approve deletion of Private Design Elements" administration request is posted.

Approve Deletion of Private Design Elements
Triggered by: Completion of a "Delete in Readers/Authors field" request and locating Private Design Elements signed by the deleted person in databases on that server.
Carried out on: Any server in the domain.
Carried out: According to the administrator's discretion.
Result: The deletion is approved and the "Request to delete Private Design Elements" administration request is posted.

Request to Delete Private Design Elements
Triggered by: The administrator's approval of the "Approve deletion of Private Design Elements" administration request.
Carried out on: The administration server for the Domino Directory.
Carried out: Immediately.
Result: Posts the "Delete Private Design Elements" administration request.

Delete Private Design Elements
Triggered by: Completion of the "Request to delete Private Design Elements" administration request.
Carried out on: The server containing the database with the Private Design Elements.
Carried out: According to the "Interval" setting in the Administration Process section of the Server document.
Result: Private Design Elements signed by the deleted person are removed from the databases.

Create Replica
Create replica - outbound (source) domain
The following request is generated on the outbound domain.

Check access for new replica creation
Triggered by: Initiating the Create Replica command from the Domino Administrator.
Carried out on: The server on which you initiate the action.
Carried out: Immediately.
Result: Checks for the appropriate Cross-domain Request Configuration documents and Connection documents. Sends the "Create Replica" administration request to the destination domain.

Create replica - inbound (destination) domain
The following request is generated on the inbound domain.
Triggered by: Receipt of the "Create replica" administration request from the source domain.
Carried out on: The server designated as the destination server in the Cross-domain Request Configuration document.
Carried out: Immediately.
Result: Creates the replica on the designated server.

Delete person - cross domain administration request
If you select Immediate processing, the outbound domain has the following subset of requests:
Delete in Access Control List
Get File Information for deletion
Approve file deletion
Delete in Reader/Author fields
Request File deletion
Delete mail file
Approve deletion of Private Design Elements
Request to delete Private Design Elements
Delete Private Design Elements

If you select Immediate processing, the inbound domain has the following subset of requests:
The same as non-immediate requests

Result: Posts a Delete in Person document request and a Delete in Access Control List request on the outbound server. It recognizes the cross domain configuration documents, checks for the approved signers, and then finding them, mails the request to the inbound domain. Delete in Person documents Triggered by: Completion of the Delete server in Domino Directory administration request. Carried out on: The administration server for the Domino Directory. Carried out: According to the Execute once a day requests at setting for the Administration Process in the Server document. Result: Posts a Delete in Readers/Authors Fields request. Removes references to the server from the Person document(s). Delete in Reader / Author Fields Triggered by: Completion of the Delete in Person documents request. Carried out on: All servers in the domain. Carried out: According to the Delayed Request setting in the Administration Process section of the Server document. Result: The server name is deleted from database documents where the Delete in Reader/Author fields check box is selected for the database. Delete in Access Control List Triggered by: Completion of the Delete server in Domino Directory administration request. Carried out on: All servers. Carried out: According to the Interval setting in the Administration Process section of the Server document. Result: The server name is removed from the ACLs in any database that has an administration server assigned to it. Delete server - inbound (destination) domain These administration requests are generated on the inbound domain. Delete server in Domino Directory Triggered by: Successful completion of the Delete server in Domino Directory request on the outbound (source) domain. Carried out on: The administration server on the inbound domain.
Carried out: According to the Interval setting in the Administration Process section of the Server document.
Result: Determines whether the server name is flat. If so, posts the Approve delete server in Domino Directory request.

Approve delete server in Domino Directory (if flat server name is found)
Triggered by: Processing of the Delete server in Domino Directory command and recognition of a flat server.
Carried out on: Any server on which the administrator approves the request.
Carried out: According to the administrator's approval.
Result: Posts a Delete server in Domino Directory request on the destination server.

Delete server in Domino Directory (if flat server name is found)
Triggered by: Approval of the Approve delete server in Domino Directory administration request.
Carried out on: The administration server for the Domino Directory.
Carried out: According to the Interval setting in the Administration Process section of the Server document.
Result: Posts Delete in Access Control List and Delete in Person documents administration requests on the destination server.

Delete server in Person documents
Triggered by: Successful completion of the Delete server in Domino Directory administration request.
Carried out on: The administration server for the Domino Directory.
Carried out: According to the "Execute once a day requests at" setting for the Administration Process in the Server document.
Result: Posts a Delete in Reader/Author Fields administration request. Deletes all references to the server name in Person documents.

Delete in Access Control Lists
Triggered by: Successful completion of the Delete server in Domino Directory administration request.
Carried out on: All servers.
Carried out: According to the Interval setting in the Administration Process section of the Server document.
Result: The server name is removed from the ACLs in any database that has an administration server assigned to it.
F-80 Administering the Domino System, Volume 2
Delete in Reader and Author Fields
Triggered by: Successful completion of the Delete in Person documents administration request.
Carried out on: All servers in the domain.
Carried out: According to the Delayed Request setting in the Administration Process section of the Server document.
Result: Deletes the server name from database documents where the delete in Reader/Author fields check box is selected for the database.
If you select Immediate processing, the inbound domain has the following subset of requests:
Delete server in Domino Directory
Approve delete server in Domino Directory (if a flat server name is found)
Delete server in Domino Directory
Delete in Access Control List
Delete in Reader/Author Fields
For details on the above processes, see the processes documented above.
Carried out: According to the Interval setting in the Administration Process section of the Server document.
Result: Posts a Delete in Person document request and a Delete in Access Control List request on the outbound server.

Delete in Person documents
Triggered by: Completion of the Delete server in Domino Directory administration request.
Carried out on: The administration server for the Domino Directory.
Carried out: According to the "Execute once a day requests at" setting for the Administration Process in the Server document.
Result: Posts a Delete in Readers and Authors Fields request. Removes references to the server from the Person document(s).

Delete in Access Control List
Triggered by: Completion of the Delete server in Domino Directory administration request.
Carried out on: All servers in the domain.
Carried out: According to the Interval setting in the Administration Process section of the Server document.
Result: The server name is removed from the ACLs in any database that has an administration server assigned to it.

Delete in Reader / Author fields
Triggered by: Successful completion of the Delete server in Domino Directory administration request.
Carried out on: All servers in the domain.
Carried out: The time each server is set up to run that request.
Result: Deletes the server name from database documents where the delete in Reader/Author fields check box is selected for the database.

Delete server - inbound (destination) domain
These requests are generated on the inbound domain.

Delete server in Domino Directory
Triggered by: Receipt of the Delete server in Domino Directory request from the outbound domain.
Carried out on: The administration server for the Domino Directory.
Carried out: According to the Interval setting in the Administration Process section of the Server document.
Result: Posts Delete in Access Control List and Delete in Person documents administration requests on the destination server.

Delete in Access Control List
Triggered by: Completion of the Delete server in Domino Directory administration request.
Carried out on: All servers in the domain.
Carried out: According to the Interval setting in the Administration Process section of the Server document.
Result: The server name is removed from the ACLs in any database that has an administration server assigned to it.

Delete in Person documents
Triggered by: Completion of the Delete server in Domino Directory administration request.
Carried out on: The administration server for the Domino Directory.
Carried out: According to the "Execute once a day requests at" setting for the Administration Process in the Server document.
Result: Posts a Delete in Readers/Authors Fields request. Removes references to the server from the Person document(s).

Delete in Reader / Author fields
Triggered by: Successful completion of the Delete server in Domino Directory administration request.
Carried out on: All servers in the domain.
Carried out: The time each server is set up to run that request.
Result: Deletes the server name from database documents where the delete in Reader/Author fields check box is selected for the database.
Rename in Access Control List
Triggered by: Completion of the Rename person in Domino Directory request.
Carried out on: Each server in the domain.
Carried out: According to the Interval setting for the Administration Process in the Server document.
Result: Each server in the domain updates the person's name in ACLs of databases for which it is an administration server.

Rename in Free Time database
Triggered by: Completion of the Rename person in Domino Directory request.
Carried out on: The person's home server.
Carried out: Immediately
Result: The person's name is changed in the Calendaring and Scheduling Free Time Database. Posts the Rename in Calendar entries and Profile administration request.

Rename in unread list
Triggered by: Completion of the Initiate rename in Domino Directory request.
Carried out on: Every server in the domain.
Carried out: According to the "Execute once a day requests at" setting for the Administration Process in the Domino Directory.
Result: If an Unread List is located for the old name, the Unread List is then stored with the person's new name.

Rename person in calendar entries and profiles in mail file
Triggered by: Completion of the Rename person in Free Time Database request.
Carried out on: The person's home server.
Carried out: Immediately
Result: The person's name is changed in their mail file's Calendar Profile and appointment documents. If the person's common name was changed and the common name is in the title of the mail file, the mail file title changes to reflect the new name. If the person is the chairperson of any future meetings, the name is changed in those appointment documents.
Rename in Reader / Author fields
Triggered by: Completion of the Rename in Person documents request on the administration server for the Domino Directory.
Carried out on: Each server in the domain.
Carried out: According to the Delayed Request setting for the Administration Process in the Server document.
Result: Each server in the domain updates the person's name in Reader/Author fields of databases for which it is an administration server and that have the advanced ACL option "modify all Reader/Author fields" selected.

Rename person - Inbound (destination) domain
The following requests are generated on the inbound domain.

Rename person in Domino Directory
Triggered by: Receipt of the request from the outbound domain.
Carried out on: The administration server for the Domino Directory.
Carried out: According to the Interval setting for the Administration Process in the Server document.
Result: Updates the person's name in the Domino Directory except in Person documents. Posts a Rename in Person document request.

Rename in Person documents
Triggered by: Completion of the Rename person in Domino Directory request.
Carried out on: The administration server for the Domino Directory.
Carried out: According to the "Execute once a day requests at" setting for the Administration Process in the Server document.
Result: Updates the name in Domino Directory Person documents.

Rename in Access Control List
Triggered by: Completion of the Rename person in Domino Directory request.
Carried out on: Each server in the domain.
Carried out: According to the Interval setting for the Administration Process in the Server document.
Result: Each server in the domain updates the person's name in ACLs of databases for which it is an administration server.
Rename in unread lists
Triggered by: Completion of the Rename person in Domino Directory request.
Carried out on: Every server in the domain.
Carried out: According to the "Execute once a day requests at" setting in the Administration Process section of the Server document.
Result: If an Unread List for the old name is found in the database, a copy of the Unread List is stored with the new name. Each server in the domain examines every database on the server and updates the person's name in any unread lists.

Rename in Reader/Author fields
Triggered by: Completion of the Rename in Person documents request on the administration server for the Domino Directory.
Carried out on: Each server in the domain.
Carried out: According to the Delayed Request setting for the Administration Process in the Server document.
Result: Each server in the domain updates the person's name in Reader/Author fields of databases for which it is an administration server and that have the advanced ACL option "Modify all Reader/Author fields" selected.
Rename server in Domino Directory
Triggered by: The server polls its server document data looking for its new public key. The Rename server in Domino Directory administration request is triggered by the server recognizing that its name has changed.
Carried out on: The administration server for the Domino Directory.
Carried out: According to the Interval setting for the Administration Process in the Server document.
Result: Updates the server's name in the Domino Directory. Posts a Rename in Access Control List request and a Rename in Person documents request. Mails the request to the inbound domain.

Rename in Access Control List
Triggered by: Completion of the Rename server in Domino Directory request.
Carried out on: All servers with databases that have been assigned administration servers.
Carried out: According to the Interval setting for the Administration Process in the Server document.
Result: Each server in the domain updates the person's name in ACLs of databases for which it is an administration server.

Rename in Person documents
Triggered by: Completion of the Rename server in Domino Directory request.
Carried out on: The administration server for the Domino Directory.
Carried out: According to the "Execute once a day request at" setting for the Administration Process in the Server document.
Result: Updates the Person documents and posts a Rename in Reader/Author fields request.

Rename in Reader / Author fields
Triggered by: Completion of the Rename in Person documents request.
Carried out on: All servers.
Carried out: According to the "Start executing on" and "Start executing at" settings for the Administration Process in the Server document.
Result: The Reader/Author fields are updated.
Rename server - inbound (destination) domain
The following requests are generated on the inbound domain.

Rename server in Domino Directory
Triggered by: Receipt of the request from the outbound domain.
Carried out on: The administration server for the Domino Directory.
Carried out: According to the interval setting in the Administration Process section of the Server document.
Result: If a matching flat server name is located, posts the Approve Rename in Domino Directory administration request.

Approve Rename in Domino Directory (if flat server name is found)
Triggered by: Processing of the Rename server in Domino Directory request and recognition of a flat server.
Carried out on: Any server on which you approve or reject the request.
Carried out: According to the administrator's discretion.
Result: Posts the Rename in Domino Directory administration request.

Rename server in Domino Directory (if flat server name is found)
Triggered by: Administrator's approval of the Approve Rename in Domino Directory administration request.
Carried out on: The administration server for the Domino Directory.
Carried out: According to the Interval setting for the Administration Process in the Server document.
Result: Updates the server's name in the Domino Directory. Posts a Rename in Access Control List request and a Rename in Person documents request.

Rename in Access Control List
Triggered by: Completion of the Rename server in Domino Directory request.
Carried out on: All servers with databases that have been assigned administration servers.
Carried out: According to the Interval setting for the Administration Process in the Server document.
Result: Each server in the domain updates the person's name in ACLs of databases for which it is an administration server.
Rename in Person documents
Triggered by: Completion of the Rename server in Domino Directory request.
Carried out on: The administration server for the Domino Directory.
Carried out: According to the "Execute once a day request at" setting for the Administration Process in the Server document.
Result: Updates the Person documents and posts a Rename in Reader/Author fields request.

Rename in Reader / Author fields
Triggered by: Completion of the Rename in Person documents request.
Carried out on: All servers.
Carried out: According to the "Start executing on" and "Start executing at" settings for the Administration Process in the Server document.
Result: The Reader/Author fields are updated.
Administration Process generates a Create replica request in the Administration Requests database of the source server. For more information on the Check access for new replica creation request, see Create Replica - Cross domain administration request in this appendix.
Result: The Administration Process on the source server checks that the user submitting the request is the Manager of the Domino Directory and that the destination server has Reader access in the ACL of the database. Posts a Non-cluster Move Replica request. For more information on the Check access for non-cluster move replica request, see Move database from a non-cluster server in this appendix.
Network Address
IPX address: network address: node address: socket number; for example, IPX: 030000508: 00805F685BDA: 506f

Status
UNINITIALIZED or INITIALIZED. If UNINITIALIZED, the Domino server has not updated this object with its network address. If INITIALIZED, the Domino server has updated the object. However, if you are using Windows, the status attribute shows UNINITIALIZED.

Version
Domino build number; for example, 143

Description
Optional comments about the object; for example, the administrator's name and location
Domino supplies a snap-in (NDSNOTES.DLL) to the NetWare Administrator that allows Domino servers to be administered using one standard tool. You must configure NetWare Administrator before you can use the snap-in. Using NetWare Administrator, you can access menus to determine the actions that can be performed on the Domino server NDS object. Using the snap-in, the Domino server becomes an object class. The Domino server NDS object class and servers are represented by the Domino icon.
Lotus NDS Manager
For administration on Windows clients, Domino provides Lotus NDS Manager (NDSMGR.EXE), which is located in the Domino program directory and uses DLLs also found in the Domino program directory. The following table describes the commands to use with Lotus NDS Manager.

Task: Command
Create the Domino server NDS class: -c
Remove the Domino server NDS class: -r
Add a Domino server to the tree: -a
For example, this command adds the Domino server Burke to the tree: -a cn=Burke.o=Acme
Delete a Domino server from the tree: -d
For example, this command deletes the Domino server Burke from the tree: -d cn=Burke.o=Acme
Read a Domino server's object attributes: -s
On a Windows 95, 98, or XP workstation
1. Copy the NDSNOTES.DLL to the directory where NetWare Administrator resides on the Novell server.
2. From the Start menu on the workstation, choose Run and enter REGEDIT.EXE.
3. Click HKEY_CURRENT_USERS - Software - NetWare - Parameters NetWare Administrator - SNAPIN OBJECTs DLL WIN95 or SNAPIN OBJECTs DLL WIN98.
4. From the Edit menu, choose Edit, and then select Value.
5. Type NDSNOTES.DLL in the New Value #1 box (renaming this to NDSNOTES.DLL).
6. Click the new entry NDSNOTES.DLL and enter NDSNOTES.DLL in the Value Data box.
7. Verify NDSNOTES.DLL. NDSNOTES.DLL is added to the list of objects.
8. Reload NWADMN95.EXE.
9. To check that the NDSNOTES.DLL has been properly installed, in NetWare Administrator, choose Object - Create. The Domino server class object should be included in the list.
Delete Domino server NDS object class Choose Tools - Define Notes Class. Add a Domino server NDS object class Choose Object - Create. Select Domino server object. Enter the Domino server name. Delete a Domino server NDS object Read a Domino server NDS objects attributes View a Domino server NDS objects attributes Select the Domino server. Choose Object - Delete. Select the Domino server. Double-click the Domino server NDS object.
Configuring NDS for a Domino server
1. Install a NetWare-compatible client that supports NDS and IPX/SPX.
2. Make sure the user log-in object has trustee rights to the directory tree that include browse, create, compare, read, and write.
3. Log into the NDS tree.
4. For each NDS tree, do one of the following to create a Domino server NDS object class and add the class to the NDS schema:
If you are using NetWare Administrator, choose Tools - Define Notes Class.
If you are using NDSMgr, enter this command:
ndsmgr -c Notes
5. To add each Domino server NDS object to the NDS tree, do the following:
If you are using NetWare Administrator, choose Object - Create Notes Server Object and enter the Domino server name. You can add information to the description if necessary.
If you are using NDSMgr, enter this command:
ndsmgr -a cn=server_name.o=preferred_tree
Where server_name is the NDS name of the Domino server and preferred_tree is the Preferred Tree name.
6. If you want the Domino server to log into NDS automatically when the server starts, create user log-in objects for the Domino server and make sure each user log-in object has trustee rights that include browse, create, compare, read, and write access to the NDS directory tree.

Configuring a Domino server to use NDS
1. Specify a preferred tree and default context. If you are using OS/2 Advanced Warp Server, specify these settings in the NET.CFG file. If you are using Windows NT, specify these settings in the control panel.
2. If you want the Domino server to log in to NDS automatically, edit the NOTES.INI file to include these settings:
NWNDSUSERID=cn=server_name.o=tree_name
Where server_name is the NDS name of the Domino server and tree_name is the name of the tree.
NWNDSPASSWORD=NDS_Service_Password
Where NDS_Service_Password is the password the Domino server uses to log into NDS.
3. If you have not enabled the SPX port, start the Notes workstation and choose File - Preferences - User Preferences - Ports. Select SPX and select Port Enable. Domino automatically enables NDS and Bindery Services.
4. If you use only NDS on all Domino servers in your organization, click SPX Options, select Advanced configuration, and then select NetWare Directory Services (NDS) to disable Bindery Services lookup within Domino.
5. Open the Server document for this server in the Domino Directory and add the NDS server name to the Network Address field on the Ports tab. Include the Domino server's NDS distinguished name.
6. Exit the Notes workstation.
Keyboard shortcuts
The keyboard shortcuts in this section are based on U.S. standard keyboards. If you are using a screen reader, you may want to maximize your window so the tables of shortcuts are completely expanded and accessible.
Press: To do this
ALT+F7, then ARROW keys, then ENTER: Move position of active window
ALT+F8, then ARROW keys, then ENTER: Change size of active window
ALT+F9: Minimize active window
ALT+F10: Maximize active windows
ALT+underlined letter for menu item: Access menu item
ALT+underlined letter for menu item, or ARROW keys: Move to next menu item
ALT+W, then number (extended accelerators in User Preferences must be enabled): Open window tab on task bar
CTRL+BREAK: Stop operation in progress
CTRL+L, type URL, then ENTER: Go to a Web page
CTRL+Q or ALT+F4: Exit Domino Administrator
CTRL+TAB: Move to next window tab
ESC or CTRL+W: Close active window
F1: Get Help on current feature
F5: Lock User ID
F6: Move to next pane or frame
F10 or ALT: Access menu bar
SHIFT+ALT+S: Open search menu
SHIFT+CTRL+TAB: Move to previous window tab
SHIFT+CTRL, then UP ARROW or DOWN ARROW: Select multiple bookmarks or bookmark folders
SHIFT+DOWN ARROW: Select additional items below an already selected item
SHIFT+F6: Move to previous pane or frame
SHIFT+F10: Access Windows context menus
SHIFT+UP ARROW: Select additional items above an already selected item
Press: To do this
ENTER: Activate default or selected item(s) in properties box
ENTER: Close Color box in Font tab and activate selection
ESC: Close Color box in Font tab without activating selection
F1: Get Help on current properties box
SHIFT+CTRL+END: Move to first properties box in list
SHIFT+CTRL+HOME: Move to last properties box in list
SHIFT+CTRL+PAGE DOWN: Move to next properties box in list
SHIFT+CTRL+PAGE UP: Move to previous properties box in list
SHIFT+TAB: Move to previous option or set of options in properties box
TAB: Move to next option or set of options in properties box
UP ARROW or LEFT ARROW: Select previous item in a list or set of options in properties box
Press: To do this
ESC: Move to previous linked document
F4 or TAB: Move to next unread document
LEFT ARROW: Move to previous link or object
RIGHT ARROW: Move to next link or object
SPACEBAR: Activate selected object
SPACEBAR: Expand or collapse selected section
SPACEBAR: Open selected link to document, view, or database
To do this Indent first line in paragraph Indent entire paragraph Refresh current document (in Edit mode), view, or workspace Cycle through paragraph styles from Paragraph Styles tab in Text Properties box Insert page break Reduce selected text to next available point size Outdent first line in a paragraph Outdent entire paragraph
Server.Load commands
Server.Load scripts consist of statements in a simple command language, the Server.Load specification language. Each command simulates an aspect of the Notes client functionality. You can build a script containing a series of these commands to perform a complex task, such as reading and deleting mail.
*Ensure that the current database contains a defined number of documents (NumMailNotesPerUser) to use in the test.
populate [NumMailNotesPerUser] $Inbox
@Else command
Use with the @If command in a Server.Load script. Example
@If[DeleteEntry] delete 1 @Else add 1 @EndIf
@EndIf command
Use with the @If command in a Server.Load script. Example
@If[DeleteEntry] delete 1 @Else add 1 @EndIf
@If command
Used in a Server.Load script to execute [Commands] if [Value] is non-zero. @If is used to execute multiple commands or to use an @Else condition.
Syntax
@If [Value] [Commands] [@Else [Commands]] @EndIf
Example This example executes the Delete command, only if [DeleteDoc] is defined in the NOTES.INI file and is non-zero; otherwise, the Add command is executed:
@If [DeleteDoc] Delete 1 @Else Add 1 @EndIf
Add command
Use in a Server.Load script to create new documents in a database according to the value of a. Each new document consists of: an author field with the current user's name; a recipients field with the current user's name; the ordinal number of the document as a summary item; the subject (summary) text item; the optional attachment item; and the body (non-summary) text item. If no number is specified, one note is created. If b is not specified, the length of the summary data is a uniform random number between 1 and 100 bytes. If c is not specified, the length of the non-summary data is a uniform random number between 100 and 300 bytes.
Syntax
Add(a, b, c)
Where:
a Number of documents to be added
b Length of summary item\Subject\ (optional; default is \)
c Length of non-summary item \Subject\ (optional; default value is \)
Note The body (non-summary) value cannot exceed 65000 bytes.
Example 1 This example adds documents to the default view All Document $all.
changeto [mailserver]!!mail\mail[#].nsf mail60.ntf -keepopen add [a] drop
Note You need to add a value for the environment variable a in the NOTES.INI file, or you can code it into the script, as below:
changeto [mailserver]!!mail\mail[#].nsf mail60.ntf -keepopen
Example 2 This example adds documents to the Inbox folder using -f (foldername).
changeto [mailserver]!!mail\mail[#].nsf mail46.ntf -keepopen add [a] -f $Inbox drop
Example 3 This example adds 1 document to the Inbox view with the subject (Length of summary item) set to 30 bytes and the Body (Length of non-summary item) is set to 10000 bytes.
changeto [mailserver]!!mail\mail[#].nsf mail46.ntf -keepopen add 1 30 10000 -f $inbox drop
BeginCrit command
Use in a Server.Load script to mark the beginning of a script's critical region. A critical region is a series of lines in a script that can only be executed by one Server.Load simulated user (thread). The critical region is marked by the BeginCrit and EndCrit pair. There can be a maximum of 6 critical regions per script.
BeginLoop command
Use in a Server.Load script to mark the start of the loop and the point to which the Rewind statement returns control. A script can have one loop.
BeginLoop2 command
Use in a Server.Load script to mark the start of the loop and the point to which the Rewind2 statement returns control.
Break command
Use in a Server.Load script to allow the user to set program control after an error.
Syntax
Break [x]
Where x is:
1 To terminate program upon error
0 To move on to next line upon error
The default is Break 1.
Cal command
Use in a Server.Load script to schedule an appointment or invitation.
Syntax
Appointment:
cal -a <db> <msgsz> <dur> <startrng> <endrng> <nthiter>
Invitation:
cal -i <db> <msgsz> <dur> <startrng> <endrng> <numrecip> <nthiter>
Where:
<dur> Duration, in minutes
<startrng> Lower bound for the number of days ahead to schedule
<endrng> Upper bound for the number of days ahead to schedule
<numrecip> Number of recipients
<nthiter> Nth iteration of the script
ChangeTo command
Use in a Server.Load script to set the current database for the test. Provide the full file name of the database (use server!!file if a remote database), or specify the keyword MAIL to open the mail database. The following statements operate on the specified database. If the database doesn't exist, a new database is created using template [database template name]. If the keepopen option is specified (which is the string -keepopen), the database is not closed and reopened if it is already open.
Syntax
ChangeTo [database name] [database template name] [-keepopen]
Where:
[database name] Full file name of the database
[database template name] File name of the template database
[-keepopen] Keeps the database open
Example 1 Using changeto to create a local database.
* Create local file using the journal template (journal.ntf)
* NOTES.INI contains setting templateversion=4
changeto journal.nsf journal[templateversion].ntf -KeepOpen pause 5000
Example 2 Using changeto to create multiple databases on a server. In this example the thread number is substituted in for the [#] symbol.
* Create one or more databases on Mailserver using (journal.ntf)
* NOTES.INI contains setting templateversion=4
* Creation of multiple databases, based on the number of threads
* All test databases will be placed in the journal directory
changeto [MailServer]!!journals\journal[#].nsf journal[templateversion].ntf -KeepOpen pause 5000
Example 3 Create and initialize mail file(s)
Note Uses Script Variable [NumMailNotesPerUser]
* Script to create and initialize mail file(s)
changeto [MailServer]!!mail\mail[#].nsf mail60.ntf
Close command
Use in a Server.Load script to close the current view. The view is opened with the Open command.
Console command
Use in a Server.Load script to allow you to issue remote server console commands, similar to the Domino server console in the Domino Administrator console. You must have administration rights on the server you are attempting to issue commands to.
Syntax
Console [server] [command]
Where:
[server] The server at which to execute the console command
[command] The command executed to the server
Example This example uses the console command to issue a Show Stat command. The console command is analogous to remote console capability. In this example sh stat is issued. Any server command can be substituted.
DbDelete command
Use in a Server.Load script to delete a database (locally or on a server). If the database is on a server, you must have delete database access.
Syntax
DbDelete [dbname]
Delete command
Use in a Server.Load script to delete randomly selected notes from the current database. Using Delete without any arguments deletes only one document from the database. To determine how to set the current database, use the ChangeTo command.
Syntax
Delete [#]
Drop command
Use in a Server.Load script to drop all network connections on the specified port.
Syntax
Drop [hangup] [port]
Where:
[hangup] Causes the connection to be disconnected.
[port] The port to be disconnected.
Example 1 Disconnects the connection on the port specified.
changeto [MailServer]!!mail\mail[#].nsf mail46.ntf pause 1min drop hangup tcpip
EndCrit command
Use in a Server.Load script to indicate a critical region that can be executed by only one simulated user (thread). The critical region is marked by the BeginCrit and EndCrit pair. There can be a maximum of six critical regions per script.
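The limits and access requirements stated above (paired @If/@EndIf, at most six BeginCrit/EndCrit regions, one BeginLoop, the 65000-byte Add body limit, Break 0 or 1, and the rights needed by Console and DbDelete) can be checked before a script is run against a server. The following is an added example, not part of the Domino documentation or of Server.Load itself; it assumes one command per line with `*` comment lines, and the names `lint_script`, `Finding` and `SAMPLE_SCRIPT` are hypothetical.

```python
import re
from dataclasses import dataclass

MAX_CRITICAL_REGIONS = 6   # page: at most 6 BeginCrit/EndCrit regions per script
MAX_BODY_BYTES = 65000     # page: Add body (non-summary) cannot exceed 65000 bytes
PRIVILEGED = {             # commands the page says need specific rights
    "console": "remote console command; needs administration rights on the server",
    "dbdelete": "deletes a database; needs delete database access on the server",
}


@dataclass
class Finding:
    line: int
    severity: str  # "error" = breaks a documented rule, "review" = privileged action
    message: str


def _literal_int(token):
    """Return an int for a numeric literal, None for [variables] and other text."""
    return int(token) if token.isdecimal() else None


def lint_script(text):
    """Lint Server.Load script text (assumption: one command per line)."""
    findings = []
    if_stack = []     # [line, seen_else] for every open @If
    crit_stack = []   # line numbers of open BeginCrit markers
    crit_regions = 0
    loops = 0
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("*"):   # "*" starts a comment line
            continue
        m = re.match(r"(@?[A-Za-z]\w*)\s*(.*)", line)
        if not m:
            findings.append(Finding(n, "error", "unrecognised line"))
            continue
        cmd, args = m.group(1).lower(), m.group(2).split()
        if cmd == "@if":
            if not args:
                findings.append(Finding(n, "error", "@If without a [Value]"))
            if_stack.append([n, False])
        elif cmd == "@else":
            if not if_stack or if_stack[-1][1]:
                findings.append(Finding(n, "error", "@Else without a matching @If"))
            else:
                if_stack[-1][1] = True
        elif cmd == "@endif":
            if if_stack:
                if_stack.pop()
            else:
                findings.append(Finding(n, "error", "@EndIf without a matching @If"))
        elif cmd == "begincrit":
            crit_stack.append(n)
            crit_regions += 1
            if crit_regions == MAX_CRITICAL_REGIONS + 1:
                findings.append(Finding(n, "error", "more than 6 critical regions"))
        elif cmd == "endcrit":
            if crit_stack:
                crit_stack.pop()
            else:
                findings.append(Finding(n, "error", "EndCrit without BeginCrit"))
        elif cmd == "beginloop":
            loops += 1
            if loops > 1:
                findings.append(Finding(n, "error", "second BeginLoop in one script"))
        elif cmd == "add":
            positional = []            # a, b, c come before any -option
            for tok in args:
                if tok.startswith("-"):
                    break
                positional.append(tok)
            body = _literal_int(positional[2]) if len(positional) > 2 else None
            if body is not None and body > MAX_BODY_BYTES:
                findings.append(Finding(
                    n, "error", f"Add body length {body} exceeds {MAX_BODY_BYTES} bytes"))
        elif cmd == "break":
            if args and not args[0].startswith("[") and _literal_int(args[0]) not in (0, 1):
                findings.append(Finding(n, "error", "Break takes 0 or 1"))
        elif cmd in PRIVILEGED:
            findings.append(Finding(n, "review", f"{cmd}: {PRIVILEGED[cmd]}"))
    for n, _ in if_stack:
        findings.append(Finding(n, "error", "@If never closed by @EndIf"))
    for n in crit_stack:
        findings.append(Finding(n, "error", "BeginCrit never closed by EndCrit"))
    return sorted(findings, key=lambda f: f.line)


# Constructed sample script for the example; not taken from the Domino documentation.
SAMPLE_SCRIPT = r"""* constructed sample
changeto [MailServer]!!mail\mail[#].nsf mail60.ntf -keepopen
beginloop
@If [DeleteDoc]
delete 1
@Else
add 1 30 70000 -f $Inbox
@EndIf
console [MailServer] sh stat
begincrit
dbdelete scratch.nsf
break 2
"""

if __name__ == "__main__":
    for f in lint_script(SAMPLE_SCRIPT):
        print(f"line {f.line}: {f.severity}: {f.message}")
```

"review" findings are not rule violations; they mark the lines where the ID running the test needs administration or delete rights on the target server.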
Entries command
Used in a Server.Load script to simulate a user pressing PgUp and PgDn or pressing Up and Down arrows to traverse a view.
Syntax
Entries [start] [end] <navigation option>
Where:
[start] Starting index ordinal position (optional; default is 1)
[end] Number of index entries to be read (optional; default is All)
<navigation option> One of the navigation options, described in the Navigate command.
ErrorDelay command
Used in a Server.Load script to set a time delay after a nonfatal error occurs.
Syntax
ErrorDelay [delay]
FindByKey command
Used in a Server.Load script to enable you to search index entries by key.
Syntax
FindByKey "[KeyField]#searchstring"
Where:
key list List of keys separated by semicolons. Each key is in the <item>#<value> format, where <item> is the item name, and <value> is the value. The FindByKey key list argument is the Field Name of the column searched, and the value of the data as it appears in the column.
option list One or more of the following, each separated with a space:
NO_ACCENT Accent insensitive
NO_CASE Case insensitive
PARTIAL Partial compare
FIRST_EQUAL First equal entry
LAST_EQUAL Last equal entry
GREATER_THAN All entries greater than
LESS_THAN All entries less than
UPDATE_IF_NOT_FOUND Update if not found
Example Search a view containing a column referencing the field Status and search for those complete.
FindByKey "[Keyfield]#complete"
The NOTES.INI setting is Keyfield=Status. This also appears, and is set, on the Test Parameters tab.
FindByName command
Used in a Server.Load script to enable you to search index entries by name.
Syntax
FindByName [searchstring] <optionlist>
Where:
[searchstring] The search collection whose primary sort key matches the given null-terminated string
<optionlist> See the FindByKey command for <optionlist> choices.
GetAll command
Used in a Server.Load script to fetch the ID table of all Note IDs from the database. This command must be used before other commands (for example, Stamp) that operate on random documents in the database, because those commands pick random notes out of this table. If this command is not used, the master ID table will start from scratch.
Help command
Used in a Server.Load script to display help text. If [command] is specified, help text for the command is displayed.
Syntax
Help [command]
@If command
Used in a Server.Load script to execute [Commands] if [Value] is non-zero. @If is used to execute multiple commands or to use an @Else condition.
Syntax
@If [Value] [Commands] [@Else [Commands]] @EndIf
Example
This example executes the Delete command only if [DeleteDoc] is defined in the NOTES.INI file and is non-zero; otherwise, the Add command is executed:
@If [DeleteDoc]
Delete 1
@Else
add 1
@EndIf
ImailCheckForNewMail command
Used in a Server.Load script to purge deleted IMAP messages and check for new messages.
ImailCloseMailbox command
Used in a Server.Load script to close the currently selected IMAP mailbox.
ImailFetchEntry command
Used in a Server.Load script to get (UID Fetch) body for specified entry.
Syntax
ImailFetchEntry [navigator]
Where: [navigator] CURRENT, NEXT, NEXT_UNSEEN, or FIRST. If not specified, default is CURRENT.
ImailFetchOld command
Used in a Server.Load script to get (UID Fetch) Body for specified entry.
Syntax
ImailFetchOld [navigator]
Where: [navigator] CURRENT, NEXT, NEXT_UNSEEN, or FIRST. If not specified, default is CURRENT.
ImailGetLastEntries command
Used in a Server.Load script to get (Fetch) last page of entries (UID, flags, envelope) for use with ImailFetchEntry.
ImailGetNewMail command
Used in a Server.Load script to check for new IMAP messages.
ImailHelp command
Used in a Server.Load script to display all available IMAP (IMail*) commands with Help text.
ImailListMailboxes command
Used in a Server.Load script to list IMAP mailboxes.
Syntax
ImailListMailboxes [refmbox] [mailbox] [sub]
Where:
[refmbox] Root mailbox to list from. If not specified, default is .
[mailbox] Root mailbox to list from. If not specified, default is .
[sub] If TRUE, lists subscribed mailboxes; if FALSE, lists non-subscribed mailboxes.
I-14 Administering the Domino System, Volume 2
ImailLogin command
Used in a Server.Load script to log in to a server running IMAP.
Syntax
ImailLogin [host] [user] [password]
Where:
[host] The Internet host name of the IMAP server, for example, company.com
[user] The IMAP user name to log in as
[password] The password of the user
ImailLogout command
Used in a Server.Load script to log out of a server running IMAP.
ImailOpenMailbox command
Used in a Server.Load script to open (select) an IMAP mailbox (the Inbox folder of the mail file).
Syntax
ImailOpenMailbox [mailbox]
ImailPostMessage command
Used in a Server.Load script to add a message to the specified mailbox.
Syntax
ImailPostMessage [bodysize] [linesize] [mailbox]
Where:
[bodysize] Total size of the message
[linesize] Length of each line in the message, typically 80
[mailbox] Name of the folder in which to locate the message, typically Inbox
Example
This example creates a 2000-byte message in the Inbox. Each line in the message contains 80 characters.
ImailPostMessage 2000 80 Inbox
ImailSetSeen command
Used in a Server.Load script to set current message as seen.
Index command
Used in a Server.Load script to update the currently open collection.
Syntax
Index
Example
Updating a view collection with the Index command. In this example, the thread number is substituted for the pound symbol [#].
* Create one or more databases on mail server using (journal.ntf)
* NOTES.INI file contains setting templateversion=4
* Creation of multiple databases, based on the number of threads
* All test databases will be placed in the journal directory.
changeto [MailServer]!!journals\journal[#].nsf journal[templateversion].ntf -KeepOpen
pause 5000
LDAPLookup command
Used in a Server.Load script to perform LDAP lookup for specified user name.
Syntax
LDAPLookup <username>
Where:
<username> Performs cn=username search on host LDAPHost.
Note
The NOTES.INI file must contain the setting LDAPHost=system.domainname, for example, LDAPHost = Server.acme.com
Lookup command
Used in a Server.Load script to search the Domino Directory (NAMES.NSF) for names you specify.
Syntax
Lookup (a, b, c)
Where:
a Mail server name
b Namespace, specified as $users, $servers, $groups, $domain, $people, $People, $ServerAccess, $CrossCertByRoot, $CrossCertByName, $Users, $Servers, $Certifiers, $CrossCertByRoot, $Certifiers, $Connections, $Profiles
c Names list; each entry separated by ASCII \0
Example
Lookup performed
Lookup fssaixw/ess $Users John Doe/WAS/Acme
NABRetrievePOP3Mail command
Used in a Server.Load script to retrieve POP3 mail messages for a fixed user in the Domino Directory (NAMES.NSF).
Syntax
NABRetrievePOP3Mail <msg_num> <hostname> <options>
Where:
<msg_num> Message to retrieve. Use the value -1 to retrieve all.
<hostname> Host name of the server running SMTP MTA.
<options> POP3 retrieval options: USE_SSL uses SSL protocol, LEAVE_ON_SERVER leaves messages on the server.
NABUpdate command
Used in a Server.Load script to update a number of random documents of a particular type in the Domino Directory (NAMES.NSF) database.
Syntax
NABUpdate(a,b)
Where:
a Type of document to update (Person, Group, or Connection)
b Number of documents to update. If b is not specified, one document is updated.
Navigate command
Used in a Server.Load script to read number of documents as listed in index.
Syntax
Navigate [<a>[<option>[ASYNC]]]
Where:
<a> Number of documents to be read (optional; default is 1)
<option> One or more of the following navigation options. You can string multiple options together as OR options, separated by the split vertical bar (|) character.
NEXT, PREV, CURRENT, PARENT, CHILD, NEXT_PEER, PREV_PEER, FIRST_PEER, LAST_PEER, CURRENT_MAIN, NEXT_MAIN, PREV_MAIN, ALL_DESCENDANTS, NEXT_UNREAD, NEXT_UNREAD_MAIN, PREV_UNREAD, PREV_SELECTED, PREV_SELECTED_MAIN, PREV_EXPANDED_UNREAD, PREV_EXPANDED, PREV_EXPANDED_SELECTED, PREV_EXPANDED_CATEGORY, PREV_EXP_NONCATEGORY, PREV_HIT, PREV_SELECTED_HIT, PREV_CATEGORY, PREV_UNREAD_HIT, PREV_NONCATEGORY, CIRCULAR, MAXLEVEL, MINLEVEL, WITHIN_MAIN, CONTINUE, PREV_MAIN_ALWAYS, NEXT_SELECTED, NEXT_SELECTED_MAIN, NEXT_EXPANDED_UNREAD, NEXT_EXPANDED, NEXT_EXPANDED_SELECTED, NEXT_EXPANDED_CATEGORY, NEXT_EXP_NONCATEGORY, NEXT_HIT, NEXT_SELECTED_HIT, NEXT_CATEGORY, NEXT_UNREAD_HIT, NEXT_NONCATEGORY
ASYNC Flag for opening documents asynchronously
NewMail command
Used in a Server.Load script to poll for new mail.
Syntax
NewMail(a,b,c)
Where:
a Name of mail file (default is your mail file)
b Number of times to poll (default is 1)
c Millisecond delay between polls (default is 1000 ms)
NewReplicateDB command
Used in a Server.Load script to create empty database <target> as replica of <source>.
Syntax
NewReplicateDB <source> <target>
Where:
<source> Full file name of source database. Use the format server!!file for a remote database.
<target> Full file name of new target database; if a database with the same name exists with a different replica ID, it will be overwritten.
NoteAdd command
Used in a Server.Load script to add a document with the specified [Subject], [Body], [Attachment], [MsgCount], [NamedField], and [FolderID].
Syntax
NoteAdd [-sSubject] [-bBody] [-aFileAttachment] [-cMsgCount] [-nNamedField] [-fFolderID]
Where:
Subject Summary item Subject
Body Non-summary item Body
Attachment File name of attachment
MsgCount Number of messages to add
NamedField Named field
FolderID Add document to folder with this ID
Open command
Used in a Server.Load script to open a view collection.
Syntax
Open (a) <option>
Where:
a View document ID (optional; default is the default view) or DESIGN to open the design collection. To open a view other than the default view, enter the decimal value of last 3 digits in the View Note ID converted from hex to decimal. (To view this property, open the list of views and select a view, then bring up the Properties for the item.)
<option> One or more of these options: noupdate, rebuild, invalidate, verify, do_not_create, verify_shared_view_note, reopen_collection, associate_unread, getname_list, noupdateunread, namespace. Can also specify UPDATE, which will open using a separate update. Values are separated by spaces; default value is NONE.
Pause command
Used in a Server.Load script to wait for a specified number of milliseconds before performing the next command in the script.
Syntax
Pause (a)
Where: a Number of milliseconds to wait, or any of the forms: (Xsec, X-Ysec, Xmin, X-Ymin, Xhours, X-Yhours)
Populate command
Used in a Server.Load script to ensure that there are (NumMailNotesPerUser) documents in the current database. This command locks the database to prevent other users from simultaneously performing another Populate command, gets the number of documents currently in the database, and adds documents as necessary.
Syntax
Populate (NumMailNotesPerUser) [folder]
Where:
NumMailNotesPerUser Total number of documents you want the database to have
folder Folder or view to which documents will be added
Example
This example creates and initializes a mail file(s); documents are added to folder $Inbox.
changeto [MailServer]!!mail\mail[#].nsf mail46.ntf
Quit command
Used in a Server.Load script to terminate the open program.
Syntax
Quit
Read command
Used in a Server.Load script to open and close a specified number of documents.
Syntax
Read (a)
Replicate command
Used in a Server.Load script to replicate with server.
Syntax
Replicate <server> <direction> <files> <options>
Where:
<server> Server with which to replicate
<direction> One of the following: PUSH, PULL, or BOTH (optional; default is BOTH)
<files> List of files to replicate, for example, TESTREP1.NSF|TESTREP2.NSF (optional; default is ALL)
<options> One or more of these options. Use the split vertical bar (|) to separate options.
UPDATE_COLL Update collections
CLOSE_SESSION End session with server when done
SUMMARY_ONLY Only replicate summary fields
TRUNCATE Truncate long documents
PRI_LOW Replicate low-priority databases
PRI_MED Replicate medium-priority databases
PRI_HI Replicate high-priority databases
RetrievePOP3Mail command
Used in a Server.Load script to retrieve POP3 mail messages for a user.
Syntax
RetrievePOP3Mail <user> <password> <msg_num> <hostname> <options>
Where:
<user> User's POP3 account name
<password> User's POP3 password
<msg_num> Message to retrieve; -1 to retrieve all
<hostname> Host name of the server running SMTP MTA
<options> POP3 retrieval options (USE_SSL for SSL protocol, LEAVE_ON_SERVER to leave messages on the server)
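An added example, not part of the Domino documentation or of Server.Load: a Python check for scripts that use the credential-bearing commands in this reference (ImailLogin, RetrievePOP3Mail, NABRetrievePOP3Mail). It flags a password written literally instead of as a [Variable] substitution, and POP3 retrieval lines that omit USE_SSL. The sample script, the variable names [ImapPassword] and [Pop3Password], and the assumption that options may be separated by spaces or by | are constructed for illustration.

```python
import re

# 0-based position of the password argument, counted after the command name,
# taken from the Syntax lines: ImailLogin [host] [user] [password] and
# RetrievePOP3Mail <user> <password> <msg_num> <hostname> <options>.
PASSWORD_ARG = {"imaillogin": 2, "retrievepop3mail": 1}

# Number of fixed arguments that precede <options> for the POP3 commands.
POP3_FIXED_ARGS = {"retrievepop3mail": 4, "nabretrievepop3mail": 2}

# A whole-token substitution such as [Pop3Password] (resolved from NOTES.INI).
VARIABLE = re.compile(r"^\[[^\[\]]+\]$")


def lint_script(text):
    """Return a list of (line number, command, finding) tuples.

    Findings:
      literal-password  the password argument is not a [Variable] substitution
      no-ssl            a POP3 retrieval line does not list USE_SSL
    """
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        # Skip blank lines and **comment** lines.
        if not line or line.startswith("**"):
            continue
        tokens = line.split()
        # Sample scripts write commands in lower case, so compare case-insensitively.
        cmd, args = tokens[0].lower(), tokens[1:]

        pos = PASSWORD_ARG.get(cmd)
        if pos is not None and len(args) > pos and not VARIABLE.match(args[pos]):
            findings.append((lineno, cmd, "literal-password"))

        fixed = POP3_FIXED_ARGS.get(cmd)
        if fixed is not None:
            options = set()
            for arg in args[fixed:]:
                # Assumption: options may be space separated or joined with |.
                options.update(part.upper() for part in arg.split("|") if part)
            if "USE_SSL" not in options:
                findings.append((lineno, cmd, "no-ssl"))
    return findings


# Constructed sample script (not one of the shipped Server.Load scripts).
SAMPLE_SCRIPT = "\n".join([
    "**Constructed sample for the lint check**",
    "imaillogin [MailServer] mail[#] [ImapPassword]",
    "imaillogin mail.example.com mail1 Secret123",
    "retrievepop3mail mail[#] [Pop3Password] -1 [MailServer] USE_SSL",
    "retrievepop3mail mail1 hunter2 -1 mail.example.com LEAVE_ON_SERVER",
    "nabretrievepop3mail -1 mail.example.com USE_SSL|LEAVE_ON_SERVER",
])

if __name__ == "__main__":
    for lineno, cmd, finding in lint_script(SAMPLE_SCRIPT):
        print(f"line {lineno}: {cmd}: {finding}")
```

A [Variable] password is still stored in NOTES.INI on the driver system, so the check only keeps credentials out of the script file itself.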
Rewind command
Used in a Server.Load script to restart the script file, if one is given, up to a maximum of n iterations, if n is specified. If the script contains a BeginLoop statement, the next command executed is the one immediately following the BeginLoop. Otherwise, the next command executed is the first command in the script. If n is not specified, the Rewind command is executed indefinitely.
Syntax
Rewind <n>
Rewind2 command
Used in a Server.Load script to restart the loop, up to a maximum of n iterations, if n is specified. If the script contains a BeginLoop2 statement, the next command executed is the one immediately following the BeginLoop2 statement. If n is not specified, the Rewind2 command executes indefinitely.
Syntax
Rewind2 <n>
RSVPInvitation command
Used in a Server.Load script to send a response (acceptance) to an invitation (if one exists). RSVP is subject to nthIteration.
SendMessage command
Used in a Server.Load script to create and send a mail message. The random body text in the message is created by the same method as in CREATEFILE. Message recipients are selected with a uniform distribution from the people in the Domino Directory (NAMES.NSF) on the source driver system. All replicas of the Domino Directory on the source driver systems and SUT have the same content.
Syntax
SendMessage <message_size> <num_recipients> <nth_iteration> <attachment>
Where:
<message_size> Size of the body text, in bytes
<num_recipients> Number of random users that will receive the message
<nth_iteration> Sends a message every n script iterations
<attachment> Name of file to be attached to message (optional). File is assumed to be in Notes data directory unless a drive/path specification is provided (e.g., c:\mypath\myfile.txt).
SendSMTPMessage command
Used in a Server.Load script to create and send an SMTP mail message.
Syntax
SendSMTPMessage <message_size> <line_size> <num_recipients/recipient> <hostname> <domain> <client_host> <nth_iteration>
Where:
<message_size> Size of body text in bytes
<line_size> Size in bytes of each line in a multi-line message
<num_recipients> Number of random users in the Domino Directory to receive the message
<recipient> A recipient's e-mail address
<hostname> Host name of server running SMTP Listener
<domain> Domain of user for recipient addresses
<client_host> Client host name
<nth_iteration> Send a message every n script iterations
SessionsClose command
Used in a Server.Load script to close all open sessions. This statement only closes sessions opened with SessionsOpen.
Syntax
SessionsClose
SessionsOpen command
Used in a Server.Load script to create sessions on the specified server, monitor the time it takes to open num_sessions, and return that value. To close all of the sessions that you open, include the SessionsClose command in the script.
Syntax
SessionsOpen <server> <num_sessions>
Where:
<server> Server where the sessions will be created
<num_sessions> Number of sessions to create
SetContextStatus command
Used in a Server.Load script to set the context iteration status.
SetCalProfile command
Used in a Server.Load script to set the Owner and BusyName fields for the current database.
Stamp command
Used in a Server.Load script to select random documents from the list of Note IDs returned from GetAll. Stamp modifies a summary data field of length b in each document with the same random value.
Syntax
Stamp (a, b)
Where:
a Number of documents to be stamped
b New size of the summary item Subject (optional; default is )
Unread command
Used in a Server.Load script to set the database unread list for the current collection to contain (a) random documents. This command may be used before a Navigate with one of the unread navigation options to simulate reading a specific number of new documents.
Syntax
Unread (a) Where:
Update command
Used in a Server.Load script to update random documents in a database, based on the value of a.
Syntax
Update (a, b, c)
Where:
a Number of documents to be updated. If a is not specified, one document is updated.
b New size of the summary item Subject (optional; default is ). If b is not specified, the length of the summary data is a uniform random number between 1 and 100 bytes.
c Length of non-summary item Body (optional; defaults to ). If c is not specified, the length of the non-summary data is a uniform random number between 100 and 300 bytes.
WebGet command
Used in a Server.Load script to retrieve information from a specified URL.
Syntax
WebGet -[sumonly | alldata] [{-url <urlname> [-walk <depth> <span>] [-proxy <urlname>] } | { [-file <filename>] | <# entries to fetch> [-concurrent | -sequential ] } ] -[holdtime <ct> <st>]
-[sumonly | alldata]
Retrieves either summary information (sumonly) or actual data, for example, a graphic image (alldata), for a specified URL. The summary information is retrieved with the HTTP HEAD command; the actual data is retrieved with the HTTP GET command. Summary mode is useful for placing a light load on the HTTP server, as summary information is typically less than 300 bytes, versus an HTML document or image which can be any size.
[{-url <urlname> [-walk <depth> <span>] [-proxy <urlname>] } | { [-file <filename>] | <# entries to fetch> [-concurrent | -sequential ] } ] -[holdtime <ct> <st>]
After Web content has been retrieved from a URL (for example, -url www.ibm.com), the -walk switch can be used to traverse hyperlinks found on each page. The <depth> parameter indicates the number of hyperlinks to traverse for a given page; it is applied recursively to each HTML document traversed. The <span> parameter indicates the maximum number of pages for a given link that can be traversed before coming back to the initial request page. The -walk switch does not traverse links that have previously been traversed (that is, a back to home link will not be selected); this prevents an endless recursive loop. The -walk command also does not explore links that lead to other HTTP servers (that is, a link on www.lotus.com that leads to www.ibm.com will not be selected), avoiding the endless exploration of HTTP servers.
The -proxy switch should be used when the specified URL is an external site, that is, one that must be accessed via the specified proxy server.
The -holdtime switch specifies the amount of time WebGet will wait before completing an HTTP transaction. The sequence of events required to complete an HTTP transaction is: establish a connection to an HTTP server, send the command to the HTTP server, receive back data from the HTTP server.
The <ct> parameter indicates the amount of time, in milliseconds, to wait after issuing a command to the HTTP server. This effectively holds the HTTP server thread/process that has been dispatched to service the request in an idle state. <ct> should be less than the HTTP server's connect time timeout parameter (typically 2 minutes). The <st> parameter specifies the amount of time to wait after sending the command to the HTTP server. This effectively holds the servicing HTTP server thread/process idle, even though it may be ready to send data.
Example 1
The command [-url www.lotus.com -walk 2 1] is interpreted from a Web browser's point of view as: starting at web page www.lotus.com, select two links on the page to click (if the page has at least two links). Click the first selected link, return back to the initial page, then click the second link, and return back to the initial page.
Example 2
The command [-url www.lotus.com -walk 1 2] is interpreted from a Web browser's point of view as: starting at web page www.lotus.com, select one link on the page to click. Click the link, then apply the same rule recursively to each new page. Assuming that the first link clicked is www.lotus.com/notes.htm, the rule then requires WebGet to find one link on that page and traverse it. The span parameter indicates a stopping point for the recursive process.
Additionally, -walk 0 0 indicates that WebGet should only request the page indicated by <urlname> and no more. This is equivalent to leaving out the -walk switch. Or, something like -walk 10000 10000 (or another large number) indicates that you want WebGet to traverse every conceivable link on that page, much like a Web robot.
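The -walk rules described above, modelled in Python as an added example (this is not Server.Load code, and WebGet's real link selection may differ). It assumes <depth> is the number of links selected on each page, <span> is how many levels the walk descends from the start page, and links that were already traversed or that point to another server are skipped without counting toward <depth>; the link graph is constructed.

```python
from urllib.parse import urlsplit

# Constructed link graph standing in for real pages (illustration only).
SAMPLE_LINKS = {
    "http://www.lotus.com/": [
        "http://www.lotus.com/notes.htm",
        "http://www.ibm.com/",              # other HTTP server: never followed
        "http://www.lotus.com/domino.htm",
        "http://www.lotus.com/support.htm",
    ],
    "http://www.lotus.com/notes.htm": [
        "http://www.lotus.com/",            # "back to home": already traversed
        "http://www.lotus.com/notes/r6.htm",
    ],
    "http://www.lotus.com/notes/r6.htm": [
        "http://www.lotus.com/notes/r6/install.htm",
    ],
    "http://www.lotus.com/domino.htm": [],
    "http://www.lotus.com/support.htm": [],
    "http://www.lotus.com/notes/r6/install.htm": [],
}


def walk(start, depth, span, links=SAMPLE_LINKS):
    """Return the pages requested, in order, for '-url start -walk depth span'.

    depth: number of links selected on each page.
    span:  number of levels the walk descends before returning to the start page.
    """
    host = urlsplit(start).hostname
    visited = {start}        # pages already requested are never selected again
    requested = [start]      # the start page itself is always requested

    def follow(page, levels_left):
        if levels_left == 0:
            return
        selected = 0
        for link in links.get(page, []):
            if selected == depth:
                break
            # Links to other HTTP servers are not explored.
            if urlsplit(link).hostname != host:
                continue
            # Previously traversed links are not selected (prevents loops).
            if link in visited:
                continue
            visited.add(link)
            requested.append(link)
            selected += 1
            follow(link, levels_left - 1)

    follow(start, span)
    return requested


if __name__ == "__main__":
    home = "http://www.lotus.com/"
    for depth, span in [(2, 1), (1, 2), (0, 0), (10000, 10000)]:
        pages = walk(home, depth, span)
        print(f"-walk {depth} {span}: {len(pages)} request(s)")
        for page in pages:
            print("   ", page)
```

The length of the returned list is the number of HTTP requests one thread issues per pass, which is the figure to check before pointing a large -walk at a shared server.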
Server.Load scripts
You can use any of these scripts with Server.Load:
Sample scripts
Idle Workload
R5 IMAP Workload
R5 Simple Mail Routing
R5 Shared Database
SMTP and POP3 Workload
Web Idle Workload
Web Mail Workload
**Set Owner**
Setcalprofile
**Ensure there are enough documents in mail database (one time only)**
beginloop
sendsmtpmessage [NormalMessageSize] [MessageLineSize] mail[#]@[RecipientDomain] [SMTPHost] [RecipientDomain] [ClientHost]
rewind [NumMailNotesPerUser]
pause 60000
**Open views**
open $FolderInfo
close
open $FolderRefInfo
close
open $Inbox
close
drop
**Read 5 messages in the mailbox, delete 2, post 1. Read each for 10 to 20 seconds**
ImailFetchOld CURRENT
**Pause 10 to 20 seconds**
Pause 10000-20000
ImailFetchOld NEXT
**Pause 10 to 20 seconds**
Pause 10000-20000
ImailFetchOld NEXT
**Pause 10 to 20 seconds**
Pause 10000-20000
**Pause 10 to 20 seconds**
Pause 10000-20000
ImailFetchOld NEXT
**Pause 10 to 20 seconds**
Pause 10000-20000
ImailFetchOld NEXT_UNSEEN
ImailSetSeen
**Pause 10 to 20 seconds**
Pause 10000-20000
**Pause 10 to 20 seconds**
Pause 10000-20000
**Pause at the desktop for 8+ to 12+ minutes while having a meeting in office**
Pause 515000-755000
**Repeat Inner loop sequence over again (go back to BeginLoop2 statement)**
rewind2 [R5IMAP_LOOP_N]
**Make sure there are enough notes in mail database (one time only)**
populate [NumMailNotesPerUser] $Inbox 100 [NormalMessageSize]
setcalprofile
R5 Simple Mail Routing script
Text enclosed in asterisks (**) indicates comments. For more information on the R5 Simple Mail Routing script, see the chapter Using Server.Load.
**Pause a random interval so multiple processes are well-staggered; pause 0 to 3 minutes (3 min. = 180000 ms)**
Pause 0-180000
**Make sure there are enough documents in mail database (one time only)**
populate [NumMailNotesPerUser] $Inbox
close
**Open 5 documents in the mail file and read each for 10 to 20 seconds**
navigate 5
pause 50000 - 100000
**Pause 1 to 2 minutes**
Pause 60000 - 120000
**Schedule an appointment**
cal -appt "[MailServer]!![nb_dbdir]mail[#].nsf" 1000 30 7 14 [NthIteration]
pause 30000 - 50000
**Schedule an invitation**
cal -i "[MailServer]!![nb_dbdir]mail[#].nsf" 1000 60 2 3 [NumMessageRecipients] [NthIteration]
pause 30000 - 50000
**Delete 2 documents**
delete 2
**Repeat entire sequence all over again (go back to BeginLoop statement)**
rewind [ScriptIterationLimit]
**Make sure there are enough documents in mail database (one time only)**
populate [NumMailNotesPerUser]
close
**Page down the view 2 times, spending 3-10 seconds to read each window**
entries 21 20
pause 3000 - 10000
entries 41 20
pause 3000 - 10000
**Open next 3 unread documents and read each for 10-30 seconds**
navigate 1 next_unread
pause 10000 - 30000
navigate 1 next
pause 10000 - 30000
navigate 1 next
pause 10000 - 30000
add [DiscDbAddDocRate] 100
**Open views**
open $Inbox
close
SMTP and POP3 Workload script
Text enclosed in asterisks (**) indicates comments. For more information on the SMTP and POP3 Workload script, see the chapter Using Server.Load.
**Pause a random interval so multiple processes are staggered well**
pause 0 - 180000
**Start the part of the script that loops**
**Send an SMTP message**
sendsmtpmessage [NormalMessageSize] [MessageLineSize] [NumMessageRecipients] [SMTPHost] [RecipientDomain] [ClientHost] [NthIteration]
pause 240000 - 360000
@ENDIF
pause 0-60000
changeto "[MailServer]!![nb_dbdir]mail[#].nsf" [MailTemplate] -KeepOpen
pause 0-5000
beginloop
**Populate the mail database by having the thread send Web mail to itself**
webget -url [httphost]/[nb_dbdir]mail[#].nsf -h 10 10 1000-2000 -mis [NormalMessageSize] mail[#]/[Domain] 1
rewind [NumMailNotesPerUser]
setcalprofile
Web Mail Workload script
Sentences that are enclosed in asterisks (**) indicate a comment in the script. For more information on the Web Mail Workload script, see the chapter Using Server.Load.
**Pause a random interval so multiple processes are well staggered**
pause 0-180000
**Make sure the user preferences are set to have the mail owner = mail[#]**
@If NOT [WebPreferencesOff]
webget -url [httphost]/[nb_dbdir]mail[#].nsf -mp
@EndIf
**Open the Web Mail database, to get Domino Directory info to be used by all threads**
webget -url [httphost]/[nb_dbdir]mail[#].nsf -mi
drop
**Wait about 60 seconds**
**Start the part of the script which loops**
beginloop
**SEND a Message from the Web, taking about 60 seconds to compose the message**
webget -url [httphost]/[nb_dbdir]mail[#].nsf -h 10 10 40000-80000 -mis
**Wait 1 - 3 minutes**
pause 60000-180000
**Read the first 5 Inbox Messages, spending about 1 minute on each message, deleting first**
webget -url [httphost]/[nb_dbdir]mail[#].nsf -h 10 10 40000-80000 -mir 5 1
**Wait 4 - 6 minutes**
pause 240000-360000
**Repeat entire sequence all over again (go back to beginloop statement)**
rewind
Index
Symbols
$AdminP View creating, 15-30 $Revisions fields size, 61-7 $UpdatedBy fields size, 61-7 $Users view in Domino Directory, 27-47 @Certificate recertification and, 5-80 @Else command described, I-2 @EndIf command described, I-2 @If command described, I-2, I-12 <ECLOwner> Administration Execution Control List, 41-14 8-bit MIME default character set for, 28-131 ESMTP extension, 28-96, 28-103 to 28-104 Access protocols mail, 26-5 Accessed (in this file) property performance and, 61-5 Accessibility Domino Off-Line Services and, 11-23 information about, H-1 shortcut keys, H-1 Accounts LDAP, 18-5 ACL, 40-1 access for Web users, 40-30 access level privileges, 40-1, 40-16 access levels, 40-13, 40-15 adding names to, 40-23 aliases in, 40-7 brackets in, 40-20 concurrent changes to, 40-25, 58-9 configuring, 40-11 creating, 49-4 database libraries, 51-1 database security, 40-23 default entries, 40-2 deletions, 7-7 directory, 18-7, 19-10 Domino Change Control database, 54-51 to 54-52 enforcing on replicas, 40-28 extended, 25-1 for mail database moves, 54-53 format for entries, 40-4 group names, 40-5 in a hosted environment, 13-5, 14-4 in mail files, 26-13 LDAP users and, 40-7 managing, 40-22 modifying for Administration Process, 15-13 modifying multiple ACLs, 40-11, 40-25 monitoring, 40-27 order of evaluation for entries, 40-10 precedence of, 38-4 replica IDs, 40-10 replication and, 7-6, 63-88 Resource Reservations database, 8-8, 8-16 roles in, 40-20 server groups in, 7-6 server names, 40-5 setting up, 40-11 setting up Administration Process for, 40-24 terminations group, 40-6 updating with Administration Process, 40-23 user types, 40-1, 40-19 viewing all database ACLs on a server, 40-27 Web administrator and, 16-20, 40-24 wildcard entries, 40-4 Acquire scripts editing, 4-51 making a call with, 4-50 Active Content Filtering disabling, 32-8 Activity Logging accessing logged information, 57-1 agents and, 57-3 analyzing logged data, 57-1, 57-13, 57-15 Checkpoint records, 57-2 
configuring, 57-12 configuring for billing in a hosted environment, 13-23 described, 57-1 enabling, 54-18 example of records generated, 57-11 for service providers, 12-14 HTTP and, 57-4 IMAP and, 57-4 LDAP and, 57-4, 57-13 mail and, 57-6 Notes databases and, 57-8 Notes sessions and, 57-7 passthru and, 57-9
A
Abstract object classes described, 21-2 Accelerator keys. See Shortcut keys Access anonymous, 38-13, 40-8, 42-25 to 42-26 denying, 28-90, 38-7, 40-6 Access control list. See ACL Access level privileges ACL, 40-16 database, 7-7 Access levels ACL, 40-1, 40-15 assigning, 40-11 database, 7-5 servers, 7-6 troubleshooting, 63-19 to 63-20
POP3 and, 57-10 replication and, 57-10 SMTP and, 57-10 the log file and, 57-1 types of information logged, 57-2 viewing logged data, 13-24, 57-13, 57-15 Web servers and, 57-4 Activity Trends data collection, 54-21 interpreting profile charts, 54-41 overview, 54-17 profiles, 54-22 to 54-25 resource balancing, 54-26 to 54-28, 54-30 to 54-43 resource balancing, overview, 54-34 resource balancing, setting up, 54-27 setting up, 54-18 viewing, 54-47 viewing charts, 54-25 AD DUS (Active Directory Domino Upgrade Service), 17-25 Add command described, I-3 Address Book deleting groups from, F-11 deleting servers from, F-25 deleting users from, F-15 Address format Domino domain, 26-21 Internet, 27-54 outbound mail, 27-54 Address lookup for inbound SMTP messages, 27-47 Addresses Domino domain, 26-21 Internet, 27-50, 27-52, 27-57 mail routing, 26-21, 26-25, 27-42 SMTP, 27-52 using group names in, 28-32 using phrases in, 28-134 Addressing, type-ahead disabling, 28-6 troubleshooting, 63-27 Adjacent domain document creating, 27-23 Admin setting described, C-2 Administration document Web Navigator database, 36-10
Administration Execution Control List, 41-6, 41-14 creating, 41-11 default security and, 41-7 Administration preferences setting, 16-5, 16-7 to 16-9, 16-11, 16-24 Administration Process ACL requirements, 15-13 and Domino Change Manager, 54-48 creating replicas with, 7-9 customizing, 15-29 described, 15-1 error messages, 15-36 Extension Manager and, 15-30 number of threads, 15-29 password checking with, 39-9 setting up, 15-5 setting up directory assistance with, 23-30 setting up for databases, 40-24 suspending, 15-28 Tell commands, A-46 troubleshooting, 63-8 updating the ACL with, 40-23 verifying setup of, 15-7 Administration Process requests described, F-1 Administration Process statistics, 15-35 Administration requests across domains, 15-8 approving, 15-21 cross-domain, F-70 error messages, 15-36 managing, 15-25 scheduling, 15-31 suspending, 15-28 time-based, F-90 Administration Requests database, 15-2 described, 15-19 icons, 15-23 replicating, 19-17 size, 15-26 troubleshooting with, 63-2 user access, 15-28 views in, 15-19 Administration roles Domino Directory ACL, 19-10 Administration servers Domino Directory, 15-2 to 15-3, 21-5
extended, 15-33 for databases, 15-6 options, 15-4 Administrator approval administration requests, 15-21 Administrator ID-recovery information changing, 39-21 Administrators allowing access to Web Administrator, 16-20 full access, 38-8 restricted system, 38-8 restricting access, 38-8 server access, 59-1, 38-8 system, 38-8 Administrators field Domino Directory, 19-12 AdminP Mail Notification Agent, 5-57 ADSync options, 17-29 Advanced controls setting, 28-46 Advanced user registration, 5-13 Agent log troubleshooting with, 63-13 Agent Manager capacity, 60-8 performance, 60-6 Tell commands, A-47 troubleshooting, 63-12 to 63-13 viewing status of, 60-9 Agents activity logging, 57-3 Averaging, 36-19 controlling on servers, 28-9 creating, 40-17 for deleting and archiving documents, 61-27 Purge, 36-15 Refresh, 36-18 restricting, 40-18 scheduling, 60-8 Server.Load, 62-4 setting time-out for mail, 28-9 SNMP, 53-1 troubleshooting, 63-12 Web Navigator database, 36-11 Agents, uses for in Domino Off-Line Services, 11-19 offline applications and, 11-19
AIX configuring partitioned servers, 2-50 configuring SNMP Agent for, 53-12 Alarms for Server Health Monitor, 54-10 Alias dereferencing Directory Assistance documents and, 23-48 Aliases in ACL, 40-7 in DNS, 2-18 Allow_Access setting described, C-3 Allow_Access_portname setting described, C-3 Allow_Passthru_Access setting described, C-4 Allow_Passthru_Callers setting described, C-4 Allow_Passthru_Clients setting described, C-5 Allow_Passthru_Targets setting described, C-5 Alternate Language Information document creating, 20-31 viewing, 20-31 Alternate languages described, 5-38 LDAP service, 20-29 Alternate names adding to a user ID, 5-40 certifier IDs and, 5-39 changing, 5-62, 5-57 deleting, 5-57 in ACL, 40-7 AMgr_DisableMailLookup setting described, C-5 AMgr_DocUpdateAgentMinInterval setting described, C-6 AMgr_DocUpdateEventDelay setting described, C-6 AMgr_NewMailAgentMinInterval setting described, C-7 AMgr_NewMailEventDelay setting described, C-7 AMgr_SchedulingInterval setting described, C-7
AMgr_UntriggeredMailInterval setting described, C-8 AMgr_WeekendDays setting described, C-8 Analysis report for decommissioning a server, 59-3 Anonymous access in a hosted environment, 14-4 Internet/intranet users, 42-25 LDAP service and, 20-16 to 20-17, 20-20 setting up, 38-13, 38-16 SSL, 46-15 virtual servers, 3-42 Web users and, 40-8 Anti-relay controls effect on message transfer, 28-85 setting, 28-81 Anti-spam controls settings for, C-101 API creating event notification, 52-16 AppleTalkNameServer setting described, C-8 Application design element security, 37-15 Application security, 37-14 Application templates table of, D-1 Applications for hosted environments, 12-15 Approve persons name change request, F-5 Archive criteria for policies, 9-28 Archive policy settings creating, 9-25 Archives, database accessing, 61-26 Archiving agents for, 61-27 to 61-28 databases, 58-37 deleted documents, 61-25 documents, 61-20 policies for, 9-22 policy settings example, 9-24 transaction log files, 55-5 viewing document Archiving Log, 61-27 Assign Policy tool using, 9-40
Attachments compressing, 61-6 Domain Index and, 10-12 format for sending from Macintosh clients, 28-133 Attributes adding to LDAP schema, E-20 adding to schema, 21-13 described, 21-1, 21-4 Authentication described, 38-1 examples, 42-21 IMAP port, 31-5 Internet/intranet clients, 42-3, 42-27 of hosted organizations, 14-4 overview, 38-1 password checking with, 39-4 POP3 port, 30-2 to 30-3 session-based, 42-6 SMTP AUTH command, 28-62, 28-69 SMTP port, 28-59 SSL, 46-15 SSL client, 46-25, 47-18 SSL server, 47-3 troubleshooting, 63-104 user names, 40-7 Web Administrator, 63-109 Web clients and, 42-19, 42-23 IMAP service and, 28-60, 31-2, 31-6, Author access actions, 40-14 privileges, 40-16 Authors displaying for Server Web Navigator, 36-12 Authors field updating, 40-29 AutoDialer task Network dialup connections and, 4-40 Notes Direct Dialup and, 4-44 setting up, 4-42 AutoLogoffMinutes setting described, C-9 Automated client installation, 5-45 Autoscale scaling statistics, 52-37 Auxiliary object classes adding to schema, E-17 described, 21-2
B
Backing up databases, 55-2 servers, 63-7 Basic password authentication setting up, 42-3 SSL, 46-15 Basic user registration, 5-11 Batch file installation clients, 5-46 BatchRegFile setting described, C-9 BeginCrit command described, I-4 BeginLoop command described, I-4 BeginLoop2 command described, I-5 Benchmarks server performance, 60-2 Billing in a hosted environment, 12-14 BillingAddinOutput setting described, C-9 BillingAddinRuntime setting described, C-10 BillingAddinWakeup setting described, C-10 BillingClass setting described, C-10 BillingSuppressTime setting described, C-11 Binary tree topology replication and, 4-9 Bindery Service Domino and, 2-30 server names and, 2-31 Binding port-to-IP address, 2-46 to 2-47 Bookmarks search forms and, 10-18, 10-20 Break command described, I-5 Broadcast command described, A-12 using before restarting the server, A-23
using before shutting down the server, A-14 Browsers accessing Web server with, 34-5 using for administration, 16-17 Browsing Web, 36-1 Build number in Server document, F-47 BUSYTIME.NSF purge interval, C-86 Byte-range serving Web server and, 34-56
C
CA key ring displaying, 45-7 exporting, 45-7 CA policy information storing in Domino Directory, F-62 CA process adding certifiers, 44-7 creating certifiers, 44-8 described, 44-1 Tell commands, A-48 viewing certifiers list, 44-24 Cache setting for Server Web Navigator, 36-18 Cal command described, I-5 Calendar and scheduling collecting detailed user information, 8-20 collecting user calendar information, 8-20 described, 8-1 example, 8-2 Holiday documents, 8-17 profile command, I-26 Server.Load script command, I-5 Call waiting disabling, 63-49 Capacity planning tools, 60-2 Catalog task Domain Catalog database, 10-2, 10-6 Catalog, Domain. See Domain Catalog Catalogs, database for servers, 51-4 to 51-5 cconsole, A-8
command line switches for, A-9 commands for, A-9 CD format. See Notes rich text format CDP_Command setting described, C-11 CD-ROM updates replication and, 7-17 Central Directories view described, 19-7, 19-9 Central directory architecture described, 19-2 Extended Directory Catalogs and, 19-4 managing, 19-5 planning, 18-2, 19-4 primary Domino Directories and, 19-9 Certificate removing from Domino or LDAP directory, F-49 Certificate Authority CA key ring, 45-2 creating, 45-2 displaying the CA key ring file, 45-7 exporting the CA key ring file, 45-7 internal, 45-1 merging certificates, 46-10 recertifying, F-47 removing as trusted root, 46-21 server-based, 44-1 setting up, 45-1 setting up SSL on server, 45-5, 44-17 third-party, 47-10, 47-21 troubleshooting, 63-101 viewing server certificates, 46-20 Certificate Authority administrator tasks, 44-4 Certificate Authority profile configuring, 45-4 Certificate requests processing, 44-1 viewing, 44-24 Certificate Requests database creating, 44-14 Certificate revocation lists described, 44-2 CertificateExpChecked setting described, C-12 Certificates certifier IDs and, 1-7 defined, 39-1
deleting, 47-12 described, 39-3 displaying, 39-3 in a hosted environment, 13-5 Internet, 45-2, 47-10, F-4 managing server, 46-20 merging server, 46-12 renewing, 46-21 revoking, 44-2, 44-23 self-certified, 46-22 signing and adding to Domino Directory, 47-7 SSL and S/MIME, 47-5 SSL server authentication, 47-3 troubleshooting and, 63-83 trusted root, 46-9, 47-3 Certificates, SSL adding for Server Web Navigator, 36-8 creating a Certificate Authority, 45-2 expired, 46-21 self-certified, 46-22 setting up, 47-3 viewing information, 46-20 viewing requests for server, 46-21 Certification described, 39-2 Certification Log Administration Process requirements, 15-3 described, 3-28 Certifier documents modifying, 44-22 Certifier IDs migrating to CA process, 44-5 modifying, 44-21 organization, 3-34 organizational unit, 3-35 overview, 1-7 recovering, 44-25 CertifierIDFile setting described, C-12 Change Control database location, 54-34 Change HTTP password in Domino Directory request, F-6 ChangeTo command described, I-6 Channel encryption option directory assistance, 23-43 Character encoding LDAP service, 20-32
Character sets aliases for, 28-131 enabling auto-detection of, 28-126 language codes and encoding for, 28-120 specifying for MIME messages, 28-118, 28-126 Web, 34-31, 34-33 Checkpoint records activity logging and, 57-2 Client authentication directory assistance and, 23-3, 23-14 directory catalogs and, 24-9, 24-11 directory search order, 18-15 SSL, 46-1 Client information updating in Person record, F-64 Client installation, 5-41 setting up for users, 5-41 single user, 5-43 Clients setting up for S/MIME, 47-13 setting up for SSL client authentication, 47-18 Clients, mail POP3, 30-11 routing protocols and, 27-3 types of, 26-15 ClockType setting described, C-13 Close command described, I-8 Clrepl_Obeys_Quotas setting described, C-13 Cluster failover configuring for mail routing, 28-40 directory assistance and, 23-21 Cluster Replicator monitoring, C-86 quotas and, C-13 Tell commands, A-51 Cluster_Replicators setting described, C-13 Clusters Domino Off-Line Services on, 3-12 Free Time database, 8-2 port setting, C-91 removing servers, F-49 replication topology and, 4-8 workload balancing and, 60-4
Collector task overview, 52-1 Command line installation, 5-47 Commands capturing output to file, A-2 Controller, A-3 custom, A-6 entering from the UNIX command line, A-8 help for, I-12 modem command file, 63-48 shell, A-3 table of, A-10 Common Gateway Interface, 34-2 time-out setting, 34-53 Common names Internet, 45-2 renaming, 5-57 server IP name and, 2-16, 2-22 Communication ports options, 4-47 setting up, 4-34, 4-46 COMnumber setting described, C-14 Compact task archiving documents with, 61-20 IND file, 61-22 options, 61-17 renaming databases, C-74 running, 61-16 scheduling, 61-23 specifying database path, 61-22 upgrading database format, 31-28 with file reduction, 55-2 Compact_Retry_Rename_Wait setting described, C-14 Compacting databases, 61-13, 61-16, 61-21 to 61-23 Companies, external communicating with, 39-27 Compound document format. See Notes rich text format Compressing attachments, 61-6 network data, 2-42 performance and, 61-6 Concurrent retrievers Server Web Navigator, 36-6 Concurrent transfer threads maximum, 60-11 Condensed Directory Catalogs client authentication and, 24-10
described, 24-2 full-text indexes, 24-25 multiple, 24-33 performance settings for, 24-30 planning, 24-29 replicating, 24-32 servers using, 24-5 setting up, 24-34 to 24-35 sorting, 24-29 Soundex and, 24-30 Configuration Directories changing to primary, 19-6 configuring remote primary directory, 19-7 described, 19-2 directory assistance and, 23-26 Extended Directory Catalogs and, 19-4 managing, 19-5 planning, 18-2, 19-4 showing remote primaries for, 19-9 Configuration document Cross-domain, 15-9 to 15-10 Configuration Settings document creating, 27-18 editing NOTES.INI file with, C-1 host names, 27-49 LDAP settings, 20-9, 20-17 for SMTP mail routing, 27-38 Configuring activity logging, 57-12 mail routing, 27-37 offline applications, 11-11 Connect scripts. See Login scripts Connection documents described, 4-1 Internet servers, 4-22 LAN, 4-15 mail routing and, 26-20, 28-36, 28-50 Network Dialup, 4-36, 4-46 Notes Direct Dialup, 4-35 passthru server, 4-29 port order and, 2-40 for replication, 7-20 scheduling mail routing, 28-50 troubleshooting, 63-39 Connections mail routing, 27-2 restricting SMTP inbound, 28-71 routing cost and, 28-39, 28-53 SSL, 46-18 tracing, 63-37, 63-77, A-59
troubleshooting in TCP/IP, 63-64 Console accessing from UNIX platforms, A-8 commands, 63-8, A-10, J-4 displaying performance events, C-97 monitoring events with, 52-22 password protecting, A-26, C-92 running server tasks, B-1 setting attributes, 52-21 XPC, C-121 Console command described, I-8 issuing remotely, J-4 Console_Log_Enabled setting described, C-15 Console_Log_Max_Kbytes setting described, C-16 Console_Loglevel setting described, C-15 Content categories Domain Catalog, 10-21 Content maps Domain Search and, 10-21 Controller commands, A-3 described, 16-28 starting and stopping, 16-29 Conversion between message formats, 27-1 IMAP mail files, 31-2 MIME messages, 28-122 Convert task enabling mail files for IMAP, 31-2, 31-30 Corporate hierarchies categorizing users by, 19-14 described, 19-13 Corruption database, 58-25 Cost reset for connections, 28-39 Country_Language setting described, C-16 CPU count value in Server document, F-64 Create IMAP delegation request, F-7 Create Mail-in database request, F-7 Create replica request, F-8 Create roaming user administration request, F-9 Create_File_Access setting described, C-17
Create_Replica_Access setting described, C-17 CRL. See Certificate revocation lists Cross-certificates, 39-29, 39-38 accessing servers with, 39-27 adding, 39-29, 39-33 to 39-34, 39-36, 47-15 creating, 39-29, 39-37 to 39-38 described, 39-27 displaying, 39-38 examples, 39-27, 39-31 in a hosted environment, 13-5 Internet, 39-28, 47-4 Person documents and, 39-37 S/MIME messages and, 39-27 Cross-domain administration requests described, F-70 Cross-domain Configuration document creating, 15-9 to 15-10 replicas and, 7-9 Cross-domain processing administration requests, 15-8 benefits of, 15-10 setting up, 15-9 CSRV50.NTF setting up, 46-3 CTF setting described, C-18 Custom Welcome Page creating, 5-87 Customer support contacting, 63-4 Customized client installation, 5-47
D
Data overwriting, 61-5 storing for a hosted organization, 13-7 Data directory certifier IDs and, 1-9 for a hosted organization, 13-5 restricting access, 49-4 Database access for SSL clients, 46-19 troubleshooting, 63-17, 63-19 to 63-20 Database activity monitoring, 58-11 reporting, 58-13 statistics, 58-12
Database Administrator, 38-8 Database analysis described, 58-37 of replication events, 58-6 running, 58-39 troubleshooting with, 63-2 Database cache disabling, 61-12, C-74 monitoring, 61-10 overview, 61-9 performance and, 63-19 size, C-74 Database catalogs administering, 51-4 assigning categories in, 51-6 categories in, 10-10 creating, 51-5 excluding databases from, 51-6 uses for, 51-4 Database creator access level, 40-3 Database design replicating, 63-86 tasks, 48-1 Database event generator creating, 52-5 Database fields increasing number of, 61-29 Database files displaying, 58-2 opening, 58-2 Database format determining, 61-17 upgrading, 31-28 Database instance ID overview, 55-2 Database libraries ACL, 51-1 adding databases, 51-3 creating, 51-2 defined, 51-1 deleting databases, 51-4 local, 51-2 location, 51-1 Database links creating, 49-3 creating on the Web, 34-27 deleting, 49-4 described, 49-2 managing, 32-7, 58-5 Database maintenance NOTES.INI settings, 58-41 Database management for mail journaling, 28-107
maintenance tasks, 58-1 tasks, 48-1 tools, 58-4 Database organization NOTES.INI settings, 49-6 Database performance improving, 60-9, 61-1, 61-3, 61-12 NOTES.INI settings, 61-29 troubleshooting, 63-16 Database quotas obeying for message delivery, 28-10 to 28-11 setting, 61-24 Database replicas creating, I-19 described, 7-1 Database view indexes purging, 58-23 Databases access level privileges, 7-7 access levels, 7-5 access problems, 63-17 adding documents, I-3, I-20 to I-21 administration servers and, 40-24 analyzing, 58-37 archiving, 58-37, 61-26, Archiving Log, 61-27 backing up, 55-2 categories in, 10-10 compacting, 61-13, 61-16, 61-21 to 61-23 controlling access to, 40-1 controlling creation of, 38-14 copying to servers, 48-2, 48-4 corrupted, 58-25, 63-43 creating, J-2 to J-3 deleting, 58-36, I-8 deleting documents from, I-9 deleting inactive documents, 61-25 excluding from Domain Index, 10-17 file format of, 61-17 forcing replication, 7-33 forcing SSL connections, 46-18 indexing, 10-7, 50-1 to 50-2 monitoring, 40-27, 58-1 moving, 54-32, 54-53, 54-62, 58-33, 58-35, F-36, F-39 organizing, 49-1 performance problems, 58-11 pinning and unpinning, 54-32, 54-45
replicating, 7-32, 58-6, I-19 replicating specific, 7-27 replication history, 58-6 replication log, 58-8 rolling out, 48-1 security, 40-19 server crashes and, 63-99 Server Web Navigator, 36-16 setting up to receive mail, 48-5 shortcut keys, H-4 signing, 48-7 size, 58-12 size, controlling, 28-112, 61-1, 61-13, 61-23 size, monitoring, 61-13 statistics, 58-11 synchronizing, 58-24 tools, 58-4 transaction logging, 58-25 troubleshooting, 58-26, 63-16, 63-84 updating, I-27 Databases, shared mail using multiple, 29-2 Dates on Web pages, 36-18 Daylight saving time settings described, C-29 to C-30 Dbcache flush described, A-13 DbDelete command described, I-8 DBIID, 55-2 DDE_Timeout setting described, C-18 Dead mail described, 28-41, A-39 holding, 28-40 releasing, 28-44 Debug_Outfile setting described, C-18 Debug_SSL_Cert setting described, C-19 Decommission Server Analysis tool running, 59-3 Default database security Web Administrator, 16-19 Default Global Domain document designating a, 27-55, 27-57 Default group access level, 40-2 Default subject extended ACL, 25-11
Default_Index_Lifetime_Days setting described, C-19 Delay notifications generating for low-priority mail, 28-30 Delegate mail file on administration server administration request, F-10 Delete command described, I-9 Delete database administration requests, F-10 Delete hosted organization administration requests, F-14 Delete Person administration requests described, F-78 Delete resource administration request, F-21 Delete Server administration requests described, F-25, F-78 hierarchical server names, F-81 Deletion stubs described, 63-90 purging, 7-12 Deletions replication and, 7-7 Deletions, soft defined, 61-8 effect on quotas, 28-11 performance and, 61-8 Delivery configuring for mail, 28-8 Delivery controls setting, 28-9 Delivery Failure Reports troubleshooting, 63-36 Delivery failures customizing message for, 28-46 quotas and, 28-16 Delivery status notification enabling, 28-96, 28-103 to 28-104 Delivery threads setting maximum number, 28-9, 60-11 Demand sets and database moves, 54-55 Deny_Access setting described, C-19 Deny_Access_portname setting described, C-20 Deployment certifier IDs, 1-7
Domino domains, 1-5 Domino environment, 1-14 guidepost, 1-1 naming conventions, 1-12 server functions, 1-2 server names, 1-3 server services, 1-11 Depositor access actions, 40-14 privileges, 40-16 Design menu hiding, C-71 Designer access actions, 40-14 privileges, 40-16 Designer task updating databases with, 58-24 Desktop policy settings creating, 9-14 Desktop setting described, C-20 Destination servers passthru, 4-28 Dialog boxes shortcut keys, H-5 Dialup connections described, 4-34 mail routing and, 27-59 number of modems for, 4-33 troubleshooting, 63-48 DIIOP server task starting, 34-10 DIIOP_Debug_Invoke described, C-22 DIIOPConfigUpdateInterval setting described, C-21 DIIOPCookieCheckAddress setting described, C-21 DIIOPCookieTimeout setting described, C-22 DIIOPDNSLookup setting described, C-22 DIIOPIgnorePortLimits setting described, C-23 DIIOPIORHost setting described, C-23 DIIOPLogLevel setting described, C-24 Dircat server described, 24-14, 24-8 Dircat task described, 24-8, 24-45 pausing, 24-48 planning, 24-14
restricting to one server, 24-15 running, 24-47 Tell commands, A-53 troubleshooting, 63-25 Dircat_Include_Readerslist_Notes setting described, C-24 Directories Domino server, 3-2 LDAP alternate languages searches, 20-30 search order of multiple, 18-15 troubleshooting, 63-21 Directories, secondary directory services for, 18-12 LDAP service, 18-3 Directory assistance authenticating, 42-23 client authentication, 23-3 compared to directory catalogs, 18-14, 24-4 concepts, 23-12 Configuration Directories and, 23-26 described, 23-1, 23-2 directory replicas, 23-36 domain names, 23-18 examples, 23-51 to 23-53, 23-55 Extended Directory Catalogs and, 23-22, 24-26 failover, 23-20, 23-22 group lookups for database authorization, 23-6 LDAP directories, 23-5 LDAP service and, 20-6, 23-17 monitoring, 23-60 naming rules, 23-12 Notes mail addressing and, 23-8 planning, 18-13 preventing LDAP searches of primary Domino Directory, 23-27 primary Domino Directory and, 23-26 remote primary directories and, 19-7 replicas, 23-20 search orders, 23-16 services, 23-3 setting up, 23-29, 23-33, 23-37 setting up servers to use, 23-30 statistics, 23-60 troubleshooting, 63-21, 63-40 updating name, F-60
Directory assistance database creating and replicating, 23-30 number of, 23-29 setting up servers to use, 23-30 Directory Assistance documents alias dereferencing, 23-48 Channel encryption option, 23-43 creating, 23-33, 23-37 described, 23-2 local directory replicas, 23-36 Notes distinguished name attribute in, 23-49 password in, 23-44 search filters in, 23-46 Directory Catalog Configuration document additional fields to include, 24-22 creating, 24-36, 24-43 directories to include, 24-15 documents to aggregate, 24-17 groups in, 24-19 performance settings, 24-30 Remove duplicate users, 24-18 selection formula, 24-20 sort order for, 24-29 Soundex option, 24-30 viewing, 24-48 Directory Catalog Status Report described, 24-49 Directory Cataloger. See Dircat task Directory catalogs client authentication and, 24-9, 24-11 compared to directory assistance, 18-14 controlling what aggregates, 24-16 described, 24-1 directories to include in, 24-15 documents aggregated, 24-17 fields to include, 24-22 groups in, 24-19 improving performance of, 24-18, 24-20, 24-27, 24-30 monitoring, 24-49 multiple, 24-33 Notes mail encryption, 24-14 offline, 11-21 offline applications and, 11-21 planning, 18-12, 24-9, 24-26, 24-29 removing duplicate users, 24-18 replicating, 24-32, 24-45 reports for, 24-49
selection formulas, 24-20 servers and, 24-4 setting up, 24-8, 24-34 to 24-35, 24-41 to 24-42 sorting, 24-29 Soundex and, 24-30 troubleshooting, 63-25, 63-40 Directory file name setting, F-60 Directory folders creating, 49-2 deleting, 49-2 Directory indexer described, 58-15 Directory links creating, 49-3 database corruption and, 2-9 deleting, 49-4 described, 49-1 network security and, 2-9 Directory Profile document described, 19-16 directory catalogs and, 24-35, 24-42 Directory searches order of, 18-15, 23-16 Directory servers described, 18-2 Notes clients and, 19-15 Directory services directory customization, 18-19 directory search order, 18-15 to 18-17 international, 18-18 Notes client, 18-10 overview, 18-1 secondary directories, 18-12 terminology, 18-20 Directory setting described, C-25 Directory tree verifying for LDAP service, 20-4 Directory type storing in Server record, F-63 Disable_Cluster_Replicator setting described, C-25 Disable_View_Rebuild_Opt setting described, C-25 DisabledPorts setting described, C-26 DisableLDAPOnAdmin setting described, C-26 Disclaimers adding to messages, 32-9
Disk I/O tuning performance, 60-15 Disk space displaying information on, 58-5 monitoring, 28-10 saving, 40-17 to 40-18 troubleshooting, 63-86 Disposition-Notification-To header configuring for return receipts, 28-116 Distinguished names Domino Directory and, 18-8 Internet certificates, 45-2 LDAP service and, 20-3, 20-25 to 20-26, 20-31 DNS defined, 2-11 described, 26-25 domains, 2-11 examples of MX records, 26-27 mail routing and, 27-49 multiple domains, 2-16, 2-19, 2-22 name resolution in NRPC and, 2-11, 2-15 to 2-17, 2-19, 2-22 outages in a hosted environment, 14-11 preventing problems with, 2-56 verifying connecting hosts in, 28-71 verifying sending domain in, 28-90 DNS Blacklist filters, 28-86 DNS lookups use in controlling inbound SMTP sessions, 28-71 Document tables forms and, 61-4 Documents adding, I-20 to I-21 archiving, 61-20 archiving from server, 61-27 archiving with agents, 61-27 to 61-28 categorizing for Domain Search, 10-21 concurrent editing of, 58-8 Configuration Settings, 27-18 deleting, I-9 deleting inactive, 61-25 finding by Note ID, 63-20 Foreign domain, 27-30 Foreign SMTP domain, 27-32 Global domain, 27-55 Non-adjacent domain, 27-26
DOLS. See Domino Off-Line Services Domain Catalog backing up, 10-18 categories in, 10-10, 10-21 creating, 10-6 described, 10-5 setting up, 10-2 updating, F-65 views in, 10-6 Domain Catalog server decommissioning, 59-12 Domain documents adjacent domains, 27-23 foreign domains, 27-30 global, 27-55 non-adjacent domains, 27-26 using multiple Internet domain names, 27-44 Domain Index adding databases, 10-7 adding file systems, 10-9 backing up, 10-18 creating, 10-14 deleting databases, 10-17 LDAP searches of, 20-36 location, 10-17 planning, 10-3 to 10-4 size, 10-11 to 10-12 updating, 10-14 Domain Indexer task performance, 10-16 setting up, 10-14 Domain Search described, 10-1 Notes users and, 10-19 NOTES.INI settings, 10-23 performance, 10-16 policy settings and, 10-19 security, 10-12 server requirements, 10-2 WANs and, 10-3 Web clients and, 10-20 Domain Search forms adding categories to, 10-10 customizing, 10-18 Domain Search results access to, 10-12 Domain Search server decommissioning, 59-12 Domain servers denying access, 38-7 Domain setting described, C-27
Domains communication between, 39-27 directory assistance, 23-18 DNS, 2-11 finding user names in, 5-85 mail routing and, 26-19, 26-21, 27-20 multiple DNS, 2-16, 2-19, 2-22 planning, 1-5 restricting mail in, 28-36, 28-55 verifying in DNS, 28-90 Domains, external connecting to, 4-18 DOMCFG.NSF, 34-48 creating, 34-49 Domino 5 certificate authority setting up, 45-1 setting up SSL on the CA server, 45-5 signing server certificates, 45-7 Domino 5 IMAP Initialization Workload script sample, J-5 Domino 5 IMAP Workload script sample, J-6 Domino Administrator Broadcast command, A-12 Configuration tab, 16-15 configuring mail routing, 27-18 creating groups with, 6-2 creating replicas, 7-9 disk space information, 58-5 displaying directory contents, 58-3 displaying files, 58-2 Domino Console, Domino Controller and, 16-28 Drop command, A-14 entering server commands, A-1 file information, 58-3 Files tab, 16-13, 58-2 installing, 16-1 Load command, A-15 managing databases with, 58-4 managing files with, 58-2 managing folders with, 58-5 Messaging tabs, 16-15 monitoring events with, 52-22 monitoring statistics with, 52-31 overview, 16-1 password protecting the console, A-26 People and Groups tab, 16-13 quitting a task from, A-46
remote console, A-5 to A-7 Replicate command, A-18 Replication tab, 16-15 Route command, A-24 running Server Setup program with, 3-18 server list, 16-4 Server tabs, 16-14 setting local attributes, 52-21 setting preferences, 16-5, 16-7 to 16-9, 16-11 setting up, 16-2 shortcut keys, H-3 Show Directory command, A-30 Show Diskspace command, A-31 Show Port command, A-33 Show Server command, A-36 Show Stat command, A-37 Show Tasks command, A-39 shutting down the server from, A-14 starting, 16-2 tabs, 16-13 Tell command, A-46 tools, 16-16 troubleshooting, 63-1 user interface, 16-3, 16-13 viewing hosted organizations, 14-14 viewing replication topology, 7-34 Web Administrator and, 16-23 Domino CA configuring application profile for, 45-4 creating, 45-2 in a hosted environment, 12-4, 13-3 server-based certification authority, 45-1 Domino CA server Domino 5, 45-1 setting up, 45-1 to 45-2 Domino Change Control database ACLs for, 54-51 to 54-52 database moves, 54-56 location, 54-34 Domino Change Manager and database moves, 54-55 and resource balancing, 54-47 to 54-48 maximum current tasks, 54-49 setting up, 54-48 Tell ChangeMan command, 54-50
Domino Character Console, A-8 Domino Configuration database creating, 34-49 Domino Console starting and stopping, 16-30 Web Administrator and, 16-28 Domino Controller default TCP port, 2-56 Domino Data folder displaying contents, 58-3 managing files in, 58-2 Domino Directory ACL, 19-10 adding Internet/intranet users to, 42-3 address lookup and, 27-47 administration server, 15-2 Administrators field, 19-12 authenticating Web clients with, 42-23 changing passwords, F-6 changing type, 19-5 Configuration Settings document, 27-18 creating Internet certificates, 47-10 creating subforms in, E-17 cross-certificates, 39-27 customizing, E-1 to E-2, E-4 to E-5 deleting groups from, F-11 deleting policy record from, F-20 deleting servers from, F-25, F-78 deleting users from, F-15 described, 19-1 distinguished names, 18-8 domain documents, 27-23, 27-26 global domain documents, 27-44 in a hosted environment, 12-2 lookup command, I-17 mail routing and, 26-9 mapping fields with Active Directory, 17-31 offline, 11-21 offline use, 32-8 performance settings, 19-1, 60-9 replicating, 19-17 restoring, 14-11 restricting name lookups, 27-47, 28-40 roles, 19-10 scheduled replication and, 7-20 secondary, 15-7, 23-1, 23-3, 23-8, 23-10, 23-33, C-68
server access and, 63-93 server registration and, 3-29 setting access to, 19-9, 20-16, 20-22 to 20-23 setting up primary, 19-2 synchronizing with Active Directory, 17-38 tools for adding entries, 18-7 tools for managing entries, 18-9 troubleshooting, 63-38 updating, I-18 upgrading to new default template, E-22 views in access control lists, 38-4 Domino Directory template copying, E-4 customizing, 18-19, E-22 Domino domains in Internet reply addresses, 27-54 mail routing and, 26-19 planning, 1-5 planning directory architecture, 18-2, 19-4 restricting mail, 28-36, 28-55 Domino environment building, 1-14 Domino LDAP Schema database. See Schema database Domino Management Information Base (MIB) overview, 53-7 using with SNMP, 53-21 Domino named network defined, 27-20 mail routing and, 26-19, 27-39 Domino Off-Line Services accessibility and, 11-23 administrator tasks, 11-2 agents and, 11-19 creating a security policy, 11-7 described, 11-1 in a hosted environment, 12-4, 13-20 overview, 11-1 security, 11-10 setting up the server for, 3-11, 32-2 troubleshooting, 11-23 Domino ORB setting up, 34-26, 34-29, 34-31 Domino Performance Zone Web site for, 60-1 Domino security application, 37-14
application design element, 37-15 overview, 37-1 planning, 37-11 Domino server access, 38-2 anonymous access for Notes users, 38-13 configuring for NDS, G-6 controlling browser client access, 38-22 customizing access to, 38-7 Indic language support, 3-17 installing, 3-1, 3-3 monitoring databases for, 52-1 NDS objects, G-2 planning services and tasks, 1-11 setting console attributes, 52-21 Setup program, 3-8, 3-17 to 3-18, 3-34 starting and shutting down, 3-46 Domino server event generator creating, 52-6 Domino server monitor adding a task, 52-43 adding servers, 52-44 described, 52-40 profiles, 52-43, 52-44 starting, 52-41 using, 52-44 views, 52-41 Domino SNMP Agent architecture, 53-5 completing configuration of, 53-18 configuring for AIX, 53-12 configuring for Linux, 53-13 configuring for Solaris, 53-14 configuring for Windows, 53-11 configuring for zOS, 53-17 manual start and stop, 53-20 overview, 53-1 system requirements, 53-7 troubleshooting, 53-24 Domino statistics Windows NT Performance Monitor and, 17-23 Domino system administration tasks, 48-1 Domino Web Engine configuring for Web Site documents, 34-23 Domino Web server, 34-1 configuring, 34-12
Internet port and protocol settings, 34-6, 34-8 to 34-9 log file, 56-8 to 56-10 logging server requests, 56-8 logging to text files, 56-10 running, 34-5 search results, 34-26 security, 34-8, 34-9 setting to work with other Web servers, 35-1 setting up, 34-4 Domino Web server log file setting up, 56-12 troubleshooting with, 63-2 DominoNoBanner setting described, C-27 DominoNoDirLinks setting described, C-28 DominoR5IntlURLDecoding setting described, C-28 DominoXURLProcess setting described, C-28 DOMLOG.NSF described, 56-8 viewing, 56-10 Downgrade user from roaming to non-roaming user, F-28 Downloading files improving performance for Web clients, 34-56 Drop command described, A-13, I-9 DSAPI values, 11-11 DSN enabling, 28-96, 28-103 to 28-104 DST setting described, C-29 DST_Begin_Date setting described, C-30 DST_End_Date setting described, C-30 DSTlaw setting described, C-29 Duplicate names, 24-18 during client authentication, 23-5 Duplicate Person documents directory catalogs and, 24-18 Dynamic cost reset interval resetting, 28-39 Dynamic lookup of host names, 27-49
E
ECL administration, 41-6, 41-11 creating a workstation, 41-12 described, 41-1 guidelines for creating, 41-6 Java applets and, 41-4 JavaScript and, 41-4 security access options, 41-3 updating a workstation, 41-13 workstation security and, 41-3 EditExpnumber setting described, C-31 EditImpnumber setting described, C-32 Editing concurrent, 58-8, 63-91 shortcut keys, H-6 to H-8 Editor access actions, 40-14 privileges, 40-16 EDNI document creating, 4-18 updating, F-65 Effective access extended ACLs and, 25-30 Effective policies described, 9-3 determining, 9-36 viewing, 9-37 to 9-38 EmptyTrash setting described, C-32 Enable_ACL_Files setting described, C-33 EnableBiDiNotes setting described, C-33 Encrypted fields indexing, 50-2 Encryption, 43-1 certificates, 2-41 defined, 43-4 dual Internet certificates and, 47-17 Internet transactions and, 40-31 mail, 43-4, 43-7 mail journaling and, 28-111 network data, 46-1 outbound mail routing, 24-14, C-90, C-100 to C-101 performance and, 43-4 SSL settings, C-108 EndCrit command described, I-10
End-to-end topology replication and, 4-8 End-user installations with Transform files, 5-50 Entries command described, I-10 Error messages Administration Process, 15-36, 63-8 Agent Manager and agents, 63-13 Domino Off-Line Services, 11-24 IPX/SPX network, 63-73 mail, 28-46 mail routing, 63-38 meetings and resources, 63-45 modems and remote connections, 63-50 network dialup connections, 63-74 OS/2, 63-100 partitioned servers, 63-78 replication, 63-82 server access, 63-91 to 63-93, 63-95 server crashes, 63-98 TCP/IP, 63-57, 63-61 Web Administrator, 63-108 Web Navigator, 63-107 Web server, 63-104 ErrorDelay command described, I-10 Escrow agent troubleshooting, 63-16 ESMTP supporting inbound extensions, 28-96 supporting outbound extensions, 28-103 ETRN extension enabling for inbound SMTP connections, 27-61, 28-96 Event filters creating, 52-19 viewing, 52-20 Event generators creating, 52-13 database, 52-5 defined, 52-3 disabling, 52-12 Domino server, 52-6 mail routing, 33-3, 52-7 statistic, 52-9 task status, 52-10 TCP server, 52-11 viewing, 52-14
Event handlers creating, 52-13, 52-17, 52-23 defined, 52-3, 52-14 disabling, 52-18 notification methods, 52-15 to 52-16 viewing, 52-20 Event messages viewing, 52-20 Event Monitor server task overview, 52-1, 52-3 Event task monitoring replication, 63-80 Events filtering, 52-19 from SNMP traps, 53-4 logging, 52-21 monitoring, 52-2, 52-22 notification methods, 52-15 severity levels, 52-4 types of, 52-16 viewing, 52-20 Examples directory assistance, 23-51 to 23-53, 23-55 extended ACL, 25-19 Extended Directory Catalogs, 23-53, 23-55 LDAP service write operations, 20-26 ldapsearch utility, 22-6 registering a hosted organization, 13-8 replication, 7-19 xSP server in a hosted environment, 12-16 Execution Control List. See ECL Execution Security Alert dialog box, 41-2 trusting signatures, 41-2, 41-13 Exit command described, A-14 Expired certificates renewing, 46-21 Explicit policies adding, 9-40 assigning, 9-40 changing, 9-40 described, 9-2 removing, 9-40 Extended accelerator keys. See Shortcut keys Extended access disabling, 25-31
enabling, 25-23 Extended ACLs activity log for, 25-31 changing, 25-28 described, 25-1, 25-3 directory, 18-7 disabling, 25-31 effective access and, 25-30 enabling, 25-23 examples of, 25-19 Extended Directory Catalogs and, 24-7 in a hosted environment, 13-6 LDAP and, 20-20, 25-6 other database security and, 25-2 planning, 25-22 privileges for, 25-2 to 25-3, 25-5 restoring, 14-11 schema database and, 25-7 setting up, 25-22, 25-24 subjects in, 25-9, 25-17 target scope, 25-14, 25-17 targets in, 25-12 to 25-13 troubleshooting, 25-30, 63-34 Extended administration servers removing, 15-34 setting up, 15-33 Extended Directory Catalogs benefits of, 24-5 central directory architecture and, 19-4 client authentication and, 23-3, 24-10 directory assistance and, 23-6, 23-8, 23-22, 23-33, 24-26 examples, 23-53, 23-55 full-text indexes, 24-26 groups for database authorization, 24-27 integrated into primary directory, 24-28 LDAP service, 23-10 multiple, 24-33 native documents, 24-7 planning, 24-26 replicating, 24-45 setting up, 24-41 to 24-42 size of, 24-26 Extended key usage public keys, 44-13 Extension manager Administration Process and, 15-30
in a hosted environment, 12-5 External companies communicating with, 39-27 External Domain Network Information document. See EDNI document External Internet mail preventing relaying, 28-75 External servers access levels for, 7-7 ExtMgr_AddIns setting described, C-34
F
Failover directory assistance, 23-20, 23-22 for mail routing, 28-40 Fault recovery, 55-10 cleanup script, 55-11 enabling, 55-11 operating systems and, 55-10 Fields customizing in Domino Directory, E-2 directory catalogs and, 24-22 LDAP attributes and, 21-4 Fields, database increasing number of, 61-29 performance and, 61-6 File format database, 61-17 mail, 31-28 File names key ring, 45-2 File protection, 34-42 File Protection documents, 34-41 described, 34-44 example, 34-42 File systems searching, 10-9 FileDlgDirectory setting described, C-34 Files compressing when uploading to Web, 34-29 displaying, 58-2 displaying information about, 58-3 downloading from Web server, 34-56 managing, 58-2 preferences, 16-7
protecting from Web access, 34-41, 34-44 replicating specific, 7-27 Files/Directories to Replicate field, 7-27 Filtering message, 28-20 Find name in domain request, F-29 FindbyKey command described, I-11 FindByName command described, I-12 Finger Internet service controlling access to, 36-7 Firewalls troubleshooting, 63-105 using a relay host, 27-58 Fixup task BRP files, C-115 options, 58-28 running, 58-26, 58-30 transaction logging and, 55-2 troubleshooting and, 63-99 use in preparing mail files for IMAP use, 31-29 Fixup_Tasks setting described, C-34 Flat names converting to hierarchical, 5-67, F-68, F-84 Folder prefixes IMAP, 31-15, 31-17 Folders creating, 40-17, 49-2 deleting, 49-2 managing, 58-5 Fonts mapping, C-117 Windows system, C-121 Foreign domains configuring, 27-30 scheduling and, 8-6 Foreign SMTP domain documents creating, 27-32 Internet mail configuration and, 27-58 Format preference for incoming mail setting for IMAP users, 31-3, 31-23, 31-35 setting for POP3 users, 30-7 Forms and document tables, 61-4 and object classes, 21-3
customizing in Domino Directory, E-2 HTML, 36-5 performance and, 61-3 Forwarding address in Person document, 27-42 Forwarding rules enabling and disabling support for, 28-9 FQDN as server's common name, 2-19 specifying in Connection document, 2-17 specifying in Server document, 2-16, 2-22 Frame types IPX, 63-70 TCP/IP, 63-68 Free Time database described, 8-1 troubleshooting, 63-45 Free-time lookups, 8-5 in non-adjacent domains, 8-6 FT_DOMAIN_DIRECTORY_NAME setting described, C-35 FT_DOMAIN_IDXTHDS setting described, C-35 FT_Index_Attachments setting described, C-36 FT_Intl_Setting setting described, C-36 FT_Max_Search_Results setting described, C-36 FT_No_Compwintitle setting described, C-37 FT_Summ_Default_Language setting described, C-38 FTG_No_Summary setting described, C-37 Full-text indexes creating, 50-2 deleting, 50-7 described, 50-1 directory catalogs and, 24-7, 24-25 disabling, C-115 Domain Search and, 10-2 LDAP service and, 20-15 security and, 50-2 size, 50-3 updating, 50-3, 50-5 to 50-6
G
Gateways routing mail to, 27-30 GetAll command described, I-12 GIF files Web server and, 34-24 Global Domain documents default, 27-55 in a hosted organization, 13-5 LDAP service and, 20-5 Global domains configuring, 27-44 defining multiple, 27-55 Global Web settings document, 34-40 creating, 13-21, 34-40 described, 13-19, 34-34 editing, 13-22 Gopher Internet service controlling access to, 36-7 Graphics Web server format, 34-24 Group documents editing, 6-10 object classes for, 21-5 Group members registering in Notes, 17-18 Group names finding, 6-15, F-29 in Internet message headers, 28-131 Groups adding and deleting members, 6-6 adding to Notes, 17-20 Administrator, 13-7 assigning a policy to, 6-9 creating and modifying, 6-2 creating with Domino Administrator, 6-2 creating with Web Administrator, 6-4 database authorization, 18-16, 23-6, 24-27 deleting, 6-14, 17-42 Deny List Only, 6-8 described, 6-1 directory catalogs and, 24-19 to 24-20, 24-35, 24-42 editing, 6-10 finding members, 6-18 mail, 28-32 managing, 6-8, 6-16
registering, 17-39 renaming, 6-10, 17-41, F-50 renaming immediately throughout domain, 6-13 troubleshooting, 63-20 Windows NT, 17-16
H
Headers resent, 28-131 Headline monitoring controlling, 38-16 performance and, 61-6 Health reports for servers, 54-11 to 54-12, 54-14 to 54-15 for servers, purging, 54-12 Health_Report_Purge_After_N_Days setting described, C-38 Help customer support, 63-4 Help command described, A-15, I-12 Hierarchical IDs cross-certification by phone, 39-33 cross-certification through Notes mail, 39-36 cross-certification through postal service, 39-34 Hierarchical names converting flat names to, 59-10, F-84 creating scheme for, 1-3 deleting servers with, F-81 Domino Directory and, 18-8 server registration and, 3-29 Hierarchical organizations certification and, 39-27 communication between, 39-27 Holding undeliverable mail in MAIL.BOX, 28-40 Holiday documents creating, 8-17 modifying, 8-20 Home pages for virtual servers, 3-42 Web server, 63-106 Host names DNS and, 26-25 mail routing and, 26-12, 27-49 restricting inbound connections by, 28-71
specifying in Server document, 2-16, 2-22 Hosted environments Domino features in, 12-4 example, 12-16 server options, 12-2 Hosted organizations access to Web sites, 14-12 anonymous access to databases, 14-4 deleting, 14-3, F-14 disabling services, 14-4 distribution of data, 12-9 Internet Site documents for, 13-18, 13-20 loopback addresses, 13-17 mail addressing to, 14-16 maintaining, 14-1 managing users, 14-14 managing users and groups, 14-16 moving to other servers, 14-5 on multiple servers, 14-2 policies for, 9-7, 13-4 registering, 13-5, 13-8, 13-11 registration, F-48 removing from an additional server, 14-10 security and, 12-3 server crash recovery in, 14-11 server environments for, 12-1 setting up Domino Certificate Authority for, 13-3 setup checklist, 13-3 using the Resource Reservations database, 14-12 using the Web Administrator, 14-15 viewing, 14-14 viewing Web Site and Internet Site documents, 13-20 Web Site documents for, 13-18, 13-20 to 13-21 HostedOrganizationAdmin group, 13-7 Hosting Java applets, 34-10 Hosts files system settings for, 2-13 HP OpenView and SNMP traps, 53-21 HTML displaying source for Server Web Navigator, 36-13
passthru, 34-2 HTML login form customizing, 42-10 HTML preferences in Server Web Navigator, 36-12 HTTP activity logging, 57-4 HTTP proxy connecting Server Web Navigator through, 36-3 HTTP server task running, 34-5 HTTP servers Domino working with the IBM HTTP Server, 35-2 setup mode setting, C-99 HTTP service binding to an IP address, 2-49 controlling access to, 36-7 in a hosted environment, 12-13 HTTP sessions tracking, 34-13 HTTPEnableConnectorHeaders setting described, C-39 HTTPLogUnauthorized setting described, C-39 HTTPS controlling access to, 36-7 SSL and, 46-18 Hub-and-spoke topology example of, 4-10 limitations of, 4-8 replication and, 4-6 Hunt group connection document creating, 4-31 Hunt groups described, 4-23, 4-31
I
IBM HTTP Server setting Domino to work with, 35-2 IBM Office Vision scheduling and, 8-6 IBM Tivoli Analyzer Activity Trends, 54-17 installing, 54-6 overview, 54-1 ICL. See Issued Certificate Lists ICMNotesPort setting described, C-40
Icons Administration Requests database, 15-23 ID recovery administration request, F-30 ID table Note IDs, I-12 Idle Workload script described, 62-14 running, 62-14 sample, J-4 IDs defined, 39-1 displaying certificates, 39-3 IMAP users and, 31-23 multiple-password, 39-6 password protection, 39-4 passwords for, 39-13 recovering, 39-14, 39-17 to 39-18, 39-20 security and, 37-16 server, recertifying, 59-9 IDs, certifier, 1-7, 3-34 to 3-35 Ignore message priority setting for mail routing, 28-39 IIOP in a hosted environment, 12-13 setting up, 34-10 Image display performance and, 61-3 Web server and, 34-24 ImailCheckForNewMail command described, I-13 ImailCloseMailbox command described, I-13 IMAILExactSize setting described, C-40 ImailFetchEntry command described, I-13 ImailFetchOld command described, I-14 ImailGetLastEntries command described, I-14 ImailGetNewMail command described, I-14 ImailHelp command described, I-14 ImailListMailboxes command described, I-14 ImailLogin command described, I-15 ImailLogout command described, I-15
ImailOpenMailbox command described, I-15 ImailPostMessage command described, I-15 ImailSetSeen command described, I-16 IMAP activity logging, 57-4 IMAP attributes adding to IMAP-enabled mail files, 31-3 IMAP delegation administration request, F-7 IMAP Initialization Workload script sample, J-5 IMAP protocol Domino mail server and, 26-5, 31-1 in a hosted environment, 12-13 IMAP public folders designating, 31-15 IMAP service and shared mail files, 31-12 authenticating options, 31-5 binding to an IP address, 2-47 changing default port information for, 31-6 configuring internal thread use, 31-19 customizing, 31-5 greetings, 31-21 limiting sessions, 31-9 logging in to server, I-15 logging out of server, I-15 mail commands, I-13 to I-16 NAMESPACE command, 31-12 to 31-13 setting up, 31-4 starting, 31-5 time-out setting, 60-12 IMAP users allowing SMTP relays from, 28-82 creating mail files for, 31-26 enabling mail files for, 31-2, 31-10, 31-27, 31-30 setting acceptable login names for, 31-24 setting up, 31-22 setting up Person documents for, 31-23 IMAP_Config_Update_Interval setting described, C-40
IMAP_Convert_Nodisable_Folder_Refs setting described, C-41 IMAP_Session_Timeout setting described, C-43 IMAPDisableFTIImmedUpdate setting described, C-42 IMAPDisableMsgCache setting described, C-42 IMAPGreeting setting described, C-42 IMAPNotesPort setting described, C-43 IMAPRedirectSSLGreeting setting described, C-43 IMAPShowIdleStatus setting described, C-44 IMAPSSLGreeting setting described, C-44 Inactive documents deleting, 61-25 Inbound connections restricting for SMTP, 28-71, 28-86 Inbound mail routing restricting, 28-70, 28-75, 28-90 Inbound relay controls enforcement of, 28-81 and message transfer, 28-85 Inbox folder adding documents to, J-2 Incoming Mail Sound setting described, C-44 Index command described, I-16 Index entries searching, I-11 to I-12 Index, Domain. See Domain Index Indexes creating, 50-2 deleting, 50-7, 58-23 described, 50-1 Domain Search and, 10-2, 48-7 encrypted fields, 50-2 replicating, 50-1 security and, 50-2 size, 50-3 troubleshooting and, 63-99 updating, 50-3, 50-5 to 50-6, 58-14 Indic languages support for, 3-17 INET_Authenticate_with_Secondary setting described, C-45
Informational logging, 28-7 iNotes Web Access active content filtering for, 32-8 adding disclaimers, 32-9 alternate name support in, 32-10 configuring, 32-4 creating a portal for, 32-3 customizing, 32-4, 32-7 to 32-9 overview, 32-1 registering users, 32-2 to 32-3 Sametime and, 3-14 setting up a server for, 3-13 Install directories customizing location of, 5-49 Installation automating client, 5-45 batch file, 5-46 client, 5-41 command line, 5-47 customizing client, 5-47 End-user with Transform files, 5-50 interactive mode, 3-5 multi-user client, 5-46 by scriptable setup, 5-52 script mode, 3-7 setting to multi-user by default, 5-49 setting up, 5-42 shared network directory, 5-43 silent, 3-7 single user, 5-43 on UNIX systems, 3-4 on Windows systems, 3-3 Installation options using Transform files, 5-49 InstallShield Tuner for Lotus Notes, 5-47 InstallType setting described, C-45 Interlaced rendering Web images and, 34-24 International characters LDAP service and, 20-32 International settings specifying for Web, 34-31 Internet anonymous access, 42-25 to 42-26 connecting Server Web Navigator through, 36-3 connecting to, 4-21 to 4-22, 4-40 creating a key ring and certificate request, 45-2
cross-certification, 39-37 enforcing encrypted transactions, 40-31 name-and-password authentication, 42-1, 42-6 security, 38-2, 38-4 Internet address changing, 5-73 Internet addresses adding senders in outbound mail, 27-50 formats for, 28-134 LDAP service and, 20-5 outbound mail, 27-54 as reply addresses, 27-52 Internet addresses, inbound looking up in the Domino Directory, 27-47 Internet certificates adding, F-4 adding to Domino Directory, 47-7 creating, 47-14 creating with Domino Directory, 47-10 deleting, 47-12 dual, 47-17 in a hosted environment, 12-4 signing, 47-7 SSL and S/MIME, 47-5 Internet clients name variations accepted for login, 31-24 Internet cross-certificates creating, 47-4 described, 39-28 Internet domains primary vs. aliases, 27-55 Internet mail, 27-38 restricting inbound, 28-90 restricting outbound, 28-98 to 28-99 restricting relays, 28-75 restricting who can receive, 28-92 routing, 26-23, 27-6, 27-34, 27-37 to 27-38, 36-9 troubleshooting, 63-107 Internet passwords, 42-24 security and, 42-24 user registration and, 42-3 Web Administrator, 16-19 Internet protocols setting up passwords for, 42-3 Internet services accessing, 36-7
binding to IP addresses, 2-47 controlling access to, 36-7 default TCP ports, 2-56 proxies for, 2-7 Internet Site documents configuring for hosted organization, 3-40, 13-20 creating, 3-40 and DNS outages, 14-11 in a hosted environment, 13-18 IMAP configuration and, 28-60, 31-6 overview, 3-37 POP3 configuration and, 30-3 SMTP configuration and, 28-59 Internet users renaming, 5-66 InterNotes server described, 36-1 saving HTML source, 36-13 setting up, 36-2 Intranets name-and-password authentication, 42-1 Invitations responding to, I-24 IP address configurations in a hosted environment, 12-5 IP addresses binding ports to, 2-46 to 2-47 binding to xSP servers, 13-16 DNS and, 26-25 multiple, 2-19, 2-22 partitioned servers and, 2-21, 2-50 resolving, 12-14 restricting inbound connections by, 28-71 using in Connection documents, 2-18 using in Server documents, 2-12 IP names specifying in Server document, 2-16, 2-22 IPv6 standard described, 2-25 enabling support for, 2-45, C-110 IPX/SPX assigning sockets, 2-62, C-70 frame types, 63-70 integrating Domino with, 2-29, G-1 name resolution in, 2-30, 63-72
Notes port for, 2-34 to 2-36, 2-38 to 2-42, 2-61 NOTES.INI settings, 2-64 security, 2-9 setting up servers on, 2-32, 2-61 Token-Ring and, 63-71 troubleshooting, 63-70 ISpy database creating mail-in database record for, F-7 ISpy task mail routing event generator and, 52-7 starting and stopping, 52-13 TCP server event generators and, 52-11 troubleshooting with, 63-2 Issued Certificate Lists described, 44-2
J
Java agents restricting, 40-18 Java applets hosting, 34-10 on Web server, 34-2 Java servlets managing, 34-13 JavaEnableJIT setting described, C-46 JavaJITName setting described, C-46 JavaMaxHeapSize setting described, C-46 JavaMinHeapSize setting described, C-47 JavaNoAsyncGC setting described, C-47 JavaNoClassGC setting described, C-47 JavaScript on Web server, 34-2 JavaStackSize setting described, C-48 JavaUserClasses setting described, C-48 JavaVerbose setting described, C-48 JavaVerboseGC setting described, C-49 Journaling mail, 28-105 methods, 28-109 retrieving journaled messages, 28-113 setting up, 28-106 JPEG files Web server and, 34-24
K
Keep alive headers sending to Web server, 34-53 Key ring files changing the password for, 46-22 creating a test version, 46-22 creating for internal CA, 45-2 displaying, 45-7 entering for server, 46-15 exporting, 45-7 merging a certificate from an external CA, 46-9 merging server certificates into, 46-12 naming, 45-2 viewing certificates, 46-20 Key usage extensions public keys, 44-12 Keyboard shortcuts. See Shortcut keys KeyFileName setting described, C-49 Keys private, 43-1 public, 43-1 KitType setting described, C-50
L
LAN Connection document creating, 4-15 LANA numbers NetBIOS ports and, 2-58 Language codes specifying for a character set group, 28-120 Language groups configuring font options for, 28-126 Languages choosing default for Web, 34-31 Domain Search and, 10-1 LDAP service tags, 20-29 LANnumber setting described, C-50
LANs connecting servers on, 4-15 integrating Domino with, 2-2 network compression and, 2-42 setting up servers on, 2-32 troubleshooting, 63-55 LDAP accounts compared to directory assistance, 23-9 planning, 18-5 LDAP activity logging information logged, 57-4 limiting information logged, 57-13 LDAP directories alias dereferencing and, 23-48 authenticating SSL clients, 46-25 authenticating Web clients with, 42-23 authenticating Web users with, 40-7 connecting using SSL, 47-23 described, 23-1 directory assistance, 23-3, 23-6, 23-9, 23-11, 23-37, 23-43 failover, 23-22 LDAP service referrals to, 20-33 lookup command, I-17 Notes distinguished names in, 23-49 search filters and, 23-46 server passwords for connecting, 23-44 LDAP features overview, 18-3 LDAP migration tool, 20-2 LDAP operations extended ACLs and, 25-6 LDAP schema checking, 21-18 to 21-19 described, 21-1 Domino, 21-2 Domino LDAP Schema database, 63-34 extending, 18-19, 21-10, 21-16 to 21-17, E-3, E-7 to E-9, E-16 to E-17, E-20 retrieving, 21-20 root DSE searches, 21-20 viewing, 21-9 LDAP service anonymous search access, 20-16 to 20-17, 20-20 binding to an IP address, 2-47
client setup, 20-34 condensed Directory Catalogs and, 20-6 configuration, 20-9, 20-37 described, 20-1 to 20-2 directory assistance and, 20-6, 23-10 to 23-11, 23-17 to 23-18 directory search order, 18-16 directory tree verification, 20-4 disabling, 20-8 distinguished names and, 20-3 Domain Index searches, 20-36 Extended Directory Catalogs and, 20-6 full-text indexes and, 20-15 in a hosted environment, 12-13 Internet address formation, 20-5 Internet Draft supported, 20-42 language tags, 20-29 monitoring, 20-37 name and password authentication failure, 63-31 name-and-password security, 20-31 NOTES.INI settings, 20-41 performance settings, 20-28 planning, 18-4 ports and port security, 20-12 preventing use of primary Domino Directory, 23-27 referrals, 20-33 RFCs supported, 20-42 schema daemon, 21-5, C-88 to C-89 schema database, 21-7 search, 20-28 secondary directories, 18-4 setting up, 20-7 starting and stopping, 20-8 statistics, 20-38 Tell commands, A-53 time-out setting, 20-28 troubleshooting, 63-31 Unicode and, 20-3 UTF-8 encoding, 20-32 write operations, 20-22 to 20-23, 20-25 to 20-26 LDAP_MailOnlyGroupOption setting LDAPGroupMembership setting, C-53
LDAPBatchAdds setting described, C-51 LDAPConfigUpdateInterval setting described, C-51 LDAPGroupMembership setting described, C-52 LDAPLookup command described, I-17 LDAPNotesPort setting described, C-53 LDAPPre55Outlook setting described, C-54 ldapsearch utility described, 22-1 examples, 22-6 operational attributes and, 22-5 parameters, 22-2 planning, 18-6 search filter operators, 22-5 search filters, 22-4 ldapsearch.exe retrieving schema with, 21-20 Leased-line connections connecting to the Internet by, 4-21 Librarians assigning, 51-3 database libraries, 51-2 Libraries. See Database libraries License tracking described, 5-85 License tracking information updating in Domino Directory, F-65 Linux configuring partitioned servers, 2-50 configuring SNMP Agent for, 53-13 Listener task Server document, 27-41 SMTP, 27-41 Live console Web Administrator and, 16-26 LNSNMP service removing, 53-11 LNSNMP.INI file configuring, 53-9 Load command described, A-15 Load server command running server tasks, B-1 troubleshooting, 63-91 LocalDomainAdmins group described, 6-2
LocalDomainServers group access level, 7-6, 40-3 described, 6-1 directory catalogs and, 24-20 Location documents Internet addresses in, 27-53 Location setting described, C-54 Log file accessing, 56-5 activity logging information, 57-1, 57-13 Agent Manager and agents, 63-12 analyzing, 56-5 compacting, 56-1 Domino server, 56-1 Domino Web server, 56-12 extended ACL, 25-31 logging modem I/O in, 63-48 NOTES.INI settings, 56-2 NSD, 63-96, 63-101 passthru connections and, 63-79 replication events, 58-8 replication views, 63-80 Results database, 56-5 Schedule Manager errors in, 63-47 searching, 56-5 selecting level of logging, 28-7, 56-3 troubleshooting with, 63-2 using commands to record information, 56-3 viewing the Domino server, 56-3 Log filters for events, 52-15 Log setting described, C-55 for log file size, 56-1 LOG.NSF, 28-7 introduced, 56-1 monitoring servers and, 52-3 Log_AgentManager setting described, C-55 Log_Authentication setting described, C-56 Log_Connections setting described, C-57 Log_Console setting described, C-57 Log_DirCat setting described, C-58 Log_Replication setting described, C-59 troubleshooting and, 63-80
Log_Sessions setting described, C-59 Log_Tasks setting described, C-60 Log_Update setting described, C-60 Log_View_Events setting described, C-61 LogFile_Dir setting described, C-58 Logging configuring for Domino Web server, 56-12 to the console, 52-21 informational, 28-7 internal server errors, 56-10 phone calls, C-76 replication, 63-80 Web server requests, 56-8 Logging level selecting, 28-7 Login names authentication for Internet clients, 31-24 Login scripts editing, 4-51 making a call with, 4-50 Lookup command described, I-17 Loopback addresses creating, 13-17 Lotus NDS Manager administering Windows clients with, G-3 for IPX/SPX setup, G-1 Lotus Organizer scheduling and, 8-6 Lotus Support Services contacting, 63-4 Web site, 63-4 LotusScript agents restricting, 40-18 Low-priority mail generating delay notifications for, 28-30 LSCHEMA.LDIF described, 21-2, 21-5
M
Mail blocking, 28-20 encrypting, 28-9, 43-4, 43-7, 47-13, 47-15, C-90 error messages, 28-46
held, 28-16 limiting the size of messages, 28-28 pending, 28-16 polling, I-19 restricting, 28-70, 28-90 routing from Web page, 36-9 security, 29-4 shortcut keys, H-7 to H-8 signing, 43-9, 43-11, C-90 tracing connections, 63-37 virus protection, C-71 Mail activity logging information logged, 57-6 Mail addresses formats for Internet, 28-134 Mail addressing directory assistance and, 23-8 directory catalogs and, 24-4, 24-29 domain names and, 63-40 format for sending to another Domino domain, 26-21 and groups, 28-32 for hosted environments, 14-16 Mobile Directory Catalogs and, 24-3 type-ahead, 28-6 Mail agents controlling, 28-9 Mail clients POP3, 30-11 supported, 26-15 Mail connections routing and, 27-2 Mail conversion utility enabling mail files for IMAP, 31-2 Mail databases archive criteria, 9-28 archive log, 9-24 archiving, 9-22, 9-25 IMAP service and, 31-2 moving, 54-53 overview, 26-12 sharing IMAP, 31-13 Mail delivery configuring, 28-8 shared mail and, 29-8 Mail encryption administration request, F-31 Mail file quotas enforcing, 28-14, 28-28 shared mail and, 29-4 soft deletions and, 28-14
Mail file size calculating, 28-14 Mail files converting for IMAP, 31-2, 31-10, 31-29 to 31-30 creating, J-4, 31-26 delegating access to, F-9 to F-10, 31-13 deleting during Delete user, 5-73 encrypting, 31-24, 43-8 for hosted organizations, 13-5 initializing, J-4 move request, F-31 moving, 5-77, 29-21 overview, 26-12 POP3 user and, 30-10 quotas, 28-10 to 28-11, 28-15 to 28-16, 28-28 replication and shared mail, 29-19 shared, 31-13 troubleshooting, 63-36 Mail files, storage format, 26-13 setting for IMAP users, 31-3, 31-23, 31-35 setting for POP3 users, 30-7 Mail journaling defined, 28-105 retrieving journaled messages, 28-113 specifying messages to journal, 28-113 Mail Journaling database managing, 28-109 setting up, 28-106 Mail menu hiding, C-72 Mail Notification Agent, 5-57 Mail priority level, 28-27 disregarding during routing, 28-39 Mail protocols in a hosted environment, 12-13 supported, 26-2 Mail recipients looking up in the Domino Directory, 27-47 restricting, 28-92 Mail relays and outbound mail routing, 27-33 restricting, 28-75 Mail reports generating, 33-12 setting up a Reports database, 33-4
troubleshooting with, 63-2 Mail routing configuring, 27-37 configuring delivery, 28-8 connection costs and, 28-53 controlling message transfer, 28-26 customizing Notes routing, 28-50 described, 26-1, 26-8 DNS and, 26-25 domain documents and, 27-23, 27-26 Domino Directory and, 26-9 examples, 27-9 forwarding addresses, 27-42 improving performance, 28-2 to 28-3 IP addresses and, 26-10, 26-12 in local Internet domain, 27-4, 27-39 logging and, 28-7 mail clients and, 27-3 for mail outside the local Internet domain, 27-6, 27-38, 28-85 MAIL.BOX databases and, 28-3 to 28-4 message priority and, 28-27 Notes protocols and, 26-17, 26-19 to 27-20, 28-36 obeying database quotas, 28-11 over dialup connections, 27-59 over SMTP, 26-23, 27-32, 27-34, 27-37, 28-57 relay hosts and, 27-33 requirements, 28-2 resolving addresses, 27-42 restricting for Notes, 27-28, 27-31, 28-55 restricting inbound Internet mail, 28-71, 28-90 restricting inbound mail, 28-70 restricting inbound relays, 28-75 restricting message size, 28-28 restricting outbound messages, 28-98 to 28-99 restricting recipients, 28-92 Route command, A-24 routing table and, 26-10 scheduling Notes routing, 28-50 SMTP, 27-41 SMTP protocol and, 26-21 stopping, 27-5 topology, 27-2 troubleshooting, 63-36
using a firewall, 27-58 using a smart host, 27-43 using multiple Internet domain names, 27-44 using multiple mailboxes, 28-4 workstation setup, 63-42 Mail routing event generators creating, 52-7 Mail rules forwarding, 28-9 journaling, 28-113 reloading, 28-21 setting server, 28-20 Mail servers described, 26-1, 26-5 Mail storage formats, 26-13 Mail templates MAIL6EX.NTF, 32-11 Mail trace troubleshooting with, 63-2 Mail tracking configuring servers for, 33-8 from the Domino Administrator, 33-10 overview, 33-1 troubleshooting with, 63-2 Mail Tracking Collector task controlling, 33-5 Mail usage reports described, 33-2 generating, 33-12 viewing, 33-16 Mail, dead described, 28-41, A-39 Mail, undeliverable releasing from server, A-39 returning, 28-37 MAIL.BOX databases compacting, 63-43 corrupt, 63-43 described, 27-1 setting up multiple, 28-3 to 28-4 troubleshooting with, 63-2 undeliverable mail, 28-41 Mail/ID registration options Windows NT and Notes, 17-11 Mail_Disable_Implicit_Sender_Key setting described, C-64 Mail_Log_To_MiscEvents setting described, C-64 Mail_Skip_NoKey_Dialog setting described, C-65
MAIL6EX.NTF using, 32-11 Mailboxes setting number of, 60-12 setting up multiple, 28-3 to 28-4 MailCharSet setting described, C-61 MailCompactDisabled setting described, C-63 MailCompactHour setting described, C-63 MailConvertMIMEonTransfer setting described, C-63 Mail-in Database document creating, 48-5 statistics, 52-35 Mail-in statistics using, 52-35 MailServer setting described, C-64 MailSystem setting described, C-65 MailTimeout setting, 28-37 described, C-66 MailTimeoutMinutes setting described, C-66 Mailto setting up, 36-9 Maintain Trends database record request, F-30 Manage Groups tool using, 6-16 Manager access actions, 40-14 privileges, 40-16 Map_Retry_Delay setting described, C-66 Maps replication topology, 7-34 Master Address Book. See Directory assistance Maximum concurrent transfer threads setting, 28-33 Maximum delivery threads, 28-9 Maximum hops setting, 28-33 Maximum message size setting, 28-28 Maximum transfer threads setting, 28-33, 60-11 Maximum Transmission Unit. See MTU setting
Meetings troubleshooting, 63-45 Memory displaying, A-32 Memory requirements for servers, 60-3 Memory_Quota setting described, C-67 Message caching disabling, C-73 Message conversion mail routing and, 27-1 Message delivery configuring, 28-8, 60-11 Message filtering using mail rules for, 28-20 Message headers MIME, 28-131, 28-134 Message journaling. See Mail journaling Message priority level, 28-27 disregarding during routing, 28-39 Message size restricting, 28-28 Message tracking configuring servers for, 33-8 controlling, 33-5 from the Domino Administrator, 33-10 overview, 33-1 in Web Administrator, 16-27 Message transfer controlling, 28-26, 28-33 Message validation SSL, 46-1 Messages disabling, A-22, A-44 encrypting for delivery, 28-9 MIB overview, 53-7 using with SNMP, 53-21 Microsoft Active Directory deleting users and groups, 17-42 directory assistance search filters, 23-46 mapping containers to Notes certifiers and policies, 17-32 mapping fields with Domino Directory, 17-31 registering existing users, 17-35 registering new groups, 17-39 registering new users, 17-33 renaming users and groups, 17-41
synchronizing with Domino Directory, 17-25, 17-38 Microsoft IIS setting Domino to work with, 35-3 Microsoft Management Console Notes registration and, 17-29 MIME messages 8-bit and ESMTP, 28-96, 28-103 to 28-104 converting, 28-122 converting addresses in, 27-50 converting to Notes format, 27-1 Domino mail server and, 26-3 encrypting, C-100, C-101 setting character set options for, 28-118 setting options for processing, 28-115 Minimal logging, 28-7 MinNewMailPoll setting described, C-67 Miscellaneous Events view corruption messages, 58-25 Mixed-release environments log file analysis, 56-7 MMC Notes registration and, 17-29 Mobile directory catalogs described, 24-3 multiple, 24-33 setting up, 24-34 to 24-35 Modem command files described, 4-34 modifying, 4-49 troubleshooting, 63-48 Modems displaying input/output, C-121 logging modem I/O, 63-48 number to use, 4-33 troubleshooting, 63-48 Modify CA Configuration in Domino Directory request, F-30 Modify ID recovery information in Domino Directory request, F-30 Modify room/resource in Domino Directory request, F-31 Modify user information stored in Domino Directory administration request, F-31 Monitoring checklist for, 63-6 database cache, 61-10
database size, 61-13 events, 52-22, 52-24 events and statistics, 52-2 headline, 38-16 mail, 26-17 overview, 52-1 performance, 52-36 server activity, 54-17 server connections, 52-6 server tasks for, 52-1 Server.Load metrics, 62-10 setting preferences for, 16-8, 52-25 statistics, 52-9, 52-31 threshold values, in Server Health Monitor, 54-10 tools, 52-1 to 54-2 Monitoring Configuration database described, 52-1 document types, 52-2 location, C-83 viewing statistics in, 52-32 wizards for, 52-13 Monitoring Results database described, 52-1 performance statistics and, 52-36 Move mail file administration requests, F-31 Move roaming user administration requests, F-42 Move_Mail_File_Expiration_Days setting described, C-67 MT Collector task controlling, 33-5 described, 33-1 MTA servers and interoperability with other mail systems, 26-14 MTC task controlling, 33-5 described, 33-1 MTCDailyTasksHour setting described, C-68 MTMaxResponses setting described, C-68 MTU setting troubleshooting, 63-68 Multilingual applications setting up Web for, 34-32 Multiple replicators and scheduled replication, 7-30 Multiple-password IDs described, 39-6
N
NABRetrievalPOP3Mail command described, I-18 NABUpdate command described, I-18 NAMAGENT.NSF Server.Load agents, 62-4 Name and Address Book. See Domino Directory Name change refusing, F-56 Name lookups restricting, 27-47 restricting to primary directory, 28-40 Name resolution in IPX troubleshooting, 63-72 Name resolution in NRPC described, 2-4 ensuring DNS resolves, 2-16 to 2-17, 2-19, 2-22 over IPX/SPX, 2-30 over NetBIOS, 2-28 over TCP/IP, 2-11, 2-15, 2-44 troubleshooting, 63-66 Name services Microsoft, 2-13 NetWare, 2-30 to 2-32, 2-61 to 2-62 Notes, 2-4 Name-and-password authentication, 42-8, 46-15 customizing, 42-3 directory assistance and, 23-3 Internet/intranet clients and, 28-60, 31-2, 42-1 LDAP service and, 20-12, 20-31 level, 42-19 session-based, 42-6, 42-8, 42-10 setting up users, 42-3 virtual servers, 3-42 Names changing, 5-56 to 5-57 for Policy documents, 9-32 for servers, 2-15, 2-17, 2-19, 2-22, 59-10 Internet authentication and, 31-24 NDS, 2-62
server, deleting, 59-8 server, finding, 59-11 Names setting described, C-68 NAMES.NSF, 19-1 customizing, E-22 NAMESPACE command enabling support for, 31-12 to 31-13 Naming contexts. See Naming rules Naming conventions ACL, 40-4 Domino system, 1-12 hierarchical, 1-3 Notes named networks, 2-33 ports, 2-38 Program documents, B-2 servers, 2-14, 2-29, 2-31 to 2-32 Naming rules directory assistance, 23-12 LDAP service and, 23-17 trusted, 23-14 NAT using, 2-18 Navigate command described, I-18 NDS Domino server and, G-1 Notes workstations and, G-5 NOTES.INI setting, G-7 passwords, C-75 server names and, 2-32 specifying distinguished names, 2-62 user IDs, C-75 NDS objects Domino server, G-1 to G-2 managing, G-4 Nested groups database authorization, 23-7 NetBIOS integrating Domino with, 2-26 name resolution in, 2-28 Notes port for, 2-34 to 2-36, 2-38 to 2-42, 2-58, 2-60 setting up servers for, 2-32, 2-58 Netscape trusted root, 46-11 Web Administrator and, 16-23 NetWare name services, 2-30 to 2-32, 2-61 to 2-62 NetWare Administrator Domino and, G-2, G-4
NetWareSocket setting described, C-70 NetWareSpxSettings setting described, C-70 Network Address Translation. See NAT Network connections dropping, I-9 testing, 63-77 tracing, 63-77, A-59, C-76 Network Dialup encrypting Connection documents, 4-46 setting up servers to use, 4-36 troubleshooting, 63-74 Network ports adding, 2-36, 2-60 binding to IP addresses, 2-46 to 2-47 compressing data on, 2-42 configuring, 2-35, 2-58 deleting, 2-40 disabling, 2-34 encrypting, 2-41 fine-tuning, 2-34 renaming, 2-38 reordering, 2-39, 2-45 Server Setup program and, 2-2 TCP/IP, 2-12, 2-22 Network protocols compatible with Domino, 2-2 defined, 2-1 specifying, 4-16 Networks integrating Domino with, 2-1, 2-10, 2-26, 2-29 name resolution, 2-4, 2-11 NOTES.INI settings, 2-64 security, 2-6 to 2-7 NewMail command described, I-19 NewMailInterval setting described, C-70 NewMailTune setting Incoming Mail Sound setting, C-44 NewReplicateDB command described, I-19 NewUserServer setting described, C-71 NIS preventing problems with, 2-56 NNN. See Notes named networks
No access assigning, 40-14 privileges, 40-16 No_Force_Activity_Logging setting described, C-72 NoDesignMenu setting described, C-71 NoExternalApps setting described, C-71 NoMailMenu setting described, C-72 NoMsgCache setting described, C-73 Nonroaming users change to roaming, 5-70 Normal logging, 28-7 Note ID finding documents by, 63-20 table of, I-12 NoteAdd command described, I-20 Notes registering Windows NT users, 17-1, 17-8, 17-12, 17-14 synchronizing with Windows NT, 17-2 to 17-3 Notes client authentication with directory assistance, 23-6 authentication with directory catalogs, 24-11 connecting to servers, 4-55 directory servers, 19-15 directory services, 18-10 installation in a shared directory, 5-43 LDAP service and, 20-34 Notes Direct Dialup Connection documents, 4-35 described, 4-34 setting up, 4-44 Notes domains. See Domino domains Notes IDs about, 39-1 to 39-2 Notes items sending in Internet message headers, 28-134 Notes mail condensed Directory Catalogs and, 24-29 directory assistance and, 23-8 directory catalogs and, 24-1, 24-3 to 24-4, 24-14
Notes name lookups directory search order, 18-17 Notes Name Service described, 2-4 Notes named networks defined, 2-3 mail routing and, 26-18 setting up, 2-33 Notes names LDAP directories and, 23-49 Notes network ports. See Network ports Notes protocols mail routing and, 26-3, 26-19, 27-4, 27-20, 27-32, 28-50 Notes Remote Procedure Call service. See NRPC service Notes rich text format in mail messages, 26-13, 27-1 Notes RPC. See NRPC service Notes templates table of, D-1 Notes workstations configuring for NDS, G-5 NOTES.INI file adding settings, A-25 editing, 16-27, C-1 NOTES.INI settings Agent Manager, 60-6 database maintenance, 58-41 database organization, 49-6 database performance, 60-9, 61-29 Domain Search, 10-23 iNotes Web Access, 32-8 to 32-9 LDAP service, 20-41 log files, 56-2 mail, 63-43 NDS, G-7 networks, 2-64 scheduling server tasks, B-2 schema daemon, 21-21 server performance and, 60-4 UNIX server, 60-14 NotesBench described, 60-2 Novell Directory Service. See NDS NRPC mail routing and, 26-3, 26-17 troubleshooting, 63-55 NRPC Mail Initialization Workload script sample, J-8
NRPC service binding to an IP address, 2-46 default TCP port, 2-55 described, 2-2 encrypting, 2-41 name resolution in, 2-4, 2-11, 2-15 to 2-17, 2-19, 2-22, 2-28, 2-30 NSD log file troubleshooting and, 63-96, 63-101 NSF_Buffer_Pool_Size setting described, C-73 NSF_DbCache_Disable setting described, C-74 NSF_DbCache_Maxentries setting described, C-74 Null modems troubleshooting, 63-51 Num_Compact_Rename_Retries setting described, C-74 NWNDSPassword setting described, C-75 NWNDSUserID setting described, C-75
O
Object class hierarchy described, 21-1 Object classes adding to schema, 21-14 described, 21-1, 21-3 extending, 21-11 for Group documents, 21-5 for Person documents, 21-4 Object collect task use in generating shared mail statistics, 29-13 use in resynchronizing mail files, 29-22 Object Link command use in managing shared mail, 29-15 Object Request Broker. See Domino ORB Object store defined, 29-1 managing growth of, 29-10 to 29-11 Offline Security Policy document creating, 11-7 Offline Subscription Configuration profile document creating, 11-11
editing, 11-11 Offline subscriptions overview, 11-1 Offline users security, 11-7 tracking, 11-22 OID for LDAP described, 21-12 On-demand cross-certificates, 39-32 Online Meeting Place in the Resource Reservations database, 8-9 Open command described, I-20 Open relays defined, 28-76 preventing, 28-76 OpenView for Windows and SNMP traps, 53-21 ORB. See Domino ORB Organization certifier IDs, 1-8 creating, 3-34 Organization hierarchy moving user names in, 5-61 Organizational policies described, 9-2 Organizational unit certifier IDs, 1-8 creating, 3-35 Organizational units Internet, 45-2 restricting mail based on, 28-55 Organizations restricting mail based on, 28-55 OS/2 error codes, 63-100 troubleshooting, 63-100 OS/390. See zOS OtherDomainServers group access level, 7-6, 40-3 described, 6-1 directory catalogs and, 24-20 Over quota enforcement configuring, 28-17
P
Packing density condensed Directory Catalogs, 24-31 Partitioned servers described, 1-6 in a hosted environment, 12-2
IP addresses and, 2-21, 2-50, 2-53 multiple Web sites and, 2-49, 34-20 performance, 60-5 port mapping, 2-53 removing, 59-13 SNMP and, 53-9 troubleshooting, 63-78 Passthru connections activity logging through, 57-9 hangup delay setting, C-76 troubleshooting, 2-12, 63-79 Passthru HTML, 34-2 Passthru servers as application proxies for NRPC, 2-8 configuring, 4-27 Connection documents, 4-29 controlling access to, 38-17 creating a topology, 4-25 described, 4-23 destination servers and, 4-28 topology example, 4-26 using with hunt groups, 4-24 Passthru_Hangup_Delay setting described, C-76 Passthru_LogLevel setting described, C-76 Password quality scale described, 39-7 levels, 39-4 Password recovery. See IDs, recovering Passwords assigning, 39-4, 39-8, 42-3 change intervals for, 39-10 changing, F-6 checking during authentication, 39-8, 39-12, F-60 console, A-26 Directory Assistance documents, 23-44 IDs and, 39-4 Internet, 42-24 for key ring file, 45-2, 46-22 multiple, 39-6, 39-13 NDS, C-75 recovering. See IDs, recovering server console, C-92 troubleshooting, 63-104 verifying, 39-8, 39-11 Pause command described, I-21
PC-Pine client configuring, 31-39 PEER Agent and SNMP Agent, 53-14 Peer-to-peer topology example of, 4-11 replication and, 4-8 People registering Internet/intranet, 42-3 Performance database cache and, 61-9 directory catalogs, 24-18, 24-20, 24-27, 24-30 Domino Directory, 19-1 Domino Performance Zone Web site, 60-1 encryption and, 43-4 improving, 60-1, 60-3, 61-12 LDAP service, 20-28 mail, 26-17, 28-3, 28-6 mail routing, 28-2 monitoring, 52-36 networks, 2-42 optimizing, 61-1, 61-3 Server Health Monitor, 54-12 sources for improving, 60-15 tools, 60-2 troubleshooting, 63-16 tuning disk I/O, 60-15 UNIX server, 60-14 view indexes and, 58-23 Web server, 34-52 Windows server, 60-13 Person documents changing during synchronization, 17-5 IMAP users and, 31-23 Internet Address field, 27-50, 27-53 mail routing and, 26-10 object classes for, 21-4 password checking, F-60 POP3 users and, 30-7 SSL clients, 47-20 Personal Address Book missing views and, 63-42 PhoneLog setting described, C-76 PHP configuring a Web site for, 34-40 Pin lists creating, 54-32 Ping, 27-38 troubleshooting and, 63-77
Pipelining commands supporting via ESMTP, 28-96, 28-103 to 28-104 PKCS11_Library setting described, C-77 Platform command described, A-16 using, 52-28 Platform statistics disabling, 52-30, C-77 displaying, 52-27 evaluating, 52-28 overview, 52-26 troubleshooting, 63-52 viewing, 52-30 Platform_Statistics_Disabled setting described, C-77 Policies assigning, 9-6, 9-40 child policy, 9-4, 9-34 creating, 9-7 examples, 9-4 exceptions, 9-3 for hosted organizations, 9-7, 12-4 with Notes synchronization, 17-6 overview, 9-1 planning, 9-6 troubleshooting, 63-109 types of, 9-2 viewing, 9-37 to 9-38 Policy documents child policy, 9-34 creating, 9-32 deleting, 9-35 in a hosted environment, 13-4 names in, 9-32 Policy hierarchy effective policy, 9-36 examples, 9-4 Policy settings deleting, 9-35 described, 9-1 desktop, 9-14 editing, 9-35 groups, 6-9 inheritance, 9-4 registration, 9-7 security, 9-19 setup, 9-12 viewing, 9-38 in Web Administrator, 16-25 Policy Synopsis tool using, 9-36
Policy viewer described, 9-37 using, 9-38 Policy-based registration with Notes synchronization, 17-6 POP3 Initialization Workload script running, 62-27 sample, J-14 POP3 protocol Domino mail server and, 26-5 in a hosted environment, 12-13 POP3 service authentication and, 30-2 binding to an IP address, 2-47 changing default port information for, 30-3 clients, 30-11 described, 30-1 DNS lookups, C-78 Internet domain names, C-79 mail commands, I-18, I-23 marking messages as read, C-79 message caching, C-78 to C-80 Notes port for TCP/IP, C-80 setting up, 30-2 starting, 30-3 updating configuration, C-78 POP3 users activity logging, 57-10 allowing SMTP relays from, 28-82 creating mail files for, 30-10 enabling to send mail, 30-1 setting up, 30-7 POP3 Workload script described, 62-26 running, 62-28 sample, J-14 POP3_Disable_Cache setting described, C-78 POP3_Enable_Cache_Stats setting described, C-79 POP3_Message_Stat_Cache_NumPerUser setting described, C-80 POP3ConfigUpdateInterval setting described, C-78 POP3DNSLookup setting described, C-78 POP3Domain setting described, C-79 POP3MarkRead setting described, C-79 POP3NotesPort setting described, C-80
Populate command described, I-21 Port mapping on partitioned servers, 2-53 Portals creating for iNotes Web Access, 32-3 portname_MaxSessions setting described, C-80 troubleshooting and, 63-59 to 63-60 Ports adding, 2-36, 2-60 binding to IP addresses, 2-46 to 2-47 cluster servers and, C-91 compressing data on, 2-42 configuring, 2-35, 28-66, 30-3, 31-5 controlling access to, 38-14 deleting, 2-40 disabling, 2-34 dropping connections, I-9 enabling, C-81 encrypting, 2-41 for LDAP service, 20-12 maximum sessions, C-80 names, 2-38 renaming, 2-38 reordering, 2-39, 2-45 Server Setup program and, 2-2 SMTP, C-104 specifying, 4-16 SSL, 46-15, 2-55 starting and stopping, A-22 TCP, 2-55, C-110 to C-111 Ports setting described, C-81 Ports, communication options, 4-47 setting up, 4-34 POST command restricting, 34-29 Pre-delivery agents controlling, 28-9 Preferences Domino Administrator, 16-5, 16-7 to 16-9, 16-11 Web Administrator, 16-24 Primary Domino Directory changing to Configuration Directory, 19-5 directory assistance for, 23-26, 23-33
excluding from LDAP searches, 23-27 Extended Directory Catalog in, 24-28 preventing use as remote primary, 19-8 Priority mail routing and, 28-27 Private design elements notifying user of change to, 5-57 Private keys encryption and, 43-1 Notes certification, 39-2 Privileges access level, 40-16 extended ACL, 25-3, 25-5 Probes. See Event generators Profiles Activity Trends, 54-22 to 54-25 Server Health Monitor, 54-13 Server monitor, 52-43, 54-13 statistic, 52-39 Program document to compact ADMIN4.NSF, 15-27 naming conventions for, B-1 for scheduling Updall, 50-5 ProgramMode setting described, C-81 Progressive rendering Web images and, 34-24 Properties boxes shortcut keys, H-5 Proxies defined, 2-7 Domino passthru servers as, 2-8 HTTP, 2-7 Internet connections and, 4-22 specifying for Server Web Navigator, 36-3 PTR records in DNS, 28-71 Public access, 40-18 assigning, 40-18 Public Address Book, 19-1 passthru access, 38-17 server access, 38-4 Server documents, 39-25 Public documents, 40-18 access to, 40-18 Public folders IMAP, 31-13, 31-15 Public keys copying, 58-26, 63-96, F-6 creating, 39-23 to 39-24
cross-certification and, 39-33 described, 38-1, 39-2 encryption and, 43-1, 43-4 lost or stolen, 39-22 mailing, 39-25 replacing in address book, 39-23 restricting, 44-12 verifying, 39-25 Publishing to database libraries, 51-3 LDAP schema, 21-20 PUBNAMES.NTF copying, E-4 customizing, E-1 upgrading, E-22 Pull routing configuring for dialup connections, 27-60 Pull server command, 7-31 described, A-17 Pull-only replication specifying, 7-23, C-95 Purge agent enabling, 36-17 Server Web Navigator, 36-15 Purge interval deletion stubs and, 7-12 setting, 28-33 Purge/Compact method for managing size of Mail Journaling database, 28-112 Push server command described, A-19 Push-only replication specifying, 7-23, C-95
Q
Quick console Web Administrator and, 16-26 Quit command described, A-20, I-22 Quotas database, 61-23 to 61-24 enforcing, 28-16 mail, 28-10 to 28-11, 28-15 memory, C-67 replication and, C-13, C-83 setting Router controls for, 28-17 soft deletions and, 28-14 Quotas, mail shared mail and, 29-4
R
R5 IMAP Initialization Workload running, 62-17 R5 IMAP Workload script described, 62-15 running, 62-18 sample, J-6 R5 NRPC Mail Initialization script running, 62-21 R5 Shared Database script described, 62-24 running, 62-25 sample, J-12 R5 Simple Mail Routing script described, 62-20 running, 62-23 sample, J-9 RA. See Registration Authority Ratings Server Health Monitor, 54-5 Read command described, I-22 Reader access actions, 40-14 privileges, 40-16 Readers field updating, 40-29 Realms authentication and, 63-104 Receipts configuring Internet, 28-116 Recertify Certificate Authority in Domino Directory administration request, F-47 Recommendation documents Web Navigator database, 36-11 Recovery. See IDs, recovering Redirect URL command finding links with, 34-27 Referrals LDAP service and, 20-33, 23-11 Refresh agent enabling, 36-18 using, 36-18 Register hosted organization administration requests, F-48 Registration customizing options, 17-8 existing Active Directory users, 17-35 group member in Notes, 17-18
hosted organizations, 13-5, 13-8, 13-11 IMAP users, 31-23 Internet/intranet users, 42-3 Microsoft Management Console and, 17-29 new Active Directory groups, 17-39 new Active Directory members, 17-33 setting preferences, 16-9 from a text file, 5-22 Windows NT users, 17-1, 17-8, 17-12, 17-14 Registration Authority tasks, 44-4 Registration policy settings creating, 9-7 Registration settings documents with Notes synchronization, 17-6 Relay hosts, 28-85 configuring, 27-58 defined, 27-8 restricting, 28-75 to 28-76, 28-81 using multiple, 27-33 Remote connections setting up, 4-36 troubleshooting, 63-48 types of, 4-34 Remote console Web Administrator and, 16-26 Remote primary directories described, 18-2 to 18-3 preventing as, 19-8 how servers locate, 19-7 Remote server console entering server commands, A-1 Remote servers number of modems for, 4-33 topology, 4-3 topology example, 4-14 Remove certificate from Domino or LDAP Directory request, F-49 Rename person refusing name change, F-56 Rename Web user administration requests, F-57 Repl_Error_Tolerance setting described, C-82 troubleshooting and, 63-80 Repl_Obeys_Quotas setting described, C-83 Replica IDs assigning access by, 40-10
Replica stubs described, 63-88 troubleshooting, 63-89 Replicas access levels, 7-6 concurrent changes to, 58-8 controlling changes, 40-5 controlling creation of, 38-14 copying to servers, 48-2 creating, 7-9, F-8, I-19 creating for multiple domains, F-77 deleting, 58-36 deleting documents from, 7-12 deletions, 63-89, 63-90 described, 7-1 limiting content, 7-12, 7-16 size of, 63-87 Replicas, directory directory assistance and, 23-20, 23-36 Replicate command described, A-20, I-22 Replicate server command, 7-31 Replication access levels, 7-6 activity logging, 57-10 CD-ROM updates, 7-17 customizing, 7-11, 7-22 database design and, 63-86 deleted documents, 7-7 described, 7-1, 7-3 direction, 7-23 directory catalogs, 24-32 disabling, 7-16, 7-32, 63-89 document size and, 7-14 from Domino Administrator, A-19 Domino Directory, 19-17 editing conflicts, 63-91 enabling, 7-32 end-to-end topology, 4-8 enforcing consistent ACL, 40-28 error tolerance setting, C-82 examples, 7-19 forcing, 7-33 full-text indexes, 50-1 graphical display of topology, 7-34 history, 58-6, 58-7 limiting time for, 7-29 log file, 58-8 manual, 7-31 monitoring, 58-6
multiple replicators, 7-30 NewReplicateDB command, I-19 non-document elements, 7-15 one-way, A-17, A-19 preventing, 7-31, C-94 priority, 7-26, 7-28 Replicate command, A-20 scheduling, 7-24 selective, 7-12, 11-22, 15-27 server, I-22 setting up, 7-20 settings, 7-17 to 7-18 specific databases and, 7-27 specifying a group of servers, 7-20 specifying dates, 7-13 statistics, 63-80 strategies, 4-6, 4-8 time limits, C-82 troubleshooting, 63-80 Web applications, 11-22 Replication conflicts consolidating, 58-10 described, 58-8 Replication events troubleshooting with, 63-2 Replication formulas using, 7-14 Replication history directory catalogs, 24-39, 24-45 specifying dates, 7-13 troubleshooting with, 63-2, 63-80, 63-85 Replication priority assigning, 7-16 Replication topology binary tree, 4-9 clusters, 4-8 end-to-end, 4-8 hub-and-spoke, 4-6 peer-to-peer, 4-8 ring, 4-8 troubleshooting and, 63-80 viewing, 7-34 ReplicationTimeLimit setting described, C-82 Replicator task running concurrently, C-82 Replicators setting described, C-82 Reply addresses in Internet mail, 27-52
Report_DB setting described, C-83 Reporter task sending statistics, C-83 Reports directory catalog, 24-49 mail usage, 33-2 REPORTS.NSF (Reports database) creating, 33-4 ReportUseMail setting described, C-83 Requests managing certificate, 46-20 Web server, 34-55 Resent headers using, 28-131 Reservations deleting, 8-17 editing, 8-17 Resource balancing in Activity Trends, 54-26 in Activity Trends, setting up, 54-27 additional statistics, 54-46 analyzing distributions, 54-37 approval profile for, 54-59 charting options, 54-28 comparing, 54-39 creating plan constraints, 54-62 customizing, 54-36 database and server locations, 54-27 database moves, 54-32, 54-53, 54-55 and decommissioning a server, 54-43 and Domino Change Manager, 54-48 to 54-49 editing server properties, 54-43 evaluating server activity, 54-39 filtering servers, 54-45 goals, 54-30, 54-31 interpreting profile charts, 54-41 overview, 54-34 plan constraints explained, 54-61 plan documents for, 54-53, 54-57, 54-60 to 54-64 plan variables, 54-63 proposals for, 54-38, 54-47 viewing, 54-47 Resource document creating, 8-9 editing and deleting, 8-13 plan notification messages, 54-64
Resource Reservations database access rights, 8-8, 8-16 creating, 8-7 in a hosted environment, 14-12 synchronizing with Domino Directory, F-5 troubleshooting, 63-46 using with a Web browser, 8-16 Resources modify in directory request, F-31 troubleshooting, 63-45 types of, 8-9 Response hierarchy performance and, 61-5 Response Log documents, 15-36 Response time server, 60-3 Restart port command described, A-22 Restart server command described, A-23 Restart Task described, A-23 Results database database analysis, 58-38 from decommissioning a server, 59-3 log events, 56-5, 56-7 RetrievePOP3Mail command described, I-23 Retry interval setting, 28-33 Return receipts configuring, 28-116 Return-Receipt-To header configuring for return receipts, 28-116 Reverse DNS lookups use in controlling inbound SMTP sessions, 28-71 Rewind command described, I-23 Rewind2 command described, I-24 RFCs LDAP service, 20-42 Ring topology replication and, 4-8 Roaming files moving, 5-77 Roaming users, 5-9 change from nonroaming, 5-70 change to nonroaming, 5-69 deleting, F-21
move request, F-42 registering, 5-13 updating from non-roaming, F-66 Roles, 40-20 creating, 40-21 Domino Directory, 19-10 troubleshooting, 63-20 Web Administrator and, 16-20 to 16-21 Room resources in the Resource Reservations database, 8-9 modify in directory request, F-31 setting up, 8-9 Root DSE searching, 21-20 Roots default trusted, 46-11 Route command unscheduled mail and, A-24 Router task described, 26-6 reloading configuration of, 27-22 server crashes and, 63-100 stopping and starting, 27-4 RouterAllowConcurrentXFERToALL setting described, C-84 transfer threads and, 28-36 RouterDisableMailToGroups setting described, C-84 RouterDSNForNULLReversePath setting described, C-85 RouterEnableMailByDest setting described, C-85 Routers configuring delivery by, 28-8 to 28-9 connection costs and, 28-53 described, 26-8, 26-21, 27-1 mail file quotas and, 28-16 to 28-17 MAIL.BOX databases and, 28-3 obeying database quotas, 28-10 shutting down, 27-5 SMTP, 27-37 Tell commands, A-54 TRACERT command and, 63-67 updating configuration, 27-22 Routing costs setting, 28-39, 28-53 Routing table described, 26-10
recalculating, 27-22 Routing task described, 27-1 Routing. See Mail routing RSA trusted root, 46-11 RSVP command for, I-24 RSVPInvitation command described, I-24 RTR_Logging setting described, C-86 Rules mail, 28-113
S
S/MIME encrypted, 47-13 to 47-15 setting up clients for, 47-1, 47-13 Sametime setting up for iNotes Web Access, 3-14 Save conflicts consolidating, 58-10 described, 58-8 Sched_Dialing_Enabled setting described, C-86 Sched_Purge_Interval setting described, C-86 Schedule Manager statistics, C-87 Tell commands, A-55 troubleshooting, 63-47 validation settings, C-87 Schedule_Check_Entries_When_Validating setting described, C-87 Schedule_No_CalcStats setting described, C-87 Schedule_No_Validate setting described, C-87 Scheduled replication troubleshooting, 63-80, 63-84 Scheduled reports mail, 33-15 Schedules replication, 7-24 viewing for replication, 7-34 Scheduling example, 8-2 server programs, B-2 setting up, 8-5 troubleshooting, 63-45
Scheduling Notes routing, 28-50 Schema adding attributes, 21-13 to 21-14 adding syntaxes, 21-15 checking, 21-18 to 21-19 described, 21-1 Domino, 21-2 extending, 21-10, 21-17, E-3, E-7 to E-9, E-14, E-16, E-20 publishing, 21-20 root DSE searches, 21-20 viewing, 21-9 Schema daemon described, 21-5 NOTES.INI settings, 21-21 Schema database deleting documents, 21-17 described, 21-7 extended ACLs and, 25-7 extending schema with, 21-13 to 21-17 views, 21-8 to 21-9 Schema entry searching, 21-20 Schema_Daemon_Breaktime setting described, C-88 Schema_Daemon_Idletime setting described, C-88 Schema_Daemon_Reloadtime setting described, C-88 Schema_Daemon_Resynctime setting described, C-89 SCOS. See Shared mail SCRIPT.DAT file UNIX installation, 3-7 Scriptable setup setting up Notes with, 5-52 Scripts commands, 4-53 editing acquire and login, 4-51 keywords in, 4-52 making a call with, 4-50 Server.Load, I-1 Search filters Directory Assistance documents, 23-46 Search forms adding categories to, 10-10 bookmarks and, 10-18, 10-20 customizing, 10-18 Web clients and, 10-20 Search order directories, 18-15 to 18-17 directory assistance, 23-16
Search results access to, 10-12 filtering, 10-13 titles in, 10-19 Web server, 34-26 Searching domains, 10-1 encrypted fields, 50-2 file systems, 10-9 SearchMax number of documents to display, 34-26 Secondary directories directory services for, 18-12 LDAP service, 18-4 Secondary Domino Directory Administration Process support, 15-7 described, 23-1 directory assistance and, 23-3, 23-8, 23-33 LDAP service, 23-10 name lookups, C-68 Secondary name servers adding in Notes, 2-44 Secure_Disable_FullAdmin setting described, C-90 SecureMail setting described, C-90 Security adding cross-certificates on demand, 39-32 anonymous access, 42-25 application, 37-14 application design element, 37-15 authenticating clients, 31-24, 46-25 certificates, 39-2 certifier IDs and, 1-9 database, 10-12, 40-19 database access for SSL clients, 46-19 databases, 38-14 directory links, 49-1 Domino Directory and, 18-7, 19-9, 20-16, 20-22 to 20-23 Domino Off-Line Services, 11-7 encryption, 2-6, 43-1 encryption defined, 43-4 full-text indexes and, 50-2 ID recovery, 39-14, 39-17 IDs and, 37-16, 39-1 for Internet/intranet clients, 31-24 in a hosted environment, 12-3
iNotes Web Access, 32-1, 32-8 Internet passwords and, 42-24 Internet transactions and, 40-31 Internet/intranet clients, 42-27 keys, 39-2, 43-1 mail, 21-5, 28-68, 29-4 mail encryption, 43-7 mail journaling and, 28-110 name-and-password access, 42-19 name-and-password authentication for Web clients, 42-6 network, 2-6 to 2-7, 2-9 Notes IDs and, 39-1 to 39-2, 39-25 offline users, 11-7, 11-10 overview, 37-1 passwords, 39-4 planning, 2-6, 37-11 port access, 38-14 public and private keys, 39-2 public keys, 39-22, 43-4 renewing an expired certificate, 46-21 server, 38-23 server key ring file, 46-3 Server Web Navigator, 36-8 setting up, 37-1 setting up a Domino 5 certificate authority, 45-1 setting up a Domino CA server, 45-1 setting up anonymous access, 42-26 setting up clients for S/MIME, 47-13 setting up clients for SSL client authentication, 47-18 setting up clients for SSL server authentication, 47-3 setting up Person documents for Internet clients using SSL client authentication, 47-20 setting up SSL server authentication using SMTP, 47-22 signatures and, 43-11 SNMP, 53-5 SSL, 46-1 SSL server certificate, 46-5 trusted root certificates, 47-3 verifying passwords, 39-8 verifying public keys, 39-25 virtual Web servers, 3-42 Web Administrator, 16-18
workstation, 41-1 Security policy settings creating, 9-19 Selection formulas directory catalogs and, 24-20 Selective replication setting up, 11-22 Selective replication formulas preventing replication of ADMIN4.NSF, 15-27 Self subject extended ACL, 25-11 Self-certified certificate, 46-22 Send copy to mail rule disabling, 28-9 SendMessage command described, I-24 SendSMTPMessage command described, I-25 Server access anonymous, 38-13 customizing, 38-7 data directory, 49-4 denying, 38-4, 38-7 passthru, 38-17 troubleshooting, 63-91 Server administrators changing name of, 59-1 Server certificates changing expiration date, 3-32 merging into key ring file, 46-12 Server Certificate Administration requesting certificate, 46-5 setting up, 46-3 Server commands Agent Manager and agents, 63-12 entering from the UNIX command line, A-8 redirecting command output to, A-2 table of, A-10 troubleshooting with, 63-2 Server comparisons when decommissioning a server, 59-5 Server console commands, I-8 described, A-1 using at server, A-2 Server Console Configuration document settings in, 52-21 Server crashes database indexes and, 63-99
fault recovery, 55-10 hosted organizations and, 14-11 troubleshooting, 63-96 Server documents access lists, 38-2 build number in, F-47 CPU count field, F-64 creating for NDS, G-7 database creation, 38-14 directory catalogs and, 24-8 DNS resolves in NRPC and, 2-12 network settings in, 2-36 protocol field, F-66 specifying international settings, 34-31 time-out settings for Web, 34-53 troubleshooting, 63-39 verifying public keys, 39-25 Server failures customizing message for, 28-46 Server files controlling Web browser access to, 38-23 Server Health Monitor configuring, 54-6 excluding servers, 54-15 overview, 54-2 performance of, 54-12 profiles, 54-13 ratings, 54-5 reports, 54-11 to 54-12 selecting server components, 54-9 setting up, 54-7 starting, 54-8 statistics, 54-3, 54-13, 54-16 threshold values, 54-10 using, 54-8 viewing in Domino server monitor, 54-14 Server IDs defined, 39-1 overview, 39-1 recertifying, 59-9 replacing, 63-96 security and, 39-25 server access and, 63-95 specifying, C-92 Server key ring files creating, 46-3 Server monitor adding a task, 52-43 adding servers, 52-44 changing default settings, 16-8 overview, 52-40
profiles, 41-13, 52-44, 54-13 Server Health monitor, 54-2 starting, 52-41 using, 52-44 views, 52-41 Server names deleting, 59-8 finding in domain, 59-11 IP names and, 2-14, 2-22 upgrading to hierarchical, 59-10 Server ports access to, 38-14 Server programs SSL and, 46-1 Server protocol information updating, F-66 Server registration administration requests, F-59 Server security, 38-23 Server setup profiles creating, 3-21 silent, 3-25 using, 3-22 Server Statistic Collection document creating, 52-25 Server tasks adding, 52-43 monitoring, 52-1, 52-44 running, B-1 scheduling, B-2 settings for, C-97 to C-98 SSL and, 46-1 status level, 52-42 table of, B-3 Server topology planning, 1-2 Server Web Navigator about the Averaging agent, 36-19 access to Internet services, 36-7 changing appearance of pages, 36-12 controlling access to sites, 36-6 customizing, 36-6 described, 36-1 displaying authors, 36-12 displaying HTML source, 36-13 managing size of database, 36-16 moving out of data directory, 36-14 private page access, 36-5 proxies, 36-3 renaming database, 36-14 retrieval settings, 36-6
setting cache options, 36-18 setting up, 36-2 starting and stopping, 36-3 Server.Load agents, 62-4 capacity planning with, 60-2 changing script variables, 62-10 described, 62-1 metrics, 62-7, 62-10 modifying built-in scripts, 62-11 setting stop condition, 62-10 setting up, 62-12 test parameters, 62-6 testing commands, 62-11 troubleshooting, 63-110 Server.Load scripts built-in, 62-2, 62-11, 62-14 to 62-15, 62-20, 62-24, 62-26, 62-30 to 62-31 commands, 62-11, I-1 critical region, I-4, I-10 custom, 62-3, 62-11 list of, 62-2, J-1 loops, I-4 to I-5 pausing, I-21 restarting, I-23 to I-24 running, 62-3, 62-11, 62-14, 62-17 to 62-18, 62-21, 62-23, 62-25, 62-27 to 62-28, 62-30, 62-34 samples, J-1 stop conditions, 62-10 variables, 62-10 Server_Availability_Threshold setting described, C-91 Server_Cluster_Default_Port setting described, C-91 Server_Console_Password setting described, C-92 Server_Max_Concurrent_Trans setting described, C-93 Server_MaxSessions setting described, C-93 troubleshooting and, 63-59 to 63-60 Server_Restart_Delay setting described, C-96 Server_Restricted setting described, C-96 Server_Session_Timeout setting described, C-96 Server_Show_Performance setting described, C-97
Server-based certification authority creating an Internet CA, 44-8 ServerKeyFileName setting described, C-92 ServerName setting described, C-94 ServerNoReplRequests setting described, C-94 preventing replication with, 7-31 ServerPullReplication setting described, C-95 ServerPushReplication setting described, C-95 Servers access, 38-2, 38-4 access levels for, 7-6, 40-13 access to databases, 7-5 adding hosted organizations to, 14-2 adding to clusters, F-5 administering, 16-4 backing up, 63-7 capacity, 60-3 changing administrator of, 59-1 configuring for LANs, 2-19, 2-32, 2-43, 2-58, 2-61 configuring for NDS, G-6 connecting, 4-1, 4-4 database creation, 38-14 decommissioning, 54-43, 59-3, 59-12 delete requests for, F-25, F-78, F-81 deleting hosted organizations from, 14-3 Domain Search requirements, 10-2 editing properties for resource balancing, 54-43 encrypting mail files, 43-8 environment for service providers, 12-1 evaluating for resource balancing, 54-39 filtering for resource balancing, 54-45 functions, 1-2 Health reports, 54-11 to 54-12 hierarchical names, C-94 installing, for hosted environments, 13-2 limiting replication time, 7-29 limiting transactions, C-93 managing, 59-1
maximum sessions, C-93 naming, 1-3, 2-14 to 2-17, 2-19, 2-29, 2-31 to 2-32 partitioned, 1-6, 2-21, 2-53, 59-13 passthru, 2-8, 4-23, 38-17, password checking on, 39-12 performance, 60-3 performance tools for, 54-2 proxy, 2-7 recertifying, F-47 registering, 3-29 remote connections, 4-3, 4-34 removing from cluster, F-49 renaming, F-68, F-87 replicating groups of, 7-20 restarting, A-23, C-96 secondary name, 2-44 setup address, C-99 setup name, C-99 SSL connections, 46-18 swap file, C-109 time-out setting, C-96 topology, 4-6, 4-9 tracing connections, 63-77 troubleshooting mail routing, 63-43 UNIX performance, 60-14 verifying public keys, 39-25 viewing health of, 54-14 Windows, performance, 60-13 Servers, external access levels for, 7-7 Servers, partitioned SNMP and, 53-9 ServerTasks setting described, B-2, C-97 ServerTasksAt setting, B-2 ServerTasksAt2 setting, 50-4 ServerTasksAthour setting described, C-98 Service providers Activity Logging for, 13-23 to 13-24 and DNS outages, 14-11 Domino features for, 12-4 environment example, 12-16 Global Web Settings documents for, 13-21 mail and directory protocols for, 12-13 managing users, 14-14 security for hosted organizations, 12-3 server environment for, 12-1
server options, 12-2 setting up environment for, 13-1 using the Resource Reservations database, 14-12 Web Administrator and, 16-26 Servlets managing on Web server, 34-13 Sessions closing, I-25 IMAP, 31-9, 31-19 opening, I-26 SessionsClose command described, I-25 SessionsOpen command described, I-26 Set Configuration command described, A-25 troubleshooting, 63-91 Set directory filename request, F-60 Set Rules command described, A-25 Set SCOS command described, A-25 Set Secure command described, A-26 Set Statistics command described, A-27 Set user name and enable schedule agent request, F-61 Set Web admin fields request, F-61 Set Web user name and enable scheduled agent, F-61 SetCalProfile command described, I-26 SetContextStatus command described, I-26 Setup policy settings creating, 9-12 Setup profiles creating, 3-21 silent, 3-25 using, 3-22 Setup program. See Domino server Setup setting described, C-98 Setup=AT command troubleshooting and, 63-48, 63-51 SetupDB setting described, C-99 SetupServerAddress setting described, C-99 SetupServerName setting described, C-99
Shared installation, 5-43 Shared mail clusters and, 29-20 described, 29-1, 29-5 disabling, 29-25 excluding mail files, 29-17 including mail files, 29-17 linking mail files to, 29-15 managing, 29-11, 29-21 moving mail files and, 29-21 object store, 29-1 replicated mail files and, 29-19 restoring, 29-23 security, 29-4 settings, C-100 statistics, 29-13 troubleshooting, 63-39 using for transfer and delivery, 29-8 Shared mail databases deleting, 29-24 inactive, 29-2 purging obsolete messages from, 29-22 setting up, 29-5, 29-9 to 29-11 using multiple, 29-2 Shared_Mail setting described, C-100 Shell commands using, A-3 Shortcut keys for accessibility, H-1 for cursor, H-8 database, H-4 dialog box, H-5 document, H-6, H-7, H-8 Domino Administrator, H-3 properties box, H-5 views, 58-21, H-10 Show Allports command described, A-27 to A-28 Show Cluster command described, A-29 Show Configuration command described, A-29 Show Directory command described, A-30 Show Diskspace command described, A-30 Show Heartbeat command described, A-32 Show Memory command described, A-32
Show Opendatabases command described, A-32 Show Performance command described, A-33 Show Port command described, A-33 Show Schedule command described, A-34 Show SCOS command described, A-35 Show Server command described, A-36 Show Stat command described, A-37 using, 52-28, J-4 Show Stat Platform command described, A-38 using, 52-27 Show Tasks command described, A-39 Show Transactions command described, A-39 Show Users command described, A-41 Show Xdir command described, A-41 directory assistance and, 23-60 Signatures described, 43-9 sent mail and, 43-11 Signing databases and templates, 48-7 defined, 43-9 documents and mail, 43-9 dual Internet certificates and, 47-17 Silent install UNIX, 3-7 Single sign-on configuring, 42-13 to 42-14, 42-18 configuring for a Web Site, 42-17 Domino and WebSphere, 42-12 troubleshooting, 63-106 Single-copy object store. See Shared mail Site documents. See Internet Site documents Site Profile document creating, 8-9 Size attachments, 7-14 Console Log file, C-16 database, 61-12 to 61-13 database cache, 61-9, C-74
Extended Directory Catalog, 24-26 increasing database, 61-23 index, 50-3 Java heap, C-46 to C-47 Java stack, C-48 mail file, 28-11 MIME message, C-40 NSF buffer pool, C-73 replica, 7-12, 63-87 Server Web Navigator database, 36-16 transaction log, C-113 SIZE extension enabling, 28-96, 28-103 to 28-104 Size quotas database, 61-23 to 61-24 mail, 29-4, 28-10, 28-15 to 28-16, 28-28, 28-55 Smart hosts for mail routing, 27-5, 27-43 SMIME_Strong_Algorithm setting described, C-100 SMIME_Weak_Algorithm setting described, C-101 SMTP activity logging, 57-10 binding to an IP address, 2-47 changing default port information for, 28-58, 28-60, 28-66 IMAP clients and, 31-1 in local Internet domain, 27-39 mail commands, I-25 requirements for routing, 28-2 restricting inbound connections, 28-71, 28-75 setting up SSL server authentication, 47-22 setting up SSL server authentication for Notes and Domino using, 28-68 using inside the local Internet domain, 26-23 using outside the local Internet domain, 26-24, 27-38 SMTP addresses inbound lookup, 27-47 SMTP configuration updating, 27-65 SMTP connection documents creating, 27-34 SMTP Initialization Workload script running, 62-27
sample, J-14 SMTP Listener task enabling or disabling, 27-41 starting and stopping, 28-57 SMTP protocol DNS and, 26-25 Domino mail server and, 26-3 mail routing and, 26-21, 27-37 SMTP routing configuring multiple relay hosts, 27-58 customizing, 28-57 relay hosts and, 27-33 SMTP Workload script described, 62-26 running, 62-28 sample, J-14 SMTP_Config_Update_Interval setting described, C-102 SMTPAllHostsExternal setting described, C-101 SMTPDebug setting described, C-102 SMTPDebugIO setting described, C-103 SMTPExpandDNSBLStats setting described, C-103 SMTPGreeting setting described, C-104 SMTPMaxForRecipients setting described, C-105 SMTPMTA_Space_Repl_Char setting described, C-105 SMTPNotesPort setting described, C-104 SMTPNoVersionInRcvdHdr setting described, C-104 SMTPRelayAllowHostsandDomains setting described, C-106 SMTPSaveImportErrors setting described, C-106 SMTPStrict821AddressSyntax setting described, C-107 SMTPStrict821LineSyntax setting described, C-107 SMTPTimeoutMultiplier setting described, C-108 SMUX protocol and SNMP Agent, 53-14 Snap-in registry values configuring, G-3
SNMP Domino events, 53-4 floating-point support, 53-7 INI file configuration, 53-9 MIB, 53-5 on partitioned servers, 53-9 overview, 53-1 security, 53-5 traps, 53-21 to 53-23 troubleshooting, 53-10 using Domino MIB with, 53-21 SNMP Agent alerts, 53-2 Sockets IPX/SPX addresses and, 2-62 SOCKS proxy connecting Server Web Navigator through, 36-3 Soft deletions defined, 61-8 effect on quotas, 28-14 expiration time, 61-8, F-70 Solaris configuring partitioned servers, 2-51 configuring SNMP Agent for, 53-14 Soundex directory catalogs and, 24-30 Space Saver settings in Administration Requests database, 15-27 Spamming preventing, 28-20, 28-70, 28-75, 28-90, C-101 Spoofing preventing, 28-71 SPX. See IPX/SPX SSL authenticating clients, 9-37, 28-60, 31-2, 31-6, 46-25, Certificate Authority server and, 45-5 client authentication, 47-18 creating a self-certified key ring, 46-22 database access for clients, 46-19 default Domino trusted roots, 46-11 features, 46-1 forcing connections, 46-18 in a hosted environment, 12-4 to 12-13 Internet security and, 40-31
LDAP directories and, 23-43 LDAP lookups, 47-23 LDAP service and, 20-12 merging certificates, 46-9 merging server certificates, 46-12 NOTES.INI settings, 46-19 overview, 46-1 passwords, 42-3, 42-24 Person documents for client authentication, 47-20 resuming sessions, 46-19 server authentication and, 47-3 server authentication using SMTP, 47-22 server certificate request, 46-5 server tasks, 46-1 setting up clients for, 47-1 setting up for Web Navigator, 36-8 setting up test site, 46-22 virtual servers and, 3-42 SSL certificates client, 47-3, 47-21 creating a Certificate Authority, 45-2 marking as trusted root, 46-21 publishing in Person records, 47-21 removing trusted roots, 46-21 renewing, 46-21 viewing information, 46-20 SSL ciphers restricting, 46-23 SSL key rings creating a key ring and certificate request, 45-2 creating a self-certified key ring, 46-22 SSL server authentication setting up clients for, 47-3 SMTP, 28-96, 34-23, 47-22 trusted root certificate for, 47-3 SSL servers protocol version, 46-15 setting up application, 46-3 setting up on server, 46-2 setting up test site, 46-22 SSL_Resumable_Sessions setting described, C-109 SSL_Trace_KeyFileRead setting described, C-109 SSLCipherSpec setting described, C-108
Stamp command described, I-26 Start Consolelog command described, A-43 Start Port command described, A-44 STARTTLS extension enabling for SMTP, 28-68 enabling for SMTP inbound, 28-96 Stash files setting up for SSL, 46-5 Statistic alarms reporting, 52-9 for Server Health Monitor, 54-10 Statistic Collector Tell commands, A-57 Statistic Collector task described, 52-24 Statistic documents creating, 52-32 Statistic event generator creating, 52-9 Statistic profiles charting, 52-37 creating, 52-31, 52-36 modifying, 52-39 Statistic thresholds viewing, 52-32 Statistics Activity Trends, 54-22 Administration Process, 15-35 charting, 54-16, 54-25, 52-36 creating documents for, 52-32 database activity, 58-12 database archives and, 61-26 database cache, 61-10 default thresholds, 52-32 directory assistance, 23-60 exporting to spreadsheet, 52-34 LDAP service ports, 20-38 mail-in, 52-35 modifying, 52-32 monitoring, 52-24, 52-31 platform, 52-26, 52-28, 52-30 for resource balancing, 54-46 Server Health Monitor, 54-3, 54-13 Server.Load, 62-7 Set Statistics command, A-27 setting preferences for, 16-11, 52-25 shared mail, 29-13 viewing, 52-28, 52-30, 52-32
Windows NT Performance Monitor, 17-23 Statistics Collector overview, 52-1 Statistics reports viewing, 52-31 Statlog task database activity reporting, 58-11, C-72 statistics, 58-12 user activity reporting, 58-13 STH files setting up for SSL, 46-5 Stop Consolelog command described, A-44 Stop Port command described, A-44 Stop triggers setting, 52-22 Storage format, mail file setting for IMAP users, 31-3, 31-23, 31-35 setting for POP3 users, 30-7 Store CA policy information in Domino Directory request, F-62 Store certificate in Domino or LDAP directory request, F-62 Store Certificate Revocation List in Domino or LDAP directory request, F-63 Store directory type in server record request, F-63 Store servers DNS host name in Server record request, F-64 Structural object classes described, 21-2 Subjects extended ACL, 25-9, 25-17 Subscriptions, offline overview, 11-1 SwapPath setting described, C-109 Synchronization enabling, 17-27 Notes and Windows 2000 users, 17-25, 17-38 Notes and Windows NT users, 17-1 to 17-3, 17-5 Syntaxes adding to schema, 21-15 LDAP, 21-2, 21-4 System administrators, 38-8
System and application templates table of, D-1 System mail rules setting, 28-20
T
Tables forms and, 61-4 Targets extended ACL, 25-12 to 25-14, 25-17, 25-30 Task status event generator creating, 52-10 TCP server event generator creating, 52-11 TCP/IP Domino Internet services and, 2-47 frame types, 63-68 importance of Notes port order, 2-45 IPv6 standard, 2-25, 2-45 multiple IP addresses for servers, 2-12, 2-19, 2-22 name resolution in, 2-15 name resolution in NRPC, 2-11, 2-16 to 2-17, 2-19, 2-22 Notes port for, 2-34 to 2-36, 2-38, 2-39 to 2-42, 2-46 NOTES.INI settings, 2-64 partitioned servers and, 2-21 passwords, 42-3, 42-24 planning server configurations, 2-10 port mapping, 2-53, 63-78 port numbers, 2-55 redirect to SSL, 31-7, 46-18 Secondary name servers, 2-44 security, 2-9 setting up servers on, 2-19, 2-32, 2-43 testing, 2-56 time-out setting, 2-45 troubleshooting, 63-56, 63-107 TCP/IPportname_PortMappingNN setting described, C-110 TCP/IPportname_TCPIPAddress setting described, C-111 TCP_EnableIPV6 setting described, C-110
Tell commands Administrator Process, A-46 Agent Manager, 63-12, A-47 CA process, A-48 Change Manager, A-50 Cluster Replicator, A-51 described, A-45 Directory Cataloger, A-53 LDAP service, A-53 Router, 27-5, 27-22, A-54 Schedule Manager, A-55 SMTP, 27-65, A-56 Statistic Collector, A-57 troubleshooting, 63-91 Web Navigator, A-57 Web Server, A-57 Telnet and UNIX installation, 3-5 Temp_Index_Max_Doc setting described, C-111 Templates Domino Off-Line Services, 3-11 signing, 48-7 system and application, D-1 updating databases with, 58-24 Temporary directory changing for view rebuilding, 58-22 Terminated users deleting from system, 40-23 Terminations group adding names to, 40-6 creating, 6-8 Text in Server Web Navigator, 36-12 Text files for Domino Web server log, 56-10 redirecting command output to, A-2 setting up for registration, 5-23 Third-party relays defined, 28-76 Threads DIIOP and, 34-11 IMAP service, 31-19 transfer, 28-33, 28-36 Web server, 34-55 Threads, Administration Process changing number of, 15-29 Time zones and replication, 7-24 Time-out settings IMAP service, 31-9 LDAP service, 20-28
message, 28-37 server, C-96 SMTP, C-108 specifying for Web, 34-53 TCP/IP, 2-45 TimeZone setting described, C-112 Titles replication and, 63-87 window, C-120 TLS (Transport Layer Security) for SSL, 28-68 Tools Active Directory Domino Upgrade Service, 17-25 administration, 16-16 to 16-17 Agent log, 63-13 for troubleshooting, 63-2 monitoring servers and, 52-1 server performance, 60-2 Topology creating a passthru, 4-25 replication and, 4-8 Topology maps task starting, 7-34 update frequency, C-112 Topology_WorkInterval setting described, C-112 Trace command described, A-59 TRACERT command using for TCP/IP, 63-67 Tracing mail, 63-2 network connections, 63-77 passthru connections, 63-79 Tracking messages configuring the server for, 33-8 from the Domino Administrator, 33-10 Mail Tracking Collector task, 33-5 overview, 33-1 Transaction logging database changes, 58-25 disabling, 55-8 disk space and, C-115, 55-8 enabling, C-114 log location, C-113 log size, C-113 logging style, C-114 overview, 55-1 performance, C-113 planning for, 55-4 recovery, 14-11, 55-9
setting up, 55-5 settings, 55-7 shared mail and, 29-3 troubleshooting, 63-102 using, 55-3 Transactions disabling, A-22, A-44 Transfer failures non-delivery reports and, 28-37 Transfer threads setting maximum number between servers, 60-11, specifying messages to journal, 28-36 Transferring messages controlling, 28-26 using shared mail, 29-8 Transform file creating, 5-47 Transform files applying, 5-50 for end-user installations, 5-50 installation options with, 5-49 TRANSLOG_MaxSize setting described, C-113 TRANSLOG_Path setting described, C-113 TRANSLOG_Performance setting described, C-113 TRANSLOG_Status setting described, C-114 TRANSLOG_Style setting described, C-114 TRANSLOG_UseAll setting described, C-115 Troubleshooting Administration Process, 63-8, 63-11 Agent Manager and agents, 63-12 Certificate Authority, 63-101 database corruption, 58-26 database performance, 63-16 Directories, 63-21 Directory assistance, 63-21 Directory catalogs, 63-25 disk space problems, 63-86 Domino, 63-1 Domino SNMP Agent, 53-24 extended ACLs, 25-30, 63-34 Fixup task, 58-26 IPX/SPX, 63-70 LDAP service, 63-31 Location documents, 63-42 Lotus Support Services and, 63-4
mail routing, 63-36 meeting and resource scheduling, 63-45 modems, 63-48 Network dialup connections, 63-74 NOTES.INI, 63-43 NRPC, 63-55 NSD log files and, 63-101 partitioned servers, 63-78 Passthru connections, 63-79 Personal Address Book, 63-42 platform statistics, 63-52 remote connections, 63-48 replication, 63-80 server access, 63-91 server crashes, 63-96 Server.Load, 63-110 shared mail, 63-44 SNMP, 53-10 tools, 63-2, 63-57 transaction logging, 63-102 Web Administrator, 63-104 Web client authentication, 63-21 Web Navigator, 63-104 Web servers, 63-104 workstation setup, 63-42 Trusted naming rules directory assistance and, 23-14 Trusted root certificates accepting server CA's certificate, 46-9 default Domino SSL, 46-11 removing, 46-21 SSL authentication and, 47-3 viewing information, 46-20 Type-ahead addressing condensed directory catalogs and, 24-29 disabling, 28-6 troubleshooting, 63-27
U
Undeliverable mail generating non-delivery reports for, 28-37 holding in MAIL.BOX, 28-40 to 28-41 Unicode LDAP service and, 20-3 Unit numbers NetBIOS ports and, 2-58
UNIX accessing the server console, A-8 directory for entering commands, 3-2 installation on, 3-4 server performance, 60-14 Unread command described, I-27 Unread marks allowing IMAP users to change other users, 31-17 performance and, 61-3, 63-18 setting, I-27 Unwanted commercial e-mail preventing, 28-20, 28-70, 28-75, 28-90 Updall task commands, 58-16 indexes, 58-15 options, 58-16 running, 58-19 scheduling, 50-4 to 50-5 Update client information in Person record, F-64 Update command described, I-27 Update Config command, 27-65 described, 27-22 Update task directory indexer, 58-15 indexes, 58-14 running, 58-21 Update user from non-roaming to roaming user administration requests, F-66 Update_No_BRP_Files setting described, C-115 Update_No_Fulltext setting described, C-115 Update_Suppression_Limit setting described, C-116 Update_Suppression_Time setting described, C-116 Updaters setting described, C-116 UpgradeApps setting described, C-117 URLs, 34-3 categorizing for Domain Search, 10-21 in Server Web Navigator, 36-12 mailed to SSL server administrators, 45-4 redirecting, 34-27
retrieving information from, I-28 troubleshooting, 63-108 UseFontMapper setting described, C-117 User accounts creating in Windows NT, 17-12 deleting, 17-22 User activity reporting, 58-13 statistics, 58-11 User authentication registering Internet/intranet users, 42-3 User IDs adding alternate name, 5-40 defined, 39-1 passwords, 39-4 recertifying, 5-82 security and, 39-25 User information synchronizing in Notes and Windows NT, 17-1 User Management, 5-54 User name failures customizing message for, 28-46 User names aliases, 40-7 categorizing by corporate hierarchy, 19-13 to 19-14 changing, 5-56 deleting, 5-73, 17-42 deleting with Web Administrator, 5-75 editing, 40-23 finding in domains, 5-85, F-29 moving in the organization name hierarchy, 5-61 renaming, 5-57, 5-61 upgrading from flat to hierarchical, 5-67 Web, 40-30 wildcards in, 40-4 User Preferences troubleshooting, 63-42 User registration Advanced, 5-13 Advanced from the Web Administrator, 5-31 alternate names, 5-41 Basic, 5-11 Basic from the Web Administrator, 5-28 customizing, 5-4 default settings, 5-9
explained, 5-2 from a text file, 5-22 Internet-only users, 5-37 non-Notes users, 5-37 roaming, 5-13 types of, 5-7 Web, 5-8, 5-27, 5-31 User rules mail forwarding disabling, 28-9 User types assigning to ACL, 40-19 Users access levels, 40-1, 40-11 anonymous, 40-8 configuring for TCP/IP, 2-44 managing, 5-54 migrating from external mail system or directory, 5-8 recertifying, F-48 registering, 5-2, 16-25, 17-33, 17-35 renaming, 17-41, F-51, F-84 restricting in clusters, 60-6 terminated, 40-6 UTF-8 LDAP service and, 20-32 UTF-8 locale in a hosted environment, 13-8
V
Validation, 38-1 Internet/intranet clients, 42-27 Verbose logging mail, 28-7 Web servers, C-119 to C-120 VeriSign trusted root, 46-11 Version numbers identifying, C-98 View indexes updating, 58-14 View_Rebuild_Dir setting described, C-119 ViewExpnumber setting described, C-118 ViewImpnumber setting described, C-118 Views adding documents, J-1 Administration Requests database, 15-19 Close command, I-8
creating, 40-17 customizing in Domino Directory, E-2, E-5 in Server Web Navigator database, 36-12 keyboard shortcuts for, 58-21 logging, 55-9 navigating, I-10 opening, I-20 performance and, 63-18 purging database, 58-23 rebuilding, 58-22, C-119 searching in, I-11 shortcut keys, H-10 troubleshooting, 63-42, 63-99 updating, J-3, I-16 Virtual servers Web site hosting, 34-17 Virtual Web servers partitioned servers and, 2-49 security, 3-42 Viruses protection against, C-71
W
WANs integrating Domino with, 2-2 network compression and, 2-42 Web access levels, 40-13 anonymous users, 40-8 restricting amount of data sent, 34-29 Web access improving, 60-10 Web Administrator access, 16-18, 16-20 configuring, 16-17 creating groups with, 6-4 Domino Console, Domino Controller and, 16-28 entering server commands, A-1 in a hosted environment, 14-15 to 14-16 managing policies, 16-25 managing the ACL with, 40-24 message tracking, 16-27 re-creating database, 63-109 registering users, 16-25, 5-27, 5-31 remote console, 16-26, A-7 resizing and, 63-109 roles, 16-20 to 16-21
service providers and, 16-26 setting preferences, 16-24 signing out, 16-27 starting, 16-22 troubleshooting, 63-108 using, 16-17, 16-23 Web applications enabling for offline use, 11-1 to 11-2 replicating, 11-22 Web browsers controlling access from, 38-23 restricting access to links, 49-4 Web client authentication restricting, 42-19 troubleshooting, 63-21 Web Idle Workload script described, 62-30 running, 62-30 sample, J-15 Web mail files delegating access to, F-10 Web Mail Initialization Workload script sample, J-15 Web Mail Workload script described, 62-31 running, 62-34 sample, J-16 Web Navigator changing appearance of pages, 36-12 customizing, 36-6, 36-11 described, 36-1, 36-10 displaying authors, 36-12 managing size of, 36-16 moving out of data directory, 36-14 renaming, 36-14 setting cache options, 36-18 starting and stopping, 36-3 Tell commands, A-57 troubleshooting, 63-107 Web Navigator SSL setting up, 36-8 Web pages mailto, 36-9 rated, 36-19 retrieving with Web Navigator, 36-1 updating for Server Web Navigator, 36-18 Web server messages, 34-48 customizing, 34-48, 34-50 to 34-51
Web servers, 34-1, 34-26 activity logging, 57-4 creating links on, 49-1 creating secure Web applications, 34-3 features, 34-2 interactive Web applications, 34-3 listing files on, 63-105 logging, 56-8 performance, 34-52 to 34-56 processing requests, 34-55 running Web agents on, 34-54 security, 34-9 setting Domino to work with, 35-1 setting up logging, 56-9 Tell commands, A-57 troubleshooting, 63-104 Web application development, 34-3 Web set soft deletion expire time request, F-70 Web Site authentication realm creating, 34-45 described, 34-45 Web Site Authentication Realm document defined, 34-45 Web Site documents configuring for hosted organization, 13-20 creating, 34-17 DOLS and, 3-12 file protection and, 34-42 in a hosted environment, 13-18 language preferences, 34-31 setting up session authentication for, 34-23 Web Site Rule documents creating, 34-38 described, 13-19, 34-34 in a hosted environment, 13-21 Web sites, 34-38, 34-42 authentication and, 34-23, 34-45 controlling access to, 36-6 hosting, 34-17 Lotus Support Services, 63-4 multiple, on a server partition, 2-49, 34-20 Web task Server Web Navigator and, 36-3 troubleshooting, 63-108
Web tours Web Navigator database, 36-11 Web user registering, 5-8 Web user preferences, 34-30 cookies, 34-30 regional settings, 34-30 Web users authenticating, 40-7 controlling access, 40-30 renaming, 5-66 WEB.NSF renaming, 36-14 WEBADMIN.NSF configuring, 16-17 securing, 16-18 WebAuth_Verbose_Trace setting described, C-119 WebDAV, 34-15, 34-22 setting up, 34-15, 34-17 WebGet command described, I-28 WebSess_Verbose_Trace setting described, C-120 troubleshooting with, 63-106 WebSphere plug-ins installing on IIS servers, 35-4 Welcome Page creating, 5-87 Wide-area networks. See WANs Wildcard searches LDAP service, 20-28 Window_Title setting described, C-120 Windows configuring SNMP Agent for, 53-11 directory for entering commands, 3-2 installation on, 3-3 running Server Setup program on, 3-18 system fonts, C-121 Windows 2000 configuring partitioned servers, 2-52 ensuring name resolves on, 2-29 improving server performance, 60-13 name resolution, 2-15, 2-22 registering existing users, 17-35 registering new users, 17-33
synchronizing with Notes users, 17-25 Unit/LANA numbers for NetBIOS ports, 2-59 Windows NT adding groups to Notes, 17-16, 17-20 configuring partitioned servers, 2-52 ensuring name resolves on, 2-29 improving server performance, 60-13 name resolution, 2-15, 2-22 registering users in Notes, 17-1, 17-8, 17-12, 17-14 renaming user accounts with Domino, 5-57 synchronizing with Notes, 17-2, 17-3 synchronizing with Notes users, 5-62, 17-5 Unit/LANA numbers for NetBIOS ports, 2-59 Windows NT Performance Monitor viewing statistics with, 17-23 Windows NT User Manager deleting user accounts with, 17-22 setting up, 17-1, 17-3 WinInfoboxPos setting described, C-120 WinSysFontnumber setting described, C-121 Workload balancing clusters and, 60-4 servers and, 60-2 Workstations ECL, 41-1 mail routing errors and, 63-42 troubleshooting, 63-92 www.lotus.com/support searching, 63-4
X
X.PC network compression and, 2-42 XACLs. See Extended ACLs x-headers adding to outbound Internet mail, 28-134 XPC_Console setting described, C-121
xSP servers Activity Logging for, 13-23 to 13-24 applications on, 12-15 binding IP addresses to, 13-16 configuring, 12-5, 12-9 Domino features for, 12-4 example, 12-16 for hosted environments, 12-1 installation options, 12-2 installing, 13-2 mail protocols on, 12-13 opening databases on, 13-8 securing, 12-3 setting up environment for, 13-1
Z
zOS configuring SNMP Agent for, 53-17