Embed Size (px)
Citation preview
Lotus Notes and Domino was created by Ray Ozzie in 1989. But Lotus was purchased by IBM in 1991.
The physical location of a NoteID is specified in its RRV (Record Relocation Vector).
When a file or Document is deleted, Domino keeps a deletion stub so that it knows not to replace that file from a replica.
MAIL.BOX: Messages in a mail box fall into 3 basic states: Pending, Held, and Dead.
Pending - a message which is in the pending state is waiting to be transferred or delivered. Held - Held mail represents mail which fails to be delivered or transferred and would normally result in a Non-Delivery report being sent to the originator. By turning the feature on, any mail which would normally be returned as a Non-Delivery would be 'held' instead of being returned. This provides administrators with a chance to fix any problems which would have caused the Non-Delivery report to be sent and then release the held mail. The icon which appears next to mail in the 'Held' state is:
Dead - Dead mail represents mail which fails to be delivered to the intended recipient AND whose resulting Non-Delivery report fails to be delivered to the originator of the message. A message in the 'Dead' state lists the recipient as the originator of the message and the intended recipients as the list of people the originator of the message first sent it to. The icon which appears next to mail in the 'Dead' state is:
Domino Server Tasks: A few lines in NOTES.INI define which server tasks are started when the server starts up, and also which scheduled tasks are to run at various times during the day.
The Server Tasks= line lists the tasks to start as the server starts up. The scheduled tasks are listed in the ServerTasksAt0= to ServerTasksAt23= lines. These specifications use the 24-hour clock, where 0 is midnight and 23 is 11:00 P.M.
Another option for scheduling tasks is the Program document in the Domino Directory
By default, the following tasks are configured to start, depending on how the server has been configured:
When the Quick and Easy Configuration setup option is selected, the tasks set to start at startup are Router, Replica, Update, AMgr, AdminP, CalConn, Event, Sched, Stats, and Maps. Then other tasks are added depending on which other client audience options are selected. When the Advanced Configuration setup option is selected, the tasks set to start at startup are AdminP, AMgr, Update, Replica, Router, and Maps. Other tasks, such as CalConn, Event, Sched, and Stat, are optionally added if selected. Other tasks are added if they are selected by name.
AdminP The Administration Process automates many administration tasks. This task has the following commands available to modify its behavior while it is running: tell adminp process all Instructs the admin process to process all new and modified immediate/interval/daily/delayed requests. tell adminp process daily Instructs the admin process to process all new and modified daily requests. tell adminp process delayed Instructs the admin process to process all new and modified delayed requests. tell adminp process interval Instructs the admin process to process all immediate and interval requests. tell adminp process new Instructs the admin process to process all new requests. tell adminp process people Instructs the admin process to process all new and modified requests to update Person records within the Domino Directory. tell adminp process time Instructs the admin process to process all new and modified requests to delete mail files that become unlinked. tell adminp show databases Lists the databases that an administration server manages, and also lists databases that do not have an administration server configured.
AMgr The Agent Manager runs scheduled and triggered agents in Domino databases. This task has the following commands available to modify its behavior while it is running: tell amgr pause Pauses the agent manager service, so no new agents can be scheduled for execution on the server. tell amgr resume Resumes the agent manager service, so new agents can be scheduled for execution on the server. tell amgr schedule Displays the scheduled agents that are to run today, and also the database in which they reside. tell amgr status Displays the status of the agent manager, and also configuration information of the agent manager from the server document in the Domino Directory.
Agent Manager (Amgr) Examples: 1. If a user is moved and certified by a new hierarchy, then that too is considered renaming. So enabling an agent which sends the email notification to user about name changes.
The rename tasks are: v Change a Notes user’s common namev Notify a user of a change to private design elements during a name changev Rename a Web userv Move a user name in the new hierarchyv Upgrade a user name from flat to hierarchicalNotifying users of changes to private design elements during a name changeYou can enable an agent that sends to the user an e-mail message notifying the user of a name changeand containing links to databases in which the user created or modified design elements such as a folderor view. To update the private design elements with the user’s new name, the user must then open thedatabase via the database links in the e-mail notification. This update to the user name allows the user tomaintain access to their own private design elements. Enable the Mail Notification agent from within theadministration requests database (ADMIN4.NSF).Note: The AdminP Mail Notification agent runs only on Domino Release 5.05 or more recent servers andsends e-mail to Notes Release 5.05 or more recent clients.1. From the Domino Administrator, click Server - Analyses.2. Click Administration Requests (7).3. Locate the administration request to rename the user and then open the request.4. Choose Actions - Enable/Disable User Notification. The agent is enabled and automatically sends tothe user an e-mail message containing links to databases in which the user created or modified designelements such as a folder or view.5. Click OK.Troubleshooting name changesThe public key in the Person document must match the one on the user ID. If a public key has beenchanged or corrupted in some way, you see this message in the Administration Requests database: ″ The name to act on was not found in the Address Book. ″
When you initiate a user’s name change, the user may be prompted to accept or reject the name change.If the user rejects the name change, an administration request is generated that requires you to eitheraccept the user name reverting to the original name or reject the name reverting to the original username. The user is prompted if the user has selected the ″Ask your approval before name changes″ optionon the Notes Name Changes dialog box.
If the expiration date for the name change is reached and the user has not responded, an administrationrequest is issued asking you to accept a request to retract the name change. You can then either acceptthe request to retract the name change, or you can reject that request. If you accept the name changeretraction, the administration request for rejecting a name change are generated.
You can also move a user to another Organization, however to do so, your Domino Directory mustcontain cross-certificates between the Organizations involved.
Notes workstations and Domino servers use the Notes remote procedure call (NRPC) protocol running over the LAN’s network protocol to communicate with other Domino servers.Other client systems, such as Web browsers, Internet mail clients, wireless application protocol (WAP)devices, and personal information management (PIM) devices, can also communicate with Dominoservers.Isolated LANs can be connected by WANs. A WAN is either a continuous connection -- such as aFrame-relay, leased telephone line, or digital subscriber line (DSL) -- or a dialup connection over a modemor Integrated Services Digital Network (ISDN) line.
The foundation for communication between Notes workstations and Domino servers or between two Domino servers is the Notes remote procedure call (NRPC) service.
If the network connection fails while the Domino server is writing to a database on the file server orshared NAS server, the database can become corrupted.
NRPC service uses a combination of the Notes Name Service and DNS to resolve server names tonetwork addresses.
To configure server partitions to share the same IP address and the same NIC, you use port mapping.With port mapping, you assign a unique TCP port number to each server partition and designate onePartition to perform port mapping. The port-mapping partition listens on port 1352 and redirects Notesand Domino connection requests to the other partitions.
Default port for NRPC: By default, all NRPC connections use TCP port 1352. Because the InternetAssigned Number Authority (IANA) assigned Lotus Domino this port number, non-Domino applicationsdo not usually compete for this port.Do not change the default NRPC port unless:v You can use a NAT or PAT firewall system to redirect a remote system’s connection attempt.v You are using Domino port mapping.v You create a Connection document that contains the reassigned port number.To change the default NRPC port number, use the NOTES.INI setting TCPIPportname_TCPIPAddress andenter a value available on the system that runs the Domino server. TCP ports with numbers less than5000 are reserved for application vendors. You may use any number from 1024 through 5000, as long asyou don’t install a new application that requires that number.Note: When setting the NOTES.INI variables for port mapping, do not include a zone in a port mappedaddress. The zone is only valid locally.Default ports for Internet services: You may occasionally need to change the number of the TCP or SSL
port assigned to an Internet service. Lotus Domino uses these default ports for Internet services:Service Default TCP port Default SSL portPOP3 110 995IMAP 143 993LDAP 389 636SMTP inbound 25 465SMTP outbound 25 465HTTP 80 443IIOP 63148 63149Server Controller N/A 2050
Server Types:v Domino Utility Server -- Installs a Domino server that provides application services only, withsupport for Domino clusters. The Domino Utility Server removes client access licenserequirements. Note that it does NOT include support for messaging services. See full licensing textfor details.v Domino Messaging Server -- Installs a Domino server that provides messaging services. Note thatit does NOT include support for application services or Domino clusters.v Domino Enterprise Server -- Installs a Domino server that provides both messaging andapplication services, with support for Domino clusters
The Certification Log (certlog.nsf)When you set up the first Domino server in a domain, the Server Setup program creates the CertificationLog. If you delete the log, you can recreate it, but be aware that the new log will not contain theinformation it previously stored.The Certification log records information related to recertification and name changes. When you addservers and users to Domino, the Certification Log maintains a record of how you registered them. Foreach registered server and user, the Certification Log stores a document containing the followinginformation:v Name and license typev Date of certification and expirationv Name, license type, and ID number of the certifier ID used to create or recertify the ID
Create a replica of the Certification Log on every server that is a registration server and on every serverthat stores a Domino Directory that is used for user management -- for example, renaming andrecertifying users. If the server whose Domino Directory replica you are using does not have aCertification Log, user-management actions will fail.
Server registrationBefore you install and set up additional servers, you must register them. In effect, registering a serveradds the server to the system. The server registration process creates a Server document for the server inthe Domino Directory and creates a server ID. After registering and installing a server, you use the ServerSetup program to obtain a copy of the Domino Directory for the new server and to set up the server torun particular services and tasks -- for example, the HTTP service, the Mail Router, and so on.
When you register a server, Domino does the following:v Creates a server ID for the new server and certifies it with the certifier ID v Creates a Server document for the new server in the Domino Directory v Encrypts and attaches the server ID to the Server document and saves the ID on a disk or in a file on the serverv Adds the server name to the LocalDomainServers group in the Domino Directory v Creates an entry for the new server in the Certification Log (CERTLOG.NSF)
How a server connects to another serverA connecting server uses the following steps to determine how to connect to a destination server. As soonas the connecting server successfully connects to the destination, it stops searching for additionalconnection methods.1. The connecting server tries to connect using the same method it used the last time it made asuccessful connection to the destination server. Note these two exceptions:v If the server never connected to the destination server, the server searches for a path (consisting ofa network port and any passthru servers) to the destination server.v If the server has connected previously, but the connection now fails, the server conducts a new pathsearch if it is the first attempt of the day.2. The connecting server checks to see if it already has a WAN port connection to the destination server.3. The server examines normal-priority Connection documents in the Domino Directory for informationon what path to use to connect to the destination server. A normal-priority Connection document isone that has Normal selected in the ″Usage priority″ field. If multiple normal-priority Connectiondocuments exist for the same destination server, the server chooses the Connection document to usebased on the type of connection in the following order:
v Local Area Networkv Network Dialupv Notes Direct Dialupv Passthru serverv Hunt group of passthru serversNote: A server that uses a passthru connection to reach the destination server must first be able toconnect to the passthru server. To provide information on how to connect to the passthru server,
you may have to create an additional Connection document.4. The connecting server checks information stored in memory about other servers in the server’s Notesnamed network. It uses this information to define a path to the destination server. The server readsthis information from Server documents in its local Domino Directory.5. If the connecting server’s local Domino Directory does not contain information about the destinationserver, it tries to connect directly to the destination server on the LAN by using the server commonname as its address.6. The connecting server checks the low-priority Connection documents. A low-priority Connectiondocument is one that has Low selected in the ″Usage priority″ field.7. If the connecting server still cannot find a path to the destination server, it issues a message that aconnection is not possible.Note: For workstations connecting to servers, the search logic is the same except that the workstationtries to use the passthru server listed as default in the Location document to make the connection if Steps1 through 5 fail. If the Location document does not define a default passthru server and the workstationis already connected to a server over a Notes Direct Dialup connection, the workstation uses that serveras a passthru to reach the destination server.To display information about how a server makes a connection, open the Miscellaneous Events view inthe log file (LOG.NSF). To change the amount of information Domino records about connections in thelog file, change the log level
Replication and server topologyAs the number of Domino servers on your network increases, so does the amount of replication requiredto distribute information across the network. Because replication uses memory and processing time, planhow servers connect to perform replication. If you allow servers to replicate at random, so that a givenserver replicates a single database with multiple servers, or perhaps replicates different databases withdifferent servers, servers can become so overloaded with replication requests that it interferes with theirability to respond to client requests.To provide for efficient replication, consider setting up some servers as dedicated replication servers.Using dedicated servers to handle replication greatly reduces the amount of work that database servershave to devote to replication, because the database servers have to replicate with the replication serversonly, instead of having to replicate with every server that maintains a copy of a given database. Tocontrol replication, you create Connection documents that specify which servers to replicate with andwhen.How you connect servers for replication depends on many factors, including the layout of physicalnetwork and the size of your organization, as well as the extent to which you want to re-use existingConnection documents created for mail routing. There are several different configurations, or topologies,you can use to control how replication occurs between servers:v Hub-and-spokev Peer-to-peerv RingChoose the replication strategy that provides the most efficient replication performance. In many cases,you’ll use different topologies in different parts of the network.
Using a hub-and-spoke topology to manage replicationA hub-and-spoke topology is generally the most common and efficient replication topology in largerorganizations, because it minimizes network traffic. Hub-and-spoke replication establishes one centralserver as the hub, which schedules and initiates all replication with all of the other servers, or spokes.The spokes update the hub server by replication (and mail routing), and the hub in turn updates eachspoke. Hub servers replicate with each other or with master hub servers in organizations that use morethan one hub. In short, the hub server acts as the traffic manager of the system, overseeing systemresources, ensuring that replication takes place with each spoke in an orderly way, and guaranteeing thatall changes are replicated to all spoke servers.To set up replication in a hub-and-spoke system, you create one Connection document for eachhub-and-spoke connection. To ensure that the replication task on the hub, rather than the spokes, assumesmost of the work always, in each Connection document specify the hub server as the source server, thespoke server as the destination server, and pull-push as the replication method.A hub-and-spoke topology can be especially useful at large, multiple-server sites or in a centralized officethat needs to connect via phone or leased lines to smaller, regional offices. If you have a large site, youcan use a combination of topologies -- for example, two hub-and-spoke arrangements and onepeer-to-peer arrangement between the two hub servers.The major drawback of hub-and-spoke topology is that it is vulnerable to single point of failure if thehub is not working. Deploying a backup server that replicates the hub and can quickly be reconfiguredinto a hub server if the primary hub goes down can alleviate this shortcoming.Benefits of a hub-and-spoke topology1. Install multiple protocols on hub servers to enable communication in a Domino system that uses morethan one protocol. This places hub servers in multiple Notes named networks, another source ofefficiency. Hub servers can connect multiple Notes named networks, where a single hub server and itsspoke servers often make up one Notes named network.2. Bridge parts of a network -- for example, a LAN and a WAN.3. Centralize administration of the Domino Directory, standardize database ACLs, and limit access to thehub. You can designate the hub with Manager access and the spokes with Reader access so that youmake those changes on one replica on the hub to synchronize the spokes.4. Designate hubs by role -- for example, replication hubs and mail hubs.5. Place server programs such as message transfer agents on hubs to make them easily accessible.6. Connect remote sites with a hub server.7. Minimize network traffic and maximize network efficiency.8. Centralize data backup at the hub. By backing up databases on the hub only, you conserve resourceson spoke servers.
9. Improve server load balancing. However, network traffic increases on the hub LAN segment. If youhave more than 25 servers per hub, establish tiers of hubs. If a hub goes down, replication for thathub and its spokes is disabled until the hub is repaired or replaced.Note: Do not use hub-and-spoke replication for databases larger than 100MB that have replicas on lessthan four servers. Instead, schedule replication for these databases to occur separately from otherreplications.Using a peer-to-peer topology to manage replicationIn a peer-to-peer topology, replication is less centralized than in a hub-and-spoke configuration, withevery server being connected to every other server. Because peer-to-peer replication quickly disseminateschanges to all servers, it is often the best choice for use in small organizations, or for sharing databaseslocally among a few servers. However, it can be inefficient when a database resides on more than a fewservers.In a peer-to-peer topology, the potential for replication problems decreases, because only two serverscommunicate for each replication and no hub or intermediary servers are involved. However,peer-to-peer replication requires many Connection documents, increases administration since you mustavoid overlap in replication schedules, and prevents you from standardizing ACL requirements.Functions of Domino servers:Servers that provide Notes and/or browser users with access to applicationsv Hub servers that handle communication between servers that are geographically distantv Web servers that provide browser users with access to Web applicationsv Servers that manage messaging servicesv Directory servers that provide users and servers with information about how to communicate withother users and serversv Passthru servers that provide users and servers with access to a single server that provides access toother serversv Domain Search servers that provide users with the ability to perform searches across all servers in aDomino domainv Clustered servers that provide users with constant access to data and provide load-balancing andfailoverv Partitioned servers that run multiple instances of the Domino server on a single computerv Firewall servers that provide Notes users with access to internal Domino services and protect internalservers from outside usersv xSP servers that provide users with Internet access to a specific set of Domino applications
Hierarchical naming for servers and usersHierarchical naming is the cornerstone of Domino security; therefore planning it is a critical task.Hierarchical names provide unique identifiers for servers and users in a company. When you registernew servers and users, the hierarchical names drive their certification, or their level of access to thesystem, and control whether users and servers in different organizations and organizational units cancommunicate with each another.A hierarchical name scheme uses a tree structure that reflects the actual structure of a company.
Partitioned serversUsing Domino server partitioning, you can run multiple instances of the Domino server on a singlecomputer. By doing so, you reduce hardware expenses and minimize the number of computers toadminister because, instead of purchasing multiple small computers to run Domino servers that mightnot take advantage of the resources available to them, you can purchase a single, more powerfulcomputer and run multiple instances of the Domino server on that single machine.On a Domino partitioned server, all partitions share the same Domino program directory, and thus shareone set of Domino executable files. However, each partition has its own Domino data directory andNOTES.INI file; thus each has its own copy of the Domino Directory and other administrative databases.If one partition shuts down, the others continue to run. If a partition encounters a fatal error, Domino’sfault recovery feature restarts only that partition, not the entire computer
Partitioned servers can provide the scalability you need while also providing security. As your systemgrows, you can migrate users from a partition to a separate server. A partitioned server can also be amember of a cluster if you require high availability of databases. Security for a partitioned server is thesame as for a single server.When you set up a partitioned server, you must run the same version of Domino on each partition.However, if the server runs on UNIX®, there is an alternative means to run multiple instances of Dominoon the server: on UNIX, you can run different versions of Domino on a single computer, each versionwith its own program directory. You can even run multiple instances of each version by installing it as aDomino partitioned server.Deciding whether to use partitioned serversWhether or not to use partitioned servers depends, in part, on how you set up Domino domains. Apartitioned server is most useful when the partitions are in different Domino domains. For example,using a partitioned server, you can dedicate different Domino domains to different customers or set upmultiple Web sites. A partitioned server with partitions all in the same Domino domain often uses morecomputer resources and disk space than a single server that runs multiple services.
When making the decision to use partitioned servers, remember that it is easier to administer a singleserver than it is to administer multiple partitions.
Deciding how many partitions to haveHow many partitions you can install without noticeably diminishing performance depends on the powerof the computer and the operating system the computer uses. For optimal performance, partitionmultiprocessor computers that have at least one, and preferably two, processors for each partition that
you install on the computer.
Certifier IDs and certificatesCertifier IDs and certificates form the basis of Domino security. In order to place servers and users correctly within the organization’s hierarchical name scheme, we create a certifier ID for each branch on the name tree. We use the certifiers during server and user registration to ″stamp″ each server ID and userID with a certificate that defines where each belongs in the organization. Servers and users who belong tothe same name tree can communicate with each other; servers and users who belong to different nametrees need a cross-certificate to communicate with each other.Note: You can register servers and users without stamping each server ID and user ID if you havemigrated the certifier to a Domino server-based certification authority (CA).
There are two types of certifier IDs: organization and organizational unit.You can create up to four levels of organizational unit certifiers.
Each time you create a certifier ID, Domino creates a certifier ID file and a Certifier document. The ID filecontains the ID that you use to register servers and users. The Certifier document serves as a record ofthe certifier ID and stores, among other things, its hierarchical name, the name of the certifier ID thatissued it, and the names of certificates associated with it.
Advanced Domino servicesThese Domino services, which are necessary for the proper operation of the Domino infrastructure, areenabled by default when you set up a Domino server:v Database Replicatorv Mail Routerv Agent Managerv Administration Processv Calendar Connectorv Schedule Managerv DOLS (Domino Off-Line Services)
User Registration Queue (USERREG.NSF) : This database contains information on users pending registration. When you exit the Register Person dialog box, you can save all users pending registration and register them later. When you access the dialog box again, the User Registration Queue automatically opens to display all users pending registration.
You can also register users by importing them from a text file or migrating them from a foreign directory.
An administrator can be designated as a RegistrationAuthority (RA) for the server-based certification authority (CA). You can now assign to the administratorresponsible for user registration, the role of RA. This allows one administrator to register users withcertificates issued by the server-based certification authority.
Registering usersYou can use any of these methods to register Notes users:v Basic user registrationv Advanced user registrationv Text file registrationv Registration settingsv Migration tools (for people using an external mail system or directory) registration : The following list details the types of users you can migrate into Notes:* Microsoft Exchange* LDIF (from an LDAP directory)* LDAP* Windows 2000/Windows 2003* Active Directoryv Basic user registration from the Web Administratorv Advanced user registration from the Web Administrator
whether you need to import users from a foreign mail system or directory, and whether youruser settings are in a text file.
Moving a user’s mail file and roaming files from the DominoAdministrator You may need to move mail files when you need more space on a server or when users change jobs.When a mail file is moved, the Administration Process first moves it to a new server, then issues arequest to delete the old mail file from its original mail server. You must approve this mail file deletion.The Administration Process also changes the information in the ″Mail file name″ and ″Mail server″ fieldsin the user’s Location document.To move only a mail file1. To move a user’s mail files, you must have:v Editor access with Create documents role, or Author access with the UserModifier role in theDomino Directory2. From the Domino Administrator or Web Administrator, click the People & Groups tab.3. Click People and select the person whose mail file you are moving.4. Click Move to Another server.5. Choose a destination server to which you are moving the mail file. If the destination server youchoose is a clustered server, it appears ″checked″ in the Additional mail server field on this dialogbox.
6. (Optional) Enter a new directory to which the mail file should be moved. You can accept the defaultof mail\.7. (Optional) Click Link to Object Store if you are using shared mail and want to link the mail file tothe object store.8. (Optional) Choose one of theses:v From the Domino Administrator, click Remove all mail replicas if the server is in a cluster andyou want all mail replicas to be deleted.v From the Web Administrator, click Delete old replicas if the server is in a cluster and you want todelete mail file replicas from a cluster.9. If you are working with clustered servers, you can selected additional servers in the cluster to whichthe mail database can be moved. To select additional servers, click the check box next to the servername in the Additional mail server field.10. Click OK.11. Click Close.To approve the mail file deletionWhen the mail file is on the new mail server, you must approve the mail file deletion in theAdministration Requests database (ADMIN4.NSF).1. From the Domino Administrator or the Web Administrator, click Server - Analysis - AdministrationRequests (7).2. Choose the Pending Administrator Approval view.3. Locate the Approve mail file deletion request and open that request.4. Click ″Edit Document.″ Review the request.5. Click ″Approve Mail File Deletion.″6. Click Save and Close.
How license tracking worksWhen License Tracking is turned on, client usage is tracked on each server and the data is temporarilystored in the file LICENSE.NCF. When a user authenticates with a server using the Notes client, HTTP,IMAP, POP3, SMTP, or the LDAP protocol, the user’s full canonical name, protocol, and time and date ofaccess are collected. Once each day (at midnight) , an administration request sends to the administrationprocess, information regarding new users and information regarding users who have not accessed theserver within the last 30 days. The administration process running on the administration server processesthe request.The Domino User License Tracking database is created and resides on the administration server, not onall servers. The database is not created as soon as the License Tracking feature is enabled; instead, it iscreated when the administration process processes the first administration request to update the database.The administration process creates a new User License document in the Domino User License Trackingdatabase (USERLICENSES.NSF) for each new user reported in the administration request. Documents areupdated with the new time and date for those users who already have a document in the Domino UserLicense Tracking database. If a user does not access any servers in the Domino domain for one full year,the corresponding User License document is deleted from the Domino User License Tracking database.Daily updates to the database enable you to review this information at any time to obtain an up-to-datereport on the number of client licenses that you have available for use.Note: If a user is deleted from the Domino Directory, the corresponding document in the Domino UserLicense Tracking database is deleted. If a user is renamed, the corresponding document is also renamedAccordinglyEnabling or disabling license trackingUse this procedure to either enable or disable License Tracking.1. From the Domino administrator, click the Configuration tab.2. Choose Server - Configurations.3. Select the server and click Edit Configuration.4. On the Basics tab, in the License Tracking field, click Disabled or Enabled according to what you wantto do.5. Click Save and Close.
Replication: Keep in mind that two replicas will contain slightly different content between replications. If users need access to the most up-to-date information in a database, you can create replicas on clustered servers and then set up replication in clusters. In a cluster, all replicas are always identical because each change immediately replicates to other servers in the cluster.Because replication transfers only changes to a database, the network traffic, server time, and connection costs are kept to a minimum. During scheduled replication, by default, the initiating server first pulls changes from the destination server and then pushes changes to the destination server. As an alternative, you can schedule replication so that the initiating server and destination server each pull changes or so that the initiating server pulls changes only or pushes changes only.How server-to-server replication worksFor server-to-server replication, the Replicator on one server calls another Domino server at scheduledtimes. By default, the Replicator is loaded at server startup.To schedule replication between servers, the servers must be able to connect to each other in order toupdate replicas. You may need to create Connection documents to enable server connections, dependingon your server topology.Because replication transfers only changes to a database, the network traffic, server time, and connection costs are kept to a minimum. During scheduled replication, by default, the initiating server first pulls changes from the destinationserver and then pushes changes to the destination server.
Steps: 1. Replication schedule settings in a Connection document take effect.
2. The Replicator constructs a list of local files to replicate and asks the remote server to find those thathave a match with the list of local files.3. When the Replicator finds a match, it looks at the replication history to find the last time the replicasreplicated. The Replicator uses the history in the local database which is the destination databasewhen ″pulling″ and is the source database when ″pushing.″
For replication to occur properly, you must assign servers the appropriate access in the database ACL.
Remove documents not modified in the last x days: The number of days specified here, known as thepurge interval, controls when Domino purges deletion stubs from a database.Deletion stubs are markers that remain from deleted documents so that Domino knows to delete documents in other replicas of the database. Because deletion stubs take up disk space, Domino regularly removes deletion stubs that are at least as old as the value specified. It checks for deletion stubs that require removal at 1/3 of the purge interval. For example, assuming the default value, 90 days, when a user opens a database, Domino checks if it has been at least 30 days since it removed deletion stubs, and if so it removes any deletion stubs that are at least 90 days old. The Updall task, which runs by default at 2:00 AM, also removes deletion stubs.You can shorten the purge interval, if you want, but be sure to replicate more frequently than the purgeinterval; otherwise, deleted documents can be replicated back to the replica.Optionally, you can select the check box to remove documents in the replica that haven’t changed withinthe purge interval. If you select the check box, when Domino removes deletion stubs it also removesdocuments that haven’t changed within the specified number of days. These documents are purged,meaning no deletion stubs remain for the documents, so the documents aren’t deleted in other replicas.
Receive summary and 40KB of rich text only: If you select this setting, Domino prevents largeattachments from replicating and shortens the documents that this replica receives. The shorteneddocuments contain only a document summary that includes basic information, such as the author andsubject, and the first 40K of rich text.When users open a shortened document, they see ″(TRUNCATED)″ in the document title. To view theentire document, users open it and choose Actions - Retrieve Entire Document.
Replication priority doesn’t apply to replicas on a cluster of servers. Cluster replication occurs whenevera change occurs, not according to schedules in Connection documents.
Note: A database that doesn’t replicate should have at least one server in its ACL to serve as theadministration server for the database. This allows the Administration Process on a server to updatenames in the ACL when names in the organization change.
Note: Do not use the server’s common name when replicating servers. Only the server’s full hierarchicalname should be used during server-to-server replication. This applies to all instances of server-to-serverreplication.
By default, Domino uses Pull-Push as the replication direction. However, you can specify a differentreplication direction.v Pull-Push, the default replication direction, is a two-way process in which the calling server pullsupdates from the answering server and then pushes its own updates to the answering server. UsingPull-Push, the replicator task on the calling server performs all the work.v Pull-Pull is a two-way process in which two servers exchange updates. Using Pull-Pull, two replicators
-- one on the calling server and one on the answering server -- share the work of replication.v Push-only is a one-way process in which the calling server pushes updates to the answering server.One-way replication always takes less time than two-way replication.v Pull-only is a one-way process in which the calling server pulls updates from the answering server.One-way replication always takes less time than two-way replication.
When you force immediate server-to-server replication, you can initiate replication in one or in both directions.
The calendar and scheduling features use the Schedule Manager (Sched task), the Calendar Connector(Calconn task), and the Free Time system (a combination of Sched, Calconn, and nnotes tasks) to operate.When you install Domino on a server (any server except a directory server), the Sched and Calconn tasksare automatically added to the server’s NOTES.INI file. When you start the server for the first time, theSchedule Manager creates a Free Time database (BUSYTIME.NSF for non-clustered mail servers andCLUBUSY.NSF for clustered mail servers) and creates an entry in the database for each user who hasfilled out a Calendar Profile and whose mail file is on that server or on one of the clustered servers.
When users invite other users to meetings, the Free Time system performs the free-time lookups. The Free Time system also searches for and returns information on the availability of resources. If the lookup involves searching in Free Time systems on different servers or scheduling applications, the Calendar Connector sends out the queries. When users schedule appointments in their calendars and reserve resources, the Schedule Manager task collects and updates that information in the Free Time database.By default, the Schedule Manager has access to the Free Time database, so you do not have to define theACL for this database.
For clustered mail servers, the Schedule Manager creates the clustered Free Time database(CLUBUSY.NSF) the first time a server starts.
The effective policy for a user is a set of derived policy settings that are dynamically calculated at thetime of execution. In addition to organizational policies, users may also have explicit policies assigned to them. In that case,the order of resolution is that all organization policy settings are resolved first, then any explicit policysettings are resolved.
Domain SearchNotes and Web users can use Domain Search to search an entire Domino domain for databasedocuments, files, and attachments that match a search query.
To support Domain Search, you need to designate a Domino server as the indexing server, which builds adomain wide index that all Domain Search queries run against. In order for the indexing server to buildthe index, you must first create a Domain Catalog on the server -- a database that controls whichdatabases and file systems get indexed.
It is best to set up the Domain Catalog on the same server that indexes the Domino domain. If you havea very large number of databases to catalog, you can decrease network traffic by running the Catalog tasknightly on all servers. That way, when the Catalog task runs on the server that contains the DomainCatalog, the Domain Catalog uses pull replication from the local catalogs rather than spiders everydatabase.
The Domain Catalog, a database that uses the CATALOG.NTF template, controls which databases and filesystems get indexed for Domain Search. Even if your organization is not implementing Domain Search,the Domain Catalog is a useful administrative tool for such tasks as keeping track of the location ofdatabase replicas.You create the Domain Catalog by enabling the Catalog task on the server that will index the Dominodomain.The Administration Process : The Administration Process is a program that automates many routine administrative tasks.
The Administration Process automates these tasks:v Name management tasks, such as rename person, rename group, delete person, delete group, deleteserver name, recertify users, and store Internet certificate.v Mail file management tasks, such as delete mail file and move mail file.v Server document-management tasks, such as store CPU count, store platform, and place networkprotocol information in Server document.v Roaming user management, such as roaming user setup, move roaming users to other servers, upgradea nonroaming user to roaming status, and downgrade roaming user to nonroaming status.v User mail file management tasks, such as performing Access Control List (ACL) changes and enablingagents. For example, the ″Out of Office″ agent is enabled and disabled by Notes client users.v Person document management tasks, such as storing the user’s Notes version and client platforminformation.
v Replica management tasks, such as create replica, move replica, or delete all replicas of a database.
Administration serversAdministration servers control how the Administration Process does its work. You specify anadministration server for the Domino Directory and for specific databases. By default, the first LotusDomino server you set up in a domain is the administration server for the Domino Directory. Theadministration server for the Domino Directory maintains the Domino Directory’s ACL, performs deletionand name change operations in that Domino Directory, and these changes are replicated to other serversin the domain. If you have multiple directories in your domain -- not replicas of other domain’sdirectories, but more than one of your own -- you can specify an administration server for each of thedirectories in your domain. Do not specify an administration server in your domain for a replica ofanother domain’s Domino Directory.
The Administration Requests databaseThe Administration Requests database (ADMIN4.NSF) is created on the administration server for theDomino Directory when that server starts for the first time. Requests for work to be done by theAdministration Process are stored in the Administration Requests database.
Every server in the domain stores a replica of the Administration Requests database andthe Domino Directory.
The Certification LogTo use the Administration Process to perform name changes and recertifications, the Certification Log(CERTLOG.NSF) must reside on the server that stores the Domino Directory in which you will initiatethe name change or recertification. If the Certification Log exists on another server, move the CertificationLog to the server containing the Domino Directory on which you are initiating the name change orrecertification. The Certification Log contains a permanent record of how you register servers and users, including information about the certifier ID. The Certification Log also contains messages that describe the results of recertification requests that the Administration Process is processing.
If the domain has only a few servers, consider using one administration server for both the DominoDirectory and for other databases.
A second option involves using a dedicated registration server as the administration server for theDomino Directory. You limit this server’s responsibility to the processing of Domino Directory changes.You can then use other servers, such as database hubs, for processing ACL changes to other databases. Todo so, specify the database hub as the administration server for those databases. You can divide theresponsibility for database ACL changes among several administration servers; but, you must make surethat when there are multiple replicas of a database in the domain, you assign an administration server foronly one replica
Using a server that contains mail and other databases as the administration server for the DominoDirectory is possible, but is not recommended for performance reasons.
Always run the most recent version of Lotus Domino 7 on the administration server of the DominoDirectory and the extended administration servers, so that you can use all of the newest AdministrationProcess features.
The Administration Process uses administration servers to manage administrative changes that apply todatabases.
Verifying that the Administration Process is set up correctlyAfter you set up the administration server and the Administration Process, verify that both are runningcorrectly.1. From the Domino Administrator, click Server - Analyses - Administration Requests(7).2. Open the ″All Requests by Action″ view.3. Verify that the request ″Put server’s Notes build number into Server record″ appears in the view.4. Sixty minutes after the Administration Process begins running, open the Administration Requestsdatabase again and open the response Log document for the request.Note: Log documents are listed directly beneath the request that the document pertains to. Theheading Administration Request - Log appears at the top of each Log document.5. Review the information in the response Log document to ensure that the request has run.6. Complete the procedure, ″Setting up ACLs for the Administration Process.″
When a server locates and then attempts to process a name-management orgroup-management administration request, the server checks for the replica ID. If there is no replica IDstored in the Administration Request document, the administration server for NAMES.NSF processes therequest.If a replica ID is located, the server attempts to open the database. If it is successful, the server checks theACL to determine whether it is the administration server for that directory. If so, the server processes therequest. If it is not the administration server for that directory, the server leaves the request to beprocessed by the appropriate administration server. If the server is unable to open the database, it ignoresthe request.
Processing administration requests across domainsYou set up Cross-domain Configuration documents to enable a server in one domain to mailadministration requests to a server in another domain. Set up the Cross-domain Configuration document
after you specify an administration server for the Domino Directory in each domain. The AdministrationProcess for the Domino Directory must be set up on a server in each domain. Cross-domain processingworks only when the administration server of the Domino Directory is a Lotus Domino Release 5 or morerecent server.These tasks can be processed across domains:v Delete person in Domino Directoryv Delete server in Domino Directoryv Rename server in Domino Directory -- that is, upgrade the server name from flat to hierarchicalv Rename person in Domino Directoryv Create replicav Get replica information for deletion -- This request is generated when you delete a database and itsreplicas
v Create the necessary cross-certificate documents in the Domino Directory. Requests going to anotherdomain require cross certificates between the two domains.v Create a Connection document in the Domino Directory allowing a server in one domain to connect toa server in another domain. Each domain must have a Connection document.v Create one or more Cross-domain Configuration documents in the administration requests database foreach domain from which you will import administration requests and to which you will exportadministration requests.v Set up an administration server for the outbound domain to allow processing of the outboundrequests.
The Administration Requests database contains Cross-domain Configuration documents that specify howdomains exchange and process administration requests. When you configure a Cross-domainConfiguration document, you designate the trusted entities, which are persons, servers, or certifiers.
Benefits of cross-domain processingCross-domain processing offers these benefits:1. Processing administration requests across domains can protect the integrity of the data in databases.For example, if a person is deleted from the directory in one domain, corresponding deletions occurin the other domains.2. Access to information is enhanced because a name change is propagated to other domains. Forexample, people and servers registered in one domain can also be listed in the directory documentsand database ACLs in another domain. Cross-domain processing allows users and servers to haveaccess to databases and servers in both domains.3. Applications are easily distributed because databases are easily replicated from servers in one domainto servers in other domains. Administrators do not have to install and update applicationsindividually on all servers.
The Web Administrator uses the Web Administrator database (WEBADMIN.NSF). The first time theHTTP task starts on a Web server, Domino automatically creates this database in the Domino datadirectory. Domino automatically sets up default database security when the Web Administrator database(WEBADMIN.NSF) is created for the first time.
The Server Controller and the Domino ConsoleThe Server Controller is a Java® based program that controls a Domino server. Starting the ServerController starts the Domino server it controls. When a server runs under a Server Controller, you cansend operating system commands (shell commands), Controller commands, and Domino servercommands to the Server Controller.You can use the Domino Console, a Java-based console, to communicate with a Server Controller. You can
run the Domino Console on any platform except Apple Macintosh. Using the Domino Console, you cansend commands to multiple servers. The Domino Console doesn’t require a Notes ID, only a DominoInternet name and password
The Domino Console functions strictly as a server console. Consequently, the Domino Console doesn’tinclude the full set of Domino administration features that are available through the Domino Administrator and the Web Administrator, and you can’t use it to open and manage Notes databases.
The files needed to run the Server Controller and to run the Domino Console are provided with Dominoand Notes.
Start the Server Controller using the same command you normally use to start the Domino server butappend the argument -jc. For example, if you run a server on Windows XP from the directoryc:\lotus\domino using a shortcut icon on the Desktop, use the following target for the shortcut:c:\lotus\domin\nserver.exe –jc
You can minimize a Server Controller window, but do not close or kill the window to stop the Server Controller. Instead, use the Controller Quit command from a console to stop a Server Controller and the server it controls.
You can run the Domino Console from any machine on which a Domino server or the DominoAdministrator is installed. To use the Domino Console to communicate with a Domino server, the servermust be running under a Server Controller.Run the following command directly from the program directory, or from a directory path that pointsto the program directory:jconsoleSetting up Domino Active Directory synchronization When the Domino server is installed on a Windows 2000 server, as an administrator, you typically needto maintain two separate directories for the same set of people and groups. Maintaining user and groupinformation involves adding entries to both directories, deleting entries, ensuring that passwords are thesame when users use Notes Single Logon, coordinating group membership in both directories, andensuring that user or group settings, such as e-mail addresses and telephone numbers, are identical.
Lotus Domino includes a set of tools to make synchronization between Domino and Active Directory(R) simple and easy. The Active Directory Domino Upgrade Service (AD DUS) is a tool that you can use with Active Directory synchronization (ADSync) when you have data in your Active Directory and you have just installed Domino. AD DUS can optionally be used to migrate all or a set of your Active Directory users. After you’ve done that, you can start using ADSync to maintain those users in Active Directory and in Domino.
User options are available to register Notes users in Active Directory. In the Domino Administrator’s user registration interface, there is a ″Windows User Options″ button on the Other panel of the Register Person - New Entry dialog box. You can select options to register a user in Active Directory at the same time that the user is registered in Domino. This is essentially the opposite of what ADSync does. Regardless of the tool with which you register a new user in both directories, you can use ADSync tosynchronize and delete users from both directories. You can also use ADSync to rename users in bothdirectories.
You must have a properly certified Notes ID and appropriate access to make any changes to a DominoDirectory from Notes or Windows 2000, and have the appropriate rights if you are going to use theDomino server-defined certification authority (CA) to certify users on Domino. Use a Lotus Notes 6 ormore recent client, and Lotus Domino 6 or more recent server as your registration server.
These directory synchronization features let you keep both the Domino Directory and Active Directorycurrent without having to update both when either changes. Also, you can manage user and groupinformation in the Domino Directory and the Active Directory through a single interface of your choice,either Domino or Windows 2000.
To set up Domino Active Directory synchronization:
* Installed AD & Domino server R6.5 or later i.e. Install, but do not run, the Domino Administrator.* Open a command prompt. From your Notes install directory, type: regsvr32 nadsync.dll A message box appears indicating that registration is complete. This can take up to one minute.* Run the Domino Administrator and complete the configuration process.* From the Domino Administrator, create an organizational policy or an explicit policy and a Registration policy settings document. You must have at least one policy to use with ADSync. For more information on policies, see the chapter ″Using Policies.″* From the Start menu, click Programs - Administrative Tools - Active Directory Users and Computers. Click the Lotus Domino Options folder.* Right-click Domino Directory synchronization and then choose Options.* Enter your Notes password.* Click the Notes Settings tab.
* Click the Notes Server for Registration button and specify a registration server. This is typically the administration server of the Domino Directory.* Click OK.* Close and restart Active Directory Users and Computers to allow these changes to take effect.
During synchronization, ADSync attempts to match the Active Directory object with an entry in theDomino Directory. If more than one match is found, ADSync prompts you to specify the match fromthose that have been located.
Disabling Active Directory synchronization prior to uninstalling theDomino AdministratorIf you have set up and registered Active Directory synchronization, prior to uninstalling the DominoAdministrator, you must unregister Active Directory synchronization.1. Close the Administrator Client and the Active Directory MMC.2. From the system prompt, unregister the nadsync.dll library by entering one of these commands:regsvr32 /u <notes program path>nadsync.dllOR by enteringcd <notes program path>regsvr32 /u nadsync.dll3. Uninstall the Administrator Client.4. Delete any remaining Notes folders on the file system.5. Launch regedit and search for all adsync entries. Delete any adsync entries that are found.
Each Domino domain has at least one administration server for the Domino Directory. The administrationserver is responsible for carrying out Administration Process requests that automate changes to theDomino Directory. By default, the first server set up in a domain is the administration server for theDomino Directory.
Lightweight Directory Access Protocol (LDAP) is a standard Internet protocol for searching and managingentries in a directory.
The Domino Directory: is a database that Domino creates automatically on every server. The DominoDirectory is a directory of information about users, servers, and groups, as well as custom entries youmay add. Registering users and servers in a domain automatically creates corresponding Persondocuments and Server documents in the Domino Directory for the domain.
The Domino Directory is also a tool that administrators use to manage the Domino system. For example,administrators create documents in the Domino Directory to connect servers for replication or mailrouting, to schedule server tasks, and so on.
When a server runs the LDAP service, the Domino Directory is accessible through the LightweightDirectory Access Protocol (LDAP).
Typically, a Domino Directory is associated with a Domino domain. When you set up the first server in aDomino domain, Domino automatically creates the Domino Directory database and gives it the file nameNAMES.NSF. When you add a new server to the domain, Domino automatically creates a replica of theDomino Directory on the new server.
By default the LDAP task listens for LDAP client requests over TCP/IP port 389, and accepts bothanonymous connections, and connections that bind using name-and-password security. The LDAP servicecan also listen for requests over an SSL port, usually port 636.
A directory catalog is an optional directory database that typically contains information aggregated frommultiple Domino Directories. Clients and servers can use a directory catalog to look up mail addressesand other information about the people, groups, mail-in databases, and resources throughout anorganization, regardless of the number of Domino domains and Domino Directories the organizationuses. A directory catalog includes the type of information that is important for directory services, andexcludes other types of information that are part of a Domino Directory, for example Dominoconfiguration information, such as information in Connection documents.
There are two types of directory catalogs: condensed Directory Catalogs and Extended DirectoryCatalogs.
The access set for a user in an extended ACL can never exceed the access the database ACL, includingthe database ACL privileges and roles, allows the user.
Extended ACL : The access set for a user in an extended ACL can never exceed the access the database ACL, including the database ACL privileges and roles, allows the user. For example, if the database ACL allows a user only Reader access, you can’t use the extended ACL to allow Write access. Or if a user is omitted fromthe database ACL User Creator role, you can’t use the extended ACL to allow the user Create access toPerson documents.
The Lotus Notes client and the Domino mail router (the Router) create and send messages in the format(MIME or Notes rich text) appropriate for each recipient, as determined from the address format andsettings in the recipient’s Person document. If conversion between formats is necessary, Domino performsthe conversion automatically.The Router uses information in the Domino Directory to determine where to send messages and whattransfer protocol to use. For messages sent over SMTP, the Router also uses information from the Domain
Name System (DNS).
The Lotus Domino server and Lotus Notes client support both Internet standards and Notes protocols formessage routing, retrieval, and formatting. On the server, the Domino mail router (the Router) can sendand receive messages using the Simple Mail Transfer Protocol (SMTP) and Notes Remote Procedure Calls(NRPC), or Notes routing. To enable users to retrieve mail, the server supports the Internet accessprotocols, IMAP and POP3, as well as NRPC. In addition. the Domino HTTP service interacts withDomino mail databases to provide mail service for HTTP clients, such as the Domino Web Access client.Domino sends and stores messages in both MIME format and Notes rich text format, and the Notes clientcreates and sends messages in either format.Mail clients retrieve messages from the server using NRPC, IMAP and POP3. In addition, Web clients,such as the Domino Web Access client, access mail through the Domino HTTP service. The Notes clientsends and retrieves mail using NRPC, or Internet protocols (SMTP, IMAP and POP3).
Mail access protocolsDomino supports Internet mail access protocols such as IMAP and POP3 and also offers mail access toNotes clients. IMAP and POP3 clients connect to their respective protocol services to retrieve and sendmail by way of an SMTP server. The Notes client can use Notes protocols to connect to a Domino mailserver to read and send mail, and can also use IMAP or POP3 to access mail on a Domino server or onnon-Domino mail servers -- for example, a UNIX send mail server.
These steps describe how mail routes in a Domino mail system.1. Using a mail client, a user creates and addresses a mail message to a recipient.2. The user sends the message.3. The user’s mail client does one of the following:v Uses Notes protocols to deposit the message into the MAIL.BOX database on the user’s Dominomail server.v Uses SMTP to send the message to the user’s Domino mail server, which must be running theSMTP listener task. The SMTP listener task deposits the message into MAIL.BOX (Lotus Notes,IMAP clients, POP3 clients).v Uses HTTP to send the message to the user’s Domino mail server, which must be running theHTTP task. The HTTP task deposits the message into MAIL.BOX (Web clients).4. The Router finds the message in MAIL.BOX and determines where to send the message for eachrecipient. The Router checks its routing table to calculate the next ″hop″ for the message on the pathto its recipients and determines the appropriate protocol -- either SMTP or Notes routing -- to transferthe message.v Using SMTP routing, the Router connects to the destination server -- the recipient’s mail server, arelay host, a smart host, or one of the servers in the recipient’s Internet domain -- and transfers themessage.v Using Notes routing, the Router moves the message to the MAIL.BOX database on the server thatis the next hop in the path to the recipient’s mail server. The Router on that server transfers themessage to the next hop, until the message is deposited in the MAIL.BOX database on therecipient’s home server.5. The Router on the recipient’s server finds the message (in MAIL.BOX on a Domino server) anddelivers it to the recipient’s mail file.6. Using a mail client, the user retrieves the message from the mail file. Depending on the type of mailclient, one of the following protocols is used: Notes remote procedure calls, IMAP, POP3, or HTTP.
Mail routing protocolsWhen a new message arrives in MAIL.BOX, the Router determines where and how to send the message.By default, the Router uses Notes routing to transfer mail from one server to another. If the server hasboth SMTP and Notes routing enabled for the local Internet domains, the Router chooses the optimalprotocol to use to move the message to its destination. The protocol selection is based on the currentmessage format, the Domino version of the server that holds the recipient’s mail file, and the formatpreference specified in the recipient’s Person document. For example, the Router uses SMTP to route theMIME copy of a message to a POP3 recipient’s server, and uses Notes protocols to route the Notes richtext format copy of a message to a Notes recipient’s server.You can also configure Domino to use SMTP to route mail. SMTP routing can be used instead of, or inaddition to, Notes routing. You can configure a Domino server to use SMTP when transferring mail todestinations within the local Domino domain only, to external Internet domains, or both.
Messages sent over SMTP are always sent in MIME format.Notes clients access the Domino Directory using either Notes protocols or Lightweight Directory AccessProtocol (LDAP).
If the recipient’s home server is the current server, the Router will deliver the message. If itis a different server, the Router consults the routing table to determine the best route, or least-cost path,for transferring the message to the destination home server and routes the message along that path.
By default, Domino uses Notes Remote Procedure Calls (NRPC) -- also called Notes routing or the Notesrouting protocol -- to transfer mail between servers. Notes routing uses information in the DominoDirectory to determine where to send mail addressed to a given user. Notes routing moves mail from thesender’s mail server to the recipient’s mail server. The Router for the sender’s server determines the nextserver to move the message to -- or in other words, the next ″hop″ on the path to the message’sdestination. Each server uses its routing table to calculate the next hop along the route to the destinationserver.
How Notes routing moves a message
When a user sends mail to a recipient with a Notes address -- for example, Jane Doe/Acme -- the Routerpicks up a message in MAIL.BOX to determine where to direct the message. The Router first looks in theDomino Directory for a Person document for the recipient, Jane Doe/Acme. The Person documentcontains the name of Jane Doe’s mail server. From this information the Router uses its knowledge of thenetwork (that is, the routing table) to determine the next stop for the message. How the Routerdispatches the message depends on whether the recipient’s mail file is located:
v On the same server
v On a different server in the same Notes named network: If the sender and recipient don’t share a mail server, the Router checks the Domino Directory to determine whether the servers are in the same Domino domain.If the Server document for the destination server is found within the Domino Directory, the Routerchecks that document to determine the network information for the server. On the Ports - Notes NetworkPorts tab of the Server document, the server is assigned to one or more Notes named networks (NNNs).A Notes named network is a group of servers in a given Domino domain that share a common protocoland are connected by a LAN or modem connections.
v On a server in a different Notes named network within the local Domino domain: If the sender’s and recipient’s mail servers are in the same Domino domain, but don’t share either a mail server or a Notes named network, for transfer to succeed there must be some connection between the two networks. Connections between Notes named networks can be achieved by two means:v Using a ’bridge″ server that is a member of multiple Notes named networks: Two networks in the same domain can communicate with each other in the absence of a Connection document if any one server is a member of both networks. Servers that reside in multiple networks can act as a bridge between networks running diverse protocols. For example, if you have one Notes named network running TCP/IP and another running SPX, you can set up a server that runs both protocols to be a member of both Notes named networks. This server acts as a bridge between the networks.When a user in the TCP/IP network sends a message to someone in the SPX network, the Routertransfers the message from MAIL.BOX on the sender’s server to MAIL.BOX on this ″bridge″ server.
v Using a Connection document: A Connection document specifies the sending andreceiving servers, when and how to connect, and what tasks -- such as, replication and mail routing -- toperform during the connection. The source, or sending, server, and the receiving, or destination, servernamed in a Connection document may reside within the same Domino domain, or in different Dominodomains.
v On a server in an external Domino domain
You can create a Connection document between two domains whenever there is a direct physical connection between them.
Overview of routing mail using SMTPBy default, Domino uses the Notes routing protocol to transfer mail between servers. You can configureDomino to use SMTP to route mail instead of or in addition to using Notes routing.Message transfer over SMTP routing is performed as a point-to-point exchange between two servers. Thesending SMTP server contacts the receiving SMTP server directly and establishes a two-way transmissionchannel with it. To send a message over SMTP:
1. The sending server checks the recipient’s address, which is in the format localpart@domain, and looksup the domain in the Domain Name System (DNS).2. DNS returns the Mail Exchanger (MX) record for the domain, indicating the IP address of the serversin the domain that accept mail over SMTP.3. The sending server connects to the destination server over TCP/IP, establishes an SMTP connectionon port 25, transfers the message, and closes the connection.
The Domain Name System (DNS) and SMTP mail routingThe Domain Name System (DNS) is a directory used by SMTP to convert a name, such as acme.com, to alist of servers that can receive connections for that name and to find the IP address of a specific server. Bylooking up a destination server’s address in the DNS, the sending server can properly route a message toa recipient. DNS uses two kinds of records: Mail Exchanger (MX) records and A records. An MX recordmaps a domain name to the names of one or more mail hosts. An A record maps a host name to the IPaddress of a server.
Mail servers also use other DNS records. For example, servers that receive Internet mail perform areverse lookup to a DNS PTR record to determine the host name for a given IP address. Reverse lookupsare useful in verifying the source of a message
To provide users with the ability to work offline and use Sametime, you can integrate Domino WebAccess with Domino Off-Line Services (DOLS) and IBM Lotus Sametime (instant messaging). DOLSenables users to work offline, disconnected from the network, and provides many replication features thatNotes users expect when working in the Notes client.
An ID file contains:v The owner’s name. A user ID file may also contain one alternate name. A certifier ID may containmultiple alternate names.v A permanent license number. This number indicates that the owner is legal and specifies whether theowner has a North American or International license to run Domino or Notes.v At least one Notes certificate from a certifier ID. A Notes certificate is a digital signature added to auser ID or server ID. This signature, which is generated from the private key of a certifier ID, verifiesthat the name of the owner of the ID is correctly associated with a specific public key.
v A private key. Notes uses the private key to sign messages sent by the owner of the private key, todecrypt messages sent to its owner, and, if the ID belongs to a certifier, to sign certificates.v (Optional Notes client only) Internet certificates. An Internet certificate is used to secure SSLconnections and encrypt and sign S/MIME mail messages. An Internet certificate is issued by aCertification Authority (CA) and verifies the identity of the user. The user’s private key associated withan Internet certificate is stored with that certificate.v (Optional) One or more secret encryption keys, created and distributed by users to allow other users toencrypt and decrypt fields in a document.
CertificatesA certificate is a unique digital signature that identifies a user or server. Server and user IDs contain oneor more Notes certificates. In addition, user IDs may contain one or more Internet certificates that identifyusers when they use SSL to connect to an Internet server or send a signed S/MIME mail message.A certificate contains:v The name of the certifier that issued the certificate.v The name of the user or server to whom the certificate was issued.v A public key that is stored in both the Domino Directory and the ID file. Notes uses the public key toencrypt messages that are sent to the owner of the public key and to validate the ID owner’s signature.v A digital signature.v The expiration date of the certificate.
The execution control listYou use an execution control list (ECL) to set up workstation data security. An ECL protects userworkstations against active content from unknown or suspect sources, and can be configured to limit theaction of any active content that does run on workstations. The ECL determines whether the signer of thecode is allowed to run the code on a given workstation, and defines the access that the code has tovarious workstation functions. For example, an ECL can prevent another person’s code from running on acomputer and damaging or erasing data.
″Active content″ includes anything that can be run on a user workstation, including formulas; scripts;agents; design elements in databases and templates; documents with stored forms, actions, buttons, hotspots; as well as malicious code (such as viruses and so-called ″Trojan horses″).
There are two kinds of ECLs: the Administration ECL, which resides in the Domino Directory(NAMES.NSF), and the workstation ECL, which is stored in the user’s Personal Address Book(NAMES.NSF). The Administration ECL is the template for all workstation ECLs. The workstation ECL iscreated when the Notes client is first installed. The Setup program copies the administration ECL fromthe Domino Directory to the Notes client to create the workstation ECL.
Hunt Group: A pool of modems which are connected to different phone lines but use a single phone no such that each call that comes into that no is assigned to next free line in the group.
DNN/NNN: A group of domino servers which shares same protocol and same domino directory with constant connectivity.
IMP Files at clients: notes.ini (Configuration settings), user ID file (User name, password, certificates, Public/Private key, Internet License), names.nsf (Connection settings, Address book), desktop6.ndk (Workspace/Welcome page settings), bookmark.nsf (Bookmark icon settings).
IMP IDs at server: server.ID, admin.ID, cert.ID, dolcert.ID
ODS: On Disk Structure (The file system used in Lotus Notes)
R4:
R5: 41
R6: 43
Access level privileges in the ACL
Public and private keysFor all types of encryption, Domino uses public and private keys so that data encrypted by one of thekeys can be decrypted only by the other. The public and private keys are mathematically related anduniquely identify the user. Both are stored in the ID file. Within the ID file, the public key is stored in acertificate, but the private key is stored separately from the certificate. The certificate containing thepublic key is also stored in the Domino Directory, where it is available to other users.
Domino uses two types of public and private keys -- Notes and Internet. You use the Notes public key toencrypt fields, documents, databases, and messages sent to other Notes users, while the Notes private
key is used for decryption. Similarly, you use the Internet public key for S/MIME encryption and theInternet private key for S/MIME decryption.
When you register a user, Domino automatically creates a Notes certificate, which contains the user’spublic keys, and adds it to the ID file and the Domino Directory. The private key is created and stored inthe ID file.
Electronic signaturesElectronic signatures are closely associated with encryption. An electronic signature verifies that theperson who originated the data is the author and that no one has tampered with the data. Users can addan electronic signature to mail messages and to fields and sections of documents.
How electronic signatures workNotes signaturesWhen the sender signs a message with a Notes signature, all fields of the message are signed.1. Notes generates a ″hash″ of the data -- that is, a number that represents the data -- and then encryptsthe hash with the private key of the author of the data, forming a signature. The hash is alsosometimes called a message digest, and has some necessary special properties:v It is not possible to guess the original message from looking at the digest.v Even a small change in the message changes the digest in an unpredictable way, and produces acompletely different value.2. Notes attaches the signature, the signer’s public key, and the signer’s certificates to the data.3. When the reader accesses the signed data, Notes verifies that the signer has a common certificate orcommon certificate ancestor from a certifier that the reader trusts. If so, Notes attempts to decrypt thesignature using the public key that corresponds to the private key with which the data was signed.4. If decryption is successful, Notes indicates who signed the message. If decryption is unsuccessful,Notes indicates that it cannot verify the signature. Unsuccessful decryption and comparison mayindicate that the data has been tampered with.
Domino server-based certification authorityYou can set up a Domino certifier that uses a server task, the CA process, to manage and processcertificate requests.
Transaction loggingDomino supports transaction logging for servers that run Domino 5 and later, and for databases that arein a Domino 5 or later on-disk structure.Transaction logging captures all the changes made to a database and writes them to a transaction log. Thelogged transactions are then written to disk in a batch, either when resources are available or whenscheduled.
The default Domino Directory template (PUBNAMES.NTF) controls the appearance and functionality ofthe Domino Directory database (NAMES.NSF).
Calconn: Calendar Connector is a server task which processes requests for free-time information from another server.
Sched: Schedule Manager is a server task which check for Returns meeting times and dates and available invitees.
Amgr: Agent Manager is a server task which runs agent on one or more servers.
The calendar and scheduling features use the Schedule Manager (Sched task), the Calendar Connector (Calconn task), and the Free Time system (a combination of Sched, Calconn, and nnotes tasks) to operate. When you install Lotus Domino 6 on a
server (any server except a directory server), the Sched and Calconn tasks are automatically added to the server’s NOTES.INI file. When you start the server for the first time, the Schedule Manager creates a Free Time database (BUSYTIME.NSF for non-clustered mail servers and CLUBUSY.NSF for clustered mail servers) and creates an entry in the database for each user who has filled out a Calendar Profile and whose mail file is on that server or on one of the clustered servers.
Policy: is a document which defines a set of default that applies to the users and groups.
Types: 1. Organizational Policy 2. Explicit Policy.
Settings Documents: 1.
Policy Viewer and Policy Synopsis are the tool to check the effective policy governing.
Certifier ID: A file that generates an electronic stamp which indicates the trust relationship.
Encryption: Public Key used for sending and encrypting & Private key used for receiving and decrypting.
Public Key: A key which is used for encryption of messages while they are in transit. It is store in notes ceritificate which are furthure store in User ID and Domino directory.
Private Key: A key used for decryption. It is stored in User ID.
Domino Cluster: A Domino cluster is a group of two or more servers which provides usersthe constant access to data, balances the workload between servers, improves server performance, and maintains performance when you increase the size of your enterprise.
The servers in a cluster contain replicas of databases which are readily available to users at all times. If a user tries to access a database on a cluster server that is not available, Domino opens a replica of that database on a different cluster server, if a replica is available. Domino continuously synchronizes databases so that whichever replica a user opens, the information is always the same.
Cluster Benefits: 1. Availability of Database: When a hardware or software problem occurs, clustered servers redirect database open requests to other servers in the cluster to provide users with uninterrupted access to important databases. This process is called failover.
2. Workload balancing: When users try to access databases on heavily used servers, Dominocan redirect the user requests to other cluster servers that aren’t as busy so that the workload is evenly distributed across the cluster which leads to faster data access.
3. Scalability: As the number of users you support increases, you can easily add servers to a cluster to keep server performance high. As your enterprise grows, you can distribute user accounts across clusters and balance the additional workload to optimize system performance within a cluster.
4. Data synchronization: Cluster replication ensures that all changes, whether to databases or to the cluster membership itself, are immediately passed to other databases or servers in the cluster. Thus, databases are continuously synchronized to provide high availability of information.
5. Ease of changing operating systems, hardware, or versions of Domino: When you want to change your hardware, operating system, or Domino release, you can mark the clustered server as RESTRICTED so that requests to access a database on the server fail over to other cluster servers that contain replicas.
Clustering requirements: All servers in a cluster must be connected using a high-speed local area network (LAN) or a high-speed wide area network (WAN). You can also set up a private LAN for cluster traffic.All servers in a cluster must use TCP/IP and be on the same Notes named networkAll servers in a cluster must be in the same Domino domain and share a common Domino Directory.Each server in the cluster must have a hierarchical server ID. If any servers have flat IDs, you must convert them to hierarchical IDs to use them in a cluster.A server can be a member of only one cluster at a time.Each server must have adequate disk space to function as a cluster member. Because clusters usually require more database replicas, servers in clusters require more disk space than unclustered servers.Each server must have adequate processing power and memory capacity. In general, clustered servers require more computer power than unclustered servers.
![Lotus Domino Server Implementation Guide for linux[REDHAT]](https://img.pdfslide.us/doc/110x75/5534b3db4a795936578b4bac/lotus-domino-server-implementation-guide-for-linuxredhat.jpg)
