Building the IBM Lotus Domino 8.5 Infrastructure
Instructor Guide


Part Number: IBMD8L76 Course Edition: 1.0

Notices
DISCLAIMER: You may not copy, reproduce, translate, or reduce to any electronic medium or machine-readable form, in whole or in part, any documents, software, or files provided to you without prior written consent of IBM Corporation, except in the manner described in the documentation. While every reasonable precaution has been taken in the preparation of this manual, the author and publishers assume no responsibility for errors or omissions, nor for the uses made of the material contained herein and the decisions based on such use. Neither the author nor the publishers make any representations, warranties, or guarantees of any kind, either express or implied (including, without limitation, any warranties of merchantability, fitness for a particular purpose, or title). Neither the author nor the publishers shall be liable for any indirect, special, incidental, or consequential damages arising out of the use or inability to use the contents of this book, and each of their total liability for monetary damages shall not exceed the total amount paid to such party for this book.

TRADEMARK NOTICES
The following terms are trademarks or service marks of International Business Machines Corporation in the United States, other countries, or both: DB2, Domino, Domino Designer, Domino.Doc, Everyplace, ibm.com, K-station, LearningSpace, Lotus, Lotus Discovery Server, Lotus Enterprise Integrator, Lotus Notes, Lotus Workflow, Mobile Notes, Netfinity, QuickPlace, Rational, Sametime, Tivoli, VisualAge, WebSphere, Workplace, Workplace Messaging, and WorkPlace Shell. Java and all Java-based trademarks and logos are trademarks of Sun Microsystems, Inc., in the United States, other countries, or both. Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both. Intel, Intel Inside (logos), MMX and Pentium are trademarks of Intel Corporation in the United States, other countries, or both. UNIX is a registered trademark of The Open Group in the United States and other countries. Linux is a trademark of Linus Torvalds in the United States, other countries, or both.

Copyright 2009 IBM Corporation.
Lotus software, IBM Software Group One Rogers Street Cambridge, MA 02142

Under the copyright laws, neither the documentation nor the software may be copied, photocopied, reproduced, translated, or reduced to any electronic medium or machine-readable form, in whole or in part, without the prior written consent of IBM, except in the manner described in the documentation or the applicable licensing agreement governing the use of the software. All rights reserved. Licensed Materials - Property of IBM US Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corporation. You must purchase one copy of the appropriate kit for each student and each instructor. For all other education products you must acquire one copy for each user or you must acquire a license for each copy provided to a user.

Table of Contents
Lesson 1: Setting Up the First Server and Administrator

Topic A. Analyzing a Deployment Plan
  Planning Considerations
  Planning Guidelines
  The Worldwide Corporation Deployment Plan
  Supported Platforms and System Requirements
Topic B. Installing the IBM Lotus Domino Server Software
  Lotus Domino Server Installation Types
Topic C. Installing the IBM Lotus Domino Administrator Client Software
  The Lotus Notes 8.5 Client Standard and Basic Configurations
  What is Eclipse?
  Client Installation Types
  What is Lotus Expeditor?
  Expeditor Component Packaging
  Eclipse Update Sites
  Automated Installation Options for Eclipse Components
  Multiple Users Sharing One Workstation
Topic D. Launching and Configuring the First Server
  The Server Setup Process
  The Domino Directory
  Replicas of the Domino Directory
  Comparing Domains and Organizations
  Purposes of Organizational Units
  Alternatives to Organizational Units
  Descendants of the Organization Certifier
  Organization Security
  Organization Certifier ID Security
  Authentication Between Organizations
  Country Codes
  Server Audience Types
  The Lotus Domino Server Log
  Administrator Group Security Options

Copyright IBM Corporation 2009.

Topic E. Configuring the First Workstation
  The Client Configuration Program
Topic F. Assigning Roles to Administrators and Servers
  Access in the Domino Directory
  The Special Privilege of the LocalDomainAdmins Group
  Privileges the LocalDomainAdmins Group Lacks

Lesson 2: Adding IBM Lotus Domino Servers


Topic A. Registering Servers
  The Server Registration Process
  Domino Directory Access for Registering Servers
  Need for Selecting a Registration Server
  Server ID File Storage Options
Topic B. Configuring and Starting Additional IBM Lotus Domino Servers
  The Standard Directory Structure
  The Central Directory Structure
  Replicating a Subset of Documents in the Domino Directory
  Server Setup Profiles
  Clearing the Server ID Password

Lesson 3: Adding IBM Lotus Notes Clients


Topic A. Creating an Organizational Unit Certifier
  The Certifier Registration Process
  The Certification Log
  Administrator Access to Register OU Certifiers
  Need for Selecting a Registration Server
Topic B. Registering New Administrators
  User Registration Options
  Administrator Access to Register Users
  The License Tracking Database
  Internet Password Options
  Internet Password Locking
  ID File Distribution Options
Topic C. Registering Users from a File
  User Registration Text Files
  How to Register Users from a Text File
Topic D. Replicating Server Document Changes
  Domino Directory Document Synchronization
Topic E. Setting Up an Administrator Workstation
  Workstation Setup for Additional Workstations
Topic F. Verifying the IBM Lotus Domino Installation
  The Lotus Domino Administrator
Topic G. Creating Replicas on Multiple Servers
  The Administration Process
  Components of the Administration Process
  Database Tools in Domino Administrator
  Timing and Execution of Administration Process Requests

Lesson 4: Administering Users


Topic A. Creating Groups
  Groups
  Nested Groups
  The Deny List Only Group Type
  Group Precedence in Database Access
  Auto-populated Groups
Topic B. Creating an Organizational Policy
  Policies
  Policy Documents
  Policy Types
  Settings Document Types
  Policy Precedence Rules
  Static and Dynamic Settings
  Policy Management Tools
  Policy Management Development Tools
  Use of an Organizational Policy
Topic C. Creating and Assigning an Explicit Policy
  Policy Assignment Methods
  Policy Assignment During Registration
  Dynamic Policy Assignments
  The Effect of Multiple Policies

Lesson 5: Setting Up Server Administration


Topic A. Customizing the IBM Lotus Domino Administrator Work Environment
  Administration Preferences
  Lotus Domino Server Console Administration Tasks
  Message Color-Coding on the Server Console
Topic B. Setting Access to Create Databases on the Server
  Server Access Control Mechanisms
  Restrictions for Authorizing Server Access
  User Access to the Server
  When to Restart the Server
Topic C. Setting Administration Levels
  Administration Levels
  Administration Level Details
  The Full Access Administrator Level
  Full Access Administrator Best Practices
  The Domino Web Administrator
  Administration Levels and the Lotus Domino Web Administrator Application
Topic D. Setting Logging Levels
  The Domino Server Log
  The Notes.ini File
  Logging Levels

Lesson 6: Synchronizing IBM Lotus Domino System Databases


Topic A. Creating Server Groups for Replication
  Server Databases to Replicate
  Server Groups and Replication
Topic B. Creating a Connection Document
  Replication Controls
  Replication Types
  Methods for Forcing Replication
  Pull Push Replication
  Multiple Replication Hubs
  Critical Application Scheduling
  Replication Schedule Criteria

Lesson 7: Configuring Basic Intranet Mail Routing


Topic A. Configuring Notes Named Networks
  Checklist for Configuring Basic Intranet Mail Routing
  Mail Routing Components
  Mail Routing Behavior Within and Between NNNs
Topic B. Implementing a Hub-and-Spoke Mail Routing Topology
  The Hub-and-Spoke Mail Routing Topology
  How Mail Routes in the Hub-and-Spoke Topology
  Opportunistic Routing
  Connection Document Mail Routing Options
  Router Types and Connection Documents
Topic C. Selecting a Mail Storage Format for Incoming Mail
  Mail Storage Formats

Lesson 8: Configuring Mail Routing to the Internet


Topic A. Enabling the SMTP Listener Task
  Checklist for Configuring Mail Routing to the Internet
  SMTP
  SMTP Implementation Scenarios
  SMTP Best Practices
  Internet Mail Routing
  The SMTP Listener and Router Tasks
  Methods for Enabling SMTP
Topic B. Configuring Basic SMTP Settings
  SMTP Settings
Topic C. Restricting Internet Mail Delivery
  SMTP Inbound Controls
  SMTP Outbound Controls
  Message Relay Prevention
Topic D. Enabling Whitelist and Blacklist Filters
  What Are DNS Whitelist Filters?
  The DNS Whitelist Filter Query Process
  Enabling DNS Whitelist Filters
  What Happens When a Host is Found in the DNS Whitelist?
  DNS Whitelist Filter Statistics
  What are DNS Blacklist Filters?
  Enabling DNS Blacklist Filters
  What Happens When a Host is Found in the DNS Blacklist?
  What are Private Whitelist Filters?
  Enabling Private Whitelist Filters
  What Happens When a Host is Found in the Private Whitelist?
  What Are Private Blacklist Filters?
  Enabling Private Blacklist Filters
  What Happens When a Host is Found in the Private Blacklist?
  Order of Whitelist and Blacklist Precedence
  How to Enable Whitelist and Blacklist Filters
Topic E. Configuring Extended SMTP (E/SMTP) Options
  E/SMTP Settings
Topic F. Configuring Internet Addressing
  When to Set Internet Addresses
  Internet Address Lookup Options
Topic G. Testing SMTP
  An Implementation of SMTP Routing

Lesson 9: Establishing Mail Controls


Topic A. Configuring Router Restrictions
  Mail Restrictions and Controls
Topic B. Implementing Message Disclaimers
  Message Disclaimers
  The Message Disclaimer Implementation Process
  Options for Attaching Disclaimers
  Enabling Server Message Disclaimers
  Creating Message Disclaimer Policy Settings
  Using Message Disclaimers in S/MIME Messages
Topic C. Implementing Mail Delivery Controls
  Delivery Controls
Topic D. Implementing Mail Transfer Controls
  Mail Transfer Controls
Topic E. Configuring Multiple Server Mailboxes
  Benefits of Multiple Mailboxes

Lesson 10: Implementing Mail Rules and Storage Limits


Topic A. Creating and Activating a Server Mail Rule
  Mail Rules
  How Mail Rules Work
  Mail Rule Actions
  Activating a Server Mail Rule
Topic B. Enabling Mail Journaling
  Mail Journaling
  Journaling and Mail Rules Interactions
  Journaling and Mail Routing
  Journaling and Server Configuration
Topic C. Implementing Blacklist Tag and Whitelist Tag Mail Rule Conditions
  Tag Mail Rule Conditions
  Field Names Associated with Tags
  Options for Creating Rules with Blacklist or Whitelist Tags
Topic D. Establishing Mail Quotas
  Quotas
  Quota Implementation Options
  Quota Restrictions
  How to Establish Mail Quotas
Topic E. Controlling Inbox Size with Inbox Maintenance
  Inbox Maintenance
  Use the Inbox Maintenance Feature to Control Inbox Size
Topic F. Archiving Mail
  Archiving
  Benefits of Archiving and Policies
  Archive Policy Documents
  The Archive Policy Settings Document
  Archive Criteria Settings Document

Lesson 11: Monitoring Mail


Topic A. Verifying Routing and Checking Mail Delivery
  Checklist for Verifying Mail Routing
  Checklist for Monitoring Mail
  Types of Misdelivered Mail
  Checking Mail Delivery
Topic B. Enabling Mail Statistics
  Mail Statistics
Topic C. Enabling Message Tracking
  Message Tracking
Topic D. Configuring Message Recall
  What is Message Recall?
  Message Recall Options
  Configuring the Message Recall Feature

Lesson 12: Resolving Common Mail Routing Problems


Topic A. Sending a Mail Trace
  Common Causes for Mail Routing and Delivery Problems
  Troubleshooting Stages
  The Mail Trace Tool
Topic B. Restarting the Router
  When to Restart the Router
Topic C. Forcing Mail Routing
  When to Force Mail Routing
Topic D. Resolving Undelivered and Dead Mail
  The Delivery Failure Process

Appendix A: Solutions to Practice Activities


Topic A. About This Document
  Lesson Lab Solutions

Appendix B: The Worldwide Corporation Infrastructure Plan

Appendix C: Certification and Exam Competencies

Appendix D: Instructor Preparation
  Additional Instructor Notes

Glossary

Index


Introduction

About This Course


As an IBM Lotus Domino administrator, it is possible that you might be asked to assist in the installation and management of IBM Lotus Domino and Lotus Notes. This course covers installing and configuring a basic IBM Lotus Domino 8.5 and IBM Lotus Notes 8.5 infrastructure with a single domain using an existing deployment plan. This course also covers setting up replication and mail routing in the single-domain environment. This two-day course is instructor-led, classroom training where the instructor presents course materials to a group of students in a classroom. The course materials provide extensive background information, procedural tables, and best practice tips.

Course Description
Target Student
The target audience for this course is system administrators who are new to Lotus Domino 8.5, who have a general understanding of the Lotus Domino and Lotus Notes administration environment, and who will be responsible for initial installation and configuration of a basic Lotus Domino and Lotus Notes 8.5 infrastructure, as well as configuration of Domino mail servers in corporate intranet and extranet (i.e. Internet) environments.

Course Prerequisites
The prerequisites for this course include completion of the IBM Lotus Domino 8.5 System Administration Operating Fundamentals (D8L75) course, or equivalent knowledge, skills, and experience.

How to Use This Book


As a Learning Guide
Each lesson covers one broad topic or set of related topics. Lessons are arranged in order of increasing proficiency with Lotus Domino and Lotus Notes; skills you practice in one lesson are used and developed in subsequent lessons. For this reason, you should work through the lessons in sequence. Each lesson is organized into results-oriented topics. Topics include all the relevant and supporting information you need to master Lotus Domino and Lotus Notes, and activities allow you to apply this information to practical hands-on examples.

As a Review Tool
Some of the information covered in class may not be relevant to your environment immediately, but it may become important later on. For this reason, we encourage you to spend some time reviewing the topics and activities after the course. The course can also be used in preparation for Lotus certification exams.

As a Reference
The organization and layout of the book make it easy to use as a learning tool and as an after-class reference. You can use this book as a first source for definitions of terms, background information on given topics, and summaries of procedures.

Course Objectives
After completing this course, you should be able to:
Set up the first server and the administrator.
Add Lotus Domino servers.
Add Lotus Notes clients.
Administer users by creating groups and implementing policies.
Set up server administration.
Synchronize Lotus Domino system databases.
Configure basic intranet mail routing.
Configure mail routing to the Internet.
Establish mail controls.
Implement mail rules and storage limits.
Monitor mail.
Resolve common mail routing problems.

Course Requirements
Hardware
Instructor (Hub) Server
The following list identifies the hardware requirements for the instructor (Hub) server.

The classroom setup allows for up to 12 students, where each student has a client and a server on one physical machine. While this is not the best installation practice, it allows for each student to have the same experience. If you prefer to install the client and server on separate machines, you may do so. However:
Students may have to share machines.
You may need to revise some activities and exercises.

512 MB of RAM or more is required; 1 GB of RAM is recommended.
A Pentium Class or higher processor and compatibles; a Pentium 4, 2.6 GHz or higher processor is recommended.
An SVGA (or better) video card and monitor.
Support for 256 colors, 800 x 600 resolution.
At least 2 GB of free hard disk space per partition; 4 GB is recommended.
A mouse or other pointing device.
A CD-ROM drive or access to a network file server for installation.
A projection system or mechanism for the instructor's computer screen.
IP networking capabilities.
Internet access (recommended).
Synchronize system time with all classroom machines.

Instructor Client
It is strongly recommended that you have a separate computer to install as the instructor's Lotus Notes and Lotus Domino Administrator client. If you do not have a separate client computer, you can install the client software on the instructor's Domino server, but this is not the optimal configuration. The following requirements assume that you will have a separate client computer for the instructor.

Client requirements are per client software installed on machine. If more than one client type is required on certain machines, add the individual client type requirements together.

At least 512 MB of RAM; 1 GB is recommended.
A Pentium Class processor.
An SVGA (or better) video card and color monitor.
Support for 256 colors, 1024 x 768 resolution.
At least 2 GB of free hard disk space.
A mouse or other pointing device.
A CD-ROM drive or access to a network file server for installation.
A projection system or mechanism for the instructor's computer screen.
IP networking capabilities.
Internet access (recommended).

Student Machines
Each student will have one computer on which to install and configure both the Domino server software and the Lotus Notes and Domino Administrator client software. The following list identifies the hardware requirements for the student machines.
- At least 1 GB of RAM; 2 GB is recommended.
- A Pentium Class or higher processor and compatibles; a Pentium 4, 2.6 GHz or higher processor is recommended.
- An SVGA (or better) video card and monitor.
- Support for 256 colors, 800 x 600 resolution.
- At least 3 GB of free hard disk space.
- A mouse or other pointing device.
- A CD-ROM drive or access to a network file server for installation.
- IP networking capabilities.
- Internet access (recommended).


Software
Instructor (Hub) Server
The following list identifies the software requirements for the instructor server machine. Please note that proper licensing for all software is required and is the responsibility of the training organization.
- Microsoft Windows Server 2003 Standard Edition (Service Pack 1 is not required but recommended), Microsoft Windows Server 2003 Enterprise Edition with Service Pack 2, or Microsoft Windows Server 2008 Standard or Enterprise Edition.
- The latest version of Java.
- Lotus Domino 8.5 Enterprise Server.
- A host name resolution mechanism, either through DNS or a hosts file.

Instructor Client
The following list identifies the software requirements for the instructor client machine. Please note that proper licensing for all software is required and is the responsibility of the training organization.
- Microsoft Windows XP Professional with Service Pack 2. (If you prefer to use Windows Vista, be aware that the course was not developed and tested using that configuration.)
- The latest version of Java.
- IBM Domino Administrator 8.5.
- IBM Lotus Notes 8.5, Standard configuration.
- A host name resolution mechanism, either through DNS or a hosts file.
- IBM Lotus Symphony Presentations or Microsoft PowerPoint Viewer.

Student Machines
The following list identifies the software requirements for the student machines. Please note that proper licensing for all software is required and is the responsibility of the training organization.
- Microsoft Windows Server 2003 Standard Edition (Service Pack 1 is not required but recommended), Microsoft Windows Server 2003 Enterprise Edition with Service Pack 2, or Microsoft Windows Server 2008 Standard or Enterprise Edition.
- The latest version of Java.
- Lotus Domino 8.5 Enterprise Server.
- IBM Domino Administrator 8.5.
- IBM Lotus Notes 8.5, Standard configuration.
- A host name resolution mechanism, either through DNS or a hosts file.


Version Note
This course was tested using the GA release of IBM Lotus Domino 8.5.

Class Setup
Preparing for an ILO Class Experience
Instead of a traditional classroom instructor-led class, you may be taking this course as an instructor-led online class. If you are participating in an online class experience, you should:
- Verify that you have the dial-in number for participants.
- If necessary, verify that you have the conference reference name or number and password, if required, to the conference.
- Verify that you have the appropriate support contact information:
  - Technical support: To help resolve connection issues.
  - Content support: To answer questions about the materials presented in class.
  - Process support: To assist with understanding how an ILO class is carried out and assure that participation is appropriate.
- Test your ability to connect to the course with the equipment you plan to use during the course. This will allow you to:
  - Test connectivity to the provider's server.
  - Download any applications or plug-ins required.
  - Become familiar with the online interface.

Instructor preparation information specific to ILO is provided in the Instructor Preparation Appendix.

Note: Some training providers will schedule a separate test session prior to your course to allow you to test connectivity; otherwise, you should plan to do this just prior to the course's start time. Your training center will provide the necessary information and instructions to you prior to your class start date.

Lotus Domino Naming Used in the Course


This course uses the following hierarchical naming scheme.

Table 0-1: Domino naming scheme

| Naming component | Classroom implementation |
|---|---|
| Organization certifier | /WWCorp |
| Domain | WWCorp |
| Organizational unit certifiers | SVR/WWCorp, East/WWCorp, West/WWCorp |
| Domino server names | Instructor: Hub/SVR/WWCorp. Students: East01/SVR/WWCorp, East02/SVR/WWCorp, East03/SVR/WWCorp, East04/SVR/WWCorp, East05/SVR/WWCorp, East06/SVR/WWCorp, West01/SVR/WWCorp, West02/SVR/WWCorp, West03/SVR/WWCorp, West04/SVR/WWCorp, West05/SVR/WWCorp, West06/SVR/WWCorp |
| Domino administrator user names | Instructor: Doctor Notes/WWCorp. Students: Admin East01/East/WWCorp, Admin East02/East/WWCorp, Admin East03/East/WWCorp, Admin East04/East/WWCorp, Admin East05/East/WWCorp, Admin East06/East/WWCorp, Admin West01/West/WWCorp, Admin West02/West/WWCorp, Admin West03/West/WWCorp, Admin West04/West/WWCorp, Admin West05/West/WWCorp, Admin West06/West/WWCorp |
| Instructor server's computer name | Hub |
| Instructor server's host name | hub.wwcorp.com |
| Instructor client's computer name | Instructor |
| Instructor client's host name | instructor.wwcorp.com |
| Student computer names | East01 through East06 and West01 through West06 |
| Student host names | east01.wwcorp.com through east06.wwcorp.com and west01.wwcorp.com through west06.wwcorp.com |

List of Course Files


The following table outlines the files used in the course or provided as additional tools.

Table 0-2: Required course files

| File name | Function |
|---|---|
| Reg_East.txt, Reg_West.txt | Lesson 3: Used for registering users from text files. |
| Rep_dd.txt | Used throughout the course for replicating the Domino Directory to all classroom servers. |
| D8L76 Agent.nsf | Lesson 2: Used for adding fields to the Server document. |
| Test.abc | Lesson 10: Used for demonstrating mail rules. |
| MailAgent.nsf | Lesson 11: Used for sending messages for tracking purposes. |
| D8L76.ppt | Instructor presentation file. |

Checklist of Classroom Setup Tasks


Complete the following tasks to set up the classroom prior to the start of class or when indicated in an instructor note during the class. Detailed procedures for each task appear on the following pages.

Table 0-3: Classroom setup tasks

| Task | Procedure |
|---|---|
| 1 | If necessary, uninstall Lotus Domino and Lotus Notes on all servers and clients. |
| 2 | Create the hosts file. |
| 3 | Install the course files. |
| 4 | Complete the individual lesson setups for Lessons 3, 8, 10, and 11. |

Task 1: If Necessary, Uninstall Lotus Domino and Lotus Notes on all Servers and Clients
At the beginning of class, the instructor (Hub) server and all student computers should have only Windows Server and Java installed. The instructor client computer should have only Windows XP Professional, Java, and IBM Lotus Symphony Presentations or Microsoft PowerPoint Viewer installed. If the machines have been used as Domino servers or Lotus Notes clients, you will need to uninstall Lotus Domino and Lotus Notes from the machines to enable guiding students through the installation of both products. See the Lotus Domino documentation for detailed steps.

Task 2: Create the Hosts File


Use any text editor to edit the hosts file on each classroom machine to include the IP address and server names as shown in the following table. You can use any IP addresses that are appropriate for your classroom environment.

Table 0-4: IP addresses and server names for the hosts file

| IP address | Hierarchical name | Host name |
|---|---|---|
| HubIPaddress | Hub/SVR/WWCorp | hub.wwcorp.com |
| IPaddress | East01/SVR/WWCorp | East01.wwcorp.com |
| IPaddress | East02/SVR/WWCorp | East02.wwcorp.com |
| IPaddress | East03/SVR/WWCorp | East03.wwcorp.com |
| IPaddress | East04/SVR/WWCorp | East04.wwcorp.com |
| IPaddress | East05/SVR/WWCorp | East05.wwcorp.com |
| IPaddress | East06/SVR/WWCorp | East06.wwcorp.com |
| IPaddress | West01/SVR/WWCorp | West01.wwcorp.com |
| IPaddress | West02/SVR/WWCorp | West02.wwcorp.com |
| IPaddress | West03/SVR/WWCorp | West03.wwcorp.com |
| IPaddress | West04/SVR/WWCorp | West04.wwcorp.com |
| IPaddress | West05/SVR/WWCorp | West05.wwcorp.com |
| IPaddress | West06/SVR/WWCorp | West06.wwcorp.com |
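One way to check a finished hosts file against Table 0-4 before class, so that no server name silently resolves to the wrong machine. This is an added example, not part of the course files: the host names come from the table, while the 192.0.2.x addresses, the sample file, and the function names are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Host names from Table 0-4: the hub plus East01-East06 and West01-West06.
# Host names are compared in lower case because name lookups ignore case.
EXPECTED_HOSTS = ["hub.wwcorp.com"] + [
    f"{region}{n:02d}.wwcorp.com"
    for region in ("east", "west")
    for n in range(1, 7)
]

# Constructed sample with deliberate mistakes (documentation address range).
SAMPLE_HOSTS = """\
# classroom hosts file (constructed sample)
192.0.2.10   hub.wwcorp.com
192.0.2.11   East01.wwcorp.com
192.0.2.12   East02.wwcorp.com
192.0.2.12   East03.wwcorp.com     # same address as East02
192.0.2.14   East04.wwcorp.com
192.0.2.15   East05.wwcorp.com
192.0.2.16   East06.wwcorp.com
192.0.2.21   West01.wwcorp.com
192.0.2.22   West02.wwcorp.com
192.0.2.324  West03.wwcorp.com     # not a valid IPv4 address
192.0.2.24   West04.wwcorp.com
192.0.2.25   West05.wwcorp.com
192.0.2.35   West05.wwcorp.com     # second, conflicting entry
"""


def parse_hosts(text):
    """Parse hosts-file text into (entries, findings).

    entries is a list of (line_number, ip_string, [lower-cased names]).
    findings lists lines that could not be parsed.
    """
    entries, findings = [], []
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            findings.append(f"line {number}: address without a host name")
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            findings.append(f"line {number}: invalid IP address {fields[0]!r}")
            continue
        entries.append((number, str(ip), [name.lower() for name in fields[1:]]))
    return entries, findings


def check_classroom_hosts(text, expected=EXPECTED_HOSTS):
    """Return a list of problems; an empty list means the file matches the table."""
    entries, findings = parse_hosts(text)
    wanted = set(expected)
    ips_by_host = defaultdict(set)
    hosts_by_ip = defaultdict(set)
    for _, ip, names in entries:
        for name in names:
            if name in wanted:
                ips_by_host[name].add(ip)
                hosts_by_ip[ip].add(name)

    # Every classroom host must appear, and with exactly one address.
    for host in expected:
        ips = ips_by_host.get(host, set())
        if not ips:
            findings.append(f"{host}: missing")
        elif len(ips) > 1:
            findings.append(
                f"{host}: conflicting addresses {', '.join(sorted(ips))}"
            )

    # Each classroom server is its own machine, so no two may share an address.
    for ip in sorted(hosts_by_ip):
        hosts = hosts_by_ip[ip]
        if len(hosts) > 1:
            findings.append(f"{ip}: shared by {', '.join(sorted(hosts))}")
    return findings


if __name__ == "__main__":
    for problem in check_classroom_hosts(SAMPLE_HOSTS):
        print(problem)
```

To check a real machine, pass the contents of its hosts file to `check_classroom_hosts` in place of the sample.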

Task 3: Install the Course Files


Follow these steps to install the \D8L76 course folder on the instructor's server and client.

Table 0-5: Install the course files

| Step | Action |
|---|---|
| 1 | To install the course files from the CD-ROM, insert the course CD into the instructor's server machine. |
| 2 | On the CD-ROM, open the D8L76 folder. |
| 3 | Double-click the D8L76dd.exe file. |
| 4 | Repeat the above steps on the instructor client machine. |

The executable will copy the following files to the specified locations, creating the \lotus_ed\ directory and all necessary sub-directories, if required. These files will be present on both the instructor server and instructor client machines.

Table 0-6: Course data files

| Directory | Files copied |
|---|---|
| \D8L76 | Files: Rep_dd.txt, Reg_East.txt, Reg_West.txt, D8L76.ppt, Test.abc. Databases: D8L76 Agent.nsf, MailAgent.nsf |


Task 4: Complete the Individual Lesson Setups for Lessons 3, 8, 10, and 11
The following tasks should be completed before beginning the specified lesson or when indicated in an instructor note.

Lesson 3
Complete the following tasks.

Table 0-7: Lesson 3 setup tasks

Task 1: Use Domino Designer to copy the Set D8L76 fields agent from the supplied D8L76 Agent.nsf file to the Domino Directory on Hub/SVR/WWCorp. Use Domino Administrator to select all Server documents and run the agent to perform the following:
- Add LocalDomainServers and Doctor Notes/WWCorp to the Server document, Security tab, Create new replicas field to enable the Administration Process to create a new replica.
- Remove current contents of the Full Access Administrators field and add Doctor Notes.
- Set Adminp interval to 5 minutes.
- Set the time that Adminp performs daily requests to noon.

Task 2: Copy Rep_dd.txt to the instructor's Domino data directory.

Task 3: Copy the following files to the instructor's Notes data directory:
- Reg_East.txt
- Reg_West.txt

Lesson 8
If necessary, add Doctor Notes (or any account that you might use) to the ACL of the Mail.box on Hub/SVR/WWCorp, with Manager access and all permissions. This enables a demo in this lesson in which you view documents in Mail.box.

Lesson 10
Complete the following tasks.

Table 0-8: Lesson 10 setup tasks

| Task | Action |
|---|---|
| 1 | Copy Test.abc to the instructor's server data directory, or to a location where students will be able to access it. |
| 2 | Create two or three mail rules. |

Lesson 11
Complete the following tasks.

Table 0-9: Lesson 11 setup tasks

| Task | Action |
|---|---|
| 1 | Send mail that cannot be delivered to show dead and undelivered mail. |
| 2 | Copy the Send multiple mail messages for D8L76 agent from the supplied MailAgent.nsf file to your (Doctor Notes) mail file. Run the agent to send messages to students for tracking purposes. |

Course Icons
The following table explains the icons used in this course.

Table 0-10: Course Icons

- An activity is a student-centered learning process that allows students to learn by performing a task. Activities can be instructor-led or completed independently.
- Scenario information is used to introduce an activity problem or goal. Scenarios use fictitious people and organizations to present details, problem statements, and parameters that are used to complete the activity or lab exercise.
- Caution statements are included in the courseware to make students aware of potential negative consequences of an action, setting, or decision, that are not easily known.
- Tips and notes provide additional information, guidance, or a hint about a topic or task.
- An Instructor Note is a special comment to the instructor regarding delivery, classroom strategy, classroom tools, exceptions, and other special considerations. The Instructor Note is included in the Instructor Guide only.
- Display Slide provides a prompt to the instructor to display a specific slide. The Display Slide icon is included in the Instructor Guide only.


Setting Up the First Server and Administrator


- Topic A: Analyzing a Deployment Plan
- Topic B: Installing the IBM Lotus Domino Server Software
- Topic C: Installing the IBM Lotus Domino Administrator Client Software
- Topic D: Launching and Configuring the First Server
- Topic E: Configuring the First Workstation
- Topic F: Assigning Roles to Administrators and Servers

Copyright IBM Corporation 2009.

Lesson 1 Setting Up the First Server and Administrator

Introduction
Planning is a critical step in the process of implementing an IBM Lotus Notes and IBM Lotus Domino environment. Worldwide Corporation has decided to use Lotus Notes and Lotus Domino as their international standard for messaging and collaboration. Worldwide has gone through extensive planning to determine their mail and application requirements and to identify how Lotus Notes and Lotus Domino can accommodate those requirements. As a result of their planning, Worldwide has designed a deployment plan to describe how they will implement Lotus Notes and Lotus Domino throughout the corporation. This lesson covers basic guidelines and considerations to use when planning a Lotus Notes and Lotus Domino implementation and introduces Worldwide's deployment plan and implementation checklist.

Note: Since this is not a planning course, in-depth planning issues are not discussed. This lesson presents high-level planning considerations and guidelines that will help position Worldwide's deployment plan. Worldwide's implementation checklist is an example of a typical checklist that might be used to install and set up a basic Lotus Domino infrastructure. The checklist will be used as the basis for this course. It will be revisited in each lesson to demonstrate progress.

After completing this lesson, you should be able to:
- Review a sample deployment plan implementation.
- Install the Lotus Domino server software.
- Install the Lotus Domino Administrator client software.
- Launch and configure the first server.
- Configure the first workstation.
- Assign roles to administrators and servers.


Planning Considerations
Introduce the topic. The main goals of this topic are to:
- Emphasize the importance of creating a deployment plan.
- Introduce Worldwide Corporation's deployment plan (see the Worldwide Corporation Infrastructure Plan appendix).
- Provide basic guidelines for planning an infrastructure.
- Introduce Worldwide's implementation checklist, which students will use throughout the course to install and configure the infrastructure.

Topic A: Analyzing a Deployment Plan


Planning Considerations
When planning a Lotus Domino infrastructure:

- Determine the business problems to be addressed.
- Examine the organizational structure.
- Design the Lotus Domino environment around the organizational structure.

The Lotus Domino infrastructure should enhance and support the organizational structure.

Integration with other IBM products


As you plan the Lotus Domino infrastructure, also consider how it needs to integrate with other organizational software and systems. Lotus Domino 8.5 has been designed specifically to work with the following IBM products:
- IBM Lotus Sametime
- IBM Lotus Quickr
- IBM Lotus Connections
- IBM WebSphere Portal
- IBM Lotus Notes Traveler

Checklist: Planning the Lotus Domino environment


Worldwide Corporation used the following checklist to plan their infrastructure.

Planning Checklist

| Task | Procedure |
|---|---|
| 1 | Identify structure of organization. |
| 2 | Create planning team. |
| 3 | Identify tracking mechanism. |
| 4 | Define the business problem. |
| 5 | Identify how Lotus Domino can address the business problem. |
| 6 | Identify access needs. |
| 7 | Identify hardware requirements (site map). |
| 8 | Identify server roles. |
| 9 | Select location for servers. |
| 10 | Identify network protocol(s) and network changes. |
| 11 | Choose replication topology. |
| 12 | Identify directory strategy. |
| 13 | Select mail routing strategy. |
| 14 | Develop naming scheme. |
| 15 | Define security. |
| 16 | Determine server configurations. |
| 17 | Determine client configurations. |
| 18 | Determine rollout strategy. |
| 19 | Determine education strategy. |

Planning Guidelines

Several areas need to be considered when planning a Lotus Domino infrastructure. It is important to determine and follow guidelines to ensure that all tasks are properly carried out.
Note: The Planning Guidelines table presents some basic guidelines to use when planning a Lotus Notes and Lotus Domino infrastructure. This course does not cover how to plan an infrastructure. However, you can use this table as a planning reference.

Introduce the table as a reference. Instead of reading the material in the table, use the table to emphasize the extent to which planning should be performed and the importance of a planning effort.

Guidelines for planning tasks


The following table provides some guidelines for planning tasks.

Task: Identify structure of organization:
- Examine current structure.
- Validate with upper management.
- Design Lotus Domino infrastructure around organization.
Guidelines: Determine:
- Geographic layout of the organization
- Mobile considerations
- Number of users and where they are located
- Business model
- Work environment
- Infrastructure
- Communication
- Future plans
- Key departmental considerations
- Decision makers

Task: Create planning team.
Guidelines:
- Identify decision makers (based on size of company, will be different roles).
- Identify the skills required to design the Lotus Domino infrastructure.
- Assign individuals/job titles to the skills.
- Identify gaps in skills and/or human resources.
- Ensure approval from upper management.

Task: Identify tracking mechanism to:
- Record planning progress.
- Allow adjustment of goals as necessary.
- Keep users informed.
- Serve as a project management tool.
Guidelines: Identify:
- The types of information to ask:
  - Dates
  - Timelines
  - Budget
- How will the information be used?
- Who will contribute to it?
- How will it be updated and managed?
- Suggested tracking mechanisms, such as:
  - Lotus Domino Web application located on a test server
  - Existing project management software

Task: Define the business problem.
Guidelines: Typical business problems include:
- Knowledge management
- Process
- Communication
- Extended enterprise

Task: Identify how Lotus Domino can address the business problem.
Guidelines: Basic Lotus Domino solutions include messaging and/or workflow:
- E-mail/PIM
- Broadcast/Reference
- Discussion
- Tracking/Workflow

Task: Identify access needs.
Guidelines: Identify:
- Current and future user information access requirements
- User location access requirements
- Lotus Domino hardware requirements
- Changes to existing hardware based on user needs and Lotus Domino requirements

Task: Identify hardware requirements (site map).
Guidelines:
- Identify factors affecting hardware infrastructure, such as budget and expertise.
- Determine operating system(s) for Lotus Domino servers.
- Identify Lotus Domino specifications.
- Determine need for clustering and/or partitioned servers.
- Determine backup strategy.
- Identify current hardware infrastructure (create a site map).
- Determine changes to current hardware infrastructure to support Lotus Domino.

Task: Identify server roles.
Guidelines: Determine the roles of Lotus Domino servers based on the business problem. For example:
- Mail
- Application/Web
- Hub
- Communication
- Certificate Authority
- Firewall/Gateway

Task: Select location for servers.
Guidelines:
- Assign roles to servers in locations based on:
  - Organizational structure
  - Business problem(s)
  - User needs
  - Hardware requirements
- Update the site map by specifying which servers belong in each location.

Task: Identify network protocol(s) and networking changes.
Guidelines: Identify network connections based on:
- Network protocols (recommended protocol TCP/IP)
- Network traffic (LANs and WANs); amount of bandwidth needed depends on:
  - The amount of mail traffic and database replication
  - How traffic is routed (shared applications on the same network)
  - Clustering, if clustered servers are implemented
- Lotus Notes Named Networks, including:
  - Connection types (protocols available, bandwidth)
  - Time zones (when does replication occur?)
- Which workgroups exist in multiple sites and are dependent on each other for information?
- What is the level of urgency for data within an application that is replicated between servers?
- Who communicates with whom most often?
- Is dialup connectivity required?

Task: Choose replication topology.
Guidelines:
- Identify who needs access to what information and when.
- Identify where to put applications to be replicated.
- Determine how and when replication occurs.
- Use Hub and Spoke topology when possible to maximize server resources.
- Use dedicated replication hubs where possible.
- Use Pull/Push replication from the hubs.
- Create a replication map that shows which servers replicate with each other, the frequency of replication, and any restrictions that are in place.
- Place applications in geographic locations by workgroups.

Task: Identify directory strategy.
Guidelines:
- Identify domain or domains.
- Define directory structure by domain.
- Identify how the Lotus Domino Directories will be used.
- Identify the external directories that will be accessible to Lotus Domino users.
- Determine whether to use Central Directory (for better performance and efficiency).
- Determine whether to use Directory Catalogs (for mobile users).

Task: Select mail routing strategy.
Guidelines:
- Identify mail clients.
- Identify which mail routing protocol or protocols to use based on client types.
- Determine message format based on client types.
- Decide on security mechanism(s).
- Determine how mail is routed using a topology map.

Task: Develop naming scheme.
Guidelines:
- Determine organizational units based on:
  - Location
  - Departments
  - Workgroups
- Server's common name should:
  - Be a short, descriptive name.
  - Contain an abbreviation for the region where it resides.
  - Not contain any spaces.
  - Be easily expandable.
  - Be easily recognizable for the tasks the server performs.

Task: Define security.
Guidelines: Secure the following infrastructure components:
- Workspace
- Network
- Server
- Workstation
- Applications

Task: Determine server configurations.
Guidelines: Consider standardizing the following for Lotus Domino servers:
- File directory structure
- Database location
- Database size quotas
- Lotus Domino server types based on the server role
- Lotus Notes client types based on users' job responsibilities
- Use of the same release of Lotus Domino server software throughout the organization

Task: Determine client configurations.
Guidelines:
- Identify Lotus Domino client types.
- Identify non-Lotus Domino client configurations.
- Identify user mail configurations.

Task: Determine rollout strategy.
Guidelines:
- Identify project milestones and deadlines.
- Identify who is responsible for project milestones.

Task: Determine education strategy.
Guidelines:
- Identify training resources for technical users.
- Identify training resources for end users.

Note: For more information on planning, consult these resources:
- IBM Redbook: A Roadmap for Deploying Lotus Domino in the Organization at http://www.redbooks.ibm.com.
- Lotus Domino Administrator 8.5 Help

The Worldwide Corporation Deployment Plan


The complete Worldwide Corporation Infrastructure Plan appears in the Worldwide Corporation Infrastructure Plan appendix. The deployment plan includes three regions for implementation:
- Headquarters (Corporate)
- East
- West

Note that the server names in the plan accommodate a mail and application environment, whereas in this course only the mail servers will be implemented. Therefore, the server names have been modified from the ones presented in the plan.


This course implements the basic infrastructure based on the deployment plan. The Lotus Domino and Lotus Notes components for the three regions appear in the following completed classroom diagram.

Classroom Implementation

Provide an overview of the classroom implementation.

See Additional Instructor Notes

Figure 1-1: Completed classroom diagram


Checklist: Building the Lotus Domino environment


This course implements the following tasks from Worldwide Corporation's deployment plan.

Implementation Checklist

| Task | Procedure |
|---|---|
| 1 | Set up the first server. |
| 2 | Add an administrator's workstation. |
| 3 | Set up access to the Domino Directory. |
| 4 | Add Lotus Domino servers. |
| 5 | Add organizational units. |
| 6 | Register administrators. |
| 7 | Add Lotus Notes clients. |
| 8 | Create user groups. |
| 9 | Create organizational policy. |
| 10 | Register users. |
| 11 | Set administration preferences. |
| 12 | Set up access to servers. |
| 13 | Set up server logging. |
| 14 | Synchronize Lotus Domino system databases throughout the domain. |
| 15 | Route mail internally. |
| 16 | Route mail to the Internet. |
| 17 | Set mail controls. |
| 18 | Test mail routing and delivery. |

Tell students that this is the checklist they will be using throughout the class to implement the infrastructure. This is a subset of the implementation checklist provided in the Worldwide Corporation Infrastructure Plan appendix. Because this class focuses on a basic infrastructure, it does not include setting up a Web server or configuring mobile, non-Domino, and Internet clients.


Supported Platforms and System Requirements


The Release Notes for each version of Lotus Domino and Lotus Notes contain a section on supported platforms and system requirements. You can also obtain this information from the IBM Web site. For Lotus Notes and Domino 8.5, the Detailed system requirements Web page can be accessed from http://www-01.ibm.com/support/docview.wss?rs=463&uid=swg27013072.


Implementation Checklist
Review the checklist. At the end of this lesson, the following Implementation Checklist items will be complete:
- Set up the first server.
- Add an administrator's workstation.
- Set up access to the Domino Directory.

Topic B: Installing the IBM Lotus Domino Server Software


This topic focuses on the installation of the first server. You will use the components created during the first server setup to install and configure the rest of the servers and users in the domain in the upcoming lessons. The administrators for Worldwide Corporation will begin implementation with the first IBM Lotus Domino server. The following components result from setting up the first server, and these components will be used to implement the rest of the plan:
- Organization certifier
- Organizational unit certifier
- Server name
- Administrator's name
- Directory of resources in the domain

Lotus Domino Server Installation Types


To ensure installation of the appropriate server software, administrators must select the server type at installation. The following table describes the different server types.

Server type: Lotus Domino Utility Server
Function: Provides custom database applications for IBM Lotus Notes and Web clients, and Lotus Domino database transaction logging.
- Application services only
- Support for Lotus Domino clusters
Note: This does not include support for messaging services.

Server type: Lotus Domino Messaging Server
Function: Provides Lotus Domino and Internet mail services.
- Messaging services
Note: This does not include support for application services or Lotus Domino clusters.

Server type: Lotus Domino Enterprise Server
Function: Provides a Lotus Domino server license option for deploying an e-mail and calendar infrastructure along with collaborative applications.
- Both messaging and application services
- Support for Lotus Domino clusters
Note: To cluster mail servers, the Lotus Domino Enterprise server is required.

Note: All three server types support Lotus Domino partitioned servers. The installation presents an option for Partitioned Server Installation. This option allows an administrator to install and configure more than one Lotus Domino server on the same machine. Worldwide Corporation has chosen to dedicate a machine to each server, so we will leave this check box deselected during installation of the classroom servers. Partitioned servers, clustered servers, and transaction logging are beyond the scope of this course. For more information on these advanced topics, refer to the Lotus Domino Administrator 8.5 Help.

Platform and operating system requirements


The following table displays the platform and operating system requirements as they apply specifically to the Lotus Domino 8.5 server and Microsoft Windows.

| Category | Requirements |
|---|---|
| Supported operating system versions | Microsoft Windows Server 2003 Standard Edition; Microsoft Windows Server 2003 Enterprise Edition with Service Pack 2; Microsoft Windows Server 2003 X64 Edition; Microsoft Windows Server 2008 Standard Edition; Microsoft Windows Server 2008 Enterprise Edition; Microsoft Windows Server 2008 x64 Standard Edition; Microsoft Windows Server 2008 x64 Enterprise Edition |
| Processors supported | Intel Pentium or higher and compatibles (32-bit and 64-bit chips as appropriate), or equivalents |
| RAM | 512 MB minimum or more recommended per CPU |
| Disk space | 1.5 GB minimum per partition |
| Disk swap space | Two times the physical RAM installed |
| Monitors supported | Color monitor required |
| Protocols | NetBIOS over IP (32-bit processor only, only Microsoft IP is supported); NetBIOS over IPX (32-bit processor only); TCP/IP (includes IPv6) |


Activity 1-1: Install the Lotus Domino Enterprise Server Software


Lead students in installing the Lotus Domino Enterprise Server software on all classroom servers.
Step 1: Direct students to the appropriate location of the install executable.
Step 8: While the software is installing, move on to the next section.

Scenario
Each server will be a Lotus Domino Enterprise server to allow for all possible configurations. Installing the Lotus Domino server software copies executables, database templates, and other files to the hard drive. On Microsoft Windows platforms, the installation also creates registry entries.

To complete this activity:
Start the installation process.
Accept the license agreement and the default location for the directory names for program and data files.
Complete the installation of Domino Enterprise Server.

Follow these steps to install the Lotus Domino Enterprise Server software.

Start the installation process
1. Run the Lotus Domino 8.5 server installation executable, Setup.exe, from the location provided by the instructor.
2. On the Welcome screen, click Next.

Accept the license agreement and the default location for the directory names for program and data files
3. Click I accept the terms in the license agreement, and then click Next.
4. Click Next to accept the default directory name for program files.
5. Click Next to accept the default directory name for data files.

Complete the installation of Domino Enterprise Server
6. Verify that Domino Enterprise Server is selected, and click Next.
7. Review the selected options and click Next to begin copying files.
8. Click Finish to complete the installation.

Lotus Notes 8.5 Client Types

Topic C: Installing the IBM Lotus Domino Administrator Client Software


Administrators require a client to administer the IBM Lotus Domino servers. Worldwide administrators will use the Lotus Domino Administrator client to perform all administrative tasks.

The Lotus Notes 8.5 Client Standard and Basic Configurations


The IBM Lotus Notes 8.5 client comes in two main configurations, or types: Basic and Standard. The following table describes each configuration.

Client type: Basic
Description: Built on the same platform as Lotus Notes 7, the Basic client resembles Lotus Notes 7 in its interface and functionality. The Basic client is one of the options of the Standard client installation. With all the applications residing on Domino servers, the Basic client allows you to access new and recognizable service offerings for Calendar, Contacts, and Mail, plus familiar functionality for instant messaging. The existence of the Basic client is useful if you want to run it in the following circumstances:
Client computers do not have enough RAM or other hardware resources to run the Standard client at acceptable performance levels.
As an administrator, you do not want to spend the money for additional technical support or to train users on the new Lotus Notes 8.5 user interface yet.
You are not upgrading the servers on the back end to Lotus Domino 8.5 yet, so there is little reason to run the Standard client.

Client type: Standard
Description: Supported by IBM Lotus Expeditor and IBM Lotus Eclipse platforms with Java-enabled, Eclipse, and SWT capabilities, the J2EE Standard client provides a larger networking environment with increased functionality and innovation opportunities. The Standard client enables you to access applications on both Domino servers and IBM WebSphere Portal servers. With a fully redesigned user interface, the Standard client offers new and improved mail, calendar, contacts, and instant messaging functionality, while introducing you to engaging application and tool integration. The J2EE Standard client is the preferential configuration to support an all-inclusive new features and functionality upgrade from Lotus Notes 7 to Lotus Notes 8.5.

Other client options


In addition to using the Basic and Standard client configurations, users can also access Notes mail and other features by using IBM Lotus iNotes, which is a browser-based access method that is offered in three modes. The following table describes the iNotes modes.
Note: The former name of Lotus iNotes was Domino Web Access.

iNotes mode: Full
Description: Provides a full set of features including Mail, Calendar, Notebook, Contacts, and To Do list.

iNotes mode: Lite
Description: Optimized for performance in bandwidth-constrained environments, and provides access to Mail and Contacts in a streamlined user interface.

iNotes mode: Ultralite
Description: Designed for use on mobile devices such as the Apple iPhone or iPod touch.

What is Eclipse?

The Eclipse platform is designed for building integrated development environments (IDEs) that provide template-driven design and CSS-based customization. It is an open-source Java-based platform for end-user and developer products. Because of its open architecture, Eclipse has become the foundation for rich client platform (RCP) development. The Lotus Notes 8.5 client includes all the code that is Lotus Notes within the Eclipse environment. The Eclipse platform incorporates technology that is expressed through a well-defined design and implementation framework. It can be used to create diverse end-to-end computing solutions for multiple execution environments.

Client Installation Types


When you run the client installation software, the Custom Setup screen lists the available client installation options. By default, Notes Client and Sametime (integrated) are selected, and you have the option of selecting any or all of the following client components for installation:
IBM Lotus Domino Designer
Lotus Domino Administrator
Activities
Composite Application Editor
IBM Lotus Symphony

Lotus Notes 8.5 is also available as a client-only installation kit, which can be acquired via the Web, snail mail, and in stores on CD- and DVD-ROMs.
Note: IBM Lotus Sametime is an integrated installation option and cannot be deselected when installing the Notes 8.5 client.

The workstation installation offers three Lotus Notes-based clients, as shown in the following table.

Client type: Lotus Notes
Purpose: An interface for working with Lotus Notes applications and Internet data.

Client type: Lotus Domino Administrator
Purpose: An interface for administering Lotus Domino systems.

Client type: Lotus Domino Designer
Purpose: An interface for adding functionality to new or existing applications.


Note: Selecting either the Lotus Domino Administrator client or the Lotus Domino Designer client also installs a Lotus Notes client.

What is Lotus Expeditor?



Lotus Expeditor is a client platform for end-to-end smart client application solutions. Expeditor extends Lotus Notes 8.5 by providing services to install and manage applications. Additionally, users are allowed to easily launch and switch among these applications. Expeditor builds reusable clients on top of Eclipse and leverages Eclipse technology to provide a client solution that runs on multiple operating systems. As a rich client, Lotus Notes 8.5 inherits a great deal of its behavior from Expeditor, created by IBM as a generalized rich client with strong manageability features.

InstallShield Tuner capabilities


Lotus Notes 8.5 does support InstallShield Tuner capabilities to configure and customize client installations. Lotus Notes tuning files include notes.ini, templates, and databases.

Expeditor Component Packaging


Expeditor component packaging is a method by which you can customize client installation for Lotus Notes. This type of packaging is used to add a variety of the supplementary client-supported functionality provided by IBM for Lotus Notes 8.5.
Note: Composite applications can be packaged as J2EE code in .war files or as XML definitions in Lotus Notes .nsf databases. Expeditor can open either.

Eclipse Update Sites


Eclipse Update Sites are catalogs that contain features and plug-ins for Eclipse/RCP applications. They are published in a specific form to locate new and updated versions to download during installation. Eclipse is capable of installing or updating features placed on the remote servers. The features and plug-ins must be packaged in JAR files and have a manifest (site.xml) file that links them together. These files collectively form an Eclipse Update Site.

Eclipse Update Sites offer a convenient way of delivering new plug-ins and updates of existing ones. Collections of plug-ins are provided that logically go together. They are assembled in such a way to enable easy transport over the network, have necessary legal and security mechanisms, and are modular to allow hierarchical product building.

Automated Installation Options for Eclipse Components


Automated Installation Options

Automated client installation supports the IBM Lotus Domino clients and simplifies installation for end users because it presents very few or none of the installation windows. This process is therefore known as a silent installation. You can automate an installation for Lotus Notes 8.5 clients using any of the following methods:
Tuning the installer for automated install.
Configuring the installer content via features and install manifest.
Scripting the installer for specific options and silent install.
Using the installer in conjunction with Smart Upgrade.
Using the installer in conjunction with other deployment systems.

Multiple Users Sharing One Workstation


Workstation Sharing Considerations

Many environments require different users to share programs on a workstation. The Lotus Notes workstation installation offers a multi-user option so that multiple users can share a Lotus Notes client, with each user maintaining a separate environment. There are two considerations:
The operating system must support multiple user profiles.
The Lotus Domino Designer client and the Lotus Domino Administrator client do not support multi-user.

Worldwide Corporation has chosen not to implement multi-user workstations, so this option will be deselected during installation of the classroom workstations. For more information on multi-user workstations, refer to the Lotus Domino Administrator 8.5 Help.
Note: Further discussion of multi-user workstations is beyond the scope of this course. Refer to the Lotus Domino Administrator 8.5 Help for more information on this subject.


Activity 1-2: Install the Lotus Domino Administrator Client Software


Note: To provide all students with a comprehensive hands-on experience, we have designed this course so that students administer their own servers. To accommodate this, you will run the client and server software on the same machine. The Lotus Domino server and Lotus Notes client software support this configuration provided that the server and client software is installed in separate directories on the machine. While we recognize that this is not an optimal nor a recommended configuration to deploy in a real world environment, we use this environment in the classroom to provide you with the experience of administering your own servers.

Step 1: Direct students to the appropriate location of the installation executable. While the software is installing, move on to the next section.

Scenario
Before the Worldwide administrators can use the Lotus Domino Administrator client to administer Lotus Domino servers, the client software needs to be installed.

To complete this activity:
Begin the installation of the client software.
Select the client components to be installed.
Complete the installation.

Follow these steps to install the Domino Administrator client and related software.

Begin the installation of the client software
1. Run the Lotus Notes 8.5 client installation executable, Setup.exe, from the location provided by the instructor.
2. On the Welcome screen, click Next.
3. Select I accept the terms in the license agreement, and click Next.
4. On the Customer Information screen, type your user name, verify Worldwide Corporation is the organization, and then click Next.
5. Click Next to accept the default installation path selections.

Select the client components to be installed
6. On the Custom Setup screen, verify that Notes Client and Sametime (integrated) are selected for installation. Then, select the following features by clicking them and clicking This feature will be installed on the local hard drive.
Domino Designer
Domino Administrator
Composite Application Editor
Click Next.

Complete the installation
7. Click Install to begin copying files.
8. Click Finish to complete the installation.

Summarize the key components created by Server setup. Use the diagram shown in Figure 1-2 to illustrate the files created during the Server setup.

Topic D: Launching and Configuring the First Server


The Server Setup Process
After installing the server software, an administrator must launch the server to configure it. When you run the Server setup program on the first server in the infrastructure, the program creates the Lotus Domino environment to which other servers and users can be added. The Server setup program creates the components described in the following table.

Component: A Domino Directory for the new domain
Stored in: The server's data subdirectory, as names.nsf

Component: An organization certifier for the organization
Stored in: Cert.id file in the Lotus Domino server's data subdirectory; Certifier document in the Domino Directory

Component: (Optional) An organizational unit certifier
Stored in: Oucert.id in the data subdirectory; Certifier document in the Domino Directory

Component: A Server document for the server
Stored in: The Domino Directory

Component: A server ID stamped by the organization's certifier
Stored in: The Server document and/or the server's data subdirectory

Component: A Person document for the administrator
Stored in: The Domino Directory

Component: The administrator's ID stamped by the organization's certifier
Stored in: The Person document and/or the server's data subdirectory


The following figure illustrates the components in the preceding table.

Components Created During First Server Setup

Figure 1-2: Components from first server setup

The Domino Directory



The IBM Lotus Domino Directory is the most important database in the Lotus Domino environment. It contains information about all Lotus Domino resources and how the resources function, and it is the database that contains the information created and updated using Lotus Domino Administrator. Each additional server in the domain has a replica of the Domino Directory.

Stress the significance of the Domino Directory.

Replicas of the Domino Directory


Replicas of a database can reside on different servers, enabling users to collaborate without having to use the same server. Replication synchronizes the changes made on these replicas, so that each replica has the required documents. Replication is the controlled synchronization between database replicas.


The following figure represents Domino Directories on different servers. The arrows represent replication, keeping the information synchronized.

Figure 1-3: Domino Directories on different servers

Comparing Domains and Organizations


Note the following differences between a domain and an organization:
The material represented here is not new material. It serves as a review of prerequisite knowledge.

A Domino domain is the collection of Domino servers and users that share the same Domino Directory.
A Domino organization is defined by the certifier that stamps the IDs of users, servers, and other certifiers. There is a trust relationship within the organization so that users and servers can communicate and share data. The organizational certifier provides security and uniformity in naming of users and servers. The certifier name is part of the hierarchical name of all users and servers in the organization.

When to use multiple domains


Large enterprise corporations might consider defining regions or countries as separate domains in order to keep the Domino Directory manageable for administrators, to facilitate name lookup, and to maintain good server performance. Separate domains can also be created for development, so as not to interfere with a production environment.
Note: Consider placing Web servers accessible via the Internet in a separate domain and organization to maintain a secure environment.


Practice Activity 1-3: Review Domains and Organizations


Use these questions as a basis for discussion of the concepts.

Scenario
In a Domino environment, when setting up and launching the first server, there are key components involved in the process. As an administrator, you should be familiar with Domino Domains and organizations. Complete the following to review.

This activity reviews student knowledge from the IBM Lotus Domino 8.5 System Administration Operating Fundamentals course.

1. What is a domain?
A domain is a collection of servers and users that share a single Domino Directory. The domain name is typically the company name.

2. If a company has two domains, how many Domino Directories are needed?
Two Domino Directories are needed, one per domain.

3. Does the collection of servers and users in the Domino Directory constitute a domain or an organization?
A domain.

4. What is an organization?
An organization is an entity that authorizes users and servers to authenticate with one another. The primary purpose is security.

5. Does the organization name have to be the same as the domain name?
No. For simplicity, Worldwide Corporation is using WWCorp for the domain and organization name. The names could be different if needed.


Purposes of Organizational Units


Dividing an organization into organizational units (OUs) allows for:
Management by region or division. For example, database ACLs can specify different privileges for each OU.
Separation of servers from users. For example, an administrator can easily:
    Cross-certify the OU containing all servers with another organization.
    Not cross-certify users with the other organization.
Unique names for users who have the same common name.

Naming requirements for an organizational unit


The organizational unit name can be a maximum of 32 characters and may include alphabetic characters (A - Z), numbers (0 - 9), and the ampersand (&), dash (-), period (.), space ( ), and underscore (_). For information on naming requirements for this and other Lotus Domino components, refer to the Lotus Domino Administrator 8.5 Help document titled Table of Naming Requirements.
Note: The space character is not recommended because programs other than the Lotus Notes client may not allow spaces.

Sample organizational structure


Worldwide Corporation's deployment plan divides /WWCorp into three organizational units. Worldwide Corporation is using the following organizational structure:

The organization certifier is /WWCorp.
All servers will be in an organizational unit named /SVR/WWCorp.
Users will be in one of the following organizational units:
    /East/WWCorp
    /West/WWCorp


The following diagram represents the certifiers in Worldwide's Lotus Domino organization hierarchy. The organization certifier is /WWCorp and the three organizational unit certifiers are descendants of /WWCorp.

Worldwide Corporation's Lotus Domino Organization Hierarchy

Figure 1-4: Worldwide's Lotus Domino organization hierarchy

Alternatives to Organizational Units


A company may choose not to use organizational units. There are methods that serve similar purposes for those Lotus Domino environments:
Group documents can enable management of subsets of the population. For example, a group document can contain all people in the East division.
In smaller organizations, servers may not need to be separated from users.
Differentiating two users who have the same first and last name and need to be certified by the same certifier can be accomplished in two ways:
    The middle initial can be included as part of the common name.
    The User registration dialog box has an option to create a unique organizational unit. This adds an OU component to the user name, but the OU name does not really exist as a separate certifier.


Practice Activity 1-4: Review Possible Hierarchical Names


Use these questions as a basis for discussion of the concept.

Scenario
Each server and end user is certified by a certifier. Worldwide will use certifier names that:
Indicate the region where the users work.
Indicate the servers being separate from users.

The following diagram displays Worldwide's Lotus Domino organizational hierarchy and the users and servers certified by each certifier. Your instructor may ask you to identify various hierarchical names based upon this diagram.

Organizational Hierarchy

Figure 1-5: Worldwide's Lotus Domino organizational hierarchy

Answer the following questions to review.

1. What is the hierarchical name for the Admin East01 user?
Admin East01/East/WWCorp

2. What is the hierarchical name for the West02 server?
West02/SVR/WWCorp

3. What is the hierarchical name for the East03 server?
East03/SVR/WWCorp

4. What is the hierarchical name for the user Marcus Frank who works in the eastern division of WWCorp?
Marcus Frank/East/WWCorp

5. What is the hierarchical name for a different Marcus Frank who works in the western division of WWCorp?
Marcus Frank/West/WWCorp

Descendants of the Organization Certifier


The deployment plan calls for setting up one organization hierarchy. Therefore, all names are descendants of the /WWCorp organization certifier. Certifier IDs stamp server, user, and other certifier IDs with their certificates.

The /WWCorp organization certifier stamps one entity, the user Doctor Notes.

The /WWCorp certifier stamps the following OU certifiers, which will stamp the IDs for other users and servers:
/SVR
/East
/West

Organization Security
All users and servers within the /WWCorp hierarchy will be able to authenticate with each other. For example, when a user opens a database on a server, the user and server will check each other's certificates to verify that they are both descendants of the /WWCorp certifier. If so, the user database will open unless another security measure restricts access.

Organization Certifier ID Security


The certifier ID file is the most important ID file in the organization. It should be kept in a secure location. The organization certifier ID (Cert.id) does not need to remain in the Domino\data subdirectory. Leaving it there could be a security risk if unauthorized users gain access to the server machine. Move the Cert.id file from the Domino\data subdirectory on the first Lotus Domino server to a secure area, such as on a portable media device or disk stored in a locked cabinet.


Caution: A person with access to the organization certifier ID file and its password has the ability to change the entire organization's hierarchy. Carefully consider and plan access to this file.

Note: For additional security, consider requiring multiple passwords to access the organization certifier ID. Refer to the Lotus Domino Administrator 8.5 Help for more information about adding multiple passwords to an ID file.

The Oucert.id file name


Selecting the option to create an OU for servers creates a file named Oucert.id. The name can be changed from within the operating system after the first server has been configured.
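
To confirm that certifier ID files have been moved off a server as recommended above, the following check walks a data directory and reports the ID files still in it. It is an added example, not part of the course material or of Lotus Domino; the function names and the exit codes are assumptions of this sketch.

```python
import os
import sys

# Default certifier ID file names given on this page. Windows file names are
# case-insensitive, so names are compared in lower case.
DEFAULT_CERTIFIER_IDS = {"cert.id", "oucert.id"}


def audit_id_files(data_dir):
    """Classify every *.id file under a Domino data directory.

    'certifier' holds files that still carry a default certifier name.
    'review' holds every other ID file: server and administrator IDs
    normally live here, but Oucert.id can be renamed at the operating
    system, so a name match alone cannot clear these files.
    """
    findings = {"certifier": [], "review": []}
    for root, _dirs, files in os.walk(data_dir):
        for name in files:
            if not name.lower().endswith(".id"):
                continue
            relative = os.path.relpath(os.path.join(root, name), data_dir)
            kind = "certifier" if name.lower() in DEFAULT_CERTIFIER_IDS else "review"
            findings[kind].append(relative)
    for paths in findings.values():
        paths.sort()
    return findings


def main(argv):
    """Print the findings; return 1 if a default-named certifier ID remains."""
    if len(argv) != 2:
        print("usage: audit_id_files.py <Domino data directory>")
        return 2
    findings = audit_id_files(argv[1])
    for path in findings["certifier"]:
        print(f"MOVE TO SECURE STORAGE: {path}")
    for path in findings["review"]:
        print(f"review (may be a renamed certifier): {path}")
    return 1 if findings["certifier"] else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```
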

Server-based certification authority basics


The server-based Certification Authority (CA) allows selected administrators to perform registration tasks without access to a certifier ID file and password. This enables registration of IBM Lotus Notes users from a Web browser, using the Lotus Domino Web Administrator client, as well as from the Lotus Domino Administrator client. For more information about the server-based CA, refer to the Lotus Domino Administrator 8.5 Help.
Note: Worldwide Corporation will distribute certifier ID files instead of using the server-based CA for registration of Lotus Notes users.

See Additional Instructor Notes

Authentication Between Organizations


If Worldwide Corporation merges with another company, for example, Acme Corporation, the Lotus Notes and Lotus Domino infrastructures would not be able to communicate without administrative intervention. Administrators can perform a technique called cross-certification to establish trust between the two Domino organizations. Refer to the Lotus Domino Administrator 8.5 Help for more information about cross-certification.


Country Codes
In an international organization, using country codes requires creating multiple organization certifiers (one for each country code). For example, if Worldwide Corporation chose to use country codes for branches in the U.S., Great Britain, and Brazil, there would be three organizations:
/WWCorp/US
/WWCorp/GB
/WWCorp/BR

Describe the classroom implementation. Remind students that Worldwide Corporation has chosen to indicate regions, rather than countries, in OU names and not to use country codes.

A country code does not replace the organization component, but rather is an additional, higher-level component in a hierarchical name. The organization is the grandparent, while the country code is the great-grandparent.

Country codes and hierarchical naming


The country code's position, furthest to the right in the hierarchical name, makes it the highest-level component of the hierarchy. Each certifier that uses a country code is a separate hierarchy, even if the organization name is the same.

Users and servers in different hierarchies cannot automatically authenticate. They must be cross-certified. An administrator must cross-certify the organizations with country codes, requiring additional administrative work.

For example, users and servers under /WWCorp/US and /WWCorp/GB cannot automatically authenticate because they are separate hierarchies.

Recommendations for accommodating regions using organizational units


Use the following guidelines for deciding on organizational units:

Using country codes increases administrative work. As an alternative to using country codes, use the first OU level to designate the country, for example, /US/WWCorp.
Use the second OU level for region or department names to further distinguish users, for example:
    /East/GB/WWCorp
    /ISS/GB/WWCorp

A hierarchical name can be comprised of up to four organizational units. However, in general, do not use more than three organizational units.
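
The naming rules above (OU character set and length, the limit on OU levels, and the effect of a country code on which names share a hierarchy) can be checked before IDs are registered. The following is an added example, not part of the course material or of Lotus Domino; the function names and the caller-supplied country_codes set are assumptions of this sketch, and it compares names only, not certificates.

```python
import re
from dataclasses import dataclass

# Rules stated on this page: an OU name is at most 32 characters drawn from
# A-Z, 0-9, ampersand, dash, period, space and underscore, and a hierarchical
# name holds at most four OUs (three recommended). Lower-case letters are
# accepted because the page's own OUs (/East, /West) use them.
OU_RULE = re.compile(r"[A-Za-z0-9&\-. _]{1,32}")
MAX_OUS, RECOMMENDED_OUS = 4, 3


@dataclass(frozen=True)
class HierarchicalName:
    common_name: str      # empty for a certifier such as /SVR/WWCorp
    org_units: tuple      # closest to the common name first
    organization: str
    country: str = ""     # empty when no country code is used

    @property
    def hierarchy(self):
        """(organization, country): names sharing it descend from one certifier."""
        return (self.organization, self.country)


def parse_name(name, country_codes=frozenset()):
    """Split an abbreviated name such as 'Admin East01/East/WWCorp'.

    country_codes is the caller's set of upper-case codes in use (an
    assumption of this example); without it, a trailing 'GB' cannot be told
    apart from an organization that happens to be called GB.
    """
    text = name.strip()
    parts = [p.strip() for p in text.strip("/").split("/")]
    if not all(parts):
        raise ValueError(f"empty component in {name!r}")
    common = "" if text.startswith("/") else parts.pop(0)
    country = ""
    if len(parts) >= 2 and parts[-1].upper() in country_codes:
        country = parts.pop().upper()
    if not parts:
        raise ValueError(f"no organization component in {name!r}")
    organization = parts.pop()
    return HierarchicalName(common, tuple(parts), organization, country)


def check_name(parsed):
    """Return (errors, warnings) for the OU rules quoted above."""
    errors, warnings = [], []
    for ou in parsed.org_units:
        if not OU_RULE.fullmatch(ou):
            errors.append(f"OU {ou!r}: over 32 characters or disallowed character")
        elif " " in ou:
            warnings.append(f"OU {ou!r}: spaces are allowed but not recommended")
    count = len(parsed.org_units)
    if count > MAX_OUS:
        errors.append(f"{count} OUs: at most {MAX_OUS} are possible")
    elif count > RECOMMENDED_OUS:
        warnings.append(f"{count} OUs: {RECOMMENDED_OUS} or fewer recommended")
    return errors, warnings


def needs_cross_certification(a, b):
    """True when two names sit in different hierarchies and so cannot
    authenticate automatically. This compares names only; real trust is
    decided by the certificates in the ID files."""
    return a.hierarchy != b.hierarchy


if __name__ == "__main__":
    codes = {"US", "GB", "BR"}   # constructed sample set
    samples = [                  # names taken from the page's examples
        ("Marcus Frank/East/WWCorp", "West02/SVR/WWCorp"),
        ("/WWCorp/US", "/WWCorp/GB"),
        ("/East/GB/WWCorp", "/SVR/WWCorp"),
    ]
    for left, right in samples:
        a, b = parse_name(left, codes), parse_name(right, codes)
        verdict = "cross-certify" if needs_cross_certification(a, b) else "same hierarchy"
        print(f"{left} <-> {right}: {verdict}")
```
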


Server Audience Types



The audience selected during server setup determines the server tasks that will run on the Lotus Domino server to accommodate the type of users who will access the server. The following table describes the types of server audiences.

Server audience: Web browsers
Description: For Web browsers, such as Microsoft Internet Explorer, Mozilla Firefox, and Netscape Navigator, to access data on the server.

Server audience: Internet mail packages
Description: For Internet mail clients using the following protocols to access mail on the server:
POP3 (Post Office Protocol 3)
IMAP (Internet Message Access Protocol)
SMTP (Simple Mail Transfer Protocol)

Server audience: Directory Services
Description: For clients using LDAP (Lightweight Directory Access Protocol). The LDAP task starts automatically on the administration server of the Domino Directory.

Selecting Internet protocols during setup


For convenience, the server setup program offers the ability to select Internet protocols that will load automatically during server startup. These can be configured later if not selected during server setup.

The Lotus Domino Server Log


Every Lotus Domino server has a Domino Server Log (Log.nsf) that reports all server activity and provides detailed information about databases and users on the server. The server log file:
Can be configured to report the desired level of detail about server activity.
Is created automatically when a server is started for the first time.


Administrator Group Security Options


The server setup program contains options for adding entries to ACLs.
The Prohibit anonymous access option adds an ACL entry called Anonymous to all databases, and gives it the No Access ACL setting.
The LocalDomainAdmins option creates a group that gives some or all administrators Manager access to all databases. This is accomplished as follows:
    A group named LocalDomainAdmins is created in the Domino Directory and is given Manager access to all databases created on the server.
    The first server's administrator is added to LocalDomainAdmins during first server setup.
    Other administrators can be added to the group later.

Procedure Reference: Launching and configuring the first server

Follow these steps to configure the first server.

Demonstrate this procedure using the values and information included in the procedure reference.

1. Start the Domino server to run the Server setup program. From Windows, click Start > All Programs > Lotus Applications > Lotus Domino Server.
Note: Options for accessing the Domino Server Setup program vary by platform, and are covered in the appropriate installation guide.

2. On the Welcome screen, click Next.

3. Verify that Set up the first server or a stand-alone server is selected, and click Next.

4. On the Provide a server name and title screen:

- Enter the Server name. For classroom purposes, Hub should be used for this value.
- (Optional) Enter the Server title. For example, you could enter a description of the server's purpose.
- (Optional) Select I want to use an existing server ID file to use a server ID file from a previous installation. After this check box is selected, you can use the Browse button to navigate to and access the server ID file to use.
- Click Next.

5. On the Choose your organization name screen:

- For Organization name, enter the organization name. For classroom purposes, WWCorp should be used for this value.
- For Organization Certifier password, enter the password for the organization's certifier ID file. For classroom purposes, passw0rd should be used for this value.
- For Confirm password, enter the same password.
- (Optional) Select I want to use an existing certifier ID file to use an organization certifier ID file from a previous installation.
- Click Customize to access the Advanced Organization Settings dialog box.
  - For Organizational Unit name, enter the name of the organizational unit that will hold the server. For classroom purposes, SVR should be used for this value.
  - For Org. Unit Certifier password, enter the password for the organizational unit's certifier ID file. For classroom purposes, passw0rd should be used for this value.
  - For Confirm password, enter the same password.
  - (Optional) Select I want to use an existing organizational unit certifier ID file to use an organizational unit certifier ID file from a previous installation.
  - (Optional) Select a country code.
  - Click OK.
- Click Next.

Step 5: Point out the following information about the organizational unit (OU) certifier ID file:
- The file name of this OU certifier ID file is always oucert.id. The file name can be changed at the operating system later, if needed.
- The resulting screen provides examples of a server's final name and a user's final name. The user example is Administrator/SVR/WWCorp. Tell students that they will create different OUs for the users, and that the /SVR/WWCorp OU will be for servers only. The first Administrative user will be certified at the organization level, and will not be in an OU.

6. For Domino domain name, enter the domain name, and click Next. For classroom purposes, WWCorp should be used for this value.

7. On the Specify an Administrator name and password screen:

- Enter the first and last names of the administrator. For classroom purposes, Doctor Notes should be used for this value.
- Enter the administrator's password and confirm the password. For classroom purposes, passw0rd should be used for this value.
- (Optional) Select Also save a local copy of the ID file.
- (Optional) Select I want to use an existing Administrator ID file to use an administrator ID file from a previous installation.
- Click Next.

Step 7: Select Also save a local copy of the ID file, and tell students that this is just one method for backing up ID files.

8. Select the appropriate Internet service types, or click Customize to select individual services. Click OK, and then click Next.

Step 8: Clear the Directory Services (LDAP services) check box, and click Customize. Clear the DOLS Domino Off Line Services check box to prevent an error that appears when switching to a user ID that does not have access to doladmin.nsf. Select SMTP Server, and explain that servers should run only the tasks that will be used.

9. On the Domino Network settings screen, click Customize to access the Advanced Network Settings dialog box.

- Clear network ports that will not be used with this Lotus Domino server. For classroom purposes, only the TCPIP port should be used.
- For each port Lotus Domino will use:
  - Select Encrypt if all network data sent by the server should be encrypted to render the data unreadable to someone with a network sniffer.
  - Select Compress if all network data sent by the server should be compressed to improve performance in a saturated or low-bandwidth network.
- Enter the fully qualified Internet host name. For classroom purposes, hub.wwcorp.com should be used for this value.
- Click OK, and then click Next.

Step 9: Point out the Encrypt and Compress options.

10. On the Secure your Domino Server screen, leave both check boxes selected, and click Next.

11. Review the setup options, and click Setup.

12. When setup is complete, click Finish.

13. Start the Domino server. From Windows, click Start > All Programs > Lotus Applications > Lotus Domino Server.

14. In the Lotus Domino Server dialog box, select Start Domino as a regular application, select Don't ask me again, and click OK.

Step 14: Verify that the server launches properly before moving to the next section.


Topic E: Configuring the First Workstation

The Client Configuration Program

After the IBM Lotus Notes client software has been installed, a user runs the IBM Lotus Notes 8.5 Client Configuration program to configure it appropriately. This program configures the workstation and connects it to the Lotus Domino intranet. The program will:

- Connect to the specified server, which must contain a Person document for the user.
- Download the ID file if the file is stored in the user's Person document.
- Create the user's local Contacts file.
- Configure bookmarks for the user's mail and Contacts files, and other databases specified in setup settings of policies.
- Create documents in the Contacts file.

Procedure Reference: Configuring the first workstation

Follow these steps to configure a Lotus Notes workstation.

Demonstrate this procedure using the instructor's workstation.

1. Start any installed client, such as IBM Lotus Domino Administrator, to start the Client Configuration program. From Microsoft Windows, click Start > All Programs > Lotus Applications > Lotus Domino Administrator 8.5.

2. On the Welcome screen, click Next.

3. On the User Information screen:

- In the Your name field, enter the name of the user created during the first server setup. For classroom purposes, Doctor Notes should be used for this value.
- In the Domino Server field, enter the hierarchical name of the first server. For classroom purposes, Hub/SVR/WWCorp should be used for this value.
- Verify that I want to connect to a Domino server is selected.
- Click Next.

4. Enter the password for the user, and click Log In. For classroom purposes, passw0rd should be used for this value.

5. On the Instant Messaging Setup screen, clear the Setup instant messaging check box, and click Next.

6. (Optional) Select Internet clients and proxy servers as required, and click Next.

7. When setup is complete, click OK.

8. When the Domino Administrator client starts, it displays the Welcome page. To close this page, click the X on the page tab.


Topic F: Assigning Roles to Administrators and Servers


Access in the Domino Directory
Having Manager access to the IBM Lotus Domino Directory's ACL enables editing the ACL. To create and edit documents in the Domino Directory, the administrator must also be assigned the appropriate ACL role(s). Worldwide Corporation will assign all ACL roles to the administrators and to servers.

The Special Privilege of the LocalDomainAdmins Group


During first server setup, we chose to add the group LocalDomainAdmins and assign it Manager access in the ACL of every database. This allows any administrator listed in LocalDomainAdmins to change the ACL of any database, including the Domino Directory.

Privileges the LocalDomainAdmins Group Lacks


The LocalDomainAdmins entry is not automatically assigned any roles. The roles in the Domino Directory specify who can create and edit documents. Without the roles, an administrator cannot perform any registration tasks, because the registration program creates documents. Managers can edit the ACL, so members of LocalDomainAdmins could assign the appropriate ACL roles to themselves.

Display the ACL of the Domino Directory, and ask students the following question. Would people in LocalDomainAdmins be able to edit the ACL to assign themselves roles? Answer: Yes. Manager access means the user, group, or server can edit the ACL.

Procedure Reference: Assigning roles to administrators and servers

Follow these steps to assign roles in the ACL of the Domino Directory.

Demonstrate this procedure using the instructor's workstation.

1. If necessary, open Domino Administrator.

2. Click the Files tab.

3. Right-click names.nsf, and click Access Control > Manage.

4. Select LocalDomainAdmins, and select the appropriate roles. For classroom purposes, all roles should be assigned to LocalDomainAdmins.

5. Select LocalDomainServers, and select the appropriate roles. For classroom purposes, all roles should be assigned to LocalDomainServers.

6. Click OK to save the ACL changes.


Lesson Summary
In this lesson, you created the initial server and workstation in the domain and expanded the organization to include organizational units.

Checklist: Building the Lotus Domino Environment

The bolded tasks from the Implementation Checklist were completed in this lesson.

Review the items completed in this lesson.

Task  Procedure
1  Set up the first server.
2  Add an administrator's workstation.
3  Set up access to the Domino Directory.
4  Add Lotus Domino servers.
5  Add organizational units.
6  Register administrators.
7  Add Lotus Notes clients.
8  Create user groups.
9  Create organizational policy.
10  Register users.
11  Set administration preferences.
12  Set up access to servers.
13  Set up server logging.
14  Synchronize Lotus Domino system databases throughout the domain.
15  Route mail internally.
16  Route mail to the Internet.
17  Set mail controls.
18  Test mail routing and delivery.


Adding IBM Lotus Domino Servers


Topic A: Registering Servers
Topic B: Configuring and Starting Additional IBM Lotus Domino Servers

Lesson 2 Adding IBM Lotus Domino Servers

Introduction
Worldwide Corporation has planned for mail and utility servers. They will use the organizational unit certifiers and the IBM Lotus Domino Directory to expand the organization hierarchy in order to add servers to the Lotus Domino intranet. After completing this lesson, you should be able to:

- Register servers.
- Configure and start an additional Lotus Domino server.

Implementation Checklist

Review the checklist. At the end of this lesson, the following implementation checklist item will be complete: Add Lotus Domino servers.


Topic A: Registering Servers


The Server Registration Process
Administrators register additional servers using an existing server and workstation. The server registration process creates:

- A Server document in the IBM Lotus Domino Directory.
- An ID file stored as one or both of the following:
  - An attachment in the Server document.
  - A file at the operating system level.

Domino Directory Access for Registering Servers


To register servers, an administrator must have the appropriate access to the Domino Directory, including the following in the ACL:

- Author access or higher
- The Create documents privilege
- The ServerCreator role

In addition, the administrator must have access to the certifier ID file and password or be a registration authority for a certifier migrated to use the Server-based Certification Authority (CA).
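The ACL conditions listed above, together with the earlier point that LocalDomainAdmins holds Manager access but no roles, can be checked with a small audit model. This is an added example, not code from the course or from IBM; the RegistrationTeam and HelpDesk entries, all function names, and the rule that Editor and above always create documents are assumptions of the model.

```python
from __future__ import annotations

from dataclasses import dataclass, field

# Domino ACL access levels, lowest to highest.
LEVELS = ["No Access", "Depositor", "Reader", "Author", "Editor", "Designer", "Manager"]


@dataclass
class AclEntry:
    name: str                       # user, server or group listed in the ACL
    level: str                      # one of LEVELS
    create_documents: bool = False  # optional privilege, relevant at Author level
    roles: set[str] = field(default_factory=set)


def rank(level: str) -> int:
    return LEVELS.index(level)


def can_edit_acl(entry: AclEntry) -> bool:
    """Manager access is what allows an entry to edit the ACL."""
    return entry.level == "Manager"


def can_register_servers(entry: AclEntry) -> bool:
    """ACL side of server registration: Author or higher, Create documents,
    and the ServerCreator role. Access to the certifier ID and its password
    is a separate requirement that this model does not cover."""
    # Model assumption: Editor and above can always create documents.
    creates = entry.create_documents or rank(entry.level) >= rank("Editor")
    return (rank(entry.level) >= rank("Author")
            and creates
            and "ServerCreator" in entry.roles)


def assign_roles(acl: list[AclEntry], actor: str, target: str, roles: set[str]) -> None:
    """Apply a role change only if the actor's own entry may edit the ACL."""
    by_name = {e.name: e for e in acl}
    if not can_edit_acl(by_name[actor]):
        raise PermissionError(f"{actor} cannot edit the ACL")
    by_name[target].roles |= set(roles)


def audit(acl: list[AclEntry]) -> dict[str, list[str]]:
    """Classify every entry by what it can do about server registration."""
    report = {"can_register": [], "can_self_grant": [], "cannot_register": [], "warnings": []}
    for e in acl:
        if can_register_servers(e):
            report["can_register"].append(e.name)
        elif can_edit_acl(e):
            # Lacks the role today, but is one ACL edit away from having it.
            report["can_self_grant"].append(e.name)
        else:
            report["cannot_register"].append(e.name)
    anon = next((e for e in acl if e.name == "Anonymous"), None)
    if anon is None or anon.level != "No Access":
        report["warnings"].append("Anonymous is not explicitly set to No Access")
    return report


def sample_acl() -> list[AclEntry]:
    """Constructed ACL. Anonymous and LocalDomainAdmins follow the text;
    RegistrationTeam and HelpDesk are hypothetical entries for contrast."""
    return [
        AclEntry("Anonymous", "No Access"),
        AclEntry("LocalDomainAdmins", "Manager"),
        AclEntry("RegistrationTeam", "Author", create_documents=True,
                 roles={"ServerCreator"}),
        AclEntry("HelpDesk", "Author", create_documents=True),
    ]


if __name__ == "__main__":
    acl = sample_acl()
    print("after first server setup:", audit(acl))
    assign_roles(acl, "LocalDomainAdmins", "LocalDomainAdmins", {"ServerCreator"})
    print("after roles are assigned:", audit(acl))
```

When reviewing a real ACL, the can_self_grant bucket is the one to watch: those entries hold no registration role yet, but their Manager access means the roles are not an independent control.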

Need for Selecting a Registration Server


Whenever registering a certifier, server, or user, select a Lotus Domino server for the registration server. Lotus Domino creates the appropriate document in the Domino Directory on the registration server first. Then, Lotus Domino replication distributes changes to replicas of the Domino Directory on other servers in the domain.
Caution: Do not leave the Registration server as Local. Always select an appropriate registration server. If the server name is left as Local, the registration program creates the document in the client's Contacts file. If this happens, there are two solutions:

- Copy the document from the Contacts file, and paste it to the appropriate view in the Domino Directory.
- Or, simply repeat the registration.


Server ID File Storage Options

The server registration program allows a choice of locations for the server ID file. Consider the following factors:

- Storing the ID file in the Domino Directory of an existing server:
  - Allows the new server to detach the ID file from the Server document of the existing server's Domino Directory.
  - Requires a password for the attached server ID. The result is that after the server is configured, it cannot be restarted from the Domino Administrator remotely, because the password prompt displays on the server machine.
- Storing the ID file in the file system requires that the additional server machine has access to the ID file locally or on the network.

Review the Servers by Location and Server Naming Examples in the deployment plan. Explain that the first server, Hub/SVR/WWCorp, was set up in a previous lesson and the student servers will be configured next.

The following figure illustrates the classroom implementation.

Classroom Server Implementation

Figure 2-1: Classroom implementation


Activity 2-1: Register the Classroom Servers


Step 7: Students use the instructor workstation to register their servers as additional servers using the /SVR/WWCorp certifier ID and the preceding figure (to determine which server name to register).
ILO: If you are presenting this course online, you will need to coordinate each student's remote login into the instructor workstation.
Step 7: Explain the importance of the Server administrator name field and the reason for using LocalDomainAdmins:
- The name entered in the Server administrator name field goes in the Server document > Security tab > Administrators field. This field allows the user or group certain privileges that will be covered later in this course.
- Students enter LocalDomainAdmins because the administrative user accounts have not yet been registered. An alternative would be to register an administrative user before server setup and specify that user in the field.
Step 10: Have the last student to register a server complete step 10.

Scenario
Each Worldwide administrator is responsible for registering his or her server prior to configuring it. The server will be under the /SVR/WWCorp organizational unit structure. To complete this activity:

- Prepare the registration server. Your instructor will perform this part of the activity.
- Register the servers.

Follow these steps to register the classroom servers.

Step  Action

Instructor steps: Prepare the registration server

1. In Domino Administrator, select Hub/SVR/WWCorp to administer.

2. Click the Configuration tab.

3. In the Tools pane, click Registration > Server.

4. In the Choose a Certifier dialog box:

- Click Server, select Hub/SVR/WWCorp as the Registration Server, and click OK.
- Click Certifier ID, navigate to the Domino\Data subdirectory on Hub, select oucert.id, and click Open.
- Click OK.

5. Enter passw0rd as the certifier password, and click OK.

6. Select the appropriate Public key specification, and then click Continue.

Register the servers

7. In the Basics panel, enter the following information.

- Enter the assigned server name; for example: East01, East02, East03, West01, West02, West03.
- For Domino domain name, verify that WWCorp is displayed.
- For Server administrator name, type LocalDomainAdmins
- Click Password Options. Verify that Password Quality Scale is set to Weak and that Password is optional (0) is displayed. This provides the ability to remove the password. Click OK.
- Enter passw0rd for the password.
- For Location for storing server ID, select:
  - In Domino directory
  - In file

8. Click [button icon] to add your server to the queue.

9. Highlight the entry for your server in the queue at the bottom, and click Register.
Result: Observe the Domino Administrator status bar for the success message.

10. When all servers are registered, click Done.

Topic B: Configuring and Starting Additional IBM Lotus Domino Servers

The Standard Directory Structure

The following figure shows full IBM Lotus Domino Directories on every server. The arrows represent replication. All servers store and replicate all Domino Directory document types.

Figure 2-2: Example of the standard directory structure

Introduce the standard directory structure. To help students understand the central directory structure, it is helpful to describe the default Domino Directory structure. The red areas (top) represent user and group information, while blue areas (bottom) represent configuration records. Use this slide to show how the default structure uses large amounts of disk space and considerable resources for replication.


The Central Directory Structure


In a central directory structure, the Domino Directory on a server can be a:

- Primary Domino Directory, which stores all documents.
- Administration Domino Directory, which stores all documents and is an administration server.
- Configuration Domino Directory, which stores only the documents needed for basic server operation.

For example, a Configuration Directory server does not store Person or Group documents. In a large domain, this option saves disk space and decreases replication work significantly. In the following figure, the servers in the center store and replicate all types of Domino Directory documents, so they have full Domino Directories. The servers at the top and bottom have Configuration Domino Directories.

Figure 2-3: Example of the central directory structure

Describe the central directory structure, and contrast the previous diagram to the one shown here, describing how the elements interact. Point out the significant disk space savings and reduced replication volume.

Open a Server document and navigate to the Server Properties > Basics tab > Directory Information section. Use the fields to describe the Central Directory implementation.

Make a local replica of WWCorp's Directory. Change the file name to wwcnames.nsf. Open the new local copy of WWCorp's Directory. Click File > Replication > Options for this Application. Show the Space Savers options for selective replication. Then, show the Configuration Documents only option described on the student page. Optionally, you can also show the selective replication options on the Advanced panel.

How does a server become a Configuration Directory server?

An administrator can specify a Configuration Directory for a server before or after server setup. The methods are:

- During server setup, by selecting the Configuration Directory option.
- After setup, by selecting the Domino Directory's Replication Settings > Space Savers panel, and clicking Include > Configuration documents only.


Replicating a Subset of Documents in the Domino Directory


By default, each replica of the Domino Directory stores all documents. Changes to any type of document in one replica usually need to replicate to each other replica. If a server needs only a subset of documents, an administrator can select the subset by editing the replication settings for the Domino Directory.

Server Setup Profiles

Administrators performing large enterprise deployments can use the record and playback options to create and use server setup profiles for future server setups. For example, administrators can record the options selected for a particular type of server and play this back to set up many servers of this type.
Note: See the following Lotus Domino Administrator 8.5 Help documents for more information:
- Creating a server setup profile
- Using a server setup profile

Clearing the Server ID Password

If an additional server's ID was created with a password, an administrator can clear the password after setup, if needed. Clearing the server ID password requires local access to the ID file. Two different dialog boxes contain an option to clear a password. The dialog boxes can be invoked either:

- With the Domino Administrator client, by clicking Configuration > Certification > ID Properties, and then locating and selecting the server ID.
- Without the Domino Administrator, by starting Nlnotes.exe from the program directory of a Domino server machine installed on a Microsoft Windows platform. Nlnotes.exe starts an IBM Lotus Notes client from which an administrator can click File > Security > User Security to remove the password from the server ID.

Tell students not to clear the password. Unless there is a reason to remove passwords now, allow them to remain on the server IDs. This will emphasize a point made later when students need to enter the password on the server machine when restarting the server remotely from the Domino Administrator.


Other uses for Nlnotes


Nlnotes can also be useful when local access to a server's data directory is needed but a Domino Administrator client is not installed on the Windows machine.
Caution: Nlnotes should be used with extreme caution because it defaults to:

- Non-secure access to the server's data directory.
- Use of the server ID as a user ID.

Mention that Nlnotes can also be used to gain local access to databases to bypass security, if needed. Emphasize the caution note, and point out that local access can mean no access control or no authentication.


Activity 2-2: Configure and Start an Additional Lotus Domino Server

Step 6: Mention that students clear the DOLS Domino Off Line Services check box for two reasons:
- To minimize the number of unneeded tasks and databases (DOLS is not used in this course).
- To prevent an error that appears when switching to a user ID that does not have access to Doladmin.nsf.
Step 7: Advise students if network settings need to be changed. In particular, ensure that students:
- Clear the check boxes for any ports that will not be used in class. For many environments, Lotus Domino will need only the TCPIP port.
- Change the host name, if required.
Step 9: Provide students with the IP address of the Hub server.

Scenario
Each Worldwide administrator is responsible for configuring and starting the Domino server that he or she will administer. To complete this activity, run the Server setup program and include the specifications for your assigned classroom server.

Follow these steps to configure and start a Lotus Domino server.

Step  Action

1. Launch the Lotus Domino server to run the setup program. From Windows, click Start > All Programs > Lotus Applications > Lotus Domino Server.

2. On the Welcome screen, click Next.

3. Select Set up an additional server, and click Next.

4. Select The server ID file is stored in the Domino Directory, and click Next.

5. Enter the hierarchical name of your assigned server, for example East01/SVR/WWCorp, and click Next.

6. For Setup Internet services for, clear Directory services (LDAP services). Click Customize, clear DOLS Domino Off Line Services, and select SMTP Server. Click OK and click Next.

7. Click Customize, and clear all check boxes except TCP/IP. Type your fully qualified server name (i.e. east01.wwcorp.com), click OK, and click Next.

8. For Other Domino server name, type Hub/SVR/WWCorp

9. For Optional network address, enter the IP address for the Hub server, and click Next.

10. Verify that Set up as a primary Domino Directory (Recommended) is selected, and click Next.

11. Leave the default security options selected, and click Next.

12. Review the setup options, and click Setup.

13. When prompted, enter passw0rd for the password.

14. When setup is complete, click Finish.

15. Launch the Lotus Domino server. From Windows, click Start > All Programs > Lotus Applications > Lotus Domino Server.

16. In the Lotus Domino Server dialog box, select Start Domino as a regular application, select Don't ask me again, and then click OK.

17. In the Lotus Domino Server window, if you are prompted for the server ID password, type passw0rd and press Enter.

Before moving to the next section, verify that all student servers launched properly.


Lesson Summary
In this lesson, you completed a very significant task by adding Lotus Domino servers.

Checklist: Building the Lotus Domino Environment

The bolded task in the Implementation Checklist was completed in this lesson.

Task  Procedure
1  Set up the first server.
2  Add an administrator's workstation.
3  Set up access to the Domino Directory.
4  Add Lotus Domino servers.
5  Add organizational units.
6  Register administrators.
7  Add Lotus Notes clients.
8  Create user groups.
9  Create organizational policy.
10  Register users.
11  Set administration preferences.
12  Set up access to servers.
13  Set up server logging.
14  Synchronize Lotus Domino system databases throughout the domain.
15  Route mail internally.
16  Route mail to the Internet.
17  Set mail controls.
18  Test mail routing and delivery.


Adding IBM Lotus Notes Clients


Topic A: Creating an Organizational Unit Certifier
Topic B: Registering New Administrators
Topic C: Registering Users from a File
Topic D: Replicating Server Document Changes
Topic E: Setting Up an Administrator Workstation
Topic F: Verifying the IBM Lotus Domino Installation
Topic G: Creating Replicas on Multiple Servers

Lesson 3 Adding IBM Lotus Notes Clients

Introduction
Worldwide Corporation needs workstations to administer the servers. In this lesson, you will use the organizational unit certifiers, /East/WWCorp and /West/WWCorp, and Domino Directory to add more users to the IBM Lotus Domino intranet. After completing this lesson, you should be able to:

- Create an organizational unit certifier.
- Register new administrators.
- Register users from a text file.
- Replicate Server Document changes.
- Set up an administrator workstation.
- Use Lotus Domino Administrator to verify the Domino implementation.
- Create replicas on multiple servers.

Implementation Checklist

Review the checklist items for adding workstations. At the end of this lesson, the following Implementation Checklist items will be complete:

- Add organizational units.
- Register administrators.
- Add Lotus Notes clients.

Complete the setup tasks for this lesson.

Topic A: Creating an Organizational Unit Certifier

The Certifier Registration Process

Worldwide created the /SVR/WWCorp organizational unit certifier during the first server setup. Worldwide now needs the organizational unit certifiers for the East and West regions to register users according to the deployment plan. The certifier registration process creates a document for the organizational unit certifier in the Domino Directory. Certifier registration results in the following:

- A Certifier document in the Domino Directory. The Certifier document contains the certified public key. During authentication, the key is compared with the key in an ID file.
- A certifier ID file for certifying descendants of this organizational unit.

Review certifier registration by asking the following questions:
- What certifier ID is always created during the first server setup? Answer: The organization certifier ID. For Worldwide, this is /WWCorp.
- What additional certifier ID did Worldwide Corporation choose to create? Answer: The /SVR/WWCorp OU certifier, which will certify all servers.
- What are the next certifier IDs Worldwide will create? Answer: The /East/WWCorp and /West/WWCorp organizational unit certifiers. These will be used to certify users in either the East OU or the West OU.


The Certification Log

A server used for registering and managing users should have a database called the Certification Log. The file name must be Certlog.nsf. The Certification Log (Certlog.nsf) maintains a record of each use of a certifier to register a user, or another certifier. The information includes:

- Name, license type, and ID number for the registered user, server, or certifier.
- Date of certification and expiration.
- Name, license type, and ID number of the certifier ID used to certify the new ID.

Note: Use one Certification Log for the organization. First server setup automatically creates the Certification Log on the first server. Create a replica of the Certification Log on each additional server that will be used to register and manage users. The file name of each replica must also be Certlog.nsf.

Tell students they will have a replica of the Certification Log later, so they can register and manage users on their own servers.

Open the Certification Log on the first server to display the views. Show the documents that recorded the certification of the OUs created so far.

Administrator Access to Register OU Certifiers

Only those administrators who meet the requirements can register organizational units. As with registering servers and users, an administrator needs:

- The appropriate access to the Domino Directory, including Author access or higher, and the Create documents privilege. Roles are not required.
- One of the following:
  - Access to a certifier ID file and password.
  - Registration authority for a certifier migrated to use the server-based certification authority.

Need for Selecting a Registration Server

Select a registration server when registering a certifier or other Lotus Domino resource. Lotus Domino creates the appropriate document in the Domino Directory on the registration server first. Then, Domino replication distributes changes to replicas of the Domino Directory on other servers in the domain. If the registration server field is set to Local, the document will be created in the client's Contacts file. Therefore, the server will not be able to use the document.


Copyright IBM Corporation 2009.



Lesson 3 Adding IBM Lotus Notes Clients

Procedure Reference: Creating an organizational unit certifier

After identifying the parent certifier, follow these steps to create the organizational unit certifier.

Invite two students to use the instructor's workstation to demonstrate creating the organizational unit certifiers for the East and West regions. ILO: You will need to coordinate students' remote logins to the instructor client.

1. In Domino Administrator, select the server to administer. For classroom purposes, Hub/SVR/WWCorp should be used.
2. Click the Configuration tab.
3. In the Tools pane, click Registration → Organizational Unit.
4. In the Choose a Certifier dialog box:
   a. Click Server, and select the appropriate server. For classroom purposes, Hub/SVR/WWCorp should be used.
   b. Verify that Supply certifier ID and password is selected.
   c. Click Certifier ID, select a certifier ID file, and click Open. For classroom purposes, cert.id should be used.
   d. Click OK.
5. Enter the certifier ID password, and click OK. For classroom purposes, passw0rd should be used.
6. In the Register Organizational Unit Certifier dialog box:
   a. Click Registration Server, select a server, and click OK. For classroom purposes, Hub/SVR/WWCorp should be used.
   b. Enter the organizational unit name. For classroom purposes, East and West should be used.
   c. Enter a certifier password. For classroom purposes, passw0rd should be used.
   d. Click Password Options, select a Password quality, and click OK. For classroom purposes, Weak should be used.
   e. Click Set ID File, enter the new ID file name, and click Save. For classroom purposes, east.id and west.id should be used and should be stored in the Notes\data subdirectory.
   f. Select a Public key specification.
   g. Enter the name of an administrator or group of administrators to receive certification requests. For classroom purposes, LocalDomainAdmins should be used.
   h. Click Register.
7. Click OK.

Show the new Certificate documents in the Domino Directory.

Ask the following questions to review material from the IBM Lotus Domino 8.5 System Administration Operating Fundamentals course.

What is a mail server? Answer: A server where users' mail files reside.
What is a mail hub? Answer: A server through which other servers route mail. Typically the mail hub is the gateway to another Notes Named Network or another domain.

Topic B: Registering New Administrators


User Registration Options
The first server setup program creates an administrative user automatically. All other IBM Lotus Notes users must be registered before they can set up their Lotus Notes workstations. Before registration, determine the mail server on which to store each user's mail file.

Sample servers and mail files for administrators

The following figure represents classroom servers and the mail files for administrators.

Figure 3-1: Mail servers for each administrator


Mail Servers for Each Administrator

Use the diagram to clarify administrator names and mail servers. For example, Admin East01's mail server is East01/SVR/WWCorp.

Administrator Access to Register Users


Only those administrators who meet the requirements can register users. Administrators must have:

- Access to the certifier ID file and password.
- The appropriate access to the Domino Directory, including Author access or higher, the Create documents privilege, and the UserCreator role.

Display the User registration dialog box, and click Advanced. Point out the user registration options.

The License Tracking Database


An administrator may also choose to monitor the number of active users within an IBM Lotus Domino domain. The License Tracking database serves this purpose. For more information, refer to the Lotus Domino Administrator 8.5 Help document titled License Tracking.

Internet Password Options


Set internet password is the Internet password option available when registering users. It puts an Internet password in the Internet Password field of the Person document. Lotus Domino 8.5 offers an assortment of security enhancements that apply to various Internet protocols.

Security enhancement: Certificate revocation checking via Online Certificate Status Protocol (OCSP)
Description:
- OCSP determines the revocation state of an X.509 certificate.
- OCSP provides more timely information than Certificate Revocation Lists (CRLs); no CRL cache is required.
- Enhances security for S/MIME signature verification, S/MIME encrypted sender verification, and SSL certificate verification.
- Enables OCSP client support, not an OCSP responder.
- Third-party OCSP responders can be configured to return information from CRLs issued by the Domino CA.
- OCSP must be enabled to be used. A security policy exists for the Lotus Notes 8.5 client as well as various notes.ini variables for a Domino server.

Security enhancement: Advanced Encryption Standard (AES) support for SSL
Description:
- AES is a symmetric algorithm chosen by the National Institute of Standards and Technology (NIST) after a five-year long contest.
- AES is intended to replace the Data Encryption Standard (DES).
- Includes new cipher suites supported by the Domino SSL server.

Security enhancement: Smartcard improvements
Description:
- New SSO tokens, such as cookies, are supported.
- Usage of X.509 certificates that are preconfigured on smartcards where the import and lock ID are not required. No information from the smartcard is stored in the ID file, and no information from the ID file is stored in the smartcard.
- A new dialog box is included to dynamically pick S/MIME signing certificates. It can pick X.509 certificates that exist on a smartcard but are not in the ID file. It can also switch signing certificates without changing the default signing certificate in the user datagram protocol (USD).

Internet Password Locking


Internet password locking is another security enhancement featured in Lotus Domino 8.5. Internet Password Lockout lets system administrators set a threshold value for Internet password authentication failures for Lotus iNotes users to prevent brute-force and dictionary attacks on user Internet accounts. As a system administrator, you can lock out a user after three incorrect login attempts; this is known as the 3 Strikes rule for HTTP. You can also enable the Enforce Internet Password Lockout feature by selecting the Yes check box next to it, and configure defaults for one or more servers at a time in a server Configuration Settings document. Additionally, you can override server default settings with user security policies. Because special rules apply to CEOs and other users with unique needs, overriding lockout pertains only to servers with Internet Password Lockout enabled.
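The threshold behavior described above, modeled as an added example (not part of the course material and not Domino's own code). The class and field names, the 0-means-exempt override, and clearing the count on a successful login are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class ServerLockoutConfig:
    enforce: bool        # models "Enforce Internet Password Lockout" on this server
    max_tries: int = 3   # server-wide default threshold (the "3 Strikes" value)


@dataclass
class LockoutTracker:
    server: ServerLockoutConfig
    # Hypothetical per-user policy overrides: user -> threshold (0 = never lock).
    policy_overrides: Dict[str, int] = field(default_factory=dict)
    failures: Dict[str, int] = field(default_factory=dict)
    locked: Set[str] = field(default_factory=set)

    @staticmethod
    def _key(user: str) -> str:
        # Count "JDoe" and "jdoe " as one account so spelling variants
        # of the same name share a single failure counter.
        return user.strip().lower()

    def threshold_for(self, user: str) -> Optional[int]:
        """Effective threshold, or None when no lockout applies to this user."""
        if not self.server.enforce:
            return None  # overrides only matter on servers that enforce lockout
        limit = self.policy_overrides.get(self._key(user), self.server.max_tries)
        return limit if limit > 0 else None

    def record(self, user: str, password_ok: bool) -> str:
        """Apply one authentication attempt and return its outcome."""
        key = self._key(user)
        if key in self.locked:
            return "rejected-locked"  # even a correct password is refused
        if password_ok:
            self.failures.pop(key, None)  # assumption: success clears the count
            return "ok"
        self.failures[key] = self.failures.get(key, 0) + 1
        limit = self.threshold_for(user)
        if limit is not None and self.failures[key] >= limit:
            self.locked.add(key)
            return "locked"
        return "failed"


def replay(tracker: LockoutTracker, events: List[Tuple[str, bool]]) -> List[str]:
    """Feed (user, password_ok) events to the tracker in arrival order."""
    return [tracker.record(user, ok) for user, ok in events]


# Constructed sample events: (user, password_ok).
SAMPLE_EVENTS = [
    ("jdoe", False), ("JDoe", False), ("jdoe ", False),  # repeated failures
    ("jdoe", True),                                      # arrives after lockout
    ("asmith", False), ("asmith", True),                 # ordinary typo
    ("ceo", False), ("ceo", False), ("ceo", False), ("ceo", False),
]


def demo() -> Dict[str, List[str]]:
    """Replay the same events against an enforcing and a non-enforcing server."""
    overrides = {"ceo": 5}  # constructed policy: higher threshold for one user
    enforced = LockoutTracker(ServerLockoutConfig(enforce=True),
                              policy_overrides=dict(overrides))
    unenforced = LockoutTracker(ServerLockoutConfig(enforce=False),
                                policy_overrides=dict(overrides))
    return {"enforced": replay(enforced, SAMPLE_EVENTS),
            "unenforced": replay(unenforced, SAMPLE_EVENTS)}


if __name__ == "__main__":
    for name, outcomes in demo().items():
        print(name, outcomes)
```

On the enforcing server the fourth jdoe attempt is refused although the password is correct; on the non-enforcing server the same attempt succeeds and the override has no effect.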


Internet password protection with xACLs


One way to secure Internet passwords is to use Extended ACLs, or xACLs, to control access based on levels in the naming hierarchy, and at the form and field level. For passwords stored in the Domino Directory, system administrators can set up xACLs to limit access to Internet passwords to the users themselves, for accessing their own passwords, and administrators, for allowing administration changes to passwords. Using xACLs, you can prevent attacks on the Domino Directory and stop access to hashed passwords.

ID File Distribution Options


ID File Distribution

The Registration process provides two options for administrators to store the user's ID file. The following table describes the requirements for these options.

ID file option: Attach the ID file to the user's Person document in the Domino Directory.
Requirements: The ID must be password protected.

ID file option: Store the ID file on disk.
Requirements: The ID file must be accessible to the user before the user can set up the workstation.

Activity 3-1: Register New Administrators


Servers for Each Administrator

Scenario
Worldwide has 12 new administrators that need to be registered before they can set up their workstations. To complete this activity, take turns using the instructor's workstation to register your assigned administrative user account. Follow these steps to register new administrators.

Leave the graphic displayed while students register their administrator accounts. This activity must be performed on the instructor's workstation. Students should use the instructor workstation to register their administrative users per the established naming scheme. ILO: You will need to coordinate students' remote logins to the instructor workstation.
Step 7: Tell students that selecting a weak password is for classroom use only. In a real implementation, they should select a higher password quality.
Step 9: Ensure that students have selected the correct mail server.
Step 11: Assist students with selecting the appropriate classroom license type.

Step  Action
1. In Domino Administrator, select Hub/SVR/WWCorp to administer.
2. Select the People & Groups tab → Domino Directories section → WWCorp's Directory section → People view.
3. In the Tools pane, click People → Register.
4. Click Cancel when prompted for the certifier password.
5. Click Certifier ID, select the appropriate certifier ID for your region (east.id or west.id), click Open, and click OK.
6. Enter passw0rd as the certifier ID password, and click OK.
7. In the Basics panel, perform the following steps:
   - For Registration Server, verify that Hub/SVR/WWCorp is selected.
   - Enter your assigned First name and Last name from the Mail servers for each administrator figure.
   - Click Password Options.
   - For the Password Quality Scale, select Allow weak password, despite risk of being guessed by trial and error (4).
   - Select Set internet password to make the initial Internet password the same as the Notes password, and click OK.
   - Enter passw0rd for the password.
8. Select Advanced to see more panels and options.
9. In the Mail panel, perform the following steps:
   - Click Mail Server.
   - Enter the appropriate server name from the figure titled Mail servers for each administrator, and click OK.
   - Accept the defaults for the other options in the Mail panel.
10. In the Address panel:
   - For Address name format, select FI LastName (first initial, last name).
   - For Internet Domain, enter wwcorp.com
11. In the ID Info panel, perform the following steps:
   - Verify that the Certifier ID is the correct one for your region.
   - Select the appropriate License type for the classroom location with guidance from the instructor.
   - Store the user ID in both places:
     - In the Domino directory
     - In file
12. In the Groups panel, select the LocalDomainAdmins group, and click Add.
13. Click to add the user to the Registration queue.
14. Click Register. Result: A message appears stating that the Person registered successfully. Click OK.
15. When registration is complete, click Done.

User Registration
Display a registration text file. Show students one of the two supplied registration text files. Point out that null values work for many parameters. This demo enables later activities. Edit the two supplied user registration text files according to classroom needs. The files are Reg_East.txt and Reg_West.txt. Consider the following options:
- Edit the files to distribute one mail file to each server.
- Change the registration server for some users after importing the text file.
Note: Michelle Grassi is one of the users in the Reg_West.txt file. This user needs to have Hub/SVR/WWCorp as the mail server, to enable the Updating recovery information for existing IDs procedure in the Student Guide, in the next lesson.

Topic C: Registering Users from a File


User Registration Text Files
Regular users can be registered at this time or later. To populate the Domino Directory for later classroom activities, we will register users now. An alternative to entering names in the Registration dialog box is to create a text file containing the names and information for users. The instructor will register users listed in a supplied text file.
Note: For information on creating the text file, refer to the Lotus Domino Administrator 8.5 Help document titled Registering users from a text file.

How to Register Users from a Text File


Procedure Reference: Registering users from a text file
Follow these steps to register users by using a text file.

Demonstrate this procedure. Be sure to perform this procedure twice, selecting the /East/WWCorp certifier the first time and the /West/WWCorp certifier the second. After you have imported all users from the two text files, detach the ID from the Person document for Michelle Grassi. Create a Location document for this user. Verify that this user's mail file was created on Hub/SVR/WWCorp.

1. In Domino Administrator, select the server to administer.
2. Select the People & Groups tab → Domino Directories section → Your Directory section → People view.
3. In the Tools pane, click People → Register.
4. Click Cancel when you are prompted for the certifier password.
5. Click Certifier ID, select the appropriate certifier ID, and click Open. Then, click OK. For classroom purposes, east.id and west.id should be used.
6. Enter the certifier ID password, and click OK.
7. Click Password Options and drag the Password Quality Scale to a strength appropriate for the passwords in the text file. Then, click OK. For classroom purposes, Allow weak password, despite risk of being guessed by trial and error (4) should be used.
8. Select Advanced.
9. Click the Address panel, and, if necessary, type the Internet Domain for these users. For classroom purposes, wwcorp.com should be used.
10. Click Import Text File.
11. Select the text file and click Open. For classroom purposes, Reg_East.txt and Reg_West.txt should be used.
12. Click OK.
13. Click Register All.
14. Click OK when prompted that the users were successfully registered.
15. When registration completes, click Done.
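A pre-import check for a registration text file, added here as an example and not part of the course material. It assumes the semicolon-delimited field order listed in FIELDS, which should be verified against the Help document cited above; the length check is a stand-in for the Password Quality Scale, not an implementation of it, and pinned_mail_servers is a hypothetical parameter.

```python
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional

# Assumed order of the first ten semicolon-delimited fields; verify it
# against the Help document before relying on it.
FIELDS = ["last_name", "first_name", "middle_initial", "org_unit", "password",
          "id_dir", "id_file", "mail_server", "mail_dir", "mail_file"]

# Constructed sample. Michelle Grassi, passw0rd and the two server names come
# from the page; every other name and password is invented for the example.
SAMPLE_REG_FILE = """\
Grassi;Michelle;;;passw0rd;;;Hub/SVR/WWCorp
Ortega;Luis;;;passw0rd;;;East01/SVR/WWCorp
Nakamura;Aiko;;;;;;East01/SVR/WWCorp
;Pat;;;Xq7-long-unique-phrase;;;East01/SVR/WWCorp
Bauer;Tom;;;T9!vary-per-user-77
"""


class Finding(NamedTuple):
    line_no: int
    user: str
    issue: str  # never contains the password itself


def parse_line(line: str) -> Dict[str, str]:
    """Split one row; trailing fields may be omitted (null values)."""
    parts = [p.strip() for p in line.split(";")]
    parts += [""] * (len(FIELDS) - len(parts))
    return dict(zip(FIELDS, parts))


def audit(text: str, min_length: int = 12,
          pinned_mail_servers: Optional[Dict[str, str]] = None) -> List[Finding]:
    """Return findings for rows that should be fixed before the file is imported."""
    pinned = pinned_mail_servers or {}
    findings: List[Finding] = []
    rows_by_password = defaultdict(list)
    for line_no, raw in enumerate(text.splitlines(), start=1):
        if not raw.strip():
            continue
        row = parse_line(raw)
        user = f"{row['first_name']} {row['last_name']}".strip()
        if not row["last_name"]:
            findings.append(Finding(line_no, user, "missing last name"))
        want = pinned.get(user)
        if want and row["mail_server"].lower() != want.lower():
            findings.append(Finding(line_no, user, f"mail server is not {want}"))
        password = row["password"]
        if not password:
            findings.append(Finding(line_no, user, "empty password"))
            continue
        rows_by_password[password].append((line_no, user))
        if len(password) < min_length:
            findings.append(Finding(
                line_no, user, f"password shorter than {min_length} characters"))
    # One password reused across rows means every ID in the batch opens with it.
    for rows in rows_by_password.values():
        if len(rows) > 1:
            findings.extend(
                Finding(n, u, f"password shared by {len(rows)} rows") for n, u in rows)
    return sorted(findings)


if __name__ == "__main__":
    for f in audit(SAMPLE_REG_FILE,
                   pinned_mail_servers={"Michelle Grassi": "Hub/SVR/WWCorp"}):
        print(f"line {f.line_no}: {f.user}: {f.issue}")
```

Because the file carries every initial password in clear text, the findings name the row and the problem but never echo the password.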

Replicating the Domino Directory to Other Servers
Ask students what documents need to replicate. Use the explanation in the text to explain the next step: synchronizing the changes to the Domino Directory. Briefly mention the Rep_dd.txt file and how using the less-than sign (<) in the Server Console view tells the server to read and perform the commands in a text file. The commands in Rep_dd.txt tell the server to replicate with all other servers. Point out that you will run this twice:
1. Once so that the Hub server receives documents from each server.
2. A second time so that the servers that replicated first will receive documents created on the servers that replicated last.

Topic D: Replicating Server Document Changes


Domino Directory Document Synchronization
After modifying the IBM Lotus Domino Directory, as happens during any registration task, replicas on other servers need the modifications. Replication synchronizes the replicas. At this point, each replica of the Domino Directory has only documents that existed on the Hub server at the time of additional server setup. Therefore, the additional servers have the following:

- A Server document for each classroom server, because all servers were registered on the Hub server.
- The Doctor Notes Person document, because Doctor Notes was created during the first server setup.
- Only Person documents that were registered on that server.

To facilitate name lookup for users sending mail, the Person documents need to be on each server's replica of the Domino Directory. Now that the servers are running, the instructor can replicate with all classroom servers to ensure that all Person documents are in each replica.

Activity 3-2: Restart the Server to Activate Server Document Changes


Before beginning this activity, replicate the Domino Directory changes twice so that all replicas receive all documents. Use the console command batch file, Rep_dd.txt, included with the instructor materials, to replicate documents in the Domino Directory to all the domain servers. Follow these steps.
1. In Domino Administrator, select Hub/SVR/WWCorp to administer.
2. Select the Server tab → Status tab.
3. Click the Server Console view.
4. Click the Live button.
5. Enter the following text on the command line: < Rep_dd.txt
Note: The command requires a space between the less-than sign and the name of the text file. If the Rep_dd.txt file is in a subdirectory other than the Domino data directory, use the full path to the file.
Tell students to restart their servers to activate the change you made earlier. Also mention that in general, it is helpful to synchronize replicas of the Domino Directory before students start using the Lotus Domino Administrator so that all replicas look the same.

Scenario
After editing the documents in the Domino Directory, Worldwide administrators need to replicate those changes throughout the domain. Replication can occur based on a schedule, or it can be manually initiated in order to replicate the documents immediately. The newly replicated Server documents have changes on the Security tab. The instructor edited security restrictions to enable later activities. Changes to security restrictions may require a server restart. To complete this activity, restart your server. Follow these steps to restart the server to activate Server document changes.

Step  Action
1. At the server console, enter Restart Server
2. If you are prompted for a password on the server machine, enter passw0rd

Remind students of the function of the workstation setup program. Explain that there is little difference between setup of the first and additional workstations.
Sample Workstation Implementation

Topic E: Setting Up an Administrator Workstation


Workstation Setup for Additional Workstations
The workstation setup program configures the workstation and connects it to the IBM Lotus Domino intranet. The workstation connects to a Lotus Domino server whose Domino Directory contains a Person document for the user.

Sample workstation implementation

The following figure represents the administrators and mail servers for the classroom. Use the figure to set up your workstation.

Review each student's assigned mail server and user name.

Figure 3-2: Sample workstation implementation

Activity 3-3: Set Up a Workstation


Scenario
Each Worldwide administrator will set up a workstation to use the Lotus Notes client to access mail and other databases and the Lotus Domino Administrator client to administer server and users. To complete this activity, use the workstation setup program to configure the client software on your machine. Follow these steps to set up a workstation.

Step 3: Provide students with their assigned user name and mail server from Figure 3-2.
Step 6: Provide students with the protocol used in the classroom: TCP/IP. Students will be asked for the protocol only if the setup program cannot make a connection to the specified server.
Steps 8 and 9: Ensure that students perform both steps to close the current Welcome page and to prevent it from appearing at each start of the Administrator client.

Step  Action
1. Launch Domino Administrator to start the setup program. From Windows, click Start → All Programs → Lotus Applications → Lotus Domino Administrator 8.5.
2. On the Welcome screen, click Next.
3. On the User Information screen, enter the following information:
   - Your Name: Your assigned user name.
   - Domino Server: The hierarchical name of your assigned server.
   - Verify that I want to connect to a Domino server is selected.
   Then, click Next.
4. Enter passw0rd and click Log In.
5. Clear the Setup instant messaging check box, and click Next.
6. On the Additional Services screen, click Next.
   Note: We will not be using the Lotus Notes client to connect with Internet servers, so we do not need to select Internet protocol options here. These options create Account documents in the Contacts file.
7. When setup is complete, click OK. Result: The Domino Administrator program starts.
8. On the Welcome page, select Don't show this again.
9. On the tab, click the X to close the Welcome page.

Lotus Domino Administrator
Quickly review the parts of Lotus Domino Administrator, such as task windows and the push pin, to ensure students are familiar with the terms.

Topic F: Verifying the IBM Lotus Domino Installation


The Lotus Domino Administrator
The IBM Lotus Domino Administrator contains menu and graphic options for performing most of the management functions. The Lotus Domino Administrator allows connecting to different servers and can perform certain functions on multiple servers with a single click. The following table describes the tabs and the content on those tabs.

Tab: People & Groups
Content: People-related Domino Directory items: Person documents, groups, mail-in databases, and Policies.

Tab: Files
Content: File interaction includes databases, templates, database links, and all other files in the server's data directory.

Tab: Server
Content: Current server activity and tasks. This tab has five subtabs: Status, Analysis, Monitoring, Statistics, and Performance.

Tab: Messaging
Content: Mail-related information. This tab has two sub-tabs: Mail and Tracking Center.

Tab: Replication
Content: Replication schedule, topology, and events.

Tab: Configuration
Content: All documents used to configure the server, such as:
- Server document
- Server Configuration document
- Messaging and replication connections
- Web Configuration documents
- Directory Configuration documents

Activity 3-4: Select Your Assigned Server to Administer


Scenario
Each Worldwide administrator is responsible for managing a Lotus Domino server. It is important to select the assigned server before using Lotus Domino Administrator. To facilitate selecting the server, administrators will add their assigned server to the Favorites list. To complete this activity:

- Select your server.
- Add your server to the Favorites list.

Follow these steps to select your assigned server to administer.

Students should select the assigned server to administer according to the classroom layout.

Step  Action

Select your server
1. In Lotus Domino Administrator, display the Server pane for the WWCorp domain by clicking the WWCORP Domain icon, and click the push pin to secure the pane.
2. Click Administration → Refresh Server List → Current Domain.
3. In the WWCORP Domain pane, expand the All Servers section, and select your assigned server.

Before moving to the next section, make sure all students have selected the correct server to which they were assigned.

Add your server to the Favorites list
4. Right-click your assigned server, and click Add Server to Favorites to add your server to the Favorites list.
5. Click the Favorites icon to verify that your assigned server is in the Favorites list.

Administration Process
Generate a discussion about uses for the Administration Process (Adminp). Display the Lotus Domino Administrator 8.5 Help and click Search. Search for and select Administration Requests Database. Point out the variety of jobs Adminp performs. Search for and select Delete person in Domino Directory. Point out the complexity of the flowchart and how time-consuming it would be to perform the flowchart steps manually, especially for a large number of users. Show the triggering and timing information at the bottom of the Help document. A student tip recommends looking at this information before performing an action that triggers Adminp.

Topic G: Creating Replicas on Multiple Servers


The Administration Process
The Administration Process (Adminp) is a program that automates routine administrative tasks, such as:

- Name-management tasks, such as rename person, rename group, delete person, delete group, delete server name, recertify users, and store Internet certificate.
- Mail file-management tasks, such as delete a Mail file and move a Mail file.
- Server document-management tasks, such as store CPU count, platform, and place network protocol information in Server document.

Components of the Administration Process


Maintaining the Administration Process requires monitoring key components. The following table lists the components of the Administration Process.

Component: Administration Process task (Adminp)
Description: Posts, responds to, and carries out requests in the Administration Requests database.

Component: Administration server
Description: Server responsible for completing many Administration Process requests. The Administration server is assigned for each database in the ACL → Advanced panel. Some Administration Process requests are completed on a server other than the Administration server, for example, on the server where the request was created.

Component: Administration Requests database (Admin4.nsf)
Description: Every server in the domain stores a replica of the Administration Requests database. Replicas of the Administration Requests database distribute requests made on one server to other servers in the domain or send mail requests to servers in other domains.

Component: Certification Log (Certlog.nsf)
Description: The Administration Process requires this database to perform name changes and recertifications. The Certification Log contains a permanent record of how users and certifiers are registered, including information about the certifier ID. The Certification Log also contains messages that describe the results of recertification requests that the Administration Process is processing.

Practice Activity 3-5: Review the Administration Process Components


Use the questions presented as a basis for discussion.

Scenario Based on the information covered, answer the following questions.

1.

What server task runs the Administration Process? Adminp

2.

Which server is the Administration server? Hub/SVR/WWCorp

Database Tools in Domino Administrator


Domino Administrator enables creating replicas of a database on multiple servers with one command. All servers used to register and manage users should have a replica of the Certification Log, so this is a good use of creating replicas.

Timing and Execution of Administration Process Requests


Use Help to determine timing and execution of Administration Process requests. When performing an action that triggers the Administration Process, determine the following by referring to the Lotus Domino Administrator 8.5 Help document titled Administration Process Requests:

- The timing of the request you are using.
- The server that performs the request.
- Other requests that might be generated by the action.

The Administration Process can be run manually to trigger a change before the next scheduled running.


Procedure Reference: Creating replicas on multiple servers

Follow these steps to create a replica of the Certification Log on multiple servers.

Demonstrate this procedure.
Step 3: Point out the Compact option on the Tools pane. Students will use this in the server access activity in the lesson where they set up server administration.
Step 4: Select each classroom server and click Add. If servers do not display, select Other, click Add, and enter the server name. Repeat for each server.
Step 5: Accept the default file name.

1. In Domino Administrator, click the Files tab.
2. Select the Certification Log database from the list.
3. In the Tools pane, click Database → Create Replica(s).
4. Select each server that needs a replica and click Add, or select Other, click Add, and enter a server name.
5. Accept the default file name or change it if required.
6. In the Destination database and server box, select the destination server(s), and verify that Copy Access Control List is selected.
7. Click OK to create the replica.

Note: Two Administration Process requests lead to creation of a replica on each server immediately. Because the Administration Process creates the replicas, the server that contains the database being replicated needs to be listed in each receiving server's Server document → Security tab → Create new replicas field.

Lesson Summary
Several deployment tasks were implemented in this lesson to set up users on Lotus Notes clients.

Checklist: Building the Lotus Domino Environment
The bolded tasks in the Implementation Checklist were completed in this lesson.

Review the list of items implemented in this lesson.

Task  Procedure
1     Set up the first server.
2     Add an administrator's workstation.
3     Set up access to the Domino Directory.
4     Add Lotus Domino servers.
5     Add organizational units.
6     Register administrators.
7     Add Lotus Notes clients.
8     Create user groups.
9     Create organizational policy.
10    Register users.
11    Set administration preferences.
12    Set up access to servers.
13    Set up server logging.
14    Synchronize Lotus Domino system databases throughout the domain.
15    Route mail internally.
16    Route mail to the Internet.
17    Set mail controls.
18    Test mail routing and delivery.


Lab 3-1: Verify the Components Created So Far


Scenario
All Worldwide administrators need to become familiar with using Lotus Domino Administrator and locate the documents and files on their assigned servers. To complete this activity, examine several components and answer questions related to them. Complete the following steps to verify the components created so far.

Tell students to locate items listed in the first step. Review what students discovered in this activity.

1. Use Domino Administrator to locate the following components.
   - Your Server document
   - The Certifier documents
   - Your Person document
   - Your Server's mail.box
   - Mail file(s) on your server
   You will use these components to answer several questions.
2. In the Server document for your server, what name is in the Administrators field? Is this the name you entered when registering your server?
3. Is there a document for each of the four classroom certifiers?
4. Does the mail file listed in your Person document exist?


Administering Users

Topic A: Creating Groups
Topic B: Creating an Organizational Policy
Topic C: Creating and Assigning an Explicit Policy

Lesson 4 Administering Users

Introduction
Worldwide Corporation has determined that they will use groups to facilitate administration and user activities. After completing this lesson, you should be able to:
- Create groups.
- Create an organizational policy.
- Create and assign an explicit policy.

Implementation Checklist
Review the checklist items for adding workstations. At the end of this lesson, the following Implementation Checklist items will be complete:
- Create user groups.
- Create organizational policy.
- Register users.

Topic A: Creating Groups

Groups
Demonstrate the following:
- In Domino Administrator, select the People & Groups tab → Domino Directories section → WWCorp's Directory section → Groups view.
- The two default server groups: LocalDomainServers and OtherDomainServers.
- The optional LocalDomainAdmins group created by the First Server setup program.
- Click Add Group, and expand the Group Type field to display the group types. Leave this displayed during the following discussion.

A group is a list of users and/or servers who have something in common. For example, a group can have the name of a department and contain all the department's members.

What are the benefits of using groups?

- Groups enable using a single word, the group name, to represent multiple users and/or servers.
- Use group names for mailing lists and administrative functions to simplify the listing of users and/or servers.
- Adding a user to a group dynamically controls the user's access to resources that specify the group name.

Practice Activity 4-1: Review Groups


This activity is a review of the IBM Lotus Domino 8.5 System Administration Operating Fundamentals course. Use these questions to facilitate a discussion. The Servers only group type is required for using a group name in the destination server field of a Connection document. For more information, refer students to the Lotus Domino Administrator 8.5 Help document "Scheduling server-to-server replication."

Scenario
Answer the following questions with your instructor's help.

1. What type of group can be used as both a mail distribution list and an ACL entry to allow/restrict access to a database?
A Multi-Purpose group.

2. What type of group would allow a database's ACL to restrict replication from the servers in the group?
An Access Control only group.

3. What type of group could specify certain servers as the replication destination in a Connection document?
A Servers only group.

Nested Groups
Group maintenance is made easier by including groups within other groups (nesting one inside the other). For example, the Members of a group named Global Marketing could be group names of regional marketing divisions.

Benefits of nested groups

Advantages of nesting groups include:
- Determining the members by adding only a few entries: the nested group names.
- Distributing administration of regional groups, while central administrators control large groups by nesting.
- Bypassing the size limitation of 15 K of text in the Members field of a Group document.

The Deny List Only Group Type


Present Deny List only. Ensure students understand the concept of the Administration Process and its ability to delete references to users. Then point out the importance of the Deny List's ability to retain user names. Emphasize that Deny List only groups should be entered in the Not access server field of each Server document.

One group type, Deny List only, is for server access control and cannot be used for other purposes. Enter a Deny List only group in the Not access server field of the Server document, to deny the members access to the server. For example, create a Deny List only group and enter names of people who have left the organization. A conventional choice for such a group name is Terminations.

The Deny List only group type has a special characteristic. When the Administration Process is used to delete instances of a user name throughout the IBM Lotus Domino Directory, this process does not delete names from Deny List only groups. Therefore, members of Deny List only groups remain listed permanently.

Group Precedence in Database Access


Present the rules of group precedence in ACL. (Optional) Supply some examples of a user being in two groups with two different access levels and verify that the students can determine which access level the user gets based on the rules of precedence.

A user can be in more than one group. If a database's ACL has entries for two different groups, and a user is a member of both groups, then the user gets the access level for the more-privileged group. For example, a user is allowed Manager access to a database if the user is a member of the following two groups that are both listed in an ACL:
- Group1, which has Manager access
- Group2, which has Reader access

Groups of the type Deny List only are an exception. A Deny List only group always takes precedence over any other group, regardless of access level.

User name precedence


If an ACL lists a user by name, the user gets the access level associated with the user name. Group entries are ignored for that user.
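The precedence rules above, worked through as an added Python example (not part of the course material). It is a simplified model: the directory, ACL and user names are constructed, the -Default- fallback is the standard ACL entry, and every Deny List only group is assumed to be listed in the server's Not access server field.

```python
from enum import IntEnum


class Access(IntEnum):
    """Domino ACL levels, ordered from least to most privileged."""
    NO_ACCESS = 0
    DEPOSITOR = 1
    READER = 2
    AUTHOR = 3
    EDITOR = 4
    DESIGNER = 5
    MANAGER = 6


DENY_LIST_ONLY = "Deny List only"

# Constructed sample directory: group name -> (group type, members).
# A member is either a user name or the name of another (nested) group.
DIRECTORY = {
    "Group1": ("Multi-purpose", ["Ana Ruiz/East/WWCorp", "Ben Ito/West/WWCorp",
                                 "Cy Dole/East/WWCorp"]),
    "Group2": ("Access Control only", ["Ana Ruiz/East/WWCorp"]),
    "Marketing East": ("Multi-purpose", ["Dee Park/East/WWCorp"]),
    "Marketing West": ("Multi-purpose", ["Global Marketing"]),  # accidental loop
    "Global Marketing": ("Multi-purpose", ["Marketing East", "Marketing West"]),
    "Terminations": (DENY_LIST_ONLY, ["Ben Ito/West/WWCorp"]),
}

# Constructed sample ACL: entry name -> access level.
ACL = {
    "Group1": Access.MANAGER,
    "Group2": Access.READER,
    "Global Marketing": Access.EDITOR,
    "Cy Dole/East/WWCorp": Access.READER,
    "-Default-": Access.NO_ACCESS,
}


def groups_of(user, directory):
    """Return every group that contains `user`, directly or through nesting."""
    found = set()
    frontier = {user}
    while frontier:
        # Groups that list any name in the frontier as a member.
        parents = {
            name
            for name, (_group_type, members) in directory.items()
            if frontier & set(members)
        }
        # Expand only groups not seen before, so nesting loops terminate.
        frontier = parents - found
        found |= parents
    return found


def effective_access(user, acl, directory):
    """Return (access level, reason) for `user` under the page's rules."""
    memberships = groups_of(user, directory)

    # A Deny List only group takes precedence over everything else.
    for group in sorted(memberships):
        if directory[group][0] == DENY_LIST_ONLY:
            return Access.NO_ACCESS, f"denied by {group}"

    # A user listed by name gets that level; group entries are ignored.
    if user in acl:
        return acl[user], "user entry"

    # Otherwise the most privileged matching group entry applies.
    levels = {g: acl[g] for g in memberships if g in acl}
    if levels:
        best = max(sorted(levels), key=levels.get)
        return levels[best], f"group {best}"

    return acl.get("-Default-", Access.NO_ACCESS), "-Default-"


if __name__ == "__main__":
    for name in ("Ana Ruiz/East/WWCorp", "Ben Ito/West/WWCorp",
                 "Cy Dole/East/WWCorp", "Dee Park/East/WWCorp"):
        level, reason = effective_access(name, ACL, DIRECTORY)
        print(f"{name:24} {level.name:10} ({reason})")
```

Cy Dole shows why a personal ACL entry needs care: the Reader entry by name cancels the Manager access that Group1 would otherwise grant, and the same rule works in the other direction for a forgotten high-privilege personal entry.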

Auto-populated Groups
The auto-populated groups feature enables you to automatically establish and update group membership by employing predefined criteria. For example, this feature can be used to apply policies to users and groups based on their home servers. Using the Group document, you can generate a home server group whose members use the same server as their home mail server. Once the home server group is created, you can allocate policies that pertain to everyone in that specific group. Updates to the home server group's membership affect the users to whom the policy is applied.
Note: Home servers is the only available auto-populate method in Lotus Domino 8.5. Auto-populated groups are accessible from within Lotus Domino Administrator, not from within Lotus Domino Web Administrator.

The following figure displays the Domino Directory Configuration Profile for configuring auto-populated groups using the Auto-populated group Members update interval option.

Figure 4-1: The Domino Directory Configuration Profile for updating auto-populated group membership

The name lookup limit


When retrieving a large number of member names from the Domino Directory, you may reach a name lookup limit. To prevent this discrepancy, you need to use the notes.ini server setting, Namelookup_max_mb, to increase the limit from 1 megabyte (MB) to a greater value. For example, Namelookup_max_mb=3 will allow NAMELookup2 to return 3 MB of data. If this variable is not set, the default of 1 MB is used. Increasing the default will result in a performance hit on the server returning the data. The maximum size for the amount of returned data is MAXDWORD (approximately 4,000 MB).

Subgroups
Subgroups will automatically be created within an auto-populated group when that particular group becomes too large. The subgroup names should appear as <auto-populated group name>-AP<XXXXX>, where XXXXX is equivalent to a number preceded by zeros. For instance, if Home Mail Server is the designated auto-populated group name, then the first subsequently generated subgroup for that group will be named Home Mail Server-AP00001.
Note: Auto-populated subgroups cannot be created manually, and the Members field cannot be revised or amended in any way. Auto-populated subgroups should not be copied and pasted into the Domino Directory due to the references they contain to their associated subgroups.

Activity 4-2: Create Groups


Step 1: Assign each student one of the following names to create for the first group:
- SalesGlobal, SalesEast, SalesWest
- MarketingGlobal, MarketingEast, MarketingWest
- HRGlobal, HREast, HRWest
- ISSGlobal, ISSEast, ISSWest
Note: The omission of the space in the group name facilitates lookup.
Step 16: Explain that nesting this group means that members of LocalDomainAdmins will receive a copy of mail sent to any of the groups.
Step 19: If time permits, suggest adding two or three other users to the group.
Step 20: Explain that removing Doctor Notes avoids duplication. Doctor Notes is a member of LocalDomainAdmins, so it does not need an explicit listing in the same group document.
New users will be added to these groups during user registration later in this lesson.

Scenario
Worldwide Corporation is expanding into new business areas. Worldwide administrators need to create mailing lists for new departments, and these mailing lists also need to include the administrators. In addition, administrators need to be able to notify users regarding changes or maintenance to their home servers. To complete this activity:
- Create a mailing list group, using the group name specified by the instructor.
- Create an auto-populated group for notifying users of changes to their home servers.
- Nest the LocalDomainAdmins group into your mailing list group.

Follow these steps to create groups.


Step  Action

Create a mailing list group, using the group name specified by the instructor
1. In Domino Administrator, select your assigned server to administer.
2. Select the People & Groups tab → Domino Directories section → WWCorp's Directory section → Groups view.
3. Click Add Group.
4. Enter the Group name provided by your instructor.
5. Select Mail only for the Group type, and click OK.
6. (Optional) Enter a description appropriate to the name of the group.
7. Add Doctor Notes/WWCorp as a member.
   Note: You will add more members in a later activity.
8. Click Save & Close.

Create an auto-populated group for notifying users of changes to their home servers
9. Click Add Group.
10. For Group name, type [your server] Users
    For example, if you were Admin East01, you would type East01 Users
11. For Auto Populate Method, select Home Server.
12. For Home Server(s), select your server, and click OK.
13. For Additional Members, select your administrative user.
14. Click Save & Close.

Nest the LocalDomainAdmins group into your mailing list group
15. In the Tools pane, click Groups → Manage.
16. In the left pane, select LocalDomainAdmins to include it in the parent group.
17. In the right pane, select the mailing list group you created earlier.
18. Click Add.
19. Repeat Steps 16 through 18, but select two non-administrative users as members.
20. In the right pane, expand the parent group, select Doctor Notes/WWCorp, and click Remove.
21. When you are finished managing groups, click Done.

Topic B: Creating an Organizational Policy

Policies
Demonstrate the three concepts by showing the forms.
- For the first concept, create a Policy document and point out:
  - The types of settings, in the Settings Type column.
  - The New button next to each type.
- For the second concept, point out the two keywords in the Policy type field:
  - Organizational
  - Explicit
- For the third concept, display the Inherit and Enforce fields in a Settings document. Also, in the Policy document, display the Administration tab to show students the Exception Policy field. This field makes a policy override all ancestor policies.
Note: Do not save the policies at this time.
A policy is the Policy document and its associated Policy Settings documents. Policies can control many user and administrative functions. An administrator can enforce IBM Lotus Notes and IBM Lotus Domino policies of various types and apply them to various groupings of users. Policies can apply to various sets of users. They can apply to an entire organization, an OU, a group of users, or even one user. Multiple policies can apply to the same user and these can contain a contradictory value for the same setting. A precedence system determines which setting a user gets.

Worldwide Corporation's policies

Worldwide Corporation will have the following two policies:
- An organizational policy that specifies a password length for the entire organization
- An explicit policy to make the password optional for certain users

Policy Documents
Each Policy document contains pointers to selected Settings documents. This combination of the Policy document and its Settings documents constitutes one policy. You create policy documents in the Domino Directory to distribute standard settings and configurations across groups, departments, or entire organizations.

Policy Types
A policy can be either:
- Organizational, meaning it applies to an organization or an organizational unit (OU).
- Explicit, meaning it applies to specific users and may include users from different OUs.

Settings Document Types


Types of Policy Settings Documents

Policies can contain one or more Policy Settings documents. There are numerous settings an administrator can specify in the Policy Settings documents. The following table shows examples of settings in each type of Policy Settings document.

(Optional) Explore a Policy document. In the Policy document:
- Click the New button for each type of Settings document to point out the number and variety of settings.
- Point out the many duplicate fields between the following two types of Settings documents: Setup Settings document and Desktop Settings document. Desktop settings are set dynamically when a user authenticates with a server. Because they have so many settings in common with the Setup Settings document, the Desktop Settings document can be considered the dynamic twin of the Setup Settings document.

Type of Policy Settings document | Description
Activities | Specifies a user's activities server and the port in which the server is assigned.
Archiving | Specifies what documents or attachments to archive from mail files and where to place the archive. Server-to-server archiving can archive all mail files to central server.
Desktop | Specifies numerous types of settings to implement on an ongoing basis. For example: a custom corporate welcome page; Smart Upgrade options; default replication schedule; bookmark management and update; user preferences.
Mail | Specifies settings that control end user field value modification.
Registration | Specifies default settings on the User Registration dialog box.
Security | Specifies controls on Lotus Notes and Internet passwords, as well as the Execution Control List (ECL).
Setup | Specifies numerous types of settings implemented during the initial Lotus Notes client setup to populate the user's Location document and includes the following: desktop preferences; user preferences; Internet browser and proxy settings; applet security settings.
Lotus Traveler | Defines preferences for synchronizing Lotus Domino users' mail database data, including Mail, Calendar, To-Do, Contacts, and Journal data, with their mobile handheld devices.
Roaming | Configures file-server roaming for registered Notes standard configuration users.
Symphony | Defines whether or not users can use the IBM Lotus Symphony editors, and designates which files and templates can be used.
Policy Precedence Rules


In general, a policy that is more specific to a given user takes precedence over a more general policy. For example, settings in an explicit policy take precedence over the corresponding settings in an organizational policy. An administrator can change this precedence scheme by selecting Inherit or Enforce for individual settings. An administrator can also make the entire policy an Exception policy, meaning that its settings will take precedence over corresponding settings in all ancestor policies. The following figure shows the options for changing default policy precedence rules.

Figure 4-2: Options for changing default policy precedence rules
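How the effective policy is combined from several policies, as an added Python example (not part of the course material). It is a simplified model of the rules above: the Setting and Policy classes and the RegistrationServer key are hypothetical names, and the policies are passed in order from most general to most specific.

```python
from dataclasses import dataclass, field


@dataclass
class Setting:
    value: object
    enforce: bool = False   # this policy forces the value onto more specific policies
    inherit: bool = False   # this policy takes the value from a more general policy


@dataclass
class Policy:
    name: str
    settings: dict = field(default_factory=dict)
    exception: bool = False  # Exception policy: overrides all ancestor settings


def effective_policy(chain):
    """Combine policies into one effective policy.

    `chain` is ordered from most general (organization) to most specific
    (explicit). Returns {setting name: (value, name of the policy that won)}.
    """
    result = {}  # setting name -> (value, source policy, enforced flag)
    for policy in chain:
        for key, setting in policy.settings.items():
            current = result.get(key)
            if current is not None:
                if setting.inherit:
                    continue  # Inherit: keep the more general policy's value
                if current[2] and not policy.exception:
                    continue  # an ancestor enforced its value
            # Default rule: the more specific policy wins.
            result[key] = (setting.value, policy.name, setting.enforce)
    return {key: (value, source) for key, (value, source, _) in result.items()}


def classroom_policies(org_enforced=False, explicit_is_exception=False):
    """Build the two policies used in this lesson (values from the activities)."""
    org = Policy("*/WWCorp", {
        "PasswordQuality": Setting(4, enforce=org_enforced),   # Weak password (4)
        "RegistrationServer": Setting("Hub/SVR/WWCorp"),
    })
    explicit = Policy("Password Optional", {
        "PasswordQuality": Setting(0),                         # Password is optional (0)
    }, exception=explicit_is_exception)
    return [org, explicit]


if __name__ == "__main__":
    cases = {
        "default precedence": classroom_policies(),
        "organization enforces": classroom_policies(org_enforced=True),
        "enforced, explicit is an Exception policy":
            classroom_policies(org_enforced=True, explicit_is_exception=True),
    }
    for label, chain in cases.items():
        print(label, "->", effective_policy(chain)["PasswordQuality"])
```

The second case is the one to note when a password rule must hold for everyone: with Enforce set on the organizational setting, the explicit Password Optional policy no longer lowers PasswordQuality unless it is made an Exception policy.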

Static and Dynamic Settings


Settings are applied either statically or dynamically:

Static Settings
- Set during user registration, or
- Set during Workstation setup.

Dynamic Settings
Set dynamically when the user is logged in to the server. For example, the Desktop Settings document contains many of the same settings as the Setup Settings document so that these settings can change dynamically, whenever a user authenticates with the server. If a user changes one of the desktop settings, it will change back to the value specified in the Desktop Settings document at the next authentication.

Policy Management Tools


The Policy Viewer is a tool used to view each policy, the settings associated with each policy, and how they relate to each other. Using the Policy Viewer, you can view:
- Settings for each policy.
- Settings by functional area.
- Settings assigned to a specific user.
- Effective policies on different levels in the policy hierarchy.

Policy documents are viewable by using either the By Hierarchy view or the By Settings view. The Policy Synopsis tool can be used to determine the effective policy governing a user. This tool generates a report that is written to the Policy Synopsis Results database.

Policy Management Development Tools


There are new XML policy mechanisms that enable the extension of policies and support current as well as future Eclipse features. Additionally, there are application programming interfaces (APIs) available to help you manage policies.

Use of an Organizational Policy


For classroom purposes, most users in the organization will have a weak password quality. An organizational policy will enforce this during user registration. If certain users do not need a password, an explicit policy can override the password setting.

Procedure Reference: Creating an organizational policy


Follow these steps to create a policy for an organization or an OU and assign registration settings to the policy.

Demonstrate this procedure.
Step 5: Point out how the policy name changes to hierarchical format. Explain that any settings in this policy apply to any user registered in the WWCorp organization.
After creating the Settings document, its name might not appear in the Keywords list in the Policy document. If this happens, you must do one of the following:
- Save the Policy document.
- Save and close the Policy document and then reopen it.
Use the Rep_dd.txt file to replicate the Policy documents to all of the classroom servers.

1. In Domino Administrator, click the Configuration tab.
2. In the Tools pane, click Policies → Create.
3. Verify that Policy is selected, and click OK.
   Result: The Policy document displays.
4. For Policy name, enter the organization name (or organizational unit name). For classroom purposes, WWCorp should be used.
5. For Policy type, select Organizational, and click OK.
   Result: The Policy name changes to the hierarchical format. The wildcard symbol (*) indicates that this policy applies to every user in the organization.
6. Locate the Registration setting type section, and click New in that row.
   Result: The Registration Settings document displays.
7. Perform the following in the new Registration Settings document. On the Basics tab:
   a. For Name, enter a descriptive name, such as: Reg set for the organization
   b. For Choose a registration server, select the appropriate server. For classroom purposes, Hub/SVR/WWCorp should be selected.
   c. For Choose a password quality, select an appropriate quality. For classroom purposes, Weak password (4) should be selected.
8. Click Save & Close to save the Registration Settings document.
   Result: Focus is returned to the Policy document.
9. Press CTRL+S to save the policy. Click the drop-down arrow next to Registration, click the name of the new Registration Settings document, and click OK.
   Result: The name of the Registration Settings document appears in the field.
10. Click Save & Close.

Topic C: Creating and Assigning an Explicit Policy


Policy Assignment Methods
There are various methods to assign explicit policies and view the effective policy of existing users. The effective policy is the combined collection of settings from different policies that apply to a user. The Tools pane in IBM Lotus Domino Administrator provides two methods to assign an explicit policy to an existing user:
- In the People view, by clicking People → Assign Policy.
- In the Groups view, by clicking Groups → Assign Policy.

Both methods set the explicit policy in the Person document(s).

Policy Assignment During Registration


An organizational policy is automatically assigned to users based on their place in the organizational hierarchy. In addition to the organizational policy, an administrator can specify an explicit policy to assign to a user during user registration.

Dynamic Policy Assignments


A dynamic policy is an explicit policy that you create by using the Policy Assignment tab on the Policy document to assign the policy to users and groups. When you have created a dynamic policy and the organization changes, such as when a user changes jobs or organizations, you need only to update the Group document for the user to receive the proper policy settings. You do not need to determine which policies need updating, as the updated group information is applied the next time the effective policy is calculated for any users in that group. To create and assign dynamic policies, you need to have at least Editor access to the Lotus Domino Directory and the PolicyCreator role.

Procedure Reference: Using dynamic policy assignment during registration


Follow these steps to create and assign a dynamic policy.

Demonstrate the procedure, or at a minimum, show students the Policy Assignment tab as you explain the procedure for implementing dynamic policies.

1. In Domino Administrator, click People & Groups → Policies.
2. Click Add Policy.
3. Under Basics, complete the following fields:
   - For Policy name, provide a unique name for the new dynamic policy.
   - For Policy type, select Explicit.
   - For Description, provide an optional brief description of the policy.
   - For Category, specify any criteria, such as a geographical location, to further define how or where the policy is to be assigned.
4. Click the Policy Assignment tab and assign the policy to the intended users and groups.
5. Click Save & Close.

Activity 4-3: Create an Explicit Policy


Each student creates an explicit policy. This is required for later activities.

Scenario
Worldwide requires a policy for certain users who are allowed the option of using their Lotus Notes IDs without a password. To complete this activity, create an explicit policy named Password Optional that contains registration settings that provide for optional user passwords.

This task enables a subsequent demo. After completing the activity, pull the changes from one student's Domino Directory to receive the explicit policy created by that student.
1. From Lotus Domino Administrator, select Hub/SVR/WWCorp to administer.
2. Click the Server tab → Status tab.
3. Click Server Console.
4. Click Live.
5. Enter the command to pull changes from a student server. For example, enter the following text on the command line, and press Enter: pull East02/SVR/WWCorp Names.nsf

Follow these steps to create an explicit policy.

Step  Action
1. In Domino Administrator, click the Configuration tab.
2. In the Tools pane, click Policies → Create.
3. Verify that Policy is selected, and click OK.
   Result: The Policy document displays.
4. For Policy name, enter Password Optional
5. For Policy type, verify that Explicit is selected.
6. Locate the Registration settings type section, and click New in that row.
   Result: The Registration Settings document displays.
7. On the Basics tab of the new Registration Settings document:
   - For Name, enter Reg optional password <your initials>
   - For Choose a registration server, select your server.
   - For Choose a password quality, select Password is optional (0).
8. On the Mail tab, for the new Registration Settings document, for Choose the mail server, select your server.
9. Click Save & Close to save the Registration Settings document.
   Result: Focus returns to the Policy document.
10. Press CTRL+S to save the policy, then click the down-arrow next to Registration, select Reg optional password <your initials>, and click OK.
11. Click Save & Close.

The Effect of Multiple Policies


There are two methods to display effective policies:
- In the People view, by selecting a Person document and clicking Policy Synopsis.
- On the Configuration tab, by selecting one of the following views:
  - Policies → by Settings
  - Policies → by Hierarchy

For more information on Policies, the Policy Viewer, and Policy Synopsis, refer to the Lotus Domino Administrator 8.5 Help.

Procedure Reference: Assigning policies during user registration


Follow these steps to assign policies during user registration.

Demonstrate this procedure. Show the options for assigning an explicit policy during registration.
Step 6: The PasswordQuality will be one higher than the setting specified in the policy. This might be changed in a later release.
Step 7: Leave Password blank. Emphasize that an ID without a password cannot be attached to the Person document in the Domino Directory.

1. In Domino Administrator, select the server to administer.
2. Click the People & Groups tab → Domino Directories section → Your Directory section → People view.
3. In the Tools pane, click People → Register.
4. Click Cancel. Ensure that the appropriate certifier ID file is selected, enter its password, and click OK. For classroom purposes, oucert.id should be used.
5. In the Basics panel, perform the following steps:
   - Ensure that the registration server specified in the organizational policy is selected. For classroom purposes, Hub/SVR/WWCorp should be used.
   - Enter a First name and Last name. For classroom purposes, Test No_Password should be used.
6. Click Policy Synopsis, note the PasswordQuality setting, and click OK.
7. Type the password.
8. For Explicit policy, select the appropriate explicit policy.
9. Click Policy Synopsis, verify that the value of the PasswordQuality setting has changed, and click OK.
10. Select Advanced.
11. Click ID Info and verify that the following are correct:
    - The Certifier ID file. For classroom purposes, verify that the Certifier ID file is correct and change it if necessary.
    - The options for storing the user ID. For classroom purposes, clear In Domino Directory and select In file.
12. Click (button image not reproduced) to add the user to the queue.
13. Select the user in the queue and click Register.
14. Click OK when prompted that the person was registered.
15. When registration is complete, click Done.

Lesson Summary
Several deployment tasks were implemented in this lesson to administer users.

Checklist: Building the Lotus Domino Environment
The bolded tasks in the Implementation Checklist were completed in this lesson.

Review the list of items implemented in this lesson.

Task  Procedure
1     Set up the first server.
2     Add an administrator's workstation.
3     Set up access to the Domino Directory.
4     Add Lotus Domino servers.
5     Add organizational units.
6     Register administrators.
7     Add Lotus Notes clients.
8     Create user groups.
9     Create organizational policy.
10    Register users.
11    Set administration preferences.
12    Set up access to servers.
13    Set up server logging.
14    Synchronize Lotus Domino system databases throughout the domain.
15    Route mail internally.
16    Route mail to the Internet.
17    Set mail controls.
18    Test mail routing and delivery.

Lab 4-1: Register Users


Scenario
Worldwide administrators need to register new employees with options using policies. To complete this activity:
- Register one user who will be affected by the organizational policy.
- Register one user who will be affected by the explicit policy.

Follow these steps to register users.

Provide students with the appropriate certifier ID files: East.id for students in the /East/WWCorp OU; West.id for students in the /West/WWCorp OU. If there are other user registration topics that need reinforcing, suggest that students practice them during this activity.

1. Register two users using the following information:
- Name: Make up a name for each user.
- Certifier ID: East.id or West.id.
- Policy: Specify the explicit policy for one user. Allow the other user to have the organizational policy.
- Registration Server: Your server.
- Mail Server: Your server.
- Group: The group you created earlier.

Note: In the Registration dialog box, the mail server was blank because the policies do not specify a mail server. Policies override the administration preferences. However, you were able to manually select a mail server.

Lesson 5 Setting Up Server Administration

Topic A: Customizing the IBM Lotus Domino Administrator Work Environment
Topic B: Setting Access to Create Databases on the Server
Topic C: Setting Administration Levels
Topic D: Setting Logging Levels

Introduction
Administrators require access to perform administrative tasks. Worldwide Corporation will use groups to facilitate managing administrators' access to perform administrative tasks, such as:
- Access the server.
- Administer the server.
- Add or modify server connection information.

Additionally, administrators need to configure the tools they will use to administer the server.

Implementation Checklist
At the end of this lesson, the following Implementation Checklist items will be complete:
- Set administration preferences.
- Set up access to servers.
- Set up server logging.

After completing this lesson, you should be able to:
- Customize the Lotus Domino Administrator work environment.
- Set access to create databases on the server.
- Set administration access levels.
- Set logging levels.

Topic A: Customizing the IBM Lotus Domino Administrator Work Environment


Administration Preferences
Administrators can customize the IBM Lotus Domino Administrator work environment by selecting administration preferences. These preferences include the following choices:
- The domains to administer
- The type and order of the file information displayed
- The way in which Lotus Domino collects and displays server monitoring data
- The defaults to use when registering users, servers, and certifiers

Lotus Domino Server Console Administration Tasks


The Domino server accepts commands from the console on the server machine, or from Lotus Domino Administrator on a workstation. Administrators can issue commands to the Domino server to perform many administration tasks, such as:
- Start or stop server tasks.
- Instruct a server task to perform a function.
- Change server configuration variables.
- Restart the server.

Message Color-Coding on the Server Console


To differentiate messages that could indicate a need for administrator intervention, an administrator can select different colors for different message types.


Activity 5-1: Select Domain and Registration Preferences


Before students reach step 6 of the activity, use rep_dd.txt to synchronize all Domino Directories in the classroom environment.

Scenario: Worldwide administrators will select administration and registration preferences for the WWCorp domain. To complete this activity:
- Specify domain preferences.
- Specify registration preferences.

Follow these steps to select domain and registration preferences.

Specify domain preferences
1. In Domino Administrator, click File > Preferences > Administration Preferences.
2. On the Basics panel, if the domain is not already set, click New, then enter the following information:
   - Domain name: WWCorp
   - Domino directory servers for this domain: Your assigned server name
   - Select Change to this location, and select Online.
   - Click OK.
3. Select the Files tab. Verify that you can select what columns are viewed and in what order.
4. Click the Monitoring panel and review the options.

Specify registration preferences
5. Click the Registration panel.
6. Click Certifier ID, select your OU certifier ID file, and click Open. Enter passw0rd for the certifier ID's password, and click OK. Click Yes to let the organizational policy for */WWCorp override the registration preferences you set.
   Result: The option buttons disappear. The values you just set for registration preferences will not be used, because the corresponding values in the policy take precedence.
   Note: To override the policy's settings, change individual entries in the User Registration dialog box during registration.
7. Click OK to close the Administration Preferences dialog box.


Activity 5-2: Add Your User ID to a Location Document


Tell students that specifying the appropriate user ID in the Location document facilitates switching environments if they later need to administer more than one domain.

Scenario: Worldwide administrators may have two IBM Lotus Notes IDs, one for administration and another for non-administration work. The most efficient way to do this is to create a Location document for each user and specify the appropriate ID file in each Location document. To complete this activity, add your user ID to the current Location document.

Follow these steps to add your user ID to a Location document.
1. Click File > Mobile > Edit Current Location.
2. Select the Advanced tab, and on the Basics tab, click .
3. Locate and select your assigned user ID file in the Lotus Notes client's data subdirectory.
   Note: Your user ID may be listed as user.id.
4. Click Save & Close.


Activity 5-3: Customize Colors in the Server Console


(Optional) After restarting their clients, you can have students issue a command to replicate with a nonexistent server so that they can see a color-coded error.

Scenario: Worldwide administrators can customize the colors on the server console to easily recognize status messages, errors, and so on. To complete this activity, change the colors for the server console background and for each type of event.

Follow these steps to customize colors in the server console.
1. In Lotus Domino Administrator, select the Server tab > Status tab.
2. Select the Server Console view.
3. From the menu, click Live Console > Server > Console Attributes.
4. (Optional) If you are configuring a different server's attributes, select the server.
5. Select a color attribute for the background and for each type of event.
6. Click Save & Close.
7. Exit and restart Domino Administrator to activate the changes.
Note: The Lotus Domino Administrator console defaults to using the same color scheme as the Lotus Domino server console. To specify a different color scheme for each console, refer to the Lotus Domino Administrator 8.5 Help document titled "Customizing the appearance of the Domino server console and Domino Administrator console."


Topic B: Setting Access to Create Databases on the Server

Review Lotus Domino authentication to compare it with authorization. Point out that if a user receives an error message with a phrase containing "not authorized," that indicates the user is not included in the appropriate field in the Server document.

Server Access Control Mechanisms
Two IBM Lotus Domino security options control different access to Lotus Domino servers:
- Lotus Domino authentication is the process in which Lotus Domino compares the user and server ID files to verify that they share a certificate in common. Authentication occurs when a user or server attempts to communicate with a server.
- Lotus Domino authorization is controlled by fields in the Server document that list users and servers allowed to access the server.

Restrictions for Authorizing Server Access


The following table describes some of the restrictions for authorizing server access. These fields are located on the Security tab in the Server document.

To allow/restrict this type of server access: To limit access to only those users listed in the Domino Directory
Set this field: Access server (Clear the users listed in all directories check box.)
Additional notes: No (default) allows access from users and servers in other domains.

To allow/restrict this type of server access: To explicitly allow people, servers, or groups access to this server and deny all others
Set this field: Access server (Enter or select names under the word "and.")
Additional notes: If this field is left blank (default), there is no access restriction. If any names are entered, they will be the only users or servers that can access the server.

To allow/restrict this type of server access: To explicitly deny people, servers, or groups access to this server
Set this field: Not access server
Additional notes: This field is for explicit restrictions, such as a Deny access group, and takes precedence over the Access server field.


Emphasize placement of the Deny List only group name. Ensure that students understand that merely creating the Deny List only group does not block access. The group name must be placed in the Not Access Server field in each Server document to prevent server access.

Deny server access to former employees


When people leave the company, nothing prevents them from taking copies of their IDs with them. To prevent them from accessing servers, create a group, such as Terminations, to include in the Not access server field. Use the Deny List only group type for this group. Groups of this type appear only in the Deny Access Groups view in the Domino Directory, not in the Groups view. Also, groups of this type cannot be used for any purpose other than server access.

User Access to the Server


The following table describes the fields on the Security tab in the Server document that determine some of the privileges users have to access a server.

To allow users or a group this type of access: Create replica databases on this server
Edit this server access field: Create new replicas
Additional notes: Blank allows no one. This field also applies to other servers creating replicas on this server.

To allow users or a group this type of access: Create databases on this server
Edit this server access field: Create new databases & templates
Additional notes: Blank allows all. This field applies to other servers creating databases on this server.

Switch to the Location document and ID for Michelle Grassi. Display the error for unauthorized attempt to create a replica. Attempt to make a replica of a local database from the client to the Hub server to demonstrate that this user, Michelle Grassi, cannot create a replica. Select any local database, but add your initials to the file name to prevent accidentally overwriting an existing database on the server. Switch back to the Location document and ID that Doctor Notes uses.

When to Restart the Server


Settings changed in the Domino Directory usually activate within a few minutes. To activate a change immediately, or to activate any changes to the notes.ini file, a server restart may be required.


Procedure Reference: Setting access to create databases on the server


Follow these steps to allow users the ability to create databases and replicas on the server.

Demonstrate this procedure. Step 3: Open the Server document > Security tab to show the following:
- Create databases & templates: Point out that the field is blank, allowing all users to create new databases.
- Create new replicas: Point out the following: You added LocalDomainServers to this field earlier, to enable that server's Administration Process to create a replica of the Certification Log on student servers. Users listed in the Administrators field on the Security tab do not need to be listed in the Create new replicas field. Therefore, members of LocalDomainAdmins would currently be able to create replicas on any server.

1. In Domino Administrator, select the server to administer. For classroom purposes, Hub/SVR/WWCorp should be selected.
2. Select the Configuration tab > Server section > All Server Documents view.
3. Select your server, and click Edit Server.
4. On the Security tab > Server Access section, enter the following information:
   - Create databases & templates: Specify users who should be able to create databases and templates on this server, or leave this field blank to allow all users.
   - Create new replicas: Specify users and servers who should be able to create replicas on this server.
5. Click Save & Close.
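
The field rules in this topic can be written as one decision function, which makes the deny precedence and the opposite meanings of a blank field easy to test. This Python sketch is an added example, not Domino code or course material; it models only the rules stated above, and the full hierarchical user names, the Terminations member, and the simplified wildcard and group matching are assumptions.

```python
"""Simplified model of the Server document access fields in this topic.
Added illustration only, not Domino code; all names below are constructed."""
from dataclasses import dataclass, field


def _norm(name):
    return name.strip().lower()


def matches(user, entries, groups, _seen=None):
    """True if `user` is covered by `entries`: an exact name, a wildcard such
    as */East/WWCorp, or a group (groups may nest) defined in `groups`."""
    seen = set() if _seen is None else _seen
    u = _norm(user)
    for entry in entries:
        e = _norm(entry)
        if e == u or (e.startswith("*/") and u.endswith(e[1:])):
            return True
        if e in groups and e not in seen:
            seen.add(e)  # guard against groups that contain each other
            if matches(user, groups[e], groups, seen):
                return True
    return False


@dataclass
class ServerDocument:
    access_server: list = field(default_factory=list)      # blank: no restriction
    not_access_server: list = field(default_factory=list)  # explicit denials
    create_databases: list = field(default_factory=list)   # blank: allows all
    create_replicas: list = field(default_factory=list)    # blank: allows no one
    administrators: list = field(default_factory=list)


def check(user, action, doc, directory_groups):
    """Return (allowed, reason) for 'access', 'create_db' or 'create_replica'."""
    if action not in ("access", "create_db", "create_replica"):
        raise ValueError("unknown action: %s" % action)
    groups = {_norm(k): v for k, v in directory_groups.items()}
    # Not access server is checked first: it takes precedence over Access server.
    if matches(user, doc.not_access_server, groups):
        return False, "listed in Not access server"
    if doc.access_server and not matches(user, doc.access_server, groups):
        return False, "not listed in Access server"
    if action == "access":
        return True, "server access allowed"
    if action == "create_db":
        if not doc.create_databases:
            return True, "Create databases & templates is blank"
        if matches(user, doc.create_databases, groups):
            return True, "listed in Create databases & templates"
        return False, "not listed in Create databases & templates"
    # create_replica: names in the Administrators field need no separate entry.
    if matches(user, doc.administrators, groups):
        return True, "listed in Administrators"
    if matches(user, doc.create_replicas, groups):
        return True, "listed in Create new replicas"
    return False, "not listed in Create new replicas"


# Constructed directory groups and Server document for the classroom Hub server.
GROUPS = {
    "Terminations": ["Sam Former/East/WWCorp"],   # Deny List only group
    "LocalDomainServers": ["Hub/SVR/WWCorp"],
    "LocalDomainAdmins": ["Doctor Notes/WWCorp"],
}
HUB = ServerDocument(
    access_server=["*/WWCorp"],
    not_access_server=["Terminations"],
    create_replicas=["LocalDomainServers"],
    administrators=["LocalDomainAdmins"],
)

if __name__ == "__main__":
    for who in ("Sam Former/East/WWCorp", "Michelle Grassi/East/WWCorp",
                "Doctor Notes/WWCorp", "Hub/SVR/WWCorp"):
        for action in ("access", "create_db", "create_replica"):
            print(who, action, check(who, action, HUB, GROUPS))
```

The former employee still matches the Access server wildcard, yet is refused because the Terminations group sits in Not access server; removing the group from that field, not from the directory, is what changes the outcome.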


Procedure Reference: Restarting the server


Follow these steps to restart the server remotely using Lotus Domino Administrator.

Demonstrate this procedure. Tell students that settings in the Server document may require a server restart to take effect immediately. However, settings usually activate within a few minutes. The update task checks for modified views once per minute. The time to actually finish updating depends on the number of changes to views.

1. In Lotus Domino Administrator, select the server to administer.
2. Select the Server tab > Status tab.
3. Select the Server Console view, and click Live.
4. Type Restart Server, and click Send.

Use group names in Server documents


Use group names instead of user names in Server documents. Lotus Domino caches changes made to existing groups. Therefore, if the security restrictions fields contain group names, adding a user name to the group does not require restarting the server.


Topic C: Setting Administration Levels

Open the Server document > Security tab. Show pop-up Help for the various administrators fields to point out some of the privileges. For example, people and groups listed in fields that allow database management can create new replicas without being listed in the Create new replicas field.

Administration Levels
The Server document includes settings to designate levels of administrative access for different categories of administrators in the organization. For example, only a few people can be designated as Administrators, while other members of a team are designated as Database Administrators. The following figure outlines the levels and their general rights.

Figure 5-1: Administration levels


Administration Level Details


The following table describes the administration levels in detail.

Describe the various levels on the Server document > Security tab. Point out the field descriptions as you review the table. Also mention that precedence between a group and an explicit user listing follows a different model than the ACL precedence model. For example, a member of a group in the Administrators field who is also explicitly listed as a View-only Administrator will have the higher privileges associated with the Administrators field.

Level: Full Access administrators
Description: Same rights as Administrators (below), plus:
- Manager access to all databases, regardless of ACL
- All programmability rights
- All passthru rights
- Issue operating system-level commands
Overrides the Deny Access list. Similar to root level access on UNIX.

Level: Administrators
Description: Common administrator tasks, for example:
- Can issue any remote console command.
- Perform database maintenance tasks.
- Use message tracking and track subjects.

Level: Database Administrators
Description: Perform database maintenance tasks:
- Set administration server in database ACLs.
- Create, compact, and delete database replicas and master templates.
- Maintain full-text indexes.
- Maintain directories and links.
- Maintain options, such as database quotas.

Level: Full Remote Console Administrators
Description: Can issue any remote console command.

Level: View-Only Administrators
Description: Can use a safe subset of commands (SHOW SERVER, SHOW TASKS). Cannot affect server operation.

Level: System Administrators
Description: Can issue operating system commands.

Level: Restricted System Administrators
Description: Can issue restricted subset of operating system commands defined in the Server document.


The Full Access Administrator Level


Full Access administrator level is required only for system maintenance and troubleshooting tasks where all other administrators cannot gain access to the server. This access level should be given only to trustworthy people who truly need access to all databases on the server.
Note: An administrator who is configured to be a Full Access administrator must activate Full Access administrator mode by clicking Administration > Full Access Administration.

Stress the security risks and recommendations. Students may have concerns about the Full Access administrator setting. Review the recommendations for using this level when needed.

Full Access Administrator Best Practices


Given the powerful level of access that this setting allows, recommendations for this field are listed in the following table.

Recommendation: Leave the field blank.
Description: No administrator has Full Access rights.

Recommendation: Create a special Full Access administrator ID file.
Description: For example, create an ID for Full Admin/Sales/WWCorp and use that name in the Full Access administrators field. You can also configure this account to use multiple passwords. Administrators must log in with or switch to this user ID to gain this level of access.

Recommendation: Disable Full Access administrators in the Notes.ini file.
Description: Set SECURE_DISABLE_FULLADMIN=1. This causes the server to ignore any values in the Full Access administrators field in the Server document. When access is required, remove the line from the file and restart the server.

For more information about Full Access administrators, see Restricting administrator access in the Customizing access to a Domino server section of the Security section of Domino 8.5 Administration Help.

The Domino Web Administrator


Overall, Domino Web Administrator is closer to the Lotus Domino Administrator client in its interface and functionality enhancements. However, the new single, merged mail template (Mail85.ntf) serves Lotus Domino iNotes and IBM Lotus Notes users alike. Lotus Domino Web Administrator also provides enriched support for Security policies. System administrators can create a policy that contains Security policy settings. These settings apply to Lotus iNotes users only, and affect the Security Preferences that display in the client.


Other Domino Web Administrator enhancements include the following:


- Support for Firefox 2.0
- Additional performance and IBM WebSphere Portal integration improvements
- An integrated instant messaging (IM) Contacts List UI
- Feed-enabled mail files
- An enhanced Spell Check engine and dictionary integration
- Improved contact management for Domino Web Access and Lotus Notes users
- Lotus Notes and Internet password management improvements
- Calendar filtering and improved Calendar delegation
- Lotus Notes 8.5 interoperability and co-existence
- Support for dynamic view column updates

Administration Levels and the Lotus Domino Web Administrator Application


The HTTP server task routinely synchronizes the names listed in the Full Access administrators or Administrators fields of the Web Server document with those listed on the Web Administration database (Webadmin.nsf) ACL. To give an additional administrator access to the Web Administrator, add the name in one of those fields. Names that are not already on the ACL list are added with Manager access and all roles. If the HTTP server detects a name that is already in the ACL, it does not update the access rights.


Procedure Reference: Setting administration levels


Administration levels are set on the Server document > Security tab. Follow these steps to modify the settings.

Demonstrate the procedure.

1. In Domino Administrator, select the server to administer.
2. Select the Configuration tab > Server section > All Server Documents view.
3. Select your server, and click Edit Server.
4. Select the Security tab.
5. In the Administrators section, enter the user or group name in the appropriate access field.
6. Click Save & Close.


Topic D: Setting Logging Levels

Remind students how to view the Domino Server Log by demonstrating the following:
1. In Domino Administrator, select Hub/SVR/WWCorp to administer.
2. Select the Server tab > Analysis tab > Hub's Log section > Mail Routing Events view.
3. Open the document with the most recent date/time to see recent mail routing activity for the server.

The Domino Server Log
IBM Lotus Domino adds information about server activity to a special database, the Domino Server Log (Log.nsf). Individual documents in the log file contain a history of server startups and activity. Lotus Domino automatically creates the Domino Server Log file, Log.nsf, when the server starts. The Domino Server Log contains information about server activity, such as:
- Mail routing events
- Replication events
- Server phone calls
- Security events
- Newsgroup events
- Miscellaneous events
- Database usage
- User activity (if configured)

Recorded level of detail


Administrators can specify the level of detail to record in the Domino Server Log in the Lotus Domino server configuration file, Notes.ini. At server startup, Lotus Domino uses the ASCII text configuration file, Notes.ini, to determine the Lotus Domino server environment. The installation and server setup programs populate the Notes.ini file based on the options selected during installation and server setup.

The Notes.ini File


Notes.ini is a file that stores Lotus Domino and IBM Lotus Notes settings. One Notes.ini file exists for the server, and another for the client. There is rarely a need to edit a Notes.ini file directly, as doing so may cause Lotus Domino or Lotus Notes to run unexpectedly. Three ways to edit Notes.ini file settings are:
- Editing the Notes.ini file directly. The look of the information will vary depending upon the operating system and/or text editor used to view it.
- Using the Set Configuration server command.
- Adding or modifying the Notes.ini settings using a Configuration Settings document. Once created, the Configuration Settings document can be applied to Domino servers, but cannot be applied to the Lotus Notes client's Notes.ini file.


Logging Levels
The following table lists variables available to various logging levels.

Logging level: LOG_MAILROUTING
Variables:
- 10 Only logs errors and warnings (minimal)
- 20 Minimal plus transfer output and delivery output (normal)
- 30 Normal plus information about transfer threads/processes plus more detailed information about the transfers and deliveries (informational)
- 40 Informational plus more detailed information about transfer queues (verbose)

Logging level: LOG_REPLICATION
Variables: Log replication determines the level of logging for all replication events performed by the current server. There are 5 levels to choose from:
- 1 logs that a database is replicating
- 2 logs summary for each database
- 3 logs document info
- 4 logs information about every field replicated
- 5 logs information about space saving

Logging level: LOG_SESSIONS
Variables: When set to 1, logs the opening and closing of all sessions.

Logging level: LOG_TASKS
Variables: When set to 1, logs information when the Server and Server Configuration document are being polled.

Logging level: LOG_VIEW_EVENTS
Variables: When set to 1, an informational message is written to the console and Notes Log indicating the name of the database, view name and reason why a view is being rebuilt. The ini variable may be dynamically toggled on or off.


Activity 5-4: Configure Logging Levels


Students should use the existing Configuration Settings document that applies to their server and can select any values for the following variables:
- Log_MailRouting
- Log_Replication
Acceptable values for the other variables listed in the activity are 0 and 1. Students should select 1 for the following variables:
- Log_Sessions
- Log_Tasks
- Log_View_Events
There is also a selection for Mail routing logging level in the following place in the Configuration Settings document: Router/SMTP tab > Advanced tab > Controls tab > Logging level field. The Log_MailRouting variable in the Notes.ini file takes precedence over the Logging level field. The server uses the value in the Logging level field only if the Log_MailRouting variable has not been set either by:
- Directly editing the Notes.ini file.
- Or, by modifying the Configuration Settings document from the NOTES.INI Settings tab.

Scenario: Worldwide administrators need detailed information about mail transfers and deliveries. This can be accomplished by configuring the appropriate Notes.ini variables for logging by creating or editing a Configuration Settings document. To complete this activity:
- Prepare to configure logging levels.
- Configure the LOG_MAILROUTING item.
- Configure the remaining logging levels.

Follow these steps to configure logging levels.

Prepare to configure logging levels
1. In Domino Administrator, select the server to administer.
2. Select the Configuration tab > Server section > Configurations view.
3. Select your server, and click Edit Configuration.
4. Verify that the Group or Server name field contains your assigned server name.
5. Select the NOTES.INI Settings tab.
6. Click Set/Modify Parameters.

Configure the LOG_MAILROUTING item
7. For the Item field, click , select the LOG_MAILROUTING variable, and click OK.
8. Read the Help information in this dialog box to learn what details are added for each increase in logging level.
9. In the Value field, enter an appropriate value, and click Add.
   Result: The Server Configuration Parameters are updated to include the item and value.

Configure the remaining logging levels
10. Repeat Steps 7 through 9 to configure each of the following logging variables:
    - Log_Replication
    - Log_Sessions
    - Log_Tasks
    - Log_View_Events
11. Click OK when you are finished configuring variables.
12. Click Save & Close in the Configuration Settings document.
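
Once the variables are set, the resulting server Notes.ini can be checked against the Logging Levels table, together with the SECURE_DISABLE_FULLADMIN switch from the Full Access best practices. This Python script is an added example, not an IBM tool or part of the course; the sample file content is constructed, and treating variable names as case-insensitive is an assumption based on the lesson writing the same variable as both LOG_MAILROUTING and Log_MailRouting.

```python
"""Audit a server notes.ini for the settings covered in this lesson.
Added example; the sample file content below is constructed."""

# Allowed values and their meanings, taken from the Logging Levels table.
MAILROUTING = {10: "minimal", 20: "normal", 30: "informational", 40: "verbose"}
REPLICATION = {
    1: "logs that a database is replicating",
    2: "logs summary for each database",
    3: "logs document info",
    4: "logs information about every field replicated",
    5: "logs information about space saving",
}
ON_OFF = {0: "off", 1: "on"}
CHECKS = {
    "log_mailrouting": MAILROUTING,
    "log_replication": REPLICATION,
    "log_sessions": ON_OFF,
    "log_tasks": ON_OFF,
    "log_view_events": ON_OFF,
}

# Constructed sample: one valid level, one out-of-range level, one variable
# set twice, one non-numeric value, and Log_Tasks missing.
SAMPLE_NOTES_INI = """\
[Notes]
Directory=C:\\Lotus\\Domino\\data
Log_MailRouting=30
LOG_REPLICATION=7
Log_Sessions=1
Log_View_Events=yes
Log_Sessions=0
"""


def parse_notes_ini(text):
    """Return {lower-cased variable name: [every value found, in file order]}."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("[") or "=" not in line:
            continue  # skip blanks, the [Notes] header, and malformed lines
        name, _, value = line.partition("=")
        settings.setdefault(name.strip().lower(), []).append(value.strip())
    return settings


def audit(text):
    """Return {variable: finding} for the logging variables and the
    Full Access administrator switch."""
    settings = parse_notes_ini(text)
    report = {}
    for name, allowed in CHECKS.items():
        values = settings.get(name)
        if values is None:
            report[name] = "not set"
        elif len(values) > 1:
            # Report duplicates instead of guessing which line the server uses.
            report[name] = "set %d times: %s" % (len(values), ", ".join(values))
        elif values[0].isdigit() and int(values[0]) in allowed:
            report[name] = "%s (%s)" % (values[0], allowed[int(values[0])])
        else:
            report[name] = "invalid value %r" % values[0]
    if settings.get("secure_disable_fulladmin") == ["1"]:
        report["secure_disable_fulladmin"] = "Full Access administrators field is ignored"
    else:
        report["secure_disable_fulladmin"] = "Full Access administrators field is honored"
    return report


if __name__ == "__main__":
    for variable, finding in audit(SAMPLE_NOTES_INI).items():
        print("%-26s %s" % (variable, finding))
```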


Lesson Summary
This lesson implemented tasks that facilitate administration and control server access.

Review the list of items implemented in this lesson.

Checklist: Building the Lotus Domino Environment
The bolded tasks in the Implementation Checklist were completed in this lesson.

1. Set up the first server.
2. Add an administrator's workstation.
3. Set up access to the Domino Directory.
4. Add Lotus Domino servers.
5. Add organizational units.
6. Register administrators.
7. Add Lotus Notes clients.
8. Create user groups.
9. Create organizational policy.
10. Register users.
11. Set administration preferences.
12. Set up access to servers.
13. Set up server logging.
14. Synchronize Lotus Domino system databases throughout the domain.
15. Route mail internally.
16. Route mail to the Internet.
17. Set mail controls.
18. Test mail routing and delivery.


Lab 5-1: Set Administration Access


Pair students with someone in the other OU so that they can test access. The administrators who are not authorized to use the console will receive multiple messages if they try to select the Status tab > Tasks view in Lotus Domino Administrator. Tell students that group names work in these fields. Specifically mention that users added to a group specified in the fields will have the privileges of that group. Also mention that there could be a delay after adding a user to a group. There can be some latency between the time a member is added to a group and the time the user is recognized as a member of the group. This is due to the timing of the Notes Indexing Facility (NIF), and this latency also applies to other types of documents.

Scenario: Some Worldwide administrators require View-only administration access to your server, while others require Administrator access. To complete this activity:
- Specify that all administrators in your OU should have Administrator access to your server.
- Specify that all administrators in the other OU should have View-only access to your server.
- Test your administrative access to other servers in both OUs.

Follow these steps to set administration access.

Note: We are using OUs because they are convenient for the current classroom environment.

1. On your Server document > Security tab, remove LocalDomainAdmins from the Administrators field. Then modify the administration levels to allow the access described in the following table.

   User or groups: All admins in your OU. For example: If you are in the East OU, enter */East/WWCorp. If you are in the West OU, enter */West/WWCorp.
   Administrator access level: Administrators field

   User or groups: All admins in the other OU. For example: If you are in the East OU, enter */West/WWCorp. If you are in the West OU, enter */East/WWCorp.
   Administrator access level: View-only Administrators field

2. Once everyone has updated their access, from your Domino Administrator client, restart your server before testing.

3. Select a server in the other OU and try to compact that server's replica of the file named Busytime.nsf, using both of the following two methods:
   - The Server tab > Server console view. Enter the following command: Load Compact Busytime.nsf
   - The Files tab by clicking Tools pane > Database > Compact.


Lab 5-2: Record Administration Access Results


Review these questions with the students.

Scenario: Answer the following questions.

1. Was the Domino Administrator interface different when you changed servers?
   The interface is unchanged.

2. For the server in the other OU, what tasks could you perform?
   Students should not be able to compact the database using the console, but they should be able to compact the database from the Files tab. The View-only Administrators field restricts console commands, not menu commands.

3. Were the results expected, based on the access settings?
   Students' results should be the results listed above.


Synchronizing IBM Lotus Domino System Databases


Topic A: Creating Server Groups for Replication
Topic B: Creating a Connection Document

Lesson 6 Synchronizing IBM Lotus Domino System Databases

Introduction
The Domino Directory is the central database in the IBM Lotus Domino domain, and exists on every server in the domain. When administrators add servers and users to the Lotus Domino environment, those servers and users must appear in the Domino Directory on every server. The replication process keeps the Domino Directory synchronized on all servers in the domain. In addition to the Domino Directory, there are other databases that Lotus Domino uses to function properly, such as the Certification Log, that need to be synchronized on all servers in the domain. Other Lotus Domino applications used by the organization, such as workflow, tracking, and discussion databases, also need replication. Worldwide Corporation has planned a replication strategy to keep Lotus Domino system databases synchronized across all servers in the domain.

After completing this lesson, you should be able to:
- Create server groups for replication.
- Create a connection document.

Stress the need for synchronization when a company plans for regional administration. To point out how the classroom environment has already required replication, ask the questions contained in the following Additional Instructor Note.

See Additional Instructor Notes

Implementation Checklist

At the end of this lesson, the following Implementation Checklist item will be complete: Synchronize Lotus Domino system databases throughout the domain.


Topic A: Creating Server Groups for Replication

To ensure that students understand the concept, ask students the following questions about the diagram's server group scenario:
- How many Connection documents does the Hub server need to replicate with the three servers? Answer: Only one.
- How could an administrator add a new server to the replication topology? Answer: Add the new server name as a member of the group East Mail Servers; there is no need to create another Connection document.

Server Databases to Replicate
Using groups for server access and database access facilitates administration. Administrators can also use groups to schedule replication from one server to a group of servers. Using a group for server replication facilitates administration by:
- Reducing the number of Connection documents required to replicate with multiple servers.
- Simplifying the process of including a new server in the replication topology.

Server Groups and Replication


The following figure illustrates the benefit of using a server group for replication.

Figure 6-1: Sample server group

Procedure Reference: Creating the groups for replication


The classroom implementation calls for two server groups for replication:
- One group for the servers in the eastern region, created by the instructor.
- One group for the servers in the western region, also created by the instructor.


Follow these steps to create the assigned groups.


Demonstrate this procedure as you create the East and West server groups.

1. In Domino Administrator, select your server to administer.
2. Select the People & Groups tab → Domino Directories section → Your Directory section → Groups view.
3. Click Add Group.
4. Enter the appropriate group name. For classroom purposes, East Mail Servers and West Mail Servers should be used.
5. For Group type, select Servers only.
   Note: This is the only group type that will work to replicate with a group of servers using a Connection document.
6. Enter a description of the group's purpose. For classroom purposes, the following descriptions should be used:
   - For East Mail Servers, type All servers in the eastern region
   - For West Mail Servers, type All servers in the western region
7. Enter (or select) the appropriate server names for members of the group. For classroom purposes, the following members should be used:
   - For East Mail Servers, add all servers whose names begin with East.
   - For West Mail Servers, add all servers whose names begin with West.
8. Click Save & Close.


Topic B: Creating a Connection Document


Replication Controls
Replicas of a database can reside on different servers, enabling users to collaborate without having to use the same server. Replication synchronizes the changes made on these replicas, so that each replica has the required documents. Replication is the controlled synchronization between database replicas. The following types of controls enable an administrator to fine-tune the synchronization, which may include documents, design, and security changes.

Control | Purpose
Replication type | Replication type defines which servers do the work of replication.
Database priority | The Replication Settings dialog box contains a setting to indicate whether a database is high, medium, or low priority.
Connection documents | Connection documents can: control replication type; schedule replication timing; control which databases replicate by listing specific databases and/or subdirectories, or by specifying that databases of a certain priority will replicate.
Selective replication | Selective replication defines which documents replicate.
Server access | Fields in the Server document control access to the server.
Access Control List | Each replica's ACL controls which servers can make changes to the replica.
Element access | Controls can be placed on documents and design elements to prevent certain servers from replicating specific elements.


Practice Activity 6-1: Review Replication Concepts


Verify students' understanding of replication concepts. As a review from the IBM Lotus Domino 8.5 System Administration Operating Fundamentals course, ask students the questions in this activity.

Scenario: Your instructor will guide you through the following questions about replication.

1. How is a replica of a database different from a copy of a database?
   Replicas share the same replica ID.

2. How does the replicator know which documents to replicate?
   The replicator compares UNIDs and checks replication history to determine which documents have been added, changed, or deleted since the last time the two databases replicated.

3. What causes a replication conflict?
   A replication conflict occurs when the same document is edited in different replicas between replication times.

4. In workstation-to-server replication, does the workstation do all the work?
   Yes. The server's replicator task is not involved in workstation-to-server replication. The workstation software does the work of writing to both replicas.

5. What advantage do server groups offer in scheduling replication?
   In a Connection document, the source server replicates with all members of a server group specified in the Destination server field. This allows for creating fewer Connection documents to achieve the result of replicating with several servers.


Replication Types
IBM Lotus Domino supports the following four types of replication:
- Pull Pull
- Pull Push
- Pull only
- Push only


Practice Activity 6-2: Review Replication Types


Verify students' understanding of replication types.

Scenario: Answer the following questions with your instructor.

1. In Pull Pull replication, does one server do all the work?
   No. In Pull Pull replication, the servers share the work. Each server pulls changes from replicas on the other server.

2. If all changes are made on one server, and all other servers pull changes from this server, will all changes be distributed to all servers?
   Yes. If no changes are made on other servers, then pulling changes from the one server will distribute all changes.

Methods for Forcing Replication


Connection documents determine the replication type. If changes need to be distributed before the next scheduled replication, an administrator can force replication between two servers using one of the following:
- Console commands.
- Console commands and a text file listing servers and databases to replicate.
- The Domino Administrator client, by selecting the Server tab → Server Tasks view → Tools pane, and clicking Server → Replicate. This displays a dialog box with selections of:
  - Servers with which to replicate
  - Databases to replicate (or all databases in common)
  - Replication type
- The IBM Lotus Notes client or Domino Administrator client, by selecting the database to replicate and clicking File → Replication → Replicate, and selecting the server with which to replicate.


Pull Push Replication


The default replication type is Pull Push, which performs bidirectional replication and requires only one Connection document between the source and destination servers. Using the Pull Push replication type, the initiating server's Replicator pulls changes from the called server and then pushes changes to the called server. The initiating server's Replicator does all the work, writing in both servers. For information on the other replication types, refer to the Lotus Domino Administrator 8.5 Help.

Multiple Replication Hubs


For domains with multiple servers, especially those separated by distance or network topology, multiple replication hubs can be beneficial. For example, Worldwide could create Connection documents so that:
- All servers in the East region replicate to East06.
- All servers in the West region replicate to West06.
- East06 and West06 replicate with Hub.

Multiple hubs should be considered in larger organizations or when there is not a persistent network connection between regions. Timing replication is even more important with multiple hubs. Four replications are required to replicate a document created on a spoke to a spoke in the other region.

Replication timing with multiple hubs


For example, with multiple hubs, changes made on East03 would require the following replications before the changes reach West03:
1. East03 replicates with East06 (the regional hub for the eastern region).
2. East06 replicates with Hub.
3. Hub replicates with West06 (the regional hub for the western region).
4. West06 replicates with West03.


Sample multiple hub scenario


The following figure represents a possible scenario for Worldwide Corporation. The regional hubs replicate with the Hub at headquarters. Then the regional Hubs replicate with servers in their region.

Multiple Hub Configuration

Present the multiple-hub diagram. Remind students that Worldwide would be a good candidate for the multiple-hub scenario.

Figure 6-2: Sample multiple hub scenario

Worldwide Corporation may consider using regional replication hubs. However, in the classroom, each server will replicate directly with the hub server for the following reasons:
- More hands-on experience
- Simpler schedule management

Critical Application Scheduling


Replication Schedules for Critical Applications

An administrator uses Connection documents to schedule replication between servers. Most companies should schedule the Domino Directory (Names.nsf) to replicate regularly throughout the day. Then, schedule all other databases to replicate at a less-frequent time interval. Keep in mind that databases will replicate only if there are changes to distribute.

For applications that are critical to the success of the business, consider one of the following options:
- Specify a replication priority of high for critical applications, then create a Connection document specifying high priority databases with a short interval.
- Place critical applications in a separate subdirectory under the Domino\data directory, then create a Connection document specifying this subdirectory to replicate at a short interval.

Mark a database as high priority by clicking File → Replication → Options for this Application → Other panel, and then selecting the High option for Set scheduled replication priority for this replica.


Sample replication topology


The items in the following table define Worldwide's implementation of replication.

Remind students of the following decisions:
- Worldwide will consider regional hubs instead of having all servers replicate directly with Hub.
- Worldwide might consider the Pull Pull replication type to take advantage of faster streaming replications.
- Worldwide will consider using server groups in the Destination server field in all Connection documents. Students are using specific server names so that they each create a Connection document.

Item | Deployment plan
Establish a replication topology. | Hub-and-spoke topology
Which server will initiate the connection? | Hub
Which server will receive the connection? | Spoke
On which port will this session happen? | TCPIP
Which database(s) will be replicated? | Domino Directory (Names.nsf); All other databases in common
What priority of databases will be replicated? | All priorities
What replication types would be best? | Pull Push
At what times will replication occur? | Domino Directory, every two hours; All other databases, every six hours
Is there a time limit for replication? | No

Note: Replicate based on change. Set up a Connection document to replicate all databases under the Domino\data directory at a regular interval. This connection will not consume any additional system resources, as databases replicate only if there are changes to distribute.

Replication Schedule Criteria


Worldwide Corporation's replication schedule requires the following:
- All databases under the Domino\data directory replicate every six hours to all servers.
- The Domino Directory (Names.nsf) replicates every two hours to all servers.
- The replication type is Pull Push.


Procedure Reference: Creating a Connection document


Follow these steps to create Connection documents to schedule replication.
Demonstrate this procedure to create two Connection documents.

1. In Domino Administrator, select the server to administer. For classroom purposes, Hub/SVR/WWCorp should be used.
2. Select the Configuration tab → Replication section → Connections view.
3. Click Add Connection. The following graphic shows a completed Connection document:

   Completed Connection Document

4. On the Basics tab, select a Connection type. For classroom purposes, Local Area Network should be used.
5. For Source server and Source domain, enter values, or verify that the fields are correct. For classroom purposes, the following values should be used for both Connection documents:
   - For Source server, select Hub/SVR/WWCorp.
   - For Source domain, select WWCorp.
   Note: The Source server and Destination server fields accept the use of wildcards, such as */SVR/WWCorp.
6. Enter the Destination server or server group, and Destination domain. For classroom purposes, the following values should be used:
   - In the first Connection document, for Destination server, type East Mail Servers and for Destination domain, select WWCorp.
   - In the second Connection document, for Destination server, type West Mail Servers and for Destination domain, select WWCorp.
7. Click Choose ports, select the ports to use for this connection, and click OK. For classroom purposes, TCPIP should be used.
8. On the Replication/Routing tab, enter information in the appropriate fields according to the following descriptions:
   - Replication task: Set to Enabled.
   - Replicate databases of: The priority of the databases to be replicated for this schedule. For classroom purposes, the default value Low & Medium & High should be used.
   - Replication type: The type of replication to be used for this schedule. The default is Pull Push. For classroom purposes, the default value of Pull Push should be used.
   - Files/Directory paths to replicate: The specific databases or directories containing databases to replicate. A blank field results in all databases in common in the Domino\data directory structure replicating for this schedule. For classroom purposes, a blank field should be used.
   - Replication time limit: If this field has a value in it and the replication is not complete at the end of the specified time, or if the server crashes, then replication will begin where it left off once schedule replication restarts. For classroom purposes, a blank field should be used.
9. On the Schedule tab, enter the information in the appropriate fields according to the following descriptions:
   - Schedule: Set to Enabled.
   - Connect at times: Specifies either one discrete time, a list of times (each separated by a comma), or a time range. For classroom purposes, 12:00 AM - 11:59 PM should be used.
   - Repeat interval of: Specifies the frequency of calls over the time range. For classroom purposes, 360 should be used.
   - Days of week: Specifies the days of the week that the schedule should run. For classroom purposes, all days should be used.
10. Click Save & Close.


Lesson Summary
The tasks implemented in this lesson ensure that replicas on all servers have the same information.

Checklist: Building the Lotus Domino Environment

The bolded task from the Implementation Checklist was completed in this lesson.

Review the item implemented in this lesson.

Task | Procedure
1 | Set up the first server.
2 | Add an administrator's workstation.
3 | Set up access to the Domino Directory.
4 | Add Lotus Domino servers.
5 | Add organizational units.
6 | Register administrators.
7 | Add Lotus Notes clients.
8 | Create user groups.
9 | Create organizational policy.
10 | Register users.
11 | Set administration preferences.
12 | Set up access to servers.
13 | Set up server logging.
14 | Synchronize Lotus Domino system databases throughout the domain.
15 | Route mail internally.
16 | Route mail to the Internet.
17 | Set mail controls.
18 | Test mail routing and delivery.


Lab 6-1: Create a Connection Document for Replicating the Domino Directory
Tell students to create Connection documents that will replicate the Domino Directory between Hub and their servers. Students will need to replicate appropriate Connection documents, and this activity provides them this experience.

Scenario: In this activity, you will establish a more frequent replication schedule for the Domino Directory. To complete this activity:
- Create a Pull Push Connection document to replicate names.nsf with the Hub server every 2 hours.
- Answer questions related to replication.

Follow these steps to create a Connection document for replicating the Domino Directory.

1. Create a Pull Push Connection document on your server using the following information.

   Source server | Destination server | Databases to replicate | Repeat interval
   Hub/SVR/WWCorp | Your server | Names.nsf | 120 minutes

Answer the following questions with your instructor's help.

2. What existing groups could be used in the Destination server field?
   Correct answers include the following two possibilities:
   - LocalDomainServers.
   - The East Mail Servers group and the West Mail Servers group. This would require two Connection documents, one for each group.

Facilitate these questions as a discussion.

Ensure that students understand that groups could be used. Emphasize that students each created a Connection document for hands-on experience, but that the destination server could be a Server group.

3. How long will it take for a change made to a database in the western region to replicate to servers in the eastern region? Assume the following factors:
   - The change is made on a replica that just replicated.
   - The western servers replicate after the eastern servers.
   - The database is not the Domino Directory.
   About 12 hours: 6 for the western servers to replicate with Hub and 6 more hours for Hub to replicate with the eastern servers.
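The replication-timing reasoning in this lesson (the 12-hour answer above and the four replications needed across regional hubs) can be checked with a small model of the Connection documents. This is an added example, not part of the course material: the group members other than East03 and West03, the spoke group names, and the 360-minute interval on the regional-hub connections are assumptions, and each hop is assumed to wait at most one full repeat interval.

```python
import heapq
from dataclasses import dataclass


@dataclass(frozen=True)
class Connection:
    """The Connection document fields that matter for replication timing."""
    source: str
    destination: str        # a server name or a "Servers only" group name
    interval_minutes: int   # the "Repeat interval of" field
    files: tuple = ()       # empty = all databases in common


def build_links(connections, groups, database):
    """Expand group destinations and keep the shortest interval per server pair."""
    links = {}
    for conn in connections:
        # A Connection document that lists files only covers those files.
        if conn.files and database.lower() not in (f.lower() for f in conn.files):
            continue
        for member in groups.get(conn.destination, [conn.destination]):
            # Pull Push is bidirectional: one document moves changes both ways.
            for a, b in ((conn.source, member), (member, conn.source)):
                best = links.setdefault(a, {})
                best[b] = min(best.get(b, conn.interval_minutes),
                              conn.interval_minutes)
    return links


def worst_case_propagation(connections, groups, database, origin, target):
    """Return (minutes, path) for a change made on origin to reach target.

    Simplification: the change is made just after a replication, so every hop
    waits one full repeat interval. Returns None when no path exists.
    """
    links = build_links(connections, groups, database)
    queue = [(0, [origin])]
    settled = set()
    while queue:
        minutes, path = heapq.heappop(queue)
        server = path[-1]
        if server == target:
            return minutes, path
        if server in settled:
            continue
        settled.add(server)
        for neighbour, interval in links.get(server, {}).items():
            if neighbour not in settled:
                heapq.heappush(queue, (minutes + interval, path + [neighbour]))
    return None


# Constructed sample data modelled on the classroom plan (Hub and spokes).
CLASSROOM_GROUPS = {
    "East Mail Servers": ["East01", "East02", "East03"],
    "West Mail Servers": ["West01", "West02", "West03"],
}
CLASSROOM = [
    Connection("Hub", "East Mail Servers", 360),
    Connection("Hub", "West Mail Servers", 360),
    Connection("Hub", "East Mail Servers", 120, ("names.nsf",)),
    Connection("Hub", "West Mail Servers", 120, ("names.nsf",)),
]

# Constructed sample data for the multiple-hub scenario (intervals assumed).
MULTI_HUB_GROUPS = {
    "East Spokes": ["East01", "East02", "East03"],   # hypothetical group name
    "West Spokes": ["West01", "West02", "West03"],   # hypothetical group name
}
MULTI_HUB = [
    Connection("East06", "East Spokes", 360),
    Connection("West06", "West Spokes", 360),
    Connection("Hub", "East06", 360),
    Connection("Hub", "West06", 360),
]

if __name__ == "__main__":
    for label, conns, groups, db, src, dst in [
        ("classroom", CLASSROOM, CLASSROOM_GROUPS, "discussion.nsf", "West03", "East03"),
        ("classroom", CLASSROOM, CLASSROOM_GROUPS, "Names.nsf", "West03", "East03"),
        ("multi-hub", MULTI_HUB, MULTI_HUB_GROUPS, "discussion.nsf", "East03", "West03"),
    ]:
        minutes, path = worst_case_propagation(conns, groups, db, src, dst)
        print(f"{label:10} {db:15} {' -> '.join(path)}: "
              f"{len(path) - 1} replications, up to {minutes / 60:g} hours")
```

Adding a server to a group in the sample data changes the result without adding a Connection document, which is the administrative benefit of server groups described in Topic A.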


Lab 6-2: Monitor the Replication Schedule


Use the information in this scenario to provide the context and rationale for the tasks students will perform in this activity. After students complete the activity, ask them how they performed each task. Answers include:
- To replicate the Connection documents, use one of the methods of forcing replication described in this lesson in the section titled Methods for Forcing Replication.
- To graphically display the replication schedule:
  1. Select the server to administer.
  2. Select the Replication tab → Replication Schedule view.
- To confirm which replication events have occurred:
  1. Select the server to administer.
  2. Select the Replication tab → Replication Events view.
- To view the replication topology map:
  1. Select the server to administer.
  2. Select the Replication tab → Replication Topology section → By Connections view.

Scenario: The following changes have been made to the Domino Directory:
- Two new server groups: East Mail Servers and West Mail Servers
- New Connection documents:
  - Hub → East Mail Servers; all databases in common
  - Hub → West Mail Servers; all databases in common
  - Hub → <each server>; Names.nsf

Each administrator has changed the Domino Directory on different servers. Therefore, all documents do not appear in the Domino Directory on all servers in the domain. To complete this activity:
- Replicate the Connection documents with the Hub server.
- Use the replication tools in Domino Administrator to verify that replication has occurred.

Follow these steps to monitor the replication schedule.

1. Replicate the Connection documents. All servers in the domain should synchronize the Domino Directory, so all administrators should force replication of the Domino Directory with Hub/SVR/WWCorp to distribute the Connection documents.
   Note: After the Connection documents appear in every Domino Directory, the replication schedule is in place. Lotus Domino will replicate based on the schedule information in the Connection documents.

2. Use the replication tools. In Domino Administrator, perform the following:
   - Ensure that the Maps Extractor task is running and view the Replication Topology maps by using the Server tab → Status tab → Server Tasks view.
   - Confirm which replication events have occurred by using the Replication tab → Replication Events view.
   - Graphically display the replication schedule by using the Replication tab → Replication Topology → By Connections view.


Configuring Basic Intranet Mail Routing

Topic A: Configuring Notes Named Networks
Topic B: Implementing a Hub-and-Spoke Mail Routing Topology
Topic C: Selecting a Mail Storage Format for Incoming Mail

Lesson 7 Configuring Basic Intranet Mail Routing

Introduction
It is possible to use a combination of SMTP and NRPC within a corporation. For example, Worldwide Corporation will route mail within the company intranet using the IBM Lotus Domino native routing protocol, NRPC, and route mail to the Internet using the SMTP protocol. This lesson discusses how to configure Lotus Domino servers to route mail within the company intranet.

Lotus Domino 8.5 supports two mail routing protocols:
- The Internet standard, SMTP (Simple Message Transfer Protocol)
- Lotus Domino's native routing protocol, NRPC (Notes Remote Procedure Calls)

This lesson covers only intranet mail routing. The next lesson covers Internet mail routing.

Compare the classroom with an optimum configuration. Explain that optimum deployment is site-specific. The classroom example is not necessarily an optimum or exclusive example of actual deployment options.

After completing this lesson, you should be able to:
- Configure Notes Named Networks.
- Implement a hub-and-spoke mail routing topology.
- Select a mail storage format for incoming mail.

Implementation Checklist

At the end of this lesson, the following Implementation Checklist item will be complete: Route mail internally.

Intranet Mail Routing Checklist

Describe the process used to set up intranet mail routing.

Topic A: Configuring Notes Named Networks

Checklist for Configuring Basic Intranet Mail Routing
Complete these tasks to configure Intranet mail routing.

Task | Procedure
1 | Set up Notes Named Networks for mail routing.
2 | Create mail routing topologies and schedule mail routing between NNNs.
3 | Select a mail storage format.

Sample intranet mail routing architecture


Worldwide Corporation's intranet mail routing architecture includes:
- Hub-and-spoke topology: for mail routing as well as replication.
- Notes Remote Procedure Calls (NRPC): takes advantage of Lotus Domino features such as:
  - Sending document and database links via e-mail
  - IBM Lotus Notes public key security
  - Mail-enabled workflow applications
- The following Notes Named Networks (NNNs) to control when mail routes and to reduce network traffic between regions:
  - WWCorpHQ
  - WWCorpEast
  - WWCorpWest

Note: NNNs are sometimes referred to as either Domino Named Networks or Notes Network (as is used in the Server document).


The Hub server will route mail between the NNNs and is in a separate NNN. The servers in East and West will be in separate NNNs to enable scheduling of mail routing between regions. The following figure illustrates a sample intranet mail routing architecture.

Classroom Intranet Implementation

Figure 7-1: Sample intranet mail routing architecture

For simplicity, the figure shows six servers and six clients. The classroom configuration contains twelve servers and twelve clients. Servers and clients are installed on the same physical box. While it is a supported scenario, it is not a recommended installation scenario.

The classroom implementation shows the following configuration:
- All mail servers in East will route mail internally using the NRPC protocol.
- All mail servers in West will route mail internally using the NRPC protocol.
- The hub server will:
  - Belong to a different NNN, WWCorpHQ.
  - Route mail to and from one mail server in the WWCorpEast and WWCorpWest NNNs.


Practice Activity 7-1: Review NNNs


Facilitate a discussion of the questions.

Scenario Answer these questions as a review of NNNs.

1. What are the criteria for an NNN?
   Servers that:
   1. Are in the same domain.
   2. Share a common Local Area Network (LAN) protocol.
   3. Can maintain a constant connection on the same LAN or bridged/routed Wide Area Network (WAN).

2. How is mail routed in an NNN?
   Mail routing occurs automatically between servers in the same NNN.

Mail Routing Components


The following table identifies the key mail routing components.

The terms listed in the table were introduced in the IBM Lotus Domino 8.5 System Administration Operating Fundamentals course.

Mail Routing Components

Term | Definition
Mail file | The Lotus Domino database with which the user creates, sends, retrieves, and stores mail messages.
Mail server | A user's mail server is the server where the user's mail file resides and is specified in the Person document in the Domino Directory.
Mailer | Resides on the workstation and performs these tasks: verifies the existence and spelling of the name(s) if the recipient is listed in the Domino Directory; converts the message to Multipurpose Internet Mail Extensions (MIME), if necessary; deposits the message in the Mail.box on the sender's mail server.
Domino Directory | The Domino database that stores information about the sender's (and possibly recipient's) mail server, mail file system, mail file name, mail address, and connections to other servers for transfer and delivery.
Mail.box | A special database that resides on every server used for mail delivery. Mail is temporarily stored in Mail.box, before the router delivers or transfers the mail.
Router | A server-based task that delivers and transfers mail. It checks the Domino Directory for connections to other servers and deposits mail in users' mail files and other servers' Mail.box.
Mail Routing Behavior Within and Between NNNs


Servers in the same NNN route mail automatically. An administrator can separate servers into different NNNs and use Connection documents to establish a mail routing schedule.
Note: The Lotus Domino servers must be able to connect to each other at the network level using either hosts files or DNS. For more information, refer to the "The Domain Name System (DNS) and SMTP mail routing" topic in Lotus Domino Administrator 8.5 Help.

Mail routes automatically within each NNN. When using multiple NNNs, Connection documents are required to enable mail routing between NNNs. Configure Connection documents in the Domino Directory to set up communication between servers in other Notes Named Networks. The Connection documents include specific connection information, such as message threshold, and delivery schedule requirements.


Activity 7-2: Determine Current NNNs


Use this activity to review the Server document that was introduced in the IBM Lotus Domino 8.5 System Administration Operating Fundamentals course. Note: Students may need to refresh the server list. Note: NNNs are also referred to as Notes Named Networks in Domino Administrator 8.5 Help and the Server document.

Scenario: Worldwide administrators need to determine the number of current NNNs and the existing names for those NNNs. To complete this activity:
- View all NNNs in the /WWCorp domain.
- Identify the NNN for your server.

Follow these steps to determine current NNNs.

View all NNNs in the /WWCorp domain
1. Click the WWCORP Domain icon to display the Server pane for the WWCorp domain.
2. Select the Networks section to see a list of NNNs in the domain.

Identify the NNN for your server
3. View each section under Networks to determine the network to which your server belongs, and write the network name.
   Network name = ____________________
4. To see where the NNN is defined, select your server.
5. Click the Configuration tab → Server section → All Server Documents view.
6. Select your Server document, and click Edit Server. Click the Ports tab → Notes Network Ports tab as shown in the following graphic.
7. Verify that the Notes Network name is the same as you recorded in Step 3.
8. If necessary, disable all ports other than TCPIP. Click Save & Close.
   Note: Lotus Domino installation detects a machine's network protocols and enables a port for each. It is important to check the Notes Network Ports tab after installation, and disable unneeded ports.


Practice Activity 7-3: Review the Activity's Results


Question 4: If the classroom is using multiple protocols, students will discover that, by default, the setup program creates multiple NNNs (one for each enabled protocol on the server machine). If only one protocol is used, all servers will be in the same NNN.

Scenario: Your instructor will guide you through the following questions to review the results of the previous activity.

1. In what NNN were the students' servers placed after server setup?
   TCPIP Network.

2. In what NNN was the instructor's server placed?
   TCPIP Network.

3. Where is the NNN defined for a server?
   In the Server document; Ports tab → Notes Network Ports tab → Notes Network field.

4. Is your server a member of more than one NNN?
   Answer will vary depending on additional protocols used in the classroom.

5. How is mail routed in Worldwide Corporation now?
   Mail routing occurs automatically between all servers in the domain, since they are all in the same NNN.

6. If Worldwide wants to control mail routing between regions, what should they do?
   Create a separate NNN for each region.


Activity 7-4: Create NNNs for Regions


Step 4: On Hub/SVR/WWCorp, change the NNN to WWCorpHQ.
Step 6: Force replication by using Rep_dd.txt to update the Domino Directory on all servers.

Scenario: Servers that share a common protocol but belong to different NNNs can route mail to each other based on Connection documents. Worldwide Corporation has decided to create a separate NNN for each region. To complete this activity, edit your Server document to change the NNN to WWCorpEast or WWCorpWest depending on your region.

Follow these steps to create NNNs for regions.

1. In Domino Administrator, select your server.
2. Click the Configuration tab → Server section → All Server Documents view.
3. Select your Server document, and click Edit Server.
4. On the Ports tab → Notes Network Ports tab:
   a. In the TCPIP row, if you are in the East OU, enter WWCorpEast in the Notes Network field, or if you are in the West OU, enter WWCorpWest in the Notes Network field.
      Note: If you have multiple protocols, it is good practice to choose a NNN name that describes the protocol or location of the servers, for example, TCPIP East or WWCorpWestNet.
   b. Verify that the TCPIP port is Enabled.
   c. Accept the default for all other fields.
5. Click Save & Close.
6. Replicate the Domino Directory to update on all servers.
   Note: Your instructor will perform replication for all servers.


Activity 7-5: Update Configuration


Introduce the server console and console commands. Show how to get the syntax for commands by clicking Commands. SMTP is used in another lesson. You will need to complete this activity on Hub so that your NNN configuration is updated for a later activity.

Scenario
After editing NNNs, Worldwide administrators need to update the routing and SMTP configurations. To complete this activity, enter console commands at the server console that will update the Router and SMTP configurations. Follow these steps to update configurations.

Step  Action
1.    Click the Server tab > Status tab > Server Console view.
      Result: The server console appears.
2.    Click Live.
      Result: The server console becomes active.
3.    Type tell router update config and click Send.
      Result:
      The system checks the Domino Directory for changes and updates the router configuration accordingly.
      The system reloads routing tables and renumbers mailboxes.
      Note: As an alternative, you can click the Commands button to select the command from a list.
4.    Type tell smtp update config and click Send.
      Result: The system checks the Domino Directory for changes and updates the SMTP configuration accordingly.


Practice Activity 7-6: Test NNNs


Introduce the activity. Ask students the following questions during the activity. Do they know the students whose mail servers are in their own NNN? Why did the user receive the message? Answer: Mail routes automatically within NNNs. Why did the message not get to Doctor Notes? Answer: Hub is in a different NNN, and there is no Connection document. Discuss the results of the activity.

Scenario
After creating different NNNs, Worldwide administrators need to test the new configuration.

Addressing mail within the same domain
To send mail to Lotus Notes users within the domain, users need only to enter a recipient's name in one of the mail address fields. If users are in:

The same NNN, mail routes automatically.
A different NNN, mail routes based on Connection documents.
Note: The routing difference is transparent to users, except for a possible time delay for mail to transfer to another NNN.

The sender can enter any of the following recipient names when addressing a message to a user in the same domain:
Common name
Hierarchical name
Short name
Internet address

To complete this activity, send a message to a user in your NNN and to Doctor Notes. Follow these steps to test NNNs.

1. Send a message to a student in your NNN.

Did the user receive the message? Why or why not?

2. Send a message to Doctor Notes.

Did Doctor Notes receive the message? Why or why not?

Sample Intranet Mail Routing Scenario

Topic B: Implementing a Hub-and-Spoke Mail Routing Topology


The Hub-and-Spoke Mail Routing Topology
Worldwide Corporation is using a hub-and-spoke topology because hub-and-spoke is the most efficient way to distribute changes to databases. Similarly, scheduling mail routing in a hub-and-spoke topology is the most efficient way to route mail between NNNs.

How Mail Routes in the Hub-and-Spoke Topology


The following figure shows how Lotus Domino would route mail between Worldwide Corporation's regions using a hub-and-spoke topology where each region is defined as a separate NNN.

Figure 7-2: Sample hub-and-spoke mail routing

In this topology, the following Connection documents are required:
One Connection document from the hub server (Hub) to one server in each NNN (spoke).
One Connection document from one server in each NNN to Hub server.

Use Figure 7-2 and the table to illustrate how mail routes from Juan to Mary.

Sample Internet mail routing scenario


The following table describes how mail routes between Worldwide Corporation's regions from Juan in East to Mary in West.


Stage  Description
1      When Juan sends mail to Mary, the Mailer verifies the name, then moves the mail from Juan's workstation to Mail.box on East04.
2      East04's Router performs the following steps:
       Verifies the recipient's address.
       Transfers the mail to Mail.box on East01 based on automatic routing within the NNN.
3      East01's Router performs the following steps:
       Looks at the Connection documents in the Domino Directory and sees that East01 has a connection to the Hub.
       Transfers the mail to Mail.box on Hub based on the schedule in the Connection document.
4      Hub's Router performs the same lookup as in Step 3 and transfers the mail to Mail.box on West01 based on the schedule in the Connection document.
5      West01's Router transfers the mail to Mail.box on Mary's mail server, West06, based on automatic routing within the NNN.
6      Mary's mail server's Router deposits the mail message in Mary's mail file.
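The Juan-to-Mary walkthrough above, expressed as a small Python model (an added example, not IBM code and not the Router's actual algorithm). It assumes mail moves freely inside an NNN and crosses NNNs only along a Push Only Connection document; the function names and the server-to-NNN table are constructed for illustration, and the same model reproduces the Practice Activity 7-6 result where Hub is unreachable without Connection documents.

```python
from collections import deque

# Constructed sample data modelled on the scenario on this page.
# Hub's NNN (WWCorpHQ) comes from the instructor note for Activity 7-4.
NNN = {
    "East01": "WWCorpEast", "East04": "WWCorpEast",
    "West01": "WWCorpWest", "West06": "WWCorpWest",
    "Hub": "WWCorpHQ",
}

# One tuple per Push Only Connection document: (source server, destination server).
CONNECTIONS = [
    ("East01", "Hub"), ("Hub", "East01"),
    ("West01", "Hub"), ("Hub", "West01"),
]


def next_hops(server, nnn, connections):
    """Servers that `server` can hand mail to directly, with the reason."""
    same_nnn = sorted(s for s in nnn if s != server and nnn[s] == nnn[server])
    by_connection = [dst for src, dst in connections if src == server]
    return ([(s, "same NNN") for s in same_nnn]
            + [(s, "Connection document") for s in by_connection])


def route(source, destination, nnn, connections):
    """Fewest-hop path as a list of (from, to, reason), or None if no route exists."""
    if source == destination:
        return []
    parent = {source: None}
    queue = deque([source])
    while queue:
        current = queue.popleft()
        for hop, reason in next_hops(current, nnn, connections):
            if hop in parent:
                continue
            parent[hop] = (current, reason)
            if hop == destination:
                return _unwind(parent, hop)
            queue.append(hop)
    return None


def _unwind(parent, server):
    """Rebuild the hop list by walking the parent links back to the source."""
    path = []
    while parent[server] is not None:
        previous, reason = parent[server]
        path.append((previous, server, reason))
        server = previous
    return list(reversed(path))


def unreachable_pairs(nnn, connections):
    """Every (sender server, recipient server) pair that has no route."""
    servers = sorted(nnn)
    return [(a, b) for a in servers for b in servers
            if a != b and route(a, b, nnn, connections) is None]


if __name__ == "__main__":
    # Juan (East04) to Mary (West06) with all four Connection documents.
    for hop in route("East04", "West06", NNN, CONNECTIONS):
        print("%s -> %s (%s)" % hop)
    # Separate NNNs but no Connection documents yet: no route to Hub.
    print(route("East04", "Hub", NNN, []))
    # One missing Push Only document (Hub -> West01) cuts off the West region.
    print(unreachable_pairs(NNN, [c for c in CONNECTIONS if c != ("Hub", "West01")]))
```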

Opportunistic Routing

By default, both the mail routing and replication tasks are enabled in a single, new Connection document. When servers connect to replicate based on the schedule, IBM Lotus Domino routes any pending mail. This is called opportunistic routing. The replication schedule may be sufficiently frequent to replicate databases. However, it may not be sufficiently frequent to transfer mail between NNNs.
Note: To optimize server connections, use opportunistic routing and create separate Connection documents with a shorter repeat interval for mail routing.

Open a Connection document. Show and explain the fields listed in the table on the student page. Show students how to access pop-up field Help. Point out the fields on the Scheduling tab. Note that these fields are the same fields used to schedule replication. Tell students that: The Connection document created as a result of additional server setup is not yet enabled. It must be enabled before mail routing can occur. To enable a Connection document, you must create a routing schedule.

Connection Document Mail Routing Options


The following table describes some of the fields on the Replication/Routing tab in the Connection document that determine how and when mail routes.

Field: Routing task
Description: The task(s) for this connection, such as Mail routing.

Field: Route at once if X messages pending
Description: Routes Normal priority mail immediately, based on the number of pending messages.

Field: Router type
Description: The type of routing for this connection. Options are:
   Push Only (Default): Only sends mail to the other server.
   Pull Only: Only receives mail from the other server.
   Push Wait: Waits for the other server to call before sending. The server that does the requesting selects Pull Only or Pull Push.
   Pull Push: Sends mail to the other server, then waits for the other server to send mail back.

Router Types and Connection Documents



All router types require two Connection documents. When two servers route mail to each other, each server needs to have a Connection document to allow for two-way communication. Two Connection documents are required, one for each server. Another form of opportunistic routing is to select Pull Push for one server and Push Wait for the other.


Pull Push and Pull Only settings


Pull Push and Pull Only are used for both Lotus Notes Mail routing and SMTP mail routing. When either of these types is selected, additional fields display on the Replication/Routing tab. The following figure shows these additional fields.

Figure 7-3: Pull Push and Pull Only settings


Note: A Global Domain is an Internet domain that is considered to be internal to a Domino domain and from which the local domain can accept mail.


Activity 7-7: Implement the Hub-and-Spoke Mail Routing Topology


Scenario Worldwide now needs to establish routes between NNNs. The Hub will act as intermediary between regions. Use Connection documents to route mail to and from the Hub server, because not all servers in the domain are in the same Notes Named Network. Worldwide is using the Push Only Router type for Connection documents so that routing intervals and times between regional servers can be controlled separately.

The schedule for East NNN servers will be set six hours ahead of the schedule for West NNN servers, to accommodate the time difference.

Because Worldwide is using Push Only, the following two Connection documents are needed for each NNN:

One to push mail from the Hub to a server in the NNN.
One to push mail from the server in the NNN to the Hub.

Select four administrator teams or individuals, two from each region (East and West), to create Connection documents. Make sure that students create only four Connection documents for the classroom. Step 10: Tell students that the repeat interval would normally be set to a longer time period, such as 30 minutes. For classroom purposes, we are setting it to 5 minutes.

To complete this activity, the instructor will select two administrator teams from each region to create two Connection documents to route mail to and from the Hub. Follow these steps to implement the hub-and-spoke mail routing topology.

Step  Action
1.    In Domino Administrator, select your server.
2.    Click the Configuration tab > Messaging section > Connections view.
3.    Click Add Connection.
4.    For Connection type, accept the default of Local Area Network.
5.    Team 1: In the Source server field, type East01/SVR/WWCorp
      Team 2: In the Source server field, type Hub/SVR/WWCorp
      Team 3: In the Source server field, type West01/SVR/WWCorp
      Team 4: In the Source server field, type Hub/SVR/WWCorp
6.    Team 1: In the Destination server field, type Hub/SVR/WWCorp
      Team 2: In the Destination server field, type East01/SVR/WWCorp
      Team 3: In the Destination server field, type Hub/SVR/WWCorp
      Team 4: In the Destination server field, type West01/SVR/WWCorp
7.    In the Source domain and Destination domain fields, verify that WWCorp is selected.


Step 8. 9. 10. 11. 12. 13. 14. 15. 16. 17. 18.
Action
Click Choose Ports, select the TCPIP port to use for this connection, and click OK.
On the Replication/Routing tab, use pop-up field Help to view field descriptions, then disable the Replication task.
In the Routing task field, verify that Mail Routing is selected.
Verify that Route at once if is set to 1.
Accept the default Routing cost.
Accept the default Router type.
On the Schedule tab, use pop-up field Help to view field descriptions.
In the Schedule field, accept the default.
Teams 1 and 2: Change Connect at times to 12:00 AM - 11:59 PM
Teams 3 and 4: Change Connect at times to 6:00 AM - 11:59 PM
Change Repeat interval to 5 minutes.
Accept the default Days of week.
Click Save & Close.


Practice Activity 7-8: Review How Replication Affects Mail Routing


After completing this activity, initiate replication to have the Connection documents replicate immediately, or have students initiate replication.

Scenario
Review the following questions with your instructor.

1. If the Domino Directory replicates every two hours and you created the mail Connection documents an hour ago, would mail route? If not, why not?
   No. Mail will not route correctly unless the Domino Directory on the user's mail server contains all the appropriate Connection documents.

2. How would you resolve the problem?
   Force replication of the Domino Directory with Hub/SVR/WWCorp (twice) to receive all Connection documents for mail routing between NNNs.

Mail Storage Formats
Show the outgoing mail format option. Open a Location document, and show the Mail tab > Format for messages addressed to Internet addresses field. (Optional) Show the Setup Policy Settings document. Open the existing Policy document, and click Setup Policy > New. Click the Mail tab, and show the message format field. Also mention: Mail format can be set in the Desktop policy as well as in the Setup policy. Desktop settings enforce or change the Setup settings and override the settings in the Location document.

Topic C: Selecting a Mail Storage Format for Incoming Mail


Mail Storage Formats
The server stores messages in the user's mail file on the mail server in either of the following mail formats:
MIME (messages sent over SMTP are always sent in MIME format)
Notes Rich Text

IBM Lotus Domino converts messages between formats as needed based on the protocol and the settings selected by administrators for incoming and outgoing messages. Users can specify the outgoing mail format. Keeping the message in sender's format means that mail files may contain both messages in MIME format and messages in Notes Rich Text format.

Outgoing mail formats


The user's Location document (Mail tab) specifies the format to use for mail sent to Internet addresses: MIME or Lotus Notes Rich Text. A user can select this option, or an administrator can specify the outgoing mail format in a Setup Policy document.


Activity 7-9: Select a Mail Storage Format for Incoming Mail


Scenario
Worldwide is allowing messages to stay in their existing format to minimize the work of conversion between MIME and Lotus Notes Rich Text format. To complete this activity, edit your Person document to specify a format preference for incoming mail. Follow these steps to select a mail storage format for incoming mail.

Step  Action
1.    In Domino Administrator, select your server.
2.    Click the People & Groups tab > Domino Directories section > WWCorp's Directory section > People view.
3.    Select your Person document, and click Edit Person.
4.    On the Basics tab, use the pop-up Help to view field definitions.
5.    In the Mail section, in the Format preference for incoming mail field, verify that Keep in sender's format is selected.
      Note: Take note of pop-up Help for the Format preference for incoming mail field.
6.    Click Save & Close.


Lesson Summary
In this lesson, we completed the following steps in the Intranet Mail Routing checklist:
Set up Notes Named Networks for mail routing.
Schedule mail routing between NNNs.
Select a mail storage format.

Checklist: Building the Lotus Domino Environment The bolded task from the Implementation Checklist was completed in this lesson.

Refer students to the checklist to remind them where they are in the overall implementation checklist.

Task  Procedure
1     Set up the first server.
2     Add an administrator's workstation.
3     Set up access to the Domino Directory.
4     Add Lotus Domino servers.
5     Add organizational units.
6     Register administrators.
7     Add Lotus Notes clients.
8     Create user groups.
9     Create organizational policy.
10    Register users.
11    Set administration preferences.
12    Set up access to servers.
13    Set up server logging.
14    Synchronize Lotus Domino system databases throughout the domain.
15    Route mail internally.
16    Route mail to the Internet.
17    Set mail controls.
18    Test mail routing and delivery.


Lab 7-1: Test Connection Documents by Sending Messages to Users


Ask students the following questions. Who are the students outside of your NNN? Why did the message get to the students and to Doctor Notes? Answer: Connection documents allow messages to be sent from one NNN to another. Review the results of the activity.

Scenario Worldwide administrators need to verify that the Connection documents enable routing through the Hub to the other NNN. To complete this activity, send messages to users who are not in your NNN. Follow these steps to test Connection documents.

1. Send a message to a student outside of your NNN.

Did the user receive the message? Why or why not?

2. Send a message to Doctor Notes.

Did Doctor Notes receive the message? Why or why not?


Configuring Mail Routing to the Internet


Topic A: Enabling the SMTP Listener Task
Topic B: Configuring Basic SMTP Settings
Topic C: Restricting Internet Mail Delivery
Topic D: Enabling Whitelist and Blacklist Filters
Topic E: Configuring Extended SMTP (E/SMTP) Options
Topic F: Configuring Internet Addressing
Topic G: Testing SMTP

Lesson 8 Configuring Mail Routing to the Internet

Introduction
In this lesson, you will explore configuring SMTP mail routing to the Internet and creating the documents necessary to route mail bound for the Internet from internal IBM Lotus Domino mail servers to the server connected to the Internet. After completing this lesson, you should be able to:
Complete the setup for this lesson.
Enable the SMTP listener task.
Configure basic SMTP settings.
Restrict Internet mail delivery.
Enable whitelist and blacklist filters.
Configure the E/SMTP options.
Configure Internet addressing.
Test outbound SMTP mail.

Implementation Checklist

Internet Mail Routing Checklist

Topic A: Enabling the SMTP Listener Task


Checklist for Configuring Mail Routing to the Internet
Complete these tasks to configure mail routing to the Internet.

Task  Procedure
1     Enable the SMTP listener task on appropriate servers.
2     Configure basic SMTP options.
3     Restrict mail flow to and from the Internet.
4     Set advanced SMTP options.
5     Configure Internet mail addressing.

SMTP
Simple Messaging Transfer Protocol (SMTP) is the industry standard Internet mail protocol. IBM Lotus Domino supports native SMTP routing, Internet addressing, and native MIME content. Worldwide Corporation has decided to set up all mail servers to route mail to the Internet using SMTP.

Tell students how SMTP mail routing will be set up in the classroom based on Worldwides implementation.

Sample Internet mail routing architecture


Worldwide Corporation is using the following for their Internet mail routing architecture: SMTP to route mail to and from the Internet since SMTP is an industry standard Internet routing protocol native in Lotus Domino.

Explain that in this class, all mail servers will enable SMTP externally, and the Hub server will enable SMTP externally and internally to route to and from the Internet.

All servers in the classroom will be congured to route mail externally using SMTP. Mail servers will route through the Hub server. The Hub server will route mail to and from the Internet.

All servers will have SMTP set externally to route to the Hub. All mail servers will set outbound controls. The Hub server will set inbound and outbound controls.


In the classroom implementation, the Hub server is set up to route mail to the Internet. Every mail server sets SMTP outbound controls in the Configuration Settings document. The following figure illustrates a sample Internet mail routing architecture.

Classroom Internet Implementation

Figure 8-1: Sample Internet mail routing architecture


Note: Optimum deployment and settings are site-specific. The classroom example is not necessarily an optimum or exclusive example of actual deployment options. What you will do in the classroom relates to the deployment plan.


SMTP Implementation Scenarios

There are two main SMTP conguration scenarios and these can be combined. The following table describes the scenarios and their advantages.

Present the scenarios. Emphasize that Lotus Domino meets the needs of various SMTP environments. Point out that if all mail servers do not have SMTP external enabled: Mail servers that do not have SMTP external enabled must have Foreign SMTP Domain Documents and SMTP Connection documents to specify the route to the Internet. Mail servers that do have SMTP external enabled must advertise themselves by enabling the SMTP Mail Routing task in the Routing tasks field of their Server documents.

Poll students for interest in splitting domains. Refer to the additional instructor note for more information.

See Additional Instructor Notes

Configuration scenario: All Servers
Advantages: All servers can enable SMTP but relay mail through specific servers connected to the Internet. The advantages of this scenario are:
   Uses relay hosts to control SMTP traffic and exposes only the relay hosts to the outside world.
   Facilitates an infrastructure with other SMTP mail packages running in-house.
   Allows all servers to perform conversion to MIME, distributing the work of conversion.
   Allows use of DNS to configure failover and load balancing with MX records.

Configuration scenario: Selected Servers
Advantages: Selected servers can enable SMTP and other servers transfer Internet-bound mail to these servers using the standard IBM Lotus Notes protocol, NRPC. This requires configuring Foreign SMTP Domain documents and SMTP Connection documents to specify the route to the Internet or to specific Internet domains. It also requires SMTP servers to specify the SMTP Mail Routing task in the Server document > Routing tasks field. Advantages of this scenario include:
   Accommodates Lotus Domino sites that set up Lotus Domino SMTP prior to Lotus Domino Release 5. This was the only option in releases prior to Release 5.
   Messages route internally via NRPC to reach the designated SMTP server, where conversion would then occur.
   Allows directing messages to specific SMTP servers based solely on the Foreign SMTP Domain Documents and SMTP Connection documents.

Configuration scenario: Combined
Advantages: SMTP-enabled servers can also use Foreign SMTP Domain documents and SMTP Connection documents to control domain-specific mail routing. For example, WWCorp might send many messages to two Internet domains and could configure a different relay host for each domain.


SMTP Best Practices


In a best practice SMTP implementation, two servers connect to the Internet and set SMTP controls, one inbound and one outbound, to limit the number of control documents. The following figure shows one of the best practice implementations.
Best Practice Implementation

Figure 8-2: SMTP best practice implementation

Keep in mind that:
There is no one correct scenario. SMTP setup depends on the environment and the needs of the company.
A company might need more than two SMTP servers to increase availability. However, it is a best practice to limit the number of servers configured to route mail externally for security and control.
It is generally more efficient to use NRPC routing internally between mail servers, and use one or more SMTP servers to route mail externally using SMTP.
In the classroom, you will use multiple Configuration Settings documents so you can set controls, but this is not recommended.
Note: Limit the number of SMTP control documents. It is best to use one Configuration Settings document that includes a server group name instead of a document for each server. Multiple Configuration Settings documents are more likely to conflict with one another and produce undefined results.


Internet Mail Routing


Message transfer over SMTP routing is performed as a point-to-point exchange between two servers. The sending SMTP server contacts the receiving SMTP server directly and establishes a two-way transmission channel with it. To send a message over SMTP:
The sending server checks the recipient's address, which is in the format localpart@domain.com, and looks up the domain in the Domain Name Service (DNS).
DNS returns the Mail Exchange (MX) record for the domain, indicating the IP address of the servers in the domain that accept mail over SMTP.
The sending server connects to the destination server over TCP/IP, establishes an SMTP connection on port 25, transfers the message, and closes the connection.

Sample Internet mail routing topology


The following figure and table show how mail would route from the mail servers to the Internet. It is good practice to limit the points of entry into the infrastructure for security and control. Additional inbound and/or outbound SMTP servers can be added to increase performance, if needed.

Sample Internet Mail Routing Scenario

Use the figure and the sample mail routing scenario table to illustrate how mail would route from Mary Costello to an Internet recipient in the classroom implementation.

Figure 8-3: Sample Internet mail routing topology

The following table describes how mail would route from Mary Costello to an Internet recipient.


Stage  Description
1      When Mary sends a message to an Internet recipient, the Mailer moves the message from Mary's workstation to Mail.box on West03.
2      West03's Router does the following:
       Sees that address is in *.* format.
       Looks at the Domino Directory for a match for the address.
       Finds no match, so determines the message should route to the relay host that is connected to the Internet.
       Transfers the message to the Mail.box on Hub.
3      Hub's Router transfers the mail to the Internet.

The SMTP Listener and Router Tasks


SMTP Listener and Router Tasks

Sending and receiving mail over SMTP occurs by means of the SMTP listener task and SMTP Router, respectively, each of which are enabled separately. The SMTP listener task handles incoming SMTP connections and delivers messages received over those connections to Mail.box.

The Router task for SMTP is the same Router task that handles Lotus Notes routing (NRPC). When a message in Mail.box requires transfer to another server, the Router determines where to send it and whether to send it over NRPC or SMTP.

Methods for Enabling SMTP


SMTP can be enabled on any server, during server setup. Once SMTP is enabled, Lotus Domino does not require or support a separate mail transfer agent (MTA) to send mail outside of the Lotus Domino Domain. If SMTP routing is selected during server setup, Lotus Domino uses the default SMTP settings in the server Configuration Settings document. Administrators can change SMTP settings to tailor SMTP mail routing for their site.


Procedure Reference: Enabling the SMTP listener task


Follow these steps to enable the SMTP listener task, if SMTP is not enabled during server setup.

Demonstrate this procedure. The listener task is enabled only on the Hub server because Hub is the only server receiving messages from the Internet. Emphasize that the listener task can be enabled during server setup. Open the Configuration Settings document and show the SMTP setting to remind students where they enabled SMTP during setup. Alternately, have students open their Configuration Settings documents to see the settings.

1. In Domino Administrator, select the server to use SMTP mail routing.
2. Click the Configuration tab > Server section > Current Server Document.
3. Click Edit Server.
4. On the Basics tab, complete the following fields:
   Fully qualified Internet host name: Enter the server's complete combined host name and domain name, including the top-level domain. The fully qualified host name is usually added to the Server document during server setup or by the Administration process (AdminP).
   SMTP listener task: Select Enabled.
5. Click Save & Close.


Topic B: Configuring Basic SMTP Settings


SMTP Settings
Configuration Settings documents, located in the Domino Directory, contain settings that control how tasks run on each server. The following table describes some of the basic SMTP settings.

Field: SMTP used when sending messages outside of the local internet domain
Description: Indicates if the Router can send SMTP messages to other SMTP hosts outside the local Internet domain. Required for any server that uses a relay host, whether the relay host is a Lotus Domino server or not. If disabled, the Router will use the NRPC protocol, connection, and domain documents to route the mail to a server that is SMTP outbound enabled.

Field: SMTP allowed within the local internet domain
Description: Indicates whether or not the Router can consider transferring mail to Lotus Domino servers in the local Domain via SMTP.

Field: Servers within the local Notes domain are reachable via SMTP over TCPIP
Description: If enabled, all servers in the local Lotus Notes domain with the SMTP listener task enabled can be reached via SMTP. If disabled, only those servers in the same Notes Named Network are reachable via SMTP. The default is Always.

Field: Relay host for messages leaving the local internet domain
Description: Indicates which relay host to send messages to, such as an ISP or firewall server, for any message sent outside the local Internet domain.

Field: Host name lookup
Description: Where the Router should look to resolve an Internet host name. The default is Dynamic then local, which uses DNS first, then the local hosts file.
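How a server could choose the next hop for an Internet-bound message under the settings above, as an added Python model (not IBM code; the Router's real logic takes more inputs). The setting keys, host names, directory entry and MX data are constructed for illustration; the lowest-preference-first MX ordering and the fallback to the domain itself when no MX exists follow standard SMTP behaviour (RFC 5321), which goes slightly beyond what the table states.

```python
# Constructed Domino Directory lookup: Internet address -> home mail server.
DIRECTORY = {"juan@wwcorp.example": "East04"}

# Constructed DNS data: domain -> list of (MX preference, mail host).
MX = {
    "partner.example": [(20, "mx2.partner.example"), (10, "mx1.partner.example")],
}

# Constructed per-server settings, keyed after the Configuration Settings fields.
WEST03 = {"smtp_outbound": True, "relay_host": "hub.wwcorp.example"}  # relays via Hub
DIRECT = {"smtp_outbound": True, "relay_host": None}    # hypothetical: no relay host
NRPC_ONLY = {"smtp_outbound": False, "relay_host": None}


def split_address(recipient):
    """Return (localpart, domain); raise ValueError if not localpart@domain form."""
    local, sep, domain = recipient.rpartition("@")
    if not sep or not local or "." not in domain:
        raise ValueError("not an Internet address: %r" % recipient)
    return local, domain.lower()


def mx_targets(domain, mx_records):
    """Hosts to try in order: lowest MX preference first, the domain if no MX."""
    records = mx_records.get(domain, [])
    if not records:
        return [domain]  # implicit MX: connect to the domain's own address
    return [host for _, host in sorted(records)]


def next_hop(recipient, settings, directory, mx_records):
    """Return (transport, targets) for one recipient on one server.

    transport is "internal" (address matched in the directory), "nrpc"
    (this server may not send SMTP outside the local Internet domain, so
    Connection and domain documents decide the route) or "smtp".
    """
    _, domain = split_address(recipient)
    home_server = directory.get(recipient.lower())
    if home_server is not None:
        return ("internal", [home_server])
    if not settings["smtp_outbound"]:
        return ("nrpc", [])
    if settings["relay_host"]:
        # Everything leaving the local Internet domain goes to the relay host,
        # so only the relay host talks to outside servers.
        return ("smtp", [settings["relay_host"]])
    return ("smtp", mx_targets(domain, mx_records))


if __name__ == "__main__":
    for name, cfg in (("West03", WEST03), ("direct", DIRECT), ("NRPC only", NRPC_ONLY)):
        print(name, next_hop("pat@partner.example", cfg, DIRECTORY, MX))
```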


Sample SMTP settings for Hub server


The following table lists sample SMTP settings for the Hub server routing mail to the Internet.

Field: SMTP used when sending messages outside of the local internet domain
Value: Enabled
Comments: Enables SMTP externally.

Field: SMTP allowed within the local internet domain
Value: Disabled
Comments: Not using SMTP internally.

Field: Servers within the local Notes domain are reachable via SMTP over TCPIP
Value: Only if in same Notes Named Network
Comments: Not using SMTP internally.

Field: Relay host for messages leaving the local internet domain
Value: Enter the relay host
Comments: The relay host used to reach the Internet from your classroom. This could be:
   Another SMTP server within the company
   Or, a server at an ISP

Field: Host name lookup
Value: Select this value:
   Dynamic lookup only, if using DNS in your classroom
   Local lookup only, if using a Hosts file in your classroom

Sample SMTP settings for mail servers


The following table lists sample SMTP settings for mail servers routing mail to the Internet through the Hub server.

Field: SMTP used when sending messages outside of the local internet domain
Value: Enabled
Comments: Enables SMTP externally

Field: SMTP allowed within the local internet domain
Value: Disabled
Comments: Not using SMTP internally

Field: Servers within the local Notes domain are reachable via SMTP over TCPIP
Value: Only if in same Notes Named Network
Comments: Not using SMTP internally

Field: Relay host for messages leaving the local internet domain
Value: Enter the relay host
Comments: Hub server

Field: Host name lookup
Value: Select this value, depending on what is used in your classroom:
- If using DNS: Dynamic lookup only
- If using a Hosts file: Local lookup only


Activity 8-1: Configure SMTP in the Configuration Settings Document

Guide students through the activity as you configure the Hub server.

Step 8: Clarify the term relay host. The relay host for the Hub is different than the relay host for the student servers. The term relay host is used to describe the SMTP server configured to route to the Internet and can be:
- An internal Lotus Domino SMTP server
- An internal non-Lotus Domino SMTP server
- An SMTP server at an ISP

Step 9: Host Name Lookup field: Tell students which setting to select based on classroom configuration.

Scenario: Worldwide administrators need to configure all servers to route mail externally using SMTP. Mail servers will route through the Hub server. The Hub server will route mail to and from the Internet. To complete this activity, edit the Configuration Settings document for your server to specify SMTP configuration settings.

Follow these steps to configure SMTP in the Configuration Settings document.
1. In Domino Administrator, select your server.
2. Click the Configuration tab → Messaging section → Configurations view.
3. Select the Configuration Settings document for your server, and click Edit Configuration.
4. Click the Router/SMTP tab.
5. On the Basics tab, for SMTP used when sending messages outside of the local internet domain, verify that Enabled is selected.
6. For SMTP allowed within the local internet domain, verify that Disabled is selected.
7. For Servers within the local Notes domain are reachable via SMTP over TCPIP, select Only if in same Notes Named Network.
8. In the Relay host for messages leaving the local internet domain field, type hub.wwcorp.com
9. For Host name lookup:
   - If DNS is used in the classroom, select Dynamic lookup only (DNS only).
   - If a Hosts file is used in the classroom, select Local lookup only (hosts file only).
10. Click Save & Close.


Topic C: Restricting Internet Mail Delivery


SMTP Inbound and Outbound Controls



SMTP Inbound Controls
To specify how mail is sent to and from the Internet, set inbound and outbound SMTP Controls.
Note: Use one server for inbound and one for outbound to avoid bottlenecks and for optimum performance.

Inbound Controls specify from which external hosts the Lotus Domino mail server accepts messages. With Inbound Controls, it is possible to allow or deny:
- Receiving messages from specific external Internet domains.
- Receiving unsolicited commercial messages in general or from sources listed in one or more DNS Blacklists (DNSBLs).
- Receiving messages directed to specific Lotus Notes addresses.
- Relaying of messages from specific external Internet hosts to external Internet domains.

SMTP Outbound Controls


Outbound Controls specify who can send mail to the Internet from within an organization. With the Outbound Controls, it is possible to allow or deny sending messages:
- To specific Internet addresses to be sent out to the Internet
- From specific Lotus Notes addresses to the Internet


Note: SMTP Inbound and Outbound Controls apply only to routing mail externally via SMTP.


Practice Activity 8-2: Predict Sample Scenarios


Using either a classroom example or a real-life example, use the questions in this activity to initiate a discussion of how best to apply the allow and deny access controls.

Scenario: Review the following questions with your instructor.

1. When are anti-spamming options most useful?
   When employees are receiving unwanted e-mail (also known as spam) from a particular Internet domain address.

2. What are the potential repercussions of misuse?
   Inadvertently restricting mail from a source from which employees would like to send or receive mail.

Note: Worldwide has determined the following restrictions for inbound and outbound mail:
- Prevent mail from passing through external domains.
- Enable Blacklist filters.
- Prevent Sales personnel from sending messages to the Internet.

Message Relay Prevention


By default, IBM Lotus Domino prevents all external Internet hosts from relaying messages to external Internet domains. However, you can specify selected Internet hosts to prevent just those hosts from relaying messages, thereby allowing other unlisted hosts to relay messages.


Procedure Reference: Preventing mail from passing through the domain


Follow these steps to prevent the current domain from relaying messages from external domains.

Demonstrate the procedure. Tell students that using the asterisk prevents external Internet domains from using the SMTP hub to relay mail to any other external domain. Point out that being used as a relay can diminish server performance, especially in the case of mass-mail advertising.

1. Edit the Configuration Settings document for the server.
2. Click the Router/SMTP tab → Restrictions and Controls tab → SMTP Inbound Controls tab.
3. Accept or change the default value in the Deny messages to be sent to the following external internet domains field.

Note: Allow or deny specific IP addresses. Use the restrictions and controls to allow or deny mail to or from specific IP addresses. To do this, specify a range of IP addresses to allow or deny as appropriate. Include the IP address block in brackets, for example: [198.114.90.*]. In the example, all IP addresses that begin with 198.114.90 are excluded, or allowed exclusively, to send mail through the SMTP server.

Keep the Configuration Settings document open and use the Workspace tab buttons to switch between the Administration window and the Configuration Settings document window.

Note: Allow or deny specific host names. To allow or deny a range of host names, enter the portion of the host name and insert the asterisk (*) where appropriate. For example, use *.xyz.com to block all hosts ending with .xyz.com. Entering mail.com would also restrict hotmail.com. To restrict only the host name mail.com, enter *.mail.com or @mail.com.

4. Click Save & Close.
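The host-name note in the procedure above warns that an unanchored entry such as mail.com also restricts hotmail.com. The following added example (not part of the course material and not Domino code) previews which observed senders an entry would hit before the document is saved. The function name, the sample senders, and the substring model for unanchored entries are assumptions drawn from that note.

```python
from fnmatch import fnmatchcase

# Constructed sample of sender hosts and connecting IPs, e.g. taken from a mail log.
OBSERVED_HOSTS = ["mail.com", "smtp.mail.com", "hotmail.com",
                  "mail.community.example", "xyz.com"]
OBSERVED_IPS = ["198.114.90.12", "198.114.9.12", "198.114.90.200"]


def audit_entry(entry, observed_hosts=OBSERVED_HOSTS, observed_ips=OBSERVED_IPS):
    """Report what one allow/deny entry would hit among observed senders.

    intended   -- the named domain itself and its subdomains (assumed intent)
    collateral -- other hosts that merely contain the text; per the note above,
                  an unanchored entry restricts these as well
    """
    entry = entry.strip()

    # Bracketed entries are IP patterns, e.g. [198.114.90.*]
    if entry.startswith("[") and entry.endswith("]"):
        pattern = entry[1:-1]
        return {
            "kind": "ip",
            # each wildcarded octet multiplies the covered addresses by 256
            "addresses_covered": 256 ** pattern.split(".").count("*"),
            "intended": sorted(ip for ip in observed_ips
                               if fnmatchcase(ip, pattern)),
            "collateral": [],
        }

    # Host entries: a leading "*." or "@" anchors the entry to the domain.
    anchored = entry.startswith(("*.", "@"))
    domain = entry.lstrip("*.@").lower()
    intended, collateral = [], []
    for host in sorted(h.lower() for h in observed_hosts):
        if host == domain or host.endswith("." + domain):
            intended.append(host)
        elif not anchored and domain in host:
            collateral.append(host)
    return {"kind": "host", "anchored": anchored,
            "intended": intended, "collateral": collateral}


if __name__ == "__main__":
    for candidate in ["mail.com", "*.mail.com", "@mail.com", "[198.114.90.*]"]:
        print(candidate, audit_entry(candidate))
```

A non-empty collateral list is the signal to anchor the entry before it goes into an allow or deny field.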


Activity 8-3: Prevent Lotus Notes Users from Sending Mail Over SMTP
Guide students through the activity as you configure the Hub server.

Scenario: Worldwide has determined that Sales personnel should be prevented from sending messages to the Internet. To complete this activity, edit your Configuration Settings document to prevent users in the Sales group from sending mail over the Internet.

Point out that the Sales group is used as an example and is not a real group in the current Domino Directory.

Follow these steps to prevent IBM Lotus Notes users from sending mail over SMTP.
1. Edit the Configuration Settings document for your server.
2. Click the Router/SMTP tab → Restrictions and Controls tab → SMTP Outbound Controls tab.
3. In the Deny messages from the following Notes addresses to be sent to the Internet field, type Sales
4. Click Save & Close.


Topic D: Enabling Whitelist and Blacklist Filters


DNS Whitelist Filters



What Are DNS Whitelist Filters?
DNS whitelist filters are used in conjunction with anti-spam features to validate that the mail received by your inbound SMTP server is legitimate mail. Commercial senders or e-mail marketers can submit a completed application to bonded senders and post a financial bond to have their company's e-mail servers' IP addresses added to the whitelist database. By paying this financial bond, the company agrees that they are not sending spam or unsolicited e-mail. This bonding process identifies the IP address of the server that will be used to send their e-mail. Each server is required to have its own bond posted. Any complaint reported against a particular IP address may result in a debit of the bond. Sponsored by ReturnPath, the Bonded Sender Program is a free service for e-mail receivers to use. More information on the Bonded Sender Program is available at the following Web addresses:
- http://www.sendsercorecertified.org (Rev)
- http://www.senderscorecertified.com (SND)

The DNS Whitelist Filter Query Process


IBM Lotus Domino 8.5 includes the ability to query DNS whitelist filter sites to validate that inbound SMTP connections are coming from legitimate e-mail senders. The DNS query will attempt to locate the IP address of the connecting server in the whitelist database as specified on the Configuration Settings document. IP addresses found in the database are considered to be legitimate senders of e-mail and will be added to the whitelist host lists.

Impact on server performance


By enabling this feature within Lotus Domino, you are choosing to verify all inbound SMTP connections against an external DNS whitelist site prior to receiving the message from the sender. This process will submit a DNS query to the host or IP address you have specified on your Configuration Settings document. Be aware that enabling this feature is certain to add some overhead to your Lotus Domino server.

What happens during this query?


The Lotus Domino SMTP Listener task submits a DNS query to the DNS whitelist site(s) in an attempt to locate the connecting server's IP address in the databases. The following table describes the possible results of the query.

If IP address is: Found in the whitelist database
Then: Add this address to the whitelist
And: Bypass all blacklist filter checks, if enabled in Lotus Domino

If IP address is: Not found in the whitelist database
Then: Do not add this address to the whitelist
And: Perform blacklist filter checks, if enabled in Lotus Domino

Note: Although messages are accepted and appear to be from legitimate hosts during the DNS whitelist query, a message is not guaranteed to be delivered. Each message is still subject to additional SMTP inbound checks. These would include connection controls, relay controls, recipient controls, and sender controls. To avoid unnecessary lookups, hosts that are exempt from relay checks are also exempt from whitelist queries.

Enabling DNS Whitelist Filters


DNS whitelist filters are found on the Configuration Settings document → Router/SMTP tab → Restrictions and Controls tab → SMTP Inbound Controls tab. DNS whitelist filters are disabled by default. The following figure shows a Configuration Settings document with DNS whitelist filters enabled, using Bonded Sender Program service, and set to log and tag each message.

Figure 8-4: DNS whitelist filters

What Happens When a Host is Found in the DNS Whitelist?


You can choose what action to take when hosts are found in the DNS whitelist database. By default, hosts found in the whitelist database will automatically skip the DNS blacklist checks, if blacklist filters are enabled on the server. There is no Log and Reject option. All mail is accepted when using DNS whitelist filters. The following table describes the field options.

Field option: Silently skip blacklist filters (Default)
Description: Skips blacklist filters. Performs no logging.

Field option: Log only
Description: Skips blacklist filters. Logs IP address and hostname of connecting host, and the name of the site where the server was listed.

Field option: Log and tag message
Description: Skips blacklist filters. Logs IP address and hostname of connecting host, and the name of the site where the server was listed. Adds item $DNSWLSite to received messages.

DNS Whitelist Filter Statistics


The Lotus Domino SMTP listener task keeps statistics on the total number of hits a given DNS whitelist site has. Use one of the following methods to view these statistics and all SMTP-related stats:
- Issue the following command on the server console: show stat SMTP
- Use Domino Administrator; Server tab → Statistics tab → SMTP section.

The following figure shows an example of some statistics that will display.

Figure 8-5: Example of statistics displayed


Note: The resulting list of statistics is the total accrued statistics since the SMTP Listener task was started. Restarting the SMTP Listener task will result in these values being reset back to zero.

SMTPExpandDNSWLStats=1 notes.ini variable


To obtain more expanded statistic information, set the following Notes.ini variable:

SMTPExpandDNSWLStats=1

Enabling this variable allows you to see more details on the effectiveness of the DNS whitelist sites you are querying. The following statistics will be available after enabling this variable:
- SMTP.DNSWL.<dnswlsite>.Hits
- SMTP.DNSWL.<dnswlsite>.[X.X.X.X].Hits, where [X.X.X.X] is the IP address of the connecting host.
- SMTP.DNSWL.TotalHits

Note: When using more than 1 DNSWL site to query on, it is normal to see multiple statistics for SMTP.DNSWL.<dnswlsite>.Hits and SMTP.DNSWL.<dnswlsite>.[X.X.X.X].Hits for each whitelist filter.

What are DNS Blacklist Filters?


DNS Blacklist Filters

DNS blacklist filters work similarly to DNS whitelist filters. When blacklist filters are enabled, the Lotus Domino server sends a query to the specified sites to check the blacklist. If a host is blacklisted, the Lotus Domino server will act in whatever way is specified in the Desired action when a connecting host is found in a DNS blacklist field.

Enabling DNS Blacklist Filters


DNS blacklist filters are found on the Configuration Settings document → Router/SMTP tab → Restrictions and Controls tab → SMTP Inbound Controls tab. DNS blacklist filters are disabled by default.

The following figure shows a Configuration Settings document with DNS blacklist filters enabled.

Figure 8-6: DNS blacklist filters

Any connections made by a host listed on the DNS blacklist site will be terminated due to the setting of the desired action field. Connections from any of these hosts will be terminated with the following SMTP error code:
554 Your host xx.xx.xx.xx was blacklisted from sending messages to our site.

What Happens When a Host is Found in the DNS Blacklist?


Actions for Hosts Found in DNS Blacklist Database

You can choose what action to take when hosts are found in the DNS blacklist. The Desired action when a connecting host is found in the private blacklist field is checked when a blacklisted host establishes a connection with the Lotus Domino server. The following table describes the possible values for this field.

Field: Log only (default)
Possible values: Logs IP and hostname of connecting host.

Field: Log and tag message
Possible values: Logs IP and hostname of connecting host. Adds item $DNSBLSite to received messages.

Field: Log and reject message
Possible values: Logs IP and hostname of connecting host. Rejects the message and returns an error response to the blacklisted host.

Note: You can view statistics on DNS blacklist filters in the same way that you view DNS whitelist filters. Refer to the DNS whitelist filter statistics section.

What are Private Whitelist Filters?


Private Whitelist Filters

Lotus Domino 8.5 includes the ability to use private whitelist filters on a Lotus Domino server. In this capacity, the administrator has the ability to specify which host names or IP addresses should be considered whitelisted and therefore should automatically bypass DNS blacklist filter checks, if blacklist filters are enabled on the server. Private whitelist filters are considered the exceptions to DNS blacklists. This feature gives an administrator the most control to allow certain external hosts to connect to their SMTP server without having to undergo DNS blacklist checking. Designating these hosts exempt from all DNS blacklist checking is one way to receive mail from a host that might be listed in a blacklist database.
Note: To avoid unnecessary lookups, hosts that are exempt from relay checks are also exempt from private whitelist queries.

When to enable a private whitelist filter

Private whitelist filters can be used anytime, especially if you communicate with a known SMTP server external to your environment. You might want to include external hosts from which you frequently receive mail to avoid DNS blacklist checking. You might also find this feature helpful when you are unable to receive mail from known hosts that could have been incorrectly placed on a blacklist. If you have deemed these hosts safe, you can add the host name or the IP Address of this server to the private whitelist to exclude the host from blacklist checking. By using this feature, you can still receive mail from the host while their administrator works with the owner of the blacklist site to clear the host from the database. Often times, this could take from hours to a week to convince the blacklist owners that the reason they were blacklisted has been resolved.

Note that by enabling this feature, you are choosing to bypass blacklist filter checks for all hosts, IP addresses, and domains that you have specified here. However, these same hosts will not be exempt from inbound relay, connection, sender, or recipient checking. Without this feature, all inbound connections from a blacklisted host could potentially fail if the server has blacklists enabled and is set to reject messages.


Enabling Private Whitelist Filters


Private whitelist filters are found on the Configuration Settings document → Router/SMTP tab → Restrictions and Controls tab → SMTP Inbound Controls tab. Private whitelist filters are disabled by default. The following figure shows a Configuration Settings document with private whitelist filters enabled; two hosts have been whitelisted, and logging of the host name and IP address will occur when the host is found in the private whitelist.

Figure 8-7: Private whitelist filters

Allowed values for the Whitelist the following hosts field

The Whitelist the following hosts field will accept host names, IP addresses in brackets, IP ranges, and masks including the use of wildcards in specific IP addresses and host names. However, wildcards cannot be used when specifying a range of IP addresses.

What Happens When a Host is Found in the Private Whitelist?


You can choose what action to take when hosts are found in the private whitelist. By default, hosts found in the private whitelist will automatically skip the DNS blacklist checks, if enabled on the server. The Desired action when a connecting host is found in the private whitelist field is selected when a whitelisted host establishes a connection with the Lotus Domino server. The values are identical to the Desired action when a connection host is found in a DNS whitelist field.
Note: You can view statistics on private blacklist filters in the same way that you view DNS whitelist filters. Refer to the DNS Whitelist Filter Statistics section previously in this lesson.


What Are Private Blacklist Filters?


Lotus Domino 8.5 includes the ability to use private blacklist filters on a Lotus Domino server. In this capacity, the administrator has the ability to specify which host names or IP addresses they consider blacklisted from sending messages to their domain. This list is maintained by the administrator and might not directly correlate whether these hosts are already listed in a DNS blacklist. In this way, the administrator can make the ultimate decision of which hosts to handle differently. Private blacklist filters are a way for an administrator to specify external hosts that they consider to be on their blacklist. These hosts might not be found in any DNS blacklist database, but the administrator has deemed the messages received from these hosts to be offensive or unsolicited. Private blacklist checking occurs before the DNS whitelist filter and DNS blacklist checking, so the earlier the host is found the sooner the connection can be terminated when the choice is to reject the message.
Note: To avoid unnecessary lookups, hosts that are exempt from relay checks are also exempt from private blacklist queries.

When to enable a private blacklist filter

Private blacklist filters can be used anytime, especially if you find spam messages are being received by specific hosts or IP addresses. By adding the offending host name or IP Address, you quickly stop further messages from being received. Note that by enabling this feature, you are choosing to bypass DNS blacklist filter checks for all hosts, IP addresses, and domains that you have specified in the private blacklist filter. These same hosts, however, will not be exempt from inbound relay, connection, sender, or recipient checking.

Enabling Private Blacklist Filters

Private blacklist filters are found on the Configuration Settings document → Router/SMTP tab → Restrictions and Controls tab → SMTP Inbound Controls tab. Private blacklist filters are disabled by default.


The following figure shows a Configuration Settings document with private blacklist filters enabled.

Private Blacklist Filters

Figure 8-8: Private blacklist filters

In this figure, several hosts and IP ranges have been blacklisted. Any connections made by a host listed here will be terminated due to the setting of the desired action field. Connections from any of these hosts will be terminated with the following SMTP error code:
554 Your host xx.xx.xx.xx was blacklisted from sending messages to our site.

Allowed values for Blacklist the following hosts field

The Blacklist the following hosts field will accept host names, IP addresses in brackets, IP ranges, and masks including the use of wildcards in specific IP addresses and host names. However, wildcards cannot be used when specifying a range of IP addresses.

What Happens When a Host is Found in the Private Blacklist?


You can choose what action to take when hosts are found in the private blacklist. By default, hosts found in the private blacklist will automatically skip the DNS blacklist checks, if enabled on the server. The Desired action when a connecting host is found in the private blacklist field is checked when a blacklisted host establishes a connection with the Lotus Domino server. The possible values for this field are identical to the DNS blacklist filter logging field.
Note: You can view statistics on private blacklist filters in the same way that you view DNS whitelist filters. Refer to the DNS whitelist filter statistics section.


Order of Whitelist and Blacklist Precedence



The order of precedence of processing each of the filters is as follows:
1. private whitelists
2. private blacklists
3. DNS whitelists
4. DNS blacklists
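The following added example models the order of precedence above together with the bypass and reject behaviour described earlier in this topic. It is an illustration written for this page, not Domino code. It assumes that the first list that matches decides the outcome, that list sites are queried with the conventional reversed-octet DNS name (RFC 5782), and that private entries are whole-string wildcard patterns; the zone names, hosts, addresses and function names are constructed.

```python
import ipaddress
from fnmatch import fnmatchcase

# Constructed sample settings; zones, hosts and addresses are placeholders.
CONFIG = {
    "private_whitelist": ["[192.0.2.*]", "mail.partner.example"],
    "private_blacklist": ["[203.0.113.*]", "*.bulk.example"],
    "private_blacklist_action": "reject",   # "log", "tag" or "reject"
    "dnswl_sites": ["wl.example.test"],
    "dnswl_action": "tag",                  # "silent", "log" or "tag"
    "dnsbl_sites": ["bl.example.test"],
    "dnsbl_action": "reject",               # "log", "tag" or "reject"
    "reject_text": "Your host %s was blacklisted from sending messages to our site.",
}

# Constructed DNS data standing in for the list sites: a name present here
# "resolves", meaning the address is listed on that site.
LISTED = {
    "7.100.51.198.wl.example.test",
    "9.100.51.198.bl.example.test",
    "5.2.0.192.bl.example.test",
}


def dns_list_name(ip, zone):
    """Build the lookup name: IPv4 octets reversed, followed by the list zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def in_private_list(entries, ip, hostname):
    """Return the first entry matching the host: [bracketed] = IP, else host name."""
    for entry in entries:
        if entry.startswith("[") and entry.endswith("]"):
            if fnmatchcase(ip, entry[1:-1]):
                return entry
        elif fnmatchcase(hostname.lower(), entry.lower()):
            return entry
    return None


def query_sites(sites, ip, resolve, queries):
    """Query each site in turn, recording every DNS name that was looked up."""
    for zone in sites:
        name = dns_list_name(ip, zone)
        queries.append(name)
        if resolve(name):
            return zone
    return None


def evaluate(ip, hostname, cfg=CONFIG, resolve=LISTED.__contains__):
    """Walk the four filters in order; the first list that matches decides."""
    result = {"matched": None, "entry": None, "reply": None,
              "tag": None, "queries": []}

    def blacklisted(kind, entry, action, site=None):
        result.update(matched=kind, entry=entry)
        if action == "tag" and site:
            result["tag"] = ("$DNSBLSite", site)
        if action == "reject":
            result["reply"] = "554 " + cfg["reject_text"] % ip
        return result

    # 1. Private whitelist: no DNS lookups, blacklist checks are skipped.
    entry = in_private_list(cfg["private_whitelist"], ip, hostname)
    if entry:
        result.update(matched="private_whitelist", entry=entry)
        return result
    # 2. Private blacklist: decided locally, before any DNS query is made.
    entry = in_private_list(cfg["private_blacklist"], ip, hostname)
    if entry:
        return blacklisted("private_blacklist", entry,
                           cfg["private_blacklist_action"])
    # 3. DNS whitelist: a hit bypasses the DNS blacklist checks.
    site = query_sites(cfg["dnswl_sites"], ip, resolve, result["queries"])
    if site:
        result.update(matched="dns_whitelist", entry=site)
        if cfg["dnswl_action"] == "tag":
            result["tag"] = ("$DNSWLSite", site)
        return result
    # 4. DNS blacklist: reached only when nothing above matched.
    site = query_sites(cfg["dnsbl_sites"], ip, resolve, result["queries"])
    if site:
        return blacklisted("dns_blacklist", site, cfg["dnsbl_action"], site)
    return result   # no list matched; other inbound controls still apply


if __name__ == "__main__":
    for ip, host in [("192.0.2.5", "mx.partner.example"),
                     ("198.51.100.77", "mta1.bulk.example"),
                     ("198.51.100.7", "a.example"),
                     ("198.51.100.9", "b.example")]:
        print(ip, evaluate(ip, host))
```

The queries list in each result shows the cost side of the ordering: hosts settled by a private list trigger no DNS lookups, while a host that reaches the DNS blacklist has already cost one whitelist query per configured site.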

How to Enable Whitelist and Blacklist Filters


Administrators can enable all four types of filters on the Router/SMTP tab in the Configuration Settings document.

Procedure Reference: Enabling whitelist and blacklist filters

Follow these steps to enable whitelist and blacklist filters.

Demonstrate the procedure. Step 7: Close the document without saving to avoid an error message prompting for blacklist and whitelist sites.

1. Edit the Configuration Settings document.
2. Click the Router/SMTP tab → Restrictions and Controls tab → SMTP Inbound Controls tab.
3. In the DNS Whitelist Filters section, complete the following fields:
   - DNS Whitelist filters: Select Enabled.
   - DNS Whitelist sites: Type the list of sites that the SMTP listener task will perform DNS queries against.
   - Desired action when a connecting host is found in a DNS whitelist: Select the appropriate desired action.
4. In the DNS Blacklist Filters section, complete the following fields:
   - DNS Blacklist filters: Select Enabled.
   - DNS Blacklist sites: Type the list of sites that the SMTP listener task will perform DNS queries against.
   - Desired action when a connecting host is found in a DNS Blacklist: Select the appropriate desired action.
   - Custom SMTP error response for rejected messages: Type a custom error response to be sent when the connecting host is found in a DNS Blacklist. For example, Your host %s was blacklisted from sending messages to our site.
5. In the Private Whitelist Filters section, complete the following fields:
   - Private Whitelist Filter: Select Enabled.
   - Whitelist the following hosts: Type the IP addresses or host names of the systems to whitelist.
   - Desired action when a connecting host is found in the private whitelist: Select the appropriate desired action.
6. In the Private Blacklist Filter section, complete the following fields:
   - Private Blacklist Filter: Select Enabled.
   - Blacklist the following hosts: Type the IP addresses or host names of the systems to blacklist.
   - Desired action when a connecting host is found in the private blacklist: Select the appropriate desired action.
   - Custom SMTP error response for rejected messages: Type a custom error response to be sent when the connecting host is found in a private blacklist. For example, Your host %s was blacklisted from sending messages to our site.
7. Click Save & Close.

E/SMTP Settings Uses

Topic E: Configuring Extended SMTP (E/SMTP) Options


E/SMTP Settings
Although it is not required, Lotus Domino supports E/SMTP (extended SMTP settings). These settings allow finer control over mail. For example:
- To reduce connection charges, set the extended Turn (ETRN) extension to enable the calling server (for example, an ISP server) to request the called server to push mail to the ISP server. This configuration requires that the ISP pay for the connection charges.
- To restrict messages of a specific size from being delivered, enable the Size extension field. The send will immediately fail if the message size is greater than the maximum size allowed on that server before the message is transmitted. Set the maximum message size on the Restrictions tab.

Procedure Reference: Configuring E/SMTP options

Follow these steps to set controls to reduce connection charges and set message size restriction.

Demonstrate this procedure. Edit Hub's Configuration Settings document. Use pop-up field Help to explain the optional settings on the Router/SMTP tab → Advanced tab → Commands and Extensions tab. The maximum message size will be set in another lesson. When the maximum message size is set and the size extension is enabled, messages that are greater than the maximum message size will not be sent.

1. Edit the Configuration Settings document.
2. Click the Router/SMTP tab → Advanced tab → Commands and Extensions tab.
3. Complete the fields as follows:
   - ETRN command: Select Enabled.
   - SIZE extension: Select Enabled.
4. Click Save & Close.

Consideration for enabling ETRN


ETRN requests the ISP to send messages to the Lotus Domino server after the server finishes sending messages. If the SMTP server makes dial-up connections, maximize the connection by enabling ETRN. Specify either Pull Only or Pull Push routing in the Connection document for the ISP server.


Topic F: Configuring Internet Addressing

Configuring Internet Addresses


When to Set Internet Addresses
To enable IBM Lotus Notes users to send and receive mail to and from Internet users, set users' Internet address during user registration. An administrator can also set or change the Internet address of existing users.

Internet Address Lookup Options


The Address lookup field on the Router/SMTP tab → Basics tab determines what part of the address to consider when looking up the recipient of an inbound SMTP message. Options for matching addresses are based upon:
- The full SMTP address only. For example, carlos_giralt@WWCorp.com.
- The local part of the SMTP address. For example, carlos_giralt.
- The full SMTP address, then if no matches are found, the local part SMTP address.


Activity 8-4: Configure the Internet Address Field for Existing Users

Guide students through the steps to configure the Internet address, ensuring that students select only their own Person documents. Point out the following: If they do not select a Person document, all Person documents will be modified. This could lead to replication conflicts because other students are modifying the same documents. Also mention that the Internet address format can be set in the Registration Settings of a policy.

Scenario: The Internet address is normally configured during user registration; however, some Worldwide employees do not have their Internet Address field configured. To complete this activity, edit your Person document to change the configuration of the Internet address.

Follow these steps to configure the Internet Address field for existing users.
- In Domino Administrator, select your server to administer.
- Click the People & Groups tab → Domino Directories section → WWCorp's Directory section → People view.
- Open your Person document, and note your Internet address.
- Close the Person document.
- In the Tools pane, click People → Set Internet Address.
- In the Set Internet Address dialog box, select Use existing address from shortname field, if available.
- For Default format, select FI LastName.
- For Separator, select Underscore.
- For Internet domain, type wwcorp.com
- (Optional) Click More Options, and define the address further.
- Click OK.
- In the message box, click OK.
- Open your Person document again, and note your Internet address.
- Close your Person document.

Caution: If no users are selected in the view, every Person document will change to reflect the new Internet address format.

Topic F: Configuring Internet Addressing

Activity 8-5: Specify How to Look Up Internet Addresses

Scenario: Worldwide wants to specify how to look up Internet addresses as first looking up the Full name, then the Local part because:

- Users were registered with full Internet addresses.
- The secondary, Local part search will find any names that have had the domain part removed.

To complete this activity, edit the Configuration Settings document for your server to configure the Address lookup field appropriately. Follow these steps to specify how to look up Internet addresses.

1. Edit the Configuration Settings document for your server.
2. Click the Router/SMTP tab → Basics tab.
3. In the Address lookup field, verify Fullname then Local Part is selected.
   Note: This setting allows Lotus Domino to look up users, groups, and mail-in databases for mail received via SMTP. The Address lookup field applies to routing SMTP mail within the local domain as well as inbound mail from outside the domain.
4. Click Save & Close.
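The three Address lookup choices can be modelled as follows. This is an added Python sketch, not IBM or Domino code; the directory entries, the labels of the two options other than Fullname then Local Part, and the case-insensitive comparison are assumptions made for illustration.

```python
from typing import List, NamedTuple, Optional

# Option labels. "Fullname then Local Part" is the value named in Activity 8-5;
# the other two labels are assumed names for the options described above.
FULL_ONLY = "Fullname only"
LOCAL_ONLY = "Local Part only"
FULL_THEN_LOCAL = "Fullname then Local Part"

# Constructed sample directory: (Internet address field, Notes hierarchical name).
DIRECTORY = [
    ("carlos_giralt@WWCorp.com", "Carlos Giralt/WWCorp"),
    ("TBaker@WWCorp.com", "T Baker/WWCorp"),
    ("j_smith", "J Smith/WWCorp"),  # entry whose domain part was removed
]


class Lookup(NamedTuple):
    matched_by: Optional[str]  # "full", "local", or None when nothing matched
    names: List[str]


def _local_part(address: str) -> str:
    """Return the part before '@', normalised for comparison."""
    return address.split("@", 1)[0].strip().lower()


def _match_full(recipient: str) -> List[str]:
    wanted = recipient.strip().lower()
    return [name for addr, name in DIRECTORY if addr.lower() == wanted]


def _match_local(recipient: str) -> List[str]:
    # Local parts are compared without regard to domain; which domains the
    # server treats as local is outside this sketch.
    wanted = _local_part(recipient)
    return [name for addr, name in DIRECTORY if _local_part(addr) == wanted]


def resolve(recipient: str, mode: str) -> Lookup:
    """Resolve an inbound SMTP recipient under one Address lookup mode."""
    if mode not in (FULL_ONLY, LOCAL_ONLY, FULL_THEN_LOCAL):
        raise ValueError(f"unknown Address lookup mode: {mode}")
    if mode in (FULL_ONLY, FULL_THEN_LOCAL):
        names = _match_full(recipient)
        if names or mode == FULL_ONLY:
            return Lookup("full" if names else None, names)
    names = _match_local(recipient)  # second pass, or the only pass
    return Lookup("local" if names else None, names)


if __name__ == "__main__":
    for rcpt in ("carlos_giralt@WWCorp.com", "j_smith@wwcorp.com",
                 "xyz@jkjkjkjkjk.com"):
        for mode in (FULL_ONLY, FULL_THEN_LOCAL):
            print(f"{rcpt:28} {mode:26} {resolve(rcpt, mode)}")
```

An empty result corresponds to the case in which no directory match is found for the address.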


Topic G: Testing SMTP


An Implementation of SMTP Routing
Worldwide's implementation of SMTP relays all SMTP outbound mail through the Hub server. The Router first searches Person documents for the Internet address. If no match is found, the Router sends the message to the Internet.


Activity 8-6: Send Mail to Internet Addresses


Before the activity, stop the Router on Hub so that mail does not go beyond the Hub server.

Step 6: Point out that the Live Console shows that the message to the external user was transferred via SMTP. The Internet address of the internal user resolved to the user's IBM Lotus Notes hierarchical address.

For demonstration purposes, the messages will route only to the Hub server. If this were a live implementation, messages would continue to route to the Internet. The Live Console shows that the message to the external user was transferred via SMTP. Also point out that the Internet address of the internal user resolved to the user's Lotus Notes hierarchical address. Show students how messages route. Open Hub's Mail.box and show the messages that students sent over SMTP. Show the Mail Routing Events view of the log file on Hub. When you have finished this, delete all mail in Mail.box on Hub, and then start the Router on Hub.

Scenario: Now that Worldwide administrators have configured mail routing to the Internet, they need to test the configuration. To complete this activity, send messages to a WWCorp user and an external user, and view the Server Console to verify that your Internet mail configuration works. Follow these steps to send mail to Internet addresses.

1. From the Lotus Notes client:
   - Create a mail message addressed to a WWCorp user, such as TBaker@WWCorp.com
   - Create a mail message addressed to a non-existent user, such as xyz@jkjkjkjkjk.com
   Note: Do not send the messages yet.
2. In Domino Administrator, click the Server tab → Status tab.
3. Select the Server Console view.
4. Click Live.
5. Return to the Lotus Notes client, and send both messages.
   Result: Messages are sent using SMTP to the Hub server.
   Note: In a real-world scenario, the message would then be relayed to the Internet (the server listed as the relay host on the Hub's Configuration Settings document).
6. Return to the Server Console to see how messages were sent.


Lesson Summary
In this lesson, we completed the following steps from the Internet Mail Routing checklist:

- Enable the SMTP listener task on appropriate servers.
- Configure basic SMTP options.
- Restrict mail flow to or from the Internet.
- Set advanced SMTP options.
- Configure Internet mail addressing.

Review the Internet Mail Routing Checklist steps completed in this lesson.

Checklist: Building the Lotus Domino Environment
The bolded task from the Implementation Checklist was completed in this lesson.

Refer students to the implementation checklist to remind them where they are in the overall implementation checklist.

| Task | Procedure |
|---|---|
| 1 | Set up the first server. |
| 2 | Add an administrator's workstation. |
| 3 | Set up access to the Domino Directory. |
| 4 | Add Lotus Domino servers. |
| 5 | Add organizational units. |
| 6 | Register administrators. |
| 7 | Add Lotus Notes clients. |
| 8 | Create user groups. |
| 9 | Create organizational policy. |
| 10 | Register users. |
| 11 | Set administration preferences. |
| 12 | Set up access to servers. |
| 13 | Set up server logging. |
| 14 | Synchronize Lotus Domino system databases throughout the domain. |
| 15 | Route mail internally. |
| 16 | Route mail to the Internet. |
| 17 | Set mail controls. |
| 18 | Test mail routing and delivery. |


Establishing Mail Controls


Topic A: Configuring Router Restrictions
Topic B: Implementing Message Disclaimers
Topic C: Implementing Mail Delivery Controls
Topic D: Implementing Mail Transfer Controls
Topic E: Configuring Multiple Server Mailboxes

Lesson 9 Establishing Mail Controls

Introduction
When setting up a mail infrastructure, it is important to set limitations on how and when mail routes to ensure control over the environment. This lesson covers the types of controls that can be set and provides practice on setting some specific controls. After completing this lesson, you should be able to:

- Configure router restrictions.
- Implement message disclaimers.
- Implement mail delivery controls.
- Implement mail transfer controls.
- Configure multiple server mailboxes.

Implementation Checklist
In this lesson, we will begin discussion of the following Implementation Checklist item: Set mail controls.


Topic A: Configuring Router Restrictions

Mail Restrictions and Controls: Explain how the settings control mail flow. Introduce the control settings in the Configuration Settings document specific to mail routing. Note the defaults, available restrictions, and access options.

Mail Restrictions and Controls
The Configuration Settings documents contain default settings for routing mail internally in the domain. Administrators can change the default settings to tailor mail routing for their site. The Restrictions and Controls tab contains fields that control mail flow to and from other IBM Lotus Domino and Internet domains. The following table describes some of the Restrictions and Control fields.

| To control this type of mail flow | Use this field | Additional notes |
|---|---|---|
| Allow only the specified domains to send mail to this domain. | Allow mail only from domains | Blank field allows all domains except those explicitly listed in the Deny mail from domains field. |
| Restrict specific domains from sending mail to this domain. | Deny mail from domains | Blank field indicates there are no domains restricted. |
| Restrict only specific organization hierarchy to send mail to this domain. | Allow mail only from the following organizations and organizational units | Use wildcards, for example, */East. |
| Deny messages larger than a specific size. | Maximum message size | A non-delivery report is sent to the sender if the message is larger than the specified size. |
| To route larger messages as low priority, therefore, defer transferring until a different time of day. | Send all messages as low priority if message size is between | The maximum end of the range is the value in the Maximum message size field. |

Note: The Router restrictions fields also apply to mail routed to the Internet.


Activity 9-1: Configure Router Restrictions

Step 5: Tell students to save but not to close the Configuration Settings document since they will be using it throughout this lesson. Step 6: Review the results of the Tell Router Update Config command.

Scenario: Worldwide Corporation has determined that large mail messages should be sent during off-peak hours. To complete this activity, edit your Configuration Settings document to set the maximum message size restrictions. Follow these steps to configure router restrictions.

1. Edit the Configuration Settings document.
2. Click the Router/SMTP tab → Restrictions and Controls tab → Restrictions tab.
3. In the Router Restrictions section, in the Maximum message size field, type 10000
   Caution: If the size is too low, it may prevent messages from ever being sent. Make sure a Connection document exists that specifies mail routing during off-peak hours.
4. For the Send all messages as low priority if message size is between field, select Enabled, and then type 5000
   Note: To manage costs and connection times, send all large messages, such as those between 2 to 10 MB, low priority, instead of restricting them entirely.
5. Click File → Save.
   Result: The Configuration Settings document is saved and remains open for later editing.
6. To force the settings to take effect immediately, enter tell router update config at the server console.
   Note: Otherwise, the updates take place every five minutes.

Show how to manually select low priority. Tell students that users can choose to send messages low priority even if there is no restriction set. Administrators might want to teach users this so that users can delay low-priority mail until off-peak hours. To show this:

1. Create a new memo.
2. Click Delivery Options.
3. Click the drop-down arrow for Importance.
4. Point out the priority options.


Topic B: Implementing Message Disclaimers

Message Disclaimers
Message disclaimers are notices (usually short text blocks) that are added to e-mail messages. They are often used in an attempt to protect an organization's legal interests. An administrator can enable or disable the use of message disclaimers from the IBM Lotus Domino server, IBM Lotus Notes client, or both. Message disclaimers are not added to incoming SMTP messages; they are added only to outgoing SMTP messages. They are not added to internal NRPC messages.

Note: In some cases, all recipients, including local Lotus Notes users, receive the disclaimer, but only if all local Lotus Notes users receive MIME messages. Any local Lotus Notes users who have the setting Prefers Notes Rich Text selected in their Person document in the Domino Directory will not receive the disclaimer. This is the only situation in which the Lotus Notes client splits messages: one message for Lotus Notes client rich text users, and one message for all other users.

Administrator options
Administrators have three options when creating disclaimers. They can:

- Create one disclaimer and apply it to all messages sent from an organization or organizational unit.
- Create multiple disclaimers to be used by different parts of the organization.
- Create individual disclaimers for individual senders.

The Message Disclaimer Implementation Process
Implementing message disclaimers is a two-step process:

1. Enable message disclaimers at the server level.
2. Create Mail Policy Settings documents. Each document contains the appropriate disclaimer text for your organization.

To associate a disclaimer with an individual sender, use an explicit policy that applies to specific individuals or groups. To associate multiple disclaimers with combinations of mail messages, you also use policies. For example, use organizational policies to create one disclaimer for the Sales organization, another disclaimer for the Accounting department, and so forth.


If multiple disclaimers apply to a given sender, the server will apply the standard rules of policy hierarchies to select the appropriate disclaimer.

Options for Attaching Disclaimers
Attaching and Enabling Message Disclaimers

There are two options for attaching the disclaimer:

- At the server: Disclaimer text that is specified in the Policy Settings document is attached by the server.
- At the Lotus Notes client: Disclaimer text is attached by the Lotus Notes client prior to depositing the mail message on the server.

If message disclaimers are enabled for the client and the server, message disclaimers can be added to mail messages using the server or the client. The server is able to determine whether the Lotus Notes client has added a disclaimer.

Enabling Server Message Disclaimers
Enable message disclaimers for the server using the Configuration Settings document → Router/SMTP tab → Message Disclaimers tab as shown in the following figure.

Show where to enable message disclaimers. Show the Configuration Settings document → Router/SMTP tab → Message Disclaimers tab. Explain that message disclaimers must be enabled at the server level.

Figure 9-1: Configuration settings

Note: When disclaimers are enabled on the server, all messages sent from that server are disclaimed, regardless of the message source.


Creating Message Disclaimer Policy Settings


Type the message disclaimer text in the Mail Policy Settings document → Mail tab → Message Disclaimers tab. The following figure shows the fields on this tab.

Message Disclaimer Policy Settings

Show the Mail Policy Settings document → Mail tab → Message Disclaimers tab.

Figure 9-2: The Message Disclaimers tab

- Add the message disclaimer text in the Disclaimer text field.
- Enable message disclaimers on the Lotus Notes client using the Notes client can add disclaimers field.

Explain message disclaimers in S/MIME messages. Stress that adding disclaimers at the Lotus Notes client avoids any potential performance problems or bottlenecks at the router.

Using Message Disclaimers in S/MIME Messages


You can add disclaimers to all messages, including signed and encrypted messages. The Message Disclaimers feature is primarily designed for use with Internet-bound messages. For this reason, whenever possible, use the Lotus Notes client to add disclaimers instead of adding them from the server. Issues with signed and encrypted messages do not apply to disclaimers added from the Lotus Notes client because the disclaimer is added before the message is signed. Issues with character sets also do not apply to disclaimers added from the Lotus Notes client because the Lotus Notes client determines the Internet character set used for outgoing messaging. Adding disclaimers at the Lotus Notes client avoids any potential performance problems or bottlenecks at the router.


Activity 9-2: Configure Message Disclaimers

Step 1: Show students how to determine which explicit policy is theirs. Step 12: Provide students with the relay host server name.

Scenario: Worldwide Corporation has decided to include a message disclaimer on all outgoing SMTP mail for specific users who often communicate with independent vendors. The message disclaimer should be attached by the Lotus Notes client prior to the message being transferred to the mail server. To complete this activity, modify your existing explicit policy to include a Mail Settings document and a message disclaimer. Follow these steps to configure message disclaimers.

- Select the explicit policy you created earlier, Password Optional, and click Edit Policy.
- In the Mail row, click New to create a new Mail Settings document.
- On the Basics tab of the Mail Settings document, in the Name field, type Disclaimerxx where xx is your initials.
- In the Description field, type any descriptive text.
- Click the Mail tab → Message Disclaimers tab.
- For Notes client can add disclaimers, select Enabled.
- Click in the Disclaimer text field, and type This message may contain information that is confidential to Worldwide Corporation. As a business partner, you are prohibited from sharing this information with anyone.
- Click Save & Close to close the Mail Settings document.
- On the Policy document, in the Mail field, select your Disclaimerxx document.
- Click Save & Close to save the Policy document.
- Edit your Configuration Settings document.
- Click the Router/SMTP tab → Basics tab, and verify that SMTP used when sending messages outside of the local internet domain is set to Enabled.
- Click in the Relay host for messages leaving the local internet domain field, and type the server name provided by the instructor.
- On the Message Disclaimers tab, change the Message disclaimers field to Enabled, and accept the default values for the other fields.
- Click Save & Close.


Topic C: Implementing Mail Delivery Controls

Introduce the control settings in the Configuration Settings document specific to mail delivery. Note the defaults, available restrictions, and access options. Use pre-delivery agents as an example, since students will perform an activity to disable them. Quota controls are discussed later in this lesson.

Delivery Controls
Delivery controls allow customization of message delivery, including how many threads are used to deliver messages, whether the messages must be encrypted, how long the server waits for a pre-delivery agent to run, and whether the Router supports the forwarding action in IBM Lotus Notes client mail rules.

Delivery Controls fields
The Delivery Controls tab contains fields that control mail delivery. The following table describes some of the Delivery Control fields.

Mail Delivery Controls

| To control this type of mail delivery | Use this field | Additional notes |
|---|---|---|
| Maximum number of server threads IBM Lotus Domino can create to deliver mail from Mail.box to local mail files | Maximum delivery threads. Enter a maximum between 1 and 25, based on the server load. | The Router automatically sets the default maximum number of delivery threads based on server memory. Letting the Router select the maximum number is recommended. |
| Whether Lotus Domino encrypts messages: regardless of whether the sender or the recipient's mail file encrypts messages (Enabled), or only if the recipient's mail file is set to encrypt received messages (Disabled) | Encrypt all delivered mail: Enabled, or Disabled (default) | When encryption is enabled and an external user requests a return receipt for a message sent to a user whose mail file is on the server, the return receipt message that Lotus Domino generates contains a blank message body. |
| Whether or not the server permits the use of pre-delivery agents | Pre-delivery agents: Enabled (default), or Disabled | If the Router detects a pre-delivery agent created by a user, it runs the agent against the message before the message appears in the recipient's inbox. Failure to restrict agents can slow routing performance on the server. |
| Maximum time (in seconds) that a pre-delivery agent, such as a mail filter, can run before the Router interrupts it | Pre-delivery agent timeout. Default is 30 seconds. | |
| Whether the Router supports the rule action to send copies of selected messages automatically to other recipients | User rules mail forwarding: Enabled (default), or Disabled | Lotus Notes users can create mail file rules that automatically process new mail. |


Activity 9-3: Disable Pre-delivery Agents

If students ask about Quota controls, tell them they are covered later in this lesson.

Scenario: Worldwide Corporation wants to restrict pre-delivery agents to improve server performance. To complete this activity, edit your Configuration Settings document to modify the Delivery Controls field. Follow these steps to disable pre-delivery agents.

1. Edit the Configuration Settings document.
2. Click the Router/SMTP tab → Restrictions and Controls tab → Delivery Controls tab.
3. For the Pre-delivery agents field, select Disabled, and click OK.
4. Click Save & Close.
5. To force the settings to take effect immediately, enter tell router update config at the server console.
   Note: Otherwise, the updates take place every 5 minutes.


Topic D: Implementing Mail Transfer Controls

Describe the fields on the Transfer Controls tab. Note that in general, the defaults for the Initial transfer retry interval and Expired message purge interval are sufficient for most mail routing topologies.

Mail Transfer Controls
Transfer control fields determine how and when mail is transferred to other servers. The following table describes some of the transfer control fields.

| To manage this type of mail transfer | Set this field | Default |
|---|---|---|
| When low priority mail should be transferred | Low priority mail routing time range | 12:00 AM - 06:00 AM |
| How often the Router should retry transferring mail | Initial transfer retry interval | 15 minutes |
| How often expired messages should be purged from the server's Mail.box | Expired message purge interval | 15 minutes |

Note: The Transfer Control fields also apply to mail routed to the Internet.


Activity 9-4: Specify When Low Priority Mail Should Route

Scenario: Worldwide Corporation wants messages between 2 and 10 MB in size to route low priority. Worldwide Corporation wants a short time range for routing low priority mail (between the hours of 2:00 AM and 5:00 AM) because of international time zones. To complete this activity, edit your Configuration Settings document to modify the Transfer Controls. Follow these steps to specify when low priority mail should route.

1. Edit the Configuration Settings document.
2. Click the Router/SMTP tab → Restrictions and Controls tab → Transfer Controls tab.
3. Set the Low priority mail routing time range to 2:00 AM - 5:00 AM
   Caution: By default, Connection documents are not scheduled to route during the low priority time range. Make sure there is a Connection document that includes the low priority time range; otherwise, low priority mail will not route.
4. Click Save & Close.
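The size limits typed in Activity 9-1 and the time range set in Activity 9-4 only work together if a Connection document schedule covers that range, as the Caution states. The following added Python sketch (not Domino code) classifies a message by size and checks for that overlap; the KB unit, the inclusive boundaries, and the sample Connection schedules are assumptions.

```python
from datetime import datetime

DAY = 24 * 60  # minutes in a day


def parse_range(text):
    """'2:00 AM - 5:00 AM' -> (120, 300), in minutes after midnight."""
    start, end = (datetime.strptime(part.strip(), "%I:%M %p")
                  for part in text.split("-"))
    return start.hour * 60 + start.minute, end.hour * 60 + end.minute


def _segments(rng):
    """Split a range that wraps past midnight into same-day pieces."""
    start, end = rng
    return [(start, end)] if start <= end else [(start, DAY), (0, end)]


def overlaps(a, b):
    """True when two time ranges share at least one minute."""
    return any(max(s1, s2) < min(e1, e2)
               for s1, e1 in _segments(a)
               for s2, e2 in _segments(b))


def disposition(size_kb, max_kb, low_kb):
    """Classify one message against the Router restriction fields.

    Assumed semantics: larger than Maximum message size is refused with a
    non-delivery report; from the low priority threshold up to and including
    the maximum is sent low priority; anything smaller routes normally.
    """
    if size_kb > max_kb:
        return "refuse_ndr"
    if size_kb >= low_kb:
        return "low_priority"
    return "normal"


def audit(max_kb, low_kb, low_window, connection_schedules):
    """Return configuration findings; an empty list means none were found."""
    findings = []
    if low_kb >= max_kb:
        findings.append("low priority threshold is not below Maximum message size")
    window = parse_range(low_window)
    if not any(overlaps(window, parse_range(s)) for s in connection_schedules):
        findings.append("no Connection document schedule overlaps the low "
                        "priority time range; low priority mail will not route")
    return findings


if __name__ == "__main__":
    # Values from Activities 9-1 and 9-4; the schedules are constructed samples.
    MAX_KB, LOW_KB, WINDOW = 10000, 5000, "2:00 AM - 5:00 AM"
    for size in (800, 7000, 12000):
        print(size, disposition(size, MAX_KB, LOW_KB))
    print(audit(MAX_KB, LOW_KB, WINDOW, ["8:00 AM - 10:00 PM"]))
    print(audit(MAX_KB, LOW_KB, WINDOW,
                ["8:00 AM - 10:00 PM", "1:00 AM - 4:00 AM"]))
```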


Topic E: Configuring Multiple Server Mailboxes

Using Multiple Server Mailboxes

Benefits of Multiple Mailboxes
By default, the Router uses only one Mail.box. The Router supports using multiple mailboxes on a server. Using multiple mailboxes:

- Reduces contention.
- Increases reliability.
- Increases delivery speed.

Note: On busy mail servers, add one or two mailboxes and increase the number until mail routing patterns are optimal.


Activity 9-5: Configure Multiple Mailboxes

Scenario: Worldwide Corporation wants busy mail servers to use two mailboxes to increase the reliability of mail delivery. To complete this activity, edit your Configuration Settings document to specify that two server mailboxes should be used. Follow these steps to configure multiple mailboxes.

1. Click the Messaging tab → Mail tab → Servername Mailbox (mail.box) view.
2. Edit the Configuration Settings document for your server.
3. Click the Router/SMTP tab → Basics tab.
4. In the Number of mailboxes field, enter 2
5. Click File → Save.
6. Restart the server for the changes to take effect.
7. Close and restart Domino Administrator to view the two new mailboxes.

Note: After the server creates multiple mailboxes, the Router no longer uses the initial Mail.box. Therefore, after creating multiple mailboxes, ensure that the Router processes messages by copying messages from the original Mail.box to one of the new mailboxes.


Lesson Summary
In this lesson, we began examination of the processes involved in setting mail controls. We will continue to explore setting mail controls in the next lesson.

Checklist: Building the Lotus Domino Environment
The bolded task from the Implementation Checklist was started in this lesson.

Remind students that task 17 in the implementation checklist, set mail controls, will be complete at the end of the next lesson.

| Task | Procedure |
|---|---|
| 1 | Set up the first server. |
| 2 | Add an administrator's workstation. |
| 3 | Set up access to the Domino Directory. |
| 4 | Add Lotus Domino servers. |
| 5 | Add organizational units. |
| 6 | Register administrators. |
| 7 | Add Lotus Notes clients. |
| 8 | Create user groups. |
| 9 | Create organizational policy. |
| 10 | Register users. |
| 11 | Set administration preferences. |
| 12 | Set up access to servers. |
| 13 | Set up server logging. |
| 14 | Synchronize Lotus Domino system databases throughout the domain. |
| 15 | Route mail internally. |
| 16 | Route mail to the Internet. |
| 17 | Set mail controls. |
| 18 | Test mail routing and delivery. |


10

Implementing Mail Rules and Storage Limits


Topic A: Creating and Activating a Server Mail Rule
Topic B: Enabling Mail Journaling
Topic C: Implementing Blacklist Tag and Whitelist Tag Mail Rule Conditions
Topic D: Establishing Mail Quotas
Topic E: Controlling Inbox Size with Inbox Maintenance
Topic F: Archiving Mail

Lesson 10 Implementing Mail Rules and Storage Limits

Introduction
Part of an IBM Lotus Domino mail infrastructure includes mail rules to govern what type of mail is sent or received, and storage limitations on how much mail can be stored on the server. This lesson covers the types of mail rules and storage limitations that can be set. After completing this lesson, you should be able to:

- Create and activate a server mail rule.
- Enable mail journaling.
- Implement blacklist tag and whitelist tag mail rule conditions.
- Establish mail quotas.
- Use the Inbox Maintenance feature to control users' inbox sizes.
- Archive mail.

Implementation Checklist


Topic A: Creating and Activating a Server Mail Rule

Complete the setup for this lesson. (Optional) Show how to view existing rules.

Mail Rules
Mail rules define actions to be taken on certain messages. When a new message that meets the condition specified in the rule is deposited in Mail.box, IBM Lotus Domino automatically performs the designated action. Mail rules can be created to:

- Reject mail:
  - With subjects such as make money fast.
  - From a known spam vendor.
  - From a domain known for sending unsolicited commercial e-mail.
- Redirect to a quarantine database any message containing an attachment that could be a virus.
- Copy all messages from a particular customer to a database.

Mail rules and virus protection
Although mail rules can assist in deterring messages containing viruses, they are not a substitute for virus protection.

How Mail Rules Work
The following table describes how rules are processed.

Mail Rule Processing

| When | Then |
|---|---|
| Lotus Domino server starts | Each server retrieves rules from the appropriate Configuration Settings document and registers them as monitors on each Mail.box database in use. |
| Mail.box receives a new message from any source (the SMTP process, the Router on another server, or a client depositing a message) | The server evaluates the message fields against the registered mail rules. Notes: Each message is evaluated only once. Additional updates occurring after a message is added to Mail.box, such as updates to reflect the number of recipients handled, do not cause reevaluation of the rules. |
| A new rule is added | The rule takes effect after the server reloads the mail rules. A reload is automatically triggered if the Server task detects a rule change when performing its routine check of the Configuration Settings document. This check occurs approximately every five minutes. Note: You can force the server to reload rules, using the set rules command at the server console. |
| Mail.box receives an encrypted message (Lotus Notes encrypted, S/MIME, PGP, and so forth) | The server mail rules process any rule conditions that are based on unencrypted information in the message envelope, such as the sender, importance, and recipients, but do not process conditions based on the encrypted portion of the message body. |
| A rule prevents a message from reaching its destination | For example, if an inbound SMTP message is refused, the sending server would typically generate a delivery failure report to the sending user. Similarly, an IBM Lotus Notes user receives an error if a mail rule prevents the Lotus Domino server from accepting a message. |

Note: In Lotus Domino and Lotus Notes 8.5, mail rule formulas use temporary variables to handle the most repetitive tasks instead of having to continually reprocess the same conditions over and over again. This logic improves performance in processing mail rules.

Sender notification
Because the filter executes as mail is deposited to Mail.box, in some cases the sender may still receive notification that the message was rejected. For example, when:

- The Domino SMTP listener refuses a message because of a mail rule, the sending SMTP server receives the error indicating that the transaction was rejected for policy reasons. Typically, servers receiving this type of error generate a delivery failure report to the sending user.
- A mail rule prevents the server from accepting a message, a Lotus Notes client attempting to deposit the message in Mail.box displays an error indicating that the message cannot be sent.


Mail Rule Actions


Mail rules dene the following actions:
Mail Rule Actions

Journal a message. Move a message to a database for storage or quarantine. Refuse to accept or deliver a message. Change the routing state of a message. Administrator review of messages redirected to quarantine database. Stop processing of subsequent mail rules.

When actions are performed


The server searches each message for conditions specied in the server mail rules and performs an action on the message. Some types of actions occur immediately. Other types of actions are performed by the Router later, so the server tags these messages before depositing them in Mail.box. Server Actions Dont accept message.

Change routing state. Journal this message. Move to database. Do not deliver message. Stop processing.

Router Actions

Stop processing action for server mail rules


The stop processing action for mail rules allows administrators and mail users more control over the execution of rules they create by specifying when to stop processing rules if a certain condition or exception is met. By having the ability to stop the remaining rules from executing, administrators can expect better performance on the server because the server is not required to execute all rules before acting on the message.

Compatibility with previous software releases


The stop processing action requires formula language that is available on Lotus Domino server versions 6.0.3, 6.5, or more recent. The stop processing rule does not execute correctly on Lotus Domino servers released prior to versions 6.0.3 and 6.5. If mail is delivered to a Lotus Domino 5.x server with a rule defined that uses the new rule formula, the rule does not execute as expected and processing of mail server rules does not stop. Subsequent mail server rules would process.

Topic A: Creating and Activating a Server Mail Rule


Activating a Server Mail Rule


The Router task reloads the list of rules every five minutes. To activate a new rule immediately, issue the set rules command at the server console.

Activity 10-1: Create a Mail Rule


Introduce the concepts of conditions, exceptions, and actions as you lead students through this activity. Demonstrate how to create conditions and exceptions and select actions to be performed when those conditions and exceptions exist.

Scenario: Worldwide needs mail rules to reject messages with subjects containing certain words, unless such messages are from specific senders. To complete this activity, edit your Configuration Settings document to create a mail rule that prevents sending messages with a specific subject, except when the message is from a specific sender. Follow these steps to create a mail rule.

1. Edit your Configuration Settings document.
2. Click the Router/SMTP tab → Restrictions and Controls tab → Rules tab → New Rule.
3. For Specify Conditions, perform the following:
   - Select Subject.
   - Verify Contains is selected.
   - Enter a subject.
   - Click Add.
4. For Specify Conditions, perform the following:
   - Next to Create, select Exception.
   - Select sender.
   - Select is.
   - Enter a sender.
   - Click Add.
5. For Specify Actions, perform the following:
   - Select don't accept message.
   - Click Add Action.
6. Click OK to save the rule.
7. Save the Configuration Settings document.

Note: The Configuration Settings document must be saved to make the rule available for activation.

Activity 10-2: Activate the Rule


Optional: Ask students to navigate to the server console without looking at Steps 1 through 3.

Scenario: Worldwide administrators want the new rules to take effect immediately. To complete this activity, enter a server console command to force the new mail rule to take effect. Follow these steps to activate the rule.

1. Click the Server tab → Status tab.
2. Click the Server Console view.
3. Click Live.
4. In the Domino Command field of the console, type the command set rules and click Send.

Prioritizing mail rules


If there are multiple mail rules, you can set their relative priority by moving them up and down the list. For example, keeping rules that affect security at the top of the list ensures greater protection. In most cases, only one action is taken per message, so prioritization can be used to customize rules. Prioritizing allows one rule to take precedence over another. For example, one rule may reject all messages with the subject buy, to avoid spam messages in general. But another rule can accept all messages from a specific domain, such as a specific customer, even if they include the word buy.
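The interaction of conditions, exceptions, list order and the stop processing action can be tried in a small model, added here as an example (it is not Domino code and not part of the course material). It assumes rules are evaluated top to bottom and that a refusal or a stop processing action ends evaluation; the rule names, addresses and subjects are constructed.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# Action names taken from the list of mail rule actions in this lesson.
REFUSE = "don't accept message"
MOVE = "move to database"
STOP = "stop processing"


@dataclass
class Message:
    sender: str
    subject: str


@dataclass
class Rule:
    name: str
    condition: Callable[[Message], bool]
    action: str
    exception: Optional[Callable[[Message], bool]] = None

    def matches(self, msg: Message) -> bool:
        # A rule fires when its condition holds and its exception does not.
        if not self.condition(msg):
            return False
        return not (self.exception is not None and self.exception(msg))


def evaluate(rules, msg):
    """Walk the rules in list order (top of the list = highest priority).

    Assumption of this model: a refusal or a stop processing action ends
    evaluation; any other action is recorded and evaluation continues.
    Returns (disposition, names of the rules that fired, rules evaluated).
    """
    fired, evaluated, disposition = [], 0, "delivered"
    for rule in rules:
        evaluated += 1
        if not rule.matches(msg):
            continue
        fired.append(rule.name)
        if rule.action == REFUSE:
            return "refused", fired, evaluated
        if rule.action == STOP:
            break
        if rule.action == MOVE:
            disposition = "quarantined"
    return disposition, fired, evaluated


def subject_contains(word):
    return lambda m: word.lower() in m.subject.lower()


# Constructed sample rules (addresses and keywords are made up).
reject_buy = Rule("reject-buy", subject_contains("buy"), REFUSE,
                  exception=lambda m: m.sender == "purchasing@wwcorp.example")
customer_pass = Rule("customer-pass",
                     lambda m: m.sender.endswith("@customer.example"), STOP)
quarantine_offer = Rule("quarantine-offer", subject_contains("offer"), MOVE)

SECURITY_FIRST = [reject_buy, customer_pass, quarantine_offer]
CUSTOMER_FIRST = [customer_pass, reject_buy, quarantine_offer]

# Constructed sample messages.
ORDER = Message("ann@customer.example", "Please buy 40 units")
SPAM = Message("x@bulk.example", "Buy cheap watches")
INTERNAL = Message("purchasing@wwcorp.example", "Approval to buy laptops")
PROMO = Message("x@bulk.example", "Special offer inside")

if __name__ == "__main__":
    for label, rules in (("security first", SECURITY_FIRST),
                         ("customer first", CUSTOMER_FIRST)):
        for msg in (ORDER, SPAM, INTERNAL, PROMO):
            print(label, "|", msg.subject, "->", evaluate(rules, msg))
```

With the reject rule on top, the customer's order is refused; moving the customer rule above it lets the order through, but also exempts that domain from every rule below it, including the quarantine rule.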

Show students how to prioritize the rules you created during lesson setup.

Topic B: Enabling Mail Journaling


Mail Journaling
Mail journaling captures a copy of all or specified messages that the Router processes in the IBM Lotus Domino system. The benefits of using journaling include:

- Compliance with laws or regulations that require an organization to save a copy of every message processed by the local mail system and permanently store or otherwise process the message copies. Government agencies such as the Securities and Exchange Commission (SEC) require a business to retain all messages related to the transactions they undertake.
- Long-term storage needs if used in conjunction with third-party archiving programs.

By default, mail journaling is not enabled. Lotus Domino automatically creates the Mail Journaling database in the specified location when mail journaling is enabled.
Note: Refer to the IBM Lotus C API Toolkit for Lotus Notes and Lotus Domino 8.5 for more information on how to combine journaling with third-party archiving tools. The toolkit is available at http://www.lotus.com/capi.

Journaling and Mail Rules Interactions


Mail journaling works in conjunction with mail rules. The journaling rule determines which messages to journal. For example, you can journal messages sent to or from specific people, groups, or domains. Once configured, journaling is done automatically by the server. A copy of the message is retained, even if the recipient, or an agent acting on the recipient's mail file, deletes it immediately upon delivery.

Journaling and the ISpy task


On servers running the ISpy task, the Mail Journaling database captures each trace message that the ISpy task sends. To prevent the Mail Journaling database from accumulating these entries, configure a rule exception for messages where the sender includes ISpy.

Journaling and Mail Routing


Journaling does not disrupt the normal routing of a message. When mail journaling is enabled, Lotus Domino:

- Examines messages as they pass through Mail.box.
- Sets a journal flag on the message before transferring it to the next server on the route so it is journaled only once.
- Saves copies of selected messages to a Lotus Domino Mail Journaling database (Mailjrn.nsf). After the Router copies a message to the Mail Journaling database, it sends the message to the intended recipient. Before depositing messages in the Mail Journaling database, the Router encrypts them to ensure that only authorized persons can examine them.
- Delivers the message from the destination server after removing the journal flag so the user is not aware that the message was journaled.

Note: When using a mail-in database, the mail-in database is just added as a recipient to the original message. Messages are not re-encrypted.

Encryption
The main reason for encryption is so that a copy of the database made at the operating system level does not allow the contents to be read. The database ACL should be set very restrictively to protect the database from unauthorized users.

Router conditions for journaling


The Router creates the journal database upon startup if all of the following conditions are met:

- Journaling is enabled.
- The Copy to local database option is selected.
- The server specified on the top-level Basics tab of the Configuration Settings document is either empty or is the current server.
- The specified journal database does not already exist.

Journaling and Server Configuration


Journaling is also affected by the server configuration. There is a possibility of a message being journaled more than once from a user's perspective due to server configuration or message modifications.

For example, if Servers B and C have journaling enabled, but Server A does not, and a user on Server A sends a message to one user on Server B and another user on Server C, the message will be journaled on both Servers B and C. If journaling is enabled on Server A, then only Server A would journal the message.
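The Server A, B and C case can be traced with a short model, added here as an example (it is not Domino code and not part of the course material). It assumes the journal flag travels with every copy forwarded after it is set; the Hub topology is constructed.

```python
def trace_journaling(routes, origin, journaling_enabled):
    """Follow one message from `origin` through a routing tree.

    routes: dict mapping a server to the servers it forwards a copy to.
    journaling_enabled: set of servers with mail journaling enabled.
    Returns (servers that stored a journal copy, destination servers
    reached by a copy that was never journaled on its way).
    """
    journaled_on, never_journaled = [], []

    def visit(server, flagged):
        # A server journals only a message that does not carry the flag yet,
        # then sets the flag so later servers on the route skip it.
        if server in journaling_enabled and not flagged:
            journaled_on.append(server)
            flagged = True
        next_hops = routes.get(server, [])
        if not next_hops and not flagged:
            never_journaled.append(server)
        for hop in next_hops:
            visit(hop, flagged)

    visit(origin, False)
    return journaled_on, never_journaled


def audit(routes, origin, journaling_enabled):
    """Classify a topology: 'gap', 'duplicate' or 'once'."""
    journaled_on, never_journaled = trace_journaling(
        routes, origin, journaling_enabled)
    if never_journaled:
        return "gap"          # some recipient copy was never journaled
    if len(journaled_on) > 1:
        return "duplicate"    # the same message sits in several journals
    return "once"


# Topology from the text: a user on Server A mails users on B and C.
DIRECT = {"A": ["B", "C"]}
# Constructed variant: the message passes through a hub before splitting.
VIA_HUB = {"A": ["Hub"], "Hub": ["B", "C"]}

if __name__ == "__main__":
    print(trace_journaling(DIRECT, "A", {"B", "C"}))
    print(trace_journaling(DIRECT, "A", {"A", "B", "C"}))
    print(trace_journaling(VIA_HUB, "A", {"Hub", "B", "C"}))
    print(audit(DIRECT, "A", {"B"}))
```

The "gap" verdict is the case a compliance review should look for: journaling enabled on only some destination servers leaves copies that no journal holds.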

Procedure Reference: Enabling mail journaling


Follow these steps to configure the Mail Journaling database by specifying where to store journaled messages and setting options for managing the security and size of the database.

Demonstrate the procedure.

(Optional) Show the journaling database. Configuring journaling creates the Mailjrn.nsf database automatically. After journaling is configured, use the Files tab to display the Mail journaling database, as it does not appear in the Open Application dialog box.

1. Edit the Configuration Settings document.
2. Click the Router/SMTP tab → Advanced tab → Journaling tab.
3. In the Basics section, complete the following fields:
   - Journaling: Disabled is the default. For classroom purposes, select Enabled.
   - Field encryption exclusion list: Fields that are not encrypted and will display in the view. Default encrypted fields are Form, From, Principal, and PostedDate. If you want the subject of the message to appear, add Subject to the list. For classroom purposes, the default list should be used.
   - Method:
     - Copy to local database (default): If the Configuration Settings document applies to multiple servers, Lotus Domino creates a unique Mail journaling database on each server.
     - Send to mail-in database: The database must already exist. Messages are not encrypted. When using a mail-in database, encrypt messages when adding them to the database.
   - Database Name: Default (mailjrn.nsf, applies to local copy only).
   - Mail destination: Name of the mail-in database.
   - Encrypt on behalf of user: Fully qualified Lotus Notes Name of the user whose certified public key Lotus Domino uses to encrypt messages added to the database. For classroom purposes, Doctor Notes/WWCorp should be used.
     Note: Consider creating a special user ID for reviewing journaled messages and protecting the ID with multiple passwords. You can enable encryption for the mail-in database on the Administration tab of the mail-in database document. You cannot use a group for this field.
   - Journal Recipients: Enable.

4. In the Database Management section, complete the following fields:
   - Method:
     - Periodic Rollover: Create new database at 12 AM every x days (specify the days in the periodicity field). For this option, Lotus Domino renames the existing Mail Journaling database and creates a new database with the original name.
     - None: No method of data retention used. For this option, you need to monitor the database size and use appropriate tools to archive the journal data.
     - Purge/Compact: Delete documents after specified number of days and compact database (specify days in the data retention field).
     - Size Rollover: Create new database when maximum size is reached (specify size in the maximum size field). For this option, Lotus Domino renames the Mail Journaling database and creates a new database with the original name.
   For classroom purposes, Size Rollover should be used, with the Maximum size being 200
5. Click Save & Close.
6. To have settings take effect immediately, enter Tell Router Update Config at the server console.
   Note: Otherwise, the updates take place every five minutes.

Topic C: Implementing Blacklist Tag and Whitelist Tag Mail Rule Conditions
Tag Mail Rule Conditions
Mail rules offer a way for administrators and users to do more with the messages that get tagged by private whitelists, private blacklists, DNS whitelists, and DNS blacklists. For server mail rules: The administrator can choose to move these messages to a particular database to analyze the message contents or they could place the message on hold.

For user mail rules: The user might want to move these messages to a certain folder, delete them, or send a copy to the administrator.

If administrators choose Log and Reject in an attempt to block spam mail, the result may be that some legitimate messages (often called false positives) are tagged and rejected. The ability to move suspected spam mail to a database and review these tagged messages gives the administrator more options in managing spam mail.

Field Names Associated with Tags


To create the rule to act on messages containing the whitelist or blacklist tag, you will need to know some portion of the whitelist or blacklist site name. The name of the DNS whitelist or DNS blacklist can be found on the Configuration Settings document for the SMTP server that handles inbound mail. It can also be found by examining the messages tagged previously. The following table outlines the fields added to the messages and the respective values for which you might create a rule.

Tags, Field Names, and Values

Tag | Field name | Value
Private Whitelist | $DNSWLSite | <Private Whitelist>
DNS Whitelist | $DNSWLSite | <Name of Whitelist host where address was found> For example: query.bondedsender.org, bondedsender
Private Blacklist | $DNSBLSite | <Private Blacklist>
DNS Blacklist | $DNSBLSite | <Name of Blacklist site where address was found> For example: bl.spamcop.net, spamcop

The following figure shows two examples of tagged messages and the field values that were populated.

Tagged Messages and Fields Examples

Figure 10-1: Examples of tagged messages

Options for Creating Rules with Blacklist or Whitelist Tags


Two conditions called blacklist tag and whitelist tag are available in the Server Mail Rule New Rule dialog box, as shown in the following figure.

Creating Mail Rules with Tags

Figure 10-2: Creating a new rule


Note: These same conditions are also available in the User Mail Rule New Rule dialog box.

In this example, the server mail rule is configured to move all messages with the blacklist tag ($DNSBLSite field) containing bl.spamcop.net to a database called spam.nsf. This is one possible example of how this feature can be useful. These messages could later be examined by the administrator to determine if any of the messages are truly spam or not. Any messages that are indeed valid could then be moved to the intended recipient's mail file manually.

Explain how quotas, thresholds, and restrictions work together to allow control over mail files.

Topic D: Establishing Mail Quotas


Quotas
Quotas are size limits that are set on users' mail files. There are two types of quotas:

- Absolute quota size
- Warning threshold

Quotas restrict mail-file size by allowing interruption of mail flow. Warning thresholds provide users with advance notice when their mail files approach the designated mail file quota, so they can reduce the size of their mail files before message flow is interrupted. Quotas must be set before warning thresholds are specified. Quotas and warning thresholds are associated with a particular mail file database only, not with a user ID.

Quota Implementation Options


Set quota limits and warning thresholds:

- During registration: Quotas specified during registration apply only to new users, not to existing users.
- Per database: Administrators can manually specify the warning threshold and quota of one or more mail files.

Quota Restrictions
Quota restrictions allow:

- For several types of restriction settings including non-delivery of mail. (Hold messages in Mail.box or return to sender.)
- Administrators to define actions to take on mail files whose quotas are reached or exceeded.
- Reduction in server disk space and increase in performance of the mail client.

Activity 10-3: Create Mail Quotas


Assign a user listed in the Domino Directory to each student. To enable the optional test of the demonstration on the next page, perform these steps for a user whose mail file is on Hub/SVR/WWCorp.

Scenario: Worldwide has asked administrators to restrict the size of some users' mail files. To complete this activity:

- Configure your assigned user's mail file to be no larger than 10 MB.
- Specify that warning messages be sent to the user when the mail file reaches 9 MB.

Follow these steps to create mail quotas.

1. On the Files tab, select your user's mail database.
2. On the Tools pane, click Database → Quotas. Result: The Set Quotas dialog box appears.
3. Click Set database quota to, and type 10
4. Click Set warning threshold to, and type 9
5. Click OK.

How to Establish Mail Quotas


Demonstrate this procedure. The specified settings send a warning message once per day to a mail file that is over its warning threshold, and send a non-delivery report (NDR) message for each message the Router attempts to deliver to an over-quota mail file.

Procedure Reference: Setting mail quota restrictions


After setting a mail quota, specify what happens when mail files with quotas approach and reach the quota. Follow these steps to specify handling of quota restrictions on mail files.

(Optional) Test the quota restriction. Send a message to the user whose mail file exceeds the quota. Show the message sent to the sender and recipient. Show the server console message saying that mail was not delivered.

The Hold mail and retry over quota enforcement option is not recommended on a transaction-logged server when the NSF quota enforcement method is based on file size. Usage-based quota enforcement is recommended on transaction-logged servers. The Hold undeliverable mail setting works independently of the quota enforcement option, Hold and retry.

1. Edit the Configuration Settings document.
2. Click the Router/SMTP tab → Restrictions and Controls tab → Delivery Controls tab.
3. For Over warning threshold notifications, select one of the following:
   - None
   - Per message to send a message to the user when the threshold is reached
   - Per time interval to send one message during the time interval specified: For Warning interval, select Hour(s), Minute(s), or Day(s), and enter a number.
   For classroom purposes, 1 Day(s) should be used.
4. For Over quota notification, select one of the following:
   - None
   - Per message to send a message to the user when the quota is exceeded
   - Per time interval to send one message during the time interval specified: For Warning interval, select Hour(s), Minute(s), or Day(s). Enter a number.
   For classroom purposes, Per message should be used.
5. For Over quota enforcement, select one of the following:
   - Deliver anyway (don't obey quotas): Router delivers new mail even if quota is exceeded.
   - Non deliver to originator: Router does not deliver mail and sends notification to intended recipient (and sender, since Over quota notification field was set to Per Message).
   - Hold mail and retry: mail is held in Mail.box and Router resends until mail file is below quota. When this option is selected, the following fields appear:
     - Attempt delivery of each message
     - Maximum messages to hold per user

     - Maximum message size to hold
   For classroom purposes, Non deliver to originator should be used.
6. Click Save & Close.
7. To force the settings to take effect immediately, enter Tell Router Update Config at the server console.
   Note: Otherwise, the updates take place every five minutes.

Topic E: Controlling Inbox Size with Inbox Maintenance


In this topic, you will use Inbox Maintenance to control user inbox size.

Inbox Maintenance
You can use the Inbox Maintenance feature to improve server performance by reducing the size of users' inboxes in mail files. When you enable the Inbox Maintenance feature, the Inbox Maintenance agent is run on the IBM Lotus Notes client user's home server, that is, the server that stores the mail files containing the users' inboxes. The Inbox Maintenance agent resides in the mail template, mail85.ntf. The agent removes documents from the inbox based on settings you define in the Server document or the mail policy settings document. The following figure shows Inbox Maintenance enabled in the Mail Policy Settings document.

Figure 10-3: Inbox Maintenance enabled in the Mail Policy Settings document

The settings that are specified in the Server document override the Inbox Maintenance settings in the mail policy settings document. You must be using the mail template, mail85.ntf, and a Domino Directory created with or upgraded to the Lotus Domino 8.5 version of names.ntf.

The following figure illustrates the Inbox Maintenance section of the Server document.

Figure 10-4: Inbox Maintenance configuration settings in the Server document

Benefits of Inbox Maintenance


The Inbox Maintenance feature is a significant improvement over quotas. With its capability to empty mailboxes, it provides for better server management.

Use the Inbox Maintenance Feature to Control Inbox Size


Procedure Reference: Specifying Inbox Maintenance settings in the Server document
Follow these steps to specify Inbox Maintenance settings in the Server document.

1. In Domino Administrator, click the Configuration tab.
2. Click Server → All Server Documents, and then select the Server document you want to work with.
3. Click Edit Server and then click the Server Tasks → Administration Process tabs.
4. Complete these fields in the Mail Inbox Maintenance section:

Table 10-1: Mail Inbox Maintenance Options

Field | Action
Start executing Inbox Maintenance agent on | Specify one or more days of the week on which to run the Inbox Maintenance agent on the Lotus Notes client user's home server, that is, the server that stores the mail files containing the users' inboxes. The default is Saturday.
Start executing Inbox Maintenance agent at | Specify the time of day at which to run the Inbox Maintenance agent on the Lotus Notes client user's home server, that is, the server that stores the mail files containing the users' inboxes. The default is 1:00 AM.
Maintain inboxes for only these selected users on this home server | Select this option to maintain inboxes only for those users that you specify. When you select this option, the Selected users field appears.
Maintain inboxes based on policies | Select this option to maintain inboxes based on settings that you specify in the Mail Settings Policy document, on the Mail → Basics tab.
Selected users | Specify the users whose inboxes on the home server are to be maintained by the Inbox Maintenance agent. This option applies only if you select the Maintain inboxes for only these selected users on this home server option.
Remove documents older than [X] days from Inbox | Specify the number of days to elapse prior to automatically removing documents from users' inboxes. This option applies only if you select the Maintain inboxes for only these selected users on this home server option.
Maximum number of documents to remove per cleanup | Specify the maximum number of documents to remove automatically. This option applies only if you select the Maintain inboxes for only these selected users on this home server option.
Do not remove unread documents from Inbox | Click Yes if you want to prevent unread documents from being removed from the users' inboxes. Documents are removed from a user's inbox according to the value you specify in the Remove documents older than [X] days from Inbox field. By default, this setting is not checked. This option applies only if you select the Maintain inboxes for only these selected users on this home server option.

5. Click Save & Close.

Activity 10-4: Enable the Inbox Maintenance Feature


Scenario: As the Domino administrator, you have been asked by management to control the size of all the inboxes on your server. To complete this activity:

- Enable the Inbox Maintenance feature to execute on Sundays at 11 p.m. and to maintain the inboxes on your server.
- Configure the Inbox Maintenance feature to remove documents that are more than 60 days old and to leave unread documents in the inboxes.

Follow these steps to enable the Inbox Maintenance feature.

Enable the Inbox Maintenance feature to execute on Sundays at 11 p.m. and to maintain the inboxes on your server

1. In Domino Administrator, click the Configuration tab.
2. Expand Server, and then click All Server Documents.
3. Select your server, and click Edit Server.
4. Click the Server Tasks tab.
5. Under Mail Inbox Maintenance, click the Start executing Inbox Maintenance agent on drop-down arrow and click Sun. Click Sat to clear that check box, and then click OK.
6. Highlight the time in the Start executing Inbox Maintenance agent at field, and type 11:00 PM
7. Select Maintain inboxes for only these selected users on this home server.
8. Click the Selected users drop-down arrow. In the Select Names dialog box, scroll down and select your server. Click Add, and then click OK.

Configure the Inbox Maintenance feature to remove documents that are more than 60 days old and to leave unread documents in the inboxes

9. Double-click in the Remove documents older than [X] days from Inbox field and type 60
10. For Do not remove unread documents from Inbox, select Yes.
11. Click Save & Close.

Demonstrate this procedure. Open your mail file, and show students how users could archive their own mail if an archive policy were assigned to them. Review the default archive documents:

- Default for Last Modified
- Default for Expired

Topic F: Archiving Mail


Archiving
Archiving an IBM Lotus Notes user's mail documents is a method of copying outdated mail to an archive database or deleting the mail. After these documents are copied to the archive database, a clean-up task is performed on the user's mail file.

Benefits of Archiving and Policies


The advantages of using an archive policy include:

- Policies are easier to manage and allow standardization of archiving.
- Archiving provides greater control over the mail environment, as seen in the Archiving solutions table.

Procedure Reference: Archiving user mail


Users can follow these steps to archive their mail.

1. Open the mail file.
2. Click Actions → Archive → Settings. Result: The Archive Settings dialog box appears.
3. Click Create, and enter a descriptive name for the criteria.
4. Click Selection Criteria, review the options, change them as needed, and click OK.
5. Under What Should Happen to the Selected Documents? select an option.
6. Under How do You Want to Clean up Documents in this Application? select an option.
7. Select Enable this criteria, and click OK.
8. When you are prompted to create an archiving schedule, click Yes.
9. In the Archive Settings dialog box, select Schedule Archiving.
10. For Run at, select a time.
11. For On these days, select the days to archive.
12. Under Perform Scheduled Archiving when using, select one of the options. If you selected Specific Location, select the locations from which to archive.
13. Click OK.

Archive Policy Documents


To enable mail file archiving, use the following documents:

- The Policy document
- The Archive Policy Settings document
- The Archive Criteria Settings document

The Archive Policy Settings Document


The Archive Policy Settings document allows standardization of document archiving. Archive settings are centrally managed and enforced by the administrator. Use the Settings document to specify:

- Whether to allow archiving.
- Archive location.
- Archive selection criteria.
- Archive log information.

Server-to-server archiving can archive all mail files to a central server.

Archiving solutions
Archiving policies can solve the problems listed in the following table.

Problem | Solution
Space is tight on the mail server. Need a centralized archive server. | Server-based archiving is enabled from a mail server to a designated archive server. Note: To archive a mail file to a server, the user must have access to create databases on the server.
Archiving cannot occur during peak work hours. | Archiving is scheduled to occur during off hours.
End users must not be allowed to control their archive settings. | Users are prohibited from changing or creating archive settings.
Lotus Notes 8.5 clients will not be rolled out immediately. | The designated archive server is a Lotus Domino 8.5 server, so that policies can be enforced in a mixed environment.

Archive Criteria Settings Document


The following describes the Archive Settings and Archive Criteria Settings documents:

- An Archive Settings document specifies whether or not to allow archiving, whether or not to allow Lotus Notes users to set their own private archiving criteria where archiving occurs, and the destination location for the Archive Log database.
- The Archive Criteria Settings document establishes the criteria for document selection and mail file cleanup.

Each Archive Settings document requires:

- At least one Archive Criteria Settings document if enabling archiving.
- No Archive Criteria Settings document if prohibiting archiving.

Activity 10-5: Create an Archive Policy


Tell students to use themselves as the users. Point out that they are adding a new Policy Settings document to an existing Policy document. The Organizational policy created earlier in the course establishes policies for all of /WWCorp.

Scenario: Worldwide Corporation wants to allow specific user groups to archive their own mail to save space. However, they have ordered a server to use specifically for archiving and it has not arrived yet. The administrators have been asked to prohibit archiving for all users until the new server is up and running. To complete this activity, add policy settings to your explicit policy that prohibit archiving. Follow these steps to create an archive policy.

1. Click the People & Groups tab → Domino Directories section → Policies view.
2. Select the explicit policy you created.
3. Click Edit Policy.
4. Locate the Archiving Setting Type, and click New. Result: The Archiving Settings document is created.
5. On the Basics tab, click in the Name field, and type Archiving Prohibition for Admin number (where Admin number is your Admin user number, for example West01).
6. In the Archiving Options section, select Prohibit archiving. Result: The remaining sections and some tabs are no longer available.
7. Click Save & Close. Result: The Policy document is displayed.
8. Press Ctrl+S to save the policy, then click the drop-down arrow next to Archiving, and click the name of the new Archive Settings document.
9. Click Save & Close.

Lesson Summary
This lesson covered configuring mail rules and quota to control mail delivery.

Checklist: Building the Lotus Domino Environment
The bolded task from the Implementation Checklist was completed in this lesson.

Refer students to the checklist to remind them where they are in the overall implementation checklist.

Task  Procedure
1     Set up the first server.
2     Add an administrator's workstation.
3     Set up access to the Domino Directory.
4     Add Lotus Domino servers.
5     Add organizational units.
6     Register administrators.
7     Add Lotus Notes clients.
8     Create user groups.
9     Create organizational policy.
10    Register users.
11    Set administration preferences.
12    Set up access to servers.
13    Set up server logging.
14    Synchronize Lotus Domino system databases throughout the domain.
15    Route mail internally.
16    Route mail to the Internet.
17    Set mail controls.
18    Test mail routing and delivery.

Lab 10-1: Set Mail Controls


Present the scenario and the issues that Worldwide wants to resolve using mail controls. Step 1: Students can work individually (or in teams). Refer students to the procedure in this lesson for the steps to enable journaling. Step 2: Pair students in teams of two or three. Tell students where the Test.abc file resides.

Scenario
Worldwide Corporation has set the following standards for their mail infrastructure:

- All mail files must not exceed 15 MB.
- Users must be notified when their mail files are about to exceed 14 MB.
- Messages will not be delivered when mail files are larger than 14 MB.
- All messages containing an attachment with the extension .abc are refused.
- All messages from Doctor Notes must be saved in a local database that is backed up and re-created once per day.

To complete this activity:

- Implement the Worldwide Corporation mail standards on your server.
- Test your implementation.

Follow these steps to set mail controls.

Send a message to students so they can see that the message from Doctor Notes is sent to the mail journaling database.

1. Use mail controls to establish standards. Complete the following tasks:

   - Create a mail quota and threshold to ensure mail databases do not exceed 15 MB.
   - Create a quota restriction to notify users and deny delivery of messages when quota is exceeded.
   - Enable mail journaling.
   - Create a mail rule to deny messages containing attachments with the extension .abc.
   - Create a mail rule to journal all messages from Doctor Notes.
   - Activate the rules.

2. Test mail controls. Complete the following tasks:

Create a message with the Help database (/Data/Help/help85_admin.nsf) attached and send it to your partner to test the mail quota.

Did your partner receive the message? Did you receive a warning?

Create a message with the Test.abc file attached to it and send it to your partner to test the mail rule.

Did your partner receive the message?

Locate the message from Doctor Notes in the mail journaling database.

Lab 10-2: Assign and Test the Archive Policy


Scenario
Worldwide administrators have configured the appropriate policy settings, and now need to test the archive policy. The simplest way to test an explicit policy is to assign the policy to yourself.

To complete this activity, assign the explicit policy to your user account, and test the effect of the policy. Follow these steps to assign and test the archive policy.

1. Assign the explicit policy to yourself.


Tell students they might need to restart the Lotus Notes client to activate the restriction quickly.

2. Open your mail file and try to archive your mail.

Show that archiving still works for non-mail databases. Students may wonder if the policy affects non-mail databases. Follow these steps to show that it applies only to mail databases.
1. Open any non-mail database on the server, for example, the Domino Server Log (Log.nsf).
2. Click File → Database → Properties.
3. Click Archive Settings.
4. Point out that the options are available on the Archive Settings dialog box, so archiving will work with this non-mail database. Point out that the policy only applies to mail files.

11

Monitoring Mail

Topic A: Verifying Routing and Checking Mail Delivery
Topic B: Enabling Mail Statistics
Topic C: Enabling Message Tracking
Topic D: Configuring Message Recall

Lesson 11 Monitoring Mail

Introduction
Once the mail infrastructure is in place, it is important to monitor mail to make sure it is routing correctly. This lesson introduces monitoring tools and methods to ensure that messages are delivered.

After completing this lesson, you should be able to:

- Verify routing and check mail delivery.
- Enable mail statistics.
- Enable message tracking.
- Configure Message Recall.

Revisit the checklist. In this lesson, we will begin discussion of the following Implementation Checklist item: Test mail routing and delivery

Implementation Checklist

Complete the setup for this lesson.

Mail Troubleshooting Checklist

Topic A: Verifying Routing and Checking Mail Delivery


Checklist for Verifying Mail Routing
After implementing mail routing, test the connections to ensure messages route properly. If problems occur during routing, check the details in the following table.

Task  Procedure
1     The network connections are set up correctly.
2     The servers and Router are up and running.
3     The NNNs are set up properly.
4     The appropriate Connection documents exist and contain the following:
      - The server name is correct.
      - The schedule is enabled.
      - The Router type is correct.
5     The connection requirements for sending mail, such as calling times or message thresholds, have been met.
6     Replication between servers is successful, ensuring Connection document information is up-to-date on all relevant servers.
7     Router restrictions do not prohibit message delivery.
8     SMTP settings are correct.
9     Inbound and outbound controls are properly set.
10    Quotas are not exceeded.
11    Mail rules do not prohibit message delivery.
12    The mail address is correct.
13    The person information is correct.

The checklist is primarily to troubleshoot mail routing problems that occur during implementation. However, these tasks indicate what can be monitored to ensure proper mail routing.

Checklist for Monitoring Mail


Complete these tasks to ensure that mail is routing properly.

Mail Monitoring Checklist

Task  Procedure
1     Check for misdelivered mail.
2     Check mail monitoring tools.
3     Set up mail statistic monitors.
4     Enable message tracking.

This lesson covers how to perform the monitoring tasks. Another lesson describes how to fix problems that may occur.

Types of Misdelivered Mail


Often, misdelivered mail falls into one of the categories described in the following table.

Misdelivered Mail

Category: Dead mail
Definition: Mail that is not delivered to the recipient and cannot be returned to the sender for non-delivery. For example, if the sender mails a message to the wrong address, and the sender's mail file is deleted or moved, IBM Lotus Domino can neither deliver the mail nor return the mail to the sender.

Category: Undelivered mail
Definition: Mail that is not delivered because either:
- The Router on the server is not running.
- The recipient's mail server is down.

Show students the Messaging → Mail tab. Note the tools and options for monitoring and checking mail routing problems. Show students the Mail Routing Topology views as a quick way to see the connections and NNNs. They can use this in troubleshooting to determine if the connections and NNNs are correct. Open the Domino Server log and remind students that the log was configured earlier.

Dead mail example


For example, if the sender mails a message to the wrong address, and the sender's mail file is deleted or moved, the Router can neither deliver the mail nor return the mail to the sender.

Dealing with undeliverable mail


If there is undeliverable mail in the mailbox, the Lotus Domino administrator might be able to correct the problem by editing the recipient and releasing the message. The administrator can also choose to delete dead or held mail to release the space in the mail.box file.

Checking Mail Delivery


The Domino Administrator Messaging tab contains monitors and tools for verifying mail routing and server connections, and for monitoring mail delivery status. These can be invaluable when you need to monitor and troubleshoot mail routing problems.

Procedure Reference: Checking mail delivery


Follow these steps to check mail delivery.

Demonstrate this procedure. You might need to start the Maps Extractor task manually. Observe what type of mail is not routing properly, then use these guidelines. If Internet mail, then verify the gateway to the Internet. If IBM Lotus Notes mail, then investigate which hubs are not getting mail.

1. In Domino Administrator, select the mail server.
2. Click the Messaging tab → Mail tab.
3. Select each of the following views:
   - Servername Mailbox view
   - Mail Routing Status view
   - Mail Routing Events view
4. Double-click a document in the Mail Routing Events view to display the details of mail routing events.
5. Click Close.
6. Click the Messaging tab → Mail tab → Mail Routing Topology. Select each of the following views:
   - By Connections view.
   - By Named Networks view.

Topic B: Enabling Mail Statistics


Mail Statistics
Mail statistics provide additional information on mail flow and current mail configuration performance. Enable and monitor statistics using the Server Monitor.

Activity 11-1: Enable Mail Statistics


Scenario
Worldwide administrators are responsible for monitoring mail statistics to ensure that mail is flowing correctly and in a timely manner.

To complete this activity, use the Server Monitor to enable and monitor several statistics dealing with mail routing. Follow these steps to enable mail statistics.

1. In Domino Administrator, select your server.
2. Click the Server tab → Monitoring tab.
3. Click Start.
4. From the menu, click Monitoring → Monitor New Statistic.
   Result: The Add Statistic(s) to this profile dialog box appears.
5. Expand the Mail section.
   Result: Mail statistics are displayed.
6. Select the following statistics:
   - Delivered
   - MaximumServerHops
   - TransferFailures
7. Click OK.
   Result: Mail statistics appear in monitor.
   Note: You may need to scroll to the right to view the Mail statistics.
8. Click Profiles, and click Save As.
9. Type Mail Monitoring and click OK.
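
The statistics selected in this activity can also be checked from saved console output. The following is an added example, not part of the course material: it parses two constructed snapshots in the "Name = value" form printed by the server console command show stat Mail and reports the conditions this lesson associates with routing trouble. Mail.Dead and Mail.Waiting are standard Domino router statistics that the activity does not select, and the hop limit is an assumed site value.

```python
import re

# One statistic per line, for example "  Mail.Delivered = 1,204".
STAT_LINE = re.compile(r"^\s*([A-Za-z][\w.]*)\s*=\s*(\S.*?)\s*$")

# Constructed sample snapshots (not captured from a real server).
EARLIER = """
> show stat Mail
  Mail.Dead = 0
  Mail.Delivered = 1,204
  Mail.MaximumServerHops = 2
  Mail.TransferFailures = 3
  Mail.Waiting = 0
"""

LATER = """
> show stat Mail
  Mail.Dead = 1
  Mail.Delivered = 1,204
  Mail.MaximumServerHops = 2
  Mail.TransferFailures = 7
  Mail.Waiting = 12
"""


def parse_stats(console_text):
    """Return {name: int} for every numeric statistic in the console text."""
    stats = {}
    for line in console_text.splitlines():
        match = STAT_LINE.match(line)
        if match is None:
            continue  # prompt lines, blank lines, banners
        name, raw = match.groups()
        digits = raw.replace(",", "")  # tolerate thousands separators
        if digits.isdigit():
            stats[name] = int(digits)
    return stats


def counter_delta(previous, current, name):
    """Growth of a cumulative counter between two snapshots.

    If the value dropped, the counter was reset (server restart), so
    everything counted since the reset is treated as new.
    """
    before = previous.get(name, 0)
    now = current.get(name, 0)
    return now if now < before else now - before


def review(previous, current, hop_limit=5):
    """Compare two snapshots and list conditions worth investigating.

    hop_limit is an assumed site threshold, not a Domino default.
    """
    findings = []

    dead = current.get("Mail.Dead", 0)
    if dead > 0:
        findings.append(
            f"dead mail: {dead} message(s) in mail.box need release or deletion")

    failures = counter_delta(previous, current, "Mail.TransferFailures")
    if failures > 0:
        findings.append(
            f"transfer failures: {failures} new since the last snapshot")

    delivered = counter_delta(previous, current, "Mail.Delivered")
    waiting = current.get("Mail.Waiting", 0)
    if waiting > 0 and delivered == 0:
        findings.append(
            f"stalled: {waiting} waiting and none delivered; check the Router task")

    hops = current.get("Mail.MaximumServerHops", 0)
    if hops > hop_limit:
        findings.append(
            f"hops: a message took {hops} server hops (limit {hop_limit})")

    return findings


if __name__ == "__main__":
    for finding in review(parse_stats(EARLIER), parse_stats(LATER)):
        print(finding)
```
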

Topic C: Enabling Message Tracking


Message Tracking
IBM Lotus Domino provides the ability to track a sent mail message across servers. With message tracking enabled, Lotus Domino stores information about each mail message in a database (MTstore.nsf). The Message Tracking facility can:

- Track messages across Lotus Domino domains.
- Be used by administrators and users from an IBM Lotus Notes client or Web browser.
- Provide reports of where a particular mail message was sent.

Only those messages sent after enabling message tracking can be tracked. Both administrators and users can request tracking reports.

Activity 11-2: Enable Message Tracking


Either during or after the activity, point out the following fields related to restricting message tracking:
- Don't track messages for
- Don't log subjects for
Generating tracking reports is beyond the scope of this course. Refer students responsible for using the Message Tracking Center to the Lotus software course Managing IBM Lotus Domino 8.5 Servers and Users.

Scenario
Worldwide Corporation will use Message Tracking to be able to later generate tracking reports when the need arises.

To complete this activity, edit your Configuration Settings document to support message tracking. Follow these steps to enable message tracking.

1. Click the Configuration tab → Messaging section → Configurations view.
2. Edit your Configuration Settings document.
3. Click the Router/SMTP tab → Message tracking tab, then in the Message tracking field, select Enabled.
4. In the Message Tracking collection interval field, accept the default.
5. For Log message subjects, select Yes.
6. For Allowed to track messages and Allowed to track subjects, select the LocalDomainAdmins and LocalDomainServers groups.
7. Click Save & Close.
8. Click the Server tab → Status tab → Server Console view, and click Live.
9. Watch the server console for messages related to message tracking. This may take a few minutes. Or, enter tell router update config

Note: For more information about using message tracking across domains or tracking reports, see Lotus Domino Administrator 8.5 Help.

Topic D: Configuring Message Recall


Many IBM Lotus Notes 8.5 users might want to take advantage of the ability to recall a sent message. As an administrator, you will need to decide if you will make this feature available to your users. If so, you will need to choose the best method to implement it, as well as understand how the Message Recall function works from the user's perspective within the Lotus Notes 8.5 client environment.

What is Message Recall?


To help increase productivity and avoid information overload, IBM Lotus Domino 8.5 offers the Message Recall feature. It is a controllable, optional feature that must be enabled on the server to function within the end-user's environment, unless a Server Configuration document has been created, in which case the feature is automatically enabled.

The Message Recall function allows users to retrieve Lotus Notes mail they accidentally or inappropriately sent to the wrong people. Activated from the Sent Mail folder or All Documents view in Lotus Notes, this feature allows users to retrieve messages from one or all of the recipients. A user must have the desired message in the Sent folder so that the message can be selected to recall. The feature removes the message from the recipient's mailbox and notifies the person recalling the message if it has been opened. You can configure the Message Recall feature, and you can set policy-based controls on which users can recall messages and whether or not recipients can prevent recall requests.

Message Recall Options


Messages are deleted from servers in the same domain or from a domain other than the one from which the original message was sent. If the message sender has enabled the setting to receive a status report, the router then sends a status report to the originator of the message. By default, when a message is recalled, a report is sent to the originator of the message. The message is recalled using the server ID of the server performing the recall. Use the Do not allow recall of messages older than field on the mail Policy Settings document to define the time period during which a message may be recalled after the date of delivery. You can define the state in which a message can exist when it is recalled. For example, you can define whether only unread messages can be recalled, or whether both read and unread messages can be recalled. Specify the number of weeks, days, hours, or minutes according to the unit of time you want to use.

You can control and apply message recall settings using a mail policy settings document or a Server Configuration document. If there is no policy in place, the values in the Server Configuration document are used to establish the message recall settings. If those message recall fields on the Server Configuration document do not contain values, the default settings are used.
Note: The Message Recall feature applies only to Domino servers, and only to mail messages not routed over SMTP servers.

Configuring the Message Recall Feature


Procedure Reference: Recalling a message
Follow these steps to recall a message:

1. Open or select the message in your Sent mail folder.
2. Click Recall Message.
3. If the message was sent to more than one recipient, select the recipients from which to recall the message.
4. (Optional) To recall the message even if a recipient has already opened it, select Recall the message even if it has been read.
5. (Optional) To suppress recall status reports, clear Send me a recall status report for each recipient.
6. Click OK.
7. Click OK to clear the Recall Message window.

Activity 11-3: Configure the Message Recall Feature


Scenario
As a Lotus Domino and Notes 8.5 administrator, you can configure the Message Recall feature allowing users to retrieve Lotus Notes mail they accidentally or inappropriately sent to the wrong people.

To complete this activity, edit your Configuration Settings document to configure Message Recall to recall any message, regardless of whether or not it has been opened, as long as it is no more than three days old. Follow these steps to configure the Message Recall feature.

1. Verify that you are connected to your mail server, and click the Configuration tab → Messaging section.
2. Edit your Configuration Settings document.
3. Click the Router/SMTP tab, and then click the Message Recall tab.
4. Verify that Message Recall is Enabled.
   IMPORTANT: Enabled by default!
5. Click the Allow recall of messages with unread status drop-down arrow and then click Both read and unread.
6. Double-click in the Do not allow recall of messages older than field and type 3
7. Click Save & Close.
8. Open Lotus Notes and click the Mail tab.
9. Create a new mail message to Doctor Notes with a subject of Testing Message Recall
10. Click Send.
11. Open the Sent folder.
12. Select the message you just sent, and click Recall Message.
13. In the Recall Message dialog box, verify that Doctor Notes is selected to recall from.
14. Select the check box to Recall the message even if it has been read, and click OK.
15. In the Recall Message dialog box, click OK.
16. In the Sent folder, double-click to open the Message Recall Request.
17. Verify that the message was recalled, and close the report.

Lesson Summary
This lesson began examining the tools used to monitor and troubleshoot mail problems.

Checklist: Building the Lotus Domino Environment
The bolded task from the Implementation Checklist was started in this lesson.

Remind students that task 18 in the implementation checklist, test mail routing and delivery, will be complete at the end of the next lesson.

Task  Procedure
1     Set up the first server.
2     Add an administrator's workstation.
3     Set up access to the Domino Directory.
4     Add Lotus Domino servers.
5     Add organizational units.
6     Register administrators.
7     Add Lotus Notes clients.
8     Create user groups.
9     Create organizational policy.
10    Register users.
11    Set administration preferences.
12    Set up access to servers.
13    Set up server logging.
14    Synchronize Lotus Domino system databases throughout the domain.
15    Route mail internally.
16    Route mail to the Internet.
17    Set mail controls.
18    Test mail routing and delivery.

12

Resolving Common Mail Routing Problems


Topic A: Sending a Mail Trace
Topic B: Restarting the Router
Topic C: Forcing Mail Routing
Topic D: Resolving Undelivered and Dead Mail

Lesson 12 Resolving Common Mail Routing Problems

Introduction
Problems with mail routing and delivery may be caused by one or more factors. Monitoring helps to isolate the cause of the problem. Once the cause is determined, follow the checklist tasks to resolve the problem. Some of the tasks, such as checking Connection documents, NNNs, and Replication schedules, involve viewing documents, which was covered in previous lessons.

After completing this lesson, you should be able to:

- Send a mail trace.
- Restart the router to resolve mail routing issues.
- Restart the router to resolve mail routing issues.
- Resolve undelivered and dead mail.

Mail Troubleshooting Checklist

Implementation Checklist

Revisit the Mail Troubleshooting Checklist as a guide to determining how to resolve a problem. Remind students that they have this troubleshooting checklist at the beginning of the previous lesson. Also, remind students to check the network, servers, and Routers first.

Topic A: Sending a Mail Trace


Common Causes for Mail Routing and Delivery Problems
Mail routing problems most often occur for one of the following reasons:

- A mail server is down.
- The Router is not running.
- Mail routing connections are improperly or poorly configured.

Troubleshooting Stages
When you are trying to determine a problem, look at the following general areas:

- Servers
- Router
- Network and server connections
- Document settings
- Message settings
- Person settings (Person document, Location document)

The Mail Trace Tool


IBM Lotus Domino Administrator includes a Mail Trace tool that administrators can use to verify mail delivery and troubleshoot delivery problems. This tool does not actually deliver mail to the user's mail file; the tool simply pings the user's mail file and traces the path the message travelled to reach the user's mail file. This is also helpful for testing network connections.

Activity 12-1: Send a Mail Trace


Step 4: Tell students to send a message to another student who is in a different NNN. Step 6: Tell students to select Each server on the path.

Scenario
Worldwide administrators have been notified that some users are not receiving mail.

To complete this activity:

- Send a mail trace to a user in another NNN.
- View the trace report.

Follow these steps to send a mail trace.

Send a mail trace to a user in another NNN
1. In Domino Administrator, select your server.
2. Click the Messaging tab → Mail tab.
3. In the Tools pane, click Messaging → Send Mail Trace.
4. In the To field, enter or select a mail user in a different NNN.
5. In the Subject field, type Mail trace message for username.
6. For Send me a trace report from, verify that Each server on the path is selected. This option returns a trace report indicating each Router hop.
7. Click Send.
8. Click Done.

View the trace report
9. View the trace report in your mail file by:
   - Opening your mail file
   - Double-clicking the message with the subject entered in step 5
10. Click Close.

Topic B: Restarting the Router


When to Restart the Router
Check to see if the Router is running by looking at the Router task in the Server Monitor. If the Router is not running, start the Router.

Activity 12-2: View the Server Monitor


Step 4: Have students check the previously enabled statistics to see if there are any problems.

Scenario
As a first step in determining mail routing problems, Worldwide administrators should verify that the router task is running by viewing the Server Monitor.

To complete this activity, use the Server Monitor to determine whether mail is being delivered, identify potential problems, and see if the Router is running. Follow these steps to view the Server Monitor.

1. In Domino Administrator, select your server.
2. Click the Server tab → Monitoring tab.
3. Verify that the Monitoring Profiles field displays Mail Monitoring.
4. Examine the mail statistics and the Router task.

Instructor Activity 12-3: Stop and Start the Router


Use the procedure in the activity to demonstrate how to stop and start the Router. Also show how to stop and start the Router from Server Status → Server Tasks. Step 3: Point out that students' machines now indicate that Hub's Router is not running. Step 4: Have students verify that Hub's Router restarted.

Scenario
As the next step in determining mail routing problems, Worldwide administrators should stop and start the router.

To complete this activity, observe as your instructor stops and restarts the Router. Follow these steps to stop and start the Router.

1. In Domino Administrator, select the mail server to administer.
2. Click the Messaging tab → Mail tab.
3. In the Tools pane, click Messaging → Stop Router.
4. In the Tools pane, click Messaging → Start Router.

Note: Stopping and restarting the Router also routes pending mail.

Demonstrate this procedure to show students how to force mail routing between Hub/SVR/WWCorp and any classroom mail server.

Topic C: Forcing Mail Routing


When to Force Mail Routing
To see if the mail routing problems are fixed, force mail to route.

Procedure Reference: Forcing mail routing


Follow these steps to force mail routing, either to test connections or to send all pending messages (including low priority messages) immediately.

1. In Domino Administrator, select the server.
2. Click the Messaging tab → Mail tab.
3. In the Tools pane, click Messaging → Route Mail.
4. Enter the destination server's fully distinguished hierarchical name.
   Note: Use quotation marks (" ") if the server name contains spaces. For example, use quotes around the server name: "USMail01/SVR/Earth Corporation".
5. Click Route to route mail.
6. Click Done.

Topic D: Resolving Undelivered and Dead Mail


The Delivery Failure Process
Dead and undelivered mail is flagged in the server's Mail.box. Dead mail indicates a problem with the user information. Undelivered mail indicates a problem with mail routing. When a server has pending mail in its mailbox:

1. The server determines the addressee's destination server.
2. If the Router is down or the destination server is unavailable, the server holds the mail as undelivered.
3. If the destination server is available but the delivery attempt fails, the server attempts to send a Delivery Failure report to the message sender.
4. If the Router is unable to send a Delivery Failure report, it places the report as a dead mail message in the server's mailbox.

The following figure illustrates the delivery failure process.

Figure 12-1: The delivery failure process

Activity 12-4: Resolve Undelivered and Dead Mail


Step 3: Recommend an option to select.

Scenario
Worldwide administrators should regularly check for and resolve dead and undelivered mail in the server's Mail.box files.

To complete this activity:

- Check the Mail1.box and Mail2.box files to identify undelivered and dead mail.
- Use the Release options to resolve dead mail.

Follow these steps to resolve undelivered and dead mail.

1. In Domino Administrator, select your server to administer.
2. Click the Messaging tab → Mail tab → YourServername Mailbox (mail1.box) view.
3. To fix dead mail (flagged with a red icon) or undelivered mail, click Release, and click one of the following options:
4. If another dead mail message exists, select it and click Delete Message. Then, press the F9 key and click Yes to refresh the view.
5. Select the YourServername Mailbox (mail1.box) view, and repeat steps 3 and 4.

Lesson Summary
This lesson introduced typical scenarios involving mail routing problems.

Checklist: Building the Lotus Domino Environment
The bolded task from the Implementation Checklist was completed in this lesson.

Review the steps completed in this lesson. Refer students to the checklist in the text to remind them where they are in the overall implementation checklist.

Task  Procedure
1     Set up the first server.
2     Add an administrator's workstation.
3     Set up access to the Domino Directory.
4     Add Lotus Domino servers.
5     Add organizational units.
6     Register administrators.
7     Add Lotus Domino clients.
8     Create user groups.
9     Create organizational policy.
10    Register users.
11    Set administration preferences.
12    Set up access to servers.
13    Set up server logging.
14    Synchronize Lotus Domino system databases throughout the domain.
15    Route mail internally.
16    Route mail to the Internet.
17    Set mail controls.
18    Test mail routing and delivery.

Lab 12-1: Troubleshoot Intranet Mail Routing


Complete the following tasks to set up the activity:
1. Stop the Router on Hub, and change server names in Connection documents (for example, change East01/SVR/WWCorp to East01/SRV/WWCorp for all servers).
2. Change the SMTP used when sending messages outside of the local internet domain field to Disabled on East servers.
3. Change outbound controls on West servers: change the Deny messages from the following Lotus Notes addresses to be sent to the Internet field to LocalDomainAdmins.
4. Replicate for changes to take effect.

Scenario
Worldwide administrators need to locate and solve two problems within Worldwide's mail routing environment.

To complete this activity:

- Send a test message to a user in another NNN to help determine the source of the problems.
- Correct the problems, and test your solution.

Follow these steps to troubleshoot intranet mail routing.

1. Send a message to a student in another NNN.

Did the mail message reach the user's mail file?

2. If the message did not reach the user's mail file, determine the causes of the problem. Consider the following:

   - Router
   - Mail file quotas
   - Replication of Connection documents in the Domino Directory throughout the domain
   - NNN configuration
   - Mail routing Connection documents

Problem 1:

Problem 2:

Have students send a message to their counterpart in the other region. There are two issues to diagnose and fix. If students cannot solve the problem, tell them to check the Router using the Server Monitor and to verify the contents of Connection documents.

3. Fix the problems you found, then send another message.

Did the mail message reach the user's mail file? If not, why not?

Your instructor will guide you through the following questions.

4. Why did the message not route?
   The Router on the Hub was stopped and server names were incorrect in Connection documents.

When students determine that the Router is stopped, restart the Router. When students fix the Connection documents and the message still will not route, force replication (use the supplied Rep_dd.txt file) and have them try to resend. The messages should route.

5. How did you fix the problem?
   The instructor restarts the Router. Students fix names in Connection documents and enter tell router update config.

6. Why did the message not route?
   The Connection documents have not replicated.

7. Why did the quota controls set in the previous module not affect sending the message?
   The restriction was set to non-delivery of message so that quota was never exceeded.


Lab 12-2: Troubleshoot Internet Mail Routing


Scenario
Worldwide administrators need to locate a problem that prevents servers in other NNNs from routing Internet mail to the relay host. To complete this activity:
- Test mail routing to an Internet user to help determine the source of the problem.
- Correct the problem, and test your solution.

Follow these steps to troubleshoot Internet mail routing.

1. Use the Lotus Notes client to create and send a mail message to an Internet user.
   Did the mail message route to Hub/SVR/WWCorp correctly?

2. If the mail message did not route, try to determine the cause of the problem. Consider whether or not any of the following might be the cause:
   - Network connections
   - SMTP settings
   - Inbound (Hub) and outbound (Mail servers) controls

3. After fixing the problem, resend the mail message.
   Did the mail message route to Hub/SVR/WWCorp correctly?


Your instructor will guide you through the following questions.

4. East students: Why did the message not route?
   SMTP external disabled

5. West students: Why did the message not route?
   SMTP outbound controls changed

6. How did you fix the problem?
   Changed SMTP settings, entered tell router update config.


Lab 12-3: Troubleshoot Undelivered Mail


Before students begin this activity, perform one or both of the following tasks:
- Change mail file locations in the Person documents.
- Switch students' locations to Offline.
Step 3: Provide hints for resolving the problem. Tell students to refer to the checklist at the beginning of the Monitoring Mail section of this course. If students are having trouble resolving the problems, tell them to check the Person and Location documents. Remind students that when they make changes to the Domino Directory, the changes must replicate to all servers.

Scenario
Worldwide administrators need to determine the cause of undelivered mail left in Mail.box. To complete this activity:
- Test mail routing to a user in another NNN to help determine the source of the problem.
- Check for undelivered and dead mail.
- Correct the problem, and test your solution.

Follow these steps to troubleshoot undelivered mail.

1. Use the Lotus Notes client to create and send a mail message to a user in another NNN.
   Did the mail message route to the user correctly?

2. Find at least two ways to see if the mail was undelivered or dead.

3. If the mail message did not route, try to determine the cause of the problem. Consider whether or not any of the following might be the cause:
   - NNN configuration
   - Person documents
   - Location documents
   - Replication of Connection documents in the Domino Directory throughout the domain
   - Mail routing Connection documents

4. After fixing the problem, release the undelivered/dead mail message.
   Did the mail message route to Hub/SVR/WWCorp correctly?

Your instructor will guide you through the following questions.

5. How did you determine that the mail was not delivered?
   Mail tab and Server Monitor.

6. Why was the mail not delivered?
   Incorrect mail location in Person document and incorrect Location document.

7. How did you fix the problem?
   Changed mail location in Person document, changed Location documents. Forced replication, resent or released mail.



Lesson Follow-up

In this course, you deployed a basic Lotus Domino 8.5 infrastructure. This practical experience has prepared you to move forward and obtain the additional knowledge needed for managing the servers and users that make up a Lotus Domino 8.5 infrastructure.

What's Next?
This course is one in a series of system administration courses. The material in Building the IBM Lotus Domino 8.5 Infrastructure provides practice in deploying a Lotus Domino infrastructure. Once you have completed Building the IBM Lotus Domino 8.5 Infrastructure, the recommended next step in the series is the Managing IBM Lotus Domino 8.5 Servers and Users course.

Appendix A: Solutions to Practice Activities

About This Document


The appendix provides detailed, step-by-step solutions to the hands-on portions of the lesson labs for this course. For solutions to activities included elsewhere in the course content, please see the Solutions section of the student guide.

Lesson Lab Solutions


The lesson lab solutions appear in the order in which the material is presented in the course content.


Activity A-1: Lesson Lab 3-1 Solution: Verify the Components Created So Far
Check for Replication or Save conflict documents, and delete them before students start this exercise.

Scenario
Perform the following tasks to complete this activity:
- Locate your Server document and the Administrators field.
- Locate the Certifier documents.
- Locate your Person document and mail file name.
- Locate your server's Mail.box.
- Locate your mail file.

Locate your Server document and the Administrators field
1. In Domino Administrator, click the Configuration tab > Server section > All Server Documents view.
2. Double-click your Server document to open it.
3. Click the Security tab, and note the Administrators field.
   Result: Your instructor added LocalDomainServers as well as the original entry, which was LocalDomainAdmins.
4. Click the X in the task window to close the Server document.

Locate the Certifier documents
5. In Domino Administrator, click the Configuration tab > Security section > Certificates section > Certificates view.
6. Scroll to the bottom of the view.
7. Click Notes Certifiers > WWCorp, and note the names of the four certifiers.

Locate your Person document and mail file name
8. In Domino Administrator, click the People & Groups tab > Domino Directories section > WWCorp's Directory section > People view.
9. Double-click your Person document to open it.
10. On the Basics tab, note your mail server and the path and file name of your mail file.
11. Close the Person document.

Locate your server's Mail.box
12. In Domino Administrator, click the Messaging tab > Mail tab > Server Mailbox (mail.box).

Locate your mail file
13. In Domino Administrator, click the Files tab.
14. Click the mail folder to see the list of mail files on your assigned server.
15. Locate the mail file that matches the name you noted in the Person document.


Activity A-2: Lesson Lab 4-1 Solution: Register Users


Scenario
Worldwide administrators need to register new employees with options using policies. To complete this activity:
- Register one user who will be affected by the organizational policy.
- Register one user who will be affected by the explicit policy.

Follow these steps to register users.

1. In Domino Administrator, select your server to administer.
2. Click the People & Groups tab > Domino Directories section > WWCorp's Directory section > People view.
3. In the Tools pane, click People > Register.
4. Click Certifier ID, select the certifier ID for your region, and click Open. Then, click OK.
5. For the certifier ID password, type passw0rd and click OK.
6. In the Basics panel, perform the following steps:
   - Click Registration Server, select your server, and click OK.
   - Enter the name you created.
   - Enter passw0rd for the password.
   - For the first user you are registering, select the explicit policy you created earlier in the course.
   - For the second user you are registering, do not select any explicit policy; the organizational policy will automatically be assigned to this user.
7. Click Advanced.
8. In the Mail panel, verify that your assigned server is selected as the Mail Server.
9. In the Groups panel, add the user to the mailing list group you created previously.
10. Click .
11. Repeat Steps 6 through 10 to add another user to the queue.
12. Click Register All.
13. Click OK.
14. Click Done.


Activity A-3: Lesson Lab 5-1 Solution: Set Administration Access


Scenario
Perform the following tasks to complete this activity:
- Modify administration levels.
- Access a server in the other administrator group.
- Attempt to compact a database using two methods:
  - Compact a database from the console.
  - Compact the database using menus.
- Record administration access results.

Modify administration levels
1. In Domino Administrator, click the Configuration tab > All Servers Documents view, then open your Server document.
2. Click the Security tab, then click Edit Server.
3. In the Administrators field, delete LocalDomainAdmins.
4. In the Administrators field:
   - If you are in the East OU, enter */East/WWCorp
   - If you are in the West OU, enter */West/WWCorp
5. In the View-only Administrators field:
   - If you are in the East OU, enter */West/WWCorp
   - If you are in the West OU, enter */East/WWCorp
6. Click Save & Close.
7. At the server console, enter restart server

Access a server in the other administrator group
8. Click File > Open Server.
9. Enter the name of a server in the other region.
10. Click OK.

Attempt to compact a database from the console
11. Click the Server tab > Status tab > Server Console view.
12. Click Live.
13. In the Domino Command field, enter the following command: Load Compact Busytime.nsf
14. Click Send.
    Result: The status bar displays an error saying that you are not authorized to use this remote console command.

Compact the database using menus
15. Click the Files tab.
16. Highlight the Local free time info database (Busytime.nsf).
17. In the Tools pane, click Database > Compact.
18. Keep the default settings, and click OK.
    Result: The database should compact successfully using the menu commands. The View-only Administrators field restricts console commands, not menu commands.


Activity A-4: Lesson Lab 6-1 Solution: Create a Connection Document for the Domino Directory
Scenario
To complete this activity, create a Connection document for the Domino Directory.

Create a Connection document for the Domino Directory
1. In Domino Administrator, select the server to administer.
2. Click the Configuration tab > Replication section > Connections view.
3. Click Add Connection.
4. On the Basics tab, select Local Area Network for the Connection type.
5. Enter the following information for the source server and domain:
   - Source server: Hub/SVR/WWCorp
   - Source domain: WWCorp
6. Enter the following information for the destination server and domain:
   - Destination server: Enter your server's hierarchical name.
   - Destination domain: WWCorp
7. Click Choose Ports, select TCPIP, and click OK.
8. On the Replication/Routing tab, enter information in the appropriate fields according to the descriptions that follow.
   - Replication task: Set to enabled.
   - Replicate databases of: Leave this at the default (Low & Medium & High) in case someone changes the priority in the replication settings of the Domino Directory.
   - Replication type: Select Pull Push.
   - Files/Directory paths to replicate: Enter Names.nsf
   - Replication time limit: Leave this blank for classroom purposes.
9. On the Schedule tab, enter the information in the appropriate fields according to the descriptions that follow.
   - Schedule: Set to Enabled.
   - Connect at times: Enter 12:00 AM - 11:59 PM
   - Repeat interval of: Enter 120 minutes.
   - Days of week: Leave the following default days: Sun, Mon, Tue, Wed, Thu, Fri, Sat
10. Click Save & Close.


Activity A-5: Lesson Lab 6-2 Solution: Monitor the Replication Schedule
Scenario
Perform the following tasks to complete this activity:
- Replicate the Connection documents.
- Use the Replication Tools.

Replicate the Connection documents
1. In Domino Administrator, click the Server tab > Server Tasks view.
2. In the Tools pane, click Server > Replicate.
3. In the dialog box, perform the following:
   - For Which server do you want to replicate with, select Hub/SVR/WWCorp.
   - For Replicate, select Selected database, click Database, select WWCorp's Directory, and click OK.
   - Click Replicate.
4. When replication is finished, click Done.

Use the Replication Tools
5. In Domino Administrator, click the Server tab > Status tab > Server Tasks view.
6. Locate the Maps Extractor task. If it is not listed, use the Tools pane to click Task > Start, and select Maps Extractor. Then, click Start Task, and click Done.
7. Click the Replication tab > Replication Events view, and open each document to verify that data was exchanged between replicas.
8. Click the Replication Topology section > By Connections view to see a map that represents the servers between which there are Connection documents.
   Note: The map shows all Connection documents, even ones in which replication is disabled.


Activity A-6: Practice Activity 7-1 Solution: Test NNNs


Scenario
To complete this activity, send messages to users.

Send messages to users
1. Create a mail message and send it to a user in your NNN. For example, if you are in the WWCorpEast NNN, send it to a user in WWCorpEast. The user should receive the message because both mail servers are in the same NNN.
2. Create a mail message and send it to Doctor Notes. Doctor Notes should not receive the message because Doctor Notes is in a different NNN: WWCorpHQ.


Activity A-7: Lesson Lab 7-2 Solution: Test Connection Documents by Sending Messages to Users
Scenario
To complete this activity, send messages to users.

Send messages to users
1. Create a mail message and send it to a user in a different NNN. For example, if you are in the WWCorpEast NNN, send it to a user in WWCorpWest.
2. Create a mail message and send it to Doctor Notes.
   All users should receive the messages because Connection documents allow for mail to be sent to different NNNs.


Activity A-8: Lesson Lab 10-1 Solution: Set Mail Controls


Scenario
To complete this activity:
- Create a quota and threshold on the user's mail file.
- Set a quota restriction on the user's mail file.
- Enable mail journaling.
- Create a mail rule to deny messages containing specific attachments.
- Create a mail rule to journal messages from Doctor Notes.
- Activate the rules.
- Use mail controls to establish standards.
- Test mail controls.

Create a quota and threshold on the user's mail file
1. On the Files tab, select your user's mail database.
2. In the Tools pane, click Database > Quotas.
   Result: The Set Quotas dialog box appears.
3. Click Set database quota to and enter 15
4. Click Set warning threshold to and enter 14
5. Click OK.

Set a quota restriction on the user's mail file
6. Click the Configuration tab > Messaging section > Configurations view.
7. Select your server, and click Edit Configuration.
8. Click the Router/SMTP tab > Restrictions and Controls tab > Delivery Controls tab.
9. For Over warning threshold notifications, select Per time interval.
   Result: The Warning interval field appears.
10. For Warning interval, type 1 and select Days.
11. For Over quota notification, select Per message to send a message to the user when the quota is exceeded.
12. For Over quota enforcement, select Non deliver to originator.
13. Save the Configuration Settings document.

14. At the server console, enter tell router update config

Enable mail journaling
15. In the Configuration Settings document for your server, click the Router/SMTP tab > Advanced tab > Journaling tab.
16. In the Basics section:
    - For Journaling, select Enabled.
    - For Field encryption exclusion list, use the default values.
    - For Method, use the default value.
    - For Encrypt on behalf of user, select your administrator user name.
    In the Database Management section:
    - For Method, use the default value.
    - For Periodicity, use the default value.
17. Save the Configuration Settings document.
18. At the server console, enter Tell Router Update Config

Create a mail rule to deny messages containing specific attachments
19. In your Configuration Settings document, click the Router/SMTP tab > Restrictions and Controls tab > Rules tab. Click New Rule.
20. For Specify Conditions:
    - Select any attachment name.
    - Select contains (default).
    - Enter .abc
    - Click Add.
21. For Specify Actions, perform the following:
    - Select don't accept message.
    - Click Add Action.
22. Click OK.
23. Save the Configuration Settings document.

Create a mail rule to journal messages from Doctor Notes
24. In your Configuration Settings document, click the Router/SMTP tab > Restrictions and Controls tab > Rules tab. Click New Rule.

25. For Specify Conditions:
    - Select sender.
    - Select contains.
    - Enter Doctor Notes
    - Click Add.
26. For Specify Actions, perform the following:
    - Select journal this message (default).
    - Click Add Action.
27. Click OK.
28. Save the Configuration Settings document.

Activate the rules
29. Click the Server tab > Status tab > Server Console view.
30. If necessary, click Live.
31. In the Domino Command field of the console, enter the following command: set rules
    Click Send.

Use mail controls to establish standards
32. Create a mail message addressed to your partner.
33. Attach the Domino Administrator Help file to make the message large enough to trigger the quota.
34. Send the message.

Test mail controls
35. Address a memo to your partner.
36. Attach the Test.abc file to the message.
37. Click Send.
    Result: A message box displays: Document has been rejected by mail rule <server_name> mail.box
38. Click OK.
39. Press Esc, and click Discard to dismiss the memo form.
40. In Domino Administrator, open the Mailjrn.nsf database to see if there are any messages from Doctor Notes.
41. Close the Mail Journaling database.


Activity A-9: Lesson Lab 10-2 Solution: Assign and Test the Archive Policy
Scenario
Perform the following tasks to complete this activity:
- Assign an explicit policy to yourself.
- Try to archive your mail.

Assign an explicit policy to yourself
1. Click the People & Groups tab > Domino Directories section > WWCorp's Directory section.
2. In the People view, select your user name and click Tools > People > Assign Policy. Click OK.
3. For Policy to assign, select the explicit policy you created.
4. For How to apply policies to selected users, select In the Person document.
5. Click OK.
6. Click Yes.
7. Click OK.
8. Select your Person document, and click Edit Person.
   Note: You must be in edit mode to see assigned policies in the Person document.
9. Click the Administration tab and locate the Policy Management section > Assigned policy field to verify the policy was assigned.
10. Click Save & Close.

Try to archive your mail
11. Open your mail file.
12. Click Actions > Archive > Settings.
    Result: The Archive Settings dialog box appears with settings disabled and a message stating that archiving is not permitted.
13. Click Cancel.


Activity A-10: Lesson Lab 12-1 Solution: Troubleshoot Intranet Mail Routing
Scenario
To complete this activity, send mail to a user in another Notes Named Network, and then complete the following tasks:
- Restart the Router.
- Fix server names in Connection documents.
- Force replication.

Restart the Router
1. In Domino Administrator, select the mail server to administer.
2. Click the Messaging tab > Mail tab.
3. In the Tools pane, click Messaging > Stop Router.
4. In the Tools pane, click Messaging > Start Router.

Fix server names in Connection documents
5. In Domino Administrator, edit your server's Connection document.
6. Correct the server names in the source and/or destination fields of the Connection documents.
7. Click Save & Close.
8. At the server console, enter tell router update config

Force replication
9. Click the Server tab > Status tab > Server Console view.
10. Click Live.
11. In the Domino Command field of the console, enter the following command: rep Hub/SVR/WWCorp
    Click Send.
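
The Lab 12-1 fault, a server name mistyped in a Connection document (East01/SRV/WWCorp for East01/SVR/WWCorp), can be caught before mail stops routing by comparing Connection document names against Server document names. The following is an added example, not part of the course material: it works on constructed records rather than a live Domino Directory, and the function names and record layout are assumptions.

```python
"""Cross-check Connection document server names against Server documents.

Added example. All records are constructed; a real check would read them
from an export of the Domino Directory (the dict layout is an assumption).
"""
from difflib import get_close_matches

# Constructed sample: names taken from the Server documents in the domain.
SERVER_DOCS = ["Hub/SVR/WWCorp", "East01/SVR/WWCorp", "West01/SVR/WWCorp"]

# Constructed sample: source/destination fields of Connection documents.
# Documents 0 and 1 carry the Lab 12-1 fault (SRV typed for SVR).
CONNECTION_DOCS = [
    {"source": "Hub/SVR/WWCorp", "destination": "East01/SRV/WWCorp"},
    {"source": "East01/SRV/WWCorp", "destination": "Hub/SVR/WWCorp"},
    {"source": "Hub/SVR/WWCorp", "destination": "CN=West01/OU=SVR/O=WWCorp"},
    {"source": "West01/SVR/ WWCorp", "destination": "Hub/SVR/WWCorp"},
]


def normalize_name(name):
    """Return an abbreviated, case-folded hierarchical name.

    Accepts the abbreviated form (East01/SVR/WWCorp) or the canonical
    form (CN=East01/OU=SVR/O=WWCorp) and ignores stray whitespace.
    """
    parts = []
    for part in name.split("/"):
        part = part.strip()
        if "=" in part:                      # drop CN=, OU=, O= labels
            part = part.split("=", 1)[1].strip()
        parts.append(part)
    return "/".join(parts).casefold()


def audit_connections(server_names, connections):
    """Return (findings, unlinked).

    findings: one dict per source/destination value that matches no
              Server document, with the closest known name as a hint.
    unlinked: servers that no fully valid Connection document references,
              so nothing tells the Router or Replicator how to reach them.
    """
    known = {normalize_name(n): n for n in server_names}
    findings = []
    linked = set()
    for idx, doc in enumerate(connections):
        valid = True
        for field in ("source", "destination"):
            key = normalize_name(doc[field])
            if key in known:
                continue
            valid = False
            close = get_close_matches(key, list(known), n=1, cutoff=0.8)
            findings.append({
                "doc": idx,
                "field": field,
                "value": doc[field],
                "suggestion": known[close[0]] if close else None,
            })
        if valid:
            linked.update(normalize_name(doc[f])
                          for f in ("source", "destination"))
    unlinked = sorted(known[k] for k in known if k not in linked)
    return findings, unlinked


def format_report(findings, unlinked):
    """Turn the audit result into printable lines."""
    lines = []
    for f in findings:
        hint = f" (did you mean {f['suggestion']}?)" if f["suggestion"] else ""
        lines.append(f"Connection #{f['doc']} {f['field']}: "
                     f"unknown server {f['value']!r}{hint}")
    for name in unlinked:
        lines.append(f"{name}: no valid Connection document references it")
    return lines


if __name__ == "__main__":
    for line in format_report(*audit_connections(SERVER_DOCS, CONNECTION_DOCS)):
        print(line)
```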


Activity A-11: Lesson Lab 12-2 Solution: Troubleshoot Internet Mail Routing
Scenario
To complete this activity, send mail to an Internet address and then perform the following tasks:
- Enable SMTP externally.
- Set SMTP controls.
- Force replication.

Enable SMTP externally
1. Edit your Configuration Settings document.
2. Click the Router/SMTP tab > Basics tab.
3. On the Basics tab, complete the SMTP fields as follows:
   - SMTP used when sending messages outside of the local internet domain: Enabled
4. Click Save & Close.
5. At the server console, enter tell router update config

Set SMTP controls
6. Edit your Configuration Settings document.
7. Click the Router/SMTP tab > Restrictions and Controls tab > SMTP Outbound Controls tab.
8. In the Deny messages from the following Notes addresses to be sent to the Internet field, enter GlobalSales
9. Click Save & Close.
10. At the server console, enter tell router update config

Force replication
11. Click the Server tab > Status tab > Server Console view.
12. Click Live.
13. In the Domino Command field of the console, enter the following command: rep Hub/SVR/WWCorp
    Click Send.


Activity A-12: Lesson Lab 12-3 Solution: Troubleshoot Undelivered Mail


Scenario
Perform the following tasks to complete this activity:
- Change the person information.
- Change the Location document.
- Force replication.

Change the person information
1. Click the People & Groups tab.
2. Select your Person document, and click Edit Person.
3. Click the Basics tab, and locate the Mail file field.
4. Change the location of the mail file.
5. Click Save & Close.

Change the Location document
6. In the Notes client message bar, click the Location document in the lower right.
7. Select the Online location.

Force replication
8. Click the Server tab > Status tab > Server Console view.
9. Click Live.
10. In the Domino Command field of the console, enter the following command: rep Hub/SVR/WWCorp
    Click Send.

Appendix B: The Worldwide Corporation Infrastructure Plan

About This Appendix


This appendix provides an overview of Worldwide Corporation's infrastructure. It is intended to provide an overall view of the environment as designed by the planning team. It does not provide details on specific IBM Lotus Domino functionality. This document will be continually updated. Administrators should refer to the Policies and Procedures application on any Worldwide Corporation server for the latest version of this document. IBM Lotus Notes and Lotus Domino are Worldwide Corporation's global standard for electronic mail and for developing and deploying groupware applications.


Organization Structure
The structure of Worldwide Corporation is illustrated in the following figure.

Figure B-1: Structure of Worldwide Corporation

Servers By Task
Worldwide Corporation will designate servers to specific tasks based on Information Groups. The following table lists the servers, associated tasks, and rationale behind the decision.

Server type: Hub
  Tasks: Routes mail and replication applications to and from other hub or spoke servers.
  Rationale: Provide easier administration and maintenance.

Server type: Internet Messaging
  Tasks: Provides non-Lotus Domino mail services, such as POP3, IMAP, SMTP, NNTP, and LDAP.
  Rationale: Use Lotus Domino server to provide employees with access to non-Lotus Domino mail files.

Server type: LDAP
  Tasks: Service, LDAP Directory
  Rationale: Provides a central user record repository.

Server type: Collaboration
  Tasks: Provide instant messaging, web meeting, blogs, wikis, and audio/video needs.
  Rationale: Use IBM Lotus Sametime and IBM Lotus Quickr to service collaboration needs.

Server type: Application Web Server
  Tasks: Provide content application web interface.
  Rationale: Utilize IBM WebSphere Portal as a composite application interface.

Server type: Mail
  Tasks: Stores users' mail and applications and routes mail across the intranet and Internet.
  Rationale: Provide easier administration. Minimize server processor load. Reduce network traffic. Provide predictable server performance and grouping of users. Allow user access to applications when mail server is down.

Server type: Application
  Tasks: Stores applications.
  Rationale: Provide easier administration. Group applications by usage, replication needs, and/or security requirements. Allow tuning of server to optimize performance and response time independent of mail usage. Ease expansion by adding new application servers as usage and storage needs increase.

Server type: Web
  Tasks: Provides access to an application from the Internet or to the corporate intranet. Can use either Lotus Domino Web server or Microsoft IIS.
  Rationale: Can place outside the firewall for Internet access. Provide employees with access to corporate information from a browser.

Server type: Service Oriented Architecture
  Tasks: Lotus WebSphere. Application server.
  Rationale: Deliver a secure system. Provide a portal.

Servers By Location
Worldwide Corporation will have one Lotus Domino Domain (WWCorp) that includes all Worldwide Corporation offices. Worldwide Corporation's Internet domain name has been registered as WWCorp.com.

Topology
Worldwide Corporation has selected a hub-and-spoke topology for ease of management and future expansion. There is one hub server and one or more spoke servers. Each site will be set up to run independently, although they will be connected to the corporate hub. Connection documents are required for replication to tell the corporate hub how and when to communicate with other servers and for spoke servers to connect to the corporate hub.


The hub server is the center of the infrastructure, which has high-speed links running to the offices. Each individual server is responsible for its own mail routing and replication events. The hub server is responsible for replication of the critical applications between all its spoke servers. The following figure illustrates the locations and types of servers.

Figure B-2: Server types and locations

The hub server


The hub server is the administration server for the Worldwide Corporation domain and replicates the Directory Catalog and the Administration Requests application to all other servers within the Worldwide Corporation domain (WWCorp). Customers and vendors will have access through a Web server.

Notes Named Networks


The regional sites will be logically grouped into Notes Named Networks (NNNs), since they share a common protocol (TCP/IP) and are constantly connected. Grouping the Notes Named Networks this way will ensure that users see information on their local servers to reduce network traffic.


System Administration
System administration is locally controlled by region, but monitored from the corporate office. Administration tasks are controlled by regional administrators. General policies and guidelines are maintained and distributed from the Corporate office. Implementation and design changes are carried out after business justifications are submitted and approved. All Lotus Domino system administrators use the Lotus Domino Administrator and Web Administrator for all administration tasks. All other administrators use appropriate tools to complete their daily tasks.

Domino Domain Monitoring


System administrators will use Domino Domain Monitoring and the integrated IBM support assistant to proactively monitor the WWCorp Domain.

Network Strategy
Worldwide Corporation's strategy includes these components:
- Incorporating TCP/IP as their primary network protocol.
- Providing high-bandwidth networking connections to all offices from headquarters.
- Incorporating Lotus Sametime and Lotus Quickr throughout the corporation as collaboration tools.
- Incorporating a WAS server to enhance internal and customer interaction.

Directory Strategy
There will be more than one Lotus Domino domain (WWCorp) for the entire Worldwide Corporation Lotus Domino environment. The model matches the physical layout of the Worldwide Corporation WAN. The first configured server (the corporate hub) will have full administration rights over the entire domain. When incorporated, the LDAP TDI is used to provide user information. The Lotus Domino Directory will reside on the corporate hub server at headquarters, and replicate to each regional server. The corporate hub will create Directory Catalogs and replicate to regional servers for use by remote users. Remote users can keep a local replica of the Directory Catalog on the client for faster response time and timely encryption of messages. System administrators will periodically update the Directory Catalog and replicate once a day to servers.


Copyright IBM Corporation 2009


Directory access is from:

- Lotus Notes clients.
- Web browsers.
- Other e-mail and directory clients.
- Lotus Sametime client.

Replication Topology
A hub-and-spoke topology will be used for replication. This structure consists of a main hub with spoke servers. The corporate hub server will be the primary hub and share control of replication with regional servers.

Streaming replication
Connection documents are required for replication to tell the corporate hub how and when to communicate with other servers and for spoke servers to connect to the corporate hub. To take advantage of the new streaming replication feature in Lotus Domino 8, connections between hub servers will use the Pull/Pull replication strategy. Administrators will create Connection documents between the WWCorp Domain Hub and regional hub servers using the Pull:Pull strategy. This will take advantage of the speed of Streaming Replication. It is important to note that WWCorp employees are not expected to access these servers, so all hub servers can share the replication workload.
Note: Employees are not expected to access hub servers.


The following figure illustrates Worldwide Corporation's replication topology.

Figure B-3: Worldwide Corporation's replication topology

Integrated Db2 Technology


Administrators will leverage the speed of Db2 Server Technology while maintaining Lotus Domino security access to data in the Db2 environment.

Mail Routing Strategy


Each region will have its own server that is responsible for local mail delivery, but will rely on the corporate mail server for inbound Internet mail:

- Simple Mail Transfer Protocol (SMTP) will route mail to the Internet.
- Notes Remote Procedure Call (NRPC) will route mail within the corporate intranet.

The following configuration provides for ease of configuration and optimum load balancing and failover:

- One Internet domain.
- ISP as a relay host to Internet.
- The corporate mail server is enabled to route external mail using the SMTP protocol.
- All mail servers have Connection documents and route mail using NRPC internally.


The WWCorp Domain Hub will be configured to send and receive Internet mail. Administrators will use whitelists and blacklists to improve mail routing performance. In addition, Transfer and Delivery Reports will be used to notify users if their mail is unable to be delivered.

Mail Administrators
Administrators must perform the following tasks:

- Store the Internet domain name in the Foreign SMTP and Global Domain documents.
- List the inbound mail servers in the Mail Exchange (MX) records in the Domain Name Service under the domain's name. Only one is required. (Note that load balancing for multiple servers is dependent on the algorithm used by the client SMTP system to select a server from the MX records.)
- Configure complete address lookup or configure local part only lookup to identify each mail recipient's mail server so that the router can make the final delivery.

Mail clients
Initially, some mail users will have Lotus Notes mail files. In the future, some mail users may use other Internet mail client software. At that time, Worldwide Corporation will set up select Internet POP3 Messaging Servers for non-Lotus Notes mail clients to access mail files on the Lotus Domino server.

Mail monitors and controls


The following mechanisms will be put into place for monitoring and controlling mail:

- Automated testing of mail routers.
- Mail quotas.
- Inbox cleanup.
- Mail journaling.
- Set options for Mail Recall.
- Set options for Out of Office agent.
- Reject inbound ambiguous names/deny mail to groups.
- Maximum message size for inbound and outbound message set to 10 megabytes.
- User restrictions, such as full-text indexing and other Policy Management enhancements.


Server managed provisioning


Administrators will use the Eclipse Provisioning model to deploy Lotus Notes 8 Client features, components, and composite applications.

Mail routing topology


The following figure illustrates Worldwide Corporation's mail routing topology.

Figure B-4: Worldwide Corporation's mail routing topology

Reverse path setting for forwarded messages


Administrators will use this function to specify how the mail router handles delivery failure reports when e-mails are automatically forwarded by an action in a user's mail rule. This will reduce inadvertent rejection of legitimate mail by some spam filters when automatic mail forwarding is enabled.

Worldwide Corporation Naming Conventions


The following table defines the Worldwide Corporation naming scheme.

Organization component: Organization (O)
Value: WWCorp
Certifier: wwcorp.id

Organization component: Organizational units (OUs)
Value: WEST: West; EAST: East; SVR: All servers
Certifier: sales.id, operations.id, hub.id, west.id, east.id, svr.id. There may be additional ID files needed.

Organizational units are based on geographical regions and job role. The servers organizational unit will be used for better control of management and creation of servers. All organizational units and common names are descendants of the organization certifier /WWCorp.

User naming
The following table provides user naming conventions.

Type: Common name for Lotus Domino environment
Syntax: Firstname Lastname

Type: Internet mail addressing
Syntax: username@WWCorp.com where username = Firstinitial_Lastname

Server naming for Lotus Domino


The following table provides examples for regional server names.

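Region: Hub
Server names (server types): HUB/SVR/WWCorp (Hub)
Server address: hub.wwcorp.com

Region: East
Code: East## (01-06)
Server names (server types): EAST01/SVR/WWCorp
Server address: east01.wwcorp.com

Region: West
Code: West## (01-06)
Server names (server types): WEST01/SVR/WWCorp
Server address: west01.wwcorp.com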


Naming examples for Lotus Domino


The following table provides naming examples for international sites.

If you want to: Create a new server.
Then: Use the name Type##/SVR/WWCorp, where:
- Type is the server type, or region, for example, East.
- ## is the server number of this type.

If you want to: Create a new organizational unit.
Then: Use the standard department code that identifies the location of the organizational unit. A new organizational unit for Sales might be: /Sales/WWCorp

If you want to: Create a new user.
Then: Certify under the regional organizational unit where the user works. A new user named Sara Jones in Sales would be: Sara Jones/Sales/WWCorp. The corresponding Internet name would be: Sara_Jones@WWCorp.com

Certifier/ID management policy

The following table describes the certifier/ID management policy.

Type: Organization certifier
Management policy:
- Corporate system administrators create the O certifier.
- Corporate system administrators create the OU certifiers.
- Access is limited to two administrators using multiple passwords.
- Store IDs in protected areas.

Type: Organizational unit certifiers
Management policy:
- Corporate administrators keep copies of OU certifiers.
- OU certifiers are migrated to the CA process.
- Regional administrators use the CA process to register users and servers using these OU certifiers.
- Store IDs in protected areas.

Type: Server IDs
Management policy:
- Corporate system administrators create all server IDs.
- Store IDs on the server.
- Use only for the server.

Type: User IDs
Management policy:
- Regional administrators create user IDs.
- Regional system administrators keep copies of IDs in a secure application on the hub server.
- Use a Certification Log application to track certification.
- All Certifier IDs have multiple passwords and expiration dates of 20 years from date of creation. This is not recommended, but is used for classroom purposes.
- Store backups in a secure off-site location.

Type: Key files for Internet (X.509) Certificates
Management policy:
- Using Lotus Domino as a Certificate Authority, administrators will create X.509 certificates using the Certificate Authority Application on a workstation and store the CA key ring on that workstation, not on the server.
- Do not distribute these files to other administrators in the organization.
- Store the certificates in a secure off-site location.
- Store in corporate user Lotus Notes ID files.
- Store in trusted LDAP directories (for customers).


Hierarchical naming for Worldwide Corporation


The following figure illustrates the organization hierarchy, including currently planned server names.

Figure B-5: Worldwide Corporation's organizational hierarchy

Remote Access
Worldwide Corporation has determined specific Internet access for remote employees, vendors, resellers, and customers, based on their needs.

Internet access
The following Internet access will be used:

- Authenticated access for employees
- Public access Web server for vendors, resellers, and customers, including controlled access to servers, applications, and data

The following table describes types of access.

Employees: X.509 certificates
Customers: Anonymous access to catalog and public company information. Future: Username and password access to information about their own orders, for example, shipping information.
Vendors: Anonymous access
Resellers: Authenticated access through outside LDAP directories.

Internet security features


Administrators will use XACLs to decipher hashed passwords. Internet Password Lockout will be used to restrict Internet users to three login attempts before account lockout.

Remote users
Users at home offices that do not have direct connections to the WAN can use an Internet Service Provider (ISP) to access the Lotus Domino system through a local Firewall server. Remote users can connect to their mail server through the local Firewall servers.

Server Configurations and Security


Worldwide Corporation has determined configurations for servers, including licensing, file structure, and server tasks. Server security has been defined as group access to servers.

Server types
The following table lists the server licenses that will be used for each of the server types.

Server type: Lotus Domino Mail and Internet Messaging servers
Server license: Lotus Domino Messaging Server
Rationale: To provide Lotus Domino and Internet mail services

Server type: Application and Web servers
Server license: Lotus Domino Utility Server
Rationale: To provide custom applications for Lotus Notes and Web clients

Server type: Hub server
Server license: Lotus Domino Enterprise Server
Rationale: To provide the following services:
- Clustering
- Partitioning

Server type: WAS
Server license: WebSphere Application Server
Rationale: To provide the following services:
- Build and deploy application services
- Run services efficiently
- Secure applications and data

File structure for Domino Servers


The following table lists the standard file structure on the Domino servers.

Path: Domino
Contents: System files, client files
Description: Client files will be installed for network distribution purposes.

Path: Domino\data
Contents: Applications, general data files
Description: Lotus Domino system applications that are required for Lotus Domino to function properly.

Path: Domino\data\critical
Contents: Applications
Description: Critical applications that require frequent replication.

Use the standard installation file paths whenever possible to ensure standardized training and ease of support and troubleshooting.
Note: Store Lotus Domino executables on a separate disk from Lotus Domino data for better performance.


These areas of the Lotus Domino file structure are accessible to only designated personnel for installation purposes. All other Lotus Domino data is protected by operating system security and is accessible to Lotus Domino administrators only.

Configuration documents
Every Worldwide Corporation server has its own Configuration document. This ensures that each server configuration can be modified separately and that there is a log of any changes made. The Lotus Domino configuration application will be used for server setup to streamline and automate setup. A Configuration document exists for each server type (for example, hub, mail, application) and is then distributed to other servers of the same type.

Lotus Domino tasks by server type


The following table lists the minimum requirements for all Configuration documents.

Lotus Domino server type: Standard services for all servers
Recommended tasks:
- Mail Router
- Replicator
- Indexer
- Agent Manager
- Administration Process
- Event Manager
- Statistics

Lotus Domino server type: Mail servers
Recommended tasks:
- Calendar Connector
- Schedule Manager
- HTTP for Web mail

Lotus Domino server type: Application servers
Recommended tasks:
- Standard services only, no additional services

Lotus Domino server type: Hub servers
Recommended tasks:
- HTTP, both mail and applications
- SMTP (Headquarters hub only)

Lotus Domino server type: Web servers
Recommended tasks:
- HTTP for Web applications

Lotus Domino server type: Internet messaging servers
Recommended tasks:
- POP3 and SMTP
- IMAP
- LDAP
- NNTP

Group naming for servers


Groups will be used to determine access to servers and for added security. The following naming convention will be used to identify the location and type of group:

region[global]descriptionofgroup

For example: HQAdmins or GlobalSales. Within groups, names are sorted in alphabetical order.

Note: Administrators may use Tivoli Directory Integrator (TDi) as an LDAP provider in addition to Domino Directory. In that case, groups such as LocalDomainAdmins, OtherDomainServers, and DenyAccess must reside on Domino Directory, while others can reside on TDi.

Deny access groups


As an added security feature, Worldwide Corporation will use four groups, which represent access denial to any Worldwide Corporation servers. In each server's restrictions setting, these groups will be added in the Not access server fields. The following table describes the four groups.

Group name: Deny Access A-F
Description: Denial for people whose family names begin with A-F.

Group name: Deny Access G-L
Description: Denial for people whose family names begin with G-L.

Group name: Deny Access M-R
Description: Denial for people whose family names begin with M-R.

Group name: Deny Access S-Z
Description: Denial for people whose family names begin with S-Z.

Before deleting a user from the Lotus Domino system, add the user to one of these groups. This will ensure immediate denial to any Worldwide Corporation server.
Note: This is subject to replication of the changes throughout the domain, which will take no longer than 60 minutes.
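
The server naming scheme and the deny access groups above can be checked mechanically. The following is an added example, not part of the course material: it audits a list of server names against Type##/SVR/WWCorp, derives the expected server address, and picks the Deny Access group for a user. It assumes the regional range is 01-06, that matching is case-insensitive, and that the family name is the last word of the common name; all function names and the sample list are hypothetical.

```python
import re

ORG = "WWCorp"                 # organization certifier from the plan
SERVER_OU = "SVR"              # organizational unit reserved for all servers
DNS_SUFFIX = "wwcorp.com"      # suffix used in the server address column
REGION_NUMBERS = range(1, 7)   # assumption: regional servers are numbered 01-06
DENY_RANGES = (("A", "F"), ("G", "L"), ("M", "R"), ("S", "Z"))


class NamingError(ValueError):
    """Raised when a name does not fit the Worldwide Corporation scheme."""


def split_hierarchical(name):
    """Split 'CN/OU/.../O' into (common name, [OUs]); the O must be WWCorp."""
    parts = [p.strip() for p in name.split("/")]
    if len(parts) < 2 or not all(parts):
        raise NamingError(f"{name!r}: not a hierarchical name")
    if parts[-1].lower() != ORG.lower():
        raise NamingError(f"{name!r}: organization is not /{ORG}")
    return parts[0], parts[1:-1]


def server_address(name):
    """Validate a server name and return the address the plan expects for it."""
    cn, ous = split_hierarchical(name)
    if [ou.upper() for ou in ous] != [SERVER_OU]:
        raise NamingError(f"{name!r}: servers must be certified under /{SERVER_OU}")
    host = cn.upper()
    if host != "HUB":
        match = re.fullmatch(r"(EAST|WEST)([0-9]{2})", host)
        if match is None or int(match.group(2)) not in REGION_NUMBERS:
            raise NamingError(f"{name!r}: expected HUB, EAST## or WEST## (01-06)")
    return f"{host.lower()}.{DNS_SUFFIX}"


def deny_access_group(user_name):
    """Return the Deny Access group a departing user must be added to."""
    cn, _ = split_hierarchical(user_name)
    initial = cn.split()[-1][0].upper()
    for low, high in DENY_RANGES:
        if low <= initial <= high:
            return f"Deny Access {low}-{high}"
    # Initials outside A-Z (digits, accented letters) match none of the four
    # groups; surface them so the user is not silently left with access.
    raise NamingError(f"{user_name!r}: family name initial {initial!r} has no group")


def audit_server_names(names):
    """Return (name, reason) for every entry that breaks the naming scheme."""
    findings = []
    for name in names:
        try:
            server_address(name)
        except NamingError as exc:
            findings.append((name, str(exc)))
    return findings


# Constructed sample of a server access list, for illustration only.
SAMPLE_ACCESS_LIST = [
    "HUB/SVR/WWCorp",
    "EAST01/SVR/WWCorp",
    "WEST07/SVR/WWCorp",      # number outside 01-06
    "EAST02/Sales/WWCorp",    # server certified under a user OU
    "WEST03/SVR/OtherCorp",   # foreign organization
]

if __name__ == "__main__":
    for name, reason in audit_server_names(SAMPLE_ACCESS_LIST):
        print("nonconforming:", reason)
    print(deny_access_group("Sara Jones/Sales/WWCorp"))
```

A family name that starts outside A-Z raises an error instead of defaulting to a group, because the four groups in the plan cover only those letters.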

Server configuration plan


The following table describes the server configuration plan.

Standard: Application size quotas
Requirement: No application size quotas, unless archiving is needed for a particular course

Standard: Application names
Requirement: No database naming standards

Standard: File system directory structure
Requirement: Standard directory structure, for example:
\Domino\Data\Global\HR1
\Domino\Data\Global\Marketing
\Domino\Data\Local\Marketing
\Domino\Data\Local\Dev1

Standard: Groups spanning the entire organization
Requirement:
- One group for all server administrators, for example: GlobalAdmins
- Groups for specific categories of employees, for example: GlobalSales

Standard: Groups at all sites
Requirement:
- A group for each region, for example: EastAll (for all Worldwide Corporation employees in East)
- One group for administrators per region, for example: WestAdmins (for all server administrators in West)

Client Configurations and Security


Worldwide Corporation has determined configurations for clients, including licensing and registration and desktop settings. Client security has been defined using security policies, including client IDs and certificates and group access to databases.

Client licenses
Client licenses will be:

- Lotus Notes Client for most users, all generic IDs, and any contractual or affiliate accounts.
- IBM Lotus Domino Designer for users who will create, modify, or design databases.
- Lotus Domino Administrator for system administrators.

Client deployment
Desktop, registration, and security policies will be used to set up users' environments. For Internet mail, account documents will be created locally for each mail protocol. Mail will be stored in Notes Rich Text format. Worldwide Corporation will use policy documents to create and update Location and Connection documents on workstations for dial-up users to determine where and how to locate the servers.

Client IDs and certificates


The following table describes the policy regarding client IDs and certificates.

Type: Lotus Notes client IDs
Policy:
- Certify all IDs using a Lotus Domino certificate.
- Users responsible for secure or encrypted information, such as pricing information to resellers, will hold an Internet (X.509) certificate.
- Stored on workstations for all users and encrypted locally.
- Copies are kept in a secure location by regional as well as corporate administrators.

Type: Internet client browsers
Policy:
- Accept CA certificate as a trusted root.
- Store internal signed client certificates for access to secure information.

Longer encryption keys


Administrators will use the Lotus Domino 8 Certifier Key rollover to upgrade user, server, and certifier IDs, taking advantage of the new 2048-bit encryption for users and servers, and 4096-bit keys for certifier IDs.

File storage
Client-based data files, such as IDs, Notes.ini, and *.dsk, will be stored on the workstation for all users and encrypted locally.

Implementing the Deployment Plan


Complete these tasks to implement the Lotus Notes and Lotus Domino components of the Worldwide Corporation deployment plan.

Task: Procedure

1. Set up the first server.
2. Add an administrator's workstation.
3. Set up access to the Lotus Domino Directory.
4. Add Lotus Domino servers.
5. Add organizational units.
6. Register administrators.
7. Add Lotus Notes clients.
8. Create user groups.
9. Create organizational policy.
10. Register users.
11. Set administration preferences.
12. Set up access to servers.
13. Set up server logging.
14. Synchronize Lotus Domino system databases throughout the domain.
15. Route mail internally.
16. Route mail to the Internet.
17. Set mail controls.
18. Test mail routing and delivery.

Appendix C

Certification and Exam Competencies


IBM Software Services for Lotus Training and Certification
IBM Software Services for Lotus offers training and certification programs designed to help customers take full advantage of technology investments to improve business processes. Lotus software training ensures that individuals get up to speed quickly and effectively whether delivered in the classroom, on the desktop, or via distributed learning. For more information on Lotus software training, please visit http://www.ibm.com/lotus/training.

The IBM Certified Professional for Lotus Software program provides individuals with a means to benchmark their technical knowledge and achieve industry recognition, which results in increased business value to both the individual and their organization. As a member of a highly regarded certified community, individuals enjoy benefits commensurate to their certification level. For more information on certification, please visit http://www.ibm.com/lotus/certification.

Skills Roadmaps are available to guide you on your path to knowledge. Roadmaps identify courses in their logical sequence to complete a specific curriculum or certification program. To view Skills Roadmaps for Lotus, please visit http://www.ibm.com/lotus/trainingroadmaps.

Lotus Professional Certification


Lotus software has robust certification programs in support of IBM Lotus software and technical skills. For complete information on the Lotus professional certification program, visit the IBM Software Services for Lotus Certification Web page at http://www.ibm.com/lotus/certification.


Place in certification
Building the IBM Lotus Domino 8.5 Infrastructure is listed as one of the preparation resources for the following exam:

- Exam 981 - IBM Lotus Notes Domino 8.5 Building the Infrastructure

This exam is part of the path for IBM Certified System Administrator - Lotus Notes and Domino 8.5 certification. The complete path is described here:

IBM Certified Associate System Administrator - Lotus Notes and Domino 8.5
- Exam 980 - IBM Lotus Notes Domino 8.5 System Administration Operating Fundamentals

IBM Certified System Administrator - Lotus Notes and Domino 8.5
Successfully pass the following three exams:
- Exam 980 - IBM Lotus Notes Domino 8.5 System Administration Operating Fundamentals
- Exam 981 - IBM Lotus Notes Domino 8.5 Building the Infrastructure
- Exam 982 - IBM Lotus Domino 8.5 Managing Servers and Users

IBM Certified Advanced System Administrator - Lotus Notes and Domino 8.5
- Exam TBD - IBM Lotus Notes Domino 8.5 Configuring Domino Web Servers

Preparing for a Lotus certification exam


Attending this course and using this Student Guide will help you prepare for certification. Some topics covered on the exam are not covered in this course and some of the objectives covered in this course are not tested on the exam. Be sure to follow all the steps listed in order to prepare fully for the exam.

Step 1: Review the exam competencies.
Step 2: Get hands-on experience.
Step 3: Use the exam preparation page.
Step 4: Use all available resources.


Step 1: Review the exam competencies


Review the exam competencies to see the complete listing of possible topics for the exam. Use the competency listing as your checklist to determine your weaknesses and the areas on which you will want to focus more attention in your studies and preparation. You will find the competencies listed in:

- The Exam Competencies Appendix included in this course.
- The Exam Guides located on the IBM Software Services for Lotus Certification Web page at http://www.ibm.com/lotus/certification.

Step 2: Get hands-on experience


Actual hands-on experience is a critical component in preparing for the exam. The exam is looking to measure how well you perform tasks, not how well you memorize features and functions:

- Spend time using the product and applying the skills learned.
- Direct application of the skills learned in this class cannot be replaced by any other single resource listed here.

Step 3: Use the exam preparation page


The exam preparation page lists resources available for each individual exam. To find the exam preparation page for this exam, go to http://www.ibm.com/lotus/certification and use the Select an exam drop-down menu. Select the exam name and link to the exam preparation page.

Step 4: Use all available resources


We recommend using a range of resources when preparing to take an exam. The following table describes the types of resources available to prepare for certification exams. For a listing of resources specific to each exam, use the individual exam preparation page located at http://www.ibm.com/lotus/certification.

Resource: Exam guides
Brief description: Complete version includes certification titles and paths, sample questions, and registration information.
Where to find resource: Abbreviated version is available in the Exam Competencies Appendix included in this course. Complete version is available on the IBM Software Services for Lotus Certification Web page at http://www.ibm.com/lotus/certification.

Resource: Lotus authorized courses
Brief description: Offered at Education Centers for IBM Software (ECIS) and Lotus education locations worldwide.
Where to find resource: A complete list of courses and education centers are on the IBM Software Services for Lotus Education Web page at http://www.ibm.com/lotus/education.

Resource: CBT programs
Brief description: Used as an alternate learning tool or supplement to courses or both.
Where to find resource: Additional information is available at The Education Store on the IBM Software Services for Lotus Education Web page at http://www.ibm.com/lotus/education.

Resource: Practice tests
Brief description: Available from a variety of vendors. Visit the individual exam preparation page to determine what practice tests are available for a specific exam.
Where to find resource: Available from the IBM Software Services for Lotus Certification Web page at http://www.ibm.com/lotus/certification.

Resource: Online learning
Brief description: This includes online tutorials and other learning resources.
Where to find resource: See the individual exam preparation page for recommended online learning resources.

Resource: Product Documentation
Brief description: Official Lotus product documentation.
Where to find resource: Additional information available at http://www10.lotus.com/ldd/doc.

Resource: IBM Redbooks
Brief description: Technical cookbooks that address topics that the reference manuals may not cover.
Where to find resource: Ordering information is available at http://www.redbooks.ibm.com.

Preparing for the IBM Lotus Notes Domino 8.5 Building the Infrastructure exam
The following materials are available for the IBM Lotus Notes Domino 8.5 Building the Infrastructure exam:

- Building the IBM Lotus Domino 8.5 Infrastructure Course
- CertFX Practice Test
- Notes, Domino, and Domino Designer 8.5 Release Notes
- Lotus Domino 8.5 Administrator Help


For the most up-to-date resource listing for this exam, visit the individual exam preparation page. Go to http://www.ibm.com/lotus/certification and select the exam name from the Select an exam drop-down menu. These individual pages will give you the most up-to-date list of resources available.

Exam 981 - IBM Lotus Notes Domino 8.5 Building the Infrastructure Exam Competencies
This section contains the exam competencies for the IBM Lotus Notes Domino 8.5 Building the Infrastructure exam. The exam competencies are one tool for preparing for IBM Certified for Lotus Software exams. For a more complete listing of learning resources, refer to the Lotus Certification Web site available at www.lotus.com/certification.


Install and Configure


The following competencies relate to installation and configuration.

- Binding ports and Internet Services
- Configuring Directory Links
- Configuring Directory Services\Directory Catalogs
- Configuring Directory Services\LDAP services
- Configuring Domain Searching
- Configuring Domino Clustering
- Configuring Domino Domain Monitoring (DDM)
- Configuring Domino Domain Monitoring (DDM) collection hierarchy
- Configuring Domino Domain Monitoring (DDM) probes
- Configuring Domino Web Servers
- Configuring Event Handler Notifications
- Configuring network compression
- Configuring the Domino Console and binder
- Configuring the Room and Resource Manager
- Implementing database design compression
- Implementing database on demand collations
- Implementing database redirection
- Implementing new agent manager features
- Understanding Domino Domain Monitoring (DDM) event classes
- Understanding Domino Domain Monitoring (DDM) probe types
- Understanding the Server Health Monitor
- Understanding authentication-only directory services
- Understanding Websphere Portal integration enhancements
- Utilizing Response Files for Server Installations


Mail
The following competencies are related to mail.

- Configuring DNS whitelists on the Domino server
- Configuring private blacklists on the Domino server
- Configuring private whitelists on the Domino server
- Configuring public blacklists on the Domino server
- Configuring public whitelists on the Domino server
- Configuring connection error limits
- Configuring mail delivery delay reports
- Configuring Mail Journaling
- Configuring Mail Rule Enhancements
- Configuring Mail Tracking
- Configuring Message Recall functionality
- Configuring outbound SMTP relay authentication
- Configuring Reverse Path Settings
- Enabling/Disabling message disclaimers from Domino server
- Enabling Message Recall functionality
- Enabling TNEF conversion
- Expanding Mail Topologies
- Setting up message disclaimers
- Understanding ambiguous name rejections
- Understanding Mail Management enhancements
- Understanding Message Recall functionality
- Understanding new Out of Office service types


Manage and Maintain


The following competencies relate to managing and maintaining.

- Analyzing server crash files
- Configuring Critical Request scheduling
- Configuring Domino Domain Monitoring (DDM) probe schedules
- Configuring Server Auxiliary Ports
- Configuring the Domino Console
- Configuring the prevention of incorrect system time changes
- Configuring the Server Controller
- Configuring transaction logging
- Connecting Lotus Domino and WebSphere Portal
- Implementing Console Log Mirroring
- Implementing Image Compression
- Implementing Lotus Traveler Policies
- Integrating Domino and IBM CommonStore Archive Services
- Integrating Domino and the Tivoli Enterprise Console
- Troubleshooting message disclaimers from Domino server
- Understanding Advanced Domino Server Tasks
- Understanding Directory Assistance enhancements
- Understanding Directory Services\Directory Assistance
- Understanding Directory Services\Extended Directory Catalogs
- Understanding Directory Services\Search Orders
- Understanding Router Optimizations
- Using Domino Domain Monitoring (DDM)
- Utilizing Administration Process statistics
- Utilizing Domino Attachment and Object Service (DAOS)
- Utilizing Domino Configuration Tuner
- Utilizing Domino server commands
- Utilizing Dynamic Policies
- Utilizing Server Console Commands
- Utilizing server serviceability enhancements
- Utilizing stronger encryption capabilities
- Utilizing the Widget Catalog
- Utilizing Web Administration server bookmarks


Replication
The following competencies relate to replication.

- Building Replication Topologies
- Viewing Replication Topologies

Security
The following competencies relate to security.

- Certificate Authority\Configuring
- Certificate Authority\Creating the Database
- Certificate Authority\Maintaining
- Configuring Message Recall security
- Controlling Server Access
- Deploying Lotus Traveler security features
- Deploying the ID Vault
- Encrypting network traffic
- Implementing LTPAToken2 for single sign-on
- Implementing stronger key strengths
- Integrating WebSphere and Domino with tokens
- Managing Shared Login
- Managing the ID Vault
- Managing XPages Security


Appendix D
Preparation Checklist

Instructor Preparation
This appendix is provided to assist instructors in their preparation for leading instructor-led training in a classroom or online (ILT and ILO).

When preparing to teach this course, consider doing the following:


- Read through the Instructor Guide.
- Perform all activities in the course.
- Perform all demonstrations and labs described in the Instructor Guide.
- Refer to the Instructor Lounge to gather useful teaching tips and techniques that other instructors have used to teach this course.
- Use the information in this section to find additional resources to further your knowledge of the subject.
- Practice the classroom setup.

Additional Preparation Resources


The following additional resources are available as you prepare to lead training.

Appendix D Instructor Preparation

Name: IBM developerWorks Forums and Community
Location: http://www.ibm.com/developerworks/lotus/community
Description: You can discuss Lotus and related products with your peers, expand your understanding of these products, and create connections with others. Join our public discussion forums, where the Lotus community meets to talk about Lotus software. You are welcome to read all our forums. To participate in some forums, you need to complete our free registration form to get a developerWorks Lotus user name and password. (If you have previously registered on Notes.net/Lotus Developer Domain, that is the user name and password to use here.) Other forums require an IBM ID to participate.

Name: IBM Lotus Domino and Notes Information Center
Location: http://publib.boulder.ibm.com/infocenter/domhelp/v8r0/index.jsp
Description: IBM Lotus Domino and Lotus Notes product information where you can find system requirements, installation and configuration procedures, and information about managing your Lotus Domino servers and Lotus Notes clients.

Name: IBM Lotus Notes and Domino Wiki
Location: http://www-10.lotus.com/ldd/dominowiki.nsf
Description: The Lotus Notes and Lotus Domino Wiki, where you can find and contribute to information about installing, administering, and using Lotus Notes and Lotus Domino, and other members of the Lotus Notes product family.

Name: Lotus Labs
Location: http://www-10.lotus.com/ldd/lotuslabs.nsf
Description: Lotus Labs is about providing content in new ways: consumable, collaborative, customizable. This page highlights the pilots, projects, and programs we've been working on recently.

Course Strategy
Approach
This course covers the administrative tasks necessary for administrators to install and configure a basic IBM Lotus Domino 8.5 infrastructure. Students will manage the installation of Lotus Domino, IBM Lotus Notes, and Domino Administrator within the fictitious company Worldwide Corporation. The course intent is to provide an environment analogous to the tasks students will perform back at their jobs. The Building the IBM Lotus Domino 8.5 Infrastructure course covers installing Domino server and Notes client software, initially configuring server and clients, registering and managing users, configuring server access for administrators, replicating Server documents, configuring mail services, and managing, monitoring, and troubleshooting mail.

Recommended Agendas
This course is a two-day instructor-led course with computer-based activities and labs. These tables are provided to help you plan your instructional agenda for each of the training days.


Recommended agenda for ILT delivery


The following table shows the recommended agenda.

Day 1

| Time | Lessons or topics |
| --- | --- |
| 15 minutes | Introductions |
| 1 hour | Lesson 1 |
| 30 minutes | Lesson 2 |
| 15 minutes | Break |
| 1 hour, 30 minutes | Lesson 3 |
| 1 hour | Lunch Break |
| 1 hour | Lesson 4 |
| 15 minutes | Break |
| 1 hour | Lesson 5 |
| 30 minutes | Lesson 6 |

Day 2

| Time | Lessons or topics |
| --- | --- |
| 1 hour | Lesson 7 |
| 30 minutes | Lesson 8 |
| 15 minutes | Break |
| 1 hour | Lesson 9 |
| 1 hour | Lunch Break |
| 1 hour, 30 minutes | Lesson 10 |
| 15 minutes | Break |
| 30 minutes | Lesson 11 |
| 1 hour | Lesson 12 |


Recommended agenda for ILO delivery


The following table shows the recommended agenda for ILO delivery.

Day 1

| Time | Lessons or topics |
| --- | --- |
| 1 hour, 30 minutes | Lessons 1 and 2 |
| 1 hour, 30 minutes | Lesson 3 |
| 1 hour, 30 minutes | Lesson 3 |
| 1 hour | Lesson 4 |
| 1 hour, 30 minutes | Lessons 5 and 6 |

Day 2

| Time | Lessons or topics |
| --- | --- |
| 1 hour, 30 minutes | Lessons 7 and 8 |
| 1 hour | Lesson 9 |
| 1 hour, 30 minutes | Lesson 10 |
| 1 hour, 30 minutes | Lessons 11 and 12 |

Facilitating an ILO Course


Delivering a course in an online environment is probably more similar to classroom training than it is different. Many course delivery strategies are valid in the online interface but require some modification for remote delivery.

Technologies used in an online course


The delivery environments used for an instructor-led online (ILO) course are:

- Web meeting: Using the tools of a Web meeting application, instructors present slides, conduct demonstrations, lead discussions, and answer questions.
- Virtual lab: Student workstations are installed in an eLab and accessed by students remotely. The lab workstation is available to students for the duration of the course and used to complete all lab activities and for independent practice.

Comparing classroom and ILO delivery


The following table lists the course activities and how they can be facilitated in both classroom and online classroom environments.

Course activity: Presentation
In the classroom: Instructor projects slides on the classroom monitor or projection screen.
In an online classroom: Instructor displays slides in the online classroom interface.

Course activity: Application demonstration
In the classroom: Instructor performs demonstrations and output is displayed on classroom monitor or projection screen.
In an online classroom: Instructor shares her desktop or application using the screen sharing features of the online classroom interface.

Course activity: Discussion
In the classroom: Students and instructor discuss topics.
In an online classroom: Students and instructor use audio connection to discuss topics. Other tools to aid discussion include:
- Hand raise
- Chat window in Web conference
- Break out sessions for small group interaction

Course activity: Guided practice
In the classroom: Instructors and students perform activities simultaneously. The instructor's activities are displayed on the classroom monitor or projection screen.
In an online classroom: The instructor chooses to:
- Convert the practice to demonstration and instruct students to practice the activity, after the session, using the instructions in the Student Guide. Note: This option may be used only if the completion of the practice activity is not a prerequisite to subsequent course practice activities.
- If a live application is available for students, instruct students to perform the guided practice as unguided practice.

Course activity: Unguided practice and exercises
In the classroom: Students complete these independently on classroom lab machines.
In an online classroom: Students complete these independently on virtual lab machines. Generally, these activities may be completed after the live session. If the activity cannot be moved because it affects the flow of delivery, then instructor may pause the live session to allow students to log into their virtual accounts to complete the activities. Then students rejoin the live session. The instructor may be available to students during lab periods by phone, instant messaging, or using the virtual classroom chat feature.

Course activity: Questions
In the classroom: Instructors query for questions or encourage students to interrupt when they need to ask a question.
In an online classroom: Instructors pause the presentation or demonstration to ask for questions. Students use the hand raise feature to indicate they have a question.

Course activity: Feedback
In the classroom: Instructors view body language to assess students' interest, understanding, and to judge pacing of delivery. Instructors use this feedback to adjust the content or pacing, or to address an individual student's questions.
In an online classroom: This is a more formal task in a virtual environment. Instructors may need to ask for feedback either verbally or use polling features of the virtual classroom. Some conferencing applications allow participants to provide feedback by displaying icons in the participant list. Instructors may conduct feedback discussions at the end of each session to ask for specific pacing, level, and content feedback.

The ILO agenda


We have provided a recommended ILO agenda for you earlier in this appendix. Should you wish to create your own agenda, you need to:

- Divide the course into modules that can be delivered in online sessions.
- Adjust the order of practice activities so that independent lab activities can be completed after the online sessions.
- Modify some activities so they are demonstrations rather than independent practice. This strategy is used when a practice activity is in the middle of a live session.

Note: The completion of some course activities is required for subsequent activities to be completed. For example, students need to complete an activity to register a new user before they can complete an activity where they give that user access privileges. In these instances, you will need to identify the required activities and ensure they are completed as needed.


Additional tips for creating the ILO agenda


Consider the following when setting up your course agenda:

- The optimal length of an online session is two hours.
- You may, optionally, choose to deliver the course in full-day sessions, breaking for activities.
- You should schedule instructor office hours when students may reach you by phone for individual tutoring on topics as needed.
- You should allot more time for breaks than you would in a live classroom situation.
- Add time to the beginning of the online sessions to review lab activities. In the early sessions, when students are first using the eLab environment, you will need this time to address any problems or observations students have about working in the virtual lab environment.

Scheduling the ILO


When setting your ILO schedule, consider the following:

- A virtual class may be attended by participants in multiple time zones.
- You need to be available during the times students are completing their lab activities.
- Although you will not be presenting lab activities, you need to schedule time for students to complete these. If your online class ends late in the day, you should not expect students to complete the lab activities by early the next day.
- The virtual lab, used by students to complete activities, may not be available to class participants during certain hours. Or, the lab may be unsupported during night time hours.
- Schedule time before the first class session, to help students test their ability to connect to the Web meeting facilities.

Instructor Preparation for an ILO Course


Additional tasks should be completed to prepare and deliver this course in a live, online session. This section lists some preparation tasks for preparing to teach online.

Presenting a live session in an e-learning environment


This seminar requires you to manage several tasks simultaneously, which can be challenging. You must manage multiple presentation tools, engage students interactively, demonstrate applications, respond to questions, and troubleshoot technical glitches, all while maintaining flow and continuity in the restricted time frame of the scheduled class session.


In addition, you must manage the pacing and interaction within the course; monitor electronic and verbal hand raising; compose, send, and evaluate questions and answers; and fill time as you wait for applications to display. You will also need to manage other, unscheduled events. For example, applications may crash, displays may freeze, or you may unintentionally close a window. You may also need to help students manage their own display. For example, you may need to instruct a student on how to recover a floating course screen, scroll the display, or scale a window's image. All these events require your attention, and at first, the online collaboration tools will require training and practice. We recommend that you attend e-learning facilitation training for the e-learning tool being used for delivery and rehearse your class presentations and demonstrations.

Assisting the facilitator


We strongly recommend, in addition to extensive preparation and rehearsal, that you recruit a colleague to assist in delivering this course, at least the first time you present it. Consider delegating the following roles and responsibilities:

Facilitator: This person presents the content and performs the interactive demonstrations, paying attention to the flow and interaction of the course. The facilitator:
- Displays each presentation page.
- Performs and narrates the interactive demonstrations.
- Responds to verbal questions.
- Manages the session pacing.

User Interface (UI) manager: This person manages the elements of the user interface. The UI manager:
- Monitors the display on a separate machine to ensure that the facilitator narrative matches the refresh rate in the student browser.
- Monitors the participant list for raised hands.
- Answers students' questions regarding the UI and any problems they may be having with it. This can be done in a separate chat window.

You should rehearse each session with your partner and clearly define your roles and responsibilities regarding each element of the presentations and interactive demonstrations. Take a few minutes after each live session to review the things that did and did not work.


Preparation checklist
After the course has been set up in the e-learning environment, you should:

- Prepare your e-learning podium.
- Rehearse the presentation.
- Reserve audio conference services (do this if you will not use IP audio).
- Conduct a connection test with students.
- Review Preparing to Teach an e-Learning Session, in this section.
- Review Delivering an e-Learning Session, in this section.

Preparing your e-learning podium


The e-learning delivery podium is very different from the classroom podium. You can deliver this course from any workstation with a browser. You should also examine the environment from which you deliver the class.

Review your setup.
- Place a second computer next to your facilitator machine. Log on to this second machine as a student. Using the second student machine, you can monitor what the students are seeing, for example, how fast the refresh rate is.
- Use the fastest machine you can for interactive demonstrations. Waiting for a slow processor to perform your interactive demonstrations can be awkward.
- Invest in a high-quality telephone headset. Your students will be listening to you talk for hours at a time. Using a low-quality speakerphone or headset can be irritating to listeners.

Listen to your environment.
- Turn off the ringer on your phone and disable call waiting.
- Disable voice paging on your phone, if you have this feature.
- Disable the intercom.
- Close the door (if you have one).
- Inform your colleagues and office neighbors of class dates and times.



Rehearse the presentation


Create a test session. Test and rehearse:

- Presentation materials: Display each slide and practice delivering the content as scripted in the Instructor Guide.
- Screen sharing demonstrations: As with any course, you should rehearse these demos to ensure that you can access the required applications and you can smoothly transition between the presentations and interactive demonstrations.
- Rehearsing interactive demonstrations: This course requires you to use the screen sharing feature to share demonstration media files. You should rehearse these interactive demonstrations several times.
- Rehearsing transitions: Several times during this course you are required to switch from presenting slides to using screen sharing.

Reserve conference services


Course participants connect to the course session using a Web browser. The audio portion of the session can be heard from:

- The speakers on the student's computer: The session must be enabled for IP audio.
- A telephone conference: Students use their telephones to listen and participate in the session. A conference service is used to join all phone connections into a conference.

Information you provide

Whether you use internal or vendor-provided conference services, you will need to provide the following information:

- Estimated number of participants: It is always better to overestimate, just in case you have a few last-minute course registrants.
- Origin of calls: Calls that originate in another country or time zone may require different support or configuration on the part of the conference provider. You should identify this in advance.
- Contact name and number prior to the conference: If conference facility personnel need to confirm or modify arrangements, they will need to contact you.

Information you need to provide to students

When you reserve the bridge facilities, you should confirm the following information. This information will be communicated to students prior to the first class:

- Dial-in number for participants: This is the phone number that students will dial.
- International dial-in number (if needed): Some conference providers will provide different dial-in numbers for international callers.
- Conference reference name or number: Some conference service providers connect callers to specific conferences. In these instances, the caller dials a central number and identifies the desired conference using a predefined conference number, title, or host (facilitator) name. The call is then connected to the appropriate conference.
- Password: Optionally, some providers may require a password for entrance into a restricted conference.
- Support resources: The conference provider may provide an additional phone number for participants to call if they are having problems connecting to the course.

Conduct a connection test

There are several reasons why you should request that students test their ability to connect to the course, the least of which is to troubleshoot problems prior to the first class. To prepare students, you should:

- Create a live session and schedule it to occur about one week prior to the session.
- Invite students to join the session so that they can:
  - Test their ability to connect to the session services.
  - Download any applications and plug-ins.
  - Get acquainted with the e-learning user interface.


Additional Considerations
Preparing students
While preparing to lead the course, you provided a test connection session for students and tested your own equipment and network connections. However, you will still need to make time at the beginning of the class to troubleshoot any connection or presentation issues that arise. In addition, you should:

- Encourage students to test their virtual lab connections. Allot some time in the first or second class session to review student questions regarding the lab environment. Students connect to remote facilities to complete the lab exercises. It is common for the lab machines to be available for the duration of a course. Although you cannot provide support during this entire time, you should establish the times when students can expect to receive support for their lab activities.
- Help students distinguish the kind of help they need. There will be two types of help required:
  - Content help: Assistance completing the lab task, which includes help understanding the instructions and troubleshooting errors that may occur.
  - Lab facility help: This includes help connecting to the lab and using credentials to log in to the student account.
- Provide additional ILO class support information. Students in a distributed learning environment require several types of support; ensure they have the necessary information to gain each type of support:
  - Technical support: To help resolve connection issues.
  - Content support: To answer questions about the materials presented in class.
  - Process support: To assure them that their participation in class is appropriate.
- Schedule office hours: Make yourself available by phone, e-mail, or chat to support students. Recommend that students plan to complete the lab exercises during those office hours, when you can provide assistance to them.
- Encourage students to help each other. You can support this formally by setting up an online community using collaboration applications such as forums or wikis. You can encourage students to do this informally using shared contact information or, if students are co-located, they may choose to complete the lab activities together.


Beginning the class


Before you begin the class:

- Display the opening slide and dial into the conference services at least 15 minutes prior to the beginning of class. This will give students a chance to test their connections.
- Use the draw tools to enter the time at which the class will begin.
- Arrange your workspace.
  - Clear the clutter on your desk; leave ample room for your Facilitator Guide, notes, documentation, and so on.
  - Close any unused applications. They use valuable system resources.
  - Arrange the e-learning windows so that you can display all the required functions.

Pacing and interaction


Consider the following:

- Keep students engaged. Two hours of watching a presentation can put even the most enthusiastic student to sleep. Add interaction where possible.
- Survey your students, either verbally or by sending an electronic question. Ask them about the level and pacing of your presentation. As with classroom-based audiences, some students will have more advanced experience and will benefit from less presentation and more demonstrations with verbal questions and answers. Others may require more remedial instruction. You may not know this unless you ask.
- Share the demonstration. When you share an application, as you do when you demonstrate, you may be able to pass control to volunteers who can complete tasks. Sharing the demonstration adds more activity in the class and helps to engage students.
- Pause for discussion. Ask your students to discuss the implications of a specific function or feature. Be aware that discussions take time and you may need to limit their scope and timing in order to stay within the session time.
- Ask for volunteers. Be aware that some adult learners prefer to observe and are uncomfortable when called upon to answer a question or perform an exercise. If you initiate discussion or share an application, ask for volunteers to electronically raise their hands. Then, select from those students.
- Manage silence. It is fine to pause your presentation to catch your breath or to wait for a slide to load, but remember that students have no visual contact with you. If you are silent for too long, they may think they have lost their audio connection. If you find that you are waiting a long time for an application to perform a function, ask for questions, initiate a short discussion, or review what you have done so far.
- Make your personality larger. As an effective instructor you use your personality and demonstrated passion for the content being delivered to engage students in learning. You will need to find a way to communicate these things in the virtual environment without the aid of facial and body language.

Managing the visual display


Consider these tips:

- Use the pointer tools to show bulleted list items.
- If you distribute student materials, refer to the pages often.
- Move your cursor slowly and deliberately. Note: It is helpful to change the cursor style on your system so it is easy for students to identify it from their own.
- Do not use shortcut keys to initiate functionality, unless it is part of the instructions. Students cannot follow you when you press CTRL+C, but they can follow you if you click Edit > Copy.
- Close demonstrations when they are complete.
- Start new demonstrations from a neutral screen.

CLI Private Site


For more information on how to teach this course, refer to the CLI Private Site located at http://www.lotus.com/cli. If you have already registered, enter your user name and password to access the Instructor Lounge and other private areas of the Web site to gain additional information for teaching this course.

If you have not registered, visit the Education Zone located at http://www.lotus.com/educationzone and follow the instructions to register for the certified community. After registering, you will be able to access the CLI Private Site using your user name and password.

CLI Certification Requirements


To learn about the requirements for becoming a CLI or to upgrade your current certification, visit the IBM Software Services for Lotus Certification Web site at http://www.lotus.com/certification.

Course Evaluation
At the end of the course, lead students to connect to the course evaluation Web page to complete an evaluation survey. Explain the importance of student feedback as a tool to help IBM improve course design and content and you to improve your presentation. Tell students that the survey is anonymous; they will not be required to provide their name or contact information, but can do so if they wish.

Completing the evaluation survey


Instruct students to complete the online course evaluation. This should take no longer than 15 minutes. Write the following information on the classroom whiteboard or flipchart:

- Evaluation site: http://www-03.ibm.com/certify/certs/lotussurvey.shtml
- Instructor name:
- Class number:
- Course code:


Additional Instructor Notes


This section provides notes that aid in teaching the course. They provide the instructor with helpful information and may contain alternate tasks for instructor-based classroom demonstrations.

Lesson 1 page 11
The slide builds to show the Lotus Notes and Lotus Domino components to implement in the following order:

- Build 1: Instructor's machines
  - Hub server
  - Administrator's workstation
- Build 2: Student server machines
  - Twelve mail servers
- Build 3: Student workstation machines
  - Twelve mail server administrators
- Build 4: Mail routing topology: Three Lotus Notes Named Networks, and mail routing between NNNs within the company intranet
  - One NNN for Headquarters
  - One NNN for the West region
  - One NNN for the East region
- Build 5: Mail routing to the Internet

Ask students to identify the machine at which they are seated by providing the name of the server from the figure.


Lesson 1 page 33
During registration, you will notice the choice to Use the CA Process during registration. Basic guidelines to remember regarding server-based certification authority include:

- Any certifier ID file can be migrated to use the server-based CA.
- The administrator who migrates a certifier selects trusted administrators to use and manage a certifier.
- The trusted administrators who use the server-based CA do not need a password to register users, servers, or certifiers.
- A migrated certifier can be used for registering Lotus Notes users from the Lotus Domino Web Administrator client.
- CA administrators can manage migrated certifiers by using console commands to affect a server task named CA.

Lesson 6 page 130


Ask the following questions to point out how the classroom environment has already required replication:

- When we registered users in the Domino Directory on Hub/SVR/WWCorp, did the Lotus Domino Directories on the other servers need the user information? Answer: Yes. We replicated the changes to the Domino Directory manually.
- When we changed the Domino Directory ACL on one server, did the other classroom servers need the ACL change? Answer: Yes. We replicated the changes manually.
- Are there other databases on the classroom servers that should be synchronized? Answer: Yes, for example, the Certification Log.

Lesson 8 page 175


Refer students to Lotus Domino Administrator 8.5 Help for information on both configurations. Emphasize that both scenarios can do this. If there is interest, provide an example such as a company that wants different relay hosts for mail destined for Acme.com than for mail destined for AcmeSubsidiary.com. This can be done by creating:

- One Foreign SMTP Domain document for *.Acme.com specifying that all mail for Acme.com routes to a particular SMTP server.
- Another Foreign SMTP Domain document for *.AcmeSubsidiary.com specifying that all mail for that domain routes to a different SMTP server.

The Router on an SMTP-enabled server will use Foreign SMTP Domain documents and SMTP Connection documents to split outbound mail by domain and send it to different relay hosts. The following rules apply:

- If the source server of an associated SMTP Connection document is another server, messages will be transferred to that server.
- If the source server of an associated SMTP Connection Record is the current SMTP-enabled server, the host specified in the Connection document will override the relay host specified in the Configuration Settings document or DNS.
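The two rules above can be modelled to review which relay each server would hand a domain's mail to. This is an added Python example, not code from the course or from Domino. The linkage of a Foreign SMTP Domain document to a Connection document through a shared domain label, the glob-style domain match, the precedence given to a connection owned by the current server, the Mail01 server, and all relay host names are assumptions of this model.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class ForeignSmtpDomain:
    internet_domain: str  # destination pattern, e.g. "*.acme.com"
    domain_name: str      # label shared with Connection documents (assumed linkage)


@dataclass(frozen=True)
class SmtpConnection:
    source_server: str       # server that owns this connection
    destination_domain: str  # equals ForeignSmtpDomain.domain_name
    relay_host: str          # host the source server hands the mail to


def next_hop(recipient: str, current_server: str,
             foreign_domains: Iterable[ForeignSmtpDomain],
             connections: Iterable[SmtpConnection],
             config_relay_host: Optional[str] = None) -> Tuple[str, str]:
    """Return (action, target) for one recipient as seen from current_server."""
    mail_domain = recipient.rsplit("@", 1)[-1].lower()
    connections = list(connections)
    for fd in foreign_domains:
        if not fnmatchcase(mail_domain, fd.internet_domain.lower()):
            continue
        linked = [c for c in connections
                  if c.destination_domain.lower() == fd.domain_name.lower()]
        # Connection owned by this server: its host overrides the relay host
        # from the Configuration Settings document or DNS.
        for conn in linked:
            if conn.source_server.lower() == current_server.lower():
                return ("relay", conn.relay_host)
        # Connection owned by another server: transfer the message there.
        if linked:
            return ("transfer", linked[0].source_server)
    # No matching documents: fall back to the configured relay host, then DNS.
    if config_relay_host:
        return ("relay", config_relay_host)
    return ("dns", mail_domain)


def audit_relays(recipients: Iterable[str], servers: Iterable[str],
                 foreign_domains: List[ForeignSmtpDomain],
                 connections: List[SmtpConnection],
                 approved_relays: Set[str],
                 config_relay_host: Optional[str] = None) -> List[Tuple[str, str, str]]:
    """List (server, recipient, relay) where mail would leave via an unapproved relay."""
    recipients = list(recipients)
    findings = []
    for server in servers:
        for rcpt in recipients:
            action, target = next_hop(rcpt, server, foreign_domains,
                                      connections, config_relay_host)
            if action == "relay" and target not in approved_relays:
                findings.append((server, rcpt, target))
    return findings


# Constructed sample documents; only Hub/SVR/WWCorp appears in the course text.
FOREIGN_DOMAINS = [
    ForeignSmtpDomain("*.acme.com", "AcmeRelay"),
    ForeignSmtpDomain("*.acmesubsidiary.com", "SubsidiaryRelay"),
]
CONNECTIONS = [
    SmtpConnection("Hub/SVR/WWCorp", "AcmeRelay", "relay-a.example.com"),
    SmtpConnection("Hub/SVR/WWCorp", "SubsidiaryRelay", "relay-b.example.com"),
]

if __name__ == "__main__":
    for server in ("Hub/SVR/WWCorp", "Mail01/SVR/WWCorp"):
        for rcpt in ("pat@mail.acme.com", "pat@mail.acmesubsidiary.com"):
            print(server, rcpt, next_hop(rcpt, server, FOREIGN_DOMAINS, CONNECTIONS))
```

In this model the pattern `*.acme.com` matches subdomains only; confirm how your Domino release treats the bare domain before relying on a pattern.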


Glossary
API (application programming interface)
A set of functions that gives programmers access to another application's internal features from within their own application.

DNS whitelist filters
Used in conjunction with anti-spam features, to validate the mail received by your inbound SMTP server is legitimate mail.

domain
A collection of Domino servers and users that share the same Domino Directory.

Eclipse Update Sites
Catalogs that contain features and plug-ins for Eclipse/RCP applications that are published in the form expected by the Eclipse Update Manager to locate new and updated versions to download.

Expeditor Component Packaging
A method by which administrators can customize client installation for Lotus Notes.

group
A list of users and/or servers who have something in common. For example, a group can have the name of a department and contain all the department's members.

organization
Defined by the certifier that stamps the IDs of users, servers, and other certifiers.

policy
The Policy document and its associated Policy Settings documents.

replication
The controlled synchronization between database replicas.

silent installation
An automated client installation that supports the IBM Lotus Domino clients and simplifies installation for end users because it presents very few or none of the installation windows.

364

Copyright IBM Corporation 2009.

Index
A
adding workstations, 75 administration domino directory, 52 administration levels, 117, 120 administration preferences, 109 administration process components, 79 Administration process requests, 80 administrator access, 62, 66 administrators, 42 Adminp, 79 Also See: The Administration process API, 96 application programming interface See: API Archive Criteria Settings document, 249 Archive Policy Settings document, 248 archiving, 247 steps, 247 archiving policies, 248 assigning policies, 102 assigning roles, 42

C
central directory structure, 52 certification log, 62 Certlog.nsf, 62 checking mail delivery, 261 clearing the server id password, 53 configuration directory server, 52 configuration domino directory, 52 configuring E/SMTP options, 199 configuring mail routing to the Internet, 173 connection document mail routing options, 161 connection documents, 161 country codes, 34 hierarchical naming, 34 creating a database on the server, 115 creating an organizational policy, 97 creating an organizational unit certifier, 63 creating connection documents, 140 creating replicas, 81 critical application scheduling, 138 cross-certification, 33

B
blacklist tags, 237

D
database access, 89 database tools, 80
delivery controls, 215 delivery failure, 279 deny list only, 114 deny list only group type, 89 deny server access, 114 detailed administration levels, 118 DNS blacklist filters, 191 DNS whitelist filter query process, 188 DNS whitelist filter statistics, 190 DNS whitelist filters, 188 domain, 27 domains multiple, 27 Domino Directory, 26 replicas, 26 Domino Directory Access, 47 Domino Directory Document Synchronization, 73 Domino infrastructure, 3 Domino server types, 14 Domino server log, 35 Domino Server Log, 121 Also See: Log.nsf Domino Web Administrator, 119 dynamic settings, 96

F
first server setting up, 36 launching first server setup, 25 force mail routing, 278 forcing replication, 136 full access administrator level, 119

G
group precedence, 89 groups, 87

H
hierarchical naming, 34 hub-and-spoke mail routing topology, 159

I
ID file distribution options, 68 Inbox Maintenance benefits, 243 specifying settings in the Server document, 243 Inbox Maintenance feature, 242 infrastructure deployment planning process, 4 planning checklist, 3 planning considerations, 3 planning tasks guidelines, 4 infrastructure plan supported platforms, 13 system requirements InstallShield Tuner capabilities Lotus Notes 8.5, 21 Internet address lookup options, 200 Internet mail routing, 177 Internet password locking, 67 Internet password options, 66 Internet password protection with xACLs, 68 Intranet mail routing, 149

E
E/SMTP settings, 199 Eclipse, 20 automated installation options, 22 Eclipse Update Sites, 21 enabling a private whitelist filter, 194 enabling blacklist filters, 197 enabling DNS blacklist filters, 191 enabling DNS whitelist filters, 189 enabling private blacklist filters, 195 enabling SMTP, 178 enabling the SMTP listener task, 179 enabling whitelist filters, 197

L
license tracking, 66 license tracking database, 66 LocalDomainAdmins, 42 log.nsf, 121 Log.nsf, 35 logging levels, 122 Lotus Domino 8.5 server platform requirements, 15 operating system requirements Lotus Domino Administrator, 77 Lotus Domino authentication, 113 Lotus Domino authorization, 113 Lotus Domino server log, 35 Lotus Domino web administrator application, 120 Lotus Expeditor, 21 Expeditor component packaging, 21 Lotus Notes 8.5 client installation types, 20 standard configuration, 18 basic configuration Lotus Notes workstation setting up, 40 Lotus Notes workstations multiple users, 22

adding to S/MIME messages, 213 creating policy settings, 213 enabling, 212 implementing, 211 options for attaching, 212 Message Recall function, 266 options, 266 message tracking, 264 MIME, 166 misdelivered mail, 260 multiple mailboxes benefits, 220 multiple policies, 102 multiple replication hubs, 137

N
nesting groups, 88 NNN, 152 Notes Named Networks See: NNN notes rich text, 166 notes.ini file, 121

O
opportunistic routing, 161 organization, 27 organization authentication, 33 organization certifier descendants, 32 organization certifier id security, 32 organization security, 32 organizational unit, 29, 34 alternatives, 30 naming requirements, 29 organizations country codes, 34 Oucert.id file name, 33 outgoing mail formats, 166

M
mail delivery failure process, 279 mail journaling, 231 interacting with mail rules, 231 mail routing behavior, 152 mail routing components, 151 mail routing problems, 273 mail routing protocols, 148 mail rules, 225 actions, 227 mail statistics, 262 mail storage formats, 166 mail trace tool, 273 mail transfer controls, 218 message color-coding, 109 message disclaimers, 211

P
policies, 93 policy assignment, 99

policy assignment methods, 99 policy documents, 93 policy management tools, 96 policy precedence rules, 95 policy types, 93 preventing message relay, 186 primary domino directory, 52 private blacklist filters, 195 private whitelist filters, 193 privileges, 42 pull only, 162 pull push, 162 pull push replication, 137

Q
quota restrictions, 238 quotas, 238 setting, 238, 240

R
recall a message, 267 registering, 65, 71 registering new administrators, 65 registering OU certifiers, 62 registering servers, 47 registering user from a text file, 72 registering users, 66 replicating, 53 replicating a subset of documents, 53 replication, 26, 131 replication controls, 133 replication schedule criteria, 139 replication topology, 139 restarting the router, 275 restarting the server, 116 Restrictions and Controls tab, 209 router tasks, 178 router types, 161 routing, 161, 177

security enhancements, 66 selecting a registration server, 47 server access, 114 server access control mechanisms, 113 server access restrictions, 113 server audience types, 35 server database replication, 131 server groups, 131 server id storage, 48 server registration process, 47 server setup options for adding entries to ACLs, 36 selecting Internet protocols, 35 server setup profiles, 53 server-based certification authority, 33 servers, 42 setting administration levels, 120 setting Internet addresses, 200 setting logging levels, 121 Simple Messaging Transfer Protocol See: SMTP SMTP, 173, 175 SMTP implementation best practices, 176 SMTP inbound controls, 184 SMTP listener tasks, 178 SMTP outbound controls, 184 SMTP settings, 180 SMTPExpandDNSWLStats=1 notes.ini variable, 191 special privileges, 42 standard directory structure, 51 static settings, 96 storage options, 48 synchronization, 73

T
tag mail rule conditions, 235 tagged messages field names associated with, 235 terminations, 114 The Administration process, 79 the certifier registration process, 61

S
security, 32

thresholds setting, 238 troubleshooting mail, 273 types of replication, 135

V
values for whitelist, 194 verifying mail routing, 259

U
user name precedence, 89 user registration, 71 user registration options, 65 user registration text files, 71 using group names in server documents, 116

W
whitelist tags, 237 workstation setup, 75 WWCorp deployment plan, 10, 12 WWCorp organizational structure, 29

IBMD8L76IG rev 1.0